Joe Sandbox - Report 25113

General Information

Analysis ID:	25113
Start time:	13:05:09
Start date:	29/10/2012
Overall analysis duration:	0h 6m 27s
Sample file name:	long sleep 2s
Cookbook file name:	default.jbs
Analysis system description:	XP SP3 (Office 2003 SP2, Java 1.6.0, Acrobat Reader 9.3.4, Internet Explorer 8)
Number of analysed new started processes analysed:	6
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Warnings:	Too many NtProtectVirtualMemory calls (excessive behavior)

Classification / Threat Score

Persistence, Installation, Boot Survival :
Hiding, Stealthiness, Detection and Removal Protection :
Security Solution / Mechanism bypass, termination and removal, Anti Debugging, VM Detection :
Spreading :
Exploiting :
Networking :
Data spying, Sniffing, Keylogging, Ebanking Fraud :

Matching Signatures

Spawns processes
Binary may include packed or crypted data
Creates files inside the system directory
Drops PE files
May tried to detect the virtual machine to hinder analysis (VM artifact strings found in memory)
Contains long sleeps (>= 3 min)

Startup

system is xp long sleep 2s.exe (PID: 1764 MD5: 8EBD97EE5F259CB2F1B38DA1F1040CF0) cmd.exe (PID: 1492 MD5: 6D778E0F95447E6546553EEEA709D03C) explorer.exe (PID: 1696 MD5: 12896823FB95BFB3DC9B46BCAEDC9923) cmd.exe (PID: 260 MD5: 6D778E0F95447E6546553EEEA709D03C) smss.exe (PID: 2036 MD5: 8EBD97EE5F259CB2F1B38DA1F1040CF0) smss.exe (PID: 988 MD5: 8EBD97EE5F259CB2F1B38DA1F1040CF0) cleanup

system is xp

long sleep 2s.exe (PID: 1764 MD5: 8EBD97EE5F259CB2F1B38DA1F1040CF0)

cmd.exe (PID: 1492 MD5: 6D778E0F95447E6546553EEEA709D03C)

explorer.exe (PID: 1696 MD5: 12896823FB95BFB3DC9B46BCAEDC9923)

cmd.exe (PID: 260 MD5: 6D778E0F95447E6546553EEEA709D03C)

smss.exe (PID: 2036 MD5: 8EBD97EE5F259CB2F1B38DA1F1040CF0)

smss.exe (PID: 988 MD5: 8EBD97EE5F259CB2F1B38DA1F1040CF0)

cleanup

Created / dropped Files

File Path	MD5
C:\WINDOWS\system32\LogFiles\smss.exe	4627B559FD60FCBF5DEF3C3DA6796C37
\net\NtControlPipe20	1762360A5F893647DA17132504911925

Contacted Domains

No contacted domains info

Contacted IPs

No contacted IP infos

Static File Info

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
File name:	long sleep 2s
File size:	69632
MD5:	8ebd97ee5f259cb2f1b38da1f1040cf0
SHA1:	0d625e128878c81000c51a4164278a4d82dbec38
SHA256:	fbd61f2a302779e6946895fbe111534f016dc232495c2146edcbfa72b982faa3
SHA512:	b670d450e5983ea1f6ddbee37fc3eb3d870a6631b27a4bb5cad1790822edf2d32aebab99400e5a0021f6bc56fca760c301908922a5441973f48e41dba1ce9c42

Static PE Info

General
Entrypoint:	0x14006d83
Entrypoint Section:	.text
Imagebase:	0x14000000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp:	0x4B236366 [Sat Dec 12 09:33:26 2009 UTC]
TLS Callbacks:

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0xf190	0xea8	data	Chinese	China
RT_ICON	0x10038	0x8a8	data	Chinese	China
RT_ICON	0x108e0	0x6c8	data	Chinese	China
RT_ICON	0x10fa8	0x568	GLS_BINARY_LSB_FIRST	Chinese	China
RT_GROUP_ICON	0x11510	0x3e	MS Windows icon resource - 4 icons, 48x48, 256-colors	Chinese	China
RT_VERSION	0x11550	0x40c	data	Chinese	China

Imports

DLL	Import
KERNEL32.dll	GetLogicalDrives, GetSystemDirectoryA, GetCurrentProcessId, GetTickCount, WaitForSingleObject, CreateProcessA, TerminateProcess, GetExitCodeProcess, ReadFile, FindClose, FindNextFileA, FindFirstFileA, GetVersionExA, GlobalMemoryStatus, Beep, GetLogicalDriveStringsA, GetDriveTypeA, GetLocalTime, Process32Next, Process32First, CreateToolhelp32Snapshot, GetLastError, CreateRemoteThread, WriteProcessMemory, VirtualAllocEx, VirtualFreeEx, OpenProcess, GetModuleHandleA, SetStdHandle, LoadLibraryA, GetProcAddress, GetVolumeInformationA, GetPrivateProfileStringA, GetFileSize, DeleteFileA, SetFilePointer, CreateFileA, WriteFile, CloseHandle, GetVersion, GetCurrentProcess, CopyFileA, ExitProcess, GetCurrentThreadId, GetModuleFileNameA, GetWindowsDirectoryA, WinExec, Sleep, SetFileAttributesA, CreateThread, HeapReAlloc, VirtualAlloc, HeapAlloc, GetOEMCP, GetACP, GetCPInfo, GetStringTypeW, GetStringTypeA, LCMapStringW, LCMapStringA, MultiByteToWideChar, RtlUnwind, HeapFree, VirtualFree, HeapCreate, HeapDestroy, GetFileType, GetStdHandle, SetHandleCount, GetEnvironmentStringsW, GetStartupInfoA, GetCommandLineA, UnhandledExceptionFilter, FreeEnvironmentStringsA, FreeEnvironmentStringsW, WideCharToMultiByte, GetEnvironmentStrings, FlushFileBuffers
USER32.dll	PostThreadMessageA, ExitWindowsEx
ADVAPI32.dll	RegisterServiceCtrlHandlerA, RegOpenKeyExA, RegQueryValueExA, RegCloseKey, OpenProcessToken, LookupPrivilegeValueA, AdjustTokenPrivileges, ChangeServiceConfigA, ControlService, DeleteService, OpenServiceA, SetServiceStatus, OpenSCManagerA, CreateServiceA, CloseServiceHandle, ChangeServiceConfig2A, StartServiceA, StartServiceCtrlDispatcherA
WS2_32.dll	WSASocketA
SHLWAPI.dll	PathFileExistsA

Sections

Name	Virtual Address	Virtual Size	Raw Size	Entropy
.text	0x1000	0x93f8	0xa000	6.13551319499
.rdata	0xb000	0xf76	0x1000	5.29189470492
.data	0xc000	0x28bc	0x2000	2.58448393238
.rsrc	0xf000	0x18000	0x3000	3.54133462508

Version Infos

Description	Data
LegalCopyright	(C) 1988-2009 Microsoft Corp. All rights reserved.
InternalName	NTservice
FileVersion	5, 3, 2600, 2180
CompanyName	Microsoft Corporation
PrivateBuild
LegalTrademarks
Comments
ProductName	Microsoft(R) Windows(R) Operating System
SpecialBuild
ProductVersion	5, 3, 2600, 2180
FileDescription	Windows NT Security Support
OriginalFilename	services.exe
Translation	0x0804 0x04b0

Possible Origin

Language of compilation system	Country where language is spoken	Map
Chinese	China

String Analysis

VM Artifacts

String value	Source
\??\C:\WINDOWS\system32\VBoxService.e	cmd.exe
\??\C:\WINDOWS\system32\VBoxTray.e	long sleep 2s.exe, cmd.exe

Network Behavior

No network behavior found

Code Manipulation Behavior

System Behavior

Analysis File: long sleep 2s.exe PID: 1764 Parent PID: 1504

General

Start time:	09:39:46
Start date:	24/01/2012
Path:	C:\long sleep 2s.exe
Wow64 process (32bit):	false
Commandline:	unknown
Imagebase:	0x14000000
File size:	69632 bytes
MD5 hash:	8EBD97EE5F259CB2F1B38DA1F1040CF0

File Activites

File Opened

File Path	Access	Options	Content overwritten	Completion	Count	Source Address	Symbol
C:\	execute or traverse and synchronize	directory file and synchronous io non alert	false	success or wait	10	7C90E457	KiUserApcDispatcher
C:\WINDOWS\system32\WS2_32.dll	execute or traverse and synchronize	synchronous io non alert and non directory file	false	success or wait	1	7C90E457	KiUserApcDispatcher
C:\WINDOWS\system32\WS2HELP.dll	execute or traverse and synchronize	synchronous io non alert and non directory file	false	success or wait	1	7C90E457	KiUserApcDispatcher
C:\WINDOWS\system32\IMM32.DLL	execute or traverse and synchronize	synchronous io non alert and non directory file	false	success or wait	3	7C90E457	KiUserApcDispatcher
C:\WINDOWS\system32\cmd.exe	read data or list directory and execute or traverse and read attributes and synchronize	synchronous io non alert and non directory file	false	success or wait	6	1400113E	WinExec
C:\WINDOWS\system32\Apphelp.dll	execute or traverse and synchronize	synchronous io non alert and non directory file	false	success or wait	2	1400113E	WinExec
C:\WINDOWS\system32\	read data or list directory and synchronize	directory file and synchronous io non alert and open for backup ident	false	success or wait	8	1400113E	WinExec
C:\WINDOWS\	read data or list directory and synchronize	directory file and synchronous io non alert and open for backup ident	false	success or wait	10	1400113E	WinExec
C:\WINDOWS\system32\cmd.exe.Manifest	read data or list directory and read ea and execute or traverse and read attributes and read control and synchronize	synchronous io non alert and non directory file	false	object name not found	2	1400113E	WinExec
C:\WINDOWS\explorer.exe	read data or list directory and execute or traverse and read attributes and synchronize	synchronous io non alert and non directory file	false	success or wait	3	14001476	WinExec
C:\WINDOWS\explorer.exe.Manifest	read data or list directory and read ea and execute or traverse and read attributes and read control and synchronize	synchronous io non alert and non directory file	false	object name not found	1	14001476	WinExec
C:\WINDOWS\system32\LogFiles\smss.exe	write attributes and synchronize	synchronous io non alert and open for backup ident and open reparse point	false	object name not found	1	140012BF	SetFileAttributesA
C:\WINDOWS\system32\LogFiles\smss.exe	write attributes and synchronize	synchronous io non alert and open for backup ident and open reparse point	false	success or wait	1	14001308	SetFileAttributesA
C:\WINDOWS\AppPatch\sysmain.sdb	read attributes and synchronize and generic read	synchronous io non alert and non directory file		success or wait	3	1400113E	WinExec
C:\WINDOWS\AppPatch\systest.sdb	read attributes and synchronize and generic read	synchronous io non alert and non directory file		object name not found	3	1400113E	WinExec
\Device\NamedPipe\ShimViewer	write data or add file and append data or add subdirectory or create pipe instance and write ea and write attributes and read control and synchronize	no options		object name not found	3	1400113E	WinExec
C:\WINDOWS\system32\cmd.exe	read attributes and synchronize and generic read	synchronous io non alert and non directory file		success or wait	4	1400113E	WinExec
C:\WINDOWS\explorer.exe	read attributes and synchronize and generic read	synchronous io non alert and non directory file		success or wait	2	14001476	WinExec
C:\long sleep 2s.exe	read attributes and synchronize and generic read	sequential only and synchronous io non alert and non directory file and open reparse point		success or wait	10	140012F7	CopyFileA

File Created

File Path	Access	Attributes	Options	Completion	Count	Source Address	Symbol
C:\WINDOWS\system32\LogFiles\smss.exe	read attributes and delete and synchronize and generic write	archive	sequential only and synchronous io non alert and non directory file	success or wait	10	140012F7	CopyFileA

File Path	Offset	Length	Value	Completion	Count	Source Address	Symbol
C:\WINDOWS\system32\LogFiles\smss.exe	unknown	65536	4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 ff cb 68 70 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 b6 ac 59 9a f2 cd 37 c9 f2 cd 37 c9 f2 cd 37 c9 89 d1 3b c9 f6 cd 37 c9 71 d1 39 c9 e2 cd 37 c9 1a d2 3d c9 c7 cd 37 c9 f2 cd 37 c9 f1 cd 37 c9 90 d2 24 c9 fb cd 37 c9 f2 cd 36 c9 87 cd 37 c9 1a d2 3c c9 f1 cd 37 c9 4a cb 31 c9 f3 cd 37 c9 52 69 63 68 f2 cd 37 c9 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 04 00 66 63 23 4b 00 00 00	success or wait	20	140012F7	CopyFileA

File Path	Disposition	File Mask	Completion	Count	Source Address	Symbol
C:\WINDOWS\system32	BothDirectoryInformation	cmd.exe	success or wait	8	1400113E	WinExec
C:\	BothDirectoryInformation	WINDOWS	success or wait	9	1400113E	WinExec
C:\WINDOWS	BothDirectoryInformation	system32	success or wait	6	1400113E	WinExec
C:\WINDOWS	BothDirectoryInformation	explorer.exe	success or wait	4	14001476	WinExec

Other File Operations

File Path	Disposition	Data	Ascii Data	Completion	Count	Source Address	Symbol
C:\	90028	NULL	NULL	success or wait	1	7C90E457	KiUserApcDispatcher
C:\WINDOWS\system32\LogFiles\smss.exe	EndOfFileInformation	unknown		success or wait	10	140012F7	CopyFileA
C:\WINDOWS\system32\LogFiles\smss.exe	BasicInformation	Creation Time: 01:00 01-01-1601 Last Access Time: 01:00 01-01-1601 Last Write Time: 13:09 29-10-2012 Change Time: 09:39 24-01-2012 File Attributes: none		success or wait	10	140012F7	CopyFileA
C:\WINDOWS\system32\LogFiles\smss.exe	BasicInformation	Creation Time: 01:00 01-01-1601 Last Access Time: 01:00 01-01-1601 Last Write Time: 01:00 01-01-1601 Change Time: 01:00 01-01-1601 File Attributes: readony and system and directory and archive and temporary		success or wait	1	14001308	SetFileAttributesA

Section Activites

Section loaded by Windows

File Path	Access	Type	Base	Size	Mapped to pid	Protection	Completion	Count
\KnownDlls\kernel32.dll	write and read and execute	unknown	7C800000	1007616	own pid	read write	success or wait	1
unknown	query and write and read and execute and extend size	reserve	7C800000	1007616	own pid	read write	success or wait	1
\NLS\NlsSectionUnicode	read	unknown	260000	90112	own pid	readonly	success or wait	1
\NLS\NlsSectionLocale	read	unknown	280000	266240	own pid	readonly	success or wait	1
\NLS\NlsSectionSortkey	query and read	unknown	2D0000	266240	own pid	readonly	success or wait	1
\NLS\NlsSectionSortTbls	read	unknown	320000	24576	own pid	readonly	success or wait	1
\NLS\NlsSectionSortkey00000409	read	unknown	unknown	unknown	unknown	unknown	object name not found	1
\NLS\NlsSectionSortkey00000409	read	unknown	unknown	unknown	unknown	unknown	object name not found	1
\KnownDlls\USER32.dll	write and read and execute	unknown	7E410000	593920	own pid	read write	success or wait	1
\KnownDlls\GDI32.dll	write and read and execute	unknown	77F10000	299008	own pid	read write	success or wait	1
\KnownDlls\ADVAPI32.dll	write and read and execute	unknown	77DD0000	634880	own pid	read write	success or wait	1
\KnownDlls\RPCRT4.dll	write and read and execute	unknown	77E70000	602112	own pid	read write	success or wait	1
\KnownDlls\Secur32.dll	write and read and execute	unknown	77FE0000	69632	own pid	read write	success or wait	1
\KnownDlls\WS2_32.dll	write and read and execute	unknown	unknown	unknown	unknown	unknown	object name not found	1
C:\WINDOWS\system32\ws2_32.dll	query and write and read and execute	image	71AB0000	94208	own pid	read write	success or wait	1
\KnownDlls\msvcrt.dll	write and read and execute	unknown	77C10000	360448	own pid	read write	success or wait	1
\KnownDlls\WS2HELP.dll	write and read and execute	unknown	unknown	unknown	unknown	unknown	object name not found	1
C:\WINDOWS\system32\ws2help.dll	query and write and read and execute	image	71AA0000	32768	own pid	read write	success or wait	1
\KnownDlls\SHLWAPI.dll	write and read and execute	unknown	77F60000	483328	own pid	read write	success or wait	1
C:\WINDOWS\system32\imm32.dll	write and read and execute	commit	400000	110592	own pid	execute	success or wait	1
C:\WINDOWS\system32\imm32.dll	write and read and execute	commit	400000	110592	own pid	execute	success or wait	1
C:\WINDOWS\system32\imm32.dll	query and write and read and execute	image	76390000	118784	own pid	read write	success or wait	1
\NLS\NlsSectionCType	read	unknown	840000	12288	own pid	readonly	success or wait	1
C:\WINDOWS\system32\cmd.exe	query and write and read and execute and extend size	image	840000	12288	own pid	readonly	success or wait	1
\BaseNamedObjects\ShimSharedMemory	write	unknown	960000	57344	own pid	read write	success or wait	1
C:\WINDOWS\system32\apphelp.dll	write and read and execute	commit	970000	126976	own pid	execute	success or wait	1
C:\WINDOWS\system32\apphelp.dll	query and write and read and execute	image	77B40000	139264	own pid	read write	success or wait	1
C:\WINDOWS\AppPatch\sysmain.sdb	read	commit	970000	1208320	own pid	readonly	success or wait	1
\KnownDlls\VERSION.dll	write and read and execute	unknown	77C00000	32768	own pid	read write	success or wait	1
C:\WINDOWS\system32\cmd.exe	write and read and execute	commit	AA0000	389120	own pid	execute	success or wait	1
C:\WINDOWS\system32\cmd.exe	query and read	commit	AA0000	389120	own pid	readonly	success or wait	1
C:\WINDOWS\system32\cmd.exe	write and read and execute	commit	AA0000	389120	own pid	execute	success or wait	1
C:\WINDOWS\system32\cmd.exe	query and read	commit	AA0000	389120	own pid	readonly	success or wait	1
C:\WINDOWS\system32\cmd.exe	query and read	commit	970000	389120	own pid	readonly	success or wait	1
C:\WINDOWS\explorer.exe	query and write and read and execute and extend size	image	970000	389120	own pid	readonly	success or wait	1
C:\WINDOWS\AppPatch\sysmain.sdb	read	commit	980000	1208320	own pid	readonly	success or wait	1
C:\WINDOWS\explorer.exe	write and read and execute	commit	AB0000	1036288	own pid	execute	success or wait	1
C:\WINDOWS\explorer.exe	query and read	commit	AB0000	1036288	own pid	readonly	success or wait	1
C:\WINDOWS\explorer.exe	write and read and execute	commit	AB0000	1036288	own pid	execute	success or wait	1
C:\WINDOWS\explorer.exe	query and read	commit	AB0000	1036288	own pid	readonly	success or wait	1
C:\WINDOWS\explorer.exe	query and read	commit	980000	1036288	own pid	readonly	success or wait	1
C:\long sleep 2s.exe	query and write and read and execute and extend size	commit	980000	69632	own pid	readonly	success or wait	1
C:\long sleep 2s.exe	query and write and read and execute and extend size	commit	980000	69632	own pid	readonly	success or wait	1
C:\long sleep 2s.exe	query and write and read and execute and extend size	commit	980000	69632	own pid	readonly	success or wait	1
C:\long sleep 2s.exe	query and write and read and execute and extend size	commit	980000	69632	own pid	readonly	success or wait	1
C:\long sleep 2s.exe	query and write and read and execute and extend size	commit	980000	69632	own pid	readonly	success or wait	1
C:\long sleep 2s.exe	query and write and read and execute and extend size	commit	980000	69632	own pid	readonly	success or wait	1
C:\long sleep 2s.exe	query and write and read and execute and extend size	commit	980000	69632	own pid	readonly	success or wait	1
C:\long sleep 2s.exe	query and write and read and execute and extend size	commit	980000	69632	own pid	readonly	success or wait	1
C:\long sleep 2s.exe	query and write and read and execute and extend size	commit	980000	69632	own pid	readonly	success or wait	1
C:\long sleep 2s.exe	query and write and read and execute and extend size	commit	980000	69632	own pid	readonly	success or wait	1
C:\WINDOWS\system32\cmd.exe	query and write and read and execute and extend size	image	980000	69632	own pid	readonly	success or wait	1
C:\WINDOWS\AppPatch\sysmain.sdb	read	commit	980000	1208320	own pid	readonly	success or wait	1
C:\WINDOWS\system32\cmd.exe	write and read and execute	commit	AB0000	389120	own pid	execute	success or wait	1
C:\WINDOWS\system32\cmd.exe	query and read	commit	AB0000	389120	own pid	readonly	success or wait	1
C:\WINDOWS\system32\cmd.exe	write and read and execute	commit	AB0000	389120	own pid	execute	success or wait	1
C:\WINDOWS\system32\cmd.exe	query and read	commit	AB0000	389120	own pid	readonly	success or wait	1
C:\WINDOWS\system32\cmd.exe	query and read	commit	980000	389120	own pid	readonly	success or wait	1

Registry Activites

Key Path	Name	Completion	Count	Source Address	Symbol
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager	CWDIllegalInDLLSearch	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Terminal Server	TSAppCompat	success or wait	3	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers	TransparentEnabled	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager	SafeDllSearchMode	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize	DisableMetaFiles	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows	AppInit_DLLs	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Terminal Server	TSUserEnabled	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon	LeakTrack	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager	SafeProcessSearchMode	object name not found	1	1400113E	WinExec
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\AppCompatibility	DisableAppCompat	object name not found	1	1400113E	WinExec
HKEY_LOCAL_MACHINE\SYSTEM\WPA\MediaCenter	Installed	success or wait	1	1400113E	WinExec
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers	TransparentEnabled	success or wait	1	1400113E	WinExec
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers	AuthenticodeEnabled	success or wait	1	1400113E	WinExec
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers	Levels	object name not found	1	1400113E	WinExec
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{dda3f824-d8cb-441b-834d-be2efd2c1a33}	ItemData	success or wait	1	1400113E	WinExec
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{dda3f824-d8cb-441b-834d-be2efd2c1a33}	SaferFlags	success or wait	1	1400113E	WinExec
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328}	ItemData	success or wait	1	1400113E	WinExec
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328}	HashAlg	success or wait	1	1400113E	WinExec
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328}	ItemSize	success or wait	1	1400113E	WinExec
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328}	SaferFlags	success or wait	1	1400113E	WinExec
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}	ItemData	success or wait	1	1400113E	WinExec
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}	HashAlg	success or wait	1	1400113E	WinExec
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}	ItemSize	success or wait	1	1400113E	WinExec
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}	SaferFlags	success or wait	1	1400113E	WinExec
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}	ItemData	success or wait	1	1400113E	WinExec
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}	HashAlg	success or wait	1	1400113E	WinExec
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}	ItemSize	success or wait	1	1400113E	WinExec
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}	SaferFlags	success or wait	1	1400113E	WinExec
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d}	ItemData	success or wait	1	1400113E	WinExec
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d}	HashAlg	success or wait	1	1400113E	WinExec
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d}	ItemSize	success or wait	1	1400113E	WinExec
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d}	SaferFlags	success or wait	1	1400113E	WinExec
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}	ItemData	success or wait	1	1400113E	WinExec
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}	HashAlg	success or wait	1	1400113E	WinExec
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}	ItemSize	success or wait	1	1400113E	WinExec
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}	SaferFlags	success or wait	1	1400113E	WinExec
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers	DefaultLevel	success or wait	1	1400113E	WinExec
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers	PolicyScope	success or wait	1	1400113E	WinExec
HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders	Cache	buffer overflow	1	1400113E	WinExec
HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders	Cache	success or wait	1	1400113E	WinExec
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers	LogFileName	object name not found	1	1400113E	WinExec
HKEY_LOCAL_MACHINE\SYSTEM\WPA\MediaCenter	Installed	success or wait	1	14001476	WinExec
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers	LogFileName	object name not found	1	14001476	WinExec
HKEY_LOCAL_MACHINE\SYSTEM\WPA\MediaCenter	Installed	success or wait	1	14001332	WinExec
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers	LogFileName	object name not found	1	14001332	WinExec
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize	DisableMetaFiles	object name not found	1	14006058	ExitProcess

Process Activites

Process Created

PID	Filepath	Cmdline	Flags	Completion	Count	Source Address	Symbol
1492	C:\WINDOWS\system32\cmd.exe	cmd /c md C:\WINDOWS\system32\LogFiles	none	success or wait	1	1400113E	WinExec
1696	C:\WINDOWS\explorer.exe	explorer C:\	none	success or wait	1	14001476	WinExec
260	C:\WINDOWS\system32\cmd.exe	cmd /c C:\WINDOWS\system32\LogFiles\smss.exe	none	success or wait	1	14001332	WinExec

PID	Process info class	Completion	Count	Source Address	Symbol
1764	Cookie	success or wait	5	7C90E457	KiUserApcDispatcher
1764	ImageInformation	success or wait	1	7C90E457	KiUserApcDispatcher
1764	DefaultHardErrorMode	success or wait	32	14001110	PathFileExistsA
1764	Wow64Information	success or wait	1	1400113E	WinExec
1764	DeviceMap	success or wait	3	1400113E	WinExec
1492	BasicInformation	success or wait	2	1400113E	WinExec
1492	BasicInformation	success or wait	1	1400113E	WinExec
1696	BasicInformation	success or wait	2	14001476	WinExec
1696	BasicInformation	success or wait	1	14001476	WinExec
260	BasicInformation	success or wait	2	14001332	WinExec
260	BasicInformation	success or wait	1	14001332	WinExec

Process Terminated

PID	Filepath	Completion	Count	Source Address	Symbol
1764	C:\long sleep 2s.exe	success or wait	1	14006058	ExitProcess

Thread Activites

TID	PID	EIP	EAX (Usermode EIP)	Filepath	Completion	Count	Source Address	Symbol
1120	1492	7C810705	4AD05046	C:\WINDOWS\system32\cmd.exe	success or wait	1	1400113E	WinExec
1976	1696	7C810705	101A55F	C:\WINDOWS\explorer.exe	success or wait	1	14001476	WinExec
116	260	7C810705	4AD05046	C:\WINDOWS\system32\cmd.exe	success or wait	1	14001332	WinExec

TID	PID	Path	Completion	Count	Source Address	Symbol
1120	1492	C:\WINDOWS\system32\cmd.exe	success or wait	1	1400113E	WinExec
1976	1696	C:\WINDOWS\explorer.exe	success or wait	1	14001476	WinExec
116	260	C:\WINDOWS\system32\cmd.exe	success or wait	1	14001332	WinExec

Memory Activites

PID	Filepath	Base	Length	Value	Completion	Count	Source Address	Symbol
1492	C:\WINDOWS\system32\cmd.exe	7FFDC008	4	00 00 D0 4A	success or wait	1	1400113E	WinExec
1492	C:\WINDOWS\system32\cmd.exe	4AD00000	4096	4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00 B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 D8 00 00 00 0E 1F BA 0E 00 B4 09 CD 21 B8 01 4C CD 21 54 68 69 73 20 70 72 6F 67 72 61 6D 20 63 61 6E 6E 6F 74 20 62 65 20 72 75 6E 20 69 6E 20 44 4F 53 20 6D 6F 64 65 2E 0D 0D 0A 24 00 00 00 00 00 00 00 1D ED D5 EA 59 8C BB B9 59 8C BB B9 59 8C BB B9 9A 83 B4 B9 5F 8C BB B9 59 8C BA B9 80 8C BB B9 9A 83 E6 B9 5E 8C BB B9 E6 83 DB B9 5B 8C BB B9 9A 83 E5 B9 58 8C BB B9 9A 83 E4 B9 6D 8C BB B9 9A 83 E1 B9 58 8C BB B9 52 69 63 68 59 8C BB B9 00 00 00 00 00 00 00 00 50 45 00 00 4C 01 03 00 AF 5B 02 48 00 00 00 00 00 00 00 00 E0 00 0F 01 0B 01 07 0A 00 F8 01 00 00 F6 03 00 00 00 00	success or wait	1	1400113E	WinExec
1492	C:\WINDOWS\system32\cmd.exe	4AD3E000	256	00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 03 00 00 00 30 00 00 80 0B 00 00 00 80 00 00 80 0E 00 00 00 98 00 00 80 10 00 00 00 B0 00 00 80 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 00 01 00 00 00 C8 00 00 80 02 00 00 00 E0 00 00 80 03 00 00 00 F8 00 00 80 04 00 00 00 10 01 00 80 05 00 00 00 28 01 00 80 06 00 00 00 40 01 00 80 07 00 00 00 58 01 00 80 08 00 00 00 70 01 00 80 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 01 00 00 00 88 01 00 80 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 80 02 00 80 A0 01 00 80 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 01 00 00 00 B8 01 00 80 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 09 04 00 00 D0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 09 04 00 00 E0 01 00 00 00 00 00 00 00 00 00	success or wait	1	1400113E	WinExec
1492	C:\WINDOWS\system32\cmd.exe	7FFDC010	4	00 00 02 00	success or wait	1	1400113E	WinExec
1696	C:\WINDOWS\explorer.exe	7FFDE008	4	00 00 00 01	success or wait	1	14001476	WinExec
1696	C:\WINDOWS\explorer.exe	1000000	4096	4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00 B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 D8 00 00 00 0E 1F BA 0E 00 B4 09 CD 21 B8 01 4C CD 21 54 68 69 73 20 70 72 6F 67 72 61 6D 20 63 61 6E 6E 6F 74 20 62 65 20 72 75 6E 20 69 6E 20 44 4F 53 20 6D 6F 64 65 2E 0D 0D 0A 24 00 00 00 00 00 00 00 97 A6 B0 91 D3 C7 DE C2 D3 C7 DE C2 D3 C7 DE C2 10 C8 D1 C2 D7 C7 DE C2 D3 C7 DF C2 48 C5 DE C2 10 C8 83 C2 C8 C7 DE C2 10 C8 80 C2 D2 C7 DE C2 10 C8 BE C2 FA C7 DE C2 10 C8 81 C2 CE C7 DE C2 10 C8 84 C2 D2 C7 DE C2 52 69 63 68 D3 C7 DE C2 00 00 00 00 00 00 00 00 50 45 00 00 4C 01 04 00 30 5C 02 48 00 00 00 00 00 00 00 00 E0 00 0E 01 0B 01 07 0A 00 4E 04 00 00 7A 0B 00 00 00 00	success or wait	1	14001476	WinExec
1696	C:\WINDOWS\explorer.exe	1048000	256	00 00 00 00 00 00 00 00 00 00 00 00 00 00 0A 00 02 00 00 00 60 00 00 80 03 00 00 00 70 01 00 80 04 00 00 00 08 05 00 80 05 00 00 00 40 05 00 80 06 00 00 00 88 05 00 80 09 00 00 00 48 06 00 80 0E 00 00 00 60 06 00 80 10 00 00 00 00 07 00 80 18 00 00 00 18 07 00 80 F0 00 00 00 30 07 00 80 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 8F 00 00 00 48 07 00 80 91 00 00 00 60 07 00 80 92 00 00 00 78 07 00 80 93 00 00 00 90 07 00 80 94 00 00 00 A8 07 00 80 95 00 00 00 C0 07 00 80 96 00 00 00 D8 07 00 80 97 00 00 00 F0 07 00 80 98 00 00 00 08 08 00 80 99 00 00 00 20 08 00 80 9E 00 00 00 38 08 00 80 A2 00 00 00 50 08 00 80 A3 00 00 00 68 08 00 80 A4 00 00 00 80 08 00 80 A5 00 00 00 98 08 00 80 A6 00 00 00 B0 08 00 80 A7 00 00 00 C8 08 00 80 AA 00 00 00 E0 08 00	success or wait	1	14001476	WinExec
1696	C:\WINDOWS\explorer.exe	1048718	24	00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 7B 00 00 00 F0 19 00 80	success or wait	1	14001476	WinExec
260	C:\WINDOWS\system32\cmd.exe	7FFDC008	4	00 00 D0 4A	success or wait	1	14001332	WinExec
260	C:\WINDOWS\system32\cmd.exe	4AD00000	4096	4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00 B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 D8 00 00 00 0E 1F BA 0E 00 B4 09 CD 21 B8 01 4C CD 21 54 68 69 73 20 70 72 6F 67 72 61 6D 20 63 61 6E 6E 6F 74 20 62 65 20 72 75 6E 20 69 6E 20 44 4F 53 20 6D 6F 64 65 2E 0D 0D 0A 24 00 00 00 00 00 00 00 1D ED D5 EA 59 8C BB B9 59 8C BB B9 59 8C BB B9 9A 83 B4 B9 5F 8C BB B9 59 8C BA B9 80 8C BB B9 9A 83 E6 B9 5E 8C BB B9 E6 83 DB B9 5B 8C BB B9 9A 83 E5 B9 58 8C BB B9 9A 83 E4 B9 6D 8C BB B9 9A 83 E1 B9 58 8C BB B9 52 69 63 68 59 8C BB B9 00 00 00 00 00 00 00 00 50 45 00 00 4C 01 03 00 AF 5B 02 48 00 00 00 00 00 00 00 00 E0 00 0F 01 0B 01 07 0A 00 F8 01 00 00 F6 03 00 00 00 00	success or wait	1	14001332	WinExec
260	C:\WINDOWS\system32\cmd.exe	4AD3E000	256	00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 03 00 00 00 30 00 00 80 0B 00 00 00 80 00 00 80 0E 00 00 00 98 00 00 80 10 00 00 00 B0 00 00 80 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 00 01 00 00 00 C8 00 00 80 02 00 00 00 E0 00 00 80 03 00 00 00 F8 00 00 80 04 00 00 00 10 01 00 80 05 00 00 00 28 01 00 80 06 00 00 00 40 01 00 80 07 00 00 00 58 01 00 80 08 00 00 00 70 01 00 80 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 01 00 00 00 88 01 00 80 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 80 02 00 80 A0 01 00 80 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 01 00 00 00 B8 01 00 80 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 09 04 00 00 D0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 09 04 00 00 E0 01 00 00 00 00 00 00 00 00 00	success or wait	1	14001332	WinExec
260	C:\WINDOWS\system32\cmd.exe	7FFDC010	4	00 00 02 00	success or wait	1	14001332	WinExec

PID	Filepath	Base	Length	Value	Completion	Count	Source Address	Symbol
1492	C:\WINDOWS\system32\cmd.exe	10000	1972	3D 00 3A 00 3A 00 3D 00 3A 00 3A 00 5C 00 00 00 3D 00 5A 00 3A 00 3D 00 5A 00 3A 00 5C 00 00 00 41 00 4C 00 4C 00 55 00 53 00 45 00 52 00 53 00 50 00 52 00 4F 00 46 00 49 00 4C 00 45 00 3D 00 43 00 3A 00 5C 00 44 00 6F 00 63 00 75 00 6D 00 65 00 6E 00 74 00 73 00 20 00 61 00 6E 00 64 00 20 00 53 00 65 00 74 00 74 00 69 00 6E 00 67 00 73 00 5C 00 41 00 6C 00 6C 00 20 00 55 00 73 00 65 00 72 00 73 00 00 00 41 00 50 00 50 00 44 00 41 00 54 00 41 00 3D 00 43 00 3A 00 5C 00 44 00 6F 00 63 00 75 00 6D 00 65 00 6E 00 74 00 73 00 20 00 61 00 6E 00 64 00 20 00 53 00 65 00 74 00 74 00 69 00 6E 00 67 00 73 00 5C 00 41 00 64 00 6D 00 69 00 6E 00 69 00 73 00 74 00 72 00 61 00 74 00 6F 00 72 00 5C 00 41 00 70 00 70 00 6C 00 69 00 63 00 61 00 74 00 69 00 6F 00 6E 00 20	success or wait	1	1400113E	WinExec
1492	C:\WINDOWS\system32\cmd.exe	20000	1664	00 10 00 00 80 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 06 00 08 02 90 02 00 00 00 00 00 00 FC 00 FE 00 98 04 00 00 36 00 38 00 98 05 00 00 50 00 52 00 D0 05 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 36 00 38 00 24 06 00 00 1E 00 20 00 5C 06 00 00 00 00 02 00 7C 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00	success or wait	1	1400113E	WinExec
1492	C:\WINDOWS\system32\cmd.exe	7FFDC010	4	00 00 02 00	success or wait	1	1400113E	WinExec
1492	C:\WINDOWS\system32\cmd.exe	30000	388	53 00 68 00 69 00 6D 00 45 00 6E 00 67 00 2E 00 64 00 6C 00 6C 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 84 01 00 00 AB ED 0D AC AA 3F 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00	success or wait	1	1400113E	WinExec
1492	C:\WINDOWS\system32\cmd.exe	7FFDC1E8	4	00 00 03 00	success or wait	1	1400113E	WinExec
1696	C:\WINDOWS\explorer.exe	10000	1972	3D 00 3A 00 3A 00 3D 00 3A 00 3A 00 5C 00 00 00 3D 00 5A 00 3A 00 3D 00 5A 00 3A 00 5C 00 00 00 41 00 4C 00 4C 00 55 00 53 00 45 00 52 00 53 00 50 00 52 00 4F 00 46 00 49 00 4C 00 45 00 3D 00 43 00 3A 00 5C 00 44 00 6F 00 63 00 75 00 6D 00 65 00 6E 00 74 00 73 00 20 00 61 00 6E 00 64 00 20 00 53 00 65 00 74 00 74 00 69 00 6E 00 67 00 73 00 5C 00 41 00 6C 00 6C 00 20 00 55 00 73 00 65 00 72 00 73 00 00 00 41 00 50 00 50 00 44 00 41 00 54 00 41 00 3D 00 43 00 3A 00 5C 00 44 00 6F 00 63 00 75 00 6D 00 65 00 6E 00 74 00 73 00 20 00 61 00 6E 00 64 00 20 00 53 00 65 00 74 00 74 00 69 00 6E 00 67 00 73 00 5C 00 41 00 64 00 6D 00 69 00 6E 00 69 00 73 00 74 00 72 00 61 00 74 00 6F 00 72 00 5C 00 41 00 70 00 70 00 6C 00 69 00 63 00 61 00 74 00 69 00 6F 00 6E 00 20	success or wait	1	14001476	WinExec
1696	C:\WINDOWS\explorer.exe	20000	1572	00 10 00 00 24 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 06 00 08 02 90 02 00 00 00 00 00 00 EA 00 EC 00 98 04 00 00 2E 00 30 00 84 05 00 00 18 00 1A 00 B4 05 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 05 00 00 00 2E 00 30 00 D0 05 00 00 1E 00 20 00 00 06 00 00 00 00 02 00 20 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00	success or wait	1	14001476	WinExec
1696	C:\WINDOWS\explorer.exe	7FFDE010	4	00 00 02 00	success or wait	1	14001476	WinExec
1696	C:\WINDOWS\explorer.exe	30000	388	53 00 68 00 69 00 6D 00 45 00 6E 00 67 00 2E 00 64 00 6C 00 6C 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 84 01 00 00 AB ED 0D AC 6A D0 02 00 B2 D1 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00	success or wait	1	14001476	WinExec
1696	C:\WINDOWS\explorer.exe	7FFDE1E8	4	00 00 03 00	success or wait	1	14001476	WinExec
260	C:\WINDOWS\system32\cmd.exe	10000	1972	3D 00 3A 00 3A 00 3D 00 3A 00 3A 00 5C 00 00 00 3D 00 5A 00 3A 00 3D 00 5A 00 3A 00 5C 00 00 00 41 00 4C 00 4C 00 55 00 53 00 45 00 52 00 53 00 50 00 52 00 4F 00 46 00 49 00 4C 00 45 00 3D 00 43 00 3A 00 5C 00 44 00 6F 00 63 00 75 00 6D 00 65 00 6E 00 74 00 73 00 20 00 61 00 6E 00 64 00 20 00 53 00 65 00 74 00 74 00 69 00 6E 00 67 00 73 00 5C 00 41 00 6C 00 6C 00 20 00 55 00 73 00 65 00 72 00 73 00 00 00 41 00 50 00 50 00 44 00 41 00 54 00 41 00 3D 00 43 00 3A 00 5C 00 44 00 6F 00 63 00 75 00 6D 00 65 00 6E 00 74 00 73 00 20 00 61 00 6E 00 64 00 20 00 53 00 65 00 74 00 74 00 69 00 6E 00 67 00 73 00 5C 00 41 00 64 00 6D 00 69 00 6E 00 69 00 73 00 74 00 72 00 61 00 74 00 6F 00 72 00 5C 00 41 00 70 00 70 00 6C 00 69 00 63 00 61 00 74 00 69 00 6F 00 6E 00 20	success or wait	1	14001332	WinExec
260	C:\WINDOWS\system32\cmd.exe	20000	1676	00 10 00 00 8C 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 06 00 08 02 90 02 00 00 00 00 00 00 FC 00 FE 00 98 04 00 00 36 00 38 00 98 05 00 00 5C 00 5E 00 D0 05 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 36 00 38 00 30 06 00 00 1E 00 20 00 68 06 00 00 00 00 02 00 88 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00	success or wait	1	14001332	WinExec
260	C:\WINDOWS\system32\cmd.exe	7FFDC010	4	00 00 02 00	success or wait	1	14001332	WinExec
260	C:\WINDOWS\system32\cmd.exe	30000	388	53 00 68 00 69 00 6D 00 45 00 6E 00 67 00 2E 00 64 00 6C 00 6C 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 84 01 00 00 AB ED 0D AC AA 3F 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00	success or wait	1	14001332	WinExec
260	C:\WINDOWS\system32\cmd.exe	7FFDC1E8	4	00 00 03 00	success or wait	1	14001332	WinExec

Memory Allocated

PID	Filepath	Base	Length	Protection	Completion	Count	Source Address	Symbol
1764	C:\long sleep 2s.exe	140000	12FB14	page read and write	success or wait	1	7C90E457	KiUserApcDispatcher
1764	C:\long sleep 2s.exe	140000	12FB18	page read and write	success or wait	1	7C90E457	KiUserApcDispatcher
1764	C:\long sleep 2s.exe	141000	12F7F4	page read and write	success or wait	1	7C90E457	KiUserApcDispatcher
1764	C:\long sleep 2s.exe	240000	12FB14	page read and write	success or wait	1	7C90E457	KiUserApcDispatcher
1764	C:\long sleep 2s.exe	240000	12FB18	page read and write	success or wait	1	7C90E457	KiUserApcDispatcher
1764	C:\long sleep 2s.exe	250000	12F340	page read and write	success or wait	1	7C90E457	KiUserApcDispatcher
1764	C:\long sleep 2s.exe	251000	12F168	page read and write	success or wait	1	7C90E457	KiUserApcDispatcher
1764	C:\long sleep 2s.exe	143000	12F3EC	page read and write	success or wait	1	7C90E457	KiUserApcDispatcher
1764	C:\long sleep 2s.exe	830000	12F91C	page read and write	success or wait	1	7C90E457	KiUserApcDispatcher
1764	C:\long sleep 2s.exe	830000	12F920	page read and write	success or wait	1	7C90E457	KiUserApcDispatcher
1764	C:\long sleep 2s.exe	831000	12F5FC	page read and write	success or wait	1	7C90E457	KiUserApcDispatcher
1764	C:\long sleep 2s.exe	144000	12F634	page read and write	success or wait	1	7C90E457	KiUserApcDispatcher
1764	C:\long sleep 2s.exe	833000	12F6B8	page read and write	success or wait	1	7C90E457	KiUserApcDispatcher
1764	C:\long sleep 2s.exe	850000	12FF1C	page read and write	success or wait	1	1400813A	HeapCreate
1764	C:\long sleep 2s.exe	850000	12FF20	page read and write	success or wait	1	1400813A	HeapCreate
1764	C:\long sleep 2s.exe	851000	12FC4C	page read and write	success or wait	1	7C817077	unknown
1764	C:\long sleep 2s.exe	860000	12FE78	page read and write	success or wait	1	140098EB	VirtualAlloc
1764	C:\long sleep 2s.exe	860000	12FE68	page read and write	success or wait	1	14009977	VirtualAlloc
1764	C:\long sleep 2s.exe	145000	12E51C	page read and write	success or wait	1	1400113E	WinExec
1764	C:\long sleep 2s.exe	146000	12E69C	page read and write	success or wait	1	1400113E	WinExec
1764	C:\long sleep 2s.exe	970000	12EDD8	page read and write	success or wait	1	1400113E	WinExec
1764	C:\long sleep 2s.exe	970000	12EDD4	page read and write	success or wait	1	1400113E	WinExec
1764	C:\long sleep 2s.exe	147000	12ECF8	page read and write	success or wait	1	1400113E	WinExec
1764	C:\long sleep 2s.exe	980000	12ED48	page read and write	success or wait	2	1400113E	WinExec
1492	C:\WINDOWS\system32\cmd.exe	10000	12EE50	page read and write	success or wait	1	1400113E	WinExec
1492	C:\WINDOWS\system32\cmd.exe	20000	12EE50	page read and write	success or wait	1	1400113E	WinExec
1492	C:\WINDOWS\system32\cmd.exe	30000	12EE50	page read and write	success or wait	1	1400113E	WinExec
1492	C:\WINDOWS\system32\cmd.exe	40000	12F0BC	page read and write	success or wait	1	1400113E	WinExec
1492	C:\WINDOWS\system32\cmd.exe	40000	12F0B8	page read and write	success or wait	1	1400113E	WinExec
1764	C:\long sleep 2s.exe	980000	12ED18	page read and write	success or wait	1	14001476	WinExec
1696	C:\WINDOWS\explorer.exe	10000	12EE20	page read and write	success or wait	1	14001476	WinExec
1696	C:\WINDOWS\explorer.exe	20000	12EE20	page read and write	success or wait	1	14001476	WinExec
1696	C:\WINDOWS\explorer.exe	30000	12EE20	page read and write	success or wait	1	14001476	WinExec
1696	C:\WINDOWS\explorer.exe	40000	12F08C	page read and write	success or wait	1	14001476	WinExec
1696	C:\WINDOWS\explorer.exe	71000	12F088	page read and write	success or wait	1	14001476	WinExec
260	C:\WINDOWS\system32\cmd.exe	10000	12EE50	page read and write	success or wait	1	14001332	WinExec
260	C:\WINDOWS\system32\cmd.exe	20000	12EE50	page read and write	success or wait	1	14001332	WinExec
260	C:\WINDOWS\system32\cmd.exe	30000	12EE50	page read and write	success or wait	1	14001332	WinExec
260	C:\WINDOWS\system32\cmd.exe	40000	12F0BC	page read and write	success or wait	1	14001332	WinExec
260	C:\WINDOWS\system32\cmd.exe	40000	12F0B8	page read and write	success or wait	1	14001332	WinExec

PID	Filepath	Base	Length	New Protection	Old Protection	Completion	Count	Source Address	Symbol
1764	C:\long sleep 2s.exe	7C801000	1000	page read and write	page execute read	success or wait	1	7C90E457	KiUserApcDispatcher
1764	C:\long sleep 2s.exe	7C801000	1000	page execute read	page read and write	success or wait	1	7C90E457	KiUserApcDispatcher
1764	C:\long sleep 2s.exe	1400B000	1000	page read and write	page write copy	success or wait	1	7C90E457	KiUserApcDispatcher
1764	C:\long sleep 2s.exe	1400B000	1000	page write copy	page read and write	success or wait	1	7C90E457	KiUserApcDispatcher
1764	C:\long sleep 2s.exe	77F11000	1000	page read and write	page execute read	success or wait	3	7C90E457	KiUserApcDispatcher
1764	C:\long sleep 2s.exe	77F11000	1000	page execute read	page read and write	success or wait	3	7C90E457	KiUserApcDispatcher
1764	C:\long sleep 2s.exe	7E411000	1000	page read and write	page execute read	success or wait	3	7C90E457	KiUserApcDispatcher
1764	C:\long sleep 2s.exe	7E411000	1000	page execute read	page read and write	success or wait	3	7C90E457	KiUserApcDispatcher
1764	C:\long sleep 2s.exe	1400B000	1000	page read and write	page read and write	success or wait	4	7C90E457	KiUserApcDispatcher
1764	C:\long sleep 2s.exe	1400B000	1000	page read and write	page read and write	success or wait	4	7C90E457	KiUserApcDispatcher
1764	C:\long sleep 2s.exe	77DD1000	1000	page read and write	page execute read	success or wait	3	7C90E457	KiUserApcDispatcher
1764	C:\long sleep 2s.exe	77DD1000	1000	page execute read	page read and write	success or wait	3	7C90E457	KiUserApcDispatcher
1764	C:\long sleep 2s.exe	77E71000	1000	page read and write	page execute read	success or wait	4	7C90E457	KiUserApcDispatcher
1764	C:\long sleep 2s.exe	77E71000	1000	page execute read	page read and write	success or wait	4	7C90E457	KiUserApcDispatcher
1764	C:\long sleep 2s.exe	77FE1000	1000	page read and write	page execute read	success or wait	3	7C90E457	KiUserApcDispatcher
1764	C:\long sleep 2s.exe	77FE1000	1000	page execute read	page read and write	success or wait	3	7C90E457	KiUserApcDispatcher
1764	C:\long sleep 2s.exe	71AB1000	1000	page read and write	page execute read	success or wait	4	7C90E457	KiUserApcDispatcher
1764	C:\long sleep 2s.exe	71AB1000	1000	page execute read	page read and write	success or wait	4	7C90E457	KiUserApcDispatcher
1764	C:\long sleep 2s.exe	77C11000	1000	page read and write	page execute read	success or wait	2	7C90E457	KiUserApcDispatcher
1764	C:\long sleep 2s.exe	77C11000	1000	page execute read	page read and write	success or wait	2	7C90E457	KiUserApcDispatcher
1764	C:\long sleep 2s.exe	71AA1000	1000	page read and write	page execute read	success or wait	3	7C90E457	KiUserApcDispatcher
1764	C:\long sleep 2s.exe	71AA1000	1000	page execute read	page read and write	success or wait	3	7C90E457	KiUserApcDispatcher
1764	C:\long sleep 2s.exe	77F61000	1000	page read and write	page execute read	success or wait	5	7C90E457	KiUserApcDispatcher
1764	C:\long sleep 2s.exe	77F61000	1000	page execute read	page read and write	success or wait	5	7C90E457	KiUserApcDispatcher
1764	C:\long sleep 2s.exe	76391000	1000	page read and write	page execute read	success or wait	4	7C90E457	KiUserApcDispatcher
1764	C:\long sleep 2s.exe	76391000	1000	page execute read	page read and write	success or wait	4	7C90E457	KiUserApcDispatcher
1764	C:\long sleep 2s.exe	77B41000	1000	page read and write	page execute read	success or wait	2	1400113E	WinExec
1764	C:\long sleep 2s.exe	77B41000	1000	page execute read	page read and write	success or wait	2	1400113E	WinExec
1764	C:\long sleep 2s.exe	77C01000	1000	page read and write	page execute read	success or wait	2	1400113E	WinExec
1764	C:\long sleep 2s.exe	77C01000	1000	page execute read	page read and write	success or wait	2	1400113E	WinExec
1696	C:\WINDOWS\explorer.exe	71000	1000	page read and write and page guard	page read and write	success or wait	1	14001476	WinExec

Memory Usage Statistics

Time	Private Usage (mb)	Workingset (mb)	Page File Usage (mb)
09:39:47	0	1	0
09:39:48	0	1	0

System Activites

System info class	Completion	Count	Source Address	Symbol
BasicInformation	success or wait	9	7C90E457	KiUserApcDispatcher
RangeStartInformation	success or wait	1	7C90E457	KiUserApcDispatcher
ProcessorInformation	success or wait	2	7C90E457	KiUserApcDispatcher
WatchdogTimerHandler	success or wait	3	1400113E	WinExec

Chronological Activities

Operation	Data	Completion	Time
Key value queried	Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager Name: CWDIllegalInDLLSearch	object name not found	525700670
System info queried	Type: BasicInformation	success or wait	525703602
Memory allocated	PID: 1764 Path: C:\long sleep 2s.exe Base: 140000 Length: 12FB14 Allocation Type: unknown Protection: page read and write	success or wait	525704256
Memory allocated	PID: 1764 Path: C:\long sleep 2s.exe Base: 140000 Length: 12FB18 Allocation Type: unknown Protection: page read and write	success or wait	525704518
Memory allocated	PID: 1764 Path: C:\long sleep 2s.exe Base: 141000 Length: 12F7F4 Allocation Type: unknown Protection: page read and write	success or wait	525704912
System info queried	Type: BasicInformation	success or wait	525705626
Memory allocated	PID: 1764 Path: C:\long sleep 2s.exe Base: 240000 Length: 12FB14 Allocation Type: unknown Protection: page read and write	success or wait	525705909
Memory allocated	PID: 1764 Path: C:\long sleep 2s.exe Base: 240000 Length: 12FB18 Allocation Type: unknown Protection: page read and write	success or wait	525706160
File opened	Path: C:\ Access: execute or traverse and synchronize Options: directory file and synchronous io non alert Overwritten: false	success or wait	525708995
File control set	Path: C:\ Control Code: 90028 Input Buffer: NULL	success or wait	525709957
Section loaded	Path: \KnownDlls\kernel32.dll Access: write and read and execute Type: unknown Baseaddress: 7C800000 Size: 1007616 Protection: read write Mapped to pid: own pid	success or wait	525713088
Memory attributes changed	PID: 1764 Path: C:\long sleep 2s.exe Base: 7C801000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	525715473
Memory attributes changed	PID: 1764 Path: C:\long sleep 2s.exe Base: 7C801000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	525716576
Process information queried	Path: C:\long sleep 2s.exe PID: 1764 Info Class: Cookie	success or wait	525718017
System info queried	Type: RangeStartInformation	success or wait	525718315
System info queried	Type: BasicInformation	success or wait	525721042
Section loaded	Path: unknown Access: query and write and read and execute and extend size Type: reserve Baseaddress: 7C800000 Size: 1007616 Protection: read write Mapped to pid: own pid	success or wait	525721419
System info queried	Type: BasicInformation	success or wait	525724737
Memory allocated	PID: 1764 Path: C:\long sleep 2s.exe Base: 250000 Length: 12F340 Allocation Type: unknown Protection: page read and write	success or wait	525725221
Key value queried	Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Terminal Server Name: TSAppCompat	success or wait	525730976
Section loaded	Path: \NLS\NlsSectionUnicode Access: read Type: unknown Baseaddress: 260000 Size: 90112 Protection: readonly Mapped to pid: own pid	success or wait	525734795
Section loaded	Path: \NLS\NlsSectionLocale Access: read Type: unknown Baseaddress: 280000 Size: 266240 Protection: readonly Mapped to pid: own pid	success or wait	525736786
Section loaded	Path: \NLS\NlsSectionSortkey Access: query and read Type: unknown Baseaddress: 2D0000 Size: 266240 Protection: readonly Mapped to pid: own pid	success or wait	525738715
Section loaded	Path: \NLS\NlsSectionSortTbls Access: read Type: unknown Baseaddress: 320000 Size: 24576 Protection: readonly Mapped to pid: own pid	success or wait	525741641
Section loaded	Path: \NLS\NlsSectionSortkey00000409 Access: read Type: unknown Baseaddress: unknown Size: unknown Protection: unknown Mapped to pid: unknown	object name not found	525745799
Section loaded	Path: \NLS\NlsSectionSortkey00000409 Access: read Type: unknown Baseaddress: unknown Size: unknown Protection: unknown Mapped to pid: unknown	object name not found	525746173
Memory allocated	PID: 1764 Path: C:\long sleep 2s.exe Base: 251000 Length: 12F168 Allocation Type: unknown Protection: page read and write	success or wait	525746495
Memory attributes changed	PID: 1764 Path: C:\long sleep 2s.exe Base: 1400B000 Length: 1000 New Protection: page read and write Old Protection: page write copy	success or wait	525751627
Memory attributes changed	PID: 1764 Path: C:\long sleep 2s.exe Base: 1400B000 Length: 1000 New Protection: page write copy Old Protection: page read and write	success or wait	525754494
Section loaded	Path: \KnownDlls\USER32.dll Access: write and read and execute Type: unknown Baseaddress: 7E410000 Size: 593920 Protection: read write Mapped to pid: own pid	success or wait	525754866
Section loaded	Path: \KnownDlls\GDI32.dll Access: write and read and execute Type: unknown Baseaddress: 77F10000 Size: 299008 Protection: read write Mapped to pid: own pid	success or wait	525756798
Memory attributes changed	PID: 1764 Path: C:\long sleep 2s.exe Base: 77F11000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	525759251
Memory attributes changed	PID: 1764 Path: C:\long sleep 2s.exe Base: 77F11000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	525760591
Memory attributes changed	PID: 1764 Path: C:\long sleep 2s.exe Base: 77F11000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	525760947
Memory attributes changed	PID: 1764 Path: C:\long sleep 2s.exe Base: 77F11000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	525761348
Memory attributes changed	PID: 1764 Path: C:\long sleep 2s.exe Base: 77F11000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	525763919
Memory attributes changed	PID: 1764 Path: C:\long sleep 2s.exe Base: 77F11000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	525764534
Memory attributes changed	PID: 1764 Path: C:\long sleep 2s.exe Base: 7E411000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	525764896
Memory attributes changed	PID: 1764 Path: C:\long sleep 2s.exe Base: 7E411000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	525766052
Memory attributes changed	PID: 1764 Path: C:\long sleep 2s.exe Base: 7E411000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	525766381
Memory attributes changed	PID: 1764 Path: C:\long sleep 2s.exe Base: 7E411000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	525766794
Memory attributes changed	PID: 1764 Path: C:\long sleep 2s.exe Base: 7E411000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	525767208
Memory attributes changed	PID: 1764 Path: C:\long sleep 2s.exe Base: 7E411000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	525767670
Memory attributes changed	PID: 1764 Path: C:\long sleep 2s.exe Base: 1400B000 Length: 1000 New Protection: page read and write Old Protection: page read and write	success or wait	525767959
Memory attributes changed	PID: 1764 Path: C:\long sleep 2s.exe Base: 1400B000 Length: 1000 New Protection: page read and write Old Protection: page read and write	success or wait	525770196
Section loaded	Path: \KnownDlls\ADVAPI32.dll Access: write and read and execute Type: unknown Baseaddress: 77DD0000 Size: 634880 Protection: read write Mapped to pid: own pid	success or wait	525770651
Memory attributes changed	PID: 1764 Path: C:\long sleep 2s.exe Base: 77DD1000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	525774293
Memory attributes changed	PID: 1764 Path: C:\long sleep 2s.exe Base: 77DD1000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	525777098
Memory attributes changed	PID: 1764 Path: C:\long sleep 2s.exe Base: 77DD1000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	525777424
Memory attributes changed	PID: 1764 Path: C:\long sleep 2s.exe Base: 77DD1000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	525778075
Section loaded	Path: \KnownDlls\RPCRT4.dll Access: write and read and execute Type: unknown Baseaddress: 77E70000 Size: 602112 Protection: read write Mapped to pid: own pid	success or wait	525778463
Memory attributes changed	PID: 1764 Path: C:\long sleep 2s.exe Base: 77E71000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	525781980
Memory attributes changed	PID: 1764 Path: C:\long sleep 2s.exe Base: 77E71000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	525782623
Memory attributes changed	PID: 1764 Path: C:\long sleep 2s.exe Base: 77E71000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	525785305
Memory attributes changed	PID: 1764 Path: C:\long sleep 2s.exe Base: 77E71000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	525785780
Memory attributes changed	PID: 1764 Path: C:\long sleep 2s.exe Base: 77E71000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	525786125
Memory attributes changed	PID: 1764 Path: C:\long sleep 2s.exe Base: 77E71000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	525786971
Section loaded	Path: \KnownDlls\Secur32.dll Access: write and read and execute Type: unknown Baseaddress: 77FE0000 Size: 69632 Protection: read write Mapped to pid: own pid	success or wait	525787385
Memory attributes changed	PID: 1764 Path: C:\long sleep 2s.exe Base: 77FE1000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	525789125
Memory attributes changed	PID: 1764 Path: C:\long sleep 2s.exe Base: 77FE1000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	525791503
Memory attributes changed	PID: 1764 Path: C:\long sleep 2s.exe Base: 77FE1000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	525791892
Memory attributes changed	PID: 1764 Path: C:\long sleep 2s.exe Base: 77FE1000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	525792338
Memory attributes changed	PID: 1764 Path: C:\long sleep 2s.exe Base: 77FE1000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	525795011
Memory attributes changed	PID: 1764 Path: C:\long sleep 2s.exe Base: 77FE1000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	525795474
Memory attributes changed	PID: 1764 Path: C:\long sleep 2s.exe Base: 77E71000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	525795814
Memory attributes changed	PID: 1764 Path: C:\long sleep 2s.exe Base: 77E71000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	525796650
Memory attributes changed	PID: 1764 Path: C:\long sleep 2s.exe Base: 77DD1000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	525796963
Memory attributes changed	PID: 1764 Path: C:\long sleep 2s.exe Base: 77DD1000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	525797465
Memory attributes changed	PID: 1764 Path: C:\long sleep 2s.exe Base: 1400B000 Length: 1000 New Protection: page read and write Old Protection: page read and write	success or wait	525797849
Memory attributes changed	PID: 1764 Path: C:\long sleep 2s.exe Base: 1400B000 Length: 1000 New Protection: page read and write Old Protection: page read and write	success or wait	525798240
Section loaded	Path: \KnownDlls\WS2_32.dll Access: write and read and execute Type: unknown Baseaddress: unknown Size: unknown Protection: unknown Mapped to pid: unknown	object name not found	525799184
Memory allocated	PID: 1764 Path: C:\long sleep 2s.exe Base: 143000 Length: 12F3EC Allocation Type: unknown Protection: page read and write	success or wait	525801435
File opened	Path: C:\WINDOWS\system32\WS2_32.dll Access: execute or traverse and synchronize Options: synchronous io non alert and non directory file Overwritten: false	success or wait	525802260
Section loaded	Path: C:\WINDOWS\system32\ws2_32.dll Access: query and write and read and execute Type: image Baseaddress: 71AB0000 Size: 94208 Protection: read write Mapped to pid: own pid	success or wait	525803286
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers Name: TransparentEnabled	success or wait	525805573
Memory attributes changed	PID: 1764 Path: C:\long sleep 2s.exe Base: 71AB1000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	525809376
Memory attributes changed	PID: 1764 Path: C:\long sleep 2s.exe Base: 71AB1000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	525809816
Memory attributes changed	PID: 1764 Path: C:\long sleep 2s.exe Base: 71AB1000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	525812063
Memory attributes changed	PID: 1764 Path: C:\long sleep 2s.exe Base: 71AB1000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	525812463
Section loaded	Path: \KnownDlls\msvcrt.dll Access: write and read and execute Type: unknown Baseaddress: 77C10000 Size: 360448 Protection: read write Mapped to pid: own pid	success or wait	525812848
Memory attributes changed	PID: 1764 Path: C:\long sleep 2s.exe Base: 77C11000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	525817283
Memory attributes changed	PID: 1764 Path: C:\long sleep 2s.exe Base: 77C11000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	525817874
Memory attributes changed	PID: 1764 Path: C:\long sleep 2s.exe Base: 77C11000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	525818228
Memory attributes changed	PID: 1764 Path: C:\long sleep 2s.exe Base: 77C11000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	525818668
Memory attributes changed	PID: 1764 Path: C:\long sleep 2s.exe Base: 71AB1000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	525818982
Memory attributes changed	PID: 1764 Path: C:\long sleep 2s.exe Base: 71AB1000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	525819478
Memory attributes changed	PID: 1764 Path: C:\long sleep 2s.exe Base: 71AB1000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	525821727
Memory attributes changed	PID: 1764 Path: C:\long sleep 2s.exe Base: 71AB1000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	525822064
Section loaded	Path: \KnownDlls\WS2HELP.dll Access: write and read and execute Type: unknown Baseaddress: unknown Size: unknown Protection: unknown Mapped to pid: unknown	object name not found	525822451
File opened	Path: C:\WINDOWS\system32\WS2HELP.dll Access: execute or traverse and synchronize Options: synchronous io non alert and non directory file Overwritten: false	success or wait	525825487
Section loaded	Path: C:\WINDOWS\system32\ws2help.dll Access: query and write and read and execute Type: image Baseaddress: 71AA0000 Size: 32768 Protection: read write Mapped to pid: own pid	success or wait	525826559
Memory attributes changed	PID: 1764 Path: C:\long sleep 2s.exe Base: 71AA1000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	525829174
Memory attributes changed	PID: 1764 Path: C:\long sleep 2s.exe Base: 71AA1000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	525829747
Memory attributes changed	PID: 1764 Path: C:\long sleep 2s.exe Base: 71AA1000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	525830105
Memory attributes changed	PID: 1764 Path: C:\long sleep 2s.exe Base: 71AA1000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	525833045
Memory attributes changed	PID: 1764 Path: C:\long sleep 2s.exe Base: 71AA1000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	525833407
Memory attributes changed	PID: 1764 Path: C:\long sleep 2s.exe Base: 71AA1000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	525833771
Memory attributes changed	PID: 1764 Path: C:\long sleep 2s.exe Base: 1400B000 Length: 1000 New Protection: page read and write Old Protection: page read and write	success or wait	525836355
Memory attributes changed	PID: 1764 Path: C:\long sleep 2s.exe Base: 1400B000 Length: 1000 New Protection: page read and write Old Protection: page read and write	success or wait	525836813
Section loaded	Path: \KnownDlls\SHLWAPI.dll Access: write and read and execute Type: unknown Baseaddress: 77F60000 Size: 483328 Protection: read write Mapped to pid: own pid	success or wait	525837249
Memory attributes changed	PID: 1764 Path: C:\long sleep 2s.exe Base: 77F61000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	525850269
Memory attributes changed	PID: 1764 Path: C:\long sleep 2s.exe Base: 77F61000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	525850712
Memory attributes changed	PID: 1764 Path: C:\long sleep 2s.exe Base: 77F61000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	525851033
Memory attributes changed	PID: 1764 Path: C:\long sleep 2s.exe Base: 77F61000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	525853301
Memory attributes changed	PID: 1764 Path: C:\long sleep 2s.exe Base: 77F61000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	525853641
Memory attributes changed	PID: 1764 Path: C:\long sleep 2s.exe Base: 77F61000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	525854138
Memory attributes changed	PID: 1764 Path: C:\long sleep 2s.exe Base: 77F61000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	525856783
Memory attributes changed	PID: 1764 Path: C:\long sleep 2s.exe Base: 77F61000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	525857155
Memory attributes changed	PID: 1764 Path: C:\long sleep 2s.exe Base: 77F61000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	525857476
Memory attributes changed	PID: 1764 Path: C:\long sleep 2s.exe Base: 77F61000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	525858412
Memory attributes changed	PID: 1764 Path: C:\long sleep 2s.exe Base: 1400B000 Length: 1000 New Protection: page read and write Old Protection: page read and write	success or wait	525858703
Memory attributes changed	PID: 1764 Path: C:\long sleep 2s.exe Base: 1400B000 Length: 1000 New Protection: page read and write Old Protection: page read and write	success or wait	525859086
Process information queried	Path: C:\long sleep 2s.exe PID: 1764 Info Class: ImageInformation	success or wait	525859648
Key value queried	Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Terminal Server Name: TSAppCompat	success or wait	525860428
System info queried	Type: BasicInformation	success or wait	525865074
Key value queried	Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager Name: SafeDllSearchMode	object name not found	525866225
File opened	Path: C:\WINDOWS\system32\IMM32.DLL Access: execute or traverse and synchronize Options: synchronous io non alert and non directory file Overwritten: false	success or wait	525869530
Section loaded	Path: C:\WINDOWS\system32\imm32.dll Access: write and read and execute Type: commit Baseaddress: 400000 Size: 110592 Protection: execute Mapped to pid: own pid	success or wait	525870671
File opened	Path: C:\WINDOWS\system32\IMM32.DLL Access: execute or traverse and synchronize Options: synchronous io non alert and non directory file Overwritten: false	success or wait	525873439
Section loaded	Path: C:\WINDOWS\system32\imm32.dll Access: write and read and execute Type: commit Baseaddress: 400000 Size: 110592 Protection: execute Mapped to pid: own pid	success or wait	525874465
File opened	Path: C:\WINDOWS\system32\IMM32.DLL Access: execute or traverse and synchronize Options: synchronous io non alert and non directory file Overwritten: false	success or wait	525878132
Section loaded	Path: C:\WINDOWS\system32\imm32.dll Access: query and write and read and execute Type: image Baseaddress: 76390000 Size: 118784 Protection: read write Mapped to pid: own pid	success or wait	525881596
Memory attributes changed	PID: 1764 Path: C:\long sleep 2s.exe Base: 76391000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	525883721
Memory attributes changed	PID: 1764 Path: C:\long sleep 2s.exe Base: 76391000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	525884825
Memory attributes changed	PID: 1764 Path: C:\long sleep 2s.exe Base: 76391000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	525885188
Memory attributes changed	PID: 1764 Path: C:\long sleep 2s.exe Base: 76391000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	525885590
Memory attributes changed	PID: 1764 Path: C:\long sleep 2s.exe Base: 76391000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	525886153
Memory attributes changed	PID: 1764 Path: C:\long sleep 2s.exe Base: 76391000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	525887616
Memory attributes changed	PID: 1764 Path: C:\long sleep 2s.exe Base: 76391000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	525890410
Memory attributes changed	PID: 1764 Path: C:\long sleep 2s.exe Base: 76391000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	525890791
System info queried	Type: BasicInformation	success or wait	525891434
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize Name: DisableMetaFiles	object name not found	525893485
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Name: AppInit_DLLs	success or wait	525897177
Key value queried	Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Terminal Server Name: TSAppCompat	success or wait	525899753
Key value queried	Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Terminal Server Name: TSUserEnabled	success or wait	525900792
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Name: LeakTrack	object name not found	525904216
System info queried	Type: BasicInformation	success or wait	525907835
Memory allocated	PID: 1764 Path: C:\long sleep 2s.exe Base: 830000 Length: 12F91C Allocation Type: unknown Protection: page read and write	success or wait	525908159
Memory allocated	PID: 1764 Path: C:\long sleep 2s.exe Base: 830000 Length: 12F920 Allocation Type: unknown Protection: page read and write	success or wait	525908445
Memory allocated	PID: 1764 Path: C:\long sleep 2s.exe Base: 831000 Length: 12F5FC Allocation Type: unknown Protection: page read and write	success or wait	525909247
Memory allocated	PID: 1764 Path: C:\long sleep 2s.exe Base: 144000 Length: 12F634 Allocation Type: unknown Protection: page read and write	success or wait	525909991
Section loaded	Path: \NLS\NlsSectionCType Access: read Type: unknown Baseaddress: 840000 Size: 12288 Protection: readonly Mapped to pid: own pid	success or wait	525910556
Memory allocated	PID: 1764 Path: C:\long sleep 2s.exe Base: 833000 Length: 12F6B8 Allocation Type: unknown Protection: page read and write	success or wait	525912592
Process information queried	Path: C:\long sleep 2s.exe PID: 1764 Info Class: Cookie	success or wait	525915718
Process information queried	Path: C:\long sleep 2s.exe PID: 1764 Info Class: Cookie	success or wait	525915977
System info queried	Type: BasicInformation	success or wait	525916248
System info queried	Type: ProcessorInformation	success or wait	525918711
System info queried	Type: BasicInformation	success or wait	525924356
Memory allocated	PID: 1764 Path: C:\long sleep 2s.exe Base: 850000 Length: 12FF1C Allocation Type: unknown Protection: page read and write	success or wait	525924732
Memory allocated	PID: 1764 Path: C:\long sleep 2s.exe Base: 850000 Length: 12FF20 Allocation Type: unknown Protection: page read and write	success or wait	525925069
Memory allocated	PID: 1764 Path: C:\long sleep 2s.exe Base: 851000 Length: 12FC4C Allocation Type: unknown Protection: page read and write	success or wait	525928715
Memory allocated	PID: 1764 Path: C:\long sleep 2s.exe Base: 860000 Length: 12FE78 Allocation Type: unknown Protection: page read and write	success or wait	525929215
Memory allocated	PID: 1764 Path: C:\long sleep 2s.exe Base: 860000 Length: 12FE68 Allocation Type: unknown Protection: page read and write	success or wait	525929599
Process information queried	Path: C:\long sleep 2s.exe PID: 1764 Info Class: DefaultHardErrorMode	success or wait	525938866
Process information queried	Path: C:\long sleep 2s.exe PID: 1764 Info Class: DefaultHardErrorMode	success or wait	525939911
Key value queried	Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager Name: SafeProcessSearchMode	object name not found	525940686
File opened	Path: C:\WINDOWS\system32\cmd.exe Access: read data or list directory and execute or traverse and read attributes and synchronize Options: synchronous io non alert and non directory file Overwritten: false	success or wait	525952118
Section loaded	Path: C:\WINDOWS\system32\cmd.exe Access: query and write and read and execute and extend size Type: image Baseaddress: 840000 Size: 12288 Protection: readonly Mapped to pid: own pid	success or wait	525953224
Key value queried	Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\AppCompatibility Name: DisableAppCompat	object name not found	525975976
Section loaded	Path: \BaseNamedObjects\ShimSharedMemory Access: write Type: unknown Baseaddress: 960000 Size: 57344 Protection: read write Mapped to pid: own pid	success or wait	525977435
File opened	Path: C:\WINDOWS\system32\Apphelp.dll Access: execute or traverse and synchronize Options: synchronous io non alert and non directory file Overwritten: false	success or wait	525979191
Section loaded	Path: C:\WINDOWS\system32\apphelp.dll Access: write and read and execute Type: commit Baseaddress: 970000 Size: 126976 Protection: execute Mapped to pid: own pid	success or wait	525982279
File opened	Path: C:\WINDOWS\system32\Apphelp.dll Access: execute or traverse and synchronize Options: synchronous io non alert and non directory file Overwritten: false	success or wait	525987120
Section loaded	Path: C:\WINDOWS\system32\apphelp.dll Access: query and write and read and execute Type: image Baseaddress: 77B40000 Size: 139264 Protection: read write Mapped to pid: own pid	success or wait	525988246
Memory attributes changed	PID: 1764 Path: C:\long sleep 2s.exe Base: 77B41000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	525990758
Memory attributes changed	PID: 1764 Path: C:\long sleep 2s.exe Base: 77B41000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	525991367
Memory attributes changed	PID: 1764 Path: C:\long sleep 2s.exe Base: 77B41000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	525991792
Memory attributes changed	PID: 1764 Path: C:\long sleep 2s.exe Base: 77B41000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	525994429
Memory allocated	PID: 1764 Path: C:\long sleep 2s.exe Base: 145000 Length: 12E51C Allocation Type: unknown Protection: page read and write	success or wait	525995252
File opened	Path: C:\WINDOWS\AppPatch\sysmain.sdb Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file Attributes: normal Content Overwritten: null	success or wait	525995827
Section loaded	Path: C:\WINDOWS\AppPatch\sysmain.sdb Access: read Type: commit Baseaddress: 970000 Size: 1208320 Protection: readonly Mapped to pid: own pid	success or wait	525998600
File opened	Path: C:\WINDOWS\AppPatch\systest.sdb Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file Attributes: normal Content Overwritten: null	object name not found	526000800
System info queried	Type: ProcessorInformation	success or wait	526001641
Process information queried	Path: C:\long sleep 2s.exe PID: 1764 Info Class: Wow64Information	success or wait	526002149
Key value queried	Path: HKEY_LOCAL_MACHINE\SYSTEM\WPA\MediaCenter Name: Installed	success or wait	526002704
File opened	Path: \Device\NamedPipe\ShimViewer Access: write data or add file and append data or add subdirectory or create pipe instance and write ea and write attributes and read control and synchronize Options: no options Attributes: normal Content Overwritten: null	object name not found	526005801
File opened	Path: C:\WINDOWS\system32\ Access: read data or list directory and synchronize Options: directory file and synchronous io non alert and open for backup ident Overwritten: false	success or wait	526006576
Directory Information Queried	Path: C:\WINDOWS\system32Disposition: BothDirectoryInformation Filemask: cmd.exe	success or wait	526007630
Process information queried	Path: C:\long sleep 2s.exe PID: 1764 Info Class: DefaultHardErrorMode	success or wait	526011019
File opened	Path: C:\ Access: execute or traverse and synchronize Options: directory file and synchronous io non alert Overwritten: false	success or wait	526011648
Directory Information Queried	Path: C:\Disposition: BothDirectoryInformation Filemask: WINDOWS	success or wait	526013086
File opened	Path: C:\WINDOWS\ Access: read data or list directory and synchronize Options: directory file and synchronous io non alert and open for backup ident Overwritten: false	success or wait	526014810
Directory Information Queried	Path: C:\WINDOWSDisposition: BothDirectoryInformation Filemask: system32	success or wait	526015933
File opened	Path: C:\WINDOWS\system32\ Access: read data or list directory and synchronize Options: directory file and synchronous io non alert and open for backup ident Overwritten: false	success or wait	526017037
Directory Information Queried	Path: C:\WINDOWS\system32Disposition: BothDirectoryInformation Filemask: cmd.exe	success or wait	526020040
Process information queried	Path: C:\long sleep 2s.exe PID: 1764 Info Class: DefaultHardErrorMode	success or wait	526021103
Process information queried	Path: C:\long sleep 2s.exe PID: 1764 Info Class: DeviceMap	success or wait	526023782
Section loaded	Path: \KnownDlls\VERSION.dll Access: write and read and execute Type: unknown Baseaddress: 77C00000 Size: 32768 Protection: read write Mapped to pid: own pid	success or wait	526074931
Memory attributes changed	PID: 1764 Path: C:\long sleep 2s.exe Base: 77C01000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	526078072
Memory attributes changed	PID: 1764 Path: C:\long sleep 2s.exe Base: 77C01000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	526078786
Memory attributes changed	PID: 1764 Path: C:\long sleep 2s.exe Base: 77C01000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	526079364
Memory attributes changed	PID: 1764 Path: C:\long sleep 2s.exe Base: 77C01000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	526079965
Process information queried	Path: C:\long sleep 2s.exe PID: 1764 Info Class: DefaultHardErrorMode	success or wait	526080671
File opened	Path: C:\WINDOWS\system32\cmd.exe Access: read data or list directory and execute or traverse and read attributes and synchronize Options: synchronous io non alert and non directory file Overwritten: false	success or wait	526083358
Section loaded	Path: C:\WINDOWS\system32\cmd.exe Access: write and read and execute Type: commit Baseaddress: AA0000 Size: 389120 Protection: execute Mapped to pid: own pid	success or wait	526084572
File opened	Path: C:\WINDOWS\system32\cmd.exe Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file Attributes: none Content Overwritten: null	success or wait	526095208
Section loaded	Path: C:\WINDOWS\system32\cmd.exe Access: query and read Type: commit Baseaddress: AA0000 Size: 389120 Protection: readonly Mapped to pid: own pid	success or wait	526096421
Process information queried	Path: C:\long sleep 2s.exe PID: 1764 Info Class: DefaultHardErrorMode	success or wait	526100451
Process information queried	Path: C:\long sleep 2s.exe PID: 1764 Info Class: DefaultHardErrorMode	success or wait	526107609
File opened	Path: C:\WINDOWS\system32\cmd.exe Access: read data or list directory and execute or traverse and read attributes and synchronize Options: synchronous io non alert and non directory file Overwritten: false	success or wait	526109024
Section loaded	Path: C:\WINDOWS\system32\cmd.exe Access: write and read and execute Type: commit Baseaddress: AA0000 Size: 389120 Protection: execute Mapped to pid: own pid	success or wait	526118438
File opened	Path: C:\WINDOWS\system32\cmd.exe Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file Attributes: none Content Overwritten: null	success or wait	526121746
Section loaded	Path: C:\WINDOWS\system32\cmd.exe Access: query and read Type: commit Baseaddress: AA0000 Size: 389120 Protection: readonly Mapped to pid: own pid	success or wait	526122970
Process information queried	Path: C:\long sleep 2s.exe PID: 1764 Info Class: DefaultHardErrorMode	success or wait	526125020
Memory allocated	PID: 1764 Path: C:\long sleep 2s.exe Base: 146000 Length: 12E69C Allocation Type: unknown Protection: page read and write	success or wait	526129712
Process information queried	Path: C:\long sleep 2s.exe PID: 1764 Info Class: DefaultHardErrorMode	success or wait	526130181
File opened	Path: C:\ Access: execute or traverse and synchronize Options: directory file and synchronous io non alert Overwritten: false	success or wait	526132314
Directory Information Queried	Path: C:\Disposition: BothDirectoryInformation Filemask: WINDOWS	success or wait	526133937
File opened	Path: C:\WINDOWS\ Access: read data or list directory and synchronize Options: directory file and synchronous io non alert and open for backup ident Overwritten: false	success or wait	526135301
Directory Information Queried	Path: C:\WINDOWSDisposition: BothDirectoryInformation Filemask: system32	success or wait	526136310
File opened	Path: C:\WINDOWS\system32\ Access: read data or list directory and synchronize Options: directory file and synchronous io non alert and open for backup ident Overwritten: false	success or wait	526137829
Directory Information Queried	Path: C:\WINDOWS\system32Disposition: BothDirectoryInformation Filemask: cmd.exe	success or wait	526138886
Process information queried	Path: C:\long sleep 2s.exe PID: 1764 Info Class: DefaultHardErrorMode	success or wait	526141156
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers Name: TransparentEnabled	success or wait	526146376
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers Name: AuthenticodeEnabled	success or wait	526146865
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers Name: Levels	object name not found	526148410
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{dda3f824-d8cb-441b-834d-be2efd2c1a33} Name: ItemData	success or wait	526150506
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{dda3f824-d8cb-441b-834d-be2efd2c1a33} Name: SaferFlags	success or wait	526151487
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328} Name: ItemData	success or wait	526154125
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328} Name: HashAlg	success or wait	526154902
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328} Name: ItemSize	success or wait	526155760
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328} Name: SaferFlags	success or wait	526158788
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91} Name: ItemData	success or wait	526160126
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91} Name: HashAlg	success or wait	526161304
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91} Name: ItemSize	success or wait	526162067
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91} Name: SaferFlags	success or wait	526162831
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f} Name: ItemData	success or wait	526180857
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f} Name: HashAlg	success or wait	526182313
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f} Name: ItemSize	success or wait	526183083
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f} Name: SaferFlags	success or wait	526185361
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d} Name: ItemData	success or wait	526187983
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d} Name: HashAlg	success or wait	526189149
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d} Name: ItemSize	success or wait	526189985
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d} Name: SaferFlags	success or wait	526190831
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc} Name: ItemData	success or wait	526192181
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc} Name: HashAlg	success or wait	526192954
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc} Name: ItemSize	success or wait	526194971
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc} Name: SaferFlags	success or wait	526196357
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers Name: DefaultLevel	success or wait	526211802
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers Name: PolicyScope	success or wait	526215881
Process information queried	Path: C:\long sleep 2s.exe PID: 1764 Info Class: DefaultHardErrorMode	success or wait	526219346
File opened	Path: C:\ Access: execute or traverse and synchronize Options: directory file and synchronous io non alert Overwritten: false	success or wait	526220646
Directory Information Queried	Path: C:\Disposition: BothDirectoryInformation Filemask: WINDOWS	success or wait	526221619
File opened	Path: C:\WINDOWS\ Access: read data or list directory and synchronize Options: directory file and synchronous io non alert and open for backup ident Overwritten: false	success or wait	526223342
Directory Information Queried	Path: C:\WINDOWSDisposition: BothDirectoryInformation Filemask: system32	success or wait	526224358
File opened	Path: C:\WINDOWS\system32\ Access: read data or list directory and synchronize Options: directory file and synchronous io non alert and open for backup ident Overwritten: false	success or wait	526225521
Directory Information Queried	Path: C:\WINDOWS\system32Disposition: BothDirectoryInformation Filemask: cmd.exe	success or wait	526226570
Process information queried	Path: C:\long sleep 2s.exe PID: 1764 Info Class: DefaultHardErrorMode	success or wait	526230125
Section loaded	Path: C:\WINDOWS\system32\cmd.exe Access: query and read Type: commit Baseaddress: 970000 Size: 389120 Protection: readonly Mapped to pid: own pid	success or wait	526230595
Key value queried	Path: HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders Name: Cache	buffer overflow	526235492
Key value queried	Path: HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders Name: Cache	success or wait	526236110
Memory allocated	PID: 1764 Path: C:\long sleep 2s.exe Base: 970000 Length: 12EDD8 Allocation Type: unknown Protection: page read and write	success or wait	526237147
Memory allocated	PID: 1764 Path: C:\long sleep 2s.exe Base: 970000 Length: 12EDD4 Allocation Type: unknown Protection: page read and write	success or wait	526237519
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers Name: LogFileName	object name not found	526240070
System info queried	Type: WatchdogTimerHandler	success or wait	526244914
Process created	PID: 1492 Path: C:\WINDOWS\system32\cmd.exe Cmdline: cmd /c md C:\WINDOWS\system32\LogFiles Createflags: none	success or wait	526245228
Process information queried	Path: C:\WINDOWS\system32\cmd.exe PID: 1492 Info Class: BasicInformation	success or wait	526262040
Memory read	PID: 1492 Path: C:\WINDOWS\system32\cmd.exe Base: 7FFDC008 Length: 4 Value: 00 00 D0 4A	success or wait	526262409
File opened	Path: C:\WINDOWS\system32\cmd.exe.Manifest Access: read data or list directory and read ea and execute or traverse and read attributes and read control and synchronize Options: synchronous io non alert and non directory file Overwritten: false	object name not found	526263851
Memory allocated	PID: 1764 Path: C:\long sleep 2s.exe Base: 147000 Length: 12ECF8 Allocation Type: unknown Protection: page read and write	success or wait	526264889
Memory read	PID: 1492 Path: C:\WINDOWS\system32\cmd.exe Base: 4AD00000 Length: 4096 Value: 4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00 B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 D8 00 00 00 0E 1F BA 0E 00 B4 09 CD 21 B8 01 4C CD 21 54 68 69 73 20 70 72 6F 67 72 61 6D 20 63 61 6E 6E 6F 74 20 62 65 20 72 75 6E 20 69 6E 20 44 4F 53 20 6D 6F 64 65 2E 0D 0D 0A 24 00 00 00 00 00 00 00 1D ED D5 EA 59 8C BB B9 59 8C BB B9 59 8C BB B9 9A 83 B4 B9 5F 8C BB B9 59 8C BA B9 80 8C BB B9 9A 83 E6 B9 5E 8C BB B9 E6 83 DB B9 5B 8C BB B9 9A 83 E5 B9 58 8C BB B9 9A 83 E4 B9 6D 8C BB B9 9A 83 E1 B9 58 8C BB B9 52 69 63 68 59 8C BB B9 00 00 00 00 00 00 00 00 50 45 00 00 4C 01 03 00 AF 5B 02 48 00 00 00 00 00 00 00 00 E0 00 0F 01 0B 01 07 0A 00 F8 01 00 00 F6 03 00 00 00 00	success or wait	526265340
Memory read	PID: 1492 Path: C:\WINDOWS\system32\cmd.exe Base: 4AD3E000 Length: 256 Value: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 03 00 00 00 30 00 00 80 0B 00 00 00 80 00 00 80 0E 00 00 00 98 00 00 80 10 00 00 00 B0 00 00 80 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 00 01 00 00 00 C8 00 00 80 02 00 00 00 E0 00 00 80 03 00 00 00 F8 00 00 80 04 00 00 00 10 01 00 80 05 00 00 00 28 01 00 80 06 00 00 00 40 01 00 80 07 00 00 00 58 01 00 80 08 00 00 00 70 01 00 80 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 01 00 00 00 88 01 00 80 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 80 02 00 80 A0 01 00 80 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 01 00 00 00 B8 01 00 80 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 09 04 00 00 D0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 09 04 00 00 E0 01 00 00 00 00 00 00 00 00 00	success or wait	526271113
Process information queried	Path: C:\WINDOWS\system32\cmd.exe PID: 1492 Info Class: BasicInformation	success or wait	526276160
Memory allocated	PID: 1764 Path: C:\long sleep 2s.exe Base: 980000 Length: 12ED48 Allocation Type: unknown Protection: page read and write	success or wait	526279150
Memory allocated	PID: 1492 Path: C:\WINDOWS\system32\cmd.exe Base: 10000 Length: 12EE50 Allocation Type: unknown Protection: page read and write	success or wait	526280197
Memory written	PID: 1492 Path: C:\WINDOWS\system32\cmd.exe Base: 10000 Length: 1972 Value: 3D 00 3A 00 3A 00 3D 00 3A 00 3A 00 5C 00 00 00 3D 00 5A 00 3A 00 3D 00 5A 00 3A 00 5C 00 00 00 41 00 4C 00 4C 00 55 00 53 00 45 00 52 00 53 00 50 00 52 00 4F 00 46 00 49 00 4C 00 45 00 3D 00 43 00 3A 00 5C 00 44 00 6F 00 63 00 75 00 6D 00 65 00 6E 00 74 00 73 00 20 00 61 00 6E 00 64 00 20 00 53 00 65 00 74 00 74 00 69 00 6E 00 67 00 73 00 5C 00 41 00 6C 00 6C 00 20 00 55 00 73 00 65 00 72 00 73 00 00 00 41 00 50 00 50 00 44 00 41 00 54 00 41 00 3D 00 43 00 3A 00 5C 00 44 00 6F 00 63 00 75 00 6D 00 65 00 6E 00 74 00 73 00 20 00 61 00 6E 00 64 00 20 00 53 00 65 00 74 00 74 00 69 00 6E 00 67 00 73 00 5C 00 41 00 64 00 6D 00 69 00 6E 00 69 00 73 00 74 00 72 00 61 00 74 00 6F 00 72 00 5C 00 41 00 70 00 70 00 6C 00 69 00 63 00 61 00 74 00 69 00 6F 00 6E 00 20	success or wait	526283230
Memory allocated	PID: 1492 Path: C:\WINDOWS\system32\cmd.exe Base: 20000 Length: 12EE50 Allocation Type: unknown Protection: page read and write	success or wait	526283770
Memory written	PID: 1492 Path: C:\WINDOWS\system32\cmd.exe Base: 20000 Length: 1664 Value: 00 10 00 00 80 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 06 00 08 02 90 02 00 00 00 00 00 00 FC 00 FE 00 98 04 00 00 36 00 38 00 98 05 00 00 50 00 52 00 D0 05 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 36 00 38 00 24 06 00 00 1E 00 20 00 5C 06 00 00 00 00 02 00 7C 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00	success or wait	526286321
Memory written	PID: 1492 Path: C:\WINDOWS\system32\cmd.exe Base: 7FFDC010 Length: 4 Value: 00 00 02 00	success or wait	526286767
Memory allocated	PID: 1492 Path: C:\WINDOWS\system32\cmd.exe Base: 30000 Length: 12EE50 Allocation Type: unknown Protection: page read and write	success or wait	526287213
Memory written	PID: 1492 Path: C:\WINDOWS\system32\cmd.exe Base: 30000 Length: 388 Value: 53 00 68 00 69 00 6D 00 45 00 6E 00 67 00 2E 00 64 00 6C 00 6C 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 84 01 00 00 AB ED 0D AC AA 3F 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00	success or wait	526290138
Memory written	PID: 1492 Path: C:\WINDOWS\system32\cmd.exe Base: 7FFDC1E8 Length: 4 Value: 00 00 03 00	success or wait	526290591
Memory read	PID: 1492 Path: C:\WINDOWS\system32\cmd.exe Base: 7FFDC010 Length: 4 Value: 00 00 02 00	success or wait	526290976
Memory allocated	PID: 1492 Path: C:\WINDOWS\system32\cmd.exe Base: 40000 Length: 12F0BC Allocation Type: unknown Protection: page read and write	success or wait	526293788
Memory allocated	PID: 1492 Path: C:\WINDOWS\system32\cmd.exe Base: 40000 Length: 12F0B8 Allocation Type: unknown Protection: page read and write	success or wait	526294175
Thread created	PID: 1492 TID: 1120 EIP: 7C810705 EAX: 4AD05046 Imagepath: C:\WINDOWS\system32\cmd.exe	success or wait	526295336
Thread resumed	TID: 1120 PID: 1492 Path: C:\WINDOWS\system32\cmd.exe	success or wait	526611207
Process information queried	Path: C:\WINDOWS\system32\cmd.exe PID: 1492 Info Class: BasicInformation	success or wait	526617386
File opened	Path: C:\WINDOWS\explorer.exe Access: read data or list directory and execute or traverse and read attributes and synchronize Options: synchronous io non alert and non directory file Overwritten: false	success or wait	526627559
Section loaded	Path: C:\WINDOWS\explorer.exe Access: query and write and read and execute and extend size Type: image Baseaddress: 970000 Size: 389120 Protection: readonly Mapped to pid: own pid	success or wait	526628881
File opened	Path: C:\WINDOWS\AppPatch\sysmain.sdb Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file Attributes: normal Content Overwritten: null	success or wait	526634496
Section loaded	Path: C:\WINDOWS\AppPatch\sysmain.sdb Access: read Type: commit Baseaddress: 980000 Size: 1208320 Protection: readonly Mapped to pid: own pid	success or wait	526635673
File opened	Path: C:\WINDOWS\AppPatch\systest.sdb Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file Attributes: normal Content Overwritten: null	object name not found	526640875
Key value queried	Path: HKEY_LOCAL_MACHINE\SYSTEM\WPA\MediaCenter Name: Installed	success or wait	526641902
File opened	Path: \Device\NamedPipe\ShimViewer Access: write data or add file and append data or add subdirectory or create pipe instance and write ea and write attributes and read control and synchronize Options: no options Attributes: normal Content Overwritten: null	object name not found	526646779
File opened	Path: C:\WINDOWS\ Access: read data or list directory and synchronize Options: directory file and synchronous io non alert and open for backup ident Overwritten: false	success or wait	526647547
Directory Information Queried	Path: C:\WINDOWSDisposition: BothDirectoryInformation Filemask: explorer.exe	success or wait	526651621
Process information queried	Path: C:\long sleep 2s.exe PID: 1764 Info Class: DefaultHardErrorMode	success or wait	526654136
File opened	Path: C:\ Access: execute or traverse and synchronize Options: directory file and synchronous io non alert Overwritten: false	success or wait	526656388
Directory Information Queried	Path: C:\Disposition: BothDirectoryInformation Filemask: WINDOWS	success or wait	526657380
File opened	Path: C:\WINDOWS\ Access: read data or list directory and synchronize Options: directory file and synchronous io non alert and open for backup ident Overwritten: false	success or wait	526662765
Directory Information Queried	Path: C:\WINDOWSDisposition: BothDirectoryInformation Filemask: explorer.exe	success or wait	526663806
Process information queried	Path: C:\long sleep 2s.exe PID: 1764 Info Class: DefaultHardErrorMode	success or wait	526668214
Process information queried	Path: C:\long sleep 2s.exe PID: 1764 Info Class: DeviceMap	success or wait	526668608
Process information queried	Path: C:\long sleep 2s.exe PID: 1764 Info Class: DefaultHardErrorMode	success or wait	526763261
File opened	Path: C:\WINDOWS\explorer.exe Access: read data or list directory and execute or traverse and read attributes and synchronize Options: synchronous io non alert and non directory file Overwritten: false	success or wait	526766476
Section loaded	Path: C:\WINDOWS\explorer.exe Access: write and read and execute Type: commit Baseaddress: AB0000 Size: 1036288 Protection: execute Mapped to pid: own pid	success or wait	526767711
File opened	Path: C:\WINDOWS\explorer.exe Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file Attributes: none Content Overwritten: null	success or wait	526873733
Section loaded	Path: C:\WINDOWS\explorer.exe Access: query and read Type: commit Baseaddress: AB0000 Size: 1036288 Protection: readonly Mapped to pid: own pid	success or wait	526874950
Process information queried	Path: C:\long sleep 2s.exe PID: 1764 Info Class: DefaultHardErrorMode	success or wait	526877036
Process information queried	Path: C:\long sleep 2s.exe PID: 1764 Info Class: DefaultHardErrorMode	success or wait	526904440
File opened	Path: C:\WINDOWS\explorer.exe Access: read data or list directory and execute or traverse and read attributes and synchronize Options: synchronous io non alert and non directory file Overwritten: false	success or wait	526905190
Section loaded	Path: C:\WINDOWS\explorer.exe Access: write and read and execute Type: commit Baseaddress: AB0000 Size: 1036288 Protection: execute Mapped to pid: own pid	success or wait	526906391
File opened	Path: C:\WINDOWS\explorer.exe Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file Attributes: none Content Overwritten: null	success or wait	526930023
Section loaded	Path: C:\WINDOWS\explorer.exe Access: query and read Type: commit Baseaddress: AB0000 Size: 1036288 Protection: readonly Mapped to pid: own pid	success or wait	526931226
Process information queried	Path: C:\long sleep 2s.exe PID: 1764 Info Class: DefaultHardErrorMode	success or wait	526938093
Process information queried	Path: C:\long sleep 2s.exe PID: 1764 Info Class: DefaultHardErrorMode	success or wait	526952743
File opened	Path: C:\ Access: execute or traverse and synchronize Options: directory file and synchronous io non alert Overwritten: false	success or wait	526953366
Directory Information Queried	Path: C:\Disposition: BothDirectoryInformation Filemask: WINDOWS	success or wait	526961381
File opened	Path: C:\WINDOWS\ Access: read data or list directory and synchronize Options: directory file and synchronous io non alert and open for backup ident Overwritten: false	success or wait	526966676
Directory Information Queried	Path: C:\WINDOWSDisposition: BothDirectoryInformation Filemask: explorer.exe	success or wait	526967794
Process information queried	Path: C:\long sleep 2s.exe PID: 1764 Info Class: DefaultHardErrorMode	success or wait	526968814
Process information queried	Path: C:\long sleep 2s.exe PID: 1764 Info Class: DefaultHardErrorMode	success or wait	526987154
File opened	Path: C:\ Access: execute or traverse and synchronize Options: directory file and synchronous io non alert Overwritten: false	success or wait	526987775
Directory Information Queried	Path: C:\Disposition: BothDirectoryInformation Filemask: WINDOWS	success or wait	526988799
File opened	Path: C:\WINDOWS\ Access: read data or list directory and synchronize Options: directory file and synchronous io non alert and open for backup ident Overwritten: false	success or wait	527008749
Directory Information Queried	Path: C:\WINDOWSDisposition: BothDirectoryInformation Filemask: explorer.exe	success or wait	527009802
Process information queried	Path: C:\long sleep 2s.exe PID: 1764 Info Class: DefaultHardErrorMode	success or wait	527010828
Section loaded	Path: C:\WINDOWS\explorer.exe Access: query and read Type: commit Baseaddress: 980000 Size: 1036288 Protection: readonly Mapped to pid: own pid	success or wait	527011304
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers Name: LogFileName	object name not found	527018339
System info queried	Type: WatchdogTimerHandler	success or wait	527026283
Process created	PID: 1696 Path: C:\WINDOWS\explorer.exe Cmdline: explorer C:\ Createflags: none	success or wait	527026603
Process information queried	Path: C:\WINDOWS\explorer.exe PID: 1696 Info Class: BasicInformation	success or wait	527028001
Memory read	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 7FFDE008 Length: 4 Value: 00 00 00 01	success or wait	527028375
File opened	Path: C:\WINDOWS\explorer.exe.Manifest Access: read data or list directory and read ea and execute or traverse and read attributes and read control and synchronize Options: synchronous io non alert and non directory file Overwritten: false	object name not found	527039169
Memory read	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 1000000 Length: 4096 Value: 4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00 B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 D8 00 00 00 0E 1F BA 0E 00 B4 09 CD 21 B8 01 4C CD 21 54 68 69 73 20 70 72 6F 67 72 61 6D 20 63 61 6E 6E 6F 74 20 62 65 20 72 75 6E 20 69 6E 20 44 4F 53 20 6D 6F 64 65 2E 0D 0D 0A 24 00 00 00 00 00 00 00 97 A6 B0 91 D3 C7 DE C2 D3 C7 DE C2 D3 C7 DE C2 10 C8 D1 C2 D7 C7 DE C2 D3 C7 DF C2 48 C5 DE C2 10 C8 83 C2 C8 C7 DE C2 10 C8 80 C2 D2 C7 DE C2 10 C8 BE C2 FA C7 DE C2 10 C8 81 C2 CE C7 DE C2 10 C8 84 C2 D2 C7 DE C2 52 69 63 68 D3 C7 DE C2 00 00 00 00 00 00 00 00 50 45 00 00 4C 01 04 00 30 5C 02 48 00 00 00 00 00 00 00 00 E0 00 0E 01 0B 01 07 0A 00 4E 04 00 00 7A 0B 00 00 00 00	success or wait	527040120
Memory read	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 1048000 Length: 256 Value: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0A 00 02 00 00 00 60 00 00 80 03 00 00 00 70 01 00 80 04 00 00 00 08 05 00 80 05 00 00 00 40 05 00 80 06 00 00 00 88 05 00 80 09 00 00 00 48 06 00 80 0E 00 00 00 60 06 00 80 10 00 00 00 00 07 00 80 18 00 00 00 18 07 00 80 F0 00 00 00 30 07 00 80 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 8F 00 00 00 48 07 00 80 91 00 00 00 60 07 00 80 92 00 00 00 78 07 00 80 93 00 00 00 90 07 00 80 94 00 00 00 A8 07 00 80 95 00 00 00 C0 07 00 80 96 00 00 00 D8 07 00 80 97 00 00 00 F0 07 00 80 98 00 00 00 08 08 00 80 99 00 00 00 20 08 00 80 9E 00 00 00 38 08 00 80 A2 00 00 00 50 08 00 80 A3 00 00 00 68 08 00 80 A4 00 00 00 80 08 00 80 A5 00 00 00 98 08 00 80 A6 00 00 00 B0 08 00 80 A7 00 00 00 C8 08 00 80 AA 00 00 00 E0 08 00	success or wait	527046365
Memory read	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 1048718 Length: 24 Value: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 7B 00 00 00 F0 19 00 80	success or wait	527047529
Process information queried	Path: C:\WINDOWS\explorer.exe PID: 1696 Info Class: BasicInformation	success or wait	527047925
Memory allocated	PID: 1764 Path: C:\long sleep 2s.exe Base: 980000 Length: 12ED18 Allocation Type: unknown Protection: page read and write	success or wait	527048319
Memory allocated	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 10000 Length: 12EE20 Allocation Type: unknown Protection: page read and write	success or wait	527055452
Memory written	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 10000 Length: 1972 Value: 3D 00 3A 00 3A 00 3D 00 3A 00 3A 00 5C 00 00 00 3D 00 5A 00 3A 00 3D 00 5A 00 3A 00 5C 00 00 00 41 00 4C 00 4C 00 55 00 53 00 45 00 52 00 53 00 50 00 52 00 4F 00 46 00 49 00 4C 00 45 00 3D 00 43 00 3A 00 5C 00 44 00 6F 00 63 00 75 00 6D 00 65 00 6E 00 74 00 73 00 20 00 61 00 6E 00 64 00 20 00 53 00 65 00 74 00 74 00 69 00 6E 00 67 00 73 00 5C 00 41 00 6C 00 6C 00 20 00 55 00 73 00 65 00 72 00 73 00 00 00 41 00 50 00 50 00 44 00 41 00 54 00 41 00 3D 00 43 00 3A 00 5C 00 44 00 6F 00 63 00 75 00 6D 00 65 00 6E 00 74 00 73 00 20 00 61 00 6E 00 64 00 20 00 53 00 65 00 74 00 74 00 69 00 6E 00 67 00 73 00 5C 00 41 00 64 00 6D 00 69 00 6E 00 69 00 73 00 74 00 72 00 61 00 74 00 6F 00 72 00 5C 00 41 00 70 00 70 00 6C 00 69 00 63 00 61 00 74 00 69 00 6F 00 6E 00 20	success or wait	527058456
Memory allocated	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 20000 Length: 12EE20 Allocation Type: unknown Protection: page read and write	success or wait	527058917
Memory written	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 20000 Length: 1572 Value: 00 10 00 00 24 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 06 00 08 02 90 02 00 00 00 00 00 00 EA 00 EC 00 98 04 00 00 2E 00 30 00 84 05 00 00 18 00 1A 00 B4 05 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 05 00 00 00 2E 00 30 00 D0 05 00 00 1E 00 20 00 00 06 00 00 00 00 02 00 20 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00	success or wait	527060692
Memory written	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 7FFDE010 Length: 4 Value: 00 00 02 00	success or wait	527066249
Memory allocated	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 30000 Length: 12EE20 Allocation Type: unknown Protection: page read and write	success or wait	527072395
Memory written	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 30000 Length: 388 Value: 53 00 68 00 69 00 6D 00 45 00 6E 00 67 00 2E 00 64 00 6C 00 6C 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 84 01 00 00 AB ED 0D AC 6A D0 02 00 B2 D1 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00	success or wait	527073333
Memory written	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 7FFDE1E8 Length: 4 Value: 00 00 03 00	success or wait	527073940
Memory allocated	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 40000 Length: 12F08C Allocation Type: unknown Protection: page read and write	success or wait	527074346
Memory allocated	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 71000 Length: 12F088 Allocation Type: unknown Protection: page read and write	success or wait	527074726
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 71000 Length: 1000 New Protection: page read and write and page guard Old Protection: page read and write	success or wait	527076902
Thread created	PID: 1696 TID: 1976 EIP: 7C810705 EAX: 101A55F Imagepath: C:\WINDOWS\explorer.exe	success or wait	527082272
Thread resumed	TID: 1976 PID: 1696 Path: C:\WINDOWS\explorer.exe	success or wait	527488057
Process information queried	Path: C:\WINDOWS\explorer.exe PID: 1696 Info Class: BasicInformation	success or wait	527489244
File opened	Path: C:\WINDOWS\system32\LogFiles\smss.exe Access: write attributes and synchronize Options: synchronous io non alert and open for backup ident and open reparse point Overwritten: false	object name not found	530688647
File opened	Path: C:\long sleep 2s.exe Access: read attributes and synchronize and generic read Options: sequential only and synchronous io non alert and non directory file and open reparse point Attributes: none Content Overwritten: null	success or wait	530689848
File created	Path: C:\WINDOWS\system32\LogFiles\smss.exe Access: read attributes and delete and synchronize and generic write Options: sequential only and synchronous io non alert and non directory file Attributes: archive Content Overwritten: null	success or wait	530693545
File other op	Path: C:\WINDOWS\system32\LogFiles\smss.exe New path: Disposition: EndOfFileInformation Data : unknown	success or wait	530694823
Section loaded	Path: C:\long sleep 2s.exe Access: query and write and read and execute and extend size Type: commit Baseaddress: 980000 Size: 69632 Protection: readonly Mapped to pid: own pid	success or wait	530697003
File write	Path: C:\WINDOWS\system32\LogFiles\smss.exe Offset: unknown Length: 65536 Value: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 ff cb 68 70 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 b6 ac 59 9a f2 cd 37 c9 f2 cd 37 c9 f2 cd 37 c9 89 d1 3b c9 f6 cd 37 c9 71 d1 39 c9 e2 cd 37 c9 1a d2 3d c9 c7 cd 37 c9 f2 cd 37 c9 f1 cd 37 c9 90 d2 24 c9 fb cd 37 c9 f2 cd 36 c9 87 cd 37 c9 1a d2 3c c9 f1 cd 37 c9 4a cb 31 c9 f3 cd 37 c9 52 69 63 68 f2 cd 37 c9 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 04 00 66 63 23 4b 00 00 00	success or wait	530768013
File write	Path: C:\WINDOWS\system32\LogFiles\smss.exe Offset: unknown Length: 65536 Value: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 ff cb 68 70 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 b6 ac 59 9a f2 cd 37 c9 f2 cd 37 c9 f2 cd 37 c9 89 d1 3b c9 f6 cd 37 c9 71 d1 39 c9 e2 cd 37 c9 1a d2 3d c9 c7 cd 37 c9 f2 cd 37 c9 f1 cd 37 c9 90 d2 24 c9 fb cd 37 c9 f2 cd 36 c9 87 cd 37 c9 1a d2 3c c9 f1 cd 37 c9 4a cb 31 c9 f3 cd 37 c9 52 69 63 68 f2 cd 37 c9 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 04 00 66 63 23 4b 00 00 00	success or wait	531087680
File other op	Path: C:\WINDOWS\system32\LogFiles\smss.exe New path: Disposition: BasicInformation Data : Creation Time: 01:00 01-01-1601 Last Access Time: 01:00 01-01-1601 Last Write Time: 13:09 29-10-2012 Change Time: 09:39 24-01-2012 File Attributes: none	success or wait	531088801
File opened	Path: C:\long sleep 2s.exe Access: read attributes and synchronize and generic read Options: sequential only and synchronous io non alert and non directory file and open reparse point Attributes: none Content Overwritten: null	success or wait	531089668
File created	Path: C:\WINDOWS\system32\LogFiles\smss.exe Access: read attributes and delete and synchronize and generic write Options: sequential only and synchronous io non alert and non directory file Attributes: archive Content Overwritten: null	success or wait	531098322
File other op	Path: C:\WINDOWS\system32\LogFiles\smss.exe New path: Disposition: EndOfFileInformation Data : unknown	success or wait	531100588
Section loaded	Path: C:\long sleep 2s.exe Access: query and write and read and execute and extend size Type: commit Baseaddress: 980000 Size: 69632 Protection: readonly Mapped to pid: own pid	success or wait	531101499
File write	Path: C:\WINDOWS\system32\LogFiles\smss.exe Offset: unknown Length: 65536 Value: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 ff cb 68 70 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 b6 ac 59 9a f2 cd 37 c9 f2 cd 37 c9 f2 cd 37 c9 89 d1 3b c9 f6 cd 37 c9 71 d1 39 c9 e2 cd 37 c9 1a d2 3d c9 c7 cd 37 c9 f2 cd 37 c9 f1 cd 37 c9 90 d2 24 c9 fb cd 37 c9 f2 cd 36 c9 87 cd 37 c9 1a d2 3c c9 f1 cd 37 c9 4a cb 31 c9 f3 cd 37 c9 52 69 63 68 f2 cd 37 c9 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 04 00 66 63 23 4b 00 00 00	success or wait	531134087
File write	Path: C:\WINDOWS\system32\LogFiles\smss.exe Offset: unknown Length: 65536 Value: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 ff cb 68 70 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 b6 ac 59 9a f2 cd 37 c9 f2 cd 37 c9 f2 cd 37 c9 89 d1 3b c9 f6 cd 37 c9 71 d1 39 c9 e2 cd 37 c9 1a d2 3d c9 c7 cd 37 c9 f2 cd 37 c9 f1 cd 37 c9 90 d2 24 c9 fb cd 37 c9 f2 cd 36 c9 87 cd 37 c9 1a d2 3c c9 f1 cd 37 c9 4a cb 31 c9 f3 cd 37 c9 52 69 63 68 f2 cd 37 c9 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 04 00 66 63 23 4b 00 00 00	success or wait	531145683
File other op	Path: C:\WINDOWS\system32\LogFiles\smss.exe New path: Disposition: BasicInformation Data : Creation Time: 01:00 01-01-1601 Last Access Time: 01:00 01-01-1601 Last Write Time: 13:09 29-10-2012 Change Time: 09:39 24-01-2012 File Attributes: none	success or wait	531145955
File opened	Path: C:\long sleep 2s.exe Access: read attributes and synchronize and generic read Options: sequential only and synchronous io non alert and non directory file and open reparse point Attributes: none Content Overwritten: null	success or wait	531147099
File created	Path: C:\WINDOWS\system32\LogFiles\smss.exe Access: read attributes and delete and synchronize and generic write Options: sequential only and synchronous io non alert and non directory file Attributes: archive Content Overwritten: null	success or wait	531147891
File other op	Path: C:\WINDOWS\system32\LogFiles\smss.exe New path: Disposition: EndOfFileInformation Data : unknown	success or wait	531149654
Section loaded	Path: C:\long sleep 2s.exe Access: query and write and read and execute and extend size Type: commit Baseaddress: 980000 Size: 69632 Protection: readonly Mapped to pid: own pid	success or wait	531150497
File write	Path: C:\WINDOWS\system32\LogFiles\smss.exe Offset: unknown Length: 65536 Value: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 ff cb 68 70 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 b6 ac 59 9a f2 cd 37 c9 f2 cd 37 c9 f2 cd 37 c9 89 d1 3b c9 f6 cd 37 c9 71 d1 39 c9 e2 cd 37 c9 1a d2 3d c9 c7 cd 37 c9 f2 cd 37 c9 f1 cd 37 c9 90 d2 24 c9 fb cd 37 c9 f2 cd 36 c9 87 cd 37 c9 1a d2 3c c9 f1 cd 37 c9 4a cb 31 c9 f3 cd 37 c9 52 69 63 68 f2 cd 37 c9 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 04 00 66 63 23 4b 00 00 00	success or wait	531182788
File write	Path: C:\WINDOWS\system32\LogFiles\smss.exe Offset: unknown Length: 65536 Value: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 ff cb 68 70 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 b6 ac 59 9a f2 cd 37 c9 f2 cd 37 c9 f2 cd 37 c9 89 d1 3b c9 f6 cd 37 c9 71 d1 39 c9 e2 cd 37 c9 1a d2 3d c9 c7 cd 37 c9 f2 cd 37 c9 f1 cd 37 c9 90 d2 24 c9 fb cd 37 c9 f2 cd 36 c9 87 cd 37 c9 1a d2 3c c9 f1 cd 37 c9 4a cb 31 c9 f3 cd 37 c9 52 69 63 68 f2 cd 37 c9 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 04 00 66 63 23 4b 00 00 00	success or wait	531195030
File other op	Path: C:\WINDOWS\system32\LogFiles\smss.exe New path: Disposition: BasicInformation Data : Creation Time: 01:00 01-01-1601 Last Access Time: 01:00 01-01-1601 Last Write Time: 13:09 29-10-2012 Change Time: 09:39 24-01-2012 File Attributes: none	success or wait	531195272
File opened	Path: C:\long sleep 2s.exe Access: read attributes and synchronize and generic read Options: sequential only and synchronous io non alert and non directory file and open reparse point Attributes: none Content Overwritten: null	success or wait	531196435
File created	Path: C:\WINDOWS\system32\LogFiles\smss.exe Access: read attributes and delete and synchronize and generic write Options: sequential only and synchronous io non alert and non directory file Attributes: archive Content Overwritten: null	success or wait	531197320
File other op	Path: C:\WINDOWS\system32\LogFiles\smss.exe New path: Disposition: EndOfFileInformation Data : unknown	success or wait	531199457
Section loaded	Path: C:\long sleep 2s.exe Access: query and write and read and execute and extend size Type: commit Baseaddress: 980000 Size: 69632 Protection: readonly Mapped to pid: own pid	success or wait	531199976
File write	Path: C:\WINDOWS\system32\LogFiles\smss.exe Offset: unknown Length: 65536 Value: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 ff cb 68 70 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 b6 ac 59 9a f2 cd 37 c9 f2 cd 37 c9 f2 cd 37 c9 89 d1 3b c9 f6 cd 37 c9 71 d1 39 c9 e2 cd 37 c9 1a d2 3d c9 c7 cd 37 c9 f2 cd 37 c9 f1 cd 37 c9 90 d2 24 c9 fb cd 37 c9 f2 cd 36 c9 87 cd 37 c9 1a d2 3c c9 f1 cd 37 c9 4a cb 31 c9 f3 cd 37 c9 52 69 63 68 f2 cd 37 c9 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 04 00 66 63 23 4b 00 00 00	success or wait	531231075
File write	Path: C:\WINDOWS\system32\LogFiles\smss.exe Offset: unknown Length: 65536 Value: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 ff cb 68 70 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 b6 ac 59 9a f2 cd 37 c9 f2 cd 37 c9 f2 cd 37 c9 89 d1 3b c9 f6 cd 37 c9 71 d1 39 c9 e2 cd 37 c9 1a d2 3d c9 c7 cd 37 c9 f2 cd 37 c9 f1 cd 37 c9 90 d2 24 c9 fb cd 37 c9 f2 cd 36 c9 87 cd 37 c9 1a d2 3c c9 f1 cd 37 c9 4a cb 31 c9 f3 cd 37 c9 52 69 63 68 f2 cd 37 c9 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 04 00 66 63 23 4b 00 00 00	success or wait	531242091
File other op	Path: C:\WINDOWS\system32\LogFiles\smss.exe New path: Disposition: BasicInformation Data : Creation Time: 01:00 01-01-1601 Last Access Time: 01:00 01-01-1601 Last Write Time: 13:09 29-10-2012 Change Time: 09:39 24-01-2012 File Attributes: none	success or wait	531242370
File opened	Path: C:\long sleep 2s.exe Access: read attributes and synchronize and generic read Options: sequential only and synchronous io non alert and non directory file and open reparse point Attributes: none Content Overwritten: null	success or wait	531243659
File created	Path: C:\WINDOWS\system32\LogFiles\smss.exe Access: read attributes and delete and synchronize and generic write Options: sequential only and synchronous io non alert and non directory file Attributes: archive Content Overwritten: null	success or wait	531244427
File other op	Path: C:\WINDOWS\system32\LogFiles\smss.exe New path: Disposition: EndOfFileInformation Data : unknown	success or wait	531246478
Section loaded	Path: C:\long sleep 2s.exe Access: query and write and read and execute and extend size Type: commit Baseaddress: 980000 Size: 69632 Protection: readonly Mapped to pid: own pid	success or wait	531248348
File write	Path: C:\WINDOWS\system32\LogFiles\smss.exe Offset: unknown Length: 65536 Value: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 ff cb 68 70 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 b6 ac 59 9a f2 cd 37 c9 f2 cd 37 c9 f2 cd 37 c9 89 d1 3b c9 f6 cd 37 c9 71 d1 39 c9 e2 cd 37 c9 1a d2 3d c9 c7 cd 37 c9 f2 cd 37 c9 f1 cd 37 c9 90 d2 24 c9 fb cd 37 c9 f2 cd 36 c9 87 cd 37 c9 1a d2 3c c9 f1 cd 37 c9 4a cb 31 c9 f3 cd 37 c9 52 69 63 68 f2 cd 37 c9 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 04 00 66 63 23 4b 00 00 00	success or wait	531282600
File write	Path: C:\WINDOWS\system32\LogFiles\smss.exe Offset: unknown Length: 65536 Value: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 ff cb 68 70 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 b6 ac 59 9a f2 cd 37 c9 f2 cd 37 c9 f2 cd 37 c9 89 d1 3b c9 f6 cd 37 c9 71 d1 39 c9 e2 cd 37 c9 1a d2 3d c9 c7 cd 37 c9 f2 cd 37 c9 f1 cd 37 c9 90 d2 24 c9 fb cd 37 c9 f2 cd 36 c9 87 cd 37 c9 1a d2 3c c9 f1 cd 37 c9 4a cb 31 c9 f3 cd 37 c9 52 69 63 68 f2 cd 37 c9 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 04 00 66 63 23 4b 00 00 00	success or wait	531300694
File other op	Path: C:\WINDOWS\system32\LogFiles\smss.exe New path: Disposition: BasicInformation Data : Creation Time: 01:00 01-01-1601 Last Access Time: 01:00 01-01-1601 Last Write Time: 13:09 29-10-2012 Change Time: 09:39 24-01-2012 File Attributes: none	success or wait	531300962
File opened	Path: C:\long sleep 2s.exe Access: read attributes and synchronize and generic read Options: sequential only and synchronous io non alert and non directory file and open reparse point Attributes: none Content Overwritten: null	success or wait	531303527
File created	Path: C:\WINDOWS\system32\LogFiles\smss.exe Access: read attributes and delete and synchronize and generic write Options: sequential only and synchronous io non alert and non directory file Attributes: archive Content Overwritten: null	success or wait	531304016
File other op	Path: C:\WINDOWS\system32\LogFiles\smss.exe New path: Disposition: EndOfFileInformation Data : unknown	success or wait	531306107
Section loaded	Path: C:\long sleep 2s.exe Access: query and write and read and execute and extend size Type: commit Baseaddress: 980000 Size: 69632 Protection: readonly Mapped to pid: own pid	success or wait	531307391
File write	Path: C:\WINDOWS\system32\LogFiles\smss.exe Offset: unknown Length: 65536 Value: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 ff cb 68 70 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 b6 ac 59 9a f2 cd 37 c9 f2 cd 37 c9 f2 cd 37 c9 89 d1 3b c9 f6 cd 37 c9 71 d1 39 c9 e2 cd 37 c9 1a d2 3d c9 c7 cd 37 c9 f2 cd 37 c9 f1 cd 37 c9 90 d2 24 c9 fb cd 37 c9 f2 cd 36 c9 87 cd 37 c9 1a d2 3c c9 f1 cd 37 c9 4a cb 31 c9 f3 cd 37 c9 52 69 63 68 f2 cd 37 c9 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 04 00 66 63 23 4b 00 00 00	success or wait	531344450
File write	Path: C:\WINDOWS\system32\LogFiles\smss.exe Offset: unknown Length: 65536 Value: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 ff cb 68 70 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 b6 ac 59 9a f2 cd 37 c9 f2 cd 37 c9 f2 cd 37 c9 89 d1 3b c9 f6 cd 37 c9 71 d1 39 c9 e2 cd 37 c9 1a d2 3d c9 c7 cd 37 c9 f2 cd 37 c9 f1 cd 37 c9 90 d2 24 c9 fb cd 37 c9 f2 cd 36 c9 87 cd 37 c9 1a d2 3c c9 f1 cd 37 c9 4a cb 31 c9 f3 cd 37 c9 52 69 63 68 f2 cd 37 c9 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 04 00 66 63 23 4b 00 00 00	success or wait	531356248
File other op	Path: C:\WINDOWS\system32\LogFiles\smss.exe New path: Disposition: BasicInformation Data : Creation Time: 01:00 01-01-1601 Last Access Time: 01:00 01-01-1601 Last Write Time: 13:09 29-10-2012 Change Time: 09:39 24-01-2012 File Attributes: none	success or wait	531356499
File opened	Path: C:\long sleep 2s.exe Access: read attributes and synchronize and generic read Options: sequential only and synchronous io non alert and non directory file and open reparse point Attributes: none Content Overwritten: null	success or wait	531357896
File created	Path: C:\WINDOWS\system32\LogFiles\smss.exe Access: read attributes and delete and synchronize and generic write Options: sequential only and synchronous io non alert and non directory file Attributes: archive Content Overwritten: null	success or wait	531358690
File other op	Path: C:\WINDOWS\system32\LogFiles\smss.exe New path: Disposition: EndOfFileInformation Data : unknown	success or wait	531360435
Section loaded	Path: C:\long sleep 2s.exe Access: query and write and read and execute and extend size Type: commit Baseaddress: 980000 Size: 69632 Protection: readonly Mapped to pid: own pid	success or wait	531361279
File write	Path: C:\WINDOWS\system32\LogFiles\smss.exe Offset: unknown Length: 65536 Value: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 ff cb 68 70 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 b6 ac 59 9a f2 cd 37 c9 f2 cd 37 c9 f2 cd 37 c9 89 d1 3b c9 f6 cd 37 c9 71 d1 39 c9 e2 cd 37 c9 1a d2 3d c9 c7 cd 37 c9 f2 cd 37 c9 f1 cd 37 c9 90 d2 24 c9 fb cd 37 c9 f2 cd 36 c9 87 cd 37 c9 1a d2 3c c9 f1 cd 37 c9 4a cb 31 c9 f3 cd 37 c9 52 69 63 68 f2 cd 37 c9 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 04 00 66 63 23 4b 00 00 00	success or wait	531392621
File write	Path: C:\WINDOWS\system32\LogFiles\smss.exe Offset: unknown Length: 65536 Value: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 ff cb 68 70 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 b6 ac 59 9a f2 cd 37 c9 f2 cd 37 c9 f2 cd 37 c9 89 d1 3b c9 f6 cd 37 c9 71 d1 39 c9 e2 cd 37 c9 1a d2 3d c9 c7 cd 37 c9 f2 cd 37 c9 f1 cd 37 c9 90 d2 24 c9 fb cd 37 c9 f2 cd 36 c9 87 cd 37 c9 1a d2 3c c9 f1 cd 37 c9 4a cb 31 c9 f3 cd 37 c9 52 69 63 68 f2 cd 37 c9 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 04 00 66 63 23 4b 00 00 00	success or wait	531407201
File other op	Path: C:\WINDOWS\system32\LogFiles\smss.exe New path: Disposition: BasicInformation Data : Creation Time: 01:00 01-01-1601 Last Access Time: 01:00 01-01-1601 Last Write Time: 13:09 29-10-2012 Change Time: 09:39 24-01-2012 File Attributes: none	success or wait	531407461
File opened	Path: C:\long sleep 2s.exe Access: read attributes and synchronize and generic read Options: sequential only and synchronous io non alert and non directory file and open reparse point Attributes: none Content Overwritten: null	success or wait	531408728
File created	Path: C:\WINDOWS\system32\LogFiles\smss.exe Access: read attributes and delete and synchronize and generic write Options: sequential only and synchronous io non alert and non directory file Attributes: archive Content Overwritten: null	success or wait	531413725
File other op	Path: C:\WINDOWS\system32\LogFiles\smss.exe New path: Disposition: EndOfFileInformation Data : unknown	success or wait	531414905
Section loaded	Path: C:\long sleep 2s.exe Access: query and write and read and execute and extend size Type: commit Baseaddress: 980000 Size: 69632 Protection: readonly Mapped to pid: own pid	success or wait	531415887
File write	Path: C:\WINDOWS\system32\LogFiles\smss.exe Offset: unknown Length: 65536 Value: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 ff cb 68 70 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 b6 ac 59 9a f2 cd 37 c9 f2 cd 37 c9 f2 cd 37 c9 89 d1 3b c9 f6 cd 37 c9 71 d1 39 c9 e2 cd 37 c9 1a d2 3d c9 c7 cd 37 c9 f2 cd 37 c9 f1 cd 37 c9 90 d2 24 c9 fb cd 37 c9 f2 cd 36 c9 87 cd 37 c9 1a d2 3c c9 f1 cd 37 c9 4a cb 31 c9 f3 cd 37 c9 52 69 63 68 f2 cd 37 c9 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 04 00 66 63 23 4b 00 00 00	success or wait	531450790
File write	Path: C:\WINDOWS\system32\LogFiles\smss.exe Offset: unknown Length: 65536 Value: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 ff cb 68 70 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 b6 ac 59 9a f2 cd 37 c9 f2 cd 37 c9 f2 cd 37 c9 89 d1 3b c9 f6 cd 37 c9 71 d1 39 c9 e2 cd 37 c9 1a d2 3d c9 c7 cd 37 c9 f2 cd 37 c9 f1 cd 37 c9 90 d2 24 c9 fb cd 37 c9 f2 cd 36 c9 87 cd 37 c9 1a d2 3c c9 f1 cd 37 c9 4a cb 31 c9 f3 cd 37 c9 52 69 63 68 f2 cd 37 c9 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 04 00 66 63 23 4b 00 00 00	success or wait	531462338
File other op	Path: C:\WINDOWS\system32\LogFiles\smss.exe New path: Disposition: BasicInformation Data : Creation Time: 01:00 01-01-1601 Last Access Time: 01:00 01-01-1601 Last Write Time: 13:09 29-10-2012 Change Time: 09:39 24-01-2012 File Attributes: none	success or wait	531462589
File opened	Path: C:\long sleep 2s.exe Access: read attributes and synchronize and generic read Options: sequential only and synchronous io non alert and non directory file and open reparse point Attributes: none Content Overwritten: null	success or wait	531463745
File created	Path: C:\WINDOWS\system32\LogFiles\smss.exe Access: read attributes and delete and synchronize and generic write Options: sequential only and synchronous io non alert and non directory file Attributes: archive Content Overwritten: null	success or wait	531464539
File other op	Path: C:\WINDOWS\system32\LogFiles\smss.exe New path: Disposition: EndOfFileInformation Data : unknown	success or wait	531466295
Section loaded	Path: C:\long sleep 2s.exe Access: query and write and read and execute and extend size Type: commit Baseaddress: 980000 Size: 69632 Protection: readonly Mapped to pid: own pid	success or wait	531467104
File write	Path: C:\WINDOWS\system32\LogFiles\smss.exe Offset: unknown Length: 65536 Value: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 ff cb 68 70 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 b6 ac 59 9a f2 cd 37 c9 f2 cd 37 c9 f2 cd 37 c9 89 d1 3b c9 f6 cd 37 c9 71 d1 39 c9 e2 cd 37 c9 1a d2 3d c9 c7 cd 37 c9 f2 cd 37 c9 f1 cd 37 c9 90 d2 24 c9 fb cd 37 c9 f2 cd 36 c9 87 cd 37 c9 1a d2 3c c9 f1 cd 37 c9 4a cb 31 c9 f3 cd 37 c9 52 69 63 68 f2 cd 37 c9 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 04 00 66 63 23 4b 00 00 00	success or wait	531498138
File write	Path: C:\WINDOWS\system32\LogFiles\smss.exe Offset: unknown Length: 65536 Value: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 ff cb 68 70 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 b6 ac 59 9a f2 cd 37 c9 f2 cd 37 c9 f2 cd 37 c9 89 d1 3b c9 f6 cd 37 c9 71 d1 39 c9 e2 cd 37 c9 1a d2 3d c9 c7 cd 37 c9 f2 cd 37 c9 f1 cd 37 c9 90 d2 24 c9 fb cd 37 c9 f2 cd 36 c9 87 cd 37 c9 1a d2 3c c9 f1 cd 37 c9 4a cb 31 c9 f3 cd 37 c9 52 69 63 68 f2 cd 37 c9 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 04 00 66 63 23 4b 00 00 00	success or wait	531512109
File other op	Path: C:\WINDOWS\system32\LogFiles\smss.exe New path: Disposition: BasicInformation Data : Creation Time: 01:00 01-01-1601 Last Access Time: 01:00 01-01-1601 Last Write Time: 13:09 29-10-2012 Change Time: 09:39 24-01-2012 File Attributes: none	success or wait	531512387
File opened	Path: C:\long sleep 2s.exe Access: read attributes and synchronize and generic read Options: sequential only and synchronous io non alert and non directory file and open reparse point Attributes: none Content Overwritten: null	success or wait	531514287
File created	Path: C:\WINDOWS\system32\LogFiles\smss.exe Access: read attributes and delete and synchronize and generic write Options: sequential only and synchronous io non alert and non directory file Attributes: archive Content Overwritten: null	success or wait	531514785
File other op	Path: C:\WINDOWS\system32\LogFiles\smss.exe New path: Disposition: EndOfFileInformation Data : unknown	success or wait	531515947
Section loaded	Path: C:\long sleep 2s.exe Access: query and write and read and execute and extend size Type: commit Baseaddress: 980000 Size: 69632 Protection: readonly Mapped to pid: own pid	success or wait	531516959
File write	Path: C:\WINDOWS\system32\LogFiles\smss.exe Offset: unknown Length: 65536 Value: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 ff cb 68 70 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 b6 ac 59 9a f2 cd 37 c9 f2 cd 37 c9 f2 cd 37 c9 89 d1 3b c9 f6 cd 37 c9 71 d1 39 c9 e2 cd 37 c9 1a d2 3d c9 c7 cd 37 c9 f2 cd 37 c9 f1 cd 37 c9 90 d2 24 c9 fb cd 37 c9 f2 cd 36 c9 87 cd 37 c9 1a d2 3c c9 f1 cd 37 c9 4a cb 31 c9 f3 cd 37 c9 52 69 63 68 f2 cd 37 c9 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 04 00 66 63 23 4b 00 00 00	success or wait	531548172
File write	Path: C:\WINDOWS\system32\LogFiles\smss.exe Offset: unknown Length: 65536 Value: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 ff cb 68 70 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 b6 ac 59 9a f2 cd 37 c9 f2 cd 37 c9 f2 cd 37 c9 89 d1 3b c9 f6 cd 37 c9 71 d1 39 c9 e2 cd 37 c9 1a d2 3d c9 c7 cd 37 c9 f2 cd 37 c9 f1 cd 37 c9 90 d2 24 c9 fb cd 37 c9 f2 cd 36 c9 87 cd 37 c9 1a d2 3c c9 f1 cd 37 c9 4a cb 31 c9 f3 cd 37 c9 52 69 63 68 f2 cd 37 c9 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 04 00 66 63 23 4b 00 00 00	success or wait	531560873
File other op	Path: C:\WINDOWS\system32\LogFiles\smss.exe New path: Disposition: BasicInformation Data : Creation Time: 01:00 01-01-1601 Last Access Time: 01:00 01-01-1601 Last Write Time: 13:09 29-10-2012 Change Time: 09:39 24-01-2012 File Attributes: none	success or wait	531561152
File opened	Path: C:\WINDOWS\system32\LogFiles\smss.exe Access: write attributes and synchronize Options: synchronous io non alert and open for backup ident and open reparse point Overwritten: false	success or wait	531562309
File other op	Path: C:\WINDOWS\system32\LogFiles\smss.exe New path: Disposition: BasicInformation Data : Creation Time: 01:00 01-01-1601 Last Access Time: 01:00 01-01-1601 Last Write Time: 01:00 01-01-1601 Change Time: 01:00 01-01-1601 File Attributes: readony and system and directory and archive and temporary	success or wait	531562763
File opened	Path: C:\WINDOWS\system32\cmd.exe Access: read data or list directory and execute or traverse and read attributes and synchronize Options: synchronous io non alert and non directory file Overwritten: false	success or wait	531564305
Section loaded	Path: C:\WINDOWS\system32\cmd.exe Access: query and write and read and execute and extend size Type: image Baseaddress: 980000 Size: 69632 Protection: readonly Mapped to pid: own pid	success or wait	531565037
File opened	Path: C:\WINDOWS\AppPatch\sysmain.sdb Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file Attributes: normal Content Overwritten: null	success or wait	531565364
Section loaded	Path: C:\WINDOWS\AppPatch\sysmain.sdb Access: read Type: commit Baseaddress: 980000 Size: 1208320 Protection: readonly Mapped to pid: own pid	success or wait	531565925
File opened	Path: C:\WINDOWS\AppPatch\systest.sdb Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file Attributes: normal Content Overwritten: null	object name not found	531566312
Key value queried	Path: HKEY_LOCAL_MACHINE\SYSTEM\WPA\MediaCenter Name: Installed	success or wait	531566698
File opened	Path: \Device\NamedPipe\ShimViewer Access: write data or add file and append data or add subdirectory or create pipe instance and write ea and write attributes and read control and synchronize Options: no options Attributes: normal Content Overwritten: null	object name not found	531567093
File opened	Path: C:\WINDOWS\system32\ Access: read data or list directory and synchronize Options: directory file and synchronous io non alert and open for backup ident Overwritten: false	success or wait	531567831
Directory Information Queried	Path: C:\WINDOWS\system32Disposition: BothDirectoryInformation Filemask: cmd.exe	success or wait	531568507
Process information queried	Path: C:\long sleep 2s.exe PID: 1764 Info Class: DefaultHardErrorMode	success or wait	531569726
File opened	Path: C:\ Access: execute or traverse and synchronize Options: directory file and synchronous io non alert Overwritten: false	success or wait	531569983
Directory Information Queried	Path: C:\Disposition: BothDirectoryInformation Filemask: WINDOWS	success or wait	531570667
File opened	Path: C:\WINDOWS\ Access: read data or list directory and synchronize Options: directory file and synchronous io non alert and open for backup ident Overwritten: false	success or wait	531571200
Directory Information Queried	Path: C:\WINDOWSDisposition: BothDirectoryInformation Filemask: system32	success or wait	531571565
File opened	Path: C:\WINDOWS\system32\ Access: read data or list directory and synchronize Options: directory file and synchronous io non alert and open for backup ident Overwritten: false	success or wait	531571968
Directory Information Queried	Path: C:\WINDOWS\system32Disposition: BothDirectoryInformation Filemask: cmd.exe	success or wait	531578430
Process information queried	Path: C:\long sleep 2s.exe PID: 1764 Info Class: DefaultHardErrorMode	success or wait	531579446
Process information queried	Path: C:\long sleep 2s.exe PID: 1764 Info Class: DeviceMap	success or wait	531579580
Process information queried	Path: C:\long sleep 2s.exe PID: 1764 Info Class: DefaultHardErrorMode	success or wait	531580359
File opened	Path: C:\WINDOWS\system32\cmd.exe Access: read data or list directory and execute or traverse and read attributes and synchronize Options: synchronous io non alert and non directory file Overwritten: false	success or wait	531580641
Section loaded	Path: C:\WINDOWS\system32\cmd.exe Access: write and read and execute Type: commit Baseaddress: AB0000 Size: 389120 Protection: execute Mapped to pid: own pid	success or wait	531581564
File opened	Path: C:\WINDOWS\system32\cmd.exe Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file Attributes: none Content Overwritten: null	success or wait	531583550
Section loaded	Path: C:\WINDOWS\system32\cmd.exe Access: query and read Type: commit Baseaddress: AB0000 Size: 389120 Protection: readonly Mapped to pid: own pid	success or wait	531583982
Process information queried	Path: C:\long sleep 2s.exe PID: 1764 Info Class: DefaultHardErrorMode	success or wait	531584895
Process information queried	Path: C:\long sleep 2s.exe PID: 1764 Info Class: DefaultHardErrorMode	success or wait	531585693
File opened	Path: C:\WINDOWS\system32\cmd.exe Access: read data or list directory and execute or traverse and read attributes and synchronize Options: synchronous io non alert and non directory file Overwritten: false	success or wait	531585952
Section loaded	Path: C:\WINDOWS\system32\cmd.exe Access: write and read and execute Type: commit Baseaddress: AB0000 Size: 389120 Protection: execute Mapped to pid: own pid	success or wait	531586843
File opened	Path: C:\WINDOWS\system32\cmd.exe Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file Attributes: none Content Overwritten: null	success or wait	531588854
Section loaded	Path: C:\WINDOWS\system32\cmd.exe Access: query and read Type: commit Baseaddress: AB0000 Size: 389120 Protection: readonly Mapped to pid: own pid	success or wait	531589284
Process information queried	Path: C:\long sleep 2s.exe PID: 1764 Info Class: DefaultHardErrorMode	success or wait	531590149
Process information queried	Path: C:\long sleep 2s.exe PID: 1764 Info Class: DefaultHardErrorMode	success or wait	531591053
File opened	Path: C:\ Access: execute or traverse and synchronize Options: directory file and synchronous io non alert Overwritten: false	success or wait	531591933
Directory Information Queried	Path: C:\Disposition: BothDirectoryInformation Filemask: WINDOWS	success or wait	531592645
File opened	Path: C:\WINDOWS\ Access: read data or list directory and synchronize Options: directory file and synchronous io non alert and open for backup ident Overwritten: false	success or wait	531593603
Directory Information Queried	Path: C:\WINDOWSDisposition: BothDirectoryInformation Filemask: system32	success or wait	531594258
File opened	Path: C:\WINDOWS\system32\ Access: read data or list directory and synchronize Options: directory file and synchronous io non alert and open for backup ident Overwritten: false	success or wait	531594789
Directory Information Queried	Path: C:\WINDOWS\system32Disposition: BothDirectoryInformation Filemask: cmd.exe	success or wait	531595165
Process information queried	Path: C:\long sleep 2s.exe PID: 1764 Info Class: DefaultHardErrorMode	success or wait	531595540
Process information queried	Path: C:\long sleep 2s.exe PID: 1764 Info Class: DefaultHardErrorMode	success or wait	531599408
File opened	Path: C:\ Access: execute or traverse and synchronize Options: directory file and synchronous io non alert Overwritten: false	success or wait	531599632
Directory Information Queried	Path: C:\Disposition: BothDirectoryInformation Filemask: WINDOWS	success or wait	531599994
File opened	Path: C:\WINDOWS\ Access: read data or list directory and synchronize Options: directory file and synchronous io non alert and open for backup ident Overwritten: false	success or wait	531600372
Directory Information Queried	Path: C:\WINDOWSDisposition: BothDirectoryInformation Filemask: system32	success or wait	531601199
File opened	Path: C:\WINDOWS\system32\ Access: read data or list directory and synchronize Options: directory file and synchronous io non alert and open for backup ident Overwritten: false	success or wait	531601889
Directory Information Queried	Path: C:\WINDOWS\system32Disposition: BothDirectoryInformation Filemask: cmd.exe	success or wait	531602837
Process information queried	Path: C:\long sleep 2s.exe PID: 1764 Info Class: DefaultHardErrorMode	success or wait	531603504
Section loaded	Path: C:\WINDOWS\system32\cmd.exe Access: query and read Type: commit Baseaddress: 980000 Size: 389120 Protection: readonly Mapped to pid: own pid	success or wait	531603815
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers Name: LogFileName	object name not found	531604353
System info queried	Type: WatchdogTimerHandler	success or wait	531605876
Process created	PID: 260 Path: C:\WINDOWS\system32\cmd.exe Cmdline: cmd /c C:\WINDOWS\system32\LogFiles\smss.exe Createflags: none	success or wait	531606008
Process information queried	Path: C:\WINDOWS\system32\cmd.exe PID: 260 Info Class: BasicInformation	success or wait	531607324
Memory read	PID: 260 Path: C:\WINDOWS\system32\cmd.exe Base: 7FFDC008 Length: 4 Value: 00 00 D0 4A	success or wait	531607455
File opened	Path: C:\WINDOWS\system32\cmd.exe.Manifest Access: read data or list directory and read ea and execute or traverse and read attributes and read control and synchronize Options: synchronous io non alert and non directory file Overwritten: false	object name not found	531607881
Memory read	PID: 260 Path: C:\WINDOWS\system32\cmd.exe Base: 4AD00000 Length: 4096 Value: 4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00 B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 D8 00 00 00 0E 1F BA 0E 00 B4 09 CD 21 B8 01 4C CD 21 54 68 69 73 20 70 72 6F 67 72 61 6D 20 63 61 6E 6E 6F 74 20 62 65 20 72 75 6E 20 69 6E 20 44 4F 53 20 6D 6F 64 65 2E 0D 0D 0A 24 00 00 00 00 00 00 00 1D ED D5 EA 59 8C BB B9 59 8C BB B9 59 8C BB B9 9A 83 B4 B9 5F 8C BB B9 59 8C BA B9 80 8C BB B9 9A 83 E6 B9 5E 8C BB B9 E6 83 DB B9 5B 8C BB B9 9A 83 E5 B9 58 8C BB B9 9A 83 E4 B9 6D 8C BB B9 9A 83 E1 B9 58 8C BB B9 52 69 63 68 59 8C BB B9 00 00 00 00 00 00 00 00 50 45 00 00 4C 01 03 00 AF 5B 02 48 00 00 00 00 00 00 00 00 E0 00 0F 01 0B 01 07 0A 00 F8 01 00 00 F6 03 00 00 00 00	success or wait	531608362
Memory read	PID: 260 Path: C:\WINDOWS\system32\cmd.exe Base: 4AD3E000 Length: 256 Value: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 03 00 00 00 30 00 00 80 0B 00 00 00 80 00 00 80 0E 00 00 00 98 00 00 80 10 00 00 00 B0 00 00 80 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 00 01 00 00 00 C8 00 00 80 02 00 00 00 E0 00 00 80 03 00 00 00 F8 00 00 80 04 00 00 00 10 01 00 80 05 00 00 00 28 01 00 80 06 00 00 00 40 01 00 80 07 00 00 00 58 01 00 80 08 00 00 00 70 01 00 80 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 01 00 00 00 88 01 00 80 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 80 02 00 80 A0 01 00 80 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 01 00 00 00 B8 01 00 80 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 09 04 00 00 D0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 09 04 00 00 E0 01 00 00 00 00 00 00 00 00 00	success or wait	531610301
Process information queried	Path: C:\WINDOWS\system32\cmd.exe PID: 260 Info Class: BasicInformation	success or wait	531610566
Memory allocated	PID: 1764 Path: C:\long sleep 2s.exe Base: 980000 Length: 12ED48 Allocation Type: unknown Protection: page read and write	success or wait	531610720
Memory allocated	PID: 260 Path: C:\WINDOWS\system32\cmd.exe Base: 10000 Length: 12EE50 Allocation Type: unknown Protection: page read and write	success or wait	531610862
Memory written	PID: 260 Path: C:\WINDOWS\system32\cmd.exe Base: 10000 Length: 1972 Value: 3D 00 3A 00 3A 00 3D 00 3A 00 3A 00 5C 00 00 00 3D 00 5A 00 3A 00 3D 00 5A 00 3A 00 5C 00 00 00 41 00 4C 00 4C 00 55 00 53 00 45 00 52 00 53 00 50 00 52 00 4F 00 46 00 49 00 4C 00 45 00 3D 00 43 00 3A 00 5C 00 44 00 6F 00 63 00 75 00 6D 00 65 00 6E 00 74 00 73 00 20 00 61 00 6E 00 64 00 20 00 53 00 65 00 74 00 74 00 69 00 6E 00 67 00 73 00 5C 00 41 00 6C 00 6C 00 20 00 55 00 73 00 65 00 72 00 73 00 00 00 41 00 50 00 50 00 44 00 41 00 54 00 41 00 3D 00 43 00 3A 00 5C 00 44 00 6F 00 63 00 75 00 6D 00 65 00 6E 00 74 00 73 00 20 00 61 00 6E 00 64 00 20 00 53 00 65 00 74 00 74 00 69 00 6E 00 67 00 73 00 5C 00 41 00 64 00 6D 00 69 00 6E 00 69 00 73 00 74 00 72 00 61 00 74 00 6F 00 72 00 5C 00 41 00 70 00 70 00 6C 00 69 00 63 00 61 00 74 00 69 00 6F 00 6E 00 20	success or wait	531611896
Memory allocated	PID: 260 Path: C:\WINDOWS\system32\cmd.exe Base: 20000 Length: 12EE50 Allocation Type: unknown Protection: page read and write	success or wait	531612507
Memory written	PID: 260 Path: C:\WINDOWS\system32\cmd.exe Base: 20000 Length: 1676 Value: 00 10 00 00 8C 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 06 00 08 02 90 02 00 00 00 00 00 00 FC 00 FE 00 98 04 00 00 36 00 38 00 98 05 00 00 5C 00 5E 00 D0 05 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 36 00 38 00 30 06 00 00 1E 00 20 00 68 06 00 00 00 00 02 00 88 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00	success or wait	531613717
Memory written	PID: 260 Path: C:\WINDOWS\system32\cmd.exe Base: 7FFDC010 Length: 4 Value: 00 00 02 00	success or wait	531613887
Memory allocated	PID: 260 Path: C:\WINDOWS\system32\cmd.exe Base: 30000 Length: 12EE50 Allocation Type: unknown Protection: page read and write	success or wait	531614580
Memory written	PID: 260 Path: C:\WINDOWS\system32\cmd.exe Base: 30000 Length: 388 Value: 53 00 68 00 69 00 6D 00 45 00 6E 00 67 00 2E 00 64 00 6C 00 6C 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 84 01 00 00 AB ED 0D AC AA 3F 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00	success or wait	531619713
Memory written	PID: 260 Path: C:\WINDOWS\system32\cmd.exe Base: 7FFDC1E8 Length: 4 Value: 00 00 03 00	success or wait	531619891
Memory read	PID: 260 Path: C:\WINDOWS\system32\cmd.exe Base: 7FFDC010 Length: 4 Value: 00 00 02 00	success or wait	531620041
Memory allocated	PID: 260 Path: C:\WINDOWS\system32\cmd.exe Base: 40000 Length: 12F0BC Allocation Type: unknown Protection: page read and write	success or wait	531620174
Memory allocated	PID: 260 Path: C:\WINDOWS\system32\cmd.exe Base: 40000 Length: 12F0B8 Allocation Type: unknown Protection: page read and write	success or wait	531620306
Thread created	PID: 260 TID: 116 EIP: 7C810705 EAX: 4AD05046 Imagepath: C:\WINDOWS\system32\cmd.exe	success or wait	531621091
Thread resumed	TID: 116 PID: 260 Path: C:\WINDOWS\system32\cmd.exe	success or wait	531699397
Process information queried	Path: C:\WINDOWS\system32\cmd.exe PID: 260 Info Class: BasicInformation	success or wait	531700528
Process terminated	PID: 1764 Path: C:\long sleep 2s.exe	success or wait	531704926
Process information queried	Path: C:\long sleep 2s.exe PID: 1764 Info Class: Cookie	success or wait	531705396
Process information queried	Path: C:\long sleep 2s.exe PID: 1764 Info Class: Cookie	success or wait	531705523
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize Name: DisableMetaFiles	object name not found	531707341

Analysis File: cmd.exe PID: 1492 Parent PID: 1764

General

Start time:	09:39:47
Start date:	24/01/2012
Path:	C:\WINDOWS\system32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd /c md C:\WINDOWS\system32\LogFiles
Imagebase:	0x4ad00000
File size:	389120 bytes
MD5 hash:	6D778E0F95447E6546553EEEA709D03C

File Activites

File Path	Access	Options	Content overwritten	Completion	Count	Source Address	Symbol
C:\	execute or traverse and synchronize	directory file and synchronous io non alert	false	success or wait	2	7C90E457	KiUserApcDispatcher
C:\WINDOWS\system32\ShimEng.dll	execute or traverse and synchronize	synchronous io non alert and non directory file	false	success or wait	1	7C90E457	KiUserApcDispatcher
C:\WINDOWS\AppPatch\AcGenral.DLL	execute or traverse and synchronize	synchronous io non alert and non directory file	false	success or wait	3	7C90E457	KiUserApcDispatcher
C:\WINDOWS\system32\WINMM.dll	execute or traverse and synchronize	synchronous io non alert and non directory file	false	success or wait	1	7C90E457	KiUserApcDispatcher
C:\WINDOWS\system32\MSACM32.dll	execute or traverse and synchronize	synchronous io non alert and non directory file	false	success or wait	1	7C90E457	KiUserApcDispatcher
C:\WINDOWS\system32\UxTheme.dll	execute or traverse and synchronize	synchronous io non alert and non directory file	false	success or wait	1	7C90E457	KiUserApcDispatcher
C:\WINDOWS\system32\IMM32.DLL	execute or traverse and synchronize	synchronous io non alert and non directory file	false	success or wait	3	7C90E457	KiUserApcDispatcher
\Device\KsecDD	read data or list directory and synchronize	synchronous io alert	false	success or wait	1	7C90E457	KiUserApcDispatcher
C:\WINDOWS\system32\SHELL32.dll	read data or list directory and read ea and execute or traverse and read attributes and read control and synchronize	synchronous io non alert and non directory file	false	success or wait	1	7C90E457	KiUserApcDispatcher
C:\WINDOWS\system32\SHELL32.dll.124.Manifest	read data or list directory and read ea and execute or traverse and read attributes and read control and synchronize	synchronous io non alert and non directory file	false	object name not found	1	7C90E457	KiUserApcDispatcher
C:\WINDOWS\system32\SHELL32.dll.124.Config	read data or list directory and read ea and execute or traverse and read attributes and read control and synchronize	synchronous io non alert and non directory file	false	object name not found	1	7C90E457	KiUserApcDispatcher
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202	execute or traverse and synchronize	directory file and synchronous io non alert	false	success or wait	1	7C90E457	KiUserApcDispatcher
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll	execute or traverse and synchronize	synchronous io non alert and non directory file	false	success or wait	2	7C90E457	KiUserApcDispatcher
C:\WINDOWS\WindowsShell.Manifest	execute or traverse and synchronize	synchronous io non alert and non directory file	false	success or wait	2	7C90E457	KiUserApcDispatcher
C:\WINDOWS\WindowsShell.Config	read data or list directory and read ea and execute or traverse and read attributes and read control and synchronize	synchronous io non alert and non directory file	false	object name not found	1	7C90E457	KiUserApcDispatcher
C:\WINDOWS\system32\comctl32.dll	read data or list directory and read ea and execute or traverse and read attributes and read control and synchronize	synchronous io non alert and non directory file	false	success or wait	1	7C90E457	KiUserApcDispatcher
C:\WINDOWS\system32\comctl32.dll.124.Manifest	read data or list directory and read ea and execute or traverse and read attributes and read control and synchronize	synchronous io non alert and non directory file	false	object name not found	1	7C90E457	KiUserApcDispatcher
C:\WINDOWS\system32\comctl32.dll.124.Config	read data or list directory and read ea and execute or traverse and read attributes and read control and synchronize	synchronous io non alert and non directory file	false	object name not found	1	7C90E457	KiUserApcDispatcher
C:\WINDOWS\AppPatch\sysmain.sdb	read attributes and synchronize and generic read	synchronous io non alert and non directory file		success or wait	1	7C90E457	KiUserApcDispatcher
C:\WINDOWS\AppPatch\systest.sdb	read attributes and synchronize and generic read	synchronous io non alert and non directory file		object name not found	1	7C90E457	KiUserApcDispatcher
\Device\NamedPipe\ShimViewer	write data or add file and append data or add subdirectory or create pipe instance and write ea and write attributes and read control and synchronize	no options		object name not found	3	7C90E457	KiUserApcDispatcher
C:\WINDOWS\AppPatch\AcGenral.DLL	read attributes and synchronize and generic read	synchronous io non alert and non directory file		success or wait	1	7C90E457	KiUserApcDispatcher
C:\WINDOWS\WindowsShell.Manifest	read attributes and synchronize and generic read	synchronous io non alert and non directory file		success or wait	1	7C90E457	KiUserApcDispatcher

File Created

File Path	Access	Attributes	Options	Completion	Count	Source Address	Symbol
C:\WINDOWS\system32\LogFiles	read data or list directory and synchronize	normal	directory file and synchronous io non alert and open for backup ident	success or wait	1	4AD0B2AC	CreateDirectoryW

File Path	Disposition	Data	Ascii Data	Completion	Count	Source Address	Symbol
C:\	90028	NULL	NULL	success or wait	1	7C90E457	KiUserApcDispatcher

Section Activites

Section loaded by Windows

File Path	Access	Type	Base	Size	Mapped to pid	Protection	Completion	Count
\KnownDlls\kernel32.dll	write and read and execute	unknown	7C800000	1007616	own pid	read write	success or wait	1
unknown	query and write and read and execute and extend size	reserve	7C800000	1007616	own pid	read write	success or wait	1
\NLS\NlsSectionUnicode	read	unknown	270000	90112	own pid	readonly	success or wait	1
\NLS\NlsSectionLocale	read	unknown	290000	266240	own pid	readonly	success or wait	1
\NLS\NlsSectionSortkey	query and read	unknown	2E0000	266240	own pid	readonly	success or wait	1
\NLS\NlsSectionSortTbls	read	unknown	330000	24576	own pid	readonly	success or wait	1
\NLS\NlsSectionSortkey00000409	read	unknown	unknown	unknown	unknown	unknown	object name not found	1
\NLS\NlsSectionSortkey00000409	read	unknown	unknown	unknown	unknown	unknown	object name not found	1
\KnownDlls\msvcrt.dll	write and read and execute	unknown	77C10000	360448	own pid	read write	success or wait	1
\KnownDlls\USER32.dll	write and read and execute	unknown	7E410000	593920	own pid	read write	success or wait	1
\KnownDlls\GDI32.dll	write and read and execute	unknown	77F10000	299008	own pid	read write	success or wait	1
\KnownDlls\ShimEng.dll	write and read and execute	unknown	unknown	unknown	unknown	unknown	object name not found	1
C:\WINDOWS\system32\shimeng.dll	query and write and read and execute	image	5CB70000	155648	own pid	read write	success or wait	1
C:\WINDOWS\AppPatch\sysmain.sdb	read	commit	340000	1208320	own pid	readonly	success or wait	1
C:\WINDOWS\AppPatch\acgenral.dll	write and read and execute	commit	480000	1855488	own pid	execute	success or wait	1
C:\WINDOWS\AppPatch\acgenral.dll	write and read and execute	commit	480000	1855488	own pid	execute	success or wait	1
C:\WINDOWS\AppPatch\acgenral.dll	query and write and read and execute	image	6F880000	1875968	own pid	read write	success or wait	1
\KnownDlls\ADVAPI32.dll	write and read and execute	unknown	77DD0000	634880	own pid	read write	success or wait	1
\KnownDlls\RPCRT4.dll	write and read and execute	unknown	77E70000	602112	own pid	read write	success or wait	1
\KnownDlls\Secur32.dll	write and read and execute	unknown	77FE0000	69632	own pid	read write	success or wait	1
\KnownDlls\WINMM.dll	write and read and execute	unknown	unknown	unknown	unknown	unknown	object name not found	1
C:\WINDOWS\system32\winmm.dll	query and write and read and execute	image	76B40000	184320	own pid	read write	success or wait	1
\KnownDlls\ole32.dll	write and read and execute	unknown	774E0000	1302528	own pid	read write	success or wait	1
\KnownDlls\OLEAUT32.dll	write and read and execute	unknown	77120000	569344	own pid	read write	success or wait	1
\KnownDlls\MSACM32.dll	write and read and execute	unknown	unknown	unknown	unknown	unknown	object name not found	1
C:\WINDOWS\system32\msacm32.dll	query and write and read and execute	image	77BE0000	86016	own pid	read write	success or wait	1
\KnownDlls\VERSION.dll	write and read and execute	unknown	77C00000	32768	own pid	read write	success or wait	1
\KnownDlls\SHELL32.dll	write and read and execute	unknown	7C9C0000	8482816	own pid	read write	success or wait	1
\KnownDlls\SHLWAPI.dll	write and read and execute	unknown	77F60000	483328	own pid	read write	success or wait	1
\KnownDlls\USERENV.dll	write and read and execute	unknown	769C0000	737280	own pid	read write	success or wait	1
\KnownDlls\UxTheme.dll	write and read and execute	unknown	unknown	unknown	unknown	unknown	object name not found	1
C:\WINDOWS\system32\uxtheme.dll	query and write and read and execute	image	5AD70000	229376	own pid	read write	success or wait	1
\NLS\NlsSectionCType	read	unknown	490000	12288	own pid	readonly	success or wait	1
C:\WINDOWS\system32\imm32.dll	write and read and execute	commit	410000	110592	own pid	execute	success or wait	1
C:\WINDOWS\system32\imm32.dll	write and read and execute	commit	410000	110592	own pid	execute	success or wait	1
C:\WINDOWS\system32\imm32.dll	query and write and read and execute	image	76390000	118784	own pid	read write	success or wait	1
C:\WINDOWS\system32\shell32.dll	read	commit	970000	8462336	own pid	readonly	success or wait	1
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll	write and read and execute	commit	970000	1056768	own pid	execute	success or wait	1
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll	query and write and read and execute	image	773D0000	1060864	own pid	read write	success or wait	1
C:\WINDOWS\WindowsShell.Manifest	write and read and execute	commit	440000	4096	own pid	execute	success or wait	1
C:\WINDOWS\WindowsShell.Manifest	query and read	commit	440000	4096	own pid	readonly	success or wait	1
C:\WINDOWS\WindowsShell.Manifest	read	commit	440000	4096	own pid	readonly	success or wait	1
\KnownDlls\comctl32.dll	write and read and execute	unknown	5D090000	630784	own pid	read write	success or wait	1
C:\WINDOWS\system32\comctl32.dll	read	commit	970000	618496	own pid	readonly	success or wait	1

Registry Activites

Key Value Queried

Key Path	Name	Completion	Count	Source Address	Symbol
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager	CWDIllegalInDLLSearch	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Terminal Server	TSAppCompat	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers	TransparentEnabled	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SYSTEM\WPA\MediaCenter	Installed	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager	SafeDllSearchMode	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize	DisableMetaFiles	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows	AppInit_DLLs	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon	LeakTrack	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	wave	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	wave	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	wave1	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	wave1	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	wave2	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	wave3	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	wave4	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	wave5	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	wave6	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	wave7	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	wave8	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	wave9	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	midi	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	midi	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	midi1	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	midi1	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	midi2	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	midi3	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	midi4	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	midi5	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	midi6	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	midi7	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	midi8	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	midi9	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	aux	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	aux	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	aux1	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	aux1	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	aux2	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	aux3	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	aux4	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	aux5	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	aux6	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	aux7	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	aux8	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	aux9	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\MediaProperties\PrivateProperties\Joystick\Winmm	wheel	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	mixer	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	mixer	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	mixer1	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	mixer1	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	mixer2	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	mixer3	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	mixer4	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	mixer5	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	mixer6	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	mixer7	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	mixer8	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	mixer9	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager	CriticalSectionTimeout	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole	RWLockResourceTimeOut	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface	InterfaceHelperDisableAll	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface	InterfaceHelperDisableAllForOle32	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface	InterfaceHelperDisableTypeLib	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{00020400-0000-0000-C000-000000000046}	InterfaceHelperDisableAll	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{00020400-0000-0000-C000-000000000046}	InterfaceHelperDisableAllForOle32	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_USERS\Software\Microsoft\Multimedia\Audio	SystemFormats	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	msacm.imaadpcm	buffer overflow	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	msacm.imaadpcm	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.imaadpcm	fdwSupport	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.imaadpcm	cFormatTags	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.imaadpcm	aFormatTagCache	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.imaadpcm	cFilterTags	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	msacm.msadpcm	buffer overflow	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	msacm.msadpcm	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msadpcm	fdwSupport	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msadpcm	cFormatTags	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msadpcm	aFormatTagCache	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msadpcm	cFilterTags	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	msacm.msg711	buffer overflow	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	msacm.msg711	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msg711	fdwSupport	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msg711	cFormatTags	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msg711	aFormatTagCache	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msg711	cFilterTags	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	msacm.msgsm610	buffer overflow	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	msacm.msgsm610	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msgsm610	fdwSupport	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msgsm610	cFormatTags	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msgsm610	aFormatTagCache	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msgsm610	cFilterTags	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	msacm.trspch	buffer overflow	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	msacm.trspch	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.trspch	fdwSupport	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.trspch	cFormatTags	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.trspch	aFormatTagCache	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.trspch	cFilterTags	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	msacm.msg723	buffer overflow	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	msacm.msg723	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msg723	fdwSupport	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msg723	cFormatTags	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msg723	aFormatTagCache	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msg723	cFilterTags	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	msacm.msaudio1	buffer overflow	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	msacm.msaudio1	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msaudio1	fdwSupport	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msaudio1	cFormatTags	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msaudio1	aFormatTagCache	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msaudio1	cFilterTags	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	msacm.sl_anet	buffer overflow	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	msacm.sl_anet	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.sl_anet	fdwSupport	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.sl_anet	cFormatTags	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.sl_anet	aFormatTagCache	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.sl_anet	cFilterTags	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	msacm.iac2	buffer overflow	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	msacm.iac2	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.iac2	fdwSupport	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.iac2	cFormatTags	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.iac2	aFormatTagCache	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.iac2	cFilterTags	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	msacm.l3acm	buffer overflow	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	msacm.l3acm	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.l3acm	fdwSupport	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.l3acm	cFormatTags	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.l3acm	aFormatTagCache	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.l3acm	cFilterTags	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_USERS\Software\Microsoft\Multimedia\Audio Compression Manager\MSACM	NoPCMConverter	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_USERS\Software\Microsoft\Multimedia\Audio Compression Manager\Priority v4.00	Priority1	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SYSTEM\Setup	SystemSetupInProgress	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_USERS\Control Panel\Desktop	SmoothScroll	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced	EnableBalloonTips	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_USERS\Control Panel\Desktop	SmoothScroll	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon	UserEnvDebugLevel	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon	ChkAccDebugLevel	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ProductOptions	ProductType	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders	Personal	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders	Local Settings	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon	RsopDebugLevel	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon	UserEnvDebugLevel	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon	RsopLogging	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System	UserEnvDebugLevel	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System	RsopLogging	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon	UserEnvDebugLevel	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System	UserEnvDebugLevel	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\ThemeManager	Compositing	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_USERS\Control Panel\Desktop	LameButtonText	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor	DisableUNCCheck	object name not found	1	4AD04A2A	RegQueryValueExW
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor	EnableExtensions	success or wait	1	4AD04A4F	RegQueryValueExW
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor	DelayedExpansion	object name not found	1	4AD04A88	RegQueryValueExW
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor	DefaultColor	success or wait	1	4AD04AAD	RegQueryValueExW
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor	CompletionChar	success or wait	1	4AD04AE5	RegQueryValueExW
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor	PathCompletionChar	success or wait	1	4AD04B37	RegQueryValueExW
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor	AutoRun	success or wait	1	4AD04BB8	RegQueryValueExW
HKEY_USERS\Software\Microsoft\Command Processor	DisableUNCCheck	object name not found	1	4AD04A2A	RegQueryValueExW
HKEY_USERS\Software\Microsoft\Command Processor	EnableExtensions	success or wait	1	4AD04A4F	RegQueryValueExW
HKEY_USERS\Software\Microsoft\Command Processor	DelayedExpansion	object name not found	1	4AD04A88	RegQueryValueExW
HKEY_USERS\Software\Microsoft\Command Processor	DefaultColor	success or wait	1	4AD04AAD	RegQueryValueExW
HKEY_USERS\Software\Microsoft\Command Processor	CompletionChar	success or wait	1	4AD04AE5	RegQueryValueExW
HKEY_USERS\Software\Microsoft\Command Processor	PathCompletionChar	object name not found	1	4AD04B37	RegQueryValueExW
HKEY_USERS\Software\Microsoft\Command Processor	AutoRun	object name not found	1	4AD04BB8	RegQueryValueExW
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale	00000409	success or wait	1	4AD056A7	setlocale
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups	1	success or wait	1	4AD056A7	setlocale
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize	DisableMetaFiles	object name not found	1	4AD04100	exit

Mutex Activites

Name	Completion	Count	Source Address	Symbol
\BaseNamedObjects\SHIMLIB_LOG_MUTEX	object name exists	1	7C90E457	KiUserApcDispatcher

Process Activites

PID	Process info class	Completion	Count	Source Address	Symbol
1492	Cookie	success or wait	9	7C90E457	KiUserApcDispatcher
1492	Wow64Information	success or wait	2	7C90E457	KiUserApcDispatcher
1492	ImageInformation	success or wait	1	7C90E457	KiUserApcDispatcher
1492	SessionInformation	success or wait	1	7C90E457	KiUserApcDispatcher
1492	DeviceMap	success or wait	1	4AD02A92	GetDriveTypeW

PID	Filepath	Completion	Count	Source Address	Symbol
1492	C:\WINDOWS\system32\cmd.exe	success or wait	1	4AD04100	exit

Memory Activites

Memory Allocated

PID	Filepath	Base	Length	Protection	Completion	Count	Source Address	Symbol
1492	C:\WINDOWS\system32\cmd.exe	150000	13FB14	page read and write	success or wait	1	7C90E457	KiUserApcDispatcher
1492	C:\WINDOWS\system32\cmd.exe	150000	13FB18	page read and write	success or wait	1	7C90E457	KiUserApcDispatcher
1492	C:\WINDOWS\system32\cmd.exe	151000	13F7F4	page read and write	success or wait	1	7C90E457	KiUserApcDispatcher
1492	C:\WINDOWS\system32\cmd.exe	250000	13FB14	page read and write	success or wait	1	7C90E457	KiUserApcDispatcher
1492	C:\WINDOWS\system32\cmd.exe	250000	13FB18	page read and write	success or wait	1	7C90E457	KiUserApcDispatcher
1492	C:\WINDOWS\system32\cmd.exe	260000	13F340	page read and write	success or wait	1	7C90E457	KiUserApcDispatcher
1492	C:\WINDOWS\system32\cmd.exe	261000	13F168	page read and write	success or wait	1	7C90E457	KiUserApcDispatcher
1492	C:\WINDOWS\system32\cmd.exe	153000	13F420	page read and write	success or wait	1	7C90E457	KiUserApcDispatcher
1492	C:\WINDOWS\system32\cmd.exe	470000	13F0C8	page read and write	success or wait	1	7C90E457	KiUserApcDispatcher
1492	C:\WINDOWS\system32\cmd.exe	470000	13F0CC	page read and write	success or wait	1	7C90E457	KiUserApcDispatcher
1492	C:\WINDOWS\system32\cmd.exe	472000	13EB64	page read and write	success or wait	1	7C90E457	KiUserApcDispatcher
1492	C:\WINDOWS\system32\cmd.exe	473000	13EEA8	page read and write	success or wait	1	7C90E457	KiUserApcDispatcher
1492	C:\WINDOWS\system32\cmd.exe	480000	13E978	page read and write	success or wait	1	7C90E457	KiUserApcDispatcher
1492	C:\WINDOWS\system32\cmd.exe	480000	13E97C	page read and write	success or wait	1	7C90E457	KiUserApcDispatcher
1492	C:\WINDOWS\system32\cmd.exe	481000	13E658	page read and write	success or wait	1	7C90E457	KiUserApcDispatcher
1492	C:\WINDOWS\system32\cmd.exe	483000	13E70C	page read and write	success or wait	1	7C90E457	KiUserApcDispatcher
1492	C:\WINDOWS\system32\cmd.exe	4A0000	13F04C	page read and write	success or wait	1	7C90E457	KiUserApcDispatcher
1492	C:\WINDOWS\system32\cmd.exe	4A0000	13F050	page read and write	success or wait	1	7C90E457	KiUserApcDispatcher
1492	C:\WINDOWS\system32\cmd.exe	4A1000	13ED2C	page read and write	success or wait	1	7C90E457	KiUserApcDispatcher
1492	C:\WINDOWS\system32\cmd.exe	30000	13F91C	page read and write	success or wait	1	7C90E457	KiUserApcDispatcher
1492	C:\WINDOWS\system32\cmd.exe	30000	13F920	page read and write	success or wait	1	7C90E457	KiUserApcDispatcher
1492	C:\WINDOWS\system32\cmd.exe	31000	13F5FC	page read and write	success or wait	1	7C90E457	KiUserApcDispatcher
1492	C:\WINDOWS\system32\cmd.exe	33000	13F6B8	page read and write	success or wait	1	7C90E457	KiUserApcDispatcher
1492	C:\WINDOWS\system32\cmd.exe	154000	13F728	page read and write	success or wait	1	7C90E457	KiUserApcDispatcher
1492	C:\WINDOWS\system32\cmd.exe	8F0000	13F52C	page read and write	success or wait	1	7C90E457	KiUserApcDispatcher
1492	C:\WINDOWS\system32\cmd.exe	8F0000	13F528	page read and write	success or wait	1	7C90E457	KiUserApcDispatcher
1492	C:\WINDOWS\system32\cmd.exe	155000	13F5BC	page read and write	success or wait	1	7C90E457	KiUserApcDispatcher
1492	C:\WINDOWS\system32\cmd.exe	156000	13F55C	page read and write	success or wait	1	7C90E457	KiUserApcDispatcher
1492	C:\WINDOWS\system32\cmd.exe	157000	13EF90	page read and write	success or wait	1	7C90E457	KiUserApcDispatcher
1492	C:\WINDOWS\system32\cmd.exe	158000	13F188	page read and write	success or wait	1	7C90E457	KiUserApcDispatcher
1492	C:\WINDOWS\system32\cmd.exe	159000	13EFB0	page read and write	success or wait	1	7C90E457	KiUserApcDispatcher
1492	C:\WINDOWS\system32\cmd.exe	440000	13F1B8	page read and write	success or wait	1	7C90E457	KiUserApcDispatcher
1492	C:\WINDOWS\system32\cmd.exe	440000	13F1BC	page read and write	success or wait	1	7C90E457	KiUserApcDispatcher
1492	C:\WINDOWS\system32\cmd.exe	441000	13EE98	page read and write	success or wait	1	7C90E457	KiUserApcDispatcher
1492	C:\WINDOWS\system32\cmd.exe	443000	13EF4C	page read and write	success or wait	1	7C90E457	KiUserApcDispatcher
1492	C:\WINDOWS\system32\cmd.exe	34000	13EF58	page read and write	success or wait	1	7C90E457	KiUserApcDispatcher
1492	C:\WINDOWS\system32\cmd.exe	970000	13FE10	page read and write	success or wait	1	4AD04578	VirtualAlloc

PID	Filepath	Base	Length	New Protection	Old Protection	Completion	Count	Source Address	Symbol
1492	C:\WINDOWS\system32\cmd.exe	7C801000	1000	page read and write	page execute read	success or wait	1	7C90E457	KiUserApcDispatcher
1492	C:\WINDOWS\system32\cmd.exe	7C801000	1000	page execute read	page read and write	success or wait	1	7C90E457	KiUserApcDispatcher
1492	C:\WINDOWS\system32\cmd.exe	4AD01000	1000	page read and write	page execute read	success or wait	2	7C90E457	KiUserApcDispatcher
1492	C:\WINDOWS\system32\cmd.exe	4AD01000	1000	page execute read	page read and write	success or wait	2	7C90E457	KiUserApcDispatcher
1492	C:\WINDOWS\system32\cmd.exe	77C11000	1000	page read and write	page execute read	success or wait	2	7C90E457	KiUserApcDispatcher
1492	C:\WINDOWS\system32\cmd.exe	77C11000	1000	page execute read	page read and write	success or wait	2	7C90E457	KiUserApcDispatcher
1492	C:\WINDOWS\system32\cmd.exe	77F11000	1000	page read and write	page execute read	success or wait	3	7C90E457	KiUserApcDispatcher
1492	C:\WINDOWS\system32\cmd.exe	77F11000	1000	page execute read	page read and write	success or wait	3	7C90E457	KiUserApcDispatcher
1492	C:\WINDOWS\system32\cmd.exe	7E411000	1000	page read and write	page execute read	success or wait	3	7C90E457	KiUserApcDispatcher
1492	C:\WINDOWS\system32\cmd.exe	7E411000	1000	page execute read	page read and write	success or wait	3	7C90E457	KiUserApcDispatcher
1492	C:\WINDOWS\system32\cmd.exe	5CB71000	1000	page read and write	page execute read	success or wait	2	7C90E457	KiUserApcDispatcher
1492	C:\WINDOWS\system32\cmd.exe	5CB71000	1000	page execute read	page read and write	success or wait	2	7C90E457	KiUserApcDispatcher
1492	C:\WINDOWS\system32\cmd.exe	6F881000	1000	page read and write	page execute read	success or wait	7	7C90E457	KiUserApcDispatcher
1492	C:\WINDOWS\system32\cmd.exe	6F881000	1000	page execute read	page read and write	success or wait	7	7C90E457	KiUserApcDispatcher
1492	C:\WINDOWS\system32\cmd.exe	77DD1000	1000	page read and write	page execute read	success or wait	3	7C90E457	KiUserApcDispatcher
1492	C:\WINDOWS\system32\cmd.exe	77DD1000	1000	page execute read	page read and write	success or wait	3	7C90E457	KiUserApcDispatcher
1492	C:\WINDOWS\system32\cmd.exe	77E71000	1000	page read and write	page execute read	success or wait	4	7C90E457	KiUserApcDispatcher
1492	C:\WINDOWS\system32\cmd.exe	77E71000	1000	page execute read	page read and write	success or wait	4	7C90E457	KiUserApcDispatcher
1492	C:\WINDOWS\system32\cmd.exe	77FE1000	1000	page read and write	page execute read	success or wait	3	7C90E457	KiUserApcDispatcher
1492	C:\WINDOWS\system32\cmd.exe	77FE1000	1000	page execute read	page read and write	success or wait	3	7C90E457	KiUserApcDispatcher
1492	C:\WINDOWS\system32\cmd.exe	76B41000	1000	page read and write	page execute read	success or wait	5	7C90E457	KiUserApcDispatcher
1492	C:\WINDOWS\system32\cmd.exe	76B41000	1000	page execute read	page read and write	success or wait	5	7C90E457	KiUserApcDispatcher
1492	C:\WINDOWS\system32\cmd.exe	774E1000	1000	page read and write	page execute read	success or wait	7	7C90E457	KiUserApcDispatcher
1492	C:\WINDOWS\system32\cmd.exe	774E1000	1000	page execute read	page read and write	success or wait	7	7C90E457	KiUserApcDispatcher
1492	C:\WINDOWS\system32\cmd.exe	77121000	1000	page read and write	page execute read	success or wait	6	7C90E457	KiUserApcDispatcher
1492	C:\WINDOWS\system32\cmd.exe	77121000	1000	page execute read	page read and write	success or wait	6	7C90E457	KiUserApcDispatcher
1492	C:\WINDOWS\system32\cmd.exe	77BE1000	1000	page read and write	page execute read	success or wait	5	7C90E457	KiUserApcDispatcher
1492	C:\WINDOWS\system32\cmd.exe	77BE1000	1000	page execute read	page read and write	success or wait	5	7C90E457	KiUserApcDispatcher
1492	C:\WINDOWS\system32\cmd.exe	77C01000	1000	page read and write	page execute read	success or wait	2	7C90E457	KiUserApcDispatcher
1492	C:\WINDOWS\system32\cmd.exe	77C01000	1000	page execute read	page read and write	success or wait	2	7C90E457	KiUserApcDispatcher
1492	C:\WINDOWS\system32\cmd.exe	7C9C1000	2000	page read and write	page execute read	success or wait	8	7C90E457	KiUserApcDispatcher
1492	C:\WINDOWS\system32\cmd.exe	7C9C1000	2000	page execute read	page read and write	success or wait	8	7C90E457	KiUserApcDispatcher
1492	C:\WINDOWS\system32\cmd.exe	77F61000	1000	page read and write	page execute read	success or wait	5	7C90E457	KiUserApcDispatcher
1492	C:\WINDOWS\system32\cmd.exe	77F61000	1000	page execute read	page read and write	success or wait	5	7C90E457	KiUserApcDispatcher
1492	C:\WINDOWS\system32\cmd.exe	769C1000	1000	page read and write	page execute read	success or wait	5	7C90E457	KiUserApcDispatcher
1492	C:\WINDOWS\system32\cmd.exe	769C1000	1000	page execute read	page read and write	success or wait	5	7C90E457	KiUserApcDispatcher
1492	C:\WINDOWS\system32\cmd.exe	5AD71000	1000	page read and write	page execute read	success or wait	5	7C90E457	KiUserApcDispatcher
1492	C:\WINDOWS\system32\cmd.exe	5AD71000	1000	page execute read	page read and write	success or wait	5	7C90E457	KiUserApcDispatcher
1492	C:\WINDOWS\system32\cmd.exe	76391000	1000	page read and write	page execute read	success or wait	4	7C90E457	KiUserApcDispatcher
1492	C:\WINDOWS\system32\cmd.exe	76391000	1000	page execute read	page read and write	success or wait	4	7C90E457	KiUserApcDispatcher
1492	C:\WINDOWS\system32\cmd.exe	773D1000	1000	page read and write	page execute read	success or wait	7	7C90E457	KiUserApcDispatcher
1492	C:\WINDOWS\system32\cmd.exe	773D1000	1000	page execute read	page read and write	success or wait	7	7C90E457	KiUserApcDispatcher
1492	C:\WINDOWS\system32\cmd.exe	5D091000	1000	page read and write	page execute read	success or wait	5	7C90E457	KiUserApcDispatcher
1492	C:\WINDOWS\system32\cmd.exe	5D091000	1000	page execute read	page read and write	success or wait	5	7C90E457	KiUserApcDispatcher

Memory Usage Statistics

Time	Private Usage (mb)	Workingset (mb)	Page File Usage (mb)
09:39:47	1	0	1

System Activites

System info class	Completion	Count	Source Address	Symbol
BasicInformation	success or wait	15	7C90E457	KiUserApcDispatcher
RangeStartInformation	success or wait	1	7C90E457	KiUserApcDispatcher
ProcessorInformation	success or wait	5	7C90E457	KiUserApcDispatcher

Chronological Activities

Operation	Data	Completion	Time
Key value queried	Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager Name: CWDIllegalInDLLSearch	object name not found	526834973
System info queried	Type: BasicInformation	success or wait	526840945
Memory allocated	PID: 1492 Path: C:\WINDOWS\system32\cmd.exe Base: 150000 Length: 13FB14 Allocation Type: unknown Protection: page read and write	success or wait	526841344
Memory allocated	PID: 1492 Path: C:\WINDOWS\system32\cmd.exe Base: 150000 Length: 13FB18 Allocation Type: unknown Protection: page read and write	success or wait	526846408
Memory allocated	PID: 1492 Path: C:\WINDOWS\system32\cmd.exe Base: 151000 Length: 13F7F4 Allocation Type: unknown Protection: page read and write	success or wait	526872852
System info queried	Type: BasicInformation	success or wait	526880807
Memory allocated	PID: 1492 Path: C:\WINDOWS\system32\cmd.exe Base: 250000 Length: 13FB14 Allocation Type: unknown Protection: page read and write	success or wait	526881098
Memory allocated	PID: 1492 Path: C:\WINDOWS\system32\cmd.exe Base: 250000 Length: 13FB18 Allocation Type: unknown Protection: page read and write	success or wait	526881356
File opened	Path: C:\ Access: execute or traverse and synchronize Options: directory file and synchronous io non alert Overwritten: false	success or wait	526882258
File control set	Path: C:\ Control Code: 90028 Input Buffer: NULL	success or wait	526884564
Section loaded	Path: \KnownDlls\kernel32.dll Access: write and read and execute Type: unknown Baseaddress: 7C800000 Size: 1007616 Protection: read write Mapped to pid: own pid	success or wait	526885533
Memory attributes changed	PID: 1492 Path: C:\WINDOWS\system32\cmd.exe Base: 7C801000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	526899113
Memory attributes changed	PID: 1492 Path: C:\WINDOWS\system32\cmd.exe Base: 7C801000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	526900220
Process information queried	Path: C:\WINDOWS\system32\cmd.exe PID: 1492 Info Class: Cookie	success or wait	526910305
System info queried	Type: RangeStartInformation	success or wait	526910607
System info queried	Type: BasicInformation	success or wait	526910851
Section loaded	Path: unknown Access: query and write and read and execute and extend size Type: reserve Baseaddress: 7C800000 Size: 1007616 Protection: read write Mapped to pid: own pid	success or wait	526911221
System info queried	Type: BasicInformation	success or wait	526938532
Memory allocated	PID: 1492 Path: C:\WINDOWS\system32\cmd.exe Base: 260000 Length: 13F340 Allocation Type: unknown Protection: page read and write	success or wait	526939021
Key value queried	Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Terminal Server Name: TSAppCompat	success or wait	526940161
Section loaded	Path: \NLS\NlsSectionUnicode Access: read Type: unknown Baseaddress: 270000 Size: 90112 Protection: readonly Mapped to pid: own pid	success or wait	526961924
Section loaded	Path: \NLS\NlsSectionLocale Access: read Type: unknown Baseaddress: 290000 Size: 266240 Protection: readonly Mapped to pid: own pid	success or wait	526965063
Section loaded	Path: \NLS\NlsSectionSortkey Access: query and read Type: unknown Baseaddress: 2E0000 Size: 266240 Protection: readonly Mapped to pid: own pid	success or wait	526975274
Section loaded	Path: \NLS\NlsSectionSortTbls Access: read Type: unknown Baseaddress: 330000 Size: 24576 Protection: readonly Mapped to pid: own pid	success or wait	526981937
Section loaded	Path: \NLS\NlsSectionSortkey00000409 Access: read Type: unknown Baseaddress: unknown Size: unknown Protection: unknown Mapped to pid: unknown	object name not found	526985421
Section loaded	Path: \NLS\NlsSectionSortkey00000409 Access: read Type: unknown Baseaddress: unknown Size: unknown Protection: unknown Mapped to pid: unknown	object name not found	526990507
Memory allocated	PID: 1492 Path: C:\WINDOWS\system32\cmd.exe Base: 261000 Length: 13F168 Allocation Type: unknown Protection: page read and write	success or wait	526990838
Memory attributes changed	PID: 1492 Path: C:\WINDOWS\system32\cmd.exe Base: 4AD01000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	527015930
Memory attributes changed	PID: 1492 Path: C:\WINDOWS\system32\cmd.exe Base: 4AD01000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	527016608
Section loaded	Path: \KnownDlls\msvcrt.dll Access: write and read and execute Type: unknown Baseaddress: 77C10000 Size: 360448 Protection: read write Mapped to pid: own pid	success or wait	527016981
Memory attributes changed	PID: 1492 Path: C:\WINDOWS\system32\cmd.exe Base: 77C11000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	527022931
Memory attributes changed	PID: 1492 Path: C:\WINDOWS\system32\cmd.exe Base: 77C11000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	527023493
Memory attributes changed	PID: 1492 Path: C:\WINDOWS\system32\cmd.exe Base: 77C11000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	527023820
Memory attributes changed	PID: 1492 Path: C:\WINDOWS\system32\cmd.exe Base: 77C11000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	527024134
Memory attributes changed	PID: 1492 Path: C:\WINDOWS\system32\cmd.exe Base: 4AD01000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	527025236
Memory attributes changed	PID: 1492 Path: C:\WINDOWS\system32\cmd.exe Base: 4AD01000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	527033781
Section loaded	Path: \KnownDlls\USER32.dll Access: write and read and execute Type: unknown Baseaddress: 7E410000 Size: 593920 Protection: read write Mapped to pid: own pid	success or wait	527034156
Section loaded	Path: \KnownDlls\GDI32.dll Access: write and read and execute Type: unknown Baseaddress: 77F10000 Size: 299008 Protection: read write Mapped to pid: own pid	success or wait	527035665
Memory attributes changed	PID: 1492 Path: C:\WINDOWS\system32\cmd.exe Base: 77F11000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	527053217
Memory attributes changed	PID: 1492 Path: C:\WINDOWS\system32\cmd.exe Base: 77F11000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	527053743
Memory attributes changed	PID: 1492 Path: C:\WINDOWS\system32\cmd.exe Base: 77F11000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	527054094
Memory attributes changed	PID: 1492 Path: C:\WINDOWS\system32\cmd.exe Base: 77F11000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	527055193
Memory attributes changed	PID: 1492 Path: C:\WINDOWS\system32\cmd.exe Base: 77F11000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	527066594
Memory attributes changed	PID: 1492 Path: C:\WINDOWS\system32\cmd.exe Base: 77F11000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	527067214
Memory attributes changed	PID: 1492 Path: C:\WINDOWS\system32\cmd.exe Base: 7E411000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	527067578
Memory attributes changed	PID: 1492 Path: C:\WINDOWS\system32\cmd.exe Base: 7E411000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	527068270
Memory attributes changed	PID: 1492 Path: C:\WINDOWS\system32\cmd.exe Base: 7E411000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	527068599
Memory attributes changed	PID: 1492 Path: C:\WINDOWS\system32\cmd.exe Base: 7E411000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	527071388
Memory attributes changed	PID: 1492 Path: C:\WINDOWS\system32\cmd.exe Base: 7E411000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	527077822
Memory attributes changed	PID: 1492 Path: C:\WINDOWS\system32\cmd.exe Base: 7E411000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	527078297
Section loaded	Path: \KnownDlls\ShimEng.dll Access: write and read and execute Type: unknown Baseaddress: unknown Size: unknown Protection: unknown Mapped to pid: unknown	object name not found	527078822
Memory allocated	PID: 1492 Path: C:\WINDOWS\system32\cmd.exe Base: 153000 Length: 13F420 Allocation Type: unknown Protection: page read and write	success or wait	527079126
File opened	Path: C:\WINDOWS\system32\ShimEng.dll Access: execute or traverse and synchronize Options: synchronous io non alert and non directory file Overwritten: false	success or wait	527079698
Section loaded	Path: C:\WINDOWS\system32\shimeng.dll Access: query and write and read and execute Type: image Baseaddress: 5CB70000 Size: 155648 Protection: read write Mapped to pid: own pid	success or wait	527081413
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers Name: TransparentEnabled	success or wait	527111199
Memory attributes changed	PID: 1492 Path: C:\WINDOWS\system32\cmd.exe Base: 5CB71000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	527485940
Memory attributes changed	PID: 1492 Path: C:\WINDOWS\system32\cmd.exe Base: 5CB71000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	527486471
Memory attributes changed	PID: 1492 Path: C:\WINDOWS\system32\cmd.exe Base: 5CB71000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	527486791
Memory attributes changed	PID: 1492 Path: C:\WINDOWS\system32\cmd.exe Base: 5CB71000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	527487112
File opened	Path: C:\WINDOWS\AppPatch\sysmain.sdb Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file Attributes: normal Content Overwritten: null	success or wait	527490522
Section loaded	Path: C:\WINDOWS\AppPatch\sysmain.sdb Access: read Type: commit Baseaddress: 340000 Size: 1208320 Protection: readonly Mapped to pid: own pid	success or wait	527491615
File opened	Path: C:\WINDOWS\AppPatch\systest.sdb Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file Attributes: normal Content Overwritten: null	object name not found	527504629
System info queried	Type: ProcessorInformation	success or wait	527505426
Process information queried	Path: C:\WINDOWS\system32\cmd.exe PID: 1492 Info Class: Wow64Information	success or wait	527505692
Key value queried	Path: HKEY_LOCAL_MACHINE\SYSTEM\WPA\MediaCenter Name: Installed	success or wait	527506138
File opened	Path: \Device\NamedPipe\ShimViewer Access: write data or add file and append data or add subdirectory or create pipe instance and write ea and write attributes and read control and synchronize Options: no options Attributes: normal Content Overwritten: null	object name not found	527507076
Process information queried	Path: C:\WINDOWS\system32\cmd.exe PID: 1492 Info Class: Wow64Information	success or wait	527514906
System info queried	Type: BasicInformation	success or wait	527515158
Memory allocated	PID: 1492 Path: C:\WINDOWS\system32\cmd.exe Base: 470000 Length: 13F0C8 Allocation Type: unknown Protection: page read and write	success or wait	527515464
Memory allocated	PID: 1492 Path: C:\WINDOWS\system32\cmd.exe Base: 470000 Length: 13F0CC Allocation Type: unknown Protection: page read and write	success or wait	527515747
File opened	Path: \Device\NamedPipe\ShimViewer Access: write data or add file and append data or add subdirectory or create pipe instance and write ea and write attributes and read control and synchronize Options: no options Attributes: normal Content Overwritten: null	object name not found	527516998
Memory allocated	PID: 1492 Path: C:\WINDOWS\system32\cmd.exe Base: 472000 Length: 13EB64 Allocation Type: unknown Protection: page read and write	success or wait	527517885
Memory allocated	PID: 1492 Path: C:\WINDOWS\system32\cmd.exe Base: 473000 Length: 13EEA8 Allocation Type: unknown Protection: page read and write	success or wait	527528897
File opened	Path: C:\WINDOWS\AppPatch\AcGenral.DLL Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file Attributes: normal Content Overwritten: null	success or wait	527529540
File opened	Path: C:\WINDOWS\AppPatch\AcGenral.DLL Access: execute or traverse and synchronize Options: synchronous io non alert and non directory file Overwritten: false	success or wait	527531263
Section loaded	Path: C:\WINDOWS\AppPatch\acgenral.dll Access: write and read and execute Type: commit Baseaddress: 480000 Size: 1855488 Protection: execute Mapped to pid: own pid	success or wait	527532282
File opened	Path: C:\WINDOWS\AppPatch\AcGenral.DLL Access: execute or traverse and synchronize Options: synchronous io non alert and non directory file Overwritten: false	success or wait	527542234
Section loaded	Path: C:\WINDOWS\AppPatch\acgenral.dll Access: write and read and execute Type: commit Baseaddress: 480000 Size: 1855488 Protection: execute Mapped to pid: own pid	success or wait	527543260
File opened	Path: C:\WINDOWS\AppPatch\AcGenral.DLL Access: execute or traverse and synchronize Options: synchronous io non alert and non directory file Overwritten: false	success or wait	527554072
Section loaded	Path: C:\WINDOWS\AppPatch\acgenral.dll Access: query and write and read and execute Type: image Baseaddress: 6F880000 Size: 1875968 Protection: read write Mapped to pid: own pid	success or wait	527555108
Memory attributes changed	PID: 1492 Path: C:\WINDOWS\system32\cmd.exe Base: 6F881000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	527582311
Memory attributes changed	PID: 1492 Path: C:\WINDOWS\system32\cmd.exe Base: 6F881000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	527582782
Memory attributes changed	PID: 1492 Path: C:\WINDOWS\system32\cmd.exe Base: 6F881000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	527583175
Memory attributes changed	PID: 1492 Path: C:\WINDOWS\system32\cmd.exe Base: 6F881000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	527583653
Memory attributes changed	PID: 1492 Path: C:\WINDOWS\system32\cmd.exe Base: 6F881000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	527583986
Memory attributes changed	PID: 1492 Path: C:\WINDOWS\system32\cmd.exe Base: 6F881000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	527586339
Section loaded	Path: \KnownDlls\ADVAPI32.dll Access: write and read and execute Type: unknown Baseaddress: 77DD0000 Size: 634880 Protection: read write Mapped to pid: own pid	success or wait	527594937
Memory attributes changed	PID: 1492 Path: C:\WINDOWS\system32\cmd.exe Base: 77DD1000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	527596487
Memory attributes changed	PID: 1492 Path: C:\WINDOWS\system32\cmd.exe Base: 77DD1000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	527597051
Memory attributes changed	PID: 1492 Path: C:\WINDOWS\system32\cmd.exe Base: 77DD1000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	527606001
Memory attributes changed	PID: 1492 Path: C:\WINDOWS\system32\cmd.exe Base: 77DD1000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	527606604
Section loaded	Path: \KnownDlls\RPCRT4.dll Access: write and read and execute Type: unknown Baseaddress: 77E70000 Size: 602112 Protection: read write Mapped to pid: own pid	success or wait	527607037
Memory attributes changed	PID: 1492 Path: C:\WINDOWS\system32\cmd.exe Base: 77E71000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	527609300
Memory attributes changed	PID: 1492 Path: C:\WINDOWS\system32\cmd.exe Base: 77E71000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	527617013
Memory attributes changed	PID: 1492 Path: C:\WINDOWS\system32\cmd.exe Base: 77E71000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	527617410
Memory attributes changed	PID: 1492 Path: C:\WINDOWS\system32\cmd.exe Base: 77E71000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	527617919
Memory attributes changed	PID: 1492 Path: C:\WINDOWS\system32\cmd.exe Base: 77E71000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	527618307
Memory attributes changed	PID: 1492 Path: C:\WINDOWS\system32\cmd.exe Base: 77E71000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	527618828
Section loaded	Path: \KnownDlls\Secur32.dll Access: write and read and execute Type: unknown Baseaddress: 77FE0000 Size: 69632 Protection: read write Mapped to pid: own pid	success or wait	527619858
Memory attributes changed	PID: 1492 Path: C:\WINDOWS\system32\cmd.exe Base: 77FE1000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	527627958
Memory attributes changed	PID: 1492 Path: C:\WINDOWS\system32\cmd.exe Base: 77FE1000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	527628513
Memory attributes changed	PID: 1492 Path: C:\WINDOWS\system32\cmd.exe Base: 77FE1000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	527628938
Memory attributes changed	PID: 1492 Path: C:\WINDOWS\system32\cmd.exe Base: 77FE1000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	527637132
Memory attributes changed	PID: 1492 Path: C:\WINDOWS\system32\cmd.exe Base: 77FE1000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	527637570
Memory attributes changed	PID: 1492 Path: C:\WINDOWS\system32\cmd.exe Base: 77FE1000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	527638070
Memory attributes changed	PID: 1492 Path: C:\WINDOWS\system32\cmd.exe Base: 77E71000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	527638452
Memory attributes changed	PID: 1492 Path: C:\WINDOWS\system32\cmd.exe Base: 77E71000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	527638831
Memory attributes changed	PID: 1492 Path: C:\WINDOWS\system32\cmd.exe Base: 77DD1000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	527639178
Memory attributes changed	PID: 1492 Path: C:\WINDOWS\system32\cmd.exe Base: 77DD1000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	527649013
Memory attributes changed	PID: 1492 Path: C:\WINDOWS\system32\cmd.exe Base: 6F881000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	527649349
Memory attributes changed	PID: 1492 Path: C:\WINDOWS\system32\cmd.exe Base: 6F881000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	527649691
Section loaded	Path: \KnownDlls\WINMM.dll Access: write and read and execute Type: unknown Baseaddress: unknown Size: unknown Protection: unknown Mapped to pid: unknown	object name not found	527650088
File opened	Path: C:\WINDOWS\system32\WINMM.dll Access: execute or traverse and synchronize Options: synchronous io non alert and non directory file Overwritten: false	success or wait	527650660
Section loaded	Path: C:\WINDOWS\system32\winmm.dll Access: query and write and read and execute Type: image Baseaddress: 76B40000 Size: 184320 Protection: read write Mapped to pid: own pid	success or wait	527651712
Memory attributes changed	PID: 1492 Path: C:\WINDOWS\system32\cmd.exe Base: 76B41000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	527661760
Memory attributes changed	PID: 1492 Path: C:\WINDOWS\system32\cmd.exe Base: 76B41000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	527662293
Memory attributes changed	PID: 1492 Path: C:\WINDOWS\system32\cmd.exe Base: 76B41000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	527664304
Memory attributes changed	PID: 1492 Path: C:\WINDOWS\system32\cmd.exe Base: 76B41000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	527664665
Memory attributes changed	PID: 1492 Path: C:\WINDOWS\system32\cmd.exe Base: 76B41000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	527665030
Memory attributes changed	PID: 1492 Path: C:\WINDOWS\system32\cmd.exe Base: 76B41000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	527670350
Memory attributes changed	PID: 1492 Path: C:\WINDOWS\system32\cmd.exe Base: 76B41000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	527679363
Memory attributes changed	PID: 1492 Path: C:\WINDOWS\system32\cmd.exe Base: 76B41000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	527679789
Memory attributes changed	PID: 1492 Path: C:\WINDOWS\system32\cmd.exe Base: 76B41000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	527680147
Memory attributes changed	PID: 1492 Path: C:\WINDOWS\system32\cmd.exe Base: 76B41000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	527680496
Section loaded	Path: \KnownDlls\ole32.dll Access: write and read and execute Type: unknown Baseaddress: 774E0000 Size: 1302528 Protection: read write Mapped to pid: own pid	success or wait	527680895
Memory attributes changed	PID: 1492 Path: C:\WINDOWS\system32\cmd.exe Base: 774E1000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	527687625
Memory attributes changed	PID: 1492 Path: C:\WINDOWS\system32\cmd.exe Base: 774E1000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	527688124
Memory attributes changed	PID: 1492 Path: C:\WINDOWS\system32\cmd.exe Base: 774E1000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	527688482
Memory attributes changed	PID: 1492 Path: C:\WINDOWS\system32\cmd.exe Base: 774E1000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	527688867
Memory attributes changed	PID: 1492 Path: C:\WINDOWS\system32\cmd.exe Base: 774E1000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	527694869
Memory attributes changed	PID: 1492 Path: C:\WINDOWS\system32\cmd.exe Base: 774E1000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	527695875
Memory attributes changed	PID: 1492 Path: C:\WINDOWS\system32\cmd.exe Base: 774E1000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	527696238
Memory attributes changed	PID: 1492 Path: C:\WINDOWS\system32\cmd.exe Base: 774E1000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	527701132
Memory attributes changed	PID: 1492 Path: C:\WINDOWS\system32\cmd.exe Base: 774E1000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	527701502
Memory attributes changed	PID: 1492 Path: C:\WINDOWS\system32\cmd.exe Base: 774E1000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	527701874
Memory attributes changed	PID: 1492 Path: C:\WINDOWS\system32\cmd.exe Base: 774E1000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	527702229
Memory attributes changed	PID: 1492 Path: C:\WINDOWS\system32\cmd.exe Base: 774E1000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	527702700
Memory attributes changed	PID: 1492 Path: C:\WINDOWS\system32\cmd.exe Base: 774E1000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	527703055
Memory attributes changed	PID: 1492 Path: C:\WINDOWS\system32\cmd.exe Base: 774E1000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	527708972
Memory attributes changed	PID: 1492 Path: C:\WINDOWS\system32\cmd.exe Base: 6F881000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	527709307
Memory attributes changed	PID: 1492 Path: C:\WINDOWS\system32\cmd.exe Base: 6F881000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	527709769
Section loaded	Path: \KnownDlls\OLEAUT32.dll Access: write and read and execute Type: unknown Baseaddress: 77120000 Size: 569344 Protection: read write Mapped to pid: own pid	success or wait	527710170
Memory attributes changed	PID: 1492 Path: C:\WINDOWS\system32\cmd.exe Base: 77121000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	527718388
Memory attributes changed	PID: 1492 Path: C:\WINDOWS\system32\cmd.exe Base: 77121000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	527718931
Memory attributes changed	PID: 1492 Path: C:\WINDOWS\system32\cmd.exe Base: 77121000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	527719290
Memory attributes changed	PID: 1492 Path: C:\WINDOWS\system32\cmd.exe Base: 77121000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	527719669
Memory attributes changed	PID: 1492 Path: C:\WINDOWS\system32\cmd.exe Base: 77121000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	527720026
Memory attributes changed	PID: 1492 Path: C:\WINDOWS\system32\cmd.exe Base: 77121000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	527720881
Memory attributes changed	PID: 1492 Path: C:\WINDOWS\system32\cmd.exe Base: 77121000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	527726090
Memory attributes changed	PID: 1492 Path: C:\WINDOWS\system32\cmd.exe Base: 77121000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	527726474
Memory attributes changed	PID: 1492 Path: C:\WINDOWS\system32\cmd.exe Base: 77121000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	527726829
Memory attributes changed	PID: 1492 Path: C:\WINDOWS\system32\cmd.exe Base: 77121000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	527727198
Memory attributes changed	PID: 1492 Path: C:\WINDOWS\system32\cmd.exe Base: 77121000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	527727549
Memory attributes changed	PID: 1492 Path: C:\WINDOWS\system32\cmd.exe Base: 77121000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	527728969
Section loaded	Path: \KnownDlls\MSACM32.dll Access: write and read and execute Type: unknown Baseaddress: unknown Size: unknown Protection: unknown Mapped to pid: unknown	object name not found	527737221
File opened	Path: C:\WINDOWS\system32\MSACM32.dll Access: execute or traverse and synchronize Options: synchronous io non alert and non directory file Overwritten: false	success or wait	527737793
Section loaded	Path: C:\WINDOWS\system32\msacm32.dll Access: query and write and read and execute Type: image Baseaddress: 77BE0000 Size: 86016 Protection: read write Mapped to pid: own pid	success or wait	527738848
Memory attributes changed	PID: 1492 Path: C:\WINDOWS\system32\cmd.exe Base: 77BE1000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	527751898
Memory attributes changed	PID: 1492 Path: C:\WINDOWS\system32\cmd.exe Base: 77BE1000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	527752393
Memory attributes changed	PID: 1492 Path: C:\WINDOWS\system32\cmd.exe Base: 77BE1000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	527752754
Memory attributes changed	PID: 1492 Path: C:\WINDOWS\system32\cmd.exe Base: 77BE1000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	527753107
Memory attributes changed	PID: 1492 Path: C:\WINDOWS\system32\cmd.exe Base: 77BE1000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	527753465
Memory attributes changed	PID: 1492 Path: C:\WINDOWS\system32\cmd.exe Base: 77BE1000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	527758712
Memory attributes changed	PID: 1492 Path: C:\WINDOWS\system32\cmd.exe Base: 77BE1000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	527759084
Memory attributes changed	PID: 1492 Path: C:\WINDOWS\system32\cmd.exe Base: 77BE1000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	527759435
Memory attributes changed	PID: 1492 Path: C:\WINDOWS\system32\cmd.exe Base: 77BE1000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	527759790
Memory attributes changed	PID: 1492 Path: C:\WINDOWS\system32\cmd.exe Base: 77BE1000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	527760229
Section loaded	Path: \KnownDlls\VERSION.dll Access: write and read and execute Type: unknown Baseaddress: 77C00000 Size: 32768 Protection: read write Mapped to pid: own pid	success or wait	527760642
Memory attributes changed	PID: 1492 Path: C:\WINDOWS\system32\cmd.exe Base: 77C01000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	527767130
Memory attributes changed	PID: 1492 Path: C:\WINDOWS\system32\cmd.exe Base: 77C01000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	527767651
Memory attributes changed	PID: 1492 Path: C:\WINDOWS\system32\cmd.exe Base: 77C01000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	527768015
Memory attributes changed	PID: 1492 Path: C:\WINDOWS\system32\cmd.exe Base: 77C01000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	527768945
Section loaded	Path: \KnownDlls\SHELL32.dll Access: write and read and execute Type: unknown Baseaddress: 7C9C0000 Size: 8482816 Protection: read write Mapped to pid: own pid	success or wait	527773771
Memory attributes changed	PID: 1492 Path: C:\WINDOWS\system32\cmd.exe Base: 7C9C1000 Length: 2000 New Protection: page read and write Old Protection: page execute read	success or wait	527776053
Memory attributes changed	PID: 1492 Path: C:\WINDOWS\system32\cmd.exe Base: 7C9C1000 Length: 2000 New Protection: page execute read Old Protection: page read and write	success or wait	527776597
Memory attributes changed	PID: 1492 Path: C:\WINDOWS\system32\cmd.exe Base: 7C9C1000 Length: 2000 New Protection: page read and write Old Protection: page execute read	success or wait	527782319
Memory attributes changed	PID: 1492 Path: C:\WINDOWS\system32\cmd.exe Base: 7C9C1000 Length: 2000 New Protection: page execute read Old Protection: page read and write	success or wait	527782715
Memory attributes changed	PID: 1492 Path: C:\WINDOWS\system32\cmd.exe Base: 7C9C1000 Length: 2000 New Protection: page read and write Old Protection: page execute read	success or wait	527783145
Memory attributes changed	PID: 1492 Path: C:\WINDOWS\system32\cmd.exe Base: 7C9C1000 Length: 2000 New Protection: page execute read Old Protection: page read and write	success or wait	527783700
Memory attributes changed	PID: 1492 Path: C:\WINDOWS\system32\cmd.exe Base: 7C9C1000 Length: 2000 New Protection: page read and write Old Protection: page execute read	success or wait	527784060
Memory attributes changed	PID: 1492 Path: C:\WINDOWS\system32\cmd.exe Base: 7C9C1000 Length: 2000 New Protection: page execute read Old Protection: page read and write	success or wait	527784420
Memory attributes changed	PID: 1492 Path: C:\WINDOWS\system32\cmd.exe Base: 7C9C1000 Length: 2000 New Protection: page read and write Old Protection: page execute read	success or wait	527790325
Memory attributes changed	PID: 1492 Path: C:\WINDOWS\system32\cmd.exe Base: 7C9C1000 Length: 2000 New Protection: page execute read Old Protection: page read and write	success or wait	527790707
Memory attributes changed	PID: 1492 Path: C:\WINDOWS\system32\cmd.exe Base: 7C9C1000 Length: 2000 New Protection: page read and write Old Protection: page execute read	success or wait	527791069
Memory attributes changed	PID: 1492 Path: C:\WINDOWS\system32\cmd.exe Base: 7C9C1000 Length: 2000 New Protection: page execute read Old Protection: page read and write	success or wait	527791423
Section loaded	Path: \KnownDlls\SHLWAPI.dll Access: write and read and execute Type: unknown Baseaddress: 77F60000 Size: 483328 Protection: read write Mapped to pid: own pid	success or wait	527791848
Memory attributes changed	PID: 1492 Path: C:\WINDOWS\system32\cmd.exe Base: 77F61000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	527812915
Memory attributes changed	PID: 1492 Path: C:\WINDOWS\system32\cmd.exe Base: 77F61000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	527815424
Memory attributes changed	PID: 1492 Path: C:\WINDOWS\system32\cmd.exe Base: 77F61000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	527820624
Memory attributes changed	PID: 1492 Path: C:\WINDOWS\system32\cmd.exe Base: 77F61000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	527821034
Memory attributes changed	PID: 1492 Path: C:\WINDOWS\system32\cmd.exe Base: 77F61000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	527821421
Memory attributes changed	PID: 1492 Path: C:\WINDOWS\system32\cmd.exe Base: 77F61000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	527822059
Memory attributes changed	PID: 1492 Path: C:\WINDOWS\system32\cmd.exe Base: 77F61000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	527822451
Memory attributes changed	PID: 1492 Path: C:\WINDOWS\system32\cmd.exe Base: 77F61000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	527823297
Memory attributes changed	PID: 1492 Path: C:\WINDOWS\system32\cmd.exe Base: 77F61000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	527826478
Memory attributes changed	PID: 1492 Path: C:\WINDOWS\system32\cmd.exe Base: 77F61000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	527827015
Memory attributes changed	PID: 1492 Path: C:\WINDOWS\system32\cmd.exe Base: 7C9C1000 Length: 2000 New Protection: page read and write Old Protection: page execute read	success or wait	527827369
Memory attributes changed	PID: 1492 Path: C:\WINDOWS\system32\cmd.exe Base: 7C9C1000 Length: 2000 New Protection: page execute read Old Protection: page read and write	success or wait	527828008
Memory attributes changed	PID: 1492 Path: C:\WINDOWS\system32\cmd.exe Base: 7C9C1000 Length: 2000 New Protection: page read and write Old Protection: page execute read	success or wait	527828364
Memory attributes changed	PID: 1492 Path: C:\WINDOWS\system32\cmd.exe Base: 7C9C1000 Length: 2000 New Protection: page execute read Old Protection: page read and write	success or wait	527830735
Memory attributes changed	PID: 1492 Path: C:\WINDOWS\system32\cmd.exe Base: 6F881000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	527836718
Memory attributes changed	PID: 1492 Path: C:\WINDOWS\system32\cmd.exe Base: 6F881000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	527837181
Memory attributes changed	PID: 1492 Path: C:\WINDOWS\system32\cmd.exe Base: 6F881000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	527837515
Memory attributes changed	PID: 1492 Path: C:\WINDOWS\system32\cmd.exe Base: 6F881000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	527837833
Section loaded	Path: \KnownDlls\USERENV.dll Access: write and read and execute Type: unknown Baseaddress: 769C0000 Size: 737280 Protection: read write Mapped to pid: own pid	success or wait	527838224
Memory attributes changed	PID: 1492 Path: C:\WINDOWS\system32\cmd.exe Base: 769C1000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	527842614
Memory attributes changed	PID: 1492 Path: C:\WINDOWS\system32\cmd.exe Base: 769C1000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	527843208
Memory attributes changed	PID: 1492 Path: C:\WINDOWS\system32\cmd.exe Base: 769C1000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	527843572
Memory attributes changed	PID: 1492 Path: C:\WINDOWS\system32\cmd.exe Base: 769C1000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	527843717
Memory attributes changed	PID: 1492 Path: C:\WINDOWS\system32\cmd.exe Base: 769C1000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	527854258
Memory attributes changed	PID: 1492 Path: C:\WINDOWS\system32\cmd.exe Base: 769C1000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	527854626
Memory attributes changed	PID: 1492 Path: C:\WINDOWS\system32\cmd.exe Base: 769C1000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	527854984
Memory attributes changed	PID: 1492 Path: C:\WINDOWS\system32\cmd.exe Base: 769C1000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	527855444
Memory attributes changed	PID: 1492 Path: C:\WINDOWS\system32\cmd.exe Base: 769C1000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	527855801
Memory attributes changed	PID: 1492 Path: C:\WINDOWS\system32\cmd.exe Base: 769C1000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	527856566
Section loaded	Path: \KnownDlls\UxTheme.dll Access: write and read and execute Type: unknown Baseaddress: unknown Size: unknown Protection: unknown Mapped to pid: unknown	object name not found	527860785
File opened	Path: C:\WINDOWS\system32\UxTheme.dll Access: execute or traverse and synchronize Options: synchronous io non alert and non directory file Overwritten: false	success or wait	527873810
Section loaded	Path: C:\WINDOWS\system32\uxtheme.dll Access: query and write and read and execute Type: image Baseaddress: 5AD70000 Size: 229376 Protection: read write Mapped to pid: own pid	success or wait	527877748
Memory attributes changed	PID: 1492 Path: C:\WINDOWS\system32\cmd.exe Base: 5AD71000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	527885145
Memory attributes changed	PID: 1492 Path: C:\WINDOWS\system32\cmd.exe Base: 5AD71000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	527885631
Memory attributes changed	PID: 1492 Path: C:\WINDOWS\system32\cmd.exe Base: 5AD71000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	527890693
Memory attributes changed	PID: 1492 Path: C:\WINDOWS\system32\cmd.exe Base: 5AD71000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	527895341
Memory attributes changed	PID: 1492 Path: C:\WINDOWS\system32\cmd.exe Base: 5AD71000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	527895711
Memory attributes changed	PID: 1492 Path: C:\WINDOWS\system32\cmd.exe Base: 5AD71000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	527896148
Memory attributes changed	PID: 1492 Path: C:\WINDOWS\system32\cmd.exe Base: 5AD71000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	527896502
Memory attributes changed	PID: 1492 Path: C:\WINDOWS\system32\cmd.exe Base: 5AD71000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	527896857
Memory attributes changed	PID: 1492 Path: C:\WINDOWS\system32\cmd.exe Base: 5AD71000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	527901603
Memory attributes changed	PID: 1492 Path: C:\WINDOWS\system32\cmd.exe Base: 5AD71000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	527901975
System info queried	Type: BasicInformation	success or wait	527904161
Memory allocated	PID: 1492 Path: C:\WINDOWS\system32\cmd.exe Base: 480000 Length: 13E978 Allocation Type: unknown Protection: page read and write	success or wait	527911581
Memory allocated	PID: 1492 Path: C:\WINDOWS\system32\cmd.exe Base: 480000 Length: 13E97C Allocation Type: unknown Protection: page read and write	success or wait	527911912
Memory allocated	PID: 1492 Path: C:\WINDOWS\system32\cmd.exe Base: 481000 Length: 13E658 Allocation Type: unknown Protection: page read and write	success or wait	527912312
Section loaded	Path: \NLS\NlsSectionCType Access: read Type: unknown Baseaddress: 490000 Size: 12288 Protection: readonly Mapped to pid: own pid	success or wait	527913604
Memory allocated	PID: 1492 Path: C:\WINDOWS\system32\cmd.exe Base: 483000 Length: 13E70C Allocation Type: unknown Protection: page read and write	success or wait	527920033
Process information queried	Path: C:\WINDOWS\system32\cmd.exe PID: 1492 Info Class: Cookie	success or wait	527920556
Process information queried	Path: C:\WINDOWS\system32\cmd.exe PID: 1492 Info Class: Cookie	success or wait	527920856
Mutant created	Name: \BaseNamedObjects\SHIMLIB_LOG_MUTEX	object name exists	527921433
File opened	Path: \Device\NamedPipe\ShimViewer Access: write data or add file and append data or add subdirectory or create pipe instance and write ea and write attributes and read control and synchronize Options: no options Attributes: normal Content Overwritten: null	object name not found	527927386
System info queried	Type: BasicInformation	success or wait	527928095
Memory allocated	PID: 1492 Path: C:\WINDOWS\system32\cmd.exe Base: 4A0000 Length: 13F04C Allocation Type: unknown Protection: page read and write	success or wait	527928444
Memory allocated	PID: 1492 Path: C:\WINDOWS\system32\cmd.exe Base: 4A0000 Length: 13F050 Allocation Type: unknown Protection: page read and write	success or wait	527928764
Memory allocated	PID: 1492 Path: C:\WINDOWS\system32\cmd.exe Base: 4A1000 Length: 13ED2C Allocation Type: unknown Protection: page read and write	success or wait	527929151
System info queried	Type: BasicInformation	success or wait	527929770
System info queried	Type: ProcessorInformation	success or wait	527935214
Process information queried	Path: C:\WINDOWS\system32\cmd.exe PID: 1492 Info Class: ImageInformation	success or wait	527939375
System info queried	Type: BasicInformation	success or wait	527942649
Memory allocated	PID: 1492 Path: C:\WINDOWS\system32\cmd.exe Base: 30000 Length: 13F91C Allocation Type: unknown Protection: page read and write	success or wait	527942976
Memory allocated	PID: 1492 Path: C:\WINDOWS\system32\cmd.exe Base: 30000 Length: 13F920 Allocation Type: unknown Protection: page read and write	success or wait	527943262
Memory allocated	PID: 1492 Path: C:\WINDOWS\system32\cmd.exe Base: 31000 Length: 13F5FC Allocation Type: unknown Protection: page read and write	success or wait	527943615
Memory allocated	PID: 1492 Path: C:\WINDOWS\system32\cmd.exe Base: 33000 Length: 13F6B8 Allocation Type: unknown Protection: page read and write	success or wait	527993382
Process information queried	Path: C:\WINDOWS\system32\cmd.exe PID: 1492 Info Class: Cookie	success or wait	527994307
Process information queried	Path: C:\WINDOWS\system32\cmd.exe PID: 1492 Info Class: Cookie	success or wait	527994566
System info queried	Type: BasicInformation	success or wait	527994956
Key value queried	Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager Name: SafeDllSearchMode	object name not found	527995997
File opened	Path: C:\WINDOWS\system32\IMM32.DLL Access: execute or traverse and synchronize Options: synchronous io non alert and non directory file Overwritten: false	success or wait	528002021
Section loaded	Path: C:\WINDOWS\system32\imm32.dll Access: write and read and execute Type: commit Baseaddress: 410000 Size: 110592 Protection: execute Mapped to pid: own pid	success or wait	528003112
File opened	Path: C:\WINDOWS\system32\IMM32.DLL Access: execute or traverse and synchronize Options: synchronous io non alert and non directory file Overwritten: false	success or wait	528009342
Section loaded	Path: C:\WINDOWS\system32\imm32.dll Access: write and read and execute Type: commit Baseaddress: 410000 Size: 110592 Protection: execute Mapped to pid: own pid	success or wait	528026548
File opened	Path: C:\WINDOWS\system32\IMM32.DLL Access: execute or traverse and synchronize Options: synchronous io non alert and non directory file Overwritten: false	success or wait	528028280
Section loaded	Path: C:\WINDOWS\system32\imm32.dll Access: query and write and read and execute Type: image Baseaddress: 76390000 Size: 118784 Protection: read write Mapped to pid: own pid	success or wait	528036059
Memory attributes changed	PID: 1492 Path: C:\WINDOWS\system32\cmd.exe Base: 76391000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	528037749
Memory attributes changed	PID: 1492 Path: C:\WINDOWS\system32\cmd.exe Base: 76391000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	528038594
Memory attributes changed	PID: 1492 Path: C:\WINDOWS\system32\cmd.exe Base: 76391000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	528044308
Memory attributes changed	PID: 1492 Path: C:\WINDOWS\system32\cmd.exe Base: 76391000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	528044721
Memory attributes changed	PID: 1492 Path: C:\WINDOWS\system32\cmd.exe Base: 76391000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	528045078
Memory attributes changed	PID: 1492 Path: C:\WINDOWS\system32\cmd.exe Base: 76391000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	528045493
Memory attributes changed	PID: 1492 Path: C:\WINDOWS\system32\cmd.exe Base: 76391000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	528045841
Memory attributes changed	PID: 1492 Path: C:\WINDOWS\system32\cmd.exe Base: 76391000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	528046530
System info queried	Type: BasicInformation	success or wait	528052120
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize Name: DisableMetaFiles	object name not found	528053250
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Name: AppInit_DLLs	success or wait	528057004
Memory allocated	PID: 1492 Path: C:\WINDOWS\system32\cmd.exe Base: 154000 Length: 13F728 Allocation Type: unknown Protection: page read and write	success or wait	528059554
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Name: LeakTrack	object name not found	528065262
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: wave	success or wait	528066659
Memory allocated	PID: 1492 Path: C:\WINDOWS\system32\cmd.exe Base: 8F0000 Length: 13F52C Allocation Type: unknown Protection: page read and write	success or wait	528067899
Memory allocated	PID: 1492 Path: C:\WINDOWS\system32\cmd.exe Base: 8F0000 Length: 13F528 Allocation Type: unknown Protection: page read and write	success or wait	528074463
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: wave	success or wait	528074954
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: wave1	success or wait	528077599
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: wave1	success or wait	528078662
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: wave2	object name not found	528079684
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: wave3	object name not found	528080698
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: wave4	object name not found	528088563
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: wave5	object name not found	528089599
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: wave6	object name not found	528090711
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: wave7	object name not found	528091727
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: wave8	object name not found	528092737
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: wave9	object name not found	528093749
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: midi	success or wait	528100198
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: midi	success or wait	528101257
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: midi1	success or wait	528102279
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: midi1	success or wait	528103372
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: midi2	object name not found	528104533
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: midi3	object name not found	528105554
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: midi4	object name not found	528111425
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: midi5	object name not found	528112446
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: midi6	object name not found	528113460
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: midi7	object name not found	528120661
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: midi8	object name not found	528121686
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: midi9	object name not found	528122702
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: aux	success or wait	528123776
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: aux	success or wait	528127196
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: aux1	success or wait	528131890
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: aux1	success or wait	528133096
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: aux2	object name not found	528134121
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: aux3	object name not found	528135175
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: aux4	object name not found	528136223
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: aux5	object name not found	528139269
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: aux6	object name not found	528143383
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: aux7	object name not found	528144441
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: aux8	object name not found	528145452
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: aux9	object name not found	528146462
Key value queried	Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\MediaProperties\PrivateProperties\Joystick\Winmm Name: wheel	success or wait	528147821
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: mixer	success or wait	528155441
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: mixer	success or wait	528156497
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: mixer1	success or wait	528157564
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: mixer1	success or wait	528158612
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: mixer2	object name not found	528159636
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: mixer3	object name not found	528163364
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: mixer4	object name not found	528167745
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: mixer5	object name not found	528168761
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: mixer6	object name not found	528169773
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: mixer7	object name not found	528170828
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: mixer8	object name not found	528171838
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: mixer9	object name not found	528175248
Memory allocated	PID: 1492 Path: C:\WINDOWS\system32\cmd.exe Base: 155000 Length: 13F5BC Allocation Type: unknown Protection: page read and write	success or wait	528180247
File opened	Path: \Device\KsecDD Access: read data or list directory and synchronize Options: synchronous io alert Overwritten: false	success or wait	528180778
System info queried	Type: BasicInformation	success or wait	528187051
System info queried	Type: ProcessorInformation	success or wait	528192472
Key value queried	Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager Name: CriticalSectionTimeout	success or wait	528193025
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole Name: RWLockResourceTimeOut	object name not found	528193979
System info queried	Type: BasicInformation	success or wait	528194719
System info queried	Type: ProcessorInformation	success or wait	528214357
System info queried	Type: BasicInformation	success or wait	528215309
System info queried	Type: ProcessorInformation	success or wait	528215611
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface Name: InterfaceHelperDisableAll	object name not found	528216082
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface Name: InterfaceHelperDisableAllForOle32	object name not found	528216406
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface Name: InterfaceHelperDisableTypeLib	object name not found	528216720
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{00020400-0000-0000-C000-000000000046} Name: InterfaceHelperDisableAll	object name not found	528220997
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{00020400-0000-0000-C000-000000000046} Name: InterfaceHelperDisableAllForOle32	object name not found	528221322
Memory allocated	PID: 1492 Path: C:\WINDOWS\system32\cmd.exe Base: 156000 Length: 13F55C Allocation Type: unknown Protection: page read and write	success or wait	528226051
Key value queried	Path: HKEY_USERS\Software\Microsoft\Multimedia\Audio Name: SystemFormats	success or wait	528233442
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: msacm.imaadpcm	buffer overflow	528240723
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: msacm.imaadpcm	success or wait	528241096
Memory allocated	PID: 1492 Path: C:\WINDOWS\system32\cmd.exe Base: 157000 Length: 13EF90 Allocation Type: unknown Protection: page read and write	success or wait	528246904
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.imaadpcm Name: fdwSupport	success or wait	528247570
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.imaadpcm Name: cFormatTags	success or wait	528248117
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.imaadpcm Name: aFormatTagCache	success or wait	528248660
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.imaadpcm Name: cFilterTags	success or wait	528249257
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: msacm.msadpcm	buffer overflow	528254695
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: msacm.msadpcm	success or wait	528255060
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msadpcm Name: fdwSupport	success or wait	528255900
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msadpcm Name: cFormatTags	success or wait	528256441
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msadpcm Name: aFormatTagCache	success or wait	528261583
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msadpcm Name: cFilterTags	success or wait	528262129
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: msacm.msg711	buffer overflow	528263349
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: msacm.msg711	success or wait	528263712
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msg711 Name: fdwSupport	success or wait	528285693
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msg711 Name: cFormatTags	success or wait	528289555
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msg711 Name: aFormatTagCache	success or wait	528290111
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msg711 Name: cFilterTags	success or wait	528290689
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: msacm.msgsm610	buffer overflow	528297089
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: msacm.msgsm610	success or wait	528297458
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msgsm610 Name: fdwSupport	success or wait	528298309
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msgsm610 Name: cFormatTags	success or wait	528300697
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msgsm610 Name: aFormatTagCache	success or wait	528305041
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msgsm610 Name: cFilterTags	success or wait	528305577
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: msacm.trspch	buffer overflow	528306745
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: msacm.trspch	success or wait	528309036
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.trspch Name: fdwSupport	success or wait	528312806
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.trspch Name: cFormatTags	success or wait	528313352
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.trspch Name: aFormatTagCache	success or wait	528313892
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.trspch Name: cFilterTags	success or wait	528314469
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: msacm.msg723	buffer overflow	528323439
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: msacm.msg723	success or wait	528323814
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msg723 Name: fdwSupport	success or wait	528324660
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msg723 Name: cFormatTags	success or wait	528326744
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msg723 Name: aFormatTagCache	success or wait	528330643
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msg723 Name: cFilterTags	success or wait	528331179
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: msacm.msaudio1	buffer overflow	528332427
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: msacm.msaudio1	success or wait	528335944
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msaudio1 Name: fdwSupport	success or wait	528340004
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msaudio1 Name: cFormatTags	success or wait	528342638
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msaudio1 Name: aFormatTagCache	success or wait	528347537
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msaudio1 Name: cFilterTags	success or wait	528348127
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: msacm.sl_anet	buffer overflow	528363565
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: msacm.sl_anet	success or wait	528365118
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.sl_anet Name: fdwSupport	success or wait	528369383
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.sl_anet Name: cFormatTags	success or wait	528369927
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.sl_anet Name: aFormatTagCache	success or wait	528370467
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.sl_anet Name: cFilterTags	success or wait	528371001
Memory allocated	PID: 1492 Path: C:\WINDOWS\system32\cmd.exe Base: 158000 Length: 13F188 Allocation Type: unknown Protection: page read and write	success or wait	528379001
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: msacm.iac2	buffer overflow	528379506
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: msacm.iac2	success or wait	528379882
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.iac2 Name: fdwSupport	success or wait	528380839
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.iac2 Name: cFormatTags	success or wait	528381382
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.iac2 Name: aFormatTagCache	success or wait	528388203
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.iac2 Name: cFilterTags	success or wait	528389407
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: msacm.l3acm	buffer overflow	528390584
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: msacm.l3acm	success or wait	528390959
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.l3acm Name: fdwSupport	success or wait	528397836
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.l3acm Name: cFormatTags	success or wait	528398380
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.l3acm Name: aFormatTagCache	success or wait	528398921
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.l3acm Name: cFilterTags	success or wait	528399453
Key value queried	Path: HKEY_USERS\Software\Microsoft\Multimedia\Audio Compression Manager\MSACM Name: NoPCMConverter	object name not found	528427507
Memory allocated	PID: 1492 Path: C:\WINDOWS\system32\cmd.exe Base: 159000 Length: 13EFB0 Allocation Type: unknown Protection: page read and write	success or wait	528428319
Key value queried	Path: HKEY_USERS\Software\Microsoft\Multimedia\Audio Compression Manager\Priority v4.00 Name: Priority1	object name not found	528437947
Key value queried	Path: HKEY_LOCAL_MACHINE\SYSTEM\Setup Name: SystemSetupInProgress	success or wait	528456471
File opened	Path: C:\WINDOWS\system32\SHELL32.dll Access: read data or list directory and read ea and execute or traverse and read attributes and read control and synchronize Options: synchronous io non alert and non directory file Overwritten: false	success or wait	528464652
Section loaded	Path: C:\WINDOWS\system32\shell32.dll Access: read Type: commit Baseaddress: 970000 Size: 8462336 Protection: readonly Mapped to pid: own pid	success or wait	528465723
File opened	Path: C:\WINDOWS\system32\SHELL32.dll.124.Manifest Access: read data or list directory and read ea and execute or traverse and read attributes and read control and synchronize Options: synchronous io non alert and non directory file Overwritten: false	object name not found	528466621
File opened	Path: C:\WINDOWS\system32\SHELL32.dll.124.Config Access: read data or list directory and read ea and execute or traverse and read attributes and read control and synchronize Options: synchronous io non alert and non directory file Overwritten: false	object name not found	528467826
File opened	Path: C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202 Access: execute or traverse and synchronize Options: directory file and synchronous io non alert Overwritten: false	success or wait	528511500
File opened	Path: C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll Access: execute or traverse and synchronize Options: synchronous io non alert and non directory file Overwritten: false	success or wait	528512956
Section loaded	Path: C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll Access: write and read and execute Type: commit Baseaddress: 970000 Size: 1056768 Protection: execute Mapped to pid: own pid	success or wait	528514525
File opened	Path: C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll Access: execute or traverse and synchronize Options: synchronous io non alert and non directory file Overwritten: false	success or wait	528527048
Section loaded	Path: C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll Access: query and write and read and execute Type: image Baseaddress: 773D0000 Size: 1060864 Protection: read write Mapped to pid: own pid	success or wait	528528665
Memory attributes changed	PID: 1492 Path: C:\WINDOWS\system32\cmd.exe Base: 773D1000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	528535536
Memory attributes changed	PID: 1492 Path: C:\WINDOWS\system32\cmd.exe Base: 773D1000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	528535973
Memory attributes changed	PID: 1492 Path: C:\WINDOWS\system32\cmd.exe Base: 773D1000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	528536356
Memory attributes changed	PID: 1492 Path: C:\WINDOWS\system32\cmd.exe Base: 773D1000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	528536731
Memory attributes changed	PID: 1492 Path: C:\WINDOWS\system32\cmd.exe Base: 773D1000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	528543059
Memory attributes changed	PID: 1492 Path: C:\WINDOWS\system32\cmd.exe Base: 773D1000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	528543509
Memory attributes changed	PID: 1492 Path: C:\WINDOWS\system32\cmd.exe Base: 773D1000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	528543949
Memory attributes changed	PID: 1492 Path: C:\WINDOWS\system32\cmd.exe Base: 773D1000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	528544378
Memory attributes changed	PID: 1492 Path: C:\WINDOWS\system32\cmd.exe Base: 773D1000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	528544804
Memory attributes changed	PID: 1492 Path: C:\WINDOWS\system32\cmd.exe Base: 773D1000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	528545268
Memory attributes changed	PID: 1492 Path: C:\WINDOWS\system32\cmd.exe Base: 773D1000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	528551887
Memory attributes changed	PID: 1492 Path: C:\WINDOWS\system32\cmd.exe Base: 773D1000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	528552270
Memory attributes changed	PID: 1492 Path: C:\WINDOWS\system32\cmd.exe Base: 773D1000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	528552696
Memory attributes changed	PID: 1492 Path: C:\WINDOWS\system32\cmd.exe Base: 773D1000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	528553188
File opened	Path: C:\WINDOWS\WindowsShell.Manifest Access: execute or traverse and synchronize Options: synchronous io non alert and non directory file Overwritten: false	success or wait	528555351
Section loaded	Path: C:\WINDOWS\WindowsShell.Manifest Access: write and read and execute Type: commit Baseaddress: 440000 Size: 4096 Protection: execute Mapped to pid: own pid	success or wait	528556545
File opened	Path: C:\WINDOWS\WindowsShell.Manifest Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file Attributes: none Content Overwritten: null	success or wait	528565321
Section loaded	Path: C:\WINDOWS\WindowsShell.Manifest Access: query and read Type: commit Baseaddress: 440000 Size: 4096 Protection: readonly Mapped to pid: own pid	success or wait	528580061
File opened	Path: C:\WINDOWS\WindowsShell.Manifest Access: execute or traverse and synchronize Options: synchronous io non alert and non directory file Overwritten: false	success or wait	528582163
Section loaded	Path: C:\WINDOWS\WindowsShell.Manifest Access: read Type: commit Baseaddress: 440000 Size: 4096 Protection: readonly Mapped to pid: own pid	success or wait	528589053
File opened	Path: C:\WINDOWS\WindowsShell.Config Access: read data or list directory and read ea and execute or traverse and read attributes and read control and synchronize Options: synchronous io non alert and non directory file Overwritten: false	object name not found	528590750
Key value queried	Path: HKEY_USERS\Control Panel\Desktop Name: SmoothScroll	object name not found	528636013
Key value queried	Path: HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced Name: EnableBalloonTips	object name not found	528640876
Section loaded	Path: \KnownDlls\comctl32.dll Access: write and read and execute Type: unknown Baseaddress: 5D090000 Size: 630784 Protection: read write Mapped to pid: own pid	success or wait	528651990
Memory attributes changed	PID: 1492 Path: C:\WINDOWS\system32\cmd.exe Base: 5D091000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	528655002
Memory attributes changed	PID: 1492 Path: C:\WINDOWS\system32\cmd.exe Base: 5D091000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	528660577
Memory attributes changed	PID: 1492 Path: C:\WINDOWS\system32\cmd.exe Base: 5D091000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	528660947
Memory attributes changed	PID: 1492 Path: C:\WINDOWS\system32\cmd.exe Base: 5D091000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	528661346
Memory attributes changed	PID: 1492 Path: C:\WINDOWS\system32\cmd.exe Base: 5D091000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	528661816
Memory attributes changed	PID: 1492 Path: C:\WINDOWS\system32\cmd.exe Base: 5D091000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	528662270
Memory attributes changed	PID: 1492 Path: C:\WINDOWS\system32\cmd.exe Base: 5D091000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	528664128
Memory attributes changed	PID: 1492 Path: C:\WINDOWS\system32\cmd.exe Base: 5D091000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	528668350
Memory attributes changed	PID: 1492 Path: C:\WINDOWS\system32\cmd.exe Base: 5D091000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	528668722
Memory attributes changed	PID: 1492 Path: C:\WINDOWS\system32\cmd.exe Base: 5D091000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	528670359
System info queried	Type: BasicInformation	success or wait	528676680
Memory allocated	PID: 1492 Path: C:\WINDOWS\system32\cmd.exe Base: 440000 Length: 13F1B8 Allocation Type: unknown Protection: page read and write	success or wait	528677079
Memory allocated	PID: 1492 Path: C:\WINDOWS\system32\cmd.exe Base: 440000 Length: 13F1BC Allocation Type: unknown Protection: page read and write	success or wait	528677449
Memory allocated	PID: 1492 Path: C:\WINDOWS\system32\cmd.exe Base: 441000 Length: 13EE98 Allocation Type: unknown Protection: page read and write	success or wait	528677946
Memory allocated	PID: 1492 Path: C:\WINDOWS\system32\cmd.exe Base: 443000 Length: 13EF4C Allocation Type: unknown Protection: page read and write	success or wait	528680445
File opened	Path: C:\WINDOWS\system32\comctl32.dll Access: read data or list directory and read ea and execute or traverse and read attributes and read control and synchronize Options: synchronous io non alert and non directory file Overwritten: false	success or wait	528682060
Section loaded	Path: C:\WINDOWS\system32\comctl32.dll Access: read Type: commit Baseaddress: 970000 Size: 618496 Protection: readonly Mapped to pid: own pid	success or wait	528685981
File opened	Path: C:\WINDOWS\system32\comctl32.dll.124.Manifest Access: read data or list directory and read ea and execute or traverse and read attributes and read control and synchronize Options: synchronous io non alert and non directory file Overwritten: false	object name not found	528687095
File opened	Path: C:\WINDOWS\system32\comctl32.dll.124.Config Access: read data or list directory and read ea and execute or traverse and read attributes and read control and synchronize Options: synchronous io non alert and non directory file Overwritten: false	object name not found	528702660
Process information queried	Path: C:\WINDOWS\system32\cmd.exe PID: 1492 Info Class: SessionInformation	success or wait	528709743
Key value queried	Path: HKEY_USERS\Control Panel\Desktop Name: SmoothScroll	object name not found	528722172
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Name: UserEnvDebugLevel	object name not found	528725351
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Name: ChkAccDebugLevel	object name not found	528731357
Key value queried	Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ProductOptions Name: ProductType	success or wait	528779357
Key value queried	Path: HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders Name: Personal	success or wait	528785064
Key value queried	Path: HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders Name: Local Settings	success or wait	528785598
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Name: RsopDebugLevel	object name not found	528790788
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Name: UserEnvDebugLevel	object name not found	528791767
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Name: RsopLogging	object name not found	528792298
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System Name: UserEnvDebugLevel	object name not found	528794534
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System Name: RsopLogging	object name not found	528798862
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Name: UserEnvDebugLevel	object name not found	528799804
Memory allocated	PID: 1492 Path: C:\WINDOWS\system32\cmd.exe Base: 34000 Length: 13EF58 Allocation Type: unknown Protection: page read and write	success or wait	528804885
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System Name: UserEnvDebugLevel	object name not found	528805485
Key value queried	Path: HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\ThemeManager Name: Compositing	object name not found	528807623
Key value queried	Path: HKEY_USERS\Control Panel\Desktop Name: LameButtonText	object name not found	528813886
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor Name: DisableUNCCheck	object name not found	528855744
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor Name: EnableExtensions	success or wait	528857038
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor Name: DelayedExpansion	object name not found	528857628
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor Name: DefaultColor	success or wait	528861213
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor Name: CompletionChar	success or wait	528862432
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor Name: PathCompletionChar	success or wait	528863017
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor Name: AutoRun	success or wait	528867032
Key value queried	Path: HKEY_USERS\Software\Microsoft\Command Processor Name: DisableUNCCheck	object name not found	528868804
Key value queried	Path: HKEY_USERS\Software\Microsoft\Command Processor Name: EnableExtensions	success or wait	528870791
Key value queried	Path: HKEY_USERS\Software\Microsoft\Command Processor Name: DelayedExpansion	object name not found	528872495
Key value queried	Path: HKEY_USERS\Software\Microsoft\Command Processor Name: DefaultColor	success or wait	528873082
Key value queried	Path: HKEY_USERS\Software\Microsoft\Command Processor Name: CompletionChar	success or wait	528873664
Key value queried	Path: HKEY_USERS\Software\Microsoft\Command Processor Name: PathCompletionChar	object name not found	528874288
Key value queried	Path: HKEY_USERS\Software\Microsoft\Command Processor Name: AutoRun	object name not found	528874774
File opened	Path: C:\ Access: execute or traverse and synchronize Options: directory file and synchronous io non alert Overwritten: false	success or wait	528885584
Memory allocated	PID: 1492 Path: C:\WINDOWS\system32\cmd.exe Base: 970000 Length: 13FE10 Allocation Type: unknown Protection: page read and write	success or wait	528887297
Key value queried	Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale Name: 00000409	success or wait	528894375
Key value queried	Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups Name: 1	success or wait	528895559
Process information queried	Path: C:\WINDOWS\system32\cmd.exe PID: 1492 Info Class: DeviceMap	success or wait	528902544
File created	Path: C:\WINDOWS\system32\LogFiles Access: read data or list directory and synchronize Options: directory file and synchronous io non alert and open for backup ident Attributes: normal Content Overwritten: null	success or wait	528903119
Process information queried	Path: C:\WINDOWS\system32\cmd.exe PID: 1492 Info Class: Cookie	success or wait	529103266
Process information queried	Path: C:\WINDOWS\system32\cmd.exe PID: 1492 Info Class: Cookie	success or wait	529103880
Process terminated	PID: 1492 Path: C:\WINDOWS\system32\cmd.exe	success or wait	529104839
Process information queried	Path: C:\WINDOWS\system32\cmd.exe PID: 1492 Info Class: Cookie	success or wait	529107586
Process information queried	Path: C:\WINDOWS\system32\cmd.exe PID: 1492 Info Class: Cookie	success or wait	529114949
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize Name: DisableMetaFiles	object name not found	529139193

Analysis File: explorer.exe PID: 1696 Parent PID: 1764

General

Start time:	09:39:47
Start date:	24/01/2012
Path:	C:\WINDOWS\explorer.exe
Wow64 process (32bit):	false
Commandline:	explorer C:\
Imagebase:	0x7c900000
File size:	1033728 bytes
MD5 hash:	12896823FB95BFB3DC9B46BCAEDC9923

File Activites

File Path	Access	Options	Content overwritten	Completion	Count	Source Address	Symbol
C:\	execute or traverse and synchronize	directory file and synchronous io non alert	false	success or wait	1	7C90E457	KiUserApcDispatcher
C:\WINDOWS\system32\BROWSEUI.dll	execute or traverse and synchronize	synchronous io non alert and non directory file	false	success or wait	2	7C90E457	KiUserApcDispatcher
C:\WINDOWS\system32\SHDOCVW.dll	execute or traverse and synchronize	synchronous io non alert and non directory file	false	success or wait	2	7C90E457	KiUserApcDispatcher
C:\WINDOWS\system32\CRYPT32.dll	execute or traverse and synchronize	synchronous io non alert and non directory file	false	success or wait	1	7C90E457	KiUserApcDispatcher
C:\WINDOWS\system32\MSASN1.dll	execute or traverse and synchronize	synchronous io non alert and non directory file	false	success or wait	1	7C90E457	KiUserApcDispatcher
C:\WINDOWS\system32\CRYPTUI.dll	execute or traverse and synchronize	synchronous io non alert and non directory file	false	success or wait	1	7C90E457	KiUserApcDispatcher
C:\WINDOWS\system32\CRYPTUI.dll.2.Manifest	read data or list directory and read ea and execute or traverse and read attributes and read control and synchronize	synchronous io non alert and non directory file	false	object name not found	1	7C90E457	KiUserApcDispatcher
C:\WINDOWS\system32\CRYPTUI.dll.2.Config	read data or list directory and read ea and execute or traverse and read attributes and read control and synchronize	synchronous io non alert and non directory file	false	object name not found	1	7C90E457	KiUserApcDispatcher
C:\WINDOWS\system32\NETAPI32.dll	execute or traverse and synchronize	synchronous io non alert and non directory file	false	success or wait	1	7C90E457	KiUserApcDispatcher
C:\WINDOWS\system32\WINTRUST.dll	execute or traverse and synchronize	synchronous io non alert and non directory file	false	success or wait	1	7C90E457	KiUserApcDispatcher
C:\WINDOWS\system32\UxTheme.dll	execute or traverse and synchronize	synchronous io non alert and non directory file	false	success or wait	1	7C90E457	KiUserApcDispatcher
C:\WINDOWS\system32\ShimEng.dll	execute or traverse and synchronize	synchronous io non alert and non directory file	false	success or wait	1	7C90E457	KiUserApcDispatcher
C:\WINDOWS\AppPatch\AcGenral.DLL	execute or traverse and synchronize	synchronous io non alert and non directory file	false	success or wait	3	7C90E457	KiUserApcDispatcher
C:\WINDOWS\system32\WINMM.dll	execute or traverse and synchronize	synchronous io non alert and non directory file	false	success or wait	1	7C90E457	KiUserApcDispatcher
C:\WINDOWS\system32\MSACM32.dll	execute or traverse and synchronize	synchronous io non alert and non directory file	false	success or wait	1	7C90E457	KiUserApcDispatcher
C:\WINDOWS\system32\IMM32.DLL	execute or traverse and synchronize	synchronous io non alert and non directory file	false	success or wait	3	7C90E457	KiUserApcDispatcher
\Device\KsecDD	read data or list directory and synchronize	synchronous io alert	false	success or wait	1	7C90E457	KiUserApcDispatcher
C:\WINDOWS\system32\BROWSEUI.dll.123.Manifest	read data or list directory and read ea and execute or traverse and read attributes and read control and synchronize	synchronous io non alert and non directory file	false	object name not found	1	7C90E457	KiUserApcDispatcher
C:\WINDOWS\system32\BROWSEUI.dll.123.Config	read data or list directory and read ea and execute or traverse and read attributes and read control and synchronize	synchronous io non alert and non directory file	false	object name not found	1	7C90E457	KiUserApcDispatcher
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202	execute or traverse and synchronize	directory file and synchronous io non alert	false	success or wait	7	7C90E457	KiUserApcDispatcher
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll	execute or traverse and synchronize	synchronous io non alert and non directory file	false	success or wait	2	7C90E457	KiUserApcDispatcher
C:\WINDOWS\WindowsShell.Manifest	execute or traverse and synchronize	synchronous io non alert and non directory file	false	success or wait	2	7C90E457	KiUserApcDispatcher
C:\WINDOWS\WindowsShell.Config	read data or list directory and read ea and execute or traverse and read attributes and read control and synchronize	synchronous io non alert and non directory file	false	object name not found	1	7C90E457	KiUserApcDispatcher
C:\WINDOWS\system32\urlmon.dll.123.Manifest	read data or list directory and read ea and execute or traverse and read attributes and read control and synchronize	synchronous io non alert and non directory file	false	object name not found	1	7C90E457	KiUserApcDispatcher
C:\WINDOWS\system32\urlmon.dll.123.Config	read data or list directory and read ea and execute or traverse and read attributes and read control and synchronize	synchronous io non alert and non directory file	false	object name not found	1	7C90E457	KiUserApcDispatcher
C:\WINDOWS\system32\WININET.dll.123.Manifest	read data or list directory and read ea and execute or traverse and read attributes and read control and synchronize	synchronous io non alert and non directory file	false	object name not found	1	7C90E457	KiUserApcDispatcher
C:\WINDOWS\system32\WININET.dll.123.Config	read data or list directory and read ea and execute or traverse and read attributes and read control and synchronize	synchronous io non alert and non directory file	false	object name not found	1	7C90E457	KiUserApcDispatcher
C:\WINDOWS\system32\RichEd20.dll	execute or traverse and synchronize	synchronous io non alert and non directory file	false	success or wait	1	7C90E457	KiUserApcDispatcher
C:\WINDOWS\system32\SHDOCVW.dll.123.Manifest	read data or list directory and read ea and execute or traverse and read attributes and read control and synchronize	synchronous io non alert and non directory file	false	object name not found	1	7C90E457	KiUserApcDispatcher
C:\WINDOWS\system32\SHDOCVW.dll.123.Config	read data or list directory and read ea and execute or traverse and read attributes and read control and synchronize	synchronous io non alert and non directory file	false	object name not found	1	7C90E457	KiUserApcDispatcher
C:\WINDOWS\system32\SHELL32.dll	read data or list directory and read ea and execute or traverse and read attributes and read control and synchronize	synchronous io non alert and non directory file	false	success or wait	1	7C90E457	KiUserApcDispatcher
C:\WINDOWS\system32\SHELL32.dll.124.Manifest	read data or list directory and read ea and execute or traverse and read attributes and read control and synchronize	synchronous io non alert and non directory file	false	object name not found	1	7C90E457	KiUserApcDispatcher
C:\WINDOWS\system32\SHELL32.dll.124.Config	read data or list directory and read ea and execute or traverse and read attributes and read control and synchronize	synchronous io non alert and non directory file	false	object name not found	1	7C90E457	KiUserApcDispatcher
C:\WINDOWS\system32\comctl32.dll	read data or list directory and read ea and execute or traverse and read attributes and read control and synchronize	synchronous io non alert and non directory file	false	success or wait	1	7C90E457	KiUserApcDispatcher
C:\WINDOWS\system32\comctl32.dll.124.Manifest	read data or list directory and read ea and execute or traverse and read attributes and read control and synchronize	synchronous io non alert and non directory file	false	object name not found	1	7C90E457	KiUserApcDispatcher
C:\WINDOWS\system32\comctl32.dll.124.Config	read data or list directory and read ea and execute or traverse and read attributes and read control and synchronize	synchronous io non alert and non directory file	false	object name not found	1	7C90E457	KiUserApcDispatcher
C:\WINDOWS\explorer.exe	read data or list directory and read ea and execute or traverse and read attributes and read control and synchronize	synchronous io non alert and non directory file	false	success or wait	1	101AAC4	CreateActCtxW
C:\WINDOWS\explorer.exe.123.Manifest	read data or list directory and read ea and execute or traverse and read attributes and read control and synchronize	synchronous io non alert and non directory file	false	object name not found	1	101AAC4	CreateActCtxW
C:\WINDOWS\explorer.exe.123.Config	read data or list directory and read ea and execute or traverse and read attributes and read control and synchronize	synchronous io non alert and non directory file	false	object name not found	1	101AAC4	CreateActCtxW
C:\WINDOWS\system32\SETUPAPI.dll	execute or traverse and synchronize	synchronous io non alert and non directory file	false	success or wait	1	7C817077	unknown
IDE#CdRomVBOX_CD-ROM_____________________________1.0_____#42562d3131303066333036662020202020202020#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}	read attributes and synchronize	synchronous io non alert and non directory file	false	success or wait	2	7C817077	unknown
STORAGE#Volume#1&30a96598&0&SignatureF4ACF4ACOffset7E00Length3BFEFCE00#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}	read attributes and synchronize	synchronous io non alert and non directory file	false	success or wait	2	7C817077	unknown
C:\WINDOWS\AppPatch\sysmain.sdb	read attributes and synchronize and generic read	synchronous io non alert and non directory file		success or wait	1	7C90E457	KiUserApcDispatcher
C:\WINDOWS\AppPatch\systest.sdb	read attributes and synchronize and generic read	synchronous io non alert and non directory file		object name not found	1	7C90E457	KiUserApcDispatcher
\Device\NamedPipe\ShimViewer	write data or add file and append data or add subdirectory or create pipe instance and write ea and write attributes and read control and synchronize	no options		object name not found	4	7C90E457	KiUserApcDispatcher
C:\WINDOWS\AppPatch\AcGenral.DLL	read attributes and synchronize and generic read	synchronous io non alert and non directory file		success or wait	2	7C90E457	KiUserApcDispatcher
C:\WINDOWS\WindowsShell.Manifest	read attributes and synchronize and generic read	synchronous io non alert and non directory file		success or wait	1	7C90E457	KiUserApcDispatcher
WMIDataDevice	read attributes and synchronize and generic read and generic write	non directory file	true	success or wait	3	7C90E457	KiUserApcDispatcher
\pipe\lsarpc	read attributes and synchronize and generic read and generic write	non directory file	true	success or wait	2	7C817077	unknown
MountPointManager	read attributes and synchronize	synchronous io non alert and non directory file	true	success or wait	6	7C817077	unknown

File Path	Offset	Length	Value	Completion	Count	Source Address	Symbol
\lsarpc	0	72	05 00 0b 03 10 00 00 00 48 00 00 00 01 00 00 00 b8 10 b8 10 00 00 00 00 01 00 00 00 00 00 01 00 78 57 34 12 34 12 cd ab ef 00 01 23 45 67 89 ab 00 00 00 00 04 5d 88 8a eb 1c c9 11 9f e8 08 00 2b 10 48 60 02 00 00 00	success or wait	2	7C817077	unknown

File Path	Offset	Length	Completion	Count	Source Address	Symbol
\lsarpc	0	1024	pending	2	7C817077	unknown

File Path	Disposition	Data	Ascii Data	Completion	Count	Source Address	Symbol
C:\	90028	NULL	NULL	success or wait	1	7C90E457	KiUserApcDispatcher
\lsarpc	11C017	05 00 00 03 10 00 00 00 40 00 00 00 01 00 00 00 28 00 00 00 00 00 2C 00 00 00 00 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 02 00 0C 00 00 00 02 00 01 00 00 08 00 00	........@.......(.....,.........................................	pending	2	7C817077	unknown
\lsarpc	11C017	05 00 00 03 10 00 00 00 6A 00 00 00 02 00 00 00 52 00 00 00 00 00 1F 00 00 00 00 00 68 A3 46 85 7F B4 50 40 8E 95 5C DF C8 2F 2C 1A 2A 00 2C 00 00 00 02 00 16 00 00 00 00 00 00 00 15 00 00 00 53 00 65 00 4C 00 6F 00 61 00 64 00 44 00 72 00 69 00 76 00 65 00 72 00 50 00 72 00 69 00 76 00 69 00 6C 00 65 00 67 00 65 00	........j.......R...........h.F...P@..\../,.*.,.................S.e.L.o.a.d.D.r.i.v.e.r.P.r.i.v.i.l.e.g.e.	pending	1	7C817077	unknown
\lsarpc	11C017	05 00 00 03 10 00 00 00 2C 00 00 00 03 00 00 00 14 00 00 00 00 00 00 00 00 00 00 00 68 A3 46 85 7F B4 50 40 8E 95 5C DF C8 2F 2C 1A	........,...................h.F...P@..\../,.	pending	1	7C817077	unknown
\lsarpc	11C017	05 00 00 03 10 00 00 00 62 00 00 00 02 00 00 00 4A 00 00 00 00 00 1F 00 00 00 00 00 4A AA 6B 66 7A BA AD 49 92 2F 76 AF 4C 50 E0 04 22 00 24 00 00 00 02 00 12 00 00 00 00 00 00 00 11 00 00 00 53 00 65 00 55 00 6E 00 64 00 6F 00 63 00 6B 00 50 00 72 00 69 00 76 00 69 00 6C 00 65 00 67 00 65 00	........b.......J...........J.kfz..I./v.LP..".$.................S.e.U.n.d.o.c.k.P.r.i.v.i.l.e.g.e.	pending	1	7C817077	unknown
\lsarpc	11C017	05 00 00 03 10 00 00 00 2C 00 00 00 03 00 00 00 14 00 00 00 00 00 00 00 00 00 00 00 4A AA 6B 66 7A BA AD 49 92 2F 76 AF 4C 50 E0 04	........,...................J.kfz..I./v.LP..	pending	1	7C817077	unknown
\lsarpc	PipeInformation	unknown		success or wait	2	7C817077	unknown
\lsarpc	CompletionInformation	unknown		success or wait	2	7C817077	unknown

Section Activites

Section loaded by Windows

File Path	Access	Type	Base	Size	Mapped to pid	Protection	Completion	Count
\KnownDlls\kernel32.dll	write and read and execute	unknown	7C800000	1007616	own pid	read write	success or wait	1
unknown	query and write and read and execute and extend size	reserve	7C800000	1007616	own pid	read write	success or wait	1
\NLS\NlsSectionUnicode	read	unknown	1B0000	90112	own pid	readonly	success or wait	1
\NLS\NlsSectionLocale	read	unknown	1D0000	266240	own pid	readonly	success or wait	1
\NLS\NlsSectionSortkey	query and read	unknown	220000	266240	own pid	readonly	success or wait	1
\NLS\NlsSectionSortTbls	read	unknown	270000	24576	own pid	readonly	success or wait	1
\NLS\NlsSectionSortkey00000409	read	unknown	unknown	unknown	unknown	unknown	object name not found	1
\NLS\NlsSectionSortkey00000409	read	unknown	unknown	unknown	unknown	unknown	object name not found	1
\KnownDlls\ADVAPI32.dll	write and read and execute	unknown	77DD0000	634880	own pid	read write	success or wait	1
\KnownDlls\RPCRT4.dll	write and read and execute	unknown	77E70000	602112	own pid	read write	success or wait	1
\KnownDlls\Secur32.dll	write and read and execute	unknown	77FE0000	69632	own pid	read write	success or wait	1
\KnownDlls\BROWSEUI.dll	write and read and execute	unknown	unknown	unknown	unknown	unknown	object name not found	1
C:\WINDOWS\system32\browseui.dll	query and write and read and execute	image	75F80000	1036288	own pid	read write	success or wait	1
\KnownDlls\GDI32.dll	write and read and execute	unknown	77F10000	299008	own pid	read write	success or wait	1
\KnownDlls\USER32.dll	write and read and execute	unknown	7E410000	593920	own pid	read write	success or wait	1
\KnownDlls\msvcrt.dll	write and read and execute	unknown	77C10000	360448	own pid	read write	success or wait	1
\KnownDlls\ole32.dll	write and read and execute	unknown	774E0000	1302528	own pid	read write	success or wait	1
\KnownDlls\SHLWAPI.dll	write and read and execute	unknown	77F60000	483328	own pid	read write	success or wait	1
\KnownDlls\OLEAUT32.dll	write and read and execute	unknown	77120000	569344	own pid	read write	success or wait	1
\KnownDlls\SHDOCVW.dll	write and read and execute	unknown	unknown	unknown	unknown	unknown	object name not found	1
C:\WINDOWS\system32\shdocvw.dll	query and write and read and execute	image	7E290000	1511424	own pid	read write	success or wait	1
\KnownDlls\CRYPT32.dll	write and read and execute	unknown	unknown	unknown	unknown	unknown	object name not found	1
C:\WINDOWS\system32\crypt32.dll	query and write and read and execute	image	77A80000	610304	own pid	read write	success or wait	1
\KnownDlls\MSASN1.dll	write and read and execute	unknown	unknown	unknown	unknown	unknown	object name not found	1
C:\WINDOWS\system32\msasn1.dll	query and write and read and execute	image	77B20000	73728	own pid	read write	success or wait	1
\KnownDlls\CRYPTUI.dll	write and read and execute	unknown	unknown	unknown	unknown	unknown	object name not found	1
C:\WINDOWS\system32\cryptui.dll	query and write and read and execute	image	754D0000	524288	own pid	read write	success or wait	1
\KnownDlls\NETAPI32.dll	write and read and execute	unknown	unknown	unknown	unknown	unknown	object name not found	1
C:\WINDOWS\system32\netapi32.dll	query and write and read and execute	image	5B860000	348160	own pid	read write	success or wait	1
\KnownDlls\VERSION.dll	write and read and execute	unknown	77C00000	32768	own pid	read write	success or wait	1
\KnownDlls\WININET.dll	write and read and execute	unknown	3D930000	942080	own pid	read write	success or wait	1
\KnownDlls\Normaliz.dll	write and read and execute	unknown	400000	36864	own pid	read write	success or wait	1
\KnownDlls\urlmon.dll	write and read and execute	unknown	78130000	1257472	own pid	read write	success or wait	1
\KnownDlls\iertutil.dll	write and read and execute	unknown	3DFD0000	2002944	own pid	read write	success or wait	1
\KnownDlls\WINTRUST.dll	write and read and execute	unknown	unknown	unknown	unknown	unknown	object name not found	1
C:\WINDOWS\system32\wintrust.dll	query and write and read and execute	image	76C30000	188416	own pid	read write	success or wait	1
\KnownDlls\IMAGEHLP.dll	write and read and execute	unknown	76C90000	163840	own pid	read write	success or wait	1
\KnownDlls\WLDAP32.dll	write and read and execute	unknown	76F60000	180224	own pid	read write	success or wait	1
\KnownDlls\SHELL32.dll	write and read and execute	unknown	7C9C0000	8482816	own pid	read write	success or wait	1
\KnownDlls\UxTheme.dll	write and read and execute	unknown	unknown	unknown	unknown	unknown	object name not found	1
C:\WINDOWS\system32\uxtheme.dll	query and write and read and execute	image	5AD70000	229376	own pid	read write	success or wait	1
\KnownDlls\ShimEng.dll	write and read and execute	unknown	unknown	unknown	unknown	unknown	object name not found	1
C:\WINDOWS\system32\shimeng.dll	query and write and read and execute	image	5CB70000	155648	own pid	read write	success or wait	1
C:\WINDOWS\AppPatch\sysmain.sdb	read	commit	290000	1208320	own pid	readonly	success or wait	1
C:\WINDOWS\AppPatch\acgenral.dll	write and read and execute	commit	410000	1855488	own pid	execute	success or wait	1
C:\WINDOWS\AppPatch\acgenral.dll	write and read and execute	commit	410000	1855488	own pid	execute	success or wait	1
C:\WINDOWS\AppPatch\acgenral.dll	query and write and read and execute	image	6F880000	1875968	own pid	read write	success or wait	1
\KnownDlls\WINMM.dll	write and read and execute	unknown	unknown	unknown	unknown	unknown	object name not found	1
C:\WINDOWS\system32\winmm.dll	query and write and read and execute	image	76B40000	184320	own pid	read write	success or wait	1
\KnownDlls\MSACM32.dll	write and read and execute	unknown	unknown	unknown	unknown	unknown	object name not found	1
C:\WINDOWS\system32\msacm32.dll	query and write and read and execute	image	77BE0000	86016	own pid	read write	success or wait	1
\KnownDlls\USERENV.dll	write and read and execute	unknown	769C0000	737280	own pid	read write	success or wait	1
\NLS\NlsSectionCType	read	unknown	3E0000	12288	own pid	readonly	success or wait	1
C:\WINDOWS\system32\imm32.dll	write and read and execute	commit	360000	110592	own pid	execute	success or wait	1
C:\WINDOWS\system32\imm32.dll	write and read and execute	commit	360000	110592	own pid	execute	success or wait	1
C:\WINDOWS\system32\imm32.dll	query and write and read and execute	image	76390000	118784	own pid	read write	success or wait	1
C:\WINDOWS\system32\browseui.dll	read	commit	860000	1028096	own pid	readonly	success or wait	1
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll	write and read and execute	commit	860000	1056768	own pid	execute	success or wait	1
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll	query and write and read and execute	image	773D0000	1060864	own pid	read write	success or wait	1
C:\WINDOWS\WindowsShell.Manifest	write and read and execute	commit	390000	4096	own pid	execute	success or wait	1
C:\WINDOWS\WindowsShell.Manifest	query and read	commit	390000	4096	own pid	readonly	success or wait	1
C:\WINDOWS\WindowsShell.Manifest	read	commit	390000	4096	own pid	readonly	success or wait	1
\KnownDlls\RichEd20.dll	write and read and execute	unknown	unknown	unknown	unknown	unknown	object name not found	1
C:\WINDOWS\system32\riched20.dll	query and write and read and execute	image	74E30000	446464	own pid	read write	success or wait	1
C:\WINDOWS\system32\shdocvw.dll	read	commit	AA0000	1499136	own pid	readonly	success or wait	1
C:\WINDOWS\system32\shell32.dll	read	commit	1100000	8462336	own pid	readonly	success or wait	1
\KnownDlls\comctl32.dll	write and read and execute	unknown	5D090000	630784	own pid	read write	success or wait	1
C:\WINDOWS\system32\comctl32.dll	read	commit	AC0000	618496	own pid	readonly	success or wait	1
C:\WINDOWS\explorer.exe	read	commit	B70000	1036288	own pid	readonly	success or wait	1
\KnownDlls\SETUPAPI.dll	write and read and execute	unknown	unknown	unknown	unknown	unknown	object name not found	1
C:\WINDOWS\system32\setupapi.dll	query and write and read and execute	image	77920000	995328	own pid	read write	success or wait	1
unknown	query and write and read	commit	B50000	4096	own pid	read write	success or wait	1

Registry Activites

Key Path	Name	Completion	Count	Source Address	Symbol
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager	CWDIllegalInDLLSearch	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Terminal Server	TSAppCompat	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers	TransparentEnabled	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SYSTEM\WPA\MediaCenter	Installed	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon	LeakTrack	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager	SafeDllSearchMode	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize	DisableMetaFiles	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows	AppInit_DLLs	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager	CriticalSectionTimeout	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole	RWLockResourceTimeOut	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface	InterfaceHelperDisableAll	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface	InterfaceHelperDisableAllForOle32	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface	InterfaceHelperDisableTypeLib	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{00020400-0000-0000-C000-000000000046}	InterfaceHelperDisableAll	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{00020400-0000-0000-C000-000000000046}	InterfaceHelperDisableAllForOle32	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_USERS\Control Panel\Desktop	SmoothScroll	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced	EnableBalloonTips	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	DisableImprovedZoneCheck	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_PROTOCOL_LOCKDOWN	explorer.exe	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ldap	LdapClientIntegrity	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{EAB22AC1-30C1-11CF-A7EB-0000C05BAE0B}\TypeLib	NULL	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{B722BCCB-4E68-101B-A2BC-00AA00404770}\ProxyStubClsid32	NULL	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{79EAC9C4-BAF9-11CE-8C82-00AA004BA90B}\ProxyStubClsid32	NULL	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{000214E6-0000-0000-C000-000000000046}\ProxyStubClsid32	NULL	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{93F2F68C-1D1B-11D3-A30E-00C04F79ABD1}\ProxyStubClsid32	NULL	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SYSTEM\Setup	SystemSetupInProgress	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_USERS\Control Panel\Desktop	SmoothScroll	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\ThemeManager	Compositing	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_USERS\Control Panel\Desktop	LameButtonText	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	wave	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	wave	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	wave1	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	wave1	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	wave2	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	wave3	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	wave4	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	wave5	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	wave6	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	wave7	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	wave8	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	wave9	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	midi	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	midi	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	midi1	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	midi1	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	midi2	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	midi3	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	midi4	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	midi5	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	midi6	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	midi7	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	midi8	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	midi9	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	aux	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	aux	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	aux1	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	aux1	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	aux2	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	aux3	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	aux4	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	aux5	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	aux6	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	aux7	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	aux8	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	aux9	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\MediaProperties\PrivateProperties\Joystick\Winmm	wheel	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	mixer	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	mixer	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	mixer1	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	mixer1	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	mixer2	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	mixer3	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	mixer4	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	mixer5	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	mixer6	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	mixer7	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	mixer8	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	mixer9	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_USERS\Software\Microsoft\Multimedia\Audio	SystemFormats	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	msacm.imaadpcm	buffer overflow	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	msacm.imaadpcm	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.imaadpcm	fdwSupport	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.imaadpcm	cFormatTags	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.imaadpcm	aFormatTagCache	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.imaadpcm	cFilterTags	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	msacm.msadpcm	buffer overflow	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	msacm.msadpcm	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msadpcm	fdwSupport	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msadpcm	cFormatTags	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msadpcm	aFormatTagCache	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msadpcm	cFilterTags	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	msacm.msg711	buffer overflow	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	msacm.msg711	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msg711	fdwSupport	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msg711	cFormatTags	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msg711	aFormatTagCache	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msg711	cFilterTags	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	msacm.msgsm610	buffer overflow	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	msacm.msgsm610	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msgsm610	fdwSupport	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msgsm610	cFormatTags	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msgsm610	aFormatTagCache	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msgsm610	cFilterTags	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	msacm.trspch	buffer overflow	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	msacm.trspch	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.trspch	fdwSupport	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.trspch	cFormatTags	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.trspch	aFormatTagCache	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.trspch	cFilterTags	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	msacm.msg723	buffer overflow	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	msacm.msg723	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msg723	fdwSupport	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msg723	cFormatTags	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msg723	aFormatTagCache	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msg723	cFilterTags	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	msacm.msaudio1	buffer overflow	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	msacm.msaudio1	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msaudio1	fdwSupport	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msaudio1	cFormatTags	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msaudio1	aFormatTagCache	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msaudio1	cFilterTags	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	msacm.sl_anet	buffer overflow	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	msacm.sl_anet	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.sl_anet	fdwSupport	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.sl_anet	cFormatTags	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.sl_anet	aFormatTagCache	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.sl_anet	cFilterTags	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	msacm.iac2	buffer overflow	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	msacm.iac2	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.iac2	fdwSupport	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.iac2	cFormatTags	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.iac2	aFormatTagCache	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.iac2	cFilterTags	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	msacm.l3acm	buffer overflow	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	msacm.l3acm	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.l3acm	fdwSupport	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.l3acm	cFormatTags	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.l3acm	aFormatTagCache	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.l3acm	cFilterTags	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_USERS\Software\Microsoft\Multimedia\Audio Compression Manager\MSACM	NoPCMConverter	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_USERS\Software\Microsoft\Multimedia\Audio Compression Manager\Priority v4.00	Priority1	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon	UserEnvDebugLevel	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon	ChkAccDebugLevel	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ProductOptions	ProductType	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders	Personal	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders	Local Settings	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon	RsopDebugLevel	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon	UserEnvDebugLevel	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon	RsopLogging	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System	UserEnvDebugLevel	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System	RsopLogging	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon	UserEnvDebugLevel	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System	UserEnvDebugLevel	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer	NoNetHood	object name not found	1	7C817077	unknown
HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer	NoNetHood	object name not found	1	7C817077	unknown
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer	NoPropertiesMyComputer	object name not found	1	7C817077	unknown
HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer	NoPropertiesMyComputer	object name not found	1	7C817077	unknown
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer	NoInternetIcon	object name not found	1	7C817077	unknown
HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer	NoInternetIcon	object name not found	1	7C817077	unknown
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer	NoCommonGroups	object name not found	1	7C817077	unknown
HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer	NoCommonGroups	object name not found	1	7C817077	unknown
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer	NoControlPanel	object name not found	1	7C817077	unknown
HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer	NoControlPanel	object name not found	1	7C817077	unknown
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer	NoSetFolders	object name not found	1	7C817077	unknown
HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer	NoSetFolders	object name not found	1	7C817077	unknown
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32	NULL	success or wait	1	7C817077	unknown
HKEY_LOCAL_MACHINE\SYSTEM\Setup	SystemSetupInProgress	success or wait	1	7C817077	unknown
HKEY_LOCAL_MACHINE\SYSTEM\WPA\PnP	seed	success or wait	1	7C817077	unknown
HKEY_LOCAL_MACHINE\SYSTEM\Setup	OsLoaderPath	success or wait	1	7C817077	unknown
HKEY_LOCAL_MACHINE\SYSTEM\Setup	OsLoaderPath	success or wait	1	7C817077	unknown
HKEY_LOCAL_MACHINE\SYSTEM\Setup	SystemPartition	success or wait	1	7C817077	unknown
HKEY_LOCAL_MACHINE\SYSTEM\Setup	SystemPartition	success or wait	1	7C817077	unknown
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup	SourcePath	success or wait	1	7C817077	unknown
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup	SourcePath	success or wait	1	7C817077	unknown
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup	ServicePackSourcePath	success or wait	1	7C817077	unknown
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup	ServicePackSourcePath	success or wait	1	7C817077	unknown
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup	ServicePackCachePath	success or wait	1	7C817077	unknown
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup	ServicePackCachePath	success or wait	1	7C817077	unknown
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup	DriverCachePath	success or wait	1	7C817077	unknown
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup	DriverCachePath	success or wait	1	7C817077	unknown
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion	DevicePath	success or wait	1	7C817077	unknown
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup	LogLevel	success or wait	1	7C817077	unknown
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup	LogLevel	success or wait	1	7C817077	unknown
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup	LogPath	object name not found	1	7C817077	unknown
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ComputerName\ActiveComputerName	ComputerName	success or wait	1	7C817077	unknown
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters	Hostname	success or wait	1	7C817077	unknown
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters	Domain	success or wait	1	7C817077	unknown
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc	MaxRpcSize	object name not found	1	7C817077	unknown
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ComputerName\ActiveComputerName	ComputerName	success or wait	1	7C817077	unknown
HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{e9036068-1842-11df-9766-806d6172696f}	Data	buffer overflow	1	7C817077	unknown
HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{e9036068-1842-11df-9766-806d6172696f}	Data	success or wait	1	7C817077	unknown
HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{e9036068-1842-11df-9766-806d6172696f}	Generation	success or wait	1	7C817077	unknown
HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{0d6ab97b-ade6-11de-bdcc-806d6172696f}	Data	buffer overflow	1	7C817077	unknown
HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{0d6ab97b-ade6-11de-bdcc-806d6172696f}	Data	success or wait	1	7C817077	unknown
HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{0d6ab97b-ade6-11de-bdcc-806d6172696f}	Generation	success or wait	1	7C817077	unknown
HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{0d6ab97b-ade6-11de-bdcc-806d6172696f}	Generation	success or wait	1	7C817077	unknown
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9}	DriveMask	success or wait	1	7C817077	unknown
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer	SeparateProcess	object name not found	1	7C817077	unknown
HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer	SeparateProcess	object name not found	1	7C817077	unknown
HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Explorer	ShellState	success or wait	1	7C817077	unknown
HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Explorer	ShellState	success or wait	1	7C817077	unknown
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer	ForceActiveDesktopOn	object name not found	1	7C817077	unknown
HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer	ForceActiveDesktopOn	object name not found	1	7C817077	unknown
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer	NoActiveDesktop	object name not found	1	7C817077	unknown
HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer	NoActiveDesktop	object name not found	1	7C817077	unknown
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer	NoWebView	object name not found	1	7C817077	unknown
HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer	NoWebView	object name not found	1	7C817077	unknown
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer	ClassicShell	object name not found	1	7C817077	unknown
HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer	ClassicShell	object name not found	1	7C817077	unknown
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer	DontShowSuperHidden	object name not found	1	7C817077	unknown
HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer	DontShowSuperHidden	object name not found	1	7C817077	unknown
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer	NoNetCrawling	object name not found	1	7C817077	unknown
HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer	NoNetCrawling	object name not found	1	7C817077	unknown
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer	NoSimpleStartMenu	object name not found	1	7C817077	unknown
HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer	NoSimpleStartMenu	object name not found	1	7C817077	unknown
HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced	Hidden	success or wait	1	7C817077	unknown
HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced	ShowCompColor	success or wait	1	7C817077	unknown
HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced	HideFileExt	success or wait	1	7C817077	unknown
HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced	DontPrettyPath	success or wait	1	7C817077	unknown
HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced	ShowInfoTip	success or wait	1	7C817077	unknown
HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced	HideIcons	success or wait	1	7C817077	unknown
HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced	MapNetDrvBtn	success or wait	1	7C817077	unknown
HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced	WebView	success or wait	1	7C817077	unknown
HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced	Filter	success or wait	1	7C817077	unknown
HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced	ShowSuperHidden	success or wait	1	7C817077	unknown
HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced	SeparateProcess	success or wait	1	7C817077	unknown
HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced	NoNetCrawling	success or wait	1	7C817077	unknown
HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Explorer	DesktopProcess	object name not found	1	7C817077	unknown
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize	DisableMetaFiles	object name not found	1	102340F	ExitProcess

Mutex Activites

Name	Completion	Count	Source Address	Symbol
\BaseNamedObjects\SHIMLIB_LOG_MUTEX	object name exists	1	7C90E457	KiUserApcDispatcher
unknown	success or wait	5	7C90E457	KiUserApcDispatcher

Process Activites

PID	Process info class	Completion	Count	Source Address	Symbol
1696	Cookie	success or wait	9	7C90E457	KiUserApcDispatcher
1696	Wow64Information	success or wait	3	7C90E457	KiUserApcDispatcher
1696	ImageInformation	success or wait	1	7C90E457	KiUserApcDispatcher
1696	SessionInformation	success or wait	1	7C90E457	KiUserApcDispatcher
1696	DefaultHardErrorMode	success or wait	1	101A582	SetErrorMode
1696	DeviceMap	success or wait	5	7C817077	unknown
1696	QuotaLimits	success or wait	1	7C817077	unknown
1696	VmCounters	success or wait	1	7C817077	unknown
1552	BasicInformation	success or wait	1	7C817077	unknown

Process Terminated

PID	Filepath	Completion	Count	Source Address	Symbol
1696	C:\WINDOWS\explorer.exe	success or wait	1	102340F	ExitProcess

Thread Activites

TID	PID	EIP	EAX (Usermode EIP)	Filepath	Completion	Count	Source Address	Symbol
2000	1696	7C8106F9	77DF848A	C:\WINDOWS\explorer.exe	success or wait	1	7C90E457	KiUserApcDispatcher

TID	PID	Path	Completion	Count	Source Address	Symbol
2000	1696	C:\WINDOWS\explorer.exe	success or wait	1	7C90E457	KiUserApcDispatcher

Memory Activites

PID	Filepath	Base	Length	Protection	Completion	Count	Source Address	Symbol
1696	C:\WINDOWS\explorer.exe	90000	7FB14	page read and write	success or wait	1	7C90E457	KiUserApcDispatcher
1696	C:\WINDOWS\explorer.exe	90000	7FB18	page read and write	success or wait	1	7C90E457	KiUserApcDispatcher
1696	C:\WINDOWS\explorer.exe	91000	7F7F4	page read and write	success or wait	1	7C90E457	KiUserApcDispatcher
1696	C:\WINDOWS\explorer.exe	190000	7FB14	page read and write	success or wait	1	7C90E457	KiUserApcDispatcher
1696	C:\WINDOWS\explorer.exe	190000	7FB18	page read and write	success or wait	1	7C90E457	KiUserApcDispatcher
1696	C:\WINDOWS\explorer.exe	1A0000	7F340	page read and write	success or wait	1	7C90E457	KiUserApcDispatcher
1696	C:\WINDOWS\explorer.exe	1A1000	7F168	page read and write	success or wait	1	7C90E457	KiUserApcDispatcher
1696	C:\WINDOWS\explorer.exe	93000	7F3D0	page read and write	success or wait	1	7C90E457	KiUserApcDispatcher
1696	C:\WINDOWS\explorer.exe	3C0000	7F0C8	page read and write	success or wait	1	7C90E457	KiUserApcDispatcher
1696	C:\WINDOWS\explorer.exe	3C0000	7F0CC	page read and write	success or wait	1	7C90E457	KiUserApcDispatcher
1696	C:\WINDOWS\explorer.exe	3C2000	7EB64	page read and write	success or wait	1	7C90E457	KiUserApcDispatcher
1696	C:\WINDOWS\explorer.exe	3C3000	7EEA8	page read and write	success or wait	1	7C90E457	KiUserApcDispatcher
1696	C:\WINDOWS\explorer.exe	3D0000	7E978	page read and write	success or wait	1	7C90E457	KiUserApcDispatcher
1696	C:\WINDOWS\explorer.exe	3D0000	7E97C	page read and write	success or wait	1	7C90E457	KiUserApcDispatcher
1696	C:\WINDOWS\explorer.exe	3D1000	7E658	page read and write	success or wait	1	7C90E457	KiUserApcDispatcher
1696	C:\WINDOWS\explorer.exe	3D3000	7E70C	page read and write	success or wait	1	7C90E457	KiUserApcDispatcher
1696	C:\WINDOWS\explorer.exe	410000	7F04C	page read and write	success or wait	1	7C90E457	KiUserApcDispatcher
1696	C:\WINDOWS\explorer.exe	410000	7F050	page read and write	success or wait	1	7C90E457	KiUserApcDispatcher
1696	C:\WINDOWS\explorer.exe	411000	7ED2C	page read and write	success or wait	1	7C90E457	KiUserApcDispatcher
1696	C:\WINDOWS\explorer.exe	94000	7F788	page read and write	success or wait	1	7C90E457	KiUserApcDispatcher
1696	C:\WINDOWS\explorer.exe	370000	7F91C	page read and write	success or wait	1	7C90E457	KiUserApcDispatcher
1696	C:\WINDOWS\explorer.exe	370000	7F920	page read and write	success or wait	1	7C90E457	KiUserApcDispatcher
1696	C:\WINDOWS\explorer.exe	371000	7F5FC	page read and write	success or wait	1	7C90E457	KiUserApcDispatcher
1696	C:\WINDOWS\explorer.exe	373000	7F6B8	page read and write	success or wait	1	7C90E457	KiUserApcDispatcher
1696	C:\WINDOWS\explorer.exe	95000	7F5BC	page read and write	success or wait	1	7C90E457	KiUserApcDispatcher
1696	C:\WINDOWS\explorer.exe	96000	7F244	page read and write	success or wait	1	7C90E457	KiUserApcDispatcher
1696	C:\WINDOWS\explorer.exe	97000	7F680	page read and write	success or wait	1	7C90E457	KiUserApcDispatcher
1696	C:\WINDOWS\explorer.exe	98000	7F680	page read and write	success or wait	1	7C90E457	KiUserApcDispatcher
1696	C:\WINDOWS\explorer.exe	99000	7F67C	page read and write	success or wait	1	7C90E457	KiUserApcDispatcher
1696	C:\WINDOWS\explorer.exe	9A000	7F6E4	page read and write	success or wait	1	7C90E457	KiUserApcDispatcher
1696	C:\WINDOWS\explorer.exe	9B000	7F448	page read and write	success or wait	1	7C90E457	KiUserApcDispatcher
1696	C:\WINDOWS\explorer.exe	9C000	7F6CC	page read and write	success or wait	1	7C90E457	KiUserApcDispatcher
1696	C:\WINDOWS\explorer.exe	860000	7F918	page read and write	success or wait	1	7C90E457	KiUserApcDispatcher
1696	C:\WINDOWS\explorer.exe	860000	7F91C	page read and write	success or wait	1	7C90E457	KiUserApcDispatcher
1696	C:\WINDOWS\explorer.exe	861000	7F5F8	page read and write	success or wait	1	7C90E457	KiUserApcDispatcher
1696	C:\WINDOWS\explorer.exe	863000	7F590	page read and write	success or wait	1	7C90E457	KiUserApcDispatcher
1696	C:\WINDOWS\explorer.exe	960000	7F368	page read and write	success or wait	1	7C90E457	KiUserApcDispatcher
1696	C:\WINDOWS\explorer.exe	991000	7F364	page read and write	success or wait	1	7C90E457	KiUserApcDispatcher
1696	C:\WINDOWS\explorer.exe	865000	7F4FC	page read and write	success or wait	1	7C90E457	KiUserApcDispatcher
1696	C:\WINDOWS\explorer.exe	9A0000	7F9A0	page read and write	success or wait	1	7C90E457	KiUserApcDispatcher
1696	C:\WINDOWS\explorer.exe	9A0000	7F9A4	page read and write	success or wait	1	7C90E457	KiUserApcDispatcher
1696	C:\WINDOWS\explorer.exe	9E000	7F418	page read and write	success or wait	1	7C90E457	KiUserApcDispatcher
1696	C:\WINDOWS\explorer.exe	374000	7EFA4	page read and write	success or wait	1	7C90E457	KiUserApcDispatcher
1696	C:\WINDOWS\explorer.exe	9F000	7F24C	page read and write	success or wait	1	7C90E457	KiUserApcDispatcher
1696	C:\WINDOWS\explorer.exe	AB0000	7F1B8	page read and write	success or wait	1	7C90E457	KiUserApcDispatcher
1696	C:\WINDOWS\explorer.exe	AB0000	7F1BC	page read and write	success or wait	1	7C90E457	KiUserApcDispatcher
1696	C:\WINDOWS\explorer.exe	AB1000	7EE98	page read and write	success or wait	1	7C90E457	KiUserApcDispatcher
1696	C:\WINDOWS\explorer.exe	AB3000	7EF4C	page read and write	success or wait	1	7C90E457	KiUserApcDispatcher
1696	C:\WINDOWS\explorer.exe	AC0000	7F52C	page read and write	success or wait	1	7C90E457	KiUserApcDispatcher
1696	C:\WINDOWS\explorer.exe	AC0000	7F528	page read and write	success or wait	1	7C90E457	KiUserApcDispatcher
1696	C:\WINDOWS\explorer.exe	A0000	7EEE8	page read and write	success or wait	1	7C90E457	KiUserApcDispatcher
1696	C:\WINDOWS\explorer.exe	A1000	7EF90	page read and write	success or wait	1	7C90E457	KiUserApcDispatcher
1696	C:\WINDOWS\explorer.exe	A2000	7EFB0	page read and write	success or wait	1	7C90E457	KiUserApcDispatcher
1696	C:\WINDOWS\explorer.exe	A3000	7EA88	page read and write	success or wait	1	7C817077	unknown
1696	C:\WINDOWS\explorer.exe	A4000	7EFEC	page read and write	success or wait	1	7C817077	unknown
1696	C:\WINDOWS\explorer.exe	A5000	7EE70	page read and write	success or wait	1	7C817077	unknown
1696	C:\WINDOWS\explorer.exe	A6000	7FAAC	page read and write	success or wait	1	102340F	ExitProcess

PID	Filepath	Base	Length	New Protection	Old Protection	Completion	Count	Source Address	Symbol
1696	C:\WINDOWS\explorer.exe	7C801000	1000	page read and write	page execute read	success or wait	1	7C90E457	KiUserApcDispatcher
1696	C:\WINDOWS\explorer.exe	7C801000	1000	page execute read	page read and write	success or wait	1	7C90E457	KiUserApcDispatcher
1696	C:\WINDOWS\explorer.exe	77DD1000	1000	page read and write	page execute read	success or wait	3	7C90E457	KiUserApcDispatcher
1696	C:\WINDOWS\explorer.exe	77DD1000	1000	page execute read	page read and write	success or wait	3	7C90E457	KiUserApcDispatcher
1696	C:\WINDOWS\explorer.exe	77E71000	1000	page read and write	page execute read	success or wait	4	7C90E457	KiUserApcDispatcher
1696	C:\WINDOWS\explorer.exe	77E71000	1000	page execute read	page read and write	success or wait	4	7C90E457	KiUserApcDispatcher
1696	C:\WINDOWS\explorer.exe	77FE1000	1000	page read and write	page execute read	success or wait	3	7C90E457	KiUserApcDispatcher
1696	C:\WINDOWS\explorer.exe	77FE1000	1000	page execute read	page read and write	success or wait	3	7C90E457	KiUserApcDispatcher
1696	C:\WINDOWS\explorer.exe	1001000	1000	page read and write	page execute read	success or wait	8	7C90E457	KiUserApcDispatcher
1696	C:\WINDOWS\explorer.exe	1001000	1000	page execute read	page read and write	success or wait	8	7C90E457	KiUserApcDispatcher
1696	C:\WINDOWS\explorer.exe	75F81000	1000	page read and write	page execute read	success or wait	6	7C90E457	KiUserApcDispatcher
1696	C:\WINDOWS\explorer.exe	75F81000	1000	page execute read	page read and write	success or wait	6	7C90E457	KiUserApcDispatcher
1696	C:\WINDOWS\explorer.exe	77F11000	1000	page read and write	page execute read	success or wait	3	7C90E457	KiUserApcDispatcher
1696	C:\WINDOWS\explorer.exe	77F11000	1000	page execute read	page read and write	success or wait	3	7C90E457	KiUserApcDispatcher
1696	C:\WINDOWS\explorer.exe	7E411000	1000	page read and write	page execute read	success or wait	3	7C90E457	KiUserApcDispatcher
1696	C:\WINDOWS\explorer.exe	7E411000	1000	page execute read	page read and write	success or wait	3	7C90E457	KiUserApcDispatcher
1696	C:\WINDOWS\explorer.exe	77C11000	1000	page read and write	page execute read	success or wait	2	7C90E457	KiUserApcDispatcher
1696	C:\WINDOWS\explorer.exe	77C11000	1000	page execute read	page read and write	success or wait	2	7C90E457	KiUserApcDispatcher
1696	C:\WINDOWS\explorer.exe	774E1000	1000	page read and write	page execute read	success or wait	7	7C90E457	KiUserApcDispatcher
1696	C:\WINDOWS\explorer.exe	774E1000	1000	page execute read	page read and write	success or wait	7	7C90E457	KiUserApcDispatcher
1696	C:\WINDOWS\explorer.exe	77F61000	1000	page read and write	page execute read	success or wait	5	7C90E457	KiUserApcDispatcher
1696	C:\WINDOWS\explorer.exe	77F61000	1000	page execute read	page read and write	success or wait	5	7C90E457	KiUserApcDispatcher
1696	C:\WINDOWS\explorer.exe	77121000	1000	page read and write	page execute read	success or wait	6	7C90E457	KiUserApcDispatcher
1696	C:\WINDOWS\explorer.exe	77121000	1000	page execute read	page read and write	success or wait	6	7C90E457	KiUserApcDispatcher
1696	C:\WINDOWS\explorer.exe	7E291000	1000	page read and write	page execute read	success or wait	5	7C90E457	KiUserApcDispatcher
1696	C:\WINDOWS\explorer.exe	7E291000	1000	page execute read	page read and write	success or wait	5	7C90E457	KiUserApcDispatcher
1696	C:\WINDOWS\explorer.exe	77A81000	1000	page read and write	page execute read	success or wait	5	7C90E457	KiUserApcDispatcher
1696	C:\WINDOWS\explorer.exe	77A81000	1000	page execute read	page read and write	success or wait	5	7C90E457	KiUserApcDispatcher
1696	C:\WINDOWS\explorer.exe	77B21000	1000	page read and write	page execute read	success or wait	3	7C90E457	KiUserApcDispatcher
1696	C:\WINDOWS\explorer.exe	77B21000	1000	page execute read	page read and write	success or wait	3	7C90E457	KiUserApcDispatcher
1696	C:\WINDOWS\explorer.exe	754D1000	1000	page read and write	page execute read	success or wait	9	7C90E457	KiUserApcDispatcher
1696	C:\WINDOWS\explorer.exe	754D1000	1000	page execute read	page read and write	success or wait	9	7C90E457	KiUserApcDispatcher
1696	C:\WINDOWS\explorer.exe	5B861000	1000	page read and write	page execute read	success or wait	5	7C90E457	KiUserApcDispatcher
1696	C:\WINDOWS\explorer.exe	5B861000	1000	page execute read	page read and write	success or wait	5	7C90E457	KiUserApcDispatcher
1696	C:\WINDOWS\explorer.exe	77C01000	1000	page read and write	page execute read	success or wait	2	7C90E457	KiUserApcDispatcher
1696	C:\WINDOWS\explorer.exe	77C01000	1000	page execute read	page read and write	success or wait	2	7C90E457	KiUserApcDispatcher
1696	C:\WINDOWS\explorer.exe	3D931000	1000	page read and write	page execute read	success or wait	9	7C90E457	KiUserApcDispatcher
1696	C:\WINDOWS\explorer.exe	3D931000	1000	page execute read	page read and write	success or wait	9	7C90E457	KiUserApcDispatcher
1696	C:\WINDOWS\explorer.exe	401000	1000	page read and write	page execute read	success or wait	3	7C90E457	KiUserApcDispatcher
1696	C:\WINDOWS\explorer.exe	401000	1000	page execute read	page read and write	success or wait	3	7C90E457	KiUserApcDispatcher
1696	C:\WINDOWS\explorer.exe	78131000	1000	page read and write	page execute read	success or wait	10	7C90E457	KiUserApcDispatcher
1696	C:\WINDOWS\explorer.exe	78131000	1000	page execute read	page read and write	success or wait	10	7C90E457	KiUserApcDispatcher
1696	C:\WINDOWS\explorer.exe	3DFD1000	1000	page read and write	page execute read	success or wait	6	7C90E457	KiUserApcDispatcher
1696	C:\WINDOWS\explorer.exe	3DFD1000	1000	page execute read	page read and write	success or wait	6	7C90E457	KiUserApcDispatcher
1696	C:\WINDOWS\explorer.exe	76C31000	1000	page read and write	page execute read	success or wait	8	7C90E457	KiUserApcDispatcher
1696	C:\WINDOWS\explorer.exe	76C31000	1000	page execute read	page read and write	success or wait	8	7C90E457	KiUserApcDispatcher
1696	C:\WINDOWS\explorer.exe	76C91000	1000	page read and write	page execute read	success or wait	2	7C90E457	KiUserApcDispatcher
1696	C:\WINDOWS\explorer.exe	76C91000	1000	page execute read	page read and write	success or wait	2	7C90E457	KiUserApcDispatcher
1696	C:\WINDOWS\explorer.exe	76F61000	1000	page read and write	page execute read	success or wait	3	7C90E457	KiUserApcDispatcher
1696	C:\WINDOWS\explorer.exe	76F61000	1000	page execute read	page read and write	success or wait	3	7C90E457	KiUserApcDispatcher
1696	C:\WINDOWS\explorer.exe	7C9C1000	2000	page read and write	page execute read	success or wait	8	7C90E457	KiUserApcDispatcher
1696	C:\WINDOWS\explorer.exe	7C9C1000	2000	page execute read	page read and write	success or wait	8	7C90E457	KiUserApcDispatcher
1696	C:\WINDOWS\explorer.exe	5AD71000	1000	page read and write	page execute read	success or wait	5	7C90E457	KiUserApcDispatcher
1696	C:\WINDOWS\explorer.exe	5AD71000	1000	page execute read	page read and write	success or wait	5	7C90E457	KiUserApcDispatcher
1696	C:\WINDOWS\explorer.exe	5CB71000	1000	page read and write	page execute read	success or wait	2	7C90E457	KiUserApcDispatcher
1696	C:\WINDOWS\explorer.exe	5CB71000	1000	page execute read	page read and write	success or wait	2	7C90E457	KiUserApcDispatcher
1696	C:\WINDOWS\explorer.exe	6F881000	1000	page read and write	page execute read	success or wait	7	7C90E457	KiUserApcDispatcher
1696	C:\WINDOWS\explorer.exe	6F881000	1000	page execute read	page read and write	success or wait	7	7C90E457	KiUserApcDispatcher
1696	C:\WINDOWS\explorer.exe	76B41000	1000	page read and write	page execute read	success or wait	5	7C90E457	KiUserApcDispatcher
1696	C:\WINDOWS\explorer.exe	76B41000	1000	page execute read	page read and write	success or wait	5	7C90E457	KiUserApcDispatcher
1696	C:\WINDOWS\explorer.exe	77BE1000	1000	page read and write	page execute read	success or wait	5	7C90E457	KiUserApcDispatcher
1696	C:\WINDOWS\explorer.exe	77BE1000	1000	page execute read	page read and write	success or wait	5	7C90E457	KiUserApcDispatcher
1696	C:\WINDOWS\explorer.exe	769C1000	1000	page read and write	page execute read	success or wait	5	7C90E457	KiUserApcDispatcher
1696	C:\WINDOWS\explorer.exe	769C1000	1000	page execute read	page read and write	success or wait	5	7C90E457	KiUserApcDispatcher
1696	C:\WINDOWS\explorer.exe	1001268	1000	page read and write	page execute read	success or wait	1	7C90E457	KiUserApcDispatcher
1696	C:\WINDOWS\explorer.exe	1001000	1000	page execute read	page read and write	success or wait	1	7C90E457	KiUserApcDispatcher
1696	C:\WINDOWS\explorer.exe	77DD1218	1000	page read and write	page execute read	success or wait	1	7C90E457	KiUserApcDispatcher
1696	C:\WINDOWS\explorer.exe	77DD1000	1000	page execute read	page read and write	success or wait	1	7C90E457	KiUserApcDispatcher
1696	C:\WINDOWS\explorer.exe	77E71178	1000	page read and write	page execute read	success or wait	1	7C90E457	KiUserApcDispatcher
1696	C:\WINDOWS\explorer.exe	77E71000	1000	page execute read	page read and write	success or wait	1	7C90E457	KiUserApcDispatcher
1696	C:\WINDOWS\explorer.exe	77FE1098	1000	page read and write	page execute read	success or wait	1	7C90E457	KiUserApcDispatcher
1696	C:\WINDOWS\explorer.exe	77FE1000	1000	page execute read	page read and write	success or wait	1	7C90E457	KiUserApcDispatcher
1696	C:\WINDOWS\explorer.exe	75F811EC	1000	page read and write	page execute read	success or wait	1	7C90E457	KiUserApcDispatcher
1696	C:\WINDOWS\explorer.exe	75F81000	1000	page execute read	page read and write	success or wait	1	7C90E457	KiUserApcDispatcher
1696	C:\WINDOWS\explorer.exe	77F110B4	1000	page read and write	page execute read	success or wait	1	7C90E457	KiUserApcDispatcher
1696	C:\WINDOWS\explorer.exe	77F11000	1000	page execute read	page read and write	success or wait	1	7C90E457	KiUserApcDispatcher
1696	C:\WINDOWS\explorer.exe	7E41133C	1000	page read and write	page execute read	success or wait	1	7C90E457	KiUserApcDispatcher
1696	C:\WINDOWS\explorer.exe	7E411000	1000	page execute read	page read and write	success or wait	1	7C90E457	KiUserApcDispatcher
1696	C:\WINDOWS\explorer.exe	77C110D0	1000	page read and write	page execute read	success or wait	1	7C90E457	KiUserApcDispatcher
1696	C:\WINDOWS\explorer.exe	77C11000	1000	page execute read	page read and write	success or wait	1	7C90E457	KiUserApcDispatcher
1696	C:\WINDOWS\explorer.exe	774E1218	1000	page read and write	page execute read	success or wait	1	7C90E457	KiUserApcDispatcher
1696	C:\WINDOWS\explorer.exe	774E1000	1000	page execute read	page read and write	success or wait	1	7C90E457	KiUserApcDispatcher
1696	C:\WINDOWS\explorer.exe	77F61438	1000	page read and write	page execute read	success or wait	1	7C90E457	KiUserApcDispatcher
1696	C:\WINDOWS\explorer.exe	77F61000	1000	page execute read	page read and write	success or wait	1	7C90E457	KiUserApcDispatcher
1696	C:\WINDOWS\explorer.exe	7712129C	1000	page read and write	page execute read	success or wait	1	7C90E457	KiUserApcDispatcher
1696	C:\WINDOWS\explorer.exe	77121000	1000	page execute read	page read and write	success or wait	1	7C90E457	KiUserApcDispatcher
1696	C:\WINDOWS\explorer.exe	7E2911E8	1000	page read and write	page execute read	success or wait	1	7C90E457	KiUserApcDispatcher
1696	C:\WINDOWS\explorer.exe	7E291000	1000	page execute read	page read and write	success or wait	1	7C90E457	KiUserApcDispatcher
1696	C:\WINDOWS\explorer.exe	77A81188	1000	page read and write	page execute read	success or wait	1	7C90E457	KiUserApcDispatcher
1696	C:\WINDOWS\explorer.exe	77A81000	1000	page execute read	page read and write	success or wait	1	7C90E457	KiUserApcDispatcher
1696	C:\WINDOWS\explorer.exe	77B2103C	1000	page read and write	page execute read	success or wait	1	7C90E457	KiUserApcDispatcher
1696	C:\WINDOWS\explorer.exe	77B21000	1000	page execute read	page read and write	success or wait	1	7C90E457	KiUserApcDispatcher
1696	C:\WINDOWS\explorer.exe	754D12F8	1000	page read and write	page execute read	success or wait	1	7C90E457	KiUserApcDispatcher
1696	C:\WINDOWS\explorer.exe	754D1000	1000	page execute read	page read and write	success or wait	1	7C90E457	KiUserApcDispatcher
1696	C:\WINDOWS\explorer.exe	5B8611BC	1000	page read and write	page execute read	success or wait	1	7C90E457	KiUserApcDispatcher
1696	C:\WINDOWS\explorer.exe	5B861000	1000	page execute read	page read and write	success or wait	1	7C90E457	KiUserApcDispatcher
1696	C:\WINDOWS\explorer.exe	77C01050	1000	page read and write	page execute read	success or wait	1	7C90E457	KiUserApcDispatcher
1696	C:\WINDOWS\explorer.exe	77C01000	1000	page execute read	page read and write	success or wait	1	7C90E457	KiUserApcDispatcher
1696	C:\WINDOWS\explorer.exe	3D9314B0	1000	page read and write	page execute read	success or wait	1	7C90E457	KiUserApcDispatcher
1696	C:\WINDOWS\explorer.exe	3D931000	1000	page execute read	page read and write	success or wait	1	7C90E457	KiUserApcDispatcher

Memory Usage Statistics

Time	Private Usage (mb)	Workingset (mb)	Page File Usage (mb)
09:39:47	0	0	0

System Activites

System info class	Completion	Count	Source Address	Symbol
BasicInformation	success or wait	20	7C90E457	KiUserApcDispatcher
RangeStartInformation	success or wait	1	7C90E457	KiUserApcDispatcher
ProcessorInformation	success or wait	7	7C90E457	KiUserApcDispatcher
PerformanceInformation	success or wait	1	7C817077	unknown

Timing Activites

Time	Completion	Count	Source Address	Symbol
129718679881093750	success or wait	1	7C817077	unknown

Windows UI Activites

HWND	Message	LParam	WParam	Completion	Count	Source Address	Symbol
10084	40B	0	2356	success	1	7C817077	unknown

Process Token Activites

Status	Privilege	Completion	Count	Source Address	Symbol
on	Load Driver	success or wait	2	7C817077	unknown

Chronological Activities

Operation	Data	Completion	Time
Key value queried	Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager Name: CWDIllegalInDLLSearch	object name not found	527500350
System info queried	Type: BasicInformation	success or wait	527502592
Memory allocated	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 90000 Length: 7FB14 Allocation Type: unknown Protection: page read and write	success or wait	527503069
Memory allocated	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 90000 Length: 7FB18 Allocation Type: unknown Protection: page read and write	success or wait	527504355
Memory allocated	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 91000 Length: 7F7F4 Allocation Type: unknown Protection: page read and write	success or wait	527511716
System info queried	Type: BasicInformation	success or wait	527512008
Memory allocated	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 190000 Length: 7FB14 Allocation Type: unknown Protection: page read and write	success or wait	527512294
Memory allocated	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 190000 Length: 7FB18 Allocation Type: unknown Protection: page read and write	success or wait	527512549
File opened	Path: C:\ Access: execute or traverse and synchronize Options: directory file and synchronous io non alert Overwritten: false	success or wait	527514743
File control set	Path: C:\ Control Code: 90028 Input Buffer: NULL	success or wait	527523705
Section loaded	Path: \KnownDlls\kernel32.dll Access: write and read and execute Type: unknown Baseaddress: 7C800000 Size: 1007616 Protection: read write Mapped to pid: own pid	success or wait	527524627
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 7C801000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	527526028
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 7C801000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	527537892
Process information queried	Path: C:\WINDOWS\explorer.exe PID: 1696 Info Class: Cookie	success or wait	527538764
System info queried	Type: RangeStartInformation	success or wait	527539061
System info queried	Type: BasicInformation	success or wait	527539307
Section loaded	Path: unknown Access: query and write and read and execute and extend size Type: reserve Baseaddress: 7C800000 Size: 1007616 Protection: read write Mapped to pid: own pid	success or wait	527539677
System info queried	Type: BasicInformation	success or wait	527549001
Memory allocated	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 1A0000 Length: 7F340 Allocation Type: unknown Protection: page read and write	success or wait	527549492
Key value queried	Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Terminal Server Name: TSAppCompat	success or wait	527550612
Section loaded	Path: \NLS\NlsSectionUnicode Access: read Type: unknown Baseaddress: 1B0000 Size: 90112 Protection: readonly Mapped to pid: own pid	success or wait	527552103
Section loaded	Path: \NLS\NlsSectionLocale Access: read Type: unknown Baseaddress: 1D0000 Size: 266240 Protection: readonly Mapped to pid: own pid	success or wait	527562308
Section loaded	Path: \NLS\NlsSectionSortkey Access: query and read Type: unknown Baseaddress: 220000 Size: 266240 Protection: readonly Mapped to pid: own pid	success or wait	527563669
Section loaded	Path: \NLS\NlsSectionSortTbls Access: read Type: unknown Baseaddress: 270000 Size: 24576 Protection: readonly Mapped to pid: own pid	success or wait	527587175
Section loaded	Path: \NLS\NlsSectionSortkey00000409 Access: read Type: unknown Baseaddress: unknown Size: unknown Protection: unknown Mapped to pid: unknown	object name not found	527588916
Section loaded	Path: \NLS\NlsSectionSortkey00000409 Access: read Type: unknown Baseaddress: unknown Size: unknown Protection: unknown Mapped to pid: unknown	object name not found	527597817
Memory allocated	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 1A1000 Length: 7F168 Allocation Type: unknown Protection: page read and write	success or wait	527598151
Section loaded	Path: \KnownDlls\ADVAPI32.dll Access: write and read and execute Type: unknown Baseaddress: 77DD0000 Size: 634880 Protection: read write Mapped to pid: own pid	success or wait	527599128
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 77DD1000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	527609747
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 77DD1000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	527610356
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 77DD1000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	527610682
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 77DD1000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	527611223
Section loaded	Path: \KnownDlls\RPCRT4.dll Access: write and read and execute Type: unknown Baseaddress: 77E70000 Size: 602112 Protection: read write Mapped to pid: own pid	success or wait	527611613
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 77E71000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	527620791
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 77E71000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	527621428
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 77E71000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	527625592
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 77E71000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	527630673
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 77E71000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	527631030
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 77E71000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	527631415
Section loaded	Path: \KnownDlls\Secur32.dll Access: write and read and execute Type: unknown Baseaddress: 77FE0000 Size: 69632 Protection: read write Mapped to pid: own pid	success or wait	527631830
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 77FE1000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	527640765
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 77FE1000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	527641205
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 77FE1000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	527641585
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 77FE1000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	527641984
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 77FE1000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	527642360
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 77FE1000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	527652880
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 77E71000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	527653228
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 77E71000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	527653568
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 77DD1000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	527653879
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 77DD1000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	527654379
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 1001000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	527655426
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 1001000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	527670513
Section loaded	Path: \KnownDlls\BROWSEUI.dll Access: write and read and execute Type: unknown Baseaddress: unknown Size: unknown Protection: unknown Mapped to pid: unknown	object name not found	527670888
Memory allocated	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 93000 Length: 7F3D0 Allocation Type: unknown Protection: page read and write	success or wait	527671206
File opened	Path: C:\WINDOWS\system32\BROWSEUI.dll Access: execute or traverse and synchronize Options: synchronous io non alert and non directory file Overwritten: false	success or wait	527672023
Section loaded	Path: C:\WINDOWS\system32\browseui.dll Access: query and write and read and execute Type: image Baseaddress: 75F80000 Size: 1036288 Protection: read write Mapped to pid: own pid	success or wait	527673056
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers Name: TransparentEnabled	success or wait	527684273
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 75F81000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	527693685
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 75F81000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	527697080
Section loaded	Path: \KnownDlls\GDI32.dll Access: write and read and execute Type: unknown Baseaddress: 77F10000 Size: 299008 Protection: read write Mapped to pid: own pid	success or wait	527697475
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 77F11000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	527703995
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 77F11000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	527704517
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 77F11000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	527704871
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 77F11000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	527705231
Section loaded	Path: \KnownDlls\USER32.dll Access: write and read and execute Type: unknown Baseaddress: 7E410000 Size: 593920 Protection: read write Mapped to pid: own pid	success or wait	527705645
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 7E411000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	527713756
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 7E411000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	527714505
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 7E411000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	527714892
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 7E411000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	527715366
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 7E411000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	527721122
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 7E411000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	527721649
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 77F11000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	527721991
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 77F11000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	527722589
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 75F81000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	527722905
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 75F81000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	527723239
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 75F81000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	527729157
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 75F81000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	527729559
Section loaded	Path: \KnownDlls\msvcrt.dll Access: write and read and execute Type: unknown Baseaddress: 77C10000 Size: 360448 Protection: read write Mapped to pid: own pid	success or wait	527729950
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 77C11000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	527736199
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 77C11000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	527746801
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 77C11000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	527747164
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 77C11000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	527747508
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 75F81000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	527747823
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 75F81000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	527748315
Section loaded	Path: \KnownDlls\ole32.dll Access: write and read and execute Type: unknown Baseaddress: 774E0000 Size: 1302528 Protection: read write Mapped to pid: own pid	success or wait	527750937
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 774E1000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	527755448
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 774E1000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	527755930
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 774E1000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	527756278
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 774E1000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	527763348
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 774E1000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	527763709
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 774E1000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	527764226
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 774E1000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	527764576
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 774E1000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	527764930
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 774E1000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	527765274
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 774E1000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	527769159
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 774E1000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	527769515
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 774E1000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	527769969
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 774E1000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	527770316
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 774E1000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	527770762
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 75F81000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	527771079
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 75F81000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	527779311
Section loaded	Path: \KnownDlls\SHLWAPI.dll Access: write and read and execute Type: unknown Baseaddress: 77F60000 Size: 483328 Protection: read write Mapped to pid: own pid	success or wait	527779712
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 77F61000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	527781233
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 77F61000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	527782097
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 77F61000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	527785475
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 77F61000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	527785844
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 77F61000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	527786192
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 77F61000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	527786710
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 77F61000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	527787058
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 77F61000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	527789501
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 77F61000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	527809152
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 77F61000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	527809655
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 75F81000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	527809978
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 75F81000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	527810554
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 1001000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	527810909
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 1001000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	527811437
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 1001000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	527815717
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 1001000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	527816180
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 1001000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	527816479
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 1001000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	527816770
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 1001000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	527817062
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 1001000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	527819604
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 1001000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	527823581
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 1001000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	527823878
Section loaded	Path: \KnownDlls\OLEAUT32.dll Access: write and read and execute Type: unknown Baseaddress: 77120000 Size: 569344 Protection: read write Mapped to pid: own pid	success or wait	527824241
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 77121000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	527831519
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 77121000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	527832135
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 77121000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	527832825
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 77121000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	527833170
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 77121000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	527833494
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 77121000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	527833964
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 77121000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	527839175
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 77121000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	527839515
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 77121000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	527839835
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 77121000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	527840162
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 77121000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	527840480
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 77121000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	527840790
Section loaded	Path: \KnownDlls\SHDOCVW.dll Access: write and read and execute Type: unknown Baseaddress: unknown Size: unknown Protection: unknown Mapped to pid: unknown	object name not found	527848462
File opened	Path: C:\WINDOWS\system32\SHDOCVW.dll Access: execute or traverse and synchronize Options: synchronous io non alert and non directory file Overwritten: false	success or wait	527849245
Section loaded	Path: C:\WINDOWS\system32\shdocvw.dll Access: query and write and read and execute Type: image Baseaddress: 7E290000 Size: 1511424 Protection: read write Mapped to pid: own pid	success or wait	527850297
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 7E291000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	527858591
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 7E291000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	527877944
Section loaded	Path: \KnownDlls\CRYPT32.dll Access: write and read and execute Type: unknown Baseaddress: unknown Size: unknown Protection: unknown Mapped to pid: unknown	object name not found	527878344
File opened	Path: C:\WINDOWS\system32\CRYPT32.dll Access: execute or traverse and synchronize Options: synchronous io non alert and non directory file Overwritten: false	success or wait	527879169
Section loaded	Path: C:\WINDOWS\system32\crypt32.dll Access: query and write and read and execute Type: image Baseaddress: 77A80000 Size: 610304 Protection: read write Mapped to pid: own pid	success or wait	527880225
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 77A81000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	527890931
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 77A81000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	527891523
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 77A81000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	527891884
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 77A81000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	527892333
Section loaded	Path: \KnownDlls\MSASN1.dll Access: write and read and execute Type: unknown Baseaddress: unknown Size: unknown Protection: unknown Mapped to pid: unknown	object name not found	527892749
File opened	Path: C:\WINDOWS\system32\MSASN1.dll Access: execute or traverse and synchronize Options: synchronous io non alert and non directory file Overwritten: false	success or wait	527893556
Section loaded	Path: C:\WINDOWS\system32\msasn1.dll Access: query and write and read and execute Type: image Baseaddress: 77B20000 Size: 73728 Protection: read write Mapped to pid: own pid	success or wait	527897793
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 77B21000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	527907380
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 77B21000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	527907836
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 77B21000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	527908216
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 77B21000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	527908593
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 77B21000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	527909010
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 77B21000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	527915721
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 77A81000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	527916076
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 77A81000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	527916597
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 77A81000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	527916950
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 77A81000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	527917404
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 77A81000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	527917757
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 77A81000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	527921828
Section loaded	Path: \KnownDlls\CRYPTUI.dll Access: write and read and execute Type: unknown Baseaddress: unknown Size: unknown Protection: unknown Mapped to pid: unknown	object name not found	527922119
File opened	Path: C:\WINDOWS\system32\CRYPTUI.dll Access: execute or traverse and synchronize Options: synchronous io non alert and non directory file Overwritten: false	success or wait	527922985
Section loaded	Path: C:\WINDOWS\system32\cryptui.dll Access: query and write and read and execute Type: image Baseaddress: 754D0000 Size: 524288 Protection: read write Mapped to pid: own pid	success or wait	527932470
File opened	Path: C:\WINDOWS\system32\CRYPTUI.dll.2.Manifest Access: read data or list directory and read ea and execute or traverse and read attributes and read control and synchronize Options: synchronous io non alert and non directory file Overwritten: false	object name not found	527939231
File opened	Path: C:\WINDOWS\system32\CRYPTUI.dll.2.Config Access: read data or list directory and read ea and execute or traverse and read attributes and read control and synchronize Options: synchronous io non alert and non directory file Overwritten: false	object name not found	527947651
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 754D1000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	527989657
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 754D1000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	527998796
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 754D1000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	527999170
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 754D1000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	527999582
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 754D1000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	527999939
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 754D1000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	528000367
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 754D1000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	528000715
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 754D1000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	528005114
Section loaded	Path: \KnownDlls\NETAPI32.dll Access: write and read and execute Type: unknown Baseaddress: unknown Size: unknown Protection: unknown Mapped to pid: unknown	object name not found	528005586
File opened	Path: C:\WINDOWS\system32\NETAPI32.dll Access: execute or traverse and synchronize Options: synchronous io non alert and non directory file Overwritten: false	success or wait	528006399
Section loaded	Path: C:\WINDOWS\system32\netapi32.dll Access: query and write and read and execute Type: image Baseaddress: 5B860000 Size: 348160 Protection: read write Mapped to pid: own pid	success or wait	528007475
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 5B861000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	528022143
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 5B861000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	528022623
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 5B861000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	528023008
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 5B861000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	528023466
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 5B861000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	528026260
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 5B861000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	528030770
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 5B861000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	528031165
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 5B861000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	528031599
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 5B861000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	528031982
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 5B861000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	528032364
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 754D1000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	528035811
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 754D1000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	528039008
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 754D1000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	528039371
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 754D1000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	528039718
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 754D1000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	528040067
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 754D1000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	528040409
Section loaded	Path: \KnownDlls\VERSION.dll Access: write and read and execute Type: unknown Baseaddress: 77C00000 Size: 32768 Protection: read write Mapped to pid: own pid	success or wait	528043966
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 77C01000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	528048177
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 77C01000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	528048722
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 77C01000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	528049107
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 77C01000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	528059798
Section loaded	Path: \KnownDlls\WININET.dll Access: write and read and execute Type: unknown Baseaddress: 3D930000 Size: 942080 Protection: read write Mapped to pid: own pid	success or wait	528060238
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 3D931000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	528061939
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 3D931000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	528064592
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 3D931000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	528070029
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 3D931000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	528070460
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 3D931000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	528070842
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 3D931000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	528071282
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 3D931000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	528071658
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 3D931000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	528074254
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 3D931000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	528082308
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 3D931000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	528083038
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 3D931000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	528083796
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 3D931000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	528084281
Section loaded	Path: \KnownDlls\Normaliz.dll Access: write and read and execute Type: unknown Baseaddress: 400000 Size: 36864 Protection: read write Mapped to pid: own pid	success or wait	528084736
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 401000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	528096368
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 401000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	528096857
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 401000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	528097273
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 401000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	528097685
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 401000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	528109038
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 401000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	528109528
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 3D931000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	528109904
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 3D931000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	528110277
Section loaded	Path: \KnownDlls\urlmon.dll Access: write and read and execute Type: unknown Baseaddress: 78130000 Size: 1257472 Protection: read write Mapped to pid: own pid	success or wait	528110729
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 78131000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	528117774
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 78131000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	528118396
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 78131000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	528119191
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 78131000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	528119645
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 78131000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	528120445
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 78131000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	528127656
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 78131000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	528128082
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 78131000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	528128548
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 78131000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	528128958
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 78131000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	528129394
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 78131000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	528130825
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 78131000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	528139779
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 78131000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	528140201
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 78131000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	528140792
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 78131000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	528141210
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 78131000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	528141671
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 78131000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	528142374
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 78131000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	528151498
Section loaded	Path: \KnownDlls\iertutil.dll Access: write and read and execute Type: unknown Baseaddress: 3DFD0000 Size: 2002944 Protection: read write Mapped to pid: own pid	success or wait	528152041
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 3DFD1000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	528153932
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 3DFD1000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	528163683
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 3DFD1000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	528164154
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 3DFD1000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	528164603
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 3DFD1000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	528165100
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 3DFD1000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	528165860
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 3DFD1000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	528166316
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 3DFD1000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	528175602
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 3DFD1000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	528176080
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 3DFD1000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	528176580
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 3DFD1000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	528177034
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 3DFD1000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	528177517
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 78131000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	528177926
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 78131000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	528190109
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 3D931000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	528190492
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 3D931000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	528190923
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 3D931000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	528191206
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 3D931000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	528191585
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 754D1000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	528191926
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 754D1000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	528197337
Section loaded	Path: \KnownDlls\WINTRUST.dll Access: write and read and execute Type: unknown Baseaddress: unknown Size: unknown Protection: unknown Mapped to pid: unknown	object name not found	528197771
File opened	Path: C:\WINDOWS\system32\WINTRUST.dll Access: execute or traverse and synchronize Options: synchronous io non alert and non directory file Overwritten: false	success or wait	528198639
Section loaded	Path: C:\WINDOWS\system32\wintrust.dll Access: query and write and read and execute Type: image Baseaddress: 76C30000 Size: 188416 Protection: read write Mapped to pid: own pid	success or wait	528217578
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 76C31000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	528227821
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 76C31000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	528228372
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 76C31000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	528228759
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 76C31000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	528229275
Section loaded	Path: \KnownDlls\IMAGEHLP.dll Access: write and read and execute Type: unknown Baseaddress: 76C90000 Size: 163840 Protection: read write Mapped to pid: own pid	success or wait	528229729
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 76C91000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	528239049
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 76C91000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	528243600
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 76C91000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	528244033
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 76C91000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	528245214
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 76C31000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	528245591
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 76C31000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	528251719
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 76C31000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	528252116
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 76C31000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	528252624
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 76C31000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	528253009
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 76C31000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	528253406
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 76C31000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	528253783
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 76C31000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	528257099
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 76C31000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	528257488
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 76C31000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	528257865
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 76C31000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	528258243
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 76C31000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	528259353
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 754D1000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	528259703
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 754D1000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	528266480
Section loaded	Path: \KnownDlls\WLDAP32.dll Access: write and read and execute Type: unknown Baseaddress: 76F60000 Size: 180224 Protection: read write Mapped to pid: own pid	success or wait	528267777
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 76F61000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	528269416
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 76F61000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	528285950
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 76F61000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	528286400
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 76F61000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	528286845
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 76F61000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	528287223
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 76F61000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	528287663
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 7E291000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	528288449
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 7E291000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	528294336
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 7E291000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	528294674
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 7E291000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	528295157
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 7E291000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	528295479
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 7E291000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	528295798
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 7E291000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	528296406
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 7E291000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	528301751
Section loaded	Path: \KnownDlls\SHELL32.dll Access: write and read and execute Type: unknown Baseaddress: 7C9C0000 Size: 8482816 Protection: read write Mapped to pid: own pid	success or wait	528302173
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 7C9C1000 Length: 2000 New Protection: page read and write Old Protection: page execute read	success or wait	528303801
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 7C9C1000 Length: 2000 New Protection: page execute read Old Protection: page read and write	success or wait	528309678
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 7C9C1000 Length: 2000 New Protection: page read and write Old Protection: page execute read	success or wait	528310015
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 7C9C1000 Length: 2000 New Protection: page execute read Old Protection: page read and write	success or wait	528310379
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 7C9C1000 Length: 2000 New Protection: page read and write Old Protection: page execute read	success or wait	528310700
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 7C9C1000 Length: 2000 New Protection: page execute read Old Protection: page read and write	success or wait	528311220
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 7C9C1000 Length: 2000 New Protection: page read and write Old Protection: page execute read	success or wait	528311542
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 7C9C1000 Length: 2000 New Protection: page execute read Old Protection: page read and write	success or wait	528319839
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 7C9C1000 Length: 2000 New Protection: page read and write Old Protection: page execute read	success or wait	528320266
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 7C9C1000 Length: 2000 New Protection: page execute read Old Protection: page read and write	success or wait	528320607
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 7C9C1000 Length: 2000 New Protection: page read and write Old Protection: page execute read	success or wait	528320930
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 7C9C1000 Length: 2000 New Protection: page execute read Old Protection: page read and write	success or wait	528321249
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 7C9C1000 Length: 2000 New Protection: page read and write Old Protection: page execute read	success or wait	528321566
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 7C9C1000 Length: 2000 New Protection: page execute read Old Protection: page read and write	success or wait	528327536
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 7C9C1000 Length: 2000 New Protection: page read and write Old Protection: page execute read	success or wait	528327870
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 7C9C1000 Length: 2000 New Protection: page execute read Old Protection: page read and write	success or wait	528328472
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 1001000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	528328853
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 1001000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	528329342
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 1001000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	528329639
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 1001000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	528336115
Section loaded	Path: \KnownDlls\UxTheme.dll Access: write and read and execute Type: unknown Baseaddress: unknown Size: unknown Protection: unknown Mapped to pid: unknown	object name not found	528336497
File opened	Path: C:\WINDOWS\system32\UxTheme.dll Access: execute or traverse and synchronize Options: synchronous io non alert and non directory file Overwritten: false	success or wait	528337252
Section loaded	Path: C:\WINDOWS\system32\uxtheme.dll Access: query and write and read and execute Type: image Baseaddress: 5AD70000 Size: 229376 Protection: read write Mapped to pid: own pid	success or wait	528338281
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 5AD71000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	528343707
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 5AD71000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	528344159
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 5AD71000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	528344486
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 5AD71000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	528344881
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 5AD71000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	528346628
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 5AD71000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	528349908
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 5AD71000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	528350240
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 5AD71000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	528350564
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 5AD71000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	528350925
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 5AD71000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	528351252
Section loaded	Path: \KnownDlls\ShimEng.dll Access: write and read and execute Type: unknown Baseaddress: unknown Size: unknown Protection: unknown Mapped to pid: unknown	object name not found	528353977
File opened	Path: C:\WINDOWS\system32\ShimEng.dll Access: execute or traverse and synchronize Options: synchronous io non alert and non directory file Overwritten: false	success or wait	528364507
Section loaded	Path: C:\WINDOWS\system32\shimeng.dll Access: query and write and read and execute Type: image Baseaddress: 5CB70000 Size: 155648 Protection: read write Mapped to pid: own pid	success or wait	528365968
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 5CB71000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	528374352
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 5CB71000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	528374869
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 5CB71000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	528375185
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 5CB71000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	528382185
File opened	Path: C:\WINDOWS\AppPatch\sysmain.sdb Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file Attributes: normal Content Overwritten: null	success or wait	528383234
Section loaded	Path: C:\WINDOWS\AppPatch\sysmain.sdb Access: read Type: commit Baseaddress: 290000 Size: 1208320 Protection: readonly Mapped to pid: own pid	success or wait	528384306
File opened	Path: C:\WINDOWS\AppPatch\systest.sdb Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file Attributes: normal Content Overwritten: null	object name not found	528385527
System info queried	Type: ProcessorInformation	success or wait	528386315
Process information queried	Path: C:\WINDOWS\explorer.exe PID: 1696 Info Class: Wow64Information	success or wait	528392449
Key value queried	Path: HKEY_LOCAL_MACHINE\SYSTEM\WPA\MediaCenter Name: Installed	success or wait	528392903
File opened	Path: \Device\NamedPipe\ShimViewer Access: write data or add file and append data or add subdirectory or create pipe instance and write ea and write attributes and read control and synchronize Options: no options Attributes: normal Content Overwritten: null	object name not found	528393883
Process information queried	Path: C:\WINDOWS\explorer.exe PID: 1696 Info Class: Wow64Information	success or wait	528394658
System info queried	Type: BasicInformation	success or wait	528394906
Memory allocated	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 3C0000 Length: 7F0C8 Allocation Type: unknown Protection: page read and write	success or wait	528400526
Memory allocated	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 3C0000 Length: 7F0CC Allocation Type: unknown Protection: page read and write	success or wait	528400852
File opened	Path: \Device\NamedPipe\ShimViewer Access: write data or add file and append data or add subdirectory or create pipe instance and write ea and write attributes and read control and synchronize Options: no options Attributes: normal Content Overwritten: null	object name not found	528401479
Memory allocated	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 3C2000 Length: 7EB64 Allocation Type: unknown Protection: page read and write	success or wait	528402396
Memory allocated	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 3C3000 Length: 7EEA8 Allocation Type: unknown Protection: page read and write	success or wait	528403021
File opened	Path: C:\WINDOWS\AppPatch\AcGenral.DLL Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file Attributes: normal Content Overwritten: null	success or wait	528422126
File opened	Path: C:\WINDOWS\AppPatch\AcGenral.DLL Access: execute or traverse and synchronize Options: synchronous io non alert and non directory file Overwritten: false	success or wait	528426033
Section loaded	Path: C:\WINDOWS\AppPatch\acgenral.dll Access: write and read and execute Type: commit Baseaddress: 410000 Size: 1855488 Protection: execute Mapped to pid: own pid	success or wait	528429955
File opened	Path: C:\WINDOWS\AppPatch\AcGenral.DLL Access: execute or traverse and synchronize Options: synchronous io non alert and non directory file Overwritten: false	success or wait	528431945
Section loaded	Path: C:\WINDOWS\AppPatch\acgenral.dll Access: write and read and execute Type: commit Baseaddress: 410000 Size: 1855488 Protection: execute Mapped to pid: own pid	success or wait	528435389
File opened	Path: C:\WINDOWS\AppPatch\AcGenral.DLL Access: execute or traverse and synchronize Options: synchronous io non alert and non directory file Overwritten: false	success or wait	528440262
Section loaded	Path: C:\WINDOWS\AppPatch\acgenral.dll Access: query and write and read and execute Type: image Baseaddress: 6F880000 Size: 1875968 Protection: read write Mapped to pid: own pid	success or wait	528441567
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 6F881000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	528460550
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 6F881000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	528461602
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 6F881000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	528462043
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 6F881000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	528507236
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 6F881000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	528508206
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 6F881000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	528508536
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 6F881000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	528508864
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 6F881000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	528509205
Section loaded	Path: \KnownDlls\WINMM.dll Access: write and read and execute Type: unknown Baseaddress: unknown Size: unknown Protection: unknown Mapped to pid: unknown	object name not found	528509599
File opened	Path: C:\WINDOWS\system32\WINMM.dll Access: execute or traverse and synchronize Options: synchronous io non alert and non directory file Overwritten: false	success or wait	528520225
Section loaded	Path: C:\WINDOWS\system32\winmm.dll Access: query and write and read and execute Type: image Baseaddress: 76B40000 Size: 184320 Protection: read write Mapped to pid: own pid	success or wait	528522049
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 76B41000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	528525509
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 76B41000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	528532176
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 76B41000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	528532547
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 76B41000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	528532899
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 76B41000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	528533258
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 76B41000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	528533731
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 76B41000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	528534550
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 76B41000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	528539584
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 76B41000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	528539955
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 76B41000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	528540308
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 6F881000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	528540641
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 6F881000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	528540964
Section loaded	Path: \KnownDlls\MSACM32.dll Access: write and read and execute Type: unknown Baseaddress: unknown Size: unknown Protection: unknown Mapped to pid: unknown	object name not found	528542808
File opened	Path: C:\WINDOWS\system32\MSACM32.dll Access: execute or traverse and synchronize Options: synchronous io non alert and non directory file Overwritten: false	success or wait	528548299
Section loaded	Path: C:\WINDOWS\system32\msacm32.dll Access: query and write and read and execute Type: image Baseaddress: 77BE0000 Size: 86016 Protection: read write Mapped to pid: own pid	success or wait	528549941
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 77BE1000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	528559526
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 77BE1000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	528560031
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 77BE1000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	528560438
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 77BE1000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	528560793
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 77BE1000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	528561154
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 77BE1000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	528561575
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 77BE1000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	528576820
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 77BE1000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	528577189
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 77BE1000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	528577553
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 77BE1000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	528577909
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 6F881000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	528578257
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 6F881000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	528578582
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 6F881000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	528586115
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 6F881000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	528586450
Section loaded	Path: \KnownDlls\USERENV.dll Access: write and read and execute Type: unknown Baseaddress: 769C0000 Size: 737280 Protection: read write Mapped to pid: own pid	success or wait	528586851
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 769C1000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	528588675
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 769C1000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	528627599
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 769C1000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	528627979
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 769C1000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	528628454
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 769C1000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	528628813
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 769C1000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	528629176
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 769C1000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	528630615
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 769C1000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	528636470
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 769C1000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	528636838
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 769C1000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	528637204
System info queried	Type: BasicInformation	success or wait	528638351
Memory allocated	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 3D0000 Length: 7E978 Allocation Type: unknown Protection: page read and write	success or wait	528638709
Memory allocated	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 3D0000 Length: 7E97C Allocation Type: unknown Protection: page read and write	success or wait	528639311
Memory allocated	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 3D1000 Length: 7E658 Allocation Type: unknown Protection: page read and write	success or wait	528644142
Section loaded	Path: \NLS\NlsSectionCType Access: read Type: unknown Baseaddress: 3E0000 Size: 12288 Protection: readonly Mapped to pid: own pid	success or wait	528645066
Memory allocated	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 3D3000 Length: 7E70C Allocation Type: unknown Protection: page read and write	success or wait	528647008
Process information queried	Path: C:\WINDOWS\explorer.exe PID: 1696 Info Class: Cookie	success or wait	528648659
Process information queried	Path: C:\WINDOWS\explorer.exe PID: 1696 Info Class: Cookie	success or wait	528656041
Mutant created	Name: \BaseNamedObjects\SHIMLIB_LOG_MUTEX	object name exists	528656587
File opened	Path: \Device\NamedPipe\ShimViewer Access: write data or add file and append data or add subdirectory or create pipe instance and write ea and write attributes and read control and synchronize Options: no options Attributes: normal Content Overwritten: null	object name not found	528658717
System info queried	Type: BasicInformation	success or wait	528659434
Memory allocated	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 410000 Length: 7F04C Allocation Type: unknown Protection: page read and write	success or wait	528659781
Memory allocated	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 410000 Length: 7F050 Allocation Type: unknown Protection: page read and write	success or wait	528665013
Memory allocated	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 411000 Length: 7ED2C Allocation Type: unknown Protection: page read and write	success or wait	528665444
System info queried	Type: BasicInformation	success or wait	528666069
System info queried	Type: ProcessorInformation	success or wait	528666379
File opened	Path: C:\WINDOWS\AppPatch\AcGenral.DLL Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file Attributes: normal Content Overwritten: null	success or wait	528670641
File opened	Path: \Device\NamedPipe\ShimViewer Access: write data or add file and append data or add subdirectory or create pipe instance and write ea and write attributes and read control and synchronize Options: no options Attributes: normal Content Overwritten: null	object name not found	528672292
System info queried	Type: BasicInformation	success or wait	528672969
System info queried	Type: ProcessorInformation	success or wait	528678798
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 1001268 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	528679387
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 1001000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	528679687
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 77DD1218 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	528697175
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 77DD1000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	528697485
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 77E71178 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	528697796
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 77E71000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	528698088
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 77FE1098 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	528698392
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 77FE1000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	528698682
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 75F811EC Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	528715309
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 75F81000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	528715616
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 77F110B4 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	528716055
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 77F11000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	528716351
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 7E41133C Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	528716705
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 7E411000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	528716997
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 77C110D0 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	528728229
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 77C11000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	528728536
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 774E1218 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	528728858
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 774E1000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	528729194
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 77F61438 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	528729540
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 77F61000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	528729834
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 7712129C Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	528779541
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 77121000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	528779849
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 7E2911E8 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	528780210
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 7E291000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	528780503
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 77A81188 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	528780866
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 77A81000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	528781157
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 77B2103C Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	528786717
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 77B21000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	528787018
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 754D12F8 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	528787327
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 754D1000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	528787618
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 5B8611BC Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	528787926
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 5B861000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	528788218
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 77C01050 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	528796202
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 77C01000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	528796509
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 3D9314B0 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	528796849
Memory attributes changed	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 3D931000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	528797142
Process information queried	Path: C:\WINDOWS\explorer.exe PID: 1696 Info Class: ImageInformation	success or wait	528825205
Memory allocated	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 94000 Length: 7F788 Allocation Type: unknown Protection: page read and write	success or wait	528871865
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Name: LeakTrack	object name not found	528878057
System info queried	Type: BasicInformation	success or wait	528879127
Key value queried	Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager Name: SafeDllSearchMode	object name not found	528880192
File opened	Path: C:\WINDOWS\system32\IMM32.DLL Access: execute or traverse and synchronize Options: synchronous io non alert and non directory file Overwritten: false	success or wait	528888924
Section loaded	Path: C:\WINDOWS\system32\imm32.dll Access: write and read and execute Type: commit Baseaddress: 360000 Size: 110592 Protection: execute Mapped to pid: own pid	success or wait	528889969
File opened	Path: C:\WINDOWS\system32\IMM32.DLL Access: execute or traverse and synchronize Options: synchronous io non alert and non directory file Overwritten: false	success or wait	528892679
Section loaded	Path: C:\WINDOWS\system32\imm32.dll Access: write and read and execute Type: commit Baseaddress: 360000 Size: 110592 Protection: execute Mapped to pid: own pid	success or wait	528899226
File opened	Path: C:\WINDOWS\system32\IMM32.DLL Access: execute or traverse and synchronize Options: synchronous io non alert and non directory file Overwritten: false	success or wait	529096399
Section loaded	Path: C:\WINDOWS\system32\imm32.dll Access: query and write and read and execute Type: image Baseaddress: 76390000 Size: 118784 Protection: read write Mapped to pid: own pid	success or wait	529097583
System info queried	Type: BasicInformation	success or wait	529126589
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize Name: DisableMetaFiles	object name not found	529127756
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Name: AppInit_DLLs	success or wait	529130116
System info queried	Type: BasicInformation	success or wait	529379832
Memory allocated	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 370000 Length: 7F91C Allocation Type: unknown Protection: page read and write	success or wait	529381974
Memory allocated	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 370000 Length: 7F920 Allocation Type: unknown Protection: page read and write	success or wait	529382435
Memory allocated	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 371000 Length: 7F5FC Allocation Type: unknown Protection: page read and write	success or wait	529383067
Memory allocated	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 373000 Length: 7F6B8 Allocation Type: unknown Protection: page read and write	success or wait	529390545
Process information queried	Path: C:\WINDOWS\explorer.exe PID: 1696 Info Class: Cookie	success or wait	529392123
Process information queried	Path: C:\WINDOWS\explorer.exe PID: 1696 Info Class: Cookie	success or wait	529392385
Memory allocated	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 95000 Length: 7F5BC Allocation Type: unknown Protection: page read and write	success or wait	529399012
File opened	Path: \Device\KsecDD Access: read data or list directory and synchronize Options: synchronous io alert Overwritten: false	success or wait	529411354
System info queried	Type: BasicInformation	success or wait	529421570
System info queried	Type: ProcessorInformation	success or wait	529421865
Key value queried	Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager Name: CriticalSectionTimeout	success or wait	529422896
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole Name: RWLockResourceTimeOut	object name not found	529423826
System info queried	Type: BasicInformation	success or wait	529474470
System info queried	Type: ProcessorInformation	success or wait	529474775
System info queried	Type: BasicInformation	success or wait	529477489
System info queried	Type: ProcessorInformation	success or wait	529477843
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface Name: InterfaceHelperDisableAll	object name not found	529478316
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface Name: InterfaceHelperDisableAllForOle32	object name not found	529478944
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface Name: InterfaceHelperDisableTypeLib	object name not found	529479259
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{00020400-0000-0000-C000-000000000046} Name: InterfaceHelperDisableAll	object name not found	529480524
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{00020400-0000-0000-C000-000000000046} Name: InterfaceHelperDisableAllForOle32	object name not found	529480849
File opened	Path: C:\WINDOWS\system32\BROWSEUI.dll Access: execute or traverse and synchronize Options: synchronous io non alert and non directory file Overwritten: false	success or wait	529485056
Section loaded	Path: C:\WINDOWS\system32\browseui.dll Access: read Type: commit Baseaddress: 860000 Size: 1028096 Protection: readonly Mapped to pid: own pid	success or wait	529486138
File opened	Path: C:\WINDOWS\system32\BROWSEUI.dll.123.Manifest Access: read data or list directory and read ea and execute or traverse and read attributes and read control and synchronize Options: synchronous io non alert and non directory file Overwritten: false	object name not found	529490953
File opened	Path: C:\WINDOWS\system32\BROWSEUI.dll.123.Config Access: read data or list directory and read ea and execute or traverse and read attributes and read control and synchronize Options: synchronous io non alert and non directory file Overwritten: false	object name not found	529495858
Memory allocated	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 96000 Length: 7F244 Allocation Type: unknown Protection: page read and write	success or wait	529529808
File opened	Path: C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202 Access: execute or traverse and synchronize Options: directory file and synchronous io non alert Overwritten: false	success or wait	529530837
File opened	Path: C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll Access: execute or traverse and synchronize Options: synchronous io non alert and non directory file Overwritten: false	success or wait	529532709
Section loaded	Path: C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll Access: write and read and execute Type: commit Baseaddress: 860000 Size: 1056768 Protection: execute Mapped to pid: own pid	success or wait	529534333
File opened	Path: C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll Access: execute or traverse and synchronize Options: synchronous io non alert and non directory file Overwritten: false	success or wait	529537553
Section loaded	Path: C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll Access: query and write and read and execute Type: image Baseaddress: 773D0000 Size: 1060864 Protection: read write Mapped to pid: own pid	success or wait	529554813
File opened	Path: C:\WINDOWS\WindowsShell.Manifest Access: execute or traverse and synchronize Options: synchronous io non alert and non directory file Overwritten: false	success or wait	529575099
Section loaded	Path: C:\WINDOWS\WindowsShell.Manifest Access: write and read and execute Type: commit Baseaddress: 390000 Size: 4096 Protection: execute Mapped to pid: own pid	success or wait	529576694
File opened	Path: C:\WINDOWS\WindowsShell.Manifest Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file Attributes: none Content Overwritten: null	success or wait	529580716
Section loaded	Path: C:\WINDOWS\WindowsShell.Manifest Access: query and read Type: commit Baseaddress: 390000 Size: 4096 Protection: readonly Mapped to pid: own pid	success or wait	529583861
File opened	Path: C:\WINDOWS\WindowsShell.Manifest Access: execute or traverse and synchronize Options: synchronous io non alert and non directory file Overwritten: false	success or wait	529588317
Section loaded	Path: C:\WINDOWS\WindowsShell.Manifest Access: read Type: commit Baseaddress: 390000 Size: 4096 Protection: readonly Mapped to pid: own pid	success or wait	529589499
File opened	Path: C:\WINDOWS\WindowsShell.Config Access: read data or list directory and read ea and execute or traverse and read attributes and read control and synchronize Options: synchronous io non alert and non directory file Overwritten: false	object name not found	529591009
Key value queried	Path: HKEY_USERS\Control Panel\Desktop Name: SmoothScroll	object name not found	529627262
Key value queried	Path: HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced Name: EnableBalloonTips	object name not found	529631189
Memory allocated	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 97000 Length: 7F680 Allocation Type: unknown Protection: page read and write	success or wait	529644315
Memory allocated	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 98000 Length: 7F680 Allocation Type: unknown Protection: page read and write	success or wait	529646983
Memory allocated	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 99000 Length: 7F67C Allocation Type: unknown Protection: page read and write	success or wait	529648229
Memory allocated	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 9A000 Length: 7F6E4 Allocation Type: unknown Protection: page read and write	success or wait	529649075
File opened	Path: C:\WINDOWS\system32\urlmon.dll.123.Manifest Access: read data or list directory and read ea and execute or traverse and read attributes and read control and synchronize Options: synchronous io non alert and non directory file Overwritten: false	object name not found	529662581
File opened	Path: C:\WINDOWS\system32\urlmon.dll.123.Config Access: read data or list directory and read ea and execute or traverse and read attributes and read control and synchronize Options: synchronous io non alert and non directory file Overwritten: false	object name not found	529663634
Memory allocated	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 9B000 Length: 7F448 Allocation Type: unknown Protection: page read and write	success or wait	529700338
File opened	Path: C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202 Access: execute or traverse and synchronize Options: directory file and synchronous io non alert Overwritten: false	success or wait	529702228
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings Name: DisableImprovedZoneCheck	object name not found	529710202
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_PROTOCOL_LOCKDOWN Name: explorer.exe	success or wait	529730073
Memory allocated	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 9C000 Length: 7F6CC Allocation Type: unknown Protection: page read and write	success or wait	529738784
System info queried	Type: BasicInformation	success or wait	529739341
Memory allocated	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 860000 Length: 7F918 Allocation Type: unknown Protection: page read and write	success or wait	529739715
Memory allocated	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 860000 Length: 7F91C Allocation Type: unknown Protection: page read and write	success or wait	529741002
Memory allocated	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 861000 Length: 7F5F8 Allocation Type: unknown Protection: page read and write	success or wait	529741464
File opened	Path: WMIDataDevice Access: read attributes and synchronize and generic read and generic write Options: non directory file Attributes: normal Content Overwritten: true	success or wait	529742071
File opened	Path: WMIDataDevice Access: read attributes and synchronize and generic read and generic write Options: non directory file Attributes: normal Content Overwritten: true	success or wait	529748511
Memory allocated	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 863000 Length: 7F590 Allocation Type: unknown Protection: page read and write	success or wait	529749165
Memory allocated	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 960000 Length: 7F368 Allocation Type: unknown Protection: page read and write	success or wait	529749622
Memory allocated	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 991000 Length: 7F364 Allocation Type: unknown Protection: page read and write	success or wait	529750243
Thread created	PID: 1696 TID: 2000 EIP: 7C8106F9 EAX: 77DF848A Imagepath: C:\WINDOWS\explorer.exe	success or wait	529751974
Thread resumed	TID: 2000 PID: 1696 Path: C:\WINDOWS\explorer.exe	success or wait	529753591
Memory allocated	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 865000 Length: 7F4FC Allocation Type: unknown Protection: page read and write	success or wait	529756403
File opened	Path: C:\WINDOWS\system32\WININET.dll.123.Manifest Access: read data or list directory and read ea and execute or traverse and read attributes and read control and synchronize Options: synchronous io non alert and non directory file Overwritten: false	object name not found	529764285
File opened	Path: C:\WINDOWS\system32\WININET.dll.123.Config Access: read data or list directory and read ea and execute or traverse and read attributes and read control and synchronize Options: synchronous io non alert and non directory file Overwritten: false	object name not found	529765532
File opened	Path: C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202 Access: execute or traverse and synchronize Options: directory file and synchronous io non alert Overwritten: false	success or wait	529801281
System info queried	Type: BasicInformation	success or wait	529811289
System info queried	Type: ProcessorInformation	success or wait	529811594
System info queried	Type: BasicInformation	success or wait	529813408
Memory allocated	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 9A0000 Length: 7F9A0 Allocation Type: unknown Protection: page read and write	success or wait	529814396
Memory allocated	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 9A0000 Length: 7F9A4 Allocation Type: unknown Protection: page read and write	success or wait	529814687
Mutant created	Name: unknown	success or wait	529815714
Mutant created	Name: unknown	success or wait	529816019
Key value queried	Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ldap Name: LdapClientIntegrity	success or wait	529816582
Memory allocated	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 9E000 Length: 7F418 Allocation Type: unknown Protection: page read and write	success or wait	529817497
File opened	Path: C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202 Access: execute or traverse and synchronize Options: directory file and synchronous io non alert Overwritten: false	success or wait	529818482
Section loaded	Path: \KnownDlls\RichEd20.dll Access: write and read and execute Type: unknown Baseaddress: unknown Size: unknown Protection: unknown Mapped to pid: unknown	object name not found	529821413
File opened	Path: C:\WINDOWS\system32\RichEd20.dll Access: execute or traverse and synchronize Options: synchronous io non alert and non directory file Overwritten: false	success or wait	529823223
Section loaded	Path: C:\WINDOWS\system32\riched20.dll Access: query and write and read and execute Type: image Baseaddress: 74E30000 Size: 446464 Protection: read write Mapped to pid: own pid	success or wait	529824411
Memory allocated	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 374000 Length: 7EFA4 Allocation Type: unknown Protection: page read and write	success or wait	529854977
File opened	Path: C:\WINDOWS\system32\SHDOCVW.dll Access: execute or traverse and synchronize Options: synchronous io non alert and non directory file Overwritten: false	success or wait	529857211
Section loaded	Path: C:\WINDOWS\system32\shdocvw.dll Access: read Type: commit Baseaddress: AA0000 Size: 1499136 Protection: readonly Mapped to pid: own pid	success or wait	529859261
File opened	Path: C:\WINDOWS\system32\SHDOCVW.dll.123.Manifest Access: read data or list directory and read ea and execute or traverse and read attributes and read control and synchronize Options: synchronous io non alert and non directory file Overwritten: false	object name not found	529883461
File opened	Path: C:\WINDOWS\system32\SHDOCVW.dll.123.Config Access: read data or list directory and read ea and execute or traverse and read attributes and read control and synchronize Options: synchronous io non alert and non directory file Overwritten: false	object name not found	529885822
File opened	Path: C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202 Access: execute or traverse and synchronize Options: directory file and synchronous io non alert Overwritten: false	success or wait	529900589
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{EAB22AC1-30C1-11CF-A7EB-0000C05BAE0B}\TypeLib Name: NULL	success or wait	529905740
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{B722BCCB-4E68-101B-A2BC-00AA00404770}\ProxyStubClsid32 Name: NULL	success or wait	529906692
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{79EAC9C4-BAF9-11CE-8C82-00AA004BA90B}\ProxyStubClsid32 Name: NULL	success or wait	529908080
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{000214E6-0000-0000-C000-000000000046}\ProxyStubClsid32 Name: NULL	success or wait	529909049
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{93F2F68C-1D1B-11D3-A30E-00C04F79ABD1}\ProxyStubClsid32 Name: NULL	success or wait	529909700
Key value queried	Path: HKEY_LOCAL_MACHINE\SYSTEM\Setup Name: SystemSetupInProgress	success or wait	529910332
File opened	Path: C:\WINDOWS\system32\SHELL32.dll Access: read data or list directory and read ea and execute or traverse and read attributes and read control and synchronize Options: synchronous io non alert and non directory file Overwritten: false	success or wait	529911479
Section loaded	Path: C:\WINDOWS\system32\shell32.dll Access: read Type: commit Baseaddress: 1100000 Size: 8462336 Protection: readonly Mapped to pid: own pid	success or wait	529912099
File opened	Path: C:\WINDOWS\system32\SHELL32.dll.124.Manifest Access: read data or list directory and read ea and execute or traverse and read attributes and read control and synchronize Options: synchronous io non alert and non directory file Overwritten: false	object name not found	529912989
File opened	Path: C:\WINDOWS\system32\SHELL32.dll.124.Config Access: read data or list directory and read ea and execute or traverse and read attributes and read control and synchronize Options: synchronous io non alert and non directory file Overwritten: false	object name not found	529913601
Memory allocated	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: 9F000 Length: 7F24C Allocation Type: unknown Protection: page read and write	success or wait	529927408
File opened	Path: C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202 Access: execute or traverse and synchronize Options: directory file and synchronous io non alert Overwritten: false	success or wait	529927761
Section loaded	Path: \KnownDlls\comctl32.dll Access: write and read and execute Type: unknown Baseaddress: 5D090000 Size: 630784 Protection: read write Mapped to pid: own pid	success or wait	529928852
System info queried	Type: BasicInformation	success or wait	529937723
Memory allocated	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: AB0000 Length: 7F1B8 Allocation Type: unknown Protection: page read and write	success or wait	529937865
Memory allocated	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: AB0000 Length: 7F1BC Allocation Type: unknown Protection: page read and write	success or wait	529937994
Memory allocated	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: AB1000 Length: 7EE98 Allocation Type: unknown Protection: page read and write	success or wait	529938287
Memory allocated	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: AB3000 Length: 7EF4C Allocation Type: unknown Protection: page read and write	success or wait	529938565
File opened	Path: C:\WINDOWS\system32\comctl32.dll Access: read data or list directory and read ea and execute or traverse and read attributes and read control and synchronize Options: synchronous io non alert and non directory file Overwritten: false	success or wait	529939124
Section loaded	Path: C:\WINDOWS\system32\comctl32.dll Access: read Type: commit Baseaddress: AC0000 Size: 618496 Protection: readonly Mapped to pid: own pid	success or wait	529939549
File opened	Path: C:\WINDOWS\system32\comctl32.dll.124.Manifest Access: read data or list directory and read ea and execute or traverse and read attributes and read control and synchronize Options: synchronous io non alert and non directory file Overwritten: false	object name not found	529939922
File opened	Path: C:\WINDOWS\system32\comctl32.dll.124.Config Access: read data or list directory and read ea and execute or traverse and read attributes and read control and synchronize Options: synchronous io non alert and non directory file Overwritten: false	object name not found	529940828
Process information queried	Path: C:\WINDOWS\explorer.exe PID: 1696 Info Class: SessionInformation	success or wait	529943955
Key value queried	Path: HKEY_USERS\Control Panel\Desktop Name: SmoothScroll	object name not found	529944996
Key value queried	Path: HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\ThemeManager Name: Compositing	object name not found	529946721
Key value queried	Path: HKEY_USERS\Control Panel\Desktop Name: LameButtonText	object name not found	529947623
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: wave	success or wait	529948713
Memory allocated	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: AC0000 Length: 7F52C Allocation Type: unknown Protection: page read and write	success or wait	529949460
Memory allocated	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: AC0000 Length: 7F528 Allocation Type: unknown Protection: page read and write	success or wait	529949714
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: wave	success or wait	529949861
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: wave1	success or wait	529950222
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: wave1	success or wait	529950607
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: wave2	object name not found	529950980
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: wave3	object name not found	529951392
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: wave4	object name not found	529952197
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: wave5	object name not found	529952616
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: wave6	object name not found	529953243
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: wave7	object name not found	529954184
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: wave8	object name not found	529954851
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: wave9	object name not found	529955227
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: midi	success or wait	529955725
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: midi	success or wait	529956095
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: midi1	success or wait	529956479
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: midi1	success or wait	529957072
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: midi2	object name not found	529957454
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: midi3	object name not found	529957811
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: midi4	object name not found	529958621
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: midi5	object name not found	529959026
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: midi6	object name not found	529959653
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: midi7	object name not found	529960568
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: midi8	object name not found	529961237
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: midi9	object name not found	529961597
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: aux	success or wait	529962125
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: aux	success or wait	529962495
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: aux1	success or wait	529962851
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: aux1	success or wait	529963230
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: aux2	object name not found	529963603
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: aux3	object name not found	529963959
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: aux4	object name not found	529964760
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: aux5	object name not found	529965180
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: aux6	object name not found	529966387
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: aux7	object name not found	529967286
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: aux8	object name not found	529967951
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: aux9	object name not found	529968326
Key value queried	Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\MediaProperties\PrivateProperties\Joystick\Winmm Name: wheel	success or wait	529968907
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: mixer	success or wait	529969374
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: mixer	success or wait	529969745
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: mixer1	success or wait	529970119
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: mixer1	success or wait	529970969
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: mixer2	object name not found	529971639
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: mixer3	object name not found	529972036
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: mixer4	object name not found	529972954
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: mixer5	object name not found	529973602
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: mixer6	object name not found	529973976
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: mixer7	object name not found	529974481
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: mixer8	object name not found	529974839
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: mixer9	object name not found	529975196
Key value queried	Path: HKEY_USERS\Software\Microsoft\Multimedia\Audio Name: SystemFormats	success or wait	529975992
Memory allocated	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: A0000 Length: 7EEE8 Allocation Type: unknown Protection: page read and write	success or wait	529977341
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: msacm.imaadpcm	buffer overflow	529977660
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: msacm.imaadpcm	success or wait	529978343
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.imaadpcm Name: fdwSupport	success or wait	529983777
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.imaadpcm Name: cFormatTags	success or wait	529984158
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.imaadpcm Name: aFormatTagCache	success or wait	529984347
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.imaadpcm Name: cFilterTags	success or wait	529984531
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: msacm.msadpcm	buffer overflow	529985414
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: msacm.msadpcm	success or wait	529985541
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msadpcm Name: fdwSupport	success or wait	529986143
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msadpcm Name: cFormatTags	success or wait	529986916
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msadpcm Name: aFormatTagCache	success or wait	529987121
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msadpcm Name: cFilterTags	success or wait	529987306
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: msacm.msg711	buffer overflow	529988166
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: msacm.msg711	success or wait	529988383
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msg711 Name: fdwSupport	success or wait	529988695
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msg711 Name: cFormatTags	success or wait	529989050
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msg711 Name: aFormatTagCache	success or wait	529989237
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msg711 Name: cFilterTags	success or wait	529989421
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: msacm.msgsm610	buffer overflow	529990335
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: msacm.msgsm610	success or wait	529990731
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msgsm610 Name: fdwSupport	success or wait	529991036
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msgsm610 Name: cFormatTags	success or wait	529991782
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msgsm610 Name: aFormatTagCache	success or wait	529991997
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msgsm610 Name: cFilterTags	success or wait	529992489
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: msacm.trspch	buffer overflow	529993238
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: msacm.trspch	success or wait	529993378
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.trspch Name: fdwSupport	success or wait	529993690
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.trspch Name: cFormatTags	success or wait	529994381
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.trspch Name: aFormatTagCache	success or wait	529994595
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.trspch Name: cFilterTags	success or wait	529995022
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: msacm.msg723	buffer overflow	529996306
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: msacm.msg723	success or wait	529996580
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msg723 Name: fdwSupport	success or wait	530001103
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msg723 Name: cFormatTags	success or wait	530001322
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msg723 Name: aFormatTagCache	success or wait	530001518
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msg723 Name: cFilterTags	success or wait	530001709
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: msacm.msaudio1	buffer overflow	530002849
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: msacm.msaudio1	success or wait	530003546
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msaudio1 Name: fdwSupport	success or wait	530004139
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msaudio1 Name: cFormatTags	success or wait	530004484
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msaudio1 Name: aFormatTagCache	success or wait	530004678
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msaudio1 Name: cFilterTags	success or wait	530004870
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: msacm.sl_anet	buffer overflow	530005319
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: msacm.sl_anet	success or wait	530005915
Memory allocated	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: A1000 Length: 7EF90 Allocation Type: unknown Protection: page read and write	success or wait	530006410
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.sl_anet Name: fdwSupport	success or wait	530007193
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.sl_anet Name: cFormatTags	success or wait	530007677
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.sl_anet Name: aFormatTagCache	success or wait	530007874
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.sl_anet Name: cFilterTags	success or wait	530008211
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: msacm.iac2	buffer overflow	530009276
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: msacm.iac2	success or wait	530009413
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.iac2 Name: fdwSupport	success or wait	530010213
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.iac2 Name: cFormatTags	success or wait	530010671
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.iac2 Name: aFormatTagCache	success or wait	530010870
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.iac2 Name: cFilterTags	success or wait	530011649
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: msacm.l3acm	buffer overflow	530012507
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: msacm.l3acm	success or wait	530012644
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.l3acm Name: fdwSupport	success or wait	530012988
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.l3acm Name: cFormatTags	success or wait	530013185
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.l3acm Name: aFormatTagCache	success or wait	530013409
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.l3acm Name: cFilterTags	success or wait	530014161
Key value queried	Path: HKEY_USERS\Software\Microsoft\Multimedia\Audio Compression Manager\MSACM Name: NoPCMConverter	object name not found	530020146
Memory allocated	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: A2000 Length: 7EFB0 Allocation Type: unknown Protection: page read and write	success or wait	530020903
Key value queried	Path: HKEY_USERS\Software\Microsoft\Multimedia\Audio Compression Manager\Priority v4.00 Name: Priority1	object name not found	530023350
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Name: UserEnvDebugLevel	object name not found	530023938
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Name: ChkAccDebugLevel	object name not found	530024286
Key value queried	Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ProductOptions Name: ProductType	success or wait	530026066
Key value queried	Path: HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders Name: Personal	success or wait	530030568
Key value queried	Path: HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders Name: Local Settings	success or wait	530030779
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Name: RsopDebugLevel	object name not found	530031693
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Name: UserEnvDebugLevel	object name not found	530032875
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Name: RsopLogging	object name not found	530033071
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System Name: UserEnvDebugLevel	object name not found	530033872
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System Name: RsopLogging	object name not found	530034063
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Name: UserEnvDebugLevel	object name not found	530034411
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System Name: UserEnvDebugLevel	object name not found	530034749
File opened	Path: WMIDataDevice Access: read attributes and synchronize and generic read and generic write Options: non directory file Attributes: normal Content Overwritten: true	success or wait	530040398
Process information queried	Path: C:\WINDOWS\explorer.exe PID: 1696 Info Class: DefaultHardErrorMode	success or wait	530043095
File opened	Path: C:\WINDOWS\explorer.exe Access: read data or list directory and read ea and execute or traverse and read attributes and read control and synchronize Options: synchronous io non alert and non directory file Overwritten: false	success or wait	530043634
Section loaded	Path: C:\WINDOWS\explorer.exe Access: read Type: commit Baseaddress: B70000 Size: 1036288 Protection: readonly Mapped to pid: own pid	success or wait	530044028
File opened	Path: C:\WINDOWS\explorer.exe.123.Manifest Access: read data or list directory and read ea and execute or traverse and read attributes and read control and synchronize Options: synchronous io non alert and non directory file Overwritten: false	object name not found	530044384
File opened	Path: C:\WINDOWS\explorer.exe.123.Config Access: read data or list directory and read ea and execute or traverse and read attributes and read control and synchronize Options: synchronous io non alert and non directory file Overwritten: false	object name not found	530044800
File opened	Path: C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202 Access: execute or traverse and synchronize Options: directory file and synchronous io non alert Overwritten: false	success or wait	530057930
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer Name: NoNetHood	object name not found	530067279
Key value queried	Path: HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer Name: NoNetHood	object name not found	530067766
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer Name: NoPropertiesMyComputer	object name not found	530068204
Key value queried	Path: HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer Name: NoPropertiesMyComputer	object name not found	530068642
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer Name: NoInternetIcon	object name not found	530069069
Key value queried	Path: HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer Name: NoInternetIcon	object name not found	530069540
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer Name: NoCommonGroups	object name not found	530070259
Key value queried	Path: HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer Name: NoCommonGroups	object name not found	530070690
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer Name: NoControlPanel	object name not found	530071273
Key value queried	Path: HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer Name: NoControlPanel	object name not found	530075553
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer Name: NoSetFolders	object name not found	530076141
Key value queried	Path: HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer Name: NoSetFolders	object name not found	530076656
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32 Name: NULL	success or wait	530077418
Process information queried	Path: C:\WINDOWS\explorer.exe PID: 1696 Info Class: DeviceMap	success or wait	530077884
Section loaded	Path: \KnownDlls\SETUPAPI.dll Access: write and read and execute Type: unknown Baseaddress: unknown Size: unknown Protection: unknown Mapped to pid: unknown	object name not found	530078162
File opened	Path: C:\WINDOWS\system32\SETUPAPI.dll Access: execute or traverse and synchronize Options: synchronous io non alert and non directory file Overwritten: false	success or wait	530078524
Section loaded	Path: C:\WINDOWS\system32\setupapi.dll Access: query and write and read and execute Type: image Baseaddress: 77920000 Size: 995328 Protection: read write Mapped to pid: own pid	success or wait	530079000
Process information queried	Path: C:\WINDOWS\explorer.exe PID: 1696 Info Class: Wow64Information	success or wait	530084773
Key value queried	Path: HKEY_LOCAL_MACHINE\SYSTEM\Setup Name: SystemSetupInProgress	success or wait	530085061
Key value queried	Path: HKEY_LOCAL_MACHINE\SYSTEM\WPA\PnP Name: seed	success or wait	530085622
Key value queried	Path: HKEY_LOCAL_MACHINE\SYSTEM\Setup Name: OsLoaderPath	success or wait	530086164
Key value queried	Path: HKEY_LOCAL_MACHINE\SYSTEM\Setup Name: OsLoaderPath	success or wait	530086462
Key value queried	Path: HKEY_LOCAL_MACHINE\SYSTEM\Setup Name: SystemPartition	success or wait	530087014
Key value queried	Path: HKEY_LOCAL_MACHINE\SYSTEM\Setup Name: SystemPartition	success or wait	530087309
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup Name: SourcePath	success or wait	530087886
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup Name: SourcePath	success or wait	530088199
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup Name: ServicePackSourcePath	success or wait	530088746
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup Name: ServicePackSourcePath	success or wait	530089045
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup Name: ServicePackCachePath	success or wait	530092932
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup Name: ServicePackCachePath	success or wait	530094321
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup Name: DriverCachePath	success or wait	530094922
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup Name: DriverCachePath	success or wait	530095219
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion Name: DevicePath	success or wait	530095777
Mutant created	Name: unknown	success or wait	530096270
Mutant created	Name: unknown	success or wait	530096476
Mutant created	Name: unknown	success or wait	530096680
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup Name: LogLevel	success or wait	530096984
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup Name: LogLevel	success or wait	530097283
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup Name: LogPath	object name not found	530097590
Key value queried	Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ComputerName\ActiveComputerName Name: ComputerName	success or wait	530098247
Key value queried	Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters Name: Hostname	success or wait	530098793
Key value queried	Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters Name: Domain	success or wait	530099335
System info queried	Type: BasicInformation	success or wait	530100241
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc Name: MaxRpcSize	object name not found	530100538
System time queried	Time: 129718679881093750	success or wait	530101087
System info queried	Type: PerformanceInformation	success or wait	530101384
Process information queried	Path: C:\WINDOWS\explorer.exe PID: 1696 Info Class: QuotaLimits	success or wait	530101736
Process information queried	Path: C:\WINDOWS\explorer.exe PID: 1696 Info Class: VmCounters	success or wait	530101954
Key value queried	Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ComputerName\ActiveComputerName Name: ComputerName	success or wait	530102410
Memory allocated	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: A3000 Length: 7EA88 Allocation Type: unknown Protection: page read and write	success or wait	530103138
File opened	Path: \pipe\lsarpc Access: read attributes and synchronize and generic read and generic write Options: non directory file Attributes: none Content Overwritten: true	success or wait	530103487
File other op	Path: \lsarpc New path: Disposition: PipeInformation Data : unknown	success or wait	530103883
File other op	Path: \lsarpc New path: Disposition: CompletionInformation Data : unknown	success or wait	530104134
File write	Path: \lsarpc Offset: 0 Length: 72 Value: 05 00 0b 03 10 00 00 00 48 00 00 00 01 00 00 00 b8 10 b8 10 00 00 00 00 01 00 00 00 00 00 01 00 78 57 34 12 34 12 cd ab ef 00 01 23 45 67 89 ab 00 00 00 00 04 5d 88 8a eb 1c c9 11 9f e8 08 00 2b 10 48 60 02 00 00 00	success or wait	530114763
File read	Path: \lsarpc Offset: 0 Length: 1024	pending	530115552
File control set	Path: \lsarpc Control Code: 11C017 Input Buffer: ........@.......(.....,.........................................	pending	530115997
File control set	Path: \lsarpc Control Code: 11C017 Input Buffer: ........j.......R...........h.F...P@..\../,.*.,.................S.e.L.o.a.d.D.r.i.v.e.r.P.r.i.v.i.l.e.g.e.	pending	530116733
File control set	Path: \lsarpc Control Code: 11C017 Input Buffer: ........,...................h.F...P@..\../,.	pending	530117269
File opened	Path: \pipe\lsarpc Access: read attributes and synchronize and generic read and generic write Options: non directory file Attributes: none Content Overwritten: true	success or wait	530118351
File other op	Path: \lsarpc New path: Disposition: PipeInformation Data : unknown	success or wait	530118725
File other op	Path: \lsarpc New path: Disposition: CompletionInformation Data : unknown	success or wait	530118968
File write	Path: \lsarpc Offset: 0 Length: 72 Value: 05 00 0b 03 10 00 00 00 48 00 00 00 01 00 00 00 b8 10 b8 10 00 00 00 00 01 00 00 00 00 00 01 00 78 57 34 12 34 12 cd ab ef 00 01 23 45 67 89 ab 00 00 00 00 04 5d 88 8a eb 1c c9 11 9f e8 08 00 2b 10 48 60 02 00 00 00	success or wait	530128241
File read	Path: \lsarpc Offset: 0 Length: 1024	pending	530129008
File control set	Path: \lsarpc Control Code: 11C017 Input Buffer: ........@.......(.....,.........................................	pending	530129374
File control set	Path: \lsarpc Control Code: 11C017 Input Buffer: ........b.......J...........J.kfz..I./v.LP..".$.................S.e.U.n.d.o.c.k.P.r.i.v.i.l.e.g.e.	pending	530130029
File control set	Path: \lsarpc Control Code: 11C017 Input Buffer: ........,...................J.kfz..I./v.LP..	pending	530130555
Privilege adjusted	Privilege: Load Driver On or off: on	success or wait	530131528
Memory allocated	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: A4000 Length: 7EFEC Allocation Type: unknown Protection: page read and write	success or wait	530131893
Privilege adjusted	Privilege: Load Driver On or off: on	success or wait	530145109
File opened	Path: IDE#CdRomVBOX_CD-ROM_____________________________1.0_____#42562d3131303066333036662020202020202020#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b} Access: read attributes and synchronize Options: synchronous io non alert and non directory file Overwritten: false	success or wait	530148448
File opened	Path: IDE#CdRomVBOX_CD-ROM_____________________________1.0_____#42562d3131303066333036662020202020202020#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b} Access: read attributes and synchronize Options: synchronous io non alert and non directory file Overwritten: false	success or wait	530149630
File opened	Path: MountPointManager Access: read attributes and synchronize Options: synchronous io non alert and non directory file Attributes: normal Content Overwritten: true	success or wait	530151172
Memory allocated	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: A5000 Length: 7EE70 Allocation Type: unknown Protection: page read and write	success or wait	530153267
Key value queried	Path: HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{e9036068-1842-11df-9766-806d6172696f} Name: Data	buffer overflow	530157702
Key value queried	Path: HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{e9036068-1842-11df-9766-806d6172696f} Name: Data	success or wait	530158017
Key value queried	Path: HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{e9036068-1842-11df-9766-806d6172696f} Name: Generation	success or wait	530159116
File opened	Path: STORAGE#Volume#1&30a96598&0&SignatureF4ACF4ACOffset7E00Length3BFEFCE00#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b} Access: read attributes and synchronize Options: synchronous io non alert and non directory file Overwritten: false	success or wait	530159600
File opened	Path: STORAGE#Volume#1&30a96598&0&SignatureF4ACF4ACOffset7E00Length3BFEFCE00#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b} Access: read attributes and synchronize Options: synchronous io non alert and non directory file Overwritten: false	success or wait	530160575
File opened	Path: MountPointManager Access: read attributes and synchronize Options: synchronous io non alert and non directory file Attributes: normal Content Overwritten: true	success or wait	530161838
Key value queried	Path: HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{0d6ab97b-ade6-11de-bdcc-806d6172696f} Name: Data	buffer overflow	530163985
Key value queried	Path: HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{0d6ab97b-ade6-11de-bdcc-806d6172696f} Name: Data	success or wait	530164252
Key value queried	Path: HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{0d6ab97b-ade6-11de-bdcc-806d6172696f} Name: Generation	success or wait	530165197
File opened	Path: MountPointManager Access: read attributes and synchronize Options: synchronous io non alert and non directory file Attributes: normal Content Overwritten: true	success or wait	530165687
File opened	Path: MountPointManager Access: read attributes and synchronize Options: synchronous io non alert and non directory file Attributes: normal Content Overwritten: true	success or wait	530167858
Key value replaced with same	Path: HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{0d6ab97b-ade6-11de-bdcc-806d6172696f} Name: BaseClass Type: unicode Data: Drive Old data:	success or wait	530174459
File opened	Path: MountPointManager Access: read attributes and synchronize Options: synchronous io non alert and non directory file Attributes: normal Content Overwritten: true	success or wait	530174854
File opened	Path: MountPointManager Access: read attributes and synchronize Options: synchronous io non alert and non directory file Attributes: normal Content Overwritten: true	success or wait	530177144
Key value replaced with same	Path: HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{e9036068-1842-11df-9766-806d6172696f} Name: BaseClass Type: unicode Data: Drive Old data:	success or wait	530180248
Process information queried	Path: C:\WINDOWS\explorer.exe PID: 1696 Info Class: DeviceMap	success or wait	530180563
Process information queried	Path: C:\WINDOWS\explorer.exe PID: 1696 Info Class: DeviceMap	success or wait	530180754
Process information queried	Path: C:\WINDOWS\explorer.exe PID: 1696 Info Class: DeviceMap	success or wait	530180917
Key value queried	Path: HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{0d6ab97b-ade6-11de-bdcc-806d6172696f} Name: Generation	success or wait	530181379
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9} Name: DriveMask	success or wait	530182294
Process information queried	Path: C:\WINDOWS\explorer.exe PID: 1696 Info Class: DeviceMap	success or wait	530182657
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer Name: SeparateProcess	object name not found	530183111
Key value queried	Path: HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer Name: SeparateProcess	object name not found	530183528
Key value queried	Path: HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Explorer Name: ShellState	success or wait	530187908
Key value queried	Path: HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Explorer Name: ShellState	success or wait	530188174
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer Name: ForceActiveDesktopOn	object name not found	530188601
Key value queried	Path: HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer Name: ForceActiveDesktopOn	object name not found	530189015
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer Name: NoActiveDesktop	object name not found	530189431
Key value queried	Path: HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer Name: NoActiveDesktop	object name not found	530189839
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer Name: NoWebView	object name not found	530190289
Key value queried	Path: HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer Name: NoWebView	object name not found	530190698
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer Name: ClassicShell	object name not found	530191141
Key value queried	Path: HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer Name: ClassicShell	object name not found	530197533
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer Name: DontShowSuperHidden	object name not found	530198016
Key value queried	Path: HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer Name: DontShowSuperHidden	object name not found	530198430
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer Name: NoNetCrawling	object name not found	530198855
Key value queried	Path: HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer Name: NoNetCrawling	object name not found	530199262
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer Name: NoSimpleStartMenu	object name not found	530199678
Key value queried	Path: HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer Name: NoSimpleStartMenu	object name not found	530200085
Key value queried	Path: HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced Name: Hidden	success or wait	530200515
Key value queried	Path: HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced Name: ShowCompColor	success or wait	530200752
Key value queried	Path: HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced Name: HideFileExt	success or wait	530200968
Key value queried	Path: HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced Name: DontPrettyPath	success or wait	530201183
Key value queried	Path: HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced Name: ShowInfoTip	success or wait	530201399
Key value queried	Path: HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced Name: HideIcons	success or wait	530201614
Key value queried	Path: HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced Name: MapNetDrvBtn	success or wait	530201831
Key value queried	Path: HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced Name: WebView	success or wait	530202056
Key value queried	Path: HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced Name: Filter	success or wait	530202271
Key value queried	Path: HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced Name: ShowSuperHidden	success or wait	530202487
Key value queried	Path: HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced Name: SeparateProcess	success or wait	530202742
Key value queried	Path: HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced Name: NoNetCrawling	success or wait	530202960
Key value queried	Path: HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Explorer Name: DesktopProcess	object name not found	530206928
Section loaded	Path: unknown Access: query and write and read Type: commit Baseaddress: B50000 Size: 4096 Protection: read write Mapped to pid: own pid	success or wait	530207891
Message posted	HWND: 10084 Message: 40B WParam: 0 LParam: 2356	success	530209377
Process information queried	Path: unknown PID: 1552 Info Class: BasicInformation	success or wait	530209521
Process terminated	PID: 1696 Path: C:\WINDOWS\explorer.exe	success or wait	530212507
Memory allocated	PID: 1696 Path: C:\WINDOWS\explorer.exe Base: A6000 Length: 7FAAC Allocation Type: unknown Protection: page read and write	success or wait	530213681
Process information queried	Path: C:\WINDOWS\explorer.exe PID: 1696 Info Class: Cookie	success or wait	530214266
Process information queried	Path: C:\WINDOWS\explorer.exe PID: 1696 Info Class: Cookie	success or wait	530214412
Process information queried	Path: C:\WINDOWS\explorer.exe PID: 1696 Info Class: Cookie	success or wait	530218907
Process information queried	Path: C:\WINDOWS\explorer.exe PID: 1696 Info Class: Cookie	success or wait	530219032
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize Name: DisableMetaFiles	object name not found	530219259

Analysis File: cmd.exe PID: 260 Parent PID: 1764

General

Start time:	09:39:48
Start date:	24/01/2012
Path:	C:\WINDOWS\system32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd /c C:\WINDOWS\system32\LogFiles\smss.exe
Imagebase:	0x4ad00000
File size:	389120 bytes
MD5 hash:	6D778E0F95447E6546553EEEA709D03C

File Activites

File Path	Access	Options	Content overwritten	Completion	Count	Source Address	Symbol
C:\	execute or traverse and synchronize	directory file and synchronous io non alert	false	success or wait	6	7C90E457	KiUserApcDispatcher
C:\WINDOWS\system32\ShimEng.dll	execute or traverse and synchronize	synchronous io non alert and non directory file	false	success or wait	1	7C90E457	KiUserApcDispatcher
C:\WINDOWS\AppPatch\AcGenral.DLL	execute or traverse and synchronize	synchronous io non alert and non directory file	false	success or wait	3	7C90E457	KiUserApcDispatcher
C:\WINDOWS\system32\WINMM.dll	execute or traverse and synchronize	synchronous io non alert and non directory file	false	success or wait	1	7C90E457	KiUserApcDispatcher
C:\WINDOWS\system32\MSACM32.dll	execute or traverse and synchronize	synchronous io non alert and non directory file	false	success or wait	1	7C90E457	KiUserApcDispatcher
C:\WINDOWS\system32\UxTheme.dll	execute or traverse and synchronize	synchronous io non alert and non directory file	false	success or wait	1	7C90E457	KiUserApcDispatcher
C:\WINDOWS\system32\IMM32.DLL	execute or traverse and synchronize	synchronous io non alert and non directory file	false	success or wait	3	7C90E457	KiUserApcDispatcher
\Device\KsecDD	read data or list directory and synchronize	synchronous io alert	false	success or wait	1	7C90E457	KiUserApcDispatcher
C:\WINDOWS\system32\SHELL32.dll	read data or list directory and read ea and execute or traverse and read attributes and read control and synchronize	synchronous io non alert and non directory file	false	success or wait	1	7C90E457	KiUserApcDispatcher
C:\WINDOWS\system32\SHELL32.dll.124.Manifest	read data or list directory and read ea and execute or traverse and read attributes and read control and synchronize	synchronous io non alert and non directory file	false	object name not found	1	7C90E457	KiUserApcDispatcher
C:\WINDOWS\system32\SHELL32.dll.124.Config	read data or list directory and read ea and execute or traverse and read attributes and read control and synchronize	synchronous io non alert and non directory file	false	object name not found	1	7C90E457	KiUserApcDispatcher
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202	execute or traverse and synchronize	directory file and synchronous io non alert	false	success or wait	1	7C90E457	KiUserApcDispatcher
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll	execute or traverse and synchronize	synchronous io non alert and non directory file	false	success or wait	2	7C90E457	KiUserApcDispatcher
C:\WINDOWS\WindowsShell.Manifest	execute or traverse and synchronize	synchronous io non alert and non directory file	false	success or wait	2	7C90E457	KiUserApcDispatcher
C:\WINDOWS\WindowsShell.Config	read data or list directory and read ea and execute or traverse and read attributes and read control and synchronize	synchronous io non alert and non directory file	false	object name not found	1	7C90E457	KiUserApcDispatcher
C:\WINDOWS\system32\comctl32.dll	read data or list directory and read ea and execute or traverse and read attributes and read control and synchronize	synchronous io non alert and non directory file	false	success or wait	1	7C90E457	KiUserApcDispatcher
C:\WINDOWS\system32\comctl32.dll.124.Manifest	read data or list directory and read ea and execute or traverse and read attributes and read control and synchronize	synchronous io non alert and non directory file	false	object name not found	1	7C90E457	KiUserApcDispatcher
C:\WINDOWS\system32\comctl32.dll.124.Config	read data or list directory and read ea and execute or traverse and read attributes and read control and synchronize	synchronous io non alert and non directory file	false	object name not found	1	7C90E457	KiUserApcDispatcher
C:\WINDOWS\system32\LogFiles\	read data or list directory and synchronize	directory file and synchronous io non alert and open for backup ident	false	success or wait	5	4AD01B4B	FindFirstFileW
C:\WINDOWS\system32\LogFiles\smss.exe	read data or list directory and execute or traverse and read attributes and synchronize	synchronous io non alert and non directory file	false	success or wait	3	4AD031C5	CreateProcessW
C:\WINDOWS\system32\Apphelp.dll	execute or traverse and synchronize	synchronous io non alert and non directory file	false	success or wait	2	4AD031C5	CreateProcessW
C:\WINDOWS\	read data or list directory and synchronize	directory file and synchronous io non alert and open for backup ident	false	success or wait	3	4AD031C5	CreateProcessW
C:\WINDOWS\system32\	read data or list directory and synchronize	directory file and synchronous io non alert and open for backup ident	false	success or wait	3	4AD031C5	CreateProcessW
C:\WINDOWS\system32\LogFiles\smss.exe.Manifest	read data or list directory and read ea and execute or traverse and read attributes and read control and synchronize	synchronous io non alert and non directory file	false	object name not found	1	4AD031C5	CreateProcessW
C:\WINDOWS\AppPatch\sysmain.sdb	read attributes and synchronize and generic read	synchronous io non alert and non directory file	true	success or wait	2	7C90E457	KiUserApcDispatcher
C:\WINDOWS\AppPatch\systest.sdb	read attributes and synchronize and generic read	synchronous io non alert and non directory file	true	object name not found	2	7C90E457	KiUserApcDispatcher
\Device\NamedPipe\ShimViewer	write data or add file and append data or add subdirectory or create pipe instance and write ea and write attributes and read control and synchronize	no options	true	object name not found	4	7C90E457	KiUserApcDispatcher
C:\WINDOWS\AppPatch\AcGenral.DLL	read attributes and synchronize and generic read	synchronous io non alert and non directory file	true	success or wait	1	7C90E457	KiUserApcDispatcher
C:\WINDOWS\WindowsShell.Manifest	read attributes and synchronize and generic read	synchronous io non alert and non directory file	true	success or wait	1	7C90E457	KiUserApcDispatcher
C:\WINDOWS\system32\LogFiles\smss.exe	read attributes and synchronize and generic read	synchronous io non alert and non directory file	true	success or wait	2	4AD031C5	CreateProcessW

Directory Information Queried

File Path	Disposition	File Mask	Completion	Count	Source Address	Symbol
C:\WINDOWS\system32\LogFiles	BothDirectoryInformation	smss.exe	success or wait	5	4AD01B4B	FindFirstFileW
C:\	BothDirectoryInformation	WINDOWS	success or wait	3	4AD031C5	CreateProcessW
C:\WINDOWS	BothDirectoryInformation	system32	success or wait	3	4AD031C5	CreateProcessW
C:\WINDOWS\system32	BothDirectoryInformation	LogFiles	success or wait	3	4AD031C5	CreateProcessW

File Path	Disposition	Data	Ascii Data	Completion	Count	Source Address	Symbol
C:\	90028	NULL	NULL	success or wait	1	7C90E457	KiUserApcDispatcher

Section Activites

Section loaded by Windows

File Path	Access	Type	Base	Size	Mapped to pid	Protection	Completion	Count
\KnownDlls\kernel32.dll	write and read and execute	unknown	7C800000	1007616	own pid	read write	success or wait	1
unknown	query and write and read and execute and extend size	reserve	7C800000	1007616	own pid	read write	success or wait	1
\NLS\NlsSectionUnicode	read	unknown	270000	90112	own pid	readonly	success or wait	1
\NLS\NlsSectionLocale	read	unknown	290000	266240	own pid	readonly	success or wait	1
\NLS\NlsSectionSortkey	query and read	unknown	2E0000	266240	own pid	readonly	success or wait	1
\NLS\NlsSectionSortTbls	read	unknown	330000	24576	own pid	readonly	success or wait	1
\NLS\NlsSectionSortkey00000409	read	unknown	unknown	unknown	unknown	unknown	object name not found	1
\NLS\NlsSectionSortkey00000409	read	unknown	unknown	unknown	unknown	unknown	object name not found	1
\KnownDlls\msvcrt.dll	write and read and execute	unknown	77C10000	360448	own pid	read write	success or wait	1
\KnownDlls\USER32.dll	write and read and execute	unknown	7E410000	593920	own pid	read write	success or wait	1
\KnownDlls\GDI32.dll	write and read and execute	unknown	77F10000	299008	own pid	read write	success or wait	1
\KnownDlls\ShimEng.dll	write and read and execute	unknown	unknown	unknown	unknown	unknown	object name not found	1
C:\WINDOWS\system32\shimeng.dll	query and write and read and execute	image	5CB70000	155648	own pid	read write	success or wait	1
C:\WINDOWS\AppPatch\sysmain.sdb	read	commit	340000	1208320	own pid	readonly	success or wait	1
C:\WINDOWS\AppPatch\acgenral.dll	write and read and execute	commit	480000	1855488	own pid	execute	success or wait	1
C:\WINDOWS\AppPatch\acgenral.dll	write and read and execute	commit	480000	1855488	own pid	execute	success or wait	1
C:\WINDOWS\AppPatch\acgenral.dll	query and write and read and execute	image	6F880000	1875968	own pid	read write	success or wait	1
\KnownDlls\ADVAPI32.dll	write and read and execute	unknown	77DD0000	634880	own pid	read write	success or wait	1
\KnownDlls\RPCRT4.dll	write and read and execute	unknown	77E70000	602112	own pid	read write	success or wait	1
\KnownDlls\Secur32.dll	write and read and execute	unknown	77FE0000	69632	own pid	read write	success or wait	1
\KnownDlls\WINMM.dll	write and read and execute	unknown	unknown	unknown	unknown	unknown	object name not found	1
C:\WINDOWS\system32\winmm.dll	query and write and read and execute	image	76B40000	184320	own pid	read write	success or wait	1
\KnownDlls\ole32.dll	write and read and execute	unknown	774E0000	1302528	own pid	read write	success or wait	1
\KnownDlls\OLEAUT32.dll	write and read and execute	unknown	77120000	569344	own pid	read write	success or wait	1
\KnownDlls\MSACM32.dll	write and read and execute	unknown	unknown	unknown	unknown	unknown	object name not found	1
C:\WINDOWS\system32\msacm32.dll	query and write and read and execute	image	77BE0000	86016	own pid	read write	success or wait	1
\KnownDlls\VERSION.dll	write and read and execute	unknown	77C00000	32768	own pid	read write	success or wait	1
\KnownDlls\SHELL32.dll	write and read and execute	unknown	7C9C0000	8482816	own pid	read write	success or wait	1
\KnownDlls\SHLWAPI.dll	write and read and execute	unknown	77F60000	483328	own pid	read write	success or wait	1
\KnownDlls\USERENV.dll	write and read and execute	unknown	769C0000	737280	own pid	read write	success or wait	1
\KnownDlls\UxTheme.dll	write and read and execute	unknown	unknown	unknown	unknown	unknown	object name not found	1
C:\WINDOWS\system32\uxtheme.dll	query and write and read and execute	image	5AD70000	229376	own pid	read write	success or wait	1
\NLS\NlsSectionCType	read	unknown	490000	12288	own pid	readonly	success or wait	1
C:\WINDOWS\system32\imm32.dll	write and read and execute	commit	410000	110592	own pid	execute	success or wait	1
C:\WINDOWS\system32\imm32.dll	write and read and execute	commit	410000	110592	own pid	execute	success or wait	1
C:\WINDOWS\system32\imm32.dll	query and write and read and execute	image	76390000	118784	own pid	read write	success or wait	1
C:\WINDOWS\system32\shell32.dll	read	commit	970000	8462336	own pid	readonly	success or wait	1
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll	write and read and execute	commit	970000	1056768	own pid	execute	success or wait	1
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll	query and write and read and execute	image	773D0000	1060864	own pid	read write	success or wait	1
C:\WINDOWS\WindowsShell.Manifest	write and read and execute	commit	440000	4096	own pid	execute	success or wait	1
C:\WINDOWS\WindowsShell.Manifest	query and read	commit	440000	4096	own pid	readonly	success or wait	1
C:\WINDOWS\WindowsShell.Manifest	read	commit	440000	4096	own pid	readonly	success or wait	1
\KnownDlls\comctl32.dll	write and read and execute	unknown	5D090000	630784	own pid	read write	success or wait	1
C:\WINDOWS\system32\comctl32.dll	read	commit	970000	618496	own pid	readonly	success or wait	1
C:\WINDOWS\system32\LogFiles\smss.exe	query and write and read and execute and extend size	image	970000	618496	own pid	readonly	success or wait	1
\BaseNamedObjects\ShimSharedMemory	write	unknown	980000	57344	own pid	read write	success or wait	1
C:\WINDOWS\system32\apphelp.dll	write and read and execute	commit	990000	126976	own pid	execute	success or wait	1
C:\WINDOWS\system32\apphelp.dll	query and write and read and execute	image	77B40000	139264	own pid	read write	success or wait	1
C:\WINDOWS\AppPatch\sysmain.sdb	read	commit	990000	1208320	own pid	readonly	success or wait	1
C:\WINDOWS\system32\LogFiles\smss.exe	write and read and execute	commit	AC0000	69632	own pid	execute	success or wait	1
C:\WINDOWS\system32\LogFiles\smss.exe	query and read	commit	AC0000	69632	own pid	readonly	success or wait	1
C:\WINDOWS\system32\LogFiles\smss.exe	write and read and execute	commit	AC0000	69632	own pid	execute	success or wait	1
C:\WINDOWS\system32\LogFiles\smss.exe	query and read	commit	AC0000	69632	own pid	readonly	success or wait	1
C:\WINDOWS\system32\LogFiles\smss.exe	query and read	commit	990000	69632	own pid	readonly	success or wait	1

Registry Activites

Key Value Queried

Key Path	Name	Completion	Count	Source Address	Symbol
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager	CWDIllegalInDLLSearch	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Terminal Server	TSAppCompat	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers	TransparentEnabled	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SYSTEM\WPA\MediaCenter	Installed	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager	SafeDllSearchMode	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize	DisableMetaFiles	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows	AppInit_DLLs	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon	LeakTrack	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	wave	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	wave	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	wave1	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	wave1	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	wave2	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	wave3	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	wave4	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	wave5	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	wave6	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	wave7	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	wave8	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	wave9	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	midi	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	midi	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	midi1	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	midi1	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	midi2	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	midi3	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	midi4	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	midi5	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	midi6	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	midi7	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	midi8	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	midi9	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	aux	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	aux	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	aux1	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	aux1	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	aux2	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	aux3	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	aux4	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	aux5	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	aux6	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	aux7	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	aux8	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	aux9	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\MediaProperties\PrivateProperties\Joystick\Winmm	wheel	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	mixer	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	mixer	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	mixer1	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	mixer1	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	mixer2	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	mixer3	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	mixer4	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	mixer5	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	mixer6	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	mixer7	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	mixer8	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	mixer9	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager	CriticalSectionTimeout	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole	RWLockResourceTimeOut	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface	InterfaceHelperDisableAll	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface	InterfaceHelperDisableAllForOle32	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface	InterfaceHelperDisableTypeLib	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{00020400-0000-0000-C000-000000000046}	InterfaceHelperDisableAll	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{00020400-0000-0000-C000-000000000046}	InterfaceHelperDisableAllForOle32	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_USERS\Software\Microsoft\Multimedia\Audio	SystemFormats	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	msacm.imaadpcm	buffer overflow	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	msacm.imaadpcm	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.imaadpcm	fdwSupport	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.imaadpcm	cFormatTags	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.imaadpcm	aFormatTagCache	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.imaadpcm	cFilterTags	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	msacm.msadpcm	buffer overflow	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	msacm.msadpcm	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msadpcm	fdwSupport	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msadpcm	cFormatTags	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msadpcm	aFormatTagCache	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msadpcm	cFilterTags	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	msacm.msg711	buffer overflow	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	msacm.msg711	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msg711	fdwSupport	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msg711	cFormatTags	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msg711	aFormatTagCache	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msg711	cFilterTags	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	msacm.msgsm610	buffer overflow	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	msacm.msgsm610	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msgsm610	fdwSupport	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msgsm610	cFormatTags	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msgsm610	aFormatTagCache	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msgsm610	cFilterTags	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	msacm.trspch	buffer overflow	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	msacm.trspch	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.trspch	fdwSupport	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.trspch	cFormatTags	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.trspch	aFormatTagCache	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.trspch	cFilterTags	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	msacm.msg723	buffer overflow	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	msacm.msg723	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msg723	fdwSupport	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msg723	cFormatTags	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msg723	aFormatTagCache	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msg723	cFilterTags	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	msacm.msaudio1	buffer overflow	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	msacm.msaudio1	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msaudio1	fdwSupport	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msaudio1	cFormatTags	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msaudio1	aFormatTagCache	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msaudio1	cFilterTags	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	msacm.sl_anet	buffer overflow	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	msacm.sl_anet	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.sl_anet	fdwSupport	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.sl_anet	cFormatTags	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.sl_anet	aFormatTagCache	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.sl_anet	cFilterTags	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	msacm.iac2	buffer overflow	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	msacm.iac2	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.iac2	fdwSupport	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.iac2	cFormatTags	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.iac2	aFormatTagCache	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.iac2	cFilterTags	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	msacm.l3acm	buffer overflow	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	msacm.l3acm	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.l3acm	fdwSupport	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.l3acm	cFormatTags	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.l3acm	aFormatTagCache	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.l3acm	cFilterTags	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_USERS\Software\Microsoft\Multimedia\Audio Compression Manager\MSACM	NoPCMConverter	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_USERS\Software\Microsoft\Multimedia\Audio Compression Manager\Priority v4.00	Priority1	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SYSTEM\Setup	SystemSetupInProgress	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_USERS\Control Panel\Desktop	SmoothScroll	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced	EnableBalloonTips	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_USERS\Control Panel\Desktop	SmoothScroll	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon	UserEnvDebugLevel	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon	ChkAccDebugLevel	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ProductOptions	ProductType	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders	Personal	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders	Local Settings	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon	RsopDebugLevel	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon	UserEnvDebugLevel	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon	RsopLogging	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System	UserEnvDebugLevel	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System	RsopLogging	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon	UserEnvDebugLevel	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System	UserEnvDebugLevel	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\ThemeManager	Compositing	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_USERS\Control Panel\Desktop	LameButtonText	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor	DisableUNCCheck	object name not found	1	4AD04A2A	RegQueryValueExW
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor	EnableExtensions	success or wait	1	4AD04A4F	RegQueryValueExW
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor	DelayedExpansion	object name not found	1	4AD04A88	RegQueryValueExW
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor	DefaultColor	success or wait	1	4AD04AAD	RegQueryValueExW
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor	CompletionChar	success or wait	1	4AD04AE5	RegQueryValueExW
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor	PathCompletionChar	success or wait	1	4AD04B37	RegQueryValueExW
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor	AutoRun	success or wait	1	4AD04BB8	RegQueryValueExW
HKEY_USERS\Software\Microsoft\Command Processor	DisableUNCCheck	object name not found	1	4AD04A2A	RegQueryValueExW
HKEY_USERS\Software\Microsoft\Command Processor	EnableExtensions	success or wait	1	4AD04A4F	RegQueryValueExW
HKEY_USERS\Software\Microsoft\Command Processor	DelayedExpansion	object name not found	1	4AD04A88	RegQueryValueExW
HKEY_USERS\Software\Microsoft\Command Processor	DefaultColor	success or wait	1	4AD04AAD	RegQueryValueExW
HKEY_USERS\Software\Microsoft\Command Processor	CompletionChar	success or wait	1	4AD04AE5	RegQueryValueExW
HKEY_USERS\Software\Microsoft\Command Processor	PathCompletionChar	object name not found	1	4AD04B37	RegQueryValueExW
HKEY_USERS\Software\Microsoft\Command Processor	AutoRun	object name not found	1	4AD04BB8	RegQueryValueExW
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale	00000409	success or wait	1	4AD056A7	setlocale
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups	1	success or wait	1	4AD056A7	setlocale
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\AppCompatibility	DisableAppCompat	object name not found	1	4AD031C5	CreateProcessW
HKEY_LOCAL_MACHINE\SYSTEM\WPA\MediaCenter	Installed	success or wait	1	4AD031C5	CreateProcessW
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers	TransparentEnabled	success or wait	1	4AD031C5	CreateProcessW
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers	AuthenticodeEnabled	success or wait	1	4AD031C5	CreateProcessW
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers	Levels	object name not found	1	4AD031C5	CreateProcessW
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{dda3f824-d8cb-441b-834d-be2efd2c1a33}	ItemData	success or wait	1	4AD031C5	CreateProcessW
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{dda3f824-d8cb-441b-834d-be2efd2c1a33}	SaferFlags	success or wait	1	4AD031C5	CreateProcessW
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328}	ItemData	success or wait	1	4AD031C5	CreateProcessW
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328}	HashAlg	success or wait	1	4AD031C5	CreateProcessW
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328}	ItemSize	success or wait	1	4AD031C5	CreateProcessW
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328}	SaferFlags	success or wait	1	4AD031C5	CreateProcessW
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}	ItemData	success or wait	1	4AD031C5	CreateProcessW
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}	HashAlg	success or wait	1	4AD031C5	CreateProcessW
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}	ItemSize	success or wait	1	4AD031C5	CreateProcessW
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}	SaferFlags	success or wait	1	4AD031C5	CreateProcessW
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}	ItemData	success or wait	1	4AD031C5	CreateProcessW
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}	HashAlg	success or wait	1	4AD031C5	CreateProcessW
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}	ItemSize	success or wait	1	4AD031C5	CreateProcessW
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}	SaferFlags	success or wait	1	4AD031C5	CreateProcessW
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d}	ItemData	success or wait	1	4AD031C5	CreateProcessW
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d}	HashAlg	success or wait	1	4AD031C5	CreateProcessW
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d}	ItemSize	success or wait	1	4AD031C5	CreateProcessW
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d}	SaferFlags	success or wait	1	4AD031C5	CreateProcessW
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}	ItemData	success or wait	1	4AD031C5	CreateProcessW
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}	HashAlg	success or wait	1	4AD031C5	CreateProcessW
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}	ItemSize	success or wait	1	4AD031C5	CreateProcessW
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}	SaferFlags	success or wait	1	4AD031C5	CreateProcessW
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers	DefaultLevel	success or wait	1	4AD031C5	CreateProcessW
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers	PolicyScope	success or wait	1	4AD031C5	CreateProcessW
HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders	Cache	buffer overflow	1	4AD031C5	CreateProcessW
HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders	Cache	success or wait	1	4AD031C5	CreateProcessW
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers	LogFileName	object name not found	1	4AD031C5	CreateProcessW
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize	DisableMetaFiles	object name not found	1	4AD04100	exit

Mutex Activites

Name	Completion	Count	Source Address	Symbol
\BaseNamedObjects\SHIMLIB_LOG_MUTEX	object name exists	1	7C90E457	KiUserApcDispatcher

Process Activites

Process Created

PID	Filepath	Cmdline	Flags	Completion	Count	Source Address	Symbol
2036	C:\WINDOWS\system32\LogFiles\smss.exe	C:\WINDOWS\system32\LogFiles\smss.exe	suspended	success or wait	1	4AD031C5	CreateProcessW

PID	Process info class	Completion	Count	Source Address	Symbol
260	Cookie	success or wait	9	7C90E457	KiUserApcDispatcher
260	Wow64Information	success or wait	3	7C90E457	KiUserApcDispatcher
260	ImageInformation	success or wait	1	7C90E457	KiUserApcDispatcher
260	SessionInformation	success or wait	1	7C90E457	KiUserApcDispatcher
260	DeviceMap	success or wait	4	4AD02A92	GetDriveTypeW
260	DefaultHardErrorMode	success or wait	13	4AD01AF9	SetErrorMode
2036	BasicInformation	success or wait	2	4AD031C5	CreateProcessW
2036	BasicInformation	success or wait	1	4AD02D01	GetExitCodeProcess

PID	Filepath	Completion	Count	Source Address	Symbol
260	C:\WINDOWS\system32\cmd.exe	success or wait	1	4AD04100	exit

Thread Activites

TID	PID	EIP	EAX (Usermode EIP)	Filepath	Completion	Count	Source Address	Symbol
776	2036	7C810705	14006D83	C:\WINDOWS\system32\LogFiles\smss.exe	success or wait	1	4AD031C5	CreateProcessW

TID	PID	Path	Completion	Count	Source Address	Symbol
776	2036	C:\WINDOWS\system32\LogFiles\smss.exe	success or wait	1	4AD031C5	CreateProcessW

Memory Activites

PID	Filepath	Base	Length	Value	Completion	Count	Source Address	Symbol
2036	C:\WINDOWS\system32\LogFiles\smss.exe	7FFDE008	4	00 00 00 14	success or wait	1	4AD031C5	CreateProcessW
2036	C:\WINDOWS\system32\LogFiles\smss.exe	14000000	4096	4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00 B8 00 00 00 00 00 00 00 40 00 00 00 FF CB 68 70 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 F0 00 00 00 0E 1F BA 0E 00 B4 09 CD 21 B8 01 4C CD 21 54 68 69 73 20 70 72 6F 67 72 61 6D 20 63 61 6E 6E 6F 74 20 62 65 20 72 75 6E 20 69 6E 20 44 4F 53 20 6D 6F 64 65 2E 0D 0D 0A 24 00 00 00 00 00 00 00 B6 AC 59 9A F2 CD 37 C9 F2 CD 37 C9 F2 CD 37 C9 89 D1 3B C9 F6 CD 37 C9 71 D1 39 C9 E2 CD 37 C9 1A D2 3D C9 C7 CD 37 C9 F2 CD 37 C9 F1 CD 37 C9 90 D2 24 C9 FB CD 37 C9 F2 CD 36 C9 87 CD 37 C9 1A D2 3C C9 F1 CD 37 C9 4A CB 31 C9 F3 CD 37 C9 52 69 63 68 F2 CD 37 C9 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4C 01 04 00 66 63 23 4B 00 00 00	success or wait	1	4AD031C5	CreateProcessW
2036	C:\WINDOWS\system32\LogFiles\smss.exe	1400F000	256	00 00 00 00 00 00 00 00 00 00 00 00 00 00 03 00 03 00 00 00 28 00 00 80 0E 00 00 00 58 00 00 80 10 00 00 00 70 00 00 80 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 01 00 00 00 88 00 00 80 02 00 00 00 A0 00 00 80 03 00 00 00 B8 00 00 80 04 00 00 00 D0 00 00 80 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 78 01 00 80 E8 00 00 80 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 01 00 00 00 00 01 00 80 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 04 08 00 00 18 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 04 08 00 00 28 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 04 08 00 00 38 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 04 08 00 00 48 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 04 08 00 00 58 01 00	success or wait	1	4AD031C5	CreateProcessW

PID	Filepath	Base	Length	Value	Completion	Count	Source Address	Symbol
2036	C:\WINDOWS\system32\LogFiles\smss.exe	10000	2012	3D 00 3A 00 3A 00 3D 00 3A 00 3A 00 5C 00 00 00 3D 00 43 00 3A 00 3D 00 43 00 3A 00 5C 00 00 00 3D 00 5A 00 3A 00 3D 00 5A 00 3A 00 5C 00 00 00 41 00 4C 00 4C 00 55 00 53 00 45 00 52 00 53 00 50 00 52 00 4F 00 46 00 49 00 4C 00 45 00 3D 00 43 00 3A 00 5C 00 44 00 6F 00 63 00 75 00 6D 00 65 00 6E 00 74 00 73 00 20 00 61 00 6E 00 64 00 20 00 53 00 65 00 74 00 74 00 69 00 6E 00 67 00 73 00 5C 00 41 00 6C 00 6C 00 20 00 55 00 73 00 65 00 72 00 73 00 00 00 41 00 50 00 50 00 44 00 41 00 54 00 41 00 3D 00 43 00 3A 00 5C 00 44 00 6F 00 63 00 75 00 6D 00 65 00 6E 00 74 00 73 00 20 00 61 00 6E 00 64 00 20 00 53 00 65 00 74 00 74 00 69 00 6E 00 67 00 73 00 5C 00 41 00 64 00 6D 00 69 00 6E 00 69 00 73 00 74 00 72 00 61 00 74 00 6F 00 72 00 5C 00 41 00 70 00 70 00 6C	success or wait	1	4AD031C5	CreateProcessW
2036	C:\WINDOWS\system32\LogFiles\smss.exe	20000	1712	00 10 00 00 B0 06 00 00 00 00 00 00 00 00 00 00 02 00 34 00 00 00 00 00 03 00 00 00 07 00 00 00 0B 00 00 00 06 00 08 02 90 02 00 00 0E 00 00 00 0E 01 10 01 98 04 00 00 4A 00 4C 00 A8 05 00 00 4A 00 4C 00 F4 05 00 00 00 00 01 00 00 00 00 00 01 00 00 00 64 00 00 00 64 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 4A 00 4C 00 40 06 00 00 1E 00 20 00 8C 06 00 00 00 00 02 00 AC 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00	success or wait	1	4AD031C5	CreateProcessW
2036	C:\WINDOWS\system32\LogFiles\smss.exe	7FFDE010	4	00 00 02 00	success or wait	1	4AD031C5	CreateProcessW
2036	C:\WINDOWS\system32\LogFiles\smss.exe	30000	388	53 00 68 00 69 00 6D 00 45 00 6E 00 67 00 2E 00 64 00 6C 00 6C 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 84 01 00 00 AB ED 0D AC B8 C8 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00	success or wait	1	4AD031C5	CreateProcessW
2036	C:\WINDOWS\system32\LogFiles\smss.exe	7FFDE1E8	4	00 00 03 00	success or wait	1	4AD031C5	CreateProcessW

Memory Allocated

PID	Filepath	Base	Length	Protection	Completion	Count	Source Address	Symbol
260	C:\WINDOWS\system32\cmd.exe	150000	13FB14	page read and write	success or wait	1	7C90E457	KiUserApcDispatcher
260	C:\WINDOWS\system32\cmd.exe	150000	13FB18	page read and write	success or wait	1	7C90E457	KiUserApcDispatcher
260	C:\WINDOWS\system32\cmd.exe	151000	13F7F4	page read and write	success or wait	1	7C90E457	KiUserApcDispatcher
260	C:\WINDOWS\system32\cmd.exe	250000	13FB14	page read and write	success or wait	1	7C90E457	KiUserApcDispatcher
260	C:\WINDOWS\system32\cmd.exe	250000	13FB18	page read and write	success or wait	1	7C90E457	KiUserApcDispatcher
260	C:\WINDOWS\system32\cmd.exe	260000	13F340	page read and write	success or wait	1	7C90E457	KiUserApcDispatcher
260	C:\WINDOWS\system32\cmd.exe	261000	13F168	page read and write	success or wait	1	7C90E457	KiUserApcDispatcher
260	C:\WINDOWS\system32\cmd.exe	153000	13F420	page read and write	success or wait	1	7C90E457	KiUserApcDispatcher
260	C:\WINDOWS\system32\cmd.exe	470000	13F0C8	page read and write	success or wait	1	7C90E457	KiUserApcDispatcher
260	C:\WINDOWS\system32\cmd.exe	470000	13F0CC	page read and write	success or wait	1	7C90E457	KiUserApcDispatcher
260	C:\WINDOWS\system32\cmd.exe	472000	13EB64	page read and write	success or wait	1	7C90E457	KiUserApcDispatcher
260	C:\WINDOWS\system32\cmd.exe	473000	13EEA8	page read and write	success or wait	1	7C90E457	KiUserApcDispatcher
260	C:\WINDOWS\system32\cmd.exe	480000	13E978	page read and write	success or wait	1	7C90E457	KiUserApcDispatcher
260	C:\WINDOWS\system32\cmd.exe	480000	13E97C	page read and write	success or wait	1	7C90E457	KiUserApcDispatcher
260	C:\WINDOWS\system32\cmd.exe	481000	13E658	page read and write	success or wait	1	7C90E457	KiUserApcDispatcher
260	C:\WINDOWS\system32\cmd.exe	483000	13E70C	page read and write	success or wait	1	7C90E457	KiUserApcDispatcher
260	C:\WINDOWS\system32\cmd.exe	4A0000	13F04C	page read and write	success or wait	1	7C90E457	KiUserApcDispatcher
260	C:\WINDOWS\system32\cmd.exe	4A0000	13F050	page read and write	success or wait	1	7C90E457	KiUserApcDispatcher
260	C:\WINDOWS\system32\cmd.exe	4A1000	13ED2C	page read and write	success or wait	1	7C90E457	KiUserApcDispatcher
260	C:\WINDOWS\system32\cmd.exe	30000	13F91C	page read and write	success or wait	1	7C90E457	KiUserApcDispatcher
260	C:\WINDOWS\system32\cmd.exe	30000	13F920	page read and write	success or wait	1	7C90E457	KiUserApcDispatcher
260	C:\WINDOWS\system32\cmd.exe	31000	13F5FC	page read and write	success or wait	1	7C90E457	KiUserApcDispatcher
260	C:\WINDOWS\system32\cmd.exe	33000	13F6B8	page read and write	success or wait	1	7C90E457	KiUserApcDispatcher
260	C:\WINDOWS\system32\cmd.exe	154000	13F728	page read and write	success or wait	1	7C90E457	KiUserApcDispatcher
260	C:\WINDOWS\system32\cmd.exe	8F0000	13F52C	page read and write	success or wait	1	7C90E457	KiUserApcDispatcher
260	C:\WINDOWS\system32\cmd.exe	8F0000	13F528	page read and write	success or wait	1	7C90E457	KiUserApcDispatcher
260	C:\WINDOWS\system32\cmd.exe	155000	13F5BC	page read and write	success or wait	1	7C90E457	KiUserApcDispatcher
260	C:\WINDOWS\system32\cmd.exe	156000	13F55C	page read and write	success or wait	1	7C90E457	KiUserApcDispatcher
260	C:\WINDOWS\system32\cmd.exe	157000	13EF90	page read and write	success or wait	1	7C90E457	KiUserApcDispatcher
260	C:\WINDOWS\system32\cmd.exe	158000	13F188	page read and write	success or wait	1	7C90E457	KiUserApcDispatcher
260	C:\WINDOWS\system32\cmd.exe	159000	13EFB0	page read and write	success or wait	1	7C90E457	KiUserApcDispatcher
260	C:\WINDOWS\system32\cmd.exe	440000	13F1B8	page read and write	success or wait	1	7C90E457	KiUserApcDispatcher
260	C:\WINDOWS\system32\cmd.exe	440000	13F1BC	page read and write	success or wait	1	7C90E457	KiUserApcDispatcher
260	C:\WINDOWS\system32\cmd.exe	441000	13EE98	page read and write	success or wait	1	7C90E457	KiUserApcDispatcher
260	C:\WINDOWS\system32\cmd.exe	443000	13EF4C	page read and write	success or wait	1	7C90E457	KiUserApcDispatcher
260	C:\WINDOWS\system32\cmd.exe	34000	13EF58	page read and write	success or wait	1	7C90E457	KiUserApcDispatcher
260	C:\WINDOWS\system32\cmd.exe	970000	13FE10	page read and write	success or wait	1	4AD04578	VirtualAlloc
260	C:\WINDOWS\system32\cmd.exe	15A000	13BB90	page read and write	success or wait	1	7C817077	unknown
260	C:\WINDOWS\system32\cmd.exe	15F000	13BB90	page read and write	success or wait	1	7C817077	unknown
260	C:\WINDOWS\system32\cmd.exe	990000	13ED7C	page read and write	success or wait	1	4AD031C5	CreateProcessW
260	C:\WINDOWS\system32\cmd.exe	990000	13ED78	page read and write	success or wait	1	4AD031C5	CreateProcessW
260	C:\WINDOWS\system32\cmd.exe	164000	13EC9C	page read and write	success or wait	1	4AD031C5	CreateProcessW
260	C:\WINDOWS\system32\cmd.exe	9A0000	13ECEC	page read and write	success or wait	1	4AD031C5	CreateProcessW
2036	C:\WINDOWS\system32\LogFiles\smss.exe	10000	13EDF4	page read and write	success or wait	1	4AD031C5	CreateProcessW
2036	C:\WINDOWS\system32\LogFiles\smss.exe	20000	13EDF4	page read and write	success or wait	1	4AD031C5	CreateProcessW
2036	C:\WINDOWS\system32\LogFiles\smss.exe	30000	13EDF4	page read and write	success or wait	1	4AD031C5	CreateProcessW
2036	C:\WINDOWS\system32\LogFiles\smss.exe	40000	13F060	page read and write	success or wait	1	4AD031C5	CreateProcessW
2036	C:\WINDOWS\system32\LogFiles\smss.exe	13E000	13F05C	page read and write	success or wait	1	4AD031C5	CreateProcessW

PID	Filepath	Base	Length	New Protection	Old Protection	Completion	Count	Source Address	Symbol
260	C:\WINDOWS\system32\cmd.exe	7C801000	1000	page read and write	page execute read	success or wait	1	7C90E457	KiUserApcDispatcher
260	C:\WINDOWS\system32\cmd.exe	7C801000	1000	page execute read	page read and write	success or wait	1	7C90E457	KiUserApcDispatcher
260	C:\WINDOWS\system32\cmd.exe	4AD01000	1000	page read and write	page execute read	success or wait	2	7C90E457	KiUserApcDispatcher
260	C:\WINDOWS\system32\cmd.exe	4AD01000	1000	page execute read	page read and write	success or wait	2	7C90E457	KiUserApcDispatcher
260	C:\WINDOWS\system32\cmd.exe	77C11000	1000	page read and write	page execute read	success or wait	2	7C90E457	KiUserApcDispatcher
260	C:\WINDOWS\system32\cmd.exe	77C11000	1000	page execute read	page read and write	success or wait	2	7C90E457	KiUserApcDispatcher
260	C:\WINDOWS\system32\cmd.exe	77F11000	1000	page read and write	page execute read	success or wait	3	7C90E457	KiUserApcDispatcher
260	C:\WINDOWS\system32\cmd.exe	77F11000	1000	page execute read	page read and write	success or wait	3	7C90E457	KiUserApcDispatcher
260	C:\WINDOWS\system32\cmd.exe	7E411000	1000	page read and write	page execute read	success or wait	3	7C90E457	KiUserApcDispatcher
260	C:\WINDOWS\system32\cmd.exe	7E411000	1000	page execute read	page read and write	success or wait	3	7C90E457	KiUserApcDispatcher
260	C:\WINDOWS\system32\cmd.exe	5CB71000	1000	page read and write	page execute read	success or wait	2	7C90E457	KiUserApcDispatcher
260	C:\WINDOWS\system32\cmd.exe	5CB71000	1000	page execute read	page read and write	success or wait	2	7C90E457	KiUserApcDispatcher
260	C:\WINDOWS\system32\cmd.exe	6F881000	1000	page read and write	page execute read	success or wait	7	7C90E457	KiUserApcDispatcher
260	C:\WINDOWS\system32\cmd.exe	6F881000	1000	page execute read	page read and write	success or wait	7	7C90E457	KiUserApcDispatcher
260	C:\WINDOWS\system32\cmd.exe	77DD1000	1000	page read and write	page execute read	success or wait	3	7C90E457	KiUserApcDispatcher
260	C:\WINDOWS\system32\cmd.exe	77DD1000	1000	page execute read	page read and write	success or wait	3	7C90E457	KiUserApcDispatcher
260	C:\WINDOWS\system32\cmd.exe	77E71000	1000	page read and write	page execute read	success or wait	4	7C90E457	KiUserApcDispatcher
260	C:\WINDOWS\system32\cmd.exe	77E71000	1000	page execute read	page read and write	success or wait	4	7C90E457	KiUserApcDispatcher
260	C:\WINDOWS\system32\cmd.exe	77FE1000	1000	page read and write	page execute read	success or wait	3	7C90E457	KiUserApcDispatcher
260	C:\WINDOWS\system32\cmd.exe	77FE1000	1000	page execute read	page read and write	success or wait	3	7C90E457	KiUserApcDispatcher
260	C:\WINDOWS\system32\cmd.exe	76B41000	1000	page read and write	page execute read	success or wait	5	7C90E457	KiUserApcDispatcher
260	C:\WINDOWS\system32\cmd.exe	76B41000	1000	page execute read	page read and write	success or wait	5	7C90E457	KiUserApcDispatcher
260	C:\WINDOWS\system32\cmd.exe	774E1000	1000	page read and write	page execute read	success or wait	7	7C90E457	KiUserApcDispatcher
260	C:\WINDOWS\system32\cmd.exe	774E1000	1000	page execute read	page read and write	success or wait	7	7C90E457	KiUserApcDispatcher
260	C:\WINDOWS\system32\cmd.exe	77121000	1000	page read and write	page execute read	success or wait	6	7C90E457	KiUserApcDispatcher
260	C:\WINDOWS\system32\cmd.exe	77121000	1000	page execute read	page read and write	success or wait	6	7C90E457	KiUserApcDispatcher
260	C:\WINDOWS\system32\cmd.exe	77BE1000	1000	page read and write	page execute read	success or wait	5	7C90E457	KiUserApcDispatcher
260	C:\WINDOWS\system32\cmd.exe	77BE1000	1000	page execute read	page read and write	success or wait	5	7C90E457	KiUserApcDispatcher
260	C:\WINDOWS\system32\cmd.exe	77C01000	1000	page read and write	page execute read	success or wait	2	7C90E457	KiUserApcDispatcher
260	C:\WINDOWS\system32\cmd.exe	77C01000	1000	page execute read	page read and write	success or wait	2	7C90E457	KiUserApcDispatcher
260	C:\WINDOWS\system32\cmd.exe	7C9C1000	2000	page read and write	page execute read	success or wait	8	7C90E457	KiUserApcDispatcher
260	C:\WINDOWS\system32\cmd.exe	7C9C1000	2000	page execute read	page read and write	success or wait	8	7C90E457	KiUserApcDispatcher
260	C:\WINDOWS\system32\cmd.exe	77F61000	1000	page read and write	page execute read	success or wait	5	7C90E457	KiUserApcDispatcher
260	C:\WINDOWS\system32\cmd.exe	77F61000	1000	page execute read	page read and write	success or wait	5	7C90E457	KiUserApcDispatcher
260	C:\WINDOWS\system32\cmd.exe	769C1000	1000	page read and write	page execute read	success or wait	5	7C90E457	KiUserApcDispatcher
260	C:\WINDOWS\system32\cmd.exe	769C1000	1000	page execute read	page read and write	success or wait	5	7C90E457	KiUserApcDispatcher
260	C:\WINDOWS\system32\cmd.exe	5AD71000	1000	page read and write	page execute read	success or wait	5	7C90E457	KiUserApcDispatcher
260	C:\WINDOWS\system32\cmd.exe	5AD71000	1000	page execute read	page read and write	success or wait	5	7C90E457	KiUserApcDispatcher
260	C:\WINDOWS\system32\cmd.exe	76391000	1000	page read and write	page execute read	success or wait	4	7C90E457	KiUserApcDispatcher
260	C:\WINDOWS\system32\cmd.exe	76391000	1000	page execute read	page read and write	success or wait	4	7C90E457	KiUserApcDispatcher
260	C:\WINDOWS\system32\cmd.exe	773D1000	1000	page read and write	page execute read	success or wait	7	7C90E457	KiUserApcDispatcher
260	C:\WINDOWS\system32\cmd.exe	773D1000	1000	page execute read	page read and write	success or wait	7	7C90E457	KiUserApcDispatcher
260	C:\WINDOWS\system32\cmd.exe	5D091000	1000	page read and write	page execute read	success or wait	5	7C90E457	KiUserApcDispatcher
260	C:\WINDOWS\system32\cmd.exe	5D091000	1000	page execute read	page read and write	success or wait	5	7C90E457	KiUserApcDispatcher
260	C:\WINDOWS\system32\cmd.exe	77B41000	1000	page read and write	page execute read	success or wait	2	4AD031C5	CreateProcessW
260	C:\WINDOWS\system32\cmd.exe	77B41000	1000	page execute read	page read and write	success or wait	2	4AD031C5	CreateProcessW
2036	C:\WINDOWS\system32\LogFiles\smss.exe	13E000	1000	page read and write and page guard	page read and write	success or wait	1	4AD031C5	CreateProcessW

System Activites

System info class	Completion	Count	Source Address	Symbol
BasicInformation	success or wait	15	7C90E457	KiUserApcDispatcher
RangeStartInformation	success or wait	1	7C90E457	KiUserApcDispatcher
ProcessorInformation	success or wait	6	7C90E457	KiUserApcDispatcher
WatchdogTimerHandler	success or wait	1	4AD031C5	CreateProcessW

Chronological Activities

Operation	Data	Completion	Time
Key value queried	Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager Name: CWDIllegalInDLLSearch	object name not found	531702700
System info queried	Type: BasicInformation	success or wait	531704128
Memory allocated	PID: 260 Path: C:\WINDOWS\system32\cmd.exe Base: 150000 Length: 13FB14 Allocation Type: unknown Protection: page read and write	success or wait	531704244
Memory allocated	PID: 260 Path: C:\WINDOWS\system32\cmd.exe Base: 150000 Length: 13FB18 Allocation Type: unknown Protection: page read and write	success or wait	531705625
Memory allocated	PID: 260 Path: C:\WINDOWS\system32\cmd.exe Base: 151000 Length: 13F7F4 Allocation Type: unknown Protection: page read and write	success or wait	531705768
System info queried	Type: BasicInformation	success or wait	531705865
Memory allocated	PID: 260 Path: C:\WINDOWS\system32\cmd.exe Base: 250000 Length: 13FB14 Allocation Type: unknown Protection: page read and write	success or wait	531705964
Memory allocated	PID: 260 Path: C:\WINDOWS\system32\cmd.exe Base: 250000 Length: 13FB18 Allocation Type: unknown Protection: page read and write	success or wait	531706052
File opened	Path: C:\ Access: execute or traverse and synchronize Options: directory file and synchronous io non alert Overwritten: false	success or wait	531742246
File control set	Path: C:\ Control Code: 90028 Input Buffer: NULL	success or wait	531742673
Section loaded	Path: \KnownDlls\kernel32.dll Access: write and read and execute Type: unknown Baseaddress: 7C800000 Size: 1007616 Protection: read write Mapped to pid: own pid	success or wait	531743843
Memory attributes changed	PID: 260 Path: C:\WINDOWS\system32\cmd.exe Base: 7C801000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	531766826
Memory attributes changed	PID: 260 Path: C:\WINDOWS\system32\cmd.exe Base: 7C801000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	531767243
Process information queried	Path: C:\WINDOWS\system32\cmd.exe PID: 260 Info Class: Cookie	success or wait	531767554
System info queried	Type: RangeStartInformation	success or wait	531768559
System info queried	Type: BasicInformation	success or wait	531768653
Section loaded	Path: unknown Access: query and write and read and execute and extend size Type: reserve Baseaddress: 7C800000 Size: 1007616 Protection: read write Mapped to pid: own pid	success or wait	531768789
System info queried	Type: BasicInformation	success or wait	531769711
Memory allocated	PID: 260 Path: C:\WINDOWS\system32\cmd.exe Base: 260000 Length: 13F340 Allocation Type: unknown Protection: page read and write	success or wait	531769887
Key value queried	Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Terminal Server Name: TSAppCompat	success or wait	531770283
Section loaded	Path: \NLS\NlsSectionUnicode Access: read Type: unknown Baseaddress: 270000 Size: 90112 Protection: readonly Mapped to pid: own pid	success or wait	531771801
Section loaded	Path: \NLS\NlsSectionLocale Access: read Type: unknown Baseaddress: 290000 Size: 266240 Protection: readonly Mapped to pid: own pid	success or wait	531773087
Section loaded	Path: \NLS\NlsSectionSortkey Access: query and read Type: unknown Baseaddress: 2E0000 Size: 266240 Protection: readonly Mapped to pid: own pid	success or wait	531773902
Section loaded	Path: \NLS\NlsSectionSortTbls Access: read Type: unknown Baseaddress: 330000 Size: 24576 Protection: readonly Mapped to pid: own pid	success or wait	531774270
Section loaded	Path: \NLS\NlsSectionSortkey00000409 Access: read Type: unknown Baseaddress: unknown Size: unknown Protection: unknown Mapped to pid: unknown	object name not found	531775293
Section loaded	Path: \NLS\NlsSectionSortkey00000409 Access: read Type: unknown Baseaddress: unknown Size: unknown Protection: unknown Mapped to pid: unknown	object name not found	531775433
Memory allocated	PID: 260 Path: C:\WINDOWS\system32\cmd.exe Base: 261000 Length: 13F168 Allocation Type: unknown Protection: page read and write	success or wait	531775801
Memory attributes changed	PID: 260 Path: C:\WINDOWS\system32\cmd.exe Base: 4AD01000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	531780307
Memory attributes changed	PID: 260 Path: C:\WINDOWS\system32\cmd.exe Base: 4AD01000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	531780562
Section loaded	Path: \KnownDlls\msvcrt.dll Access: write and read and execute Type: unknown Baseaddress: 77C10000 Size: 360448 Protection: read write Mapped to pid: own pid	success or wait	531780711
Memory attributes changed	PID: 260 Path: C:\WINDOWS\system32\cmd.exe Base: 77C11000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	531781595
Memory attributes changed	PID: 260 Path: C:\WINDOWS\system32\cmd.exe Base: 77C11000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	531781820
Memory attributes changed	PID: 260 Path: C:\WINDOWS\system32\cmd.exe Base: 77C11000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	531781940
Memory attributes changed	PID: 260 Path: C:\WINDOWS\system32\cmd.exe Base: 77C11000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	531782871
Memory attributes changed	PID: 260 Path: C:\WINDOWS\system32\cmd.exe Base: 4AD01000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	531782980
Memory attributes changed	PID: 260 Path: C:\WINDOWS\system32\cmd.exe Base: 4AD01000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	531783536
Section loaded	Path: \KnownDlls\USER32.dll Access: write and read and execute Type: unknown Baseaddress: 7E410000 Size: 593920 Protection: read write Mapped to pid: own pid	success or wait	531783996
Section loaded	Path: \KnownDlls\GDI32.dll Access: write and read and execute Type: unknown Baseaddress: 77F10000 Size: 299008 Protection: read write Mapped to pid: own pid	success or wait	531784455
Memory attributes changed	PID: 260 Path: C:\WINDOWS\system32\cmd.exe Base: 77F11000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	531785399
Memory attributes changed	PID: 260 Path: C:\WINDOWS\system32\cmd.exe Base: 77F11000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	531785850
Memory attributes changed	PID: 260 Path: C:\WINDOWS\system32\cmd.exe Base: 77F11000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	531786553
Memory attributes changed	PID: 260 Path: C:\WINDOWS\system32\cmd.exe Base: 77F11000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	531786689
Memory attributes changed	PID: 260 Path: C:\WINDOWS\system32\cmd.exe Base: 77F11000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	531787096
Memory attributes changed	PID: 260 Path: C:\WINDOWS\system32\cmd.exe Base: 77F11000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	531787467
Memory attributes changed	PID: 260 Path: C:\WINDOWS\system32\cmd.exe Base: 7E411000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	531787599
Memory attributes changed	PID: 260 Path: C:\WINDOWS\system32\cmd.exe Base: 7E411000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	531787855
Memory attributes changed	PID: 260 Path: C:\WINDOWS\system32\cmd.exe Base: 7E411000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	531787987
Memory attributes changed	PID: 260 Path: C:\WINDOWS\system32\cmd.exe Base: 7E411000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	531788138
Memory attributes changed	PID: 260 Path: C:\WINDOWS\system32\cmd.exe Base: 7E411000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	531788254
Memory attributes changed	PID: 260 Path: C:\WINDOWS\system32\cmd.exe Base: 7E411000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	531788884
Section loaded	Path: \KnownDlls\ShimEng.dll Access: write and read and execute Type: unknown Baseaddress: unknown Size: unknown Protection: unknown Mapped to pid: unknown	object name not found	531789332
Memory allocated	PID: 260 Path: C:\WINDOWS\system32\cmd.exe Base: 153000 Length: 13F420 Allocation Type: unknown Protection: page read and write	success or wait	531789450
File opened	Path: C:\WINDOWS\system32\ShimEng.dll Access: execute or traverse and synchronize Options: synchronous io non alert and non directory file Overwritten: false	success or wait	531790221
Section loaded	Path: C:\WINDOWS\system32\shimeng.dll Access: query and write and read and execute Type: image Baseaddress: 5CB70000 Size: 155648 Protection: read write Mapped to pid: own pid	success or wait	531790883
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers Name: TransparentEnabled	success or wait	531791132
Memory attributes changed	PID: 260 Path: C:\WINDOWS\system32\cmd.exe Base: 5CB71000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	531792623
Memory attributes changed	PID: 260 Path: C:\WINDOWS\system32\cmd.exe Base: 5CB71000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	531793072
Memory attributes changed	PID: 260 Path: C:\WINDOWS\system32\cmd.exe Base: 5CB71000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	531793753
Memory attributes changed	PID: 260 Path: C:\WINDOWS\system32\cmd.exe Base: 5CB71000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	531793874
File opened	Path: C:\WINDOWS\AppPatch\sysmain.sdb Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file Attributes: normal Content Overwritten: true	success or wait	531794537
Section loaded	Path: C:\WINDOWS\AppPatch\sysmain.sdb Access: read Type: commit Baseaddress: 340000 Size: 1208320 Protection: readonly Mapped to pid: own pid	success or wait	531798491
File opened	Path: C:\WINDOWS\AppPatch\systest.sdb Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file Attributes: normal Content Overwritten: true	object name not found	531798826
System info queried	Type: ProcessorInformation	success or wait	531799597
Process information queried	Path: C:\WINDOWS\system32\cmd.exe PID: 260 Info Class: Wow64Information	success or wait	531799698
Key value queried	Path: HKEY_LOCAL_MACHINE\SYSTEM\WPA\MediaCenter Name: Installed	success or wait	531799867
File opened	Path: \Device\NamedPipe\ShimViewer Access: write data or add file and append data or add subdirectory or create pipe instance and write ea and write attributes and read control and synchronize Options: no options Attributes: normal Content Overwritten: true	object name not found	531801009
Process information queried	Path: C:\WINDOWS\system32\cmd.exe PID: 260 Info Class: Wow64Information	success or wait	531801556
System info queried	Type: BasicInformation	success or wait	531801793
Memory allocated	PID: 260 Path: C:\WINDOWS\system32\cmd.exe Base: 470000 Length: 13F0C8 Allocation Type: unknown Protection: page read and write	success or wait	531801906
Memory allocated	PID: 260 Path: C:\WINDOWS\system32\cmd.exe Base: 470000 Length: 13F0CC Allocation Type: unknown Protection: page read and write	success or wait	531802009
File opened	Path: \Device\NamedPipe\ShimViewer Access: write data or add file and append data or add subdirectory or create pipe instance and write ea and write attributes and read control and synchronize Options: no options Attributes: normal Content Overwritten: true	object name not found	531802246
Memory allocated	PID: 260 Path: C:\WINDOWS\system32\cmd.exe Base: 472000 Length: 13EB64 Allocation Type: unknown Protection: page read and write	success or wait	531802569
Memory allocated	PID: 260 Path: C:\WINDOWS\system32\cmd.exe Base: 473000 Length: 13EEA8 Allocation Type: unknown Protection: page read and write	success or wait	531803449
File opened	Path: C:\WINDOWS\AppPatch\AcGenral.DLL Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file Attributes: normal Content Overwritten: true	success or wait	531804168
File opened	Path: C:\WINDOWS\AppPatch\AcGenral.DLL Access: execute or traverse and synchronize Options: synchronous io non alert and non directory file Overwritten: false	success or wait	531805050
Section loaded	Path: C:\WINDOWS\AppPatch\acgenral.dll Access: write and read and execute Type: commit Baseaddress: 480000 Size: 1855488 Protection: execute Mapped to pid: own pid	success or wait	531805989
File opened	Path: C:\WINDOWS\AppPatch\AcGenral.DLL Access: execute or traverse and synchronize Options: synchronous io non alert and non directory file Overwritten: false	success or wait	531807123
Section loaded	Path: C:\WINDOWS\AppPatch\acgenral.dll Access: write and read and execute Type: commit Baseaddress: 480000 Size: 1855488 Protection: execute Mapped to pid: own pid	success or wait	531807503
File opened	Path: C:\WINDOWS\AppPatch\AcGenral.DLL Access: execute or traverse and synchronize Options: synchronous io non alert and non directory file Overwritten: false	success or wait	531808585
Section loaded	Path: C:\WINDOWS\AppPatch\acgenral.dll Access: query and write and read and execute Type: image Baseaddress: 6F880000 Size: 1875968 Protection: read write Mapped to pid: own pid	success or wait	531809203
Memory attributes changed	PID: 260 Path: C:\WINDOWS\system32\cmd.exe Base: 6F881000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	531810650
Memory attributes changed	PID: 260 Path: C:\WINDOWS\system32\cmd.exe Base: 6F881000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	531810968
Memory attributes changed	PID: 260 Path: C:\WINDOWS\system32\cmd.exe Base: 6F881000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	531811111
Memory attributes changed	PID: 260 Path: C:\WINDOWS\system32\cmd.exe Base: 6F881000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	531811283
Memory attributes changed	PID: 260 Path: C:\WINDOWS\system32\cmd.exe Base: 6F881000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	531811417
Memory attributes changed	PID: 260 Path: C:\WINDOWS\system32\cmd.exe Base: 6F881000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	531811535
Section loaded	Path: \KnownDlls\ADVAPI32.dll Access: write and read and execute Type: unknown Baseaddress: 77DD0000 Size: 634880 Protection: read write Mapped to pid: own pid	success or wait	531811678
Memory attributes changed	PID: 260 Path: C:\WINDOWS\system32\cmd.exe Base: 77DD1000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	531813407
Memory attributes changed	PID: 260 Path: C:\WINDOWS\system32\cmd.exe Base: 77DD1000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	531814404
Memory attributes changed	PID: 260 Path: C:\WINDOWS\system32\cmd.exe Base: 77DD1000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	531814541
Memory attributes changed	PID: 260 Path: C:\WINDOWS\system32\cmd.exe Base: 77DD1000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	531814775
Section loaded	Path: \KnownDlls\RPCRT4.dll Access: write and read and execute Type: unknown Baseaddress: 77E70000 Size: 602112 Protection: read write Mapped to pid: own pid	success or wait	531824978
Memory attributes changed	PID: 260 Path: C:\WINDOWS\system32\cmd.exe Base: 77E71000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	531826003
Memory attributes changed	PID: 260 Path: C:\WINDOWS\system32\cmd.exe Base: 77E71000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	531826284
Memory attributes changed	PID: 260 Path: C:\WINDOWS\system32\cmd.exe Base: 77E71000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	531826436
Memory attributes changed	PID: 260 Path: C:\WINDOWS\system32\cmd.exe Base: 77E71000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	531827425
Memory attributes changed	PID: 260 Path: C:\WINDOWS\system32\cmd.exe Base: 77E71000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	531827582
Memory attributes changed	PID: 260 Path: C:\WINDOWS\system32\cmd.exe Base: 77E71000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	531828018
Section loaded	Path: \KnownDlls\Secur32.dll Access: write and read and execute Type: unknown Baseaddress: 77FE0000 Size: 69632 Protection: read write Mapped to pid: own pid	success or wait	531828367
Memory attributes changed	PID: 260 Path: C:\WINDOWS\system32\cmd.exe Base: 77FE1000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	531828880
Memory attributes changed	PID: 260 Path: C:\WINDOWS\system32\cmd.exe Base: 77FE1000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	531829050
Memory attributes changed	PID: 260 Path: C:\WINDOWS\system32\cmd.exe Base: 77FE1000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	531829199
Memory attributes changed	PID: 260 Path: C:\WINDOWS\system32\cmd.exe Base: 77FE1000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	531829814
Memory attributes changed	PID: 260 Path: C:\WINDOWS\system32\cmd.exe Base: 77FE1000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	531829972
Memory attributes changed	PID: 260 Path: C:\WINDOWS\system32\cmd.exe Base: 77FE1000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	531830199
Memory attributes changed	PID: 260 Path: C:\WINDOWS\system32\cmd.exe Base: 77E71000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	531830594
Memory attributes changed	PID: 260 Path: C:\WINDOWS\system32\cmd.exe Base: 77E71000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	531830727
Memory attributes changed	PID: 260 Path: C:\WINDOWS\system32\cmd.exe Base: 77DD1000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	531830848
Memory attributes changed	PID: 260 Path: C:\WINDOWS\system32\cmd.exe Base: 77DD1000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	531831603
Memory attributes changed	PID: 260 Path: C:\WINDOWS\system32\cmd.exe Base: 6F881000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	531831724
Memory attributes changed	PID: 260 Path: C:\WINDOWS\system32\cmd.exe Base: 6F881000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	531832133
Section loaded	Path: \KnownDlls\WINMM.dll Access: write and read and execute Type: unknown Baseaddress: unknown Size: unknown Protection: unknown Mapped to pid: unknown	object name not found	531832414
File opened	Path: C:\WINDOWS\system32\WINMM.dll Access: execute or traverse and synchronize Options: synchronous io non alert and non directory file Overwritten: false	success or wait	531832615
Section loaded	Path: C:\WINDOWS\system32\winmm.dll Access: query and write and read and execute Type: image Baseaddress: 76B40000 Size: 184320 Protection: read write Mapped to pid: own pid	success or wait	531832989
Memory attributes changed	PID: 260 Path: C:\WINDOWS\system32\cmd.exe Base: 76B41000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	531834066
Memory attributes changed	PID: 260 Path: C:\WINDOWS\system32\cmd.exe Base: 76B41000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	531834278
Memory attributes changed	PID: 260 Path: C:\WINDOWS\system32\cmd.exe Base: 76B41000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	531834409
Memory attributes changed	PID: 260 Path: C:\WINDOWS\system32\cmd.exe Base: 76B41000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	531834796
Memory attributes changed	PID: 260 Path: C:\WINDOWS\system32\cmd.exe Base: 76B41000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	531834923
Memory attributes changed	PID: 260 Path: C:\WINDOWS\system32\cmd.exe Base: 76B41000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	531835631
Memory attributes changed	PID: 260 Path: C:\WINDOWS\system32\cmd.exe Base: 76B41000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	531835777
Memory attributes changed	PID: 260 Path: C:\WINDOWS\system32\cmd.exe Base: 76B41000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	531836210
Memory attributes changed	PID: 260 Path: C:\WINDOWS\system32\cmd.exe Base: 76B41000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	531836489
Memory attributes changed	PID: 260 Path: C:\WINDOWS\system32\cmd.exe Base: 76B41000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	531836618
Section loaded	Path: \KnownDlls\ole32.dll Access: write and read and execute Type: unknown Baseaddress: 774E0000 Size: 1302528 Protection: read write Mapped to pid: own pid	success or wait	531836765
Memory attributes changed	PID: 260 Path: C:\WINDOWS\system32\cmd.exe Base: 774E1000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	531837234
Memory attributes changed	PID: 260 Path: C:\WINDOWS\system32\cmd.exe Base: 774E1000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	531837878
Memory attributes changed	PID: 260 Path: C:\WINDOWS\system32\cmd.exe Base: 774E1000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	531838011
Memory attributes changed	PID: 260 Path: C:\WINDOWS\system32\cmd.exe Base: 774E1000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	531838405
Memory attributes changed	PID: 260 Path: C:\WINDOWS\system32\cmd.exe Base: 774E1000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	531839104
Memory attributes changed	PID: 260 Path: C:\WINDOWS\system32\cmd.exe Base: 774E1000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	531839575
Memory attributes changed	PID: 260 Path: C:\WINDOWS\system32\cmd.exe Base: 774E1000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	531839713
Memory attributes changed	PID: 260 Path: C:\WINDOWS\system32\cmd.exe Base: 774E1000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	531839991
Memory attributes changed	PID: 260 Path: C:\WINDOWS\system32\cmd.exe Base: 774E1000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	531840120
Memory attributes changed	PID: 260 Path: C:\WINDOWS\system32\cmd.exe Base: 774E1000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	531840256
Memory attributes changed	PID: 260 Path: C:\WINDOWS\system32\cmd.exe Base: 774E1000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	531840395
Memory attributes changed	PID: 260 Path: C:\WINDOWS\system32\cmd.exe Base: 774E1000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	531840569
Memory attributes changed	PID: 260 Path: C:\WINDOWS\system32\cmd.exe Base: 774E1000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	531840697
Memory attributes changed	PID: 260 Path: C:\WINDOWS\system32\cmd.exe Base: 774E1000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	531841334
Memory attributes changed	PID: 260 Path: C:\WINDOWS\system32\cmd.exe Base: 6F881000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	531841455
Memory attributes changed	PID: 260 Path: C:\WINDOWS\system32\cmd.exe Base: 6F881000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	531841871
Section loaded	Path: \KnownDlls\OLEAUT32.dll Access: write and read and execute Type: unknown Baseaddress: 77120000 Size: 569344 Protection: read write Mapped to pid: own pid	success or wait	531842707
Memory attributes changed	PID: 260 Path: C:\WINDOWS\system32\cmd.exe Base: 77121000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	531843549
Memory attributes changed	PID: 260 Path: C:\WINDOWS\system32\cmd.exe Base: 77121000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	531843744
Memory attributes changed	PID: 260 Path: C:\WINDOWS\system32\cmd.exe Base: 77121000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	531843886
Memory attributes changed	PID: 260 Path: C:\WINDOWS\system32\cmd.exe Base: 77121000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	531844024
Memory attributes changed	PID: 260 Path: C:\WINDOWS\system32\cmd.exe Base: 77121000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	531844153
Memory attributes changed	PID: 260 Path: C:\WINDOWS\system32\cmd.exe Base: 77121000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	531844798
Memory attributes changed	PID: 260 Path: C:\WINDOWS\system32\cmd.exe Base: 77121000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	531844935
Memory attributes changed	PID: 260 Path: C:\WINDOWS\system32\cmd.exe Base: 77121000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	531845321
Memory attributes changed	PID: 260 Path: C:\WINDOWS\system32\cmd.exe Base: 77121000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	531846020
Memory attributes changed	PID: 260 Path: C:\WINDOWS\system32\cmd.exe Base: 77121000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	531846162
Memory attributes changed	PID: 260 Path: C:\WINDOWS\system32\cmd.exe Base: 77121000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	531846572
Memory attributes changed	PID: 260 Path: C:\WINDOWS\system32\cmd.exe Base: 77121000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	531846848
Section loaded	Path: \KnownDlls\MSACM32.dll Access: write and read and execute Type: unknown Baseaddress: unknown Size: unknown Protection: unknown Mapped to pid: unknown	object name not found	531846998
File opened	Path: C:\WINDOWS\system32\MSACM32.dll Access: execute or traverse and synchronize Options: synchronous io non alert and non directory file Overwritten: false	success or wait	531847226
Section loaded	Path: C:\WINDOWS\system32\msacm32.dll Access: query and write and read and execute Type: image Baseaddress: 77BE0000 Size: 86016 Protection: read write Mapped to pid: own pid	success or wait	531847683
Memory attributes changed	PID: 260 Path: C:\WINDOWS\system32\cmd.exe Base: 77BE1000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	531849037
Memory attributes changed	PID: 260 Path: C:\WINDOWS\system32\cmd.exe Base: 77BE1000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	531849539
Memory attributes changed	PID: 260 Path: C:\WINDOWS\system32\cmd.exe Base: 77BE1000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	531850235
Memory attributes changed	PID: 260 Path: C:\WINDOWS\system32\cmd.exe Base: 77BE1000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	531850366
Memory attributes changed	PID: 260 Path: C:\WINDOWS\system32\cmd.exe Base: 77BE1000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	531850779
Memory attributes changed	PID: 260 Path: C:\WINDOWS\system32\cmd.exe Base: 77BE1000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	531851081
Memory attributes changed	PID: 260 Path: C:\WINDOWS\system32\cmd.exe Base: 77BE1000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	531851211
Memory attributes changed	PID: 260 Path: C:\WINDOWS\system32\cmd.exe Base: 77BE1000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	531851338
Memory attributes changed	PID: 260 Path: C:\WINDOWS\system32\cmd.exe Base: 77BE1000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	531851477
Memory attributes changed	PID: 260 Path: C:\WINDOWS\system32\cmd.exe Base: 77BE1000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	531851604
Section loaded	Path: \KnownDlls\VERSION.dll Access: write and read and execute Type: unknown Baseaddress: 77C00000 Size: 32768 Protection: read write Mapped to pid: own pid	success or wait	531851752
Memory attributes changed	PID: 260 Path: C:\WINDOWS\system32\cmd.exe Base: 77C01000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	531852901
Memory attributes changed	PID: 260 Path: C:\WINDOWS\system32\cmd.exe Base: 77C01000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	531853095
Memory attributes changed	PID: 260 Path: C:\WINDOWS\system32\cmd.exe Base: 77C01000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	531853228
Memory attributes changed	PID: 260 Path: C:\WINDOWS\system32\cmd.exe Base: 77C01000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	531853930
Section loaded	Path: \KnownDlls\SHELL32.dll Access: write and read and execute Type: unknown Baseaddress: 7C9C0000 Size: 8482816 Protection: read write Mapped to pid: own pid	success or wait	531854084
Memory attributes changed	PID: 260 Path: C:\WINDOWS\system32\cmd.exe Base: 7C9C1000 Length: 2000 New Protection: page read and write Old Protection: page execute read	success or wait	531854887
Memory attributes changed	PID: 260 Path: C:\WINDOWS\system32\cmd.exe Base: 7C9C1000 Length: 2000 New Protection: page execute read Old Protection: page read and write	success or wait	531855102
Memory attributes changed	PID: 260 Path: C:\WINDOWS\system32\cmd.exe Base: 7C9C1000 Length: 2000 New Protection: page read and write Old Protection: page execute read	success or wait	531855245
Memory attributes changed	PID: 260 Path: C:\WINDOWS\system32\cmd.exe Base: 7C9C1000 Length: 2000 New Protection: page execute read Old Protection: page read and write	success or wait	531855386
Memory attributes changed	PID: 260 Path: C:\WINDOWS\system32\cmd.exe Base: 7C9C1000 Length: 2000 New Protection: page read and write Old Protection: page execute read	success or wait	531855514
Memory attributes changed	PID: 260 Path: C:\WINDOWS\system32\cmd.exe Base: 7C9C1000 Length: 2000 New Protection: page execute read Old Protection: page read and write	success or wait	531856739
Memory attributes changed	PID: 260 Path: C:\WINDOWS\system32\cmd.exe Base: 7C9C1000 Length: 2000 New Protection: page read and write Old Protection: page execute read	success or wait	531857127
Memory attributes changed	PID: 260 Path: C:\WINDOWS\system32\cmd.exe Base: 7C9C1000 Length: 2000 New Protection: page execute read Old Protection: page read and write	success or wait	531857262
Memory attributes changed	PID: 260 Path: C:\WINDOWS\system32\cmd.exe Base: 7C9C1000 Length: 2000 New Protection: page read and write Old Protection: page execute read	success or wait	531857958
Memory attributes changed	PID: 260 Path: C:\WINDOWS\system32\cmd.exe Base: 7C9C1000 Length: 2000 New Protection: page execute read Old Protection: page read and write	success or wait	531858095
Memory attributes changed	PID: 260 Path: C:\WINDOWS\system32\cmd.exe Base: 7C9C1000 Length: 2000 New Protection: page read and write Old Protection: page execute read	success or wait	531858505
Memory attributes changed	PID: 260 Path: C:\WINDOWS\system32\cmd.exe Base: 7C9C1000 Length: 2000 New Protection: page execute read Old Protection: page read and write	success or wait	531858783
Section loaded	Path: \KnownDlls\SHLWAPI.dll Access: write and read and execute Type: unknown Baseaddress: 77F60000 Size: 483328 Protection: read write Mapped to pid: own pid	success or wait	531858939
Memory attributes changed	PID: 260 Path: C:\WINDOWS\system32\cmd.exe Base: 77F61000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	531863049
Memory attributes changed	PID: 260 Path: C:\WINDOWS\system32\cmd.exe Base: 77F61000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	531863686
Memory attributes changed	PID: 260 Path: C:\WINDOWS\system32\cmd.exe Base: 77F61000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	531863834
Memory attributes changed	PID: 260 Path: C:\WINDOWS\system32\cmd.exe Base: 77F61000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	531864236
Memory attributes changed	PID: 260 Path: C:\WINDOWS\system32\cmd.exe Base: 77F61000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	531864948
Memory attributes changed	PID: 260 Path: C:\WINDOWS\system32\cmd.exe Base: 77F61000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	531865432
Memory attributes changed	PID: 260 Path: C:\WINDOWS\system32\cmd.exe Base: 77F61000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	531865583
Memory attributes changed	PID: 260 Path: C:\WINDOWS\system32\cmd.exe Base: 77F61000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	531865868
Memory attributes changed	PID: 260 Path: C:\WINDOWS\system32\cmd.exe Base: 77F61000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	531866011
Memory attributes changed	PID: 260 Path: C:\WINDOWS\system32\cmd.exe Base: 77F61000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	531866204
Memory attributes changed	PID: 260 Path: C:\WINDOWS\system32\cmd.exe Base: 7C9C1000 Length: 2000 New Protection: page read and write Old Protection: page execute read	success or wait	531866344
Memory attributes changed	PID: 260 Path: C:\WINDOWS\system32\cmd.exe Base: 7C9C1000 Length: 2000 New Protection: page execute read Old Protection: page read and write	success or wait	531866581
Memory attributes changed	PID: 260 Path: C:\WINDOWS\system32\cmd.exe Base: 7C9C1000 Length: 2000 New Protection: page read and write Old Protection: page execute read	success or wait	531866710
Memory attributes changed	PID: 260 Path: C:\WINDOWS\system32\cmd.exe Base: 7C9C1000 Length: 2000 New Protection: page execute read Old Protection: page read and write	success or wait	531867397
Memory attributes changed	PID: 260 Path: C:\WINDOWS\system32\cmd.exe Base: 6F881000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	531867525
Memory attributes changed	PID: 260 Path: C:\WINDOWS\system32\cmd.exe Base: 6F881000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	531867942
Memory attributes changed	PID: 260 Path: C:\WINDOWS\system32\cmd.exe Base: 6F881000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	531868625
Memory attributes changed	PID: 260 Path: C:\WINDOWS\system32\cmd.exe Base: 6F881000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	531868773
Section loaded	Path: \KnownDlls\USERENV.dll Access: write and read and execute Type: unknown Baseaddress: 769C0000 Size: 737280 Protection: read write Mapped to pid: own pid	success or wait	531869195
Memory attributes changed	PID: 260 Path: C:\WINDOWS\system32\cmd.exe Base: 769C1000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	531869783
Memory attributes changed	PID: 260 Path: C:\WINDOWS\system32\cmd.exe Base: 769C1000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	531870010
Memory attributes changed	PID: 260 Path: C:\WINDOWS\system32\cmd.exe Base: 769C1000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	531870143
Memory attributes changed	PID: 260 Path: C:\WINDOWS\system32\cmd.exe Base: 769C1000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	531870311
Memory attributes changed	PID: 260 Path: C:\WINDOWS\system32\cmd.exe Base: 769C1000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	531870886
Memory attributes changed	PID: 260 Path: C:\WINDOWS\system32\cmd.exe Base: 769C1000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	531871896
Memory attributes changed	PID: 260 Path: C:\WINDOWS\system32\cmd.exe Base: 769C1000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	531872035
Memory attributes changed	PID: 260 Path: C:\WINDOWS\system32\cmd.exe Base: 769C1000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	531872484
Memory attributes changed	PID: 260 Path: C:\WINDOWS\system32\cmd.exe Base: 769C1000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	531872763
Memory attributes changed	PID: 260 Path: C:\WINDOWS\system32\cmd.exe Base: 769C1000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	531872895
Section loaded	Path: \KnownDlls\UxTheme.dll Access: write and read and execute Type: unknown Baseaddress: unknown Size: unknown Protection: unknown Mapped to pid: unknown	object name not found	531873043
File opened	Path: C:\WINDOWS\system32\UxTheme.dll Access: execute or traverse and synchronize Options: synchronous io non alert and non directory file Overwritten: false	success or wait	531873266
Section loaded	Path: C:\WINDOWS\system32\uxtheme.dll Access: query and write and read and execute Type: image Baseaddress: 5AD70000 Size: 229376 Protection: read write Mapped to pid: own pid	success or wait	531873658
Memory attributes changed	PID: 260 Path: C:\WINDOWS\system32\cmd.exe Base: 5AD71000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	531875009
Memory attributes changed	PID: 260 Path: C:\WINDOWS\system32\cmd.exe Base: 5AD71000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	531875751
Memory attributes changed	PID: 260 Path: C:\WINDOWS\system32\cmd.exe Base: 5AD71000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	531876161
Memory attributes changed	PID: 260 Path: C:\WINDOWS\system32\cmd.exe Base: 5AD71000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	531876325
Memory attributes changed	PID: 260 Path: C:\WINDOWS\system32\cmd.exe Base: 5AD71000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	531876604
Memory attributes changed	PID: 260 Path: C:\WINDOWS\system32\cmd.exe Base: 5AD71000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	531876764
Memory attributes changed	PID: 260 Path: C:\WINDOWS\system32\cmd.exe Base: 5AD71000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	531876893
Memory attributes changed	PID: 260 Path: C:\WINDOWS\system32\cmd.exe Base: 5AD71000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	531877034
Memory attributes changed	PID: 260 Path: C:\WINDOWS\system32\cmd.exe Base: 5AD71000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	531877161
Memory attributes changed	PID: 260 Path: C:\WINDOWS\system32\cmd.exe Base: 5AD71000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	531877290
System info queried	Type: BasicInformation	success or wait	531878504
Memory allocated	PID: 260 Path: C:\WINDOWS\system32\cmd.exe Base: 480000 Length: 13E978 Allocation Type: unknown Protection: page read and write	success or wait	531878636
Memory allocated	PID: 260 Path: C:\WINDOWS\system32\cmd.exe Base: 480000 Length: 13E97C Allocation Type: unknown Protection: page read and write	success or wait	531878755
Memory allocated	PID: 260 Path: C:\WINDOWS\system32\cmd.exe Base: 481000 Length: 13E658 Allocation Type: unknown Protection: page read and write	success or wait	531879515
Section loaded	Path: \NLS\NlsSectionCType Access: read Type: unknown Baseaddress: 490000 Size: 12288 Protection: readonly Mapped to pid: own pid	success or wait	531880467
Memory allocated	PID: 260 Path: C:\WINDOWS\system32\cmd.exe Base: 483000 Length: 13E70C Allocation Type: unknown Protection: page read and write	success or wait	531881114
Process information queried	Path: C:\WINDOWS\system32\cmd.exe PID: 260 Info Class: Cookie	success or wait	531881296
Process information queried	Path: C:\WINDOWS\system32\cmd.exe PID: 260 Info Class: Cookie	success or wait	531881403
Mutant created	Name: \BaseNamedObjects\SHIMLIB_LOG_MUTEX	object name exists	531882061
File opened	Path: \Device\NamedPipe\ShimViewer Access: write data or add file and append data or add subdirectory or create pipe instance and write ea and write attributes and read control and synchronize Options: no options Attributes: normal Content Overwritten: true	object name not found	531882908
System info queried	Type: BasicInformation	success or wait	531883169
Memory allocated	PID: 260 Path: C:\WINDOWS\system32\cmd.exe Base: 4A0000 Length: 13F04C Allocation Type: unknown Protection: page read and write	success or wait	531883863
Memory allocated	PID: 260 Path: C:\WINDOWS\system32\cmd.exe Base: 4A0000 Length: 13F050 Allocation Type: unknown Protection: page read and write	success or wait	531883981
Memory allocated	PID: 260 Path: C:\WINDOWS\system32\cmd.exe Base: 4A1000 Length: 13ED2C Allocation Type: unknown Protection: page read and write	success or wait	531884399
System info queried	Type: BasicInformation	success or wait	531884817
System info queried	Type: ProcessorInformation	success or wait	531884929
Process information queried	Path: C:\WINDOWS\system32\cmd.exe PID: 260 Info Class: ImageInformation	success or wait	531885398
System info queried	Type: BasicInformation	success or wait	531886354
Memory allocated	PID: 260 Path: C:\WINDOWS\system32\cmd.exe Base: 30000 Length: 13F91C Allocation Type: unknown Protection: page read and write	success or wait	531886938
Memory allocated	PID: 260 Path: C:\WINDOWS\system32\cmd.exe Base: 30000 Length: 13F920 Allocation Type: unknown Protection: page read and write	success or wait	531887052
Memory allocated	PID: 260 Path: C:\WINDOWS\system32\cmd.exe Base: 31000 Length: 13F5FC Allocation Type: unknown Protection: page read and write	success or wait	531887181
Memory allocated	PID: 260 Path: C:\WINDOWS\system32\cmd.exe Base: 33000 Length: 13F6B8 Allocation Type: unknown Protection: page read and write	success or wait	531888013
Process information queried	Path: C:\WINDOWS\system32\cmd.exe PID: 260 Info Class: Cookie	success or wait	531888906
Process information queried	Path: C:\WINDOWS\system32\cmd.exe PID: 260 Info Class: Cookie	success or wait	531889002
System info queried	Type: BasicInformation	success or wait	531889147
Key value queried	Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager Name: SafeDllSearchMode	object name not found	531890031
File opened	Path: C:\WINDOWS\system32\IMM32.DLL Access: execute or traverse and synchronize Options: synchronous io non alert and non directory file Overwritten: false	success or wait	531890554
Section loaded	Path: C:\WINDOWS\system32\imm32.dll Access: write and read and execute Type: commit Baseaddress: 410000 Size: 110592 Protection: execute Mapped to pid: own pid	success or wait	531890978
File opened	Path: C:\WINDOWS\system32\IMM32.DLL Access: execute or traverse and synchronize Options: synchronous io non alert and non directory file Overwritten: false	success or wait	531892395
Section loaded	Path: C:\WINDOWS\system32\imm32.dll Access: write and read and execute Type: commit Baseaddress: 410000 Size: 110592 Protection: execute Mapped to pid: own pid	success or wait	531892782
File opened	Path: C:\WINDOWS\system32\IMM32.DLL Access: execute or traverse and synchronize Options: synchronous io non alert and non directory file Overwritten: false	success or wait	531894459
Section loaded	Path: C:\WINDOWS\system32\imm32.dll Access: query and write and read and execute Type: image Baseaddress: 76390000 Size: 118784 Protection: read write Mapped to pid: own pid	success or wait	531894842
Memory attributes changed	PID: 260 Path: C:\WINDOWS\system32\cmd.exe Base: 76391000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	531895969
Memory attributes changed	PID: 260 Path: C:\WINDOWS\system32\cmd.exe Base: 76391000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	531896145
Memory attributes changed	PID: 260 Path: C:\WINDOWS\system32\cmd.exe Base: 76391000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	531896535
Memory attributes changed	PID: 260 Path: C:\WINDOWS\system32\cmd.exe Base: 76391000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	531897269
Memory attributes changed	PID: 260 Path: C:\WINDOWS\system32\cmd.exe Base: 76391000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	531897405
Memory attributes changed	PID: 260 Path: C:\WINDOWS\system32\cmd.exe Base: 76391000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	531897863
Memory attributes changed	PID: 260 Path: C:\WINDOWS\system32\cmd.exe Base: 76391000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	531898205
Memory attributes changed	PID: 260 Path: C:\WINDOWS\system32\cmd.exe Base: 76391000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	531898358
System info queried	Type: BasicInformation	success or wait	531898608
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize Name: DisableMetaFiles	object name not found	531899615
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Name: AppInit_DLLs	success or wait	531900934
Memory allocated	PID: 260 Path: C:\WINDOWS\system32\cmd.exe Base: 154000 Length: 13F728 Allocation Type: unknown Protection: page read and write	success or wait	531901856
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Name: LeakTrack	object name not found	531902371
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: wave	success or wait	531903759
Memory allocated	PID: 260 Path: C:\WINDOWS\system32\cmd.exe Base: 8F0000 Length: 13F52C Allocation Type: unknown Protection: page read and write	success or wait	531904137
Memory allocated	PID: 260 Path: C:\WINDOWS\system32\cmd.exe Base: 8F0000 Length: 13F528 Allocation Type: unknown Protection: page read and write	success or wait	531904425
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: wave	success or wait	531904592
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: wave1	success or wait	531904983
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: wave1	success or wait	531905403
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: wave2	object name not found	531905772
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: wave3	object name not found	531906137
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: wave4	object name not found	531907046
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: wave5	object name not found	531907435
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: wave6	object name not found	531908058
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: wave7	object name not found	531908968
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: wave8	object name not found	531909628
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: wave9	object name not found	531909995
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: midi	success or wait	531910529
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: midi	success or wait	531910909
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: midi1	success or wait	531911277
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: midi1	success or wait	531911691
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: midi2	object name not found	531912061
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: midi3	object name not found	531912428
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: midi4	object name not found	531913268
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: midi5	object name not found	531913697
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: midi6	object name not found	531914511
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: midi7	object name not found	531915477
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: midi8	object name not found	531916218
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: midi9	object name not found	531916610
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: aux	success or wait	531917148
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: aux	success or wait	531917528
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: aux1	success or wait	531917895
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: aux1	success or wait	531918307
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: aux2	object name not found	531918676
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: aux3	object name not found	531919040
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: aux4	object name not found	531919874
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: aux5	object name not found	531920262
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: aux6	object name not found	531920884
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: aux7	object name not found	531921896
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: aux8	object name not found	531922547
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: aux9	object name not found	531922914
Key value queried	Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\MediaProperties\PrivateProperties\Joystick\Winmm Name: wheel	success or wait	531927813
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: mixer	success or wait	531928131
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: mixer	success or wait	531928981
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: mixer1	success or wait	531929614
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: mixer1	success or wait	531929998
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: mixer2	object name not found	531930931
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: mixer3	object name not found	531931585
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: mixer4	object name not found	531931954
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: mixer5	object name not found	531932464
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: mixer6	object name not found	531932833
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: mixer7	object name not found	531933198
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: mixer8	object name not found	531933576
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: mixer9	object name not found	531933941
Memory allocated	PID: 260 Path: C:\WINDOWS\system32\cmd.exe Base: 155000 Length: 13F5BC Allocation Type: unknown Protection: page read and write	success or wait	531934395
File opened	Path: \Device\KsecDD Access: read data or list directory and synchronize Options: synchronous io alert Overwritten: false	success or wait	531935019
System info queried	Type: BasicInformation	success or wait	531936985
System info queried	Type: ProcessorInformation	success or wait	531937662
Key value queried	Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager Name: CriticalSectionTimeout	success or wait	531937872
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole Name: RWLockResourceTimeOut	object name not found	531938636
System info queried	Type: BasicInformation	success or wait	531938909
System info queried	Type: ProcessorInformation	success or wait	531939030
System info queried	Type: BasicInformation	success or wait	531939128
System info queried	Type: ProcessorInformation	success or wait	531939236
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface Name: InterfaceHelperDisableAll	object name not found	531939863
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface Name: InterfaceHelperDisableAllForOle32	object name not found	531939985
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface Name: InterfaceHelperDisableTypeLib	object name not found	531940098
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{00020400-0000-0000-C000-000000000046} Name: InterfaceHelperDisableAll	object name not found	531941181
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{00020400-0000-0000-C000-000000000046} Name: InterfaceHelperDisableAllForOle32	object name not found	531941582
Memory allocated	PID: 260 Path: C:\WINDOWS\system32\cmd.exe Base: 156000 Length: 13F55C Allocation Type: unknown Protection: page read and write	success or wait	531942607
Key value queried	Path: HKEY_USERS\Software\Microsoft\Multimedia\Audio Name: SystemFormats	success or wait	531943188
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: msacm.imaadpcm	buffer overflow	531945296
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: msacm.imaadpcm	success or wait	531945432
Memory allocated	PID: 260 Path: C:\WINDOWS\system32\cmd.exe Base: 157000 Length: 13EF90 Allocation Type: unknown Protection: page read and write	success or wait	531946093
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.imaadpcm Name: fdwSupport	success or wait	531946314
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.imaadpcm Name: cFormatTags	success or wait	531946539
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.imaadpcm Name: aFormatTagCache	success or wait	531946750
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.imaadpcm Name: cFilterTags	success or wait	531946942
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: msacm.msadpcm	buffer overflow	531947836
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: msacm.msadpcm	success or wait	531948222
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msadpcm Name: fdwSupport	success or wait	531953766
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msadpcm Name: cFormatTags	success or wait	531953976
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msadpcm Name: aFormatTagCache	success or wait	531954185
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msadpcm Name: cFilterTags	success or wait	531954377
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: msacm.msg711	buffer overflow	531955265
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: msacm.msg711	success or wait	531955652
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msg711 Name: fdwSupport	success or wait	531956852
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msg711 Name: cFormatTags	success or wait	531957058
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msg711 Name: aFormatTagCache	success or wait	531957401
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msg711 Name: cFilterTags	success or wait	531957596
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: msacm.msgsm610	buffer overflow	531958034
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: msacm.msgsm610	success or wait	531958166
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msgsm610 Name: fdwSupport	success or wait	531958945
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msgsm610 Name: cFormatTags	success or wait	531959404
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msgsm610 Name: aFormatTagCache	success or wait	531960171
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msgsm610 Name: cFilterTags	success or wait	531960370
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: msacm.trspch	buffer overflow	531961226
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: msacm.trspch	success or wait	531961358
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.trspch Name: fdwSupport	success or wait	531961679
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.trspch Name: cFormatTags	success or wait	531961900
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.trspch Name: aFormatTagCache	success or wait	531962735
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.trspch Name: cFilterTags	success or wait	531962934
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: msacm.msg723	buffer overflow	531964186
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: msacm.msg723	success or wait	531964607
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msg723 Name: fdwSupport	success or wait	531965074
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msg723 Name: cFormatTags	success or wait	531965271
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msg723 Name: aFormatTagCache	success or wait	531965479
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msg723 Name: cFilterTags	success or wait	531965671
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: msacm.msaudio1	buffer overflow	531966562
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: msacm.msaudio1	success or wait	531966953
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msaudio1 Name: fdwSupport	success or wait	531972374
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msaudio1 Name: cFormatTags	success or wait	531972611
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msaudio1 Name: aFormatTagCache	success or wait	531972838
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msaudio1 Name: cFilterTags	success or wait	531973031
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: msacm.sl_anet	buffer overflow	531973920
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: msacm.sl_anet	success or wait	531974312
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.sl_anet Name: fdwSupport	success or wait	531975204
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.sl_anet Name: cFormatTags	success or wait	531975690
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.sl_anet Name: aFormatTagCache	success or wait	531976034
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.sl_anet Name: cFilterTags	success or wait	531976229
Memory allocated	PID: 260 Path: C:\WINDOWS\system32\cmd.exe Base: 158000 Length: 13F188 Allocation Type: unknown Protection: page read and write	success or wait	531976627
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: msacm.iac2	buffer overflow	531976803
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: msacm.iac2	success or wait	531977408
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.iac2 Name: fdwSupport	success or wait	531978011
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.iac2 Name: cFormatTags	success or wait	531978772
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.iac2 Name: aFormatTagCache	success or wait	531978974
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.iac2 Name: cFilterTags	success or wait	531979450
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: msacm.l3acm	buffer overflow	531980025
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: msacm.l3acm	success or wait	531980175
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.l3acm Name: fdwSupport	success or wait	531980507
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.l3acm Name: cFormatTags	success or wait	531981167
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.l3acm Name: aFormatTagCache	success or wait	531981369
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.l3acm Name: cFilterTags	success or wait	531981820
Key value queried	Path: HKEY_USERS\Software\Microsoft\Multimedia\Audio Compression Manager\MSACM Name: NoPCMConverter	object name not found	531989211
Memory allocated	PID: 260 Path: C:\WINDOWS\system32\cmd.exe Base: 159000 Length: 13EFB0 Allocation Type: unknown Protection: page read and write	success or wait	531989522
Key value queried	Path: HKEY_USERS\Software\Microsoft\Multimedia\Audio Compression Manager\Priority v4.00 Name: Priority1	object name not found	531991878
Key value queried	Path: HKEY_LOCAL_MACHINE\SYSTEM\Setup Name: SystemSetupInProgress	success or wait	531993088
File opened	Path: C:\WINDOWS\system32\SHELL32.dll Access: read data or list directory and read ea and execute or traverse and read attributes and read control and synchronize Options: synchronous io non alert and non directory file Overwritten: false	success or wait	531993784
Section loaded	Path: C:\WINDOWS\system32\shell32.dll Access: read Type: commit Baseaddress: 970000 Size: 8462336 Protection: readonly Mapped to pid: own pid	success or wait	531994195
File opened	Path: C:\WINDOWS\system32\SHELL32.dll.124.Manifest Access: read data or list directory and read ea and execute or traverse and read attributes and read control and synchronize Options: synchronous io non alert and non directory file Overwritten: false	object name not found	531994525
File opened	Path: C:\WINDOWS\system32\SHELL32.dll.124.Config Access: read data or list directory and read ea and execute or traverse and read attributes and read control and synchronize Options: synchronous io non alert and non directory file Overwritten: false	object name not found	531995516
File opened	Path: C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202 Access: execute or traverse and synchronize Options: directory file and synchronous io non alert Overwritten: false	success or wait	532011072
File opened	Path: C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll Access: execute or traverse and synchronize Options: synchronous io non alert and non directory file Overwritten: false	success or wait	532011628
Section loaded	Path: C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll Access: write and read and execute Type: commit Baseaddress: 970000 Size: 1056768 Protection: execute Mapped to pid: own pid	success or wait	532012317
File opened	Path: C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll Access: execute or traverse and synchronize Options: synchronous io non alert and non directory file Overwritten: false	success or wait	532012946
Section loaded	Path: C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll Access: query and write and read and execute Type: image Baseaddress: 773D0000 Size: 1060864 Protection: read write Mapped to pid: own pid	success or wait	532018165
Memory attributes changed	PID: 260 Path: C:\WINDOWS\system32\cmd.exe Base: 773D1000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	532019331
Memory attributes changed	PID: 260 Path: C:\WINDOWS\system32\cmd.exe Base: 773D1000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	532019494
Memory attributes changed	PID: 260 Path: C:\WINDOWS\system32\cmd.exe Base: 773D1000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	532019896
Memory attributes changed	PID: 260 Path: C:\WINDOWS\system32\cmd.exe Base: 773D1000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	532020606
Memory attributes changed	PID: 260 Path: C:\WINDOWS\system32\cmd.exe Base: 773D1000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	532020769
Memory attributes changed	PID: 260 Path: C:\WINDOWS\system32\cmd.exe Base: 773D1000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	532021313
Memory attributes changed	PID: 260 Path: C:\WINDOWS\system32\cmd.exe Base: 773D1000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	532021620
Memory attributes changed	PID: 260 Path: C:\WINDOWS\system32\cmd.exe Base: 773D1000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	532021776
Memory attributes changed	PID: 260 Path: C:\WINDOWS\system32\cmd.exe Base: 773D1000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	532021914
Memory attributes changed	PID: 260 Path: C:\WINDOWS\system32\cmd.exe Base: 773D1000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	532022099
Memory attributes changed	PID: 260 Path: C:\WINDOWS\system32\cmd.exe Base: 773D1000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	532022238
Memory attributes changed	PID: 260 Path: C:\WINDOWS\system32\cmd.exe Base: 773D1000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	532022374
Memory attributes changed	PID: 260 Path: C:\WINDOWS\system32\cmd.exe Base: 773D1000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	532022972
Memory attributes changed	PID: 260 Path: C:\WINDOWS\system32\cmd.exe Base: 773D1000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	532023155
File opened	Path: C:\WINDOWS\WindowsShell.Manifest Access: execute or traverse and synchronize Options: synchronous io non alert and non directory file Overwritten: false	success or wait	532024267
Section loaded	Path: C:\WINDOWS\WindowsShell.Manifest Access: write and read and execute Type: commit Baseaddress: 440000 Size: 4096 Protection: execute Mapped to pid: own pid	success or wait	532025667
File opened	Path: C:\WINDOWS\WindowsShell.Manifest Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file Attributes: none Content Overwritten: true	success or wait	532026698
Section loaded	Path: C:\WINDOWS\WindowsShell.Manifest Access: query and read Type: commit Baseaddress: 440000 Size: 4096 Protection: readonly Mapped to pid: own pid	success or wait	532027133
File opened	Path: C:\WINDOWS\WindowsShell.Manifest Access: execute or traverse and synchronize Options: synchronous io non alert and non directory file Overwritten: false	success or wait	532028904
Section loaded	Path: C:\WINDOWS\WindowsShell.Manifest Access: read Type: commit Baseaddress: 440000 Size: 4096 Protection: readonly Mapped to pid: own pid	success or wait	532029597
File opened	Path: C:\WINDOWS\WindowsShell.Config Access: read data or list directory and read ea and execute or traverse and read attributes and read control and synchronize Options: synchronous io non alert and non directory file Overwritten: false	object name not found	532030568
Key value queried	Path: HKEY_USERS\Control Panel\Desktop Name: SmoothScroll	object name not found	532043954
Key value queried	Path: HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced Name: EnableBalloonTips	object name not found	532045018
Section loaded	Path: \KnownDlls\comctl32.dll Access: write and read and execute Type: unknown Baseaddress: 5D090000 Size: 630784 Protection: read write Mapped to pid: own pid	success or wait	532047579
Memory attributes changed	PID: 260 Path: C:\WINDOWS\system32\cmd.exe Base: 5D091000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	532048198
Memory attributes changed	PID: 260 Path: C:\WINDOWS\system32\cmd.exe Base: 5D091000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	532048400
Memory attributes changed	PID: 260 Path: C:\WINDOWS\system32\cmd.exe Base: 5D091000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	532048529
Memory attributes changed	PID: 260 Path: C:\WINDOWS\system32\cmd.exe Base: 5D091000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	532048666
Memory attributes changed	PID: 260 Path: C:\WINDOWS\system32\cmd.exe Base: 5D091000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	532049272
Memory attributes changed	PID: 260 Path: C:\WINDOWS\system32\cmd.exe Base: 5D091000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	532049442
Memory attributes changed	PID: 260 Path: C:\WINDOWS\system32\cmd.exe Base: 5D091000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	532049590
Memory attributes changed	PID: 260 Path: C:\WINDOWS\system32\cmd.exe Base: 5D091000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	532049721
Memory attributes changed	PID: 260 Path: C:\WINDOWS\system32\cmd.exe Base: 5D091000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	532050099
Memory attributes changed	PID: 260 Path: C:\WINDOWS\system32\cmd.exe Base: 5D091000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	532050289
System info queried	Type: BasicInformation	success or wait	532051434
Memory allocated	PID: 260 Path: C:\WINDOWS\system32\cmd.exe Base: 440000 Length: 13F1B8 Allocation Type: unknown Protection: page read and write	success or wait	532051575
Memory allocated	PID: 260 Path: C:\WINDOWS\system32\cmd.exe Base: 440000 Length: 13F1BC Allocation Type: unknown Protection: page read and write	success or wait	532051703
Memory allocated	PID: 260 Path: C:\WINDOWS\system32\cmd.exe Base: 441000 Length: 13EE98 Allocation Type: unknown Protection: page read and write	success or wait	532052019
Memory allocated	PID: 260 Path: C:\WINDOWS\system32\cmd.exe Base: 443000 Length: 13EF4C Allocation Type: unknown Protection: page read and write	success or wait	532052501
File opened	Path: C:\WINDOWS\system32\comctl32.dll Access: read data or list directory and read ea and execute or traverse and read attributes and read control and synchronize Options: synchronous io non alert and non directory file Overwritten: false	success or wait	532053063
Section loaded	Path: C:\WINDOWS\system32\comctl32.dll Access: read Type: commit Baseaddress: 970000 Size: 618496 Protection: readonly Mapped to pid: own pid	success or wait	532053475
File opened	Path: C:\WINDOWS\system32\comctl32.dll.124.Manifest Access: read data or list directory and read ea and execute or traverse and read attributes and read control and synchronize Options: synchronous io non alert and non directory file Overwritten: false	object name not found	532054345
File opened	Path: C:\WINDOWS\system32\comctl32.dll.124.Config Access: read data or list directory and read ea and execute or traverse and read attributes and read control and synchronize Options: synchronous io non alert and non directory file Overwritten: false	object name not found	532055066
Process information queried	Path: C:\WINDOWS\system32\cmd.exe PID: 260 Info Class: SessionInformation	success or wait	532058248
Key value queried	Path: HKEY_USERS\Control Panel\Desktop Name: SmoothScroll	object name not found	532059045
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Name: UserEnvDebugLevel	object name not found	532065785
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Name: ChkAccDebugLevel	object name not found	532066413
Key value queried	Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ProductOptions Name: ProductType	success or wait	532067079
Key value queried	Path: HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders Name: Personal	success or wait	532067649
Key value queried	Path: HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders Name: Local Settings	success or wait	532067844
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Name: RsopDebugLevel	object name not found	532069030
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Name: UserEnvDebugLevel	object name not found	532070450
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Name: RsopLogging	object name not found	532070644
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System Name: UserEnvDebugLevel	object name not found	532071137
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System Name: RsopLogging	object name not found	532071847
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Name: UserEnvDebugLevel	object name not found	532072200
Memory allocated	PID: 260 Path: C:\WINDOWS\system32\cmd.exe Base: 34000 Length: 13EF58 Allocation Type: unknown Protection: page read and write	success or wait	532072971
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System Name: UserEnvDebugLevel	object name not found	532073166
Key value queried	Path: HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\ThemeManager Name: Compositing	object name not found	532078994
Key value queried	Path: HKEY_USERS\Control Panel\Desktop Name: LameButtonText	object name not found	532079608
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor Name: DisableUNCCheck	object name not found	532083435
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor Name: EnableExtensions	success or wait	532083659
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor Name: DelayedExpansion	object name not found	532083951
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor Name: DefaultColor	success or wait	532084196
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor Name: CompletionChar	success or wait	532084404
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor Name: PathCompletionChar	success or wait	532085098
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor Name: AutoRun	success or wait	532085317
Key value queried	Path: HKEY_USERS\Software\Microsoft\Command Processor Name: DisableUNCCheck	object name not found	532086607
Key value queried	Path: HKEY_USERS\Software\Microsoft\Command Processor Name: EnableExtensions	success or wait	532087116
Key value queried	Path: HKEY_USERS\Software\Microsoft\Command Processor Name: DelayedExpansion	object name not found	532087333
Key value queried	Path: HKEY_USERS\Software\Microsoft\Command Processor Name: DefaultColor	success or wait	532087717
Key value queried	Path: HKEY_USERS\Software\Microsoft\Command Processor Name: CompletionChar	success or wait	532087930
Key value queried	Path: HKEY_USERS\Software\Microsoft\Command Processor Name: PathCompletionChar	object name not found	532088139
Key value queried	Path: HKEY_USERS\Software\Microsoft\Command Processor Name: AutoRun	object name not found	532088384
File opened	Path: C:\ Access: execute or traverse and synchronize Options: directory file and synchronous io non alert Overwritten: false	success or wait	532089008
Memory allocated	PID: 260 Path: C:\WINDOWS\system32\cmd.exe Base: 970000 Length: 13FE10 Allocation Type: unknown Protection: page read and write	success or wait	532090149
Memory allocated	PID: 260 Path: C:\WINDOWS\system32\cmd.exe Base: 15A000 Length: 13BB90 Allocation Type: unknown Protection: page read and write	success or wait	532090596
Memory allocated	PID: 260 Path: C:\WINDOWS\system32\cmd.exe Base: 15F000 Length: 13BB90 Allocation Type: unknown Protection: page read and write	success or wait	532091365
Key value queried	Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale Name: 00000409	success or wait	532092232
Key value queried	Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups Name: 1	success or wait	532092824
Process information queried	Path: C:\WINDOWS\system32\cmd.exe PID: 260 Info Class: DeviceMap	success or wait	532093646
Process information queried	Path: C:\WINDOWS\system32\cmd.exe PID: 260 Info Class: DeviceMap	success or wait	532093829
File opened	Path: C:\ Access: execute or traverse and synchronize Options: directory file and synchronous io non alert Overwritten: false	success or wait	532094017
Process information queried	Path: C:\WINDOWS\system32\cmd.exe PID: 260 Info Class: DefaultHardErrorMode	success or wait	532095422
Process information queried	Path: C:\WINDOWS\system32\cmd.exe PID: 260 Info Class: DefaultHardErrorMode	success or wait	532095818
Process information queried	Path: C:\WINDOWS\system32\cmd.exe PID: 260 Info Class: DefaultHardErrorMode	success or wait	532096545
Process information queried	Path: C:\WINDOWS\system32\cmd.exe PID: 260 Info Class: DeviceMap	success or wait	532097136
File opened	Path: C:\WINDOWS\system32\LogFiles\ Access: read data or list directory and synchronize Options: directory file and synchronous io non alert and open for backup ident Overwritten: false	success or wait	532097330
Directory Information Queried	Path: C:\WINDOWS\system32\LogFilesDisposition: BothDirectoryInformation Filemask: smss.exe	success or wait	532097919
File opened	Path: C:\WINDOWS\system32\LogFiles\smss.exe Access: read data or list directory and execute or traverse and read attributes and synchronize Options: synchronous io non alert and non directory file Overwritten: false	success or wait	532098442
Section loaded	Path: C:\WINDOWS\system32\LogFiles\smss.exe Access: query and write and read and execute and extend size Type: image Baseaddress: 970000 Size: 618496 Protection: readonly Mapped to pid: own pid	success or wait	532098911
Key value queried	Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\AppCompatibility Name: DisableAppCompat	object name not found	532165937
Section loaded	Path: \BaseNamedObjects\ShimSharedMemory Access: write Type: unknown Baseaddress: 980000 Size: 57344 Protection: read write Mapped to pid: own pid	success or wait	532166903
File opened	Path: C:\WINDOWS\system32\Apphelp.dll Access: execute or traverse and synchronize Options: synchronous io non alert and non directory file Overwritten: false	success or wait	532171101
Section loaded	Path: C:\WINDOWS\system32\apphelp.dll Access: write and read and execute Type: commit Baseaddress: 990000 Size: 126976 Protection: execute Mapped to pid: own pid	success or wait	532177215
File opened	Path: C:\WINDOWS\system32\Apphelp.dll Access: execute or traverse and synchronize Options: synchronous io non alert and non directory file Overwritten: false	success or wait	532189283
Section loaded	Path: C:\WINDOWS\system32\apphelp.dll Access: query and write and read and execute Type: image Baseaddress: 77B40000 Size: 139264 Protection: read write Mapped to pid: own pid	success or wait	532198662
Memory attributes changed	PID: 260 Path: C:\WINDOWS\system32\cmd.exe Base: 77B41000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	532199907
Memory attributes changed	PID: 260 Path: C:\WINDOWS\system32\cmd.exe Base: 77B41000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	532200171
Memory attributes changed	PID: 260 Path: C:\WINDOWS\system32\cmd.exe Base: 77B41000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	532201268
Memory attributes changed	PID: 260 Path: C:\WINDOWS\system32\cmd.exe Base: 77B41000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	532201505
File opened	Path: C:\WINDOWS\AppPatch\sysmain.sdb Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file Attributes: normal Content Overwritten: true	success or wait	532202424
Section loaded	Path: C:\WINDOWS\AppPatch\sysmain.sdb Access: read Type: commit Baseaddress: 990000 Size: 1208320 Protection: readonly Mapped to pid: own pid	success or wait	532203158
File opened	Path: C:\WINDOWS\AppPatch\systest.sdb Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file Attributes: normal Content Overwritten: true	object name not found	532203669
System info queried	Type: ProcessorInformation	success or wait	532203989
Process information queried	Path: C:\WINDOWS\system32\cmd.exe PID: 260 Info Class: Wow64Information	success or wait	532204125
Key value queried	Path: HKEY_LOCAL_MACHINE\SYSTEM\WPA\MediaCenter Name: Installed	success or wait	532205018
File opened	Path: \Device\NamedPipe\ShimViewer Access: write data or add file and append data or add subdirectory or create pipe instance and write ea and write attributes and read control and synchronize Options: no options Attributes: normal Content Overwritten: true	object name not found	532205792
File opened	Path: C:\WINDOWS\system32\LogFiles\ Access: read data or list directory and synchronize Options: directory file and synchronous io non alert and open for backup ident Overwritten: false	success or wait	532206288
Directory Information Queried	Path: C:\WINDOWS\system32\LogFilesDisposition: BothDirectoryInformation Filemask: smss.exe	success or wait	532207215
Process information queried	Path: C:\WINDOWS\system32\cmd.exe PID: 260 Info Class: DefaultHardErrorMode	success or wait	532207994
File opened	Path: C:\ Access: execute or traverse and synchronize Options: directory file and synchronous io non alert Overwritten: false	success or wait	532208275
Directory Information Queried	Path: C:\Disposition: BothDirectoryInformation Filemask: WINDOWS	success or wait	532209761
File opened	Path: C:\WINDOWS\ Access: read data or list directory and synchronize Options: directory file and synchronous io non alert and open for backup ident Overwritten: false	success or wait	532210185
Directory Information Queried	Path: C:\WINDOWSDisposition: BothDirectoryInformation Filemask: system32	success or wait	532211141
File opened	Path: C:\WINDOWS\system32\ Access: read data or list directory and synchronize Options: directory file and synchronous io non alert and open for backup ident Overwritten: false	success or wait	532211861
Directory Information Queried	Path: C:\WINDOWS\system32Disposition: BothDirectoryInformation Filemask: LogFiles	success or wait	532212430
File opened	Path: C:\WINDOWS\system32\LogFiles\ Access: read data or list directory and synchronize Options: directory file and synchronous io non alert and open for backup ident Overwritten: false	success or wait	532213064
Directory Information Queried	Path: C:\WINDOWS\system32\LogFilesDisposition: BothDirectoryInformation Filemask: smss.exe	success or wait	532213956
Process information queried	Path: C:\WINDOWS\system32\cmd.exe PID: 260 Info Class: DefaultHardErrorMode	success or wait	532214633
Process information queried	Path: C:\WINDOWS\system32\cmd.exe PID: 260 Info Class: DeviceMap	success or wait	532215337
Process information queried	Path: C:\WINDOWS\system32\cmd.exe PID: 260 Info Class: DefaultHardErrorMode	success or wait	532222671
File opened	Path: C:\WINDOWS\system32\LogFiles\smss.exe Access: read data or list directory and execute or traverse and read attributes and synchronize Options: synchronous io non alert and non directory file Overwritten: false	success or wait	532223203
Section loaded	Path: C:\WINDOWS\system32\LogFiles\smss.exe Access: write and read and execute Type: commit Baseaddress: AC0000 Size: 69632 Protection: execute Mapped to pid: own pid	success or wait	532223805
File opened	Path: C:\WINDOWS\system32\LogFiles\smss.exe Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file Attributes: none Content Overwritten: true	success or wait	532225200
Section loaded	Path: C:\WINDOWS\system32\LogFiles\smss.exe Access: query and read Type: commit Baseaddress: AC0000 Size: 69632 Protection: readonly Mapped to pid: own pid	success or wait	532225943
Process information queried	Path: C:\WINDOWS\system32\cmd.exe PID: 260 Info Class: DefaultHardErrorMode	success or wait	532228127
Process information queried	Path: C:\WINDOWS\system32\cmd.exe PID: 260 Info Class: DefaultHardErrorMode	success or wait	532228521
File opened	Path: C:\WINDOWS\system32\LogFiles\smss.exe Access: read data or list directory and execute or traverse and read attributes and synchronize Options: synchronous io non alert and non directory file Overwritten: false	success or wait	532228795
Section loaded	Path: C:\WINDOWS\system32\LogFiles\smss.exe Access: write and read and execute Type: commit Baseaddress: AC0000 Size: 69632 Protection: execute Mapped to pid: own pid	success or wait	532229720
File opened	Path: C:\WINDOWS\system32\LogFiles\smss.exe Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file Attributes: none Content Overwritten: true	success or wait	532231800
Section loaded	Path: C:\WINDOWS\system32\LogFiles\smss.exe Access: query and read Type: commit Baseaddress: AC0000 Size: 69632 Protection: readonly Mapped to pid: own pid	success or wait	532237282
Process information queried	Path: C:\WINDOWS\system32\cmd.exe PID: 260 Info Class: DefaultHardErrorMode	success or wait	532239366
Process information queried	Path: C:\WINDOWS\system32\cmd.exe PID: 260 Info Class: DefaultHardErrorMode	success or wait	532240447
File opened	Path: C:\ Access: execute or traverse and synchronize Options: directory file and synchronous io non alert Overwritten: false	success or wait	532240823
Directory Information Queried	Path: C:\Disposition: BothDirectoryInformation Filemask: WINDOWS	success or wait	532241179
File opened	Path: C:\WINDOWS\ Access: read data or list directory and synchronize Options: directory file and synchronous io non alert and open for backup ident Overwritten: false	success or wait	532242047
Directory Information Queried	Path: C:\WINDOWSDisposition: BothDirectoryInformation Filemask: system32	success or wait	532243599
File opened	Path: C:\WINDOWS\system32\ Access: read data or list directory and synchronize Options: directory file and synchronous io non alert and open for backup ident Overwritten: false	success or wait	532244585
Directory Information Queried	Path: C:\WINDOWS\system32Disposition: BothDirectoryInformation Filemask: LogFiles	success or wait	532245283
File opened	Path: C:\WINDOWS\system32\LogFiles\ Access: read data or list directory and synchronize Options: directory file and synchronous io non alert and open for backup ident Overwritten: false	success or wait	532245849
Directory Information Queried	Path: C:\WINDOWS\system32\LogFilesDisposition: BothDirectoryInformation Filemask: smss.exe	success or wait	532246258
Process information queried	Path: C:\WINDOWS\system32\cmd.exe PID: 260 Info Class: DefaultHardErrorMode	success or wait	532247103
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers Name: TransparentEnabled	success or wait	532248046
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers Name: AuthenticodeEnabled	success or wait	532248226
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers Name: Levels	object name not found	532249777
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{dda3f824-d8cb-441b-834d-be2efd2c1a33} Name: ItemData	success or wait	532250665
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{dda3f824-d8cb-441b-834d-be2efd2c1a33} Name: SaferFlags	success or wait	532250966
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328} Name: ItemData	success or wait	532252128
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328} Name: HashAlg	success or wait	532252706
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328} Name: ItemSize	success or wait	532253553
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328} Name: SaferFlags	success or wait	532254139
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91} Name: ItemData	success or wait	532254791
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91} Name: HashAlg	success or wait	532255075
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91} Name: ItemSize	success or wait	532255349
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91} Name: SaferFlags	success or wait	532256098
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f} Name: ItemData	success or wait	532261175
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f} Name: HashAlg	success or wait	532262056
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f} Name: ItemSize	success or wait	532263934
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f} Name: SaferFlags	success or wait	532267031
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d} Name: ItemData	success or wait	532267534
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d} Name: HashAlg	success or wait	532269621
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d} Name: ItemSize	success or wait	532269903
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d} Name: SaferFlags	success or wait	532270183
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc} Name: ItemData	success or wait	532273039
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc} Name: HashAlg	success or wait	532273324
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc} Name: ItemSize	success or wait	532273884
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc} Name: SaferFlags	success or wait	532274166
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers Name: DefaultLevel	success or wait	532285310
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers Name: PolicyScope	success or wait	532290234
Process information queried	Path: C:\WINDOWS\system32\cmd.exe PID: 260 Info Class: DefaultHardErrorMode	success or wait	532292536
File opened	Path: C:\ Access: execute or traverse and synchronize Options: directory file and synchronous io non alert Overwritten: false	success or wait	532292776
Directory Information Queried	Path: C:\Disposition: BothDirectoryInformation Filemask: WINDOWS	success or wait	532293136
File opened	Path: C:\WINDOWS\ Access: read data or list directory and synchronize Options: directory file and synchronous io non alert and open for backup ident Overwritten: false	success or wait	532294050
Directory Information Queried	Path: C:\WINDOWSDisposition: BothDirectoryInformation Filemask: system32	success or wait	532294426
File opened	Path: C:\WINDOWS\system32\ Access: read data or list directory and synchronize Options: directory file and synchronous io non alert and open for backup ident Overwritten: false	success or wait	532296818
Directory Information Queried	Path: C:\WINDOWS\system32Disposition: BothDirectoryInformation Filemask: LogFiles	success or wait	532297212
File opened	Path: C:\WINDOWS\system32\LogFiles\ Access: read data or list directory and synchronize Options: directory file and synchronous io non alert and open for backup ident Overwritten: false	success or wait	532298501
Directory Information Queried	Path: C:\WINDOWS\system32\LogFilesDisposition: BothDirectoryInformation Filemask: smss.exe	success or wait	532298913
Process information queried	Path: C:\WINDOWS\system32\cmd.exe PID: 260 Info Class: DefaultHardErrorMode	success or wait	532299417
Section loaded	Path: C:\WINDOWS\system32\LogFiles\smss.exe Access: query and read Type: commit Baseaddress: 990000 Size: 69632 Protection: readonly Mapped to pid: own pid	success or wait	532299591
Key value queried	Path: HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders Name: Cache	buffer overflow	532301262
Key value queried	Path: HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders Name: Cache	success or wait	532301491
Memory allocated	PID: 260 Path: C:\WINDOWS\system32\cmd.exe Base: 990000 Length: 13ED7C Allocation Type: unknown Protection: page read and write	success or wait	532302730
Memory allocated	PID: 260 Path: C:\WINDOWS\system32\cmd.exe Base: 990000 Length: 13ED78 Allocation Type: unknown Protection: page read and write	success or wait	532302872
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers Name: LogFileName	object name not found	532307846
System info queried	Type: WatchdogTimerHandler	success or wait	532309739
Process created	PID: 2036 Path: C:\WINDOWS\system32\LogFiles\smss.exe Cmdline: C:\WINDOWS\system32\LogFiles\smss.exe Createflags: suspended	success or wait	532309877
Process information queried	Path: C:\WINDOWS\system32\LogFiles\smss.exe PID: 2036 Info Class: BasicInformation	success or wait	532310852
Memory read	PID: 2036 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 7FFDE008 Length: 4 Value: 00 00 00 14	success or wait	532310991
File opened	Path: C:\WINDOWS\system32\LogFiles\smss.exe.Manifest Access: read data or list directory and read ea and execute or traverse and read attributes and read control and synchronize Options: synchronous io non alert and non directory file Overwritten: false	object name not found	532311451
Memory allocated	PID: 260 Path: C:\WINDOWS\system32\cmd.exe Base: 164000 Length: 13EC9C Allocation Type: unknown Protection: page read and write	success or wait	532311911
Memory read	PID: 2036 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 14000000 Length: 4096 Value: 4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00 B8 00 00 00 00 00 00 00 40 00 00 00 FF CB 68 70 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 F0 00 00 00 0E 1F BA 0E 00 B4 09 CD 21 B8 01 4C CD 21 54 68 69 73 20 70 72 6F 67 72 61 6D 20 63 61 6E 6E 6F 74 20 62 65 20 72 75 6E 20 69 6E 20 44 4F 53 20 6D 6F 64 65 2E 0D 0D 0A 24 00 00 00 00 00 00 00 B6 AC 59 9A F2 CD 37 C9 F2 CD 37 C9 F2 CD 37 C9 89 D1 3B C9 F6 CD 37 C9 71 D1 39 C9 E2 CD 37 C9 1A D2 3D C9 C7 CD 37 C9 F2 CD 37 C9 F1 CD 37 C9 90 D2 24 C9 FB CD 37 C9 F2 CD 36 C9 87 CD 37 C9 1A D2 3C C9 F1 CD 37 C9 4A CB 31 C9 F3 CD 37 C9 52 69 63 68 F2 CD 37 C9 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4C 01 04 00 66 63 23 4B 00 00 00	success or wait	532312060
Memory read	PID: 2036 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 1400F000 Length: 256 Value: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 03 00 03 00 00 00 28 00 00 80 0E 00 00 00 58 00 00 80 10 00 00 00 70 00 00 80 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 01 00 00 00 88 00 00 80 02 00 00 00 A0 00 00 80 03 00 00 00 B8 00 00 80 04 00 00 00 D0 00 00 80 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 78 01 00 80 E8 00 00 80 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 01 00 00 00 00 01 00 80 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 04 08 00 00 18 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 04 08 00 00 28 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 04 08 00 00 38 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 04 08 00 00 48 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 04 08 00 00 58 01 00	success or wait	532314012
Process information queried	Path: C:\WINDOWS\system32\LogFiles\smss.exe PID: 2036 Info Class: BasicInformation	success or wait	532315947
Memory allocated	PID: 260 Path: C:\WINDOWS\system32\cmd.exe Base: 9A0000 Length: 13ECEC Allocation Type: unknown Protection: page read and write	success or wait	532316160
Memory allocated	PID: 2036 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 10000 Length: 13EDF4 Allocation Type: unknown Protection: page read and write	success or wait	532316879
Memory written	PID: 2036 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 10000 Length: 2012 Value: 3D 00 3A 00 3A 00 3D 00 3A 00 3A 00 5C 00 00 00 3D 00 43 00 3A 00 3D 00 43 00 3A 00 5C 00 00 00 3D 00 5A 00 3A 00 3D 00 5A 00 3A 00 5C 00 00 00 41 00 4C 00 4C 00 55 00 53 00 45 00 52 00 53 00 50 00 52 00 4F 00 46 00 49 00 4C 00 45 00 3D 00 43 00 3A 00 5C 00 44 00 6F 00 63 00 75 00 6D 00 65 00 6E 00 74 00 73 00 20 00 61 00 6E 00 64 00 20 00 53 00 65 00 74 00 74 00 69 00 6E 00 67 00 73 00 5C 00 41 00 6C 00 6C 00 20 00 55 00 73 00 65 00 72 00 73 00 00 00 41 00 50 00 50 00 44 00 41 00 54 00 41 00 3D 00 43 00 3A 00 5C 00 44 00 6F 00 63 00 75 00 6D 00 65 00 6E 00 74 00 73 00 20 00 61 00 6E 00 64 00 20 00 53 00 65 00 74 00 74 00 69 00 6E 00 67 00 73 00 5C 00 41 00 64 00 6D 00 69 00 6E 00 69 00 73 00 74 00 72 00 61 00 74 00 6F 00 72 00 5C 00 41 00 70 00 70 00 6C	success or wait	532318148
Memory allocated	PID: 2036 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 20000 Length: 13EDF4 Allocation Type: unknown Protection: page read and write	success or wait	532318690
Memory written	PID: 2036 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 20000 Length: 1712 Value: 00 10 00 00 B0 06 00 00 00 00 00 00 00 00 00 00 02 00 34 00 00 00 00 00 03 00 00 00 07 00 00 00 0B 00 00 00 06 00 08 02 90 02 00 00 0E 00 00 00 0E 01 10 01 98 04 00 00 4A 00 4C 00 A8 05 00 00 4A 00 4C 00 F4 05 00 00 00 00 01 00 00 00 00 00 01 00 00 00 64 00 00 00 64 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 4A 00 4C 00 40 06 00 00 1E 00 20 00 8C 06 00 00 00 00 02 00 AC 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00	success or wait	532319619
Memory written	PID: 2036 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 7FFDE010 Length: 4 Value: 00 00 02 00	success or wait	532320597
Memory allocated	PID: 2036 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 30000 Length: 13EDF4 Allocation Type: unknown Protection: page read and write	success or wait	532320738
Memory written	PID: 2036 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 30000 Length: 388 Value: 53 00 68 00 69 00 6D 00 45 00 6E 00 67 00 2E 00 64 00 6C 00 6C 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 84 01 00 00 AB ED 0D AC B8 C8 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00	success or wait	532321343
Memory written	PID: 2036 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 7FFDE1E8 Length: 4 Value: 00 00 03 00	success or wait	532322071
Memory allocated	PID: 2036 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 40000 Length: 13F060 Allocation Type: unknown Protection: page read and write	success or wait	532322229
Memory allocated	PID: 2036 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 13E000 Length: 13F05C Allocation Type: unknown Protection: page read and write	success or wait	532322653
Memory attributes changed	PID: 2036 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 13E000 Length: 1000 New Protection: page read and write and page guard Old Protection: page read and write	success or wait	532322900
Thread created	PID: 2036 TID: 776 EIP: 7C810705 EAX: 14006D83 Imagepath: C:\WINDOWS\system32\LogFiles\smss.exe	success or wait	532323222
Thread resumed	TID: 776 PID: 2036 Path: C:\WINDOWS\system32\LogFiles\smss.exe	success or wait	532494146
Process information queried	Path: C:\WINDOWS\system32\LogFiles\smss.exe PID: 2036 Info Class: BasicInformation	success or wait	534071665
Process information queried	Path: C:\WINDOWS\system32\cmd.exe PID: 260 Info Class: Cookie	success or wait	534107921
Process information queried	Path: C:\WINDOWS\system32\cmd.exe PID: 260 Info Class: Cookie	success or wait	534113229
Process terminated	PID: 260 Path: C:\WINDOWS\system32\cmd.exe	success or wait	534113855
Process information queried	Path: C:\WINDOWS\system32\cmd.exe PID: 260 Info Class: Cookie	success or wait	534122024
Process information queried	Path: C:\WINDOWS\system32\cmd.exe PID: 260 Info Class: Cookie	success or wait	534122436
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize Name: DisableMetaFiles	object name not found	534142795

Analysis File: smss.exe PID: 2036 Parent PID: 260

General

Start time:	09:39:48
Start date:	24/01/2012
Path:	C:\WINDOWS\system32\LogFiles\smss.exe
Wow64 process (32bit):	false
Commandline:	C:\WINDOWS\system32\LogFiles\smss.exe
Imagebase:	0x77dd0000
File size:	69632 bytes
MD5 hash:	8EBD97EE5F259CB2F1B38DA1F1040CF0

File Activites

File Path	Access	Options	Content overwritten	Completion	Count	Source Address	Symbol
C:\	execute or traverse and synchronize	directory file and synchronous io non alert	false	success or wait	1	7C90E457	KiUserApcDispatcher
C:\WINDOWS\system32\WS2_32.dll	execute or traverse and synchronize	synchronous io non alert and non directory file	false	success or wait	1	7C90E457	KiUserApcDispatcher
C:\WINDOWS\system32\WS2HELP.dll	execute or traverse and synchronize	synchronous io non alert and non directory file	false	success or wait	1	7C90E457	KiUserApcDispatcher
C:\WINDOWS\system32\ShimEng.dll	execute or traverse and synchronize	synchronous io non alert and non directory file	false	success or wait	1	7C90E457	KiUserApcDispatcher
C:\WINDOWS\AppPatch\AcGenral.DLL	execute or traverse and synchronize	synchronous io non alert and non directory file	false	success or wait	3	7C90E457	KiUserApcDispatcher
C:\WINDOWS\system32\WINMM.dll	execute or traverse and synchronize	synchronous io non alert and non directory file	false	success or wait	1	7C90E457	KiUserApcDispatcher
C:\WINDOWS\system32\MSACM32.dll	execute or traverse and synchronize	synchronous io non alert and non directory file	false	success or wait	1	7C90E457	KiUserApcDispatcher
C:\WINDOWS\system32\UxTheme.dll	execute or traverse and synchronize	synchronous io non alert and non directory file	false	success or wait	1	7C90E457	KiUserApcDispatcher
C:\WINDOWS\system32\IMM32.DLL	execute or traverse and synchronize	synchronous io non alert and non directory file	false	success or wait	3	7C90E457	KiUserApcDispatcher
\Device\KsecDD	read data or list directory and synchronize	synchronous io alert	false	success or wait	1	7C90E457	KiUserApcDispatcher
C:\WINDOWS\system32\SHELL32.dll	read data or list directory and read ea and execute or traverse and read attributes and read control and synchronize	synchronous io non alert and non directory file	false	success or wait	1	7C90E457	KiUserApcDispatcher
C:\WINDOWS\system32\SHELL32.dll.124.Manifest	read data or list directory and read ea and execute or traverse and read attributes and read control and synchronize	synchronous io non alert and non directory file	false	object name not found	1	7C90E457	KiUserApcDispatcher
C:\WINDOWS\system32\SHELL32.dll.124.Config	read data or list directory and read ea and execute or traverse and read attributes and read control and synchronize	synchronous io non alert and non directory file	false	object name not found	1	7C90E457	KiUserApcDispatcher
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202	execute or traverse and synchronize	directory file and synchronous io non alert	false	success or wait	1	7C90E457	KiUserApcDispatcher
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll	execute or traverse and synchronize	synchronous io non alert and non directory file	false	success or wait	2	7C90E457	KiUserApcDispatcher
C:\WINDOWS\WindowsShell.Manifest	execute or traverse and synchronize	synchronous io non alert and non directory file	false	success or wait	2	7C90E457	KiUserApcDispatcher
C:\WINDOWS\WindowsShell.Config	read data or list directory and read ea and execute or traverse and read attributes and read control and synchronize	synchronous io non alert and non directory file	false	object name not found	1	7C90E457	KiUserApcDispatcher
C:\WINDOWS\system32\comctl32.dll	read data or list directory and read ea and execute or traverse and read attributes and read control and synchronize	synchronous io non alert and non directory file	false	success or wait	1	7C90E457	KiUserApcDispatcher
C:\WINDOWS\system32\comctl32.dll.124.Manifest	read data or list directory and read ea and execute or traverse and read attributes and read control and synchronize	synchronous io non alert and non directory file	false	object name not found	1	7C90E457	KiUserApcDispatcher
C:\WINDOWS\system32\comctl32.dll.124.Config	read data or list directory and read ea and execute or traverse and read attributes and read control and synchronize	synchronous io non alert and non directory file	false	object name not found	1	7C90E457	KiUserApcDispatcher
C:\WINDOWS\AppPatch\sysmain.sdb	read attributes and synchronize and generic read	synchronous io non alert and non directory file	true	success or wait	1	7C90E457	KiUserApcDispatcher
C:\WINDOWS\AppPatch\systest.sdb	read attributes and synchronize and generic read	synchronous io non alert and non directory file	true	object name not found	1	7C90E457	KiUserApcDispatcher
\Device\NamedPipe\ShimViewer	write data or add file and append data or add subdirectory or create pipe instance and write ea and write attributes and read control and synchronize	no options	true	object name not found	3	7C90E457	KiUserApcDispatcher
C:\WINDOWS\AppPatch\AcGenral.DLL	read attributes and synchronize and generic read	synchronous io non alert and non directory file	true	success or wait	1	7C90E457	KiUserApcDispatcher
C:\WINDOWS\WindowsShell.Manifest	read attributes and synchronize and generic read	synchronous io non alert and non directory file	true	success or wait	1	7C90E457	KiUserApcDispatcher

File Path	Disposition	Data	Ascii Data	Completion	Count	Source Address	Symbol
C:\	90028	NULL	NULL	success or wait	1	7C90E457	KiUserApcDispatcher

Section Activites

Section loaded by Windows

File Path	Access	Type	Base	Size	Mapped to pid	Protection	Completion	Count
\KnownDlls\kernel32.dll	write and read and execute	unknown	7C800000	1007616	own pid	read write	success or wait	1
unknown	query and write and read and execute and extend size	reserve	7C800000	1007616	own pid	read write	success or wait	1
\NLS\NlsSectionUnicode	read	unknown	270000	90112	own pid	readonly	success or wait	1
\NLS\NlsSectionLocale	read	unknown	290000	266240	own pid	readonly	success or wait	1
\NLS\NlsSectionSortkey	query and read	unknown	2E0000	266240	own pid	readonly	success or wait	1
\NLS\NlsSectionSortTbls	read	unknown	330000	24576	own pid	readonly	success or wait	1
\NLS\NlsSectionSortkey00000409	read	unknown	unknown	unknown	unknown	unknown	object name not found	1
\NLS\NlsSectionSortkey00000409	read	unknown	unknown	unknown	unknown	unknown	object name not found	1
\KnownDlls\USER32.dll	write and read and execute	unknown	7E410000	593920	own pid	read write	success or wait	1
\KnownDlls\GDI32.dll	write and read and execute	unknown	77F10000	299008	own pid	read write	success or wait	1
\KnownDlls\ADVAPI32.dll	write and read and execute	unknown	77DD0000	634880	own pid	read write	success or wait	1
\KnownDlls\RPCRT4.dll	write and read and execute	unknown	77E70000	602112	own pid	read write	success or wait	1
\KnownDlls\Secur32.dll	write and read and execute	unknown	77FE0000	69632	own pid	read write	success or wait	1
\KnownDlls\WS2_32.dll	write and read and execute	unknown	unknown	unknown	unknown	unknown	object name not found	1
C:\WINDOWS\system32\ws2_32.dll	query and write and read and execute	image	71AB0000	94208	own pid	read write	success or wait	1
\KnownDlls\msvcrt.dll	write and read and execute	unknown	77C10000	360448	own pid	read write	success or wait	1
\KnownDlls\WS2HELP.dll	write and read and execute	unknown	unknown	unknown	unknown	unknown	object name not found	1
C:\WINDOWS\system32\ws2help.dll	query and write and read and execute	image	71AA0000	32768	own pid	read write	success or wait	1
\KnownDlls\SHLWAPI.dll	write and read and execute	unknown	77F60000	483328	own pid	read write	success or wait	1
\KnownDlls\ShimEng.dll	write and read and execute	unknown	unknown	unknown	unknown	unknown	object name not found	1
C:\WINDOWS\system32\shimeng.dll	query and write and read and execute	image	5CB70000	155648	own pid	read write	success or wait	1
C:\WINDOWS\AppPatch\sysmain.sdb	read	commit	340000	1208320	own pid	readonly	success or wait	1
C:\WINDOWS\AppPatch\acgenral.dll	write and read and execute	commit	480000	1855488	own pid	execute	success or wait	1
C:\WINDOWS\AppPatch\acgenral.dll	write and read and execute	commit	480000	1855488	own pid	execute	success or wait	1
C:\WINDOWS\AppPatch\acgenral.dll	query and write and read and execute	image	6F880000	1875968	own pid	read write	success or wait	1
\KnownDlls\WINMM.dll	write and read and execute	unknown	unknown	unknown	unknown	unknown	object name not found	1
C:\WINDOWS\system32\winmm.dll	query and write and read and execute	image	76B40000	184320	own pid	read write	success or wait	1
\KnownDlls\ole32.dll	write and read and execute	unknown	774E0000	1302528	own pid	read write	success or wait	1
\KnownDlls\OLEAUT32.dll	write and read and execute	unknown	77120000	569344	own pid	read write	success or wait	1
\KnownDlls\MSACM32.dll	write and read and execute	unknown	unknown	unknown	unknown	unknown	object name not found	1
C:\WINDOWS\system32\msacm32.dll	query and write and read and execute	image	77BE0000	86016	own pid	read write	success or wait	1
\KnownDlls\VERSION.dll	write and read and execute	unknown	77C00000	32768	own pid	read write	success or wait	1
\KnownDlls\SHELL32.dll	write and read and execute	unknown	7C9C0000	8482816	own pid	read write	success or wait	1
\KnownDlls\USERENV.dll	write and read and execute	unknown	769C0000	737280	own pid	read write	success or wait	1
\KnownDlls\UxTheme.dll	write and read and execute	unknown	unknown	unknown	unknown	unknown	object name not found	1
C:\WINDOWS\system32\uxtheme.dll	query and write and read and execute	image	5AD70000	229376	own pid	read write	success or wait	1
\NLS\NlsSectionCType	read	unknown	490000	12288	own pid	readonly	success or wait	1
C:\WINDOWS\system32\imm32.dll	write and read and execute	commit	410000	110592	own pid	execute	success or wait	1
C:\WINDOWS\system32\imm32.dll	write and read and execute	commit	410000	110592	own pid	execute	success or wait	1
C:\WINDOWS\system32\imm32.dll	query and write and read and execute	image	76390000	118784	own pid	read write	success or wait	1
C:\WINDOWS\system32\shell32.dll	read	commit	970000	8462336	own pid	readonly	success or wait	1
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll	write and read and execute	commit	970000	1056768	own pid	execute	success or wait	1
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll	query and write and read and execute	image	773D0000	1060864	own pid	read write	success or wait	1
C:\WINDOWS\WindowsShell.Manifest	write and read and execute	commit	440000	4096	own pid	execute	success or wait	1
C:\WINDOWS\WindowsShell.Manifest	query and read	commit	440000	4096	own pid	readonly	success or wait	1
C:\WINDOWS\WindowsShell.Manifest	read	commit	440000	4096	own pid	readonly	success or wait	1
\KnownDlls\comctl32.dll	write and read and execute	unknown	5D090000	630784	own pid	read write	success or wait	1
C:\WINDOWS\system32\comctl32.dll	read	commit	970000	618496	own pid	readonly	success or wait	1

Registry Activites

Key Path	Name	Completion	Count	Source Address	Symbol
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager	CWDIllegalInDLLSearch	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Terminal Server	TSAppCompat	success or wait	3	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers	TransparentEnabled	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SYSTEM\WPA\MediaCenter	Installed	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager	SafeDllSearchMode	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize	DisableMetaFiles	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows	AppInit_DLLs	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Terminal Server	TSUserEnabled	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon	LeakTrack	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	wave	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	wave	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	wave1	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	wave1	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	wave2	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	wave3	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	wave4	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	wave5	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	wave6	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	wave7	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	wave8	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	wave9	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	midi	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	midi	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	midi1	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	midi1	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	midi2	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	midi3	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	midi4	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	midi5	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	midi6	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	midi7	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	midi8	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	midi9	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	aux	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	aux	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	aux1	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	aux1	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	aux2	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	aux3	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	aux4	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	aux5	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	aux6	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	aux7	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	aux8	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	aux9	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\MediaProperties\PrivateProperties\Joystick\Winmm	wheel	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	mixer	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	mixer	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	mixer1	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	mixer1	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	mixer2	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	mixer3	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	mixer4	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	mixer5	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	mixer6	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	mixer7	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	mixer8	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	mixer9	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager	CriticalSectionTimeout	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole	RWLockResourceTimeOut	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface	InterfaceHelperDisableAll	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface	InterfaceHelperDisableAllForOle32	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface	InterfaceHelperDisableTypeLib	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{00020400-0000-0000-C000-000000000046}	InterfaceHelperDisableAll	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{00020400-0000-0000-C000-000000000046}	InterfaceHelperDisableAllForOle32	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_USERS\Software\Microsoft\Multimedia\Audio	SystemFormats	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	msacm.imaadpcm	buffer overflow	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	msacm.imaadpcm	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.imaadpcm	fdwSupport	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.imaadpcm	cFormatTags	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.imaadpcm	aFormatTagCache	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.imaadpcm	cFilterTags	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	msacm.msadpcm	buffer overflow	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	msacm.msadpcm	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msadpcm	fdwSupport	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msadpcm	cFormatTags	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msadpcm	aFormatTagCache	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msadpcm	cFilterTags	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	msacm.msg711	buffer overflow	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	msacm.msg711	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msg711	fdwSupport	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msg711	cFormatTags	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msg711	aFormatTagCache	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msg711	cFilterTags	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	msacm.msgsm610	buffer overflow	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	msacm.msgsm610	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msgsm610	fdwSupport	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msgsm610	cFormatTags	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msgsm610	aFormatTagCache	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msgsm610	cFilterTags	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	msacm.trspch	buffer overflow	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	msacm.trspch	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.trspch	fdwSupport	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.trspch	cFormatTags	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.trspch	aFormatTagCache	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.trspch	cFilterTags	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	msacm.msg723	buffer overflow	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	msacm.msg723	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msg723	fdwSupport	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msg723	cFormatTags	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msg723	aFormatTagCache	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msg723	cFilterTags	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	msacm.msaudio1	buffer overflow	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	msacm.msaudio1	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msaudio1	fdwSupport	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msaudio1	cFormatTags	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msaudio1	aFormatTagCache	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msaudio1	cFilterTags	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	msacm.sl_anet	buffer overflow	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	msacm.sl_anet	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.sl_anet	fdwSupport	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.sl_anet	cFormatTags	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.sl_anet	aFormatTagCache	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.sl_anet	cFilterTags	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	msacm.iac2	buffer overflow	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	msacm.iac2	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.iac2	fdwSupport	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.iac2	cFormatTags	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.iac2	aFormatTagCache	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.iac2	cFilterTags	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	msacm.l3acm	buffer overflow	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	msacm.l3acm	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.l3acm	fdwSupport	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.l3acm	cFormatTags	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.l3acm	aFormatTagCache	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.l3acm	cFilterTags	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_USERS\Software\Microsoft\Multimedia\Audio Compression Manager\MSACM	NoPCMConverter	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_USERS\Software\Microsoft\Multimedia\Audio Compression Manager\Priority v4.00	Priority1	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SYSTEM\Setup	SystemSetupInProgress	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_USERS\Control Panel\Desktop	SmoothScroll	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced	EnableBalloonTips	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_USERS\Control Panel\Desktop	SmoothScroll	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon	UserEnvDebugLevel	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon	ChkAccDebugLevel	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ProductOptions	ProductType	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders	Personal	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders	Local Settings	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon	RsopDebugLevel	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon	UserEnvDebugLevel	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon	RsopLogging	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System	UserEnvDebugLevel	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System	RsopLogging	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon	UserEnvDebugLevel	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System	UserEnvDebugLevel	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\ThemeManager	Compositing	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_USERS\Control Panel\Desktop	LameButtonText	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc	MaxRpcSize	object name not found	1	14001722	OpenSCManagerA
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize	DisableMetaFiles	object name not found	1	14006058	ExitProcess

Mutex Activites

Name	Completion	Count	Source Address	Symbol
\BaseNamedObjects\SHIMLIB_LOG_MUTEX	object name exists	1	7C90E457	KiUserApcDispatcher

Process Activites

PID	Process info class	Completion	Count	Source Address	Symbol
2036	Cookie	success or wait	9	7C90E457	KiUserApcDispatcher
2036	Wow64Information	success or wait	2	7C90E457	KiUserApcDispatcher
2036	ImageInformation	success or wait	1	7C90E457	KiUserApcDispatcher
2036	SessionInformation	success or wait	1	7C90E457	KiUserApcDispatcher
2036	DefaultHardErrorMode	success or wait	2	14001110	PathFileExistsA
2036	QuotaLimits	success or wait	1	14001722	OpenSCManagerA
2036	VmCounters	success or wait	1	14001722	OpenSCManagerA

Process Terminated

PID	Filepath	Completion	Count	Source Address	Symbol
2036	C:\WINDOWS\system32\LogFiles\smss.exe	success or wait	1	14006058	ExitProcess

Memory Activites

Memory Allocated

PID	Filepath	Base	Length	Protection	Completion	Count	Source Address	Symbol
2036	C:\WINDOWS\system32\LogFiles\smss.exe	150000	13FB14	page read and write	success or wait	1	7C90E457	KiUserApcDispatcher
2036	C:\WINDOWS\system32\LogFiles\smss.exe	150000	13FB18	page read and write	success or wait	1	7C90E457	KiUserApcDispatcher
2036	C:\WINDOWS\system32\LogFiles\smss.exe	151000	13F7F4	page read and write	success or wait	1	7C90E457	KiUserApcDispatcher
2036	C:\WINDOWS\system32\LogFiles\smss.exe	250000	13FB14	page read and write	success or wait	1	7C90E457	KiUserApcDispatcher
2036	C:\WINDOWS\system32\LogFiles\smss.exe	250000	13FB18	page read and write	success or wait	1	7C90E457	KiUserApcDispatcher
2036	C:\WINDOWS\system32\LogFiles\smss.exe	260000	13F340	page read and write	success or wait	1	7C90E457	KiUserApcDispatcher
2036	C:\WINDOWS\system32\LogFiles\smss.exe	261000	13F168	page read and write	success or wait	1	7C90E457	KiUserApcDispatcher
2036	C:\WINDOWS\system32\LogFiles\smss.exe	153000	13F3EC	page read and write	success or wait	1	7C90E457	KiUserApcDispatcher
2036	C:\WINDOWS\system32\LogFiles\smss.exe	470000	13F0C8	page read and write	success or wait	1	7C90E457	KiUserApcDispatcher
2036	C:\WINDOWS\system32\LogFiles\smss.exe	470000	13F0CC	page read and write	success or wait	1	7C90E457	KiUserApcDispatcher
2036	C:\WINDOWS\system32\LogFiles\smss.exe	472000	13EB64	page read and write	success or wait	1	7C90E457	KiUserApcDispatcher
2036	C:\WINDOWS\system32\LogFiles\smss.exe	473000	13EEA8	page read and write	success or wait	1	7C90E457	KiUserApcDispatcher
2036	C:\WINDOWS\system32\LogFiles\smss.exe	480000	13E978	page read and write	success or wait	1	7C90E457	KiUserApcDispatcher
2036	C:\WINDOWS\system32\LogFiles\smss.exe	480000	13E97C	page read and write	success or wait	1	7C90E457	KiUserApcDispatcher
2036	C:\WINDOWS\system32\LogFiles\smss.exe	481000	13E658	page read and write	success or wait	1	7C90E457	KiUserApcDispatcher
2036	C:\WINDOWS\system32\LogFiles\smss.exe	483000	13E70C	page read and write	success or wait	1	7C90E457	KiUserApcDispatcher
2036	C:\WINDOWS\system32\LogFiles\smss.exe	4A0000	13F04C	page read and write	success or wait	1	7C90E457	KiUserApcDispatcher
2036	C:\WINDOWS\system32\LogFiles\smss.exe	4A0000	13F050	page read and write	success or wait	1	7C90E457	KiUserApcDispatcher
2036	C:\WINDOWS\system32\LogFiles\smss.exe	4A1000	13ED2C	page read and write	success or wait	1	7C90E457	KiUserApcDispatcher
2036	C:\WINDOWS\system32\LogFiles\smss.exe	154000	13F788	page read and write	success or wait	1	7C90E457	KiUserApcDispatcher
2036	C:\WINDOWS\system32\LogFiles\smss.exe	420000	13F91C	page read and write	success or wait	1	7C90E457	KiUserApcDispatcher
2036	C:\WINDOWS\system32\LogFiles\smss.exe	420000	13F920	page read and write	success or wait	1	7C90E457	KiUserApcDispatcher
2036	C:\WINDOWS\system32\LogFiles\smss.exe	421000	13F5FC	page read and write	success or wait	1	7C90E457	KiUserApcDispatcher
2036	C:\WINDOWS\system32\LogFiles\smss.exe	423000	13F6B8	page read and write	success or wait	1	7C90E457	KiUserApcDispatcher
2036	C:\WINDOWS\system32\LogFiles\smss.exe	155000	13F308	page read and write	success or wait	1	7C90E457	KiUserApcDispatcher
2036	C:\WINDOWS\system32\LogFiles\smss.exe	8F0000	13F52C	page read and write	success or wait	1	7C90E457	KiUserApcDispatcher
2036	C:\WINDOWS\system32\LogFiles\smss.exe	8F0000	13F528	page read and write	success or wait	1	7C90E457	KiUserApcDispatcher
2036	C:\WINDOWS\system32\LogFiles\smss.exe	156000	13F70C	page read and write	success or wait	1	7C90E457	KiUserApcDispatcher
2036	C:\WINDOWS\system32\LogFiles\smss.exe	157000	13F188	page read and write	success or wait	1	7C90E457	KiUserApcDispatcher
2036	C:\WINDOWS\system32\LogFiles\smss.exe	158000	13EF90	page read and write	success or wait	1	7C90E457	KiUserApcDispatcher
2036	C:\WINDOWS\system32\LogFiles\smss.exe	159000	13EFB0	page read and write	success or wait	1	7C90E457	KiUserApcDispatcher
2036	C:\WINDOWS\system32\LogFiles\smss.exe	440000	13F1B8	page read and write	success or wait	1	7C90E457	KiUserApcDispatcher
2036	C:\WINDOWS\system32\LogFiles\smss.exe	440000	13F1BC	page read and write	success or wait	1	7C90E457	KiUserApcDispatcher
2036	C:\WINDOWS\system32\LogFiles\smss.exe	441000	13EE98	page read and write	success or wait	1	7C90E457	KiUserApcDispatcher
2036	C:\WINDOWS\system32\LogFiles\smss.exe	443000	13EF4C	page read and write	success or wait	1	7C90E457	KiUserApcDispatcher
2036	C:\WINDOWS\system32\LogFiles\smss.exe	424000	13EF58	page read and write	success or wait	1	7C90E457	KiUserApcDispatcher
2036	C:\WINDOWS\system32\LogFiles\smss.exe	970000	13FF1C	page read and write	success or wait	1	1400813A	HeapCreate
2036	C:\WINDOWS\system32\LogFiles\smss.exe	970000	13FF20	page read and write	success or wait	1	1400813A	HeapCreate
2036	C:\WINDOWS\system32\LogFiles\smss.exe	971000	13FC4C	page read and write	success or wait	1	7C817077	unknown
2036	C:\WINDOWS\system32\LogFiles\smss.exe	980000	13FE78	page read and write	success or wait	1	140098EB	VirtualAlloc
2036	C:\WINDOWS\system32\LogFiles\smss.exe	980000	13FE68	page read and write	success or wait	1	14009977	VirtualAlloc
2036	C:\WINDOWS\system32\LogFiles\smss.exe	15A000	13F4D8	page read and write	success or wait	1	14001722	OpenSCManagerA

PID	Filepath	Base	Length	New Protection	Old Protection	Completion	Count	Source Address	Symbol
2036	C:\WINDOWS\system32\LogFiles\smss.exe	7C801000	1000	page read and write	page execute read	success or wait	1	7C90E457	KiUserApcDispatcher
2036	C:\WINDOWS\system32\LogFiles\smss.exe	7C801000	1000	page execute read	page read and write	success or wait	1	7C90E457	KiUserApcDispatcher
2036	C:\WINDOWS\system32\LogFiles\smss.exe	1400B000	1000	page read and write	page write copy	success or wait	1	7C90E457	KiUserApcDispatcher
2036	C:\WINDOWS\system32\LogFiles\smss.exe	1400B000	1000	page write copy	page read and write	success or wait	1	7C90E457	KiUserApcDispatcher
2036	C:\WINDOWS\system32\LogFiles\smss.exe	77F11000	1000	page read and write	page execute read	success or wait	3	7C90E457	KiUserApcDispatcher
2036	C:\WINDOWS\system32\LogFiles\smss.exe	77F11000	1000	page execute read	page read and write	success or wait	3	7C90E457	KiUserApcDispatcher
2036	C:\WINDOWS\system32\LogFiles\smss.exe	7E411000	1000	page read and write	page execute read	success or wait	3	7C90E457	KiUserApcDispatcher
2036	C:\WINDOWS\system32\LogFiles\smss.exe	7E411000	1000	page execute read	page read and write	success or wait	3	7C90E457	KiUserApcDispatcher
2036	C:\WINDOWS\system32\LogFiles\smss.exe	1400B000	1000	page read and write	page read and write	success or wait	4	7C90E457	KiUserApcDispatcher
2036	C:\WINDOWS\system32\LogFiles\smss.exe	1400B000	1000	page read and write	page read and write	success or wait	4	7C90E457	KiUserApcDispatcher
2036	C:\WINDOWS\system32\LogFiles\smss.exe	77DD1000	1000	page read and write	page execute read	success or wait	3	7C90E457	KiUserApcDispatcher
2036	C:\WINDOWS\system32\LogFiles\smss.exe	77DD1000	1000	page execute read	page read and write	success or wait	3	7C90E457	KiUserApcDispatcher
2036	C:\WINDOWS\system32\LogFiles\smss.exe	77E71000	1000	page read and write	page execute read	success or wait	4	7C90E457	KiUserApcDispatcher
2036	C:\WINDOWS\system32\LogFiles\smss.exe	77E71000	1000	page execute read	page read and write	success or wait	4	7C90E457	KiUserApcDispatcher
2036	C:\WINDOWS\system32\LogFiles\smss.exe	77FE1000	1000	page read and write	page execute read	success or wait	3	7C90E457	KiUserApcDispatcher
2036	C:\WINDOWS\system32\LogFiles\smss.exe	77FE1000	1000	page execute read	page read and write	success or wait	3	7C90E457	KiUserApcDispatcher
2036	C:\WINDOWS\system32\LogFiles\smss.exe	71AB1000	1000	page read and write	page execute read	success or wait	4	7C90E457	KiUserApcDispatcher
2036	C:\WINDOWS\system32\LogFiles\smss.exe	71AB1000	1000	page execute read	page read and write	success or wait	4	7C90E457	KiUserApcDispatcher
2036	C:\WINDOWS\system32\LogFiles\smss.exe	77C11000	1000	page read and write	page execute read	success or wait	2	7C90E457	KiUserApcDispatcher
2036	C:\WINDOWS\system32\LogFiles\smss.exe	77C11000	1000	page execute read	page read and write	success or wait	2	7C90E457	KiUserApcDispatcher
2036	C:\WINDOWS\system32\LogFiles\smss.exe	71AA1000	1000	page read and write	page execute read	success or wait	3	7C90E457	KiUserApcDispatcher
2036	C:\WINDOWS\system32\LogFiles\smss.exe	71AA1000	1000	page execute read	page read and write	success or wait	3	7C90E457	KiUserApcDispatcher
2036	C:\WINDOWS\system32\LogFiles\smss.exe	77F61000	1000	page read and write	page execute read	success or wait	5	7C90E457	KiUserApcDispatcher
2036	C:\WINDOWS\system32\LogFiles\smss.exe	77F61000	1000	page execute read	page read and write	success or wait	5	7C90E457	KiUserApcDispatcher
2036	C:\WINDOWS\system32\LogFiles\smss.exe	5CB71000	1000	page read and write	page execute read	success or wait	2	7C90E457	KiUserApcDispatcher
2036	C:\WINDOWS\system32\LogFiles\smss.exe	5CB71000	1000	page execute read	page read and write	success or wait	2	7C90E457	KiUserApcDispatcher
2036	C:\WINDOWS\system32\LogFiles\smss.exe	6F881000	1000	page read and write	page execute read	success or wait	7	7C90E457	KiUserApcDispatcher
2036	C:\WINDOWS\system32\LogFiles\smss.exe	6F881000	1000	page execute read	page read and write	success or wait	7	7C90E457	KiUserApcDispatcher
2036	C:\WINDOWS\system32\LogFiles\smss.exe	76B41000	1000	page read and write	page execute read	success or wait	5	7C90E457	KiUserApcDispatcher
2036	C:\WINDOWS\system32\LogFiles\smss.exe	76B41000	1000	page execute read	page read and write	success or wait	5	7C90E457	KiUserApcDispatcher
2036	C:\WINDOWS\system32\LogFiles\smss.exe	774E1000	1000	page read and write	page execute read	success or wait	7	7C90E457	KiUserApcDispatcher
2036	C:\WINDOWS\system32\LogFiles\smss.exe	774E1000	1000	page execute read	page read and write	success or wait	7	7C90E457	KiUserApcDispatcher
2036	C:\WINDOWS\system32\LogFiles\smss.exe	77121000	1000	page read and write	page execute read	success or wait	6	7C90E457	KiUserApcDispatcher
2036	C:\WINDOWS\system32\LogFiles\smss.exe	77121000	1000	page execute read	page read and write	success or wait	6	7C90E457	KiUserApcDispatcher
2036	C:\WINDOWS\system32\LogFiles\smss.exe	77BE1000	1000	page read and write	page execute read	success or wait	5	7C90E457	KiUserApcDispatcher
2036	C:\WINDOWS\system32\LogFiles\smss.exe	77BE1000	1000	page execute read	page read and write	success or wait	5	7C90E457	KiUserApcDispatcher
2036	C:\WINDOWS\system32\LogFiles\smss.exe	77C01000	1000	page read and write	page execute read	success or wait	2	7C90E457	KiUserApcDispatcher
2036	C:\WINDOWS\system32\LogFiles\smss.exe	77C01000	1000	page execute read	page read and write	success or wait	2	7C90E457	KiUserApcDispatcher
2036	C:\WINDOWS\system32\LogFiles\smss.exe	7C9C1000	2000	page read and write	page execute read	success or wait	8	7C90E457	KiUserApcDispatcher
2036	C:\WINDOWS\system32\LogFiles\smss.exe	7C9C1000	2000	page execute read	page read and write	success or wait	8	7C90E457	KiUserApcDispatcher
2036	C:\WINDOWS\system32\LogFiles\smss.exe	769C1000	1000	page read and write	page execute read	success or wait	5	7C90E457	KiUserApcDispatcher
2036	C:\WINDOWS\system32\LogFiles\smss.exe	769C1000	1000	page execute read	page read and write	success or wait	5	7C90E457	KiUserApcDispatcher
2036	C:\WINDOWS\system32\LogFiles\smss.exe	5AD71000	1000	page read and write	page execute read	success or wait	5	7C90E457	KiUserApcDispatcher
2036	C:\WINDOWS\system32\LogFiles\smss.exe	5AD71000	1000	page execute read	page read and write	success or wait	5	7C90E457	KiUserApcDispatcher
2036	C:\WINDOWS\system32\LogFiles\smss.exe	76391000	1000	page read and write	page execute read	success or wait	4	7C90E457	KiUserApcDispatcher
2036	C:\WINDOWS\system32\LogFiles\smss.exe	76391000	1000	page execute read	page read and write	success or wait	4	7C90E457	KiUserApcDispatcher
2036	C:\WINDOWS\system32\LogFiles\smss.exe	773D1000	1000	page read and write	page execute read	success or wait	7	7C90E457	KiUserApcDispatcher
2036	C:\WINDOWS\system32\LogFiles\smss.exe	773D1000	1000	page execute read	page read and write	success or wait	7	7C90E457	KiUserApcDispatcher
2036	C:\WINDOWS\system32\LogFiles\smss.exe	5D091000	1000	page read and write	page execute read	success or wait	5	7C90E457	KiUserApcDispatcher
2036	C:\WINDOWS\system32\LogFiles\smss.exe	5D091000	1000	page execute read	page read and write	success or wait	5	7C90E457	KiUserApcDispatcher

System Activites

System info class	Completion	Count	Source Address	Symbol
BasicInformation	success or wait	18	7C90E457	KiUserApcDispatcher
RangeStartInformation	success or wait	1	7C90E457	KiUserApcDispatcher
ProcessorInformation	success or wait	6	7C90E457	KiUserApcDispatcher
PerformanceInformation	success or wait	1	14001722	OpenSCManagerA

Timing Activites

Time	Completion	Count	Source Address	Symbol
129718679888750000	success or wait	1	14001722	OpenSCManagerA

Chronological Activities

Operation	Data	Completion	Time
Key value queried	Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager Name: CWDIllegalInDLLSearch	object name not found	532496117
System info queried	Type: BasicInformation	success or wait	532496899
Memory allocated	PID: 2036 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 150000 Length: 13FB14 Allocation Type: unknown Protection: page read and write	success or wait	532497013
Memory allocated	PID: 2036 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 150000 Length: 13FB18 Allocation Type: unknown Protection: page read and write	success or wait	532497665
Memory allocated	PID: 2036 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 151000 Length: 13F7F4 Allocation Type: unknown Protection: page read and write	success or wait	532498404
System info queried	Type: BasicInformation	success or wait	532498525
Memory allocated	PID: 2036 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 250000 Length: 13FB14 Allocation Type: unknown Protection: page read and write	success or wait	532499152
Memory allocated	PID: 2036 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 250000 Length: 13FB18 Allocation Type: unknown Protection: page read and write	success or wait	532499246
File opened	Path: C:\ Access: execute or traverse and synchronize Options: directory file and synchronous io non alert Overwritten: false	success or wait	532500944
File control set	Path: C:\ Control Code: 90028 Input Buffer: NULL	success or wait	532501315
Section loaded	Path: \KnownDlls\kernel32.dll Access: write and read and execute Type: unknown Baseaddress: 7C800000 Size: 1007616 Protection: read write Mapped to pid: own pid	success or wait	532501933
Memory attributes changed	PID: 2036 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 7C801000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	532502982
Memory attributes changed	PID: 2036 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 7C801000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	532503678
Process information queried	Path: C:\WINDOWS\system32\LogFiles\smss.exe PID: 2036 Info Class: Cookie	success or wait	532503987
System info queried	Type: RangeStartInformation	success or wait	532504431
System info queried	Type: BasicInformation	success or wait	532504518
Section loaded	Path: unknown Access: query and write and read and execute and extend size Type: reserve Baseaddress: 7C800000 Size: 1007616 Protection: read write Mapped to pid: own pid	success or wait	532504648
System info queried	Type: BasicInformation	success or wait	532505495
Memory allocated	PID: 2036 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 260000 Length: 13F340 Allocation Type: unknown Protection: page read and write	success or wait	532505679
Key value queried	Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Terminal Server Name: TSAppCompat	success or wait	532506379
Section loaded	Path: \NLS\NlsSectionUnicode Access: read Type: unknown Baseaddress: 270000 Size: 90112 Protection: readonly Mapped to pid: own pid	success or wait	532506954
Section loaded	Path: \NLS\NlsSectionLocale Access: read Type: unknown Baseaddress: 290000 Size: 266240 Protection: readonly Mapped to pid: own pid	success or wait	532508080
Section loaded	Path: \NLS\NlsSectionSortkey Access: query and read Type: unknown Baseaddress: 2E0000 Size: 266240 Protection: readonly Mapped to pid: own pid	success or wait	532509159
Section loaded	Path: \NLS\NlsSectionSortTbls Access: read Type: unknown Baseaddress: 330000 Size: 24576 Protection: readonly Mapped to pid: own pid	success or wait	532509985
Section loaded	Path: \NLS\NlsSectionSortkey00000409 Access: read Type: unknown Baseaddress: unknown Size: unknown Protection: unknown Mapped to pid: unknown	object name not found	532510901
Section loaded	Path: \NLS\NlsSectionSortkey00000409 Access: read Type: unknown Baseaddress: unknown Size: unknown Protection: unknown Mapped to pid: unknown	object name not found	532511033
Memory allocated	PID: 2036 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 261000 Length: 13F168 Allocation Type: unknown Protection: page read and write	success or wait	532511147
Memory attributes changed	PID: 2036 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 1400B000 Length: 1000 New Protection: page read and write Old Protection: page write copy	success or wait	532512913
Memory attributes changed	PID: 2036 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 1400B000 Length: 1000 New Protection: page write copy Old Protection: page read and write	success or wait	532513509
Section loaded	Path: \KnownDlls\USER32.dll Access: write and read and execute Type: unknown Baseaddress: 7E410000 Size: 593920 Protection: read write Mapped to pid: own pid	success or wait	532513643
Section loaded	Path: \KnownDlls\GDI32.dll Access: write and read and execute Type: unknown Baseaddress: 77F10000 Size: 299008 Protection: read write Mapped to pid: own pid	success or wait	532514495
Memory attributes changed	PID: 2036 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 77F11000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	532515599
Memory attributes changed	PID: 2036 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 77F11000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	532516156
Memory attributes changed	PID: 2036 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 77F11000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	532516280
Memory attributes changed	PID: 2036 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 77F11000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	532516406
Memory attributes changed	PID: 2036 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 77F11000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	532517080
Memory attributes changed	PID: 2036 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 77F11000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	532517588
Memory attributes changed	PID: 2036 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 7E411000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	532517721
Memory attributes changed	PID: 2036 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 7E411000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	532518313
Memory attributes changed	PID: 2036 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 7E411000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	532518431
Memory attributes changed	PID: 2036 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 7E411000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	532518578
Memory attributes changed	PID: 2036 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 7E411000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	532519174
Memory attributes changed	PID: 2036 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 7E411000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	532519349
Memory attributes changed	PID: 2036 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 1400B000 Length: 1000 New Protection: page read and write Old Protection: page read and write	success or wait	532519462
Memory attributes changed	PID: 2036 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 1400B000 Length: 1000 New Protection: page read and write Old Protection: page read and write	success or wait	532519582
Section loaded	Path: \KnownDlls\ADVAPI32.dll Access: write and read and execute Type: unknown Baseaddress: 77DD0000 Size: 634880 Protection: read write Mapped to pid: own pid	success or wait	532519982
Memory attributes changed	PID: 2036 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 77DD1000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	532520553
Memory attributes changed	PID: 2036 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 77DD1000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	532521274
Memory attributes changed	PID: 2036 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 77DD1000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	532521406
Memory attributes changed	PID: 2036 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 77DD1000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	532521888
Section loaded	Path: \KnownDlls\RPCRT4.dll Access: write and read and execute Type: unknown Baseaddress: 77E70000 Size: 602112 Protection: read write Mapped to pid: own pid	success or wait	532522384
Memory attributes changed	PID: 2036 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 77E71000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	532523417
Memory attributes changed	PID: 2036 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 77E71000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	532523661
Memory attributes changed	PID: 2036 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 77E71000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	532524053
Memory attributes changed	PID: 2036 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 77E71000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	532524263
Memory attributes changed	PID: 2036 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 77E71000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	532524385
Memory attributes changed	PID: 2036 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 77E71000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	532524519
Section loaded	Path: \KnownDlls\Secur32.dll Access: write and read and execute Type: unknown Baseaddress: 77FE0000 Size: 69632 Protection: read write Mapped to pid: own pid	success or wait	532525218
Memory attributes changed	PID: 2036 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 77FE1000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	532526385
Memory attributes changed	PID: 2036 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 77FE1000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	532526542
Memory attributes changed	PID: 2036 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 77FE1000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	532527144
Memory attributes changed	PID: 2036 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 77FE1000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	532527305
Memory attributes changed	PID: 2036 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 77FE1000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	532527452
Memory attributes changed	PID: 2036 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 77FE1000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	532527627
Memory attributes changed	PID: 2036 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 77E71000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	532528196
Memory attributes changed	PID: 2036 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 77E71000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	532528343
Memory attributes changed	PID: 2036 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 77DD1000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	532528491
Memory attributes changed	PID: 2036 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 77DD1000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	532528687
Memory attributes changed	PID: 2036 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 1400B000 Length: 1000 New Protection: page read and write Old Protection: page read and write	success or wait	532528793
Memory attributes changed	PID: 2036 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 1400B000 Length: 1000 New Protection: page read and write Old Protection: page read and write	success or wait	532529523
Section loaded	Path: \KnownDlls\WS2_32.dll Access: write and read and execute Type: unknown Baseaddress: unknown Size: unknown Protection: unknown Mapped to pid: unknown	object name not found	532529664
Memory allocated	PID: 2036 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 153000 Length: 13F3EC Allocation Type: unknown Protection: page read and write	success or wait	532530057
File opened	Path: C:\WINDOWS\system32\WS2_32.dll Access: execute or traverse and synchronize Options: synchronous io non alert and non directory file Overwritten: false	success or wait	532530654
Section loaded	Path: C:\WINDOWS\system32\ws2_32.dll Access: query and write and read and execute Type: image Baseaddress: 71AB0000 Size: 94208 Protection: read write Mapped to pid: own pid	success or wait	532531029
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers Name: TransparentEnabled	success or wait	532531278
Memory attributes changed	PID: 2036 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 71AB1000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	532533054
Memory attributes changed	PID: 2036 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 71AB1000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	532533210
Memory attributes changed	PID: 2036 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 71AB1000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	532533326
Memory attributes changed	PID: 2036 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 71AB1000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	532534018
Section loaded	Path: \KnownDlls\msvcrt.dll Access: write and read and execute Type: unknown Baseaddress: 77C10000 Size: 360448 Protection: read write Mapped to pid: own pid	success or wait	532534164
Memory attributes changed	PID: 2036 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 77C11000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	532535571
Memory attributes changed	PID: 2036 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 77C11000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	532536268
Memory attributes changed	PID: 2036 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 77C11000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	532536412
Memory attributes changed	PID: 2036 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 77C11000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	532536547
Memory attributes changed	PID: 2036 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 71AB1000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	532536669
Memory attributes changed	PID: 2036 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 71AB1000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	532537123
Memory attributes changed	PID: 2036 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 71AB1000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	532537238
Memory attributes changed	PID: 2036 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 71AB1000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	532537390
Section loaded	Path: \KnownDlls\WS2HELP.dll Access: write and read and execute Type: unknown Baseaddress: unknown Size: unknown Protection: unknown Mapped to pid: unknown	object name not found	532537527
File opened	Path: C:\WINDOWS\system32\WS2HELP.dll Access: execute or traverse and synchronize Options: synchronous io non alert and non directory file Overwritten: false	success or wait	532537788
Section loaded	Path: C:\WINDOWS\system32\ws2help.dll Access: query and write and read and execute Type: image Baseaddress: 71AA0000 Size: 32768 Protection: read write Mapped to pid: own pid	success or wait	532543562
Memory attributes changed	PID: 2036 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 71AA1000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	532545233
Memory attributes changed	PID: 2036 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 71AA1000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	532545406
Memory attributes changed	PID: 2036 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 71AA1000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	532546011
Memory attributes changed	PID: 2036 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 71AA1000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	532546158
Memory attributes changed	PID: 2036 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 71AA1000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	532546284
Memory attributes changed	PID: 2036 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 71AA1000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	532546720
Memory attributes changed	PID: 2036 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 1400B000 Length: 1000 New Protection: page read and write Old Protection: page read and write	success or wait	532546879
Memory attributes changed	PID: 2036 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 1400B000 Length: 1000 New Protection: page read and write Old Protection: page read and write	success or wait	532547001
Section loaded	Path: \KnownDlls\SHLWAPI.dll Access: write and read and execute Type: unknown Baseaddress: 77F60000 Size: 483328 Protection: read write Mapped to pid: own pid	success or wait	532547679
Memory attributes changed	PID: 2036 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 77F61000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	532548878
Memory attributes changed	PID: 2036 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 77F61000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	532549035
Memory attributes changed	PID: 2036 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 77F61000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	532549614
Memory attributes changed	PID: 2036 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 77F61000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	532549750
Memory attributes changed	PID: 2036 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 77F61000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	532549867
Memory attributes changed	PID: 2036 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 77F61000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	532550067
Memory attributes changed	PID: 2036 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 77F61000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	532550450
Memory attributes changed	PID: 2036 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 77F61000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	532550564
Memory attributes changed	PID: 2036 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 77F61000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	532550715
Memory attributes changed	PID: 2036 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 77F61000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	532550892
Memory attributes changed	PID: 2036 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 1400B000 Length: 1000 New Protection: page read and write Old Protection: page read and write	success or wait	532550994
Memory attributes changed	PID: 2036 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 1400B000 Length: 1000 New Protection: page read and write Old Protection: page read and write	success or wait	532551660
Section loaded	Path: \KnownDlls\ShimEng.dll Access: write and read and execute Type: unknown Baseaddress: unknown Size: unknown Protection: unknown Mapped to pid: unknown	object name not found	532551892
File opened	Path: C:\WINDOWS\system32\ShimEng.dll Access: execute or traverse and synchronize Options: synchronous io non alert and non directory file Overwritten: false	success or wait	532552423
Section loaded	Path: C:\WINDOWS\system32\shimeng.dll Access: query and write and read and execute Type: image Baseaddress: 5CB70000 Size: 155648 Protection: read write Mapped to pid: own pid	success or wait	532553114
Memory attributes changed	PID: 2036 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 5CB71000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	532554536
Memory attributes changed	PID: 2036 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 5CB71000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	532554723
Memory attributes changed	PID: 2036 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 5CB71000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	532554875
Memory attributes changed	PID: 2036 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 5CB71000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	532554987
File opened	Path: C:\WINDOWS\AppPatch\sysmain.sdb Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file Attributes: normal Content Overwritten: true	success or wait	532555355
Section loaded	Path: C:\WINDOWS\AppPatch\sysmain.sdb Access: read Type: commit Baseaddress: 340000 Size: 1208320 Protection: readonly Mapped to pid: own pid	success or wait	532556289
File opened	Path: C:\WINDOWS\AppPatch\systest.sdb Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file Attributes: normal Content Overwritten: true	object name not found	532557017
System info queried	Type: ProcessorInformation	success or wait	532557637
Process information queried	Path: C:\WINDOWS\system32\LogFiles\smss.exe PID: 2036 Info Class: Wow64Information	success or wait	532557731
Key value queried	Path: HKEY_LOCAL_MACHINE\SYSTEM\WPA\MediaCenter Name: Installed	success or wait	532557893
File opened	Path: \Device\NamedPipe\ShimViewer Access: write data or add file and append data or add subdirectory or create pipe instance and write ea and write attributes and read control and synchronize Options: no options Attributes: normal Content Overwritten: true	object name not found	532558763
Process information queried	Path: C:\WINDOWS\system32\LogFiles\smss.exe PID: 2036 Info Class: Wow64Information	success or wait	532559286
System info queried	Type: BasicInformation	success or wait	532559414
Memory allocated	PID: 2036 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 470000 Length: 13F0C8 Allocation Type: unknown Protection: page read and write	success or wait	532559521
Memory allocated	PID: 2036 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 470000 Length: 13F0CC Allocation Type: unknown Protection: page read and write	success or wait	532559620
File opened	Path: \Device\NamedPipe\ShimViewer Access: write data or add file and append data or add subdirectory or create pipe instance and write ea and write attributes and read control and synchronize Options: no options Attributes: normal Content Overwritten: true	object name not found	532560395
Memory allocated	PID: 2036 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 472000 Length: 13EB64 Allocation Type: unknown Protection: page read and write	success or wait	532560999
Memory allocated	PID: 2036 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 473000 Length: 13EEA8 Allocation Type: unknown Protection: page read and write	success or wait	532561761
File opened	Path: C:\WINDOWS\AppPatch\AcGenral.DLL Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file Attributes: normal Content Overwritten: true	success or wait	532562295
File opened	Path: C:\WINDOWS\AppPatch\AcGenral.DLL Access: execute or traverse and synchronize Options: synchronous io non alert and non directory file Overwritten: false	success or wait	532562872
Section loaded	Path: C:\WINDOWS\AppPatch\acgenral.dll Access: write and read and execute Type: commit Baseaddress: 480000 Size: 1855488 Protection: execute Mapped to pid: own pid	success or wait	532563718
File opened	Path: C:\WINDOWS\AppPatch\AcGenral.DLL Access: execute or traverse and synchronize Options: synchronous io non alert and non directory file Overwritten: false	success or wait	532564957
Section loaded	Path: C:\WINDOWS\AppPatch\acgenral.dll Access: write and read and execute Type: commit Baseaddress: 480000 Size: 1855488 Protection: execute Mapped to pid: own pid	success or wait	532565350
File opened	Path: C:\WINDOWS\AppPatch\AcGenral.DLL Access: execute or traverse and synchronize Options: synchronous io non alert and non directory file Overwritten: false	success or wait	532567482
Section loaded	Path: C:\WINDOWS\AppPatch\acgenral.dll Access: query and write and read and execute Type: image Baseaddress: 6F880000 Size: 1875968 Protection: read write Mapped to pid: own pid	success or wait	532567850
Memory attributes changed	PID: 2036 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 6F881000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	532569188
Memory attributes changed	PID: 2036 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 6F881000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	532569365
Memory attributes changed	PID: 2036 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 6F881000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	532569510
Memory attributes changed	PID: 2036 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 6F881000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	532569723
Memory attributes changed	PID: 2036 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 6F881000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	532569846
Memory attributes changed	PID: 2036 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 6F881000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	532569964
Memory attributes changed	PID: 2036 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 6F881000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	532570648
Memory attributes changed	PID: 2036 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 6F881000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	532570798
Section loaded	Path: \KnownDlls\WINMM.dll Access: write and read and execute Type: unknown Baseaddress: unknown Size: unknown Protection: unknown Mapped to pid: unknown	object name not found	532571410
File opened	Path: C:\WINDOWS\system32\WINMM.dll Access: execute or traverse and synchronize Options: synchronous io non alert and non directory file Overwritten: false	success or wait	532572034
Section loaded	Path: C:\WINDOWS\system32\winmm.dll Access: query and write and read and execute Type: image Baseaddress: 76B40000 Size: 184320 Protection: read write Mapped to pid: own pid	success or wait	532572416
Memory attributes changed	PID: 2036 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 76B41000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	532573693
Memory attributes changed	PID: 2036 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 76B41000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	532574125
Memory attributes changed	PID: 2036 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 76B41000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	532574253
Memory attributes changed	PID: 2036 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 76B41000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	532574375
Memory attributes changed	PID: 2036 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 76B41000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	532574539
Memory attributes changed	PID: 2036 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 76B41000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	532574706
Memory attributes changed	PID: 2036 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 76B41000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	532574830
Memory attributes changed	PID: 2036 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 76B41000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	532575523
Memory attributes changed	PID: 2036 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 76B41000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	532575658
Memory attributes changed	PID: 2036 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 76B41000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	532576064
Section loaded	Path: \KnownDlls\ole32.dll Access: write and read and execute Type: unknown Baseaddress: 774E0000 Size: 1302528 Protection: read write Mapped to pid: own pid	success or wait	532576544
Memory attributes changed	PID: 2036 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 774E1000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	532577584
Memory attributes changed	PID: 2036 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 774E1000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	532577786
Memory attributes changed	PID: 2036 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 774E1000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	532577916
Memory attributes changed	PID: 2036 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 774E1000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	532578318
Memory attributes changed	PID: 2036 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 774E1000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	532578444
Memory attributes changed	PID: 2036 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 774E1000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	532578670
Memory attributes changed	PID: 2036 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 774E1000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	532578796
Memory attributes changed	PID: 2036 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 774E1000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	532578924
Memory attributes changed	PID: 2036 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 774E1000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	532579581
Memory attributes changed	PID: 2036 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 774E1000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	532579759
Memory attributes changed	PID: 2036 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 774E1000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	532579913
Memory attributes changed	PID: 2036 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 774E1000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	532580399
Memory attributes changed	PID: 2036 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 774E1000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	532580532
Memory attributes changed	PID: 2036 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 774E1000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	532580695
Memory attributes changed	PID: 2036 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 6F881000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	532581140
Memory attributes changed	PID: 2036 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 6F881000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	532581310
Section loaded	Path: \KnownDlls\OLEAUT32.dll Access: write and read and execute Type: unknown Baseaddress: 77120000 Size: 569344 Protection: read write Mapped to pid: own pid	success or wait	532581451
Memory attributes changed	PID: 2036 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 77121000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	532582751
Memory attributes changed	PID: 2036 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 77121000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	532582985
Memory attributes changed	PID: 2036 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 77121000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	532583111
Memory attributes changed	PID: 2036 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 77121000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	532583243
Memory attributes changed	PID: 2036 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 77121000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	532583918
Memory attributes changed	PID: 2036 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 77121000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	532584108
Memory attributes changed	PID: 2036 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 77121000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	532584518
Memory attributes changed	PID: 2036 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 77121000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	532585007
Memory attributes changed	PID: 2036 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 77121000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	532585140
Memory attributes changed	PID: 2036 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 77121000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	532585277
Memory attributes changed	PID: 2036 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 77121000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	532585899
Memory attributes changed	PID: 2036 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 77121000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	532586028
Section loaded	Path: \KnownDlls\MSACM32.dll Access: write and read and execute Type: unknown Baseaddress: unknown Size: unknown Protection: unknown Mapped to pid: unknown	object name not found	532586182
File opened	Path: C:\WINDOWS\system32\MSACM32.dll Access: execute or traverse and synchronize Options: synchronous io non alert and non directory file Overwritten: false	success or wait	532587157
Section loaded	Path: C:\WINDOWS\system32\msacm32.dll Access: query and write and read and execute Type: image Baseaddress: 77BE0000 Size: 86016 Protection: read write Mapped to pid: own pid	success or wait	532591992
Memory attributes changed	PID: 2036 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 77BE1000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	532594019
Memory attributes changed	PID: 2036 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 77BE1000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	532594212
Memory attributes changed	PID: 2036 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 77BE1000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	532594340
Memory attributes changed	PID: 2036 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 77BE1000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	532594928
Memory attributes changed	PID: 2036 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 77BE1000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	532595075
Memory attributes changed	PID: 2036 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 77BE1000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	532595229
Memory attributes changed	PID: 2036 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 77BE1000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	532595631
Memory attributes changed	PID: 2036 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 77BE1000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	532595755
Memory attributes changed	PID: 2036 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 77BE1000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	532595878
Memory attributes changed	PID: 2036 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 77BE1000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	532596529
Section loaded	Path: \KnownDlls\VERSION.dll Access: write and read and execute Type: unknown Baseaddress: 77C00000 Size: 32768 Protection: read write Mapped to pid: own pid	success or wait	532596693
Memory attributes changed	PID: 2036 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 77C01000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	532597800
Memory attributes changed	PID: 2036 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 77C01000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	532598657
Memory attributes changed	PID: 2036 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 77C01000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	532598807
Memory attributes changed	PID: 2036 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 77C01000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	532599203
Section loaded	Path: \KnownDlls\SHELL32.dll Access: write and read and execute Type: unknown Baseaddress: 7C9C0000 Size: 8482816 Protection: read write Mapped to pid: own pid	success or wait	532599353
Memory attributes changed	PID: 2036 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 7C9C1000 Length: 2000 New Protection: page read and write Old Protection: page execute read	success or wait	532599968
Memory attributes changed	PID: 2036 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 7C9C1000 Length: 2000 New Protection: page execute read Old Protection: page read and write	success or wait	532600159
Memory attributes changed	PID: 2036 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 7C9C1000 Length: 2000 New Protection: page read and write Old Protection: page execute read	success or wait	532600834
Memory attributes changed	PID: 2036 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 7C9C1000 Length: 2000 New Protection: page execute read Old Protection: page read and write	success or wait	532600980
Memory attributes changed	PID: 2036 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 7C9C1000 Length: 2000 New Protection: page read and write Old Protection: page execute read	success or wait	532601401
Memory attributes changed	PID: 2036 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 7C9C1000 Length: 2000 New Protection: page execute read Old Protection: page read and write	success or wait	532601936
Memory attributes changed	PID: 2036 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 7C9C1000 Length: 2000 New Protection: page read and write Old Protection: page execute read	success or wait	532602065
Memory attributes changed	PID: 2036 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 7C9C1000 Length: 2000 New Protection: page execute read Old Protection: page read and write	success or wait	532602191
Memory attributes changed	PID: 2036 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 7C9C1000 Length: 2000 New Protection: page read and write Old Protection: page execute read	success or wait	532602790
Memory attributes changed	PID: 2036 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 7C9C1000 Length: 2000 New Protection: page execute read Old Protection: page read and write	success or wait	532602926
Memory attributes changed	PID: 2036 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 7C9C1000 Length: 2000 New Protection: page read and write Old Protection: page execute read	success or wait	532603054
Memory attributes changed	PID: 2036 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 7C9C1000 Length: 2000 New Protection: page execute read Old Protection: page read and write	success or wait	532603484
Memory attributes changed	PID: 2036 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 7C9C1000 Length: 2000 New Protection: page read and write Old Protection: page execute read	success or wait	532603610
Memory attributes changed	PID: 2036 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 7C9C1000 Length: 2000 New Protection: page execute read Old Protection: page read and write	success or wait	532603810
Memory attributes changed	PID: 2036 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 7C9C1000 Length: 2000 New Protection: page read and write Old Protection: page execute read	success or wait	532604480
Memory attributes changed	PID: 2036 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 7C9C1000 Length: 2000 New Protection: page execute read Old Protection: page read and write	success or wait	532604994
Memory attributes changed	PID: 2036 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 6F881000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	532605115
Memory attributes changed	PID: 2036 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 6F881000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	532605611
Memory attributes changed	PID: 2036 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 6F881000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	532605729
Memory attributes changed	PID: 2036 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 6F881000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	532605841
Section loaded	Path: \KnownDlls\USERENV.dll Access: write and read and execute Type: unknown Baseaddress: 769C0000 Size: 737280 Protection: read write Mapped to pid: own pid	success or wait	532606474
Memory attributes changed	PID: 2036 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 769C1000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	532607514
Memory attributes changed	PID: 2036 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 769C1000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	532607724
Memory attributes changed	PID: 2036 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 769C1000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	532608383
Memory attributes changed	PID: 2036 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 769C1000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	532608566
Memory attributes changed	PID: 2036 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 769C1000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	532608974
Memory attributes changed	PID: 2036 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 769C1000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	532609433
Memory attributes changed	PID: 2036 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 769C1000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	532609566
Memory attributes changed	PID: 2036 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 769C1000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	532609726
Memory attributes changed	PID: 2036 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 769C1000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	532610314
Memory attributes changed	PID: 2036 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 769C1000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	532610459
Section loaded	Path: \KnownDlls\UxTheme.dll Access: write and read and execute Type: unknown Baseaddress: unknown Size: unknown Protection: unknown Mapped to pid: unknown	object name not found	532610608
File opened	Path: C:\WINDOWS\system32\UxTheme.dll Access: execute or traverse and synchronize Options: synchronous io non alert and non directory file Overwritten: false	success or wait	532611179
Section loaded	Path: C:\WINDOWS\system32\uxtheme.dll Access: query and write and read and execute Type: image Baseaddress: 5AD70000 Size: 229376 Protection: read write Mapped to pid: own pid	success or wait	532611557
Memory attributes changed	PID: 2036 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 5AD71000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	532613176
Memory attributes changed	PID: 2036 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 5AD71000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	532613682
Memory attributes changed	PID: 2036 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 5AD71000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	532613811
Memory attributes changed	PID: 2036 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 5AD71000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	532613961
Memory attributes changed	PID: 2036 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 5AD71000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	532614562
Memory attributes changed	PID: 2036 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 5AD71000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	532614725
Memory attributes changed	PID: 2036 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 5AD71000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	532615116
Memory attributes changed	PID: 2036 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 5AD71000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	532615321
Memory attributes changed	PID: 2036 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 5AD71000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	532615449
Memory attributes changed	PID: 2036 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 5AD71000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	532615576
System info queried	Type: BasicInformation	success or wait	532616794
Memory allocated	PID: 2036 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 480000 Length: 13E978 Allocation Type: unknown Protection: page read and write	success or wait	532616921
Memory allocated	PID: 2036 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 480000 Length: 13E97C Allocation Type: unknown Protection: page read and write	success or wait	532617034
Memory allocated	PID: 2036 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 481000 Length: 13E658 Allocation Type: unknown Protection: page read and write	success or wait	532617503
Section loaded	Path: \NLS\NlsSectionCType Access: read Type: unknown Baseaddress: 490000 Size: 12288 Protection: readonly Mapped to pid: own pid	success or wait	532617857
Memory allocated	PID: 2036 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 483000 Length: 13E70C Allocation Type: unknown Protection: page read and write	success or wait	532619401
Process information queried	Path: C:\WINDOWS\system32\LogFiles\smss.exe PID: 2036 Info Class: Cookie	success or wait	532619582
Process information queried	Path: C:\WINDOWS\system32\LogFiles\smss.exe PID: 2036 Info Class: Cookie	success or wait	532619726
Mutant created	Name: \BaseNamedObjects\SHIMLIB_LOG_MUTEX	object name exists	532619918
File opened	Path: \Device\NamedPipe\ShimViewer Access: write data or add file and append data or add subdirectory or create pipe instance and write ea and write attributes and read control and synchronize Options: no options Attributes: normal Content Overwritten: true	object name not found	532620984
System info queried	Type: BasicInformation	success or wait	532621539
Memory allocated	PID: 2036 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 4A0000 Length: 13F04C Allocation Type: unknown Protection: page read and write	success or wait	532621663
Memory allocated	PID: 2036 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 4A0000 Length: 13F050 Allocation Type: unknown Protection: page read and write	success or wait	532622105
Memory allocated	PID: 2036 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 4A1000 Length: 13ED2C Allocation Type: unknown Protection: page read and write	success or wait	532622242
System info queried	Type: BasicInformation	success or wait	532622461
System info queried	Type: ProcessorInformation	success or wait	532623035
Process information queried	Path: C:\WINDOWS\system32\LogFiles\smss.exe PID: 2036 Info Class: ImageInformation	success or wait	532623524
Key value queried	Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Terminal Server Name: TSAppCompat	success or wait	532624069
System info queried	Type: BasicInformation	success or wait	532625404
Key value queried	Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager Name: SafeDllSearchMode	object name not found	532625762
File opened	Path: C:\WINDOWS\system32\IMM32.DLL Access: execute or traverse and synchronize Options: synchronous io non alert and non directory file Overwritten: false	success or wait	532626668
Section loaded	Path: C:\WINDOWS\system32\imm32.dll Access: write and read and execute Type: commit Baseaddress: 410000 Size: 110592 Protection: execute Mapped to pid: own pid	success or wait	532627389
File opened	Path: C:\WINDOWS\system32\IMM32.DLL Access: execute or traverse and synchronize Options: synchronous io non alert and non directory file Overwritten: false	success or wait	532629224
Section loaded	Path: C:\WINDOWS\system32\imm32.dll Access: write and read and execute Type: commit Baseaddress: 410000 Size: 110592 Protection: execute Mapped to pid: own pid	success or wait	532630263
File opened	Path: C:\WINDOWS\system32\IMM32.DLL Access: execute or traverse and synchronize Options: synchronous io non alert and non directory file Overwritten: false	success or wait	532630910
Section loaded	Path: C:\WINDOWS\system32\imm32.dll Access: query and write and read and execute Type: image Baseaddress: 76390000 Size: 118784 Protection: read write Mapped to pid: own pid	success or wait	532631827
Memory attributes changed	PID: 2036 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 76391000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	532633036
Memory attributes changed	PID: 2036 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 76391000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	532633670
Memory attributes changed	PID: 2036 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 76391000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	532633814
Memory attributes changed	PID: 2036 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 76391000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	532633971
Memory attributes changed	PID: 2036 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 76391000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	532634108
Memory attributes changed	PID: 2036 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 76391000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	532634522
Memory attributes changed	PID: 2036 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 76391000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	532634648
Memory attributes changed	PID: 2036 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 76391000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	532634818
System info queried	Type: BasicInformation	success or wait	532635058
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize Name: DisableMetaFiles	object name not found	532635469
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Name: AppInit_DLLs	success or wait	532640637
Memory allocated	PID: 2036 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 154000 Length: 13F788 Allocation Type: unknown Protection: page read and write	success or wait	532642155
Key value queried	Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Terminal Server Name: TSAppCompat	success or wait	532642417
Key value queried	Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Terminal Server Name: TSUserEnabled	success or wait	532643035
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Name: LeakTrack	object name not found	532643615
System info queried	Type: BasicInformation	success or wait	532644617
Memory allocated	PID: 2036 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 420000 Length: 13F91C Allocation Type: unknown Protection: page read and write	success or wait	532644744
Memory allocated	PID: 2036 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 420000 Length: 13F920 Allocation Type: unknown Protection: page read and write	success or wait	532644849
Memory allocated	PID: 2036 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 421000 Length: 13F5FC Allocation Type: unknown Protection: page read and write	success or wait	532645642
Memory allocated	PID: 2036 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 423000 Length: 13F6B8 Allocation Type: unknown Protection: page read and write	success or wait	532646092
Process information queried	Path: C:\WINDOWS\system32\LogFiles\smss.exe PID: 2036 Info Class: Cookie	success or wait	532646405
Process information queried	Path: C:\WINDOWS\system32\LogFiles\smss.exe PID: 2036 Info Class: Cookie	success or wait	532646961
System info queried	Type: BasicInformation	success or wait	532647093
System info queried	Type: ProcessorInformation	success or wait	532647197
Memory allocated	PID: 2036 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 155000 Length: 13F308 Allocation Type: unknown Protection: page read and write	success or wait	532647439
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: wave	success or wait	532647965
Memory allocated	PID: 2036 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 8F0000 Length: 13F52C Allocation Type: unknown Protection: page read and write	success or wait	532648323
Memory allocated	PID: 2036 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 8F0000 Length: 13F528 Allocation Type: unknown Protection: page read and write	success or wait	532648476
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: wave	success or wait	532648633
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: wave1	success or wait	532649133
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: wave1	success or wait	532650042
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: wave2	object name not found	532650704
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: wave3	object name not found	532651057
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: wave4	object name not found	532651769
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: wave5	object name not found	532652126
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: wave6	object name not found	532652476
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: wave7	object name not found	532653305
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: wave8	object name not found	532653705
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: wave9	object name not found	532654484
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: midi	success or wait	532654837
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: midi	success or wait	532655199
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: midi1	success or wait	532656403
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: midi1	success or wait	532656797
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: midi2	object name not found	532657154
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: midi3	object name not found	532657904
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: midi4	object name not found	532658257
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: midi5	object name not found	532658609
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: midi6	object name not found	532659471
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: midi7	object name not found	532660106
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: midi8	object name not found	532660460
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: midi9	object name not found	532660875
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: aux	success or wait	532661229
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: aux	success or wait	532661590
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: aux1	success or wait	532662789
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: aux1	success or wait	532663158
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: aux2	object name not found	532663511
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: aux3	object name not found	532664224
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: aux4	object name not found	532664607
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: aux5	object name not found	532664955
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: aux6	object name not found	532665807
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: aux7	object name not found	532666426
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: aux8	object name not found	532666777
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: aux9	object name not found	532667202
Key value queried	Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\MediaProperties\PrivateProperties\Joystick\Winmm Name: wheel	success or wait	532667652
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: mixer	success or wait	532668511
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: mixer	success or wait	532669167
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: mixer1	success or wait	532669523
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: mixer1	success or wait	532670250
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: mixer2	object name not found	532670607
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: mixer3	object name not found	532670958
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: mixer4	object name not found	532672376
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: mixer5	object name not found	532672997
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: mixer6	object name not found	532673351
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: mixer7	object name not found	532673766
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: mixer8	object name not found	532674118
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: mixer9	object name not found	532674469
File opened	Path: \Device\KsecDD Access: read data or list directory and synchronize Options: synchronous io alert Overwritten: false	success or wait	532675789
System info queried	Type: BasicInformation	success or wait	532677492
System info queried	Type: ProcessorInformation	success or wait	532678140
Key value queried	Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager Name: CriticalSectionTimeout	success or wait	532678338
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole Name: RWLockResourceTimeOut	object name not found	532679161
System info queried	Type: BasicInformation	success or wait	532679451
System info queried	Type: ProcessorInformation	success or wait	532679560
Memory allocated	PID: 2036 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 156000 Length: 13F70C Allocation Type: unknown Protection: page read and write	success or wait	532679938
System info queried	Type: BasicInformation	success or wait	532680052
System info queried	Type: ProcessorInformation	success or wait	532680221
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface Name: InterfaceHelperDisableAll	object name not found	532680387
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface Name: InterfaceHelperDisableAllForOle32	object name not found	532680501
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface Name: InterfaceHelperDisableTypeLib	object name not found	532681180
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{00020400-0000-0000-C000-000000000046} Name: InterfaceHelperDisableAll	object name not found	532681722
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{00020400-0000-0000-C000-000000000046} Name: InterfaceHelperDisableAllForOle32	object name not found	532682195
Key value queried	Path: HKEY_USERS\Software\Microsoft\Multimedia\Audio Name: SystemFormats	success or wait	532683714
Memory allocated	PID: 2036 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 157000 Length: 13F188 Allocation Type: unknown Protection: page read and write	success or wait	532685082
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: msacm.imaadpcm	buffer overflow	532690334
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: msacm.imaadpcm	success or wait	532690484
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.imaadpcm Name: fdwSupport	success or wait	532691260
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.imaadpcm Name: cFormatTags	success or wait	532691475
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.imaadpcm Name: aFormatTagCache	success or wait	532691935
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.imaadpcm Name: cFilterTags	success or wait	532692122
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: msacm.msadpcm	buffer overflow	532692573
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: msacm.msadpcm	success or wait	532692700
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msadpcm Name: fdwSupport	success or wait	532693555
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msadpcm Name: cFormatTags	success or wait	532694031
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msadpcm Name: aFormatTagCache	success or wait	532694558
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msadpcm Name: cFilterTags	success or wait	532694745
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: msacm.msg711	buffer overflow	532695668
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: msacm.msg711	success or wait	532695817
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msg711 Name: fdwSupport	success or wait	532696362
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msg711 Name: cFormatTags	success or wait	532696564
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msg711 Name: aFormatTagCache	success or wait	532696803
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msg711 Name: cFilterTags	success or wait	532696995
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: msacm.msgsm610	buffer overflow	532697978
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: msacm.msgsm610	success or wait	532698112
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msgsm610 Name: fdwSupport	success or wait	532699034
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msgsm610 Name: cFormatTags	success or wait	532699224
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msgsm610 Name: aFormatTagCache	success or wait	532699897
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msgsm610 Name: cFilterTags	success or wait	532700367
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: msacm.trspch	buffer overflow	532700836
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: msacm.trspch	success or wait	532700963
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.trspch Name: fdwSupport	success or wait	532701824
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.trspch Name: cFormatTags	success or wait	532702300
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.trspch Name: aFormatTagCache	success or wait	532702823
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.trspch Name: cFilterTags	success or wait	532703010
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: msacm.msg723	buffer overflow	532707922
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: msacm.msg723	success or wait	532708079
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msg723 Name: fdwSupport	success or wait	532708436
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msg723 Name: cFormatTags	success or wait	532708626
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msg723 Name: aFormatTagCache	success or wait	532709368
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msg723 Name: cFilterTags	success or wait	532709661
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: msacm.msaudio1	buffer overflow	532713720
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: msacm.msaudio1	success or wait	532713879
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msaudio1 Name: fdwSupport	success or wait	532716994
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msaudio1 Name: cFormatTags	success or wait	532717190
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msaudio1 Name: aFormatTagCache	success or wait	532717379
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msaudio1 Name: cFilterTags	success or wait	532718141
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: msacm.sl_anet	buffer overflow	532718908
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: msacm.sl_anet	success or wait	532719041
Memory allocated	PID: 2036 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 158000 Length: 13EF90 Allocation Type: unknown Protection: page read and write	success or wait	532719879
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.sl_anet Name: fdwSupport	success or wait	532720120
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.sl_anet Name: cFormatTags	success or wait	532720581
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.sl_anet Name: aFormatTagCache	success or wait	532720810
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.sl_anet Name: cFilterTags	success or wait	532720996
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: msacm.iac2	buffer overflow	532722079
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: msacm.iac2	success or wait	532722495
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.iac2 Name: fdwSupport	success or wait	532722910
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.iac2 Name: cFormatTags	success or wait	532723099
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.iac2 Name: aFormatTagCache	success or wait	532723898
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.iac2 Name: cFilterTags	success or wait	532724356
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: msacm.l3acm	buffer overflow	532724813
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: msacm.l3acm	success or wait	532724944
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.l3acm Name: fdwSupport	success or wait	532725817
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.l3acm Name: cFormatTags	success or wait	532726293
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.l3acm Name: aFormatTagCache	success or wait	532726809
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.l3acm Name: cFilterTags	success or wait	532726999
Key value queried	Path: HKEY_USERS\Software\Microsoft\Multimedia\Audio Compression Manager\MSACM Name: NoPCMConverter	object name not found	532734234
Memory allocated	PID: 2036 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 159000 Length: 13EFB0 Allocation Type: unknown Protection: page read and write	success or wait	532734526
Key value queried	Path: HKEY_USERS\Software\Microsoft\Multimedia\Audio Compression Manager\Priority v4.00 Name: Priority1	object name not found	532736869
Key value queried	Path: HKEY_LOCAL_MACHINE\SYSTEM\Setup Name: SystemSetupInProgress	success or wait	532738404
File opened	Path: C:\WINDOWS\system32\SHELL32.dll Access: read data or list directory and read ea and execute or traverse and read attributes and read control and synchronize Options: synchronous io non alert and non directory file Overwritten: false	success or wait	532739382
Section loaded	Path: C:\WINDOWS\system32\shell32.dll Access: read Type: commit Baseaddress: 970000 Size: 8462336 Protection: readonly Mapped to pid: own pid	success or wait	532739768
File opened	Path: C:\WINDOWS\system32\SHELL32.dll.124.Manifest Access: read data or list directory and read ea and execute or traverse and read attributes and read control and synchronize Options: synchronous io non alert and non directory file Overwritten: false	object name not found	532740548
File opened	Path: C:\WINDOWS\system32\SHELL32.dll.124.Config Access: read data or list directory and read ea and execute or traverse and read attributes and read control and synchronize Options: synchronous io non alert and non directory file Overwritten: false	object name not found	532741033
File opened	Path: C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202 Access: execute or traverse and synchronize Options: directory file and synchronous io non alert Overwritten: false	success or wait	532755107
File opened	Path: C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll Access: execute or traverse and synchronize Options: synchronous io non alert and non directory file Overwritten: false	success or wait	532755686
Section loaded	Path: C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll Access: write and read and execute Type: commit Baseaddress: 970000 Size: 1056768 Protection: execute Mapped to pid: own pid	success or wait	532761741
File opened	Path: C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll Access: execute or traverse and synchronize Options: synchronous io non alert and non directory file Overwritten: false	success or wait	532763641
Section loaded	Path: C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll Access: query and write and read and execute Type: image Baseaddress: 773D0000 Size: 1060864 Protection: read write Mapped to pid: own pid	success or wait	532764206
Memory attributes changed	PID: 2036 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 773D1000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	532765489
Memory attributes changed	PID: 2036 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 773D1000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	532765591
Memory attributes changed	PID: 2036 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 773D1000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	532766136
Memory attributes changed	PID: 2036 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 773D1000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	532766269
Memory attributes changed	PID: 2036 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 773D1000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	532766441
Memory attributes changed	PID: 2036 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 773D1000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	532766597
Memory attributes changed	PID: 2036 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 773D1000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	532766748
Memory attributes changed	PID: 2036 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 773D1000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	532767433
Memory attributes changed	PID: 2036 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 773D1000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	532767590
Memory attributes changed	PID: 2036 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 773D1000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	532768046
Memory attributes changed	PID: 2036 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 773D1000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	532768522
Memory attributes changed	PID: 2036 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 773D1000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	532768659
Memory attributes changed	PID: 2036 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 773D1000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	532768794
Memory attributes changed	PID: 2036 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 773D1000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	532769433
File opened	Path: C:\WINDOWS\WindowsShell.Manifest Access: execute or traverse and synchronize Options: synchronous io non alert and non directory file Overwritten: false	success or wait	532770554
Section loaded	Path: C:\WINDOWS\WindowsShell.Manifest Access: write and read and execute Type: commit Baseaddress: 440000 Size: 4096 Protection: execute Mapped to pid: own pid	success or wait	532770979
File opened	Path: C:\WINDOWS\WindowsShell.Manifest Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file Attributes: none Content Overwritten: true	success or wait	532772579
Section loaded	Path: C:\WINDOWS\WindowsShell.Manifest Access: query and read Type: commit Baseaddress: 440000 Size: 4096 Protection: readonly Mapped to pid: own pid	success or wait	532773339
File opened	Path: C:\WINDOWS\WindowsShell.Manifest Access: execute or traverse and synchronize Options: synchronous io non alert and non directory file Overwritten: false	success or wait	532774400
Section loaded	Path: C:\WINDOWS\WindowsShell.Manifest Access: read Type: commit Baseaddress: 440000 Size: 4096 Protection: readonly Mapped to pid: own pid	success or wait	532775291
File opened	Path: C:\WINDOWS\WindowsShell.Config Access: read data or list directory and read ea and execute or traverse and read attributes and read control and synchronize Options: synchronous io non alert and non directory file Overwritten: false	object name not found	532775718
Key value queried	Path: HKEY_USERS\Control Panel\Desktop Name: SmoothScroll	object name not found	532788641
Key value queried	Path: HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced Name: EnableBalloonTips	object name not found	532789579
Section loaded	Path: \KnownDlls\comctl32.dll Access: write and read and execute Type: unknown Baseaddress: 5D090000 Size: 630784 Protection: read write Mapped to pid: own pid	success or wait	532791832
Memory attributes changed	PID: 2036 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 5D091000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	532793044
Memory attributes changed	PID: 2036 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 5D091000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	532793235
Memory attributes changed	PID: 2036 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 5D091000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	532793650
Memory attributes changed	PID: 2036 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 5D091000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	532794157
Memory attributes changed	PID: 2036 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 5D091000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	532794292
Memory attributes changed	PID: 2036 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 5D091000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	532794452
Memory attributes changed	PID: 2036 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 5D091000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	532795064
Memory attributes changed	PID: 2036 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 5D091000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	532795208
Memory attributes changed	PID: 2036 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 5D091000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	532795342
Memory attributes changed	PID: 2036 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 5D091000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	532795849
System info queried	Type: BasicInformation	success or wait	532796186
Memory allocated	PID: 2036 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 440000 Length: 13F1B8 Allocation Type: unknown Protection: page read and write	success or wait	532796327
Memory allocated	PID: 2036 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 440000 Length: 13F1BC Allocation Type: unknown Protection: page read and write	success or wait	532797014
Memory allocated	PID: 2036 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 441000 Length: 13EE98 Allocation Type: unknown Protection: page read and write	success or wait	532797187
Memory allocated	PID: 2036 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 443000 Length: 13EF4C Allocation Type: unknown Protection: page read and write	success or wait	532797735
File opened	Path: C:\WINDOWS\system32\comctl32.dll Access: read data or list directory and read ea and execute or traverse and read attributes and read control and synchronize Options: synchronous io non alert and non directory file Overwritten: false	success or wait	532798660
Section loaded	Path: C:\WINDOWS\system32\comctl32.dll Access: read Type: commit Baseaddress: 970000 Size: 618496 Protection: readonly Mapped to pid: own pid	success or wait	532799074
File opened	Path: C:\WINDOWS\system32\comctl32.dll.124.Manifest Access: read data or list directory and read ea and execute or traverse and read attributes and read control and synchronize Options: synchronous io non alert and non directory file Overwritten: false	object name not found	532804824
File opened	Path: C:\WINDOWS\system32\comctl32.dll.124.Config Access: read data or list directory and read ea and execute or traverse and read attributes and read control and synchronize Options: synchronous io non alert and non directory file Overwritten: false	object name not found	532805549
Process information queried	Path: C:\WINDOWS\system32\LogFiles\smss.exe PID: 2036 Info Class: SessionInformation	success or wait	532807912
Key value queried	Path: HKEY_USERS\Control Panel\Desktop Name: SmoothScroll	object name not found	532809108
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Name: UserEnvDebugLevel	object name not found	532810608
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Name: ChkAccDebugLevel	object name not found	532811295
Key value queried	Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ProductOptions Name: ProductType	success or wait	532812162
Key value queried	Path: HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders Name: Personal	success or wait	532813062
Key value queried	Path: HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders Name: Local Settings	success or wait	532813254
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Name: RsopDebugLevel	object name not found	532814249
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Name: UserEnvDebugLevel	object name not found	532815238
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Name: RsopLogging	object name not found	532815425
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System Name: UserEnvDebugLevel	object name not found	532816251
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System Name: RsopLogging	object name not found	532816449
Memory allocated	PID: 2036 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 424000 Length: 13EF58 Allocation Type: unknown Protection: page read and write	success or wait	532817118
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Name: UserEnvDebugLevel	object name not found	532817305
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System Name: UserEnvDebugLevel	object name not found	532821522
Key value queried	Path: HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\ThemeManager Name: Compositing	object name not found	532822913
Key value queried	Path: HKEY_USERS\Control Panel\Desktop Name: LameButtonText	object name not found	532823977
System info queried	Type: BasicInformation	success or wait	532826985
Memory allocated	PID: 2036 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 970000 Length: 13FF1C Allocation Type: unknown Protection: page read and write	success or wait	532827446
Memory allocated	PID: 2036 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 970000 Length: 13FF20 Allocation Type: unknown Protection: page read and write	success or wait	532827571
Memory allocated	PID: 2036 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 971000 Length: 13FC4C Allocation Type: unknown Protection: page read and write	success or wait	532827773
Memory allocated	PID: 2036 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 980000 Length: 13FE78 Allocation Type: unknown Protection: page read and write	success or wait	532828406
Memory allocated	PID: 2036 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 980000 Length: 13FE68 Allocation Type: unknown Protection: page read and write	success or wait	532828548
Process information queried	Path: C:\WINDOWS\system32\LogFiles\smss.exe PID: 2036 Info Class: DefaultHardErrorMode	success or wait	532830513
Process information queried	Path: C:\WINDOWS\system32\LogFiles\smss.exe PID: 2036 Info Class: DefaultHardErrorMode	success or wait	532830983
System info queried	Type: BasicInformation	success or wait	532831757
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc Name: MaxRpcSize	object name not found	532831993
System time queried	Time: 129718679888750000	success or wait	532832897
System info queried	Type: PerformanceInformation	success or wait	532833135
Process information queried	Path: C:\WINDOWS\system32\LogFiles\smss.exe PID: 2036 Info Class: QuotaLimits	success or wait	532833687
Process information queried	Path: C:\WINDOWS\system32\LogFiles\smss.exe PID: 2036 Info Class: VmCounters	success or wait	532833872
Memory allocated	PID: 2036 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 15A000 Length: 13F4D8 Allocation Type: unknown Protection: page read and write	success or wait	532844681
Process terminated	PID: 2036 Path: C:\WINDOWS\system32\LogFiles\smss.exe	success or wait	533880917
Process information queried	Path: C:\WINDOWS\system32\LogFiles\smss.exe PID: 2036 Info Class: Cookie	success or wait	533881570
Process information queried	Path: C:\WINDOWS\system32\LogFiles\smss.exe PID: 2036 Info Class: Cookie	success or wait	533882700
Process information queried	Path: C:\WINDOWS\system32\LogFiles\smss.exe PID: 2036 Info Class: Cookie	success or wait	533887119
Process information queried	Path: C:\WINDOWS\system32\LogFiles\smss.exe PID: 2036 Info Class: Cookie	success or wait	533889022
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize Name: DisableMetaFiles	object name not found	533891938

Analysis File: smss.exe PID: 988 Parent PID: 664

General

Start time:	09:39:48
Start date:	24/01/2012
Path:	C:\WINDOWS\system32\LogFiles\smss.exe
Wow64 process (32bit):	false
Commandline:	unknown
Imagebase:	0x71aa0000
File size:	69632 bytes
MD5 hash:	8EBD97EE5F259CB2F1B38DA1F1040CF0

File Activites

File Path	Access	Options	Content overwritten	Completion	Count	Source Address	Symbol
C:\WINDOWS\system32\	execute or traverse and synchronize	directory file and synchronous io non alert	false	success or wait	1	7C90E457	KiUserApcDispatcher
C:\WINDOWS\system32\WS2_32.dll	execute or traverse and synchronize	synchronous io non alert and non directory file	false	success or wait	1	7C90E457	KiUserApcDispatcher
C:\WINDOWS\system32\WS2HELP.dll	execute or traverse and synchronize	synchronous io non alert and non directory file	false	success or wait	1	7C90E457	KiUserApcDispatcher
C:\WINDOWS\system32\ShimEng.dll	execute or traverse and synchronize	synchronous io non alert and non directory file	false	success or wait	1	7C90E457	KiUserApcDispatcher
C:\WINDOWS\AppPatch\AcGenral.DLL	execute or traverse and synchronize	synchronous io non alert and non directory file	false	success or wait	3	7C90E457	KiUserApcDispatcher
C:\WINDOWS\system32\WINMM.dll	execute or traverse and synchronize	synchronous io non alert and non directory file	false	success or wait	1	7C90E457	KiUserApcDispatcher
C:\WINDOWS\system32\MSACM32.dll	execute or traverse and synchronize	synchronous io non alert and non directory file	false	success or wait	1	7C90E457	KiUserApcDispatcher
C:\WINDOWS\system32\UxTheme.dll	execute or traverse and synchronize	synchronous io non alert and non directory file	false	success or wait	1	7C90E457	KiUserApcDispatcher
C:\WINDOWS\system32\IMM32.DLL	execute or traverse and synchronize	synchronous io non alert and non directory file	false	success or wait	3	7C90E457	KiUserApcDispatcher
\Device\KsecDD	read data or list directory and synchronize	synchronous io alert	false	success or wait	1	7C90E457	KiUserApcDispatcher
C:\WINDOWS\system32\SHELL32.dll	read data or list directory and read ea and execute or traverse and read attributes and read control and synchronize	synchronous io non alert and non directory file	false	success or wait	1	7C90E457	KiUserApcDispatcher
C:\WINDOWS\system32\SHELL32.dll.124.Manifest	read data or list directory and read ea and execute or traverse and read attributes and read control and synchronize	synchronous io non alert and non directory file	false	object name not found	1	7C90E457	KiUserApcDispatcher
C:\WINDOWS\system32\SHELL32.dll.124.Config	read data or list directory and read ea and execute or traverse and read attributes and read control and synchronize	synchronous io non alert and non directory file	false	object name not found	1	7C90E457	KiUserApcDispatcher
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202	execute or traverse and synchronize	directory file and synchronous io non alert	false	success or wait	1	7C90E457	KiUserApcDispatcher
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll	execute or traverse and synchronize	synchronous io non alert and non directory file	false	success or wait	2	7C90E457	KiUserApcDispatcher
C:\WINDOWS\WindowsShell.Manifest	execute or traverse and synchronize	synchronous io non alert and non directory file	false	success or wait	2	7C90E457	KiUserApcDispatcher
C:\WINDOWS\WindowsShell.Config	read data or list directory and read ea and execute or traverse and read attributes and read control and synchronize	synchronous io non alert and non directory file	false	object name not found	1	7C90E457	KiUserApcDispatcher
C:\WINDOWS\system32\comctl32.dll	read data or list directory and read ea and execute or traverse and read attributes and read control and synchronize	synchronous io non alert and non directory file	false	success or wait	1	7C90E457	KiUserApcDispatcher
C:\WINDOWS\system32\comctl32.dll.124.Manifest	read data or list directory and read ea and execute or traverse and read attributes and read control and synchronize	synchronous io non alert and non directory file	false	object name not found	1	7C90E457	KiUserApcDispatcher
C:\WINDOWS\system32\comctl32.dll.124.Config	read data or list directory and read ea and execute or traverse and read attributes and read control and synchronize	synchronous io non alert and non directory file	false	object name not found	1	7C90E457	KiUserApcDispatcher
pipe\	read attributes and synchronize	synchronous io non alert	false	success or wait	1	140011A4	StartServiceCtrlDispatcherA
C:\WINDOWS\AppPatch\sysmain.sdb	read attributes and synchronize and generic read	synchronous io non alert and non directory file	true	success or wait	1	7C90E457	KiUserApcDispatcher
C:\WINDOWS\AppPatch\systest.sdb	read attributes and synchronize and generic read	synchronous io non alert and non directory file	true	object name not found	1	7C90E457	KiUserApcDispatcher
\Device\NamedPipe\ShimViewer	write data or add file and append data or add subdirectory or create pipe instance and write ea and write attributes and read control and synchronize	no options	true	object name not found	3	7C90E457	KiUserApcDispatcher
C:\WINDOWS\AppPatch\AcGenral.DLL	read attributes and synchronize and generic read	synchronous io non alert and non directory file	true	success or wait	1	7C90E457	KiUserApcDispatcher
C:\WINDOWS\WindowsShell.Manifest	read attributes and synchronize and generic read	synchronous io non alert and non directory file	true	success or wait	1	7C90E457	KiUserApcDispatcher
\pipe\net\NtControlPipe20	read attributes and synchronize and generic read and generic write	synchronous io non alert and non directory file	true	success or wait	1	140011A4	StartServiceCtrlDispatcherA

File Path	Offset	Length	Value	Completion	Count	Source Address	Symbol
\net\NtControlPipe20	unknown	4	dc 03 00 00	success or wait	2	140011A4	StartServiceCtrlDispatcherA

File Path	Offset	Length	Completion	Count	Source Address	Symbol
\net\NtControlPipe20	unknown	534	success or wait	1	140011A4	StartServiceCtrlDispatcherA
\net\NtControlPipe20	unknown	534	unknown	1	140011A4	StartServiceCtrlDispatcherA

File Path	Disposition	Data	Ascii Data	Completion	Count	Source Address	Symbol
C:\WINDOWS\system32	90028	NULL	NULL	success or wait	1	7C90E457	KiUserApcDispatcher
\	110018	80 2E 0F F7 FF FF FF FF 26 00 00 00 01 10 6E 00 65 00 74 00 5C 00 4E 00 74 00 43 00 6F 00 6E 00 74 00 72 00 6F 00 6C 00 50 00 69 00 70 00 65 00 32 00 30 00	........&.....n.e.t.\.N.t.C.o.n.t.r.o.l.P.i.p.e.2.0.	success or wait	1	140011A4	StartServiceCtrlDispatcherA
\net\NtControlPipe20	PipeInformation	unknown		success or wait	1	140011A4	StartServiceCtrlDispatcherA

Section Activites

Section loaded by Windows

File Path	Access	Type	Base	Size	Mapped to pid	Protection	Completion	Count
\KnownDlls\kernel32.dll	write and read and execute	unknown	7C800000	1007616	own pid	read write	success or wait	1
unknown	query and write and read and execute and extend size	reserve	7C800000	1007616	own pid	read write	success or wait	1
\NLS\NlsSectionUnicode	read	unknown	270000	90112	own pid	readonly	success or wait	1
\NLS\NlsSectionLocale	read	unknown	290000	266240	own pid	readonly	success or wait	1
\NLS\NlsSectionSortkey	query and read	unknown	2E0000	266240	own pid	readonly	success or wait	1
\NLS\NlsSectionSortTbls	read	unknown	330000	24576	own pid	readonly	success or wait	1
\NLS\NlsSectionSortkey00000409	read	unknown	unknown	unknown	unknown	unknown	object name not found	1
\NLS\NlsSectionSortkey00000409	read	unknown	unknown	unknown	unknown	unknown	object name not found	1
\KnownDlls\USER32.dll	write and read and execute	unknown	7E410000	593920	own pid	read write	success or wait	1
\KnownDlls\GDI32.dll	write and read and execute	unknown	77F10000	299008	own pid	read write	success or wait	1
\KnownDlls\ADVAPI32.dll	write and read and execute	unknown	77DD0000	634880	own pid	read write	success or wait	1
\KnownDlls\RPCRT4.dll	write and read and execute	unknown	77E70000	602112	own pid	read write	success or wait	1
\KnownDlls\Secur32.dll	write and read and execute	unknown	77FE0000	69632	own pid	read write	success or wait	1
\KnownDlls\WS2_32.dll	write and read and execute	unknown	unknown	unknown	unknown	unknown	object name not found	1
C:\WINDOWS\system32\ws2_32.dll	query and write and read and execute	image	71AB0000	94208	own pid	read write	success or wait	1
\KnownDlls\msvcrt.dll	write and read and execute	unknown	77C10000	360448	own pid	read write	success or wait	1
\KnownDlls\WS2HELP.dll	write and read and execute	unknown	unknown	unknown	unknown	unknown	object name not found	1
C:\WINDOWS\system32\ws2help.dll	query and write and read and execute	image	71AA0000	32768	own pid	read write	success or wait	1
\KnownDlls\SHLWAPI.dll	write and read and execute	unknown	77F60000	483328	own pid	read write	success or wait	1
\KnownDlls\ShimEng.dll	write and read and execute	unknown	unknown	unknown	unknown	unknown	object name not found	1
C:\WINDOWS\system32\shimeng.dll	query and write and read and execute	image	5CB70000	155648	own pid	read write	success or wait	1
C:\WINDOWS\AppPatch\sysmain.sdb	read	commit	340000	1208320	own pid	readonly	success or wait	1
C:\WINDOWS\AppPatch\acgenral.dll	write and read and execute	commit	480000	1855488	own pid	execute	success or wait	1
C:\WINDOWS\AppPatch\acgenral.dll	write and read and execute	commit	480000	1855488	own pid	execute	success or wait	1
C:\WINDOWS\AppPatch\acgenral.dll	query and write and read and execute	image	6F880000	1875968	own pid	read write	success or wait	1
\KnownDlls\WINMM.dll	write and read and execute	unknown	unknown	unknown	unknown	unknown	object name not found	1
C:\WINDOWS\system32\winmm.dll	query and write and read and execute	image	76B40000	184320	own pid	read write	success or wait	1
\KnownDlls\ole32.dll	write and read and execute	unknown	774E0000	1302528	own pid	read write	success or wait	1
\KnownDlls\OLEAUT32.dll	write and read and execute	unknown	77120000	569344	own pid	read write	success or wait	1
\KnownDlls\MSACM32.dll	write and read and execute	unknown	unknown	unknown	unknown	unknown	object name not found	1
C:\WINDOWS\system32\msacm32.dll	query and write and read and execute	image	77BE0000	86016	own pid	read write	success or wait	1
\KnownDlls\VERSION.dll	write and read and execute	unknown	77C00000	32768	own pid	read write	success or wait	1
\KnownDlls\SHELL32.dll	write and read and execute	unknown	7C9C0000	8482816	own pid	read write	success or wait	1
\KnownDlls\USERENV.dll	write and read and execute	unknown	769C0000	737280	own pid	read write	success or wait	1
\KnownDlls\UxTheme.dll	write and read and execute	unknown	unknown	unknown	unknown	unknown	object name not found	1
C:\WINDOWS\system32\uxtheme.dll	query and write and read and execute	image	5AD70000	229376	own pid	read write	success or wait	1
\NLS\NlsSectionCType	read	unknown	490000	12288	own pid	readonly	success or wait	1
C:\WINDOWS\system32\imm32.dll	write and read and execute	commit	410000	110592	own pid	execute	success or wait	1
C:\WINDOWS\system32\imm32.dll	write and read and execute	commit	410000	110592	own pid	execute	success or wait	1
C:\WINDOWS\system32\imm32.dll	query and write and read and execute	image	76390000	118784	own pid	read write	success or wait	1
C:\WINDOWS\system32\shell32.dll	read	commit	6F0000	8462336	own pid	readonly	success or wait	1
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll	write and read and execute	commit	6F0000	1056768	own pid	execute	success or wait	1
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll	query and write and read and execute	image	773D0000	1060864	own pid	read write	success or wait	1
C:\WINDOWS\WindowsShell.Manifest	write and read and execute	commit	440000	4096	own pid	execute	success or wait	1
C:\WINDOWS\WindowsShell.Manifest	query and read	commit	440000	4096	own pid	readonly	success or wait	1
C:\WINDOWS\WindowsShell.Manifest	read	commit	440000	4096	own pid	readonly	success or wait	1
\KnownDlls\comctl32.dll	write and read and execute	unknown	5D090000	630784	own pid	read write	success or wait	1
C:\WINDOWS\system32\comctl32.dll	read	commit	6F0000	618496	own pid	readonly	success or wait	1

Registry Activites

Key Path	Name	Completion	Count	Source Address	Symbol
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager	CWDIllegalInDLLSearch	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Terminal Server	TSAppCompat	success or wait	2	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SYSTEM\WPA\MediaCenter	Installed	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager	SafeDllSearchMode	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize	DisableMetaFiles	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows	AppInit_DLLs	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Terminal Server	TSUserEnabled	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon	LeakTrack	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	wave	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	wave	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	wave1	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	wave1	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	wave2	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	wave3	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	wave4	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	wave5	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	wave6	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	wave7	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	wave8	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	wave9	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	midi	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	midi	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	midi1	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	midi1	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	midi2	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	midi3	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	midi4	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	midi5	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	midi6	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	midi7	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	midi8	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	midi9	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	aux	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	aux	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	aux1	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	aux1	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	aux2	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	aux3	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	aux4	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	aux5	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	aux6	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	aux7	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	aux8	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	aux9	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\MediaProperties\PrivateProperties\Joystick\Winmm	wheel	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	mixer	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	mixer	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	mixer1	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	mixer1	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	mixer2	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	mixer3	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	mixer4	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	mixer5	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	mixer6	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	mixer7	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	mixer8	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	mixer9	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager	CriticalSectionTimeout	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole	RWLockResourceTimeOut	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface	InterfaceHelperDisableAll	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface	InterfaceHelperDisableAllForOle32	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface	InterfaceHelperDisableTypeLib	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{00020400-0000-0000-C000-000000000046}	InterfaceHelperDisableAll	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{00020400-0000-0000-C000-000000000046}	InterfaceHelperDisableAllForOle32	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_USERS\Software\Microsoft\Multimedia\Audio	SystemFormats	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	msacm.imaadpcm	buffer overflow	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	msacm.imaadpcm	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.imaadpcm	fdwSupport	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.imaadpcm	cFormatTags	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.imaadpcm	aFormatTagCache	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.imaadpcm	cFilterTags	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	msacm.msadpcm	buffer overflow	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	msacm.msadpcm	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msadpcm	fdwSupport	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msadpcm	cFormatTags	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msadpcm	aFormatTagCache	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msadpcm	cFilterTags	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	msacm.msg711	buffer overflow	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	msacm.msg711	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msg711	fdwSupport	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msg711	cFormatTags	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msg711	aFormatTagCache	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msg711	cFilterTags	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	msacm.msgsm610	buffer overflow	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	msacm.msgsm610	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msgsm610	fdwSupport	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msgsm610	cFormatTags	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msgsm610	aFormatTagCache	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msgsm610	cFilterTags	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	msacm.trspch	buffer overflow	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	msacm.trspch	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.trspch	fdwSupport	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.trspch	cFormatTags	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.trspch	aFormatTagCache	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.trspch	cFilterTags	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	msacm.msg723	buffer overflow	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	msacm.msg723	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msg723	fdwSupport	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msg723	cFormatTags	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msg723	aFormatTagCache	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msg723	cFilterTags	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	msacm.msaudio1	buffer overflow	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	msacm.msaudio1	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msaudio1	fdwSupport	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msaudio1	cFormatTags	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msaudio1	aFormatTagCache	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msaudio1	cFilterTags	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	msacm.sl_anet	buffer overflow	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	msacm.sl_anet	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.sl_anet	fdwSupport	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.sl_anet	cFormatTags	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.sl_anet	aFormatTagCache	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.sl_anet	cFilterTags	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	msacm.iac2	buffer overflow	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	msacm.iac2	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.iac2	fdwSupport	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.iac2	cFormatTags	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.iac2	aFormatTagCache	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.iac2	cFilterTags	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	msacm.l3acm	buffer overflow	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	msacm.l3acm	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.l3acm	fdwSupport	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.l3acm	cFormatTags	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.l3acm	aFormatTagCache	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.l3acm	cFilterTags	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_USERS\Software\Microsoft\Multimedia\Audio Compression Manager\MSACM	NoPCMConverter	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_USERS\Software\Microsoft\Multimedia\Audio Compression Manager\Priority v4.00	Priority1	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SYSTEM\Setup	SystemSetupInProgress	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_USERS\Control Panel\Desktop	SmoothScroll	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_USERS\Control Panel\Desktop	SmoothScroll	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon	UserEnvDebugLevel	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon	ChkAccDebugLevel	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ProductOptions	ProductType	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders	Personal	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders	Local Settings	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon	RsopDebugLevel	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon	UserEnvDebugLevel	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon	RsopLogging	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System	UserEnvDebugLevel	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System	RsopLogging	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon	UserEnvDebugLevel	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System	UserEnvDebugLevel	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\ThemeManager	Compositing	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_USERS\Control Panel\Desktop	LameButtonText	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc	MaxRpcSize	object name not found	1	14001722	OpenSCManagerA
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ServiceCurrent		success or wait	1	140011A4	StartServiceCtrlDispatcherA

Mutex Activites

Name	Completion	Count	Source Address	Symbol
\BaseNamedObjects\SHIMLIB_LOG_MUTEX	object name exists	1	7C90E457	KiUserApcDispatcher

Process Activites

PID	Process info class	Completion	Count	Source Address	Symbol
988	Cookie	success or wait	5	7C90E457	KiUserApcDispatcher
988	Wow64Information	success or wait	3	7C90E457	KiUserApcDispatcher
988	ImageInformation	success or wait	1	7C90E457	KiUserApcDispatcher
988	SessionInformation	success or wait	1	7C90E457	KiUserApcDispatcher
988	DefaultHardErrorMode	success or wait	2	14001110	PathFileExistsA
988	QuotaLimits	success or wait	1	14001722	OpenSCManagerA
988	VmCounters	success or wait	1	14001722	OpenSCManagerA

Thread Activites

TID	PID	EIP	EAX (Usermode EIP)	Filepath	Completion	Count	Source Address	Symbol
1268	988	7C8106F9	77DF3539	C:\WINDOWS\system32\LogFiles\smss.exe	success or wait	1	140011A4	StartServiceCtrlDispatcherA

TID	PID	Path	Completion	Count	Source Address	Symbol
1268	988	C:\WINDOWS\system32\LogFiles\smss.exe	success or wait	1	140011A4	StartServiceCtrlDispatcherA

Thread Delayed

TID	Delay	Completion	Count	Source Address	Symbol
1268	-360s	unknown	1	1400191E	Sleep

Memory Activites

Memory Allocated

PID	Filepath	Base	Length	Protection	Completion	Count	Source Address	Symbol
988	C:\WINDOWS\system32\LogFiles\smss.exe	150000	13FB14	page read and write	success or wait	1	7C90E457	KiUserApcDispatcher
988	C:\WINDOWS\system32\LogFiles\smss.exe	150000	13FB18	page read and write	success or wait	1	7C90E457	KiUserApcDispatcher
988	C:\WINDOWS\system32\LogFiles\smss.exe	151000	13F7F4	page read and write	success or wait	1	7C90E457	KiUserApcDispatcher
988	C:\WINDOWS\system32\LogFiles\smss.exe	250000	13FB14	page read and write	success or wait	1	7C90E457	KiUserApcDispatcher
988	C:\WINDOWS\system32\LogFiles\smss.exe	250000	13FB18	page read and write	success or wait	1	7C90E457	KiUserApcDispatcher
988	C:\WINDOWS\system32\LogFiles\smss.exe	260000	13F340	page read and write	success or wait	1	7C90E457	KiUserApcDispatcher
988	C:\WINDOWS\system32\LogFiles\smss.exe	261000	13F168	page read and write	success or wait	1	7C90E457	KiUserApcDispatcher
988	C:\WINDOWS\system32\LogFiles\smss.exe	153000	13F3EC	page read and write	success or wait	1	7C90E457	KiUserApcDispatcher
988	C:\WINDOWS\system32\LogFiles\smss.exe	470000	13F0C8	page read and write	success or wait	1	7C90E457	KiUserApcDispatcher
988	C:\WINDOWS\system32\LogFiles\smss.exe	470000	13F0CC	page read and write	success or wait	1	7C90E457	KiUserApcDispatcher
988	C:\WINDOWS\system32\LogFiles\smss.exe	472000	13EB64	page read and write	success or wait	1	7C90E457	KiUserApcDispatcher
988	C:\WINDOWS\system32\LogFiles\smss.exe	473000	13EEA8	page read and write	success or wait	1	7C90E457	KiUserApcDispatcher
988	C:\WINDOWS\system32\LogFiles\smss.exe	480000	13E978	page read and write	success or wait	1	7C90E457	KiUserApcDispatcher
988	C:\WINDOWS\system32\LogFiles\smss.exe	480000	13E97C	page read and write	success or wait	1	7C90E457	KiUserApcDispatcher
988	C:\WINDOWS\system32\LogFiles\smss.exe	481000	13E658	page read and write	success or wait	1	7C90E457	KiUserApcDispatcher
988	C:\WINDOWS\system32\LogFiles\smss.exe	483000	13E70C	page read and write	success or wait	1	7C90E457	KiUserApcDispatcher
988	C:\WINDOWS\system32\LogFiles\smss.exe	4A0000	13F04C	page read and write	success or wait	1	7C90E457	KiUserApcDispatcher
988	C:\WINDOWS\system32\LogFiles\smss.exe	4A0000	13F050	page read and write	success or wait	1	7C90E457	KiUserApcDispatcher
988	C:\WINDOWS\system32\LogFiles\smss.exe	4A1000	13ED2C	page read and write	success or wait	1	7C90E457	KiUserApcDispatcher
988	C:\WINDOWS\system32\LogFiles\smss.exe	154000	13F788	page read and write	success or wait	1	7C90E457	KiUserApcDispatcher
988	C:\WINDOWS\system32\LogFiles\smss.exe	420000	13F91C	page read and write	success or wait	1	7C90E457	KiUserApcDispatcher
988	C:\WINDOWS\system32\LogFiles\smss.exe	420000	13F920	page read and write	success or wait	1	7C90E457	KiUserApcDispatcher
988	C:\WINDOWS\system32\LogFiles\smss.exe	421000	13F5FC	page read and write	success or wait	1	7C90E457	KiUserApcDispatcher
988	C:\WINDOWS\system32\LogFiles\smss.exe	423000	13F6B8	page read and write	success or wait	1	7C90E457	KiUserApcDispatcher
988	C:\WINDOWS\system32\LogFiles\smss.exe	155000	13F694	page read and write	success or wait	1	7C90E457	KiUserApcDispatcher
988	C:\WINDOWS\system32\LogFiles\smss.exe	670000	13F52C	page read and write	success or wait	1	7C90E457	KiUserApcDispatcher
988	C:\WINDOWS\system32\LogFiles\smss.exe	670000	13F528	page read and write	success or wait	1	7C90E457	KiUserApcDispatcher
988	C:\WINDOWS\system32\LogFiles\smss.exe	156000	13F55C	page read and write	success or wait	1	7C90E457	KiUserApcDispatcher
988	C:\WINDOWS\system32\LogFiles\smss.exe	157000	13F188	page read and write	success or wait	1	7C90E457	KiUserApcDispatcher
988	C:\WINDOWS\system32\LogFiles\smss.exe	158000	13F188	page read and write	success or wait	1	7C90E457	KiUserApcDispatcher
988	C:\WINDOWS\system32\LogFiles\smss.exe	159000	13EFB0	page read and write	success or wait	1	7C90E457	KiUserApcDispatcher
988	C:\WINDOWS\system32\LogFiles\smss.exe	440000	13F1B8	page read and write	success or wait	1	7C90E457	KiUserApcDispatcher
988	C:\WINDOWS\system32\LogFiles\smss.exe	440000	13F1BC	page read and write	success or wait	1	7C90E457	KiUserApcDispatcher
988	C:\WINDOWS\system32\LogFiles\smss.exe	441000	13EE98	page read and write	success or wait	1	7C90E457	KiUserApcDispatcher
988	C:\WINDOWS\system32\LogFiles\smss.exe	443000	13EF4C	page read and write	success or wait	1	7C90E457	KiUserApcDispatcher
988	C:\WINDOWS\system32\LogFiles\smss.exe	6F0000	13FF1C	page read and write	success or wait	1	1400813A	HeapCreate
988	C:\WINDOWS\system32\LogFiles\smss.exe	6F0000	13FF20	page read and write	success or wait	1	1400813A	HeapCreate
988	C:\WINDOWS\system32\LogFiles\smss.exe	6F1000	13FC4C	page read and write	success or wait	1	7C817077	unknown
988	C:\WINDOWS\system32\LogFiles\smss.exe	700000	13FE78	page read and write	success or wait	1	140098EB	VirtualAlloc
988	C:\WINDOWS\system32\LogFiles\smss.exe	700000	13FE68	page read and write	success or wait	1	14009977	VirtualAlloc
988	C:\WINDOWS\system32\LogFiles\smss.exe	15A000	13F708	page read and write	success or wait	1	140011A4	StartServiceCtrlDispatcherA
988	C:\WINDOWS\system32\LogFiles\smss.exe	800000	13F55C	page read and write	success or wait	1	140011A4	StartServiceCtrlDispatcherA
988	C:\WINDOWS\system32\LogFiles\smss.exe	8FE000	13F558	page read and write	success or wait	1	140011A4	StartServiceCtrlDispatcherA

PID	Filepath	Base	Length	New Protection	Old Protection	Completion	Count	Source Address	Symbol
988	C:\WINDOWS\system32\LogFiles\smss.exe	7C801000	1000	page read and write	page execute read	success or wait	1	7C90E457	KiUserApcDispatcher
988	C:\WINDOWS\system32\LogFiles\smss.exe	7C801000	1000	page execute read	page read and write	success or wait	1	7C90E457	KiUserApcDispatcher
988	C:\WINDOWS\system32\LogFiles\smss.exe	1400B000	1000	page read and write	page write copy	success or wait	1	7C90E457	KiUserApcDispatcher
988	C:\WINDOWS\system32\LogFiles\smss.exe	1400B000	1000	page write copy	page read and write	success or wait	1	7C90E457	KiUserApcDispatcher
988	C:\WINDOWS\system32\LogFiles\smss.exe	77F11000	1000	page read and write	page execute read	success or wait	3	7C90E457	KiUserApcDispatcher
988	C:\WINDOWS\system32\LogFiles\smss.exe	77F11000	1000	page execute read	page read and write	success or wait	3	7C90E457	KiUserApcDispatcher
988	C:\WINDOWS\system32\LogFiles\smss.exe	7E411000	1000	page read and write	page execute read	success or wait	3	7C90E457	KiUserApcDispatcher
988	C:\WINDOWS\system32\LogFiles\smss.exe	7E411000	1000	page execute read	page read and write	success or wait	3	7C90E457	KiUserApcDispatcher
988	C:\WINDOWS\system32\LogFiles\smss.exe	1400B000	1000	page read and write	page read and write	success or wait	4	7C90E457	KiUserApcDispatcher
988	C:\WINDOWS\system32\LogFiles\smss.exe	1400B000	1000	page read and write	page read and write	success or wait	4	7C90E457	KiUserApcDispatcher
988	C:\WINDOWS\system32\LogFiles\smss.exe	77DD1000	1000	page read and write	page execute read	success or wait	3	7C90E457	KiUserApcDispatcher
988	C:\WINDOWS\system32\LogFiles\smss.exe	77DD1000	1000	page execute read	page read and write	success or wait	3	7C90E457	KiUserApcDispatcher
988	C:\WINDOWS\system32\LogFiles\smss.exe	77E71000	1000	page read and write	page execute read	success or wait	4	7C90E457	KiUserApcDispatcher
988	C:\WINDOWS\system32\LogFiles\smss.exe	77E71000	1000	page execute read	page read and write	success or wait	4	7C90E457	KiUserApcDispatcher
988	C:\WINDOWS\system32\LogFiles\smss.exe	77FE1000	1000	page read and write	page execute read	success or wait	3	7C90E457	KiUserApcDispatcher
988	C:\WINDOWS\system32\LogFiles\smss.exe	77FE1000	1000	page execute read	page read and write	success or wait	3	7C90E457	KiUserApcDispatcher
988	C:\WINDOWS\system32\LogFiles\smss.exe	71AB1000	1000	page read and write	page execute read	success or wait	4	7C90E457	KiUserApcDispatcher
988	C:\WINDOWS\system32\LogFiles\smss.exe	71AB1000	1000	page execute read	page read and write	success or wait	4	7C90E457	KiUserApcDispatcher
988	C:\WINDOWS\system32\LogFiles\smss.exe	77C11000	1000	page read and write	page execute read	success or wait	2	7C90E457	KiUserApcDispatcher
988	C:\WINDOWS\system32\LogFiles\smss.exe	77C11000	1000	page execute read	page read and write	success or wait	2	7C90E457	KiUserApcDispatcher
988	C:\WINDOWS\system32\LogFiles\smss.exe	71AA1000	1000	page read and write	page execute read	success or wait	3	7C90E457	KiUserApcDispatcher
988	C:\WINDOWS\system32\LogFiles\smss.exe	71AA1000	1000	page execute read	page read and write	success or wait	3	7C90E457	KiUserApcDispatcher
988	C:\WINDOWS\system32\LogFiles\smss.exe	77F61000	1000	page read and write	page execute read	success or wait	5	7C90E457	KiUserApcDispatcher
988	C:\WINDOWS\system32\LogFiles\smss.exe	77F61000	1000	page execute read	page read and write	success or wait	5	7C90E457	KiUserApcDispatcher
988	C:\WINDOWS\system32\LogFiles\smss.exe	5CB71000	1000	page read and write	page execute read	success or wait	2	7C90E457	KiUserApcDispatcher
988	C:\WINDOWS\system32\LogFiles\smss.exe	5CB71000	1000	page execute read	page read and write	success or wait	2	7C90E457	KiUserApcDispatcher
988	C:\WINDOWS\system32\LogFiles\smss.exe	6F881000	1000	page read and write	page execute read	success or wait	7	7C90E457	KiUserApcDispatcher
988	C:\WINDOWS\system32\LogFiles\smss.exe	6F881000	1000	page execute read	page read and write	success or wait	7	7C90E457	KiUserApcDispatcher
988	C:\WINDOWS\system32\LogFiles\smss.exe	76B41000	1000	page read and write	page execute read	success or wait	5	7C90E457	KiUserApcDispatcher
988	C:\WINDOWS\system32\LogFiles\smss.exe	76B41000	1000	page execute read	page read and write	success or wait	5	7C90E457	KiUserApcDispatcher
988	C:\WINDOWS\system32\LogFiles\smss.exe	774E1000	1000	page read and write	page execute read	success or wait	7	7C90E457	KiUserApcDispatcher
988	C:\WINDOWS\system32\LogFiles\smss.exe	774E1000	1000	page execute read	page read and write	success or wait	7	7C90E457	KiUserApcDispatcher
988	C:\WINDOWS\system32\LogFiles\smss.exe	77121000	1000	page read and write	page execute read	success or wait	6	7C90E457	KiUserApcDispatcher
988	C:\WINDOWS\system32\LogFiles\smss.exe	77121000	1000	page execute read	page read and write	success or wait	6	7C90E457	KiUserApcDispatcher
988	C:\WINDOWS\system32\LogFiles\smss.exe	77BE1000	1000	page read and write	page execute read	success or wait	5	7C90E457	KiUserApcDispatcher
988	C:\WINDOWS\system32\LogFiles\smss.exe	77BE1000	1000	page execute read	page read and write	success or wait	5	7C90E457	KiUserApcDispatcher
988	C:\WINDOWS\system32\LogFiles\smss.exe	77C01000	1000	page read and write	page execute read	success or wait	2	7C90E457	KiUserApcDispatcher
988	C:\WINDOWS\system32\LogFiles\smss.exe	77C01000	1000	page execute read	page read and write	success or wait	2	7C90E457	KiUserApcDispatcher
988	C:\WINDOWS\system32\LogFiles\smss.exe	7C9C1000	2000	page read and write	page execute read	success or wait	8	7C90E457	KiUserApcDispatcher
988	C:\WINDOWS\system32\LogFiles\smss.exe	7C9C1000	2000	page execute read	page read and write	success or wait	8	7C90E457	KiUserApcDispatcher
988	C:\WINDOWS\system32\LogFiles\smss.exe	769C1000	1000	page read and write	page execute read	success or wait	5	7C90E457	KiUserApcDispatcher
988	C:\WINDOWS\system32\LogFiles\smss.exe	769C1000	1000	page execute read	page read and write	success or wait	5	7C90E457	KiUserApcDispatcher
988	C:\WINDOWS\system32\LogFiles\smss.exe	5AD71000	1000	page read and write	page execute read	success or wait	5	7C90E457	KiUserApcDispatcher
988	C:\WINDOWS\system32\LogFiles\smss.exe	5AD71000	1000	page execute read	page read and write	success or wait	5	7C90E457	KiUserApcDispatcher
988	C:\WINDOWS\system32\LogFiles\smss.exe	76391000	1000	page read and write	page execute read	success or wait	4	7C90E457	KiUserApcDispatcher
988	C:\WINDOWS\system32\LogFiles\smss.exe	76391000	1000	page execute read	page read and write	success or wait	4	7C90E457	KiUserApcDispatcher
988	C:\WINDOWS\system32\LogFiles\smss.exe	773D1000	1000	page read and write	page execute read	success or wait	7	7C90E457	KiUserApcDispatcher
988	C:\WINDOWS\system32\LogFiles\smss.exe	773D1000	1000	page execute read	page read and write	success or wait	7	7C90E457	KiUserApcDispatcher
988	C:\WINDOWS\system32\LogFiles\smss.exe	5D091000	1000	page read and write	page execute read	success or wait	5	7C90E457	KiUserApcDispatcher
988	C:\WINDOWS\system32\LogFiles\smss.exe	5D091000	1000	page execute read	page read and write	success or wait	5	7C90E457	KiUserApcDispatcher
988	C:\WINDOWS\system32\LogFiles\smss.exe	8FE000	1000	page read and write and page guard	page read and write	success or wait	1	140011A4	StartServiceCtrlDispatcherA

Memory Usage Statistics

Time	Private Usage (mb)	Workingset (mb)	Page File Usage (mb)
09:39:49	1	2	1

System Activites

System info class	Completion	Count	Source Address	Symbol
BasicInformation	success or wait	18	7C90E457	KiUserApcDispatcher
RangeStartInformation	success or wait	1	7C90E457	KiUserApcDispatcher
ProcessorInformation	success or wait	6	7C90E457	KiUserApcDispatcher
PerformanceInformation	success or wait	1	14001722	OpenSCManagerA

Timing Activites

Time	Completion	Count	Source Address	Symbol
129718679891250000	success or wait	1	14001722	OpenSCManagerA

Chronological Activities

Operation	Data	Completion	Time
Key value queried	Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager Name: CWDIllegalInDLLSearch	object name not found	533254235
System info queried	Type: BasicInformation	success or wait	533255856
Memory allocated	PID: 988 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 150000 Length: 13FB14 Allocation Type: unknown Protection: page read and write	success or wait	533255986
Memory allocated	PID: 988 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 150000 Length: 13FB18 Allocation Type: unknown Protection: page read and write	success or wait	533256084
Memory allocated	PID: 988 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 151000 Length: 13F7F4 Allocation Type: unknown Protection: page read and write	success or wait	533256253
System info queried	Type: BasicInformation	success or wait	533256353
Memory allocated	PID: 988 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 250000 Length: 13FB14 Allocation Type: unknown Protection: page read and write	success or wait	533256455
Memory allocated	PID: 988 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 250000 Length: 13FB18 Allocation Type: unknown Protection: page read and write	success or wait	533257014
File opened	Path: C:\WINDOWS\system32\ Access: execute or traverse and synchronize Options: directory file and synchronous io non alert Overwritten: false	success or wait	533257388
File control set	Path: C:\WINDOWS\system32 Control Code: 90028 Input Buffer: NULL	success or wait	533258584
Section loaded	Path: \KnownDlls\kernel32.dll Access: write and read and execute Type: unknown Baseaddress: 7C800000 Size: 1007616 Protection: read write Mapped to pid: own pid	success or wait	533259213
Memory attributes changed	PID: 988 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 7C801000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	533259896
Memory attributes changed	PID: 988 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 7C801000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	533260299
Process information queried	Path: C:\WINDOWS\system32\LogFiles\smss.exe PID: 988 Info Class: Cookie	success or wait	533260616
System info queried	Type: RangeStartInformation	success or wait	533260720
System info queried	Type: BasicInformation	success or wait	533260805
Section loaded	Path: unknown Access: query and write and read and execute and extend size Type: reserve Baseaddress: 7C800000 Size: 1007616 Protection: read write Mapped to pid: own pid	success or wait	533261422
System info queried	Type: BasicInformation	success or wait	533261797
Memory allocated	PID: 988 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 260000 Length: 13F340 Allocation Type: unknown Protection: page read and write	success or wait	533262235
Key value queried	Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Terminal Server Name: TSAppCompat	success or wait	533262669
Section loaded	Path: \NLS\NlsSectionUnicode Access: read Type: unknown Baseaddress: 270000 Size: 90112 Protection: readonly Mapped to pid: own pid	success or wait	533264052
Section loaded	Path: \NLS\NlsSectionLocale Access: read Type: unknown Baseaddress: 290000 Size: 266240 Protection: readonly Mapped to pid: own pid	success or wait	533264765
Section loaded	Path: \NLS\NlsSectionSortkey Access: query and read Type: unknown Baseaddress: 2E0000 Size: 266240 Protection: readonly Mapped to pid: own pid	success or wait	533265254
Section loaded	Path: \NLS\NlsSectionSortTbls Access: read Type: unknown Baseaddress: 330000 Size: 24576 Protection: readonly Mapped to pid: own pid	success or wait	533266052
Section loaded	Path: \NLS\NlsSectionSortkey00000409 Access: read Type: unknown Baseaddress: unknown Size: unknown Protection: unknown Mapped to pid: unknown	object name not found	533267009
Section loaded	Path: \NLS\NlsSectionSortkey00000409 Access: read Type: unknown Baseaddress: unknown Size: unknown Protection: unknown Mapped to pid: unknown	object name not found	533267140
Memory allocated	PID: 988 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 261000 Length: 13F168 Allocation Type: unknown Protection: page read and write	success or wait	533267805
Memory attributes changed	PID: 988 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 1400B000 Length: 1000 New Protection: page read and write Old Protection: page write copy	success or wait	533268590
Memory attributes changed	PID: 988 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 1400B000 Length: 1000 New Protection: page write copy Old Protection: page read and write	success or wait	533268965
Section loaded	Path: \KnownDlls\USER32.dll Access: write and read and execute Type: unknown Baseaddress: 7E410000 Size: 593920 Protection: read write Mapped to pid: own pid	success or wait	533270029
Section loaded	Path: \KnownDlls\GDI32.dll Access: write and read and execute Type: unknown Baseaddress: 77F10000 Size: 299008 Protection: read write Mapped to pid: own pid	success or wait	533271078
Memory attributes changed	PID: 988 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 77F11000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	533271917
Memory attributes changed	PID: 988 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 77F11000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	533272106
Memory attributes changed	PID: 988 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 77F11000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	533272775
Memory attributes changed	PID: 988 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 77F11000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	533272920
Memory attributes changed	PID: 988 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 77F11000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	533273047
Memory attributes changed	PID: 988 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 77F11000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	533273657
Memory attributes changed	PID: 988 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 7E411000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	533273799
Memory attributes changed	PID: 988 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 7E411000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	533274918
Memory attributes changed	PID: 988 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 7E411000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	533275048
Memory attributes changed	PID: 988 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 7E411000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	533275195
Memory attributes changed	PID: 988 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 7E411000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	533275306
Memory attributes changed	PID: 988 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 7E411000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	533275917
Memory attributes changed	PID: 988 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 1400B000 Length: 1000 New Protection: page read and write Old Protection: page read and write	success or wait	533276035
Memory attributes changed	PID: 988 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 1400B000 Length: 1000 New Protection: page read and write Old Protection: page read and write	success or wait	533276144
Section loaded	Path: \KnownDlls\ADVAPI32.dll Access: write and read and execute Type: unknown Baseaddress: 77DD0000 Size: 634880 Protection: read write Mapped to pid: own pid	success or wait	533276286
Memory attributes changed	PID: 988 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 77DD1000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	533277716
Memory attributes changed	PID: 988 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 77DD1000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	533278198
Memory attributes changed	PID: 988 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 77DD1000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	533278319
Memory attributes changed	PID: 988 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 77DD1000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	533278657
Section loaded	Path: \KnownDlls\RPCRT4.dll Access: write and read and execute Type: unknown Baseaddress: 77E70000 Size: 602112 Protection: read write Mapped to pid: own pid	success or wait	533278796
Memory attributes changed	PID: 988 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 77E71000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	533279351
Memory attributes changed	PID: 988 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 77E71000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	533280032
Memory attributes changed	PID: 988 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 77E71000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	533280174
Memory attributes changed	PID: 988 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 77E71000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	533280347
Memory attributes changed	PID: 988 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 77E71000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	533280494
Memory attributes changed	PID: 988 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 77E71000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	533281026
Section loaded	Path: \KnownDlls\Secur32.dll Access: write and read and execute Type: unknown Baseaddress: 77FE0000 Size: 69632 Protection: read write Mapped to pid: own pid	success or wait	533281196
Memory attributes changed	PID: 988 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 77FE1000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	533282666
Memory attributes changed	PID: 988 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 77FE1000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	533282966
Memory attributes changed	PID: 988 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 77FE1000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	533283100
Memory attributes changed	PID: 988 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 77FE1000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	533283240
Memory attributes changed	PID: 988 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 77FE1000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	533283383
Memory attributes changed	PID: 988 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 77FE1000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	533283540
Memory attributes changed	PID: 988 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 77E71000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	533283659
Memory attributes changed	PID: 988 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 77E71000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	533284235
Memory attributes changed	PID: 988 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 77DD1000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	533284351
Memory attributes changed	PID: 988 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 77DD1000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	533284796
Memory attributes changed	PID: 988 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 1400B000 Length: 1000 New Protection: page read and write Old Protection: page read and write	success or wait	533285470
Memory attributes changed	PID: 988 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 1400B000 Length: 1000 New Protection: page read and write Old Protection: page read and write	success or wait	533285594
Section loaded	Path: \KnownDlls\WS2_32.dll Access: write and read and execute Type: unknown Baseaddress: unknown Size: unknown Protection: unknown Mapped to pid: unknown	object name not found	533286007
Memory allocated	PID: 988 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 153000 Length: 13F3EC Allocation Type: unknown Protection: page read and write	success or wait	533286274
File opened	Path: C:\WINDOWS\system32\WS2_32.dll Access: execute or traverse and synchronize Options: synchronous io non alert and non directory file Overwritten: false	success or wait	533286575
Section loaded	Path: C:\WINDOWS\system32\ws2_32.dll Access: query and write and read and execute Type: image Baseaddress: 71AB0000 Size: 94208 Protection: read write Mapped to pid: own pid	success or wait	533286974
Memory attributes changed	PID: 988 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 71AB1000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	533288474
Memory attributes changed	PID: 988 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 71AB1000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	533288647
Memory attributes changed	PID: 988 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 71AB1000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	533289054
Memory attributes changed	PID: 988 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 71AB1000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	533289200
Section loaded	Path: \KnownDlls\msvcrt.dll Access: write and read and execute Type: unknown Baseaddress: 77C10000 Size: 360448 Protection: read write Mapped to pid: own pid	success or wait	533289927
Memory attributes changed	PID: 988 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 77C11000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	533291000
Memory attributes changed	PID: 988 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 77C11000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	533291212
Memory attributes changed	PID: 988 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 77C11000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	533291335
Memory attributes changed	PID: 988 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 77C11000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	533291490
Memory attributes changed	PID: 988 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 71AB1000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	533291599
Memory attributes changed	PID: 988 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 71AB1000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	533291775
Memory attributes changed	PID: 988 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 71AB1000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	533292365
Memory attributes changed	PID: 988 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 71AB1000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	533292484
Section loaded	Path: \KnownDlls\WS2HELP.dll Access: write and read and execute Type: unknown Baseaddress: unknown Size: unknown Protection: unknown Mapped to pid: unknown	object name not found	533292633
File opened	Path: C:\WINDOWS\system32\WS2HELP.dll Access: execute or traverse and synchronize Options: synchronous io non alert and non directory file Overwritten: false	success or wait	533293175
Section loaded	Path: C:\WINDOWS\system32\ws2help.dll Access: query and write and read and execute Type: image Baseaddress: 71AA0000 Size: 32768 Protection: read write Mapped to pid: own pid	success or wait	533293561
Memory attributes changed	PID: 988 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 71AA1000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	533295306
Memory attributes changed	PID: 988 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 71AA1000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	533295479
Memory attributes changed	PID: 988 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 71AA1000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	533295606
Memory attributes changed	PID: 988 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 71AA1000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	533295779
Memory attributes changed	PID: 988 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 71AA1000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	533295911
Memory attributes changed	PID: 988 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 71AA1000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	533296043
Memory attributes changed	PID: 988 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 1400B000 Length: 1000 New Protection: page read and write Old Protection: page read and write	success or wait	533296710
Memory attributes changed	PID: 988 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 1400B000 Length: 1000 New Protection: page read and write Old Protection: page read and write	success or wait	533296851
Section loaded	Path: \KnownDlls\SHLWAPI.dll Access: write and read and execute Type: unknown Baseaddress: 77F60000 Size: 483328 Protection: read write Mapped to pid: own pid	success or wait	533296987
Memory attributes changed	PID: 988 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 77F61000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	533298670
Memory attributes changed	PID: 988 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 77F61000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	533299003
Memory attributes changed	PID: 988 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 77F61000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	533299117
Memory attributes changed	PID: 988 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 77F61000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	533299234
Memory attributes changed	PID: 988 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 77F61000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	533299378
Memory attributes changed	PID: 988 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 77F61000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	533299552
Memory attributes changed	PID: 988 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 77F61000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	533299664
Memory attributes changed	PID: 988 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 77F61000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	533300256
Memory attributes changed	PID: 988 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 77F61000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	533300375
Memory attributes changed	PID: 988 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 77F61000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	533300556
Memory attributes changed	PID: 988 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 1400B000 Length: 1000 New Protection: page read and write Old Protection: page read and write	success or wait	533300661
Memory attributes changed	PID: 988 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 1400B000 Length: 1000 New Protection: page read and write Old Protection: page read and write	success or wait	533301066
Section loaded	Path: \KnownDlls\ShimEng.dll Access: write and read and execute Type: unknown Baseaddress: unknown Size: unknown Protection: unknown Mapped to pid: unknown	object name not found	533301276
File opened	Path: C:\WINDOWS\system32\ShimEng.dll Access: execute or traverse and synchronize Options: synchronous io non alert and non directory file Overwritten: false	success or wait	533302138
Section loaded	Path: C:\WINDOWS\system32\shimeng.dll Access: query and write and read and execute Type: image Baseaddress: 5CB70000 Size: 155648 Protection: read write Mapped to pid: own pid	success or wait	533307671
Memory attributes changed	PID: 988 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 5CB71000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	533308789
Memory attributes changed	PID: 988 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 5CB71000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	533308994
Memory attributes changed	PID: 988 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 5CB71000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	533309120
Memory attributes changed	PID: 988 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 5CB71000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	533309244
File opened	Path: C:\WINDOWS\AppPatch\sysmain.sdb Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file Attributes: normal Content Overwritten: true	success or wait	533309889
Section loaded	Path: C:\WINDOWS\AppPatch\sysmain.sdb Access: read Type: commit Baseaddress: 340000 Size: 1208320 Protection: readonly Mapped to pid: own pid	success or wait	533310310
File opened	Path: C:\WINDOWS\AppPatch\systest.sdb Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file Attributes: normal Content Overwritten: true	object name not found	533311347
System info queried	Type: ProcessorInformation	success or wait	533311680
Process information queried	Path: C:\WINDOWS\system32\LogFiles\smss.exe PID: 988 Info Class: Wow64Information	success or wait	533312365
Key value queried	Path: HKEY_LOCAL_MACHINE\SYSTEM\WPA\MediaCenter Name: Installed	success or wait	533312552
File opened	Path: \Device\NamedPipe\ShimViewer Access: write data or add file and append data or add subdirectory or create pipe instance and write ea and write attributes and read control and synchronize Options: no options Attributes: normal Content Overwritten: true	object name not found	533312925
Process information queried	Path: C:\WINDOWS\system32\LogFiles\smss.exe PID: 988 Info Class: Wow64Information	success or wait	533313192
System info queried	Type: BasicInformation	success or wait	533313280
Memory allocated	PID: 988 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 470000 Length: 13F0C8 Allocation Type: unknown Protection: page read and write	success or wait	533313835
Memory allocated	PID: 988 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 470000 Length: 13F0CC Allocation Type: unknown Protection: page read and write	success or wait	533313949
File opened	Path: \Device\NamedPipe\ShimViewer Access: write data or add file and append data or add subdirectory or create pipe instance and write ea and write attributes and read control and synchronize Options: no options Attributes: normal Content Overwritten: true	object name not found	533314188
Memory allocated	PID: 988 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 472000 Length: 13EB64 Allocation Type: unknown Protection: page read and write	success or wait	533315332
Memory allocated	PID: 988 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 473000 Length: 13EEA8 Allocation Type: unknown Protection: page read and write	success or wait	533316418
File opened	Path: C:\WINDOWS\AppPatch\AcGenral.DLL Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file Attributes: normal Content Overwritten: true	success or wait	533316617
File opened	Path: C:\WINDOWS\AppPatch\AcGenral.DLL Access: execute or traverse and synchronize Options: synchronous io non alert and non directory file Overwritten: false	success or wait	533317733
Section loaded	Path: C:\WINDOWS\AppPatch\acgenral.dll Access: write and read and execute Type: commit Baseaddress: 480000 Size: 1855488 Protection: execute Mapped to pid: own pid	success or wait	533318103
File opened	Path: C:\WINDOWS\AppPatch\AcGenral.DLL Access: execute or traverse and synchronize Options: synchronous io non alert and non directory file Overwritten: false	success or wait	533319268
Section loaded	Path: C:\WINDOWS\AppPatch\acgenral.dll Access: write and read and execute Type: commit Baseaddress: 480000 Size: 1855488 Protection: execute Mapped to pid: own pid	success or wait	533319926
File opened	Path: C:\WINDOWS\AppPatch\AcGenral.DLL Access: execute or traverse and synchronize Options: synchronous io non alert and non directory file Overwritten: false	success or wait	533321373
Section loaded	Path: C:\WINDOWS\AppPatch\acgenral.dll Access: query and write and read and execute Type: image Baseaddress: 6F880000 Size: 1875968 Protection: read write Mapped to pid: own pid	success or wait	533321889
Memory attributes changed	PID: 988 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 6F881000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	533322470
Memory attributes changed	PID: 988 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 6F881000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	533322634
Memory attributes changed	PID: 988 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 6F881000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	533323451
Memory attributes changed	PID: 988 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 6F881000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	533323635
Memory attributes changed	PID: 988 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 6F881000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	533324022
Memory attributes changed	PID: 988 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 6F881000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	533324680
Memory attributes changed	PID: 988 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 6F881000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	533324813
Memory attributes changed	PID: 988 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 6F881000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	533326165
Section loaded	Path: \KnownDlls\WINMM.dll Access: write and read and execute Type: unknown Baseaddress: unknown Size: unknown Protection: unknown Mapped to pid: unknown	object name not found	533326317
File opened	Path: C:\WINDOWS\system32\WINMM.dll Access: execute or traverse and synchronize Options: synchronous io non alert and non directory file Overwritten: false	success or wait	533326580
Section loaded	Path: C:\WINDOWS\system32\winmm.dll Access: query and write and read and execute Type: image Baseaddress: 76B40000 Size: 184320 Protection: read write Mapped to pid: own pid	success or wait	533326971
Memory attributes changed	PID: 988 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 76B41000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	533328182
Memory attributes changed	PID: 988 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 76B41000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	533328641
Memory attributes changed	PID: 988 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 76B41000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	533329326
Memory attributes changed	PID: 988 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 76B41000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	533329454
Memory attributes changed	PID: 988 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 76B41000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	533329868
Memory attributes changed	PID: 988 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 76B41000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	533330181
Memory attributes changed	PID: 988 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 76B41000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	533330306
Memory attributes changed	PID: 988 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 76B41000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	533330451
Memory attributes changed	PID: 988 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 76B41000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	533330587
Memory attributes changed	PID: 988 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 76B41000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	533330708
Section loaded	Path: \KnownDlls\ole32.dll Access: write and read and execute Type: unknown Baseaddress: 774E0000 Size: 1302528 Protection: read write Mapped to pid: own pid	success or wait	533330848
Memory attributes changed	PID: 988 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 774E1000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	533332677
Memory attributes changed	PID: 988 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 774E1000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	533332876
Memory attributes changed	PID: 988 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 774E1000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	533333259
Memory attributes changed	PID: 988 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 774E1000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	533333552
Memory attributes changed	PID: 988 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 774E1000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	533333678
Memory attributes changed	PID: 988 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 774E1000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	533333862
Memory attributes changed	PID: 988 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 774E1000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	533333999
Memory attributes changed	PID: 988 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 774E1000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	533334127
Memory attributes changed	PID: 988 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 774E1000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	533334249
Memory attributes changed	PID: 988 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 774E1000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	533334816
Memory attributes changed	PID: 988 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 774E1000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	533334959
Memory attributes changed	PID: 988 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 774E1000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	533335144
Memory attributes changed	PID: 988 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 774E1000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	533335282
Memory attributes changed	PID: 988 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 774E1000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	533335710
Memory attributes changed	PID: 988 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 6F881000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	533335825
Memory attributes changed	PID: 988 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 6F881000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	533336525
Section loaded	Path: \KnownDlls\OLEAUT32.dll Access: write and read and execute Type: unknown Baseaddress: 77120000 Size: 569344 Protection: read write Mapped to pid: own pid	success or wait	533336685
Memory attributes changed	PID: 988 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 77121000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	533337666
Memory attributes changed	PID: 988 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 77121000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	533337856
Memory attributes changed	PID: 988 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 77121000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	533337994
Memory attributes changed	PID: 988 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 77121000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	533338125
Memory attributes changed	PID: 988 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 77121000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	533338249
Memory attributes changed	PID: 988 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 77121000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	533338894
Memory attributes changed	PID: 988 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 77121000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	533339027
Memory attributes changed	PID: 988 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 77121000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	533339181
Memory attributes changed	PID: 988 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 77121000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	533339311
Memory attributes changed	PID: 988 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 77121000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	533339679
Memory attributes changed	PID: 988 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 77121000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	533339803
Memory attributes changed	PID: 988 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 77121000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	533340510
Section loaded	Path: \KnownDlls\MSACM32.dll Access: write and read and execute Type: unknown Baseaddress: unknown Size: unknown Protection: unknown Mapped to pid: unknown	object name not found	533340663
File opened	Path: C:\WINDOWS\system32\MSACM32.dll Access: execute or traverse and synchronize Options: synchronous io non alert and non directory file Overwritten: false	success or wait	533341213
Section loaded	Path: C:\WINDOWS\system32\msacm32.dll Access: query and write and read and execute Type: image Baseaddress: 77BE0000 Size: 86016 Protection: read write Mapped to pid: own pid	success or wait	533341735
Memory attributes changed	PID: 988 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 77BE1000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	533342462
Memory attributes changed	PID: 988 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 77BE1000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	533343082
Memory attributes changed	PID: 988 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 77BE1000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	533343227
Memory attributes changed	PID: 988 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 77BE1000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	533343364
Memory attributes changed	PID: 988 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 77BE1000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	533343501
Memory attributes changed	PID: 988 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 77BE1000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	533343654
Memory attributes changed	PID: 988 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 77BE1000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	533344044
Memory attributes changed	PID: 988 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 77BE1000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	533344709
Memory attributes changed	PID: 988 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 77BE1000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	533344854
Memory attributes changed	PID: 988 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 77BE1000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	533344981
Section loaded	Path: \KnownDlls\VERSION.dll Access: write and read and execute Type: unknown Baseaddress: 77C00000 Size: 32768 Protection: read write Mapped to pid: own pid	success or wait	533345551
Memory attributes changed	PID: 988 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 77C01000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	533346406
Memory attributes changed	PID: 988 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 77C01000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	533346715
Memory attributes changed	PID: 988 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 77C01000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	533346863
Memory attributes changed	PID: 988 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 77C01000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	533347635
Section loaded	Path: \KnownDlls\SHELL32.dll Access: write and read and execute Type: unknown Baseaddress: 7C9C0000 Size: 8482816 Protection: read write Mapped to pid: own pid	success or wait	533347805
Memory attributes changed	PID: 988 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 7C9C1000 Length: 2000 New Protection: page read and write Old Protection: page execute read	success or wait	533349559
Memory attributes changed	PID: 988 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 7C9C1000 Length: 2000 New Protection: page execute read Old Protection: page read and write	success or wait	533349891
Memory attributes changed	PID: 988 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 7C9C1000 Length: 2000 New Protection: page read and write Old Protection: page execute read	success or wait	533350019
Memory attributes changed	PID: 988 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 7C9C1000 Length: 2000 New Protection: page execute read Old Protection: page read and write	success or wait	533350156
Memory attributes changed	PID: 988 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 7C9C1000 Length: 2000 New Protection: page read and write Old Protection: page execute read	success or wait	533350290
Memory attributes changed	PID: 988 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 7C9C1000 Length: 2000 New Protection: page execute read Old Protection: page read and write	success or wait	533350485
Memory attributes changed	PID: 988 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 7C9C1000 Length: 2000 New Protection: page read and write Old Protection: page execute read	success or wait	533350610
Memory attributes changed	PID: 988 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 7C9C1000 Length: 2000 New Protection: page execute read Old Protection: page read and write	success or wait	533351180
Memory attributes changed	PID: 988 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 7C9C1000 Length: 2000 New Protection: page read and write Old Protection: page execute read	success or wait	533351322
Memory attributes changed	PID: 988 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 7C9C1000 Length: 2000 New Protection: page execute read Old Protection: page read and write	success or wait	533351466
Memory attributes changed	PID: 988 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 7C9C1000 Length: 2000 New Protection: page read and write Old Protection: page execute read	success or wait	533351600
Memory attributes changed	PID: 988 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 7C9C1000 Length: 2000 New Protection: page execute read Old Protection: page read and write	success or wait	533351729
Memory attributes changed	PID: 988 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 7C9C1000 Length: 2000 New Protection: page read and write Old Protection: page execute read	success or wait	533352087
Memory attributes changed	PID: 988 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 7C9C1000 Length: 2000 New Protection: page execute read Old Protection: page read and write	success or wait	533352829
Memory attributes changed	PID: 988 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 7C9C1000 Length: 2000 New Protection: page read and write Old Protection: page execute read	success or wait	533352973
Memory attributes changed	PID: 988 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 7C9C1000 Length: 2000 New Protection: page execute read Old Protection: page read and write	success or wait	533353498
Memory attributes changed	PID: 988 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 6F881000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	533353759
Memory attributes changed	PID: 988 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 6F881000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	533353921
Memory attributes changed	PID: 988 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 6F881000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	533354036
Memory attributes changed	PID: 988 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 6F881000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	533354159
Section loaded	Path: \KnownDlls\USERENV.dll Access: write and read and execute Type: unknown Baseaddress: 769C0000 Size: 737280 Protection: read write Mapped to pid: own pid	success or wait	533354297
Memory attributes changed	PID: 988 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 769C1000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	533360451
Memory attributes changed	PID: 988 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 769C1000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	533360667
Memory attributes changed	PID: 988 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 769C1000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	533361257
Memory attributes changed	PID: 988 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 769C1000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	533361431
Memory attributes changed	PID: 988 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 769C1000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	533361564
Memory attributes changed	PID: 988 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 769C1000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	533362513
Memory attributes changed	PID: 988 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 769C1000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	533362648
Memory attributes changed	PID: 988 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 769C1000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	533363102
Memory attributes changed	PID: 988 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 769C1000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	533363375
Memory attributes changed	PID: 988 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 769C1000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	533363501
Section loaded	Path: \KnownDlls\UxTheme.dll Access: write and read and execute Type: unknown Baseaddress: unknown Size: unknown Protection: unknown Mapped to pid: unknown	object name not found	533363643
File opened	Path: C:\WINDOWS\system32\UxTheme.dll Access: execute or traverse and synchronize Options: synchronous io non alert and non directory file Overwritten: false	success or wait	533363917
Section loaded	Path: C:\WINDOWS\system32\uxtheme.dll Access: query and write and read and execute Type: image Baseaddress: 5AD70000 Size: 229376 Protection: read write Mapped to pid: own pid	success or wait	533364301
Memory attributes changed	PID: 988 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 5AD71000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	533365516
Memory attributes changed	PID: 988 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 5AD71000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	533365959
Memory attributes changed	PID: 988 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 5AD71000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	533366089
Memory attributes changed	PID: 988 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 5AD71000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	533366787
Memory attributes changed	PID: 988 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 5AD71000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	533366935
Memory attributes changed	PID: 988 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 5AD71000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	533367384
Memory attributes changed	PID: 988 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 5AD71000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	533367655
Memory attributes changed	PID: 988 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 5AD71000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	533367782
Memory attributes changed	PID: 988 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 5AD71000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	533367905
Memory attributes changed	PID: 988 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 5AD71000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	533368044
System info queried	Type: BasicInformation	success or wait	533368429
Memory allocated	PID: 988 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 480000 Length: 13E978 Allocation Type: unknown Protection: page read and write	success or wait	533368556
Memory allocated	PID: 988 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 480000 Length: 13E97C Allocation Type: unknown Protection: page read and write	success or wait	533369133
Memory allocated	PID: 988 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 481000 Length: 13E658 Allocation Type: unknown Protection: page read and write	success or wait	533369303
Section loaded	Path: \NLS\NlsSectionCType Access: read Type: unknown Baseaddress: 490000 Size: 12288 Protection: readonly Mapped to pid: own pid	success or wait	533369982
Memory allocated	PID: 988 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 483000 Length: 13E70C Allocation Type: unknown Protection: page read and write	success or wait	533371666
Process information queried	Path: C:\WINDOWS\system32\LogFiles\smss.exe PID: 988 Info Class: Cookie	success or wait	533371986
Process information queried	Path: C:\WINDOWS\system32\LogFiles\smss.exe PID: 988 Info Class: Cookie	success or wait	533372092
Mutant created	Name: \BaseNamedObjects\SHIMLIB_LOG_MUTEX	object name exists	533372285
File opened	Path: \Device\NamedPipe\ShimViewer Access: write data or add file and append data or add subdirectory or create pipe instance and write ea and write attributes and read control and synchronize Options: no options Attributes: normal Content Overwritten: true	object name not found	533372838
System info queried	Type: BasicInformation	success or wait	533373093
Memory allocated	PID: 988 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 4A0000 Length: 13F04C Allocation Type: unknown Protection: page read and write	success or wait	533373215
Memory allocated	PID: 988 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 4A0000 Length: 13F050 Allocation Type: unknown Protection: page read and write	success or wait	533373790
Memory allocated	PID: 988 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 4A1000 Length: 13ED2C Allocation Type: unknown Protection: page read and write	success or wait	533373929
System info queried	Type: BasicInformation	success or wait	533374181
System info queried	Type: ProcessorInformation	success or wait	533374558
Process information queried	Path: C:\WINDOWS\system32\LogFiles\smss.exe PID: 988 Info Class: ImageInformation	success or wait	533375598
System info queried	Type: BasicInformation	success or wait	533377069
Key value queried	Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager Name: SafeDllSearchMode	object name not found	533377582
File opened	Path: C:\WINDOWS\system32\IMM32.DLL Access: execute or traverse and synchronize Options: synchronous io non alert and non directory file Overwritten: false	success or wait	533377953
Section loaded	Path: C:\WINDOWS\system32\imm32.dll Access: write and read and execute Type: commit Baseaddress: 410000 Size: 110592 Protection: execute Mapped to pid: own pid	success or wait	533378334
File opened	Path: C:\WINDOWS\system32\IMM32.DLL Access: execute or traverse and synchronize Options: synchronous io non alert and non directory file Overwritten: false	success or wait	533379919
Section loaded	Path: C:\WINDOWS\system32\imm32.dll Access: write and read and execute Type: commit Baseaddress: 410000 Size: 110592 Protection: execute Mapped to pid: own pid	success or wait	533380826
File opened	Path: C:\WINDOWS\system32\IMM32.DLL Access: execute or traverse and synchronize Options: synchronous io non alert and non directory file Overwritten: false	success or wait	533382119
Section loaded	Path: C:\WINDOWS\system32\imm32.dll Access: query and write and read and execute Type: image Baseaddress: 76390000 Size: 118784 Protection: read write Mapped to pid: own pid	success or wait	533382510
Memory attributes changed	PID: 988 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 76391000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	533383571
Memory attributes changed	PID: 988 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 76391000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	533383762
Memory attributes changed	PID: 988 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 76391000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	533384158
Memory attributes changed	PID: 988 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 76391000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	533384306
Memory attributes changed	PID: 988 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 76391000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	533384980
Memory attributes changed	PID: 988 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 76391000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	533385148
Memory attributes changed	PID: 988 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 76391000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	533385563
Memory attributes changed	PID: 988 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 76391000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	533385840
System info queried	Type: BasicInformation	success or wait	533386084
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize Name: DisableMetaFiles	object name not found	533386495
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Name: AppInit_DLLs	success or wait	533387827
Memory allocated	PID: 988 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 154000 Length: 13F788 Allocation Type: unknown Protection: page read and write	success or wait	533389009
Key value queried	Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Terminal Server Name: TSAppCompat	success or wait	533389286
Key value queried	Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Terminal Server Name: TSUserEnabled	success or wait	533389922
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Name: LeakTrack	object name not found	533391006
System info queried	Type: BasicInformation	success or wait	533391923
Memory allocated	PID: 988 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 420000 Length: 13F91C Allocation Type: unknown Protection: page read and write	success or wait	533392038
Memory allocated	PID: 988 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 420000 Length: 13F920 Allocation Type: unknown Protection: page read and write	success or wait	533392139
Memory allocated	PID: 988 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 421000 Length: 13F5FC Allocation Type: unknown Protection: page read and write	success or wait	533392270
Memory allocated	PID: 988 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 423000 Length: 13F6B8 Allocation Type: unknown Protection: page read and write	success or wait	533392703
Process information queried	Path: C:\WINDOWS\system32\LogFiles\smss.exe PID: 988 Info Class: Cookie	success or wait	533393016
Process information queried	Path: C:\WINDOWS\system32\LogFiles\smss.exe PID: 988 Info Class: Cookie	success or wait	533393557
System info queried	Type: BasicInformation	success or wait	533393689
System info queried	Type: ProcessorInformation	success or wait	533393794
Memory allocated	PID: 988 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 155000 Length: 13F694 Allocation Type: unknown Protection: page read and write	success or wait	533394124
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: wave	success or wait	533399346
Memory allocated	PID: 988 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 670000 Length: 13F52C Allocation Type: unknown Protection: page read and write	success or wait	533399727
Memory allocated	PID: 988 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 670000 Length: 13F528 Allocation Type: unknown Protection: page read and write	success or wait	533400395
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: wave	success or wait	533400574
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: wave1	success or wait	533401373
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: wave1	success or wait	533401888
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: wave2	object name not found	533402247
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: wave3	object name not found	533402599
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: wave4	object name not found	533402963
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: wave5	object name not found	533403695
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: wave6	object name not found	533404045
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: wave7	object name not found	533404836
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: wave8	object name not found	533405232
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: wave9	object name not found	533405848
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: midi	success or wait	533406741
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: midi	success or wait	533407411
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: midi1	success or wait	533407765
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: midi1	success or wait	533408266
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: midi2	object name not found	533408623
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: midi3	object name not found	533408973
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: midi4	object name not found	533409335
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: midi5	object name not found	533409684
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: midi6	object name not found	533410034
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: midi7	object name not found	533410821
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: midi8	object name not found	533411217
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: midi9	object name not found	533411835
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: aux	success or wait	533412759
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: aux	success or wait	533413427
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: aux1	success or wait	533413781
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: aux1	success or wait	533414280
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: aux2	object name not found	533414635
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: aux3	object name not found	533414983
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: aux4	object name not found	533415343
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: aux5	object name not found	533415691
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: aux6	object name not found	533416038
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: aux7	object name not found	533416823
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: aux8	object name not found	533417218
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: aux9	object name not found	533418061
Key value queried	Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\MediaProperties\PrivateProperties\Joystick\Winmm Name: wheel	success or wait	533419112
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: mixer	success or wait	533419704
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: mixer	success or wait	533420209
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: mixer1	success or wait	533420565
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: mixer1	success or wait	533420927
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: mixer2	object name not found	533421292
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: mixer3	object name not found	533421652
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: mixer4	object name not found	533422019
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: mixer5	object name not found	533422808
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: mixer6	object name not found	533423442
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: mixer7	object name not found	533423795
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: mixer8	object name not found	533424682
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: mixer9	object name not found	533425096
File opened	Path: \Device\KsecDD Access: read data or list directory and synchronize Options: synchronous io alert Overwritten: false	success or wait	533425916
System info queried	Type: BasicInformation	success or wait	533427166
System info queried	Type: ProcessorInformation	success or wait	533427269
Key value queried	Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager Name: CriticalSectionTimeout	success or wait	533427476
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole Name: RWLockResourceTimeOut	object name not found	533427784
System info queried	Type: BasicInformation	success or wait	533428503
System info queried	Type: ProcessorInformation	success or wait	533428612
System info queried	Type: BasicInformation	success or wait	533428719
System info queried	Type: ProcessorInformation	success or wait	533428834
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface Name: InterfaceHelperDisableAll	object name not found	533429282
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface Name: InterfaceHelperDisableAllForOle32	object name not found	533430177
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface Name: InterfaceHelperDisableTypeLib	object name not found	533430305
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{00020400-0000-0000-C000-000000000046} Name: InterfaceHelperDisableAll	object name not found	533430861
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{00020400-0000-0000-C000-000000000046} Name: InterfaceHelperDisableAllForOle32	object name not found	533430977
Memory allocated	PID: 988 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 156000 Length: 13F55C Allocation Type: unknown Protection: page read and write	success or wait	533431555
Key value queried	Path: HKEY_USERS\Software\Microsoft\Multimedia\Audio Name: SystemFormats	success or wait	533436674
Memory allocated	PID: 988 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 157000 Length: 13F188 Allocation Type: unknown Protection: page read and write	success or wait	533438919
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: msacm.imaadpcm	buffer overflow	533439110
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: msacm.imaadpcm	success or wait	533439245
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.imaadpcm Name: fdwSupport	success or wait	533439784
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.imaadpcm Name: cFormatTags	success or wait	533440535
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.imaadpcm Name: aFormatTagCache	success or wait	533441015
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.imaadpcm Name: cFilterTags	success or wait	533441203
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: msacm.msadpcm	buffer overflow	533441751
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: msacm.msadpcm	success or wait	533441889
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msadpcm Name: fdwSupport	success or wait	533447788
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msadpcm Name: cFormatTags	success or wait	533448011
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msadpcm Name: aFormatTagCache	success or wait	533448200
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msadpcm Name: cFilterTags	success or wait	533448384
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: msacm.msg711	buffer overflow	533449277
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: msacm.msg711	success or wait	533449410
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msg711 Name: fdwSupport	success or wait	533449981
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msg711 Name: cFormatTags	success or wait	533450737
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msg711 Name: aFormatTagCache	success or wait	533451222
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msg711 Name: cFilterTags	success or wait	533451410
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: msacm.msgsm610	buffer overflow	533451962
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: msacm.msgsm610	success or wait	533452102
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msgsm610 Name: fdwSupport	success or wait	533452397
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msgsm610 Name: cFormatTags	success or wait	533453054
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msgsm610 Name: aFormatTagCache	success or wait	533453270
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msgsm610 Name: cFilterTags	success or wait	533453722
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: msacm.trspch	buffer overflow	533454984
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: msacm.trspch	success or wait	533455255
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.trspch Name: fdwSupport	success or wait	533455554
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.trspch Name: cFormatTags	success or wait	533455756
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.trspch Name: aFormatTagCache	success or wait	533455942
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.trspch Name: cFilterTags	success or wait	533456126
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: msacm.msg723	buffer overflow	533457052
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: msacm.msg723	success or wait	533457448
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msg723 Name: fdwSupport	success or wait	533457752
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msg723 Name: cFormatTags	success or wait	533458510
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msg723 Name: aFormatTagCache	success or wait	533458994
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msg723 Name: cFilterTags	success or wait	533459184
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: msacm.msaudio1	buffer overflow	533459737
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: msacm.msaudio1	success or wait	533459917
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msaudio1 Name: fdwSupport	success or wait	533464553
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msaudio1 Name: cFormatTags	success or wait	533464937
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msaudio1 Name: aFormatTagCache	success or wait	533465142
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msaudio1 Name: cFilterTags	success or wait	533465358
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: msacm.sl_anet	buffer overflow	533466435
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: msacm.sl_anet	success or wait	533466572
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.sl_anet Name: fdwSupport	success or wait	533467114
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.sl_anet Name: cFormatTags	success or wait	533467864
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.sl_anet Name: aFormatTagCache	success or wait	533468343
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.sl_anet Name: cFilterTags	success or wait	533468532
Memory allocated	PID: 988 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 158000 Length: 13F188 Allocation Type: unknown Protection: page read and write	success or wait	533469011
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: msacm.iac2	buffer overflow	533469352
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: msacm.iac2	success or wait	533469483
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.iac2 Name: fdwSupport	success or wait	533470269
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.iac2 Name: cFormatTags	success or wait	533470481
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.iac2 Name: aFormatTagCache	success or wait	533471066
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.iac2 Name: cFilterTags	success or wait	533471827
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: msacm.l3acm	buffer overflow	533472763
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Name: msacm.l3acm	success or wait	533472946
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.l3acm Name: fdwSupport	success or wait	533473766
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.l3acm Name: cFormatTags	success or wait	533474657
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.l3acm Name: aFormatTagCache	success or wait	533474856
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.l3acm Name: cFilterTags	success or wait	533475512
Key value queried	Path: HKEY_USERS\Software\Microsoft\Multimedia\Audio Compression Manager\MSACM Name: NoPCMConverter	object name not found	533477889
Memory allocated	PID: 988 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 159000 Length: 13EFB0 Allocation Type: unknown Protection: page read and write	success or wait	533478318
Key value queried	Path: HKEY_USERS\Software\Microsoft\Multimedia\Audio Compression Manager\Priority v4.00 Name: Priority1	object name not found	533502132
Key value queried	Path: HKEY_LOCAL_MACHINE\SYSTEM\Setup Name: SystemSetupInProgress	success or wait	533504048
File opened	Path: C:\WINDOWS\system32\SHELL32.dll Access: read data or list directory and read ea and execute or traverse and read attributes and read control and synchronize Options: synchronous io non alert and non directory file Overwritten: false	success or wait	533508096
Section loaded	Path: C:\WINDOWS\system32\shell32.dll Access: read Type: commit Baseaddress: 6F0000 Size: 8462336 Protection: readonly Mapped to pid: own pid	success or wait	533509169
File opened	Path: C:\WINDOWS\system32\SHELL32.dll.124.Manifest Access: read data or list directory and read ea and execute or traverse and read attributes and read control and synchronize Options: synchronous io non alert and non directory file Overwritten: false	object name not found	533510377
File opened	Path: C:\WINDOWS\system32\SHELL32.dll.124.Config Access: read data or list directory and read ea and execute or traverse and read attributes and read control and synchronize Options: synchronous io non alert and non directory file Overwritten: false	object name not found	533511578
File opened	Path: C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202 Access: execute or traverse and synchronize Options: directory file and synchronous io non alert Overwritten: false	success or wait	533548617
File opened	Path: C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll Access: execute or traverse and synchronize Options: synchronous io non alert and non directory file Overwritten: false	success or wait	533551697
Section loaded	Path: C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll Access: write and read and execute Type: commit Baseaddress: 6F0000 Size: 1056768 Protection: execute Mapped to pid: own pid	success or wait	533556226
File opened	Path: C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll Access: execute or traverse and synchronize Options: synchronous io non alert and non directory file Overwritten: false	success or wait	533559611
Section loaded	Path: C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll Access: query and write and read and execute Type: image Baseaddress: 773D0000 Size: 1060864 Protection: read write Mapped to pid: own pid	success or wait	533561624
Memory attributes changed	PID: 988 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 773D1000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	533566393
Memory attributes changed	PID: 988 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 773D1000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	533566924
Memory attributes changed	PID: 988 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 773D1000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	533568970
Memory attributes changed	PID: 988 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 773D1000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	533570093
Memory attributes changed	PID: 988 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 773D1000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	533570536
Memory attributes changed	PID: 988 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 773D1000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	533571333
Memory attributes changed	PID: 988 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 773D1000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	533571821
Memory attributes changed	PID: 988 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 773D1000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	533572290
Memory attributes changed	PID: 988 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 773D1000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	533573170
Memory attributes changed	PID: 988 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 773D1000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	533573763
Memory attributes changed	PID: 988 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 773D1000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	533574183
Memory attributes changed	PID: 988 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 773D1000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	533576262
Memory attributes changed	PID: 988 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 773D1000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	533577261
Memory attributes changed	PID: 988 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 773D1000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	533577755
File opened	Path: C:\WINDOWS\WindowsShell.Manifest Access: execute or traverse and synchronize Options: synchronous io non alert and non directory file Overwritten: false	success or wait	533581407
Section loaded	Path: C:\WINDOWS\WindowsShell.Manifest Access: write and read and execute Type: commit Baseaddress: 440000 Size: 4096 Protection: execute Mapped to pid: own pid	success or wait	533583286
File opened	Path: C:\WINDOWS\WindowsShell.Manifest Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file Attributes: none Content Overwritten: true	success or wait	533586289
Section loaded	Path: C:\WINDOWS\WindowsShell.Manifest Access: query and read Type: commit Baseaddress: 440000 Size: 4096 Protection: readonly Mapped to pid: own pid	success or wait	533601649
File opened	Path: C:\WINDOWS\WindowsShell.Manifest Access: execute or traverse and synchronize Options: synchronous io non alert and non directory file Overwritten: false	success or wait	533604251
Section loaded	Path: C:\WINDOWS\WindowsShell.Manifest Access: read Type: commit Baseaddress: 440000 Size: 4096 Protection: readonly Mapped to pid: own pid	success or wait	533606448
File opened	Path: C:\WINDOWS\WindowsShell.Config Access: read data or list directory and read ea and execute or traverse and read attributes and read control and synchronize Options: synchronous io non alert and non directory file Overwritten: false	object name not found	533608175
Key value queried	Path: HKEY_USERS\Control Panel\Desktop Name: SmoothScroll	object name not found	533643264
Section loaded	Path: \KnownDlls\comctl32.dll Access: write and read and execute Type: unknown Baseaddress: 5D090000 Size: 630784 Protection: read write Mapped to pid: own pid	success or wait	533657123
Memory attributes changed	PID: 988 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 5D091000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	533664922
Memory attributes changed	PID: 988 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 5D091000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	533665414
Memory attributes changed	PID: 988 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 5D091000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	533665789
Memory attributes changed	PID: 988 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 5D091000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	533666987
Memory attributes changed	PID: 988 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 5D091000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	533667365
Memory attributes changed	PID: 988 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 5D091000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	533667823
Memory attributes changed	PID: 988 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 5D091000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	533668287
Memory attributes changed	PID: 988 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 5D091000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	533668645
Memory attributes changed	PID: 988 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 5D091000 Length: 1000 New Protection: page read and write Old Protection: page execute read	success or wait	533669008
Memory attributes changed	PID: 988 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 5D091000 Length: 1000 New Protection: page execute read Old Protection: page read and write	success or wait	533671444
System info queried	Type: BasicInformation	success or wait	533672382
Memory allocated	PID: 988 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 440000 Length: 13F1B8 Allocation Type: unknown Protection: page read and write	success or wait	533672785
Memory allocated	PID: 988 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 440000 Length: 13F1BC Allocation Type: unknown Protection: page read and write	success or wait	533675516
Memory allocated	PID: 988 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 441000 Length: 13EE98 Allocation Type: unknown Protection: page read and write	success or wait	533675962
Memory allocated	PID: 988 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 443000 Length: 13EF4C Allocation Type: unknown Protection: page read and write	success or wait	533676657
File opened	Path: C:\WINDOWS\system32\comctl32.dll Access: read data or list directory and read ea and execute or traverse and read attributes and read control and synchronize Options: synchronous io non alert and non directory file Overwritten: false	success or wait	533678698
Section loaded	Path: C:\WINDOWS\system32\comctl32.dll Access: read Type: commit Baseaddress: 6F0000 Size: 618496 Protection: readonly Mapped to pid: own pid	success or wait	533679868
File opened	Path: C:\WINDOWS\system32\comctl32.dll.124.Manifest Access: read data or list directory and read ea and execute or traverse and read attributes and read control and synchronize Options: synchronous io non alert and non directory file Overwritten: false	object name not found	533681034
File opened	Path: C:\WINDOWS\system32\comctl32.dll.124.Config Access: read data or list directory and read ea and execute or traverse and read attributes and read control and synchronize Options: synchronous io non alert and non directory file Overwritten: false	object name not found	533682252
Process information queried	Path: C:\WINDOWS\system32\LogFiles\smss.exe PID: 988 Info Class: SessionInformation	success or wait	533690672
Key value queried	Path: HKEY_USERS\Control Panel\Desktop Name: SmoothScroll	object name not found	533694674
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Name: UserEnvDebugLevel	object name not found	533698281
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Name: ChkAccDebugLevel	object name not found	533699346
Key value queried	Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ProductOptions Name: ProductType	success or wait	533702883
Key value queried	Path: HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders Name: Personal	success or wait	533708472
Key value queried	Path: HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders Name: Local Settings	success or wait	533709030
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Name: RsopDebugLevel	object name not found	533710366
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Name: UserEnvDebugLevel	object name not found	533713262
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Name: RsopLogging	object name not found	533713797
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System Name: UserEnvDebugLevel	object name not found	533728189
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System Name: RsopLogging	object name not found	533728734
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Name: UserEnvDebugLevel	object name not found	533729811
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System Name: UserEnvDebugLevel	object name not found	533730749
Key value queried	Path: HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\ThemeManager Name: Compositing	object name not found	533734288
Key value queried	Path: HKEY_USERS\Control Panel\Desktop Name: LameButtonText	object name not found	533738701
System info queried	Type: BasicInformation	success or wait	533740174
Memory allocated	PID: 988 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 6F0000 Length: 13FF1C Allocation Type: unknown Protection: page read and write	success or wait	533740582
Memory allocated	PID: 988 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 6F0000 Length: 13FF20 Allocation Type: unknown Protection: page read and write	success or wait	533740927
Memory allocated	PID: 988 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 6F1000 Length: 13FC4C Allocation Type: unknown Protection: page read and write	success or wait	533743459
Memory allocated	PID: 988 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 700000 Length: 13FE78 Allocation Type: unknown Protection: page read and write	success or wait	533743927
Memory allocated	PID: 988 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 700000 Length: 13FE68 Allocation Type: unknown Protection: page read and write	success or wait	533744281
Process information queried	Path: C:\WINDOWS\system32\LogFiles\smss.exe PID: 988 Info Class: DefaultHardErrorMode	success or wait	533748231
Process information queried	Path: C:\WINDOWS\system32\LogFiles\smss.exe PID: 988 Info Class: DefaultHardErrorMode	success or wait	533748736
System info queried	Type: BasicInformation	success or wait	533750443
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc Name: MaxRpcSize	object name not found	533751092
System time queried	Time: 129718679891250000	success or wait	533752346
System info queried	Type: PerformanceInformation	success or wait	533752933
Process information queried	Path: C:\WINDOWS\system32\LogFiles\smss.exe PID: 988 Info Class: QuotaLimits	success or wait	533753719
Process information queried	Path: C:\WINDOWS\system32\LogFiles\smss.exe PID: 988 Info Class: VmCounters	success or wait	533756119
Key value queried	Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ServiceCurrent Name:	success or wait	533802292
File opened	Path: pipe\ Access: read attributes and synchronize Options: synchronous io non alert Overwritten: false	success or wait	533805780
Memory allocated	PID: 988 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 15A000 Length: 13F708 Allocation Type: unknown Protection: page read and write	success or wait	533806529
File control set	Path: \ Control Code: 110018 Input Buffer: ........&.....n.e.t.\.N.t.C.o.n.t.r.o.l.P.i.p.e.2.0.	success or wait	533807455
File opened	Path: \pipe\net\NtControlPipe20 Access: read attributes and synchronize and generic read and generic write Options: synchronous io non alert and non directory file Attributes: normal Content Overwritten: true	success or wait	533808313
File other op	Path: \net\NtControlPipe20 New path: Disposition: PipeInformation Data : unknown	success or wait	533809251
File write	Path: \net\NtControlPipe20 Offset: unknown Length: 4 Value: dc 03 00 00	success or wait	533836037
Process information queried	Path: C:\WINDOWS\system32\LogFiles\smss.exe PID: 988 Info Class: Wow64Information	success or wait	533837965
File read	Path: \net\NtControlPipe20 Offset: unknown Length: 534	success or wait	533838313
Memory allocated	PID: 988 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 800000 Length: 13F55C Allocation Type: unknown Protection: page read and write	success or wait	533843668
Memory allocated	PID: 988 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 8FE000 Length: 13F558 Allocation Type: unknown Protection: page read and write	success or wait	533844043
Memory attributes changed	PID: 988 Path: C:\WINDOWS\system32\LogFiles\smss.exe Base: 8FE000 Length: 1000 New Protection: page read and write and page guard Old Protection: page read and write	success or wait	533846836
Thread created	PID: 988 TID: 1268 EIP: 7C8106F9 EAX: 77DF3539 Imagepath: C:\WINDOWS\system32\LogFiles\smss.exe	success or wait	533847792
Thread resumed	TID: 1268 PID: 988 Path: C:\WINDOWS\system32\LogFiles\smss.exe	success or wait	533848582
Thread delayed	Time: -360 TID: 1268	unknown	533853072
File write	Path: \net\NtControlPipe20 Offset: unknown Length: 4 Value: dc 03 00 00	success or wait	533879232
File read	Path: \net\NtControlPipe20 Offset: unknown Length: 534	unknown	533882374

General Information

Classification / Threat Score

Matching Signatures

Startup

Created / dropped Files

Contacted Domains

Contacted IPs

Static File Info

Static PE Info

String Analysis

Network Behavior

Code Manipulation Behavior

System Behavior

Analysis File: long sleep 2s.exe PID: 1764 Parent PID: 1504

File Activites

Section Activites

Registry Activites

Process Activites

Thread Activites

Memory Activites

System Activites

Analysis File: cmd.exe PID: 1492 Parent PID: 1764

File Activites

Section Activites

Registry Activites

Mutex Activites

Process Activites

Memory Activites

System Activites

Analysis File: explorer.exe PID: 1696 Parent PID: 1764

File Activites

Section Activites

Registry Activites

Mutex Activites

Process Activites

Thread Activites

Memory Activites

System Activites

Timing Activites

Windows UI Activites

Process Token Activites

Analysis File: cmd.exe PID: 260 Parent PID: 1764

File Activites

Section Activites

Registry Activites

Mutex Activites

Process Activites

Thread Activites

Memory Activites

System Activites

Analysis File: smss.exe PID: 2036 Parent PID: 260

File Activites

Section Activites

Registry Activites

Mutex Activites

Process Activites

Memory Activites

System Activites

Timing Activites

Analysis File: smss.exe PID: 988 Parent PID: 664

File Activites

Section Activites

Registry Activites

Mutex Activites

Process Activites

Thread Activites

Memory Activites

System Activites

Timing Activites