General information
Joebox version:	2.0.3
Start time:	17:06:22
Start date:	15/10/2010
Overall analysis duration:	0h 3m 28s
Target binary file name:	bfgbhk.ex
Target script file name:	xp.jbs
Errors:
Number of runs:	1
Number of analysed new started processes analysed:	6
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0

Reputation information
Number of entries in reputation database:	200228993
Reputation threshold:	10

Calling statistics
NtCreateFile	1771
NtOpenFile	2069
NtDeleteFile	0
NtSetInformationFile	428
NtCreateIoCompletion	6
NtRemoveIoCompletion	0
NtSetIoCompletion	0
NtAreMappedFilesTheSame	2
NtCancelIoFile	0
NtCreateNamedPipeFile	0
NtFlushBuffersFile	0
NtFsControlFile	1638
NtLockFile	8
NtOpenDirectoryObject	11
NtQueryAttributesFile	349
NtQueryDirectoryFile	145
NtQueryFullAttributesFile	0
NtQueryInformationFile	344
NtQueryVolumeInformationFile	176
NtReadFile	171
NtUnlockFile	7
NtUnmapViewOfSection	184
NtWriteFile	27
NtCloseObjectAuditAlarm	0
NtClose	3629
NtDeleteObjectAuditAlarm	0
NtCreateSection	169
NtOpenSection	177
NtMapViewOfSection	362
NtQuerySection	68
NtMakeTemporaryObject	0
NtCreateKey	47
NtOpenKey	1599
NtRenameKey	0
NtDeleteKey	0
NtDeleteValueKey	0
NtSetValueKey	33
NtEnumerateKey	58
NtEnumerateValueKey	132
NtFlushKey	0
NtNotifyChangeKey	30
NtQueryKey	267
NtQueryValueKey	1031
NtSetInformationKey	0
NtCreateProcess	0
NtCreateProcessEx	4
NtTerminateProcess	8
NtFlushInstructionCache	692
NtOpenProcess	10
NtOpenProcessToken	55
NtOpenProcessTokenEx	255
NtReadVirtualMemory	18
NtWriteVirtualMemory	18
NtAllocateVirtualMemory	3466
NtFlushVirtualMemory	0
NtFreeVirtualMemory	1215
NtLockVirtualMemory	0
NtProtectVirtualMemory	1468
NtQueryInformationProcess	512
NtQueryVirtualMemory	119
NtSetInformationProcess	135
NtSuspendProcess	0
NtCreateThread	8
NtGetContextThread	0
NtSetContextThread	0
NtQueueApcThread	0
NtAlertThread	0
NtDelayExecution	9007
NtImpersonateThread	0
NtOpenThread	0
NtOpenThreadToken	64
NtOpenThreadTokenEx	255
NtQueryInformationThread	4
NtRegisterThreadTerminatePort	10
NtResumeThread	8
NtSetInformationThread	75
NtSuspendThread	0
NtTerminateThread	0
NtYieldExecution	3250
NtAcceptConnectPort	0
NtCompleteConnectPort	0
NtConnectPort	8
NtCreatePort	0
NtImpersonateClientOfPort	0
NtReplyPort	0
NtReplyWaitReceivePort	0
NtReplyWaitReceivePortEx	0
NtRequestPort	0
NtRequestWaitReplyPort	788
NtSecureConnectPort	6
NtReadRequestData	0
NtWriteRequestData	0
NtAccessCheck	35
NtAccessCheckAndAuditAlarm	0
NtAccessCheckByType	0
NtAdjustPrivilegesToken	6
NtAllocateLocallyUniqueId	5
NtQuerySecurityObject	0
NtSetSecurityObject	0
NtAddAtom	5
NtFindAtom	0
NtDeleteAtom	0
NtQueryInformationAtom	0
NtOpenKeyedEvent	6
NtCreateKeyedEvent	0
NtOpenEvent	12
NtQueryEvent	2
NtCreateEvent	128
NtSetEvent	33
NtSetEventBoostPriority	4
NtOpenMutant	4
NtCreateMutant	40
NtCreateSemaphore	40
NtReleaseSemaphore	88
NtReleaseMutant	32
NtCreateTimer	0
NtCancelTimer	0
NtSetTimer	0
NtDeviceIoControlFile	142
NtLoadDriver	0
NtUnloadDriver	0
NtDuplicateObject	38
NtOpenObjectAuditAlarm	0
NtDuplicateToken	17
NtImpersonateAnonymousToken	0
NtQueryInformationToken	298
NtGetPlugPlayEvent	0
NtPlugPlayControl	0
NtOpenSymbolicLinkObject	42
NtQuerySymbolicLinkObject	20
NtQueryDirectoryObject	0
NtQueryDebugFilterState	135
NtQueryDefaultLocale	230
NtQueryDefaultUILanguage	63
NtQueryInstallUILanguage	5
NtQueryInformationJobObject	4
NtQueryObject	6
NtQueryPerformanceCounter	932
NtQuerySystemInformation	145
NtQuerySystemTime	3
NtQueryTimerResolution	4
NtRaiseException	0
NtRaiseHardError	0
NtSetInformationObject	23
NtSetSystemInformation	0
NtShutdownSystem	0
NtSystemDebugControl	0
NtTestAlert	10
NtWaitForMultipleObjects	22
NtWaitForSingleObject	139
NtSetInformationDebugObject	0
NtCreateDebugObject	0
NtDebugContinue	0
NtWaitForDebugEvent	0
NtRemoveProcessDebug	0
NtUserPostMessage	1
NtUserSendInput	0
NtUserSetWindowsHookEx	6
NtUserSetWinEventHook	0
NtUserDestroyWindow	2
NtUserPostThreadMessage	2
NtUserBuildHwndList	7
NtUserSetCapture	0
NtUserRegisterHotKey	0
NtUserRegisterUserApiHook	0
NtUserCreateWindowEx	6
NtUserQueryWindow	13
NtUserFindWindowEx	12
NtUserGetAsyncKeyState	0
NtUserGetKeyboardState	0
NtUserGetKeyState	0

Startup

system is xp

bfgbhk.ex.exe (PID: 1580 MD5: 97656225E7B67973C7071C6126992921)

cmd.exe (PID: 1512 MD5: 6D778E0F95447E6546553EEEA709D03C)

explorer.exe (PID: 1592 MD5: 12896823FB95BFB3DC9B46BCAEDC9923)

csrcs.exe (PID: 488 MD5: 97656225E7B67973C7071C6126992921)

cmd.exe (PID: 492 MD5: 6D778E0F95447E6546553EEEA709D03C)

cleanup

Global Network Data

All TCP
Reputation	Timestamp	Source Port	Dest Port	Source IP	Dest IP

All UDP
Reputation	Timestamp	Source Port	Dest Port	Source IP	Dest IP

All ICMP
Reputation	Timestamp	Source IP	Dest IP

DNS
Reputation	Timestamp	Source IP	Dest IP	Type	Data

HTTP
Reputation	Timestamp	Source IP	Dest IP	Host	Data

Analysis File: bfgbhk.ex.exe PID: 1580 Parent PID: 776 Run ID: 0

Sections

General
Start time:	23:47:48
Start date:	02/08/2010
Path:	C:\bfgbhk.ex.exe
Commandline:	C:\bfgbhk.ex.exe
File size:	575054 bytes
MD5 hash:	97656225E7B67973C7071C6126992921

File Activities:

File opened
Reputation	File Path	Access	Options	Completion	Count
1343	C:\WINDOWS\WindowsShell.Manifest	read attributes and synchronize and generic read	synchronous io non alert and non directory file	success or wait	1
0	C:\bfgbhk.ex.exe	read attributes and synchronize and generic read	synchronous io non alert and non directory file	success or wait	1
8607	PIPE\lsarpc	read attributes and synchronize and generic read and generic write	non directory file	success or wait	2
0	C:\bfgbhk.ex.exe	read attributes and synchronize and generic read	synchronous io non alert and non directory file	success or wait	1
14039	C:\WINDOWS\system32\msctfime.ime	read attributes and synchronize and generic read	synchronous io non alert and non directory file	success or wait	1
14039	C:\WINDOWS\system32\msctfime.ime	read attributes and synchronize and generic read	synchronous io non alert and non directory file	success or wait	1
0	C:\bfgbhk.ex.exe	read attributes and synchronize and generic read	synchronous io non alert and non directory file	success or wait	1
22	C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\aut1.tmp	read attributes and synchronize and generic read	synchronous io non alert and non directory file	success or wait	1
0	C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\sugptwa	read attributes and synchronize and generic write	synchronous io non alert and non directory file	success or wait	1
0	C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\sugptwa	read attributes and synchronize and generic read	synchronous io non alert and non directory file	success or wait	1
20685	C:\WINDOWS\AppPatch\sysmain.sdb	read attributes and synchronize and generic read	synchronous io non alert and non directory file	success or wait	3
2394	C:\WINDOWS\AppPatch\systest.sdb	read attributes and synchronize and generic read	synchronous io non alert and non directory file	object name not found	3
2856	C:\WINDOWS\system32\cmd.exe	read attributes and synchronize and generic read	synchronous io non alert and non directory file	success or wait	1
2856	C:\WINDOWS\system32\cmd.exe	read attributes and synchronize and generic read	synchronous io non alert and non directory file	success or wait	1
0	C:\WINDOWS\system32\csrcs.exe	read attributes and synchronize and generic read	synchronous io non alert and non directory file	object name not found	1
0	C:\WINDOWS\system32\csrcs.exe	read attributes and synchronize and generic read	synchronous io non alert and non directory file	object name not found	1
0	C:\bfgbhk.ex.exe	read attributes and synchronize and generic read	sequential only and synchronous io non alert and non directory file	success or wait	1
36	C:\WINDOWS\system32\csrcs.exe	read attributes and synchronize and generic write	synchronous io non alert and open for backup ident	success or wait	2
5180	PIPE\wkssvc	read attributes and synchronize and generic read and generic write	non directory file	success or wait	1
715	C:\WINDOWS\system32\ieframe.dll	read attributes and synchronize and generic read	synchronous io non alert and non directory file	success or wait	1
7812	C:\WINDOWS\Registration\R000000000007.clb	read attributes and synchronize and generic read	synchronous io non alert and non directory file	success or wait	1
3824	C:\Program Files\Internet Explorer\IEXPLORE.EXE	read attributes and synchronize	synchronous io non alert and non directory file	success or wait	1
3998	C:\WINDOWS\system32\en-US\ieframe.dll.mui	read attributes and synchronize and generic read	synchronous io non alert and non directory file	success or wait	1
4	C:\WINDOWS\system32\csrcs.exe	read attributes and synchronize and generic read	synchronous io non alert and non directory file	success or wait	1
4	C:\WINDOWS\system32\csrcs.exe	read attributes and synchronize and generic read	synchronous io non alert and non directory file	success or wait	1
18	C:\WINDOWS\system32\csrcs.exe	read attributes and write attributes and synchronize and generic read	synchronous io non alert and non directory file	success or wait	1

File created
Reputation	File Path	Access	Attributes	Options	Completion	Count
28	C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\aut1.tmp	read attributes and synchronize and generic read	normal	synchronous io non alert and non directory file	success or wait	1
0	C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\sugptwa	read attributes and synchronize and generic read and generic write	normal	synchronous io non alert and non directory file	success or wait	1
2	C:\WINDOWS\system32\csrcs.exe	read attributes and delete and synchronize and generic write	archive	sequential only and synchronous io non alert and non directory file	success or wait	1
15	C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	read attributes and synchronize and generic read and generic write	normal	synchronous io non alert and non directory file	success or wait	1

File overwritten
Reputation	File Path	Access	Options	Completion	Count
20901	WMIDataDevice	read attributes and synchronize and generic read and generic write	non directory file	success or wait	1
20901	WMIDataDevice	read attributes and synchronize and generic read and generic write	non directory file	success or wait	1
62040	MountPointManager	read attributes and synchronize	synchronous io non alert and non directory file	success or wait	3
62040	MountPointManager	read attributes and synchronize	synchronous io non alert and non directory file	success or wait	6
22	C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\aut1.tmp	read attributes and synchronize and generic write	synchronous io non alert and non directory file	success or wait	1
34933	\Device\NamedPipe\ShimViewer	write data or add file and append data or add subdirectory or create pipe instance and write ea and write attributes and read control and synchronize	no options	object name not found	3
1796	C:\WINDOWS\system32\SHELL32.dll.124.Manifest	read data or list directory and read ea and execute or traverse and read attributes and read control and synchronize	synchronous io non alert and non directory file	object name not found	1
2276	\Device\KsecDD	read data or list directory and synchronize	synchronous io alert	success or wait	1
1153	C:\WINDOWS\system32\urlmon.dll.123.Manifest	read data or list directory and read ea and execute or traverse and read attributes and read control and synchronize	synchronous io non alert and non directory file	object name not found	1
817	C:\WINDOWS\system32\WININET.dll.123.Manifest	read data or list directory and read ea and execute or traverse and read attributes and read control and synchronize	synchronous io non alert and non directory file	object name not found	1
442	IDE#CdRomVBOX_CD-ROM_____________________________1.0_____#42562d3231303037333036372020202020202020#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}	read attributes and synchronize	synchronous io non alert and non directory file	success or wait	1
284	IDE#CdRomVBOX_CD-ROM_____________________________1.0_____#42562d3231303037333036372020202020202020#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}	read attributes and synchronize	synchronous io alert	success or wait	1
441	STORAGE#Volume#1&30a96598&0&Signature94389438Offset7E00Length27F4DB200#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}	read attributes and synchronize	synchronous io non alert and non directory file	success or wait	1
438	STORAGE#Volume#1&30a96598&0&Signature94389438Offset7E00Length27F4DB200#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}	read attributes and synchronize	synchronous io alert	success or wait	1
319	C:\WINDOWS\system32\ieframe.dll.123.Manifest	read data or list directory and read ea and execute or traverse and read attributes and read control and synchronize	synchronous io non alert and non directory file	object name not found	1

File deleted
Reputation	File Path	Completion	Count
28	C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\aut1.tmp	success or wait	1
0	C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\sugptwa	success or wait	1
0	C:\bfgbhk.ex.exe	cannot delete	1

File renamed
Reputation	Old File Path	New File Path	Completion	Count

File written
Reputation	File Path	Completion	Count
155362	\Device\NamedPipe\lsass	success or wait	2
43	C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\aut1.tmp	success or wait	1
43	C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\aut1.tmp	success or wait	1
0	C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\sugptwa	success or wait	1
0	C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\sugptwa	success or wait	1
0	C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\sugptwa	success or wait	1
236	C:\WINDOWS\system32\csrcs.exe	success or wait	1
236	C:\WINDOWS\system32\csrcs.exe	success or wait	1
236	C:\WINDOWS\system32\csrcs.exe	success or wait	1
236	C:\WINDOWS\system32\csrcs.exe	success or wait	1
236	C:\WINDOWS\system32\csrcs.exe	success or wait	1
236	C:\WINDOWS\system32\csrcs.exe	success or wait	1
236	C:\WINDOWS\system32\csrcs.exe	success or wait	1
236	C:\WINDOWS\system32\csrcs.exe	success or wait	1
236	C:\WINDOWS\system32\csrcs.exe	success or wait	1
10107	\Device\NamedPipe\wkssvc	success or wait	1
15	C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1

Other file operations
Reputation	File Path	Disposition	Data	Completion	Count
0	C:\bfgbhk.ex.exe	PositionInformation	00 00 01 00 00 00 00 00	success or wait	3
0	C:\bfgbhk.ex.exe	PositionInformation	EC FF 00 00 00 00 00 00	success or wait	3
0	C:\bfgbhk.ex.exe	PositionInformation	EC FF 01 00 00 00 00 00	success or wait	3
0	C:\bfgbhk.ex.exe	PositionInformation	D8 FF 01 00 00 00 00 00	success or wait	3
0	C:\bfgbhk.ex.exe	PositionInformation	D8 FF 02 00 00 00 00 00	success or wait	3
0	C:\bfgbhk.ex.exe	PositionInformation	C4 FF 02 00 00 00 00 00	success or wait	3
0	C:\bfgbhk.ex.exe	PositionInformation	C4 FF 03 00 00 00 00 00	success or wait	3
0	C:\bfgbhk.ex.exe	PositionInformation	B0 FF 03 00 00 00 00 00	success or wait	3
0	C:\bfgbhk.ex.exe	PositionInformation	B0 FF 04 00 00 00 00 00	success or wait	3
0	C:\bfgbhk.ex.exe	PositionInformation	9C FF 04 00 00 00 00 00	success or wait	3
0	C:\bfgbhk.ex.exe	PositionInformation	14 C8 05 00 00 00 00 00	success or wait	3
0	C:\bfgbhk.ex.exe	PositionInformation	14 D8 05 00 00 00 00 00	success or wait	3
0	C:\bfgbhk.ex.exe	PositionInformation	28 C8 05 00 00 00 00 00	success or wait	3
0	C:\bfgbhk.ex.exe	PositionInformation	28 CA 05 00 00 00 00 00	success or wait	3
0	C:\bfgbhk.ex.exe	PositionInformation	B9 C8 05 00 00 00 00 00	success or wait	2
0	C:\bfgbhk.ex.exe	PositionInformation	B9 CA 05 00 00 00 00 00	success or wait	2
0	C:\bfgbhk.ex.exe	PositionInformation	77 7A 08 00 00 00 00 00	success or wait	2
0	C:\bfgbhk.ex.exe	PositionInformation	77 7C 08 00 00 00 00 00	success or wait	1
0	C:\bfgbhk.ex.exe	PositionInformation	1A 7B 08 00 00 00 00 00	success or wait	1
0	C:\bfgbhk.ex.exe	PositionInformation	1A 7D 08 00 00 00 00 00	success or wait	1
0	C:\bfgbhk.ex.exe	PositionInformation	46 C6 08 00 00 00 00 00	success or wait	1
15856	\Device\NamedPipe\lsass	PipeInformation	01 00 00 00 00 00 00 00	success or wait	2
131	\Device\NamedPipe\lsass	CompletionInformation	EC 00 00 00 00 00 FF FF	success or wait	2
0	C:\bfgbhk.ex.exe	PositionInformation	D5 C8 05 00 00 00 00 00	success or wait	1
0	C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\sugptwa	BasicInformation	30 4F 03 65 3C 41 CB 01 00 00 00 00 00 00 00 00 F4 CB C9 67 3C 41 CB 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00	success or wait	1
0	C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\sugptwa	PositionInformation	00 00 00 00 00 00 00 00	success or wait	6
0	C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\sugptwa	PositionInformation	4E 86 01 00 00 00 00 00	success or wait	2
0	C:\WINDOWS\system32\csrcs.exe	EndOfFileInformation	4E C6 08 00 00 00 00 00	success or wait	1
0	C:\WINDOWS\system32\csrcs.exe	BasicInformation	00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4D 80 8E 87 7A 6C CB 01 35 42 49 5F 8C 32 CB 01 00 00 00 00 00 00 00 00	success or wait	1
36	C:\WINDOWS\system32\csrcs.exe	BasicInformation	00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 A7 00 00 00 00 00 00 00	success or wait	2
21	C:\WINDOWS\system32\csrcs.exe	BasicInformation	00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 00 00 00 00	success or wait	1
0	C:\WINDOWS\system32\csrcs.exe	BasicInformation	F0 01 5E A5 B0 3C C6 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00	success or wait	1
0	C:\WINDOWS\system32\csrcs.exe	BasicInformation	00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 F0 01 EC 35 79 9E C8 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00	success or wait	1
8697	\Device\NamedPipe\wkssvc	PipeInformation	01 00 00 00 00 00 00 00	success or wait	1
50	\Device\NamedPipe\wkssvc	CompletionInformation	EC 00 00 00 00 00 FF FF	success or wait	1
1236	C:\WINDOWS\Registration\R000000000007.clb	PositionInformation	F0 57 00 00 00 00 00 00	success or wait	1
10924	C:\WINDOWS\Registration\R000000000007.clb	PositionInformation	00 00 00 00 00 00 00 00	success or wait	1
0	C:\WINDOWS\system32\csrcs.exe	BasicInformation	00 00 00 00 00 00 00 00 6B 55 A8 61 8C 32 CB 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00	success or wait	1
5	C:\WINDOWS\system32\csrcs.exe	PositionInformation	10 01 00 00 00 00 00 00	success or wait	1
5	C:\WINDOWS\system32\csrcs.exe	PositionInformation	58 01 00 00 00 00 00 00	success or wait	1
5	C:\WINDOWS\system32\csrcs.exe	PositionInformation	6C 01 00 00 00 00 00 00	success or wait	1
0	C:\bfgbhk.ex.exe	BasicInformation	00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 00 00 00 00	success or wait	1
0	C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	PositionInformation	00 00 00 00 00 00 00 00	success or wait	7

Section Activities:

Section opened
Reputation	File Path	Access	Base	Entrypoint	Size	Mapped to pid	Completion	Count
40475	\KnownDlls\kernel32.dll	map write and map read and map execute	7C800000	7C80B64E	F6000	own pid	success or wait	1
11	\NLS\NlsSectionUnicode	map read	00070000	not known	15DF4	own pid	success or wait	1
11	\NLS\NlsSectionLocale	map read	00090000	not known	40EDC	own pid	success or wait	1
10	\NLS\NlsSectionSortkey	query and map read	000E0000	not known	40004	own pid	success or wait	1
10	\NLS\NlsSectionSortTbls	map read	00130000	not known	5A04	own pid	success or wait	1
82482	\NLS\NlsSectionSortkey00000409	map read	not known	not known	not known	own pid	object name not found	2
35518	\KnownDlls\ADVAPI32.dll	map write and map read and map execute	77DD0000	77DD710B	9B000	own pid	success or wait	1
40913	\KnownDlls\RPCRT4.dll	map write and map read and map execute	77E70000	77E7628F	92000	own pid	success or wait	1
40856	\KnownDlls\Secur32.dll	map write and map read and map execute	77FE0000	77FE2146	11000	own pid	success or wait	1
14883	\KnownDlls\msvcrt.dll	map write and map read and map execute	77C10000	77C1F2A1	58000	own pid	success or wait	1
37497	\KnownDlls\GDI32.dll	map write and map read and map execute	77F10000	77F16587	49000	own pid	success or wait	1
33945	\KnownDlls\USER32.dll	map write and map read and map execute	7E410000	7E41B217	91000	own pid	success or wait	1
18615	\KnownDlls\SHLWAPI.dll	map write and map read and map execute	77F60000	77F651FB	76000	own pid	success or wait	1
191	\KnownDlls\COMDLG32.dll	map write and map read and map execute	763B0000	763B1619	49000	own pid	success or wait	1
25613	\KnownDlls\SHELL32.dll	map write and map read and map execute	7C9C0000	7C9E74E6	817000	own pid	success or wait	1
1194	\KnownDlls\MPR.dll	map write and map read and map execute	71B20000	71B2124A	12000	own pid	success or wait	1
4087	\KnownDlls\ole32.dll	map write and map read and map execute	774E0000	774FD0B9	13D000	own pid	success or wait	1
3896	\KnownDlls\OLEAUT32.dll	map write and map read and map execute	77120000	77121560	8B000	own pid	success or wait	1
5134	\KnownDlls\PSAPI.DLL	map write and map read and map execute	not known	not known	not known	own pid	object name not found	1
18938	\KnownDlls\USERENV.dll	map write and map read and map execute	769C0000	769C15E4	B4000	own pid	success or wait	1
25391	\KnownDlls\VERSION.dll	map write and map read and map execute	77C00000	77C01135	8000	own pid	success or wait	1
13922	\KnownDlls\WININET.dll	map write and map read and map execute	3D930000	3D931744	E6000	own pid	success or wait	1
79	\KnownDlls\Normaliz.dll	map write and map read and map execute	00140000	401782	9000	own pid	success or wait	1
19227	\KnownDlls\urlmon.dll	map write and map read and map execute	78130000	78131AFA	132000	own pid	success or wait	1
18908	\KnownDlls\iertutil.dll	map write and map read and map execute	3DFD0000	3E0E7B59	1E8000	own pid	success or wait	1
18656	\KnownDlls\WINMM.dll	map write and map read and map execute	not known	not known	not known	own pid	object name not found	1
2386	\KnownDlls\WSOCK32.dll	map write and map read and map execute	not known	not known	not known	own pid	object name not found	1
16409	\KnownDlls\WS2_32.dll	map write and map read and map execute	not known	not known	not known	own pid	object name not found	1
22728	\KnownDlls\WS2HELP.dll	map write and map read and map execute	not known	not known	not known	own pid	object name not found	1
11	\NLS\NlsSectionCType	map read	00160000	not known	20C2	own pid	success or wait	1
2059	\KnownDlls\uxtheme.dll	map write and map read and map execute	not known	not known	not known	own pid	object name not found	1
10059	\KnownDlls\SETUPAPI.dll	map write and map read and map execute	not known	not known	not known	own pid	object name not found	1
0	\BaseNamedObjects\CTF.TimListCache.FMPDefaultS-1-5-21-220523388-1935655697-1343024091-1003SFM.DefaultS-1-5-21-220523388-1935655697-1343024091-1003	query and map write and map read and map execute and extend size	01570000	not known	40000	own pid	success or wait	1
33	\BaseNamedObjects\ShimSharedMemory	map write	003E0000	not known	E000	own pid	success or wait	1
301	\KnownDlls\netapi32.dll	map write and map read and map execute	not known	not known	not known	own pid	object name not found	1
10926	\KnownDlls\CLBCATQ.DLL	map write and map read and map execute	not known	not known	not known	own pid	object name not found	1
1238	\KnownDlls\COMRes.dll	map write and map read and map execute	not known	not known	not known	own pid	object name not found	1

Section created
Reputation	File Path	Access	Attributes	Base	Entrypoint	Size	Protection	Mapped to pid	Completion	Count
2466	not known	query and map write and map read and map execute and extend size	reserve	not known	not known	10000	read write	own pid	success or wait	1
33522	C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll	query and map write and map read and map execute	image	773D0000	773D4256	103000	execute	own pid	success or wait	1
8524	C:\WINDOWS\system32\psapi.dll	query and map write and map read and map execute	image	76BF0000	76BF10F1	B000	execute	own pid	success or wait	1
20195	C:\WINDOWS\system32\winmm.dll	query and map write and map read and map execute	image	76B40000	76B42B61	2D000	execute	own pid	success or wait	1
5868	C:\WINDOWS\system32\wsock32.dll	query and map write and map read and map execute	image	71AD0000	71AD1039	9000	execute	own pid	success or wait	1
22720	C:\WINDOWS\system32\ws2_32.dll	query and map write and map read and map execute	image	71AB0000	71AB1273	17000	execute	own pid	success or wait	1
5468	C:\WINDOWS\system32\ws2help.dll	query and map write and map read and map execute	image	71AA0000	71AA1638	8000	execute	own pid	success or wait	1
22	C:\WINDOWS\system32\imm32.dll	map write and map read and map execute	commit	00240000	not known	1AE00	execute	own pid	success or wait	2
39628	C:\WINDOWS\system32\imm32.dll	query and map write and map read and map execute	image	76390000	763912C0	1D000	execute	own pid	success or wait	1
20	C:\WINDOWS\WindowsShell.Manifest	map write and map read and map execute	commit	00370000	not known	2ED	execute	own pid	success or wait	1
20	C:\WINDOWS\WindowsShell.Manifest	query and map read	commit	00370000	not known	2ED	readonly	own pid	success or wait	1
20	C:\WINDOWS\WindowsShell.Manifest	map read	commit	00370000	not known	2ED	readonly	own pid	success or wait	1
0	C:\WINDOWS\system32\shell32.dll	map read	commit	00FF0000	not known	811C00	readonly	own pid	success or wait	1
9375	C:\WINDOWS\system32\uxtheme.dll	query and map write and map read and map execute	image	5AD70000	5AD71626	38000	execute	own pid	success or wait	1
1090	C:\WINDOWS\system32\setupapi.dll	query and map write and map read and map execute	image	77920000	7792159A	F3000	execute	own pid	success or wait	1
0	C:\WINDOWS\system32\msctf.dll	map write and map read and map execute	commit	01570000	not known	48C00	execute	own pid	success or wait	1
20358	C:\WINDOWS\system32\msctf.dll	query and map write and map read and map execute	image	74720000	747213A5	4C000	execute	own pid	success or wait	1
45	\BaseNamedObjects\CiceroSharedMemDefaultS-1-5-21-220523388-1935655697-1343024091-1003	query and map write and map read	commit	003D0000	not known	1000	read write	own pid	object name exists	1
0	C:\WINDOWS\system32\msctfime.ime	map write and map read and map execute	commit	015B0000	not known	2B400	execute	own pid	success or wait	3
0	C:\WINDOWS\system32\msctfime.ime	query and map read	commit	015B0000	not known	2B400	readonly	own pid	success or wait	2
11124	C:\WINDOWS\system32\msctfime.ime	query and map write and map read and map execute	image	755C0000	755D9FE1	2E000	execute	own pid	success or wait	1
3733	C:\WINDOWS\system32\cmd.exe	query and map write and map read and map execute and extend size	image	not known	4AD05046	61000	execute	own pid	success or wait	2
0	C:\WINDOWS\system32\apphelp.dll	map write and map read and map execute	commit	015B0000	not known	1EC00	execute	own pid	success or wait	1
1734	C:\WINDOWS\system32\apphelp.dll	query and map write and map read and map execute	image	77B40000	77B41C09	22000	execute	own pid	success or wait	1
1	C:\WINDOWS\AppPatch\sysmain.sdb	map read	commit	01D70000	not known	125ED2	readonly	own pid	success or wait	3
0	C:\WINDOWS\system32\cmd.exe	map write and map read and map execute	commit	015B0000	not known	5F000	execute	own pid	success or wait	2
0	C:\WINDOWS\system32\cmd.exe	query and map read	commit	015B0000	not known	5F000	readonly	own pid	success or wait	2
0	C:\WINDOWS\system32\cmd.exe	query and map read	commit	015B0000	not known	5F000	readonly	own pid	success or wait	1
0	not known	query and map write and map read	commit	015D0000	not known	3000	read write	own pid	success or wait	3
0	C:\WINDOWS\system32\rpcss.dll	map write and map read and map execute	commit	015C0000	not known	62000	execute	own pid	success or wait	1
18093	C:\WINDOWS\system32\netapi32.dll	query and map write and map read and map execute	image	5B860000	5B868B48	55000	execute	own pid	success or wait	1
10852	C:\WINDOWS\system32\clbcatq.dll	query and map write and map read and map execute	image	76FD0000	76FD3048	7F000	execute	own pid	success or wait	1
4879	C:\WINDOWS\system32\comres.dll	query and map write and map read and map execute	image	77050000	77051055	C5000	execute	own pid	success or wait	1
0	C:\WINDOWS\system32\ieframe.dll	map write and map read and map execute	commit	01D70000	not known	A8EA00	execute	own pid	success or wait	1
476	C:\WINDOWS\system32\ieframe.dll	query and map write and map read and map execute	image	3E1C0000	3E1C8086	A93000	execute	own pid	success or wait	1
0	C:\WINDOWS\system32\en-US\ieframe.dll.mui	query and map read	commit	01D70000	not known	12F000	write copy	own pid	success or wait	1
0	\BaseNamedObjects\Local\UrlZonesSM_Hanuele Baser	query and map write and map read	commit	015E0000	not known	1000	read write	own pid	object name exists	1
0	C:\WINDOWS\system32\csrcs.exe	map write and map read and map execute	commit	01EA0000	not known	8C64E	execute	own pid	success or wait	2
0	C:\WINDOWS\system32\csrcs.exe	query and map read	commit	01EA0000	not known	8C64E	readonly	own pid	success or wait	2
0	C:\WINDOWS\system32\csrcs.exe	query and map write and map read and map execute and extend size	image	not known	4CBBB0	E7000	execute	own pid	success or wait	1
0	C:\WINDOWS\system32\csrcs.exe	query and map read	commit	01EA0000	not known	8C64E	readonly	own pid	success or wait	1
7	C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	query and map write and map read and map execute and extend size	image	not known	not known	not known	execute	own pid	invalid image not mz	1
0	C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	query and map read	commit	015D0000	not known	72	readonly	own pid	success or wait	1

Registry Activities:

Key opened
Reputation	Key Path	Access	Completion	Count
0	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bfgbhk.ex.exe	generic read	object name not found	2
91200	HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server	query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1
153794	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots	enumerate sub key and read or execute	object name not found	5
96399	HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot\Option	query value and set value and read or execute and write	object name not found	5
26786	HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers	query value and read or execute	success or wait	7
39584	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers	query value and read or execute	object name not found	1
6164	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Secur32.dll	generic read	object name not found	1
40564	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RPCRT4.dll	generic read	object name not found	1
707	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ADVAPI32.dll	generic read	object name not found	1
51069	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon	query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1
77159	HKEY_LOCAL_MACHINE	maximum allowed	success or wait	1
5318	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Diagnostics	query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1
4417	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msvcrt.dll	generic read	object name not found	1
33679	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\USER32.dll	generic read	object name not found	1
71638	HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager	query value and read or execute	success or wait	2
39518	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IMM32.DLL	generic read	object name not found	1
20955	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ntdll.dll	generic read	object name not found	1
39992	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kernel32.dll	generic read	object name not found	1
39197	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GDI32.dll	generic read	object name not found	1
33789	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SHLWAPI.dll	generic read	object name not found	1
2924	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\COMCTL32.dll	generic read	object name not found	1
25673	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SHELL32.dll	generic read	object name not found	1
839	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\COMDLG32.dll	generic read	object name not found	1
536	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MPR.dll	generic read	object name not found	1
14067	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ole32.dll	generic read	object name not found	1
3843	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\OLEAUT32.dll	generic read	object name not found	1
4083	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PSAPI.DLL	generic read	object name not found	1
18911	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\USERENV.dll	generic read	object name not found	1
25266	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\VERSION.dll	generic read	object name not found	1
2184	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Normaliz.dll	generic read	object name not found	1
18916	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iertutil.dll	generic read	object name not found	1
20565	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\urlmon.dll	generic read	object name not found	1
13896	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WININET.dll	generic read	object name not found	1
2621	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WINMM.dll	generic read	object name not found	1
3112	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WS2HELP.dll	generic read	object name not found	1
16343	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WS2_32.dll	generic read	object name not found	1
2365	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WSOCK32.dll	generic read	object name not found	1
52210	HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Error Message Instrument\	query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1
81554	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize	query value and enumerate sub key and notify and read or execute and write and read control	success or wait	2
24208	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows	query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1
36549	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Performance	maximum allowed	object name not found	1
167058	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003	query value and enumerate sub key and notify and read or execute and write and read control	success or wait	6
59427	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Control Panel\Desktop	query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1
32768	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\software\Microsoft\Windows\CurrentVersion\Explorer\Advanced	query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1
33471	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\LanguagePack	query value and read or execute	success or wait	1
35640	HKEY_LOCAL_MACHINE\SYSTEM\Setup	query value and read or execute	success or wait	1
5178	HKEY_LOCAL_MACHINE\system\CurrentControlSet\control\NetworkProvider\HwOrder	query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1
43104	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager	query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1
45275	HKEY_LOCAL_MACHINE\Software\Microsoft\Ole	query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1
18722	HKEY_LOCAL_MACHINE\Software\Classes\Interface	query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1
4967	HKEY_LOCAL_MACHINE\Software\Classes\Interface\{00020400-0000-0000-C000-000000000046}	query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1
86612	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLEAUT	query value and read or execute	object name not found	2
42185	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLEAUT\UserEra	query value and enumerate sub key and read or execute	object name not found	1
13835	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\winlogon	maximum allowed	success or wait	5
20258	HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\ProductOptions	query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1
23213	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders	query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1
40321	HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System	maximum allowed	success or wait	2
3974	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_Classes	maximum allowed	success or wait	1
2161	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_CLASSES\PROTOCOLS\Name-Space Handler\	maximum allowed	object name not found	1
20147	HKEY_LOCAL_MACHINE\Software\Classes\PROTOCOLS\Name-Space Handler	maximum allowed	success or wait	1
19597	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_Classes\PROTOCOLS\Name-Space Handler	maximum allowed	object name not found	1
10969	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003	maximum allowed	success or wait	1
8120	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings	query value and read or execute	object name not found	2
24926	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings	query value and read or execute	success or wait	1
7824	HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings	query value and read or execute	object name not found	3
38930	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_PROTOCOL_LOCKDOWN	query value and enumerate sub key and notify and read or execute and write and read control	object name not found	2
13105	HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_PROTOCOL_LOCKDOWN	query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1
26555	HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\	query value and read or execute	object name not found	1
44734	HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl	query value and read or execute	object name not found	1
36521	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl	query value and read or execute	object name not found	1
285696	HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl	query value and read or execute	success or wait	6
36487	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Internet Explorer\Main\FeatureControl	query value and read or execute	object name not found	1
21303	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_IGNORE_POLICIES_ZONEMAP_IF_ESC_ENABLED_KB918915	query value and read or execute	object name not found	1
5168	HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\	query value and enumerate sub key and notify and read or execute and write and read control	object name not found	2
2158	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\	query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1
49870	HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\	query value and enumerate sub key and notify and read or execute and write and read control	object name not found	2
14487	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\	query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1
38918	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_UNC_SAVEDFILECHECK	query value and enumerate sub key and notify and read or execute and write and read control	object name not found	2
42646	HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_UNC_SAVEDFILECHECK	query value and enumerate sub key and notify and read or execute and write and read control	object name not found	2
20677	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\DRIVERS32	generic read	success or wait	1
20174	HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\MediaProperties\PrivateProperties\Joystick\Winmm	query value and set value and create sub key and enumerate sub key and notify and create link and read or execute and write and delete and read control and write dac and write owner	success or wait	1
150	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Control Panel\Mouse	query value and read or execute	success or wait	1
159	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\AutoIt v3\AutoIt	query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1
2055	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\uxtheme.dll	generic read	object name not found	1
5159	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003	query value and set value and create sub key and enumerate sub key and notify and read or execute and write and read control	success or wait	1
17546	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\ThemeManager	query value and read or execute	success or wait	1
18065	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Control Panel\Desktop	query value and read or execute	success or wait	1
184233	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer	query value and read or execute	success or wait	20
164740	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer	query value and read or execute	success or wait	20
12568	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Objects\{20D04FE0-3AEA-1069-A2D8-08002B30309D}	query value and read or execute	object name not found	2
11453	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_CLASSES\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32	query value and read or execute	object name not found	2
7509	HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32	query value and read or execute	success or wait	2
11437	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32	maximum allowed	object name not found	2
9974	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SETUPAPI.dll	generic read	object name not found	1
4032	HKEY_LOCAL_MACHINE\System\Setup	query value and enumerate sub key and notify and read or execute and write and read control	success or wait	2
10159	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\MiniNT	query value and set value and create sub key and enumerate sub key and notify and create link and read or execute and write and delete and read control and write dac and write owner	object name not found	1
10183	HKEY_LOCAL_MACHINE\System\WPA\PnP	query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1
25023	HKEY_LOCAL_MACHINE\SYSTEM\Setup	query value and enumerate sub key and notify and read or execute and write and read control	success or wait	2
48028	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Setup	query value and enumerate sub key and notify and read or execute and write and read control	success or wait	4
3472	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion	query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1
8107	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Setup	query value and read or execute	success or wait	1
10151	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\AppLogLevels	query value and read or execute	object name not found	1
12948	HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\ComputerName\ActiveComputerName	query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1
25088	HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters	query value and enumerate sub key and notify and read or execute and write and read control	success or wait	2
2174	HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\System\DNSclient	query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1
24556	HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc\PagedBuffers	query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1
31964	HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc	query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1
0	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bfgbhk.ex.exe\RpcThreadPoolThrottle	query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1
32562	HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Rpc	query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1
199052	HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\ComputerName	query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1
195916	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ComputerName\ActiveComputerName	query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1
87441	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume	maximum allowed	success or wait	8
9528	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{edc2bb10-b32c-11de-8127-806d6172696f}\	maximum allowed	success or wait	2
16080	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{edc2bb11-b32c-11de-8127-806d6172696f}\	maximum allowed	success or wait	2
55250	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{edc2bb13-b32c-11de-8127-806d6172696f}\	maximum allowed	success or wait	4
28070	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_CLASSES\Drive\shellex\FolderExtensions	enumerate sub key and read or execute	object name not found	2
4645	HKEY_LOCAL_MACHINE\Software\Classes\Drive\shellex\FolderExtensions	enumerate sub key and read or execute	success or wait	2
23452	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_Classes\Drive\shellex\FolderExtensions	maximum allowed	object name not found	2
5899	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_CLASSES\Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9}	query value and read or execute	object name not found	2
35736	HKEY_LOCAL_MACHINE\Software\Classes\Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9}	query value and read or execute	success or wait	2
3630	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_Classes\Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9}	maximum allowed	object name not found	2
7721	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer	maximum allowed	success or wait	1
727	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	maximum allowed	success or wait	1
544	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.exe	maximum allowed	object name not found	4
6455	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_CLASSES\.exe	maximum allowed	object name not found	2
959	HKEY_LOCAL_MACHINE\Software\Classes\.exe	maximum allowed	success or wait	2
10235	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_Classes\.exe	maximum allowed	object name not found	3
959	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_CLASSES\exefile	maximum allowed	object name not found	2
273	HKEY_LOCAL_MACHINE\Software\Classes\exefile	maximum allowed	success or wait	2
6571	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_Classes\exefile\CurVer	query value and read or execute	object name not found	2
4150	HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\CurVer	query value and read or execute	object name not found	2
18277	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_Classes\exefile	maximum allowed	object name not found	7
828	HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\	maximum allowed	success or wait	2
14268	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\	maximum allowed	success or wait	3
7980	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Policies\System	query value and read or execute	object name not found	2
1076	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced	maximum allowed	success or wait	2
1947	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_Classes\exefile\ShellEx\IconHandler	query value and read or execute	object name not found	1
1624	HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\ShellEx\IconHandler	query value and read or execute	object name not found	1
3358	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_CLASSES\SystemFileAssociations\.exe	maximum allowed	object name not found	1
357	HKEY_LOCAL_MACHINE\Software\Classes\SystemFileAssociations\.exe	maximum allowed	object name not found	1
5266	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_CLASSES\SystemFileAssociations\application	maximum allowed	object name not found	1
1673	HKEY_LOCAL_MACHINE\Software\Classes\SystemFileAssociations\application	maximum allowed	object name not found	1
387	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_Classes\exefile\Clsid	query value and read or execute	object name not found	1
441	HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\Clsid	query value and read or execute	object name not found	1
6614	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_CLASSES\*	maximum allowed	object name not found	1
670	HKEY_LOCAL_MACHINE\Software\Classes\*	maximum allowed	success or wait	1
4495	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_Classes\*\Clsid	query value and read or execute	object name not found	1
4495	HKEY_LOCAL_MACHINE\SOFTWARE\Classes\*\Clsid	query value and read or execute	object name not found	1
20367	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSCTF.dll	generic read	object name not found	1
0	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\Compatibility\bfgbhk.ex.exe	query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1
2146	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\SystemShared\	query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1
27570	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Keyboard Layout\Toggle	query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1
497	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\	query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1
14351	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\IMM	maximum allowed	success or wait	1
40996	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers	query value and enumerate sub key and notify and read or execute and write and read control	object name not found	3
2201	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msctfime.ime	generic read	object name not found	1
22435	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\SOFTWARE\Microsoft\CTF	maximum allowed	success or wait	1
18527	HKEY_LOCAL_MACHINE\Software\Microsoft\CTF\SystemShared	maximum allowed	success or wait	1
8628	HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\AppCertDlls	query value and read or execute	object name not found	1
20542	HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\AppCompatibility	query value and read or execute	success or wait	2
9874	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Apphelp.dll	generic read	object name not found	1
30384	HKEY_LOCAL_MACHINE\System\WPA\TabletPC	query value and wow64 64key and wow64 resource and read or execute	object name not found	3
30378	HKEY_LOCAL_MACHINE\SYSTEM\WPA\MediaCenter	query value and wow64 64key and wow64 resource and read or execute	success or wait	3
2937	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers	wow64 64key and wow64 resource and generic read	object name not found	3
14941	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers	wow64 64key and wow64 resource and generic read	object name not found	3
2579	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\cmd.exe	wow64 64key and wow64 resource and generic read	object name not found	1
1660	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags	wow64 64key and wow64 resource and generic read	object name not found	1
10141	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags	wow64 64key and wow64 resource and generic read	object name not found	1
17347	HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\LevelObjects	query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1
1844	HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths	query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1
17103	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{dda3f824-d8cb-441b-834d-be2efd2c1a33}	query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1
3362	HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes	query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1
1840	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328}	query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1
1901	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}	query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1
17108	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}	query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1
1840	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d}	query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1
2593	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}	query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1
4216	HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\UrlZones	query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1
14565	HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Paths	query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1
2637	HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Hashes	query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1
17320	HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\UrlZones	query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1
17349	HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Paths	query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1
17342	HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Hashes	query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1
17358	HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\UrlZones	query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1
17299	HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Paths	query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1
1862	HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Hashes	query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1
17306	HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\UrlZones	query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1
8514	HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths	query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1
1848	HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Hashes	query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1
17317	HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\UrlZones	query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1
17121	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths	query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1
1845	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes	query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1
17112	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\UrlZones	query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1
1765	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Paths	query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1
13111	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Hashes	query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1
1754	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\UrlZones	query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1
17105	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Paths	query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1
17073	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Hashes	query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1
17100	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\UrlZones	query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1
1844	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Paths	query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1
1828	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Hashes	query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1
17104	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\UrlZones	query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1
1829	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths	query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1
17134	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Hashes	query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1
17069	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\UrlZones	query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1
2738	HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers	query value and enumerate sub key and notify and read or execute and write and read control	success or wait	2
17089	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers	query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1
11150	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders	query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1
11176	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe	generic read	object name not found	2
7261	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer	query value and read or execute	success or wait	1
8355	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer	query value and read or execute	success or wait	1
3084	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\netapi32.dll	generic read	object name not found	1
5676	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace	query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1
850	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{11016101-E366-4D22-BC06-4ADA335C892B}	query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1
3755	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{1f4de370-d627-11d1-ba4f-00a0c91eedba}	query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1
1638	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{450D8FBA-AD25-11D0-98A8-0800361B1103}	query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1
3745	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{645FF040-5081-101B-9F08-00AA002F954E}	query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1
850	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}	query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1
3727	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace	query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1
154	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\0000000000009559\Desktop\NameSpace	query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1
6840	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_CLASSES\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder	maximum allowed	object name not found	1
7096	HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder	maximum allowed	success or wait	1
8155	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder	maximum allowed	object name not found	1
4241	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_CLASSES\CLSID\{208D2C60-3AEA-1069-A2D7-08002B30309D}\ShellFolder	maximum allowed	object name not found	1
4195	HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{208D2C60-3AEA-1069-A2D7-08002B30309D}\ShellFolder	maximum allowed	success or wait	1
2220	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_Classes\CLSID\{208D2C60-3AEA-1069-A2D7-08002B30309D}\ShellFolder	maximum allowed	object name not found	1
3784	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_CLASSES\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\ShellFolder	maximum allowed	object name not found	1
3753	HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\ShellFolder	maximum allowed	success or wait	1
903	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\ShellFolder	maximum allowed	object name not found	1
65081	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Objects\{871C5380-42A0-1069-A2EA-08002B30309D}	query value and read or execute	object name not found	2
31813	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_CLASSES\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32	query value and read or execute	object name not found	1
4375	HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32	query value and read or execute	success or wait	1
83733	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32	maximum allowed	object name not found	5
33688	HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{871c5380-42a0-1069-a2ea-08002b30309d}\InProcServer32	generic read	success or wait	1
339702	HKEY_LOCAL_MACHINE\Software\Microsoft\COM3	query value and enumerate sub key and notify and read or execute and write and read control	success or wait	6
10879	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\COMRes.dll	generic read	object name not found	1
10857	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CLBCATQ.DLL	generic read	object name not found	1
11017	HKEY_LOCAL_MACHINE\Software\Microsoft\COM3\Debug	query value and set value and create sub key and enumerate sub key and notify and create link and read or execute and write and delete and read control and write dac and write owner	object name not found	1
11016	HKEY_LOCAL_MACHINE\Software\Microsoft\COM3\Debug	query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1
30789	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE	query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1
3974	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_Classes	maximum allowed	success or wait	1
121293	HKEY_LOCAL_MACHINE\Software\Classes	maximum allowed	success or wait	3
71127	HKEY_LOCAL_MACHINE\Software\Microsoft\COM3	maximum allowed	success or wait	6
3921	HKEY_USERS	notify and read or execute	success or wait	3
28062	HKEY_LOCAL_MACHINE\Software\Classes\CLSID	maximum allowed	success or wait	2
37925	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_CLASSES\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}	query value and enumerate sub key and notify and read or execute and write and read control	object name not found	6
28549	HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}	query value and enumerate sub key and notify and read or execute and write and read control	success or wait	6
1698	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\TreatAs	query value and read or execute	object name not found	2
13228	HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\TreatAs	query value and read or execute	object name not found	2
135355	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_CLASSES\	query value and enumerate sub key and notify and read or execute and write and read control	success or wait	2
22400	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InprocServer32	maximum allowed	object name not found	3
3036	HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InprocServer32	maximum allowed	success or wait	3
9808	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InprocServerX86	maximum allowed	object name not found	1
9879	HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InprocServerX86	maximum allowed	object name not found	1
11702	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\LocalServer32	maximum allowed	object name not found	2
8906	HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\LocalServer32	maximum allowed	object name not found	2
9821	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InprocHandler32	maximum allowed	object name not found	1
9872	HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InprocHandler32	maximum allowed	object name not found	1
9776	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InprocHandlerX86	maximum allowed	object name not found	1
9885	HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InprocHandlerX86	maximum allowed	object name not found	1
4528	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\LocalServer	maximum allowed	object name not found	1
1354	HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\LocalServer	maximum allowed	object name not found	1
9853	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}	maximum allowed	object name not found	1
503	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ieframe.dll	generic read	object name not found	1
1160	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\IEXPLORE.EXE	query value and read or execute	success or wait	1
20132	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Setup	query value and read or execute	success or wait	3
7586	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_CLASSES\Interface\{EAB22AC1-30C1-11CF-A7EB-0000C05BAE0B}\Typelib	query value and read or execute	object name not found	1
7631	HKEY_LOCAL_MACHINE\Software\Classes\Interface\{EAB22AC1-30C1-11CF-A7EB-0000C05BAE0B}\Typelib	query value and read or execute	success or wait	1
931	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_Classes\Interface\{EAB22AC1-30C1-11CF-A7EB-0000C05BAE0B}\TypeLib	maximum allowed	object name not found	1
39920	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_CLASSES\CLSID\{A4A1A128-768F-41E0-BF75-E4FDDD701CBA}	query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1
34888	HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{A4A1A128-768F-41E0-BF75-E4FDDD701CBA}	query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1
7594	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_CLASSES\Interface\{b722bccb-4e68-101b-a2bc-00aa00404770}\ProxyStubClsid32	query value and read or execute	object name not found	1
9333	HKEY_LOCAL_MACHINE\Software\Classes\Interface\{b722bccb-4e68-101b-a2bc-00aa00404770}\ProxyStubClsid32	query value and read or execute	success or wait	1
1147	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_Classes\Interface\{B722BCCB-4E68-101B-A2BC-00AA00404770}\ProxyStubClsid32	maximum allowed	object name not found	1
7588	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_CLASSES\Interface\{79eac9c4-baf9-11ce-8c82-00aa004ba90b}\ProxyStubClsid32	query value and read or execute	object name not found	1
9323	HKEY_LOCAL_MACHINE\Software\Classes\Interface\{79eac9c4-baf9-11ce-8c82-00aa004ba90b}\ProxyStubClsid32	query value and read or execute	success or wait	1
5956	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_Classes\Interface\{79EAC9C4-BAF9-11CE-8C82-00AA004BA90B}\ProxyStubClsid32	maximum allowed	object name not found	1
7578	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_CLASSES\Interface\{000214E6-0000-0000-C000-000000000046}\ProxyStubClsid32	query value and read or execute	object name not found	1
1047	HKEY_LOCAL_MACHINE\Software\Classes\Interface\{000214E6-0000-0000-C000-000000000046}\ProxyStubClsid32	query value and read or execute	success or wait	1
7580	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_Classes\Interface\{000214E6-0000-0000-C000-000000000046}\ProxyStubClsid32	maximum allowed	object name not found	1
7581	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_CLASSES\Interface\{93F2F68C-1D1B-11D3-A30E-00C04F79ABD1}\ProxyStubClsid32	query value and read or execute	object name not found	1
1044	HKEY_LOCAL_MACHINE\Software\Classes\Interface\{93F2F68C-1D1B-11D3-A30E-00C04F79ABD1}\ProxyStubClsid32	query value and read or execute	success or wait	1
932	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_Classes\Interface\{93F2F68C-1D1B-11D3-A30E-00C04F79ABD1}\ProxyStubClsid32	maximum allowed	object name not found	1
1129	HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings	query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1
6059	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings	query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1
7997	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings	query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1
14057	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings	query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1
7098	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE	query value and enumerate sub key and notify and read or execute and write and read control	object name not found	2
5420	HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE	query value and enumerate sub key and notify and read or execute and write and read control	object name not found	2
8311	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ALLOW_REVERSE_SOLIDUS_IN_USERINFO_KB932562	query value and read or execute	object name not found	1
1648	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_CLASSES\CLSID\{11016101-E366-4D22-BC06-4ADA335C892B}\ShellFolder	maximum allowed	object name not found	1
1629	HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{11016101-E366-4D22-BC06-4ADA335C892B}\ShellFolder	maximum allowed	success or wait	1
336	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_Classes\CLSID\{11016101-E366-4D22-BC06-4ADA335C892B}\ShellFolder	maximum allowed	object name not found	1
1636	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_CLASSES\CLSID\{1F4DE370-D627-11D1-BA4F-00A0C91EEDBA}\ShellFolder	maximum allowed	object name not found	1
336	HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{1F4DE370-D627-11D1-BA4F-00A0C91EEDBA}\ShellFolder	maximum allowed	success or wait	1
1655	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_Classes\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\ShellFolder	maximum allowed	object name not found	1
535	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_CLASSES\CLSID\{450D8FBA-AD25-11D0-98A8-0800361B1103}\ShellFolder	maximum allowed	object name not found	1
2141	HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{450D8FBA-AD25-11D0-98A8-0800361B1103}\ShellFolder	maximum allowed	success or wait	1
3468	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_Classes\CLSID\{450D8FBA-AD25-11D0-98A8-0800361B1103}\ShellFolder	maximum allowed	object name not found	1
2263	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_CLASSES\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\ShellFolder	maximum allowed	object name not found	1
2244	HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\ShellFolder	maximum allowed	success or wait	1
453	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\ShellFolder	maximum allowed	object name not found	1
1625	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_CLASSES\CLSID\{E17D4FC0-5564-11D1-83F2-00A0C90DC849}\ShellFolder	maximum allowed	object name not found	1
336	HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{E17D4FC0-5564-11D1-83F2-00A0C90DC849}\ShellFolder	maximum allowed	success or wait	1
1651	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_Classes\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder	maximum allowed	object name not found	1
5094	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks	query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1
872	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_CLASSES\CLSID\{AEB6717E-7E19-11D0-97EE-00C04FD91972}\InProcServer32	query value and read or execute	object name not found	1
5078	HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{AEB6717E-7E19-11D0-97EE-00C04FD91972}\InProcServer32	query value and read or execute	success or wait	1
2724	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_Classes\CLSID\{AEB6717E-7E19-11d0-97EE-00C04FD91972}\InProcServer32	maximum allowed	object name not found	2
24	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\csrcs.exe	query value and read or execute	object name not found	6
12020	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Associations	query value and read or execute	object name not found	4
1281	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Policies\Associations	query value and read or execute	object name not found	4
3446	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_CLASSES\.exe	query value and read or execute	object name not found	1
785	HKEY_LOCAL_MACHINE\Software\Classes\.exe	query value and read or execute	success or wait	1
655	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_CLASSES\.ade	query value and read or execute	object name not found	1
4302	HKEY_LOCAL_MACHINE\Software\Classes\.ade	query value and read or execute	object name not found	1
3989	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_CLASSES\.adp	query value and read or execute	object name not found	1
4317	HKEY_LOCAL_MACHINE\Software\Classes\.adp	query value and read or execute	object name not found	1
629	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_CLASSES\.app	query value and read or execute	object name not found	1
4328	HKEY_LOCAL_MACHINE\Software\Classes\.app	query value and read or execute	object name not found	1
617	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_CLASSES\.asp	query value and read or execute	object name not found	1
666	HKEY_LOCAL_MACHINE\Software\Classes\.asp	query value and read or execute	success or wait	1
2462	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_Classes\.asp	maximum allowed	object name not found	1
3986	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_CLASSES\.bas	query value and read or execute	object name not found	1
3983	HKEY_LOCAL_MACHINE\Software\Classes\.bas	query value and read or execute	object name not found	1
760	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_CLASSES\.bat	query value and read or execute	object name not found	1
322	HKEY_LOCAL_MACHINE\Software\Classes\.bat	query value and read or execute	success or wait	1
2540	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_Classes\.bat	maximum allowed	object name not found	1
3607	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_CLASSES\.cer	query value and read or execute	object name not found	1
3890	HKEY_LOCAL_MACHINE\Software\Classes\.cer	query value and read or execute	success or wait	1
3669	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_Classes\.cer	maximum allowed	object name not found	1
554	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_CLASSES\.chm	query value and read or execute	object name not found	1
4009	HKEY_LOCAL_MACHINE\Software\Classes\.chm	query value and read or execute	success or wait	1
376	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_Classes\.chm	maximum allowed	object name not found	1
546	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_CLASSES\.cmd	query value and read or execute	object name not found	1
3729	HKEY_LOCAL_MACHINE\Software\Classes\.cmd	query value and read or execute	success or wait	1
372	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_Classes\.cmd	maximum allowed	object name not found	1
569	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_CLASSES\.com	query value and read or execute	object name not found	1
1167	HKEY_LOCAL_MACHINE\Software\Classes\.com	query value and read or execute	success or wait	1
3462	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_Classes\.com	maximum allowed	object name not found	1
543	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_CLASSES\.cpl	query value and read or execute	object name not found	1
3472	HKEY_LOCAL_MACHINE\Software\Classes\.cpl	query value and read or execute	success or wait	1
3616	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_Classes\.cpl	maximum allowed	object name not found	1
185	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_CLASSES\.crt	query value and read or execute	object name not found	1
575	HKEY_LOCAL_MACHINE\Software\Classes\.crt	query value and read or execute	success or wait	1
679	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_Classes\.crt	maximum allowed	object name not found	1
544	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_CLASSES\.csh	query value and read or execute	object name not found	1
825	HKEY_LOCAL_MACHINE\Software\Classes\.csh	query value and read or execute	object name not found	1
17866	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_CLASSES\CLSID\{7B8A2D94-0AC9-11D1-896C-00C04FB6BFC4}	query value and enumerate sub key and notify and read or execute and write and read control	object name not found	5
18450	HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{7B8A2D94-0AC9-11D1-896C-00C04FB6BFC4}	query value and enumerate sub key and notify and read or execute and write and read control	success or wait	5
1329	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_Classes\CLSID\{7b8a2d94-0ac9-11d1-896c-00c04Fb6bfc4}\TreatAs	query value and read or execute	object name not found	2
610	HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7b8a2d94-0ac9-11d1-896c-00c04Fb6bfc4}\TreatAs	query value and read or execute	object name not found	2
3228	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_Classes\CLSID\{7b8a2d94-0ac9-11d1-896c-00c04Fb6bfc4}\InprocServer32	maximum allowed	object name not found	7
1406	HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7b8a2d94-0ac9-11d1-896c-00c04Fb6bfc4}\InprocServer32	maximum allowed	success or wait	3
494	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_Classes\CLSID\{7b8a2d94-0ac9-11d1-896c-00c04Fb6bfc4}\InprocServerX86	maximum allowed	object name not found	1
3649	HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7b8a2d94-0ac9-11d1-896c-00c04Fb6bfc4}\InprocServerX86	maximum allowed	object name not found	1
988	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_Classes\CLSID\{7b8a2d94-0ac9-11d1-896c-00c04Fb6bfc4}\LocalServer32	maximum allowed	object name not found	2
7286	HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7b8a2d94-0ac9-11d1-896c-00c04Fb6bfc4}\LocalServer32	maximum allowed	object name not found	2
3639	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_Classes\CLSID\{7b8a2d94-0ac9-11d1-896c-00c04Fb6bfc4}\InprocHandler32	maximum allowed	object name not found	1
3628	HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7b8a2d94-0ac9-11d1-896c-00c04Fb6bfc4}\InprocHandler32	maximum allowed	object name not found	1
494	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_Classes\CLSID\{7b8a2d94-0ac9-11d1-896c-00c04Fb6bfc4}\InprocHandlerX86	maximum allowed	object name not found	1
3636	HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7b8a2d94-0ac9-11d1-896c-00c04Fb6bfc4}\InprocHandlerX86	maximum allowed	object name not found	1
1934	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_Classes\CLSID\{7b8a2d94-0ac9-11d1-896c-00c04Fb6bfc4}\LocalServer	maximum allowed	object name not found	1
3654	HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7b8a2d94-0ac9-11d1-896c-00c04Fb6bfc4}\LocalServer	maximum allowed	object name not found	1
3642	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_Classes\CLSID\{7b8a2d94-0ac9-11d1-896c-00c04Fb6bfc4}	maximum allowed	object name not found	1
412	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_CLASSES\CLSID\{7B8A2D94-0AC9-11D1-896C-00C04FB6BFC4}\InProcServer32	query value and read or execute	object name not found	1
417	HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{7B8A2D94-0AC9-11D1-896C-00C04FB6BFC4}\InProcServer32	query value and read or execute	success or wait	1
81890	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	query value and enumerate sub key and notify and read or execute and write and read control	success or wait	2
7912	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ZONES_CHECK_ZONEMAP_POLICY_KB941001	query value and read or execute	object name not found	1
1254	HKEY_LOCAL_MACHINE\Software\Policies	query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1
9207	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Policies	query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1
8673	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software	query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1
11033	HKEY_LOCAL_MACHINE\Software	query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1
971	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings	query value and read or execute	object name not found	1
7665	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\	query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1
7663	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\	query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1
7670	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\	query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1
7913	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\	query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1
7913	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\msn.com	query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1
3645	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\msn.com\related	query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1
9257	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_USE_IETLDLIST_FOR_DOMAIN_DETERMINATION	query value and read or execute	object name not found	1
8569	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Internet Explorer\IETld	query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1
2462	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_INITIALIZE_URLACTION_SHELLEXECUTE_TO_ALLOW_KB936610	query value and read or execute	object name not found	1
10720	HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer	query value and read or execute	object name not found	1
7777	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Policies\Microsoft\Internet Explorer	query value and read or execute	object name not found	1
48833	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Internet Explorer\Security	query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1
53085	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Security	query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1
15352	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\	query value and enumerate sub key and notify and read or execute and write and read control	success or wait	2
36646	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0	query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1
34218	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1	query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1
23754	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2	query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1
56669	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3	query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1
43576	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4	query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1
26348	HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\	query value and enumerate sub key and notify and read or execute and write and read control	object name not found	3
15448	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\	query value and enumerate sub key and notify and read or execute and write and read control	object name not found	2
36646	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0	query value and enumerate sub key and notify and read or execute and write and read control	success or wait	4
18948	HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0	query value and enumerate sub key and notify and read or execute and write and read control	object name not found	2
8849	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0	query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1
34218	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1	query value and enumerate sub key and notify and read or execute and write and read control	success or wait	3
13095	HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1	query value and enumerate sub key and notify and read or execute and write and read control	object name not found	2
960	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1	query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1
17720	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	query value and set value and create sub key and enumerate sub key and notify and read or execute and write and read control	success or wait	2
23754	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2	query value and enumerate sub key and notify and read or execute and write and read control	success or wait	3
18936	HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2	query value and enumerate sub key and notify and read or execute and write and read control	object name not found	2
8883	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2	query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1
56669	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3	query value and enumerate sub key and notify and read or execute and write and read control	success or wait	3
18924	HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3	query value and enumerate sub key and notify and read or execute and write and read control	object name not found	2
8854	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3	query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1
43576	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4	query value and enumerate sub key and notify and read or execute and write and read control	success or wait	3
18953	HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4	query value and enumerate sub key and notify and read or execute and write and read control	object name not found	2
836	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4	query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1
15356	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN	query value and enumerate sub key and notify and read or execute and write and read control	object name not found	2
6105	HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN	query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1
17961	HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\	query value and enumerate sub key and notify and read or execute and write and read control	object name not found	3
16676	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\	query value and enumerate sub key and notify and read or execute and write and read control	object name not found	2
10046	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\	query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1
1120	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0	query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1
2464	HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0	query value and enumerate sub key and notify and read or execute and write and read control	object name not found	2
8690	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0	query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1
6257	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1	query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1
12824	HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1	query value and enumerate sub key and notify and read or execute and write and read control	object name not found	2
10050	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1	query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1
9663	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2	query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1
22997	HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2	query value and enumerate sub key and notify and read or execute and write and read control	object name not found	2
1084	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2	query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1
10040	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3	query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1
2580	HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3	query value and enumerate sub key and notify and read or execute and write and read control	object name not found	2
2809	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3	query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1
10026	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4	query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1
2474	HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4	query value and enumerate sub key and notify and read or execute and write and read control	object name not found	2
10055	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4	query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1
2935	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ZONES_DEFAULT_DRIVE_INTRANET_KB941000	query value and read or execute	object name not found	1
8123	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_CLASSES\Directory	maximum allowed	object name not found	1
844	HKEY_LOCAL_MACHINE\Software\Classes\Directory	maximum allowed	success or wait	1
8133	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_Classes\Directory\CurVer	query value and read or execute	object name not found	1
9457	HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\CurVer	query value and read or execute	object name not found	1
47513	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_Classes\Directory	maximum allowed	object name not found	6
8125	HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\	maximum allowed	success or wait	1
7784	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_Classes\Directory\ShellEx\IconHandler	query value and read or execute	object name not found	1
9019	HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\ShellEx\IconHandler	query value and read or execute	object name not found	1
7781	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_Classes\Directory\Clsid	query value and read or execute	object name not found	1
8988	HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\Clsid	query value and read or execute	object name not found	1
8680	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_CLASSES\Folder	maximum allowed	object name not found	1
8682	HKEY_LOCAL_MACHINE\Software\Classes\Folder	maximum allowed	success or wait	1
8556	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_Classes\Folder\Clsid	query value and read or execute	object name not found	1
9779	HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\Clsid	query value and read or execute	object name not found	1
2250	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_Classes\exefile\shell	maximum allowed	object name not found	2
1082	HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell	maximum allowed	success or wait	1
2870	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_Classes\exefile\shell\open	maximum allowed	object name not found	1
2681	HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open	maximum allowed	success or wait	1
1355	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_Classes\exefile\shell\open\command	query value and read or execute	object name not found	3
9881	HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command	query value and read or execute	success or wait	3
9873	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_Classes\exefile\shell\open\command	maximum allowed	object name not found	3
362	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\RestrictRun	query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1
3267	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_Classes\exefile\shell\open\ddeexec	query value and read or execute	object name not found	1
3546	HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\ddeexec	query value and read or execute	object name not found	1
2	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_CLASSES\Applications\csrcs.exe	maximum allowed	object name not found	1
2	HKEY_LOCAL_MACHINE\Software\Classes\Applications\csrcs.exe	maximum allowed	object name not found	1
1834	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\ShellNoRoam	maximum allowed	success or wait	1
13045	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-220523388-1935655697-1343024091-1003	query value and enumerate sub key and notify and read or execute and write and read control	success or wait	3
5659	HKEY_USERS	maximum allowed	success or wait	1
167058	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003	query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1
3911	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache	maximum allowed	success or wait	1
2751	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache\	maximum allowed	success or wait	2
4684	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\FileAssociation	query value and read or execute	success or wait	2
34	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\csrcs.exe	wow64 64key and wow64 resource and generic read	object name not found	1
10332	HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers	maximum allowed	success or wait	2
10268	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers	maximum allowed	object name not found	2
69	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csrcs.exe	generic read	object name not found	1
18	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System	query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1
0	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\s.cmd	wow64 64key and wow64 resource and generic read	object name not found	1

Key created
Reputation	Key Path	Access	Options	Completion	Count
394	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	query value and set value and create sub key and enumerate sub key and notify and read or execute and write and read control	non volatile	success or wait	1
905	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{edc2bb13-b32c-11de-8127-806d6172696f}\	maximum allowed	non volatile	success or wait	1
8013	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{edc2bb11-b32c-11de-8127-806d6172696f}\	maximum allowed	non volatile	success or wait	1
8027	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{edc2bb10-b32c-11de-8127-806d6172696f}\	maximum allowed	non volatile	success or wait	1
199	HKEY_LOCAL_MACHINE\Software\Microsoft\DRM\amty	set value and create sub key and read or execute and write and read control	non volatile	success or wait	1
483	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\0000000000009559	query value and read or execute	volatile	success or wait	1
3352	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Blocked	query value and enumerate sub key and notify and read or execute and write and read control	non volatile	success or wait	1
3332	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Blocked	query value and enumerate sub key and notify and read or execute and write and read control	non volatile	success or wait	1
3354	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	query value and enumerate sub key and notify and read or execute and write and read control	non volatile	success or wait	1
3331	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	query value and set value and create sub key and enumerate sub key and notify and read or execute and write and read control	non volatile	success or wait	1
7475	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders	maximum allowed	non volatile	success or wait	2
17417	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders	maximum allowed	non volatile	success or wait	2
3	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices	set value and create sub key and read or execute and write and read control	non volatile	success or wait	1
17	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run	set value and create sub key and read or execute and write and read control	non volatile	success or wait	1
44	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon	set value and create sub key and read or execute and write and read control	non volatile	success or wait	1
96	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced	set value and create sub key and read or execute and write and read control	non volatile	success or wait	3
41	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL	set value and create sub key and read or execute and write and read control	non volatile	success or wait	1
199	HKEY_LOCAL_MACHINE\Software\Microsoft\DRM\amty	set value and create sub key and read or execute and write and read control	non volatile	success or wait	2

Key deleted
Reputation	Key Path	Completion	Count

Key value deleted
Reputation	Key Path	Key Value Name	Completion	Count

Key value set
Reputation	Key Path	Name	Type	Data	Completion	Count
30	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DRM\amty	ilop	String	1	success or wait	1
0	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache	C:\WINDOWS\system32\csrcs.exe	String	f*[+]4a	success or wait	1
0	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices	csrcs	String	C:\WINDOWS\system32\csrcs.exe	success or wait	1
21	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run	csrcs	String	C:\WINDOWS\system32\csrcs.exe	success or wait	1
30	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DRM\amty	fix	String		success or wait	1
33	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DRM\amty	fix1	String	1	success or wait	1

Key value replaced with new
Reputation	Key Path	Name	Type	Old Data	New Data	Completion	Count
18	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon	Shell	String	Explorer.exe	Explorer.exe csrcs.exe	success or wait	1
194	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced	Hidden	Dword	1	2	success or wait	1
119	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced	SuperHidden	Dword	1	0	success or wait	1
64	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced	ShowSuperHidden	Dword	1	0	success or wait	1

Key value replaced with same
Reputation	Key Path	Name	Type	Data	Completion	Count
7096	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{edc2bb13-b32c-11de-8127-806d6172696f}	BaseClass	String	Drive	success or wait	1
1424	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{edc2bb11-b32c-11de-8127-806d6172696f}	BaseClass	String	Drive	success or wait	1
7118	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{edc2bb10-b32c-11de-8127-806d6172696f}	BaseClass	String	Drive	success or wait	1
1101	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap	ProxyBypass	Dword	1	success or wait	2
15744	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap	IntranetName	Dword	1	success or wait	2
11228	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap	UNCAsIntranet	Dword	1	success or wait	2
5675	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap	AutoDetect	Dword	1	success or wait	2
8837	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders	Cache	String	C:\Documents and Settings\Hanuele Baser\Local Settings\Temporary Internet Files	success or wait	1
986	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders	Cookies	String	C:\Documents and Settings\Hanuele Baser\Cookies	success or wait	1
35	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL	CheckedValue	Dword	1	success or wait	1

Key value queried
Reputation	Key Path	Name	Completion	Count
83709	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Terminal Server	TSAppCompat	success or wait	1
59209	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers	TransparentEnabled	success or wait	1
51204	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon	LeakTrack	object name not found	1
54359	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager	SafeDllSearchMode	object name not found	1
553	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize	DisableMetaFiles	object name not found	1
39787	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows	AppInit_DLLs	success or wait	1
60053	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Control Panel\Desktop	SmoothScroll	object name not found	1
27240	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced	EnableBalloonTips	object name not found	1
110591	HKEY_LOCAL_MACHINE\SYSTEM\Setup	SystemSetupInProgress	success or wait	1
43256	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager	CriticalSectionTimeout	success or wait	1
18328	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole	RWLockResourceTimeOut	object name not found	1
43293	HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface	InterfaceHelperDisableAll	object name not found	1
43246	HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface	InterfaceHelperDisableAllForOle32	object name not found	1
13463	HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface	InterfaceHelperDisableTypeLib	object name not found	1
26538	HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{00020400-0000-0000-C000-000000000046}	InterfaceHelperDisableAll	object name not found	1
43272	HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{00020400-0000-0000-C000-000000000046}	InterfaceHelperDisableAllForOle32	object name not found	1
60778	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon	UserEnvDebugLevel	object name not found	1
20236	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon	ChkAccDebugLevel	object name not found	1
21395	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ProductOptions	ProductType	success or wait	1
24760	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders	Personal	success or wait	1
19612	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders	Local Settings	success or wait	1
14577	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon	RsopDebugLevel	object name not found	1
60778	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon	UserEnvDebugLevel	object name not found	1
2754	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon	RsopLogging	object name not found	1
40492	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System	UserEnvDebugLevel	object name not found	1
8125	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System	RsopLogging	object name not found	1
60778	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon	UserEnvDebugLevel	object name not found	1
40492	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System	UserEnvDebugLevel	object name not found	1
2723	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	DisableImprovedZoneCheck	object name not found	1
0	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_PROTOCOL_LOCKDOWN	bfgbhk.ex.exe	object name not found	1
18141	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_PROTOCOL_LOCKDOWN	*	object name not found	1
41537	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	wave	success or wait	1
41537	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	wave	success or wait	1
2812	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	wave1	object name not found	1
21255	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	wave2	object name not found	1
21240	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	wave3	object name not found	1
4270	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	wave4	object name not found	1
21261	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	wave5	object name not found	1
21209	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	wave6	object name not found	1
21218	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	wave7	object name not found	1
21223	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	wave8	object name not found	1
21210	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	wave9	object name not found	1
40478	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	midi	success or wait	1
40478	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	midi	success or wait	1
17523	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	midi1	object name not found	1
2725	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	midi2	object name not found	1
20470	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	midi3	object name not found	1
20480	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	midi4	object name not found	1
20484	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	midi5	object name not found	1
20477	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	midi6	object name not found	1
11356	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	midi7	object name not found	1
2722	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	midi8	object name not found	1
20444	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	midi9	object name not found	1
40474	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	aux	success or wait	1
40474	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	aux	success or wait	1
20271	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	aux1	object name not found	1
176	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	aux2	object name not found	1
2713	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	aux3	object name not found	1
4096	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	aux4	object name not found	1
20244	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	aux5	object name not found	1
20249	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	aux6	object name not found	1
2712	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	aux7	object name not found	1
20233	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	aux8	object name not found	1
20196	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	aux9	object name not found	1
20238	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\MediaProperties\PrivateProperties\Joystick\Winmm	wheel	success or wait	1
40583	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	mixer	success or wait	1
40583	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	mixer	success or wait	1
20237	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	mixer1	object name not found	1
2715	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	mixer2	object name not found	1
15856	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	mixer3	object name not found	1
2722	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	mixer4	object name not found	1
20235	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	mixer5	object name not found	1
20266	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	mixer6	object name not found	1
20222	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	mixer7	object name not found	1
20246	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	mixer8	object name not found	1
20283	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	mixer9	object name not found	1
151	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Control Panel\Mouse	SwapMouseButtons	success or wait	1
17643	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\ThemeManager	Compositing	object name not found	1
17652	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Control Panel\Desktop	LameButtonText	object name not found	1
1079	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer	NoNetHood	object name not found	1
9488	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer	NoNetHood	object name not found	1
9517	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer	NoPropertiesMyComputer	object name not found	1
9491	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer	NoPropertiesMyComputer	object name not found	1
9525	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer	NoInternetIcon	object name not found	1
9493	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer	NoInternetIcon	object name not found	1
7016	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer	NoCommonGroups	object name not found	1
1086	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer	NoCommonGroups	object name not found	1
8882	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer	NoControlPanel	object name not found	1
8861	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer	NoControlPanel	object name not found	1
8770	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer	NoSetFolders	object name not found	1
8738	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer	NoSetFolders	object name not found	1
11526	HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32	NULL	success or wait	1
110591	HKEY_LOCAL_MACHINE\SYSTEM\Setup	SystemSetupInProgress	success or wait	1
10220	HKEY_LOCAL_MACHINE\SYSTEM\WPA\PnP	seed	success or wait	1
25062	HKEY_LOCAL_MACHINE\SYSTEM\Setup	OsLoaderPath	success or wait	1
25062	HKEY_LOCAL_MACHINE\SYSTEM\Setup	OsLoaderPath	success or wait	1
11404	HKEY_LOCAL_MACHINE\SYSTEM\Setup	SystemPartition	success or wait	1
11404	HKEY_LOCAL_MACHINE\SYSTEM\Setup	SystemPartition	success or wait	1
20532	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup	SourcePath	success or wait	1
20532	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup	SourcePath	success or wait	1
20436	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup	ServicePackSourcePath	success or wait	1
20436	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup	ServicePackSourcePath	success or wait	1
5568	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup	ServicePackCachePath	success or wait	1
5568	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup	ServicePackCachePath	success or wait	1
2182	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup	DriverCachePath	success or wait	1
2182	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup	DriverCachePath	success or wait	1
7981	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion	DevicePath	success or wait	1
25181	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup	LogLevel	success or wait	1
25181	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup	LogLevel	success or wait	1
12504	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup	LogPath	object name not found	1
262517	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ComputerName\ActiveComputerName	ComputerName	success or wait	1
134788	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters	Hostname	success or wait	1
125958	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters	Domain	success or wait	1
32753	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc	MaxRpcSize	object name not found	1
262517	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ComputerName\ActiveComputerName	ComputerName	success or wait	1
8004	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{edc2bb10-b32c-11de-8127-806d6172696f}	Data	buffer overflow	1
7995	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{edc2bb10-b32c-11de-8127-806d6172696f}	Data	success or wait	1
8198	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{edc2bb10-b32c-11de-8127-806d6172696f}	Generation	success or wait	1
6150	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{edc2bb11-b32c-11de-8127-806d6172696f}	Data	buffer overflow	1
8006	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{edc2bb11-b32c-11de-8127-806d6172696f}	Data	success or wait	1
8212	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{edc2bb11-b32c-11de-8127-806d6172696f}	Generation	success or wait	1
7997	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{edc2bb13-b32c-11de-8127-806d6172696f}	Data	buffer overflow	1
8001	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{edc2bb13-b32c-11de-8127-806d6172696f}	Data	success or wait	1
47731	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{edc2bb13-b32c-11de-8127-806d6172696f}	Generation	success or wait	1
47731	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{edc2bb13-b32c-11de-8127-806d6172696f}	Generation	success or wait	1
37773	HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9}	DriveMask	success or wait	1
641	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer	AllowFileCLSIDJunctions	object name not found	1
6059	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer	AllowFileCLSIDJunctions	object name not found	1
1980	HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.exe	NULL	success or wait	1
3709	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer	DontShowSuperHidden	object name not found	1
8685	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer	DontShowSuperHidden	object name not found	1
17128	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer	ShellState	success or wait	1
17128	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer	ShellState	success or wait	1
4212	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer	ForceActiveDesktopOn	object name not found	1
1035	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer	ForceActiveDesktopOn	object name not found	1
8316	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer	NoActiveDesktop	object name not found	1
1913	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer	NoActiveDesktop	object name not found	1
8341	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer	NoWebView	object name not found	1
1039	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer	NoWebView	object name not found	1
3775	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer	ClassicShell	object name not found	1
1048	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer	ClassicShell	object name not found	1
8318	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer	SeparateProcess	object name not found	1
8298	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer	SeparateProcess	object name not found	1
1735	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer	NoNetCrawling	object name not found	1
8327	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer	NoNetCrawling	object name not found	1
8332	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer	NoSimpleStartMenu	object name not found	1
8317	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer	NoSimpleStartMenu	object name not found	1
9056	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced	Hidden	success or wait	1
1071	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced	ShowCompColor	success or wait	1
5197	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced	HideFileExt	success or wait	1
8786	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced	DontPrettyPath	success or wait	1
8820	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced	ShowInfoTip	success or wait	1
1074	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced	HideIcons	success or wait	1
3925	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced	MapNetDrvBtn	success or wait	1
195	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced	WebView	success or wait	1
8806	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced	Filter	success or wait	1
4511	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced	ShowSuperHidden	success or wait	1
8790	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced	SeparateProcess	success or wait	1
8790	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced	NoNetCrawling	success or wait	1
468	HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile	DocObject	object name not found	1
961	HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile	BrowseInPlace	object name not found	1
2501	HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile	IsShortcut	object name not found	1
3690	HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile	AlwaysShowExt	object name not found	1
3667	HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile	NeverShowExt	object name not found	1
29313	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\SystemShared	CUAS	success or wait	1
5920	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Keyboard Layout\Toggle	Language Hotkey	success or wait	1
5920	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Keyboard Layout\Toggle	Language Hotkey	success or wait	1
55768	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Keyboard Layout\Toggle	Layout Hotkey	success or wait	1
55768	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Keyboard Layout\Toggle	Layout Hotkey	success or wait	1
23596	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF	EnableAnchorContext	object name not found	1
14410	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IMM	Ime File	success or wait	1
22641	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\CTF	Disable Thread Input Manager	object name not found	1
29313	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\SystemShared	CUAS	success or wait	1
18279	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager	SafeProcessSearchMode	object name not found	1
20635	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\AppCompatibility	DisableAppCompat	object name not found	1
30305	HKEY_LOCAL_MACHINE\SYSTEM\WPA\MediaCenter	Installed	success or wait	1
59209	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers	TransparentEnabled	success or wait	1
1636	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers	AuthenticodeEnabled	success or wait	1
17163	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers	Levels	object name not found	1
17125	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{dda3f824-d8cb-441b-834d-be2efd2c1a33}	ItemData	success or wait	1
17170	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{dda3f824-d8cb-441b-834d-be2efd2c1a33}	SaferFlags	success or wait	1
17173	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328}	ItemData	success or wait	1
17187	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328}	HashAlg	success or wait	1
1836	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328}	ItemSize	success or wait	1
6713	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328}	SaferFlags	success or wait	1
17132	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}	ItemData	success or wait	1
17177	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}	HashAlg	success or wait	1
17158	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}	ItemSize	success or wait	1
17151	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}	SaferFlags	success or wait	1
17177	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}	ItemData	success or wait	1
17160	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}	HashAlg	success or wait	1
9133	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}	ItemSize	success or wait	1
17158	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}	SaferFlags	success or wait	1
17186	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d}	ItemData	success or wait	1
13416	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d}	HashAlg	success or wait	1
8727	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d}	ItemSize	success or wait	1
17123	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d}	SaferFlags	success or wait	1
17163	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}	ItemData	success or wait	1
17158	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}	HashAlg	success or wait	1
17192	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}	ItemSize	success or wait	1
17142	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}	SaferFlags	success or wait	1
17147	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers	DefaultLevel	success or wait	1
9120	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers	PolicyScope	success or wait	1
4605	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders	Cache	buffer overflow	1
9255	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders	Cache	success or wait	1
27376	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers	LogFileName	object name not found	1
5923	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer	MaximizeApps	object name not found	1
1148	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer	MaximizeApps	object name not found	1
4553	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{11016101-E366-4D22-BC06-4ADA335C892B}	SuppressionPolicy	object name not found	1
861	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{1f4de370-d627-11d1-ba4f-00a0c91eedba}	SuppressionPolicy	object name not found	1
4543	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{450D8FBA-AD25-11D0-98A8-0800361B1103}	SuppressionPolicy	object name not found	1
4533	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{645FF040-5081-101B-9F08-00AA002F954E}	SuppressionPolicy	object name not found	1
3755	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}	SuppressionPolicy	object name not found	1
6034	HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder	WantsParseDisplayName	object name not found	1
882	HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{208D2C60-3AEA-1069-A2D7-08002B30309D}\ShellFolder	WantsParseDisplayName	object name not found	1
894	HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\ShellFolder	WantsParseDisplayName	success or wait	1
45752	HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32	NULL	success or wait	1
4307	HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32	LoadWithoutCOM	object name not found	1
32101	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Blocked	{871C5380-42A0-1069-A2EA-08002B30309D}	object name not found	1
32064	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Blocked	{871C5380-42A0-1069-A2EA-08002B30309D}	object name not found	1
481	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer	EnforceShellExtensionSecurity	object name not found	1
478	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer	EnforceShellExtensionSecurity	object name not found	1
33185	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	{871C5380-42A0-1069-A2EA-08002B30309D} {000214E6-0000-0000-C000-000000000046} 0x401	object name not found	1
31891	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	{871C5380-42A0-1069-A2EA-08002B30309D} {000214E6-0000-0000-C000-000000000046} 0x401	success or wait	1
20635	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\AppCompatibility	DisableAppCompat	object name not found	1
33896	HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32		success or wait	1
28568	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\COM3	Com+Enabled	success or wait	1
13114	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole	MinimumFreeMemPercentageToCreateProcess	object name not found	1
1360	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole	MinimumFreeMemPercentageToCreateObject	object name not found	1
28568	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\COM3	Com+Enabled	success or wait	1
37867	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\COM3	REGDBVersion	success or wait	1
37867	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\COM3	REGDBVersion	success or wait	1
3931	HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32	InprocServer32	object name not found	1
45752	HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32	NULL	success or wait	1
42	HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}	AppID	object name not found	1
3761	HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32	ThreadingModel	success or wait	1
443	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\IEXPLORE.EXE		success or wait	1
6704	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Setup	IExploreLastModifiedLow	success or wait	1
6712	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Setup	IExploreLastModifiedHigh	success or wait	1
7665	HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{EAB22AC1-30C1-11CF-A7EB-0000C05BAE0B}\TypeLib	NULL	success or wait	1
6706	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Setup	InstallStarted	object name not found	1
1299	HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{B722BCCB-4E68-101B-A2BC-00AA00404770}\ProxyStubClsid32	NULL	success or wait	1
3842	HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{79EAC9C4-BAF9-11CE-8C82-00AA004BA90B}\ProxyStubClsid32	NULL	success or wait	1
9459	HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{000214E6-0000-0000-C000-000000000046}\ProxyStubClsid32	NULL	success or wait	1
9434	HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{93F2F68C-1D1B-11D3-A30E-00C04F79ABD1}\ProxyStubClsid32	NULL	success or wait	1
914	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings	CreateUriCacheSize	object name not found	1
10411	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	CreateUriCacheSize	object name not found	1
8188	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings	EnablePunycode	object name not found	1
10494	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	EnablePunycode	success or wait	1
1767	HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{11016101-E366-4D22-BC06-4ADA335C892B}\ShellFolder	WantsParseDisplayName	object name not found	1
759	HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\ShellFolder	WantsParseDisplayName	object name not found	1
1765	HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{450D8FBA-AD25-11D0-98A8-0800361B1103}\ShellFolder	WantsParseDisplayName	object name not found	1
1772	HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\ShellFolder	WantsParseDisplayName	object name not found	1
1571	HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder	WantsParseDisplayName	object name not found	1
864	HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AEB6717E-7E19-11d0-97EE-00C04FD91972}\InProcServer32	NULL	success or wait	1
5160	HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AEB6717E-7E19-11d0-97EE-00C04FD91972}\InProcServer32	LoadWithoutCOM	object name not found	1
1980	HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.exe	NULL	success or wait	1
2441	HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.asp	NULL	success or wait	1
2512	HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.bat	NULL	success or wait	1
4118	HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.cer	NULL	success or wait	1
3629	HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.chm	NULL	success or wait	1
627	HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.cmd	NULL	success or wait	1
3253	HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.com	NULL	success or wait	1
3055	HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.cpl	NULL	success or wait	1
632	HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.crt	NULL	success or wait	1
37867	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\COM3	REGDBVersion	success or wait	1
37867	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\COM3	REGDBVersion	success or wait	1
4312	HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7b8a2d94-0ac9-11d1-896c-00c04Fb6bfc4}\InprocServer32	InprocServer32	object name not found	1
6289	HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7b8a2d94-0ac9-11d1-896c-00c04Fb6bfc4}\InprocServer32	NULL	success or wait	1
3677	HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7b8a2d94-0ac9-11d1-896c-00c04Fb6bfc4}	AppID	object name not found	1
499	HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7b8a2d94-0ac9-11d1-896c-00c04Fb6bfc4}\InprocServer32	ThreadingModel	success or wait	1
6289	HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7b8a2d94-0ac9-11d1-896c-00c04Fb6bfc4}\InprocServer32	NULL	success or wait	1
9030	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Internet Explorer\IETld	IETldDllVersionLow	success or wait	1
9060	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Internet Explorer\IETld	IETldDllVersionHigh	success or wait	1
4934	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Internet Explorer\IETld	IETldVersionLow	success or wait	1
1058	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Internet Explorer\IETld	IETldVersionHigh	success or wait	1
5437	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Internet Explorer\Security	DisableSecuritySettingsCheck	object name not found	1
55467	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Security	DisableSecuritySettingsCheck	object name not found	1
110591	HKEY_LOCAL_MACHINE\SYSTEM\Setup	SystemSetupInProgress	success or wait	1
17843	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0	Flags	success or wait	2
16719	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1	Flags	success or wait	2
18871	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2	Flags	success or wait	2
2046	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3	Flags	success or wait	2
18874	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4	Flags	success or wait	2
0	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN	bfgbhk.ex.exe	object name not found	1
653	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN	*	object name not found	1
318	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings	SpecialFoldersCacheSize	object name not found	1
3506	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	SpecialFoldersCacheSize	object name not found	1
10243	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders	Cache	success or wait	1
1355	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders	Cookies	success or wait	1
2567	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0	1806	success or wait	1
59209	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers	TransparentEnabled	success or wait	1
11526	HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32	NULL	success or wait	1
47731	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{edc2bb13-b32c-11de-8127-806d6172696f}	Generation	success or wait	1
37773	HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9}	DriveMask	success or wait	1
17128	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer	ShellState	success or wait	1
9056	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced	Hidden	success or wait	1
1071	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced	ShowCompColor	success or wait	1
5197	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced	HideFileExt	success or wait	1
8786	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced	DontPrettyPath	success or wait	1
8820	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced	ShowInfoTip	success or wait	1
1074	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced	HideIcons	success or wait	1
3925	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced	MapNetDrvBtn	success or wait	1
195	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced	WebView	success or wait	1
8806	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced	Filter	success or wait	1
4511	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced	ShowSuperHidden	success or wait	1
8790	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced	SeparateProcess	success or wait	1
8790	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced	NoNetCrawling	success or wait	1
9961	HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory	DocObject	object name not found	1
5838	HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory	BrowseInPlace	object name not found	1
951	HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory	IsShortcut	object name not found	1
3393	HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory	AlwaysShowExt	success or wait	1
9953	HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory	NeverShowExt	object name not found	1
1980	HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.exe	NULL	success or wait	1
1414	HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell	NULL	object name not found	1
7112	HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command	NULL	success or wait	1
3837	HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command	command	object name not found	1
7112	HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command	NULL	success or wait	1
2093	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-220523388-1935655697-1343024091-1003	Flags	success or wait	1
320	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-220523388-1935655697-1343024091-1003	State	success or wait	1
1528	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-220523388-1935655697-1343024091-1003	UserPreference	object name not found	1
2093	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-220523388-1935655697-1343024091-1003	CentralProfile	success or wait	1
19686	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-220523388-1935655697-1343024091-1003	ProfileImagePath	success or wait	1
2084	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-220523388-1935655697-1343024091-1003	ProfileLoadTimeLow	success or wait	1
2096	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-220523388-1935655697-1343024091-1003	ProfileLoadTimeHigh	success or wait	1
494	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache	LangID	success or wait	1
21	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache	C:\WINDOWS\system32\csrcs.exe	object name not found	1
5686	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileAssociation	CutList	success or wait	2
1965	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer	InheritConsoleHandles	object name not found	1
2860	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer	InheritConsoleHandles	object name not found	1
355	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer	RestrictRun	object name not found	1
525	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer	RestrictRun	object name not found	1
2867	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer	DisallowRun	object name not found	1
2871	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer	DisallowRun	object name not found	1
2877	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer	NoRunasInstallPrompt	object name not found	1
367	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer	NoRunasInstallPrompt	object name not found	1
30305	HKEY_LOCAL_MACHINE\SYSTEM\WPA\MediaCenter	Installed	success or wait	1
27376	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers	LogFileName	object name not found	1
134	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system	EnableLUA	object name not found	1
30305	HKEY_LOCAL_MACHINE\SYSTEM\WPA\MediaCenter	Installed	success or wait	1
27376	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers	LogFileName	object name not found	1
553	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize	DisableMetaFiles	object name not found	1

Mutant Activities:

Mutant opened
Reputation	Name	Completion	Count

Mutant created
Reputation	Name	Completion	Count
146640	no name	success or wait	3
20462	\BaseNamedObjects\CTF.LBES.MutexDefaultS-1-5-21-220523388-1935655697-1343024091-1003	object name exists	1
20442	\BaseNamedObjects\CTF.Compart.MutexDefaultS-1-5-21-220523388-1935655697-1343024091-1003	object name exists	1
2160	\BaseNamedObjects\CTF.Asm.MutexDefaultS-1-5-21-220523388-1935655697-1343024091-1003	object name exists	1
12591	\BaseNamedObjects\CTF.Layouts.MutexDefaultS-1-5-21-220523388-1935655697-1343024091-1003	object name exists	1
11406	\BaseNamedObjects\CTF.TMD.MutexDefaultS-1-5-21-220523388-1935655697-1343024091-1003	object name exists	1
2176	\BaseNamedObjects\CTF.TimListCache.FMPDefaultS-1-5-21-220523388-1935655697-1343024091-1003MUTEX.DefaultS-1-5-21-220523388-1935655697-1343024091-1003	object name exists	1
0	\BaseNamedObjects\981dsaf81wae98f19c8v98r1aeg1	success or wait	1
5561	\BaseNamedObjects\Local\ZonesCounterMutex	object name exists	1
1796	\BaseNamedObjects\Local\ZoneAttributeCacheCounterMutex	object name exists	2
895	\BaseNamedObjects\Local\ZonesCacheCounterMutex	object name exists	1
8011	\BaseNamedObjects\Local\ZonesLockedCacheCounterMutex	object name exists	1

Mutant released
Reputation	Name	Completion	Count

Process Activities:

Process started
Reputation	PID	Filepath	Cmdline	Flags	Completion	Count
24	1512	C:\WINDOWS\system32\cmd.exe	C:\WINDOWS\system32\cmd.exe /c explorer C:\	00000000	success or wait	1
21	488	C:\WINDOWS\system32\csrcs.exe	C:\WINDOWS\system32\csrcs.exe	00000000	success or wait	1
1	492	C:\WINDOWS\system32\cmd.exe	cmd /c C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	00000000	success or wait	1

Process opened
Reputation	PID	Access	Filepath	Cmdline	Completion	Count
0	1580	query information	C:\bfgbhk.ex.exe	C:\bfgbhk.ex.exe	success or wait	2

Process suspended
Reputation	PID	Filepath	Cmdline	Completion	Count

Process terminated
Reputation	PID	Filepath	Completion	Count
0	1580	C:\bfgbhk.ex.exe	success or wait	1
0	1580	C:\bfgbhk.ex.exe	success or wait	1

Thread Activities:

Thread opened
Reputation	TID	PID	Filepath	Access	Completion	Count

Thread created
Reputation	TID	PID	EIP	Filepath	Access	Completion	Count
0	528	1580	7C8106F9	C:\bfgbhk.ex.exe	terminate and suspend resume and alert and get context and set context and set information and query information and set token and impersonate and direct impersonation	success or wait	1
161	2044	1512	7C810705	C:\WINDOWS\system32\cmd.exe	terminate and suspend resume and alert and get context and set context and set information and query information and set token and impersonate and direct impersonation	success or wait	1
3	1600	488	7C810705	C:\WINDOWS\system32\csrcs.exe	terminate and suspend resume and alert and get context and set context and set information and query information and set token and impersonate and direct impersonation	success or wait	1
161	1424	492	7C810705	C:\WINDOWS\system32\cmd.exe	terminate and suspend resume and alert and get context and set context and set information and query information and set token and impersonate and direct impersonation	success or wait	1

Thread APC queued
Reputation	TID	PID	Path	Completion	Count

Thread context set
Reputation	TID	PID	DR0	DR1	DR2	DR3	DR7	EFLAGS	EIP	Completion	Count

Thread continue
Reputation	TID	DR0	DR1	DR2	DR3	DR7	EFLAGS	EIP	Completion	Count
161215	528	0	0	0	0	0	200	7C8106F9	no status	1
29735	1664	0	0	0	0	0	200	7C810705	no status	1

Thread context got
Reputation	TID	PID	DR0	DR1	DR2	DR3	DR7	EFLAGS	EIP	Completion	Count

Thread delayed
Reputation	TID	Delay	Completion	Count
28549800	5732	0s	success or wait	125
28549800	1320	0s	success or wait	1

Thread terminated
Reputation	TID	PID	Completion	Count

Memory Activities:

Memory read
Reputation	PID	Path	Base	Completion	Count
107	1512	C:\WINDOWS\system32\cmd.exe	7FFDB008	success or wait	1
1551	1512	C:\WINDOWS\system32\cmd.exe	4AD00000	success or wait	1
401	1512	C:\WINDOWS\system32\cmd.exe	4AD3E000	success or wait	1
81	1512	C:\WINDOWS\system32\cmd.exe	7FFDB010	success or wait	1
0	488	C:\WINDOWS\system32\csrcs.exe	7FFD6008	success or wait	1
0	488	C:\WINDOWS\system32\csrcs.exe	00400000	success or wait	1
0	488	C:\WINDOWS\system32\csrcs.exe	004CC000	success or wait	1
0	488	C:\WINDOWS\system32\csrcs.exe	004CC4F8	success or wait	1
0	488	C:\WINDOWS\system32\csrcs.exe	004CC510	success or wait	1
0	488	C:\WINDOWS\system32\csrcs.exe	004CC528	success or wait	1
685	492	C:\WINDOWS\system32\cmd.exe	7FFDE008	success or wait	1
1551	492	C:\WINDOWS\system32\cmd.exe	4AD00000	success or wait	1
401	492	C:\WINDOWS\system32\cmd.exe	4AD3E000	success or wait	1
28	492	C:\WINDOWS\system32\cmd.exe	7FFDE010	success or wait	1

Memory written
Reputation	PID	Filepath	Base	Completion	Count
1755	1512	C:\WINDOWS\system32\cmd.exe	00010000	success or wait	1
22	1512	C:\WINDOWS\system32\cmd.exe	00020000	success or wait	1
212	1512	C:\WINDOWS\system32\cmd.exe	7FFDB010	success or wait	1
278	1512	C:\WINDOWS\system32\cmd.exe	00030000	success or wait	1
13	1512	C:\WINDOWS\system32\cmd.exe	7FFDB1E8	success or wait	1
21	488	C:\WINDOWS\system32\csrcs.exe	00010000	success or wait	1
11	488	C:\WINDOWS\system32\csrcs.exe	00020000	success or wait	1
0	488	C:\WINDOWS\system32\csrcs.exe	7FFD6010	success or wait	1
0	488	C:\WINDOWS\system32\csrcs.exe	7FFD61E8	success or wait	1
1755	492	C:\WINDOWS\system32\cmd.exe	00010000	success or wait	1
15	492	C:\WINDOWS\system32\cmd.exe	00020000	success or wait	1
458	492	C:\WINDOWS\system32\cmd.exe	7FFDE010	success or wait	1
195	492	C:\WINDOWS\system32\cmd.exe	7FFDE1E8	success or wait	1

Driver Activities:

Driver loaded
Reputation	Service name path	Completion	Count

Driver unloaded
Reputation	Service name path	Completion	Count

System Activities:

System information set
Reputation	System info class	Data	Completion	Count

System information queried
Reputation	System info class	Completion	Count
1881168	BasicInformation	success or wait	8
47532	RangeStartInformation	success or wait	1
1881168	BasicInformation	success or wait	1
1881168	BasicInformation	success or wait	1
1881168	BasicInformation	success or wait	1
1881168	BasicInformation	success or wait	1
1881168	BasicInformation	success or wait	1
41192	ProcessorInformation	success or wait	8
1881168	BasicInformation	success or wait	2
1881168	BasicInformation	success or wait	1
1881168	BasicInformation	success or wait	1
1881168	BasicInformation	success or wait	1
1881168	BasicInformation	success or wait	1
8730	PerformanceInformation	success or wait	1
25123	WatchdogTimerHandler	success or wait	1
39019	CurrentTimeZoneInformation	success or wait	1
44534	ProcessInformation	success or wait	1
44534	ProcessInformation	success or wait	1
44534	ProcessInformation	success or wait	1
1881168	BasicInformation	success or wait	1
25123	WatchdogTimerHandler	success or wait	1
25123	WatchdogTimerHandler	success or wait	1

Time Activities:

Performance counter queried
Reputation	Count	Frequency	Completion	Count
1585156	1577445104	3579545	success or wait	1
1585156	1577446724	3579545	success or wait	1
1585156	1577475177	3579545	success or wait	1
1585156	1577475708	3579545	success or wait	1
1585156	1577481160	3579545	success or wait	1
1585156	1577543016	3579545	success or wait	1
1585156	1577603266	3579545	success or wait	1
1585156	1584350747	3579545	success or wait	1
1585156	1617486837	3579545	success or wait	1
1585156	1620308398	3579545	success or wait	1
1585156	1620309435	3579545	success or wait	1
1585156	1620311352	3579545	success or wait	1
1585156	1620312044	3579545	success or wait	1
1585156	1620493329	3579545	success or wait	1
1585156	1620493969	3579545	success or wait	1
1585156	1620505447	3579545	success or wait	1
1585156	1620507304	3579545	success or wait	1
1585156	1620547205	3579545	success or wait	1
1585156	1620547806	3579545	success or wait	1
1585156	1620574291	3579545	success or wait	1
1585156	1620574993	3579545	success or wait	1
1585156	1639377893	3579545	success or wait	1
332558	1639380762	0	success or wait	1
332558	1639381254	0	success or wait	1
332558	1639390548	0	success or wait	1
332558	1639394702	0	success or wait	1
332558	1639445102	0	success or wait	1
332558	1639445369	0	success or wait	1
332558	1639459267	0	success or wait	1
332558	1639462067	0	success or wait	1
332558	1639467688	0	success or wait	1
332558	1639467866	0	success or wait	1
332558	1639471872	0	success or wait	1
332558	1639474566	0	success or wait	1
332558	1639538775	0	success or wait	1
332558	1639539036	0	success or wait	1
332558	1639539943	0	success or wait	1
332558	1639540202	0	success or wait	1
332558	1639552694	0	success or wait	1
332558	1639557042	0	success or wait	1
332558	1639603872	0	success or wait	1
332558	1639604141	0	success or wait	1
332558	1639604941	0	success or wait	1
332558	1639610851	0	success or wait	1
332558	1639631157	0	success or wait	1
332558	1639632836	0	success or wait	1
332558	1639637105	0	success or wait	1
332558	1639638766	0	success or wait	1
332558	1639650507	0	success or wait	1
332558	1639651380	0	success or wait	1
332558	1639653479	0	success or wait	1
332558	1639654911	0	success or wait	1
332558	1639655782	0	success or wait	1
332558	1639661093	0	success or wait	1
332558	1639669219	0	success or wait	1
332558	1639669777	0	success or wait	1
332558	1639686351	0	success or wait	1
332558	1639689127	0	success or wait	1
332558	1639691646	0	success or wait	1
332558	1639693645	0	success or wait	1
332558	1639702960	0	success or wait	1
332558	1639706080	0	success or wait	1
332558	1639709192	0	success or wait	1
332558	1639711099	0	success or wait	1
332558	1640556769	0	success or wait	1
332558	1640557882	0	success or wait	1
332558	1640566853	0	success or wait	1
332558	1640570223	0	success or wait	1
332558	1640574220	0	success or wait	1
332558	1640577305	0	success or wait	1
332558	1640586292	0	success or wait	1
332558	1640590337	0	success or wait	1
332558	1640594577	0	success or wait	1
332558	1640597653	0	success or wait	1
332558	1640604904	0	success or wait	1
332558	1640606821	0	success or wait	1
332558	1640608631	0	success or wait	1
332558	1640611400	0	success or wait	1
332558	1640614588	0	success or wait	1
332558	1640614851	0	success or wait	1
332558	1640622401	0	success or wait	1
332558	1640623074	0	success or wait	1
332558	1640627266	0	success or wait	1
332558	1640628148	0	success or wait	1
332558	1640636439	0	success or wait	1
332558	1640637157	0	success or wait	1
332558	1640640324	0	success or wait	1
332558	1640642355	0	success or wait	1
332558	1640643671	0	success or wait	1
332558	1640649105	0	success or wait	1
332558	1640658855	0	success or wait	1
332558	1640663753	0	success or wait	1
332558	1640666778	0	success or wait	1
332558	1640667696	0	success or wait	1
332558	1640672191	0	success or wait	1
332558	1640673998	0	success or wait	1
332558	1640689511	0	success or wait	1
332558	1640690543	0	success or wait	1
332558	1640700403	0	success or wait	1
332558	1640701190	0	success or wait	1
332558	1640711944	0	success or wait	1
332558	1640714239	0	success or wait	1
332558	1640717327	0	success or wait	1
332558	1640719507	0	success or wait	1
332558	1640722215	0	success or wait	1
332558	1640722384	0	success or wait	1
332558	1640723010	0	success or wait	1
332558	1640730413	0	success or wait	1
332558	1640735634	0	success or wait	1
332558	1640737876	0	success or wait	1
332558	1640746892	0	success or wait	1
332558	1640747497	0	success or wait	1
332558	1640752617	0	success or wait	1
332558	1640758931	0	success or wait	1
332558	1640766678	0	success or wait	1
332558	1640769474	0	success or wait	1
332558	1640772577	0	success or wait	1
332558	1640773996	0	success or wait	1
332558	1640774784	0	success or wait	1
332558	1640779999	0	success or wait	1
332558	1640783076	0	success or wait	1
332558	1640783952	0	success or wait	1
332558	1640793444	0	success or wait	1
332558	1640795641	0	success or wait	1
332558	1640800630	0	success or wait	1
332558	1640802465	0	success or wait	1
332558	1640807762	0	success or wait	1
332558	1640809317	0	success or wait	1
332558	1640815775	0	success or wait	1
332558	1640817737	0	success or wait	1
332558	1640824430	0	success or wait	1
332558	1640828857	0	success or wait	1
332558	1640835449	0	success or wait	1
332558	1640836667	0	success or wait	1
332558	1640837585	0	success or wait	1
332558	1640837845	0	success or wait	1
332558	1640847015	0	success or wait	1
332558	1640849251	0	success or wait	1
332558	1640849987	0	success or wait	1
332558	1640850161	0	success or wait	1
332558	1640858185	0	success or wait	1
332558	1640858359	0	success or wait	1
332558	1640865603	0	success or wait	1
332558	1640865970	0	success or wait	1
332558	1640866580	0	success or wait	1
332558	1640866843	0	success or wait	1
332558	1640867345	0	success or wait	1
332558	1640871298	0	success or wait	1
332558	1640873659	0	success or wait	1
332558	1640874022	0	success or wait	1
332558	1640874624	0	success or wait	1
332558	1640874887	0	success or wait	1
332558	1640875463	0	success or wait	1
332558	1640880392	0	success or wait	1
332558	1640883226	0	success or wait	1
332558	1640883489	0	success or wait	1
332558	1640884388	0	success or wait	1
332558	1640888830	0	success or wait	1
332558	1640890887	0	success or wait	1
332558	1640892285	0	success or wait	1
332558	1640892967	0	success or wait	1
332558	1640893228	0	success or wait	1
332558	1640900150	0	success or wait	1
332558	1640900475	0	success or wait	1
332558	1640907995	0	success or wait	1
332558	1640908357	0	success or wait	1
332558	1640909617	0	success or wait	1
332558	1640915786	0	success or wait	1
332558	1640918922	0	success or wait	1
332558	1640919181	0	success or wait	1
332558	1640927710	0	success or wait	1
332558	1640928019	0	success or wait	1
332558	1640935532	0	success or wait	1
332558	1640935794	0	success or wait	1
332558	1640943476	0	success or wait	1
332558	1640943738	0	success or wait	1
332558	1640950489	0	success or wait	1
332558	1640950750	0	success or wait	1
332558	1640954986	0	success or wait	1
332558	1640957200	0	success or wait	1
332558	1640958018	0	success or wait	1
332558	1640958190	0	success or wait	1
332558	1640964515	0	success or wait	1
332558	1640964876	0	success or wait	1
332558	1640966018	0	success or wait	1
332558	1640969760	0	success or wait	1
332558	1640973057	0	success or wait	1
332558	1640973331	0	success or wait	1
332558	1640974429	0	success or wait	1
332558	1640980070	0	success or wait	1
332558	1640983219	0	success or wait	1
332558	1640983482	0	success or wait	1
332558	1640994218	0	success or wait	1
332558	1640996278	0	success or wait	1
332558	1640997392	0	success or wait	1
332558	1640997661	0	success or wait	1
332558	1640998321	0	success or wait	1
332558	1640998589	0	success or wait	1
332558	1641003540	0	success or wait	1
332558	1641006069	0	success or wait	1
332558	1641022324	0	success or wait	1
332558	1641023610	0	success or wait	1
332558	1641031847	0	success or wait	1
332558	1641034060	0	success or wait	1
332558	1641035365	0	success or wait	1
332558	1641035626	0	success or wait	1
332558	1641045458	0	success or wait	1
332558	1641045633	0	success or wait	1
332558	1641046226	0	success or wait	1
332558	1641046485	0	success or wait	1
332558	1641046985	0	success or wait	1
332558	1641051780	0	success or wait	1
332558	1641052782	0	success or wait	1
332558	1641052953	0	success or wait	1
332558	1641053513	0	success or wait	1
332558	1641056455	0	success or wait	1
332558	1641058546	0	success or wait	1
332558	1641059211	0	success or wait	1
332558	1641069343	0	success or wait	1
332558	1641069607	0	success or wait	1
332558	1641070798	0	success or wait	1
332558	1641074013	0	success or wait	1
332558	1641075520	0	success or wait	1
332558	1641075781	0	success or wait	1
332558	1641076617	0	success or wait	1
332558	1641076917	0	success or wait	1
332558	1641084516	0	success or wait	1
332558	1641087615	0	success or wait	1
332558	1641089945	0	success or wait	1
332558	1641090208	0	success or wait	1
332558	1641095578	0	success or wait	1
332558	1641095840	0	success or wait	1
332558	1641096392	0	success or wait	1
332558	1641096653	0	success or wait	1
332558	1641101363	0	success or wait	1
332558	1641101625	0	success or wait	1
332558	1641108020	0	success or wait	1
332558	1641108280	0	success or wait	1
332558	1641113863	0	success or wait	1
332558	1641114124	0	success or wait	1
332558	1641114585	0	success or wait	1
332558	1641114845	0	success or wait	1
332558	1641122927	0	success or wait	1
332558	1641134547	0	success or wait	1
332558	1641140594	0	success or wait	1
332558	1641140859	0	success or wait	1
332558	1641141443	0	success or wait	1
332558	1641141706	0	success or wait	1
332558	1641148090	0	success or wait	1
332558	1641150997	0	success or wait	1
332558	1641153185	0	success or wait	1
332558	1641158449	0	success or wait	1
332558	1641161871	0	success or wait	1
332558	1641162132	0	success or wait	1
332558	1641171392	0	success or wait	1
332558	1641171560	0	success or wait	1
332558	1641180434	0	success or wait	1
332558	1641180809	0	success or wait	1
332558	1641190038	0	success or wait	1
332558	1641193186	0	success or wait	1
332558	1641194249	0	success or wait	1
332558	1641194504	0	success or wait	1
332558	1641199706	0	success or wait	1
332558	1641201946	0	success or wait	1
332558	1641203402	0	success or wait	1
332558	1641207625	0	success or wait	1
332558	1641212490	0	success or wait	1
332558	1641212757	0	success or wait	1
332558	1641216844	0	success or wait	1
332558	1641220333	0	success or wait	1
332558	1641222616	0	success or wait	1
332558	1641225174	0	success or wait	1
332558	1641228386	0	success or wait	1
332558	1641228655	0	success or wait	1
332558	1641233498	0	success or wait	1
332558	1641233767	0	success or wait	1
332558	1641239642	0	success or wait	1
332558	1641239822	0	success or wait	1
332558	1641244586	0	success or wait	1
332558	1641244958	0	success or wait	1
332558	1641245837	0	success or wait	1
332558	1641246110	0	success or wait	1
332558	1641250700	0	success or wait	1
332558	1641250971	0	success or wait	1
332558	1641255742	0	success or wait	1
332558	1641256144	0	success or wait	1
332558	1641259369	0	success or wait	1
332558	1641260917	0	success or wait	1
332558	1641265496	0	success or wait	1
332558	1641266795	0	success or wait	1
332558	1641268356	0	success or wait	1
332558	1641270720	0	success or wait	1
332558	1641273339	0	success or wait	1
332558	1641273511	0	success or wait	1
332558	1641280820	0	success or wait	1
332558	1641280994	0	success or wait	1
332558	1641287118	0	success or wait	1
332558	1641287293	0	success or wait	1
332558	1641293465	0	success or wait	1
332558	1641293822	0	success or wait	1

System resolution queried
Reputation	Minimum resolution	Maximum resolution	Current resolution	Completion	Count
1	40244204340873008	5576704752533645104	430115204990768	success or wait	1

System time queried
Reputation	Time	Completion	Count
199861	129252592686234147	success or wait	1

User Activities:

Window created
Reputation	Window name	Class name	Completion	Count
170	AutoIt v3	AutoIt v3	success	1
222	6.0.2600.5512!Edit	edit	success	1
14716	no string	no string	success	1

Window found
Reputation	Window name	Class name	Completion	Count
23050	no string	Shell_TrayWnd	success	5

Window hook set
Reputation	Module	Thread id	Hook code	Completion	Count
32955	C:\WINDOWS\system32\MSCTF.dll	1664	keyboard	success	1
3631	C:\WINDOWS\system32\MSCTF.dll	1664	mouse	success	1

Key async got
Reputation	Virtual key code	Key state	Count

Keyboard state got
Reputation	Completion	Count

Key state got
Reputation	Virtual key code	State	Count

Debug Activities:

System debug info set
Reputation	Debug info class	Input data	Output data	Completion	Count

Exception Activities:

Exception raised
Reputation	Exception code	Address	Completion	Count

Chronological sections
Operation	Data	Completion	Time
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bfgbhk.ex.exe Access: generic read	object name not found	1577161740
System info queried	Type: BasicInformation	success or wait	1577163352
System info queried	Type: BasicInformation	success or wait	1577165386
Section opened	Access: map write and map read and map execute Baseaddress: 7C800000 Size: F6000 Mapped to pid: own pid Path: \KnownDlls\kernel32.dll	success or wait	1577167819
System info queried	Type: RangeStartInformation	success or wait	1577171036
System info queried	Type: BasicInformation	success or wait	1577171154
Section created	Access: query and map write and map read and map execute and extend size Protection: read write Attributes: reserve Path: not known Type: reserve Baseaddress: not known Entrypoint: not known Mapped to pid: own pid Size: 10000	success or wait	1577171497
System info queried	Type: BasicInformation	success or wait	1577176599
Key opened	Path: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server Access: query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1577178822
Key value queried	Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Terminal Server Name: TSAppCompat	success or wait	1577180618
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bfgbhk.ex.exe Access: generic read	object name not found	1577181525
Section opened	Access: map read Baseaddress: 00070000 Size: 15DF4 Mapped to pid: own pid Path: \NLS\NlsSectionUnicode	success or wait	1577181768
Section opened	Access: map read Baseaddress: 00090000 Size: 40EDC Mapped to pid: own pid Path: \NLS\NlsSectionLocale	success or wait	1577183116
Section opened	Access: query and map read Baseaddress: 000E0000 Size: 40004 Mapped to pid: own pid Path: \NLS\NlsSectionSortkey	success or wait	1577183852
Section opened	Access: map read Baseaddress: 00130000 Size: 5A04 Mapped to pid: own pid Path: \NLS\NlsSectionSortTbls	success or wait	1577184520
Section opened	Access: map read Baseaddress: not known Size: not known Mapped to pid: own pid Path: \NLS\NlsSectionSortkey00000409	object name not found	1577186634
Section opened	Access: map read Baseaddress: not known Size: not known Mapped to pid: own pid Path: \NLS\NlsSectionSortkey00000409	object name not found	1577186876
Section opened	Access: map write and map read and map execute Baseaddress: 77DD0000 Size: 9B000 Mapped to pid: own pid Path: \KnownDlls\ADVAPI32.dll	success or wait	1577190363
Section opened	Access: map write and map read and map execute Baseaddress: 77E70000 Size: 92000 Mapped to pid: own pid Path: \KnownDlls\RPCRT4.dll	success or wait	1577193788
Section opened	Access: map write and map read and map execute Baseaddress: 77FE0000 Size: 11000 Mapped to pid: own pid Path: \KnownDlls\Secur32.dll	success or wait	1577197341
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots Access: enumerate sub key and read or execute	object name not found	1577203553
Section created	Access: query and map write and map read and map execute Protection: execute Attributes: image Path: not known Type: image Baseaddress: 773D0000 Entrypoint: 773D4256 Mapped to pid: own pid Size: 103000	success or wait	1577206652
Key opened	Path: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot\Option Access: query value and set value and read or execute and write	object name not found	1577207579
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Access: query value and read or execute	success or wait	1577207814
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers Name: TransparentEnabled	success or wait	1577208410
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Access: query value and read or execute	object name not found	1577209394
Section opened	Access: map write and map read and map execute Baseaddress: 77C10000 Size: 58000 Mapped to pid: own pid Path: \KnownDlls\msvcrt.dll	success or wait	1577210894
Section opened	Access: map write and map read and map execute Baseaddress: 77F10000 Size: 49000 Mapped to pid: own pid Path: \KnownDlls\GDI32.dll	success or wait	1577215795
Section opened	Access: map write and map read and map execute Baseaddress: 7E410000 Size: 91000 Mapped to pid: own pid Path: \KnownDlls\USER32.dll	success or wait	1577218772
Section opened	Access: map write and map read and map execute Baseaddress: 77F60000 Size: 76000 Mapped to pid: own pid Path: \KnownDlls\SHLWAPI.dll	success or wait	1577224946
Section opened	Access: map write and map read and map execute Baseaddress: 763B0000 Size: 49000 Mapped to pid: own pid Path: \KnownDlls\COMDLG32.dll	success or wait	1577231049
Section opened	Access: map write and map read and map execute Baseaddress: 7C9C0000 Size: 817000 Mapped to pid: own pid Path: \KnownDlls\SHELL32.dll	success or wait	1577234708
Section opened	Access: map write and map read and map execute Baseaddress: 71B20000 Size: 12000 Mapped to pid: own pid Path: \KnownDlls\MPR.dll	success or wait	1577245966
Section opened	Access: map write and map read and map execute Baseaddress: 774E0000 Size: 13D000 Mapped to pid: own pid Path: \KnownDlls\ole32.dll	success or wait	1577249745
Section opened	Access: map write and map read and map execute Baseaddress: 77120000 Size: 8B000 Mapped to pid: own pid Path: \KnownDlls\OLEAUT32.dll	success or wait	1577255895
Section opened	Access: map write and map read and map execute Baseaddress: not known Size: not known Mapped to pid: own pid Path: \KnownDlls\PSAPI.DLL	object name not found	1577261027
Section created	Access: query and map write and map read and map execute Protection: execute Attributes: image Path: not known Type: image Baseaddress: 76BF0000 Entrypoint: 76BF10F1 Mapped to pid: own pid Size: B000	success or wait	1577262321
Section opened	Access: map write and map read and map execute Baseaddress: 769C0000 Size: B4000 Mapped to pid: own pid Path: \KnownDlls\USERENV.dll	success or wait	1577267429
Section opened	Access: map write and map read and map execute Baseaddress: 77C00000 Size: 8000 Mapped to pid: own pid Path: \KnownDlls\VERSION.dll	success or wait	1577273778
Section opened	Access: map write and map read and map execute Baseaddress: 3D930000 Size: E6000 Mapped to pid: own pid Path: \KnownDlls\WININET.dll	success or wait	1577276788
Section opened	Access: map write and map read and map execute Baseaddress: 00140000 Size: 9000 Mapped to pid: own pid Path: \KnownDlls\Normaliz.dll	success or wait	1577281884
Section opened	Access: map write and map read and map execute Baseaddress: 78130000 Size: 132000 Mapped to pid: own pid Path: \KnownDlls\urlmon.dll	success or wait	1577287597
Section opened	Access: map write and map read and map execute Baseaddress: 3DFD0000 Size: 1E8000 Mapped to pid: own pid Path: \KnownDlls\iertutil.dll	success or wait	1577295476
Section opened	Access: map write and map read and map execute Baseaddress: not known Size: not known Mapped to pid: own pid Path: \KnownDlls\WINMM.dll	object name not found	1577304952
Section created	Access: query and map write and map read and map execute Protection: execute Attributes: image Path: not known Type: image Baseaddress: 76B40000 Entrypoint: 76B42B61 Mapped to pid: own pid Size: 2D000	success or wait	1577306337
Section opened	Access: map write and map read and map execute Baseaddress: not known Size: not known Mapped to pid: own pid Path: \KnownDlls\WSOCK32.dll	object name not found	1577312417
Section created	Access: query and map write and map read and map execute Protection: execute Attributes: image Path: not known Type: image Baseaddress: 71AD0000 Entrypoint: 71AD1039 Mapped to pid: own pid Size: 9000	success or wait	1577313767
Section opened	Access: map write and map read and map execute Baseaddress: not known Size: not known Mapped to pid: own pid Path: \KnownDlls\WS2_32.dll	object name not found	1577315852
Section created	Access: query and map write and map read and map execute Protection: execute Attributes: image Path: not known Type: image Baseaddress: 71AB0000 Entrypoint: 71AB1273 Mapped to pid: own pid Size: 17000	success or wait	1577317024
Section opened	Access: map write and map read and map execute Baseaddress: not known Size: not known Mapped to pid: own pid Path: \KnownDlls\WS2HELP.dll	object name not found	1577320975
Section created	Access: query and map write and map read and map execute Protection: execute Attributes: image Path: not known Type: image Baseaddress: 71AA0000 Entrypoint: 71AA1638 Mapped to pid: own pid Size: 8000	success or wait	1577322361
File read	Path: C:\bfgbhk.ex.exe	success or wait	1577329255
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Secur32.dll Access: generic read	object name not found	1577337612
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RPCRT4.dll Access: generic read	object name not found	1577338429
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ADVAPI32.dll Access: generic read	object name not found	1577338699
Key opened	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Access: query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1577339239
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Name: LeakTrack	object name not found	1577339642
Key opened	Path: HKEY_LOCAL_MACHINE Access: maximum allowed	success or wait	1577340063
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Diagnostics Access: query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1577340431
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msvcrt.dll Access: generic read	object name not found	1577340810
System info queried	Type: BasicInformation	success or wait	1577341390
Section opened	Access: map read Baseaddress: 00160000 Size: 20C2 Mapped to pid: own pid Path: \NLS\NlsSectionCType	success or wait	1577342984
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\USER32.dll Access: generic read	object name not found	1577346584
System info queried	Type: BasicInformation	success or wait	1577347130
Key opened	Path: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager Access: query value and read or execute	success or wait	1577348396
Key value queried	Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager Name: SafeDllSearchMode	object name not found	1577348667
Section created	Access: map write and map read and map execute Protection: execute Attributes: commit Path: not known Type: commit Baseaddress: 00240000 Entrypoint: not known Mapped to pid: own pid Size: 1AE00	success or wait	1577350070
Section created	Access: map write and map read and map execute Protection: execute Attributes: commit Path: not known Type: commit Baseaddress: 00240000 Entrypoint: not known Mapped to pid: own pid Size: 1AE00	success or wait	1577352307
Section created	Access: query and map write and map read and map execute Protection: execute Attributes: image Path: not known Type: image Baseaddress: 76390000 Entrypoint: 763912C0 Mapped to pid: own pid Size: 1D000	success or wait	1577354123
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IMM32.DLL Access: generic read	object name not found	1577358557
System info queried	Type: BasicInformation	success or wait	1577358730
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ntdll.dll Access: generic read	object name not found	1577359715
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kernel32.dll Access: generic read	object name not found	1577360021
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GDI32.dll Access: generic read	object name not found	1577360313
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SHLWAPI.dll Access: generic read	object name not found	1577360558
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\COMCTL32.dll Access: generic read	object name not found	1577360792
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SHELL32.dll Access: generic read	object name not found	1577361066
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\COMDLG32.dll Access: generic read	object name not found	1577361303
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MPR.dll Access: generic read	object name not found	1577361541
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ole32.dll Access: generic read	object name not found	1577361812
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\OLEAUT32.dll Access: generic read	object name not found	1577362178
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PSAPI.DLL Access: generic read	object name not found	1577362416
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\USERENV.dll Access: generic read	object name not found	1577362652
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\VERSION.dll Access: generic read	object name not found	1577362889
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Normaliz.dll Access: generic read	object name not found	1577363125
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iertutil.dll Access: generic read	object name not found	1577363363
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\urlmon.dll Access: generic read	object name not found	1577363713
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WININET.dll Access: generic read	object name not found	1577363951
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WINMM.dll Access: generic read	object name not found	1577364813
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WS2HELP.dll Access: generic read	object name not found	1577365049
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WS2_32.dll Access: generic read	object name not found	1577365282
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WSOCK32.dll Access: generic read	object name not found	1577365652
Key opened	Path: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Error Message Instrument\ Access: query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1577366320
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize Access: query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1577366750
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize Name: DisableMetaFiles	object name not found	1577367100
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows Access: query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1577369764
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Name: AppInit_DLLs	success or wait	1577369984
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Performance Access: maximum allowed	object name not found	1577372006
Section created	Access: map write and map read and map execute Protection: execute Attributes: commit Path: not known Type: commit Baseaddress: 00370000 Entrypoint: not known Mapped to pid: own pid Size: 2ED	success or wait	1577374875
File opened	Path: C:\WINDOWS\WindowsShell.Manifest Access: read attributes and synchronize and generic read Disposition: open Options: synchronous io non alert and non directory file Attributes: none	success or wait	1577376631
Section created	Access: query and map read Protection: readonly Attributes: commit Path: not known Type: commit Baseaddress: 00370000 Entrypoint: not known Mapped to pid: own pid Size: 2ED	success or wait	1577376961
Section created	Access: map read Protection: readonly Attributes: commit Path: not known Type: commit Baseaddress: 00370000 Entrypoint: not known Mapped to pid: own pid Size: 2ED	success or wait	1577378732
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003 Access: query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1577392337
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Control Panel\Desktop Access: query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1577393297
Key value queried	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Control Panel\Desktop Name: SmoothScroll	object name not found	1577393554
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\software\Microsoft\Windows\CurrentVersion\Explorer\Advanced Access: query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1577394763
Key value queried	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced Name: EnableBalloonTips	object name not found	1577395058
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\LanguagePack Access: query value and read or execute	success or wait	1577395823
Key opened	Path: HKEY_LOCAL_MACHINE\SYSTEM\Setup Access: query value and read or execute	success or wait	1577400037
Key value queried	Path: HKEY_LOCAL_MACHINE\SYSTEM\Setup Name: SystemSetupInProgress	success or wait	1577400373
Section created	Access: map read Protection: readonly Attributes: commit Path: not known Type: commit Baseaddress: 00FF0000 Entrypoint: not known Mapped to pid: own pid Size: 811C00	success or wait	1577401784
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots Access: enumerate sub key and read or execute	object name not found	1577418482
Key opened	Path: HKEY_LOCAL_MACHINE\system\CurrentControlSet\control\NetworkProvider\HwOrder Access: query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1577421712
System info queried	Type: BasicInformation	success or wait	1577425515
System info queried	Type: ProcessorInformation	success or wait	1577425661
Key opened	Path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager Access: query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1577426083
Key value queried	Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager Name: CriticalSectionTimeout	success or wait	1577426320
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Ole Access: query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1577426724
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole Name: RWLockResourceTimeOut	object name not found	1577427030
System info queried	Type: BasicInformation	success or wait	1577427369
System info queried	Type: ProcessorInformation	success or wait	1577427606
System info queried	Type: BasicInformation	success or wait	1577427743
System info queried	Type: ProcessorInformation	success or wait	1577427893
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Classes\Interface Access: query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1577428138
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface Name: InterfaceHelperDisableAll	object name not found	1577428530
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface Name: InterfaceHelperDisableAllForOle32	object name not found	1577428702
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface Name: InterfaceHelperDisableTypeLib	object name not found	1577428870
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Classes\Interface\{00020400-0000-0000-C000-000000000046} Access: query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1577429167
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{00020400-0000-0000-C000-000000000046} Name: InterfaceHelperDisableAll	object name not found	1577429473
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{00020400-0000-0000-C000-000000000046} Name: InterfaceHelperDisableAllForOle32	object name not found	1577429643
Key opened	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLEAUT Access: query value and read or execute	object name not found	1577430195
Key opened	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLEAUT\UserEra Access: query value and enumerate sub key and read or execute	object name not found	1577430900
Key opened	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLEAUT Access: query value and read or execute	object name not found	1577431510
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\winlogon Access: maximum allowed	success or wait	1577432481
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Name: UserEnvDebugLevel	object name not found	1577432708
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\winlogon Access: maximum allowed	success or wait	1577433150
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Name: ChkAccDebugLevel	object name not found	1577433445
Key opened	Path: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\ProductOptions Access: query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1577433957
Key value queried	Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ProductOptions Name: ProductType	success or wait	1577434268
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003 Access: query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1577438957
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders Access: query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1577439209
Key value queried	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders Name: Personal	success or wait	1577439469
Key value queried	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders Name: Local Settings	success or wait	1577439855
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\winlogon Access: maximum allowed	success or wait	1577440904
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Name: RsopDebugLevel	object name not found	1577441117
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\winlogon Access: maximum allowed	success or wait	1577441530
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Name: UserEnvDebugLevel	object name not found	1577441738
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Name: RsopLogging	object name not found	1577442004
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System Access: maximum allowed	success or wait	1577442486
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System Name: UserEnvDebugLevel	object name not found	1577442789
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System Name: RsopLogging	object name not found	1577443090
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\winlogon Access: maximum allowed	success or wait	1577443506
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Name: UserEnvDebugLevel	object name not found	1577443720
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System Access: maximum allowed	success or wait	1577444180
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System Name: UserEnvDebugLevel	object name not found	1577444392
Performance counter queried	Count: 1577445104 Frequency: 3579545	success or wait	1577445082
Performance counter queried	Count: 1577446724 Frequency: 3579545	success or wait	1577446703
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots Access: enumerate sub key and read or execute	object name not found	1577462159
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_Classes Access: maximum allowed	success or wait	1577465574
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_CLASSES\PROTOCOLS\Name-Space Handler\ Access: maximum allowed	object name not found	1577466667
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Classes\PROTOCOLS\Name-Space Handler Access: maximum allowed	success or wait	1577466886
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_Classes\PROTOCOLS\Name-Space Handler Access: maximum allowed	object name not found	1577468324
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003 Access: maximum allowed	success or wait	1577470355
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings Access: query value and read or execute	object name not found	1577470778
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings Access: query value and read or execute	object name not found	1577470994
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings Access: query value and read or execute	success or wait	1577471202
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings Name: DisableImprovedZoneCheck	object name not found	1577471544
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings Access: query value and read or execute	object name not found	1577472123
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_PROTOCOL_LOCKDOWN Access: query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1577474132
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_PROTOCOL_LOCKDOWN Access: query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1577474395
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_PROTOCOL_LOCKDOWN Access: query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1577474649
Performance counter queried	Count: 1577475177 Frequency: 3579545	success or wait	1577475153
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_PROTOCOL_LOCKDOWN Name: bfgbhk.ex.exe	object name not found	1577475384
Performance counter queried	Count: 1577475708 Frequency: 3579545	success or wait	1577475686
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_PROTOCOL_LOCKDOWN Name: *	object name not found	1577475912
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ Access: query value and read or execute	object name not found	1577476698
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings Access: query value and read or execute	object name not found	1577476961
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl Access: query value and read or execute	object name not found	1577477185
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl Access: query value and read or execute	object name not found	1577477407
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl Access: query value and read or execute	success or wait	1577477627
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Internet Explorer\Main\FeatureControl Access: query value and read or execute	object name not found	1577477893
Key opened	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_IGNORE_POLICIES_ZONEMAP_IF_ESC_ENABLED_KB918915 Access: query value and read or execute	object name not found	1577478155
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ Access: query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1577478498
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ Access: query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1577478721
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ Access: query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1577478940
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ Access: query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1577479159
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ Access: query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1577479381
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ Access: query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1577479600
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_UNC_SAVEDFILECHECK Access: query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1577479901
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_UNC_SAVEDFILECHECK Access: query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1577480194
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_UNC_SAVEDFILECHECK Access: query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1577480493
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_UNC_SAVEDFILECHECK Access: query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1577480752
Performance counter queried	Count: 1577481160 Frequency: 3579545	success or wait	1577481139
System info queried	Type: BasicInformation	success or wait	1577482468
File overwritten	Path: WMIDataDevice Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: normal	success or wait	1577484548
File overwritten	Path: WMIDataDevice Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: normal	success or wait	1577485920
Thread created	Access: terminate and suspend resume and alert and get context and set context and set information and query information and set token and impersonate and direct impersonation PID: 1580 TID: 528 EIP: 7C8106F9 Imagepath: C:\bfgbhk.ex.exe	success or wait	1577489134
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots Access: enumerate sub key and read or execute	object name not found	1577508078
Key created	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings Access: query value and set value and create sub key and enumerate sub key and notify and read or execute and write and read control Options: non volatile	success or wait	1577510478
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\DRIVERS32 Access: generic read	success or wait	1577511740
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: wave	success or wait	1577511968
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: wave	success or wait	1577513141
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: wave1	object name not found	1577513738
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: wave2	object name not found	1577514263
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: wave3	object name not found	1577514897
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: wave4	object name not found	1577515417
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: wave5	object name not found	1577516005
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: wave6	object name not found	1577516530
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: wave7	object name not found	1577517085
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: wave8	object name not found	1577517604
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: wave9	object name not found	1577518158
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: midi	success or wait	1577518679
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: midi	success or wait	1577519252
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: midi1	object name not found	1577519870
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: midi2	object name not found	1577520393
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: midi3	object name not found	1577520954
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: midi4	object name not found	1577521474
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: midi5	object name not found	1577522034
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: midi6	object name not found	1577522554
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: midi7	object name not found	1577523600
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: midi8	object name not found	1577527147
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: midi9	object name not found	1577527765
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: aux	success or wait	1577528611
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: aux	success or wait	1577529237
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: aux1	object name not found	1577529765
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: aux2	object name not found	1577530502
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: aux3	object name not found	1577531023
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: aux4	object name not found	1577531579
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: aux5	object name not found	1577532099
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: aux6	object name not found	1577532676
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: aux7	object name not found	1577533194
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: aux8	object name not found	1577533795
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: aux9	object name not found	1577534316
Key opened	Path: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\MediaProperties\PrivateProperties\Joystick\Winmm Access: query value and set value and create sub key and enumerate sub key and notify and create link and read or execute and write and delete and read control and write dac and write owner	success or wait	1577534936
Key value queried	Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\MediaProperties\PrivateProperties\Joystick\Winmm Name: wheel	success or wait	1577535340
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: mixer	success or wait	1577535957
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: mixer	success or wait	1577536538
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: mixer1	object name not found	1577537065
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: mixer2	object name not found	1577538056
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: mixer3	object name not found	1577538577
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: mixer4	object name not found	1577539134
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: mixer5	object name not found	1577539654
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: mixer6	object name not found	1577540209
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: mixer7	object name not found	1577540732
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: mixer8	object name not found	1577541343
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: mixer9	object name not found	1577541862
System info queried	Type: BasicInformation	success or wait	1577542580
System info queried	Type: ProcessorInformation	success or wait	1577542732
Performance counter queried	Count: 1577543016 Frequency: 3579545	success or wait	1577542992
Thread continue	TID: 528 DR0: 0 DR1: 0 DR2: 0 DR3: 0 DR7: 0 EIP: 7C8106F9 EFLAGS: 200	no status	1577543998
Thread continue	TID: 1664 DR0: 0 DR1: 0 DR2: 0 DR3: 0 DR7: 0 EIP: 7C810705 EFLAGS: 200	no status	1577552339
Performance counter queried	Count: 1577603266 Frequency: 3579545	success or wait	1577603244
System info queried	Type: BasicInformation	success or wait	1577603398
System info queried	Type: BasicInformation	success or wait	1577609308
System info queried	Type: ProcessorInformation	success or wait	1577609439
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Control Panel\Mouse Access: query value and read or execute	success or wait	1577611993
Key value queried	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Control Panel\Mouse Name: SwapMouseButtons	success or wait	1577612331
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\AutoIt v3\AutoIt Access: query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1577615829
Section opened	Access: map write and map read and map execute Baseaddress: not known Size: not known Mapped to pid: own pid Path: \KnownDlls\uxtheme.dll	object name not found	1577617642
Section created	Access: query and map write and map read and map execute Protection: execute Attributes: image Path: not known Type: image Baseaddress: 5AD70000 Entrypoint: 5AD71626 Mapped to pid: own pid Size: 38000	success or wait	1577618959
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\uxtheme.dll Access: generic read	object name not found	1577624044
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003 Access: query value and set value and create sub key and enumerate sub key and notify and read or execute and write and read control	success or wait	1577625346
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\ThemeManager Access: query value and read or execute	success or wait	1577625619
Key value queried	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\ThemeManager Name: Compositing	object name not found	1577625888
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003 Access: query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1577627497
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Control Panel\Desktop Access: query value and read or execute	success or wait	1577627762
Key value queried	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Control Panel\Desktop Name: LameButtonText	object name not found	1577628056
File opened	Path: C:\bfgbhk.ex.exe Access: read attributes and synchronize and generic read Disposition: open Options: synchronous io non alert and non directory file Attributes: normal	success or wait	1577631429
File read	Path: C:\bfgbhk.ex.exe	success or wait	1577632021
File other operation	Disposition: PositionInformation Data: 00 00 01 00 00 00 00 00 Path: C:\bfgbhk.ex.exe	success or wait	1577681847
File other operation	Disposition: PositionInformation Data: EC FF 00 00 00 00 00 00 Path: C:\bfgbhk.ex.exe	success or wait	1577681995
File read	Path: C:\bfgbhk.ex.exe	success or wait	1577682176
File other operation	Disposition: PositionInformation Data: EC FF 01 00 00 00 00 00 Path: C:\bfgbhk.ex.exe	success or wait	1577732281
File other operation	Disposition: PositionInformation Data: D8 FF 01 00 00 00 00 00 Path: C:\bfgbhk.ex.exe	success or wait	1577732429
File read	Path: C:\bfgbhk.ex.exe	success or wait	1577732613
File other operation	Disposition: PositionInformation Data: D8 FF 02 00 00 00 00 00 Path: C:\bfgbhk.ex.exe	success or wait	1578549395
File other operation	Disposition: PositionInformation Data: C4 FF 02 00 00 00 00 00 Path: C:\bfgbhk.ex.exe	success or wait	1578549542
File read	Path: C:\bfgbhk.ex.exe	success or wait	1578549722
File other operation	Disposition: PositionInformation Data: C4 FF 03 00 00 00 00 00 Path: C:\bfgbhk.ex.exe	success or wait	1578598755
File other operation	Disposition: PositionInformation Data: B0 FF 03 00 00 00 00 00 Path: C:\bfgbhk.ex.exe	success or wait	1578598902
File read	Path: C:\bfgbhk.ex.exe	success or wait	1578599077
File other operation	Disposition: PositionInformation Data: B0 FF 04 00 00 00 00 00 Path: C:\bfgbhk.ex.exe	success or wait	1578643725
File other operation	Disposition: PositionInformation Data: 9C FF 04 00 00 00 00 00 Path: C:\bfgbhk.ex.exe	success or wait	1578643868
File read	Path: C:\bfgbhk.ex.exe	success or wait	1578644043
File other operation	Disposition: PositionInformation Data: 14 C8 05 00 00 00 00 00 Path: C:\bfgbhk.ex.exe	success or wait	1578688998
File read	Path: C:\bfgbhk.ex.exe	success or wait	1578689688
File other operation	Disposition: PositionInformation Data: 14 D8 05 00 00 00 00 00 Path: C:\bfgbhk.ex.exe	success or wait	1578693530
File other operation	Disposition: PositionInformation Data: 28 C8 05 00 00 00 00 00 Path: C:\bfgbhk.ex.exe	success or wait	1578693678
File read	Path: C:\bfgbhk.ex.exe	success or wait	1578693853
File other operation	Disposition: PositionInformation Data: 28 CA 05 00 00 00 00 00 Path: C:\bfgbhk.ex.exe	success or wait	1578694531
File other operation	Disposition: PositionInformation Data: B9 C8 05 00 00 00 00 00 Path: C:\bfgbhk.ex.exe	success or wait	1578694670
File read	Path: C:\bfgbhk.ex.exe	success or wait	1578694842
File other operation	Disposition: PositionInformation Data: B9 CA 05 00 00 00 00 00 Path: C:\bfgbhk.ex.exe	success or wait	1578695789
File other operation	Disposition: PositionInformation Data: 77 7A 08 00 00 00 00 00 Path: C:\bfgbhk.ex.exe	success or wait	1578695938
File read	Path: C:\bfgbhk.ex.exe	success or wait	1578696123
File other operation	Disposition: PositionInformation Data: 77 7C 08 00 00 00 00 00 Path: C:\bfgbhk.ex.exe	success or wait	1578696934
File other operation	Disposition: PositionInformation Data: 1A 7B 08 00 00 00 00 00 Path: C:\bfgbhk.ex.exe	success or wait	1578697076
File read	Path: C:\bfgbhk.ex.exe	success or wait	1578697250
File other operation	Disposition: PositionInformation Data: 1A 7D 08 00 00 00 00 00 Path: C:\bfgbhk.ex.exe	success or wait	1578697899
File other operation	Disposition: PositionInformation Data: 46 C6 08 00 00 00 00 00 Path: C:\bfgbhk.ex.exe	success or wait	1578698038
File read	Path: C:\bfgbhk.ex.exe	success or wait	1578698211
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer Access: query value and read or execute	success or wait	1578702971
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer Name: NoNetHood	object name not found	1578703815
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer Access: query value and read or execute	success or wait	1578704255
Key value queried	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer Name: NoNetHood	object name not found	1578704616
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer Access: query value and read or execute	success or wait	1578705278
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer Name: NoPropertiesMyComputer	object name not found	1578705503
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer Access: query value and read or execute	success or wait	1578706444
Key value queried	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer Name: NoPropertiesMyComputer	object name not found	1578707311
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer Access: query value and read or execute	success or wait	1578707975
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer Name: NoInternetIcon	object name not found	1578708201
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer Access: query value and read or execute	success or wait	1578708619
Key value queried	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer Name: NoInternetIcon	object name not found	1578708846
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer Access: query value and read or execute	success or wait	1578710384
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer Name: NoCommonGroups	object name not found	1578710611
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer Access: query value and read or execute	success or wait	1578711033
Key value queried	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer Name: NoCommonGroups	object name not found	1578711261
Key opened	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Objects\{20D04FE0-3AEA-1069-A2D8-08002B30309D} Access: query value and read or execute	object name not found	1578712184
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer Access: query value and read or execute	success or wait	1578712849
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer Name: NoControlPanel	object name not found	1578713119
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer Access: query value and read or execute	success or wait	1578713635
Key value queried	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer Name: NoControlPanel	object name not found	1578713909
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer Access: query value and read or execute	success or wait	1578714740
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer Name: NoSetFolders	object name not found	1578715004
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer Access: query value and read or execute	success or wait	1578715601
Key value queried	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer Name: NoSetFolders	object name not found	1578715874
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_CLASSES\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32 Access: query value and read or execute	object name not found	1578716991
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32 Access: query value and read or execute	success or wait	1578717223
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32 Access: maximum allowed	object name not found	1578718864
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32 Name: NULL	success or wait	1578719141
Section opened	Access: map write and map read and map execute Baseaddress: not known Size: not known Mapped to pid: own pid Path: \KnownDlls\SETUPAPI.dll	object name not found	1578721815
Section created	Access: query and map write and map read and map execute Protection: execute Attributes: image Path: not known Type: image Baseaddress: 77920000 Entrypoint: 7792159A Mapped to pid: own pid Size: F3000	success or wait	1578723372
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SETUPAPI.dll Access: generic read	object name not found	1578731062
Key opened	Path: HKEY_LOCAL_MACHINE\System\Setup Access: query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1578732762
Key value queried	Path: HKEY_LOCAL_MACHINE\SYSTEM\Setup Name: SystemSetupInProgress	success or wait	1578733241
Key opened	Path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\MiniNT Access: query value and set value and create sub key and enumerate sub key and notify and create link and read or execute and write and delete and read control and write dac and write owner	object name not found	1578733875
Key opened	Path: HKEY_LOCAL_MACHINE\System\WPA\PnP Access: query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1578734283
Key value queried	Path: HKEY_LOCAL_MACHINE\SYSTEM\WPA\PnP Name: seed	success or wait	1578734595
Key opened	Path: HKEY_LOCAL_MACHINE\SYSTEM\Setup Access: query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1578735129
Key value queried	Path: HKEY_LOCAL_MACHINE\SYSTEM\Setup Name: OsLoaderPath	success or wait	1578735392
Key value queried	Path: HKEY_LOCAL_MACHINE\SYSTEM\Setup Name: OsLoaderPath	success or wait	1578735728
Key opened	Path: HKEY_LOCAL_MACHINE\SYSTEM\Setup Access: query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1578736330
Key value queried	Path: HKEY_LOCAL_MACHINE\SYSTEM\Setup Name: SystemPartition	success or wait	1578736597
Key value queried	Path: HKEY_LOCAL_MACHINE\SYSTEM\Setup Name: SystemPartition	success or wait	1578736931
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Setup Access: query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1578737919
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup Name: SourcePath	success or wait	1578738359
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup Name: SourcePath	success or wait	1578738696
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Setup Access: query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1578739235
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup Name: ServicePackSourcePath	success or wait	1578739512
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup Name: ServicePackSourcePath	success or wait	1578739845
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Setup Access: query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1578740421
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup Name: ServicePackCachePath	success or wait	1578740696
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup Name: ServicePackCachePath	success or wait	1578741033
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Setup Access: query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1578741653
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup Name: DriverCachePath	success or wait	1578742701
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup Name: DriverCachePath	success or wait	1578743039
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion Access: query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1578743594
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion Name: DevicePath	success or wait	1578743875
Mutant created	Name: no name	success or wait	1578744821
Mutant created	Name: no name	success or wait	1578745415
Mutant created	Name: no name	success or wait	1578745932
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Setup Access: query value and read or execute	success or wait	1578746369
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup Name: LogLevel	success or wait	1578746648
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup Name: LogLevel	success or wait	1578746982
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup Name: LogPath	object name not found	1578747439
Key opened	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\AppLogLevels Access: query value and read or execute	object name not found	1578747803
Key opened	Path: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\ComputerName\ActiveComputerName Access: query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1578748979
Key value queried	Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ComputerName\ActiveComputerName Name: ComputerName	success or wait	1578749323
Key opened	Path: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters Access: query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1578749869
Key value queried	Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters Name: Hostname	success or wait	1578750240
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\System\DNSclient Access: query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1578750779
Key opened	Path: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters Access: query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1578751059
Key value queried	Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters Name: Domain	success or wait	1578751337
System info queried	Type: BasicInformation	success or wait	1578752678
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc\PagedBuffers Access: query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1578753042
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc Access: query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1578753330
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc Name: MaxRpcSize	object name not found	1578753720
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bfgbhk.ex.exe\RpcThreadPoolThrottle Access: query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1578754283
System time queried	Time: 129252592686234147	success or wait	1578755152
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Rpc Access: query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1578755937
System info queried	Type: PerformanceInformation	success or wait	1578756166
Key opened	Path: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\ComputerName Access: query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1578757937
Key opened	Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ComputerName\ActiveComputerName Access: query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1578758295
Key value queried	Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ComputerName\ActiveComputerName Name: ComputerName	success or wait	1578758582
File opened	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	success or wait	1578764435
File other operation	Disposition: PipeInformation Data: 01 00 00 00 00 00 00 00 Path: \Device\NamedPipe\lsass	success or wait	1578764928
File other operation	Disposition: CompletionInformation Data: EC 00 00 00 00 00 FF FF Path: \Device\NamedPipe\lsass	success or wait	1578765263
File write	Path: \Device\NamedPipe\lsass	success or wait	1578765829
File read	Path: \Device\NamedPipe\lsass	success or wait	1578766378
File opened	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	success or wait	1578775563
File other operation	Disposition: PipeInformation Data: 01 00 00 00 00 00 00 00 Path: \Device\NamedPipe\lsass	success or wait	1578775976
File other operation	Disposition: CompletionInformation Data: EC 00 00 00 00 00 FF FF Path: \Device\NamedPipe\lsass	success or wait	1578776217
File write	Path: \Device\NamedPipe\lsass	success or wait	1578776843
File read	Path: \Device\NamedPipe\lsass	success or wait	1578777301
File overwritten	Path: MountPointManager Access: read attributes and synchronize Disposition: open Options: synchronous io non alert and non directory file Attributes: normal	success or wait	1578805900
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume Access: maximum allowed	success or wait	1578807912
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{edc2bb10-b32c-11de-8127-806d6172696f}\ Access: maximum allowed	success or wait	1578808304
Key value queried	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{edc2bb10-b32c-11de-8127-806d6172696f} Name: Data	buffer overflow	1578808884
Key value queried	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{edc2bb10-b32c-11de-8127-806d6172696f} Name: Data	success or wait	1578809192
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume Access: maximum allowed	success or wait	1578810322
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{edc2bb10-b32c-11de-8127-806d6172696f}\ Access: maximum allowed	success or wait	1578810715
Key value queried	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{edc2bb10-b32c-11de-8127-806d6172696f} Name: Generation	success or wait	1578811123
File overwritten	Path: MountPointManager Access: read attributes and synchronize Disposition: open Options: synchronous io non alert and non directory file Attributes: normal	success or wait	1578815364
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume Access: maximum allowed	success or wait	1578817177
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{edc2bb11-b32c-11de-8127-806d6172696f}\ Access: maximum allowed	success or wait	1578817504
Key value queried	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{edc2bb11-b32c-11de-8127-806d6172696f} Name: Data	buffer overflow	1578817910
Key value queried	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{edc2bb11-b32c-11de-8127-806d6172696f} Name: Data	success or wait	1578818217
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume Access: maximum allowed	success or wait	1578819142
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{edc2bb11-b32c-11de-8127-806d6172696f}\ Access: maximum allowed	success or wait	1578819444
Key value queried	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{edc2bb11-b32c-11de-8127-806d6172696f} Name: Generation	success or wait	1578819959
File overwritten	Path: MountPointManager Access: read attributes and synchronize Disposition: open Options: synchronous io non alert and non directory file Attributes: normal	success or wait	1578823285
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume Access: maximum allowed	success or wait	1578825277
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{edc2bb13-b32c-11de-8127-806d6172696f}\ Access: maximum allowed	success or wait	1578825708
Key value queried	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{edc2bb13-b32c-11de-8127-806d6172696f} Name: Data	buffer overflow	1578826248
Key value queried	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{edc2bb13-b32c-11de-8127-806d6172696f} Name: Data	success or wait	1578826560
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume Access: maximum allowed	success or wait	1578827760
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{edc2bb13-b32c-11de-8127-806d6172696f}\ Access: maximum allowed	success or wait	1578828173
Key value queried	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{edc2bb13-b32c-11de-8127-806d6172696f} Name: Generation	success or wait	1578828586
File overwritten	Path: MountPointManager Access: read attributes and synchronize Disposition: open Options: synchronous io non alert and non directory file Attributes: normal	success or wait	1578829376
File overwritten	Path: MountPointManager Access: read attributes and synchronize Disposition: open Options: synchronous io non alert and non directory file Attributes: normal	success or wait	1578831907
Key created	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{edc2bb13-b32c-11de-8127-806d6172696f}\ Access: maximum allowed Options: non volatile	success or wait	1578833988
Key value set	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{edc2bb13-b32c-11de-8127-806d6172696f} Name: BaseClass Type: String Data: Drive	success or wait	1578834443
File overwritten	Path: MountPointManager Access: read attributes and synchronize Disposition: open Options: synchronous io non alert and non directory file Attributes: normal	success or wait	1578835029
File overwritten	Path: MountPointManager Access: read attributes and synchronize Disposition: open Options: synchronous io non alert and non directory file Attributes: normal	success or wait	1578837172
Key created	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{edc2bb11-b32c-11de-8127-806d6172696f}\ Access: maximum allowed Options: non volatile	success or wait	1578839414
Key value set	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{edc2bb11-b32c-11de-8127-806d6172696f} Name: BaseClass Type: String Data: Drive	success or wait	1578839808
File overwritten	Path: MountPointManager Access: read attributes and synchronize Disposition: open Options: synchronous io non alert and non directory file Attributes: normal	success or wait	1578840419
File overwritten	Path: MountPointManager Access: read attributes and synchronize Disposition: open Options: synchronous io non alert and non directory file Attributes: normal	success or wait	1578842749
Key created	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{edc2bb10-b32c-11de-8127-806d6172696f}\ Access: maximum allowed Options: non volatile	success or wait	1578844854
Key value set	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{edc2bb10-b32c-11de-8127-806d6172696f} Name: BaseClass Type: String Data: Drive	success or wait	1578845442
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume Access: maximum allowed	success or wait	1578846319
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{edc2bb13-b32c-11de-8127-806d6172696f}\ Access: maximum allowed	success or wait	1578846634
Key value queried	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{edc2bb13-b32c-11de-8127-806d6172696f} Name: Generation	success or wait	1578847033
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_CLASSES\Drive\shellex\FolderExtensions Access: enumerate sub key and read or execute	object name not found	1578848005
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Classes\Drive\shellex\FolderExtensions Access: enumerate sub key and read or execute	success or wait	1578848232
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_Classes\Drive\shellex\FolderExtensions Access: maximum allowed	object name not found	1579696888
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_CLASSES\Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9} Access: query value and read or execute	object name not found	1579698454
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Classes\Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9} Access: query value and read or execute	success or wait	1579698720
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_Classes\Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9} Access: maximum allowed	object name not found	1579700515
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9} Name: DriveMask	success or wait	1579700711
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer Access: query value and read or execute	success or wait	1579704275
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer Name: AllowFileCLSIDJunctions	object name not found	1579704819
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer Access: query value and read or execute	success or wait	1579705318
Key value queried	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer Name: AllowFileCLSIDJunctions	object name not found	1579705744
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer Access: maximum allowed	success or wait	1579708131
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts Access: maximum allowed	success or wait	1579708574
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.exe Access: maximum allowed	object name not found	1579708947
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.exe Access: maximum allowed	object name not found	1579709367
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_CLASSES\.exe Access: maximum allowed	object name not found	1579711096
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Classes\.exe Access: maximum allowed	success or wait	1579711365
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_Classes\.exe Access: maximum allowed	object name not found	1579713260
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.exe Name: NULL	success or wait	1579713483
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_CLASSES\exefile Access: maximum allowed	object name not found	1579714563
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Classes\exefile Access: maximum allowed	success or wait	1579714823
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_Classes\exefile\CurVer Access: query value and read or execute	object name not found	1579716732
Key opened	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\CurVer Access: query value and read or execute	object name not found	1579717001
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_Classes\exefile Access: maximum allowed	object name not found	1579718760
Key opened	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\ Access: maximum allowed	success or wait	1579719027
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer Access: query value and read or execute	success or wait	1579719968
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer Name: DontShowSuperHidden	object name not found	1579720249
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer Access: query value and read or execute	success or wait	1579720740
Key value queried	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer Name: DontShowSuperHidden	object name not found	1579721024
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\ Access: maximum allowed	success or wait	1579722180
Key value queried	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer Name: ShellState	success or wait	1579722451
Key value queried	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer Name: ShellState	success or wait	1579722768
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer Access: query value and read or execute	success or wait	1579723839
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer Name: ForceActiveDesktopOn	object name not found	1579724128
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer Access: query value and read or execute	success or wait	1579724636
Key value queried	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer Name: ForceActiveDesktopOn	object name not found	1579725034
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer Access: query value and read or execute	success or wait	1579725865
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer Name: NoActiveDesktop	object name not found	1579726132
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer Access: query value and read or execute	success or wait	1579726762
Key value queried	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer Name: NoActiveDesktop	object name not found	1579727035
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Policies\System Access: query value and read or execute	object name not found	1579727749
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer Access: query value and read or execute	success or wait	1579728431
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer Name: NoWebView	object name not found	1579728717
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer Access: query value and read or execute	success or wait	1579729220
Key value queried	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer Name: NoWebView	object name not found	1579729501
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer Access: query value and read or execute	success or wait	1579730376
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer Name: ClassicShell	object name not found	1579730645
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer Access: query value and read or execute	success or wait	1579731149
Key value queried	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer Name: ClassicShell	object name not found	1579731421
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer Access: query value and read or execute	success or wait	1579732692
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer Name: SeparateProcess	object name not found	1579732964
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer Access: query value and read or execute	success or wait	1579733465
Key value queried	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer Name: SeparateProcess	object name not found	1579733739
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer Access: query value and read or execute	success or wait	1579734554
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer Name: NoNetCrawling	object name not found	1579734818
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer Access: query value and read or execute	success or wait	1579735316
Key value queried	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer Name: NoNetCrawling	object name not found	1579735699
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer Access: query value and read or execute	success or wait	1579736581
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer Name: NoSimpleStartMenu	object name not found	1579736844
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer Access: query value and read or execute	success or wait	1579737342
Key value queried	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer Name: NoSimpleStartMenu	object name not found	1579737609
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced Access: maximum allowed	success or wait	1579738610
Key value queried	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced Name: Hidden	success or wait	1579738905
Key value queried	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced Name: ShowCompColor	success or wait	1579739572
Key value queried	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced Name: HideFileExt	success or wait	1579739872
Key value queried	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced Name: DontPrettyPath	success or wait	1579740171
Key value queried	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced Name: ShowInfoTip	success or wait	1579740468
Key value queried	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced Name: HideIcons	success or wait	1579740766
Key value queried	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced Name: MapNetDrvBtn	success or wait	1579741064
Key value queried	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced Name: WebView	success or wait	1579741664
Key value queried	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced Name: Filter	success or wait	1579741963
Key value queried	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced Name: ShowSuperHidden	success or wait	1579742262
Key value queried	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced Name: SeparateProcess	success or wait	1579742836
Key value queried	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced Name: NoNetCrawling	success or wait	1579743193
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_Classes\exefile\ShellEx\IconHandler Access: query value and read or execute	object name not found	1579746661
Key opened	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\ShellEx\IconHandler Access: query value and read or execute	object name not found	1579746951
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_CLASSES\SystemFileAssociations\.exe Access: maximum allowed	object name not found	1579747865
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Classes\SystemFileAssociations\.exe Access: maximum allowed	object name not found	1579748131
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_CLASSES\SystemFileAssociations\application Access: maximum allowed	object name not found	1579749045
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Classes\SystemFileAssociations\application Access: maximum allowed	object name not found	1579749313
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_Classes\exefile Access: maximum allowed	object name not found	1579751044
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile Name: DocObject	object name not found	1579751264
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_Classes\exefile Access: maximum allowed	object name not found	1579752958
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile Name: BrowseInPlace	object name not found	1579753177
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_Classes\exefile\Clsid Access: query value and read or execute	object name not found	1579755023
Key opened	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\Clsid Access: query value and read or execute	object name not found	1579755294
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_CLASSES\* Access: maximum allowed	object name not found	1579756002
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Classes\* Access: maximum allowed	success or wait	1579756256
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_Classes\*\Clsid Access: query value and read or execute	object name not found	1579757990
Key opened	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\*\Clsid Access: query value and read or execute	object name not found	1579758256
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_Classes\exefile Access: maximum allowed	object name not found	1579759842
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile Name: IsShortcut	object name not found	1579760098
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_Classes\exefile Access: maximum allowed	object name not found	1579761835
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile Name: AlwaysShowExt	object name not found	1579762055
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_Classes\exefile Access: maximum allowed	object name not found	1579763783
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile Name: NeverShowExt	object name not found	1579764043
File opened	Path: C:\bfgbhk.ex.exe Access: read attributes and synchronize and generic read Disposition: open Options: synchronous io non alert and non directory file Attributes: normal	success or wait	1579765396
File read	Path: C:\bfgbhk.ex.exe	success or wait	1579765892
File other operation	Disposition: PositionInformation Data: 00 00 01 00 00 00 00 00 Path: C:\bfgbhk.ex.exe	success or wait	1579817702
File other operation	Disposition: PositionInformation Data: EC FF 00 00 00 00 00 00 Path: C:\bfgbhk.ex.exe	success or wait	1579817854
File read	Path: C:\bfgbhk.ex.exe	success or wait	1579818161
File other operation	Disposition: PositionInformation Data: EC FF 01 00 00 00 00 00 Path: C:\bfgbhk.ex.exe	success or wait	1579867962
File other operation	Disposition: PositionInformation Data: D8 FF 01 00 00 00 00 00 Path: C:\bfgbhk.ex.exe	success or wait	1579868122
File read	Path: C:\bfgbhk.ex.exe	success or wait	1579868310
File other operation	Disposition: PositionInformation Data: D8 FF 02 00 00 00 00 00 Path: C:\bfgbhk.ex.exe	success or wait	1579917464
File other operation	Disposition: PositionInformation Data: C4 FF 02 00 00 00 00 00 Path: C:\bfgbhk.ex.exe	success or wait	1579917615
File read	Path: C:\bfgbhk.ex.exe	success or wait	1579917797
File other operation	Disposition: PositionInformation Data: C4 FF 03 00 00 00 00 00 Path: C:\bfgbhk.ex.exe	success or wait	1579963451
File other operation	Disposition: PositionInformation Data: B0 FF 03 00 00 00 00 00 Path: C:\bfgbhk.ex.exe	success or wait	1579963833
File read	Path: C:\bfgbhk.ex.exe	success or wait	1579964225
File other operation	Disposition: PositionInformation Data: B0 FF 04 00 00 00 00 00 Path: C:\bfgbhk.ex.exe	success or wait	1580687034
File other operation	Disposition: PositionInformation Data: 9C FF 04 00 00 00 00 00 Path: C:\bfgbhk.ex.exe	success or wait	1580735963
File read	Path: C:\bfgbhk.ex.exe	success or wait	1580736191
File other operation	Disposition: PositionInformation Data: 14 C8 05 00 00 00 00 00 Path: C:\bfgbhk.ex.exe	success or wait	1580781873
File read	Path: C:\bfgbhk.ex.exe	success or wait	1580782076
File other operation	Disposition: PositionInformation Data: 14 D8 05 00 00 00 00 00 Path: C:\bfgbhk.ex.exe	success or wait	1580793456
File other operation	Disposition: PositionInformation Data: 28 C8 05 00 00 00 00 00 Path: C:\bfgbhk.ex.exe	success or wait	1580793603
File read	Path: C:\bfgbhk.ex.exe	success or wait	1580793779
File other operation	Disposition: PositionInformation Data: 28 CA 05 00 00 00 00 00 Path: C:\bfgbhk.ex.exe	success or wait	1580794551
File other operation	Disposition: PositionInformation Data: D5 C8 05 00 00 00 00 00 Path: C:\bfgbhk.ex.exe	success or wait	1580794692
File read	Path: C:\bfgbhk.ex.exe	success or wait	1580795924
File read	Path: C:\bfgbhk.ex.exe	success or wait	1580922965
Window created	Window Name: AutoIt v3 Class Name: AutoIt v3	success	1584259578
Section created	Access: map write and map read and map execute Protection: execute Attributes: commit Path: not known Type: commit Baseaddress: 01570000 Entrypoint: not known Mapped to pid: own pid Size: 48C00	success or wait	1584260630
Section created	Access: query and map write and map read and map execute Protection: execute Attributes: image Path: not known Type: image Baseaddress: 74720000 Entrypoint: 747213A5 Mapped to pid: own pid Size: 4C000	success or wait	1584263766
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSCTF.dll Access: generic read	object name not found	1584269188
Section created	Access: query and map write and map read Protection: read write Attributes: commit Path: \BaseNamedObjects\CiceroSharedMemDefaultS-1-5-21-220523388-1935655697-1343024091-1003 Type: commit Baseaddress: 003D0000 Entrypoint: not known Mapped to pid: own pid Size: 1000	object name exists	1584272917
Key opened	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\Compatibility\bfgbhk.ex.exe Access: query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1584273494
Key opened	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\SystemShared\ Access: query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1584273743
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\SystemShared Name: CUAS	success or wait	1584274130
Mutant created	Name: \BaseNamedObjects\CTF.LBES.MutexDefaultS-1-5-21-220523388-1935655697-1343024091-1003	object name exists	1584274822
Mutant created	Name: \BaseNamedObjects\CTF.Compart.MutexDefaultS-1-5-21-220523388-1935655697-1343024091-1003	object name exists	1584275407
Mutant created	Name: \BaseNamedObjects\CTF.Asm.MutexDefaultS-1-5-21-220523388-1935655697-1343024091-1003	object name exists	1584275696
Mutant created	Name: \BaseNamedObjects\CTF.Layouts.MutexDefaultS-1-5-21-220523388-1935655697-1343024091-1003	object name exists	1584275963
Mutant created	Name: \BaseNamedObjects\CTF.TMD.MutexDefaultS-1-5-21-220523388-1935655697-1343024091-1003	object name exists	1584276222
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Keyboard Layout\Toggle Access: query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1584276479
Key value queried	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Keyboard Layout\Toggle Name: Language Hotkey	success or wait	1584276999
Key value queried	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Keyboard Layout\Toggle Name: Language Hotkey	success or wait	1584277289
Key value queried	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Keyboard Layout\Toggle Name: Layout Hotkey	success or wait	1584277571
Key value queried	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Keyboard Layout\Toggle Name: Layout Hotkey	success or wait	1584277847
Key opened	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\ Access: query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1584279692
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF Name: EnableAnchorContext	object name not found	1584280033
Mutant created	Name: \BaseNamedObjects\CTF.TimListCache.FMPDefaultS-1-5-21-220523388-1935655697-1343024091-1003MUTEX.DefaultS-1-5-21-220523388-1935655697-1343024091-1003	object name exists	1584281061
Section opened	Access: query and map write and map read and map execute and extend size Baseaddress: 01570000 Size: 40000 Mapped to pid: own pid Path: \BaseNamedObjects\CTF.TimListCache.FMPDefaultS-1-5-21-220523388-1935655697-1343024091-1003SFM.DefaultS-1-5-21-220523388-1935655697-1343024091-1003	success or wait	1584281365
Windows hook set	Module: C:\WINDOWS\system32\MSCTF.dll TID: 1664 Hook ID: keyboard	success	1584283257
Windows hook set	Module: C:\WINDOWS\system32\MSCTF.dll TID: 1664 Hook ID: mouse	success	1584283513
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\IMM Access: maximum allowed	success or wait	1584284687
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IMM Name: Ime File	success or wait	1584285175
Section created	Access: map write and map read and map execute Protection: execute Attributes: commit Path: not known Type: commit Baseaddress: 015B0000 Entrypoint: not known Mapped to pid: own pid Size: 2B400	success or wait	1584287130
File opened	Path: C:\WINDOWS\system32\msctfime.ime Access: read attributes and synchronize and generic read Disposition: open Options: synchronous io non alert and non directory file Attributes: none	success or wait	1584289216
Section created	Access: query and map read Protection: readonly Attributes: commit Path: not known Type: commit Baseaddress: 015B0000 Entrypoint: not known Mapped to pid: own pid Size: 2B400	success or wait	1584289567
Section created	Access: map write and map read and map execute Protection: execute Attributes: commit Path: not known Type: commit Baseaddress: 015B0000 Entrypoint: not known Mapped to pid: own pid Size: 2B400	success or wait	1584293052
File opened	Path: C:\WINDOWS\system32\msctfime.ime Access: read attributes and synchronize and generic read Disposition: open Options: synchronous io non alert and non directory file Attributes: none	success or wait	1584294724
Section created	Access: query and map read Protection: readonly Attributes: commit Path: not known Type: commit Baseaddress: 015B0000 Entrypoint: not known Mapped to pid: own pid Size: 2B400	success or wait	1584295074
Section opened	Access: map write Baseaddress: 003E0000 Size: E000 Mapped to pid: own pid Path: \BaseNamedObjects\ShimSharedMemory	success or wait	1584297833
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers Access: query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1584305293
Section created	Access: map write and map read and map execute Protection: execute Attributes: commit Path: not known Type: commit Baseaddress: 015B0000 Entrypoint: not known Mapped to pid: own pid Size: 2B400	success or wait	1584306667
Section created	Access: query and map write and map read and map execute Protection: execute Attributes: image Path: not known Type: image Baseaddress: 755C0000 Entrypoint: 755D9FE1 Mapped to pid: own pid Size: 2E000	success or wait	1584308798
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msctfime.ime Access: generic read	object name not found	1584316336
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\SOFTWARE\Microsoft\CTF Access: maximum allowed	success or wait	1584319392
Key value queried	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\CTF Name: Disable Thread Input Manager	object name not found	1584319730
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\CTF\SystemShared Access: maximum allowed	success or wait	1584321478
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\SystemShared Name: CUAS	success or wait	1584321723
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers Access: query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1584324275
Window created	Window Name: 6.0.2600.5512!Edit Class Name: edit	success	1584327829
Windows found	Window Name: no string Class Name: Shell_TrayWnd	success	1584330355
Windows found	Window Name: no string Class Name: Shell_TrayWnd	success	1584348216
Performance counter queried	Count: 1584350747 Frequency: 3579545	success or wait	1584350723
File opened	Path: C:\bfgbhk.ex.exe Access: read attributes and synchronize and generic read Disposition: open Options: synchronous io non alert and non directory file Attributes: normal	success or wait	1584354068
File read	Path: C:\bfgbhk.ex.exe	success or wait	1584354590
File other operation	Disposition: PositionInformation Data: 00 00 01 00 00 00 00 00 Path: C:\bfgbhk.ex.exe	success or wait	1584402784
File other operation	Disposition: PositionInformation Data: EC FF 00 00 00 00 00 00 Path: C:\bfgbhk.ex.exe	success or wait	1584402932
File read	Path: C:\bfgbhk.ex.exe	success or wait	1584403110
File other operation	Disposition: PositionInformation Data: EC FF 01 00 00 00 00 00 Path: C:\bfgbhk.ex.exe	success or wait	1584450210
File other operation	Disposition: PositionInformation Data: D8 FF 01 00 00 00 00 00 Path: C:\bfgbhk.ex.exe	success or wait	1584450355
File read	Path: C:\bfgbhk.ex.exe	success or wait	1584450532
File other operation	Disposition: PositionInformation Data: D8 FF 02 00 00 00 00 00 Path: C:\bfgbhk.ex.exe	success or wait	1584498088
File other operation	Disposition: PositionInformation Data: C4 FF 02 00 00 00 00 00 Path: C:\bfgbhk.ex.exe	success or wait	1584498232
File read	Path: C:\bfgbhk.ex.exe	success or wait	1584498410
File other operation	Disposition: PositionInformation Data: C4 FF 03 00 00 00 00 00 Path: C:\bfgbhk.ex.exe	success or wait	1585295141
File other operation	Disposition: PositionInformation Data: B0 FF 03 00 00 00 00 00 Path: C:\bfgbhk.ex.exe	success or wait	1585295289
File read	Path: C:\bfgbhk.ex.exe	success or wait	1585295467
File other operation	Disposition: PositionInformation Data: B0 FF 04 00 00 00 00 00 Path: C:\bfgbhk.ex.exe	success or wait	1585549864
File other operation	Disposition: PositionInformation Data: 9C FF 04 00 00 00 00 00 Path: C:\bfgbhk.ex.exe	success or wait	1585550059
File read	Path: C:\bfgbhk.ex.exe	success or wait	1585550242
File other operation	Disposition: PositionInformation Data: 14 C8 05 00 00 00 00 00 Path: C:\bfgbhk.ex.exe	success or wait	1585593788
File read	Path: C:\bfgbhk.ex.exe	success or wait	1585594723
File other operation	Disposition: PositionInformation Data: 14 D8 05 00 00 00 00 00 Path: C:\bfgbhk.ex.exe	success or wait	1585598477
File other operation	Disposition: PositionInformation Data: 28 C8 05 00 00 00 00 00 Path: C:\bfgbhk.ex.exe	success or wait	1585600440
File read	Path: C:\bfgbhk.ex.exe	success or wait	1585600618
File other operation	Disposition: PositionInformation Data: 28 CA 05 00 00 00 00 00 Path: C:\bfgbhk.ex.exe	success or wait	1585601294
File other operation	Disposition: PositionInformation Data: B9 C8 05 00 00 00 00 00 Path: C:\bfgbhk.ex.exe	success or wait	1585601433
File read	Path: C:\bfgbhk.ex.exe	success or wait	1585601606
File other operation	Disposition: PositionInformation Data: B9 CA 05 00 00 00 00 00 Path: C:\bfgbhk.ex.exe	success or wait	1585602242
File other operation	Disposition: PositionInformation Data: 77 7A 08 00 00 00 00 00 Path: C:\bfgbhk.ex.exe	success or wait	1585602381
File read	Path: C:\bfgbhk.ex.exe	success or wait	1585602551
File created	Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\aut1.tmp Access: read attributes and synchronize and generic read Disposition: create Options: synchronous io non alert and non directory file Attributes: normal	success or wait	1585604475
File overwritten	Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\aut1.tmp Access: read attributes and synchronize and generic write Disposition: overwrite if exists Options: synchronous io non alert and non directory file Attributes: normal	success or wait	1585607956
File read	Path: C:\bfgbhk.ex.exe	success or wait	1585609400
File read	Path: C:\bfgbhk.ex.exe	success or wait	1585621669
File write	Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\aut1.tmp	success or wait	1585643280
File write	Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\aut1.tmp	success or wait	1585646519
File opened	Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\aut1.tmp Access: read attributes and synchronize and generic read Disposition: open Options: synchronous io non alert and non directory file Attributes: normal	success or wait	1585647773
File created	Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\sugptwa Access: read attributes and synchronize and generic read and generic write Disposition: overwrite if exists Options: synchronous io non alert and non directory file Attributes: normal	success or wait	1585648329
File read	Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\aut1.tmp	success or wait	1585649879
File read	Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\aut1.tmp	success or wait	1585654296
File read	Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\aut1.tmp	end of file	1585696681
File write	Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\sugptwa	success or wait	1586635078
File write	Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\sugptwa	success or wait	1586661929
File write	Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\sugptwa	success or wait	1586680258
File deleted	Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\aut1.tmp	success or wait	1586685518
File opened	Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\sugptwa Access: read attributes and synchronize and generic write Disposition: open Options: synchronous io non alert and non directory file Attributes: normal	success or wait	1586687131
File other operation	Disposition: BasicInformation Data: 30 4F 03 65 3C 41 CB 01 00 00 00 00 00 00 00 00 F4 CB C9 67 3C 41 CB 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\sugptwa	success or wait	1586690800
File opened	Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\sugptwa Access: read attributes and synchronize and generic read Disposition: open Options: synchronous io non alert and non directory file Attributes: normal	success or wait	1586693478
File other operation	Disposition: PositionInformation Data: 00 00 00 00 00 00 00 00 Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\sugptwa	success or wait	1586693780
File other operation	Disposition: PositionInformation Data: 00 00 00 00 00 00 00 00 Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\sugptwa	success or wait	1586700718
File other operation	Disposition: PositionInformation Data: 00 00 00 00 00 00 00 00 Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\sugptwa	success or wait	1586708737
File read	Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\sugptwa	success or wait	1586708905
File other operation	Disposition: PositionInformation Data: 4E 86 01 00 00 00 00 00 Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\sugptwa	success or wait	1586802392
File other operation	Disposition: PositionInformation Data: 4E 86 01 00 00 00 00 00 Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\sugptwa	success or wait	1586804489
File other operation	Disposition: PositionInformation Data: 00 00 00 00 00 00 00 00 Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\sugptwa	success or wait	1586804621
File other operation	Disposition: PositionInformation Data: 00 00 00 00 00 00 00 00 Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\sugptwa	success or wait	1586804975
File other operation	Disposition: PositionInformation Data: 00 00 00 00 00 00 00 00 Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\sugptwa	success or wait	1586805397
File read	Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\sugptwa	success or wait	1586805646
File read	Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\sugptwa	success or wait	1587062641
Windows found	Window Name: no string Class Name: Shell_TrayWnd	success	1590759133
File deleted	Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\sugptwa	success or wait	1590787030
Windows found	Window Name: no string Class Name: Shell_TrayWnd	success	1594223863
Windows found	Window Name: no string Class Name: Shell_TrayWnd	success	1595011463
Key opened	Path: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager Access: query value and read or execute	success or wait	1595035422
Key value queried	Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager Name: SafeProcessSearchMode	object name not found	1595036114
Section created	Access: query and map write and map read and map execute and extend size Protection: execute Attributes: image Path: not known Type: image Baseaddress: not known Entrypoint: 4AD05046 Mapped to pid: own pid Size: 61000	success or wait	1595037930
Key opened	Path: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\AppCertDlls Access: query value and read or execute	object name not found	1595038214
Key opened	Path: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\AppCompatibility Access: query value and read or execute	success or wait	1595038457
Key value queried	Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\AppCompatibility Name: DisableAppCompat	object name not found	1595038844
Section created	Access: map write and map read and map execute Protection: execute Attributes: commit Path: not known Type: commit Baseaddress: 015B0000 Entrypoint: not known Mapped to pid: own pid Size: 1EC00	success or wait	1595040632
Section created	Access: query and map write and map read and map execute Protection: execute Attributes: image Path: not known Type: image Baseaddress: 77B40000 Entrypoint: 77B41C09 Mapped to pid: own pid Size: 22000	success or wait	1595042548
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Apphelp.dll Access: generic read	object name not found	1595045504
File opened	Path: C:\WINDOWS\AppPatch\sysmain.sdb Access: read attributes and synchronize and generic read Disposition: open Options: synchronous io non alert and non directory file Attributes: normal	success or wait	1595046189
Section created	Access: map read Protection: readonly Attributes: commit Path: not known Type: commit Baseaddress: 01D70000 Entrypoint: not known Mapped to pid: own pid Size: 125ED2	success or wait	1595046723
File other operation	Operation: 00000018 Path: C:\WINDOWS\AppPatch\systest.sdb Access: read attributes and synchronize and generic read Disposition: open Options: synchronous io non alert and non directory file Attributes: normal	object name not found	1595047777
System info queried	Type: ProcessorInformation	success or wait	1595047965
Key opened	Path: HKEY_LOCAL_MACHINE\System\WPA\TabletPC Access: query value and wow64 64key and wow64 resource and read or execute	object name not found	1595048358
Key opened	Path: HKEY_LOCAL_MACHINE\SYSTEM\WPA\MediaCenter Access: query value and wow64 64key and wow64 resource and read or execute	success or wait	1595048556
Key value queried	Path: HKEY_LOCAL_MACHINE\SYSTEM\WPA\MediaCenter Name: Installed	success or wait	1595048799
File overwritten	Path: \Device\NamedPipe\ShimViewer Access: write data or add file and append data or add subdirectory or create pipe instance and write ea and write attributes and read control and synchronize Disposition: open Options: no options Attributes: normal	object name not found	1595049336
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers Access: wow64 64key and wow64 resource and generic read	object name not found	1595062829
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers Access: wow64 64key and wow64 resource and generic read	object name not found	1595065750
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\cmd.exe Access: wow64 64key and wow64 resource and generic read	object name not found	1595066026
Section created	Access: map write and map read and map execute Protection: execute Attributes: commit Path: not known Type: commit Baseaddress: 015B0000 Entrypoint: not known Mapped to pid: own pid Size: 5F000	success or wait	1595075453
File opened	Path: C:\WINDOWS\system32\cmd.exe Access: read attributes and synchronize and generic read Disposition: open Options: synchronous io non alert and non directory file Attributes: none	success or wait	1595077162
Section created	Access: query and map read Protection: readonly Attributes: commit Path: not known Type: commit Baseaddress: 015B0000 Entrypoint: not known Mapped to pid: own pid Size: 5F000	success or wait	1595077726
Section created	Access: map write and map read and map execute Protection: execute Attributes: commit Path: not known Type: commit Baseaddress: 015B0000 Entrypoint: not known Mapped to pid: own pid Size: 5F000	success or wait	1595081735
File opened	Path: C:\WINDOWS\system32\cmd.exe Access: read attributes and synchronize and generic read Disposition: open Options: synchronous io non alert and non directory file Attributes: none	success or wait	1595083241
Section created	Access: query and map read Protection: readonly Attributes: commit Path: not known Type: commit Baseaddress: 015B0000 Entrypoint: not known Mapped to pid: own pid Size: 5F000	success or wait	1595083577
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags Access: wow64 64key and wow64 resource and generic read	object name not found	1595085731
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags Access: wow64 64key and wow64 resource and generic read	object name not found	1595086642
Key opened	Path: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot\Option Access: query value and set value and read or execute and write	object name not found	1595094866
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Access: query value and read or execute	success or wait	1595097447
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers Name: TransparentEnabled	success or wait	1595097753
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers Name: AuthenticodeEnabled	success or wait	1595097993
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\LevelObjects Access: query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1595098928
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Access: query value and read or execute	success or wait	1595099142
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers Name: Levels	object name not found	1595099355
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths Access: query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1595101661
Key opened	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{dda3f824-d8cb-441b-834d-be2efd2c1a33} Access: query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1595102375
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{dda3f824-d8cb-441b-834d-be2efd2c1a33} Name: ItemData	success or wait	1595102605
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{dda3f824-d8cb-441b-834d-be2efd2c1a33} Name: SaferFlags	success or wait	1595102984
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes Access: query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1595103905
Key opened	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328} Access: query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1595104551
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328} Name: ItemData	success or wait	1595104768
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328} Name: HashAlg	success or wait	1595105122
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328} Name: ItemSize	success or wait	1595105469
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328} Name: SaferFlags	success or wait	1595105839
Key opened	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91} Access: query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1595106652
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91} Name: ItemData	success or wait	1595106869
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91} Name: HashAlg	success or wait	1595107242
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91} Name: ItemSize	success or wait	1595107589
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91} Name: SaferFlags	success or wait	1595107971
Key opened	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f} Access: query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1595108814
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f} Name: ItemData	success or wait	1595109033
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f} Name: HashAlg	success or wait	1595109387
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f} Name: ItemSize	success or wait	1595109733
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f} Name: SaferFlags	success or wait	1595110083
Key opened	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d} Access: query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1595110897
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d} Name: ItemData	success or wait	1595111135
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d} Name: HashAlg	success or wait	1595111489
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d} Name: ItemSize	success or wait	1595111878
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d} Name: SaferFlags	success or wait	1595112225
Key opened	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc} Access: query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1595113062
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc} Name: ItemData	success or wait	1595113279
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc} Name: HashAlg	success or wait	1595113631
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc} Name: ItemSize	success or wait	1595113977
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc} Name: SaferFlags	success or wait	1595114325
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\UrlZones Access: query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1595115374
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Paths Access: query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1595115596
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Hashes Access: query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1595115812
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\UrlZones Access: query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1595116025
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Paths Access: query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1595116239
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Hashes Access: query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1595116452
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\UrlZones Access: query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1595116667
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Paths Access: query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1595116878
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Hashes Access: query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1595117091
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\UrlZones Access: query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1595117303
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths Access: query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1595117517
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Hashes Access: query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1595117730
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\UrlZones Access: query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1595117945
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths Access: query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1595118838
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes Access: query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1595119702
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\UrlZones Access: query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1595120504
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Paths Access: query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1595121305
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Hashes Access: query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1595122103
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\UrlZones Access: query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1595122942
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Paths Access: query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1595123727
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Hashes Access: query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1595125299
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\UrlZones Access: query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1595126143
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Paths Access: query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1595126952
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Hashes Access: query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1595127752
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\UrlZones Access: query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1595128554
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths Access: query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1595129379
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Hashes Access: query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1595130225
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\UrlZones Access: query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1595131024
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Access: query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1595131238
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers Name: DefaultLevel	success or wait	1595131476
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Access: query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1595132740
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Access: query value and read or execute	success or wait	1595134055
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers Name: PolicyScope	success or wait	1595134260
Section created	Access: query and map read Protection: readonly Attributes: commit Path: not known Type: commit Baseaddress: 015B0000 Entrypoint: not known Mapped to pid: own pid Size: 5F000	success or wait	1595140962
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003 Access: query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1595142167
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders Access: query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1595142465
Key value queried	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders Name: Cache	buffer overflow	1595142825
Key value queried	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders Name: Cache	success or wait	1595143134
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Access: query value and read or execute	success or wait	1595144193
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers Name: LogFileName	object name not found	1595144406
Key opened	Path: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot\Option Access: query value and set value and read or execute and write	object name not found	1595145051
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe Access: generic read	object name not found	1595147303
System info queried	Type: WatchdogTimerHandler	success or wait	1595147479
Process created	Access: terminate and create thread and set session id and vm operation and vm read and vm write and dupclicate handle and create process and set quota and set information and query information and set port or suspend or resume PID: 1512 Path: C:\WINDOWS\system32\cmd.exe Cmdline: C:\WINDOWS\system32\cmd.exe /c explorer C:\ Createflags: 00000000	success or wait	1595147703
Memory read	PID: 1512 Path: C:\WINDOWS\system32\cmd.exe Base: 7FFDB008 Length: 00000004 Value: 00 00 D0 4A	success or wait	1595150117
Memory read	PID: 1512 Path: C:\WINDOWS\system32\cmd.exe Base: 4AD00000 Length: 00001000 Value: 4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00 B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 D8 00 00 00 0E 1F BA 0E 00 B4 09 CD 21 B8 01 4C CD 21 54 68 69 73 20 70 72 6F 67 72 61 6D 20 63 61 6E 6E 6F 74 20 62 65 20 72 75 6E 20 69 6E 20 44 4F 53 20 6D 6F 64 65 2E 0D 0D 0A 24 00 00 00 00 00 00 00 1D ED D5 EA 59 8C BB B9 59 8C BB B9 59 8C BB B9 9A 83 B4 B9 5F 8C BB B9 59 8C BA B9 80 8C BB B9 9A 83 E6 B9 5E 8C BB B9 E6 83 DB B9 5B 8C BB B9 9A 83 E5 B9 58 8C BB B9 9A 83 E4 B9 6D 8C BB B9 9A 83 E1 B9 58 8C BB B9 52 69 63 68 59 8C BB B9 00 00 00 00 00 00 00 00 50 45 00 00 4C 01 03 00 AF 5B 02 48 00 00 00 00 00 00 00 00 E0 00 0F 01 0B 01 07 0A 00 F8 01 00 00 F6 03 00 00 00 00 00 46 50 00 00 00 10 00 00 00 F0 01 00 00 00 D0 4A 00 10 00 00 00 02 00 00 05 00 01 00 05 00 01 00 04 00 00 00 00 00 00 00 00 10 06 00 00 04 00 00 DB A9 06 00 03 00 00 80 00 00 10 00 00 00 10 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 40 F6 01 00 50 00 00 00 00 E0 03 00 A0 28 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 C4 05 02 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 93 01 00 40 00 00 00 48 02 00 00 58 00 00 00 00 10 00 00 00 03 00 00 08 F3 01 00 80 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2E 74 65 78 74 00 00 00 20 F6 01 00 00 10 00 00 00 F8 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2E 64 61 74 61 00 00 00 24 CA 01 00 00 10 02 00 00 CA 01 00 00 FC 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 C0 2E 72 73 72 63 00 00 00 A0 28 02 00 00 E0 03 00 00 2A 02 00 00 C6 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2C A1 02 48 28 00 01 00 2C A1 02 48 35 00 00 00 94 A0 02 48 3F 00 00 00 1B A1 02 48 4A 00 00 00 00 00 00 00 00 00 00 00 4B 45 52 4E 45 4C 33 32 2E 64 6C 6C 00 4E 54 44 4C 4C 2E 44 4C 4C 00 6D 73 76 63 72 74 2E 64 6C 6C 00 55 53 45 52 33 32 2E 64 6C 6C 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00	success or wait	1595150938
Memory read	PID: 1512 Path: C:\WINDOWS\system32\cmd.exe Base: 4AD3E000 Length: 00000100 Value: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 03 00 00 00 30 00 00 80 0B 00 00 00 80 00 00 80 0E 00 00 00 98 00 00 80 10 00 00 00 B0 00 00 80 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 00 01 00 00 00 C8 00 00 80 02 00 00 00 E0 00 00 80 03 00 00 00 F8 00 00 80 04 00 00 00 10 01 00 80 05 00 00 00 28 01 00 80 06 00 00 00 40 01 00 80 07 00 00 00 58 01 00 80 08 00 00 00 70 01 00 80 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 01 00 00 00 88 01 00 80 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 80 02 00 80 A0 01 00 80 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 01 00 00 00 B8 01 00 80 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 09 04 00 00 D0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 09 04 00 00 E0 01 00 00 00 00 00 00 00 00 00 00	success or wait	1595157973
Memory written	PID: 1512 Path: C:\WINDOWS\system32\cmd.exe Base: 00010000 Length: 00000726 Value: null	success or wait	1595164483
Memory written	PID: 1512 Path: C:\WINDOWS\system32\cmd.exe Base: 00020000 Length: 00000684 Value: null	success or wait	1595167069
Memory written	PID: 1512 Path: C:\WINDOWS\system32\cmd.exe Base: 7FFDB010 Length: 00000004 Value: null	success or wait	1595167509
Memory written	PID: 1512 Path: C:\WINDOWS\system32\cmd.exe Base: 00030000 Length: 00000184 Value: null	success or wait	1595168171
Memory written	PID: 1512 Path: C:\WINDOWS\system32\cmd.exe Base: 7FFDB1E8 Length: 00000004 Value: null	success or wait	1595168566
Memory read	PID: 1512 Path: C:\WINDOWS\system32\cmd.exe Base: 7FFDB010 Length: 00000004 Value: 00 00 02 00	success or wait	1595168991
Thread created	Access: terminate and suspend resume and alert and get context and set context and set information and query information and set token and impersonate and direct impersonation PID: 1512 TID: 2044 EIP: 7C810705 Imagepath: C:\WINDOWS\system32\cmd.exe	success or wait	1595170676
Thread delayed	Time: 0 TID: 5732	success or wait	1595557881
Thread delayed	Time: 0 TID: 5732	success or wait	1595649704
Thread delayed	Time: 0 TID: 5732	success or wait	1595662687
Thread delayed	Time: 0 TID: 5732	success or wait	1595700316
Thread delayed	Time: 0 TID: 5732	success or wait	1595734053
Thread delayed	Time: 0 TID: 5732	success or wait	1595774005
Thread delayed	Time: 0 TID: 5732	success or wait	1595805948
Thread delayed	Time: 0 TID: 5732	success or wait	1595841147
Thread delayed	Time: 0 TID: 5732	success or wait	1595877421
Thread delayed	Time: 0 TID: 5732	success or wait	1595912742
Thread delayed	Time: 0 TID: 5732	success or wait	1595949000
Thread delayed	Time: 0 TID: 5732	success or wait	1595989279
Thread delayed	Time: 0 TID: 5732	success or wait	1596020910
Thread delayed	Time: 0 TID: 5732	success or wait	1596056159
Thread delayed	Time: 0 TID: 5732	success or wait	1596092331
Thread delayed	Time: 0 TID: 5732	success or wait	1596127746
Thread delayed	Time: 0 TID: 5732	success or wait	1596166833
Thread delayed	Time: 0 TID: 5732	success or wait	1596201215
Thread delayed	Time: 0 TID: 5732	success or wait	1596236574
Thread delayed	Time: 0 TID: 5732	success or wait	1596271119
Thread delayed	Time: 0 TID: 5732	success or wait	1596307406
Thread delayed	Time: 0 TID: 5732	success or wait	1596343625
Thread delayed	Time: 0 TID: 5732	success or wait	1596379129
Thread delayed	Time: 0 TID: 5732	success or wait	1596419258
Thread delayed	Time: 0 TID: 5732	success or wait	1596483022
Thread delayed	Time: 0 TID: 5732	success or wait	1597449118
Thread delayed	Time: 0 TID: 5732	success or wait	1597460261
Thread delayed	Time: 0 TID: 5732	success or wait	1597490573
Thread delayed	Time: 0 TID: 5732	success or wait	1597526462
Thread delayed	Time: 0 TID: 5732	success or wait	1597561602
Thread delayed	Time: 0 TID: 5732	success or wait	1597597819
Thread delayed	Time: 0 TID: 5732	success or wait	1597634671
Thread delayed	Time: 0 TID: 5732	success or wait	1597672958
Thread delayed	Time: 0 TID: 5732	success or wait	1597705820
Thread delayed	Time: 0 TID: 5732	success or wait	1597741947
Thread delayed	Time: 0 TID: 5732	success or wait	1597780138
Thread delayed	Time: 0 TID: 5732	success or wait	1597815117
Thread delayed	Time: 0 TID: 5732	success or wait	1597850892
Thread delayed	Time: 0 TID: 5732	success or wait	1597885095
Thread delayed	Time: 0 TID: 5732	success or wait	1597920577
Thread delayed	Time: 0 TID: 5732	success or wait	1597956611
Thread delayed	Time: 0 TID: 5732	success or wait	1597993970
Thread delayed	Time: 0 TID: 5732	success or wait	1598031631
Thread delayed	Time: 0 TID: 5732	success or wait	1598064034
Thread delayed	Time: 0 TID: 5732	success or wait	1598099931
Thread delayed	Time: 0 TID: 5732	success or wait	1598136126
Thread delayed	Time: 0 TID: 5732	success or wait	1598171504
Thread delayed	Time: 0 TID: 5732	success or wait	1598206893
Thread delayed	Time: 0 TID: 5732	success or wait	1598243543
Thread delayed	Time: 0 TID: 5732	success or wait	1598278823
Thread delayed	Time: 0 TID: 5732	success or wait	1600238399
Thread delayed	Time: 0 TID: 5732	success or wait	1604068804
Thread delayed	Time: 0 TID: 5732	success or wait	1607080563
Mutant created	Name: \BaseNamedObjects\981dsaf81wae98f19c8v98r1aeg1	success or wait	1609009613
System info queried	Type: CurrentTimeZoneInformation	success or wait	1609083395
File other operation	Operation: 78450000 Path: C:\WINDOWS\system32\csrcs.exe Access: read attributes and synchronize and generic read Disposition: open Options: synchronous io non alert and non directory file Attributes: normal	object name not found	1609147839
File other operation	Operation: 78450000 Path: C:\WINDOWS\system32\csrcs.exe Access: read attributes and synchronize and generic read Disposition: open Options: synchronous io non alert and non directory file Attributes: normal	object name not found	1609148479
System info queried	Type: ProcessInformation	success or wait	1609359684
Section created	Access: query and map write and map read Protection: read write Attributes: commit Path: not known Type: commit Baseaddress: 015D0000 Entrypoint: not known Mapped to pid: own pid Size: 3000	success or wait	1609366126
System info queried	Type: ProcessInformation	success or wait	1609522719
Section created	Access: query and map write and map read Protection: read write Attributes: commit Path: not known Type: commit Baseaddress: 015D0000 Entrypoint: not known Mapped to pid: own pid Size: 3000	success or wait	1609527679
Thread delayed	Time: 0 TID: 5732	success or wait	1609588814
Thread delayed	Time: 0 TID: 5732	success or wait	1609607247
Thread delayed	Time: 0 TID: 5732	success or wait	1609760650
Thread delayed	Time: 0 TID: 5732	success or wait	1609899250
System info queried	Type: ProcessInformation	success or wait	1610180345
Section created	Access: query and map write and map read Protection: read write Attributes: commit Path: not known Type: commit Baseaddress: 015D0000 Entrypoint: not known Mapped to pid: own pid Size: 3000	success or wait	1610186357
File opened	Path: C:\bfgbhk.ex.exe Access: read attributes and synchronize and generic read Disposition: open Options: sequential only and synchronous io non alert and non directory file Attributes: none	success or wait	1610228983
File created	Path: C:\WINDOWS\system32\csrcs.exe Access: read attributes and delete and synchronize and generic write Disposition: overwrite if exists Options: sequential only and synchronous io non alert and non directory file Attributes: archive	success or wait	1610236611
File other operation	Disposition: EndOfFileInformation Data: 4E C6 08 00 00 00 00 00 Path: C:\WINDOWS\system32\csrcs.exe	success or wait	1610243334
File read	Path: C:\bfgbhk.ex.exe	success or wait	1610246129
File write	Path: C:\WINDOWS\system32\csrcs.exe	success or wait	1611284536
File read	Path: C:\bfgbhk.ex.exe	success or wait	1611287041
File write	Path: C:\WINDOWS\system32\csrcs.exe	success or wait	1611390005
File read	Path: C:\bfgbhk.ex.exe	success or wait	1611392095
File write	Path: C:\WINDOWS\system32\csrcs.exe	success or wait	1611493400
File read	Path: C:\bfgbhk.ex.exe	success or wait	1611494960
File write	Path: C:\WINDOWS\system32\csrcs.exe	success or wait	1614436186
File read	Path: C:\bfgbhk.ex.exe	success or wait	1614439153
File write	Path: C:\WINDOWS\system32\csrcs.exe	success or wait	1614550836
File read	Path: C:\bfgbhk.ex.exe	success or wait	1614551664
File write	Path: C:\WINDOWS\system32\csrcs.exe	success or wait	1615513095
File read	Path: C:\bfgbhk.ex.exe	success or wait	1615514476
File write	Path: C:\WINDOWS\system32\csrcs.exe	success or wait	1615866181
File read	Path: C:\bfgbhk.ex.exe	success or wait	1615868319
File write	Path: C:\WINDOWS\system32\csrcs.exe	success or wait	1615961866
File read	Path: C:\bfgbhk.ex.exe	success or wait	1615963548
File write	Path: C:\WINDOWS\system32\csrcs.exe	success or wait	1616887435
File read	Path: C:\bfgbhk.ex.exe	end of file	1616888187
File other operation	Disposition: BasicInformation Data: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4D 80 8E 87 7A 6C CB 01 35 42 49 5F 8C 32 CB 01 00 00 00 00 00 00 00 00 Path: C:\WINDOWS\system32\csrcs.exe	success or wait	1616936747
File other operation	Disposition: BasicInformation Data: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 A7 00 00 00 00 00 00 00 Path: C:\WINDOWS\system32\csrcs.exe	success or wait	1616952852
Thread delayed	Time: 0 TID: 5732	success or wait	1616962387
File other operation	Disposition: BasicInformation Data: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 00 00 00 00 Path: C:\WINDOWS\system32\csrcs.exe	success or wait	1616998198
File opened	Path: C:\WINDOWS\system32\csrcs.exe Access: read attributes and synchronize and generic write Disposition: open Options: synchronous io non alert and open for backup ident Attributes: normal	success or wait	1617006758
File other operation	Disposition: BasicInformation Data: F0 01 5E A5 B0 3C C6 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Path: C:\WINDOWS\system32\csrcs.exe	success or wait	1617006991
File opened	Path: C:\WINDOWS\system32\csrcs.exe Access: read attributes and synchronize and generic write Disposition: open Options: synchronous io non alert and open for backup ident Attributes: normal	success or wait	1617020614
File other operation	Disposition: BasicInformation Data: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 F0 01 EC 35 79 9E C8 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Path: C:\WINDOWS\system32\csrcs.exe	success or wait	1617020891
File other operation	Disposition: BasicInformation Data: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 A7 00 00 00 00 00 00 00 Path: C:\WINDOWS\system32\csrcs.exe	success or wait	1617032247
Thread delayed	Time: 0 TID: 5732	success or wait	1617051795
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\DRM\amty Access: set value and create sub key and read or execute and write and read control Options: non volatile	success or wait	1617063919
Key value set	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DRM\amty Name: ilop Type: String Data: 1	success or wait	1617068189
Section created	Access: map write and map read and map execute Protection: execute Attributes: commit Path: not known Type: commit Baseaddress: 015C0000 Entrypoint: not known Mapped to pid: own pid Size: 62000	success or wait	1617070415
System info queried	Type: BasicInformation	success or wait	1617072131
System info queried	Type: BasicInformation	success or wait	1617072310
System info queried	Type: BasicInformation	success or wait	1617072474
Window created	Window Name: no string Class Name: no string	success	1617074640
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer Access: query value and read or execute	success or wait	1617075534
Key value queried	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer Name: MaximizeApps	object name not found	1617075890
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer Access: query value and read or execute	success or wait	1617076204
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer Name: MaximizeApps	object name not found	1617076559
Section opened	Access: map write and map read and map execute Baseaddress: not known Size: not known Mapped to pid: own pid Path: \KnownDlls\netapi32.dll	object name not found	1617078037
Section created	Access: query and map write and map read and map execute Protection: execute Attributes: image Path: not known Type: image Baseaddress: 5B860000 Entrypoint: 5B868B48 Mapped to pid: own pid Size: 55000	success or wait	1617079522
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\netapi32.dll Access: generic read	object name not found	1617085730
File opened	Path: PIPE\wkssvc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	success or wait	1617089407
File other operation	Disposition: PipeInformation Data: 01 00 00 00 00 00 00 00 Path: \Device\NamedPipe\wkssvc	success or wait	1617089799
File other operation	Disposition: CompletionInformation Data: EC 00 00 00 00 00 FF FF Path: \Device\NamedPipe\wkssvc	success or wait	1617090016
File write	Path: \Device\NamedPipe\wkssvc	success or wait	1617090511
File read	Path: \Device\NamedPipe\wkssvc	success or wait	1617091269
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace Access: query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1617101729
Key opened	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{11016101-E366-4D22-BC06-4ADA335C892B} Access: query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1617102725
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{11016101-E366-4D22-BC06-4ADA335C892B} Name: SuppressionPolicy	object name not found	1617103037
Key opened	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{1f4de370-d627-11d1-ba4f-00a0c91eedba} Access: query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1617103890
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{1f4de370-d627-11d1-ba4f-00a0c91eedba} Name: SuppressionPolicy	object name not found	1617104146
Key opened	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{450D8FBA-AD25-11D0-98A8-0800361B1103} Access: query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1617105005
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{450D8FBA-AD25-11D0-98A8-0800361B1103} Name: SuppressionPolicy	object name not found	1617105260
Key opened	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{645FF040-5081-101B-9F08-00AA002F954E} Access: query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1617106040
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{645FF040-5081-101B-9F08-00AA002F954E} Name: SuppressionPolicy	object name not found	1617106293
Key opened	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849} Access: query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1617107071
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849} Name: SuppressionPolicy	object name not found	1617107324
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace Access: query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1617108570
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\ Access: maximum allowed	success or wait	1617109829
Key created	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\0000000000009559 Access: query value and read or execute Options: volatile	success or wait	1617110196
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\0000000000009559\Desktop\NameSpace Access: query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1617110623
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_CLASSES\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder Access: maximum allowed	object name not found	1617111591
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder Access: maximum allowed	success or wait	1617111852
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder Access: maximum allowed	object name not found	1617113551
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder Name: WantsParseDisplayName	object name not found	1617113751
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_CLASSES\CLSID\{208D2C60-3AEA-1069-A2D7-08002B30309D}\ShellFolder Access: maximum allowed	object name not found	1617114649
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{208D2C60-3AEA-1069-A2D7-08002B30309D}\ShellFolder Access: maximum allowed	success or wait	1617114884
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_Classes\CLSID\{208D2C60-3AEA-1069-A2D7-08002B30309D}\ShellFolder Access: maximum allowed	object name not found	1617116428
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{208D2C60-3AEA-1069-A2D7-08002B30309D}\ShellFolder Name: WantsParseDisplayName	object name not found	1617116628
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_CLASSES\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\ShellFolder Access: maximum allowed	object name not found	1617117504
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\ShellFolder Access: maximum allowed	success or wait	1617117740
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\ShellFolder Access: maximum allowed	object name not found	1617119349
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\ShellFolder Name: WantsParseDisplayName	success or wait	1617119546
Key opened	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Objects\{871C5380-42A0-1069-A2EA-08002B30309D} Access: query value and read or execute	object name not found	1617120053
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_CLASSES\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32 Access: query value and read or execute	object name not found	1617120891
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32 Access: query value and read or execute	success or wait	1617121142
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32 Access: maximum allowed	object name not found	1617122805
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32 Name: NULL	success or wait	1617123020
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32 Access: maximum allowed	object name not found	1617124641
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32 Name: LoadWithoutCOM	object name not found	1617124856
Key created	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Blocked Access: query value and enumerate sub key and notify and read or execute and write and read control Options: non volatile	success or wait	1617125539
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Blocked Name: {871C5380-42A0-1069-A2EA-08002B30309D}	object name not found	1617125989
Key created	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Blocked Access: query value and enumerate sub key and notify and read or execute and write and read control Options: non volatile	success or wait	1617126451
Key value queried	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Blocked Name: {871C5380-42A0-1069-A2EA-08002B30309D}	object name not found	1617126782
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer Access: query value and read or execute	success or wait	1617127462
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer Name: EnforceShellExtensionSecurity	object name not found	1617127762
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer Access: query value and read or execute	success or wait	1617128263
Key value queried	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer Name: EnforceShellExtensionSecurity	object name not found	1617128537
Key created	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached Access: query value and enumerate sub key and notify and read or execute and write and read control Options: non volatile	success or wait	1617129115
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached Name: {871C5380-42A0-1069-A2EA-08002B30309D} {000214E6-0000-0000-C000-000000000046} 0x401	object name not found	1617129468
Key created	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached Access: query value and set value and create sub key and enumerate sub key and notify and read or execute and write and read control Options: non volatile	success or wait	1617129925
Key value queried	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached Name: {871C5380-42A0-1069-A2EA-08002B30309D} {000214E6-0000-0000-C000-000000000046} 0x401	success or wait	1617130195
Key opened	Path: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\AppCompatibility Access: query value and read or execute	success or wait	1617130809
Key value queried	Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\AppCompatibility Name: DisableAppCompat	object name not found	1617131215
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{871c5380-42a0-1069-a2ea-08002b30309d}\InProcServer32 Access: generic read	success or wait	1617131622
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32 Name:	success or wait	1617131866
File opened	Path: C:\WINDOWS\system32\ieframe.dll Access: read attributes and synchronize and generic read Disposition: open Options: synchronous io non alert and non directory file Attributes: normal	success or wait	1617132719
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers Access: query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1617135434
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\COM3 Access: query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1617136269
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\COM3 Name: Com+Enabled	success or wait	1617136545
Section opened	Access: map write and map read and map execute Baseaddress: not known Size: not known Mapped to pid: own pid Path: \KnownDlls\CLBCATQ.DLL	object name not found	1617137170
Section created	Access: query and map write and map read and map execute Protection: execute Attributes: image Path: not known Type: image Baseaddress: 76FD0000 Entrypoint: 76FD3048 Mapped to pid: own pid Size: 7F000	success or wait	1617138696
Section opened	Access: map write and map read and map execute Baseaddress: not known Size: not known Mapped to pid: own pid Path: \KnownDlls\COMRes.dll	object name not found	1617141635
Section created	Access: query and map write and map read and map execute Protection: execute Attributes: image Path: not known Type: image Baseaddress: 77050000 Entrypoint: 77051055 Mapped to pid: own pid Size: C5000	success or wait	1617143078
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\COMRes.dll Access: generic read	object name not found	1617149487
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CLBCATQ.DLL Access: generic read	object name not found	1617150051
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\COM3\Debug Access: query value and set value and create sub key and enumerate sub key and notify and create link and read or execute and write and delete and read control and write dac and write owner	object name not found	1617151235
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\COM3\Debug Access: query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1617151532
Key opened	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE Access: query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1617151869
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole Name: MinimumFreeMemPercentageToCreateProcess	object name not found	1617152231
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole Name: MinimumFreeMemPercentageToCreateObject	object name not found	1617154140
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\COM3 Access: query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1617155490
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\COM3 Name: Com+Enabled	success or wait	1617155764
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_Classes Access: maximum allowed	success or wait	1617157234
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Classes Access: maximum allowed	success or wait	1617157774
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\COM3 Access: maximum allowed	success or wait	1617158715
Key opened	Path: HKEY_USERS Access: notify and read or execute	success or wait	1617159591
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Classes Access: maximum allowed	success or wait	1617160458
Key opened	Path: HKEY_USERS Access: notify and read or execute	success or wait	1617161313
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\COM3 Access: maximum allowed	success or wait	1617162647
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\COM3 Access: maximum allowed	success or wait	1617163500
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Classes\CLSID Access: maximum allowed	success or wait	1617164347
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Classes Access: maximum allowed	success or wait	1617165197
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\COM3 Access: maximum allowed	success or wait	1617166073
Key opened	Path: HKEY_USERS Access: notify and read or execute	success or wait	1617166909
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\COM3 Access: maximum allowed	success or wait	1617167745
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\COM3 Access: maximum allowed	success or wait	1617168646
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Classes\CLSID Access: maximum allowed	success or wait	1617169626
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\COM3 Access: query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1617171381
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\COM3 Name: REGDBVersion	success or wait	1617171665
System info queried	Type: BasicInformation	success or wait	1617172697
System info queried	Type: ProcessorInformation	success or wait	1617172970
File opened	Path: C:\WINDOWS\Registration\R000000000007.clb Access: read attributes and synchronize and generic read Disposition: open Options: synchronous io non alert and non directory file Attributes: none	success or wait	1617173430
File other operation	Disposition: PositionInformation Data: F0 57 00 00 00 00 00 00 Path: C:\WINDOWS\Registration\R000000000007.clb	success or wait	1617174045
File other operation	Disposition: PositionInformation Data: 00 00 00 00 00 00 00 00 Path: C:\WINDOWS\Registration\R000000000007.clb	success or wait	1617174757
File read	Path: C:\WINDOWS\Registration\R000000000007.clb	success or wait	1617176182
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\COM3 Access: query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1617198410
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\COM3 Name: REGDBVersion	success or wait	1617199267
System info queried	Type: BasicInformation	success or wait	1617199945
System info queried	Type: ProcessorInformation	success or wait	1617200220
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_CLASSES\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} Access: query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1617202007
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} Access: query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1617202312
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\TreatAs Access: query value and read or execute	object name not found	1617204334
Key opened	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\TreatAs Access: query value and read or execute	object name not found	1617204655
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_CLASSES\ Access: query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1617205448
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_CLASSES\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} Access: query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1617218721
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} Access: query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1617219358
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InprocServer32 Access: maximum allowed	object name not found	1617228742
Key opened	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InprocServer32 Access: maximum allowed	success or wait	1617229105
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32 Access: maximum allowed	object name not found	1617233658
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32 Name: InprocServer32	object name not found	1617233908
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InprocServerX86 Access: maximum allowed	object name not found	1617242846
Key opened	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InprocServerX86 Access: maximum allowed	object name not found	1617243174
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\LocalServer32 Access: maximum allowed	object name not found	1617249944
Key opened	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\LocalServer32 Access: maximum allowed	object name not found	1617256074
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InprocServer32 Access: maximum allowed	object name not found	1617264374
Key opened	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InprocServer32 Access: maximum allowed	success or wait	1617264709
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32 Access: maximum allowed	object name not found	1617270400
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32 Name: NULL	success or wait	1617270654
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InprocHandler32 Access: maximum allowed	object name not found	1617277167
Key opened	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InprocHandler32 Access: maximum allowed	object name not found	1617277996
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InprocHandlerX86 Access: maximum allowed	object name not found	1617279757
Key opened	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InprocHandlerX86 Access: maximum allowed	object name not found	1617280055
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\LocalServer32 Access: maximum allowed	object name not found	1617281773
Key opened	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\LocalServer32 Access: maximum allowed	object name not found	1617282068
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\LocalServer Access: maximum allowed	object name not found	1617283822
Key opened	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\LocalServer Access: maximum allowed	object name not found	1617284152
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_CLASSES\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} Access: query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1617284915
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} Access: query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1617285201
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} Access: maximum allowed	object name not found	1617287010
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} Name: AppID	object name not found	1617287250
Process opened	Access: query information PID: 1580 Path: C:\bfgbhk.ex.exe Cmdline: C:\bfgbhk.ex.exe	success or wait	1617288405
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_CLASSES\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} Access: query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1617289597
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} Access: query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1617289874
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_CLASSES\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} Access: query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1617292716
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} Access: query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1617293009
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InprocServer32 Access: maximum allowed	object name not found	1617294870
Key opened	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InprocServer32 Access: maximum allowed	success or wait	1617295171
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32 Access: maximum allowed	object name not found	1617296922
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32 Name: ThreadingModel	success or wait	1617297167
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_CLASSES\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} Access: query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1617299087
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} Access: query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1617299382
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\TreatAs Access: query value and read or execute	object name not found	1617301185
Key opened	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\TreatAs Access: query value and read or execute	object name not found	1617301476
Section created	Access: map write and map read and map execute Protection: execute Attributes: commit Path: not known Type: commit Baseaddress: 01D70000 Entrypoint: not known Mapped to pid: own pid Size: A8EA00	success or wait	1617303158
Section created	Access: query and map write and map read and map execute Protection: execute Attributes: image Path: not known Type: image Baseaddress: 3E1C0000 Entrypoint: 3E1C8086 Mapped to pid: own pid Size: A93000	success or wait	1617378231
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ieframe.dll Access: generic read	object name not found	1617486278
Performance counter queried	Count: 1617486837 Frequency: 3579545	success or wait	1617486811
Key opened	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\IEXPLORE.EXE Access: query value and read or execute	success or wait	1617525253
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\IEXPLORE.EXE Name:	success or wait	1617525805
File opened	Path: C:\Program Files\Internet Explorer\IEXPLORE.EXE Access: read attributes and synchronize Disposition: open Options: synchronous io non alert and non directory file Attributes: normal	success or wait	1617526586
Key opened	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Setup Access: query value and read or execute	success or wait	1617527572
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Setup Name: IExploreLastModifiedLow	success or wait	1617528066
Key opened	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Setup Access: query value and read or execute	success or wait	1617530056
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Setup Name: IExploreLastModifiedHigh	success or wait	1617530347
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots Access: enumerate sub key and read or execute	object name not found	1620241090
File opened	Path: C:\WINDOWS\system32\en-US\ieframe.dll.mui Access: read attributes and synchronize and generic read Disposition: open Options: synchronous io non alert and non directory file Attributes: none	success or wait	1620273520
Section created	Access: query and map read Protection: write copy Attributes: commit Path: not known Type: commit Baseaddress: 01D70000 Entrypoint: not known Mapped to pid: own pid Size: 12F000	success or wait	1620274126
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_CLASSES\Interface\{EAB22AC1-30C1-11CF-A7EB-0000C05BAE0B}\Typelib Access: query value and read or execute	object name not found	1620278754
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Classes\Interface\{EAB22AC1-30C1-11CF-A7EB-0000C05BAE0B}\Typelib Access: query value and read or execute	success or wait	1620279115
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_Classes\Interface\{EAB22AC1-30C1-11CF-A7EB-0000C05BAE0B}\TypeLib Access: maximum allowed	object name not found	1620281484
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{EAB22AC1-30C1-11CF-A7EB-0000C05BAE0B}\TypeLib Name: NULL	success or wait	1620281814
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_CLASSES\CLSID\{A4A1A128-768F-41E0-BF75-E4FDDD701CBA} Access: query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1620283181
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{A4A1A128-768F-41E0-BF75-E4FDDD701CBA} Access: query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1620283478
Key opened	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Setup Access: query value and read or execute	success or wait	1620284154
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Setup Name: InstallStarted	object name not found	1620284591
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_CLASSES\Interface\{b722bccb-4e68-101b-a2bc-00aa00404770}\ProxyStubClsid32 Access: query value and read or execute	object name not found	1620285734
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Classes\Interface\{b722bccb-4e68-101b-a2bc-00aa00404770}\ProxyStubClsid32 Access: query value and read or execute	success or wait	1620286029
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_Classes\Interface\{B722BCCB-4E68-101B-A2BC-00AA00404770}\ProxyStubClsid32 Access: maximum allowed	object name not found	1620288118
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{B722BCCB-4E68-101B-A2BC-00AA00404770}\ProxyStubClsid32 Name: NULL	success or wait	1620288314
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_CLASSES\Interface\{79eac9c4-baf9-11ce-8c82-00aa004ba90b}\ProxyStubClsid32 Access: query value and read or execute	object name not found	1620292677
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Classes\Interface\{79eac9c4-baf9-11ce-8c82-00aa004ba90b}\ProxyStubClsid32 Access: query value and read or execute	success or wait	1620293115
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_Classes\Interface\{79EAC9C4-BAF9-11CE-8C82-00AA004BA90B}\ProxyStubClsid32 Access: maximum allowed	object name not found	1620295041
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{79EAC9C4-BAF9-11CE-8C82-00AA004BA90B}\ProxyStubClsid32 Name: NULL	success or wait	1620295313
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_CLASSES\Interface\{000214E6-0000-0000-C000-000000000046}\ProxyStubClsid32 Access: query value and read or execute	object name not found	1620296480
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Classes\Interface\{000214E6-0000-0000-C000-000000000046}\ProxyStubClsid32 Access: query value and read or execute	success or wait	1620296779
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_Classes\Interface\{000214E6-0000-0000-C000-000000000046}\ProxyStubClsid32 Access: maximum allowed	object name not found	1620298692
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{000214E6-0000-0000-C000-000000000046}\ProxyStubClsid32 Name: NULL	success or wait	1620299018
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_CLASSES\Interface\{93F2F68C-1D1B-11D3-A30E-00C04F79ABD1}\ProxyStubClsid32 Access: query value and read or execute	object name not found	1620300207
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Classes\Interface\{93F2F68C-1D1B-11D3-A30E-00C04F79ABD1}\ProxyStubClsid32 Access: query value and read or execute	success or wait	1620300502
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_Classes\Interface\{93F2F68C-1D1B-11D3-A30E-00C04F79ABD1}\ProxyStubClsid32 Access: maximum allowed	object name not found	1620302416
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{93F2F68C-1D1B-11D3-A30E-00C04F79ABD1}\ProxyStubClsid32 Name: NULL	success or wait	1620302660
Key opened	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Objects\{871C5380-42A0-1069-A2EA-08002B30309D} Access: query value and read or execute	object name not found	1620304102
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings Access: query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1620305901
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings Access: query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1620306924
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings Access: query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1620307242
Performance counter queried	Count: 1620308398 Frequency: 3579545	success or wait	1620308375
Key value queried	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings Name: CreateUriCacheSize	object name not found	1620308624
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings Access: query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1620309000
Performance counter queried	Count: 1620309435 Frequency: 3579545	success or wait	1620309413
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings Name: CreateUriCacheSize	object name not found	1620309659
Performance counter queried	Count: 1620311352 Frequency: 3579545	success or wait	1620311327
Key value queried	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings Name: EnablePunycode	object name not found	1620311589
Performance counter queried	Count: 1620312044 Frequency: 3579545	success or wait	1620312021
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings Name: EnablePunycode	success or wait	1620312282
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE Access: query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1620313069
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE Access: query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1620313479
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE Access: query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1620316065
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE Access: query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1620316380
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl Access: query value and read or execute	success or wait	1620317087
Key opened	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ALLOW_REVERSE_SOLIDUS_IN_USERINFO_KB932562 Access: query value and read or execute	object name not found	1620317474
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_CLASSES\CLSID\{11016101-E366-4D22-BC06-4ADA335C892B}\ShellFolder Access: maximum allowed	object name not found	1620319539
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{11016101-E366-4D22-BC06-4ADA335C892B}\ShellFolder Access: maximum allowed	success or wait	1620319897
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_Classes\CLSID\{11016101-E366-4D22-BC06-4ADA335C892B}\ShellFolder Access: maximum allowed	object name not found	1620321836
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{11016101-E366-4D22-BC06-4ADA335C892B}\ShellFolder Name: WantsParseDisplayName	object name not found	1620322034
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_CLASSES\CLSID\{1F4DE370-D627-11D1-BA4F-00A0C91EEDBA}\ShellFolder Access: maximum allowed	object name not found	1620323000
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{1F4DE370-D627-11D1-BA4F-00A0C91EEDBA}\ShellFolder Access: maximum allowed	success or wait	1620323231
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_Classes\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\ShellFolder Access: maximum allowed	object name not found	1620325399
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\ShellFolder Name: WantsParseDisplayName	object name not found	1620325596
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_CLASSES\CLSID\{450D8FBA-AD25-11D0-98A8-0800361B1103}\ShellFolder Access: maximum allowed	object name not found	1620326558
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{450D8FBA-AD25-11D0-98A8-0800361B1103}\ShellFolder Access: maximum allowed	success or wait	1620326788
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_Classes\CLSID\{450D8FBA-AD25-11D0-98A8-0800361B1103}\ShellFolder Access: maximum allowed	object name not found	1620328448
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{450D8FBA-AD25-11D0-98A8-0800361B1103}\ShellFolder Name: WantsParseDisplayName	object name not found	1620328734
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_CLASSES\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\ShellFolder Access: maximum allowed	object name not found	1620329671
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\ShellFolder Access: maximum allowed	success or wait	1620329901
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\ShellFolder Access: maximum allowed	object name not found	1620331587
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\ShellFolder Name: WantsParseDisplayName	object name not found	1620331783
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_CLASSES\CLSID\{E17D4FC0-5564-11D1-83F2-00A0C90DC849}\ShellFolder Access: maximum allowed	object name not found	1620333050
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{E17D4FC0-5564-11D1-83F2-00A0C90DC849}\ShellFolder Access: maximum allowed	success or wait	1620333367
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_Classes\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder Access: maximum allowed	object name not found	1620335109
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder Name: WantsParseDisplayName	object name not found	1620335312
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks Access: query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1620335962
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_CLASSES\CLSID\{AEB6717E-7E19-11D0-97EE-00C04FD91972}\InProcServer32 Access: query value and read or execute	object name not found	1620337229
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{AEB6717E-7E19-11D0-97EE-00C04FD91972}\InProcServer32 Access: query value and read or execute	success or wait	1620337491
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_Classes\CLSID\{AEB6717E-7E19-11d0-97EE-00C04FD91972}\InProcServer32 Access: maximum allowed	object name not found	1620339245
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AEB6717E-7E19-11d0-97EE-00C04FD91972}\InProcServer32 Name: NULL	success or wait	1620339556
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_Classes\CLSID\{AEB6717E-7E19-11d0-97EE-00C04FD91972}\InProcServer32 Access: maximum allowed	object name not found	1620341325
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AEB6717E-7E19-11d0-97EE-00C04FD91972}\InProcServer32 Name: LoadWithoutCOM	object name not found	1620341616
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\csrcs.exe Access: query value and read or execute	object name not found	1620342827
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Associations Access: query value and read or execute	object name not found	1620348578
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Policies\Associations Access: query value and read or execute	object name not found	1620348828
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Associations Access: query value and read or execute	object name not found	1620349534
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Policies\Associations Access: query value and read or execute	object name not found	1620349774
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Associations Access: query value and read or execute	object name not found	1620350474
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Policies\Associations Access: query value and read or execute	object name not found	1620350715
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Associations Access: query value and read or execute	object name not found	1620351413
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Policies\Associations Access: query value and read or execute	object name not found	1620351654
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_CLASSES\.exe Access: query value and read or execute	object name not found	1620360892
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Classes\.exe Access: query value and read or execute	success or wait	1620361167
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_Classes\.exe Access: maximum allowed	object name not found	1620373538
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.exe Name: NULL	success or wait	1620373765
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_CLASSES\.ade Access: query value and read or execute	object name not found	1620375070
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Classes\.ade Access: query value and read or execute	object name not found	1620375399
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_CLASSES\.adp Access: query value and read or execute	object name not found	1620376067
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Classes\.adp Access: query value and read or execute	object name not found	1620376382
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_CLASSES\.app Access: query value and read or execute	object name not found	1620377036
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Classes\.app Access: query value and read or execute	object name not found	1620377349
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_CLASSES\.asp Access: query value and read or execute	object name not found	1620378003
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Classes\.asp Access: query value and read or execute	success or wait	1620378312
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_Classes\.asp Access: maximum allowed	object name not found	1620380108
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.asp Name: NULL	success or wait	1620380304
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_CLASSES\.bas Access: query value and read or execute	object name not found	1620381271
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Classes\.bas Access: query value and read or execute	object name not found	1620381504
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_CLASSES\.bat Access: query value and read or execute	object name not found	1620382282
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Classes\.bat Access: query value and read or execute	success or wait	1620382515
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_Classes\.bat Access: maximum allowed	object name not found	1620384769
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.bat Name: NULL	success or wait	1620385067
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_CLASSES\.cer Access: query value and read or execute	object name not found	1620386436
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Classes\.cer Access: query value and read or execute	success or wait	1620386667
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_Classes\.cer Access: maximum allowed	object name not found	1620388338
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.cer Name: NULL	success or wait	1620388533
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_CLASSES\.chm Access: query value and read or execute	object name not found	1620389532
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Classes\.chm Access: query value and read or execute	success or wait	1620389859
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_Classes\.chm Access: maximum allowed	object name not found	1620391503
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.chm Name: NULL	success or wait	1620391700
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_CLASSES\.cmd Access: query value and read or execute	object name not found	1620392661
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Classes\.cmd Access: query value and read or execute	success or wait	1620392891
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_Classes\.cmd Access: maximum allowed	object name not found	1620394606
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.cmd Name: NULL	success or wait	1620394887
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_CLASSES\.com Access: query value and read or execute	object name not found	1620395852
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Classes\.com Access: query value and read or execute	success or wait	1620396184
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_Classes\.com Access: maximum allowed	object name not found	1620398264
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.com Name: NULL	success or wait	1620398546
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_CLASSES\.cpl Access: query value and read or execute	object name not found	1620399511
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Classes\.cpl Access: query value and read or execute	success or wait	1620399740
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_Classes\.cpl Access: maximum allowed	object name not found	1620401447
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.cpl Name: NULL	success or wait	1620401643
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_CLASSES\.crt Access: query value and read or execute	object name not found	1620402604
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Classes\.crt Access: query value and read or execute	success or wait	1620402919
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_Classes\.crt Access: maximum allowed	object name not found	1620404769
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.crt Name: NULL	success or wait	1620404967
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_CLASSES\.csh Access: query value and read or execute	object name not found	1620405934
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Classes\.csh Access: query value and read or execute	object name not found	1620406165
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\COM3 Access: query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1620406873
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\COM3 Name: REGDBVersion	success or wait	1620407158
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\COM3 Access: query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1620407979
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\COM3 Name: REGDBVersion	success or wait	1620408242
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_CLASSES\CLSID\{7B8A2D94-0AC9-11D1-896C-00C04FB6BFC4} Access: query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1620409317
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{7B8A2D94-0AC9-11D1-896C-00C04FB6BFC4} Access: query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1620409581
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_Classes\CLSID\{7b8a2d94-0ac9-11d1-896c-00c04Fb6bfc4}\TreatAs Access: query value and read or execute	object name not found	1620413846
Key opened	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7b8a2d94-0ac9-11d1-896c-00c04Fb6bfc4}\TreatAs Access: query value and read or execute	object name not found	1620414249
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_CLASSES\ Access: query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1620415042
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_CLASSES\CLSID\{7B8A2D94-0AC9-11D1-896C-00C04FB6BFC4} Access: query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1620416126
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{7B8A2D94-0AC9-11D1-896C-00C04FB6BFC4} Access: query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1620416472
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_Classes\CLSID\{7b8a2d94-0ac9-11d1-896c-00c04Fb6bfc4}\InprocServer32 Access: maximum allowed	object name not found	1620418437
Key opened	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7b8a2d94-0ac9-11d1-896c-00c04Fb6bfc4}\InprocServer32 Access: maximum allowed	success or wait	1620418715
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_Classes\CLSID\{7b8a2d94-0ac9-11d1-896c-00c04Fb6bfc4}\InprocServer32 Access: maximum allowed	object name not found	1620421116
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7b8a2d94-0ac9-11d1-896c-00c04Fb6bfc4}\InprocServer32 Name: InprocServer32	object name not found	1620421352
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_Classes\CLSID\{7b8a2d94-0ac9-11d1-896c-00c04Fb6bfc4}\InprocServerX86 Access: maximum allowed	object name not found	1620423537
Key opened	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7b8a2d94-0ac9-11d1-896c-00c04Fb6bfc4}\InprocServerX86 Access: maximum allowed	object name not found	1620423815
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_Classes\CLSID\{7b8a2d94-0ac9-11d1-896c-00c04Fb6bfc4}\LocalServer32 Access: maximum allowed	object name not found	1620425667
Key opened	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7b8a2d94-0ac9-11d1-896c-00c04Fb6bfc4}\LocalServer32 Access: maximum allowed	object name not found	1620425940
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_Classes\CLSID\{7b8a2d94-0ac9-11d1-896c-00c04Fb6bfc4}\InprocServer32 Access: maximum allowed	object name not found	1620427697
Key opened	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7b8a2d94-0ac9-11d1-896c-00c04Fb6bfc4}\InprocServer32 Access: maximum allowed	success or wait	1620428047
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_Classes\CLSID\{7b8a2d94-0ac9-11d1-896c-00c04Fb6bfc4}\InprocServer32 Access: maximum allowed	object name not found	1620430369
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7b8a2d94-0ac9-11d1-896c-00c04Fb6bfc4}\InprocServer32 Name: NULL	success or wait	1620430625
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_Classes\CLSID\{7b8a2d94-0ac9-11d1-896c-00c04Fb6bfc4}\InprocHandler32 Access: maximum allowed	object name not found	1620433383
Key opened	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7b8a2d94-0ac9-11d1-896c-00c04Fb6bfc4}\InprocHandler32 Access: maximum allowed	object name not found	1620433665
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_Classes\CLSID\{7b8a2d94-0ac9-11d1-896c-00c04Fb6bfc4}\InprocHandlerX86 Access: maximum allowed	object name not found	1620435430
Key opened	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7b8a2d94-0ac9-11d1-896c-00c04Fb6bfc4}\InprocHandlerX86 Access: maximum allowed	object name not found	1620435842
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_Classes\CLSID\{7b8a2d94-0ac9-11d1-896c-00c04Fb6bfc4}\LocalServer32 Access: maximum allowed	object name not found	1620437621
Key opened	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7b8a2d94-0ac9-11d1-896c-00c04Fb6bfc4}\LocalServer32 Access: maximum allowed	object name not found	1620437899
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_Classes\CLSID\{7b8a2d94-0ac9-11d1-896c-00c04Fb6bfc4}\LocalServer Access: maximum allowed	object name not found	1620440049
Key opened	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7b8a2d94-0ac9-11d1-896c-00c04Fb6bfc4}\LocalServer Access: maximum allowed	object name not found	1620440476
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_CLASSES\CLSID\{7B8A2D94-0AC9-11D1-896C-00C04FB6BFC4} Access: query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1620443056
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{7B8A2D94-0AC9-11D1-896C-00C04FB6BFC4} Access: query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1620443348
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_Classes\CLSID\{7b8a2d94-0ac9-11d1-896c-00c04Fb6bfc4} Access: maximum allowed	object name not found	1620445522
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7b8a2d94-0ac9-11d1-896c-00c04Fb6bfc4} Name: AppID	object name not found	1620445857
Process opened	Access: query information PID: 1580 Path: C:\bfgbhk.ex.exe Cmdline: C:\bfgbhk.ex.exe	success or wait	1620447397
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_CLASSES\CLSID\{7B8A2D94-0AC9-11D1-896C-00C04FB6BFC4} Access: query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1620448612
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{7B8A2D94-0AC9-11D1-896C-00C04FB6BFC4} Access: query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1620448981
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_Classes\CLSID\{7b8a2d94-0ac9-11d1-896c-00c04Fb6bfc4}\InprocServer32 Access: maximum allowed	object name not found	1620462476
Key opened	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7b8a2d94-0ac9-11d1-896c-00c04Fb6bfc4}\InprocServer32 Access: maximum allowed	success or wait	1620462770
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_Classes\CLSID\{7b8a2d94-0ac9-11d1-896c-00c04Fb6bfc4}\InprocServer32 Access: maximum allowed	object name not found	1620464869
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7b8a2d94-0ac9-11d1-896c-00c04Fb6bfc4}\InprocServer32 Name: ThreadingModel	success or wait	1620465130
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_CLASSES\CLSID\{7B8A2D94-0AC9-11D1-896C-00C04FB6BFC4} Access: query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1620466611
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{7B8A2D94-0AC9-11D1-896C-00C04FB6BFC4} Access: query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1620466902
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_Classes\CLSID\{7b8a2d94-0ac9-11d1-896c-00c04Fb6bfc4}\TreatAs Access: query value and read or execute	object name not found	1620470077
Key opened	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7b8a2d94-0ac9-11d1-896c-00c04Fb6bfc4}\TreatAs Access: query value and read or execute	object name not found	1620470367
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_CLASSES\CLSID\{7B8A2D94-0AC9-11D1-896C-00C04FB6BFC4}\InProcServer32 Access: query value and read or execute	object name not found	1620472077
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{7B8A2D94-0AC9-11D1-896C-00C04FB6BFC4}\InProcServer32 Access: query value and read or execute	success or wait	1620472403
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_Classes\CLSID\{7b8a2d94-0ac9-11d1-896c-00c04Fb6bfc4}\InprocServer32 Access: maximum allowed	object name not found	1620474159
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7b8a2d94-0ac9-11d1-896c-00c04Fb6bfc4}\InprocServer32 Name: NULL	success or wait	1620474363
Mutant created	Name: \BaseNamedObjects\Local\ZonesCounterMutex	object name exists	1620475519
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ Access: query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1620475899
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl Access: query value and read or execute	success or wait	1620476357
Key opened	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ZONES_CHECK_ZONEMAP_POLICY_KB941001 Access: query value and read or execute	object name not found	1620476665
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Policies Access: query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1620477144
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Policies Access: query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1620477492
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software Access: query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1620477793
Key opened	Path: HKEY_LOCAL_MACHINE\Software Access: query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1620478149
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings Access: query value and read or execute	object name not found	1620478429
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings Access: query value and read or execute	object name not found	1620478722
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ Access: query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1620479067
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ Access: query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1620479505
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\ Access: query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1620480928
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ Access: query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1620484577
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ Access: query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1620485643
Key opened	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\msn.com Access: query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1620486921
Key opened	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\msn.com\related Access: query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1620488001
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl Access: query value and read or execute	success or wait	1620490192
Key opened	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_USE_IETLDLIST_FOR_DOMAIN_DETERMINATION Access: query value and read or execute	object name not found	1620490615
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Internet Explorer\IETld Access: query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1620492532
Performance counter queried	Count: 1620493329 Frequency: 3579545	success or wait	1620493306
Key value queried	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Internet Explorer\IETld Name: IETldDllVersionLow	success or wait	1620493594
Performance counter queried	Count: 1620493969 Frequency: 3579545	success or wait	1620493945
Key value queried	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Internet Explorer\IETld Name: IETldDllVersionHigh	success or wait	1620494310
Performance counter queried	Count: 1620505447 Frequency: 3579545	success or wait	1620505418
Key value queried	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Internet Explorer\IETld Name: IETldVersionLow	success or wait	1620506685
Performance counter queried	Count: 1620507304 Frequency: 3579545	success or wait	1620507281
Key value queried	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Internet Explorer\IETld Name: IETldVersionHigh	success or wait	1620507577
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl Access: query value and read or execute	success or wait	1620508723
Key opened	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_INITIALIZE_URLACTION_SHELLEXECUTE_TO_ALLOW_KB936610 Access: query value and read or execute	object name not found	1620509033
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer Access: query value and read or execute	object name not found	1620509842
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Policies\Microsoft\Internet Explorer Access: query value and read or execute	object name not found	1620510107
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Internet Explorer\Security Access: query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1620510350
Key value queried	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Internet Explorer\Security Name: DisableSecuritySettingsCheck	object name not found	1620510722
Key opened	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Security Access: query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1620511313
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Security Name: DisableSecuritySettingsCheck	object name not found	1620511664
Section created	Access: query and map write and map read Protection: read write Attributes: commit Path: \BaseNamedObjects\Local\UrlZonesSM_Hanuele Baser Type: commit Baseaddress: 015E0000 Entrypoint: not known Mapped to pid: own pid Size: 1000	object name exists	1620515228
Mutant created	Name: \BaseNamedObjects\Local\ZoneAttributeCacheCounterMutex	object name exists	1620515904
Key opened	Path: HKEY_LOCAL_MACHINE\System\Setup Access: query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1620516301
Key value queried	Path: HKEY_LOCAL_MACHINE\SYSTEM\Setup Name: SystemSetupInProgress	success or wait	1620516705
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\ Access: query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1620517198
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0 Access: query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1620517589
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1 Access: query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1620518078
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2 Access: query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1620518614
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 Access: query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1620519115
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 Access: query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1620519564
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\ Access: query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1620520236
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\ Access: query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1620520589
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\ Access: query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1620520849
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\ Access: query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1620521107
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\ Access: query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1620521445
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\ Access: query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1620521777
Mutant created	Name: \BaseNamedObjects\Local\ZonesCacheCounterMutex	object name exists	1620522607
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0 Access: query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1620522929
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0 Access: query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1620523269
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0 Access: query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1620523630
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0 Access: query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1620523899
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0 Access: query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1620524171
Key value queried	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0 Name: Flags	success or wait	1620524548
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1 Access: query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1620525798
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1 Access: query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1620526130
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1 Access: query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1620526486
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1 Access: query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1620526754
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1 Access: query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1620527060
Key value queried	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1 Name: Flags	success or wait	1620527427
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ Access: query value and set value and create sub key and enumerate sub key and notify and read or execute and write and read control	success or wait	1620528443
Key value set	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap Name: ProxyBypass Type: Dword Data: 1	success or wait	1620529042
Key value set	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap Name: IntranetName Type: Dword Data: 1	success or wait	1620529543
Key value set	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap Name: UNCAsIntranet Type: Dword Data: 1	success or wait	1620529799
Key value set	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap Name: AutoDetect Type: Dword Data: 1	success or wait	1620530054
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2 Access: query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1620531695
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2 Access: query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1620532099
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2 Access: query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1620532504
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2 Access: query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1620532772
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2 Access: query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1620533041
Key value queried	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2 Name: Flags	success or wait	1620533409
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 Access: query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1620538267
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 Access: query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1620538609
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 Access: query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1620539041
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 Access: query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1620540062
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 Access: query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1620540829
Key value queried	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 Name: Flags	success or wait	1620541119
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 Access: query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1620542297
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 Access: query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1620543293
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 Access: query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1620543563
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 Access: query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1620543826
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 Access: query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1620544186
Key value queried	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 Name: Flags	success or wait	1620544467
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN Access: query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1620545896
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN Access: query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1620546200
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN Access: query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1620546799
Performance counter queried	Count: 1620547205 Frequency: 3579545	success or wait	1620547181
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN Name: bfgbhk.ex.exe	object name not found	1620547444
Performance counter queried	Count: 1620547806 Frequency: 3579545	success or wait	1620547783
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN Name: *	object name not found	1620548125
Mutant created	Name: \BaseNamedObjects\Local\ZoneAttributeCacheCounterMutex	object name exists	1620548479
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\ Access: query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1620548798
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\ Access: query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1620549146
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\ Access: query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1620549405
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\ Access: query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1620549665
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\ Access: query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1620550002
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\ Access: query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1620550298
Mutant created	Name: \BaseNamedObjects\Local\ZonesLockedCacheCounterMutex	object name exists	1620551596
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0 Access: query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1620551906
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0 Access: query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1620552364
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0 Access: query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1620552637
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0 Access: query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1620552904
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0 Access: query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1620553254
Key value queried	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0 Name: Flags	success or wait	1620553539
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1 Access: query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1620554764
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1 Access: query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1620555182
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1 Access: query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1620555453
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1 Access: query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1620555718
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1 Access: query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1620556070
Key value queried	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1 Name: Flags	success or wait	1620556352
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ Access: query value and set value and create sub key and enumerate sub key and notify and read or execute and write and read control	success or wait	1620557146
Key value set	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap Name: ProxyBypass Type: Dword Data: 1	success or wait	1620557625
Key value set	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap Name: IntranetName Type: Dword Data: 1	success or wait	1620557884
Key value set	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap Name: UNCAsIntranet Type: Dword Data: 1	success or wait	1620558140
Key value set	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap Name: AutoDetect Type: Dword Data: 1	success or wait	1620558476
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2 Access: query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1620562953
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2 Access: query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1620563381
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2 Access: query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1620563653
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2 Access: query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1620564001
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2 Access: query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1620564270
Key value queried	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2 Name: Flags	success or wait	1620564588
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3 Access: query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1620565848
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3 Access: query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1620566181
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3 Access: query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1620566451
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3 Access: query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1620566795
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 Access: query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1620567062
Key value queried	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 Name: Flags	success or wait	1620567342
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4 Access: query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1620568607
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4 Access: query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1620568937
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4 Access: query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1620569280
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4 Access: query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1620569638
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 Access: query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1620569906
Key value queried	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 Name: Flags	success or wait	1620570186
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl Access: query value and read or execute	success or wait	1620572938
Key opened	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ZONES_DEFAULT_DRIVE_INTRANET_KB941000 Access: query value and read or execute	object name not found	1620573259
Performance counter queried	Count: 1620574291 Frequency: 3579545	success or wait	1620574266
Key value queried	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings Name: SpecialFoldersCacheSize	object name not found	1620574632
Performance counter queried	Count: 1620574993 Frequency: 3579545	success or wait	1620574969
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings Name: SpecialFoldersCacheSize	object name not found	1620575750
Key created	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders Access: maximum allowed Options: non volatile	success or wait	1620577496
Key value queried	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders Name: Cache	success or wait	1620577810
Key created	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders Access: maximum allowed Options: non volatile	success or wait	1620579000
Key value set	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders Name: Cache Type: String Data: C:\Documents and Settings\Hanuele Baser\Local Settings\Temporary Internet Files	success or wait	1620579973
Key created	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders Access: maximum allowed Options: non volatile	success or wait	1620581626
Key value queried	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders Name: Cookies	success or wait	1620581933
Key created	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders Access: maximum allowed Options: non volatile	success or wait	1620583079
Key value set	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders Name: Cookies Type: String Data: C:\Documents and Settings\Hanuele Baser\Cookies	success or wait	1620583947
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0 Access: query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1620594650
Key value queried	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0 Name: 1806	success or wait	1620594925
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Access: query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1620596144
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers Name: TransparentEnabled	success or wait	1620596373
Key opened	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Objects\{20D04FE0-3AEA-1069-A2D8-08002B30309D} Access: query value and read or execute	object name not found	1620597314
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_CLASSES\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32 Access: query value and read or execute	object name not found	1620599015
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32 Access: query value and read or execute	success or wait	1620599483
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32 Access: maximum allowed	object name not found	1620624227
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32 Name: NULL	success or wait	1620624578
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume Access: maximum allowed	success or wait	1620626792
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{edc2bb13-b32c-11de-8127-806d6172696f}\ Access: maximum allowed	success or wait	1620627296
Key value queried	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{edc2bb13-b32c-11de-8127-806d6172696f} Name: Generation	success or wait	1620627873
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_CLASSES\Drive\shellex\FolderExtensions Access: enumerate sub key and read or execute	object name not found	1620629057
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Classes\Drive\shellex\FolderExtensions Access: enumerate sub key and read or execute	success or wait	1620629335
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_Classes\Drive\shellex\FolderExtensions Access: maximum allowed	object name not found	1620631358
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_CLASSES\Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9} Access: query value and read or execute	object name not found	1620632615
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Classes\Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9} Access: query value and read or execute	success or wait	1620632884
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_Classes\Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9} Access: maximum allowed	object name not found	1620634748
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9} Name: DriveMask	success or wait	1620635054
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_CLASSES\Directory Access: maximum allowed	object name not found	1620638792
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Classes\Directory Access: maximum allowed	success or wait	1620639085
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_Classes\Directory\CurVer Access: query value and read or execute	object name not found	1620641103
Key opened	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\CurVer Access: query value and read or execute	object name not found	1620641392
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_Classes\Directory Access: maximum allowed	object name not found	1620643332
Key opened	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\ Access: maximum allowed	success or wait	1620643711
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\ Access: maximum allowed	success or wait	1620645382
Key value queried	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer Name: ShellState	success or wait	1620645763
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Policies\System Access: query value and read or execute	object name not found	1620647745
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced Access: maximum allowed	success or wait	1620657187
Key value queried	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced Name: Hidden	success or wait	1620657562
Key value queried	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced Name: ShowCompColor	success or wait	1620658001
Key value queried	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced Name: HideFileExt	success or wait	1620658344
Key value queried	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced Name: DontPrettyPath	success or wait	1620658681
Key value queried	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced Name: ShowInfoTip	success or wait	1620659792
Key value queried	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced Name: HideIcons	success or wait	1620660137
Key value queried	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced Name: MapNetDrvBtn	success or wait	1620660474
Key value queried	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced Name: WebView	success or wait	1620661355
Key value queried	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced Name: Filter	success or wait	1620661786
Key value queried	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced Name: ShowSuperHidden	success or wait	1620662124
Key value queried	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced Name: SeparateProcess	success or wait	1620662470
Key value queried	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced Name: NoNetCrawling	success or wait	1620662888
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_Classes\Directory\ShellEx\IconHandler Access: query value and read or execute	object name not found	1620665673
Key opened	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\ShellEx\IconHandler Access: query value and read or execute	object name not found	1620665971
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_Classes\Directory Access: maximum allowed	object name not found	1620667837
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory Name: DocObject	object name not found	1620668168
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_Classes\Directory Access: maximum allowed	object name not found	1620670175
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory Name: BrowseInPlace	object name not found	1620670427
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_Classes\Directory\Clsid Access: query value and read or execute	object name not found	1620672410
Key opened	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\Clsid Access: query value and read or execute	object name not found	1620672700
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_CLASSES\Folder Access: maximum allowed	object name not found	1620673551
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Classes\Folder Access: maximum allowed	success or wait	1620673835
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_Classes\Folder\Clsid Access: query value and read or execute	object name not found	1620675800
Key opened	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\Clsid Access: query value and read or execute	object name not found	1620676179
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_Classes\Directory Access: maximum allowed	object name not found	1620678025
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory Name: IsShortcut	object name not found	1620678273
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_Classes\Directory Access: maximum allowed	object name not found	1620680303
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory Name: AlwaysShowExt	success or wait	1620680550
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_Classes\Directory Access: maximum allowed	object name not found	1620683132
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory Name: NeverShowExt	object name not found	1620683396
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.exe Access: maximum allowed	object name not found	1620688142
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.exe Access: maximum allowed	object name not found	1620688660
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_CLASSES\.exe Access: maximum allowed	object name not found	1620689405
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Classes\.exe Access: maximum allowed	success or wait	1620689799
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_Classes\.exe Access: maximum allowed	object name not found	1620691781
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.exe Name: NULL	success or wait	1620692020
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_CLASSES\exefile Access: maximum allowed	object name not found	1620692947
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Classes\exefile Access: maximum allowed	success or wait	1620693411
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_Classes\exefile\CurVer Access: query value and read or execute	object name not found	1620695351
Key opened	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\CurVer Access: query value and read or execute	object name not found	1620695636
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_Classes\exefile Access: maximum allowed	object name not found	1620698099
Key opened	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\ Access: maximum allowed	success or wait	1620701474
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_Classes\exefile\shell Access: maximum allowed	object name not found	1620703562
Key opened	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell Access: maximum allowed	success or wait	1620703822
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_Classes\exefile\shell Access: maximum allowed	object name not found	1620705637
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell Name: NULL	object name not found	1620705932
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_Classes\exefile\shell\open Access: maximum allowed	object name not found	1620708163
Key opened	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open Access: maximum allowed	success or wait	1620708420
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_Classes\exefile\shell\open\command Access: query value and read or execute	object name not found	1620710615
Key opened	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command Access: query value and read or execute	success or wait	1620710963
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_Classes\exefile\shell\open\command Access: maximum allowed	object name not found	1620712830
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command Name: NULL	success or wait	1620713050
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\RestrictRun Access: query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1620713762
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_Classes\exefile\shell\open\command Access: query value and read or execute	object name not found	1620715530
Key opened	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command Access: query value and read or execute	success or wait	1620715784
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_Classes\exefile\shell\open\command Access: maximum allowed	object name not found	1620717529
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command Name: command	object name not found	1620717738
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\csrcs.exe Access: query value and read or execute	object name not found	1620718358
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_Classes\exefile\shell\open\command Access: query value and read or execute	object name not found	1620720911
Key opened	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command Access: query value and read or execute	success or wait	1620721254
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_Classes\exefile\shell\open\command Access: maximum allowed	object name not found	1620723099
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command Name: NULL	success or wait	1620726814
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_Classes\exefile\shell\open\ddeexec Access: query value and read or execute	object name not found	1620729039
Key opened	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\ddeexec Access: query value and read or execute	object name not found	1620729395
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_CLASSES\Applications\csrcs.exe Access: maximum allowed	object name not found	1620730151
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Classes\Applications\csrcs.exe Access: maximum allowed	object name not found	1620730505
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\ShellNoRoam Access: maximum allowed	success or wait	1620732091
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-220523388-1935655697-1343024091-1003 Access: query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1620734453
Key opened	Path: HKEY_USERS Access: maximum allowed	success or wait	1620735320
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003 Access: query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1620743596
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-220523388-1935655697-1343024091-1003 Access: query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1620750126
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-220523388-1935655697-1343024091-1003 Access: query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1620751249
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-220523388-1935655697-1343024091-1003 Name: Flags	success or wait	1620751621
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-220523388-1935655697-1343024091-1003 Name: State	success or wait	1620752154
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-220523388-1935655697-1343024091-1003 Name: UserPreference	object name not found	1620752563
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-220523388-1935655697-1343024091-1003 Name: CentralProfile	success or wait	1620752888
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-220523388-1935655697-1343024091-1003 Name: ProfileImagePath	success or wait	1620753205
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-220523388-1935655697-1343024091-1003 Name: ProfileLoadTimeLow	success or wait	1620753620
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-220523388-1935655697-1343024091-1003 Name: ProfileLoadTimeHigh	success or wait	1620754056
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache Access: maximum allowed	success or wait	1620755316
Key value queried	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache Name: LangID	success or wait	1620756344
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache\ Access: maximum allowed	success or wait	1620756685
Key value queried	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache Name: C:\WINDOWS\system32\csrcs.exe	object name not found	1620757038
Section created	Access: map write and map read and map execute Protection: execute Attributes: commit Path: not known Type: commit Baseaddress: 01EA0000 Entrypoint: not known Mapped to pid: own pid Size: 8C64E	success or wait	1620760675
File opened	Path: C:\WINDOWS\system32\csrcs.exe Access: read attributes and synchronize and generic read Disposition: open Options: synchronous io non alert and non directory file Attributes: none	success or wait	1620763737
Section created	Access: query and map read Protection: readonly Attributes: commit Path: not known Type: commit Baseaddress: 01EA0000 Entrypoint: not known Mapped to pid: own pid Size: 8C64E	success or wait	1620764150
Section created	Access: map write and map read and map execute Protection: execute Attributes: commit Path: not known Type: commit Baseaddress: 01EA0000 Entrypoint: not known Mapped to pid: own pid Size: 8C64E	success or wait	1620769456
File opened	Path: C:\WINDOWS\system32\csrcs.exe Access: read attributes and synchronize and generic read Disposition: open Options: synchronous io non alert and non directory file Attributes: none	success or wait	1620772781
Section created	Access: query and map read Protection: readonly Attributes: commit Path: not known Type: commit Baseaddress: 01EA0000 Entrypoint: not known Mapped to pid: own pid Size: 8C64E	success or wait	1620773163
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\FileAssociation Access: query value and read or execute	success or wait	1620796913
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileAssociation Name: CutList	success or wait	1620797333
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\FileAssociation Access: query value and read or execute	success or wait	1620798428
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileAssociation Name: CutList	success or wait	1620798709
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache\ Access: maximum allowed	success or wait	1620799540
Key value set	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache Name: C:\WINDOWS\system32\csrcs.exe Type: String Data: f*[+]4a	success or wait	1620800000
File opened	Path: C:\WINDOWS\system32\csrcs.exe Access: read attributes and write attributes and synchronize and generic read Disposition: open Options: synchronous io non alert and non directory file Attributes: none	success or wait	1620802222
File other operation	Disposition: BasicInformation Data: 00 00 00 00 00 00 00 00 6B 55 A8 61 8C 32 CB 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Path: C:\WINDOWS\system32\csrcs.exe	success or wait	1620802803
File read	Path: C:\WINDOWS\system32\csrcs.exe	success or wait	1620803114
File other operation	Disposition: PositionInformation Data: 10 01 00 00 00 00 00 00 Path: C:\WINDOWS\system32\csrcs.exe	success or wait	1620803387
File read	Path: C:\WINDOWS\system32\csrcs.exe	success or wait	1620803665
File other operation	Disposition: PositionInformation Data: 58 01 00 00 00 00 00 00 Path: C:\WINDOWS\system32\csrcs.exe	success or wait	1620804445
File read	Path: C:\WINDOWS\system32\csrcs.exe	success or wait	1620804643
File other operation	Disposition: PositionInformation Data: 6C 01 00 00 00 00 00 00 Path: C:\WINDOWS\system32\csrcs.exe	success or wait	1620804928
File read	Path: C:\WINDOWS\system32\csrcs.exe	success or wait	1620805120
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\csrcs.exe Access: query value and read or execute	object name not found	1620805620
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer Access: query value and read or execute	success or wait	1620806249
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer Name: InheritConsoleHandles	object name not found	1620806581
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer Access: query value and read or execute	success or wait	1620807900
Key value queried	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer Name: InheritConsoleHandles	object name not found	1620808213
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer Access: query value and read or execute	success or wait	1620809131
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer Name: RestrictRun	object name not found	1620809378
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer Access: query value and read or execute	success or wait	1620809916
Key value queried	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer Name: RestrictRun	object name not found	1620810168
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer Access: query value and read or execute	success or wait	1620811045
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer Name: DisallowRun	object name not found	1620811384
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer Access: query value and read or execute	success or wait	1620811837
Key value queried	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer Name: DisallowRun	object name not found	1620812170
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\csrcs.exe Access: query value and read or execute	object name not found	1620812630
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\csrcs.exe Access: query value and read or execute	object name not found	1620812941
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer Access: query value and read or execute	success or wait	1620813549
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer Name: NoRunasInstallPrompt	object name not found	1620813798
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer Access: query value and read or execute	success or wait	1620814345
Key value queried	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer Name: NoRunasInstallPrompt	object name not found	1620815038
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\csrcs.exe Access: query value and read or execute	object name not found	1620815605
Section created	Access: query and map write and map read and map execute and extend size Protection: execute Attributes: image Path: not known Type: image Baseaddress: not known Entrypoint: 4CBBB0 Mapped to pid: own pid Size: E7000	success or wait	1620816545
File opened	Path: C:\WINDOWS\AppPatch\sysmain.sdb Access: read attributes and synchronize and generic read Disposition: open Options: synchronous io non alert and non directory file Attributes: normal	success or wait	1621090695
Section created	Access: map read Protection: readonly Attributes: commit Path: not known Type: commit Baseaddress: 01EA0000 Entrypoint: not known Mapped to pid: own pid Size: 125ED2	success or wait	1621091287
File other operation	Operation: 00000018 Path: C:\WINDOWS\AppPatch\systest.sdb Access: read attributes and synchronize and generic read Disposition: open Options: synchronous io non alert and non directory file Attributes: normal	object name not found	1621092675
Key opened	Path: HKEY_LOCAL_MACHINE\System\WPA\TabletPC Access: query value and wow64 64key and wow64 resource and read or execute	object name not found	1621093079
Key opened	Path: HKEY_LOCAL_MACHINE\SYSTEM\WPA\MediaCenter Access: query value and wow64 64key and wow64 resource and read or execute	success or wait	1621093419
Key value queried	Path: HKEY_LOCAL_MACHINE\SYSTEM\WPA\MediaCenter Name: Installed	success or wait	1621093756
File overwritten	Path: \Device\NamedPipe\ShimViewer Access: write data or add file and append data or add subdirectory or create pipe instance and write ea and write attributes and read control and synchronize Disposition: open Options: no options Attributes: normal	object name not found	1621094594
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers Access: wow64 64key and wow64 resource and generic read	object name not found	1621101714
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers Access: wow64 64key and wow64 resource and generic read	object name not found	1621103487
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\csrcs.exe Access: wow64 64key and wow64 resource and generic read	object name not found	1621103768
Key opened	Path: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot\Option Access: query value and set value and read or execute and write	object name not found	1621112368
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Access: maximum allowed	success or wait	1621114571
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003 Access: query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1621116615
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Access: maximum allowed	object name not found	1621117068
Section created	Access: query and map read Protection: readonly Attributes: commit Path: not known Type: commit Baseaddress: 01EA0000 Entrypoint: not known Mapped to pid: own pid Size: 8C64E	success or wait	1621124748
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Access: query value and read or execute	success or wait	1621125727
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers Name: LogFileName	object name not found	1621126206
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csrcs.exe Access: generic read	object name not found	1621133506
System info queried	Type: WatchdogTimerHandler	success or wait	1621133978
Process created	Access: terminate and create thread and set session id and vm operation and vm read and vm write and dupclicate handle and create process and set quota and set information and query information and set port or suspend or resume PID: 488 Path: C:\WINDOWS\system32\csrcs.exe Cmdline: C:\WINDOWS\system32\csrcs.exe Createflags: 00000000	success or wait	1621134250
Memory read	PID: 488 Path: C:\WINDOWS\system32\csrcs.exe Base: 7FFD6008 Length: 00000004 Value: 00 00 40 00	success or wait	1621137538
Memory read	PID: 488 Path: C:\WINDOWS\system32\csrcs.exe Base: 00400000 Length: 00001000 Value: 4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00 B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 01 00 00 0E 1F BA 0E 00 B4 09 CD 21 B8 01 4C CD 21 54 68 69 73 20 70 72 6F 67 72 61 6D 20 63 61 6E 6E 6F 74 20 62 65 20 72 75 6E 20 69 6E 20 44 4F 53 20 6D 6F 64 65 2E 0D 0D 0A 24 00 00 00 00 00 00 00 2D 82 C1 ED 69 E3 AF BE 69 E3 AF BE 69 E3 AF BE D4 AC 39 BE 6B E3 AF BE 60 9B 3A BE 77 E3 AF BE 60 9B 2C BE DB E3 AF BE 60 9B 2B BE 50 E3 AF BE 4E 25 C2 BE 63 E3 AF BE 4E 25 D4 BE 48 E3 AF BE 69 E3 AE BE 64 E1 AF BE 60 9B 20 BE 2F E3 AF BE 77 B1 3A BE 6B E3 AF BE 77 B1 3B BE 68 E3 AF BE 69 E3 38 BE 68 E3 AF BE 60 9B 3E BE 68 E3 AF BE 52 69 63 68 69 E3 AF BE 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4C 01 03 00 15 16 C8 4B 00 00 00 00 00 00 00 00 E0 00 23 01 0B 01 09 00 00 20 04 00 00 B0 01 00 00 90 08 00 B0 BB 0C 00 00 A0 08 00 00 C0 0C 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 00 00 00 00 00 00 05 00 00 00 00 00 00 00 00 70 0E 00 00 10 00 00 00 00 00 00 02 00 00 80 00 00 40 00 00 10 00 00 00 00 40 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 D8 61 0E 00 B0 03 00 00 00 C0 0C 00 D8 A1 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 55 50 58 30 00 00 00 00 00 90 08 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 E0 55 50 58 31 00 00 00 00 00 20 04 00 00 A0 08 00 00 1E 04 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 E0 2E 72 73 72 63 00 00 00 00 B0 01 00 00 C0 0C 00 00 A6 01 00 00 22 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 C0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 33 2E 30 33 00 55 50 58 21 0D 09 08 0A 26 00 88 9D EB 10 16 A4 9B 91 0C 00 A2 1B 04 00 4E 0C 0E 00 26 11 00 D9 FB DF FF FF 33 C0 81 EC AC 03 00 00 38 05 92 72 49 00 74 43 68 A4 18 50 8D 54 24 0C 52 A2 23 FF BF BF BD 89 81 8C 01 20 E8 11 01 21 EC A1 C0 1E 83 C4 0C 8D 0C 24 51 6A 02 C7 44 FE DF 6B EF 24 08 A8 56 89 0E 0C 16 10 4A 00 FF 15 8C 24 48 00 81 C4 B7 FF FF ED A1 C3 CC 01 8B 46 24 53 33 DB 3B C3 0F 85 4A 85 02 00 1A 2C 89 5E 6F DA 73 90 24 89 5E 30 04 34 38 88 5E 10 FB 36 DB BB 5B 65 80 7E 09 00 3A 95 82 6A 08 EA 07 16 E0 70 FF B7 7F 04 85 C0 74 10 8B 17 89 06 4E 04 89 48 04 FF 06 89 46 04 C3 16 1E BC 6C 4C 74 1B D7 DF 14 8B 4C B0 ED 82 0B 24 53 8B 5C 3E 57 8B 7C 1A 50 51 8E 06 FF DB 2F 1C EC 5F 5B C2 10 00 3E 55 8B EC 83 E4 F8 51 56 3B 1D 9B 6E FF 6F F6 75 50 81 FF C8 3A 73 28 83 FF 12 72 23 3B 3D 80 93 4A FC 84 72 D6 37 0B FE 0F 54 55 0C 8B 45 08 52 50 57 53 AA 84 26 5E 8B E5 DB 7E 9F F6 5D C2 08 00 5E 13 75 23 36 68 B8 84 58 8B F3 BA 07 0F 9B E0 02 2C 16 3F 49 60 A7 FF 6F B6 DB EB BE A4 10 77 39 98 A5 D5 8D 47 FF 83 F8 06 77 9F FF 24 85 14 BF 7B 5E C1 12 40 B4 01 A8 D0 B9 85 E8 78 FE FF FF 6A 36 BB ED B4 00 22 CC 91 D1 12 03 77 61 07 A7 B5 D3 80 C9 96 11 10 90 5F 66 DB 6F 0F 42 51 64 FF E9 11 02 D7 1D 70 68 EE 2C A5 76 9F F7 67 DC 68 68 48 48 96 D8 83 3D BD 00 A3 EE 69 E7 0D A8 62 59 2E D4 A3 2D F0 91 DD 6B D1 01 04 A3 FF FE AD 90 C1 11 9C EF 93 57 44 75 06 0D E7 E6 42 0F D6 2C 5A FB 74 5A A8 83 E8 DC 57 64 84 E6 70 77 C3 77 61 58 01 8D F2 14 50 C7 08 41 FE F0 B8 FF 61 8B 84 24 C0 16 64 46 0E 6C 80 3D BC D2 3A 3C A1 C6 3A 10 94 8B BC 24 B4 81 AB 68 7A 81 74 89 58 10 75 90 C1 1E DB 83 12 C9 97 0E 80 7F 0F 0A 98 E2 19 3E 81 72 38 9F 84 64 16 53 56 6F 43 71 BA 05 E9 1D DC B6 3F 3E B4 9D E6 EB C2 04 A8 03 F8 09 50 74 02 EB 1C D8 BF 3F 56 8D B3 EC A6 57 C7 06 70 A0 4E 0C F8 27 38 E6 50 AA 5E 3D 8D 06 3A 1D 69 BE 7F 2C 16 1C 8D 7B 78 0E 03 5C 34 4B 24 F7 45 EE F6 2F 5F 10 14 5E E9 13 9F 0C FF 08 08 CD F4 7B C3 83 38 44 14 8B 0E 51 93 8B 56 5A A5 CD BB 5B D1 08 17 01 56 8B F7 AC 00 77 70 58 7B 95 14 2C 1D 0C 5E 4D 8B 06 30 81 F2 41 5F 57 8D BE 03 8E 93 4C D2 46 39 14 AC 9C 8C BE D8 EF 21 7E 08 0E F4 9C 5F FD CC 6A 04 D5 66 43 9A 8B 86 C2 82 C7 00 55 6C 9F 60 93 6A 0C C3 3F F1 40 33 C9 1A 08 BA BF C7 8A 3B F7 F7 E2 0F FA C7 46 1E 16 D9 0B C8 ED BB EF BD 51 79 3E 06 80 66 89 C7 03 DC 8B C6 5E CB BF 9F 85 23 1E 69 2E 17 CC 84 C0 6E AE 02 2A 47 36 77 19 04 EC 85 85 61 C5 CC 54 57 39 7E 7F 8B 94 24 18 5A 8D 04 24 60 46 08 51 68 3C CC 8A 83 04 14 52 86 20 23 7C 2F D3 4E 57 2E B8 E8 7F 1E C8 11 C8 B3 6F DB D8 B8 D8 1B 62 33 D2 FE 50 FE 66 39 54 6E CC 18 72 D3 4C 11 60 54 52 B8 F8 1D CA 22 EB D8 1C 28 B6 D4 7F 1E 14 81 D9 6D 9E 02 08 40 04 FB B4 81 69 AF 3D 7C FB 83 EC 74 3A 53 55 56 57 BD 0B E8 18 06 2C 3C CF F3 3C 30 24 20 1C 28 34 9F E6 F3 60 64 88 68 69 89 54 3E CD A7 F9 58 88 5C 5D 89 48 4C 88 82 4F F3 69 50 51 89 78 7C 88 10 69 BE D9 BB 80 B4 0C 81 C3 3C 06 40 88 44 D3 7C 9A EF 45 16 6C 89 70 74 88 75 EF 0F 5E FD 14 3B 2D 90 8E 42 8F D4 24 85 ED 0F 8E CC 0E 8B EF 20 F8 FE DD C1 E3 04 03 1D C4 30 85 DB E0 6D 45 8D 45 FF 27 C5 FF EB A3 14 80 E6 53 04 8B 02 0F B7 70 08 30 68 DF FE FF CF 34 00 66 83 FE 7F 74 16 8B C2 90 8B 78 04 83 C0 04 41 1E 7F 08 7F 75 F2 00 8E FF 4D 94 76 01 49 66 85 F6 75 9C 8B 32 D2 36 ED 5A BB 04 04 74 7F 08 0D 9C 47 C2 10 0E E9 00 EB 6D A5 55 08 22 5F E8 05 16 1C 0F 87 6C 0C 02 A8 FE 50 0F B6 88 94 19 E4 60 CC 80 0D A6 FD 0C 8B 4A 04 A2 79 90 15 9A E6 59 D1 70 18 6C 5A 01 A2 BE 9A 54 1A F0 A6 01 E4 1C 14 52 50 51 E8 34 1F AF 6A 03 E6 38 8B A6 2C 34 30 2E D9 E2 9D 00 CF 3C 85 19 5D A0 65 3A 34 1D 82 DB A8 00 66 E8 6E 74 BA 04 8A F2 47 F8 DF 0A BB 89 26 BC 92 75 E8 44 A1 2F 83 3E 05 75 E3 AF 6D 80 AB FE 8A E3 D2 83 39 1C 1E C6 14 E9 E2 7B 8A FF 59 38 40 8D C2 8D 74 1B 60 30 B4 DB A9 00 8C FA EC 43 28 C2 0E 9E 03 6C F3 78 08 9A A8 8B B4 23 CD 29 78 D9 F6 9D FE 9F EC 8B 4F 99 FF 3D 5F ED 6B 68 20 06 14 83 9A 3C BC CD 80 7D DD 77 AF 14 45 76 CC 14 E0 40 8B CB 3C C2 B2 4C 91 D6 DE E6 48 20 8C F5 6E 39 14 14 A8 48 B8 CA 73 C1 A1 23 33 20 34 34 67 77 F7 AF 11 33 70 05 80 33 DB 0D 9F 8B 52 FC D7 1C 74 95 7A BE C1 5C A2 4C 4B B4 37 52 70 8E 54 4C 1A 06 39 5D FB 06 79 70 5A 58 4C 32 07 54 18 19 59 F0 79 68 3B DF 02 C6 FD 1A 79 1A 4E C5 06 4C F8 28 2C 6D C5 45 E7 20 2A 51 6A 00 01 96 7D 3D 5D 1B 3D 39 CA 12 07 7E D8 6C 83 0C F2 5A 4D DC 10 3C 78 48 C5 32 C8 20 54 60 6E C3 F0 ED 7A 5F 5E 5D 5B 12 74 C3 E4 30 40 B8 3A BD C1 B9 08 8F B9 98 8C E0 1C 05 34 49 1E 38 0C 1B 12 E0 06 4A 19 90 19 CE CD 97 51 1C 6C 64 40 6E 09 45 24 78 07 83 33 2C 6D 1C 4B 85 6B 21 0B CC 2F F4 FA 6C AE A2 95 F9 0C F2 E1 FA 5C 6D 6C 1C 1C 98 C1 24 7F 1C 8F FC 1B A1 05 41 3A E4 40 2A B7 AF 24 78 52 7C 06 99 64 78 78 24 D0 97 A7 FD 9F 8C 37 11 8B FF 58 B0 42 00 A8 AF 06 B6 F9 9E E7 F9 8D 18 40 00 FA 5C B0 0A 36 10 AE BE E7 BD A7 4E 80 0E 47 06 E7 36 36 26 16 77 5F B5 D9 06 84 15 00 01 BA 03 04 05 06 0F 01 07 07 08 70 42 1E F9 09 0A 0B 0C 0F 0D 0E CC 8D 4E 4C 79 D2 8E 4D 0E 14 04 E9 3F 74 93 49 31 57 F8 7A 82 DC 7C 4A FC F7 B7 79 B0 4D A6 BF CC 14 51 52 8B C6 5C 32 5C B0 01 5F C3 86 D9 69 2A 98 34 10 2A 51 26 7F 65 6B 41 4D 9F AE 00 77 08 C0 A6 FF D9 C7 47 0A 00 C3 53 56 33 F6 8B 47 F0 1C B0 08 0F 2A 21 48 46 CB 05 53 23 84 BD BD 99 46 3B 52 72 E0 5E 5B 5B DF FB 3B FE 7F 10 3B 50 1C 7D 19 56 8D 72 01 89 30 8B 40 6E 04 90 5E 3B C8 74 05 CC 05 16 E2 E6 30 7C C3 68 E8 7C 8B C1 A5 EE C2 15 B8 32 C0 C3 5E 38 A1 9C 5A 53 55 8B 2E EC A6 BB EA 44 56 57 96 BF 98 77 42 0A 38 C5 79 80 05 48 FE 30 01 62 08 76 E0 CF 34 0B 6C 6A 01 B2 2C 51 6E EE 07 1F 1C 7D 79 8B CE 2D 8B 3D 98 8E D8 F6 D7 F7 70 28 1C 82 BC E8 28 BF AC 95 8D 07 90 66 58 85 54 52 85 2C 5E E0 43 7C 4A 88 1D 7C 89 9D F8 BD 4C 6D EE F7 31 9C 42 CB 02 B5 C7 85 2B 95 51 08 31 93 C8 5F 38 2E 1F 76 31 4E 87 39 D1 6C 83 C0 01 0A 41 13 A1 01 F6 81 38 16 07 E8 85 44 05 77 03 03 C0 03 1F FE 02 31 46 11 E8 34 09 02 52 57 50 89 06 E4 33 54 F8 BE FF 6C BB 14 43 81 85 98 41 90 7C DF C6 E8 1A 15 7E F4 9B DC 3B F8 0F 83 BF 89 D2 06 8D 04 78 81 03 16 3C 0C 51 B0 E9 AE 64 FB 5C ED BB D8 7D 48 04 C7 84 29 13 5C A0 06 95 27 42 E2 88 29 46 BB 77 11 89 8C 28 60 1F 85 4C CE 0C FE D4 10 79 A5 D2 48 03 68 14 77 31 C0 E6 27 E6 88 27 BD 14 2E BE 7B DF C0 78 0B 0F 87 FA 8A 02 22 E4 64 18 33 8B B9 BC 8C 54 F4 93 04 FD AE D9 31 C5 F9 8D B5 1C 35 7E C0 06 00 A5 79 CE F8 8D 5D EC BF 24 7B 03 5D 38 3F 02 55 83 BC 29 68 98 29 1F EE 37 D0 74 43 00 3B FF 05 3D 04 10 73 A7 E0 0B F0 8C 89 BC 28 5B 28 ED 93 E7 FB CB FC 8B 8D 85 51 2A 2A 75 C7 FE 64 76 1A 6C 66 41 D6 45 D8 BF 5F FD C7 BB E6 FB 8D 75 CC 0E F7 EC BC 43 AC 8D 4D 9C 21 C4 69 2F DB 68 60 FE 03 7C 14 44 55 13 BC E0 CF 9D 3C B9 02 60 8D 64 5B C1 BD 2C 15 7A E5 7A 0C FD 9D D9 96 27 4E 04 51 32 FC FC 86 A5 E4 E4 81 39 56 04 52 EC C1 96 92 B7 EF 38 DC AD 29 C1 49 7B F9 85 D0 FC F8 BC 14 C0 8C 3E D6 4E DA 64 B0 FC 2A 98 5C 96 8C 15 20 2D 48 73 D6 AC 80 56 3C A2 20 93 B4 14 2C 1C FE 1B C0 C9 6C 86 EC FB 0B 2F CF 0C 1B 4E FC 41 FF 81 EC B8 C6 D6 A2 C8 91 21 9A 74 E3 79 F0 28 46 87 27 1E 6C 32 A3 FC B0 C4 A3 FD 4D 01 38 F8 8A FC BE DE 0A B8 D6 10 18 50 08 0C 41 DE CA 8E D3 42 91 9A 85 03 7E 60 12 E7 DA DD AA EA 56 D2 F8 70 4A 8F C3 2C 40 45 F7 06 43 8D 8C 24 20 B8 56 51 F5 85 76 E0 35 A8 8B 15 56 6A 7F 50 1A E9 4B F4 63 F4 05 A5 94 74 77 DE B9 98 14 22 38 04 15 3C DF FB BE F3 04 7C 22 66 B6 30 50 A4 4C 62 33 D2 81 E9 49 CF 51 66 36 4D B8 D2 B9 C6 10 63 20 8D CE B2 92 A0 C3 82 27 23 A5 1E C6 63 8C E9 E6 F7 1F 50 FA C1 B9 30 1A D1 D6 7C 30 64 33 ED 50 D3 19 9F ED E0 89 6C 86 22 19 3C 48 C2 CF 35 5B C1 7D A2 55 9A 1C 23 B8 17 34 EF 66 F0 4F B8 8C 6A 4C 28 8A D8 C7 05 E5 31 1F E0 01 FE F7 AC BF A8 47 B1 18 A1 33 C0 1E A0 01 44 5E A7 28 96 09 DC B0 1D 06 4C 11 BF C0 57 66 70 7B 1B 09 F2 28 6F B9 FB 73 E0 7B 90 AD AF AC 14 51 3A 68 52 55 20 C8 13 62 40 B3 52 58 7B 2E B8 DD 36 49 B0 5C 11 CB 0A 6C 8B 74 4A F3 00 F7 56 68 D0 E0 6E 05 CC 08 2F 17 D2 CC EC A0 2A EC F4 14 48 0F E4 32 21 FC 3C 75 45 3A 0D 66 C5 84 DB F2 3C A1 0C FC 1E 3E 12 F3 51 ED 72 52 85 47 F0 B0 2B 43 08 3D 83 ED 02 31 66 D5 B8 0F DD 83 3D 44 D4 00 94 10 8C 5B F1 8D B8 22 0E A2 64 8D 45 01 50 96 8B C7 54 B5 AF 1D E0 D7 DC E0 01 06 57 16 C0 2C 92 18 B7 0F 7F 10 6A 8B C7 46 08 77 2E 6E 7E 2F 33 3E 5B 0C EC DB 43 53 49 10 48 51 D6 3C 8B CF 0D 83 F6 08 2D 3B DD C4 B6 9E 57 01 BA B7 8A 27 5E 50 45 2C B0 C4 1D 7C CA 3C 0E 50 EC E9 28 60 69 A9 6A DE 54 8B 78 40 9E B0 4D 7E D7 50 01 6C 08 42 F3 81 39 BE F8 9E 84 A7 83 55 FE 44 E8 32 01 0E 0C 07 39 01 7F 21 8B F8 17 C0 3E BF 72 30 1C 8B 16 9E 48 51 55 52 BE 53 C9 03 BD 72 AA A2 FF 09 15 32 C2 85 F3 67 CA 83 74 97 80 08 61 C7 06 EB A7 0E B7 C2 41 DF 68 95 7C 56 BE 5F 7B E9 83 44 F0 8A B4 24 92 C4 2B D8 41 CD CC BC 7B 8B 4F 14 94 2B 48 53 21 D1 08 28 18 24 5D 97 DE EA 34 89 77 45 00 2B C6 72 20 06 71 AF F1 0B 72 4C 8B 04 91 F2 33 C7 9E 05 B7 F3 6B FE 12 2C D2 02 08 8B 50 06 4C 32 D1 AD 40 24 48 12 40 0C 01 C2 D9 EE F7 8E BE 98 3C 74 14 76 44 3C 40 52 8D AB 14 2A 91 D3 CE 50 A5 97 24 85 FE 62 93 7D AC 64 8A 93 2E 8B D6 8D 43 01 7D 61 2E 08 DA 65 20 F3 63 DB 20 3F 1B 09 DC 14 94 4B 01 85 14 DC F0 F1 83 7B 08 05 B8 7C 68 B5 D1 02 AC 57 75 4A C1 D2 84 5E 82 7D 54 E5 EB EC A0 36 24 56 FF 31 6A FF B8 1C 11 7E 7A 25 B8 51 57 A7 9B 4C 20 1A 1C F0 D4 46 92 00 17 0C EA 60 41 1A 45 F7 E6 14 39 00 DB 7E 54 38 0F 10 0B D5 A1 F5 D4 82 05 2B 38 8D 0A 5C A9 38 3A 88 3C 9C FA 02 68 96 B8 DE 59 CD 4C 75 70 68 E0 4E 04 C1 77	success or wait	1621138661
Memory read	PID: 488 Path: C:\WINDOWS\system32\csrcs.exe Base: 004CC000 Length: 00000100 Value: 00 00 00 00 00 00 00 00 04 00 00 00 00 00 07 00 03 00 00 00 48 00 00 80 04 00 00 00 08 02 00 80 05 00 00 00 48 02 00 80 06 00 00 00 88 02 00 80 0E 00 00 00 E8 03 00 80 10 00 00 00 B8 04 00 80 18 00 00 00 F8 04 00 80 00 00 00 00 00 00 00 00 04 00 00 00 00 00 09 00 01 00 00 00 A0 00 00 80 02 00 00 00 C8 00 00 80 03 00 00 00 F0 00 00 80 04 00 00 00 18 01 00 80 05 00 00 00 40 01 00 80 06 00 00 00 68 01 00 80 07 00 00 00 90 01 00 80 08 00 00 00 B8 01 00 80 09 00 00 00 E0 01 00 80 00 00 00 00 00 00 00 00 04 00 00 00 00 00 01 00 09 08 00 00 B8 00 00 00 3C C5 0C 00 28 01 00 00 E4 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00 01 00 09 08 00 00 E0 00 00 00 68 C6 0C 00 28 01 00 00 E4 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00 01 00	success or wait	1621145493
Memory read	PID: 488 Path: C:\WINDOWS\system32\csrcs.exe Base: 004CC4F8 Length: 00000018 Value: 00 00 00 00 00 00 00 00 04 00 00 00 00 00 01 00 01 00 00 00 10 05 00 80	success or wait	1621194067
Memory read	PID: 488 Path: C:\WINDOWS\system32\csrcs.exe Base: 004CC510 Length: 00000018 Value: 00 00 00 00 00 00 00 00 04 00 00 00 00 00 01 00 0C 0C 00 00 28 05 00 00	success or wait	1621194285
Memory read	PID: 488 Path: C:\WINDOWS\system32\csrcs.exe Base: 004CC528 Length: 00000010 Value: CC 5E 0E 00 0A 03 00 00 E4 04 00 00 00 00 00 00	success or wait	1621194587
Memory written	PID: 488 Path: C:\WINDOWS\system32\csrcs.exe Base: 00010000 Length: 00000726 Value: null	success or wait	1621217125
Memory written	PID: 488 Path: C:\WINDOWS\system32\csrcs.exe Base: 00020000 Length: 00000678 Value: null	success or wait	1621220236
Memory written	PID: 488 Path: C:\WINDOWS\system32\csrcs.exe Base: 7FFD6010 Length: 00000004 Value: null	success or wait	1621229128
Memory written	PID: 488 Path: C:\WINDOWS\system32\csrcs.exe Base: 7FFD61E8 Length: 00000004 Value: null	success or wait	1621229369
Thread created	Access: terminate and suspend resume and alert and get context and set context and set information and query information and set token and impersonate and direct impersonation PID: 488 TID: 1600 EIP: 7C810705 Imagepath: C:\WINDOWS\system32\csrcs.exe	success or wait	1621233263
Thread delayed	Time: 0 TID: 1320	success or wait	1623468501
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices Access: set value and create sub key and read or execute and write and read control Options: non volatile	success or wait	1623540039
Key value set	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices Name: csrcs Type: String Data: C:\WINDOWS\system32\csrcs.exe	success or wait	1623541964
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run Access: set value and create sub key and read or execute and write and read control Options: non volatile	success or wait	1623543226
Key value set	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run Name: csrcs Type: String Data: C:\WINDOWS\system32\csrcs.exe	success or wait	1623544075
Key created	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Access: set value and create sub key and read or execute and write and read control Options: non volatile	success or wait	1623547872
Key value set	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Name: Shell Type: String Data: Explorer.exe csrcs.exe	success or wait	1623548291
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System Access: query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1623550048
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system Name: EnableLUA	object name not found	1623554199
Key created	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced Access: set value and create sub key and read or execute and write and read control Options: non volatile	success or wait	1623554972
Key value set	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced Name: Hidden Type: Dword Data: 2	success or wait	1623555380
Key created	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced Access: set value and create sub key and read or execute and write and read control Options: non volatile	success or wait	1623555953
Key value set	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced Name: SuperHidden Type: Dword Data: 0	success or wait	1623560096
Key created	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced Access: set value and create sub key and read or execute and write and read control Options: non volatile	success or wait	1623560600
Key value set	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced Name: ShowSuperHidden Type: Dword Data: 0	success or wait	1623561160
Key created	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL Access: set value and create sub key and read or execute and write and read control Options: non volatile	success or wait	1623562310
Key value set	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL Name: CheckedValue Type: Dword Data: 1	success or wait	1623564784
Thread delayed	Time: 0 TID: 5732	success or wait	1623565099
Key created	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\DRM\amty Access: set value and create sub key and read or execute and write and read control Options: non volatile	success or wait	1623597243
Key value set	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DRM\amty Name: fix Type: String Data:	success or wait	1623597577
Key created	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\DRM\amty Access: set value and create sub key and read or execute and write and read control Options: non volatile	success or wait	1623598319
Key value set	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DRM\amty Name: fix1 Type: String Data: 1	success or wait	1623598620
Thread delayed	Time: 0 TID: 5732	success or wait	1623600627
Thread delayed	Time: 0 TID: 5732	success or wait	1623625132
Thread delayed	Time: 0 TID: 5732	success or wait	1623658174
Thread delayed	Time: 0 TID: 5732	success or wait	1623694058
Thread delayed	Time: 0 TID: 5732	success or wait	1623730913
Thread delayed	Time: 0 TID: 5732	success or wait	1623771704
Thread delayed	Time: 0 TID: 5732	success or wait	1623805208
Thread delayed	Time: 0 TID: 5732	success or wait	1623839315
Thread delayed	Time: 0 TID: 5732	success or wait	1623873643
Thread delayed	Time: 0 TID: 5732	success or wait	1623909167
Thread delayed	Time: 0 TID: 5732	success or wait	1623945229
Thread delayed	Time: 0 TID: 5732	success or wait	1624071085
Thread delayed	Time: 0 TID: 5732	success or wait	1625414649
Thread delayed	Time: 0 TID: 5732	success or wait	1625516960
Thread delayed	Time: 0 TID: 5732	success or wait	1625571555
Thread delayed	Time: 0 TID: 5732	success or wait	1625594026
Thread delayed	Time: 0 TID: 5732	success or wait	1625631682
Thread delayed	Time: 0 TID: 5732	success or wait	1625667899
Thread delayed	Time: 0 TID: 5732	success or wait	1625701727
Thread delayed	Time: 0 TID: 5732	success or wait	1625743455
Thread delayed	Time: 0 TID: 5732	success or wait	1625776216
Thread delayed	Time: 0 TID: 5732	success or wait	1625809082
Thread delayed	Time: 0 TID: 5732	success or wait	1626832568
Thread delayed	Time: 0 TID: 5732	success or wait	1626856397
Thread delayed	Time: 0 TID: 5732	success or wait	1626887422
Thread delayed	Time: 0 TID: 5732	success or wait	1626928395
Thread delayed	Time: 0 TID: 5732	success or wait	1626956224
Thread delayed	Time: 0 TID: 5732	success or wait	1626997153
Thread delayed	Time: 0 TID: 5732	success or wait	1627029348
Thread delayed	Time: 0 TID: 5732	success or wait	1627075059
Thread delayed	Time: 0 TID: 5732	success or wait	1627136919
Thread delayed	Time: 0 TID: 5732	success or wait	1627176480
Thread delayed	Time: 0 TID: 5732	success or wait	1627249406
Thread delayed	Time: 0 TID: 5732	success or wait	1627295985
Thread delayed	Time: 0 TID: 5732	success or wait	1627350877
Thread delayed	Time: 0 TID: 5732	success or wait	1627401443
File other operation	Disposition: BasicInformation Data: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 00 00 00 00 Path: C:\bfgbhk.ex.exe	success or wait	1629827409
File deleted	Path: C:\bfgbhk.ex.exe	cannot delete	1632304667
Thread delayed	Time: 0 TID: 5732	success or wait	1632355330
Thread delayed	Time: 0 TID: 5732	success or wait	1632372001
Thread delayed	Time: 0 TID: 5732	success or wait	1632415278
Thread delayed	Time: 0 TID: 5732	success or wait	1632446982
Thread delayed	Time: 0 TID: 5732	success or wait	1632478238
Thread delayed	Time: 0 TID: 5732	success or wait	1632512695
Thread delayed	Time: 0 TID: 5732	success or wait	1632549956
Thread delayed	Time: 0 TID: 5732	success or wait	1632584304
Thread delayed	Time: 0 TID: 5732	success or wait	1632623595
Thread delayed	Time: 0 TID: 5732	success or wait	1632656163
Thread delayed	Time: 0 TID: 5732	success or wait	1632695986
Thread delayed	Time: 0 TID: 5732	success or wait	1632731271
Thread delayed	Time: 0 TID: 5732	success or wait	1632765559
Thread delayed	Time: 0 TID: 5732	success or wait	1632802381
Thread delayed	Time: 0 TID: 5732	success or wait	1632835536
Thread delayed	Time: 0 TID: 5732	success or wait	1632874182
Thread delayed	Time: 0 TID: 5732	success or wait	1632906844
Thread delayed	Time: 0 TID: 5732	success or wait	1632942677
Thread delayed	Time: 0 TID: 5732	success or wait	1632978907
Thread delayed	Time: 0 TID: 5732	success or wait	1633229587
Thread delayed	Time: 0 TID: 5732	success or wait	1633301402
Thread delayed	Time: 0 TID: 5732	success or wait	1633517257
Thread delayed	Time: 0 TID: 5732	success or wait	1633588027
Thread delayed	Time: 0 TID: 5732	success or wait	1633803316
Thread delayed	Time: 0 TID: 5732	success or wait	1633997644
Thread delayed	Time: 0 TID: 5732	success or wait	1634198710
Thread delayed	Time: 0 TID: 5732	success or wait	1634269343
Thread delayed	Time: 0 TID: 5732	success or wait	1634441263
Thread delayed	Time: 0 TID: 5732	success or wait	1634448773
File created	Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd Access: read attributes and synchronize and generic read and generic write Disposition: open if exists Options: synchronous io non alert and non directory file Attributes: normal	success or wait	1634509982
File other operation	Disposition: PositionInformation Data: 00 00 00 00 00 00 00 00 Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1634524854
File other operation	Disposition: PositionInformation Data: 00 00 00 00 00 00 00 00 Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1634597433
File other operation	Disposition: PositionInformation Data: 00 00 00 00 00 00 00 00 Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1634597809
File other operation	Disposition: PositionInformation Data: 00 00 00 00 00 00 00 00 Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1634598076
File other operation	Disposition: PositionInformation Data: 00 00 00 00 00 00 00 00 Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1634630734
File read	Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	end of file	1634631006
File other operation	Disposition: PositionInformation Data: 00 00 00 00 00 00 00 00 Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1634675933
File other operation	Disposition: PositionInformation Data: 00 00 00 00 00 00 00 00 Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1634676242
File write	Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1634701011
Section created	Access: query and map write and map read and map execute and extend size Protection: execute Attributes: image Path: not known Type: image Baseaddress: not known Entrypoint: not known Mapped to pid: own pid Size: not known	invalid image not mz	1634719690
File opened	Path: C:\WINDOWS\AppPatch\sysmain.sdb Access: read attributes and synchronize and generic read Disposition: open Options: synchronous io non alert and non directory file Attributes: normal	success or wait	1634844229
Section created	Access: map read Protection: readonly Attributes: commit Path: not known Type: commit Baseaddress: 01D70000 Entrypoint: not known Mapped to pid: own pid Size: 125ED2	success or wait	1634844927
File other operation	Operation: 00000018 Path: C:\WINDOWS\AppPatch\systest.sdb Access: read attributes and synchronize and generic read Disposition: open Options: synchronous io non alert and non directory file Attributes: normal	object name not found	1634849477
Key opened	Path: HKEY_LOCAL_MACHINE\System\WPA\TabletPC Access: query value and wow64 64key and wow64 resource and read or execute	object name not found	1634849738
Key opened	Path: HKEY_LOCAL_MACHINE\SYSTEM\WPA\MediaCenter Access: query value and wow64 64key and wow64 resource and read or execute	success or wait	1634850018
Key value queried	Path: HKEY_LOCAL_MACHINE\SYSTEM\WPA\MediaCenter Name: Installed	success or wait	1634850372
File overwritten	Path: \Device\NamedPipe\ShimViewer Access: write data or add file and append data or add subdirectory or create pipe instance and write ea and write attributes and read control and synchronize Disposition: open Options: no options Attributes: normal	object name not found	1634851944
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers Access: wow64 64key and wow64 resource and generic read	object name not found	1634889307
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers Access: wow64 64key and wow64 resource and generic read	object name not found	1634892542
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\s.cmd Access: wow64 64key and wow64 resource and generic read	object name not found	1634892805
Key opened	Path: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot\Option Access: query value and set value and read or execute and write	object name not found	1634950654
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Access: maximum allowed	success or wait	1635027940
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003 Access: query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1636008483
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Access: maximum allowed	object name not found	1636010856
Section created	Access: query and map read Protection: readonly Attributes: commit Path: not known Type: commit Baseaddress: 015D0000 Entrypoint: not known Mapped to pid: own pid Size: 72	success or wait	1636289001
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Access: query value and read or execute	success or wait	1636313543
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers Name: LogFileName	object name not found	1636314148
Section created	Access: query and map write and map read and map execute and extend size Protection: execute Attributes: image Path: not known Type: image Baseaddress: not known Entrypoint: 4AD05046 Mapped to pid: own pid Size: 61000	success or wait	1637387625
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe Access: generic read	object name not found	1637394736
System info queried	Type: WatchdogTimerHandler	success or wait	1637471932
Process created	Access: terminate and create thread and set session id and vm operation and vm read and vm write and dupclicate handle and create process and set quota and set information and query information and set port or suspend or resume PID: 492 Path: C:\WINDOWS\system32\cmd.exe Cmdline: cmd /c C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd Createflags: 00000000	success or wait	1637472372
Memory read	PID: 492 Path: C:\WINDOWS\system32\cmd.exe Base: 7FFDE008 Length: 00000004 Value: 00 00 D0 4A	success or wait	1637476057
Memory read	PID: 492 Path: C:\WINDOWS\system32\cmd.exe Base: 4AD00000 Length: 00001000 Value: 4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00 B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 D8 00 00 00 0E 1F BA 0E 00 B4 09 CD 21 B8 01 4C CD 21 54 68 69 73 20 70 72 6F 67 72 61 6D 20 63 61 6E 6E 6F 74 20 62 65 20 72 75 6E 20 69 6E 20 44 4F 53 20 6D 6F 64 65 2E 0D 0D 0A 24 00 00 00 00 00 00 00 1D ED D5 EA 59 8C BB B9 59 8C BB B9 59 8C BB B9 9A 83 B4 B9 5F 8C BB B9 59 8C BA B9 80 8C BB B9 9A 83 E6 B9 5E 8C BB B9 E6 83 DB B9 5B 8C BB B9 9A 83 E5 B9 58 8C BB B9 9A 83 E4 B9 6D 8C BB B9 9A 83 E1 B9 58 8C BB B9 52 69 63 68 59 8C BB B9 00 00 00 00 00 00 00 00 50 45 00 00 4C 01 03 00 AF 5B 02 48 00 00 00 00 00 00 00 00 E0 00 0F 01 0B 01 07 0A 00 F8 01 00 00 F6 03 00 00 00 00 00 46 50 00 00 00 10 00 00 00 F0 01 00 00 00 D0 4A 00 10 00 00 00 02 00 00 05 00 01 00 05 00 01 00 04 00 00 00 00 00 00 00 00 10 06 00 00 04 00 00 DB A9 06 00 03 00 00 80 00 00 10 00 00 00 10 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 40 F6 01 00 50 00 00 00 00 E0 03 00 A0 28 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 C4 05 02 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 93 01 00 40 00 00 00 48 02 00 00 58 00 00 00 00 10 00 00 00 03 00 00 08 F3 01 00 80 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2E 74 65 78 74 00 00 00 20 F6 01 00 00 10 00 00 00 F8 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2E 64 61 74 61 00 00 00 24 CA 01 00 00 10 02 00 00 CA 01 00 00 FC 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 C0 2E 72 73 72 63 00 00 00 A0 28 02 00 00 E0 03 00 00 2A 02 00 00 C6 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2C A1 02 48 28 00 01 00 2C A1 02 48 35 00 00 00 94 A0 02 48 3F 00 00 00 1B A1 02 48 4A 00 00 00 00 00 00 00 00 00 00 00 4B 45 52 4E 45 4C 33 32 2E 64 6C 6C 00 4E 54 44 4C 4C 2E 44 4C 4C 00 6D 73 76 63 72 74 2E 64 6C 6C 00 55 53 45 52 33 32 2E 64 6C 6C 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00	success or wait	1637477008
Memory read	PID: 492 Path: C:\WINDOWS\system32\cmd.exe Base: 4AD3E000 Length: 00000100 Value: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 03 00 00 00 30 00 00 80 0B 00 00 00 80 00 00 80 0E 00 00 00 98 00 00 80 10 00 00 00 B0 00 00 80 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 00 01 00 00 00 C8 00 00 80 02 00 00 00 E0 00 00 80 03 00 00 00 F8 00 00 80 04 00 00 00 10 01 00 80 05 00 00 00 28 01 00 80 06 00 00 00 40 01 00 80 07 00 00 00 58 01 00 80 08 00 00 00 70 01 00 80 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 01 00 00 00 88 01 00 80 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 80 02 00 80 A0 01 00 80 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 01 00 00 00 B8 01 00 80 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 09 04 00 00 D0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 09 04 00 00 E0 01 00 00 00 00 00 00 00 00 00 00	success or wait	1637574226
Memory written	PID: 492 Path: C:\WINDOWS\system32\cmd.exe Base: 00010000 Length: 00000726 Value: null	success or wait	1637659159
Memory written	PID: 492 Path: C:\WINDOWS\system32\cmd.exe Base: 00020000 Length: 0000068C Value: null	success or wait	1637661666
Memory written	PID: 492 Path: C:\WINDOWS\system32\cmd.exe Base: 7FFDE010 Length: 00000004 Value: null	success or wait	1637662259
Memory written	PID: 492 Path: C:\WINDOWS\system32\cmd.exe Base: 7FFDE1E8 Length: 00000004 Value: null	success or wait	1637663943
Memory read	PID: 492 Path: C:\WINDOWS\system32\cmd.exe Base: 7FFDE010 Length: 00000004 Value: 00 00 02 00	success or wait	1637989445
Thread created	Access: terminate and suspend resume and alert and get context and set context and set information and query information and set token and impersonate and direct impersonation PID: 492 TID: 1424 EIP: 7C810705 Imagepath: C:\WINDOWS\system32\cmd.exe	success or wait	1637992669
Performance counter queried	Count: 1639377893 Frequency: 3579545	success or wait	1639373454
Performance counter queried	Count: 1639380762 Frequency: 0	success or wait	1639380741
Performance counter queried	Count: 1639381254 Frequency: 0	success or wait	1639381232
Performance counter queried	Count: 1639390548 Frequency: 0	success or wait	1639388792
Performance counter queried	Count: 1639394702 Frequency: 0	success or wait	1639394677
Performance counter queried	Count: 1639445102 Frequency: 0	success or wait	1639445075
Performance counter queried	Count: 1639445369 Frequency: 0	success or wait	1639445345
Performance counter queried	Count: 1639459267 Frequency: 0	success or wait	1639455639
Performance counter queried	Count: 1639462067 Frequency: 0	success or wait	1639462042
Performance counter queried	Count: 1639467688 Frequency: 0	success or wait	1639467667
Performance counter queried	Count: 1639467866 Frequency: 0	success or wait	1639467845
Performance counter queried	Count: 1639471872 Frequency: 0	success or wait	1639470571
Performance counter queried	Count: 1639474566 Frequency: 0	success or wait	1639474541
Performance counter queried	Count: 1639538775 Frequency: 0	success or wait	1639538748
Performance counter queried	Count: 1639539036 Frequency: 0	success or wait	1639539012
Performance counter queried	Count: 1639539943 Frequency: 0	success or wait	1639539920
Performance counter queried	Count: 1639540202 Frequency: 0	success or wait	1639540179
Performance counter queried	Count: 1639552694 Frequency: 0	success or wait	1639552671
Performance counter queried	Count: 1639557042 Frequency: 0	success or wait	1639557019
Performance counter queried	Count: 1639603872 Frequency: 0	success or wait	1639603846
Performance counter queried	Count: 1639604141 Frequency: 0	success or wait	1639604116
Performance counter queried	Count: 1639604941 Frequency: 0	success or wait	1639604919
Performance counter queried	Count: 1639610851 Frequency: 0	success or wait	1639607860
Performance counter queried	Count: 1639631157 Frequency: 0	success or wait	1639631132
Performance counter queried	Count: 1639632836 Frequency: 0	success or wait	1639632811
Performance counter queried	Count: 1639637105 Frequency: 0	success or wait	1639637084
Performance counter queried	Count: 1639638766 Frequency: 0	success or wait	1639638745
Performance counter queried	Count: 1639650507 Frequency: 0	success or wait	1639650482
Performance counter queried	Count: 1639651380 Frequency: 0	success or wait	1639651354
Performance counter queried	Count: 1639653479 Frequency: 0	success or wait	1639653455
Performance counter queried	Count: 1639654911 Frequency: 0	success or wait	1639654886
Performance counter queried	Count: 1639655782 Frequency: 0	success or wait	1639655757
Performance counter queried	Count: 1639661093 Frequency: 0	success or wait	1639658577
Performance counter queried	Count: 1639669219 Frequency: 0	success or wait	1639669195
Performance counter queried	Count: 1639669777 Frequency: 0	success or wait	1639669753
Performance counter queried	Count: 1639686351 Frequency: 0	success or wait	1639672880
Performance counter queried	Count: 1639689127 Frequency: 0	success or wait	1639689105
Performance counter queried	Count: 1639691646 Frequency: 0	success or wait	1639691619
Performance counter queried	Count: 1639693645 Frequency: 0	success or wait	1639693618
Performance counter queried	Count: 1639702960 Frequency: 0	success or wait	1639700347
Performance counter queried	Count: 1639706080 Frequency: 0	success or wait	1639706057
Performance counter queried	Count: 1639709192 Frequency: 0	success or wait	1639708696
Performance counter queried	Count: 1639711099 Frequency: 0	success or wait	1639711073
Performance counter queried	Count: 1640556769 Frequency: 0	success or wait	1640556744
Performance counter queried	Count: 1640557882 Frequency: 0	success or wait	1640557857
Performance counter queried	Count: 1640566853 Frequency: 0	success or wait	1640566828
Performance counter queried	Count: 1640570223 Frequency: 0	success or wait	1640568367
Performance counter queried	Count: 1640574220 Frequency: 0	success or wait	1640574197
Performance counter queried	Count: 1640577305 Frequency: 0	success or wait	1640575764
Performance counter queried	Count: 1640586292 Frequency: 0	success or wait	1640586266
Performance counter queried	Count: 1640590337 Frequency: 0	success or wait	1640587999
Performance counter queried	Count: 1640594577 Frequency: 0	success or wait	1640594554
Performance counter queried	Count: 1640597653 Frequency: 0	success or wait	1640596522
Performance counter queried	Count: 1640604904 Frequency: 0	success or wait	1640603319
Performance counter queried	Count: 1640606821 Frequency: 0	success or wait	1640606795
Performance counter queried	Count: 1640608631 Frequency: 0	success or wait	1640608605
Performance counter queried	Count: 1640611400 Frequency: 0	success or wait	1640610444
Performance counter queried	Count: 1640614588 Frequency: 0	success or wait	1640614563
Performance counter queried	Count: 1640614851 Frequency: 0	success or wait	1640614827
Performance counter queried	Count: 1640622401 Frequency: 0	success or wait	1640622377
Performance counter queried	Count: 1640623074 Frequency: 0	success or wait	1640623049
Performance counter queried	Count: 1640627266 Frequency: 0	success or wait	1640627243
Performance counter queried	Count: 1640628148 Frequency: 0	success or wait	1640628126
Performance counter queried	Count: 1640636439 Frequency: 0	success or wait	1640636413
Performance counter queried	Count: 1640637157 Frequency: 0	success or wait	1640637133
Performance counter queried	Count: 1640640324 Frequency: 0	success or wait	1640640301
Performance counter queried	Count: 1640642355 Frequency: 0	success or wait	1640642330
Performance counter queried	Count: 1640643671 Frequency: 0	success or wait	1640643645
Performance counter queried	Count: 1640649105 Frequency: 0	success or wait	1640646500
Performance counter queried	Count: 1640658855 Frequency: 0	success or wait	1640658829
Performance counter queried	Count: 1640663753 Frequency: 0	success or wait	1640661116
Performance counter queried	Count: 1640666778 Frequency: 0	success or wait	1640666755
Performance counter queried	Count: 1640667696 Frequency: 0	success or wait	1640667670
Performance counter queried	Count: 1640672191 Frequency: 0	success or wait	1640672168
Performance counter queried	Count: 1640673998 Frequency: 0	success or wait	1640673976
Performance counter queried	Count: 1640689511 Frequency: 0	success or wait	1640689485
Performance counter queried	Count: 1640690543 Frequency: 0	success or wait	1640690518
Performance counter queried	Count: 1640700403 Frequency: 0	success or wait	1640700379
Performance counter queried	Count: 1640701190 Frequency: 0	success or wait	1640701165
Performance counter queried	Count: 1640711944 Frequency: 0	success or wait	1640709573
Performance counter queried	Count: 1640714239 Frequency: 0	success or wait	1640714214
Performance counter queried	Count: 1640717327 Frequency: 0	success or wait	1640716980
Performance counter queried	Count: 1640719507 Frequency: 0	success or wait	1640719482
Performance counter queried	Count: 1640722215 Frequency: 0	success or wait	1640722195
Performance counter queried	Count: 1640722384 Frequency: 0	success or wait	1640722363
Performance counter queried	Count: 1640723010 Frequency: 0	success or wait	1640722987
Performance counter queried	Count: 1640730413 Frequency: 0	success or wait	1640727619
Performance counter queried	Count: 1640735634 Frequency: 0	success or wait	1640735608
Performance counter queried	Count: 1640737876 Frequency: 0	success or wait	1640737850
Performance counter queried	Count: 1640746892 Frequency: 0	success or wait	1640746869
Performance counter queried	Count: 1640747497 Frequency: 0	success or wait	1640747475
Performance counter queried	Count: 1640752617 Frequency: 0	success or wait	1640752591
Performance counter queried	Count: 1640758931 Frequency: 0	success or wait	1640755244
Performance counter queried	Count: 1640766678 Frequency: 0	success or wait	1640764639
Performance counter queried	Count: 1640769474 Frequency: 0	success or wait	1640769450
Performance counter queried	Count: 1640772577 Frequency: 0	success or wait	1640772552
Performance counter queried	Count: 1640773996 Frequency: 0	success or wait	1640773972
Performance counter queried	Count: 1640774784 Frequency: 0	success or wait	1640774762
Performance counter queried	Count: 1640779999 Frequency: 0	success or wait	1640777358
Performance counter queried	Count: 1640783076 Frequency: 0	success or wait	1640783055
Performance counter queried	Count: 1640783952 Frequency: 0	success or wait	1640783931
Performance counter queried	Count: 1640793444 Frequency: 0	success or wait	1640791715
Performance counter queried	Count: 1640795641 Frequency: 0	success or wait	1640795617
Performance counter queried	Count: 1640800630 Frequency: 0	success or wait	1640799653
Performance counter queried	Count: 1640802465 Frequency: 0	success or wait	1640802439
Performance counter queried	Count: 1640807762 Frequency: 0	success or wait	1640806552
Performance counter queried	Count: 1640809317 Frequency: 0	success or wait	1640809295
Performance counter queried	Count: 1640815775 Frequency: 0	success or wait	1640815751
Performance counter queried	Count: 1640817737 Frequency: 0	success or wait	1640817713
Performance counter queried	Count: 1640824430 Frequency: 0	success or wait	1640824408
Performance counter queried	Count: 1640828857 Frequency: 0	success or wait	1640825731
Performance counter queried	Count: 1640835449 Frequency: 0	success or wait	1640835078
Performance counter queried	Count: 1640836667 Frequency: 0	success or wait	1640836643
Performance counter queried	Count: 1640837585 Frequency: 0	success or wait	1640837561
Performance counter queried	Count: 1640837845 Frequency: 0	success or wait	1640837821
Performance counter queried	Count: 1640847015 Frequency: 0	success or wait	1640839661
Performance counter queried	Count: 1640849251 Frequency: 0	success or wait	1640849225
Performance counter queried	Count: 1640849987 Frequency: 0	success or wait	1640849965
Performance counter queried	Count: 1640850161 Frequency: 0	success or wait	1640850140
Performance counter queried	Count: 1640858185 Frequency: 0	success or wait	1640858162
Performance counter queried	Count: 1640858359 Frequency: 0	success or wait	1640858338
Performance counter queried	Count: 1640865603 Frequency: 0	success or wait	1640865575
Performance counter queried	Count: 1640865970 Frequency: 0	success or wait	1640865945
Performance counter queried	Count: 1640866580 Frequency: 0	success or wait	1640866555
Performance counter queried	Count: 1640866843 Frequency: 0	success or wait	1640866818
Performance counter queried	Count: 1640867345 Frequency: 0	success or wait	1640867323
Performance counter queried	Count: 1640871298 Frequency: 0	success or wait	1640869085
Performance counter queried	Count: 1640873659 Frequency: 0	success or wait	1640873633
Performance counter queried	Count: 1640874022 Frequency: 0	success or wait	1640873998
Performance counter queried	Count: 1640874624 Frequency: 0	success or wait	1640874599
Performance counter queried	Count: 1640874887 Frequency: 0	success or wait	1640874862
Performance counter queried	Count: 1640875463 Frequency: 0	success or wait	1640875438
Performance counter queried	Count: 1640880392 Frequency: 0	success or wait	1640876686
Performance counter queried	Count: 1640883226 Frequency: 0	success or wait	1640883200
Performance counter queried	Count: 1640883489 Frequency: 0	success or wait	1640883465
Performance counter queried	Count: 1640884388 Frequency: 0	success or wait	1640884364
Performance counter queried	Count: 1640888830 Frequency: 0	success or wait	1640885715
Performance counter queried	Count: 1640890887 Frequency: 0	success or wait	1640890862
Performance counter queried	Count: 1640892285 Frequency: 0	success or wait	1640892207
Performance counter queried	Count: 1640892967 Frequency: 0	success or wait	1640892942
Performance counter queried	Count: 1640893228 Frequency: 0	success or wait	1640893204
Performance counter queried	Count: 1640900150 Frequency: 0	success or wait	1640900129
Performance counter queried	Count: 1640900475 Frequency: 0	success or wait	1640900333
Performance counter queried	Count: 1640907995 Frequency: 0	success or wait	1640907970
Performance counter queried	Count: 1640908357 Frequency: 0	success or wait	1640908332
Performance counter queried	Count: 1640909617 Frequency: 0	success or wait	1640909592
Performance counter queried	Count: 1640915786 Frequency: 0	success or wait	1640910961
Performance counter queried	Count: 1640918922 Frequency: 0	success or wait	1640918900
Performance counter queried	Count: 1640919181 Frequency: 0	success or wait	1640919157
Performance counter queried	Count: 1640927710 Frequency: 0	success or wait	1640927684
Performance counter queried	Count: 1640928019 Frequency: 0	success or wait	1640927993
Performance counter queried	Count: 1640935532 Frequency: 0	success or wait	1640935507
Performance counter queried	Count: 1640935794 Frequency: 0	success or wait	1640935770
Performance counter queried	Count: 1640943476 Frequency: 0	success or wait	1640943451
Performance counter queried	Count: 1640943738 Frequency: 0	success or wait	1640943714
Performance counter queried	Count: 1640950489 Frequency: 0	success or wait	1640950468
Performance counter queried	Count: 1640950750 Frequency: 0	success or wait	1640950726
Performance counter queried	Count: 1640954986 Frequency: 0	success or wait	1640952547
Performance counter queried	Count: 1640957200 Frequency: 0	success or wait	1640957176
Performance counter queried	Count: 1640958018 Frequency: 0	success or wait	1640957996
Performance counter queried	Count: 1640958190 Frequency: 0	success or wait	1640958169
Performance counter queried	Count: 1640964515 Frequency: 0	success or wait	1640964491
Performance counter queried	Count: 1640964876 Frequency: 0	success or wait	1640964852
Performance counter queried	Count: 1640966018 Frequency: 0	success or wait	1640965995
Performance counter queried	Count: 1640969760 Frequency: 0	success or wait	1640967192
Performance counter queried	Count: 1640973057 Frequency: 0	success or wait	1640973035
Performance counter queried	Count: 1640973331 Frequency: 0	success or wait	1640973310
Performance counter queried	Count: 1640974429 Frequency: 0	success or wait	1640974407
Performance counter queried	Count: 1640980070 Frequency: 0	success or wait	1640976444
Performance counter queried	Count: 1640983219 Frequency: 0	success or wait	1640983196
Performance counter queried	Count: 1640983482 Frequency: 0	success or wait	1640983458
Performance counter queried	Count: 1640994218 Frequency: 0	success or wait	1640989272
Performance counter queried	Count: 1640996278 Frequency: 0	success or wait	1640996256
Performance counter queried	Count: 1640997392 Frequency: 0	success or wait	1640997371
Performance counter queried	Count: 1640997661 Frequency: 0	success or wait	1640997637
Performance counter queried	Count: 1640998321 Frequency: 0	success or wait	1640998296
Performance counter queried	Count: 1640998589 Frequency: 0	success or wait	1640998565
Performance counter queried	Count: 1641003540 Frequency: 0	success or wait	1641000115
Performance counter queried	Count: 1641006069 Frequency: 0	success or wait	1641006044
Performance counter queried	Count: 1641022324 Frequency: 0	success or wait	1641022300
Performance counter queried	Count: 1641023610 Frequency: 0	success or wait	1641023586
Performance counter queried	Count: 1641031847 Frequency: 0	success or wait	1641031823
Performance counter queried	Count: 1641034060 Frequency: 0	success or wait	1641034036
Performance counter queried	Count: 1641035365 Frequency: 0	success or wait	1641035342
Performance counter queried	Count: 1641035626 Frequency: 0	success or wait	1641035602
Performance counter queried	Count: 1641045458 Frequency: 0	success or wait	1641045438
Performance counter queried	Count: 1641045633 Frequency: 0	success or wait	1641045612
Performance counter queried	Count: 1641046226 Frequency: 0	success or wait	1641046202
Performance counter queried	Count: 1641046485 Frequency: 0	success or wait	1641046462
Performance counter queried	Count: 1641046985 Frequency: 0	success or wait	1641046964
Performance counter queried	Count: 1641051780 Frequency: 0	success or wait	1641051752
Performance counter queried	Count: 1641052782 Frequency: 0	success or wait	1641052761
Performance counter queried	Count: 1641052953 Frequency: 0	success or wait	1641052932
Performance counter queried	Count: 1641053513 Frequency: 0	success or wait	1641053489
Performance counter queried	Count: 1641056455 Frequency: 0	success or wait	1641056429
Performance counter queried	Count: 1641058546 Frequency: 0	success or wait	1641058521
Performance counter queried	Count: 1641059211 Frequency: 0	success or wait	1641059186
Performance counter queried	Count: 1641069343 Frequency: 0	success or wait	1641069322
Performance counter queried	Count: 1641069607 Frequency: 0	success or wait	1641069584
Performance counter queried	Count: 1641070798 Frequency: 0	success or wait	1641070774
Performance counter queried	Count: 1641074013 Frequency: 0	success or wait	1641073988
Performance counter queried	Count: 1641075520 Frequency: 0	success or wait	1641075496
Performance counter queried	Count: 1641075781 Frequency: 0	success or wait	1641075758
Performance counter queried	Count: 1641076617 Frequency: 0	success or wait	1641076593
Performance counter queried	Count: 1641076917 Frequency: 0	success or wait	1641076891
Performance counter queried	Count: 1641084516 Frequency: 0	success or wait	1641084492
Performance counter queried	Count: 1641087615 Frequency: 0	success or wait	1641087589
Performance counter queried	Count: 1641089945 Frequency: 0	success or wait	1641089924
Performance counter queried	Count: 1641090208 Frequency: 0	success or wait	1641090184
Performance counter queried	Count: 1641095578 Frequency: 0	success or wait	1641095556
Performance counter queried	Count: 1641095840 Frequency: 0	success or wait	1641095816
Performance counter queried	Count: 1641096392 Frequency: 0	success or wait	1641096369
Performance counter queried	Count: 1641096653 Frequency: 0	success or wait	1641096630
Performance counter queried	Count: 1641101363 Frequency: 0	success or wait	1641101342
Performance counter queried	Count: 1641101625 Frequency: 0	success or wait	1641101601
Performance counter queried	Count: 1641108020 Frequency: 0	success or wait	1641107997
Performance counter queried	Count: 1641108280 Frequency: 0	success or wait	1641108257
Performance counter queried	Count: 1641113863 Frequency: 0	success or wait	1641113839
Performance counter queried	Count: 1641114124 Frequency: 0	success or wait	1641114100
Performance counter queried	Count: 1641114585 Frequency: 0	success or wait	1641114564
Performance counter queried	Count: 1641114845 Frequency: 0	success or wait	1641114821
Performance counter queried	Count: 1641122927 Frequency: 0	success or wait	1641122900
Performance counter queried	Count: 1641134547 Frequency: 0	success or wait	1641131605
Performance counter queried	Count: 1641140594 Frequency: 0	success or wait	1641140571
Performance counter queried	Count: 1641140859 Frequency: 0	success or wait	1641140834
Performance counter queried	Count: 1641141443 Frequency: 0	success or wait	1641141421
Performance counter queried	Count: 1641141706 Frequency: 0	success or wait	1641141681
Performance counter queried	Count: 1641148090 Frequency: 0	success or wait	1641145545
Performance counter queried	Count: 1641150997 Frequency: 0	success or wait	1641150970
Performance counter queried	Count: 1641153185 Frequency: 0	success or wait	1641153163
Performance counter queried	Count: 1641158449 Frequency: 0	success or wait	1641155875
Performance counter queried	Count: 1641161871 Frequency: 0	success or wait	1641161846
Performance counter queried	Count: 1641162132 Frequency: 0	success or wait	1641162108
Performance counter queried	Count: 1641171392 Frequency: 0	success or wait	1641171371
Performance counter queried	Count: 1641171560 Frequency: 0	success or wait	1641171539
Performance counter queried	Count: 1641180434 Frequency: 0	success or wait	1641180402
Performance counter queried	Count: 1641180809 Frequency: 0	success or wait	1641180785
Performance counter queried	Count: 1641190038 Frequency: 0	success or wait	1641187750
Performance counter queried	Count: 1641193186 Frequency: 0	success or wait	1641193164
Performance counter queried	Count: 1641194249 Frequency: 0	success or wait	1641194225
Performance counter queried	Count: 1641194504 Frequency: 0	success or wait	1641194482
Performance counter queried	Count: 1641199706 Frequency: 0	success or wait	1641197603
Performance counter queried	Count: 1641201946 Frequency: 0	success or wait	1641201921
Performance counter queried	Count: 1641203402 Frequency: 0	success or wait	1641203379
Performance counter queried	Count: 1641207625 Frequency: 0	success or wait	1641205505
Performance counter queried	Count: 1641212490 Frequency: 0	success or wait	1641212465
Performance counter queried	Count: 1641212757 Frequency: 0	success or wait	1641212732
Performance counter queried	Count: 1641216844 Frequency: 0	success or wait	1641214723
Performance counter queried	Count: 1641220333 Frequency: 0	success or wait	1641220307
Performance counter queried	Count: 1641222616 Frequency: 0	success or wait	1641222593
Performance counter queried	Count: 1641225174 Frequency: 0	success or wait	1641222854
Performance counter queried	Count: 1641228386 Frequency: 0	success or wait	1641228363
Performance counter queried	Count: 1641228655 Frequency: 0	success or wait	1641228630
Performance counter queried	Count: 1641233498 Frequency: 0	success or wait	1641233473
Performance counter queried	Count: 1641233767 Frequency: 0	success or wait	1641233742
Performance counter queried	Count: 1641239642 Frequency: 0	success or wait	1641239619
Performance counter queried	Count: 1641239822 Frequency: 0	success or wait	1641239801
Performance counter queried	Count: 1641244586 Frequency: 0	success or wait	1641244560
Performance counter queried	Count: 1641244958 Frequency: 0	success or wait	1641244933
Performance counter queried	Count: 1641245837 Frequency: 0	success or wait	1641245813
Performance counter queried	Count: 1641246110 Frequency: 0	success or wait	1641246086
Performance counter queried	Count: 1641250700 Frequency: 0	success or wait	1641250675
Performance counter queried	Count: 1641250971 Frequency: 0	success or wait	1641250947
Performance counter queried	Count: 1641255742 Frequency: 0	success or wait	1641255716
Performance counter queried	Count: 1641256144 Frequency: 0	success or wait	1641256119
Performance counter queried	Count: 1641259369 Frequency: 0	success or wait	1641257467
Performance counter queried	Count: 1641260917 Frequency: 0	success or wait	1641260896
Performance counter queried	Count: 1641265496 Frequency: 0	success or wait	1641262940
Performance counter queried	Count: 1641266795 Frequency: 0	success or wait	1641266769
Performance counter queried	Count: 1641268356 Frequency: 0	success or wait	1641268300
Performance counter queried	Count: 1641270720 Frequency: 0	success or wait	1641268693
Performance counter queried	Count: 1641273339 Frequency: 0	success or wait	1641273317
Performance counter queried	Count: 1641273511 Frequency: 0	success or wait	1641273490
Performance counter queried	Count: 1641280820 Frequency: 0	success or wait	1641280795
Performance counter queried	Count: 1641280994 Frequency: 0	success or wait	1641280972
Performance counter queried	Count: 1641287118 Frequency: 0	success or wait	1641287095
Performance counter queried	Count: 1641287293 Frequency: 0	success or wait	1641287269
Performance counter queried	Count: 1641293465 Frequency: 0	success or wait	1641293441
Performance counter queried	Count: 1641293822 Frequency: 0	success or wait	1641293799
Process terminated	PID: 1580 Path: C:\bfgbhk.ex.exe	success or wait	1648889554
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize Access: query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1649050332
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize Name: DisableMetaFiles	object name not found	1649050716
Process terminated	PID: 1580 Path: C:\bfgbhk.ex.exe	success or wait	1649065732

Analysis File: cmd.exe PID: 1512 Parent PID: 1580 Run ID: 0

Sections

General
Start time:	23:47:54
Start date:	02/08/2010
Path:	C:\WINDOWS\system32\cmd.exe
Commandline:	C:\WINDOWS\system32\cmd.exe /c explorer C:\
File size:	389120 bytes
MD5 hash:	6D778E0F95447E6546553EEEA709D03C

File Activities:

File opened
Reputation	File Path	Access	Options	Completion	Count
20685	C:\WINDOWS\AppPatch\sysmain.sdb	read attributes and synchronize and generic read	synchronous io non alert and non directory file	success or wait	2
2394	C:\WINDOWS\AppPatch\systest.sdb	read attributes and synchronize and generic read	synchronous io non alert and non directory file	object name not found	2
1712	C:\WINDOWS\AppPatch\AcGenral.DLL	read attributes and synchronize and generic read	synchronous io non alert and non directory file	success or wait	1
1343	C:\WINDOWS\WindowsShell.Manifest	read attributes and synchronize and generic read	synchronous io non alert and non directory file	success or wait	1
320	C:\WINDOWS\explorer.exe	read attributes and synchronize and generic read	synchronous io non alert and non directory file	success or wait	1
320	C:\WINDOWS\explorer.exe	read attributes and synchronize and generic read	synchronous io non alert and non directory file	success or wait	1

File created
Reputation	File Path	Access	Attributes	Options	Completion	Count

File overwritten
Reputation	File Path	Access	Options	Completion	Count
34933	\Device\NamedPipe\ShimViewer	write data or add file and append data or add subdirectory or create pipe instance and write ea and write attributes and read control and synchronize	no options	object name not found	4
2276	\Device\KsecDD	read data or list directory and synchronize	synchronous io alert	success or wait	1
1796	C:\WINDOWS\system32\SHELL32.dll.124.Manifest	read data or list directory and read ea and execute or traverse and read attributes and read control and synchronize	synchronous io non alert and non directory file	object name not found	1
1663	C:\WINDOWS\system32\comctl32.dll.124.Manifest	read data or list directory and read ea and execute or traverse and read attributes and read control and synchronize	synchronous io non alert and non directory file	object name not found	1

File deleted
Reputation	File Path	Completion	Count

File renamed
Reputation	Old File Path	New File Path	Completion	Count

File written
Reputation	File Path	Completion	Count

Other file operations
Reputation	File Path	Disposition	Data	Completion	Count

Section Activities:

Section opened
Reputation	File Path	Access	Base	Entrypoint	Size	Mapped to pid	Completion	Count
40475	\KnownDlls\kernel32.dll	map write and map read and map execute	7C800000	7C80B64E	F6000	own pid	success or wait	1
412	\NLS\NlsSectionUnicode	map read	00270000	not known	15DF4	own pid	success or wait	1
407	\NLS\NlsSectionLocale	map read	00290000	not known	40EDC	own pid	success or wait	1
422	\NLS\NlsSectionSortkey	query and map read	002E0000	not known	40004	own pid	success or wait	1
399	\NLS\NlsSectionSortTbls	map read	00330000	not known	5A04	own pid	success or wait	1
82482	\NLS\NlsSectionSortkey00000409	map read	not known	not known	not known	own pid	object name not found	2
14883	\KnownDlls\msvcrt.dll	map write and map read and map execute	77C10000	77C1F2A1	58000	own pid	success or wait	1
33945	\KnownDlls\USER32.dll	map write and map read and map execute	7E410000	7E41B217	91000	own pid	success or wait	1
37497	\KnownDlls\GDI32.dll	map write and map read and map execute	77F10000	77F16587	49000	own pid	success or wait	1
11494	\KnownDlls\ShimEng.dll	map write and map read and map execute	not known	not known	not known	own pid	object name not found	1
35518	\KnownDlls\ADVAPI32.dll	map write and map read and map execute	77DD0000	77DD710B	9B000	own pid	success or wait	1
40913	\KnownDlls\RPCRT4.dll	map write and map read and map execute	77E70000	77E7628F	92000	own pid	success or wait	1
40856	\KnownDlls\Secur32.dll	map write and map read and map execute	77FE0000	77FE2146	11000	own pid	success or wait	1
18656	\KnownDlls\WINMM.dll	map write and map read and map execute	not known	not known	not known	own pid	object name not found	1
4087	\KnownDlls\ole32.dll	map write and map read and map execute	774E0000	774FD0B9	13D000	own pid	success or wait	1
3896	\KnownDlls\OLEAUT32.dll	map write and map read and map execute	77120000	77121560	8B000	own pid	success or wait	1
5940	\KnownDlls\MSACM32.dll	map write and map read and map execute	not known	not known	not known	own pid	object name not found	1
25391	\KnownDlls\VERSION.dll	map write and map read and map execute	77C00000	77C01135	8000	own pid	success or wait	1
25613	\KnownDlls\SHELL32.dll	map write and map read and map execute	7C9C0000	7C9E74E6	817000	own pid	success or wait	1
18615	\KnownDlls\SHLWAPI.dll	map write and map read and map execute	77F60000	77F651FB	76000	own pid	success or wait	1
18938	\KnownDlls\USERENV.dll	map write and map read and map execute	769C0000	769C15E4	B4000	own pid	success or wait	1
2257	\KnownDlls\UxTheme.dll	map write and map read and map execute	not known	not known	not known	own pid	object name not found	1
154	\NLS\NlsSectionCType	map read	00490000	not known	20C2	own pid	success or wait	1
3188	\KnownDlls\comctl32.dll	map write and map read and map execute	5D090000	5D0934BA	9A000	own pid	success or wait	1
23	\BaseNamedObjects\ShimSharedMemory	map write	00980000	not known	E000	own pid	success or wait	1

Section created
Reputation	File Path	Access	Attributes	Base	Entrypoint	Size	Protection	Mapped to pid	Completion	Count
2466	not known	query and map write and map read and map execute and extend size	reserve	not known	not known	10000	read write	own pid	success or wait	1
423	C:\WINDOWS\system32\shimeng.dll	query and map write and map read and map execute	image	5CB70000	5CB78E55	26000	execute	own pid	success or wait	1
196	C:\WINDOWS\AppPatch\sysmain.sdb	map read	commit	00340000	not known	125ED2	readonly	own pid	success or wait	2
310	C:\WINDOWS\AppPatch\acgenral.dll	map write and map read and map execute	commit	00480000	not known	1C4600	execute	own pid	success or wait	2
11424	C:\WINDOWS\AppPatch\acgenral.dll	query and map write and map read and map execute	image	6F880000	6F8A606E	1CA000	execute	own pid	success or wait	1
20195	C:\WINDOWS\system32\winmm.dll	query and map write and map read and map execute	image	76B40000	76B42B61	2D000	execute	own pid	success or wait	1
11615	C:\WINDOWS\system32\msacm32.dll	query and map write and map read and map execute	image	77BE0000	77BE1292	15000	execute	own pid	success or wait	1
9375	C:\WINDOWS\system32\uxtheme.dll	query and map write and map read and map execute	image	5AD70000	5AD71626	38000	execute	own pid	success or wait	1
482	C:\WINDOWS\system32\imm32.dll	map write and map read and map execute	commit	00410000	not known	1AE00	execute	own pid	success or wait	2
39628	C:\WINDOWS\system32\imm32.dll	query and map write and map read and map execute	image	76390000	763912C0	1D000	execute	own pid	success or wait	1
161	C:\WINDOWS\system32\shell32.dll	map read	commit	00970000	not known	811C00	readonly	own pid	success or wait	1
161	C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll	map write and map read and map execute	commit	00970000	not known	101600	execute	own pid	success or wait	1
33522	C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll	query and map write and map read and map execute	image	773D0000	773D4256	103000	execute	own pid	success or wait	1
128	C:\WINDOWS\WindowsShell.Manifest	map write and map read and map execute	commit	00440000	not known	2ED	execute	own pid	success or wait	1
128	C:\WINDOWS\WindowsShell.Manifest	query and map read	commit	00440000	not known	2ED	readonly	own pid	success or wait	1
130	C:\WINDOWS\WindowsShell.Manifest	map read	commit	00440000	not known	2ED	readonly	own pid	success or wait	1
148	C:\WINDOWS\system32\comctl32.dll	map read	commit	00970000	not known	96C00	readonly	own pid	success or wait	1
216	C:\WINDOWS\explorer.exe	query and map write and map read and map execute and extend size	image	not known	101A55F	FF000	execute	own pid	success or wait	1
25	C:\WINDOWS\system32\apphelp.dll	map write and map read and map execute	commit	00990000	not known	1EC00	execute	own pid	success or wait	1
1734	C:\WINDOWS\system32\apphelp.dll	query and map write and map read and map execute	image	77B40000	77B41C09	22000	execute	own pid	success or wait	1
0	C:\WINDOWS\explorer.exe	map write and map read and map execute	commit	00AC0000	not known	FC600	execute	own pid	success or wait	2
0	C:\WINDOWS\explorer.exe	query and map read	commit	00AC0000	not known	FC600	readonly	own pid	success or wait	2
0	C:\WINDOWS\explorer.exe	query and map read	commit	00990000	not known	FC600	readonly	own pid	success or wait	1

Registry Activities:

Key opened
Reputation	Key Path	Access	Completion	Count
11176	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe	generic read	object name not found	2
91200	HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server	query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1
96399	HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot\Option	query value and set value and read or execute and write	object name not found	3
26786	HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers	query value and read or execute	success or wait	5
39584	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers	query value and read or execute	object name not found	1
30384	HKEY_LOCAL_MACHINE\System\WPA\TabletPC	query value and wow64 64key and wow64 resource and read or execute	object name not found	2
30378	HKEY_LOCAL_MACHINE\SYSTEM\WPA\MediaCenter	query value and wow64 64key and wow64 resource and read or execute	success or wait	2
11467	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AcGenral.DLL	generic read	object name not found	1
20955	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ntdll.dll	generic read	object name not found	1
39992	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kernel32.dll	generic read	object name not found	1
4417	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msvcrt.dll	generic read	object name not found	1
39197	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GDI32.dll	generic read	object name not found	1
33679	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\USER32.dll	generic read	object name not found	1
11435	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ShimEng.dll	generic read	object name not found	1
6164	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Secur32.dll	generic read	object name not found	1
40564	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RPCRT4.dll	generic read	object name not found	1
707	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ADVAPI32.dll	generic read	object name not found	1
2621	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WINMM.dll	generic read	object name not found	1
14067	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ole32.dll	generic read	object name not found	1
3843	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\OLEAUT32.dll	generic read	object name not found	1
11460	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSACM32.dll	generic read	object name not found	1
25266	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\VERSION.dll	generic read	object name not found	1
33789	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SHLWAPI.dll	generic read	object name not found	1
25673	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SHELL32.dll	generic read	object name not found	1
18911	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\USERENV.dll	generic read	object name not found	1
16171	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UxTheme.dll	generic read	object name not found	1
71638	HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager	query value and read or execute	success or wait	1
39518	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IMM32.DLL	generic read	object name not found	1
52210	HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Error Message Instrument\	query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1
81554	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize	query value and enumerate sub key and notify and read or execute and write and read control	success or wait	2
24208	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows	query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1
51069	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon	query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1
77159	HKEY_LOCAL_MACHINE	maximum allowed	success or wait	1
5318	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Diagnostics	query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1
20677	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\DRIVERS32	generic read	success or wait	1
20174	HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\MediaProperties\PrivateProperties\Joystick\Winmm	query value and set value and create sub key and enumerate sub key and notify and create link and read or execute and write and delete and read control and write dac and write owner	success or wait	1
43104	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager	query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1
45275	HKEY_LOCAL_MACHINE\Software\Microsoft\Ole	query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1
18722	HKEY_LOCAL_MACHINE\Software\Classes\Interface	query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1
4967	HKEY_LOCAL_MACHINE\Software\Classes\Interface\{00020400-0000-0000-C000-000000000046}	query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1
86612	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLEAUT	query value and read or execute	object name not found	2
42185	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLEAUT\UserEra	query value and enumerate sub key and read or execute	object name not found	1
10969	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003	maximum allowed	success or wait	4
43869	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Drivers32	generic read	success or wait	1
5960	HKEY_LOCAL_MACHINE\Software\Microsoft\AudioCompressionManager\DriverCache	maximum allowed	success or wait	10
1829	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.imaadpcm	maximum allowed	success or wait	1
1830	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msadpcm	maximum allowed	success or wait	1
11576	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msg711	maximum allowed	success or wait	1
11596	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msgsm610	maximum allowed	success or wait	1
11599	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.trspch	maximum allowed	success or wait	1
11546	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msg723	maximum allowed	success or wait	1
11542	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msaudio1	maximum allowed	success or wait	1
9239	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.sl_anet	maximum allowed	success or wait	1
1867	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.iac2	maximum allowed	success or wait	1
11544	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.l3acm	maximum allowed	success or wait	1
11581	HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\MediaResources\acm	query value and enumerate sub key and read or execute	object name not found	1
36549	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Performance	maximum allowed	object name not found	1
35640	HKEY_LOCAL_MACHINE\SYSTEM\Setup	query value and read or execute	success or wait	1
153794	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots	enumerate sub key and read or execute	object name not found	1
55462	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\comctl32.dll	generic read	object name not found	2
167058	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003	query value and enumerate sub key and notify and read or execute and write and read control	success or wait	5
59427	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Control Panel\Desktop	query value and enumerate sub key and notify and read or execute and write and read control	success or wait	2
32768	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\software\Microsoft\Windows\CurrentVersion\Explorer\Advanced	query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1
33471	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\LanguagePack	query value and read or execute	success or wait	1
13835	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\winlogon	maximum allowed	success or wait	5
20258	HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\ProductOptions	query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1
23213	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders	query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1
40321	HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System	maximum allowed	success or wait	2
5159	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003	query value and set value and create sub key and enumerate sub key and notify and read or execute and write and read control	success or wait	1
17546	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\ThemeManager	query value and read or execute	success or wait	1
18065	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Control Panel\Desktop	query value and read or execute	success or wait	1
3690	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Policies\Microsoft\Windows\System	query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1
3871	HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	maximum allowed	success or wait	1
3690	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Command Processor	maximum allowed	success or wait	1
1350	HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale	query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1
13402	HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale\Alternate Sorts	query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1
13416	HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Language Groups	query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1
8628	HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\AppCertDlls	query value and read or execute	object name not found	1
20542	HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\AppCompatibility	query value and read or execute	success or wait	1
9874	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Apphelp.dll	generic read	object name not found	1
2937	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers	wow64 64key and wow64 resource and generic read	object name not found	1
14941	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers	wow64 64key and wow64 resource and generic read	object name not found	1
249	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\explorer.exe	wow64 64key and wow64 resource and generic read	object name not found	1
1660	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags	wow64 64key and wow64 resource and generic read	object name not found	2
10141	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags	wow64 64key and wow64 resource and generic read	object name not found	2
17347	HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\LevelObjects	query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1
1844	HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths	query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1
17103	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{dda3f824-d8cb-441b-834d-be2efd2c1a33}	query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1
3362	HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes	query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1
1840	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328}	query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1
1901	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}	query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1
17108	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}	query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1
1840	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d}	query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1
2593	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}	query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1
4216	HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\UrlZones	query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1
14565	HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Paths	query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1
2637	HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Hashes	query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1
17320	HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\UrlZones	query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1
17349	HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Paths	query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1
17342	HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Hashes	query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1
17358	HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\UrlZones	query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1
17299	HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Paths	query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1
1862	HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Hashes	query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1
17306	HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\UrlZones	query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1
8514	HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths	query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1
1848	HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Hashes	query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1
17317	HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\UrlZones	query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1
17121	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths	query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1
1845	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes	query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1
17112	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\UrlZones	query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1
1765	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Paths	query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1
13111	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Hashes	query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1
1754	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\UrlZones	query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1
17105	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Paths	query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1
17073	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Hashes	query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1
17100	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\UrlZones	query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1
1844	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Paths	query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1
1828	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Hashes	query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1
17104	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\UrlZones	query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1
1829	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths	query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1
17134	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Hashes	query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1
17069	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\UrlZones	query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1
2738	HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers	query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1
17089	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers	query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1
11150	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders	query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1
420	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe	generic read	object name not found	1

Key created
Reputation	Key Path	Access	Options	Completion	Count
8296	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Multimedia\Audio	query value and set value and create sub key and read or execute and write and read control	non volatile	success or wait	1
22069	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Multimedia\Audio Compression Manager\	set value and create sub key and read or execute and write and read control	non volatile	success or wait	2
11033	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Multimedia\Audio Compression Manager\MSACM	query value and set value and create sub key and enumerate sub key and notify and read or execute and write and read control	non volatile	success or wait	1
11053	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Multimedia\Audio Compression Manager\Priority v4.00	query value and set value and create sub key and enumerate sub key and notify and read or execute and write and read control	non volatile	success or wait	1

Key deleted
Reputation	Key Path	Completion	Count

Key value deleted
Reputation	Key Path	Key Value Name	Completion	Count

Key value set
Reputation	Key Path	Name	Type	Data	Completion	Count

Key value replaced with new
Reputation	Key Path	Name	Type	Old Data	New Data	Completion	Count

Key value replaced with same
Reputation	Key Path	Name	Type	Data	Completion	Count

Key value queried
Reputation	Key Path	Name	Completion	Count
83709	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Terminal Server	TSAppCompat	success or wait	1
59209	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers	TransparentEnabled	success or wait	1
30305	HKEY_LOCAL_MACHINE\SYSTEM\WPA\MediaCenter	Installed	success or wait	1
54359	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager	SafeDllSearchMode	object name not found	1
553	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize	DisableMetaFiles	object name not found	1
39787	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows	AppInit_DLLs	success or wait	1
51204	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon	LeakTrack	object name not found	1
41537	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	wave	success or wait	1
41537	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	wave	success or wait	1
2812	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	wave1	object name not found	1
21255	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	wave2	object name not found	1
21240	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	wave3	object name not found	1
4270	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	wave4	object name not found	1
21261	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	wave5	object name not found	1
21209	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	wave6	object name not found	1
21218	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	wave7	object name not found	1
21223	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	wave8	object name not found	1
21210	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	wave9	object name not found	1
40478	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	midi	success or wait	1
40478	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	midi	success or wait	1
17523	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	midi1	object name not found	1
2725	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	midi2	object name not found	1
20470	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	midi3	object name not found	1
20480	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	midi4	object name not found	1
20484	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	midi5	object name not found	1
20477	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	midi6	object name not found	1
11356	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	midi7	object name not found	1
2722	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	midi8	object name not found	1
20444	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	midi9	object name not found	1
40474	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	aux	success or wait	1
40474	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	aux	success or wait	1
20271	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	aux1	object name not found	1
176	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	aux2	object name not found	1
2713	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	aux3	object name not found	1
4096	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	aux4	object name not found	1
20244	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	aux5	object name not found	1
20249	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	aux6	object name not found	1
2712	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	aux7	object name not found	1
20233	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	aux8	object name not found	1
20196	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	aux9	object name not found	1
20238	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\MediaProperties\PrivateProperties\Joystick\Winmm	wheel	success or wait	1
40583	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	mixer	success or wait	1
40583	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	mixer	success or wait	1
20237	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	mixer1	object name not found	1
2715	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	mixer2	object name not found	1
15856	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	mixer3	object name not found	1
2722	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	mixer4	object name not found	1
20235	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	mixer5	object name not found	1
20266	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	mixer6	object name not found	1
20222	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	mixer7	object name not found	1
20246	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	mixer8	object name not found	1
20283	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	mixer9	object name not found	1
43256	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager	CriticalSectionTimeout	success or wait	1
18328	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole	RWLockResourceTimeOut	object name not found	1
43293	HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface	InterfaceHelperDisableAll	object name not found	1
43246	HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface	InterfaceHelperDisableAllForOle32	object name not found	1
13463	HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface	InterfaceHelperDisableTypeLib	object name not found	1
26538	HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{00020400-0000-0000-C000-000000000046}	InterfaceHelperDisableAll	object name not found	1
43272	HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{00020400-0000-0000-C000-000000000046}	InterfaceHelperDisableAllForOle32	object name not found	1
11070	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Multimedia\Audio	SystemFormats	success or wait	1
1828	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	msacm.imaadpcm	buffer overflow	1
9693	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	msacm.imaadpcm	success or wait	1
1815	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.imaadpcm	fdwSupport	success or wait	1
1830	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.imaadpcm	cFormatTags	success or wait	1
11623	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.imaadpcm	aFormatTagCache	success or wait	1
2354	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.imaadpcm	cFilterTags	success or wait	1
1843	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	msacm.msadpcm	buffer overflow	1
11617	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	msacm.msadpcm	success or wait	1
6818	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msadpcm	fdwSupport	success or wait	1
11611	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msadpcm	cFormatTags	success or wait	1
11644	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msadpcm	aFormatTagCache	success or wait	1
1833	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msadpcm	cFilterTags	success or wait	1
11641	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	msacm.msg711	buffer overflow	1
9345	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	msacm.msg711	success or wait	1
11660	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msg711	fdwSupport	success or wait	1
2220	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msg711	cFormatTags	success or wait	1
11563	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msg711	aFormatTagCache	success or wait	1
11632	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msg711	cFilterTags	success or wait	1
11617	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	msacm.msgsm610	buffer overflow	1
6585	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	msacm.msgsm610	success or wait	1
1829	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msgsm610	fdwSupport	success or wait	1
11660	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msgsm610	cFormatTags	success or wait	1
2201	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msgsm610	aFormatTagCache	success or wait	1
1828	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msgsm610	cFilterTags	success or wait	1
8029	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	msacm.trspch	buffer overflow	1
11634	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	msacm.trspch	success or wait	1
11655	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.trspch	fdwSupport	success or wait	1
9143	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.trspch	cFormatTags	success or wait	1
10608	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.trspch	aFormatTagCache	success or wait	1
11630	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.trspch	cFilterTags	success or wait	1
11605	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	msacm.msg723	buffer overflow	1
1829	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	msacm.msg723	success or wait	1
1603	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msg723	fdwSupport	success or wait	1
11623	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msg723	cFormatTags	success or wait	1
11626	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msg723	aFormatTagCache	success or wait	1
11649	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msg723	cFilterTags	success or wait	1
11654	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	msacm.msaudio1	buffer overflow	1
11614	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	msacm.msaudio1	success or wait	1
11624	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msaudio1	fdwSupport	success or wait	1
1830	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msaudio1	cFormatTags	success or wait	1
8917	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msaudio1	aFormatTagCache	success or wait	1
11642	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msaudio1	cFilterTags	success or wait	1
1813	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	msacm.sl_anet	buffer overflow	1
11604	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	msacm.sl_anet	success or wait	1
5540	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.sl_anet	fdwSupport	success or wait	1
11618	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.sl_anet	cFormatTags	success or wait	1
1828	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.sl_anet	aFormatTagCache	success or wait	1
596	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.sl_anet	cFilterTags	success or wait	1
11637	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	msacm.iac2	buffer overflow	1
11635	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	msacm.iac2	success or wait	1
11584	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.iac2	fdwSupport	success or wait	1
11587	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.iac2	cFormatTags	success or wait	1
11639	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.iac2	aFormatTagCache	success or wait	1
11596	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.iac2	cFilterTags	success or wait	1
11608	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	msacm.l3acm	buffer overflow	1
11593	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	msacm.l3acm	success or wait	1
11595	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.l3acm	fdwSupport	success or wait	1
11635	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.l3acm	cFormatTags	success or wait	1
1840	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.l3acm	aFormatTagCache	success or wait	1
1833	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.l3acm	cFilterTags	success or wait	1
11019	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Multimedia\Audio Compression Manager\MSACM	NoPCMConverter	object name not found	1
11049	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Multimedia\Audio Compression Manager\Priority v4.00	Priority1	object name not found	1
110591	HKEY_LOCAL_MACHINE\SYSTEM\Setup	SystemSetupInProgress	success or wait	1
60053	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Control Panel\Desktop	SmoothScroll	object name not found	1
27240	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced	EnableBalloonTips	object name not found	1
60053	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Control Panel\Desktop	SmoothScroll	object name not found	1
60778	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon	UserEnvDebugLevel	object name not found	1
20236	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon	ChkAccDebugLevel	object name not found	1
21395	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ProductOptions	ProductType	success or wait	1
24760	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders	Personal	success or wait	1
19612	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders	Local Settings	success or wait	1
14577	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon	RsopDebugLevel	object name not found	1
60778	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon	UserEnvDebugLevel	object name not found	1
2754	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon	RsopLogging	object name not found	1
40492	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System	UserEnvDebugLevel	object name not found	1
8125	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System	RsopLogging	object name not found	1
60778	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon	UserEnvDebugLevel	object name not found	1
40492	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System	UserEnvDebugLevel	object name not found	1
17643	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\ThemeManager	Compositing	object name not found	1
17652	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Control Panel\Desktop	LameButtonText	object name not found	1
4004	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor	DisableUNCCheck	object name not found	1
3998	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor	EnableExtensions	success or wait	1
4006	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor	DelayedExpansion	object name not found	1
4018	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor	DefaultColor	success or wait	1
4011	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor	CompletionChar	success or wait	1
4021	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor	PathCompletionChar	success or wait	1
407	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor	AutoRun	success or wait	1
415	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Command Processor	DisableUNCCheck	object name not found	1
3189	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Command Processor	EnableExtensions	success or wait	1
3694	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Command Processor	DelayedExpansion	object name not found	1
3696	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Command Processor	DefaultColor	success or wait	1
3694	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Command Processor	CompletionChar	success or wait	1
3680	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Command Processor	PathCompletionChar	object name not found	1
3700	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Command Processor	AutoRun	object name not found	1
17039	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale	00000409	success or wait	1
13112	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups	1	success or wait	1
20635	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\AppCompatibility	DisableAppCompat	object name not found	1
30305	HKEY_LOCAL_MACHINE\SYSTEM\WPA\MediaCenter	Installed	success or wait	1
59209	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers	TransparentEnabled	success or wait	1
1636	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers	AuthenticodeEnabled	success or wait	1
17163	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers	Levels	object name not found	1
17125	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{dda3f824-d8cb-441b-834d-be2efd2c1a33}	ItemData	success or wait	1
17170	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{dda3f824-d8cb-441b-834d-be2efd2c1a33}	SaferFlags	success or wait	1
17173	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328}	ItemData	success or wait	1
17187	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328}	HashAlg	success or wait	1
1836	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328}	ItemSize	success or wait	1
6713	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328}	SaferFlags	success or wait	1
17132	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}	ItemData	success or wait	1
17177	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}	HashAlg	success or wait	1
17158	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}	ItemSize	success or wait	1
17151	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}	SaferFlags	success or wait	1
17177	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}	ItemData	success or wait	1
17160	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}	HashAlg	success or wait	1
9133	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}	ItemSize	success or wait	1
17158	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}	SaferFlags	success or wait	1
17186	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d}	ItemData	success or wait	1
13416	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d}	HashAlg	success or wait	1
8727	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d}	ItemSize	success or wait	1
17123	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d}	SaferFlags	success or wait	1
17163	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}	ItemData	success or wait	1
17158	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}	HashAlg	success or wait	1
17192	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}	ItemSize	success or wait	1
17142	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}	SaferFlags	success or wait	1
17147	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers	DefaultLevel	success or wait	1
9120	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers	PolicyScope	success or wait	1
4605	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders	Cache	buffer overflow	1
9255	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders	Cache	success or wait	1
27376	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers	LogFileName	object name not found	1
553	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize	DisableMetaFiles	object name not found	1

Mutant Activities:

Mutant opened
Reputation	Name	Completion	Count

Mutant created
Reputation	Name	Completion	Count
11504	\BaseNamedObjects\SHIMLIB_LOG_MUTEX	object name exists	1

Mutant released
Reputation	Name	Completion	Count

Process Activities:

Process started
Reputation	PID	Filepath	Cmdline	Flags	Completion	Count
24	1592	C:\WINDOWS\explorer.exe	explorer C:\	suspended	success or wait	1

Process opened
Reputation	PID	Access	Filepath	Cmdline	Completion	Count
24	1512	query information	C:\WINDOWS\system32\cmd.exe	C:\WINDOWS\system32\cmd.exe /c explorer C:\	success or wait	1

Process suspended
Reputation	PID	Filepath	Cmdline	Completion	Count

Process terminated
Reputation	PID	Filepath	Completion	Count
5386	1512	C:\WINDOWS\system32\cmd.exe	success or wait	1
5386	1512	C:\WINDOWS\system32\cmd.exe	success or wait	1

Thread Activities:

Thread opened
Reputation	TID	PID	Filepath	Access	Completion	Count

Thread created
Reputation	TID	PID	EIP	Filepath	Access	Completion	Count
140	788	1592	7C810705	C:\WINDOWS\explorer.exe	terminate and suspend resume and alert and get context and set context and set information and query information and set token and impersonate and direct impersonation	success or wait	1

Thread APC queued
Reputation	TID	PID	Path	Completion	Count

Thread context set
Reputation	TID	PID	DR0	DR1	DR2	DR3	DR7	EFLAGS	EIP	Completion	Count

Thread continue
Reputation	TID	DR0	DR1	DR2	DR3	DR7	EFLAGS	EIP	Completion	Count
29735	2044	0	0	0	0	0	200	7C810705	no status	1

Thread context got
Reputation	TID	PID	DR0	DR1	DR2	DR3	DR7	EFLAGS	EIP	Completion	Count

Thread delayed
Reputation	TID	Delay	Completion	Count

Thread terminated
Reputation	TID	PID	Completion	Count

Memory Activities:

Memory read
Reputation	PID	Path	Base	Completion	Count
26	1592	C:\WINDOWS\explorer.exe	7FFD9008	success or wait	1
352	1592	C:\WINDOWS\explorer.exe	01000000	success or wait	1
350	1592	C:\WINDOWS\explorer.exe	01048000	success or wait	1
351	1592	C:\WINDOWS\explorer.exe	01048718	success or wait	1

Memory written
Reputation	PID	Filepath	Base	Completion	Count
2	1592	C:\WINDOWS\explorer.exe	00010000	success or wait	1
0	1592	C:\WINDOWS\explorer.exe	00020000	success or wait	1
25	1592	C:\WINDOWS\explorer.exe	7FFD9010	success or wait	1
356	1592	C:\WINDOWS\explorer.exe	00030000	success or wait	1
25	1592	C:\WINDOWS\explorer.exe	7FFD91E8	success or wait	1

Driver Activities:

Driver loaded
Reputation	Service name path	Completion	Count

Driver unloaded
Reputation	Service name path	Completion	Count

System Activities:

System information set
Reputation	System info class	Data	Completion	Count

System information queried
Reputation	System info class	Completion	Count
1881168	BasicInformation	success or wait	8
47532	RangeStartInformation	success or wait	1
1881168	BasicInformation	success or wait	1
41192	ProcessorInformation	success or wait	6
1881168	BasicInformation	success or wait	1
1881168	BasicInformation	success or wait	1
1881168	BasicInformation	success or wait	1
1881168	BasicInformation	success or wait	1
1881168	BasicInformation	success or wait	2
25123	WatchdogTimerHandler	success or wait	1

Time Activities:

Performance counter queried
Reputation	Count	Frequency	Completion	Count
1585156	1595719031	3579545	success or wait	1
1585156	1596065527	3579545	success or wait	1

System resolution queried
Reputation	Minimum resolution	Maximum resolution	Current resolution	Completion	Count
3300	5622782205462320	5576704752533645104	430115204990768	success or wait	1

System time queried
Reputation	Time	Completion	Count

User Activities:

Window created
Reputation	Window name	Class name	Completion	Count

Window found
Reputation	Window name	Class name	Completion	Count

Window hook set
Reputation	Module	Thread id	Hook code	Completion	Count

Key async got
Reputation	Virtual key code	Key state	Count

Keyboard state got
Reputation	Completion	Count

Key state got
Reputation	Virtual key code	State	Count

Debug Activities:

System debug info set
Reputation	Debug info class	Input data	Output data	Completion	Count

Exception Activities:

Exception raised
Reputation	Exception code	Address	Completion	Count

Chronological sections
Operation	Data	Completion	Time
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe Access: generic read	object name not found	1595495525
System info queried	Type: BasicInformation	success or wait	1595496945
System info queried	Type: BasicInformation	success or wait	1595611717
Section opened	Access: map write and map read and map execute Baseaddress: 7C800000 Size: F6000 Mapped to pid: own pid Path: \KnownDlls\kernel32.dll	success or wait	1595661359
System info queried	Type: RangeStartInformation	success or wait	1595665316
System info queried	Type: BasicInformation	success or wait	1595665437
Section created	Access: query and map write and map read and map execute and extend size Protection: read write Attributes: reserve Path: not known Type: reserve Baseaddress: not known Entrypoint: not known Mapped to pid: own pid Size: 10000	success or wait	1595665701
System info queried	Type: BasicInformation	success or wait	1595670347
Key opened	Path: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server Access: query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1595672479
Key value queried	Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Terminal Server Name: TSAppCompat	success or wait	1595672861
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe Access: generic read	object name not found	1595673723
Section opened	Access: map read Baseaddress: 00270000 Size: 15DF4 Mapped to pid: own pid Path: \NLS\NlsSectionUnicode	success or wait	1595673953
Section opened	Access: map read Baseaddress: 00290000 Size: 40EDC Mapped to pid: own pid Path: \NLS\NlsSectionLocale	success or wait	1595675282
Section opened	Access: query and map read Baseaddress: 002E0000 Size: 40004 Mapped to pid: own pid Path: \NLS\NlsSectionSortkey	success or wait	1595675933
Section opened	Access: map read Baseaddress: 00330000 Size: 5A04 Mapped to pid: own pid Path: \NLS\NlsSectionSortTbls	success or wait	1595676598
Section opened	Access: map read Baseaddress: not known Size: not known Mapped to pid: own pid Path: \NLS\NlsSectionSortkey00000409	object name not found	1595677960
Section opened	Access: map read Baseaddress: not known Size: not known Mapped to pid: own pid Path: \NLS\NlsSectionSortkey00000409	object name not found	1595678171
Section opened	Access: map write and map read and map execute Baseaddress: 77C10000 Size: 58000 Mapped to pid: own pid Path: \KnownDlls\msvcrt.dll	success or wait	1595702272
Section opened	Access: map write and map read and map execute Baseaddress: 7E410000 Size: 91000 Mapped to pid: own pid Path: \KnownDlls\USER32.dll	success or wait	1595705414
Section opened	Access: map write and map read and map execute Baseaddress: 77F10000 Size: 49000 Mapped to pid: own pid Path: \KnownDlls\GDI32.dll	success or wait	1595706417
Section opened	Access: map write and map read and map execute Baseaddress: not known Size: not known Mapped to pid: own pid Path: \KnownDlls\ShimEng.dll	object name not found	1595712892
Section created	Access: query and map write and map read and map execute Protection: execute Attributes: image Path: not known Type: image Baseaddress: 5CB70000 Entrypoint: 5CB78E55 Mapped to pid: own pid Size: 26000	success or wait	1595714133
Key opened	Path: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot\Option Access: query value and set value and read or execute and write	object name not found	1595714875
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Access: query value and read or execute	success or wait	1595715131
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers Name: TransparentEnabled	success or wait	1595715485
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Access: query value and read or execute	object name not found	1595716468
Performance counter queried	Count: 1595719031 Frequency: 3579545	success or wait	1595719009
File opened	Path: C:\WINDOWS\AppPatch\sysmain.sdb Access: read attributes and synchronize and generic read Disposition: open Options: synchronous io non alert and non directory file Attributes: normal	success or wait	1595719984
Section created	Access: map read Protection: readonly Attributes: commit Path: not known Type: commit Baseaddress: 00340000 Entrypoint: not known Mapped to pid: own pid Size: 125ED2	success or wait	1595720498
File other operation	Operation: 00000018 Path: C:\WINDOWS\AppPatch\systest.sdb Access: read attributes and synchronize and generic read Disposition: open Options: synchronous io non alert and non directory file Attributes: normal	object name not found	1595721528
System info queried	Type: ProcessorInformation	success or wait	1595721836
Key opened	Path: HKEY_LOCAL_MACHINE\System\WPA\TabletPC Access: query value and wow64 64key and wow64 resource and read or execute	object name not found	1595722215
Key opened	Path: HKEY_LOCAL_MACHINE\SYSTEM\WPA\MediaCenter Access: query value and wow64 64key and wow64 resource and read or execute	success or wait	1595722415
Key value queried	Path: HKEY_LOCAL_MACHINE\SYSTEM\WPA\MediaCenter Name: Installed	success or wait	1595722653
File overwritten	Path: \Device\NamedPipe\ShimViewer Access: write data or add file and append data or add subdirectory or create pipe instance and write ea and write attributes and read control and synchronize Disposition: open Options: no options Attributes: normal	object name not found	1595723217
System info queried	Type: BasicInformation	success or wait	1595723843
File overwritten	Path: \Device\NamedPipe\ShimViewer Access: write data or add file and append data or add subdirectory or create pipe instance and write ea and write attributes and read control and synchronize Disposition: open Options: no options Attributes: normal	object name not found	1595724884
File opened	Path: C:\WINDOWS\AppPatch\AcGenral.DLL Access: read attributes and synchronize and generic read Disposition: open Options: synchronous io non alert and non directory file Attributes: normal	success or wait	1595727510
Section created	Access: map write and map read and map execute Protection: execute Attributes: commit Path: not known Type: commit Baseaddress: 00480000 Entrypoint: not known Mapped to pid: own pid Size: 1C4600	success or wait	1595728532
Section created	Access: map write and map read and map execute Protection: execute Attributes: commit Path: not known Type: commit Baseaddress: 00480000 Entrypoint: not known Mapped to pid: own pid Size: 1C4600	success or wait	1595730169
Section created	Access: query and map write and map read and map execute Protection: execute Attributes: image Path: not known Type: image Baseaddress: 6F880000 Entrypoint: 6F8A606E Mapped to pid: own pid Size: 1CA000	success or wait	1595731713
Section opened	Access: map write and map read and map execute Baseaddress: 77DD0000 Size: 9B000 Mapped to pid: own pid Path: \KnownDlls\ADVAPI32.dll	success or wait	1595735561
Section opened	Access: map write and map read and map execute Baseaddress: 77E70000 Size: 92000 Mapped to pid: own pid Path: \KnownDlls\RPCRT4.dll	success or wait	1595738375
Section opened	Access: map write and map read and map execute Baseaddress: 77FE0000 Size: 11000 Mapped to pid: own pid Path: \KnownDlls\Secur32.dll	success or wait	1595741986
Section opened	Access: map write and map read and map execute Baseaddress: not known Size: not known Mapped to pid: own pid Path: \KnownDlls\WINMM.dll	object name not found	1595747043
Section created	Access: query and map write and map read and map execute Protection: execute Attributes: image Path: not known Type: image Baseaddress: 76B40000 Entrypoint: 76B42B61 Mapped to pid: own pid Size: 2D000	success or wait	1595747961
Section opened	Access: map write and map read and map execute Baseaddress: 774E0000 Size: 13D000 Mapped to pid: own pid Path: \KnownDlls\ole32.dll	success or wait	1595752516
Section opened	Access: map write and map read and map execute Baseaddress: 77120000 Size: 8B000 Mapped to pid: own pid Path: \KnownDlls\OLEAUT32.dll	success or wait	1595757721
Section opened	Access: map write and map read and map execute Baseaddress: not known Size: not known Mapped to pid: own pid Path: \KnownDlls\MSACM32.dll	object name not found	1595761951
Section created	Access: query and map write and map read and map execute Protection: execute Attributes: image Path: not known Type: image Baseaddress: 77BE0000 Entrypoint: 77BE1292 Mapped to pid: own pid Size: 15000	success or wait	1595762804
Section opened	Access: map write and map read and map execute Baseaddress: 77C00000 Size: 8000 Mapped to pid: own pid Path: \KnownDlls\VERSION.dll	success or wait	1595778359
Section opened	Access: map write and map read and map execute Baseaddress: 7C9C0000 Size: 817000 Mapped to pid: own pid Path: \KnownDlls\SHELL32.dll	success or wait	1595780806
Section opened	Access: map write and map read and map execute Baseaddress: 77F60000 Size: 76000 Mapped to pid: own pid Path: \KnownDlls\SHLWAPI.dll	success or wait	1595787146
Section opened	Access: map write and map read and map execute Baseaddress: 769C0000 Size: B4000 Mapped to pid: own pid Path: \KnownDlls\USERENV.dll	success or wait	1595798576
Section opened	Access: map write and map read and map execute Baseaddress: not known Size: not known Mapped to pid: own pid Path: \KnownDlls\UxTheme.dll	object name not found	1595803507
Section created	Access: query and map write and map read and map execute Protection: execute Attributes: image Path: not known Type: image Baseaddress: 5AD70000 Entrypoint: 5AD71626 Mapped to pid: own pid Size: 38000	success or wait	1595804584
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AcGenral.DLL Access: generic read	object name not found	1595811138
System info queried	Type: BasicInformation	success or wait	1595811692
Section opened	Access: map read Baseaddress: 00490000 Size: 20C2 Mapped to pid: own pid Path: \NLS\NlsSectionCType	success or wait	1595814487
Mutant created	Name: \BaseNamedObjects\SHIMLIB_LOG_MUTEX	object name exists	1595817517
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ntdll.dll Access: generic read	object name not found	1595818193
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kernel32.dll Access: generic read	object name not found	1595818438
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msvcrt.dll Access: generic read	object name not found	1595818676
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GDI32.dll Access: generic read	object name not found	1595818913
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\USER32.dll Access: generic read	object name not found	1595819222
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ShimEng.dll Access: generic read	object name not found	1595819464
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Secur32.dll Access: generic read	object name not found	1595819702
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RPCRT4.dll Access: generic read	object name not found	1595819936
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ADVAPI32.dll Access: generic read	object name not found	1595820171
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WINMM.dll Access: generic read	object name not found	1595820407
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ole32.dll Access: generic read	object name not found	1595820851
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\OLEAUT32.dll Access: generic read	object name not found	1595821295
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSACM32.dll Access: generic read	object name not found	1595821669
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\VERSION.dll Access: generic read	object name not found	1595821939
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SHLWAPI.dll Access: generic read	object name not found	1595822176
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SHELL32.dll Access: generic read	object name not found	1595822411
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\USERENV.dll Access: generic read	object name not found	1595822811
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UxTheme.dll Access: generic read	object name not found	1595823053
File overwritten	Path: \Device\NamedPipe\ShimViewer Access: write data or add file and append data or add subdirectory or create pipe instance and write ea and write attributes and read control and synchronize Disposition: open Options: no options Attributes: normal	object name not found	1595823578
System info queried	Type: BasicInformation	success or wait	1595823838
System info queried	Type: BasicInformation	success or wait	1595825104
System info queried	Type: ProcessorInformation	success or wait	1595825263
System info queried	Type: BasicInformation	success or wait	1595833135
System info queried	Type: BasicInformation	success or wait	1595837071
Key opened	Path: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager Access: query value and read or execute	success or wait	1595838448
Key value queried	Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager Name: SafeDllSearchMode	object name not found	1595838792
Section created	Access: map write and map read and map execute Protection: execute Attributes: commit Path: not known Type: commit Baseaddress: 00410000 Entrypoint: not known Mapped to pid: own pid Size: 1AE00	success or wait	1595840016
Section created	Access: map write and map read and map execute Protection: execute Attributes: commit Path: not known Type: commit Baseaddress: 00410000 Entrypoint: not known Mapped to pid: own pid Size: 1AE00	success or wait	1595850256
Section created	Access: query and map write and map read and map execute Protection: execute Attributes: image Path: not known Type: image Baseaddress: 76390000 Entrypoint: 763912C0 Mapped to pid: own pid Size: 1D000	success or wait	1595851828
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IMM32.DLL Access: generic read	object name not found	1595856482
System info queried	Type: BasicInformation	success or wait	1595856675
Key opened	Path: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Error Message Instrument\ Access: query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1595857787
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize Access: query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1595858234
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize Name: DisableMetaFiles	object name not found	1595858583
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows Access: query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1595861296
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Name: AppInit_DLLs	success or wait	1595861549
Key opened	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Access: query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1595863368
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Name: LeakTrack	object name not found	1595863585
Key opened	Path: HKEY_LOCAL_MACHINE Access: maximum allowed	success or wait	1595864055
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Diagnostics Access: query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1595864533
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\DRIVERS32 Access: generic read	success or wait	1595865801
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: wave	success or wait	1595866028
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: wave	success or wait	1595867184
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: wave1	object name not found	1595868187
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: wave2	object name not found	1595868710
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: wave3	object name not found	1595869223
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: wave4	object name not found	1595869738
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: wave5	object name not found	1595870248
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: wave6	object name not found	1595870762
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: wave7	object name not found	1595871273
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: wave8	object name not found	1595871947
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: wave9	object name not found	1595872459
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: midi	success or wait	1595872974
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: midi	success or wait	1595873507
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: midi1	object name not found	1595874025
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: midi2	object name not found	1595874572
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: midi3	object name not found	1595875123
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: midi4	object name not found	1595875635
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: midi5	object name not found	1595876149
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: midi6	object name not found	1595877573
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: midi7	object name not found	1595878093
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: midi8	object name not found	1595878609
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: midi9	object name not found	1595879125
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: aux	success or wait	1595879870
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: aux	success or wait	1595880406
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: aux1	object name not found	1595880923
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: aux2	object name not found	1595881436
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: aux3	object name not found	1595881947
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: aux4	object name not found	1595882504
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: aux5	object name not found	1595883021
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: aux6	object name not found	1595883536
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: aux7	object name not found	1595884045
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: aux8	object name not found	1595884555
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: aux9	object name not found	1595885064
Key opened	Path: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\MediaProperties\PrivateProperties\Joystick\Winmm Access: query value and set value and create sub key and enumerate sub key and notify and create link and read or execute and write and delete and read control and write dac and write owner	success or wait	1595885993
Key value queried	Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\MediaProperties\PrivateProperties\Joystick\Winmm Name: wheel	success or wait	1595886305
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: mixer	success or wait	1595886949
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: mixer	success or wait	1595887478
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: mixer1	object name not found	1595887998
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: mixer2	object name not found	1595888512
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: mixer3	object name not found	1595889027
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: mixer4	object name not found	1595889580
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: mixer5	object name not found	1595890098
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: mixer6	object name not found	1595890611
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: mixer7	object name not found	1595891127
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: mixer8	object name not found	1595891642
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: mixer9	object name not found	1595892157
System info queried	Type: BasicInformation	success or wait	1595895301
System info queried	Type: ProcessorInformation	success or wait	1595895449
Key opened	Path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager Access: query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1595895709
Key value queried	Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager Name: CriticalSectionTimeout	success or wait	1595895942
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Ole Access: query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1595896381
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole Name: RWLockResourceTimeOut	object name not found	1595896616
System info queried	Type: BasicInformation	success or wait	1595896994
System info queried	Type: ProcessorInformation	success or wait	1595897174
System info queried	Type: BasicInformation	success or wait	1595897307
System info queried	Type: ProcessorInformation	success or wait	1595897454
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Classes\Interface Access: query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1595897661
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface Name: InterfaceHelperDisableAll	object name not found	1595897915
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface Name: InterfaceHelperDisableAllForOle32	object name not found	1595898088
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface Name: InterfaceHelperDisableTypeLib	object name not found	1595898255
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Classes\Interface\{00020400-0000-0000-C000-000000000046} Access: query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1595898552
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{00020400-0000-0000-C000-000000000046} Name: InterfaceHelperDisableAll	object name not found	1595898818
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{00020400-0000-0000-C000-000000000046} Name: InterfaceHelperDisableAllForOle32	object name not found	1595898989
Key opened	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLEAUT Access: query value and read or execute	object name not found	1595899546
Key opened	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLEAUT\UserEra Access: query value and enumerate sub key and read or execute	object name not found	1595899953
Key opened	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLEAUT Access: query value and read or execute	object name not found	1595900408
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003 Access: maximum allowed	success or wait	1595901373
Key created	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Multimedia\Audio Access: query value and set value and create sub key and read or execute and write and read control Options: non volatile	success or wait	1595901733
Key value queried	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Multimedia\Audio Name: SystemFormats	success or wait	1595901989
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 Access: generic read	success or wait	1595903267
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: msacm.imaadpcm	buffer overflow	1595934307
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: msacm.imaadpcm	success or wait	1595934499
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\AudioCompressionManager\DriverCache Access: maximum allowed	success or wait	1595935165
Key opened	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.imaadpcm Access: maximum allowed	success or wait	1595935711
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.imaadpcm Name: fdwSupport	success or wait	1595935939
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.imaadpcm Name: cFormatTags	success or wait	1595936238
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.imaadpcm Name: aFormatTagCache	success or wait	1595936517
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.imaadpcm Name: cFilterTags	success or wait	1595936788
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: msacm.msadpcm	buffer overflow	1595937681
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: msacm.msadpcm	success or wait	1595937899
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\AudioCompressionManager\DriverCache Access: maximum allowed	success or wait	1595938265
Key opened	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msadpcm Access: maximum allowed	success or wait	1595938522
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msadpcm Name: fdwSupport	success or wait	1595938830
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msadpcm Name: cFormatTags	success or wait	1595939104
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msadpcm Name: aFormatTagCache	success or wait	1595939415
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msadpcm Name: cFilterTags	success or wait	1595939687
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: msacm.msg711	buffer overflow	1595940582
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: msacm.msg711	success or wait	1595940772
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\AudioCompressionManager\DriverCache Access: maximum allowed	success or wait	1595941139
Key opened	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msg711 Access: maximum allowed	success or wait	1595941398
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msg711 Name: fdwSupport	success or wait	1595941618
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msg711 Name: cFormatTags	success or wait	1595941894
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msg711 Name: aFormatTagCache	success or wait	1595942170
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msg711 Name: cFilterTags	success or wait	1595942441
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: msacm.msgsm610	buffer overflow	1595943471
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: msacm.msgsm610	success or wait	1595943664
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\AudioCompressionManager\DriverCache Access: maximum allowed	success or wait	1595944057
Key opened	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msgsm610 Access: maximum allowed	success or wait	1595944318
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msgsm610 Name: fdwSupport	success or wait	1595944539
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msgsm610 Name: cFormatTags	success or wait	1595944814
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msgsm610 Name: aFormatTagCache	success or wait	1595945091
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msgsm610 Name: cFilterTags	success or wait	1595945364
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: msacm.trspch	buffer overflow	1595946255
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: msacm.trspch	success or wait	1595946499
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\AudioCompressionManager\DriverCache Access: maximum allowed	success or wait	1595946866
Key opened	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.trspch Access: maximum allowed	success or wait	1595947124
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.trspch Name: fdwSupport	success or wait	1595947347
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.trspch Name: cFormatTags	success or wait	1595947622
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.trspch Name: aFormatTagCache	success or wait	1595947901
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.trspch Name: cFilterTags	success or wait	1595948174
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: msacm.msg723	buffer overflow	1595949841
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: msacm.msg723	success or wait	1595950043
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\AudioCompressionManager\DriverCache Access: maximum allowed	success or wait	1595950417
Key opened	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msg723 Access: maximum allowed	success or wait	1595950681
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msg723 Name: fdwSupport	success or wait	1595950906
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msg723 Name: cFormatTags	success or wait	1595951182
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msg723 Name: aFormatTagCache	success or wait	1595951461
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msg723 Name: cFilterTags	success or wait	1595951736
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: msacm.msaudio1	buffer overflow	1595952635
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: msacm.msaudio1	success or wait	1595952833
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\AudioCompressionManager\DriverCache Access: maximum allowed	success or wait	1595953206
Key opened	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msaudio1 Access: maximum allowed	success or wait	1595953517
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msaudio1 Name: fdwSupport	success or wait	1595953750
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msaudio1 Name: cFormatTags	success or wait	1595954028
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msaudio1 Name: aFormatTagCache	success or wait	1595954303
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msaudio1 Name: cFilterTags	success or wait	1595954575
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: msacm.sl_anet	buffer overflow	1595955464
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: msacm.sl_anet	success or wait	1595955661
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\AudioCompressionManager\DriverCache Access: maximum allowed	success or wait	1595956037
Key opened	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.sl_anet Access: maximum allowed	success or wait	1595956296
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.sl_anet Name: fdwSupport	success or wait	1595956515
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.sl_anet Name: cFormatTags	success or wait	1595956789
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.sl_anet Name: aFormatTagCache	success or wait	1595957392
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.sl_anet Name: cFilterTags	success or wait	1595957668
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: msacm.iac2	buffer overflow	1595958950
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: msacm.iac2	success or wait	1595959148
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\AudioCompressionManager\DriverCache Access: maximum allowed	success or wait	1595959547
Key opened	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.iac2 Access: maximum allowed	success or wait	1595959809
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.iac2 Name: fdwSupport	success or wait	1595960031
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.iac2 Name: cFormatTags	success or wait	1595960307
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.iac2 Name: aFormatTagCache	success or wait	1595960584
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.iac2 Name: cFilterTags	success or wait	1595960913
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: msacm.l3acm	buffer overflow	1595961805
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: msacm.l3acm	success or wait	1595962001
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\AudioCompressionManager\DriverCache Access: maximum allowed	success or wait	1595962400
Key opened	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.l3acm Access: maximum allowed	success or wait	1595962657
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.l3acm Name: fdwSupport	success or wait	1595962880
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.l3acm Name: cFormatTags	success or wait	1595963157
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.l3acm Name: aFormatTagCache	success or wait	1595963434
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.l3acm Name: cFilterTags	success or wait	1595963709
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003 Access: maximum allowed	success or wait	1595964972
Key created	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Multimedia\Audio Compression Manager\ Access: set value and create sub key and read or execute and write and read control Options: non volatile	success or wait	1595965344
Key created	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Multimedia\Audio Compression Manager\MSACM Access: query value and set value and create sub key and enumerate sub key and notify and read or execute and write and read control Options: non volatile	success or wait	1595965795
Key value queried	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Multimedia\Audio Compression Manager\MSACM Name: NoPCMConverter	object name not found	1595966135
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003 Access: maximum allowed	success or wait	1595967685
Key created	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Multimedia\Audio Compression Manager\ Access: set value and create sub key and read or execute and write and read control Options: non volatile	success or wait	1595968083
Key created	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Multimedia\Audio Compression Manager\Priority v4.00 Access: query value and set value and create sub key and enumerate sub key and notify and read or execute and write and read control Options: non volatile	success or wait	1595968531
Key value queried	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Multimedia\Audio Compression Manager\Priority v4.00 Name: Priority1	object name not found	1595968883
Key opened	Path: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\MediaResources\acm Access: query value and enumerate sub key and read or execute	object name not found	1595969296
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Performance Access: maximum allowed	object name not found	1595969737
Key opened	Path: HKEY_LOCAL_MACHINE\SYSTEM\Setup Access: query value and read or execute	success or wait	1595973235
Key value queried	Path: HKEY_LOCAL_MACHINE\SYSTEM\Setup Name: SystemSetupInProgress	success or wait	1595973483
Section created	Access: map read Protection: readonly Attributes: commit Path: not known Type: commit Baseaddress: 00970000 Entrypoint: not known Mapped to pid: own pid Size: 811C00	success or wait	1595975317
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots Access: enumerate sub key and read or execute	object name not found	1595991320
Section created	Access: map write and map read and map execute Protection: execute Attributes: commit Path: not known Type: commit Baseaddress: 00970000 Entrypoint: not known Mapped to pid: own pid Size: 101600	success or wait	1595993854
Section created	Access: query and map write and map read and map execute Protection: execute Attributes: image Path: not known Type: image Baseaddress: 773D0000 Entrypoint: 773D4256 Mapped to pid: own pid Size: 103000	success or wait	1595995523
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\comctl32.dll Access: generic read	object name not found	1596002681
Section created	Access: map write and map read and map execute Protection: execute Attributes: commit Path: not known Type: commit Baseaddress: 00440000 Entrypoint: not known Mapped to pid: own pid Size: 2ED	success or wait	1596004658
File opened	Path: C:\WINDOWS\WindowsShell.Manifest Access: read attributes and synchronize and generic read Disposition: open Options: synchronous io non alert and non directory file Attributes: none	success or wait	1596006600
Section created	Access: query and map read Protection: readonly Attributes: commit Path: not known Type: commit Baseaddress: 00440000 Entrypoint: not known Mapped to pid: own pid Size: 2ED	success or wait	1596006977
Section created	Access: map read Protection: readonly Attributes: commit Path: not known Type: commit Baseaddress: 00440000 Entrypoint: not known Mapped to pid: own pid Size: 2ED	success or wait	1596008528
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003 Access: query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1596023044
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Control Panel\Desktop Access: query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1596024241
Key value queried	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Control Panel\Desktop Name: SmoothScroll	object name not found	1596024501
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\software\Microsoft\Windows\CurrentVersion\Explorer\Advanced Access: query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1596025760
Key value queried	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced Name: EnableBalloonTips	object name not found	1596026088
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\LanguagePack Access: query value and read or execute	success or wait	1596027000
Section opened	Access: map write and map read and map execute Baseaddress: 5D090000 Size: 9A000 Mapped to pid: own pid Path: \KnownDlls\comctl32.dll	success or wait	1596029501
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\comctl32.dll Access: generic read	object name not found	1596034205
System info queried	Type: BasicInformation	success or wait	1596034871
Section created	Access: map read Protection: readonly Attributes: commit Path: not known Type: commit Baseaddress: 00970000 Entrypoint: not known Mapped to pid: own pid Size: 96C00	success or wait	1596039065
Process opened	Access: query information PID: 1512 Path: C:\WINDOWS\system32\cmd.exe Cmdline: C:\WINDOWS\system32\cmd.exe /c explorer C:\	success or wait	1596045417
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003 Access: query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1596046837
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Control Panel\Desktop Access: query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1596047817
Key value queried	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Control Panel\Desktop Name: SmoothScroll	object name not found	1596048061
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\winlogon Access: maximum allowed	success or wait	1596050876
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Name: UserEnvDebugLevel	object name not found	1596051129
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\winlogon Access: maximum allowed	success or wait	1596051575
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Name: ChkAccDebugLevel	object name not found	1596051791
Key opened	Path: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\ProductOptions Access: query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1596052264
Key value queried	Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ProductOptions Name: ProductType	success or wait	1596052528
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003 Access: query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1596053977
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders Access: query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1596054228
Key value queried	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders Name: Personal	success or wait	1596054494
Key value queried	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders Name: Local Settings	success or wait	1596054775
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\winlogon Access: maximum allowed	success or wait	1596055330
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Name: RsopDebugLevel	object name not found	1596055577
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\winlogon Access: maximum allowed	success or wait	1596056399
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Name: UserEnvDebugLevel	object name not found	1596057229
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Name: RsopLogging	object name not found	1596057504
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System Access: maximum allowed	success or wait	1596057914
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System Name: UserEnvDebugLevel	object name not found	1596058313
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System Name: RsopLogging	object name not found	1596058582
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\winlogon Access: maximum allowed	success or wait	1596059060
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Name: UserEnvDebugLevel	object name not found	1596059287
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System Access: maximum allowed	success or wait	1596059716
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System Name: UserEnvDebugLevel	object name not found	1596059930
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003 Access: query value and set value and create sub key and enumerate sub key and notify and read or execute and write and read control	success or wait	1596061561
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\ThemeManager Access: query value and read or execute	success or wait	1596061815
Key value queried	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\ThemeManager Name: Compositing	object name not found	1596062040
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003 Access: query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1596063296
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Control Panel\Desktop Access: query value and read or execute	success or wait	1596063456
Key value queried	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Control Panel\Desktop Name: LameButtonText	object name not found	1596063668
Thread continue	TID: 2044 DR0: 0 DR1: 0 DR2: 0 DR3: 0 DR7: 0 EIP: 7C810705 EFLAGS: 200	no status	1596064616
Performance counter queried	Count: 1596065527 Frequency: 3579545	success or wait	1596065505
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003 Access: maximum allowed	success or wait	1596068080
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Policies\Microsoft\Windows\System Access: query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1596068429
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor Access: maximum allowed	success or wait	1596071704
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor Name: DisableUNCCheck	object name not found	1596072044
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor Name: EnableExtensions	success or wait	1596072320
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor Name: DelayedExpansion	object name not found	1596072591
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor Name: DefaultColor	success or wait	1596072850
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor Name: CompletionChar	success or wait	1596073107
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor Name: PathCompletionChar	success or wait	1596073366
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor Name: AutoRun	success or wait	1596073622
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Command Processor Access: maximum allowed	success or wait	1596074018
Key value queried	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Command Processor Name: DisableUNCCheck	object name not found	1596074244
Key value queried	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Command Processor Name: EnableExtensions	success or wait	1596074509
Key value queried	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Command Processor Name: DelayedExpansion	object name not found	1596074769
Key value queried	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Command Processor Name: DefaultColor	success or wait	1596075028
Key value queried	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Command Processor Name: CompletionChar	success or wait	1596075285
Key value queried	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Command Processor Name: PathCompletionChar	object name not found	1596075542
Key value queried	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Command Processor Name: AutoRun	object name not found	1596075797
Key opened	Path: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale Access: query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1596080386
Key opened	Path: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale\Alternate Sorts Access: query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1596082319
Key opened	Path: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Language Groups Access: query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1596082686
Key value queried	Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale Name: 00000409	success or wait	1596082956
Key value queried	Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups Name: 1	success or wait	1596083462
Section created	Access: query and map write and map read and map execute and extend size Protection: execute Attributes: image Path: not known Type: image Baseaddress: not known Entrypoint: 101A55F Mapped to pid: own pid Size: FF000	success or wait	1596097823
Key opened	Path: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\AppCertDlls Access: query value and read or execute	object name not found	1596098084
Key opened	Path: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\AppCompatibility Access: query value and read or execute	success or wait	1596098324
Key value queried	Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\AppCompatibility Name: DisableAppCompat	object name not found	1596098611
Section opened	Access: map write Baseaddress: 00980000 Size: E000 Mapped to pid: own pid Path: \BaseNamedObjects\ShimSharedMemory	success or wait	1596099872
Section created	Access: map write and map read and map execute Protection: execute Attributes: commit Path: not known Type: commit Baseaddress: 00990000 Entrypoint: not known Mapped to pid: own pid Size: 1EC00	success or wait	1596101590
Section created	Access: query and map write and map read and map execute Protection: execute Attributes: image Path: not known Type: image Baseaddress: 77B40000 Entrypoint: 77B41C09 Mapped to pid: own pid Size: 22000	success or wait	1596103347
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Apphelp.dll Access: generic read	object name not found	1596106940
File opened	Path: C:\WINDOWS\AppPatch\sysmain.sdb Access: read attributes and synchronize and generic read Disposition: open Options: synchronous io non alert and non directory file Attributes: normal	success or wait	1596107511
Section created	Access: map read Protection: readonly Attributes: commit Path: not known Type: commit Baseaddress: 00990000 Entrypoint: not known Mapped to pid: own pid Size: 125ED2	success or wait	1596108055
File other operation	Operation: 00000018 Path: C:\WINDOWS\AppPatch\systest.sdb Access: read attributes and synchronize and generic read Disposition: open Options: synchronous io non alert and non directory file Attributes: normal	object name not found	1596108941
System info queried	Type: ProcessorInformation	success or wait	1596109147
Key opened	Path: HKEY_LOCAL_MACHINE\System\WPA\TabletPC Access: query value and wow64 64key and wow64 resource and read or execute	object name not found	1596109515
Key opened	Path: HKEY_LOCAL_MACHINE\SYSTEM\WPA\MediaCenter Access: query value and wow64 64key and wow64 resource and read or execute	success or wait	1596109732
Key value queried	Path: HKEY_LOCAL_MACHINE\SYSTEM\WPA\MediaCenter Name: Installed	success or wait	1596109962
File overwritten	Path: \Device\NamedPipe\ShimViewer Access: write data or add file and append data or add subdirectory or create pipe instance and write ea and write attributes and read control and synchronize Disposition: open Options: no options Attributes: normal	object name not found	1596110533
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers Access: wow64 64key and wow64 resource and generic read	object name not found	1596117881
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers Access: wow64 64key and wow64 resource and generic read	object name not found	1596118961
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\explorer.exe Access: wow64 64key and wow64 resource and generic read	object name not found	1596119227
Section created	Access: map write and map read and map execute Protection: execute Attributes: commit Path: not known Type: commit Baseaddress: 00AC0000 Entrypoint: not known Mapped to pid: own pid Size: FC600	success or wait	1596237062
File opened	Path: C:\WINDOWS\explorer.exe Access: read attributes and synchronize and generic read Disposition: open Options: synchronous io non alert and non directory file Attributes: none	success or wait	1596265949
Section created	Access: query and map read Protection: readonly Attributes: commit Path: not known Type: commit Baseaddress: 00AC0000 Entrypoint: not known Mapped to pid: own pid Size: FC600	success or wait	1596266357
Section created	Access: map write and map read and map execute Protection: execute Attributes: commit Path: not known Type: commit Baseaddress: 00AC0000 Entrypoint: not known Mapped to pid: own pid Size: FC600	success or wait	1596299892
File opened	Path: C:\WINDOWS\explorer.exe Access: read attributes and synchronize and generic read Disposition: open Options: synchronous io non alert and non directory file Attributes: none	success or wait	1596301693
Section created	Access: query and map read Protection: readonly Attributes: commit Path: not known Type: commit Baseaddress: 00AC0000 Entrypoint: not known Mapped to pid: own pid Size: FC600	success or wait	1596302072
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags Access: wow64 64key and wow64 resource and generic read	object name not found	1596305746
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags Access: wow64 64key and wow64 resource and generic read	object name not found	1596307814
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags Access: wow64 64key and wow64 resource and generic read	object name not found	1596308744
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags Access: wow64 64key and wow64 resource and generic read	object name not found	1596309731
Key opened	Path: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot\Option Access: query value and set value and read or execute and write	object name not found	1596315839
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Access: query value and read or execute	success or wait	1596316089
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers Name: TransparentEnabled	success or wait	1596316338
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers Name: AuthenticodeEnabled	success or wait	1596316572
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\LevelObjects Access: query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1596317248
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Access: query value and read or execute	success or wait	1596317482
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers Name: Levels	object name not found	1596317709
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths Access: query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1596318644
Key opened	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{dda3f824-d8cb-441b-834d-be2efd2c1a33} Access: query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1596319282
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{dda3f824-d8cb-441b-834d-be2efd2c1a33} Name: ItemData	success or wait	1596319522
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{dda3f824-d8cb-441b-834d-be2efd2c1a33} Name: SaferFlags	success or wait	1596319892
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes Access: query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1596320880
Key opened	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328} Access: query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1596321493
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328} Name: ItemData	success or wait	1596321725
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328} Name: HashAlg	success or wait	1596322088
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328} Name: ItemSize	success or wait	1596322449
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328} Name: SaferFlags	success or wait	1596322808
Key opened	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91} Access: query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1596323665
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91} Name: ItemData	success or wait	1596323898
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91} Name: HashAlg	success or wait	1596324263
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91} Name: ItemSize	success or wait	1596324741
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91} Name: SaferFlags	success or wait	1596325118
Key opened	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f} Access: query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1596325975
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f} Name: ItemData	success or wait	1596326212
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f} Name: HashAlg	success or wait	1596326576
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f} Name: ItemSize	success or wait	1596326934
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f} Name: SaferFlags	success or wait	1596327293
Key opened	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d} Access: query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1596328185
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d} Name: ItemData	success or wait	1596328418
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d} Name: HashAlg	success or wait	1596328779
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d} Name: ItemSize	success or wait	1596329137
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d} Name: SaferFlags	success or wait	1596329496
Key opened	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc} Access: query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1596330349
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc} Name: ItemData	success or wait	1596330583
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc} Name: HashAlg	success or wait	1596330946
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc} Name: ItemSize	success or wait	1596331307
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc} Name: SaferFlags	success or wait	1596331988
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\UrlZones Access: query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1596332991
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Paths Access: query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1596333237
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Hashes Access: query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1596333472
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\UrlZones Access: query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1596333757
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Paths Access: query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1596333991
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Hashes Access: query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1596334222
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\UrlZones Access: query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1596334456
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Paths Access: query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1596334687
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Hashes Access: query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1596334922
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\UrlZones Access: query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1596335153
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths Access: query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1596335383
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Hashes Access: query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1596335986
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\UrlZones Access: query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1596336227
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths Access: query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1596337285
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes Access: query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1596338182
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\UrlZones Access: query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1596339132
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Paths Access: query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1596340023
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Hashes Access: query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1596340902
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\UrlZones Access: query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1596341780
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Paths Access: query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1596342525
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Hashes Access: query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1596344308
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\UrlZones Access: query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1596345188
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Paths Access: query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1596346103
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Hashes Access: query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1596346978
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\UrlZones Access: query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1596347862
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths Access: query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1596348746
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Hashes Access: query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1596349675
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\UrlZones Access: query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1596350563
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Access: query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1596350796
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers Name: DefaultLevel	success or wait	1596351056
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Access: query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1596352406
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Access: query value and read or execute	success or wait	1596353995
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers Name: PolicyScope	success or wait	1596354218
Section created	Access: query and map read Protection: readonly Attributes: commit Path: not known Type: commit Baseaddress: 00990000 Entrypoint: not known Mapped to pid: own pid Size: FC600	success or wait	1596359538
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003 Access: query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1596360825
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders Access: query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1596361102
Key value queried	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders Name: Cache	buffer overflow	1596361464
Key value queried	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders Name: Cache	success or wait	1596361752
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Access: query value and read or execute	success or wait	1596362836
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers Name: LogFileName	object name not found	1596363056
Key opened	Path: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot\Option Access: query value and set value and read or execute and write	object name not found	1596363759
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe Access: generic read	object name not found	1596366155
System info queried	Type: WatchdogTimerHandler	success or wait	1596366443
Process created	Access: terminate and create thread and set session id and vm operation and vm read and vm write and dupclicate handle and create process and set quota and set information and query information and set port or suspend or resume PID: 1592 Path: C:\WINDOWS\explorer.exe Cmdline: explorer C:\ Createflags: suspended	success or wait	1596366708
Memory read	PID: 1592 Path: C:\WINDOWS\explorer.exe Base: 7FFD9008 Length: 00000004 Value: 00 00 00 01	success or wait	1596369072
Memory read	PID: 1592 Path: C:\WINDOWS\explorer.exe Base: 01000000 Length: 00001000 Value: 4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00 B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 D8 00 00 00 0E 1F BA 0E 00 B4 09 CD 21 B8 01 4C CD 21 54 68 69 73 20 70 72 6F 67 72 61 6D 20 63 61 6E 6E 6F 74 20 62 65 20 72 75 6E 20 69 6E 20 44 4F 53 20 6D 6F 64 65 2E 0D 0D 0A 24 00 00 00 00 00 00 00 97 A6 B0 91 D3 C7 DE C2 D3 C7 DE C2 D3 C7 DE C2 10 C8 D1 C2 D7 C7 DE C2 D3 C7 DF C2 48 C5 DE C2 10 C8 83 C2 C8 C7 DE C2 10 C8 80 C2 D2 C7 DE C2 10 C8 BE C2 FA C7 DE C2 10 C8 81 C2 CE C7 DE C2 10 C8 84 C2 D2 C7 DE C2 52 69 63 68 D3 C7 DE C2 00 00 00 00 00 00 00 00 50 45 00 00 4C 01 04 00 30 5C 02 48 00 00 00 00 00 00 00 00 E0 00 0E 01 0B 01 07 0A 00 4E 04 00 00 7A 0B 00 00 00 00 00 5F A5 01 00 00 10 00 00 00 40 04 00 00 00 00 01 00 10 00 00 00 02 00 00 05 00 01 00 05 00 01 00 04 00 0A 00 00 00 00 00 00 F0 0F 00 00 04 00 00 2C 2B 10 00 02 00 00 80 00 00 04 00 00 E0 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 30 30 04 00 18 01 00 00 00 80 04 00 68 22 0B 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 B0 0F 00 4C 37 00 00 A8 5B 04 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 70 AC 02 00 40 00 00 00 70 02 00 00 10 01 00 00 00 10 00 00 84 09 00 00 EC 2C 04 00 C0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2E 74 65 78 74 00 00 00 09 4C 04 00 00 10 00 00 00 4E 04 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2E 64 61 74 61 00 00 00 B4 1D 00 00 00 60 04 00 00 18 00 00 00 52 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 C0 2E 72 73 72 63 00 00 00 68 22 0B 00 00 80 04 00 00 24 0B 00 00 6A 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2E 72 65 6C 6F 63 00 00 4C 37 00 00 00 B0 0F 00 00 38 00 00 00 8E 0F 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 B2 A0 02 48 78 00 00 00 A8 A0 02 48 85 00 00 00 BE A0 02 48 92 00 00 00 2C A1 02 48 9C 00 01 00 2C A1 02 48 A9 00 00 00 94 A0 02 48 B3 00 00 00 2C A1 02 48 A9 00 00 00 11 A1 02 48 BE 00 00 00 12 A1 02 48 C8 00 00 00 10 A1 02 48 D5 00 00 00 11 A1 02 48 E1 00 00 00 16 A1 02 48 ED 00 00 00 1B A1 02 48 F9 00 00 00 1E A1 02 48 04 01 00 00 00 00 00 00 00 00 00 00 41 44 56 41 50 49 33 32 2E 64 6C 6C 00 42 52 4F 57 53 45 55 49 2E 64 6C 6C 00 47 44 49 33 32 2E 64 6C 6C 00 4B 45 52 4E 45 4C 33 32 2E 64 6C 6C 00 4E 54 44 4C 4C 2E 44 4C 4C 00 6D 73 76 63 72 74 2E 64 6C 6C 00 6F 6C 65 33 32 2E 64 6C 6C 00 4F 4C 45 41 55 54 33 32 2E 64 6C 6C 00 53 48 44 4F 43 56 57 2E 64 6C 6C 00 53 48 45 4C 4C 33 32 2E 64 6C 6C 00 53 48 4C 57 41 50 49 2E 64 6C 6C 00 55 53 45 52 33 32 2E 64 6C 6C 00 55 78 54 68 65 6D 65 2E 64 6C 6C 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00	success or wait	1596369938
Memory read	PID: 1592 Path: C:\WINDOWS\explorer.exe Base: 01048000 Length: 00000100 Value: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0A 00 02 00 00 00 60 00 00 80 03 00 00 00 70 01 00 80 04 00 00 00 08 05 00 80 05 00 00 00 40 05 00 80 06 00 00 00 88 05 00 80 09 00 00 00 48 06 00 80 0E 00 00 00 60 06 00 80 10 00 00 00 00 07 00 80 18 00 00 00 18 07 00 80 F0 00 00 00 30 07 00 80 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 8F 00 00 00 48 07 00 80 91 00 00 00 60 07 00 80 92 00 00 00 78 07 00 80 93 00 00 00 90 07 00 80 94 00 00 00 A8 07 00 80 95 00 00 00 C0 07 00 80 96 00 00 00 D8 07 00 80 97 00 00 00 F0 07 00 80 98 00 00 00 08 08 00 80 99 00 00 00 20 08 00 80 9E 00 00 00 38 08 00 80 A2 00 00 00 50 08 00 80 A3 00 00 00 68 08 00 80 A4 00 00 00 80 08 00 80 A5 00 00 00 98 08 00 80 A6 00 00 00 B0 08 00 80 A7 00 00 00 C8 08 00 80 AA 00 00 00 E0 08 00 80	success or wait	1596373842
Memory read	PID: 1592 Path: C:\WINDOWS\explorer.exe Base: 01048718 Length: 00000018 Value: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 7B 00 00 00 F0 19 00 80	success or wait	1596374560
Memory written	PID: 1592 Path: C:\WINDOWS\explorer.exe Base: 00010000 Length: 0000074E Value: null	success or wait	1596377822
Memory written	PID: 1592 Path: C:\WINDOWS\explorer.exe Base: 00020000 Length: 00000610 Value: null	success or wait	1596380829
Memory written	PID: 1592 Path: C:\WINDOWS\explorer.exe Base: 7FFD9010 Length: 00000004 Value: null	success or wait	1596381298
Memory written	PID: 1592 Path: C:\WINDOWS\explorer.exe Base: 00030000 Length: 00000184 Value: null	success or wait	1596382045
Memory written	PID: 1592 Path: C:\WINDOWS\explorer.exe Base: 7FFD91E8 Length: 00000004 Value: null	success or wait	1596382397
Thread created	Access: terminate and suspend resume and alert and get context and set context and set information and query information and set token and impersonate and direct impersonation PID: 1592 TID: 788 EIP: 7C810705 Imagepath: C:\WINDOWS\explorer.exe	success or wait	1596384119
Process terminated	PID: 1512 Path: C:\WINDOWS\system32\cmd.exe	success or wait	1609042814
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize Access: query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1609253867
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize Name: DisableMetaFiles	object name not found	1609254423
Process terminated	PID: 1512 Path: C:\WINDOWS\system32\cmd.exe	success or wait	1609273039

Analysis File: explorer.exe PID: 1592 Parent PID: 1512 Run ID: 0

Sections

General
Start time:	23:47:54
Start date:	02/08/2010
Path:	C:\WINDOWS\explorer.exe
Commandline:	explorer C:\
File size:	1033728 bytes
MD5 hash:	12896823FB95BFB3DC9B46BCAEDC9923

File Activities:

File opened
Reputation	File Path	Access	Options	Completion	Count
20685	C:\WINDOWS\AppPatch\sysmain.sdb	read attributes and synchronize and generic read	synchronous io non alert and non directory file	success or wait	1
2394	C:\WINDOWS\AppPatch\systest.sdb	read attributes and synchronize and generic read	synchronous io non alert and non directory file	object name not found	1
1712	C:\WINDOWS\AppPatch\AcGenral.DLL	read attributes and synchronize and generic read	synchronous io non alert and non directory file	success or wait	2
1343	C:\WINDOWS\WindowsShell.Manifest	read attributes and synchronize and generic read	synchronous io non alert and non directory file	success or wait	1
205380	PIPE\lsarpc	read attributes and synchronize and generic read and generic write	non directory file	pipe not available	1613
8607	PIPE\lsarpc	read attributes and synchronize and generic read and generic write	non directory file	success or wait	2

File created
Reputation	File Path	Access	Attributes	Options	Completion	Count

File overwritten
Reputation	File Path	Access	Options	Completion	Count
34933	\Device\NamedPipe\ShimViewer	write data or add file and append data or add subdirectory or create pipe instance and write ea and write attributes and read control and synchronize	no options	object name not found	4
20901	WMIDataDevice	read attributes and synchronize and generic read and generic write	non directory file	success or wait	1
20901	WMIDataDevice	read attributes and synchronize and generic read and generic write	non directory file	success or wait	1
20901	WMIDataDevice	read attributes and synchronize and generic read and generic write	non directory file	success or wait	1
62040	MountPointManager	read attributes and synchronize	synchronous io non alert and non directory file	success or wait	3
62040	MountPointManager	read attributes and synchronize	synchronous io non alert and non directory file	success or wait	6
116	C:\WINDOWS\system32\CRYPTUI.dll.2.Manifest	read data or list directory and read ea and execute or traverse and read attributes and read control and synchronize	synchronous io non alert and non directory file	object name not found	1
2276	\Device\KsecDD	read data or list directory and synchronize	synchronous io alert	success or wait	1
82	C:\WINDOWS\system32\BROWSEUI.dll.123.Manifest	read data or list directory and read ea and execute or traverse and read attributes and read control and synchronize	synchronous io non alert and non directory file	object name not found	1
1153	C:\WINDOWS\system32\urlmon.dll.123.Manifest	read data or list directory and read ea and execute or traverse and read attributes and read control and synchronize	synchronous io non alert and non directory file	object name not found	1
817	C:\WINDOWS\system32\WININET.dll.123.Manifest	read data or list directory and read ea and execute or traverse and read attributes and read control and synchronize	synchronous io non alert and non directory file	object name not found	1
85	C:\WINDOWS\system32\SHDOCVW.dll.123.Manifest	read data or list directory and read ea and execute or traverse and read attributes and read control and synchronize	synchronous io non alert and non directory file	object name not found	1
1796	C:\WINDOWS\system32\SHELL32.dll.124.Manifest	read data or list directory and read ea and execute or traverse and read attributes and read control and synchronize	synchronous io non alert and non directory file	object name not found	1
1663	C:\WINDOWS\system32\comctl32.dll.124.Manifest	read data or list directory and read ea and execute or traverse and read attributes and read control and synchronize	synchronous io non alert and non directory file	object name not found	1
80	C:\WINDOWS\explorer.exe.123.Manifest	read data or list directory and read ea and execute or traverse and read attributes and read control and synchronize	synchronous io non alert and non directory file	object name not found	1
442	IDE#CdRomVBOX_CD-ROM_____________________________1.0_____#42562d3231303037333036372020202020202020#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}	read attributes and synchronize	synchronous io non alert and non directory file	success or wait	1
284	IDE#CdRomVBOX_CD-ROM_____________________________1.0_____#42562d3231303037333036372020202020202020#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}	read attributes and synchronize	synchronous io alert	success or wait	1
441	STORAGE#Volume#1&30a96598&0&Signature94389438Offset7E00Length27F4DB200#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}	read attributes and synchronize	synchronous io non alert and non directory file	success or wait	1
438	STORAGE#Volume#1&30a96598&0&Signature94389438Offset7E00Length27F4DB200#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}	read attributes and synchronize	synchronous io alert	success or wait	1

File deleted
Reputation	File Path	Completion	Count

File renamed
Reputation	Old File Path	New File Path	Completion	Count

File written
Reputation	File Path	Completion	Count
155362	\Device\NamedPipe\lsass	success or wait	2

Other file operations
Reputation	File Path	Disposition	Data	Completion	Count
15856	\Device\NamedPipe\lsass	PipeInformation	01 00 00 00 00 00 00 00	success or wait	2
49	\Device\NamedPipe\lsass	CompletionInformation	F4 06 00 00 00 00 FF FF	success or wait	2

Section Activities:

Section opened
Reputation	File Path	Access	Base	Entrypoint	Size	Mapped to pid	Completion	Count
40475	\KnownDlls\kernel32.dll	map write and map read and map execute	7C800000	7C80B64E	F6000	own pid	success or wait	1
842	\NLS\NlsSectionUnicode	map read	001B0000	not known	15DF4	own pid	success or wait	1
844	\NLS\NlsSectionLocale	map read	001D0000	not known	40EDC	own pid	success or wait	1
840	\NLS\NlsSectionSortkey	query and map read	00220000	not known	40004	own pid	success or wait	1
830	\NLS\NlsSectionSortTbls	map read	00270000	not known	5A04	own pid	success or wait	1
82482	\NLS\NlsSectionSortkey00000409	map read	not known	not known	not known	own pid	object name not found	2
35518	\KnownDlls\ADVAPI32.dll	map write and map read and map execute	77DD0000	77DD710B	9B000	own pid	success or wait	1
40913	\KnownDlls\RPCRT4.dll	map write and map read and map execute	77E70000	77E7628F	92000	own pid	success or wait	1
40856	\KnownDlls\Secur32.dll	map write and map read and map execute	77FE0000	77FE2146	11000	own pid	success or wait	1
140	\KnownDlls\BROWSEUI.dll	map write and map read and map execute	not known	not known	not known	own pid	object name not found	1
37497	\KnownDlls\GDI32.dll	map write and map read and map execute	77F10000	77F16587	49000	own pid	success or wait	1
33945	\KnownDlls\USER32.dll	map write and map read and map execute	7E410000	7E41B217	91000	own pid	success or wait	1
14883	\KnownDlls\msvcrt.dll	map write and map read and map execute	77C10000	77C1F2A1	58000	own pid	success or wait	1
4087	\KnownDlls\ole32.dll	map write and map read and map execute	774E0000	774FD0B9	13D000	own pid	success or wait	1
18615	\KnownDlls\SHLWAPI.dll	map write and map read and map execute	77F60000	77F651FB	76000	own pid	success or wait	1
3896	\KnownDlls\OLEAUT32.dll	map write and map read and map execute	77120000	77121560	8B000	own pid	success or wait	1
534	\KnownDlls\SHDOCVW.dll	map write and map read and map execute	not known	not known	not known	own pid	object name not found	1
9536	\KnownDlls\CRYPT32.dll	map write and map read and map execute	not known	not known	not known	own pid	object name not found	1
16604	\KnownDlls\MSASN1.dll	map write and map read and map execute	not known	not known	not known	own pid	object name not found	1
1045	\KnownDlls\CRYPTUI.dll	map write and map read and map execute	not known	not known	not known	own pid	object name not found	1
15145	\KnownDlls\NETAPI32.dll	map write and map read and map execute	not known	not known	not known	own pid	object name not found	1
25391	\KnownDlls\VERSION.dll	map write and map read and map execute	77C00000	77C01135	8000	own pid	success or wait	1
13922	\KnownDlls\WININET.dll	map write and map read and map execute	3D930000	3D931744	E6000	own pid	success or wait	1
994	\KnownDlls\Normaliz.dll	map write and map read and map execute	00400000	401782	9000	own pid	success or wait	1
19227	\KnownDlls\urlmon.dll	map write and map read and map execute	78130000	78131AFA	132000	own pid	success or wait	1
18908	\KnownDlls\iertutil.dll	map write and map read and map execute	3DFD0000	3E0E7B59	1E8000	own pid	success or wait	1
2452	\KnownDlls\WINTRUST.dll	map write and map read and map execute	not known	not known	not known	own pid	object name not found	1
4153	\KnownDlls\IMAGEHLP.dll	map write and map read and map execute	76C90000	76C9126D	28000	own pid	success or wait	1
8226	\KnownDlls\WLDAP32.dll	map write and map read and map execute	76F60000	76F61130	2C000	own pid	success or wait	1
25613	\KnownDlls\SHELL32.dll	map write and map read and map execute	7C9C0000	7C9E74E6	817000	own pid	success or wait	1
2257	\KnownDlls\UxTheme.dll	map write and map read and map execute	not known	not known	not known	own pid	object name not found	1
11494	\KnownDlls\ShimEng.dll	map write and map read and map execute	not known	not known	not known	own pid	object name not found	1
18656	\KnownDlls\WINMM.dll	map write and map read and map execute	not known	not known	not known	own pid	object name not found	1
5940	\KnownDlls\MSACM32.dll	map write and map read and map execute	not known	not known	not known	own pid	object name not found	1
18938	\KnownDlls\USERENV.dll	map write and map read and map execute	769C0000	769C15E4	B4000	own pid	success or wait	1
114	\NLS\NlsSectionCType	map read	003E0000	not known	20C2	own pid	success or wait	1
1159	\KnownDlls\RichEd20.dll	map write and map read and map execute	not known	not known	not known	own pid	object name not found	1
3188	\KnownDlls\comctl32.dll	map write and map read and map execute	5D090000	5D0934BA	9A000	own pid	success or wait	1
10059	\KnownDlls\SETUPAPI.dll	map write and map read and map execute	not known	not known	not known	own pid	object name not found	1

Section created
Reputation	File Path	Access	Attributes	Base	Entrypoint	Size	Protection	Mapped to pid	Completion	Count
2466	not known	query and map write and map read and map execute and extend size	reserve	not known	not known	10000	read write	own pid	success or wait	1
171	C:\WINDOWS\system32\browseui.dll	query and map write and map read and map execute	image	75F80000	75F836FA	FD000	execute	own pid	success or wait	1
175	C:\WINDOWS\system32\shdocvw.dll	query and map write and map read and map execute	image	7E290000	7E2A5ED1	171000	execute	own pid	success or wait	1
2128	C:\WINDOWS\system32\crypt32.dll	query and map write and map read and map execute	image	77A80000	77A81632	95000	execute	own pid	success or wait	1
16540	C:\WINDOWS\system32\msasn1.dll	query and map write and map read and map execute	image	77B20000	77B233A1	12000	execute	own pid	success or wait	1
215	C:\WINDOWS\system32\cryptui.dll	query and map write and map read and map execute	image	754D0000	754D16AB	80000	execute	own pid	success or wait	1
18093	C:\WINDOWS\system32\netapi32.dll	query and map write and map read and map execute	image	5B860000	5B868B48	55000	execute	own pid	success or wait	1
1699	C:\WINDOWS\system32\wintrust.dll	query and map write and map read and map execute	image	76C30000	76C31529	2E000	execute	own pid	success or wait	1
9375	C:\WINDOWS\system32\uxtheme.dll	query and map write and map read and map execute	image	5AD70000	5AD71626	38000	execute	own pid	success or wait	1
423	C:\WINDOWS\system32\shimeng.dll	query and map write and map read and map execute	image	5CB70000	5CB78E55	26000	execute	own pid	success or wait	1
140	C:\WINDOWS\AppPatch\sysmain.sdb	map read	commit	00290000	not known	125ED2	readonly	own pid	success or wait	1
170	C:\WINDOWS\AppPatch\acgenral.dll	map write and map read and map execute	commit	00410000	not known	1C4600	execute	own pid	success or wait	2
11424	C:\WINDOWS\AppPatch\acgenral.dll	query and map write and map read and map execute	image	6F880000	6F8A606E	1CA000	execute	own pid	success or wait	1
20195	C:\WINDOWS\system32\winmm.dll	query and map write and map read and map execute	image	76B40000	76B42B61	2D000	execute	own pid	success or wait	1
11615	C:\WINDOWS\system32\msacm32.dll	query and map write and map read and map execute	image	77BE0000	77BE1292	15000	execute	own pid	success or wait	1
480	C:\WINDOWS\system32\imm32.dll	map write and map read and map execute	commit	00360000	not known	1AE00	execute	own pid	success or wait	2
39628	C:\WINDOWS\system32\imm32.dll	query and map write and map read and map execute	image	76390000	763912C0	1D000	execute	own pid	success or wait	1
80	C:\WINDOWS\system32\browseui.dll	map read	commit	00860000	not known	FA400	readonly	own pid	success or wait	1
113	C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll	map write and map read and map execute	commit	00860000	not known	101600	execute	own pid	success or wait	1
33522	C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll	query and map write and map read and map execute	image	773D0000	773D4256	103000	execute	own pid	success or wait	1
231	C:\WINDOWS\WindowsShell.Manifest	map write and map read and map execute	commit	00390000	not known	2ED	execute	own pid	success or wait	1
232	C:\WINDOWS\WindowsShell.Manifest	query and map read	commit	00390000	not known	2ED	readonly	own pid	success or wait	1
231	C:\WINDOWS\WindowsShell.Manifest	map read	commit	00390000	not known	2ED	readonly	own pid	success or wait	1
2597	C:\WINDOWS\system32\riched20.dll	query and map write and map read and map execute	image	74E30000	74E3151D	6D000	execute	own pid	success or wait	1
80	C:\WINDOWS\system32\shdocvw.dll	map read	commit	00AA0000	not known	16E000	readonly	own pid	success or wait	1
83	C:\WINDOWS\system32\shell32.dll	map read	commit	01100000	not known	811C00	readonly	own pid	success or wait	1
89	C:\WINDOWS\system32\comctl32.dll	map read	commit	00AC0000	not known	96C00	readonly	own pid	success or wait	1
80	C:\WINDOWS\explorer.exe	map read	commit	00B70000	not known	FC600	readonly	own pid	success or wait	1
1090	C:\WINDOWS\system32\setupapi.dll	query and map write and map read and map execute	image	77920000	7792159A	F3000	execute	own pid	success or wait	1
16	not known	query and map write and map read	commit	00B50000	not known	1000	read write	own pid	success or wait	1

Registry Activities:

Key opened
Reputation	Key Path	Access	Completion	Count
420	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe	generic read	object name not found	2
91200	HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server	query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1
96399	HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot\Option	query value and set value and read or execute and write	object name not found	1
26786	HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers	query value and read or execute	success or wait	1
39584	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers	query value and read or execute	object name not found	1
30384	HKEY_LOCAL_MACHINE\System\WPA\TabletPC	query value and wow64 64key and wow64 resource and read or execute	object name not found	1
30378	HKEY_LOCAL_MACHINE\SYSTEM\WPA\MediaCenter	query value and wow64 64key and wow64 resource and read or execute	success or wait	1
11467	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AcGenral.DLL	generic read	object name not found	1
20955	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ntdll.dll	generic read	object name not found	1
39992	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kernel32.dll	generic read	object name not found	1
6164	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Secur32.dll	generic read	object name not found	1
40564	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RPCRT4.dll	generic read	object name not found	1
707	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ADVAPI32.dll	generic read	object name not found	1
33679	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\USER32.dll	generic read	object name not found	1
39197	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GDI32.dll	generic read	object name not found	1
4417	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msvcrt.dll	generic read	object name not found	1
14067	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ole32.dll	generic read	object name not found	1
33789	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SHLWAPI.dll	generic read	object name not found	1
390	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\BROWSEUI.dll	generic read	object name not found	1
3843	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\OLEAUT32.dll	generic read	object name not found	1
16546	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASN1.dll	generic read	object name not found	1
14049	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CRYPT32.dll	generic read	object name not found	1
15109	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NETAPI32.dll	generic read	object name not found	1
25266	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\VERSION.dll	generic read	object name not found	1
2184	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Normaliz.dll	generic read	object name not found	1
18916	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iertutil.dll	generic read	object name not found	1
20565	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\urlmon.dll	generic read	object name not found	1
13896	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WININET.dll	generic read	object name not found	1
4106	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IMAGEHLP.dll	generic read	object name not found	1
2389	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WINTRUST.dll	generic read	object name not found	1
8182	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WLDAP32.dll	generic read	object name not found	1
1031	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CRYPTUI.dll	generic read	object name not found	1
8	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SHDOCVW.dll	generic read	object name not found	1
25673	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SHELL32.dll	generic read	object name not found	1
16171	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UxTheme.dll	generic read	object name not found	1
11435	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ShimEng.dll	generic read	object name not found	1
2621	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WINMM.dll	generic read	object name not found	1
11460	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSACM32.dll	generic read	object name not found	1
18911	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\USERENV.dll	generic read	object name not found	1
51069	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon	query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1
77159	HKEY_LOCAL_MACHINE	maximum allowed	success or wait	1
5318	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Diagnostics	query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1
71638	HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager	query value and read or execute	success or wait	1
39518	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IMM32.DLL	generic read	object name not found	1
52210	HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Error Message Instrument\	query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1
81554	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize	query value and enumerate sub key and notify and read or execute and write and read control	success or wait	2
24208	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows	query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1
43104	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager	query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1
45275	HKEY_LOCAL_MACHINE\Software\Microsoft\Ole	query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1
18722	HKEY_LOCAL_MACHINE\Software\Classes\Interface	query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1
4967	HKEY_LOCAL_MACHINE\Software\Classes\Interface\{00020400-0000-0000-C000-000000000046}	query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1
36549	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Performance	maximum allowed	object name not found	4
153794	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots	enumerate sub key and read or execute	object name not found	7
55462	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\comctl32.dll	generic read	object name not found	2
167058	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003	query value and enumerate sub key and notify and read or execute and write and read control	success or wait	4
59427	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Control Panel\Desktop	query value and enumerate sub key and notify and read or execute and write and read control	success or wait	2
32768	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\software\Microsoft\Windows\CurrentVersion\Explorer\Advanced	query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1
33471	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\LanguagePack	query value and read or execute	success or wait	1
86612	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLEAUT	query value and read or execute	object name not found	2
42185	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLEAUT\UserEra	query value and enumerate sub key and read or execute	object name not found	1
16494	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\crypt32\Performance	query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1
18260	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\msasn1	query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1
3974	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_Classes	maximum allowed	success or wait	1
2161	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_CLASSES\PROTOCOLS\Name-Space Handler\	maximum allowed	object name not found	1
20147	HKEY_LOCAL_MACHINE\Software\Classes\PROTOCOLS\Name-Space Handler	maximum allowed	success or wait	1
19597	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_Classes\PROTOCOLS\Name-Space Handler	maximum allowed	object name not found	1
10969	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003	maximum allowed	success or wait	4
8120	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings	query value and read or execute	object name not found	2
24926	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings	query value and read or execute	success or wait	1
7824	HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings	query value and read or execute	object name not found	2
38930	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_PROTOCOL_LOCKDOWN	query value and enumerate sub key and notify and read or execute and write and read control	object name not found	2
13105	HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_PROTOCOL_LOCKDOWN	query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1
26555	HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\	query value and read or execute	object name not found	1
44734	HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl	query value and read or execute	object name not found	1
36521	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl	query value and read or execute	object name not found	1
285696	HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl	query value and read or execute	success or wait	1
36487	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Internet Explorer\Main\FeatureControl	query value and read or execute	object name not found	1
21303	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_IGNORE_POLICIES_ZONEMAP_IF_ESC_ENABLED_KB918915	query value and read or execute	object name not found	1
5168	HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\	query value and enumerate sub key and notify and read or execute and write and read control	object name not found	2
2158	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\	query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1
49870	HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\	query value and enumerate sub key and notify and read or execute and write and read control	object name not found	2
14487	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\	query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1
38918	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_UNC_SAVEDFILECHECK	query value and enumerate sub key and notify and read or execute and write and read control	object name not found	2
42646	HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_UNC_SAVEDFILECHECK	query value and enumerate sub key and notify and read or execute and write and read control	object name not found	2
7602	HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LDAP	query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1
1140	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RichEd20.dll	generic read	object name not found	1
935	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_CLASSES\clsid\{c90250f3-4d7d-4991-9b69-a5c5bc1c2ae6}	query value and read or execute	object name not found	1
940	HKEY_LOCAL_MACHINE\Software\Classes\clsid\{c90250f3-4d7d-4991-9b69-a5c5bc1c2ae6}	query value and read or execute	success or wait	1
7586	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_CLASSES\Interface\{EAB22AC1-30C1-11CF-A7EB-0000C05BAE0B}\Typelib	query value and read or execute	object name not found	1
7631	HKEY_LOCAL_MACHINE\Software\Classes\Interface\{EAB22AC1-30C1-11CF-A7EB-0000C05BAE0B}\Typelib	query value and read or execute	success or wait	1
931	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_Classes\Interface\{EAB22AC1-30C1-11CF-A7EB-0000C05BAE0B}\TypeLib	maximum allowed	object name not found	1
7594	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_CLASSES\Interface\{b722bccb-4e68-101b-a2bc-00aa00404770}\ProxyStubClsid32	query value and read or execute	object name not found	1
9333	HKEY_LOCAL_MACHINE\Software\Classes\Interface\{b722bccb-4e68-101b-a2bc-00aa00404770}\ProxyStubClsid32	query value and read or execute	success or wait	1
1147	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_Classes\Interface\{B722BCCB-4E68-101B-A2BC-00AA00404770}\ProxyStubClsid32	maximum allowed	object name not found	1
7588	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_CLASSES\Interface\{79eac9c4-baf9-11ce-8c82-00aa004ba90b}\ProxyStubClsid32	query value and read or execute	object name not found	1
9323	HKEY_LOCAL_MACHINE\Software\Classes\Interface\{79eac9c4-baf9-11ce-8c82-00aa004ba90b}\ProxyStubClsid32	query value and read or execute	success or wait	1
5956	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_Classes\Interface\{79EAC9C4-BAF9-11CE-8C82-00AA004BA90B}\ProxyStubClsid32	maximum allowed	object name not found	1
7578	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_CLASSES\Interface\{000214E6-0000-0000-C000-000000000046}\ProxyStubClsid32	query value and read or execute	object name not found	1
1047	HKEY_LOCAL_MACHINE\Software\Classes\Interface\{000214E6-0000-0000-C000-000000000046}\ProxyStubClsid32	query value and read or execute	success or wait	1
7580	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_Classes\Interface\{000214E6-0000-0000-C000-000000000046}\ProxyStubClsid32	maximum allowed	object name not found	1
7581	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_CLASSES\Interface\{93F2F68C-1D1B-11D3-A30E-00C04F79ABD1}\ProxyStubClsid32	query value and read or execute	object name not found	1
1044	HKEY_LOCAL_MACHINE\Software\Classes\Interface\{93F2F68C-1D1B-11D3-A30E-00C04F79ABD1}\ProxyStubClsid32	query value and read or execute	success or wait	1
932	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_Classes\Interface\{93F2F68C-1D1B-11D3-A30E-00C04F79ABD1}\ProxyStubClsid32	maximum allowed	object name not found	1
35640	HKEY_LOCAL_MACHINE\SYSTEM\Setup	query value and read or execute	success or wait	1
5159	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003	query value and set value and create sub key and enumerate sub key and notify and read or execute and write and read control	success or wait	1
17546	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\ThemeManager	query value and read or execute	success or wait	1
18065	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Control Panel\Desktop	query value and read or execute	success or wait	1
20677	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\DRIVERS32	generic read	success or wait	1
20174	HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\MediaProperties\PrivateProperties\Joystick\Winmm	query value and set value and create sub key and enumerate sub key and notify and create link and read or execute and write and delete and read control and write dac and write owner	success or wait	1
43869	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Drivers32	generic read	success or wait	1
5960	HKEY_LOCAL_MACHINE\Software\Microsoft\AudioCompressionManager\DriverCache	maximum allowed	success or wait	10
1829	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.imaadpcm	maximum allowed	success or wait	1
1830	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msadpcm	maximum allowed	success or wait	1
11576	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msg711	maximum allowed	success or wait	1
11596	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msgsm610	maximum allowed	success or wait	1
11599	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.trspch	maximum allowed	success or wait	1
11546	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msg723	maximum allowed	success or wait	1
11542	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msaudio1	maximum allowed	success or wait	1
9239	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.sl_anet	maximum allowed	success or wait	1
1867	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.iac2	maximum allowed	success or wait	1
11544	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.l3acm	maximum allowed	success or wait	1
11581	HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\MediaResources\acm	query value and enumerate sub key and read or execute	object name not found	1
13835	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\winlogon	maximum allowed	success or wait	5
20258	HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\ProductOptions	query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1
23213	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders	query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1
40321	HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System	maximum allowed	success or wait	2
184233	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer	query value and read or execute	success or wait	14
164740	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer	query value and read or execute	success or wait	14
347	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Applications\explorer.exe	query value and enumerate sub key and read or execute	object name not found	1
12568	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Objects\{20D04FE0-3AEA-1069-A2D8-08002B30309D}	query value and read or execute	object name not found	1
11453	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_CLASSES\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32	query value and read or execute	object name not found	1
7509	HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32	query value and read or execute	success or wait	1
11437	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32	maximum allowed	object name not found	1
9974	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SETUPAPI.dll	generic read	object name not found	1
4032	HKEY_LOCAL_MACHINE\System\Setup	query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1
10159	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\MiniNT	query value and set value and create sub key and enumerate sub key and notify and create link and read or execute and write and delete and read control and write dac and write owner	object name not found	1
10183	HKEY_LOCAL_MACHINE\System\WPA\PnP	query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1
25023	HKEY_LOCAL_MACHINE\SYSTEM\Setup	query value and enumerate sub key and notify and read or execute and write and read control	success or wait	2
48028	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Setup	query value and enumerate sub key and notify and read or execute and write and read control	success or wait	4
3472	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion	query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1
8107	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Setup	query value and read or execute	success or wait	1
10151	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\AppLogLevels	query value and read or execute	object name not found	1
12948	HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\ComputerName\ActiveComputerName	query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1
25088	HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters	query value and enumerate sub key and notify and read or execute and write and read control	success or wait	2
2174	HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\System\DNSclient	query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1
24556	HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc\PagedBuffers	query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1
31964	HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc	query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1
250	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\RpcThreadPoolThrottle	query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1
32562	HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Rpc	query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1
199052	HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\ComputerName	query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1
195916	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ComputerName\ActiveComputerName	query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1
87441	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume	maximum allowed	success or wait	7
9528	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{edc2bb10-b32c-11de-8127-806d6172696f}\	maximum allowed	success or wait	2
16080	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{edc2bb11-b32c-11de-8127-806d6172696f}\	maximum allowed	success or wait	2
55250	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{edc2bb13-b32c-11de-8127-806d6172696f}\	maximum allowed	success or wait	3
28070	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_CLASSES\Drive\shellex\FolderExtensions	enumerate sub key and read or execute	object name not found	1
4645	HKEY_LOCAL_MACHINE\Software\Classes\Drive\shellex\FolderExtensions	enumerate sub key and read or execute	success or wait	1
23452	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_Classes\Drive\shellex\FolderExtensions	maximum allowed	object name not found	1
5899	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_CLASSES\Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9}	query value and read or execute	object name not found	1
35736	HKEY_LOCAL_MACHINE\Software\Classes\Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9}	query value and read or execute	success or wait	1
3630	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_Classes\Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9}	maximum allowed	object name not found	1
7721	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer	maximum allowed	success or wait	1
14268	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\	maximum allowed	success or wait	1
7980	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Policies\System	query value and read or execute	object name not found	1
1076	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced	maximum allowed	success or wait	1
7261	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer	query value and read or execute	success or wait	1

Key created
Reputation	Key Path	Access	Options	Completion	Count
394	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	query value and set value and create sub key and enumerate sub key and notify and read or execute and write and read control	non volatile	success or wait	1
8296	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Multimedia\Audio	query value and set value and create sub key and read or execute and write and read control	non volatile	success or wait	1
22069	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Multimedia\Audio Compression Manager\	set value and create sub key and read or execute and write and read control	non volatile	success or wait	2
11033	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Multimedia\Audio Compression Manager\MSACM	query value and set value and create sub key and enumerate sub key and notify and read or execute and write and read control	non volatile	success or wait	1
11053	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Multimedia\Audio Compression Manager\Priority v4.00	query value and set value and create sub key and enumerate sub key and notify and read or execute and write and read control	non volatile	success or wait	1
1184	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer	maximum allowed	non volatile	success or wait	1
905	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{edc2bb13-b32c-11de-8127-806d6172696f}\	maximum allowed	non volatile	success or wait	1
8013	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{edc2bb11-b32c-11de-8127-806d6172696f}\	maximum allowed	non volatile	success or wait	1
8027	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{edc2bb10-b32c-11de-8127-806d6172696f}\	maximum allowed	non volatile	success or wait	1

Key deleted
Reputation	Key Path	Completion	Count

Key value deleted
Reputation	Key Path	Key Value Name	Completion	Count

Key value set
Reputation	Key Path	Name	Type	Data	Completion	Count

Key value replaced with new
Reputation	Key Path	Name	Type	Old Data	New Data	Completion	Count

Key value replaced with same
Reputation	Key Path	Name	Type	Data	Completion	Count
7096	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{edc2bb13-b32c-11de-8127-806d6172696f}	BaseClass	String	Drive	success or wait	1
1424	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{edc2bb11-b32c-11de-8127-806d6172696f}	BaseClass	String	Drive	success or wait	1
7118	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{edc2bb10-b32c-11de-8127-806d6172696f}	BaseClass	String	Drive	success or wait	1

Key value queried
Reputation	Key Path	Name	Completion	Count
83709	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Terminal Server	TSAppCompat	success or wait	1
59209	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers	TransparentEnabled	success or wait	1
30305	HKEY_LOCAL_MACHINE\SYSTEM\WPA\MediaCenter	Installed	success or wait	1
51204	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon	LeakTrack	object name not found	1
54359	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager	SafeDllSearchMode	object name not found	1
553	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize	DisableMetaFiles	object name not found	1
39787	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows	AppInit_DLLs	success or wait	1
43256	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager	CriticalSectionTimeout	success or wait	1
18328	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole	RWLockResourceTimeOut	object name not found	1
43293	HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface	InterfaceHelperDisableAll	object name not found	1
43246	HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface	InterfaceHelperDisableAllForOle32	object name not found	1
13463	HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface	InterfaceHelperDisableTypeLib	object name not found	1
26538	HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{00020400-0000-0000-C000-000000000046}	InterfaceHelperDisableAll	object name not found	1
43272	HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{00020400-0000-0000-C000-000000000046}	InterfaceHelperDisableAllForOle32	object name not found	1
60053	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Control Panel\Desktop	SmoothScroll	object name not found	1
27240	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced	EnableBalloonTips	object name not found	1
2723	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	DisableImprovedZoneCheck	object name not found	1
257	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_PROTOCOL_LOCKDOWN	explorer.exe	success or wait	1
10095	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ldap	LdapClientIntegrity	success or wait	1
7665	HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{EAB22AC1-30C1-11CF-A7EB-0000C05BAE0B}\TypeLib	NULL	success or wait	1
1299	HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{B722BCCB-4E68-101B-A2BC-00AA00404770}\ProxyStubClsid32	NULL	success or wait	1
3842	HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{79EAC9C4-BAF9-11CE-8C82-00AA004BA90B}\ProxyStubClsid32	NULL	success or wait	1
9459	HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{000214E6-0000-0000-C000-000000000046}\ProxyStubClsid32	NULL	success or wait	1
9434	HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{93F2F68C-1D1B-11D3-A30E-00C04F79ABD1}\ProxyStubClsid32	NULL	success or wait	1
110591	HKEY_LOCAL_MACHINE\SYSTEM\Setup	SystemSetupInProgress	success or wait	1
60053	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Control Panel\Desktop	SmoothScroll	object name not found	1
17643	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\ThemeManager	Compositing	object name not found	1
17652	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Control Panel\Desktop	LameButtonText	object name not found	1
41537	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	wave	success or wait	1
41537	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	wave	success or wait	1
2812	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	wave1	object name not found	1
21255	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	wave2	object name not found	1
21240	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	wave3	object name not found	1
4270	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	wave4	object name not found	1
21261	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	wave5	object name not found	1
21209	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	wave6	object name not found	1
21218	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	wave7	object name not found	1
21223	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	wave8	object name not found	1
21210	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	wave9	object name not found	1
40478	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	midi	success or wait	1
40478	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	midi	success or wait	1
17523	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	midi1	object name not found	1
2725	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	midi2	object name not found	1
20470	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	midi3	object name not found	1
20480	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	midi4	object name not found	1
20484	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	midi5	object name not found	1
20477	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	midi6	object name not found	1
11356	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	midi7	object name not found	1
2722	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	midi8	object name not found	1
20444	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	midi9	object name not found	1
40474	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	aux	success or wait	1
40474	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	aux	success or wait	1
20271	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	aux1	object name not found	1
176	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	aux2	object name not found	1
2713	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	aux3	object name not found	1
4096	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	aux4	object name not found	1
20244	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	aux5	object name not found	1
20249	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	aux6	object name not found	1
2712	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	aux7	object name not found	1
20233	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	aux8	object name not found	1
20196	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	aux9	object name not found	1
20238	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\MediaProperties\PrivateProperties\Joystick\Winmm	wheel	success or wait	1
40583	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	mixer	success or wait	1
40583	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	mixer	success or wait	1
20237	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	mixer1	object name not found	1
2715	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	mixer2	object name not found	1
15856	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	mixer3	object name not found	1
2722	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	mixer4	object name not found	1
20235	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	mixer5	object name not found	1
20266	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	mixer6	object name not found	1
20222	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	mixer7	object name not found	1
20246	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	mixer8	object name not found	1
20283	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	mixer9	object name not found	1
11070	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Multimedia\Audio	SystemFormats	success or wait	1
1828	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	msacm.imaadpcm	buffer overflow	1
9693	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	msacm.imaadpcm	success or wait	1
1815	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.imaadpcm	fdwSupport	success or wait	1
1830	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.imaadpcm	cFormatTags	success or wait	1
11623	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.imaadpcm	aFormatTagCache	success or wait	1
2354	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.imaadpcm	cFilterTags	success or wait	1
1843	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	msacm.msadpcm	buffer overflow	1
11617	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	msacm.msadpcm	success or wait	1
6818	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msadpcm	fdwSupport	success or wait	1
11611	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msadpcm	cFormatTags	success or wait	1
11644	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msadpcm	aFormatTagCache	success or wait	1
1833	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msadpcm	cFilterTags	success or wait	1
11641	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	msacm.msg711	buffer overflow	1
9345	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	msacm.msg711	success or wait	1
11660	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msg711	fdwSupport	success or wait	1
2220	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msg711	cFormatTags	success or wait	1
11563	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msg711	aFormatTagCache	success or wait	1
11632	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msg711	cFilterTags	success or wait	1
11617	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	msacm.msgsm610	buffer overflow	1
6585	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	msacm.msgsm610	success or wait	1
1829	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msgsm610	fdwSupport	success or wait	1
11660	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msgsm610	cFormatTags	success or wait	1
2201	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msgsm610	aFormatTagCache	success or wait	1
1828	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msgsm610	cFilterTags	success or wait	1
8029	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	msacm.trspch	buffer overflow	1
11634	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	msacm.trspch	success or wait	1
11655	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.trspch	fdwSupport	success or wait	1
9143	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.trspch	cFormatTags	success or wait	1
10608	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.trspch	aFormatTagCache	success or wait	1
11630	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.trspch	cFilterTags	success or wait	1
11605	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	msacm.msg723	buffer overflow	1
1829	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	msacm.msg723	success or wait	1
1603	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msg723	fdwSupport	success or wait	1
11623	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msg723	cFormatTags	success or wait	1
11626	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msg723	aFormatTagCache	success or wait	1
11649	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msg723	cFilterTags	success or wait	1
11654	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	msacm.msaudio1	buffer overflow	1
11614	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	msacm.msaudio1	success or wait	1
11624	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msaudio1	fdwSupport	success or wait	1
1830	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msaudio1	cFormatTags	success or wait	1
8917	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msaudio1	aFormatTagCache	success or wait	1
11642	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msaudio1	cFilterTags	success or wait	1
1813	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	msacm.sl_anet	buffer overflow	1
11604	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	msacm.sl_anet	success or wait	1
5540	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.sl_anet	fdwSupport	success or wait	1
11618	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.sl_anet	cFormatTags	success or wait	1
1828	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.sl_anet	aFormatTagCache	success or wait	1
596	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.sl_anet	cFilterTags	success or wait	1
11637	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	msacm.iac2	buffer overflow	1
11635	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	msacm.iac2	success or wait	1
11584	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.iac2	fdwSupport	success or wait	1
11587	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.iac2	cFormatTags	success or wait	1
11639	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.iac2	aFormatTagCache	success or wait	1
11596	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.iac2	cFilterTags	success or wait	1
11608	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	msacm.l3acm	buffer overflow	1
11593	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	msacm.l3acm	success or wait	1
11595	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.l3acm	fdwSupport	success or wait	1
11635	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.l3acm	cFormatTags	success or wait	1
1840	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.l3acm	aFormatTagCache	success or wait	1
1833	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.l3acm	cFilterTags	success or wait	1
11019	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Multimedia\Audio Compression Manager\MSACM	NoPCMConverter	object name not found	1
11049	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Multimedia\Audio Compression Manager\Priority v4.00	Priority1	object name not found	1
60778	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon	UserEnvDebugLevel	object name not found	1
20236	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon	ChkAccDebugLevel	object name not found	1
21395	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ProductOptions	ProductType	success or wait	1
24760	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders	Personal	success or wait	1
19612	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders	Local Settings	success or wait	1
14577	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon	RsopDebugLevel	object name not found	1
60778	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon	UserEnvDebugLevel	object name not found	1
2754	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon	RsopLogging	object name not found	1
40492	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System	UserEnvDebugLevel	object name not found	1
8125	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System	RsopLogging	object name not found	1
60778	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon	UserEnvDebugLevel	object name not found	1
40492	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System	UserEnvDebugLevel	object name not found	1
1079	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer	NoNetHood	object name not found	1
9488	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer	NoNetHood	object name not found	1
9517	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer	NoPropertiesMyComputer	object name not found	1
9491	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer	NoPropertiesMyComputer	object name not found	1
9525	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer	NoInternetIcon	object name not found	1
9493	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer	NoInternetIcon	object name not found	1
7016	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer	NoCommonGroups	object name not found	1
1086	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer	NoCommonGroups	object name not found	1
8882	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer	NoControlPanel	object name not found	1
8861	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer	NoControlPanel	object name not found	1
8770	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer	NoSetFolders	object name not found	1
8738	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer	NoSetFolders	object name not found	1
11526	HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32	NULL	success or wait	1
110591	HKEY_LOCAL_MACHINE\SYSTEM\Setup	SystemSetupInProgress	success or wait	1
10220	HKEY_LOCAL_MACHINE\SYSTEM\WPA\PnP	seed	success or wait	1
25062	HKEY_LOCAL_MACHINE\SYSTEM\Setup	OsLoaderPath	success or wait	1
25062	HKEY_LOCAL_MACHINE\SYSTEM\Setup	OsLoaderPath	success or wait	1
11404	HKEY_LOCAL_MACHINE\SYSTEM\Setup	SystemPartition	success or wait	1
11404	HKEY_LOCAL_MACHINE\SYSTEM\Setup	SystemPartition	success or wait	1
20532	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup	SourcePath	success or wait	1
20532	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup	SourcePath	success or wait	1
20436	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup	ServicePackSourcePath	success or wait	1
20436	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup	ServicePackSourcePath	success or wait	1
5568	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup	ServicePackCachePath	success or wait	1
5568	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup	ServicePackCachePath	success or wait	1
2182	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup	DriverCachePath	success or wait	1
2182	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup	DriverCachePath	success or wait	1
7981	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion	DevicePath	success or wait	1
25181	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup	LogLevel	success or wait	1
25181	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup	LogLevel	success or wait	1
12504	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup	LogPath	object name not found	1
262517	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ComputerName\ActiveComputerName	ComputerName	success or wait	1
134788	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters	Hostname	success or wait	1
125958	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters	Domain	success or wait	1
32753	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc	MaxRpcSize	object name not found	1
262517	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ComputerName\ActiveComputerName	ComputerName	success or wait	1
8004	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{edc2bb10-b32c-11de-8127-806d6172696f}	Data	buffer overflow	1
7995	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{edc2bb10-b32c-11de-8127-806d6172696f}	Data	success or wait	1
8198	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{edc2bb10-b32c-11de-8127-806d6172696f}	Generation	success or wait	1
6150	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{edc2bb11-b32c-11de-8127-806d6172696f}	Data	buffer overflow	1
8006	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{edc2bb11-b32c-11de-8127-806d6172696f}	Data	success or wait	1
8212	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{edc2bb11-b32c-11de-8127-806d6172696f}	Generation	success or wait	1
7997	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{edc2bb13-b32c-11de-8127-806d6172696f}	Data	buffer overflow	1
8001	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{edc2bb13-b32c-11de-8127-806d6172696f}	Data	success or wait	1
47731	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{edc2bb13-b32c-11de-8127-806d6172696f}	Generation	success or wait	1
47731	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{edc2bb13-b32c-11de-8127-806d6172696f}	Generation	success or wait	1
37773	HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9}	DriveMask	success or wait	1
8318	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer	SeparateProcess	object name not found	1
8298	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer	SeparateProcess	object name not found	1
17128	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer	ShellState	success or wait	1
17128	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer	ShellState	success or wait	1
4212	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer	ForceActiveDesktopOn	object name not found	1
1035	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer	ForceActiveDesktopOn	object name not found	1
8316	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer	NoActiveDesktop	object name not found	1
1913	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer	NoActiveDesktop	object name not found	1
8341	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer	NoWebView	object name not found	1
1039	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer	NoWebView	object name not found	1
3775	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer	ClassicShell	object name not found	1
1048	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer	ClassicShell	object name not found	1
3709	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer	DontShowSuperHidden	object name not found	1
8685	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer	DontShowSuperHidden	object name not found	1
1735	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer	NoNetCrawling	object name not found	1
8327	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer	NoNetCrawling	object name not found	1
8332	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer	NoSimpleStartMenu	object name not found	1
8317	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer	NoSimpleStartMenu	object name not found	1
9056	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced	Hidden	success or wait	1
1071	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced	ShowCompColor	success or wait	1
5197	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced	HideFileExt	success or wait	1
8786	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced	DontPrettyPath	success or wait	1
8820	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced	ShowInfoTip	success or wait	1
1074	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced	HideIcons	success or wait	1
3925	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced	MapNetDrvBtn	success or wait	1
195	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced	WebView	success or wait	1
8806	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced	Filter	success or wait	1
4511	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced	ShowSuperHidden	success or wait	1
8790	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced	SeparateProcess	success or wait	1
8790	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced	NoNetCrawling	success or wait	1
123	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer	DesktopProcess	object name not found	1
553	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize	DisableMetaFiles	object name not found	1

Mutant Activities:

Mutant opened
Reputation	Name	Completion	Count

Mutant created
Reputation	Name	Completion	Count
11504	\BaseNamedObjects\SHIMLIB_LOG_MUTEX	object name exists	1
146640	no name	success or wait	5

Mutant released
Reputation	Name	Completion	Count

Process Activities:

Process started
Reputation	PID	Filepath	Cmdline	Flags	Completion	Count

Process opened
Reputation	PID	Access	Filepath	Cmdline	Completion	Count
2	1592	query information	C:\WINDOWS\explorer.exe	explorer C:\	success or wait	1
59995	776	dupclicate handle	C:\WINDOWS\Explorer.EXE	C:\WINDOWS\Explorer.EXE	success or wait	2
2407	776	query information	C:\WINDOWS\Explorer.EXE	C:\WINDOWS\Explorer.EXE	success or wait	1

Process suspended
Reputation	PID	Filepath	Cmdline	Completion	Count

Process terminated
Reputation	PID	Filepath	Completion	Count
562	1592	C:\WINDOWS\explorer.exe	success or wait	1
562	1592	C:\WINDOWS\explorer.exe	success or wait	1

Thread Activities:

Thread opened
Reputation	TID	PID	Filepath	Access	Completion	Count

Thread created
Reputation	TID	PID	EIP	Filepath	Access	Completion	Count
1316	1208	1592	7C8106F9	C:\WINDOWS\explorer.exe	terminate and suspend resume and alert and get context and set context and set information and query information and set token and impersonate and direct impersonation	success or wait	1

Thread APC queued
Reputation	TID	PID	Path	Completion	Count

Thread context set
Reputation	TID	PID	DR0	DR1	DR2	DR3	DR7	EFLAGS	EIP	Completion	Count

Thread continue
Reputation	TID	DR0	DR1	DR2	DR3	DR7	EFLAGS	EIP	Completion	Count
161215	1208	0	0	0	0	0	200	7C8106F9	no status	1
29735	788	0	0	0	0	0	200	7C810705	no status	1

Thread context got
Reputation	TID	PID	DR0	DR1	DR2	DR3	DR7	EFLAGS	EIP	Completion	Count

Thread delayed
Reputation	TID	Delay	Completion	Count

Thread terminated
Reputation	TID	PID	Completion	Count

Memory Activities:

Memory read
Reputation	PID	Path	Base	Completion	Count

Memory written
Reputation	PID	Filepath	Base	Completion	Count

Driver Activities:

Driver loaded
Reputation	Service name path	Completion	Count

Driver unloaded
Reputation	Service name path	Completion	Count

System Activities:

System information set
Reputation	System info class	Data	Completion	Count

System information queried
Reputation	System info class	Completion	Count
1881168	BasicInformation	success or wait	7
47532	RangeStartInformation	success or wait	1
1881168	BasicInformation	success or wait	1
41192	ProcessorInformation	success or wait	7
1881168	BasicInformation	success or wait	1
1881168	BasicInformation	success or wait	1
1881168	BasicInformation	success or wait	1
1881168	BasicInformation	success or wait	1
1881168	BasicInformation	success or wait	1
1881168	BasicInformation	success or wait	1
1881168	BasicInformation	success or wait	2
1881168	BasicInformation	success or wait	1
1881168	BasicInformation	success or wait	1
1881168	BasicInformation	success or wait	1
1881168	BasicInformation	success or wait	1
8730	PerformanceInformation	success or wait	1

Time Activities:

Performance counter queried
Reputation	Count	Frequency	Completion	Count
1585156	1597703036	3579545	success or wait	1
1585156	1597929538	3579545	success or wait	1
1585156	1597934120	3579545	success or wait	1
1585156	1597935136	3579545	success or wait	1
1585156	1597963608	3579545	success or wait	1
1585156	1597968615	3579545	success or wait	1
1585156	1598071919	3579545	success or wait	1
1585156	1598287051	3579545	success or wait	1

System resolution queried
Reputation	Minimum resolution	Maximum resolution	Current resolution	Completion	Count
8072	2245082484934448	5576704752533645104	430115204990768	success or wait	1

System time queried
Reputation	Time	Completion	Count
199861	129252592751196961	success or wait	1

User Activities:

Window created
Reputation	Window name	Class name	Completion	Count

Window found
Reputation	Window name	Class name	Completion	Count

Window hook set
Reputation	Module	Thread id	Hook code	Completion	Count

Key async got
Reputation	Virtual key code	Key state	Count

Keyboard state got
Reputation	Completion	Count

Key state got
Reputation	Virtual key code	State	Count

Debug Activities:

System debug info set
Reputation	Debug info class	Input data	Output data	Completion	Count

Exception Activities:

Exception raised
Reputation	Exception code	Address	Completion	Count

Chronological sections
Operation	Data	Completion	Time
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe Access: generic read	object name not found	1597454683
System info queried	Type: BasicInformation	success or wait	1597456185
System info queried	Type: BasicInformation	success or wait	1597461634
Section opened	Access: map write and map read and map execute Baseaddress: 7C800000 Size: F6000 Mapped to pid: own pid Path: \KnownDlls\kernel32.dll	success or wait	1597465574
System info queried	Type: RangeStartInformation	success or wait	1597469083
System info queried	Type: BasicInformation	success or wait	1597469206
Section created	Access: query and map write and map read and map execute and extend size Protection: read write Attributes: reserve Path: not known Type: reserve Baseaddress: not known Entrypoint: not known Mapped to pid: own pid Size: 10000	success or wait	1597469475
System info queried	Type: BasicInformation	success or wait	1597479359
Key opened	Path: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server Access: query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1597482139
Key value queried	Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Terminal Server Name: TSAppCompat	success or wait	1597482870
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe Access: generic read	object name not found	1597483800
Section opened	Access: map read Baseaddress: 001B0000 Size: 15DF4 Mapped to pid: own pid Path: \NLS\NlsSectionUnicode	success or wait	1597484143
Section opened	Access: map read Baseaddress: 001D0000 Size: 40EDC Mapped to pid: own pid Path: \NLS\NlsSectionLocale	success or wait	1597485635
Section opened	Access: query and map read Baseaddress: 00220000 Size: 40004 Mapped to pid: own pid Path: \NLS\NlsSectionSortkey	success or wait	1597486584
Section opened	Access: map read Baseaddress: 00270000 Size: 5A04 Mapped to pid: own pid Path: \NLS\NlsSectionSortTbls	success or wait	1597487277
Section opened	Access: map read Baseaddress: not known Size: not known Mapped to pid: own pid Path: \NLS\NlsSectionSortkey00000409	object name not found	1597488729
Section opened	Access: map read Baseaddress: not known Size: not known Mapped to pid: own pid Path: \NLS\NlsSectionSortkey00000409	object name not found	1597488940
Section opened	Access: map write and map read and map execute Baseaddress: 77DD0000 Size: 9B000 Mapped to pid: own pid Path: \KnownDlls\ADVAPI32.dll	success or wait	1597494377
Section opened	Access: map write and map read and map execute Baseaddress: 77E70000 Size: 92000 Mapped to pid: own pid Path: \KnownDlls\RPCRT4.dll	success or wait	1597497708
Section opened	Access: map write and map read and map execute Baseaddress: 77FE0000 Size: 11000 Mapped to pid: own pid Path: \KnownDlls\Secur32.dll	success or wait	1597501127
Section opened	Access: map write and map read and map execute Baseaddress: not known Size: not known Mapped to pid: own pid Path: \KnownDlls\BROWSEUI.dll	object name not found	1597507735
Section created	Access: query and map write and map read and map execute Protection: execute Attributes: image Path: not known Type: image Baseaddress: 75F80000 Entrypoint: 75F836FA Mapped to pid: own pid Size: FD000	success or wait	1597509512
Key opened	Path: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot\Option Access: query value and set value and read or execute and write	object name not found	1597510482
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Access: query value and read or execute	success or wait	1597510754
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers Name: TransparentEnabled	success or wait	1597511208
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Access: query value and read or execute	object name not found	1597512339
Section opened	Access: map write and map read and map execute Baseaddress: 77F10000 Size: 49000 Mapped to pid: own pid Path: \KnownDlls\GDI32.dll	success or wait	1597517026
Section opened	Access: map write and map read and map execute Baseaddress: 7E410000 Size: 91000 Mapped to pid: own pid Path: \KnownDlls\USER32.dll	success or wait	1597519493
Section opened	Access: map write and map read and map execute Baseaddress: 77C10000 Size: 58000 Mapped to pid: own pid Path: \KnownDlls\msvcrt.dll	success or wait	1597525156
Section opened	Access: map write and map read and map execute Baseaddress: 774E0000 Size: 13D000 Mapped to pid: own pid Path: \KnownDlls\ole32.dll	success or wait	1597529150
Section opened	Access: map write and map read and map execute Baseaddress: 77F60000 Size: 76000 Mapped to pid: own pid Path: \KnownDlls\SHLWAPI.dll	success or wait	1597534811
Section opened	Access: map write and map read and map execute Baseaddress: 77120000 Size: 8B000 Mapped to pid: own pid Path: \KnownDlls\OLEAUT32.dll	success or wait	1597540637
Section opened	Access: map write and map read and map execute Baseaddress: not known Size: not known Mapped to pid: own pid Path: \KnownDlls\SHDOCVW.dll	object name not found	1597544658
Section created	Access: query and map write and map read and map execute Protection: execute Attributes: image Path: not known Type: image Baseaddress: 7E290000 Entrypoint: 7E2A5ED1 Mapped to pid: own pid Size: 171000	success or wait	1597545888
Section opened	Access: map write and map read and map execute Baseaddress: not known Size: not known Mapped to pid: own pid Path: \KnownDlls\CRYPT32.dll	object name not found	1597559068
Section created	Access: query and map write and map read and map execute Protection: execute Attributes: image Path: not known Type: image Baseaddress: 77A80000 Entrypoint: 77A81632 Mapped to pid: own pid Size: 95000	success or wait	1597560299
Section opened	Access: map write and map read and map execute Baseaddress: not known Size: not known Mapped to pid: own pid Path: \KnownDlls\MSASN1.dll	object name not found	1597565482
Section created	Access: query and map write and map read and map execute Protection: execute Attributes: image Path: not known Type: image Baseaddress: 77B20000 Entrypoint: 77B233A1 Mapped to pid: own pid Size: 12000	success or wait	1597566730
Section opened	Access: map write and map read and map execute Baseaddress: not known Size: not known Mapped to pid: own pid Path: \KnownDlls\CRYPTUI.dll	object name not found	1597573558
Section created	Access: query and map write and map read and map execute Protection: execute Attributes: image Path: not known Type: image Baseaddress: 754D0000 Entrypoint: 754D16AB Mapped to pid: own pid Size: 80000	success or wait	1597574744
Section opened	Access: map write and map read and map execute Baseaddress: not known Size: not known Mapped to pid: own pid Path: \KnownDlls\NETAPI32.dll	object name not found	1597620111
Section created	Access: query and map write and map read and map execute Protection: execute Attributes: image Path: not known Type: image Baseaddress: 5B860000 Entrypoint: 5B868B48 Mapped to pid: own pid Size: 55000	success or wait	1597621820
Section opened	Access: map write and map read and map execute Baseaddress: 77C00000 Size: 8000 Mapped to pid: own pid Path: \KnownDlls\VERSION.dll	success or wait	1597629120
Section opened	Access: map write and map read and map execute Baseaddress: 3D930000 Size: E6000 Mapped to pid: own pid Path: \KnownDlls\WININET.dll	success or wait	1597631893
Section opened	Access: map write and map read and map execute Baseaddress: 00400000 Size: 9000 Mapped to pid: own pid Path: \KnownDlls\Normaliz.dll	success or wait	1597638696
Section opened	Access: map write and map read and map execute Baseaddress: 78130000 Size: 132000 Mapped to pid: own pid Path: \KnownDlls\urlmon.dll	success or wait	1597642659
Section opened	Access: map write and map read and map execute Baseaddress: 3DFD0000 Size: 1E8000 Mapped to pid: own pid Path: \KnownDlls\iertutil.dll	success or wait	1597651660
Section opened	Access: map write and map read and map execute Baseaddress: not known Size: not known Mapped to pid: own pid Path: \KnownDlls\WINTRUST.dll	object name not found	1597661273
Section created	Access: query and map write and map read and map execute Protection: execute Attributes: image Path: not known Type: image Baseaddress: 76C30000 Entrypoint: 76C31529 Mapped to pid: own pid Size: 2E000	success or wait	1597662777
Section opened	Access: map write and map read and map execute Baseaddress: 76C90000 Size: 28000 Mapped to pid: own pid Path: \KnownDlls\IMAGEHLP.dll	success or wait	1597666843
Section opened	Access: map write and map read and map execute Baseaddress: 76F60000 Size: 2C000 Mapped to pid: own pid Path: \KnownDlls\WLDAP32.dll	success or wait	1597677853
Section opened	Access: map write and map read and map execute Baseaddress: 7C9C0000 Size: 817000 Mapped to pid: own pid Path: \KnownDlls\SHELL32.dll	success or wait	1597683076
Section opened	Access: map write and map read and map execute Baseaddress: not known Size: not known Mapped to pid: own pid Path: \KnownDlls\UxTheme.dll	object name not found	1597692013
Section created	Access: query and map write and map read and map execute Protection: execute Attributes: image Path: not known Type: image Baseaddress: 5AD70000 Entrypoint: 5AD71626 Mapped to pid: own pid Size: 38000	success or wait	1597693411
Section opened	Access: map write and map read and map execute Baseaddress: not known Size: not known Mapped to pid: own pid Path: \KnownDlls\ShimEng.dll	object name not found	1597698903
Section created	Access: query and map write and map read and map execute Protection: execute Attributes: image Path: not known Type: image Baseaddress: 5CB70000 Entrypoint: 5CB78E55 Mapped to pid: own pid Size: 26000	success or wait	1597700116
Performance counter queried	Count: 1597703036 Frequency: 3579545	success or wait	1597703013
File opened	Path: C:\WINDOWS\AppPatch\sysmain.sdb Access: read attributes and synchronize and generic read Disposition: open Options: synchronous io non alert and non directory file Attributes: normal	success or wait	1597703957
Section created	Access: map read Protection: readonly Attributes: commit Path: not known Type: commit Baseaddress: 00290000 Entrypoint: not known Mapped to pid: own pid Size: 125ED2	success or wait	1597704466
File other operation	Operation: 00000018 Path: C:\WINDOWS\AppPatch\systest.sdb Access: read attributes and synchronize and generic read Disposition: open Options: synchronous io non alert and non directory file Attributes: normal	object name not found	1597706468
System info queried	Type: ProcessorInformation	success or wait	1597706789
Key opened	Path: HKEY_LOCAL_MACHINE\System\WPA\TabletPC Access: query value and wow64 64key and wow64 resource and read or execute	object name not found	1597707194
Key opened	Path: HKEY_LOCAL_MACHINE\SYSTEM\WPA\MediaCenter Access: query value and wow64 64key and wow64 resource and read or execute	success or wait	1597707445
Key value queried	Path: HKEY_LOCAL_MACHINE\SYSTEM\WPA\MediaCenter Name: Installed	success or wait	1597707748
File overwritten	Path: \Device\NamedPipe\ShimViewer Access: write data or add file and append data or add subdirectory or create pipe instance and write ea and write attributes and read control and synchronize Disposition: open Options: no options Attributes: normal	object name not found	1597708368
System info queried	Type: BasicInformation	success or wait	1597708897
File overwritten	Path: \Device\NamedPipe\ShimViewer Access: write data or add file and append data or add subdirectory or create pipe instance and write ea and write attributes and read control and synchronize Disposition: open Options: no options Attributes: normal	object name not found	1597709810
File opened	Path: C:\WINDOWS\AppPatch\AcGenral.DLL Access: read attributes and synchronize and generic read Disposition: open Options: synchronous io non alert and non directory file Attributes: normal	success or wait	1597712034
Section created	Access: map write and map read and map execute Protection: execute Attributes: commit Path: not known Type: commit Baseaddress: 00410000 Entrypoint: not known Mapped to pid: own pid Size: 1C4600	success or wait	1597713114
Section created	Access: map write and map read and map execute Protection: execute Attributes: commit Path: not known Type: commit Baseaddress: 00410000 Entrypoint: not known Mapped to pid: own pid Size: 1C4600	success or wait	1597714972
Section created	Access: query and map write and map read and map execute Protection: execute Attributes: image Path: not known Type: image Baseaddress: 6F880000 Entrypoint: 6F8A606E Mapped to pid: own pid Size: 1CA000	success or wait	1597716595
Section opened	Access: map write and map read and map execute Baseaddress: not known Size: not known Mapped to pid: own pid Path: \KnownDlls\WINMM.dll	object name not found	1597720645
Section created	Access: query and map write and map read and map execute Protection: execute Attributes: image Path: not known Type: image Baseaddress: 76B40000 Entrypoint: 76B42B61 Mapped to pid: own pid Size: 2D000	success or wait	1597721955
Section opened	Access: map write and map read and map execute Baseaddress: not known Size: not known Mapped to pid: own pid Path: \KnownDlls\MSACM32.dll	object name not found	1597726958
Section created	Access: query and map write and map read and map execute Protection: execute Attributes: image Path: not known Type: image Baseaddress: 77BE0000 Entrypoint: 77BE1292 Mapped to pid: own pid Size: 15000	success or wait	1597728223
Section opened	Access: map write and map read and map execute Baseaddress: 769C0000 Size: B4000 Mapped to pid: own pid Path: \KnownDlls\USERENV.dll	success or wait	1597733673
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AcGenral.DLL Access: generic read	object name not found	1597738935
System info queried	Type: BasicInformation	success or wait	1597739411
Section opened	Access: map read Baseaddress: 003E0000 Size: 20C2 Mapped to pid: own pid Path: \NLS\NlsSectionCType	success or wait	1597741794
Mutant created	Name: \BaseNamedObjects\SHIMLIB_LOG_MUTEX	object name exists	1597744967
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ntdll.dll Access: generic read	object name not found	1597745625
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kernel32.dll Access: generic read	object name not found	1597745871
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Secur32.dll Access: generic read	object name not found	1597746100
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RPCRT4.dll Access: generic read	object name not found	1597746327
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ADVAPI32.dll Access: generic read	object name not found	1597746555
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\USER32.dll Access: generic read	object name not found	1597746807
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GDI32.dll Access: generic read	object name not found	1597747036
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msvcrt.dll Access: generic read	object name not found	1597747267
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ole32.dll Access: generic read	object name not found	1597747551
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SHLWAPI.dll Access: generic read	object name not found	1597747798
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\BROWSEUI.dll Access: generic read	object name not found	1597748047
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\OLEAUT32.dll Access: generic read	object name not found	1597748527
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASN1.dll Access: generic read	object name not found	1597748757
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CRYPT32.dll Access: generic read	object name not found	1597749156
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NETAPI32.dll Access: generic read	object name not found	1597749407
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\VERSION.dll Access: generic read	object name not found	1597749641
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Normaliz.dll Access: generic read	object name not found	1597749872
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iertutil.dll Access: generic read	object name not found	1597750100
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\urlmon.dll Access: generic read	object name not found	1597750350
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WININET.dll Access: generic read	object name not found	1597750581
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IMAGEHLP.dll Access: generic read	object name not found	1597750972
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WINTRUST.dll Access: generic read	object name not found	1597751288
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WLDAP32.dll Access: generic read	object name not found	1597751678
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CRYPTUI.dll Access: generic read	object name not found	1597752054
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SHDOCVW.dll Access: generic read	object name not found	1597752462
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SHELL32.dll Access: generic read	object name not found	1597752703
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UxTheme.dll Access: generic read	object name not found	1597752951
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ShimEng.dll Access: generic read	object name not found	1597753212
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WINMM.dll Access: generic read	object name not found	1597753441
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSACM32.dll Access: generic read	object name not found	1597753746
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\USERENV.dll Access: generic read	object name not found	1597754103
File overwritten	Path: \Device\NamedPipe\ShimViewer Access: write data or add file and append data or add subdirectory or create pipe instance and write ea and write attributes and read control and synchronize Disposition: open Options: no options Attributes: normal	object name not found	1597754530
System info queried	Type: BasicInformation	success or wait	1597754799
System info queried	Type: BasicInformation	success or wait	1597756239
System info queried	Type: ProcessorInformation	success or wait	1597756391
File opened	Path: C:\WINDOWS\AppPatch\AcGenral.DLL Access: read attributes and synchronize and generic read Disposition: open Options: synchronous io non alert and non directory file Attributes: normal	success or wait	1597796945
File overwritten	Path: \Device\NamedPipe\ShimViewer Access: write data or add file and append data or add subdirectory or create pipe instance and write ea and write attributes and read control and synchronize Disposition: open Options: no options Attributes: normal	object name not found	1597797869
System info queried	Type: BasicInformation	success or wait	1597798236
System info queried	Type: ProcessorInformation	success or wait	1597798395
Key opened	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Access: query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1597831184
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Name: LeakTrack	object name not found	1597831551
Key opened	Path: HKEY_LOCAL_MACHINE Access: maximum allowed	success or wait	1597831979
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Diagnostics Access: query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1597832352
System info queried	Type: BasicInformation	success or wait	1597832810
Key opened	Path: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager Access: query value and read or execute	success or wait	1597834079
Key value queried	Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager Name: SafeDllSearchMode	object name not found	1597834385
Section created	Access: map write and map read and map execute Protection: execute Attributes: commit Path: not known Type: commit Baseaddress: 00360000 Entrypoint: not known Mapped to pid: own pid Size: 1AE00	success or wait	1597835661
Section created	Access: map write and map read and map execute Protection: execute Attributes: commit Path: not known Type: commit Baseaddress: 00360000 Entrypoint: not known Mapped to pid: own pid Size: 1AE00	success or wait	1597838027
Section created	Access: query and map write and map read and map execute Protection: execute Attributes: image Path: not known Type: image Baseaddress: 76390000 Entrypoint: 763912C0 Mapped to pid: own pid Size: 1D000	success or wait	1597839632
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IMM32.DLL Access: generic read	object name not found	1597844709
System info queried	Type: BasicInformation	success or wait	1597844893
Key opened	Path: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Error Message Instrument\ Access: query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1597845948
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize Access: query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1597846387
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize Name: DisableMetaFiles	object name not found	1597846640
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows Access: query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1597849913
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Name: AppInit_DLLs	success or wait	1597850742
System info queried	Type: BasicInformation	success or wait	1597853228
System info queried	Type: BasicInformation	success or wait	1597858157
System info queried	Type: ProcessorInformation	success or wait	1597858310
Key opened	Path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager Access: query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1597858572
Key value queried	Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager Name: CriticalSectionTimeout	success or wait	1597858832
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Ole Access: query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1597859246
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole Name: RWLockResourceTimeOut	object name not found	1597859506
System info queried	Type: BasicInformation	success or wait	1597859852
System info queried	Type: ProcessorInformation	success or wait	1597860004
System info queried	Type: BasicInformation	success or wait	1597860140
System info queried	Type: ProcessorInformation	success or wait	1597860290
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Classes\Interface Access: query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1597860504
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface Name: InterfaceHelperDisableAll	object name not found	1597860763
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface Name: InterfaceHelperDisableAllForOle32	object name not found	1597860940
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface Name: InterfaceHelperDisableTypeLib	object name not found	1597861111
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Classes\Interface\{00020400-0000-0000-C000-000000000046} Access: query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1597861416
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{00020400-0000-0000-C000-000000000046} Name: InterfaceHelperDisableAll	object name not found	1597861688
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{00020400-0000-0000-C000-000000000046} Name: InterfaceHelperDisableAllForOle32	object name not found	1597861979
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Performance Access: maximum allowed	object name not found	1597862633
Section created	Access: map read Protection: readonly Attributes: commit Path: not known Type: commit Baseaddress: 00860000 Entrypoint: not known Mapped to pid: own pid Size: FA400	success or wait	1597864716
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots Access: enumerate sub key and read or execute	object name not found	1597885553
Section created	Access: map write and map read and map execute Protection: execute Attributes: commit Path: not known Type: commit Baseaddress: 00860000 Entrypoint: not known Mapped to pid: own pid Size: 101600	success or wait	1597888342
Section created	Access: query and map write and map read and map execute Protection: execute Attributes: image Path: not known Type: image Baseaddress: 773D0000 Entrypoint: 773D4256 Mapped to pid: own pid Size: 103000	success or wait	1597890219
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\comctl32.dll Access: generic read	object name not found	1597898691
Section created	Access: map write and map read and map execute Protection: execute Attributes: commit Path: not known Type: commit Baseaddress: 00390000 Entrypoint: not known Mapped to pid: own pid Size: 2ED	success or wait	1597900857
File opened	Path: C:\WINDOWS\WindowsShell.Manifest Access: read attributes and synchronize and generic read Disposition: open Options: synchronous io non alert and non directory file Attributes: none	success or wait	1597902940
Section created	Access: query and map read Protection: readonly Attributes: commit Path: not known Type: commit Baseaddress: 00390000 Entrypoint: not known Mapped to pid: own pid Size: 2ED	success or wait	1597903325
Section created	Access: map read Protection: readonly Attributes: commit Path: not known Type: commit Baseaddress: 00390000 Entrypoint: not known Mapped to pid: own pid Size: 2ED	success or wait	1597904956
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003 Access: query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1597918379
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Control Panel\Desktop Access: query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1597919557
Key value queried	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Control Panel\Desktop Name: SmoothScroll	object name not found	1597919792
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\software\Microsoft\Windows\CurrentVersion\Explorer\Advanced Access: query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1597921971
Key value queried	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced Name: EnableBalloonTips	object name not found	1597922334
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\LanguagePack Access: query value and read or execute	success or wait	1597923342
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Performance Access: maximum allowed	object name not found	1597926385
Key opened	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLEAUT Access: query value and read or execute	object name not found	1597927194
Key opened	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLEAUT\UserEra Access: query value and enumerate sub key and read or execute	object name not found	1597927653
Key opened	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLEAUT Access: query value and read or execute	object name not found	1597927867
Performance counter queried	Count: 1597929538 Frequency: 3579545	success or wait	1597929514
Key opened	Path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\crypt32\Performance Access: query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1597930093
Key opened	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\msasn1 Access: query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1597931616
Performance counter queried	Count: 1597934120 Frequency: 3579545	success or wait	1597934098
Performance counter queried	Count: 1597935136 Frequency: 3579545	success or wait	1597935115
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots Access: enumerate sub key and read or execute	object name not found	1597950301
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_Classes Access: maximum allowed	success or wait	1597953615
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_CLASSES\PROTOCOLS\Name-Space Handler\ Access: maximum allowed	object name not found	1597954460
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Classes\PROTOCOLS\Name-Space Handler Access: maximum allowed	success or wait	1597954673
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_Classes\PROTOCOLS\Name-Space Handler Access: maximum allowed	object name not found	1597956859
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003 Access: maximum allowed	success or wait	1597958718
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings Access: query value and read or execute	object name not found	1597959102
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings Access: query value and read or execute	object name not found	1597959313
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings Access: query value and read or execute	success or wait	1597959519
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings Name: DisableImprovedZoneCheck	object name not found	1597959790
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings Access: query value and read or execute	object name not found	1597960475
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_PROTOCOL_LOCKDOWN Access: query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1597962762
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_PROTOCOL_LOCKDOWN Access: query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1597963026
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_PROTOCOL_LOCKDOWN Access: query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1597963280
Performance counter queried	Count: 1597963608 Frequency: 3579545	success or wait	1597963586
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_PROTOCOL_LOCKDOWN Name: explorer.exe	success or wait	1597963815
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ Access: query value and read or execute	object name not found	1597964245
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings Access: query value and read or execute	object name not found	1597964539
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl Access: query value and read or execute	object name not found	1597964763
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl Access: query value and read or execute	object name not found	1597964987
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl Access: query value and read or execute	success or wait	1597965209
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Internet Explorer\Main\FeatureControl Access: query value and read or execute	object name not found	1597965479
Key opened	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_IGNORE_POLICIES_ZONEMAP_IF_ESC_ENABLED_KB918915 Access: query value and read or execute	object name not found	1597965706
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ Access: query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1597966056
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ Access: query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1597966287
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ Access: query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1597966514
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ Access: query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1597966738
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ Access: query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1597966964
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ Access: query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1597967184
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_UNC_SAVEDFILECHECK Access: query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1597967447
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_UNC_SAVEDFILECHECK Access: query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1597967709
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_UNC_SAVEDFILECHECK Access: query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1597967970
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_UNC_SAVEDFILECHECK Access: query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1597968232
Performance counter queried	Count: 1597968615 Frequency: 3579545	success or wait	1597968594
System info queried	Type: BasicInformation	success or wait	1597969999
File overwritten	Path: WMIDataDevice Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: normal	success or wait	1597971582
File overwritten	Path: WMIDataDevice Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: normal	success or wait	1597973192
Thread created	Access: terminate and suspend resume and alert and get context and set context and set information and query information and set token and impersonate and direct impersonation PID: 1592 TID: 1208 EIP: 7C8106F9 Imagepath: C:\WINDOWS\explorer.exe	success or wait	1597975513
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots Access: enumerate sub key and read or execute	object name not found	1597995048
Key created	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings Access: query value and set value and create sub key and enumerate sub key and notify and read or execute and write and read control Options: non volatile	success or wait	1597997734
System info queried	Type: BasicInformation	success or wait	1597998131
System info queried	Type: ProcessorInformation	success or wait	1597998285
System info queried	Type: BasicInformation	success or wait	1597998441
Mutant created	Name: no name	success or wait	1597999454
Mutant created	Name: no name	success or wait	1597999943
Key opened	Path: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LDAP Access: query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1598000925
Key value queried	Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ldap Name: LdapClientIntegrity	success or wait	1598001279
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots Access: enumerate sub key and read or execute	object name not found	1598002100
Section opened	Access: map write and map read and map execute Baseaddress: not known Size: not known Mapped to pid: own pid Path: \KnownDlls\RichEd20.dll	object name not found	1598004314
Section created	Access: query and map write and map read and map execute Protection: execute Attributes: image Path: not known Type: image Baseaddress: 74E30000 Entrypoint: 74E3151D Mapped to pid: own pid Size: 6D000	success or wait	1598005636
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RichEd20.dll Access: generic read	object name not found	1598070626
Performance counter queried	Count: 1598071919 Frequency: 3579545	success or wait	1598071889
Section created	Access: map read Protection: readonly Attributes: commit Path: not known Type: commit Baseaddress: 00AA0000 Entrypoint: not known Mapped to pid: own pid Size: 16E000	success or wait	1598075235
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots Access: enumerate sub key and read or execute	object name not found	1598096526
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Performance Access: maximum allowed	object name not found	1598099027
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_CLASSES\clsid\{c90250f3-4d7d-4991-9b69-a5c5bc1c2ae6} Access: query value and read or execute	object name not found	1598100881
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Classes\clsid\{c90250f3-4d7d-4991-9b69-a5c5bc1c2ae6} Access: query value and read or execute	success or wait	1598101105
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_CLASSES\Interface\{EAB22AC1-30C1-11CF-A7EB-0000C05BAE0B}\Typelib Access: query value and read or execute	object name not found	1598102705
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Classes\Interface\{EAB22AC1-30C1-11CF-A7EB-0000C05BAE0B}\Typelib Access: query value and read or execute	success or wait	1598102932
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_Classes\Interface\{EAB22AC1-30C1-11CF-A7EB-0000C05BAE0B}\TypeLib Access: maximum allowed	object name not found	1598104550
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{EAB22AC1-30C1-11CF-A7EB-0000C05BAE0B}\TypeLib Name: NULL	success or wait	1598104735
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_CLASSES\Interface\{b722bccb-4e68-101b-a2bc-00aa00404770}\ProxyStubClsid32 Access: query value and read or execute	object name not found	1598106131
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Classes\Interface\{b722bccb-4e68-101b-a2bc-00aa00404770}\ProxyStubClsid32 Access: query value and read or execute	success or wait	1598106364
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_Classes\Interface\{B722BCCB-4E68-101B-A2BC-00AA00404770}\ProxyStubClsid32 Access: maximum allowed	object name not found	1598107976
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{B722BCCB-4E68-101B-A2BC-00AA00404770}\ProxyStubClsid32 Name: NULL	success or wait	1598108163
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_CLASSES\Interface\{79eac9c4-baf9-11ce-8c82-00aa004ba90b}\ProxyStubClsid32 Access: query value and read or execute	object name not found	1598109019
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Classes\Interface\{79eac9c4-baf9-11ce-8c82-00aa004ba90b}\ProxyStubClsid32 Access: query value and read or execute	success or wait	1598109304
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_Classes\Interface\{79EAC9C4-BAF9-11CE-8C82-00AA004BA90B}\ProxyStubClsid32 Access: maximum allowed	object name not found	1598110805
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{79EAC9C4-BAF9-11CE-8C82-00AA004BA90B}\ProxyStubClsid32 Name: NULL	success or wait	1598110993
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_CLASSES\Interface\{000214E6-0000-0000-C000-000000000046}\ProxyStubClsid32 Access: query value and read or execute	object name not found	1598111839
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Classes\Interface\{000214E6-0000-0000-C000-000000000046}\ProxyStubClsid32 Access: query value and read or execute	success or wait	1598112066
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_Classes\Interface\{000214E6-0000-0000-C000-000000000046}\ProxyStubClsid32 Access: maximum allowed	object name not found	1598113545
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{000214E6-0000-0000-C000-000000000046}\ProxyStubClsid32 Name: NULL	success or wait	1598113729
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_CLASSES\Interface\{93F2F68C-1D1B-11D3-A30E-00C04F79ABD1}\ProxyStubClsid32 Access: query value and read or execute	object name not found	1598114572
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Classes\Interface\{93F2F68C-1D1B-11D3-A30E-00C04F79ABD1}\ProxyStubClsid32 Access: query value and read or execute	success or wait	1598114802
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_Classes\Interface\{93F2F68C-1D1B-11D3-A30E-00C04F79ABD1}\ProxyStubClsid32 Access: maximum allowed	object name not found	1598116390
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{93F2F68C-1D1B-11D3-A30E-00C04F79ABD1}\ProxyStubClsid32 Name: NULL	success or wait	1598116576
Key opened	Path: HKEY_LOCAL_MACHINE\SYSTEM\Setup Access: query value and read or execute	success or wait	1598119507
Key value queried	Path: HKEY_LOCAL_MACHINE\SYSTEM\Setup Name: SystemSetupInProgress	success or wait	1598119843
Section created	Access: map read Protection: readonly Attributes: commit Path: not known Type: commit Baseaddress: 01100000 Entrypoint: not known Mapped to pid: own pid Size: 811C00	success or wait	1598121523
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots Access: enumerate sub key and read or execute	object name not found	1598138868
Section opened	Access: map write and map read and map execute Baseaddress: 5D090000 Size: 9A000 Mapped to pid: own pid Path: \KnownDlls\comctl32.dll	success or wait	1598141374
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\comctl32.dll Access: generic read	object name not found	1598146412
System info queried	Type: BasicInformation	success or wait	1598147094
Section created	Access: map read Protection: readonly Attributes: commit Path: not known Type: commit Baseaddress: 00AC0000 Entrypoint: not known Mapped to pid: own pid Size: 96C00	success or wait	1598149961
Process opened	Access: query information PID: 1592 Path: C:\WINDOWS\explorer.exe Cmdline: explorer C:\	success or wait	1598156541
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003 Access: query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1598157948
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Control Panel\Desktop Access: query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1598159255
Key value queried	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Control Panel\Desktop Name: SmoothScroll	object name not found	1598159502
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003 Access: query value and set value and create sub key and enumerate sub key and notify and read or execute and write and read control	success or wait	1598162443
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\ThemeManager Access: query value and read or execute	success or wait	1598162702
Key value queried	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\ThemeManager Name: Compositing	object name not found	1598162944
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003 Access: query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1598164206
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Control Panel\Desktop Access: query value and read or execute	success or wait	1598164452
Key value queried	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Control Panel\Desktop Name: LameButtonText	object name not found	1598164666
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\DRIVERS32 Access: generic read	success or wait	1598166167
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: wave	success or wait	1598166403
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: wave	success or wait	1598167398
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: wave1	object name not found	1598167933
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: wave2	object name not found	1598168459
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: wave3	object name not found	1598168983
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: wave4	object name not found	1598169544
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: wave5	object name not found	1598170069
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: wave6	object name not found	1598170590
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: wave7	object name not found	1598171646
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: wave8	object name not found	1598172173
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: wave9	object name not found	1598172733
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: midi	success or wait	1598173258
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: midi	success or wait	1598173801
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: midi1	object name not found	1598174327
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: midi2	object name not found	1598174854
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: midi3	object name not found	1598175376
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: midi4	object name not found	1598175900
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: midi5	object name not found	1598176462
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: midi6	object name not found	1598176987
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: midi7	object name not found	1598177510
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: midi8	object name not found	1598178034
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: midi9	object name not found	1598178557
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: aux	success or wait	1598179306
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: aux	success or wait	1598179963
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: aux1	object name not found	1598180489
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: aux2	object name not found	1598181047
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: aux3	object name not found	1598181571
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: aux4	object name not found	1598182091
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: aux5	object name not found	1598182613
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: aux6	object name not found	1598183134
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: aux7	object name not found	1598183692
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: aux8	object name not found	1598184212
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: aux9	object name not found	1598184734
Key opened	Path: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\MediaProperties\PrivateProperties\Joystick\Winmm Access: query value and set value and create sub key and enumerate sub key and notify and create link and read or execute and write and delete and read control and write dac and write owner	success or wait	1598185307
Key value queried	Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\MediaProperties\PrivateProperties\Joystick\Winmm Name: wheel	success or wait	1598185598
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: mixer	success or wait	1598186189
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: mixer	success or wait	1598186760
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: mixer1	object name not found	1598187285
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: mixer2	object name not found	1598187811
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: mixer3	object name not found	1598188331
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: mixer4	object name not found	1598188855
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: mixer5	object name not found	1598189376
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: mixer6	object name not found	1598189898
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: mixer7	object name not found	1598190453
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: mixer8	object name not found	1598190977
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: mixer9	object name not found	1598191496
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003 Access: maximum allowed	success or wait	1598192788
Key created	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Multimedia\Audio Access: query value and set value and create sub key and read or execute and write and read control Options: non volatile	success or wait	1598193122
Key value queried	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Multimedia\Audio Name: SystemFormats	success or wait	1598193350
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 Access: generic read	success or wait	1598194673
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: msacm.imaadpcm	buffer overflow	1598225762
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: msacm.imaadpcm	success or wait	1598225986
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\AudioCompressionManager\DriverCache Access: maximum allowed	success or wait	1598226358
Key opened	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.imaadpcm Access: maximum allowed	success or wait	1598226633
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.imaadpcm Name: fdwSupport	success or wait	1598226858
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.imaadpcm Name: cFormatTags	success or wait	1598227138
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.imaadpcm Name: aFormatTagCache	success or wait	1598227415
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.imaadpcm Name: cFilterTags	success or wait	1598227690
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: msacm.msadpcm	buffer overflow	1598228585
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: msacm.msadpcm	success or wait	1598228776
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\AudioCompressionManager\DriverCache Access: maximum allowed	success or wait	1598229146
Key opened	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msadpcm Access: maximum allowed	success or wait	1598229402
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msadpcm Name: fdwSupport	success or wait	1598229656
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msadpcm Name: cFormatTags	success or wait	1598229934
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msadpcm Name: aFormatTagCache	success or wait	1598230211
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msadpcm Name: cFilterTags	success or wait	1598230486
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: msacm.msg711	buffer overflow	1598231378
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: msacm.msg711	success or wait	1598231595
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\AudioCompressionManager\DriverCache Access: maximum allowed	success or wait	1598231960
Key opened	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msg711 Access: maximum allowed	success or wait	1598232219
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msg711 Name: fdwSupport	success or wait	1598232441
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msg711 Name: cFormatTags	success or wait	1598232715
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msg711 Name: aFormatTagCache	success or wait	1598232988
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msg711 Name: cFilterTags	success or wait	1598233419
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: msacm.msgsm610	buffer overflow	1598234322
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: msacm.msgsm610	success or wait	1598234514
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\AudioCompressionManager\DriverCache Access: maximum allowed	success or wait	1598234880
Key opened	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msgsm610 Access: maximum allowed	success or wait	1598235139
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msgsm610 Name: fdwSupport	success or wait	1598235360
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msgsm610 Name: cFormatTags	success or wait	1598235634
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msgsm610 Name: aFormatTagCache	success or wait	1598235909
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msgsm610 Name: cFilterTags	success or wait	1598236181
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: msacm.trspch	buffer overflow	1598237122
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: msacm.trspch	success or wait	1598237313
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\AudioCompressionManager\DriverCache Access: maximum allowed	success or wait	1598237679
Key opened	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.trspch Access: maximum allowed	success or wait	1598237935
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.trspch Name: fdwSupport	success or wait	1598238159
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.trspch Name: cFormatTags	success or wait	1598238438
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.trspch Name: aFormatTagCache	success or wait	1598238716
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.trspch Name: cFilterTags	success or wait	1598238989
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: msacm.msg723	buffer overflow	1598239892
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: msacm.msg723	success or wait	1598240090
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\AudioCompressionManager\DriverCache Access: maximum allowed	success or wait	1598240510
Key opened	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msg723 Access: maximum allowed	success or wait	1598240771
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msg723 Name: fdwSupport	success or wait	1598240997
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msg723 Name: cFormatTags	success or wait	1598241276
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msg723 Name: aFormatTagCache	success or wait	1598241554
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msg723 Name: cFilterTags	success or wait	1598241829
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: msacm.msaudio1	buffer overflow	1598242786
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: msacm.msaudio1	success or wait	1598243739
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\AudioCompressionManager\DriverCache Access: maximum allowed	success or wait	1598244119
Key opened	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msaudio1 Access: maximum allowed	success or wait	1598244384
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msaudio1 Name: fdwSupport	success or wait	1598244607
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msaudio1 Name: cFormatTags	success or wait	1598244885
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msaudio1 Name: aFormatTagCache	success or wait	1598245164
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msaudio1 Name: cFilterTags	success or wait	1598245438
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: msacm.sl_anet	buffer overflow	1598246368
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: msacm.sl_anet	success or wait	1598246567
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\AudioCompressionManager\DriverCache Access: maximum allowed	success or wait	1598246942
Key opened	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.sl_anet Access: maximum allowed	success or wait	1598247254
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.sl_anet Name: fdwSupport	success or wait	1598247479
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.sl_anet Name: cFormatTags	success or wait	1598247766
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.sl_anet Name: aFormatTagCache	success or wait	1598248042
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.sl_anet Name: cFilterTags	success or wait	1598248319
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: msacm.iac2	buffer overflow	1598249591
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: msacm.iac2	success or wait	1598249787
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\AudioCompressionManager\DriverCache Access: maximum allowed	success or wait	1598250188
Key opened	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.iac2 Access: maximum allowed	success or wait	1598250449
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.iac2 Name: fdwSupport	success or wait	1598250669
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.iac2 Name: cFormatTags	success or wait	1598250997
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.iac2 Name: aFormatTagCache	success or wait	1598251276
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.iac2 Name: cFilterTags	success or wait	1598251549
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: msacm.l3acm	buffer overflow	1598252438
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: msacm.l3acm	success or wait	1598252635
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\AudioCompressionManager\DriverCache Access: maximum allowed	success or wait	1598253033
Key opened	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.l3acm Access: maximum allowed	success or wait	1598253293
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.l3acm Name: fdwSupport	success or wait	1598253514
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.l3acm Name: cFormatTags	success or wait	1598253788
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.l3acm Name: aFormatTagCache	success or wait	1598254064
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.l3acm Name: cFilterTags	success or wait	1598254386
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003 Access: maximum allowed	success or wait	1598255583
Key created	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Multimedia\Audio Compression Manager\ Access: set value and create sub key and read or execute and write and read control Options: non volatile	success or wait	1598255944
Key created	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Multimedia\Audio Compression Manager\MSACM Access: query value and set value and create sub key and enumerate sub key and notify and read or execute and write and read control Options: non volatile	success or wait	1598256405
Key value queried	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Multimedia\Audio Compression Manager\MSACM Name: NoPCMConverter	object name not found	1598256748
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003 Access: maximum allowed	success or wait	1598259049
Key created	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Multimedia\Audio Compression Manager\ Access: set value and create sub key and read or execute and write and read control Options: non volatile	success or wait	1598259394
Key created	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Multimedia\Audio Compression Manager\Priority v4.00 Access: query value and set value and create sub key and enumerate sub key and notify and read or execute and write and read control Options: non volatile	success or wait	1598259845
Key value queried	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Multimedia\Audio Compression Manager\Priority v4.00 Name: Priority1	object name not found	1598260207
Key opened	Path: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\MediaResources\acm Access: query value and enumerate sub key and read or execute	object name not found	1598260628
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\winlogon Access: maximum allowed	success or wait	1598261599
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Name: UserEnvDebugLevel	object name not found	1598261845
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\winlogon Access: maximum allowed	success or wait	1598262291
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Name: ChkAccDebugLevel	object name not found	1598262508
Key opened	Path: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\ProductOptions Access: query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1598262946
Key value queried	Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ProductOptions Name: ProductType	success or wait	1598263202
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003 Access: query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1598267923
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders Access: query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1598268184
Key value queried	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders Name: Personal	success or wait	1598268421
Key value queried	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders Name: Local Settings	success or wait	1598268861
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\winlogon Access: maximum allowed	success or wait	1598269859
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Name: RsopDebugLevel	object name not found	1598270079
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\winlogon Access: maximum allowed	success or wait	1598270505
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Name: UserEnvDebugLevel	object name not found	1598270713
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Name: RsopLogging	object name not found	1598270981
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System Access: maximum allowed	success or wait	1598271384
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System Name: UserEnvDebugLevel	object name not found	1598271707
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System Name: RsopLogging	object name not found	1598271973
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\winlogon Access: maximum allowed	success or wait	1598272519
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Name: UserEnvDebugLevel	object name not found	1598272753
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System Access: maximum allowed	success or wait	1598273173
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System Name: UserEnvDebugLevel	object name not found	1598273385
Thread continue	TID: 1208 DR0: 0 DR1: 0 DR2: 0 DR3: 0 DR7: 0 EIP: 7C8106F9 EFLAGS: 200	no status	1598274456
Thread continue	TID: 788 DR0: 0 DR1: 0 DR2: 0 DR3: 0 DR7: 0 EIP: 7C810705 EFLAGS: 200	no status	1598279420
File overwritten	Path: WMIDataDevice Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: normal	success or wait	1598280122
Performance counter queried	Count: 1598287051 Frequency: 3579545	success or wait	1598287028
Section created	Access: map read Protection: readonly Attributes: commit Path: not known Type: commit Baseaddress: 00B70000 Entrypoint: not known Mapped to pid: own pid Size: FC600	success or wait	1598289229
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots Access: enumerate sub key and read or execute	object name not found	1598302357
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Performance Access: maximum allowed	object name not found	1598304668
Key created	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer Access: maximum allowed Options: non volatile	success or wait	1598305611
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer Access: query value and read or execute	success or wait	1598311731
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer Name: NoNetHood	object name not found	1598312137
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer Access: query value and read or execute	success or wait	1598312616
Key value queried	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer Name: NoNetHood	object name not found	1598312886
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer Access: query value and read or execute	success or wait	1598313625
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer Name: NoPropertiesMyComputer	object name not found	1598313870
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer Access: query value and read or execute	success or wait	1598314455
Key value queried	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer Name: NoPropertiesMyComputer	object name not found	1598314711
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer Access: query value and read or execute	success or wait	1598315444
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer Name: NoInternetIcon	object name not found	1598315686
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer Access: query value and read or execute	success or wait	1598316140
Key value queried	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer Name: NoInternetIcon	object name not found	1598316388
Key opened	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Applications\explorer.exe Access: query value and enumerate sub key and read or execute	object name not found	1598317062
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer Access: query value and read or execute	success or wait	1598318494
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer Name: NoCommonGroups	object name not found	1598319284
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer Access: query value and read or execute	success or wait	1598319756
Key value queried	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer Name: NoCommonGroups	object name not found	1598320188
Key opened	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Objects\{20D04FE0-3AEA-1069-A2D8-08002B30309D} Access: query value and read or execute	object name not found	1598320899
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer Access: query value and read or execute	success or wait	1598321716
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer Name: NoControlPanel	object name not found	1598322320
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer Access: query value and read or execute	success or wait	1598323018
Key value queried	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer Name: NoControlPanel	object name not found	1598323406
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer Access: query value and read or execute	success or wait	1598324415
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer Name: NoSetFolders	object name not found	1598324723
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer Access: query value and read or execute	success or wait	1598325295
Key value queried	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer Name: NoSetFolders	object name not found	1598325672
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_CLASSES\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32 Access: query value and read or execute	object name not found	1598326955
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32 Access: query value and read or execute	success or wait	1598327215
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32 Access: maximum allowed	object name not found	1598329066
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32 Name: NULL	success or wait	1598329297
Section opened	Access: map write and map read and map execute Baseaddress: not known Size: not known Mapped to pid: own pid Path: \KnownDlls\SETUPAPI.dll	object name not found	1598331456
Section created	Access: query and map write and map read and map execute Protection: execute Attributes: image Path: not known Type: image Baseaddress: 77920000 Entrypoint: 7792159A Mapped to pid: own pid Size: F3000	success or wait	1598333661
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SETUPAPI.dll Access: generic read	object name not found	1598344648
Key opened	Path: HKEY_LOCAL_MACHINE\System\Setup Access: query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1598346113
Key value queried	Path: HKEY_LOCAL_MACHINE\SYSTEM\Setup Name: SystemSetupInProgress	success or wait	1598346522
Key opened	Path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\MiniNT Access: query value and set value and create sub key and enumerate sub key and notify and create link and read or execute and write and delete and read control and write dac and write owner	object name not found	1598347330
Key opened	Path: HKEY_LOCAL_MACHINE\System\WPA\PnP Access: query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1598347682
Key value queried	Path: HKEY_LOCAL_MACHINE\SYSTEM\WPA\PnP Name: seed	success or wait	1598347968
Key opened	Path: HKEY_LOCAL_MACHINE\SYSTEM\Setup Access: query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1598348546
Key value queried	Path: HKEY_LOCAL_MACHINE\SYSTEM\Setup Name: OsLoaderPath	success or wait	1598348821
Key value queried	Path: HKEY_LOCAL_MACHINE\SYSTEM\Setup Name: OsLoaderPath	success or wait	1598349168
Key opened	Path: HKEY_LOCAL_MACHINE\SYSTEM\Setup Access: query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1598349739
Key value queried	Path: HKEY_LOCAL_MACHINE\SYSTEM\Setup Name: SystemPartition	success or wait	1598349956
Key value queried	Path: HKEY_LOCAL_MACHINE\SYSTEM\Setup Name: SystemPartition	success or wait	1598352712
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Setup Access: query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1598353792
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup Name: SourcePath	success or wait	1598354144
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup Name: SourcePath	success or wait	1598354496
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Setup Access: query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1598355076
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup Name: ServicePackSourcePath	success or wait	1598355367
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup Name: ServicePackSourcePath	success or wait	1598355713
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Setup Access: query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1598356336
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup Name: ServicePackCachePath	success or wait	1598356627
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup Name: ServicePackCachePath	success or wait	1598356974
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Setup Access: query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1598357871
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup Name: DriverCachePath	success or wait	1598358169
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup Name: DriverCachePath	success or wait	1598358517
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion Access: query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1598359109
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion Name: DevicePath	success or wait	1598359396
Mutant created	Name: no name	success or wait	1598360996
Mutant created	Name: no name	success or wait	1598361585
Mutant created	Name: no name	success or wait	1598362165
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Setup Access: query value and read or execute	success or wait	1598362766
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup Name: LogLevel	success or wait	1598363158
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup Name: LogLevel	success or wait	1598363530
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup Name: LogPath	object name not found	1598363957
Key opened	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\AppLogLevels Access: query value and read or execute	object name not found	1598364413
Key opened	Path: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\ComputerName\ActiveComputerName Access: query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1598365580
Key value queried	Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ComputerName\ActiveComputerName Name: ComputerName	success or wait	1598365970
Key opened	Path: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters Access: query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1598366557
Key value queried	Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters Name: Hostname	success or wait	1598366905
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\System\DNSclient Access: query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1598367478
Key opened	Path: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters Access: query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1598367777
Key value queried	Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters Name: Domain	success or wait	1598368075
System info queried	Type: BasicInformation	success or wait	1598369198
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc\PagedBuffers Access: query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1598369565
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc Access: query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1598369866
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc Name: MaxRpcSize	object name not found	1598370153
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\RpcThreadPoolThrottle Access: query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1598370742
System time queried	Time: 129252592751196961	success or wait	1598372310
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Rpc Access: query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1598373112
System info queried	Type: PerformanceInformation	success or wait	1598373362
Key opened	Path: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\ComputerName Access: query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1598375683
Key opened	Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ComputerName\ActiveComputerName Access: query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1598376124
Key value queried	Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ComputerName\ActiveComputerName Name: ComputerName	success or wait	1598376433
File other operation	Operation: 0007EA24 Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1598380589
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1598383222
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1598384700
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1598386028
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1598387718
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1598389111
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1598391224
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1598392735
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1598394200
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1598395616
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1598397133
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1598398963
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1598400413
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1598402185
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1598403629
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1598405034
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1598406565
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1598408137
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1598409605
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1598411043
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1598412443
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1598413829
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1598415438
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1598416804
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1598418277
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1598419659
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1598421034
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1598422763
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1598424501
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1598426187
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1598427556
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1598429481
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1598430991
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1598432583
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599155294
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599157360
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599158873
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599160238
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599161694
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599163091
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599164467
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599165910
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599167284
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599169048
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599170744
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599172228
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599173842
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599175284
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599177119
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599178493
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599180043
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599181410
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599182829
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599184223
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599185593
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599187026
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599188388
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599189753
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599191181
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599192576
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599194182
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599195548
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599196914
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599198320
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599199711
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599201098
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599202451
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599203810
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599205377
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599206739
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599208109
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599209467
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599210899
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599212291
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599213678
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599215065
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599216410
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599217863
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599219398
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599220752
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599222141
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599223491
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599224854
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599226258
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599227607
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599229042
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599230418
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599231770
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599233471
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599234923
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599236275
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599237664
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599239014
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599240633
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599242024
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599243376
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599244776
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599246131
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599247873
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599249231
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599250616
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599251971
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599253320
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599254718
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599256173
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599257525
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599258920
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599260272
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599261666
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599263016
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599264367
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599265780
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599267144
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599268536
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599269921
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599271275
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599272655
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599274006
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599275355
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599276782
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599278126
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599279606
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599280963
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599282398
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599283814
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599285163
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599286858
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599288218
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599289565
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599290948
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599292303
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599293697
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599295053
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599296499
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599297894
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599299248
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599300597
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599302001
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599303352
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599304830
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599306199
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599307562
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599308956
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599310308
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599311693
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599313048
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599314396
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599315787
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599317234
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599318658
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599320016
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599321367
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599322758
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599324118
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599326745
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599328156
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599329562
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599330919
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599332273
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599333663
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599335010
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599336398
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599337757
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599339104
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599340775
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599342220
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599343572
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599344962
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599346310
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599347733
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599349099
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599350459
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599351846
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599353191
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599354508
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599355863
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599357210
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599358663
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599360014
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599361405
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599362823
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599364176
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599365565
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599366916
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599368277
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599369679
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599371033
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599372430
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599373780
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599375130
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599376521
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599377870
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599379357
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599380708
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599382059
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599383481
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599384834
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599386219
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599387571
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599388946
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599390445
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599391804
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599393435
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599394790
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599396134
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599397798
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599399176
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599400641
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599402028
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599403577
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599405054
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599406439
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599407886
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599409240
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599410602
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599412015
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599413370
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599414805
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599416193
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599417571
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599419349
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599420924
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599422475
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599423860
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599425242
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599426805
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599428160
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599429557
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599430940
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599432331
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599433735
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599435113
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599437073
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599438733
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599440106
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599441462
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599443015
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599444455
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599445809
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599447665
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599449036
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599450433
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599451830
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599453193
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599454694
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599456065
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599457423
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599458822
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599460173
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599461684
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599463042
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599464396
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599465782
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599467237
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599468633
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599469992
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599471344
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599472746
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599474109
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599475471
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599477062
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599478415
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599479814
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599481172
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599482523
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599484103
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599485471
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599486907
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599488277
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599489643
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599491155
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599492523
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599493954
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599495330
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599496696
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599498249
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599499655
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599501339
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599502705
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599504072
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599505679
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599507048
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599508446
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599509812
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599511180
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599512640
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599514008
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599515438
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599516817
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599518184
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599519621
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599520987
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599522364
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599523732
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599525092
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599526530
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599527887
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599529497
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599530873
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599532812
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599534404
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599535780
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599537218
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599538594
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599540016
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599541380
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599542746
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599544297
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599545659
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599547218
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599548589
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599549957
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599551391
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599552753
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599554612
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599555997
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599557374
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599558806
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599560171
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599561683
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599563056
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599564420
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599565864
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599567229
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599568754
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1599570399
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1600239593
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1600241789
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1600243428
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1600244811
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1600246229
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1600247604
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1600249098
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1600250570
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1600251953
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1600253688
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1600255072
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1600256450
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1600257877
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1600259251
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1600260658
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1600262029
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1600263404
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1600264815
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1600266189
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1600267557
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1600268971
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1600270438
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1600271853
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1600273222
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1600274593
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1600275999
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1600277378
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1600279109
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1600280494
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1600281925
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1600283301
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1600284674
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1600545290
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1600548558
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1600550167
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1600551555
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1600552931
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1600554404
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1600555789
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1600557166
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1600558618
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1600560065
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1600561446
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1600562822
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1600564193
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1600565688
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1600567060
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1600568557
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1600569929
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1600571299
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1600572469
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1600573967
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1600575651
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1600577035
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1600578412
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1600579895
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1600581288
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1600582715
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1600584093
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1600585499
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1600586908
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1600588271
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1600589792
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1600591166
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1600592540
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1600593946
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1600595318
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1600596736
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1600598121
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1600599493
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1600600905
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1600602279
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1600603680
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1600605052
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1600606422
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1600607822
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1600609136
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1600610637
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1600612017
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1600613389
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1600614795
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1600616264
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1600617684
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1600619065
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1600620550
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1600621960
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1600623336
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1600624711
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1600626138
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1600627555
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1600629231
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1600630761
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1600632176
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1600633566
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1600634940
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1600636363
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1600637742
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1600639123
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1600640531
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1600641897
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1600643272
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1600644641
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1600646015
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1600647424
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1600648793
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1600650216
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1600651684
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1600653053
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1600654464
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1600655829
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1600657240
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1600658621
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1600660004
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1600661417
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1600662788
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1600664193
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1600665562
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1600666929
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1600668333
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1600669725
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1600671095
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1600672558
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1600673959
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1600675472
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1600676843
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1600678247
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1600679633
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1600681036
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1600682824
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1600684190
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1600685563
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1600686976
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1600688346
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1600689750
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1600691119
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1600692581
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1600694002
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1600695372
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1600696802
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1600698172
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1600699551
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1600700965
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1600702342
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1600703748
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1600705122
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1600706490
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1600707939
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1600709313
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1600710721
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1600712088
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1600713583
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1600715003
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1600716456
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1600717866
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1600719242
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1600720624
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1600722045
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1600723418
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1600724825
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1600726202
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1600727569
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1600728982
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1600730383
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1600731753
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1600733175
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1600734641
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1600736277
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1600737654
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1600739025
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1600740461
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1600741844
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1600743294
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1600744664
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1600746026
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1600747403
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1600748775
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1600750182
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1600751549
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1600752851
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1600754320
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1600755714
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1600757122
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1600758493
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1600759862
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1600762135
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1600763614
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1600765276
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1600766665
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1600768281
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1601883022
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1601885220
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1601886756
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1601888157
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1601889634
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1601891032
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1601892422
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1601893886
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1601895282
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1601896728
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1601898123
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1601900477
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1601901976
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1601903464
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1601904903
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1601906362
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1601907798
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1601909184
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1601910622
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1601912019
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1601913401
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1601914829
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1601916213
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1601917593
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1601919269
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1601920647
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1601922056
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1601923438
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1601924822
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1601926353
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1601927784
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1601929223
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1601930625
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1601932010
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1601933437
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1601934655
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1601937752
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1601939178
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1601940564
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1601941985
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1601943493
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1601944879
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1601946300
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1601947672
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1601949070
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1601950509
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1601951878
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1601953289
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1601954660
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1601956029
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1601957440
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1601958807
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1601960295
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1601961669
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1601963036
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1601964496
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1601965872
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1601967283
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1601968667
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1601970071
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1601971636
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1601973017
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1601974444
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1601975859
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1601977295
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1601978883
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1601980309
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1601981720
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1601983102
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1601984472
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1601985894
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1601987267
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1601988684
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1601990056
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1601991426
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1601992856
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1601994224
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1601995628
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1601996999
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1601998371
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1601999779
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602001149
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602002529
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602003949
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602005331
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602006872
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602008255
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602009670
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602011054
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602012425
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602013868
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602015239
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602016612
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602018019
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602019391
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602020805
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602022177
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602023546
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602025255
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602026638
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602028203
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602029578
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602030953
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602032366
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602033761
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602035172
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602036542
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602037909
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602039312
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602040683
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602042088
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602043362
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602044734
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602046149
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602047535
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602048944
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602050317
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602051684
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602053063
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602054436
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602055840
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602057256
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602058622
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602060037
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602061413
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602062783
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602064194
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602065563
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602066980
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602068360
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602069736
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602071149
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602072520
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602073927
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602075305
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602076675
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602078460
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602079830
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602081352
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602082725
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602084096
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602085502
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602086871
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602088286
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602089701
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602091074
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602092451
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602093821
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602095185
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602096606
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602098005
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602099412
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602100780
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602102243
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602103656
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602105026
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602106438
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602107810
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602109192
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602110604
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602111971
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602113373
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602114706
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602116079
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602117534
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602118905
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602120310
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602121782
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602123157
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602124566
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602125938
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602127350
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602128748
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602130138
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602131913
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602133282
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602134652
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602136143
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602137520
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602138903
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602140341
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602141713
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602143384
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602144791
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602146237
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602147658
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602149144
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602150624
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602152021
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602153409
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602154801
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602156238
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602157616
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602158995
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602160887
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602162272
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602163714
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602165253
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602166749
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602168155
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602169540
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602170986
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602172521
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602174302
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602175978
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602177401
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602178783
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602180159
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602181566
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602182937
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602184304
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602186273
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602187651
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602189062
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602190435
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602191838
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602193232
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602194612
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602195996
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602197362
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602198734
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602200219
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602201593
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602203012
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602204418
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602205826
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602207371
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602208743
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602210159
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602211528
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602212898
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602214395
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602215784
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602217195
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602218568
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602219938
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602221343
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602223990
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602225369
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602226738
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602228141
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602229645
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602231053
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602232433
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602233803
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602235267
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602236653
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602238029
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602239689
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602241056
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602242436
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602243810
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602245180
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602246592
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602247959
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602249506
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602250884
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602252253
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602253661
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602255030
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602256413
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602257883
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602259514
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602260924
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602262295
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602263670
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602265075
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602266445
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602267855
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602269217
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602270883
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602272295
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602273671
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602275172
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602276543
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602278008
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602279407
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602280806
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602282320
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602283732
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602285239
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602286661
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602288057
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602289506
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602290871
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602292749
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602295571
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602296962
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602298367
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602299884
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602301298
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602302778
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602304208
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602305604
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602307826
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602309273
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602310715
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602312088
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602313500
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602315043
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602316419
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602317842
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602319218
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602320674
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602322187
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602323571
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602325047
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602326416
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602328015
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602329460
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602330839
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602332254
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602333626
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602335032
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602336509
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602337882
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602339299
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602340670
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602342089
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602343471
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602344858
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602346610
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602347983
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602349395
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602350762
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602352130
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602353543
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602354908
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602356326
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602357816
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602359190
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602360641
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602362013
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602363425
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602364817
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602366241
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602367693
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602369071
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602370515
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602371918
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602373304
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602374744
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602376123
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602377750
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602379171
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602380554
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602382002
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602383386
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602385486
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602386893
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602388348
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602389749
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602391135
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602392583
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602393977
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602395416
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602396809
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602398190
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602399591
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602400666
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602402256
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602403610
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602405029
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602406396
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602407767
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602409206
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602410565
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602411968
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602413328
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602415266
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602416648
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602418002
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602419424
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602420952
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602422369
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602423734
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602425092
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602426584
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602427952
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602429372
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602430729
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602432084
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602433608
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602434972
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602436399
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602440507
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602441859
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602443959
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602445325
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602446751
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602448107
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602449884
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602451473
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602455525
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602456936
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602458339
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602459780
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602461184
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602462638
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602464048
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602465451
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602466900
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602468616
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602470062
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602471467
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602472849
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602474294
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602475971
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602477433
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602478840
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602480245
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602481692
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602483091
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602484529
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602485934
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602487333
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602488827
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602490467
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602491918
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602493323
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602494724
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602496170
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602497585
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602499029
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602500432
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602501846
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602503355
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602504764
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602506205
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602507606
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602509043
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602510573
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602511953
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602513364
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602514733
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602516140
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602517523
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602518903
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602520317
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602521684
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602523127
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602524497
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602525872
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602527277
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602528648
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602530073
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602531689
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602533068
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602534570
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602535940
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602537460
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602538846
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602540231
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602541661
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602543037
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602544539
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1602546619
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1604069761
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1604071818
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1604073257
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1604074627
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1604076056
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1604077423
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1604078830
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1604080205
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1604081569
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1604083038
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1604084406
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1604085693
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1604087066
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1604088433
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1604089838
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1604091201
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1604092603
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1604093969
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1604095333
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1604097032
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1604098418
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1604099821
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1604101210
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1604102598
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605353961
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605356127
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605357620
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605358975
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605360918
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605362271
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605363662
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605365014
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605366400
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605367752
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605369099
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605370539
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605371890
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605373283
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605374699
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605375966
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605377487
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605378838
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605380219
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605381577
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605382928
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605384286
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605385634
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605386985
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605388428
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605389783
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605391179
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605392541
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605394009
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605395421
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605396806
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605398168
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605399525
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605400879
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605402272
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605403620
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605407495
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605408900
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605410299
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605411813
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605413318
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605414757
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605416158
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605417559
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605419110
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605420618
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605422063
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605423466
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605424871
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605426325
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605427738
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605429196
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605430612
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605432020
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605433481
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605434894
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605436342
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605437750
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605439154
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605440598
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605442032
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605443492
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605444902
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605446305
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605447660
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605449176
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605450612
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605452123
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605453527
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605454967
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605456373
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605457788
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605459247
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605460655
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605461829
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605463210
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605464642
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605466026
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605467403
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605468822
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605470228
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605471644
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605473029
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605474402
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605475885
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605477277
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605479443
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605481188
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605483214
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605485167
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605486968
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605488709
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605490154
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605491746
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605493169
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605494650
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605496226
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605497604
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605499223
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605500638
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605502179
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605503864
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605505255
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605506627
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605508246
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605509767
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605511236
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605512615
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605516333
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605518266
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605521174
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605522724
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605524116
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605525530
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605527055
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605528502
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605529906
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605531289
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605532742
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605534147
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605535684
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605537091
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605538497
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605539964
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605541361
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605542793
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605544181
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605545556
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605546971
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605548361
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605549903
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605551397
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605552770
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605554261
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605555671
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605557087
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605558462
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605559844
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605561286
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605562684
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605564166
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605565557
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605566940
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605568687
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605570073
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605571506
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605573009
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605574378
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605575778
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605577145
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605578570
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605579979
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605581350
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605582760
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605584141
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605585549
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605586930
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605588292
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605589762
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605591048
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605592633
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605594035
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605595534
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605596943
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605598311
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605599711
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605601082
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605602455
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605603856
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605605232
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605606610
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605608028
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605609396
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605611174
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605612548
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605614139
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605616016
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605617411
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605619135
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605620531
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605622828
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605624284
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605626113
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605627635
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605629109
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605630522
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605631915
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605633301
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605634686
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605636486
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605637869
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605639545
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605640934
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605643214
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605644818
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605646238
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605647649
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605649044
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605651867
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605653711
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605655130
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605657525
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605659174
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605661089
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605662507
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605667079
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605668478
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605671259
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605673033
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605674479
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605676047
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605678198
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605679616
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605683217
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605684860
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605686275
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605690716
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605692265
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605693676
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605695118
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605696514
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605697901
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605699462
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605700868
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605703149
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605704579
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605706164
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605707568
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605709276
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605710716
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605712109
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605713958
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605715349
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605717485
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605718917
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605720400
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605721789
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605723226
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605724613
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605726000
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605727443
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605728865
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605730567
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605732070
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605733441
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605734965
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605736352
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605737779
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605739174
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605740579
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605742004
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605743390
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605744820
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605746218
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605747602
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605749199
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605750570
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605752014
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605753503
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605754876
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605756898
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605758307
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605760726
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605762137
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605763588
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605764976
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605766389
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605767765
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605769140
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605771212
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605772630
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605774183
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605775578
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605777096
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605778488
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605779865
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605781272
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605782647
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605784408
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605785807
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605787180
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605788592
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605789964
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605791376
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605792747
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605794116
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605795517
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605797001
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605798375
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605799745
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605801114
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605802520
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605803898
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605805359
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605806810
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605808648
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605810060
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605811432
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605812839
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605814212
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605815582
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605817014
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605818483
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605819893
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605821265
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605822632
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605824040
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605825423
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605826843
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605828246
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605829618
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605830994
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605832361
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605834386
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605835779
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605837150
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605838887
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605840369
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605841859
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605843134
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605844547
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605845928
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605847313
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605848727
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605850096
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605851465
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605852884
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605854261
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605855669
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605857040
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605858404
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605859941
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605861316
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605862724
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605864093
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605865575
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605867010
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605868392
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605869800
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605871169
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605872600
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605874018
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605875389
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605876799
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605879402
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605880819
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605882291
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605883698
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605885072
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605886438
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605888428
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605889891
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605891642
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605893032
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605894470
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605895861
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605897241
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605898630
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605900019
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605901399
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605902856
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605904387
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605905828
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605907212
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605908591
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605910211
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605911604
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605913065
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605914475
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605915890
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605917265
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605918640
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605920057
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605921427
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605922790
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605924309
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605925682
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605927110
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605928480
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605930029
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605931429
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605932813
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605934222
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605935592
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605936960
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605938427
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605939832
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605941291
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605942677
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605944072
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605946097
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605947493
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605948933
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605950387
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605951808
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605953209
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605954604
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605956024
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605957406
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605958825
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605960193
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605961564
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605962995
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605964373
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605965742
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605967308
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605968689
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605970138
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605971536
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605973030
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605974436
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605975828
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605977255
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605978630
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605980052
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605981438
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605982832
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605984310
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605985880
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605987474
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605988848
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605990224
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605991635
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605993026
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605994480
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605995876
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605997268
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1605998998
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1606000383
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1606001811
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1606003209
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1606004636
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1606006083
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1606007477
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1606009269
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1606010904
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1606012291
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1606013666
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1606015180
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1606016626
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1606018011
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1606019384
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1606020845
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1606022361
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1606023773
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1606025144
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1606026550
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1606027929
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1606029300
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1606030826
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1606032199
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1606033649
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1606035029
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1606036404
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1606037793
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1606039169
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1606040535
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1606042144
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1606043516
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1606044900
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1606046270
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1606047638
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1606049053
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1606050529
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1606052236
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1606053606
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1606054976
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1606056429
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1606057867
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1606059287
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1606060661
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1606062062
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1606063588
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1606064960
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1606066370
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1606067740
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1606069108
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1606070511
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1606071977
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1606073393
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1606074766
File opened	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	success or wait	1607079251
File other operation	Disposition: PipeInformation Data: 01 00 00 00 00 00 00 00 Path: \Device\NamedPipe\lsass	success or wait	1607081420
File other operation	Disposition: CompletionInformation Data: F4 06 00 00 00 00 FF FF Path: \Device\NamedPipe\lsass	success or wait	1607081705
File write	Path: \Device\NamedPipe\lsass	success or wait	1607082366
File read	Path: \Device\NamedPipe\lsass	pending	1607082661
File other operation	Operation: 0007EA24 Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1607092259
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1607093940
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1607095415
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1607096622
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1607098391
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1607099869
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1607101271
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1607102731
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1607104135
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1607105532
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1607107075
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1607108488
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1607109969
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1607111386
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1607112788
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1607114266
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1607115662
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1607117113
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1607118702
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1607120121
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1607121587
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1607123020
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1607124641
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1607126040
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1607127432
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1607128954
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1607130338
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1607131754
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1607133196
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1607134586
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1607135993
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1607137363
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1607138773
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1607140149
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1607141515
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1607143090
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1607144521
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1607146072
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1607147458
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1607148835
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1607150269
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1607151647
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1607153050
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1607154413
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1607155787
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1607157200
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1607158571
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1607160088
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1607161467
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1607162844
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1607164261
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1607165633
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1607167073
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1607168316
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1607172577
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1607173994
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1607175368
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1607176890
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1607178262
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1607179631
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1607181326
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1607182694
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1607184224
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1607185600
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1607186970
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1607188345
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1607189715
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1607191117
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1607192490
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1607193866
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1607195253
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1607196625
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1607198002
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1607199393
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1607200793
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1607202343
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1607203784
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1607205278
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1607206676
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1607208238
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1607209724
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1607211118
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1607212574
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1607213979
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1607215391
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1607216903
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1607218316
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1607219955
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1607221355
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1607222754
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1607224213
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1607225745
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1607227180
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1607228586
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1607229995
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1607231491
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1607232895
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1607234675
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1607236086
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1607237580
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1607239029
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1607240551
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1607242004
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1607243411
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1607244864
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1607246269
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1607247869
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1607249312
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1607250714
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1607252119
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1607253534
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1607254946
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1607256549
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1607257955
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1607259467
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1607260866
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1607262300
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1607263704
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1607265094
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1607266578
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1607267974
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1607269381
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1607270842
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1607272350
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1607274724
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1607276302
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1607277768
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1607279175
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1607280638
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1607282050
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1607283450
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1607284919
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1607286323
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1607288076
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1607289476
File overwritten	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	pipe not available	1607291099
File opened	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	success or wait	1608062108
File other operation	Disposition: PipeInformation Data: 01 00 00 00 00 00 00 00 Path: \Device\NamedPipe\lsass	success or wait	1608064467
File other operation	Disposition: CompletionInformation Data: F4 06 00 00 00 00 FF FF Path: \Device\NamedPipe\lsass	success or wait	1608064819
File write	Path: \Device\NamedPipe\lsass	success or wait	1608065523
File read	Path: \Device\NamedPipe\lsass	pending	1608065843
File overwritten	Path: MountPointManager Access: read attributes and synchronize Disposition: open Options: synchronous io non alert and non directory file Attributes: normal	success or wait	1608374738
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume Access: maximum allowed	success or wait	1608377033
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{edc2bb10-b32c-11de-8127-806d6172696f}\ Access: maximum allowed	success or wait	1608377586
Key value queried	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{edc2bb10-b32c-11de-8127-806d6172696f} Name: Data	buffer overflow	1608378210
Key value queried	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{edc2bb10-b32c-11de-8127-806d6172696f} Name: Data	success or wait	1608378583
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume Access: maximum allowed	success or wait	1608379627
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{edc2bb10-b32c-11de-8127-806d6172696f}\ Access: maximum allowed	success or wait	1608379953
Key value queried	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{edc2bb10-b32c-11de-8127-806d6172696f} Name: Generation	success or wait	1608380608
File overwritten	Path: MountPointManager Access: read attributes and synchronize Disposition: open Options: synchronous io non alert and non directory file Attributes: normal	success or wait	1608384264
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume Access: maximum allowed	success or wait	1608385965
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{edc2bb11-b32c-11de-8127-806d6172696f}\ Access: maximum allowed	success or wait	1608386297
Key value queried	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{edc2bb11-b32c-11de-8127-806d6172696f} Name: Data	buffer overflow	1608386747
Key value queried	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{edc2bb11-b32c-11de-8127-806d6172696f} Name: Data	success or wait	1608387067
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume Access: maximum allowed	success or wait	1608388015
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{edc2bb11-b32c-11de-8127-806d6172696f}\ Access: maximum allowed	success or wait	1608388342
Key value queried	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{edc2bb11-b32c-11de-8127-806d6172696f} Name: Generation	success or wait	1608388796
File overwritten	Path: MountPointManager Access: read attributes and synchronize Disposition: open Options: synchronous io non alert and non directory file Attributes: normal	success or wait	1608392244
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume Access: maximum allowed	success or wait	1608393785
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{edc2bb13-b32c-11de-8127-806d6172696f}\ Access: maximum allowed	success or wait	1608394158
Key value queried	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{edc2bb13-b32c-11de-8127-806d6172696f} Name: Data	buffer overflow	1608394614
Key value queried	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{edc2bb13-b32c-11de-8127-806d6172696f} Name: Data	success or wait	1608394937
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume Access: maximum allowed	success or wait	1608395805
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{edc2bb13-b32c-11de-8127-806d6172696f}\ Access: maximum allowed	success or wait	1608396127
Key value queried	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{edc2bb13-b32c-11de-8127-806d6172696f} Name: Generation	success or wait	1608396581
File overwritten	Path: MountPointManager Access: read attributes and synchronize Disposition: open Options: synchronous io non alert and non directory file Attributes: normal	success or wait	1608397355
File overwritten	Path: MountPointManager Access: read attributes and synchronize Disposition: open Options: synchronous io non alert and non directory file Attributes: normal	success or wait	1608399486
Key created	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{edc2bb13-b32c-11de-8127-806d6172696f}\ Access: maximum allowed Options: non volatile	success or wait	1608401511
Key value set	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{edc2bb13-b32c-11de-8127-806d6172696f} Name: BaseClass Type: String Data: Drive	success or wait	1608401916
File overwritten	Path: MountPointManager Access: read attributes and synchronize Disposition: open Options: synchronous io non alert and non directory file Attributes: normal	success or wait	1608402562
File overwritten	Path: MountPointManager Access: read attributes and synchronize Disposition: open Options: synchronous io non alert and non directory file Attributes: normal	success or wait	1608404712
Key created	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{edc2bb11-b32c-11de-8127-806d6172696f}\ Access: maximum allowed Options: non volatile	success or wait	1608406663
Key value set	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{edc2bb11-b32c-11de-8127-806d6172696f} Name: BaseClass Type: String Data: Drive	success or wait	1608407026
File overwritten	Path: MountPointManager Access: read attributes and synchronize Disposition: open Options: synchronous io non alert and non directory file Attributes: normal	success or wait	1608407667
File overwritten	Path: MountPointManager Access: read attributes and synchronize Disposition: open Options: synchronous io non alert and non directory file Attributes: normal	success or wait	1608410113
Key created	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{edc2bb10-b32c-11de-8127-806d6172696f}\ Access: maximum allowed Options: non volatile	success or wait	1608414136
Key value set	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{edc2bb10-b32c-11de-8127-806d6172696f} Name: BaseClass Type: String Data: Drive	success or wait	1608414522
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume Access: maximum allowed	success or wait	1608415569
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{edc2bb13-b32c-11de-8127-806d6172696f}\ Access: maximum allowed	success or wait	1608415898
Key value queried	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{edc2bb13-b32c-11de-8127-806d6172696f} Name: Generation	success or wait	1608416351
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_CLASSES\Drive\shellex\FolderExtensions Access: enumerate sub key and read or execute	object name not found	1608417396
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Classes\Drive\shellex\FolderExtensions Access: enumerate sub key and read or execute	success or wait	1608417674
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_Classes\Drive\shellex\FolderExtensions Access: maximum allowed	object name not found	1608419472
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_CLASSES\Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9} Access: query value and read or execute	object name not found	1608421142
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Classes\Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9} Access: query value and read or execute	success or wait	1608421409
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_Classes\Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9} Access: maximum allowed	object name not found	1608422960
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9} Name: DriveMask	success or wait	1608423324
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer Access: query value and read or execute	success or wait	1608425406
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer Name: SeparateProcess	object name not found	1608425772
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer Access: query value and read or execute	success or wait	1608426211
Key value queried	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer Name: SeparateProcess	object name not found	1608426455
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer Access: maximum allowed	success or wait	1608427314
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\ Access: maximum allowed	success or wait	1608427611
Key value queried	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer Name: ShellState	success or wait	1608427937
Key value queried	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer Name: ShellState	success or wait	1608428269
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer Access: query value and read or execute	success or wait	1608428989
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer Name: ForceActiveDesktopOn	object name not found	1608429232
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer Access: query value and read or execute	success or wait	1608429687
Key value queried	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer Name: ForceActiveDesktopOn	object name not found	1608429934
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer Access: query value and read or execute	success or wait	1608430661
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer Name: NoActiveDesktop	object name not found	1608430901
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer Access: query value and read or execute	success or wait	1608431353
Key value queried	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer Name: NoActiveDesktop	object name not found	1608431599
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Policies\System Access: query value and read or execute	object name not found	1608432269
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer Access: query value and read or execute	success or wait	1608432779
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer Name: NoWebView	object name not found	1608433018
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer Access: query value and read or execute	success or wait	1608433469
Key value queried	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer Name: NoWebView	object name not found	1608433714
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer Access: query value and read or execute	success or wait	1608434437
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer Name: ClassicShell	object name not found	1608434675
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer Access: query value and read or execute	success or wait	1608435130
Key value queried	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer Name: ClassicShell	object name not found	1608435381
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer Access: query value and read or execute	success or wait	1608436131
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer Name: DontShowSuperHidden	object name not found	1608436370
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer Access: query value and read or execute	success or wait	1608436850
Key value queried	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer Name: DontShowSuperHidden	object name not found	1608437097
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer Access: query value and read or execute	success or wait	1608438076
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer Name: NoNetCrawling	object name not found	1608438313
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer Access: query value and read or execute	success or wait	1608438765
Key value queried	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer Name: NoNetCrawling	object name not found	1608439054
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer Access: query value and read or execute	success or wait	1608439776
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer Name: NoSimpleStartMenu	object name not found	1608440016
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer Access: query value and read or execute	success or wait	1608440465
Key value queried	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer Name: NoSimpleStartMenu	object name not found	1608440711
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced Access: maximum allowed	success or wait	1608441544
Key value queried	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced Name: Hidden	success or wait	1608441780
Key value queried	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced Name: ShowCompColor	success or wait	1608442063
Key value queried	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced Name: HideFileExt	success or wait	1608442344
Key value queried	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced Name: DontPrettyPath	success or wait	1608442661
Key value queried	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced Name: ShowInfoTip	success or wait	1608442944
Key value queried	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced Name: HideIcons	success or wait	1608443225
Key value queried	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced Name: MapNetDrvBtn	success or wait	1608443506
Key value queried	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced Name: WebView	success or wait	1608444049
Key value queried	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced Name: Filter	success or wait	1608444369
Key value queried	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced Name: ShowSuperHidden	success or wait	1608444651
Key value queried	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced Name: SeparateProcess	success or wait	1608445020
Key value queried	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced Name: NoNetCrawling	success or wait	1608445304
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer Access: query value and read or execute	success or wait	1608446297
Key value queried	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer Name: DesktopProcess	object name not found	1608446636
Section created	Access: query and map write and map read Protection: read write Attributes: commit Path: not known Type: commit Baseaddress: 00B50000 Entrypoint: not known Mapped to pid: own pid Size: 1000	success or wait	1608447962
Process opened	Access: dupclicate handle PID: 776 Path: C:\WINDOWS\Explorer.EXE Cmdline: C:\WINDOWS\Explorer.EXE	success or wait	1608448749
Process opened	Access: dupclicate handle PID: 776 Path: C:\WINDOWS\Explorer.EXE Cmdline: C:\WINDOWS\Explorer.EXE	success or wait	1608450514
Process opened	Access: query information PID: 776 Path: C:\WINDOWS\Explorer.EXE Cmdline: C:\WINDOWS\Explorer.EXE	success or wait	1608452390
Process terminated	PID: 1592 Path: C:\WINDOWS\explorer.exe	success or wait	1608456189
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize Access: query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1608484144
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize Name: DisableMetaFiles	object name not found	1608484520
Process terminated	PID: 1592 Path: C:\WINDOWS\explorer.exe	success or wait	1608486680

Analysis File: csrcs.exe PID: 488 Parent PID: 1580 Run ID: 0

Sections

General
Start time:	23:48:02
Start date:	02/08/2010
Path:	C:\WINDOWS\system32\csrcs.exe
Commandline:	C:\WINDOWS\system32\csrcs.exe
File size:	575054 bytes
MD5 hash:	97656225E7B67973C7071C6126992921

File Activities:

File opened
Reputation	File Path	Access	Options	Completion	Count
1343	C:\WINDOWS\WindowsShell.Manifest	read attributes and synchronize and generic read	synchronous io non alert and non directory file	success or wait	1
4	C:\WINDOWS\system32\csrcs.exe	read attributes and synchronize and generic read	synchronous io non alert and non directory file	success or wait	1
8607	PIPE\lsarpc	read attributes and synchronize and generic read and generic write	non directory file	success or wait	2
4	C:\WINDOWS\system32\csrcs.exe	read attributes and synchronize and generic read	synchronous io non alert and non directory file	success or wait	1
14039	C:\WINDOWS\system32\msctfime.ime	read attributes and synchronize and generic read	synchronous io non alert and non directory file	success or wait	1
14039	C:\WINDOWS\system32\msctfime.ime	read attributes and synchronize and generic read	synchronous io non alert and non directory file	success or wait	1
4	C:\WINDOWS\system32\csrcs.exe	read attributes and synchronize and generic read	synchronous io non alert and non directory file	success or wait	1
18	C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\aut2.tmp	read attributes and synchronize and generic read	synchronous io non alert and non directory file	success or wait	1
0	C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\zvhhwsq	read attributes and synchronize and generic write	synchronous io non alert and non directory file	success or wait	1
0	C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\zvhhwsq	read attributes and synchronize and generic read	synchronous io non alert and non directory file	success or wait	1

File created
Reputation	File Path	Access	Attributes	Options	Completion	Count
21	C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\aut2.tmp	read attributes and synchronize and generic read	normal	synchronous io non alert and non directory file	success or wait	1
0	C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\zvhhwsq	read attributes and synchronize and generic read and generic write	normal	synchronous io non alert and non directory file	success or wait	1

File overwritten
Reputation	File Path	Access	Options	Completion	Count
20901	WMIDataDevice	read attributes and synchronize and generic read and generic write	non directory file	success or wait	1
20901	WMIDataDevice	read attributes and synchronize and generic read and generic write	non directory file	success or wait	1
62040	MountPointManager	read attributes and synchronize	synchronous io non alert and non directory file	success or wait	3
62040	MountPointManager	read attributes and synchronize	synchronous io non alert and non directory file	success or wait	6
18	C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\aut2.tmp	read attributes and synchronize and generic write	synchronous io non alert and non directory file	success or wait	1
1796	C:\WINDOWS\system32\SHELL32.dll.124.Manifest	read data or list directory and read ea and execute or traverse and read attributes and read control and synchronize	synchronous io non alert and non directory file	object name not found	1
2276	\Device\KsecDD	read data or list directory and synchronize	synchronous io alert	success or wait	1
1153	C:\WINDOWS\system32\urlmon.dll.123.Manifest	read data or list directory and read ea and execute or traverse and read attributes and read control and synchronize	synchronous io non alert and non directory file	object name not found	1
817	C:\WINDOWS\system32\WININET.dll.123.Manifest	read data or list directory and read ea and execute or traverse and read attributes and read control and synchronize	synchronous io non alert and non directory file	object name not found	1
442	IDE#CdRomVBOX_CD-ROM_____________________________1.0_____#42562d3231303037333036372020202020202020#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}	read attributes and synchronize	synchronous io non alert and non directory file	success or wait	1
284	IDE#CdRomVBOX_CD-ROM_____________________________1.0_____#42562d3231303037333036372020202020202020#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}	read attributes and synchronize	synchronous io alert	success or wait	1
441	STORAGE#Volume#1&30a96598&0&Signature94389438Offset7E00Length27F4DB200#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}	read attributes and synchronize	synchronous io non alert and non directory file	success or wait	1
438	STORAGE#Volume#1&30a96598&0&Signature94389438Offset7E00Length27F4DB200#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}	read attributes and synchronize	synchronous io alert	success or wait	1

File deleted
Reputation	File Path	Completion	Count
21	C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\aut2.tmp	success or wait	1
0	C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\zvhhwsq	success or wait	1

File renamed
Reputation	Old File Path	New File Path	Completion	Count

File written
Reputation	File Path	Completion	Count
155362	\Device\NamedPipe\lsass	success or wait	2
4	C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\aut2.tmp	success or wait	1
4	C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\aut2.tmp	success or wait	1
0	C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\zvhhwsq	success or wait	1
0	C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\zvhhwsq	success or wait	1
0	C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\zvhhwsq	success or wait	1

Other file operations
Reputation	File Path	Disposition	Data	Completion	Count
47	C:\WINDOWS\system32\csrcs.exe	PositionInformation	00 00 01 00 00 00 00 00	success or wait	3
47	C:\WINDOWS\system32\csrcs.exe	PositionInformation	EC FF 00 00 00 00 00 00	success or wait	3
47	C:\WINDOWS\system32\csrcs.exe	PositionInformation	EC FF 01 00 00 00 00 00	success or wait	3
4	C:\WINDOWS\system32\csrcs.exe	PositionInformation	D8 FF 01 00 00 00 00 00	success or wait	3
47	C:\WINDOWS\system32\csrcs.exe	PositionInformation	D8 FF 02 00 00 00 00 00	success or wait	3
41	C:\WINDOWS\system32\csrcs.exe	PositionInformation	C4 FF 02 00 00 00 00 00	success or wait	3
4	C:\WINDOWS\system32\csrcs.exe	PositionInformation	C4 FF 03 00 00 00 00 00	success or wait	3
47	C:\WINDOWS\system32\csrcs.exe	PositionInformation	B0 FF 03 00 00 00 00 00	success or wait	3
4	C:\WINDOWS\system32\csrcs.exe	PositionInformation	B0 FF 04 00 00 00 00 00	success or wait	3
38	C:\WINDOWS\system32\csrcs.exe	PositionInformation	9C FF 04 00 00 00 00 00	success or wait	3
0	C:\WINDOWS\system32\csrcs.exe	PositionInformation	14 C8 05 00 00 00 00 00	success or wait	3
0	C:\WINDOWS\system32\csrcs.exe	PositionInformation	14 D8 05 00 00 00 00 00	success or wait	3
0	C:\WINDOWS\system32\csrcs.exe	PositionInformation	28 C8 05 00 00 00 00 00	success or wait	3
0	C:\WINDOWS\system32\csrcs.exe	PositionInformation	28 CA 05 00 00 00 00 00	success or wait	3
0	C:\WINDOWS\system32\csrcs.exe	PositionInformation	B9 C8 05 00 00 00 00 00	success or wait	2
0	C:\WINDOWS\system32\csrcs.exe	PositionInformation	B9 CA 05 00 00 00 00 00	success or wait	2
0	C:\WINDOWS\system32\csrcs.exe	PositionInformation	77 7A 08 00 00 00 00 00	success or wait	2
0	C:\WINDOWS\system32\csrcs.exe	PositionInformation	77 7C 08 00 00 00 00 00	success or wait	1
0	C:\WINDOWS\system32\csrcs.exe	PositionInformation	1A 7B 08 00 00 00 00 00	success or wait	1
0	C:\WINDOWS\system32\csrcs.exe	PositionInformation	1A 7D 08 00 00 00 00 00	success or wait	1
0	C:\WINDOWS\system32\csrcs.exe	PositionInformation	46 C6 08 00 00 00 00 00	success or wait	1
15856	\Device\NamedPipe\lsass	PipeInformation	01 00 00 00 00 00 00 00	success or wait	2
131	\Device\NamedPipe\lsass	CompletionInformation	EC 00 00 00 00 00 FF FF	success or wait	2
0	C:\WINDOWS\system32\csrcs.exe	PositionInformation	D5 C8 05 00 00 00 00 00	success or wait	1
0	C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\zvhhwsq	BasicInformation	30 4F 03 65 3C 41 CB 01 00 00 00 00 00 00 00 00 F4 CB C9 67 3C 41 CB 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00	success or wait	1
0	C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\zvhhwsq	PositionInformation	00 00 00 00 00 00 00 00	success or wait	6
0	C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\zvhhwsq	PositionInformation	4E 86 01 00 00 00 00 00	success or wait	2

Section Activities:

Section opened
Reputation	File Path	Access	Base	Entrypoint	Size	Mapped to pid	Completion	Count
40475	\KnownDlls\kernel32.dll	map write and map read and map execute	7C800000	7C80B64E	F6000	own pid	success or wait	1
11	\NLS\NlsSectionUnicode	map read	00070000	not known	15DF4	own pid	success or wait	1
11	\NLS\NlsSectionLocale	map read	00090000	not known	40EDC	own pid	success or wait	1
10	\NLS\NlsSectionSortkey	query and map read	000E0000	not known	40004	own pid	success or wait	1
10	\NLS\NlsSectionSortTbls	map read	00130000	not known	5A04	own pid	success or wait	1
82482	\NLS\NlsSectionSortkey00000409	map read	not known	not known	not known	own pid	object name not found	2
35518	\KnownDlls\ADVAPI32.dll	map write and map read and map execute	77DD0000	77DD710B	9B000	own pid	success or wait	1
40913	\KnownDlls\RPCRT4.dll	map write and map read and map execute	77E70000	77E7628F	92000	own pid	success or wait	1
40856	\KnownDlls\Secur32.dll	map write and map read and map execute	77FE0000	77FE2146	11000	own pid	success or wait	1
14883	\KnownDlls\msvcrt.dll	map write and map read and map execute	77C10000	77C1F2A1	58000	own pid	success or wait	1
37497	\KnownDlls\GDI32.dll	map write and map read and map execute	77F10000	77F16587	49000	own pid	success or wait	1
33945	\KnownDlls\USER32.dll	map write and map read and map execute	7E410000	7E41B217	91000	own pid	success or wait	1
18615	\KnownDlls\SHLWAPI.dll	map write and map read and map execute	77F60000	77F651FB	76000	own pid	success or wait	1
191	\KnownDlls\COMDLG32.dll	map write and map read and map execute	763B0000	763B1619	49000	own pid	success or wait	1
25613	\KnownDlls\SHELL32.dll	map write and map read and map execute	7C9C0000	7C9E74E6	817000	own pid	success or wait	1
1194	\KnownDlls\MPR.dll	map write and map read and map execute	71B20000	71B2124A	12000	own pid	success or wait	1
4087	\KnownDlls\ole32.dll	map write and map read and map execute	774E0000	774FD0B9	13D000	own pid	success or wait	1
3896	\KnownDlls\OLEAUT32.dll	map write and map read and map execute	77120000	77121560	8B000	own pid	success or wait	1
5134	\KnownDlls\PSAPI.DLL	map write and map read and map execute	not known	not known	not known	own pid	object name not found	1
18938	\KnownDlls\USERENV.dll	map write and map read and map execute	769C0000	769C15E4	B4000	own pid	success or wait	1
25391	\KnownDlls\VERSION.dll	map write and map read and map execute	77C00000	77C01135	8000	own pid	success or wait	1
13922	\KnownDlls\WININET.dll	map write and map read and map execute	3D930000	3D931744	E6000	own pid	success or wait	1
79	\KnownDlls\Normaliz.dll	map write and map read and map execute	00140000	401782	9000	own pid	success or wait	1
19227	\KnownDlls\urlmon.dll	map write and map read and map execute	78130000	78131AFA	132000	own pid	success or wait	1
18908	\KnownDlls\iertutil.dll	map write and map read and map execute	3DFD0000	3E0E7B59	1E8000	own pid	success or wait	1
18656	\KnownDlls\WINMM.dll	map write and map read and map execute	not known	not known	not known	own pid	object name not found	1
2386	\KnownDlls\WSOCK32.dll	map write and map read and map execute	not known	not known	not known	own pid	object name not found	1
16409	\KnownDlls\WS2_32.dll	map write and map read and map execute	not known	not known	not known	own pid	object name not found	1
22728	\KnownDlls\WS2HELP.dll	map write and map read and map execute	not known	not known	not known	own pid	object name not found	1
11	\NLS\NlsSectionCType	map read	00160000	not known	20C2	own pid	success or wait	1
2059	\KnownDlls\uxtheme.dll	map write and map read and map execute	not known	not known	not known	own pid	object name not found	1
10059	\KnownDlls\SETUPAPI.dll	map write and map read and map execute	not known	not known	not known	own pid	object name not found	1
0	\BaseNamedObjects\CTF.TimListCache.FMPDefaultS-1-5-21-220523388-1935655697-1343024091-1003SFM.DefaultS-1-5-21-220523388-1935655697-1343024091-1003	query and map write and map read and map execute and extend size	01570000	not known	40000	own pid	success or wait	1
33	\BaseNamedObjects\ShimSharedMemory	map write	003E0000	not known	E000	own pid	success or wait	1

Section created
Reputation	File Path	Access	Attributes	Base	Entrypoint	Size	Protection	Mapped to pid	Completion	Count
2466	not known	query and map write and map read and map execute and extend size	reserve	not known	not known	10000	read write	own pid	success or wait	1
33522	C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll	query and map write and map read and map execute	image	773D0000	773D4256	103000	execute	own pid	success or wait	1
8524	C:\WINDOWS\system32\psapi.dll	query and map write and map read and map execute	image	76BF0000	76BF10F1	B000	execute	own pid	success or wait	1
20195	C:\WINDOWS\system32\winmm.dll	query and map write and map read and map execute	image	76B40000	76B42B61	2D000	execute	own pid	success or wait	1
5868	C:\WINDOWS\system32\wsock32.dll	query and map write and map read and map execute	image	71AD0000	71AD1039	9000	execute	own pid	success or wait	1
22720	C:\WINDOWS\system32\ws2_32.dll	query and map write and map read and map execute	image	71AB0000	71AB1273	17000	execute	own pid	success or wait	1
5468	C:\WINDOWS\system32\ws2help.dll	query and map write and map read and map execute	image	71AA0000	71AA1638	8000	execute	own pid	success or wait	1
22	C:\WINDOWS\system32\imm32.dll	map write and map read and map execute	commit	00240000	not known	1AE00	execute	own pid	success or wait	2
39628	C:\WINDOWS\system32\imm32.dll	query and map write and map read and map execute	image	76390000	763912C0	1D000	execute	own pid	success or wait	1
20	C:\WINDOWS\WindowsShell.Manifest	map write and map read and map execute	commit	00370000	not known	2ED	execute	own pid	success or wait	1
20	C:\WINDOWS\WindowsShell.Manifest	query and map read	commit	00370000	not known	2ED	readonly	own pid	success or wait	1
20	C:\WINDOWS\WindowsShell.Manifest	map read	commit	00370000	not known	2ED	readonly	own pid	success or wait	1
0	C:\WINDOWS\system32\shell32.dll	map read	commit	00FF0000	not known	811C00	readonly	own pid	success or wait	1
9375	C:\WINDOWS\system32\uxtheme.dll	query and map write and map read and map execute	image	5AD70000	5AD71626	38000	execute	own pid	success or wait	1
1090	C:\WINDOWS\system32\setupapi.dll	query and map write and map read and map execute	image	77920000	7792159A	F3000	execute	own pid	success or wait	1
0	C:\WINDOWS\system32\msctf.dll	map write and map read and map execute	commit	01570000	not known	48C00	execute	own pid	success or wait	1
20358	C:\WINDOWS\system32\msctf.dll	query and map write and map read and map execute	image	74720000	747213A5	4C000	execute	own pid	success or wait	1
45	\BaseNamedObjects\CiceroSharedMemDefaultS-1-5-21-220523388-1935655697-1343024091-1003	query and map write and map read	commit	003D0000	not known	1000	read write	own pid	object name exists	1
0	C:\WINDOWS\system32\msctfime.ime	map write and map read and map execute	commit	015B0000	not known	2B400	execute	own pid	success or wait	3
0	C:\WINDOWS\system32\msctfime.ime	query and map read	commit	015B0000	not known	2B400	readonly	own pid	success or wait	2
11124	C:\WINDOWS\system32\msctfime.ime	query and map write and map read and map execute	image	755C0000	755D9FE1	2E000	execute	own pid	success or wait	1

Registry Activities:

Key opened
Reputation	Key Path	Access	Completion	Count
69	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csrcs.exe	generic read	object name not found	2
91200	HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server	query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1
153794	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots	enumerate sub key and read or execute	object name not found	4
96399	HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot\Option	query value and set value and read or execute and write	object name not found	1
26786	HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers	query value and read or execute	success or wait	1
39584	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers	query value and read or execute	object name not found	1
6164	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Secur32.dll	generic read	object name not found	1
40564	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RPCRT4.dll	generic read	object name not found	1
707	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ADVAPI32.dll	generic read	object name not found	1
51069	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon	query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1
77159	HKEY_LOCAL_MACHINE	maximum allowed	success or wait	1
5318	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Diagnostics	query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1
4417	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msvcrt.dll	generic read	object name not found	1
33679	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\USER32.dll	generic read	object name not found	1
71638	HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager	query value and read or execute	success or wait	1
39518	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IMM32.DLL	generic read	object name not found	1
20955	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ntdll.dll	generic read	object name not found	1
39992	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kernel32.dll	generic read	object name not found	1
39197	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GDI32.dll	generic read	object name not found	1
33789	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SHLWAPI.dll	generic read	object name not found	1
2924	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\COMCTL32.dll	generic read	object name not found	1
25673	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SHELL32.dll	generic read	object name not found	1
839	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\COMDLG32.dll	generic read	object name not found	1
536	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MPR.dll	generic read	object name not found	1
14067	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ole32.dll	generic read	object name not found	1
3843	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\OLEAUT32.dll	generic read	object name not found	1
4083	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PSAPI.DLL	generic read	object name not found	1
18911	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\USERENV.dll	generic read	object name not found	1
25266	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\VERSION.dll	generic read	object name not found	1
2184	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Normaliz.dll	generic read	object name not found	1
18916	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iertutil.dll	generic read	object name not found	1
20565	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\urlmon.dll	generic read	object name not found	1
13896	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WININET.dll	generic read	object name not found	1
2621	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WINMM.dll	generic read	object name not found	1
3112	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WS2HELP.dll	generic read	object name not found	1
16343	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WS2_32.dll	generic read	object name not found	1
2365	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WSOCK32.dll	generic read	object name not found	1
52210	HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Error Message Instrument\	query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1
81554	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize	query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1
24208	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows	query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1
36549	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Performance	maximum allowed	object name not found	1
167058	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003	query value and enumerate sub key and notify and read or execute and write and read control	success or wait	3
59427	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Control Panel\Desktop	query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1
32768	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\software\Microsoft\Windows\CurrentVersion\Explorer\Advanced	query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1
33471	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\LanguagePack	query value and read or execute	success or wait	1
35640	HKEY_LOCAL_MACHINE\SYSTEM\Setup	query value and read or execute	success or wait	1
5178	HKEY_LOCAL_MACHINE\system\CurrentControlSet\control\NetworkProvider\HwOrder	query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1
43104	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager	query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1
45275	HKEY_LOCAL_MACHINE\Software\Microsoft\Ole	query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1
18722	HKEY_LOCAL_MACHINE\Software\Classes\Interface	query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1
4967	HKEY_LOCAL_MACHINE\Software\Classes\Interface\{00020400-0000-0000-C000-000000000046}	query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1
86612	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLEAUT	query value and read or execute	object name not found	2
42185	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLEAUT\UserEra	query value and enumerate sub key and read or execute	object name not found	1
13835	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\winlogon	maximum allowed	success or wait	5
20258	HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\ProductOptions	query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1
23213	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders	query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1
40321	HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System	maximum allowed	success or wait	2
3974	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_Classes	maximum allowed	success or wait	1
2161	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_CLASSES\PROTOCOLS\Name-Space Handler\	maximum allowed	object name not found	1
20147	HKEY_LOCAL_MACHINE\Software\Classes\PROTOCOLS\Name-Space Handler	maximum allowed	success or wait	1
19597	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_Classes\PROTOCOLS\Name-Space Handler	maximum allowed	object name not found	1
10969	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003	maximum allowed	success or wait	1
8120	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings	query value and read or execute	object name not found	2
24926	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings	query value and read or execute	success or wait	1
7824	HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings	query value and read or execute	object name not found	2
38930	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_PROTOCOL_LOCKDOWN	query value and enumerate sub key and notify and read or execute and write and read control	object name not found	2
13105	HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_PROTOCOL_LOCKDOWN	query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1
26555	HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\	query value and read or execute	object name not found	1
44734	HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl	query value and read or execute	object name not found	1
36521	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl	query value and read or execute	object name not found	1
285696	HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl	query value and read or execute	success or wait	1
36487	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Internet Explorer\Main\FeatureControl	query value and read or execute	object name not found	1
21303	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_IGNORE_POLICIES_ZONEMAP_IF_ESC_ENABLED_KB918915	query value and read or execute	object name not found	1
5168	HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\	query value and enumerate sub key and notify and read or execute and write and read control	object name not found	2
2158	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\	query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1
49870	HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\	query value and enumerate sub key and notify and read or execute and write and read control	object name not found	2
14487	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\	query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1
38918	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_UNC_SAVEDFILECHECK	query value and enumerate sub key and notify and read or execute and write and read control	object name not found	2
42646	HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_UNC_SAVEDFILECHECK	query value and enumerate sub key and notify and read or execute and write and read control	object name not found	2
20677	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\DRIVERS32	generic read	success or wait	1
20174	HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\MediaProperties\PrivateProperties\Joystick\Winmm	query value and set value and create sub key and enumerate sub key and notify and create link and read or execute and write and delete and read control and write dac and write owner	success or wait	1
150	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Control Panel\Mouse	query value and read or execute	success or wait	1
159	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\AutoIt v3\AutoIt	query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1
2055	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\uxtheme.dll	generic read	object name not found	1
5159	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003	query value and set value and create sub key and enumerate sub key and notify and read or execute and write and read control	success or wait	1
17546	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\ThemeManager	query value and read or execute	success or wait	1
18065	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Control Panel\Desktop	query value and read or execute	success or wait	1
184233	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer	query value and read or execute	success or wait	15
164740	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer	query value and read or execute	success or wait	15
12568	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Objects\{20D04FE0-3AEA-1069-A2D8-08002B30309D}	query value and read or execute	object name not found	1
11453	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_CLASSES\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32	query value and read or execute	object name not found	1
7509	HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32	query value and read or execute	success or wait	1
11437	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32	maximum allowed	object name not found	1
9974	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SETUPAPI.dll	generic read	object name not found	1
4032	HKEY_LOCAL_MACHINE\System\Setup	query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1
10159	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\MiniNT	query value and set value and create sub key and enumerate sub key and notify and create link and read or execute and write and delete and read control and write dac and write owner	object name not found	1
10183	HKEY_LOCAL_MACHINE\System\WPA\PnP	query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1
25023	HKEY_LOCAL_MACHINE\SYSTEM\Setup	query value and enumerate sub key and notify and read or execute and write and read control	success or wait	2
48028	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Setup	query value and enumerate sub key and notify and read or execute and write and read control	success or wait	4
3472	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion	query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1
8107	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Setup	query value and read or execute	success or wait	1
10151	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\AppLogLevels	query value and read or execute	object name not found	1
12948	HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\ComputerName\ActiveComputerName	query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1
25088	HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters	query value and enumerate sub key and notify and read or execute and write and read control	success or wait	2
2174	HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\System\DNSclient	query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1
24556	HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc\PagedBuffers	query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1
31964	HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc	query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1
2	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csrcs.exe\RpcThreadPoolThrottle	query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1
32562	HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Rpc	query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1
199052	HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\ComputerName	query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1
195916	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ComputerName\ActiveComputerName	query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1
87441	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume	maximum allowed	success or wait	7
9528	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{edc2bb10-b32c-11de-8127-806d6172696f}\	maximum allowed	success or wait	2
16080	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{edc2bb11-b32c-11de-8127-806d6172696f}\	maximum allowed	success or wait	2
55250	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{edc2bb13-b32c-11de-8127-806d6172696f}\	maximum allowed	success or wait	3
28070	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_CLASSES\Drive\shellex\FolderExtensions	enumerate sub key and read or execute	object name not found	1
4645	HKEY_LOCAL_MACHINE\Software\Classes\Drive\shellex\FolderExtensions	enumerate sub key and read or execute	success or wait	1
23452	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_Classes\Drive\shellex\FolderExtensions	maximum allowed	object name not found	1
5899	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_CLASSES\Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9}	query value and read or execute	object name not found	1
35736	HKEY_LOCAL_MACHINE\Software\Classes\Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9}	query value and read or execute	success or wait	1
3630	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_Classes\Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9}	maximum allowed	object name not found	1
8123	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_CLASSES\Directory	maximum allowed	object name not found	1
844	HKEY_LOCAL_MACHINE\Software\Classes\Directory	maximum allowed	success or wait	1
8133	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_Classes\Directory\CurVer	query value and read or execute	object name not found	1
9457	HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\CurVer	query value and read or execute	object name not found	1
47513	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_Classes\Directory	maximum allowed	object name not found	6
8125	HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\	maximum allowed	success or wait	1
7721	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer	maximum allowed	success or wait	1
14268	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\	maximum allowed	success or wait	1
7980	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Policies\System	query value and read or execute	object name not found	1
1076	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced	maximum allowed	success or wait	1
7784	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_Classes\Directory\ShellEx\IconHandler	query value and read or execute	object name not found	1
9019	HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\ShellEx\IconHandler	query value and read or execute	object name not found	1
7781	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_Classes\Directory\Clsid	query value and read or execute	object name not found	1
8988	HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\Clsid	query value and read or execute	object name not found	1
8680	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_CLASSES\Folder	maximum allowed	object name not found	1
8682	HKEY_LOCAL_MACHINE\Software\Classes\Folder	maximum allowed	success or wait	1
8556	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_Classes\Folder\Clsid	query value and read or execute	object name not found	1
9779	HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\Clsid	query value and read or execute	object name not found	1
727	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	maximum allowed	success or wait	1
544	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.exe	maximum allowed	object name not found	2
6455	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_CLASSES\.exe	maximum allowed	object name not found	1
959	HKEY_LOCAL_MACHINE\Software\Classes\.exe	maximum allowed	success or wait	1
10235	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_Classes\.exe	maximum allowed	object name not found	1
959	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_CLASSES\exefile	maximum allowed	object name not found	1
273	HKEY_LOCAL_MACHINE\Software\Classes\exefile	maximum allowed	success or wait	1
6571	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_Classes\exefile\CurVer	query value and read or execute	object name not found	1
4150	HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\CurVer	query value and read or execute	object name not found	1
18277	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_Classes\exefile	maximum allowed	object name not found	6
828	HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\	maximum allowed	success or wait	1
1947	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_Classes\exefile\ShellEx\IconHandler	query value and read or execute	object name not found	1
1624	HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\ShellEx\IconHandler	query value and read or execute	object name not found	1
3358	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_CLASSES\SystemFileAssociations\.exe	maximum allowed	object name not found	1
357	HKEY_LOCAL_MACHINE\Software\Classes\SystemFileAssociations\.exe	maximum allowed	object name not found	1
5266	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_CLASSES\SystemFileAssociations\application	maximum allowed	object name not found	1
1673	HKEY_LOCAL_MACHINE\Software\Classes\SystemFileAssociations\application	maximum allowed	object name not found	1
387	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_Classes\exefile\Clsid	query value and read or execute	object name not found	1
441	HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\Clsid	query value and read or execute	object name not found	1
6614	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_CLASSES\*	maximum allowed	object name not found	1
670	HKEY_LOCAL_MACHINE\Software\Classes\*	maximum allowed	success or wait	1
4495	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_Classes\*\Clsid	query value and read or execute	object name not found	1
4495	HKEY_LOCAL_MACHINE\SOFTWARE\Classes\*\Clsid	query value and read or execute	object name not found	1
20367	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSCTF.dll	generic read	object name not found	1
30	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\Compatibility\csrcs.exe	query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1
2146	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\SystemShared\	query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1
27570	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Keyboard Layout\Toggle	query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1
497	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\	query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1
14351	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\IMM	maximum allowed	success or wait	1
40996	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers	query value and enumerate sub key and notify and read or execute and write and read control	object name not found	2
2201	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msctfime.ime	generic read	object name not found	1
22435	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\SOFTWARE\Microsoft\CTF	maximum allowed	success or wait	1
18527	HKEY_LOCAL_MACHINE\Software\Microsoft\CTF\SystemShared	maximum allowed	success or wait	1

Key created
Reputation	Key Path	Access	Options	Completion	Count
394	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	query value and set value and create sub key and enumerate sub key and notify and read or execute and write and read control	non volatile	success or wait	1
905	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{edc2bb13-b32c-11de-8127-806d6172696f}\	maximum allowed	non volatile	success or wait	1
8013	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{edc2bb11-b32c-11de-8127-806d6172696f}\	maximum allowed	non volatile	success or wait	1
8027	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{edc2bb10-b32c-11de-8127-806d6172696f}\	maximum allowed	non volatile	success or wait	1

Key deleted
Reputation	Key Path	Completion	Count

Key value deleted
Reputation	Key Path	Key Value Name	Completion	Count

Key value set
Reputation	Key Path	Name	Type	Data	Completion	Count

Key value replaced with new
Reputation	Key Path	Name	Type	Old Data	New Data	Completion	Count

Key value replaced with same
Reputation	Key Path	Name	Type	Data	Completion	Count
7096	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{edc2bb13-b32c-11de-8127-806d6172696f}	BaseClass	String	Drive	success or wait	1
1424	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{edc2bb11-b32c-11de-8127-806d6172696f}	BaseClass	String	Drive	success or wait	1
7118	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{edc2bb10-b32c-11de-8127-806d6172696f}	BaseClass	String	Drive	success or wait	1

Key value queried
Reputation	Key Path	Name	Completion	Count
83709	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Terminal Server	TSAppCompat	success or wait	1
59209	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers	TransparentEnabled	success or wait	1
51204	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon	LeakTrack	object name not found	1
54359	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager	SafeDllSearchMode	object name not found	1
553	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize	DisableMetaFiles	object name not found	1
39787	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows	AppInit_DLLs	success or wait	1
60053	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Control Panel\Desktop	SmoothScroll	object name not found	1
27240	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced	EnableBalloonTips	object name not found	1
110591	HKEY_LOCAL_MACHINE\SYSTEM\Setup	SystemSetupInProgress	success or wait	1
43256	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager	CriticalSectionTimeout	success or wait	1
18328	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole	RWLockResourceTimeOut	object name not found	1
43293	HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface	InterfaceHelperDisableAll	object name not found	1
43246	HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface	InterfaceHelperDisableAllForOle32	object name not found	1
13463	HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface	InterfaceHelperDisableTypeLib	object name not found	1
26538	HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{00020400-0000-0000-C000-000000000046}	InterfaceHelperDisableAll	object name not found	1
43272	HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{00020400-0000-0000-C000-000000000046}	InterfaceHelperDisableAllForOle32	object name not found	1
60778	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon	UserEnvDebugLevel	object name not found	1
20236	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon	ChkAccDebugLevel	object name not found	1
21395	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ProductOptions	ProductType	success or wait	1
24760	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders	Personal	success or wait	1
19612	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders	Local Settings	success or wait	1
14577	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon	RsopDebugLevel	object name not found	1
60778	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon	UserEnvDebugLevel	object name not found	1
2754	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon	RsopLogging	object name not found	1
40492	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System	UserEnvDebugLevel	object name not found	1
8125	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System	RsopLogging	object name not found	1
60778	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon	UserEnvDebugLevel	object name not found	1
40492	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System	UserEnvDebugLevel	object name not found	1
2723	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	DisableImprovedZoneCheck	object name not found	1
2	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_PROTOCOL_LOCKDOWN	csrcs.exe	object name not found	1
18141	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_PROTOCOL_LOCKDOWN	*	object name not found	1
41537	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	wave	success or wait	1
41537	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	wave	success or wait	1
2812	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	wave1	object name not found	1
21255	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	wave2	object name not found	1
21240	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	wave3	object name not found	1
4270	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	wave4	object name not found	1
21261	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	wave5	object name not found	1
21209	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	wave6	object name not found	1
21218	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	wave7	object name not found	1
21223	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	wave8	object name not found	1
21210	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	wave9	object name not found	1
40478	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	midi	success or wait	1
40478	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	midi	success or wait	1
17523	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	midi1	object name not found	1
2725	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	midi2	object name not found	1
20470	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	midi3	object name not found	1
20480	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	midi4	object name not found	1
20484	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	midi5	object name not found	1
20477	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	midi6	object name not found	1
11356	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	midi7	object name not found	1
2722	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	midi8	object name not found	1
20444	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	midi9	object name not found	1
40474	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	aux	success or wait	1
40474	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	aux	success or wait	1
20271	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	aux1	object name not found	1
176	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	aux2	object name not found	1
2713	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	aux3	object name not found	1
4096	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	aux4	object name not found	1
20244	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	aux5	object name not found	1
20249	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	aux6	object name not found	1
2712	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	aux7	object name not found	1
20233	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	aux8	object name not found	1
20196	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	aux9	object name not found	1
20238	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\MediaProperties\PrivateProperties\Joystick\Winmm	wheel	success or wait	1
40583	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	mixer	success or wait	1
40583	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	mixer	success or wait	1
20237	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	mixer1	object name not found	1
2715	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	mixer2	object name not found	1
15856	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	mixer3	object name not found	1
2722	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	mixer4	object name not found	1
20235	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	mixer5	object name not found	1
20266	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	mixer6	object name not found	1
20222	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	mixer7	object name not found	1
20246	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	mixer8	object name not found	1
20283	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	mixer9	object name not found	1
151	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Control Panel\Mouse	SwapMouseButtons	success or wait	1
17643	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\ThemeManager	Compositing	object name not found	1
17652	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Control Panel\Desktop	LameButtonText	object name not found	1
1079	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer	NoNetHood	object name not found	1
9488	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer	NoNetHood	object name not found	1
9517	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer	NoPropertiesMyComputer	object name not found	1
9491	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer	NoPropertiesMyComputer	object name not found	1
9525	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer	NoInternetIcon	object name not found	1
9493	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer	NoInternetIcon	object name not found	1
7016	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer	NoCommonGroups	object name not found	1
1086	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer	NoCommonGroups	object name not found	1
8882	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer	NoControlPanel	object name not found	1
8861	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer	NoControlPanel	object name not found	1
8770	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer	NoSetFolders	object name not found	1
8738	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer	NoSetFolders	object name not found	1
11526	HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32	NULL	success or wait	1
110591	HKEY_LOCAL_MACHINE\SYSTEM\Setup	SystemSetupInProgress	success or wait	1
10220	HKEY_LOCAL_MACHINE\SYSTEM\WPA\PnP	seed	success or wait	1
25062	HKEY_LOCAL_MACHINE\SYSTEM\Setup	OsLoaderPath	success or wait	1
25062	HKEY_LOCAL_MACHINE\SYSTEM\Setup	OsLoaderPath	success or wait	1
11404	HKEY_LOCAL_MACHINE\SYSTEM\Setup	SystemPartition	success or wait	1
11404	HKEY_LOCAL_MACHINE\SYSTEM\Setup	SystemPartition	success or wait	1
20532	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup	SourcePath	success or wait	1
20532	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup	SourcePath	success or wait	1
20436	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup	ServicePackSourcePath	success or wait	1
20436	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup	ServicePackSourcePath	success or wait	1
5568	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup	ServicePackCachePath	success or wait	1
5568	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup	ServicePackCachePath	success or wait	1
2182	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup	DriverCachePath	success or wait	1
2182	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup	DriverCachePath	success or wait	1
7981	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion	DevicePath	success or wait	1
25181	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup	LogLevel	success or wait	1
25181	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup	LogLevel	success or wait	1
12504	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup	LogPath	object name not found	1
262517	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ComputerName\ActiveComputerName	ComputerName	success or wait	1
134788	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters	Hostname	success or wait	1
125958	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters	Domain	success or wait	1
32753	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc	MaxRpcSize	object name not found	1
262517	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ComputerName\ActiveComputerName	ComputerName	success or wait	1
8004	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{edc2bb10-b32c-11de-8127-806d6172696f}	Data	buffer overflow	1
7995	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{edc2bb10-b32c-11de-8127-806d6172696f}	Data	success or wait	1
8198	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{edc2bb10-b32c-11de-8127-806d6172696f}	Generation	success or wait	1
6150	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{edc2bb11-b32c-11de-8127-806d6172696f}	Data	buffer overflow	1
8006	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{edc2bb11-b32c-11de-8127-806d6172696f}	Data	success or wait	1
8212	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{edc2bb11-b32c-11de-8127-806d6172696f}	Generation	success or wait	1
7997	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{edc2bb13-b32c-11de-8127-806d6172696f}	Data	buffer overflow	1
8001	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{edc2bb13-b32c-11de-8127-806d6172696f}	Data	success or wait	1
47731	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{edc2bb13-b32c-11de-8127-806d6172696f}	Generation	success or wait	1
47731	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{edc2bb13-b32c-11de-8127-806d6172696f}	Generation	success or wait	1
37773	HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9}	DriveMask	success or wait	1
3709	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer	DontShowSuperHidden	object name not found	1
8685	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer	DontShowSuperHidden	object name not found	1
17128	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer	ShellState	success or wait	1
17128	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer	ShellState	success or wait	1
4212	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer	ForceActiveDesktopOn	object name not found	1
1035	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer	ForceActiveDesktopOn	object name not found	1
8316	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer	NoActiveDesktop	object name not found	1
1913	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer	NoActiveDesktop	object name not found	1
8341	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer	NoWebView	object name not found	1
1039	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer	NoWebView	object name not found	1
3775	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer	ClassicShell	object name not found	1
1048	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer	ClassicShell	object name not found	1
8318	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer	SeparateProcess	object name not found	1
8298	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer	SeparateProcess	object name not found	1
1735	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer	NoNetCrawling	object name not found	1
8327	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer	NoNetCrawling	object name not found	1
8332	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer	NoSimpleStartMenu	object name not found	1
8317	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer	NoSimpleStartMenu	object name not found	1
9056	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced	Hidden	success or wait	1
1071	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced	ShowCompColor	success or wait	1
5197	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced	HideFileExt	success or wait	1
8786	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced	DontPrettyPath	success or wait	1
8820	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced	ShowInfoTip	success or wait	1
1074	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced	HideIcons	success or wait	1
3925	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced	MapNetDrvBtn	success or wait	1
195	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced	WebView	success or wait	1
8806	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced	Filter	success or wait	1
4511	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced	ShowSuperHidden	success or wait	1
8790	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced	SeparateProcess	success or wait	1
8790	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced	NoNetCrawling	success or wait	1
9961	HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory	DocObject	object name not found	1
5838	HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory	BrowseInPlace	object name not found	1
951	HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory	IsShortcut	object name not found	1
3393	HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory	AlwaysShowExt	success or wait	1
9953	HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory	NeverShowExt	object name not found	1
641	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer	AllowFileCLSIDJunctions	object name not found	1
6059	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer	AllowFileCLSIDJunctions	object name not found	1
1980	HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.exe	NULL	success or wait	1
468	HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile	DocObject	object name not found	1
961	HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile	BrowseInPlace	object name not found	1
2501	HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile	IsShortcut	object name not found	1
3690	HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile	AlwaysShowExt	object name not found	1
3667	HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile	NeverShowExt	object name not found	1
29313	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\SystemShared	CUAS	success or wait	1
5920	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Keyboard Layout\Toggle	Language Hotkey	success or wait	1
5920	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Keyboard Layout\Toggle	Language Hotkey	success or wait	1
55768	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Keyboard Layout\Toggle	Layout Hotkey	success or wait	1
55768	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Keyboard Layout\Toggle	Layout Hotkey	success or wait	1
23596	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF	EnableAnchorContext	object name not found	1
14410	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IMM	Ime File	success or wait	1
22641	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\CTF	Disable Thread Input Manager	object name not found	1
29313	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\SystemShared	CUAS	success or wait	1

Mutant Activities:

Mutant opened
Reputation	Name	Completion	Count

Mutant created
Reputation	Name	Completion	Count
146640	no name	success or wait	3
20462	\BaseNamedObjects\CTF.LBES.MutexDefaultS-1-5-21-220523388-1935655697-1343024091-1003	object name exists	1
20442	\BaseNamedObjects\CTF.Compart.MutexDefaultS-1-5-21-220523388-1935655697-1343024091-1003	object name exists	1
2160	\BaseNamedObjects\CTF.Asm.MutexDefaultS-1-5-21-220523388-1935655697-1343024091-1003	object name exists	1
12591	\BaseNamedObjects\CTF.Layouts.MutexDefaultS-1-5-21-220523388-1935655697-1343024091-1003	object name exists	1
11406	\BaseNamedObjects\CTF.TMD.MutexDefaultS-1-5-21-220523388-1935655697-1343024091-1003	object name exists	1
2176	\BaseNamedObjects\CTF.TimListCache.FMPDefaultS-1-5-21-220523388-1935655697-1343024091-1003MUTEX.DefaultS-1-5-21-220523388-1935655697-1343024091-1003	object name exists	1
5	\BaseNamedObjects\df8g1sdf68g18er1g8re16	success or wait	1

Mutant released
Reputation	Name	Completion	Count

Process Activities:

Process started
Reputation	PID	Filepath	Cmdline	Flags	Completion	Count

Process opened
Reputation	PID	Access	Filepath	Cmdline	Completion	Count

Process suspended
Reputation	PID	Filepath	Cmdline	Completion	Count

Process terminated
Reputation	PID	Filepath	Completion	Count

Thread Activities:

Thread opened
Reputation	TID	PID	Filepath	Access	Completion	Count

Thread created
Reputation	TID	PID	EIP	Filepath	Access	Completion	Count
0	512	488	7C8106F9	C:\WINDOWS\system32\csrcs.exe	terminate and suspend resume and alert and get context and set context and set information and query information and set token and impersonate and direct impersonation	success or wait	1

Thread APC queued
Reputation	TID	PID	Path	Completion	Count

Thread context set
Reputation	TID	PID	DR0	DR1	DR2	DR3	DR7	EFLAGS	EIP	Completion	Count

Thread continue
Reputation	TID	DR0	DR1	DR2	DR3	DR7	EFLAGS	EIP	Completion	Count
161215	512	0	0	0	0	0	200	7C8106F9	no status	1
29735	1600	0	0	0	0	0	200	7C810705	no status	1

Thread context got
Reputation	TID	PID	DR0	DR1	DR2	DR3	DR7	EFLAGS	EIP	Completion	Count

Thread delayed
Reputation	TID	Delay	Completion	Count
28549800	5632	0s	success or wait	8879
5361	5632	0s	no status	1

Thread terminated
Reputation	TID	PID	Completion	Count

Memory Activities:

Memory read
Reputation	PID	Path	Base	Completion	Count

Memory written
Reputation	PID	Filepath	Base	Completion	Count

Driver Activities:

Driver loaded
Reputation	Service name path	Completion	Count

Driver unloaded
Reputation	Service name path	Completion	Count

System Activities:

System information set
Reputation	System info class	Data	Completion	Count

System information queried
Reputation	System info class	Completion	Count
1881168	BasicInformation	success or wait	4
47532	RangeStartInformation	success or wait	1
1881168	BasicInformation	success or wait	1
1881168	BasicInformation	success or wait	1
1881168	BasicInformation	success or wait	1
1881168	BasicInformation	success or wait	1
1881168	BasicInformation	success or wait	1
41192	ProcessorInformation	success or wait	5
1881168	BasicInformation	success or wait	2
1881168	BasicInformation	success or wait	1
1881168	BasicInformation	success or wait	1
1881168	BasicInformation	success or wait	1
1881168	BasicInformation	success or wait	1
8730	PerformanceInformation	success or wait	1
39019	CurrentTimeZoneInformation	success or wait	1

Time Activities:

Performance counter queried
Reputation	Count	Frequency	Completion	Count
1585156	1623785008	3579545	success or wait	1
1585156	1623786450	3579545	success or wait	1
1585156	1623818877	3579545	success or wait	1
1585156	1623819408	3579545	success or wait	1
1585156	1623825840	3579545	success or wait	1
1585156	1623883833	3579545	success or wait	1
1585156	1623946488	3579545	success or wait	1
1585156	1634944426	3579545	success or wait	1

System resolution queried
Reputation	Minimum resolution	Maximum resolution	Current resolution	Completion	Count
1	40244204340873008	5576704752533645104	430115204990768	success or wait	1

System time queried
Reputation	Time	Completion	Count
199861	129252592841812367	success or wait	1

User Activities:

Window created
Reputation	Window name	Class name	Completion	Count
170	AutoIt v3	AutoIt v3	success	1
222	6.0.2600.5512!Edit	edit	success	1

Window found
Reputation	Window name	Class name	Completion	Count
23050	no string	Shell_TrayWnd	success	7

Window hook set
Reputation	Module	Thread id	Hook code	Completion	Count
32955	C:\WINDOWS\system32\MSCTF.dll	1600	keyboard	success	1
3631	C:\WINDOWS\system32\MSCTF.dll	1600	mouse	success	1

Key async got
Reputation	Virtual key code	Key state	Count

Keyboard state got
Reputation	Completion	Count

Key state got
Reputation	Virtual key code	State	Count

Debug Activities:

System debug info set
Reputation	Debug info class	Input data	Output data	Completion	Count

Exception Activities:

Exception raised
Reputation	Exception code	Address	Completion	Count

Chronological sections
Operation	Data	Completion	Time
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csrcs.exe Access: generic read	object name not found	1623311594
System info queried	Type: BasicInformation	success or wait	1623313105
System info queried	Type: BasicInformation	success or wait	1623333147
Section opened	Access: map write and map read and map execute Baseaddress: 7C800000 Size: F6000 Mapped to pid: own pid Path: \KnownDlls\kernel32.dll	success or wait	1623347016
System info queried	Type: RangeStartInformation	success or wait	1623367617
System info queried	Type: BasicInformation	success or wait	1623368766
Section created	Access: query and map write and map read and map execute and extend size Protection: read write Attributes: reserve Path: not known Type: reserve Baseaddress: not known Entrypoint: not known Mapped to pid: own pid Size: 10000	success or wait	1623371861
System info queried	Type: BasicInformation	success or wait	1623390060
Key opened	Path: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server Access: query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1623393189
Key value queried	Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Terminal Server Name: TSAppCompat	success or wait	1623394596
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csrcs.exe Access: generic read	object name not found	1623396606
Section opened	Access: map read Baseaddress: 00070000 Size: 15DF4 Mapped to pid: own pid Path: \NLS\NlsSectionUnicode	success or wait	1623396908
Section opened	Access: map read Baseaddress: 00090000 Size: 40EDC Mapped to pid: own pid Path: \NLS\NlsSectionLocale	success or wait	1623401280
Section opened	Access: query and map read Baseaddress: 000E0000 Size: 40004 Mapped to pid: own pid Path: \NLS\NlsSectionSortkey	success or wait	1623415036
Section opened	Access: map read Baseaddress: 00130000 Size: 5A04 Mapped to pid: own pid Path: \NLS\NlsSectionSortTbls	success or wait	1623416947
Section opened	Access: map read Baseaddress: not known Size: not known Mapped to pid: own pid Path: \NLS\NlsSectionSortkey00000409	object name not found	1623418571
Section opened	Access: map read Baseaddress: not known Size: not known Mapped to pid: own pid Path: \NLS\NlsSectionSortkey00000409	object name not found	1623418786
Section opened	Access: map write and map read and map execute Baseaddress: 77DD0000 Size: 9B000 Mapped to pid: own pid Path: \KnownDlls\ADVAPI32.dll	success or wait	1623424736
Section opened	Access: map write and map read and map execute Baseaddress: 77E70000 Size: 92000 Mapped to pid: own pid Path: \KnownDlls\RPCRT4.dll	success or wait	1623442085
Section opened	Access: map write and map read and map execute Baseaddress: 77FE0000 Size: 11000 Mapped to pid: own pid Path: \KnownDlls\Secur32.dll	success or wait	1623469387
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots Access: enumerate sub key and read or execute	object name not found	1623500523
Section created	Access: query and map write and map read and map execute Protection: execute Attributes: image Path: not known Type: image Baseaddress: 773D0000 Entrypoint: 773D4256 Mapped to pid: own pid Size: 103000	success or wait	1623504156
Key opened	Path: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot\Option Access: query value and set value and read or execute and write	object name not found	1623505124
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Access: query value and read or execute	success or wait	1623505429
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers Name: TransparentEnabled	success or wait	1623505835
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Access: query value and read or execute	object name not found	1623506899
Section opened	Access: map write and map read and map execute Baseaddress: 77C10000 Size: 58000 Mapped to pid: own pid Path: \KnownDlls\msvcrt.dll	success or wait	1623508584
Section opened	Access: map write and map read and map execute Baseaddress: 77F10000 Size: 49000 Mapped to pid: own pid Path: \KnownDlls\GDI32.dll	success or wait	1623514082
Section opened	Access: map write and map read and map execute Baseaddress: 7E410000 Size: 91000 Mapped to pid: own pid Path: \KnownDlls\USER32.dll	success or wait	1623517480
Section opened	Access: map write and map read and map execute Baseaddress: 77F60000 Size: 76000 Mapped to pid: own pid Path: \KnownDlls\SHLWAPI.dll	success or wait	1623523935
Section opened	Access: map write and map read and map execute Baseaddress: 763B0000 Size: 49000 Mapped to pid: own pid Path: \KnownDlls\COMDLG32.dll	success or wait	1623535733
Section opened	Access: map write and map read and map execute Baseaddress: 7C9C0000 Size: 817000 Mapped to pid: own pid Path: \KnownDlls\SHELL32.dll	success or wait	1623557020
Section opened	Access: map write and map read and map execute Baseaddress: 71B20000 Size: 12000 Mapped to pid: own pid Path: \KnownDlls\MPR.dll	success or wait	1623572322
Section opened	Access: map write and map read and map execute Baseaddress: 774E0000 Size: 13D000 Mapped to pid: own pid Path: \KnownDlls\ole32.dll	success or wait	1623576429
Section opened	Access: map write and map read and map execute Baseaddress: 77120000 Size: 8B000 Mapped to pid: own pid Path: \KnownDlls\OLEAUT32.dll	success or wait	1623582794
Section opened	Access: map write and map read and map execute Baseaddress: not known Size: not known Mapped to pid: own pid Path: \KnownDlls\PSAPI.DLL	object name not found	1623591183
Section created	Access: query and map write and map read and map execute Protection: execute Attributes: image Path: not known Type: image Baseaddress: 76BF0000 Entrypoint: 76BF10F1 Mapped to pid: own pid Size: B000	success or wait	1623592158
Section opened	Access: map write and map read and map execute Baseaddress: 769C0000 Size: B4000 Mapped to pid: own pid Path: \KnownDlls\USERENV.dll	success or wait	1623602496
Section opened	Access: map write and map read and map execute Baseaddress: 77C00000 Size: 8000 Mapped to pid: own pid Path: \KnownDlls\VERSION.dll	success or wait	1623608455
Section opened	Access: map write and map read and map execute Baseaddress: 3D930000 Size: E6000 Mapped to pid: own pid Path: \KnownDlls\WININET.dll	success or wait	1623611461
Section opened	Access: map write and map read and map execute Baseaddress: 00140000 Size: 9000 Mapped to pid: own pid Path: \KnownDlls\Normaliz.dll	success or wait	1623616658
Section opened	Access: map write and map read and map execute Baseaddress: 78130000 Size: 132000 Mapped to pid: own pid Path: \KnownDlls\urlmon.dll	success or wait	1623622990
Section opened	Access: map write and map read and map execute Baseaddress: 3DFD0000 Size: 1E8000 Mapped to pid: own pid Path: \KnownDlls\iertutil.dll	success or wait	1623630690
Section opened	Access: map write and map read and map execute Baseaddress: not known Size: not known Mapped to pid: own pid Path: \KnownDlls\WINMM.dll	object name not found	1623639114
Section created	Access: query and map write and map read and map execute Protection: execute Attributes: image Path: not known Type: image Baseaddress: 76B40000 Entrypoint: 76B42B61 Mapped to pid: own pid Size: 2D000	success or wait	1623640047
Section opened	Access: map write and map read and map execute Baseaddress: not known Size: not known Mapped to pid: own pid Path: \KnownDlls\WSOCK32.dll	object name not found	1623645325
Section created	Access: query and map write and map read and map execute Protection: execute Attributes: image Path: not known Type: image Baseaddress: 71AD0000 Entrypoint: 71AD1039 Mapped to pid: own pid Size: 9000	success or wait	1623646261
Section opened	Access: map write and map read and map execute Baseaddress: not known Size: not known Mapped to pid: own pid Path: \KnownDlls\WS2_32.dll	object name not found	1623648364
Section created	Access: query and map write and map read and map execute Protection: execute Attributes: image Path: not known Type: image Baseaddress: 71AB0000 Entrypoint: 71AB1273 Mapped to pid: own pid Size: 17000	success or wait	1623649235
Section opened	Access: map write and map read and map execute Baseaddress: not known Size: not known Mapped to pid: own pid Path: \KnownDlls\WS2HELP.dll	object name not found	1623652952
Section created	Access: query and map write and map read and map execute Protection: execute Attributes: image Path: not known Type: image Baseaddress: 71AA0000 Entrypoint: 71AA1638 Mapped to pid: own pid Size: 8000	success or wait	1623653854
File read	Path: C:\WINDOWS\system32\csrcs.exe	success or wait	1623659706
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Secur32.dll Access: generic read	object name not found	1623668207
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RPCRT4.dll Access: generic read	object name not found	1623669032
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ADVAPI32.dll Access: generic read	object name not found	1623669301
Key opened	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Access: query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1623669711
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Name: LeakTrack	object name not found	1623669964
Key opened	Path: HKEY_LOCAL_MACHINE Access: maximum allowed	success or wait	1623670382
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Diagnostics Access: query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1623670748
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msvcrt.dll Access: generic read	object name not found	1623671146
System info queried	Type: BasicInformation	success or wait	1623671724
Section opened	Access: map read Baseaddress: 00160000 Size: 20C2 Mapped to pid: own pid Path: \NLS\NlsSectionCType	success or wait	1623673385
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\USER32.dll Access: generic read	object name not found	1623676541
System info queried	Type: BasicInformation	success or wait	1623676802
Key opened	Path: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager Access: query value and read or execute	success or wait	1623678386
Key value queried	Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager Name: SafeDllSearchMode	object name not found	1623678657
Section created	Access: map write and map read and map execute Protection: execute Attributes: commit Path: not known Type: commit Baseaddress: 00240000 Entrypoint: not known Mapped to pid: own pid Size: 1AE00	success or wait	1623679905
Section created	Access: map write and map read and map execute Protection: execute Attributes: commit Path: not known Type: commit Baseaddress: 00240000 Entrypoint: not known Mapped to pid: own pid Size: 1AE00	success or wait	1623681958
Section created	Access: query and map write and map read and map execute Protection: execute Attributes: image Path: not known Type: image Baseaddress: 76390000 Entrypoint: 763912C0 Mapped to pid: own pid Size: 1D000	success or wait	1623683762
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IMM32.DLL Access: generic read	object name not found	1623687821
System info queried	Type: BasicInformation	success or wait	1623687977
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ntdll.dll Access: generic read	object name not found	1623688959
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kernel32.dll Access: generic read	object name not found	1623689199
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GDI32.dll Access: generic read	object name not found	1623689434
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SHLWAPI.dll Access: generic read	object name not found	1623689722
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\COMCTL32.dll Access: generic read	object name not found	1623689961
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SHELL32.dll Access: generic read	object name not found	1623690197
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\COMDLG32.dll Access: generic read	object name not found	1623690431
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MPR.dll Access: generic read	object name not found	1623690665
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ole32.dll Access: generic read	object name not found	1623690898
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\OLEAUT32.dll Access: generic read	object name not found	1623691260
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PSAPI.DLL Access: generic read	object name not found	1623691497
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\USERENV.dll Access: generic read	object name not found	1623691732
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\VERSION.dll Access: generic read	object name not found	1623691965
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Normaliz.dll Access: generic read	object name not found	1623692198
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iertutil.dll Access: generic read	object name not found	1623692431
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\urlmon.dll Access: generic read	object name not found	1623692667
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WININET.dll Access: generic read	object name not found	1623692900
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WINMM.dll Access: generic read	object name not found	1623693132
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WS2HELP.dll Access: generic read	object name not found	1623693400
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WS2_32.dll Access: generic read	object name not found	1623693636
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WSOCK32.dll Access: generic read	object name not found	1623694573
Key opened	Path: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Error Message Instrument\ Access: query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1623695119
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize Access: query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1623695525
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize Name: DisableMetaFiles	object name not found	1623695745
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows Access: query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1623699277
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Name: AppInit_DLLs	success or wait	1623699524
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Performance Access: maximum allowed	object name not found	1623701423
Section created	Access: map write and map read and map execute Protection: execute Attributes: commit Path: not known Type: commit Baseaddress: 00370000 Entrypoint: not known Mapped to pid: own pid Size: 2ED	success or wait	1623704180
File opened	Path: C:\WINDOWS\WindowsShell.Manifest Access: read attributes and synchronize and generic read Disposition: open Options: synchronous io non alert and non directory file Attributes: none	success or wait	1623705896
Section created	Access: query and map read Protection: readonly Attributes: commit Path: not known Type: commit Baseaddress: 00370000 Entrypoint: not known Mapped to pid: own pid Size: 2ED	success or wait	1623706232
Section created	Access: map read Protection: readonly Attributes: commit Path: not known Type: commit Baseaddress: 00370000 Entrypoint: not known Mapped to pid: own pid Size: 2ED	success or wait	1623707604
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003 Access: query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1623721828
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Control Panel\Desktop Access: query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1623722787
Key value queried	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Control Panel\Desktop Name: SmoothScroll	object name not found	1623723003
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\software\Microsoft\Windows\CurrentVersion\Explorer\Advanced Access: query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1623724050
Key value queried	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced Name: EnableBalloonTips	object name not found	1623724307
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\LanguagePack Access: query value and read or execute	success or wait	1623725081
Key opened	Path: HKEY_LOCAL_MACHINE\SYSTEM\Setup Access: query value and read or execute	success or wait	1623729375
Key value queried	Path: HKEY_LOCAL_MACHINE\SYSTEM\Setup Name: SystemSetupInProgress	success or wait	1623729625
Section created	Access: map read Protection: readonly Attributes: commit Path: not known Type: commit Baseaddress: 00FF0000 Entrypoint: not known Mapped to pid: own pid Size: 811C00	success or wait	1623732136
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots Access: enumerate sub key and read or execute	object name not found	1623750636
Key opened	Path: HKEY_LOCAL_MACHINE\system\CurrentControlSet\control\NetworkProvider\HwOrder Access: query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1623753867
System info queried	Type: BasicInformation	success or wait	1623757172
System info queried	Type: ProcessorInformation	success or wait	1623757324
Key opened	Path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager Access: query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1623757715
Key value queried	Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager Name: CriticalSectionTimeout	success or wait	1623757965
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Ole Access: query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1623758388
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole Name: RWLockResourceTimeOut	object name not found	1623758634
System info queried	Type: BasicInformation	success or wait	1623758986
System info queried	Type: ProcessorInformation	success or wait	1623759140
System info queried	Type: BasicInformation	success or wait	1623759278
System info queried	Type: ProcessorInformation	success or wait	1623759430
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Classes\Interface Access: query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1623759647
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface Name: InterfaceHelperDisableAll	object name not found	1623759911
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface Name: InterfaceHelperDisableAllForOle32	object name not found	1623760089
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface Name: InterfaceHelperDisableTypeLib	object name not found	1623760262
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Classes\Interface\{00020400-0000-0000-C000-000000000046} Access: query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1623760569
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{00020400-0000-0000-C000-000000000046} Name: InterfaceHelperDisableAll	object name not found	1623760819
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{00020400-0000-0000-C000-000000000046} Name: InterfaceHelperDisableAllForOle32	object name not found	1623760996
Key opened	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLEAUT Access: query value and read or execute	object name not found	1623761648
Key opened	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLEAUT\UserEra Access: query value and enumerate sub key and read or execute	object name not found	1623767553
Key opened	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLEAUT Access: query value and read or execute	object name not found	1623768144
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\winlogon Access: maximum allowed	success or wait	1623769729
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Name: UserEnvDebugLevel	object name not found	1623770352
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\winlogon Access: maximum allowed	success or wait	1623770949
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Name: ChkAccDebugLevel	object name not found	1623771557
Key opened	Path: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\ProductOptions Access: query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1623772231
Key value queried	Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ProductOptions Name: ProductType	success or wait	1623772687
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003 Access: query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1623777596
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders Access: query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1623777984
Key value queried	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders Name: Personal	success or wait	1623778325
Key value queried	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders Name: Local Settings	success or wait	1623778714
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\winlogon Access: maximum allowed	success or wait	1623780524
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Name: RsopDebugLevel	object name not found	1623780763
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\winlogon Access: maximum allowed	success or wait	1623781195
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Name: UserEnvDebugLevel	object name not found	1623781406
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Name: RsopLogging	object name not found	1623781672
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System Access: maximum allowed	success or wait	1623782076
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System Name: UserEnvDebugLevel	object name not found	1623782560
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System Name: RsopLogging	object name not found	1623782855
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\winlogon Access: maximum allowed	success or wait	1623783279
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Name: UserEnvDebugLevel	object name not found	1623783499
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System Access: maximum allowed	success or wait	1623783923
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System Name: UserEnvDebugLevel	object name not found	1623784136
Performance counter queried	Count: 1623785008 Frequency: 3579545	success or wait	1623784985
Performance counter queried	Count: 1623786450 Frequency: 3579545	success or wait	1623786429
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots Access: enumerate sub key and read or execute	object name not found	1623805908
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_Classes Access: maximum allowed	success or wait	1623809687
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_CLASSES\PROTOCOLS\Name-Space Handler\ Access: maximum allowed	object name not found	1623810645
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Classes\PROTOCOLS\Name-Space Handler Access: maximum allowed	success or wait	1623810869
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_Classes\PROTOCOLS\Name-Space Handler Access: maximum allowed	object name not found	1623812300
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003 Access: maximum allowed	success or wait	1623814240
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings Access: query value and read or execute	object name not found	1623814628
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings Access: query value and read or execute	object name not found	1623814841
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings Access: query value and read or execute	success or wait	1623815049
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings Name: DisableImprovedZoneCheck	object name not found	1623815350
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings Access: query value and read or execute	object name not found	1623816014
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_PROTOCOL_LOCKDOWN Access: query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1623818015
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_PROTOCOL_LOCKDOWN Access: query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1623818279
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_PROTOCOL_LOCKDOWN Access: query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1623818536
Performance counter queried	Count: 1623818877 Frequency: 3579545	success or wait	1623818854
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_PROTOCOL_LOCKDOWN Name: csrcs.exe	object name not found	1623819083
Performance counter queried	Count: 1623819408 Frequency: 3579545	success or wait	1623819385
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_PROTOCOL_LOCKDOWN Name: *	object name not found	1623819611
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ Access: query value and read or execute	object name not found	1623820393
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings Access: query value and read or execute	object name not found	1623820654
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl Access: query value and read or execute	object name not found	1623820881
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl Access: query value and read or execute	object name not found	1623821106
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl Access: query value and read or execute	success or wait	1623822035
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Internet Explorer\Main\FeatureControl Access: query value and read or execute	object name not found	1623822305
Key opened	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_IGNORE_POLICIES_ZONEMAP_IF_ESC_ENABLED_KB918915 Access: query value and read or execute	object name not found	1623822530
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ Access: query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1623822877
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ Access: query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1623823102
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ Access: query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1623823322
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ Access: query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1623823544
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ Access: query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1623823767
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ Access: query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1623823985
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_UNC_SAVEDFILECHECK Access: query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1623824247
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_UNC_SAVEDFILECHECK Access: query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1623824506
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_UNC_SAVEDFILECHECK Access: query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1623824766
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_UNC_SAVEDFILECHECK Access: query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1623825026
Performance counter queried	Count: 1623825840 Frequency: 3579545	success or wait	1623825817
System info queried	Type: BasicInformation	success or wait	1623827192
File overwritten	Path: WMIDataDevice Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: normal	success or wait	1623828910
File overwritten	Path: WMIDataDevice Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: normal	success or wait	1623830386
Thread created	Access: terminate and suspend resume and alert and get context and set context and set information and query information and set token and impersonate and direct impersonation PID: 488 TID: 512 EIP: 7C8106F9 Imagepath: C:\WINDOWS\system32\csrcs.exe	success or wait	1623833216
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots Access: enumerate sub key and read or execute	object name not found	1623852779
Key created	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings Access: query value and set value and create sub key and enumerate sub key and notify and read or execute and write and read control Options: non volatile	success or wait	1623855140
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\DRIVERS32 Access: generic read	success or wait	1623856347
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: wave	success or wait	1623856578
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: wave	success or wait	1623857908
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: wave1	object name not found	1623858440
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: wave2	object name not found	1623858967
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: wave3	object name not found	1623859486
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: wave4	object name not found	1623860011
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: wave5	object name not found	1623860531
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: wave6	object name not found	1623861093
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: wave7	object name not found	1623861616
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: wave8	object name not found	1623862139
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: wave9	object name not found	1623862658
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: midi	success or wait	1623863181
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: midi	success or wait	1623863720
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: midi1	object name not found	1623864249
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: midi2	object name not found	1623864806
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: midi3	object name not found	1623865331
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: midi4	object name not found	1623865851
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: midi5	object name not found	1623866373
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: midi6	object name not found	1623866892
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: midi7	object name not found	1623867414
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: midi8	object name not found	1623867933
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: midi9	object name not found	1623868596
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: aux	success or wait	1623869370
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: aux	success or wait	1623869909
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: aux1	object name not found	1623870435
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: aux2	object name not found	1623870955
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: aux3	object name not found	1623871472
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: aux4	object name not found	1623872032
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: aux5	object name not found	1623872554
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: aux6	object name not found	1623873013
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: aux7	object name not found	1623874201
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: aux8	object name not found	1623874724
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: aux9	object name not found	1623875479
Key opened	Path: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\MediaProperties\PrivateProperties\Joystick\Winmm Access: query value and set value and create sub key and enumerate sub key and notify and create link and read or execute and write and delete and read control and write dac and write owner	success or wait	1623876060
Key value queried	Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\MediaProperties\PrivateProperties\Joystick\Winmm Name: wheel	success or wait	1623876387
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: mixer	success or wait	1623877020
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: mixer	success or wait	1623877553
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: mixer1	object name not found	1623878076
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: mixer2	object name not found	1623878594
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: mixer3	object name not found	1623879155
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: mixer4	object name not found	1623879673
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: mixer5	object name not found	1623880193
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: mixer6	object name not found	1623880710
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: mixer7	object name not found	1623881232
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: mixer8	object name not found	1623881748
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: mixer9	object name not found	1623882543
System info queried	Type: BasicInformation	success or wait	1623883299
System info queried	Type: ProcessorInformation	success or wait	1623883562
Performance counter queried	Count: 1623883833 Frequency: 3579545	success or wait	1623883810
Thread continue	TID: 512 DR0: 0 DR1: 0 DR2: 0 DR3: 0 DR7: 0 EIP: 7C8106F9 EFLAGS: 200	no status	1623885080
Thread continue	TID: 1600 DR0: 0 DR1: 0 DR2: 0 DR3: 0 DR7: 0 EIP: 7C810705 EFLAGS: 200	no status	1623889453
Performance counter queried	Count: 1623946488 Frequency: 3579545	success or wait	1623946465
System info queried	Type: BasicInformation	success or wait	1623946623
System info queried	Type: BasicInformation	success or wait	1623952507
System info queried	Type: ProcessorInformation	success or wait	1623952637
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Control Panel\Mouse Access: query value and read or execute	success or wait	1623955154
Key value queried	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Control Panel\Mouse Name: SwapMouseButtons	success or wait	1623955437
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\AutoIt v3\AutoIt Access: query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1623959898
Section opened	Access: map write and map read and map execute Baseaddress: not known Size: not known Mapped to pid: own pid Path: \KnownDlls\uxtheme.dll	object name not found	1623961727
Section created	Access: query and map write and map read and map execute Protection: execute Attributes: image Path: not known Type: image Baseaddress: 5AD70000 Entrypoint: 5AD71626 Mapped to pid: own pid Size: 38000	success or wait	1623962733
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\uxtheme.dll Access: generic read	object name not found	1623967869
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003 Access: query value and set value and create sub key and enumerate sub key and notify and read or execute and write and read control	success or wait	1623969188
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\ThemeManager Access: query value and read or execute	success or wait	1623969465
Key value queried	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\ThemeManager Name: Compositing	object name not found	1623969711
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003 Access: query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1623971097
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Control Panel\Desktop Access: query value and read or execute	success or wait	1623971361
Key value queried	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Control Panel\Desktop Name: LameButtonText	object name not found	1623971592
File opened	Path: C:\WINDOWS\system32\csrcs.exe Access: read attributes and synchronize and generic read Disposition: open Options: synchronous io non alert and non directory file Attributes: normal	success or wait	1623974666
File read	Path: C:\WINDOWS\system32\csrcs.exe	success or wait	1623975211
File other operation	Disposition: PositionInformation Data: 00 00 01 00 00 00 00 00 Path: C:\WINDOWS\system32\csrcs.exe	success or wait	1624023955
File other operation	Disposition: PositionInformation Data: EC FF 00 00 00 00 00 00 Path: C:\WINDOWS\system32\csrcs.exe	success or wait	1624024182
File read	Path: C:\WINDOWS\system32\csrcs.exe	success or wait	1624024433
File other operation	Disposition: PositionInformation Data: EC FF 01 00 00 00 00 00 Path: C:\WINDOWS\system32\csrcs.exe	success or wait	1624071435
File other operation	Disposition: PositionInformation Data: D8 FF 01 00 00 00 00 00 Path: C:\WINDOWS\system32\csrcs.exe	success or wait	1624071718
File read	Path: C:\WINDOWS\system32\csrcs.exe	success or wait	1624072056
File other operation	Disposition: PositionInformation Data: D8 FF 02 00 00 00 00 00 Path: C:\WINDOWS\system32\csrcs.exe	success or wait	1625415776
File other operation	Disposition: PositionInformation Data: C4 FF 02 00 00 00 00 00 Path: C:\WINDOWS\system32\csrcs.exe	success or wait	1625417983
File read	Path: C:\WINDOWS\system32\csrcs.exe	success or wait	1625418167
File other operation	Disposition: PositionInformation Data: C4 FF 03 00 00 00 00 00 Path: C:\WINDOWS\system32\csrcs.exe	success or wait	1625467579
File other operation	Disposition: PositionInformation Data: B0 FF 03 00 00 00 00 00 Path: C:\WINDOWS\system32\csrcs.exe	success or wait	1625467733
File read	Path: C:\WINDOWS\system32\csrcs.exe	success or wait	1625467921
File other operation	Disposition: PositionInformation Data: B0 FF 04 00 00 00 00 00 Path: C:\WINDOWS\system32\csrcs.exe	success or wait	1625517161
File other operation	Disposition: PositionInformation Data: 9C FF 04 00 00 00 00 00 Path: C:\WINDOWS\system32\csrcs.exe	success or wait	1625517315
File read	Path: C:\WINDOWS\system32\csrcs.exe	success or wait	1625518557
File other operation	Disposition: PositionInformation Data: 14 C8 05 00 00 00 00 00 Path: C:\WINDOWS\system32\csrcs.exe	success or wait	1625572224
File read	Path: C:\WINDOWS\system32\csrcs.exe	success or wait	1625573046
File other operation	Disposition: PositionInformation Data: 14 D8 05 00 00 00 00 00 Path: C:\WINDOWS\system32\csrcs.exe	success or wait	1625578345
File other operation	Disposition: PositionInformation Data: 28 C8 05 00 00 00 00 00 Path: C:\WINDOWS\system32\csrcs.exe	success or wait	1625578530
File read	Path: C:\WINDOWS\system32\csrcs.exe	success or wait	1625580010
File other operation	Disposition: PositionInformation Data: 28 CA 05 00 00 00 00 00 Path: C:\WINDOWS\system32\csrcs.exe	success or wait	1625580767
File other operation	Disposition: PositionInformation Data: B9 C8 05 00 00 00 00 00 Path: C:\WINDOWS\system32\csrcs.exe	success or wait	1625581863
File read	Path: C:\WINDOWS\system32\csrcs.exe	success or wait	1625582045
File other operation	Disposition: PositionInformation Data: B9 CA 05 00 00 00 00 00 Path: C:\WINDOWS\system32\csrcs.exe	success or wait	1625583892
File other operation	Disposition: PositionInformation Data: 77 7A 08 00 00 00 00 00 Path: C:\WINDOWS\system32\csrcs.exe	success or wait	1625584039
File read	Path: C:\WINDOWS\system32\csrcs.exe	success or wait	1625584220
File other operation	Disposition: PositionInformation Data: 77 7C 08 00 00 00 00 00 Path: C:\WINDOWS\system32\csrcs.exe	success or wait	1625585888
File other operation	Disposition: PositionInformation Data: 1A 7B 08 00 00 00 00 00 Path: C:\WINDOWS\system32\csrcs.exe	success or wait	1625586033
File read	Path: C:\WINDOWS\system32\csrcs.exe	success or wait	1625588157
File other operation	Disposition: PositionInformation Data: 1A 7D 08 00 00 00 00 00 Path: C:\WINDOWS\system32\csrcs.exe	success or wait	1625588814
File other operation	Disposition: PositionInformation Data: 46 C6 08 00 00 00 00 00 Path: C:\WINDOWS\system32\csrcs.exe	success or wait	1625588958
File read	Path: C:\WINDOWS\system32\csrcs.exe	success or wait	1625589136
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer Access: query value and read or execute	success or wait	1625602881
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer Name: NoNetHood	object name not found	1625603505
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer Access: query value and read or execute	success or wait	1625605029
Key value queried	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer Name: NoNetHood	object name not found	1625605413
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer Access: query value and read or execute	success or wait	1625607918
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer Name: NoPropertiesMyComputer	object name not found	1625608176
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer Access: query value and read or execute	success or wait	1625609543
Key value queried	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer Name: NoPropertiesMyComputer	object name not found	1625609791
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer Access: query value and read or execute	success or wait	1625611414
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer Name: NoInternetIcon	object name not found	1625612596
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer Access: query value and read or execute	success or wait	1625613025
Key value queried	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer Name: NoInternetIcon	object name not found	1625614177
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer Access: query value and read or execute	success or wait	1625616647
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer Name: NoCommonGroups	object name not found	1625617765
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer Access: query value and read or execute	success or wait	1625618200
Key value queried	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer Name: NoCommonGroups	object name not found	1625619468
Key opened	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Objects\{20D04FE0-3AEA-1069-A2D8-08002B30309D} Access: query value and read or execute	object name not found	1625620468
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer Access: query value and read or execute	success or wait	1625622008
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer Name: NoControlPanel	object name not found	1625623249
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer Access: query value and read or execute	success or wait	1625623775
Key value queried	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer Name: NoControlPanel	object name not found	1625624952
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer Access: query value and read or execute	success or wait	1625626764
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer Name: NoSetFolders	object name not found	1625627918
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer Access: query value and read or execute	success or wait	1625628439
Key value queried	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer Name: NoSetFolders	object name not found	1625629515
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_CLASSES\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32 Access: query value and read or execute	object name not found	1625632699
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32 Access: query value and read or execute	success or wait	1625632959
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32 Access: maximum allowed	object name not found	1625636541
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32 Name: NULL	success or wait	1625637620
Section opened	Access: map write and map read and map execute Baseaddress: not known Size: not known Mapped to pid: own pid Path: \KnownDlls\SETUPAPI.dll	object name not found	1625642214
Section created	Access: query and map write and map read and map execute Protection: execute Attributes: image Path: not known Type: image Baseaddress: 77920000 Entrypoint: 7792159A Mapped to pid: own pid Size: F3000	success or wait	1625644399
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SETUPAPI.dll Access: generic read	object name not found	1625659069
Key opened	Path: HKEY_LOCAL_MACHINE\System\Setup Access: query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1625661836
Key value queried	Path: HKEY_LOCAL_MACHINE\SYSTEM\Setup Name: SystemSetupInProgress	success or wait	1625662215
Key opened	Path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\MiniNT Access: query value and set value and create sub key and enumerate sub key and notify and create link and read or execute and write and delete and read control and write dac and write owner	object name not found	1625663740
Key opened	Path: HKEY_LOCAL_MACHINE\System\WPA\PnP Access: query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1625664032
Key value queried	Path: HKEY_LOCAL_MACHINE\SYSTEM\WPA\PnP Name: seed	success or wait	1625665237
Key opened	Path: HKEY_LOCAL_MACHINE\SYSTEM\Setup Access: query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1625668175
Key value queried	Path: HKEY_LOCAL_MACHINE\SYSTEM\Setup Name: OsLoaderPath	success or wait	1625668482
Key value queried	Path: HKEY_LOCAL_MACHINE\SYSTEM\Setup Name: OsLoaderPath	success or wait	1625669689
Key opened	Path: HKEY_LOCAL_MACHINE\SYSTEM\Setup Access: query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1625670228
Key value queried	Path: HKEY_LOCAL_MACHINE\SYSTEM\Setup Name: SystemPartition	success or wait	1625671329
Key value queried	Path: HKEY_LOCAL_MACHINE\SYSTEM\Setup Name: SystemPartition	success or wait	1625671664
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Setup Access: query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1625673419
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup Name: SourcePath	success or wait	1625673712
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup Name: SourcePath	success or wait	1625674073
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Setup Access: query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1625675468
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup Name: ServicePackSourcePath	success or wait	1625675780
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup Name: ServicePackSourcePath	success or wait	1625676993
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Setup Access: query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1625677533
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup Name: ServicePackCachePath	success or wait	1625678651
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup Name: ServicePackCachePath	success or wait	1625678985
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Setup Access: query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1625680589
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup Name: DriverCachePath	success or wait	1625680879
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup Name: DriverCachePath	success or wait	1625681215
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion Access: query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1625682662
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion Name: DevicePath	success or wait	1625683003
Mutant created	Name: no name	success or wait	1625684794
Mutant created	Name: no name	success or wait	1625686199
Mutant created	Name: no name	success or wait	1625687662
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Setup Access: query value and read or execute	success or wait	1625688120
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup Name: LogLevel	success or wait	1625688417
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup Name: LogLevel	success or wait	1625689640
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup Name: LogPath	object name not found	1625690171
Key opened	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\AppLogLevels Access: query value and read or execute	object name not found	1625690535
Key opened	Path: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\ComputerName\ActiveComputerName Access: query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1625692514
Key value queried	Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ComputerName\ActiveComputerName Name: ComputerName	success or wait	1625693814
Key opened	Path: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters Access: query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1625694361
Key value queried	Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters Name: Hostname	success or wait	1625695573
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\System\DNSclient Access: query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1625696110
Key opened	Path: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters Access: query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1625697311
Key value queried	Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters Name: Domain	success or wait	1625697592
System info queried	Type: BasicInformation	success or wait	1625699788
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc\PagedBuffers Access: query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1625700235
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc Access: query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1625700836
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc Name: MaxRpcSize	object name not found	1625701582
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csrcs.exe\RpcThreadPoolThrottle Access: query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1625703482
System time queried	Time: 129252592841812367	success or wait	1625705347
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Rpc Access: query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1625706115
System info queried	Type: PerformanceInformation	success or wait	1625707312
Key opened	Path: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\ComputerName Access: query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1625711498
Key opened	Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ComputerName\ActiveComputerName Access: query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1625711843
Key value queried	Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ComputerName\ActiveComputerName Name: ComputerName	success or wait	1625712132
File opened	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	success or wait	1625719319
File other operation	Disposition: PipeInformation Data: 01 00 00 00 00 00 00 00 Path: \Device\NamedPipe\lsass	success or wait	1625719743
File other operation	Disposition: CompletionInformation Data: EC 00 00 00 00 00 FF FF Path: \Device\NamedPipe\lsass	success or wait	1625719989
File write	Path: \Device\NamedPipe\lsass	success or wait	1625721399
File read	Path: \Device\NamedPipe\lsass	success or wait	1625721858
File opened	Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none	success or wait	1625732482
File other operation	Disposition: PipeInformation Data: 01 00 00 00 00 00 00 00 Path: \Device\NamedPipe\lsass	success or wait	1625732867
File other operation	Disposition: CompletionInformation Data: EC 00 00 00 00 00 FF FF Path: \Device\NamedPipe\lsass	success or wait	1625733974
File write	Path: \Device\NamedPipe\lsass	success or wait	1625734508
File read	Path: \Device\NamedPipe\lsass	success or wait	1625735762
File overwritten	Path: MountPointManager Access: read attributes and synchronize Disposition: open Options: synchronous io non alert and non directory file Attributes: normal	success or wait	1625772112
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume Access: maximum allowed	success or wait	1625780000
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{edc2bb10-b32c-11de-8127-806d6172696f}\ Access: maximum allowed	success or wait	1625780334
Key value queried	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{edc2bb10-b32c-11de-8127-806d6172696f} Name: Data	buffer overflow	1625781840
Key value queried	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{edc2bb10-b32c-11de-8127-806d6172696f} Name: Data	success or wait	1625782144
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume Access: maximum allowed	success or wait	1625783998
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{edc2bb10-b32c-11de-8127-806d6172696f}\ Access: maximum allowed	success or wait	1625784344
Key value queried	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{edc2bb10-b32c-11de-8127-806d6172696f} Name: Generation	success or wait	1625785646
File overwritten	Path: MountPointManager Access: read attributes and synchronize Disposition: open Options: synchronous io non alert and non directory file Attributes: normal	success or wait	1625792629
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume Access: maximum allowed	success or wait	1625797097
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{edc2bb11-b32c-11de-8127-806d6172696f}\ Access: maximum allowed	success or wait	1625797448
Key value queried	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{edc2bb11-b32c-11de-8127-806d6172696f} Name: Data	buffer overflow	1625798832
Key value queried	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{edc2bb11-b32c-11de-8127-806d6172696f} Name: Data	success or wait	1625799137
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume Access: maximum allowed	success or wait	1625800876
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{edc2bb11-b32c-11de-8127-806d6172696f}\ Access: maximum allowed	success or wait	1625801192
Key value queried	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{edc2bb11-b32c-11de-8127-806d6172696f} Name: Generation	success or wait	1625802645
File overwritten	Path: MountPointManager Access: read attributes and synchronize Disposition: open Options: synchronous io non alert and non directory file Attributes: normal	success or wait	1625809778
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume Access: maximum allowed	success or wait	1625813547
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{edc2bb13-b32c-11de-8127-806d6172696f}\ Access: maximum allowed	success or wait	1625814796
Key value queried	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{edc2bb13-b32c-11de-8127-806d6172696f} Name: Data	buffer overflow	1625815229
Key value queried	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{edc2bb13-b32c-11de-8127-806d6172696f} Name: Data	success or wait	1625816514
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume Access: maximum allowed	success or wait	1625817370
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{edc2bb13-b32c-11de-8127-806d6172696f}\ Access: maximum allowed	success or wait	1625818581
Key value queried	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{edc2bb13-b32c-11de-8127-806d6172696f} Name: Generation	success or wait	1625819006
File overwritten	Path: MountPointManager Access: read attributes and synchronize Disposition: open Options: synchronous io non alert and non directory file Attributes: normal	success or wait	1625822248
File overwritten	Path: MountPointManager Access: read attributes and synchronize Disposition: open Options: synchronous io non alert and non directory file Attributes: normal	success or wait	1625826292
Key created	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{edc2bb13-b32c-11de-8127-806d6172696f}\ Access: maximum allowed Options: non volatile	success or wait	1625830010
Key value set	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{edc2bb13-b32c-11de-8127-806d6172696f} Name: BaseClass Type: String Data: Drive	success or wait	1625830446
File overwritten	Path: MountPointManager Access: read attributes and synchronize Disposition: open Options: synchronous io non alert and non directory file Attributes: normal	success or wait	1625831910
File overwritten	Path: MountPointManager Access: read attributes and synchronize Disposition: open Options: synchronous io non alert and non directory file Attributes: normal	success or wait	1625836550
Key created	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{edc2bb11-b32c-11de-8127-806d6172696f}\ Access: maximum allowed Options: non volatile	success or wait	1625841077
Key value set	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{edc2bb11-b32c-11de-8127-806d6172696f} Name: BaseClass Type: String Data: Drive	success or wait	1625841427
File overwritten	Path: MountPointManager Access: read attributes and synchronize Disposition: open Options: synchronous io non alert and non directory file Attributes: normal	success or wait	1625842883
File overwritten	Path: MountPointManager Access: read attributes and synchronize Disposition: open Options: synchronous io non alert and non directory file Attributes: normal	success or wait	1626843689
Key created	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{edc2bb10-b32c-11de-8127-806d6172696f}\ Access: maximum allowed Options: non volatile	success or wait	1626853609
Key value set	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{edc2bb10-b32c-11de-8127-806d6172696f} Name: BaseClass Type: String Data: Drive	success or wait	1626854227
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume Access: maximum allowed	success or wait	1626856957
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{edc2bb13-b32c-11de-8127-806d6172696f}\ Access: maximum allowed	success or wait	1626865647
Key value queried	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{edc2bb13-b32c-11de-8127-806d6172696f} Name: Generation	success or wait	1626866180
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_CLASSES\Drive\shellex\FolderExtensions Access: enumerate sub key and read or execute	object name not found	1626868730
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Classes\Drive\shellex\FolderExtensions Access: enumerate sub key and read or execute	success or wait	1626876910
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_Classes\Drive\shellex\FolderExtensions Access: maximum allowed	object name not found	1626887654
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_CLASSES\Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9} Access: query value and read or execute	object name not found	1626900024
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Classes\Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9} Access: query value and read or execute	success or wait	1626900296
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_Classes\Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9} Access: maximum allowed	object name not found	1626911161
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9} Name: DriveMask	success or wait	1626911367
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_CLASSES\Directory Access: maximum allowed	object name not found	1626926523
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Classes\Directory Access: maximum allowed	success or wait	1626928630
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_Classes\Directory\CurVer Access: query value and read or execute	object name not found	1626932543
Key opened	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\CurVer Access: query value and read or execute	object name not found	1626932820
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_Classes\Directory Access: maximum allowed	object name not found	1626936315
Key opened	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\ Access: maximum allowed	success or wait	1626936587
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer Access: query value and read or execute	success or wait	1626939590
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer Name: DontShowSuperHidden	object name not found	1626940171
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer Access: query value and read or execute	success or wait	1626941543
Key value queried	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer Name: DontShowSuperHidden	object name not found	1626941828
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer Access: maximum allowed	success or wait	1626943770
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\ Access: maximum allowed	success or wait	1626944967
Key value queried	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer Name: ShellState	success or wait	1626945231
Key value queried	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer Name: ShellState	success or wait	1626945553
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer Access: query value and read or execute	success or wait	1626948304
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer Name: ForceActiveDesktopOn	object name not found	1626948576
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer Access: query value and read or execute	success or wait	1626949985
Key value queried	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer Name: ForceActiveDesktopOn	object name not found	1626950264
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer Access: query value and read or execute	success or wait	1626952824
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer Name: NoActiveDesktop	object name not found	1626953094
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer Access: query value and read or execute	success or wait	1626955720
Key value queried	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer Name: NoActiveDesktop	object name not found	1626956444
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Policies\System Access: query value and read or execute	object name not found	1626958860
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer Access: query value and read or execute	success or wait	1626960713
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer Name: NoWebView	object name not found	1626962332
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer Access: query value and read or execute	success or wait	1626962872
Key value queried	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer Name: NoWebView	object name not found	1626964316
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer Access: query value and read or execute	success or wait	1626966362
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer Name: ClassicShell	object name not found	1626966652
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer Access: query value and read or execute	success or wait	1626968076
Key value queried	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer Name: ClassicShell	object name not found	1626968683
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer Access: query value and read or execute	success or wait	1626972769
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer Name: SeparateProcess	object name not found	1626973056
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer Access: query value and read or execute	success or wait	1626974686
Key value queried	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer Name: SeparateProcess	object name not found	1626974976
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer Access: query value and read or execute	success or wait	1626978232
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer Name: NoNetCrawling	object name not found	1626978519
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer Access: query value and read or execute	success or wait	1626980054
Key value queried	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer Name: NoNetCrawling	object name not found	1626980337
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer Access: query value and read or execute	success or wait	1626982298
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer Name: NoSimpleStartMenu	object name not found	1626983669
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer Access: query value and read or execute	success or wait	1626984214
Key value queried	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer Name: NoSimpleStartMenu	object name not found	1626985386
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced Access: maximum allowed	success or wait	1626988820
Key value queried	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced Name: Hidden	success or wait	1626989118
Key value queried	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced Name: ShowCompColor	success or wait	1626989432
Key value queried	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced Name: HideFileExt	success or wait	1626991258
Key value queried	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced Name: DontPrettyPath	success or wait	1626991576
Key value queried	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced Name: ShowInfoTip	success or wait	1626994648
Key value queried	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced Name: HideIcons	success or wait	1626994981
Key value queried	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced Name: MapNetDrvBtn	success or wait	1626995293
Key value queried	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced Name: WebView	success or wait	1626997052
Key value queried	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced Name: Filter	success or wait	1626997491
Key value queried	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced Name: ShowSuperHidden	success or wait	1626997804
Key value queried	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced Name: SeparateProcess	success or wait	1626999431
Key value queried	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced Name: NoNetCrawling	success or wait	1626999770
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_Classes\Directory\ShellEx\IconHandler Access: query value and read or execute	object name not found	1627005784
Key opened	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\ShellEx\IconHandler Access: query value and read or execute	object name not found	1627007008
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_Classes\Directory Access: maximum allowed	object name not found	1627010884
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory Name: DocObject	object name not found	1627011187
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_Classes\Directory Access: maximum allowed	object name not found	1627014811
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory Name: BrowseInPlace	object name not found	1627015044
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_Classes\Directory\Clsid Access: query value and read or execute	object name not found	1627018807
Key opened	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\Clsid Access: query value and read or execute	object name not found	1627020003
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_CLASSES\Folder Access: maximum allowed	object name not found	1627020755
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Classes\Folder Access: maximum allowed	success or wait	1627021963
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_Classes\Folder\Clsid Access: query value and read or execute	object name not found	1627025625
Key opened	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\Clsid Access: query value and read or execute	object name not found	1627025911
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_Classes\Directory Access: maximum allowed	object name not found	1627032620
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory Name: IsShortcut	object name not found	1627032863
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_Classes\Directory Access: maximum allowed	object name not found	1627036557
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory Name: AlwaysShowExt	success or wait	1627036791
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_Classes\Directory Access: maximum allowed	object name not found	1627040398
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory Name: NeverShowExt	object name not found	1627041536
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer Access: query value and read or execute	success or wait	1627048366
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer Name: AllowFileCLSIDJunctions	object name not found	1627049569
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer Access: query value and read or execute	success or wait	1627050055
Key value queried	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer Name: AllowFileCLSIDJunctions	object name not found	1627052164
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts Access: maximum allowed	success or wait	1627056673
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.exe Access: maximum allowed	object name not found	1627057066
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.exe Access: maximum allowed	object name not found	1627057593
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_CLASSES\.exe Access: maximum allowed	object name not found	1627071860
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Classes\.exe Access: maximum allowed	success or wait	1627072247
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_Classes\.exe Access: maximum allowed	object name not found	1627075491
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.exe Name: NULL	success or wait	1627075716
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_CLASSES\exefile Access: maximum allowed	object name not found	1627077929
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Classes\exefile Access: maximum allowed	success or wait	1627078185
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_Classes\exefile\CurVer Access: query value and read or execute	object name not found	1627167066
Key opened	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\CurVer Access: query value and read or execute	object name not found	1627167366
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_Classes\exefile Access: maximum allowed	object name not found	1627169118
Key opened	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\ Access: maximum allowed	success or wait	1627169379
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_Classes\exefile\ShellEx\IconHandler Access: query value and read or execute	object name not found	1627173802
Key opened	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\ShellEx\IconHandler Access: query value and read or execute	object name not found	1627174069
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_CLASSES\SystemFileAssociations\.exe Access: maximum allowed	object name not found	1627177211
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Classes\SystemFileAssociations\.exe Access: maximum allowed	object name not found	1627177644
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_CLASSES\SystemFileAssociations\application Access: maximum allowed	object name not found	1627178770
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Classes\SystemFileAssociations\application Access: maximum allowed	object name not found	1627179157
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_Classes\exefile Access: maximum allowed	object name not found	1627180786
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile Name: DocObject	object name not found	1627181007
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_Classes\exefile Access: maximum allowed	object name not found	1627182808
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile Name: BrowseInPlace	object name not found	1627183047
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_Classes\exefile\Clsid Access: query value and read or execute	object name not found	1627184839
Key opened	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\Clsid Access: query value and read or execute	object name not found	1627185122
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_CLASSES\* Access: maximum allowed	object name not found	1627185856
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Classes\* Access: maximum allowed	success or wait	1627186192
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_Classes\*\Clsid Access: query value and read or execute	object name not found	1627187929
Key opened	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\*\Clsid Access: query value and read or execute	object name not found	1627188206
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_Classes\exefile Access: maximum allowed	object name not found	1627189890
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile Name: IsShortcut	object name not found	1627190115
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_Classes\exefile Access: maximum allowed	object name not found	1627191839
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile Name: AlwaysShowExt	object name not found	1627192062
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_Classes\exefile Access: maximum allowed	object name not found	1627193842
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile Name: NeverShowExt	object name not found	1627194067
File opened	Path: C:\WINDOWS\system32\csrcs.exe Access: read attributes and synchronize and generic read Disposition: open Options: synchronous io non alert and non directory file Attributes: normal	success or wait	1627195655
File read	Path: C:\WINDOWS\system32\csrcs.exe	success or wait	1627196120
File other operation	Disposition: PositionInformation Data: 00 00 01 00 00 00 00 00 Path: C:\WINDOWS\system32\csrcs.exe	success or wait	1627250521
File other operation	Disposition: PositionInformation Data: EC FF 00 00 00 00 00 00 Path: C:\WINDOWS\system32\csrcs.exe	success or wait	1627250671
File read	Path: C:\WINDOWS\system32\csrcs.exe	success or wait	1627250851
File other operation	Disposition: PositionInformation Data: EC FF 01 00 00 00 00 00 Path: C:\WINDOWS\system32\csrcs.exe	success or wait	1627301049
File other operation	Disposition: PositionInformation Data: D8 FF 01 00 00 00 00 00 Path: C:\WINDOWS\system32\csrcs.exe	success or wait	1627301206
File read	Path: C:\WINDOWS\system32\csrcs.exe	success or wait	1627301393
File other operation	Disposition: PositionInformation Data: D8 FF 02 00 00 00 00 00 Path: C:\WINDOWS\system32\csrcs.exe	success or wait	1627350998
File other operation	Disposition: PositionInformation Data: C4 FF 02 00 00 00 00 00 Path: C:\WINDOWS\system32\csrcs.exe	success or wait	1627351149
File read	Path: C:\WINDOWS\system32\csrcs.exe	success or wait	1627351329
File other operation	Disposition: PositionInformation Data: C4 FF 03 00 00 00 00 00 Path: C:\WINDOWS\system32\csrcs.exe	success or wait	1627402710
File other operation	Disposition: PositionInformation Data: B0 FF 03 00 00 00 00 00 Path: C:\WINDOWS\system32\csrcs.exe	success or wait	1627402862
File read	Path: C:\WINDOWS\system32\csrcs.exe	success or wait	1627403047
File other operation	Disposition: PositionInformation Data: B0 FF 04 00 00 00 00 00 Path: C:\WINDOWS\system32\csrcs.exe	success or wait	1629460156
File other operation	Disposition: PositionInformation Data: 9C FF 04 00 00 00 00 00 Path: C:\WINDOWS\system32\csrcs.exe	success or wait	1629460306
File read	Path: C:\WINDOWS\system32\csrcs.exe	success or wait	1629460491
File other operation	Disposition: PositionInformation Data: 14 C8 05 00 00 00 00 00 Path: C:\WINDOWS\system32\csrcs.exe	success or wait	1629507597
File read	Path: C:\WINDOWS\system32\csrcs.exe	success or wait	1629507829
File other operation	Disposition: PositionInformation Data: 14 D8 05 00 00 00 00 00 Path: C:\WINDOWS\system32\csrcs.exe	success or wait	1629512368
File other operation	Disposition: PositionInformation Data: 28 C8 05 00 00 00 00 00 Path: C:\WINDOWS\system32\csrcs.exe	success or wait	1629512583
File read	Path: C:\WINDOWS\system32\csrcs.exe	success or wait	1629514135
File other operation	Disposition: PositionInformation Data: 28 CA 05 00 00 00 00 00 Path: C:\WINDOWS\system32\csrcs.exe	success or wait	1629514826
File other operation	Disposition: PositionInformation Data: D5 C8 05 00 00 00 00 00 Path: C:\WINDOWS\system32\csrcs.exe	success or wait	1629514968
File read	Path: C:\WINDOWS\system32\csrcs.exe	success or wait	1629517642
File read	Path: C:\WINDOWS\system32\csrcs.exe	success or wait	1629662810
Window created	Window Name: AutoIt v3 Class Name: AutoIt v3	success	1633007624
Section created	Access: map write and map read and map execute Protection: execute Attributes: commit Path: not known Type: commit Baseaddress: 01570000 Entrypoint: not known Mapped to pid: own pid Size: 48C00	success or wait	1633008805
Section created	Access: query and map write and map read and map execute Protection: execute Attributes: image Path: not known Type: image Baseaddress: 74720000 Entrypoint: 747213A5 Mapped to pid: own pid Size: 4C000	success or wait	1633010994
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSCTF.dll Access: generic read	object name not found	1633301222
Section created	Access: query and map write and map read Protection: read write Attributes: commit Path: \BaseNamedObjects\CiceroSharedMemDefaultS-1-5-21-220523388-1935655697-1343024091-1003 Type: commit Baseaddress: 003D0000 Entrypoint: not known Mapped to pid: own pid Size: 1000	object name exists	1633517685
Key opened	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\Compatibility\csrcs.exe Access: query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1633518651
Key opened	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\SystemShared\ Access: query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1633588289
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\SystemShared Name: CUAS	success or wait	1633588789
Mutant created	Name: \BaseNamedObjects\CTF.LBES.MutexDefaultS-1-5-21-220523388-1935655697-1343024091-1003	object name exists	1633731524
Mutant created	Name: \BaseNamedObjects\CTF.Compart.MutexDefaultS-1-5-21-220523388-1935655697-1343024091-1003	object name exists	1633731931
Mutant created	Name: \BaseNamedObjects\CTF.Asm.MutexDefaultS-1-5-21-220523388-1935655697-1343024091-1003	object name exists	1633732208
Mutant created	Name: \BaseNamedObjects\CTF.Layouts.MutexDefaultS-1-5-21-220523388-1935655697-1343024091-1003	object name exists	1633732483
Mutant created	Name: \BaseNamedObjects\CTF.TMD.MutexDefaultS-1-5-21-220523388-1935655697-1343024091-1003	object name exists	1633732752
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Keyboard Layout\Toggle Access: query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1633733055
Key value queried	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Keyboard Layout\Toggle Name: Language Hotkey	success or wait	1633803699
Key value queried	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Keyboard Layout\Toggle Name: Language Hotkey	success or wait	1633804012
Key value queried	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Keyboard Layout\Toggle Name: Layout Hotkey	success or wait	1633804309
Key value queried	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Keyboard Layout\Toggle Name: Layout Hotkey	success or wait	1633998149
Key opened	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\ Access: query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1634128224
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF Name: EnableAnchorContext	object name not found	1634128694
Mutant created	Name: \BaseNamedObjects\CTF.TimListCache.FMPDefaultS-1-5-21-220523388-1935655697-1343024091-1003MUTEX.DefaultS-1-5-21-220523388-1935655697-1343024091-1003	object name exists	1634131090
Section opened	Access: query and map write and map read and map execute and extend size Baseaddress: 01570000 Size: 40000 Mapped to pid: own pid Path: \BaseNamedObjects\CTF.TimListCache.FMPDefaultS-1-5-21-220523388-1935655697-1343024091-1003SFM.DefaultS-1-5-21-220523388-1935655697-1343024091-1003	success or wait	1634131577
Windows hook set	Module: C:\WINDOWS\system32\MSCTF.dll TID: 1600 Hook ID: keyboard	success	1634413222
Windows hook set	Module: C:\WINDOWS\system32\MSCTF.dll TID: 1600 Hook ID: mouse	success	1634413463
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\IMM Access: maximum allowed	success or wait	1634414867
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IMM Name: Ime File	success or wait	1634440942
Section created	Access: map write and map read and map execute Protection: execute Attributes: commit Path: not known Type: commit Baseaddress: 015B0000 Entrypoint: not known Mapped to pid: own pid Size: 2B400	success or wait	1634453372
File opened	Path: C:\WINDOWS\system32\msctfime.ime Access: read attributes and synchronize and generic read Disposition: open Options: synchronous io non alert and non directory file Attributes: none	success or wait	1634467634
Section created	Access: query and map read Protection: readonly Attributes: commit Path: not known Type: commit Baseaddress: 015B0000 Entrypoint: not known Mapped to pid: own pid Size: 2B400	success or wait	1634468016
Section created	Access: map write and map read and map execute Protection: execute Attributes: commit Path: not known Type: commit Baseaddress: 015B0000 Entrypoint: not known Mapped to pid: own pid Size: 2B400	success or wait	1634507612
File opened	Path: C:\WINDOWS\system32\msctfime.ime Access: read attributes and synchronize and generic read Disposition: open Options: synchronous io non alert and non directory file Attributes: none	success or wait	1634596692
Section created	Access: query and map read Protection: readonly Attributes: commit Path: not known Type: commit Baseaddress: 015B0000 Entrypoint: not known Mapped to pid: own pid Size: 2B400	success or wait	1634627832
Section opened	Access: map write Baseaddress: 003E0000 Size: E000 Mapped to pid: own pid Path: \BaseNamedObjects\ShimSharedMemory	success or wait	1634708500
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers Access: query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1634761052
Section created	Access: map write and map read and map execute Protection: execute Attributes: commit Path: not known Type: commit Baseaddress: 015B0000 Entrypoint: not known Mapped to pid: own pid Size: 2B400	success or wait	1634843734
Section created	Access: query and map write and map read and map execute Protection: execute Attributes: image Path: not known Type: image Baseaddress: 755C0000 Entrypoint: 755D9FE1 Mapped to pid: own pid Size: 2E000	success or wait	1634852323
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msctfime.ime Access: generic read	object name not found	1634881122
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\SOFTWARE\Microsoft\CTF Access: maximum allowed	success or wait	1634887452
Key value queried	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\CTF Name: Disable Thread Input Manager	object name not found	1634887793
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\CTF\SystemShared Access: maximum allowed	success or wait	1634892226
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\SystemShared Name: CUAS	success or wait	1634893707
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers Access: query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1634895910
Window created	Window Name: 6.0.2600.5512!Edit Class Name: edit	success	1634900117
Windows found	Window Name: no string Class Name: Shell_TrayWnd	success	1634902907
Windows found	Window Name: no string Class Name: Shell_TrayWnd	success	1634936316
Performance counter queried	Count: 1634944426 Frequency: 3579545	success or wait	1634942627
File opened	Path: C:\WINDOWS\system32\csrcs.exe Access: read attributes and synchronize and generic read Disposition: open Options: synchronous io non alert and non directory file Attributes: normal	success or wait	1634956679
File read	Path: C:\WINDOWS\system32\csrcs.exe	success or wait	1634957153
File other operation	Disposition: PositionInformation Data: 00 00 01 00 00 00 00 00 Path: C:\WINDOWS\system32\csrcs.exe	success or wait	1635039849
File other operation	Disposition: PositionInformation Data: EC FF 00 00 00 00 00 00 Path: C:\WINDOWS\system32\csrcs.exe	success or wait	1635040024
File read	Path: C:\WINDOWS\system32\csrcs.exe	success or wait	1635040225
File other operation	Disposition: PositionInformation Data: EC FF 01 00 00 00 00 00 Path: C:\WINDOWS\system32\csrcs.exe	success or wait	1636011564
File other operation	Disposition: PositionInformation Data: D8 FF 01 00 00 00 00 00 Path: C:\WINDOWS\system32\csrcs.exe	success or wait	1636011713
File read	Path: C:\WINDOWS\system32\csrcs.exe	success or wait	1636011893
File other operation	Disposition: PositionInformation Data: D8 FF 02 00 00 00 00 00 Path: C:\WINDOWS\system32\csrcs.exe	success or wait	1636074668
File other operation	Disposition: PositionInformation Data: C4 FF 02 00 00 00 00 00 Path: C:\WINDOWS\system32\csrcs.exe	success or wait	1636074815
File read	Path: C:\WINDOWS\system32\csrcs.exe	success or wait	1636074995
File other operation	Disposition: PositionInformation Data: C4 FF 03 00 00 00 00 00 Path: C:\WINDOWS\system32\csrcs.exe	success or wait	1636148680
File other operation	Disposition: PositionInformation Data: B0 FF 03 00 00 00 00 00 Path: C:\WINDOWS\system32\csrcs.exe	success or wait	1636148937
File read	Path: C:\WINDOWS\system32\csrcs.exe	success or wait	1636149147
File other operation	Disposition: PositionInformation Data: B0 FF 04 00 00 00 00 00 Path: C:\WINDOWS\system32\csrcs.exe	success or wait	1636213940
File other operation	Disposition: PositionInformation Data: 9C FF 04 00 00 00 00 00 Path: C:\WINDOWS\system32\csrcs.exe	success or wait	1636214093
File read	Path: C:\WINDOWS\system32\csrcs.exe	success or wait	1636214274
File other operation	Disposition: PositionInformation Data: 14 C8 05 00 00 00 00 00 Path: C:\WINDOWS\system32\csrcs.exe	success or wait	1636259082
File read	Path: C:\WINDOWS\system32\csrcs.exe	success or wait	1636277288
File other operation	Disposition: PositionInformation Data: 14 D8 05 00 00 00 00 00 Path: C:\WINDOWS\system32\csrcs.exe	success or wait	1636281357
File other operation	Disposition: PositionInformation Data: 28 C8 05 00 00 00 00 00 Path: C:\WINDOWS\system32\csrcs.exe	success or wait	1636303025
File read	Path: C:\WINDOWS\system32\csrcs.exe	success or wait	1636303246
File other operation	Disposition: PositionInformation Data: 28 CA 05 00 00 00 00 00 Path: C:\WINDOWS\system32\csrcs.exe	success or wait	1636304073
File other operation	Disposition: PositionInformation Data: B9 C8 05 00 00 00 00 00 Path: C:\WINDOWS\system32\csrcs.exe	success or wait	1636321912
File read	Path: C:\WINDOWS\system32\csrcs.exe	success or wait	1636322150
File other operation	Disposition: PositionInformation Data: B9 CA 05 00 00 00 00 00 Path: C:\WINDOWS\system32\csrcs.exe	success or wait	1636322872
File other operation	Disposition: PositionInformation Data: 77 7A 08 00 00 00 00 00 Path: C:\WINDOWS\system32\csrcs.exe	success or wait	1636323015
File read	Path: C:\WINDOWS\system32\csrcs.exe	success or wait	1636323193
File created	Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\aut2.tmp Access: read attributes and synchronize and generic read Disposition: create Options: synchronous io non alert and non directory file Attributes: normal	success or wait	1637341121
File overwritten	Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\aut2.tmp Access: read attributes and synchronize and generic write Disposition: overwrite if exists Options: synchronous io non alert and non directory file Attributes: normal	success or wait	1637397162
File read	Path: C:\WINDOWS\system32\csrcs.exe	success or wait	1637398897
File read	Path: C:\WINDOWS\system32\csrcs.exe	success or wait	1637414413
File write	Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\aut2.tmp	success or wait	1637471771
File write	Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\aut2.tmp	success or wait	1637504918
File opened	Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\aut2.tmp Access: read attributes and synchronize and generic read Disposition: open Options: synchronous io non alert and non directory file Attributes: normal	success or wait	1637509521
File created	Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\zvhhwsq Access: read attributes and synchronize and generic read and generic write Disposition: overwrite if exists Options: synchronous io non alert and non directory file Attributes: normal	success or wait	1637621877
File read	Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\aut2.tmp	success or wait	1637634679
File read	Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\aut2.tmp	success or wait	1637665227
File read	Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\aut2.tmp	end of file	1637992865
File write	Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\zvhhwsq	success or wait	1639186731
File write	Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\zvhhwsq	success or wait	1639271476
File write	Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\zvhhwsq	success or wait	1639322871
File deleted	Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\aut2.tmp	success or wait	1639358221
File opened	Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\zvhhwsq Access: read attributes and synchronize and generic write Disposition: open Options: synchronous io non alert and non directory file Attributes: normal	success or wait	1639362760
File other operation	Disposition: BasicInformation Data: 30 4F 03 65 3C 41 CB 01 00 00 00 00 00 00 00 00 F4 CB C9 67 3C 41 CB 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\zvhhwsq	success or wait	1639363320
Windows found	Window Name: no string Class Name: Shell_TrayWnd	success	1639373645
File opened	Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\zvhhwsq Access: read attributes and synchronize and generic read Disposition: open Options: synchronous io non alert and non directory file Attributes: normal	success or wait	1639379196
File other operation	Disposition: PositionInformation Data: 00 00 00 00 00 00 00 00 Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\zvhhwsq	success or wait	1639381123
File other operation	Disposition: PositionInformation Data: 00 00 00 00 00 00 00 00 Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\zvhhwsq	success or wait	1639384586
File other operation	Disposition: PositionInformation Data: 00 00 00 00 00 00 00 00 Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\zvhhwsq	success or wait	1639389546
File read	Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\zvhhwsq	success or wait	1639391642
File other operation	Disposition: PositionInformation Data: 4E 86 01 00 00 00 00 00 Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\zvhhwsq	success or wait	1639457387
File other operation	Disposition: PositionInformation Data: 4E 86 01 00 00 00 00 00 Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\zvhhwsq	success or wait	1639461838
File other operation	Disposition: PositionInformation Data: 00 00 00 00 00 00 00 00 Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\zvhhwsq	success or wait	1639462403
File other operation	Disposition: PositionInformation Data: 00 00 00 00 00 00 00 00 Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\zvhhwsq	success or wait	1639470682
File other operation	Disposition: PositionInformation Data: 00 00 00 00 00 00 00 00 Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\zvhhwsq	success or wait	1639471737
File read	Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\zvhhwsq	success or wait	1639474143
File read	Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\zvhhwsq	success or wait	1639557173
File deleted	Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\zvhhwsq	success or wait	1640815857
Windows found	Window Name: no string Class Name: Shell_TrayWnd	success	1642051470
Windows found	Window Name: no string Class Name: Shell_TrayWnd	success	1645709342
Windows found	Window Name: no string Class Name: Shell_TrayWnd	success	1648788456
Windows found	Window Name: no string Class Name: Shell_TrayWnd	success	1650800423
System info queried	Type: CurrentTimeZoneInformation	success or wait	1650841534
Mutant created	Name: \BaseNamedObjects\df8g1sdf68g18er1g8re16	success or wait	1650851516
Thread delayed	Time: 0 TID: 5632	success or wait	1651189045
Thread delayed	Time: 0 TID: 5632	success or wait	1651224744
Thread delayed	Time: 0 TID: 5632	success or wait	1651260693
Thread delayed	Time: 0 TID: 5632	success or wait	1651296773
Thread delayed	Time: 0 TID: 5632	success or wait	1651332377
Thread delayed	Time: 0 TID: 5632	success or wait	1651368155
Thread delayed	Time: 0 TID: 5632	success or wait	1651405903
Thread delayed	Time: 0 TID: 5632	success or wait	1651440099
Thread delayed	Time: 0 TID: 5632	success or wait	1651476229
Thread delayed	Time: 0 TID: 5632	success or wait	1651511834
Thread delayed	Time: 0 TID: 5632	success or wait	1651547645
Thread delayed	Time: 0 TID: 5632	success or wait	1651583156
Thread delayed	Time: 0 TID: 5632	success or wait	1651619257
Thread delayed	Time: 0 TID: 5632	success or wait	1651655385
Thread delayed	Time: 0 TID: 5632	success or wait	1651690983
Thread delayed	Time: 0 TID: 5632	success or wait	1651727094
Thread delayed	Time: 0 TID: 5632	success or wait	1651762800
Thread delayed	Time: 0 TID: 5632	success or wait	1651798325
Thread delayed	Time: 0 TID: 5632	success or wait	1651834303
Thread delayed	Time: 0 TID: 5632	success or wait	1651870026
Thread delayed	Time: 0 TID: 5632	success or wait	1651907072
Thread delayed	Time: 0 TID: 5632	success or wait	1651942001
Thread delayed	Time: 0 TID: 5632	success or wait	1651977771
Thread delayed	Time: 0 TID: 5632	success or wait	1652014164
Thread delayed	Time: 0 TID: 5632	success or wait	1652049968
Thread delayed	Time: 0 TID: 5632	success or wait	1652085438
Thread delayed	Time: 0 TID: 5632	success or wait	1652122084
Thread delayed	Time: 0 TID: 5632	success or wait	1652158596
Thread delayed	Time: 0 TID: 5632	success or wait	1652192996
Thread delayed	Time: 0 TID: 5632	success or wait	1652228875
Thread delayed	Time: 0 TID: 5632	success or wait	1652267900
Thread delayed	Time: 0 TID: 5632	success or wait	1652300370
Thread delayed	Time: 0 TID: 5632	success or wait	1652341444
Thread delayed	Time: 0 TID: 5632	success or wait	1652375248
Thread delayed	Time: 0 TID: 5632	success or wait	1652407907
Thread delayed	Time: 0 TID: 5632	success or wait	1652443808
Thread delayed	Time: 0 TID: 5632	success or wait	1652482327
Thread delayed	Time: 0 TID: 5632	success or wait	1652515508
Thread delayed	Time: 0 TID: 5632	success or wait	1652556372
Thread delayed	Time: 0 TID: 5632	success or wait	1652588818
Thread delayed	Time: 0 TID: 5632	success or wait	1652623543
Thread delayed	Time: 0 TID: 5632	success or wait	1652659010
Thread delayed	Time: 0 TID: 5632	success or wait	1652696319
Thread delayed	Time: 0 TID: 5632	success or wait	1652730778
Thread delayed	Time: 0 TID: 5632	success or wait	1652766404
Thread delayed	Time: 0 TID: 5632	success or wait	1652802233
Thread delayed	Time: 0 TID: 5632	success or wait	1652838880
Thread delayed	Time: 0 TID: 5632	success or wait	1652874215
Thread delayed	Time: 0 TID: 5632	success or wait	1652909796
Thread delayed	Time: 0 TID: 5632	success or wait	1652975848
Thread delayed	Time: 0 TID: 5632	success or wait	1653026078
Thread delayed	Time: 0 TID: 5632	success or wait	1653055191
Thread delayed	Time: 0 TID: 5632	success or wait	1653088981
Thread delayed	Time: 0 TID: 5632	success or wait	1653124565
Thread delayed	Time: 0 TID: 5632	success or wait	1653160460
Thread delayed	Time: 0 TID: 5632	success or wait	1653198542
Thread delayed	Time: 0 TID: 5632	success or wait	1653232213
Thread delayed	Time: 0 TID: 5632	success or wait	1653268176
Thread delayed	Time: 0 TID: 5632	success or wait	1653303982
Thread delayed	Time: 0 TID: 5632	success or wait	1653339667
Thread delayed	Time: 0 TID: 5632	success or wait	1653375537
Thread delayed	Time: 0 TID: 5632	success or wait	1653411449
Thread delayed	Time: 0 TID: 5632	success or wait	1653447185
Thread delayed	Time: 0 TID: 5632	success or wait	1653483477
Thread delayed	Time: 0 TID: 5632	success or wait	1653518967
Thread delayed	Time: 0 TID: 5632	success or wait	1653555904
Thread delayed	Time: 0 TID: 5632	success or wait	1653590734
Thread delayed	Time: 0 TID: 5632	success or wait	1653626665
Thread delayed	Time: 0 TID: 5632	success or wait	1653662282
Thread delayed	Time: 0 TID: 5632	success or wait	1653726410
Thread delayed	Time: 0 TID: 5632	success or wait	1653734422
Thread delayed	Time: 0 TID: 5632	success or wait	1653806337
Thread delayed	Time: 0 TID: 5632	success or wait	1653949029
Thread delayed	Time: 0 TID: 5632	success or wait	1654021015
Thread delayed	Time: 0 TID: 5632	success or wait	1654165350
Thread delayed	Time: 0 TID: 5632	success or wait	1654246508
Thread delayed	Time: 0 TID: 5632	success or wait	1654384627
Thread delayed	Time: 0 TID: 5632	success or wait	1654451749
Thread delayed	Time: 0 TID: 5632	success or wait	1654595851
Thread delayed	Time: 0 TID: 5632	success or wait	1654669497
Thread delayed	Time: 0 TID: 5632	success or wait	1654809898
Thread delayed	Time: 0 TID: 5632	success or wait	1654849209
Thread delayed	Time: 0 TID: 5632	success or wait	1654882334
Thread delayed	Time: 0 TID: 5632	success or wait	1654917464
Thread delayed	Time: 0 TID: 5632	success or wait	1654956357
Thread delayed	Time: 0 TID: 5632	success or wait	1655012794
Thread delayed	Time: 0 TID: 5632	success or wait	1655091412
Thread delayed	Time: 0 TID: 5632	success or wait	1655105545
Thread delayed	Time: 0 TID: 5632	success or wait	1655142872
Thread delayed	Time: 0 TID: 5632	success or wait	1655171532
Thread delayed	Time: 0 TID: 5632	success or wait	1655209948
Thread delayed	Time: 0 TID: 5632	success or wait	1655260590
Thread delayed	Time: 0 TID: 5632	success or wait	1655293563
Thread delayed	Time: 0 TID: 5632	success or wait	1655316168
Thread delayed	Time: 0 TID: 5632	success or wait	1655357165
Thread delayed	Time: 0 TID: 5632	success or wait	1655386871
Thread delayed	Time: 0 TID: 5632	success or wait	1655526600
Thread delayed	Time: 0 TID: 5632	success or wait	1655564038
Thread delayed	Time: 0 TID: 5632	success or wait	1655598342
Thread delayed	Time: 0 TID: 5632	success or wait	1655634703
Thread delayed	Time: 0 TID: 5632	success or wait	1655669734
Thread delayed	Time: 0 TID: 5632	success or wait	1655707315
Thread delayed	Time: 0 TID: 5632	success or wait	1655741579
Thread delayed	Time: 0 TID: 5632	success or wait	1655777471
Thread delayed	Time: 0 TID: 5632	success or wait	1655813447
Thread delayed	Time: 0 TID: 5632	success or wait	1655849396
Thread delayed	Time: 0 TID: 5632	success or wait	1655885179
Thread delayed	Time: 0 TID: 5632	success or wait	1655920863
Thread delayed	Time: 0 TID: 5632	success or wait	1655956909
Thread delayed	Time: 0 TID: 5632	success or wait	1655992616
Thread delayed	Time: 0 TID: 5632	success or wait	1656028168
Thread delayed	Time: 0 TID: 5632	success or wait	1656064044
Thread delayed	Time: 0 TID: 5632	success or wait	1656100297
Thread delayed	Time: 0 TID: 5632	success or wait	1656135737
Thread delayed	Time: 0 TID: 5632	success or wait	1656172341
Thread delayed	Time: 0 TID: 5632	success or wait	1656207429
Thread delayed	Time: 0 TID: 5632	success or wait	1656243319
Thread delayed	Time: 0 TID: 5632	success or wait	1656279163
Thread delayed	Time: 0 TID: 5632	success or wait	1656315038
Thread delayed	Time: 0 TID: 5632	success or wait	1656350770
Thread delayed	Time: 0 TID: 5632	success or wait	1656386649
Thread delayed	Time: 0 TID: 5632	success or wait	1656422736
Thread delayed	Time: 0 TID: 5632	success or wait	1656458442
Thread delayed	Time: 0 TID: 5632	success or wait	1656494272
Thread delayed	Time: 0 TID: 5632	success or wait	1656550369
Thread delayed	Time: 0 TID: 5632	success or wait	1656614592
Thread delayed	Time: 0 TID: 5632	success or wait	1656675734
Thread delayed	Time: 0 TID: 5632	success or wait	1656712650
Thread delayed	Time: 0 TID: 5632	success or wait	1656750621
Thread delayed	Time: 0 TID: 5632	success or wait	1656784297
Thread delayed	Time: 0 TID: 5632	success or wait	1656817922
Thread delayed	Time: 0 TID: 5632	success or wait	1656858237
Thread delayed	Time: 0 TID: 5632	success or wait	1656889755
Thread delayed	Time: 0 TID: 5632	success or wait	1656924564
Thread delayed	Time: 0 TID: 5632	success or wait	1656961258
Thread delayed	Time: 0 TID: 5632	success or wait	1657018965
Thread delayed	Time: 0 TID: 5632	success or wait	1657032461
Thread delayed	Time: 0 TID: 5632	success or wait	1657072107
Thread delayed	Time: 0 TID: 5632	success or wait	1657103703
Thread delayed	Time: 0 TID: 5632	success or wait	1657139473
Thread delayed	Time: 0 TID: 5632	success or wait	1657175295
Thread delayed	Time: 0 TID: 5632	success or wait	1657211570
Thread delayed	Time: 0 TID: 5632	success or wait	1657247164
Thread delayed	Time: 0 TID: 5632	success or wait	1657283330
Thread delayed	Time: 0 TID: 5632	success or wait	1657319095
Thread delayed	Time: 0 TID: 5632	success or wait	1657354560
Thread delayed	Time: 0 TID: 5632	success or wait	1657390449
Thread delayed	Time: 0 TID: 5632	success or wait	1657429505
Thread delayed	Time: 0 TID: 5632	success or wait	1657462065
Thread delayed	Time: 0 TID: 5632	success or wait	1657499066
Thread delayed	Time: 0 TID: 5632	success or wait	1657537257
Thread delayed	Time: 0 TID: 5632	success or wait	1657569902
Thread delayed	Time: 0 TID: 5632	success or wait	1657607099
Thread delayed	Time: 0 TID: 5632	success or wait	1657644319
Thread delayed	Time: 0 TID: 5632	success or wait	1657679524
Thread delayed	Time: 0 TID: 5632	success or wait	1657713374
Thread delayed	Time: 0 TID: 5632	success or wait	1657751326
Thread delayed	Time: 0 TID: 5632	success or wait	1657785472
Thread delayed	Time: 0 TID: 5632	success or wait	1657820842
Thread delayed	Time: 0 TID: 5632	success or wait	1657856669
Thread delayed	Time: 0 TID: 5632	success or wait	1657892524
Thread delayed	Time: 0 TID: 5632	success or wait	1657929952
Thread delayed	Time: 0 TID: 5632	success or wait	1657964802
Thread delayed	Time: 0 TID: 5632	success or wait	1658000100
Thread delayed	Time: 0 TID: 5632	success or wait	1658035894
Thread delayed	Time: 0 TID: 5632	success or wait	1658072831
Thread delayed	Time: 0 TID: 5632	success or wait	1658107637
Thread delayed	Time: 0 TID: 5632	success or wait	1658143406
Thread delayed	Time: 0 TID: 5632	success or wait	1658179243
Thread delayed	Time: 0 TID: 5632	success or wait	1658215611
Thread delayed	Time: 0 TID: 5632	success or wait	1658251309
Thread delayed	Time: 0 TID: 5632	success or wait	1658287663
Thread delayed	Time: 0 TID: 5632	success or wait	1658323029
Thread delayed	Time: 0 TID: 5632	success or wait	1658358447
Thread delayed	Time: 0 TID: 5632	success or wait	1658394289
Thread delayed	Time: 0 TID: 5632	success or wait	1658430163
Thread delayed	Time: 0 TID: 5632	success or wait	1658465878
Thread delayed	Time: 0 TID: 5632	success or wait	1658504606
Thread delayed	Time: 0 TID: 5632	success or wait	1658537655
Thread delayed	Time: 0 TID: 5632	success or wait	1658573320
Thread delayed	Time: 0 TID: 5632	success or wait	1658609173
Thread delayed	Time: 0 TID: 5632	success or wait	1658645337
Thread delayed	Time: 0 TID: 5632	success or wait	1658680980
Thread delayed	Time: 0 TID: 5632	success or wait	1658716712
Thread delayed	Time: 0 TID: 5632	success or wait	1658752569
Thread delayed	Time: 0 TID: 5632	success or wait	1658788500
Thread delayed	Time: 0 TID: 5632	success or wait	1658824334
Thread delayed	Time: 0 TID: 5632	success or wait	1658860121
Thread delayed	Time: 0 TID: 5632	success or wait	1658896003
Thread delayed	Time: 0 TID: 5632	success or wait	1658931798
Thread delayed	Time: 0 TID: 5632	success or wait	1658968179
Thread delayed	Time: 0 TID: 5632	success or wait	1659003703
Thread delayed	Time: 0 TID: 5632	success or wait	1659039345
Thread delayed	Time: 0 TID: 5632	success or wait	1659075682
Thread delayed	Time: 0 TID: 5632	success or wait	1659111292
Thread delayed	Time: 0 TID: 5632	success or wait	1659165192
Thread delayed	Time: 0 TID: 5632	success or wait	1659183507
Thread delayed	Time: 0 TID: 5632	success or wait	1659219623
Thread delayed	Time: 0 TID: 5632	success or wait	1659254816
Thread delayed	Time: 0 TID: 5632	success or wait	1659292020
Thread delayed	Time: 0 TID: 5632	success or wait	1659326197
Thread delayed	Time: 0 TID: 5632	success or wait	1659361985
Thread delayed	Time: 0 TID: 5632	success or wait	1659398396
Thread delayed	Time: 0 TID: 5632	success or wait	1659434207
Thread delayed	Time: 0 TID: 5632	success or wait	1659472884
Thread delayed	Time: 0 TID: 5632	success or wait	1659505368
Thread delayed	Time: 0 TID: 5632	success or wait	1659541771
Thread delayed	Time: 0 TID: 5632	success or wait	1659577484
Thread delayed	Time: 0 TID: 5632	success or wait	1659612928
Thread delayed	Time: 0 TID: 5632	success or wait	1659648824
Thread delayed	Time: 0 TID: 5632	success or wait	1659684568
Thread delayed	Time: 0 TID: 5632	success or wait	1659720500
Thread delayed	Time: 0 TID: 5632	success or wait	1659756632
Thread delayed	Time: 0 TID: 5632	success or wait	1659792508
Thread delayed	Time: 0 TID: 5632	success or wait	1659831564
Thread delayed	Time: 0 TID: 5632	success or wait	1659863966
Thread delayed	Time: 0 TID: 5632	success or wait	1659899806
Thread delayed	Time: 0 TID: 5632	success or wait	1659938952
Thread delayed	Time: 0 TID: 5632	success or wait	1659971570
Thread delayed	Time: 0 TID: 5632	success or wait	1660007349
Thread delayed	Time: 0 TID: 5632	success or wait	1660046356
Thread delayed	Time: 0 TID: 5632	success or wait	1660078944
Thread delayed	Time: 0 TID: 5632	success or wait	1660136788
Thread delayed	Time: 0 TID: 5632	success or wait	1660205145
Thread delayed	Time: 0 TID: 5632	success or wait	1660228053
Thread delayed	Time: 0 TID: 5632	success or wait	1660261682
Thread delayed	Time: 0 TID: 5632	success or wait	1660306907
Thread delayed	Time: 0 TID: 5632	success or wait	1660331637
Thread delayed	Time: 0 TID: 5632	success or wait	1660369528
Thread delayed	Time: 0 TID: 5632	success or wait	1660403584
Thread delayed	Time: 0 TID: 5632	success or wait	1660438113
Thread delayed	Time: 0 TID: 5632	success or wait	1660474038
Thread delayed	Time: 0 TID: 5632	success or wait	1660509376
Thread delayed	Time: 0 TID: 5632	success or wait	1660545258
Thread delayed	Time: 0 TID: 5632	success or wait	1660609656
Thread delayed	Time: 0 TID: 5632	success or wait	1660619116
Thread delayed	Time: 0 TID: 5632	success or wait	1660760284
Thread delayed	Time: 0 TID: 5632	success or wait	1660838550
Thread delayed	Time: 0 TID: 5632	success or wait	1660976891
Thread delayed	Time: 0 TID: 5632	success or wait	1661047701
Thread delayed	Time: 0 TID: 5632	success or wait	1661190843
Thread delayed	Time: 0 TID: 5632	success or wait	1661263115
Thread delayed	Time: 0 TID: 5632	success or wait	1661406682
Thread delayed	Time: 0 TID: 5632	success or wait	1661477749
Thread delayed	Time: 0 TID: 5632	success or wait	1661623668
Thread delayed	Time: 0 TID: 5632	success or wait	1661693161
Thread delayed	Time: 0 TID: 5632	success or wait	1661729901
Thread delayed	Time: 0 TID: 5632	success or wait	1661764115
Thread delayed	Time: 0 TID: 5632	success or wait	1661800910
Thread delayed	Time: 0 TID: 5632	success or wait	1661835906
Thread delayed	Time: 0 TID: 5632	success or wait	1661895652
Thread delayed	Time: 0 TID: 5632	success or wait	1661909285
Thread delayed	Time: 0 TID: 5632	success or wait	1661959015
Thread delayed	Time: 0 TID: 5632	success or wait	1661979911
Thread delayed	Time: 0 TID: 5632	success or wait	1662018608
Thread delayed	Time: 0 TID: 5632	success or wait	1662051445
Thread delayed	Time: 0 TID: 5632	success or wait	1662094289
Thread delayed	Time: 0 TID: 5632	success or wait	1662135309
Thread delayed	Time: 0 TID: 5632	success or wait	1662190132
Thread delayed	Time: 0 TID: 5632	success or wait	1662200703
Thread delayed	Time: 0 TID: 5632	success or wait	1662251760
Thread delayed	Time: 0 TID: 5632	success or wait	1662271751
Thread delayed	Time: 0 TID: 5632	success or wait	1662313927
Thread delayed	Time: 0 TID: 5632	success or wait	1662338920
Thread delayed	Time: 0 TID: 5632	success or wait	1662481377
Thread delayed	Time: 0 TID: 5632	success or wait	1662553505
Thread delayed	Time: 0 TID: 5632	success or wait	1662590549
Thread delayed	Time: 0 TID: 5632	success or wait	1662625213
Thread delayed	Time: 0 TID: 5632	success or wait	1662663115
Thread delayed	Time: 0 TID: 5632	success or wait	1662696896
Thread delayed	Time: 0 TID: 5632	success or wait	1662733406
Thread delayed	Time: 0 TID: 5632	success or wait	1662771140
Thread delayed	Time: 0 TID: 5632	success or wait	1662806874
Thread delayed	Time: 0 TID: 5632	success or wait	1662839957
Thread delayed	Time: 0 TID: 5632	success or wait	1662877999
Thread delayed	Time: 0 TID: 5632	success or wait	1662911184
Thread delayed	Time: 0 TID: 5632	success or wait	1662946846
Thread delayed	Time: 0 TID: 5632	success or wait	1662985488
Thread delayed	Time: 0 TID: 5632	success or wait	1663018855
Thread delayed	Time: 0 TID: 5632	success or wait	1663054216
Thread delayed	Time: 0 TID: 5632	success or wait	1663092923
Thread delayed	Time: 0 TID: 5632	success or wait	1663127929
Thread delayed	Time: 0 TID: 5632	success or wait	1663161802
Thread delayed	Time: 0 TID: 5632	success or wait	1663197612
Thread delayed	Time: 0 TID: 5632	success or wait	1663233462
Thread delayed	Time: 0 TID: 5632	success or wait	1663269711
Thread delayed	Time: 0 TID: 5632	success or wait	1663306716
Thread delayed	Time: 0 TID: 5632	success or wait	1663341325
Thread delayed	Time: 0 TID: 5632	success or wait	1663376963
Thread delayed	Time: 0 TID: 5632	success or wait	1663412678
Thread delayed	Time: 0 TID: 5632	success or wait	1663450540
Thread delayed	Time: 0 TID: 5632	success or wait	1663484609
Thread delayed	Time: 0 TID: 5632	success or wait	1663520249
Thread delayed	Time: 0 TID: 5632	success or wait	1663556173
Thread delayed	Time: 0 TID: 5632	success or wait	1663593182
Thread delayed	Time: 0 TID: 5632	success or wait	1663627750
Thread delayed	Time: 0 TID: 5632	success or wait	1663663667
Thread delayed	Time: 0 TID: 5632	success or wait	1663723150
Thread delayed	Time: 0 TID: 5632	success or wait	1663736360
Thread delayed	Time: 0 TID: 5632	success or wait	1663771146

Analysis File: cmd.exe PID: 492 Parent PID: 1580 Run ID: 0

Sections

General
Start time:	23:48:08
Start date:	02/08/2010
Path:	C:\WINDOWS\system32\cmd.exe
Commandline:	cmd /c C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd
File size:	389120 bytes
MD5 hash:	6D778E0F95447E6546553EEEA709D03C

File Activities:

File opened
Reputation	File Path	Access	Options	Completion	Count
395	C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	read attributes and synchronize and generic read	synchronous io non alert and non directory file	success or wait	1
395	C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	read attributes and synchronize and generic read	synchronous io non alert and non directory file	success or wait	26
395	C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	read attributes and synchronize and generic read	synchronous io non alert and non directory file	success or wait	11
0	C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	read attributes and synchronize and generic read	synchronous io non alert and non directory file	object name not found	1

File created
Reputation	File Path	Access	Attributes	Options	Completion	Count

File overwritten
Reputation	File Path	Access	Options	Completion	Count

File deleted
Reputation	File Path	Completion	Count
0	C:\bfgbhk.ex.exe	cannot delete	11
0	C:\BFGBHK~1.EXE	cannot delete	11
0	C:\bfgbhk.ex.exe	success or wait	1
15	C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1

File renamed
Reputation	Old File Path	New File Path	Completion	Count

File written
Reputation	File Path	Completion	Count

Other file operations
Reputation	File Path	Disposition	Data	Completion	Count
0	C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	PositionInformation	00 00 00 00 00 00 00 00	success or wait	35
0	C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	PositionInformation	07 00 00 00 00 00 00 00	success or wait	38
0	C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	PositionInformation	1F 00 00 00 00 00 00 00	success or wait	60
0	C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	PositionInformation	46 00 00 00 00 00 00 00	success or wait	71
0	C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	PositionInformation	72 00 00 00 00 00 00 00	success or wait	25

Section Activities:

Section opened
Reputation	File Path	Access	Base	Entrypoint	Size	Mapped to pid	Completion	Count
40475	\KnownDlls\kernel32.dll	map write and map read and map execute	7C800000	7C80B64E	F6000	own pid	success or wait	1
129	\NLS\NlsSectionUnicode	map read	00260000	not known	15DF4	own pid	success or wait	1
890	\NLS\NlsSectionLocale	map read	00280000	not known	40EDC	own pid	success or wait	1
891	\NLS\NlsSectionSortkey	query and map read	002D0000	not known	40004	own pid	success or wait	1
893	\NLS\NlsSectionSortTbls	map read	00320000	not known	5A04	own pid	success or wait	1
82482	\NLS\NlsSectionSortkey00000409	map read	not known	not known	not known	own pid	object name not found	2
14883	\KnownDlls\msvcrt.dll	map write and map read and map execute	77C10000	77C1F2A1	58000	own pid	success or wait	1
33945	\KnownDlls\USER32.dll	map write and map read and map execute	7E410000	7E41B217	91000	own pid	success or wait	1
37497	\KnownDlls\GDI32.dll	map write and map read and map execute	77F10000	77F16587	49000	own pid	success or wait	1
175	\NLS\NlsSectionCType	map read	00340000	not known	20C2	own pid	success or wait	1
35518	\KnownDlls\ADVAPI32.dll	map write and map read and map execute	77DD0000	77DD710B	9B000	own pid	success or wait	1
40913	\KnownDlls\RPCRT4.dll	map write and map read and map execute	77E70000	77E7628F	92000	own pid	success or wait	1
40856	\KnownDlls\Secur32.dll	map write and map read and map execute	77FE0000	77FE2146	11000	own pid	success or wait	1

Section created
Reputation	File Path	Access	Attributes	Base	Entrypoint	Size	Protection	Mapped to pid	Completion	Count
2466	not known	query and map write and map read and map execute and extend size	reserve	not known	not known	10000	read write	own pid	success or wait	1
288	C:\WINDOWS\system32\imm32.dll	map write and map read and map execute	commit	00420000	not known	1AE00	execute	own pid	success or wait	2
39628	C:\WINDOWS\system32\imm32.dll	query and map write and map read and map execute	image	76390000	763912C0	1D000	execute	own pid	success or wait	1
0	C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	query and map read	commit	00860000	not known	72	readonly	own pid	success or wait	1

Registry Activities:

Key opened
Reputation	Key Path	Access	Completion	Count
11176	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe	generic read	object name not found	2
91200	HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server	query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1
4417	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msvcrt.dll	generic read	object name not found	1
39197	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GDI32.dll	generic read	object name not found	1
33679	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\USER32.dll	generic read	object name not found	1
71638	HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager	query value and read or execute	success or wait	1
96399	HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot\Option	query value and set value and read or execute and write	object name not found	2
26786	HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers	query value and read or execute	success or wait	4
39584	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers	query value and read or execute	object name not found	1
6164	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Secur32.dll	generic read	object name not found	1
40564	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RPCRT4.dll	generic read	object name not found	1
707	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ADVAPI32.dll	generic read	object name not found	1
51069	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon	query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1
77159	HKEY_LOCAL_MACHINE	maximum allowed	success or wait	1
5318	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Diagnostics	query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1
39518	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IMM32.DLL	generic read	object name not found	1
20955	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ntdll.dll	generic read	object name not found	1
39992	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kernel32.dll	generic read	object name not found	1
52210	HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Error Message Instrument\	query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1
81554	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize	query value and enumerate sub key and notify and read or execute and write and read control	success or wait	2
24208	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows	query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1
10969	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003	maximum allowed	success or wait	1
3690	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Policies\Microsoft\Windows\System	query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1
3871	HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	maximum allowed	success or wait	1
3690	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Command Processor	maximum allowed	success or wait	1
1350	HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale	query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1
13402	HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale\Alternate Sorts	query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1
13416	HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Language Groups	query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1
17347	HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\LevelObjects	query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1
1844	HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths	query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1
17103	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{dda3f824-d8cb-441b-834d-be2efd2c1a33}	query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1
3362	HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes	query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1
1840	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328}	query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1
1901	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}	query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1
17108	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}	query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1
1840	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d}	query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1
2593	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}	query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1
4216	HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\UrlZones	query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1
14565	HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Paths	query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1
2637	HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Hashes	query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1
17320	HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\UrlZones	query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1
17349	HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Paths	query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1
17342	HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Hashes	query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1
17358	HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\UrlZones	query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1
17299	HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Paths	query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1
1862	HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Hashes	query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1
17306	HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\UrlZones	query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1
8514	HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths	query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1
1848	HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Hashes	query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1
17317	HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\UrlZones	query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1
17121	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths	query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1
1845	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes	query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1
17112	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\UrlZones	query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1
1765	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Paths	query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1
13111	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Hashes	query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1
1754	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\UrlZones	query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1
17105	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Paths	query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1
17073	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Hashes	query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1
17100	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\UrlZones	query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1
1844	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Paths	query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1
1828	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Hashes	query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1
17104	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\UrlZones	query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1
1829	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths	query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1
17134	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Hashes	query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1
17069	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\UrlZones	query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1
2738	HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers	query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1
17089	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers	query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1
167058	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003	query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1
11150	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders	query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1

Key created
Reputation	Key Path	Access	Options	Completion	Count

Key deleted
Reputation	Key Path	Completion	Count

Key value deleted
Reputation	Key Path	Key Value Name	Completion	Count

Key value set
Reputation	Key Path	Name	Type	Data	Completion	Count

Key value replaced with new
Reputation	Key Path	Name	Type	Old Data	New Data	Completion	Count

Key value replaced with same
Reputation	Key Path	Name	Type	Data	Completion	Count

Key value queried
Reputation	Key Path	Name	Completion	Count
83709	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Terminal Server	TSAppCompat	success or wait	1
54359	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager	SafeDllSearchMode	object name not found	1
59209	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers	TransparentEnabled	success or wait	1
51204	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon	LeakTrack	object name not found	1
553	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize	DisableMetaFiles	object name not found	1
39787	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows	AppInit_DLLs	success or wait	1
4004	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor	DisableUNCCheck	object name not found	1
3998	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor	EnableExtensions	success or wait	1
4006	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor	DelayedExpansion	object name not found	1
4018	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor	DefaultColor	success or wait	1
4011	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor	CompletionChar	success or wait	1
4021	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor	PathCompletionChar	success or wait	1
407	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor	AutoRun	success or wait	1
415	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Command Processor	DisableUNCCheck	object name not found	1
3189	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Command Processor	EnableExtensions	success or wait	1
3694	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Command Processor	DelayedExpansion	object name not found	1
3696	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Command Processor	DefaultColor	success or wait	1
3694	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Command Processor	CompletionChar	success or wait	1
3680	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Command Processor	PathCompletionChar	object name not found	1
3700	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Command Processor	AutoRun	object name not found	1
17039	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale	00000409	success or wait	1
13112	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups	1	success or wait	1
17163	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers	Levels	object name not found	1
17125	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{dda3f824-d8cb-441b-834d-be2efd2c1a33}	ItemData	success or wait	1
17170	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{dda3f824-d8cb-441b-834d-be2efd2c1a33}	SaferFlags	success or wait	1
17173	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328}	ItemData	success or wait	1
17187	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328}	HashAlg	success or wait	1
1836	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328}	ItemSize	success or wait	1
6713	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328}	SaferFlags	success or wait	1
17132	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}	ItemData	success or wait	1
17177	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}	HashAlg	success or wait	1
17158	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}	ItemSize	success or wait	1
17151	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}	SaferFlags	success or wait	1
17177	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}	ItemData	success or wait	1
17160	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}	HashAlg	success or wait	1
9133	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}	ItemSize	success or wait	1
17158	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}	SaferFlags	success or wait	1
17186	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d}	ItemData	success or wait	1
13416	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d}	HashAlg	success or wait	1
8727	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d}	ItemSize	success or wait	1
17123	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d}	SaferFlags	success or wait	1
17163	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}	ItemData	success or wait	1
17158	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}	HashAlg	success or wait	1
17192	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}	ItemSize	success or wait	1
17142	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}	SaferFlags	success or wait	1
17147	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers	DefaultLevel	success or wait	1
9120	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers	PolicyScope	success or wait	1
4605	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders	Cache	buffer overflow	1
9255	HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders	Cache	success or wait	1
27376	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers	LogFileName	object name not found	1
553	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize	DisableMetaFiles	object name not found	1

Mutant Activities:

Mutant opened
Reputation	Name	Completion	Count

Mutant created
Reputation	Name	Completion	Count

Mutant released
Reputation	Name	Completion	Count

Process Activities:

Process started
Reputation	PID	Filepath	Cmdline	Flags	Completion	Count

Process opened
Reputation	PID	Access	Filepath	Cmdline	Completion	Count

Process suspended
Reputation	PID	Filepath	Cmdline	Completion	Count

Process terminated
Reputation	PID	Filepath	Completion	Count
5386	492	C:\WINDOWS\system32\cmd.exe	success or wait	1
5386	492	C:\WINDOWS\system32\cmd.exe	success or wait	1

Thread Activities:

Thread opened
Reputation	TID	PID	Filepath	Access	Completion	Count

Thread created
Reputation	TID	PID	EIP	Filepath	Access	Completion	Count

Thread APC queued
Reputation	TID	PID	Path	Completion	Count

Thread context set
Reputation	TID	PID	DR0	DR1	DR2	DR3	DR7	EFLAGS	EIP	Completion	Count

Thread continue
Reputation	TID	DR0	DR1	DR2	DR3	DR7	EFLAGS	EIP	Completion	Count
29735	1424	0	0	0	0	0	200	7C810705	no status	1

Thread context got
Reputation	TID	PID	DR0	DR1	DR2	DR3	DR7	EFLAGS	EIP	Completion	Count

Thread delayed
Reputation	TID	Delay	Completion	Count

Thread terminated
Reputation	TID	PID	Completion	Count

Memory Activities:

Memory read
Reputation	PID	Path	Base	Completion	Count

Memory written
Reputation	PID	Filepath	Base	Completion	Count

Driver Activities:

Driver loaded
Reputation	Service name path	Completion	Count

Driver unloaded
Reputation	Service name path	Completion	Count

System Activities:

System information set
Reputation	System info class	Data	Completion	Count

System information queried
Reputation	System info class	Completion	Count
1881168	BasicInformation	success or wait	3
47532	RangeStartInformation	success or wait	1
1881168	BasicInformation	success or wait	1
1881168	BasicInformation	success or wait	1
1881168	BasicInformation	success or wait	1
1881168	BasicInformation	success or wait	1

Time Activities:

Performance counter queried
Reputation	Count	Frequency	Completion	Count
1585156	1640923705	3579545	success or wait	1

System resolution queried
Reputation	Minimum resolution	Maximum resolution	Current resolution	Completion	Count

System time queried
Reputation	Time	Completion	Count

User Activities:

Window created
Reputation	Window name	Class name	Completion	Count

Window found
Reputation	Window name	Class name	Completion	Count

Window hook set
Reputation	Module	Thread id	Hook code	Completion	Count

Key async got
Reputation	Virtual key code	Key state	Count

Keyboard state got
Reputation	Completion	Count

Key state got
Reputation	Virtual key code	State	Count

Debug Activities:

System debug info set
Reputation	Debug info class	Input data	Output data	Completion	Count

Exception Activities:

Exception raised
Reputation	Exception code	Address	Completion	Count

Chronological sections
Operation	Data	Completion	Time
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe Access: generic read	object name not found	1639246040
System info queried	Type: BasicInformation	success or wait	1639297420
System info queried	Type: BasicInformation	success or wait	1639356181
Section opened	Access: map write and map read and map execute Baseaddress: 7C800000 Size: F6000 Mapped to pid: own pid Path: \KnownDlls\kernel32.dll	success or wait	1639390475
System info queried	Type: RangeStartInformation	success or wait	1639471434
System info queried	Type: BasicInformation	success or wait	1639471826
Section created	Access: query and map write and map read and map execute and extend size Protection: read write Attributes: reserve Path: not known Type: reserve Baseaddress: not known Entrypoint: not known Mapped to pid: own pid Size: 10000	success or wait	1639524280
System info queried	Type: BasicInformation	success or wait	1639547870
Key opened	Path: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server Access: query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1639613236
Key value queried	Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Terminal Server Name: TSAppCompat	success or wait	1639624496
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe Access: generic read	object name not found	1639631329
Section opened	Access: map read Baseaddress: 00260000 Size: 15DF4 Mapped to pid: own pid Path: \NLS\NlsSectionUnicode	success or wait	1639634921
Section opened	Access: map read Baseaddress: 00280000 Size: 40EDC Mapped to pid: own pid Path: \NLS\NlsSectionLocale	success or wait	1639646605
Section opened	Access: query and map read Baseaddress: 002D0000 Size: 40004 Mapped to pid: own pid Path: \NLS\NlsSectionSortkey	success or wait	1639647670
Section opened	Access: map read Baseaddress: 00320000 Size: 5A04 Mapped to pid: own pid Path: \NLS\NlsSectionSortTbls	success or wait	1639655948
Section opened	Access: map read Baseaddress: not known Size: not known Mapped to pid: own pid Path: \NLS\NlsSectionSortkey00000409	object name not found	1639668882
Section opened	Access: map read Baseaddress: not known Size: not known Mapped to pid: own pid Path: \NLS\NlsSectionSortkey00000409	object name not found	1639669379
Section opened	Access: map write and map read and map execute Baseaddress: 77C10000 Size: 58000 Mapped to pid: own pid Path: \KnownDlls\msvcrt.dll	success or wait	1639708876
Section opened	Access: map write and map read and map execute Baseaddress: 7E410000 Size: 91000 Mapped to pid: own pid Path: \KnownDlls\USER32.dll	success or wait	1640574418
Section opened	Access: map write and map read and map execute Baseaddress: 77F10000 Size: 49000 Mapped to pid: own pid Path: \KnownDlls\GDI32.dll	success or wait	1640586845
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msvcrt.dll Access: generic read	object name not found	1640641341
System info queried	Type: BasicInformation	success or wait	1640647453
Section opened	Access: map read Baseaddress: 00340000 Size: 20C2 Mapped to pid: own pid Path: \NLS\NlsSectionCType	success or wait	1640673608
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GDI32.dll Access: generic read	object name not found	1640686182
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\USER32.dll Access: generic read	object name not found	1640688510
System info queried	Type: BasicInformation	success or wait	1640694961
Key opened	Path: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager Access: query value and read or execute	success or wait	1640700569
Key value queried	Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager Name: SafeDllSearchMode	object name not found	1640701317
Section created	Access: map write and map read and map execute Protection: execute Attributes: commit Path: not known Type: commit Baseaddress: 00420000 Entrypoint: not known Mapped to pid: own pid Size: 1AE00	success or wait	1640711369
Section created	Access: map write and map read and map execute Protection: execute Attributes: commit Path: not known Type: commit Baseaddress: 00420000 Entrypoint: not known Mapped to pid: own pid Size: 1AE00	success or wait	1640733009
Section created	Access: query and map write and map read and map execute Protection: execute Attributes: image Path: not known Type: image Baseaddress: 76390000 Entrypoint: 763912C0 Mapped to pid: own pid Size: 1D000	success or wait	1640747333
Key opened	Path: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot\Option Access: query value and set value and read or execute and write	object name not found	1640757315
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Access: query value and read or execute	success or wait	1640760828
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers Name: TransparentEnabled	success or wait	1640761656
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Access: query value and read or execute	object name not found	1640774631
Section opened	Access: map write and map read and map execute Baseaddress: 77DD0000 Size: 9B000 Mapped to pid: own pid Path: \KnownDlls\ADVAPI32.dll	success or wait	1640787560
Section opened	Access: map write and map read and map execute Baseaddress: 77E70000 Size: 92000 Mapped to pid: own pid Path: \KnownDlls\RPCRT4.dll	success or wait	1640807415
Section opened	Access: map write and map read and map execute Baseaddress: 77FE0000 Size: 11000 Mapped to pid: own pid Path: \KnownDlls\Secur32.dll	success or wait	1640835302
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Secur32.dll Access: generic read	object name not found	1640880278
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RPCRT4.dll Access: generic read	object name not found	1640887497
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ADVAPI32.dll Access: generic read	object name not found	1640887878
Key opened	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Access: query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1640888340
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Name: LeakTrack	object name not found	1640888747
Key opened	Path: HKEY_LOCAL_MACHINE Access: maximum allowed	success or wait	1640896690
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Diagnostics Access: query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1640897121
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IMM32.DLL Access: generic read	object name not found	1640897733
System info queried	Type: BasicInformation	success or wait	1640903087
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ntdll.dll Access: generic read	object name not found	1640904843
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kernel32.dll Access: generic read	object name not found	1640905086
Key opened	Path: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Error Message Instrument\ Access: query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1640905629
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize Access: query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1640911128
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize Name: DisableMetaFiles	object name not found	1640912308
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows Access: query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1640915283
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Name: AppInit_DLLs	success or wait	1640915532
Thread continue	TID: 1424 DR0: 0 DR1: 0 DR2: 0 DR3: 0 DR7: 0 EIP: 7C810705 EFLAGS: 200	no status	1640922698
Performance counter queried	Count: 1640923705 Frequency: 3579545	success or wait	1640923683
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003 Access: maximum allowed	success or wait	1640932298
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Policies\Microsoft\Windows\System Access: query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1640937471
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor Access: maximum allowed	success or wait	1640953818
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor Name: DisableUNCCheck	object name not found	1640954149
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor Name: EnableExtensions	success or wait	1640954418
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor Name: DelayedExpansion	object name not found	1640954680
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor Name: DefaultColor	success or wait	1640954938
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor Name: CompletionChar	success or wait	1640959632
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor Name: PathCompletionChar	success or wait	1640960902
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor Name: AutoRun	success or wait	1640961164
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Command Processor Access: maximum allowed	success or wait	1640961561
Key value queried	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Command Processor Name: DisableUNCCheck	object name not found	1640961830
Key value queried	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Command Processor Name: EnableExtensions	success or wait	1640967323
Key value queried	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Command Processor Name: DelayedExpansion	object name not found	1640968656
Key value queried	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Command Processor Name: DefaultColor	success or wait	1640968923
Key value queried	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Command Processor Name: CompletionChar	success or wait	1640969186
Key value queried	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Command Processor Name: PathCompletionChar	object name not found	1640969450
Key value queried	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Command Processor Name: AutoRun	object name not found	1640969711
Key opened	Path: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale Access: query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1641022090
Key opened	Path: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale\Alternate Sorts Access: query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1641027119
Key opened	Path: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Language Groups Access: query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1641027524
Key value queried	Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale Name: 00000409	success or wait	1641027809
Key value queried	Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups Name: 1	success or wait	1641028342
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\LevelObjects Access: query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1641073371
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Access: query value and read or execute	success or wait	1641073796
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers Name: Levels	object name not found	1641078729
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths Access: query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1641080133
Key opened	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{dda3f824-d8cb-441b-834d-be2efd2c1a33} Access: query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1641080843
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{dda3f824-d8cb-441b-834d-be2efd2c1a33} Name: ItemData	success or wait	1641084808
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{dda3f824-d8cb-441b-834d-be2efd2c1a33} Name: SaferFlags	success or wait	1641086204
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes Access: query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1641087162
Key opened	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328} Access: query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1641091865
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328} Name: ItemData	success or wait	1641092099
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328} Name: HashAlg	success or wait	1641092458
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328} Name: ItemSize	success or wait	1641092810
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328} Name: SaferFlags	success or wait	1641093163
Key opened	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91} Access: query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1641098402
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91} Name: ItemData	success or wait	1641098638
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91} Name: HashAlg	success or wait	1641099030
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91} Name: ItemSize	success or wait	1641099383
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91} Name: SaferFlags	success or wait	1641102887
Key opened	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f} Access: query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1641104725
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f} Name: ItemData	success or wait	1641104960
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f} Name: HashAlg	success or wait	1641105352
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f} Name: ItemSize	success or wait	1641108925
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f} Name: SaferFlags	success or wait	1641110290
Key opened	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d} Access: query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1641111132
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d} Name: ItemData	success or wait	1641111366
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d} Name: HashAlg	success or wait	1641115681
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d} Name: ItemSize	success or wait	1641117051
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d} Name: SaferFlags	success or wait	1641117413
Key opened	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc} Access: query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1641132028
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc} Name: ItemData	success or wait	1641132944
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc} Name: HashAlg	success or wait	1641133353
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc} Name: ItemSize	success or wait	1641133711
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc} Name: SaferFlags	success or wait	1641134106
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\UrlZones Access: query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1641147250
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Paths Access: query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1641147499
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Hashes Access: query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1641147753
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\UrlZones Access: query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1641148005
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Paths Access: query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1641156064
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Hashes Access: query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1641157484
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\UrlZones Access: query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1641157716
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Paths Access: query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1641157941
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Hashes Access: query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1641158166
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\UrlZones Access: query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1641158389
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths Access: query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1641166742
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Hashes Access: query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1641167888
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\UrlZones Access: query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1641168114
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths Access: query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1641177341
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes Access: query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1641187953
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\UrlZones Access: query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1641189973
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Paths Access: query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1641199476
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Hashes Access: query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1641207112
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\UrlZones Access: query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1641216238
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Paths Access: query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1641224438
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Hashes Access: query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1641229522
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\UrlZones Access: query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1641231412
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Paths Access: query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1641237442
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Hashes Access: query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1641242750
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\UrlZones Access: query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1641247948
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths Access: query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1641253562
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Hashes Access: query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1641257658
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\UrlZones Access: query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1641264089
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Access: query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1641264459
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers Name: DefaultLevel	success or wait	1641264724
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Access: query value and enumerate sub key and notify and read or execute and write and read control	object name not found	1641270229
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Access: query value and read or execute	success or wait	1641277227
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers Name: PolicyScope	success or wait	1641277673
File opened	Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd Access: read attributes and synchronize and generic read Disposition: open Options: synchronous io non alert and non directory file Attributes: normal	success or wait	1641282580
Section created	Access: query and map read Protection: readonly Attributes: commit Path: not known Type: commit Baseaddress: 00860000 Entrypoint: not known Mapped to pid: own pid Size: 72	success or wait	1641311185
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003 Access: query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1641316891
Key opened	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders Access: query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1641317611
Key value queried	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders Name: Cache	buffer overflow	1641321996
Key value queried	Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders Name: Cache	success or wait	1641322320
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Access: query value and read or execute	success or wait	1641328874
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers Name: LogFileName	object name not found	1641329123
Key opened	Path: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot\Option Access: query value and set value and read or execute and write	object name not found	1641330131
File opened	Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd Access: read attributes and synchronize and generic read Disposition: open Options: synchronous io non alert and non directory file Attributes: normal	success or wait	1641346649
File other operation	Disposition: PositionInformation Data: 00 00 00 00 00 00 00 00 Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1641348164
File other operation	Disposition: PositionInformation Data: 00 00 00 00 00 00 00 00 Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1641348571
File read	Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1641348784
File other operation	Disposition: PositionInformation Data: 07 00 00 00 00 00 00 00 Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1641363526
File other operation	Disposition: PositionInformation Data: 07 00 00 00 00 00 00 00 Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1641364333
File other operation	Disposition: PositionInformation Data: 07 00 00 00 00 00 00 00 Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1641371932
File opened	Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd Access: read attributes and synchronize and generic read Disposition: open Options: synchronous io non alert and non directory file Attributes: normal	success or wait	1641373554
File other operation	Disposition: PositionInformation Data: 07 00 00 00 00 00 00 00 Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1641374153
File other operation	Disposition: PositionInformation Data: 07 00 00 00 00 00 00 00 Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1641378177
File read	Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1641379379
File other operation	Disposition: PositionInformation Data: 1F 00 00 00 00 00 00 00 Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1641385991
File other operation	Disposition: PositionInformation Data: 1F 00 00 00 00 00 00 00 Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1641386525
File other operation	Disposition: PositionInformation Data: 1F 00 00 00 00 00 00 00 Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1641391654
File deleted	Path: C:\bfgbhk.ex.exe	cannot delete	1641441535
File deleted	Path: C:\BFGBHK~1.EXE	cannot delete	1641443758
File opened	Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd Access: read attributes and synchronize and generic read Disposition: open Options: synchronous io non alert and non directory file Attributes: normal	success or wait	1641492126
File other operation	Disposition: PositionInformation Data: 1F 00 00 00 00 00 00 00 Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1641493505
File other operation	Disposition: PositionInformation Data: 1F 00 00 00 00 00 00 00 Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1641499827
File read	Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1641500039
File other operation	Disposition: PositionInformation Data: 46 00 00 00 00 00 00 00 Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1641507841
File other operation	Disposition: PositionInformation Data: 46 00 00 00 00 00 00 00 Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1641750924
File other operation	Disposition: PositionInformation Data: 46 00 00 00 00 00 00 00 Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1641751400
File opened	Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd Access: read attributes and synchronize and generic read Disposition: open Options: synchronous io non alert and non directory file Attributes: normal	success or wait	1641790205
File other operation	Disposition: PositionInformation Data: 46 00 00 00 00 00 00 00 Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1641790815
File other operation	Disposition: PositionInformation Data: 46 00 00 00 00 00 00 00 Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1641796258
File other operation	Disposition: PositionInformation Data: 46 00 00 00 00 00 00 00 Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1641801772
File read	Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1641802079
File other operation	Disposition: PositionInformation Data: 72 00 00 00 00 00 00 00 Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1641802828
File other operation	Disposition: PositionInformation Data: 72 00 00 00 00 00 00 00 Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1641807415
File read	Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	end of file	1641807718
File other operation	Disposition: PositionInformation Data: 00 00 00 00 00 00 00 00 Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1641811960
File other operation	Disposition: PositionInformation Data: 00 00 00 00 00 00 00 00 Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1641812412
File other operation	Disposition: PositionInformation Data: 00 00 00 00 00 00 00 00 Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1641813130
File read	Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1641818167
File other operation	Disposition: PositionInformation Data: 07 00 00 00 00 00 00 00 Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1641818869
File opened	Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd Access: read attributes and synchronize and generic read Disposition: open Options: synchronous io non alert and non directory file Attributes: normal	success or wait	1641827528
File other operation	Disposition: PositionInformation Data: 07 00 00 00 00 00 00 00 Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1641829451
File other operation	Disposition: PositionInformation Data: 07 00 00 00 00 00 00 00 Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1641829819
File read	Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1641830023
File other operation	Disposition: PositionInformation Data: 1F 00 00 00 00 00 00 00 Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1641841768
File other operation	Disposition: PositionInformation Data: 1F 00 00 00 00 00 00 00 Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1641847099
File other operation	Disposition: PositionInformation Data: 1F 00 00 00 00 00 00 00 Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1641847457
File deleted	Path: C:\bfgbhk.ex.exe	cannot delete	1642029173
File deleted	Path: C:\BFGBHK~1.EXE	cannot delete	1642034706
File opened	Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd Access: read attributes and synchronize and generic read Disposition: open Options: synchronous io non alert and non directory file Attributes: normal	success or wait	1642074897
File other operation	Disposition: PositionInformation Data: 1F 00 00 00 00 00 00 00 Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1642080087
File other operation	Disposition: PositionInformation Data: 1F 00 00 00 00 00 00 00 Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1642080453
File read	Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1642080658
File other operation	Disposition: PositionInformation Data: 46 00 00 00 00 00 00 00 Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1642104267
File other operation	Disposition: PositionInformation Data: 46 00 00 00 00 00 00 00 Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1642105978
File other operation	Disposition: PositionInformation Data: 46 00 00 00 00 00 00 00 Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1642106447
File opened	Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd Access: read attributes and synchronize and generic read Disposition: open Options: synchronous io non alert and non directory file Attributes: normal	success or wait	1642153424
File other operation	Disposition: PositionInformation Data: 46 00 00 00 00 00 00 00 Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1642153926
File other operation	Disposition: PositionInformation Data: 46 00 00 00 00 00 00 00 Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1642156325
File other operation	Disposition: PositionInformation Data: 46 00 00 00 00 00 00 00 Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1642156834
File read	Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1642157189
File other operation	Disposition: PositionInformation Data: 72 00 00 00 00 00 00 00 Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1642161983
File other operation	Disposition: PositionInformation Data: 72 00 00 00 00 00 00 00 Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1642162494
File read	Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	end of file	1642162879
File other operation	Disposition: PositionInformation Data: 00 00 00 00 00 00 00 00 Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1642167325
File other operation	Disposition: PositionInformation Data: 00 00 00 00 00 00 00 00 Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1642167761
File other operation	Disposition: PositionInformation Data: 00 00 00 00 00 00 00 00 Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1642168585
File read	Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1642172762
File other operation	Disposition: PositionInformation Data: 07 00 00 00 00 00 00 00 Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1642173366
File opened	Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd Access: read attributes and synchronize and generic read Disposition: open Options: synchronous io non alert and non directory file Attributes: normal	success or wait	1642181308
File other operation	Disposition: PositionInformation Data: 07 00 00 00 00 00 00 00 Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1642183586
File other operation	Disposition: PositionInformation Data: 07 00 00 00 00 00 00 00 Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1642183937
File read	Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1642184132
File other operation	Disposition: PositionInformation Data: 1F 00 00 00 00 00 00 00 Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1642192969
File other operation	Disposition: PositionInformation Data: 1F 00 00 00 00 00 00 00 Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1642193517
File other operation	Disposition: PositionInformation Data: 1F 00 00 00 00 00 00 00 Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1642193881
File deleted	Path: C:\bfgbhk.ex.exe	cannot delete	1642236805
File deleted	Path: C:\BFGBHK~1.EXE	cannot delete	1642242447
File opened	Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd Access: read attributes and synchronize and generic read Disposition: open Options: synchronous io non alert and non directory file Attributes: normal	success or wait	1642278260
File other operation	Disposition: PositionInformation Data: 1F 00 00 00 00 00 00 00 Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1642278766
File other operation	Disposition: PositionInformation Data: 1F 00 00 00 00 00 00 00 Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1642283602
File read	Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1642283907
File other operation	Disposition: PositionInformation Data: 46 00 00 00 00 00 00 00 Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1643129381
File other operation	Disposition: PositionInformation Data: 46 00 00 00 00 00 00 00 Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1643130125
File other operation	Disposition: PositionInformation Data: 46 00 00 00 00 00 00 00 Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1643140036
File opened	Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd Access: read attributes and synchronize and generic read Disposition: open Options: synchronous io non alert and non directory file Attributes: normal	success or wait	1643198656
File other operation	Disposition: PositionInformation Data: 46 00 00 00 00 00 00 00 Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1643202241
File other operation	Disposition: PositionInformation Data: 46 00 00 00 00 00 00 00 Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1643203781
File other operation	Disposition: PositionInformation Data: 46 00 00 00 00 00 00 00 Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1643207930
File read	Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1643209152
File other operation	Disposition: PositionInformation Data: 72 00 00 00 00 00 00 00 Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1643209906
File other operation	Disposition: PositionInformation Data: 72 00 00 00 00 00 00 00 Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1643213920
File read	Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	end of file	1643215009
File other operation	Disposition: PositionInformation Data: 00 00 00 00 00 00 00 00 Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1643216360
File other operation	Disposition: PositionInformation Data: 00 00 00 00 00 00 00 00 Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1643216697
File other operation	Disposition: PositionInformation Data: 00 00 00 00 00 00 00 00 Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1643221624
File read	Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1643221821
File other operation	Disposition: PositionInformation Data: 07 00 00 00 00 00 00 00 Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1643222332
File opened	Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd Access: read attributes and synchronize and generic read Disposition: open Options: synchronous io non alert and non directory file Attributes: normal	success or wait	1643231149
File other operation	Disposition: PositionInformation Data: 07 00 00 00 00 00 00 00 Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1643231595
File other operation	Disposition: PositionInformation Data: 07 00 00 00 00 00 00 00 Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1643236630
File read	Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1643236833
File other operation	Disposition: PositionInformation Data: 1F 00 00 00 00 00 00 00 Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1643243048
File other operation	Disposition: PositionInformation Data: 1F 00 00 00 00 00 00 00 Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1643246635
File other operation	Disposition: PositionInformation Data: 1F 00 00 00 00 00 00 00 Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1643248507
File deleted	Path: C:\bfgbhk.ex.exe	cannot delete	1643293804
File deleted	Path: C:\BFGBHK~1.EXE	cannot delete	1643299265
File opened	Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd Access: read attributes and synchronize and generic read Disposition: open Options: synchronous io non alert and non directory file Attributes: normal	success or wait	1643343298
File other operation	Disposition: PositionInformation Data: 1F 00 00 00 00 00 00 00 Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1643344000
File other operation	Disposition: PositionInformation Data: 1F 00 00 00 00 00 00 00 Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1643344357
File read	Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1643347746
File other operation	Disposition: PositionInformation Data: 46 00 00 00 00 00 00 00 Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1643354929
File other operation	Disposition: PositionInformation Data: 46 00 00 00 00 00 00 00 Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1643355445
File other operation	Disposition: PositionInformation Data: 46 00 00 00 00 00 00 00 Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1643359129
File opened	Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd Access: read attributes and synchronize and generic read Disposition: open Options: synchronous io non alert and non directory file Attributes: normal	success or wait	1643384626
File other operation	Disposition: PositionInformation Data: 46 00 00 00 00 00 00 00 Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1643385207
File other operation	Disposition: PositionInformation Data: 46 00 00 00 00 00 00 00 Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1643390109
File other operation	Disposition: PositionInformation Data: 46 00 00 00 00 00 00 00 Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1643390618
File read	Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1643390812
File other operation	Disposition: PositionInformation Data: 72 00 00 00 00 00 00 00 Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1643395627
File other operation	Disposition: PositionInformation Data: 72 00 00 00 00 00 00 00 Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1643397022
File read	Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	end of file	1643397221
File other operation	Disposition: PositionInformation Data: 00 00 00 00 00 00 00 00 Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1643401143
File other operation	Disposition: PositionInformation Data: 00 00 00 00 00 00 00 00 Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1643402531
File other operation	Disposition: PositionInformation Data: 00 00 00 00 00 00 00 00 Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1643403041
File read	Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1643406244
File other operation	Disposition: PositionInformation Data: 07 00 00 00 00 00 00 00 Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1643407815
File opened	Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd Access: read attributes and synchronize and generic read Disposition: open Options: synchronous io non alert and non directory file Attributes: normal	success or wait	1643412219
File other operation	Disposition: PositionInformation Data: 07 00 00 00 00 00 00 00 Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1643417508
File other operation	Disposition: PositionInformation Data: 07 00 00 00 00 00 00 00 Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1643417974
File read	Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1643418175
File other operation	Disposition: PositionInformation Data: 1F 00 00 00 00 00 00 00 Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1643425105
File other operation	Disposition: PositionInformation Data: 1F 00 00 00 00 00 00 00 Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1643430227
File other operation	Disposition: PositionInformation Data: 1F 00 00 00 00 00 00 00 Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1643430593
File deleted	Path: C:\bfgbhk.ex.exe	cannot delete	1643469648
File deleted	Path: C:\BFGBHK~1.EXE	cannot delete	1643470603
File opened	Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd Access: read attributes and synchronize and generic read Disposition: open Options: synchronous io non alert and non directory file Attributes: normal	success or wait	1643512179
File other operation	Disposition: PositionInformation Data: 1F 00 00 00 00 00 00 00 Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1643512769
File other operation	Disposition: PositionInformation Data: 1F 00 00 00 00 00 00 00 Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1643513117
File read	Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1643513463
File other operation	Disposition: PositionInformation Data: 46 00 00 00 00 00 00 00 Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1643526391
File other operation	Disposition: PositionInformation Data: 46 00 00 00 00 00 00 00 Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1643532351
File other operation	Disposition: PositionInformation Data: 46 00 00 00 00 00 00 00 Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1643532769
File opened	Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd Access: read attributes and synchronize and generic read Disposition: open Options: synchronous io non alert and non directory file Attributes: normal	success or wait	1643574897
File other operation	Disposition: PositionInformation Data: 46 00 00 00 00 00 00 00 Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1643576498
File other operation	Disposition: PositionInformation Data: 46 00 00 00 00 00 00 00 Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1643577015
File other operation	Disposition: PositionInformation Data: 46 00 00 00 00 00 00 00 Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1643582858
File read	Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1643583086
File other operation	Disposition: PositionInformation Data: 72 00 00 00 00 00 00 00 Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1643583846
File other operation	Disposition: PositionInformation Data: 72 00 00 00 00 00 00 00 Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1643590288
File read	Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	end of file	1643593880
File other operation	Disposition: PositionInformation Data: 00 00 00 00 00 00 00 00 Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1643595604
File other operation	Disposition: PositionInformation Data: 00 00 00 00 00 00 00 00 Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1643595953
File other operation	Disposition: PositionInformation Data: 00 00 00 00 00 00 00 00 Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1643600533
File read	Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1643601921
File other operation	Disposition: PositionInformation Data: 07 00 00 00 00 00 00 00 Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1643602443
File opened	Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd Access: read attributes and synchronize and generic read Disposition: open Options: synchronous io non alert and non directory file Attributes: normal	success or wait	1643614325
File other operation	Disposition: PositionInformation Data: 07 00 00 00 00 00 00 00 Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1643615158
File other operation	Disposition: PositionInformation Data: 07 00 00 00 00 00 00 00 Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1643621401
File read	Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1643621758
File other operation	Disposition: PositionInformation Data: 1F 00 00 00 00 00 00 00 Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1643627999
File other operation	Disposition: PositionInformation Data: 1F 00 00 00 00 00 00 00 Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1643634501
File other operation	Disposition: PositionInformation Data: 1F 00 00 00 00 00 00 00 Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1643634867
File deleted	Path: C:\bfgbhk.ex.exe	cannot delete	1643714689
File deleted	Path: C:\BFGBHK~1.EXE	cannot delete	1643721141
File opened	Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd Access: read attributes and synchronize and generic read Disposition: open Options: synchronous io non alert and non directory file Attributes: normal	success or wait	1643757599
File other operation	Disposition: PositionInformation Data: 1F 00 00 00 00 00 00 00 Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1643758096
File other operation	Disposition: PositionInformation Data: 1F 00 00 00 00 00 00 00 Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1643762889
File read	Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1643763089
File other operation	Disposition: PositionInformation Data: 46 00 00 00 00 00 00 00 Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1643768462
File other operation	Disposition: PositionInformation Data: 46 00 00 00 00 00 00 00 Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1643773799
File other operation	Disposition: PositionInformation Data: 46 00 00 00 00 00 00 00 Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1643774226
File opened	Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd Access: read attributes and synchronize and generic read Disposition: open Options: synchronous io non alert and non directory file Attributes: normal	success or wait	1643824610
File other operation	Disposition: PositionInformation Data: 46 00 00 00 00 00 00 00 Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1643828640
File other operation	Disposition: PositionInformation Data: 46 00 00 00 00 00 00 00 Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1643830653
File other operation	Disposition: PositionInformation Data: 46 00 00 00 00 00 00 00 Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1643834811
File read	Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1643836106
File other operation	Disposition: PositionInformation Data: 72 00 00 00 00 00 00 00 Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1643836830
File other operation	Disposition: PositionInformation Data: 72 00 00 00 00 00 00 00 Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1643841659
File read	Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	end of file	1643842955
File other operation	Disposition: PositionInformation Data: 00 00 00 00 00 00 00 00 Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1643843473
File other operation	Disposition: PositionInformation Data: 00 00 00 00 00 00 00 00 Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1643843814
File other operation	Disposition: PositionInformation Data: 00 00 00 00 00 00 00 00 Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1643849984
File read	Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1643850190
File other operation	Disposition: PositionInformation Data: 07 00 00 00 00 00 00 00 Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1643850715
File opened	Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd Access: read attributes and synchronize and generic read Disposition: open Options: synchronous io non alert and non directory file Attributes: normal	success or wait	1643861135
File other operation	Disposition: PositionInformation Data: 07 00 00 00 00 00 00 00 Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1643861579
File other operation	Disposition: PositionInformation Data: 07 00 00 00 00 00 00 00 Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1643862526
File read	Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1643867765
File other operation	Disposition: PositionInformation Data: 1F 00 00 00 00 00 00 00 Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1643874609
File other operation	Disposition: PositionInformation Data: 1F 00 00 00 00 00 00 00 Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1643875137
File other operation	Disposition: PositionInformation Data: 1F 00 00 00 00 00 00 00 Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1643878590
File deleted	Path: C:\bfgbhk.ex.exe	cannot delete	1643932227
File deleted	Path: C:\BFGBHK~1.EXE	cannot delete	1643933403
File opened	Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd Access: read attributes and synchronize and generic read Disposition: open Options: synchronous io non alert and non directory file Attributes: normal	success or wait	1646530864
File other operation	Disposition: PositionInformation Data: 1F 00 00 00 00 00 00 00 Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1646533589
File other operation	Disposition: PositionInformation Data: 1F 00 00 00 00 00 00 00 Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1646533957
File read	Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1646637182
File other operation	Disposition: PositionInformation Data: 46 00 00 00 00 00 00 00 Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1646645988
File other operation	Disposition: PositionInformation Data: 46 00 00 00 00 00 00 00 Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1646646721
File other operation	Disposition: PositionInformation Data: 46 00 00 00 00 00 00 00 Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1646779924
File opened	Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd Access: read attributes and synchronize and generic read Disposition: open Options: synchronous io non alert and non directory file Attributes: normal	success or wait	1646834750
File other operation	Disposition: PositionInformation Data: 46 00 00 00 00 00 00 00 Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1646835401
File other operation	Disposition: PositionInformation Data: 46 00 00 00 00 00 00 00 Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1646836530
File other operation	Disposition: PositionInformation Data: 46 00 00 00 00 00 00 00 Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1646842347
File read	Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1646842547
File other operation	Disposition: PositionInformation Data: 72 00 00 00 00 00 00 00 Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1646843951
File other operation	Disposition: PositionInformation Data: 72 00 00 00 00 00 00 00 Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1646850770
File read	Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	end of file	1646850934
File other operation	Disposition: PositionInformation Data: 00 00 00 00 00 00 00 00 Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1646856053
File other operation	Disposition: PositionInformation Data: 00 00 00 00 00 00 00 00 Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1646858998
File other operation	Disposition: PositionInformation Data: 00 00 00 00 00 00 00 00 Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1646859515
File read	Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1646872696
File other operation	Disposition: PositionInformation Data: 07 00 00 00 00 00 00 00 Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1646874996
File opened	Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd Access: read attributes and synchronize and generic read Disposition: open Options: synchronous io non alert and non directory file Attributes: normal	success or wait	1646895586
File other operation	Disposition: PositionInformation Data: 07 00 00 00 00 00 00 00 Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1646896164
File other operation	Disposition: PositionInformation Data: 07 00 00 00 00 00 00 00 Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1646899934
File read	Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1646900244
File other operation	Disposition: PositionInformation Data: 1F 00 00 00 00 00 00 00 Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1646906701
File other operation	Disposition: PositionInformation Data: 1F 00 00 00 00 00 00 00 Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1646913313
File other operation	Disposition: PositionInformation Data: 1F 00 00 00 00 00 00 00 Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1646917588
File deleted	Path: C:\bfgbhk.ex.exe	cannot delete	1646953771
File deleted	Path: C:\BFGBHK~1.EXE	cannot delete	1646958701
File opened	Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd Access: read attributes and synchronize and generic read Disposition: open Options: synchronous io non alert and non directory file Attributes: normal	success or wait	1647070491
File other operation	Disposition: PositionInformation Data: 1F 00 00 00 00 00 00 00 Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1647070994
File other operation	Disposition: PositionInformation Data: 1F 00 00 00 00 00 00 00 Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1647071355
File read	Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1647129414
File other operation	Disposition: PositionInformation Data: 46 00 00 00 00 00 00 00 Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1648065172
File other operation	Disposition: PositionInformation Data: 46 00 00 00 00 00 00 00 Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1648066652
File other operation	Disposition: PositionInformation Data: 46 00 00 00 00 00 00 00 Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1648078632
File opened	Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd Access: read attributes and synchronize and generic read Disposition: open Options: synchronous io non alert and non directory file Attributes: normal	success or wait	1648165518
File other operation	Disposition: PositionInformation Data: 46 00 00 00 00 00 00 00 Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1648166225
File other operation	Disposition: PositionInformation Data: 46 00 00 00 00 00 00 00 Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1648187489
File other operation	Disposition: PositionInformation Data: 46 00 00 00 00 00 00 00 Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1648188019
File read	Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1648188224
File other operation	Disposition: PositionInformation Data: 72 00 00 00 00 00 00 00 Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1648203390
File other operation	Disposition: PositionInformation Data: 72 00 00 00 00 00 00 00 Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1648203908
File read	Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	end of file	1648204105
File other operation	Disposition: PositionInformation Data: 00 00 00 00 00 00 00 00 Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1648216398
File other operation	Disposition: PositionInformation Data: 00 00 00 00 00 00 00 00 Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1648219481
File other operation	Disposition: PositionInformation Data: 00 00 00 00 00 00 00 00 Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1648219994
File read	Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1648230937
File other operation	Disposition: PositionInformation Data: 07 00 00 00 00 00 00 00 Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1648234201
File opened	Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd Access: read attributes and synchronize and generic read Disposition: open Options: synchronous io non alert and non directory file Attributes: normal	success or wait	1648258167
File other operation	Disposition: PositionInformation Data: 07 00 00 00 00 00 00 00 Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1648270021
File other operation	Disposition: PositionInformation Data: 07 00 00 00 00 00 00 00 Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1648270384
File read	Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1648270583
File other operation	Disposition: PositionInformation Data: 1F 00 00 00 00 00 00 00 Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1648277617
File other operation	Disposition: PositionInformation Data: 1F 00 00 00 00 00 00 00 Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1648284347
File other operation	Disposition: PositionInformation Data: 1F 00 00 00 00 00 00 00 Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1648284735
File deleted	Path: C:\bfgbhk.ex.exe	cannot delete	1648324348
File deleted	Path: C:\BFGBHK~1.EXE	cannot delete	1648332853
File opened	Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd Access: read attributes and synchronize and generic read Disposition: open Options: synchronous io non alert and non directory file Attributes: normal	success or wait	1648388378
File other operation	Disposition: PositionInformation Data: 1F 00 00 00 00 00 00 00 Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1648430042
File other operation	Disposition: PositionInformation Data: 1F 00 00 00 00 00 00 00 Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1648430409
File read	Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1648430784
File other operation	Disposition: PositionInformation Data: 46 00 00 00 00 00 00 00 Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1648437580
File other operation	Disposition: PositionInformation Data: 46 00 00 00 00 00 00 00 Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1648545777
File other operation	Disposition: PositionInformation Data: 46 00 00 00 00 00 00 00 Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1648546210
File opened	Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd Access: read attributes and synchronize and generic read Disposition: open Options: synchronous io non alert and non directory file Attributes: normal	success or wait	1648699766
File other operation	Disposition: PositionInformation Data: 46 00 00 00 00 00 00 00 Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1648708516
File other operation	Disposition: PositionInformation Data: 46 00 00 00 00 00 00 00 Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1648709183
File other operation	Disposition: PositionInformation Data: 46 00 00 00 00 00 00 00 Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1648722150
File read	Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1648722516
File other operation	Disposition: PositionInformation Data: 72 00 00 00 00 00 00 00 Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1648723346
File other operation	Disposition: PositionInformation Data: 72 00 00 00 00 00 00 00 Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1648731630
File read	Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	end of file	1648731929
File other operation	Disposition: PositionInformation Data: 00 00 00 00 00 00 00 00 Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1648732430
File other operation	Disposition: PositionInformation Data: 00 00 00 00 00 00 00 00 Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1648732758
File other operation	Disposition: PositionInformation Data: 00 00 00 00 00 00 00 00 Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1648740292
File read	Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1648740633
File other operation	Disposition: PositionInformation Data: 07 00 00 00 00 00 00 00 Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1648741140
File opened	Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd Access: read attributes and synchronize and generic read Disposition: open Options: synchronous io non alert and non directory file Attributes: normal	success or wait	1648758047
File other operation	Disposition: PositionInformation Data: 07 00 00 00 00 00 00 00 Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1648758521
File other operation	Disposition: PositionInformation Data: 07 00 00 00 00 00 00 00 Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1648763792
File read	Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1648764095
File other operation	Disposition: PositionInformation Data: 1F 00 00 00 00 00 00 00 Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1648773142
File other operation	Disposition: PositionInformation Data: 1F 00 00 00 00 00 00 00 Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1648776359
File other operation	Disposition: PositionInformation Data: 1F 00 00 00 00 00 00 00 Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1648782721
File deleted	Path: C:\bfgbhk.ex.exe	cannot delete	1648829661
File deleted	Path: C:\BFGBHK~1.EXE	cannot delete	1648833264
File opened	Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd Access: read attributes and synchronize and generic read Disposition: open Options: synchronous io non alert and non directory file Attributes: normal	success or wait	1648874313
File other operation	Disposition: PositionInformation Data: 1F 00 00 00 00 00 00 00 Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1648879345
File other operation	Disposition: PositionInformation Data: 1F 00 00 00 00 00 00 00 Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1648879735
File read	Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1648879939
File other operation	Disposition: PositionInformation Data: 46 00 00 00 00 00 00 00 Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1648885937
File other operation	Disposition: PositionInformation Data: 46 00 00 00 00 00 00 00 Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1648890716
File other operation	Disposition: PositionInformation Data: 46 00 00 00 00 00 00 00 Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1648891117
File opened	Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd Access: read attributes and synchronize and generic read Disposition: open Options: synchronous io non alert and non directory file Attributes: normal	success or wait	1648948131
File other operation	Disposition: PositionInformation Data: 46 00 00 00 00 00 00 00 Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1648948638
File other operation	Disposition: PositionInformation Data: 46 00 00 00 00 00 00 00 Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1648954239
File other operation	Disposition: PositionInformation Data: 46 00 00 00 00 00 00 00 Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1648954849
File read	Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1648955046
File other operation	Disposition: PositionInformation Data: 72 00 00 00 00 00 00 00 Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1648959835
File other operation	Disposition: PositionInformation Data: 72 00 00 00 00 00 00 00 Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1648960457
File read	Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	end of file	1648960656
File other operation	Disposition: PositionInformation Data: 00 00 00 00 00 00 00 00 Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1648962158
File other operation	Disposition: PositionInformation Data: 00 00 00 00 00 00 00 00 Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1648965857
File other operation	Disposition: PositionInformation Data: 00 00 00 00 00 00 00 00 Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1648966604
File read	Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1648973096
File other operation	Disposition: PositionInformation Data: 07 00 00 00 00 00 00 00 Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1648974413
File opened	Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd Access: read attributes and synchronize and generic read Disposition: open Options: synchronous io non alert and non directory file Attributes: normal	success or wait	1648985112
File other operation	Disposition: PositionInformation Data: 07 00 00 00 00 00 00 00 Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1648985557
File other operation	Disposition: PositionInformation Data: 07 00 00 00 00 00 00 00 Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1648991002
File read	Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1648991308
File other operation	Disposition: PositionInformation Data: 1F 00 00 00 00 00 00 00 Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1648997884
File other operation	Disposition: PositionInformation Data: 1F 00 00 00 00 00 00 00 Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1648999512
File other operation	Disposition: PositionInformation Data: 1F 00 00 00 00 00 00 00 Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1649003374
File deleted	Path: C:\bfgbhk.ex.exe	cannot delete	1649047133
File deleted	Path: C:\BFGBHK~1.EXE	cannot delete	1649048039
File opened	Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd Access: read attributes and synchronize and generic read Disposition: open Options: synchronous io non alert and non directory file Attributes: normal	success or wait	1649096135
File other operation	Disposition: PositionInformation Data: 1F 00 00 00 00 00 00 00 Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1649098183
File other operation	Disposition: PositionInformation Data: 1F 00 00 00 00 00 00 00 Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1649100166
File read	Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1649100367
File other operation	Disposition: PositionInformation Data: 46 00 00 00 00 00 00 00 Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1649106334
File other operation	Disposition: PositionInformation Data: 46 00 00 00 00 00 00 00 Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1649108424
File other operation	Disposition: PositionInformation Data: 46 00 00 00 00 00 00 00 Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1649110441
File opened	Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd Access: read attributes and synchronize and generic read Disposition: open Options: synchronous io non alert and non directory file Attributes: normal	success or wait	1649142916
File other operation	Disposition: PositionInformation Data: 46 00 00 00 00 00 00 00 Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1649145467
File other operation	Disposition: PositionInformation Data: 46 00 00 00 00 00 00 00 Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1649147745
File other operation	Disposition: PositionInformation Data: 46 00 00 00 00 00 00 00 Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1649149816
File read	Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1649152795
File other operation	Disposition: PositionInformation Data: 72 00 00 00 00 00 00 00 Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1649153488
File other operation	Disposition: PositionInformation Data: 72 00 00 00 00 00 00 00 Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1649156501
File read	Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	end of file	1649159722
File other operation	Disposition: PositionInformation Data: 00 00 00 00 00 00 00 00 Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1649160256
File other operation	Disposition: PositionInformation Data: 00 00 00 00 00 00 00 00 Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1649162171
File other operation	Disposition: PositionInformation Data: 00 00 00 00 00 00 00 00 Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1649164304
File read	Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1649164504
File other operation	Disposition: PositionInformation Data: 07 00 00 00 00 00 00 00 Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1649165009
File opened	Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd Access: read attributes and synchronize and generic read Disposition: open Options: synchronous io non alert and non directory file Attributes: normal	success or wait	1649174162
File other operation	Disposition: PositionInformation Data: 07 00 00 00 00 00 00 00 Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1649175533
File other operation	Disposition: PositionInformation Data: 07 00 00 00 00 00 00 00 Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1649176512
File read	Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1649177679
File other operation	Disposition: PositionInformation Data: 1F 00 00 00 00 00 00 00 Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1649185260
File other operation	Disposition: PositionInformation Data: 1F 00 00 00 00 00 00 00 Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1649188522
File other operation	Disposition: PositionInformation Data: 1F 00 00 00 00 00 00 00 Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1649191504
File deleted	Path: C:\bfgbhk.ex.exe	success or wait	1649642454
File opened	Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd Access: read attributes and synchronize and generic read Disposition: open Options: synchronous io non alert and non directory file Attributes: normal	success or wait	1649662480
File other operation	Disposition: PositionInformation Data: 1F 00 00 00 00 00 00 00 Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1649664691
File other operation	Disposition: PositionInformation Data: 1F 00 00 00 00 00 00 00 Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1649665999
File read	Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1649666832
File other operation	Disposition: PositionInformation Data: 46 00 00 00 00 00 00 00 Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1649673373
File other operation	Disposition: PositionInformation Data: 46 00 00 00 00 00 00 00 Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1649676230
File other operation	Disposition: PositionInformation Data: 46 00 00 00 00 00 00 00 Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1649678811
File opened	Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd Access: read attributes and synchronize and generic read Disposition: open Options: synchronous io non alert and non directory file Attributes: normal	success or wait	1649719338
File other operation	Disposition: PositionInformation Data: 46 00 00 00 00 00 00 00 Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1649721005
File other operation	Disposition: PositionInformation Data: 46 00 00 00 00 00 00 00 Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1649722725
File read	Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1649723932
File other operation	Disposition: PositionInformation Data: 72 00 00 00 00 00 00 00 Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1649731013
File read	Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	end of file	1649732232
File other operation	Disposition: PositionInformation Data: 72 00 00 00 00 00 00 00 Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1649740318
File other operation	Disposition: PositionInformation Data: 72 00 00 00 00 00 00 00 Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1649741296
File deleted	Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd	success or wait	1649779078
File other operation	Operation: 000001EC Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\s.cmd Access: read attributes and synchronize and generic read Disposition: open Options: synchronous io non alert and non directory file Attributes: normal	object name not found	1649795211
Process terminated	PID: 492 Path: C:\WINDOWS\system32\cmd.exe	success or wait	1649830941
Key opened	Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize Access: query value and enumerate sub key and notify and read or execute and write and read control	success or wait	1649836764
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize Name: DisableMetaFiles	object name not found	1649837194
Process terminated	PID: 492 Path: C:\WINDOWS\system32\cmd.exe	success or wait	1649853052