Analysis Report

Monitored Processes

Behavior Information - Grouped by Category

Process #1: cb91b8695d3990b5b5eae8a714bd357e.exe

(Host: 408, Network: 0)

Information	Value
ID / OS PID	#1 / 0x7a8
OS Parent PID	0x358 (c:\windows\explorer.exe)
Initial Working Directory	C:\Users\uWZPA0LPqa\Desktop
File Name	c:\users\uwzpa0lpqa\desktop\cb91b8695d3990b5b5eae8a714bd357e.exe
Command Line	"C:\Users\uWZPA0LPqa\Desktop\cb91b8695d3990b5b5eae8a714bd357e.exe"
Monitor	Start Time: 00:00:38, Reason: Analysis Target
Unmonitor	End Time: 00:02:07, Reason: Terminated by Timeout
Monitor Duration	00:01:29
OS Thread IDs	#1 0xA98 #2 0x5FC

Region

Name	Start VA	End VA	Type	Permissions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	Readable, Writable
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed File	Readable, Writable
private_0x0000000000020000	0x00020000	0x00023fff	Private Memory	Readable, Writable
private_0x0000000000030000	0x00030000	0x00030fff	Private Memory	Readable, Writable
private_0x0000000000030000	0x00030000	0x00030fff	Private Memory	Readable, Writable
pagefile_0x0000000000040000	0x00040000	0x0004efff	Pagefile Backed File	Readable
private_0x0000000000050000	0x00050000	0x0008ffff	Private Memory	Readable, Writable
private_0x0000000000090000	0x00090000	0x0018ffff	Private Memory	Readable, Writable
pagefile_0x0000000000190000	0x00190000	0x00193fff	Pagefile Backed File	Readable
private_0x00000000001a0000	0x001a0000	0x001a1fff	Private Memory	Readable, Writable
private_0x00000000001b0000	0x001b0000	0x001b0fff	Private Memory	Readable, Writable
private_0x00000000001d0000	0x001d0000	0x001dffff	Private Memory	Readable, Writable
private_0x00000000001e0000	0x001e0000	0x001effff	Private Memory	Readable, Writable
locale.nls	0x001f0000	0x0026dfff	Memory Mapped File	Readable
private_0x0000000000270000	0x00270000	0x002d3fff	Private Memory	Readable
private_0x00000000002e0000	0x002e0000	0x003dffff	Private Memory	Readable, Writable
cb91b8695d3990b5b5eae8a714bd357e.exe	0x00400000	0x00463fff	Memory Mapped File	Readable, Writable, Executable
private_0x0000000000470000	0x00470000	0x00495fff	Private Memory	Readable, Writable
private_0x0000000000520000	0x00520000	0x0052ffff	Private Memory	Readable, Writable
pagefile_0x0000000000530000	0x00530000	0x006b7fff	Pagefile Backed File	Readable
pagefile_0x00000000006c0000	0x006c0000	0x00840fff	Pagefile Backed File	Readable
pagefile_0x0000000000850000	0x00850000	0x01c4ffff	Pagefile Backed File	Readable
SortDefault.nls	0x01c50000	0x01f24fff	Memory Mapped File	Readable
winspool.drv	0x74ab0000	0x74b14fff	Memory Mapped File	Readable, Writable, Executable
profapi.dll	0x74b20000	0x74b2efff	Memory Mapped File	Readable, Writable, Executable
userenv.dll	0x74b30000	0x74b4afff	Memory Mapped File	Readable, Writable, Executable
iertutil.dll	0x74b50000	0x74d81fff	Memory Mapped File	Readable, Writable, Executable
wininet.dll	0x74d90000	0x74f65fff	Memory Mapped File	Readable, Writable, Executable
comctl32.dll	0x74f70000	0x74ff8fff	Memory Mapped File	Readable, Writable, Executable
apphelp.dll	0x75000000	0x7509ffff	Memory Mapped File	Readable, Writable, Executable
bcryptprimitives.dll	0x750a0000	0x750f3fff	Memory Mapped File	Readable, Writable, Executable
cryptbase.dll	0x75100000	0x75109fff	Memory Mapped File	Readable, Writable, Executable
sspicli.dll	0x75110000	0x7512dfff	Memory Mapped File	Readable, Writable, Executable
KernelBase.dll	0x75190000	0x75266fff	Memory Mapped File	Readable, Writable, Executable
imagehlp.dll	0x75270000	0x75283fff	Memory Mapped File	Readable, Writable, Executable
gdi32.dll	0x75320000	0x7542dfff	Memory Mapped File	Readable, Writable, Executable
advapi32.dll	0x75430000	0x754abfff	Memory Mapped File	Readable, Writable, Executable
shlwapi.dll	0x75500000	0x75544fff	Memory Mapped File	Readable, Writable, Executable
psapi.dll	0x75550000	0x75555fff	Memory Mapped File	Readable, Writable, Executable
rpcrt4.dll	0x75620000	0x756d9fff	Memory Mapped File	Readable, Writable, Executable
sechost.dll	0x75790000	0x757d0fff	Memory Mapped File	Readable, Writable, Executable
combase.dll	0x757e0000	0x7595cfff	Memory Mapped File	Readable, Writable, Executable
kernel32.dll	0x75960000	0x75a9ffff	Memory Mapped File	Readable, Writable, Executable
ole32.dll	0x75aa0000	0x75bc7fff	Memory Mapped File	Readable, Writable, Executable
shell32.dll	0x75c60000	0x76f0cfff	Memory Mapped File	Readable, Writable, Executable
msvcrt.dll	0x77240000	0x77302fff	Memory Mapped File	Readable, Writable, Executable
msctf.dll	0x77350000	0x77462fff	Memory Mapped File	Readable, Writable, Executable
user32.dll	0x776a0000	0x777f2fff	Memory Mapped File	Readable, Writable, Executable
imm32.dll	0x77800000	0x77826fff	Memory Mapped File	Readable, Writable, Executable
wow64.dll	0x77840000	0x7788afff	Memory Mapped File	Readable, Writable, Executable
wow64win.dll	0x77890000	0x778f7fff	Memory Mapped File	Readable, Writable, Executable
wow64cpu.dll	0x77900000	0x77908fff	Memory Mapped File	Readable, Writable, Executable
ntdll.dll	0x77910000	0x77a7dfff	Memory Mapped File	Readable, Writable, Executable
pagefile_0x000000007feb0000	0x7feb0000	0x7ffaffff	Pagefile Backed File	Readable
pagefile_0x000000007ffb0000	0x7ffb0000	0x7ffd2fff	Pagefile Backed File	Readable
private_0x000000007ffdb000	0x7ffdb000	0x7ffddfff	Private Memory	Readable, Writable
private_0x000000007ffde000	0x7ffde000	0x7ffdefff	Private Memory	Readable, Writable
private_0x000000007ffdf000	0x7ffdf000	0x7ffdffff	Private Memory	Readable, Writable
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable
private_0x000000007fff0000	0x7fff0000	0x7ff80c08ffff	Private Memory	Readable
ntdll.dll	0x7ff80c090000	0x7ff80c23bfff	Memory Mapped File	Readable, Writable, Executable
private_0x00007ff80c23c000	0x7ff80c23c000	0x7ffffffeffff	Private Memory	Readable

Created or Modified Files

Filename	File Size	Hash Values
c:\users\uwzpa0~1\appdata\local\temp\3e0d.tmp	225.50 KB (230912 bytes)	MD5: cb91b8695d3990b5b5eae8a714bd357e SHA1: 3cd6ef10dd6cbe6f158a360cf5b112cef2e18304 SHA256: eec6bfe112155ab94029f0f8f27a484edf35b5d743503e0199637084d9520ebc

Host Behavior

File (6)

Operation	Filename	Additional Information	Amount	Logfile
CREATE_TMPFILE	c:\users\uwzpa0~1\appdata\local\temp\ff1e.tmp	path = C:\Users\UWZPA0~1\AppData\Local\Temp\	1	Fn
CREATE_TMPFILE	c:\users\uwzpa0~1\appdata\local\temp\3e0d.tmp	path = C:\Users\UWZPA0~1\AppData\Local\Temp\	1	Fn
OPEN	c:	desired_access = SYNCHRONIZE, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE, open_options = FILE_SYNCHRONOUS_IO_NONALERT	1	Fn
OPEN	\device\harddisk0\dr0	desired_access = SYNCHRONIZE, GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE, open_options = FILE_SYNCHRONOUS_IO_NONALERT	1	Fn
MOVE	c:\users\uwzpa0~1\appdata\local\temp\3e0d.tmp	file_name = c:\users\uwzpa0lpqa\desktop\cb91b8695d3990b5b5eae8a714bd357e.exe	1	Fn
MOVE	c:\users\uwzpa0~1\appdata\local\temp\3e0d.tmp		1	Fn

Module (134)

Operation	Module	Additional Information	Amount	Logfile
LOAD	imagehlp.dll	base_address = 0x75270000	1	Fn
LOAD	PSAPI.DLL	base_address = 0x75550000	1	Fn
LOAD	WININET.dll	base_address = 0x74d90000	1	Fn
LOAD	SHELL32.dll	base_address = 0x75c60000	1	Fn
LOAD	ole32.dll	base_address = 0x75aa0000	1	Fn
LOAD	WINSPOOL.DRV	base_address = 0x74ab0000	1	Fn
GET_HANDLE	KERNEL32.dll		1	Fn
GET_HANDLE	ADVAPI32.dll		1	Fn
GET_HANDLE	ntdll.dll		2	Fn
GET_HANDLE	SHLWAPI.dll		1	Fn
GET_HANDLE	imagehlp.dll		1	Fn
GET_HANDLE	PSAPI.DLL		1	Fn
GET_HANDLE	RPCRT4.dll		1	Fn
GET_HANDLE	WININET.dll		1	Fn
GET_HANDLE	SHELL32.dll		1	Fn
GET_HANDLE	ole32.dll		1	Fn
GET_HANDLE	WINSPOOL.DRV		1	Fn
GET_HANDLE	c:\users\uwzpa0lpqa\desktop\cb91b8695d3990b5b5eae8a714bd357e.exe		1	Fn
GET_HANDLE	kernel32.dll		1	Fn
GET_PROC_ADDRESS		function = StrCmpNIA, address_out = 0x7551b430	1	Fn
GET_PROC_ADDRESS	KERNEL32.dll	function = GetTempPathA, address_out = 0x75985890	1	Fn
GET_PROC_ADDRESS	KERNEL32.dll	function = GetProcAddress, address_out = 0x75977b50	1	Fn
GET_PROC_ADDRESS	KERNEL32.dll	function = GetModuleHandleA, address_out = 0x75978f60	1	Fn
GET_PROC_ADDRESS	KERNEL32.dll	function = CopyFileA, address_out = 0x7597fe50	1	Fn
GET_PROC_ADDRESS	KERNEL32.dll	function = LoadLibraryExA, address_out = 0x7597a970	1	Fn
GET_PROC_ADDRESS	KERNEL32.dll	function = FreeLibrary, address_out = 0x7597a790	1	Fn
GET_PROC_ADDRESS	KERNEL32.dll	function = DeleteFileA, address_out = 0x75988950	1	Fn
GET_PROC_ADDRESS	KERNEL32.dll	function = GetPrivateProfileIntA, address_out = 0x7597ca90	1	Fn
GET_PROC_ADDRESS	KERNEL32.dll	function = GetPrivateProfileStringA, address_out = 0x7597cb60	1	Fn
GET_PROC_ADDRESS	KERNEL32.dll	function = WritePrivateProfileStringA, address_out = 0x7597c590	1	Fn
GET_PROC_ADDRESS	KERNEL32.dll	function = CreateFileA, address_out = 0x75988920	1	Fn
GET_PROC_ADDRESS	KERNEL32.dll	function = WriteFile, address_out = 0x75988cf0	1	Fn
GET_PROC_ADDRESS	KERNEL32.dll	function = CloseHandle, address_out = 0x759886f0	1	Fn
GET_PROC_ADDRESS	KERNEL32.dll	function = GetTempFileNameA, address_out = 0x759a3bf0	1	Fn
GET_PROC_ADDRESS	KERNEL32.dll	function = GetSystemTime, address_out = 0x75979200	1	Fn
GET_PROC_ADDRESS	KERNEL32.dll	function = GetFileAttributesA, address_out = 0x75988aa0	1	Fn
GET_PROC_ADDRESS	KERNEL32.dll	function = DeviceIoControl, address_out = 0x75978a50	1	Fn
GET_PROC_ADDRESS	KERNEL32.dll	function = SystemTimeToFileTime, address_out = 0x7597a950	1	Fn
GET_PROC_ADDRESS	KERNEL32.dll	function = GetCurrentProcessId, address_out = 0x759722d0	1	Fn
GET_PROC_ADDRESS	KERNEL32.dll	function = FreeLibraryAndExitThread, address_out = 0x75985c10	1	Fn
GET_PROC_ADDRESS	KERNEL32.dll	function = GetCurrentProcess, address_out = 0x759728e0	1	Fn
GET_PROC_ADDRESS	KERNEL32.dll	function = CreateFileW, address_out = 0x75988930	1	Fn
GET_PROC_ADDRESS	KERNEL32.dll	function = GetFileSize, address_out = 0x75988af0	1	Fn
GET_PROC_ADDRESS	KERNEL32.dll	function = ReadFile, address_out = 0x75988c00	1	Fn
GET_PROC_ADDRESS	KERNEL32.dll	function = SetFilePointer, address_out = 0x75988c90	1	Fn
GET_PROC_ADDRESS	KERNEL32.dll	function = SetEndOfFile, address_out = 0x75988c50	1	Fn
GET_PROC_ADDRESS	KERNEL32.dll	function = GetModuleHandleW, address_out = 0x7597a0c0	1	Fn
GET_PROC_ADDRESS	KERNEL32.dll	function = CopyFileW, address_out = 0x75986770	1	Fn
GET_PROC_ADDRESS	KERNEL32.dll	function = CreateFileMappingA, address_out = 0x759770f0	1	Fn
GET_PROC_ADDRESS	KERNEL32.dll	function = MapViewOfFile, address_out = 0x75978b50	1	Fn
GET_PROC_ADDRESS	KERNEL32.dll	function = UnmapViewOfFile, address_out = 0x7597a100	1	Fn
GET_PROC_ADDRESS	KERNEL32.dll	function = Sleep, address_out = 0x759782d0	1	Fn
GET_PROC_ADDRESS	KERNEL32.dll	function = DeleteFileW, address_out = 0x75988960	1	Fn
GET_PROC_ADDRESS	KERNEL32.dll	function = ExitProcess, address_out = 0x75989850	1	Fn
GET_PROC_ADDRESS	KERNEL32.dll	function = GetCommandLineA, address_out = 0x7597b5a0	1	Fn
GET_PROC_ADDRESS	KERNEL32.dll	function = CreateThread, address_out = 0x7597a740	1	Fn
GET_PROC_ADDRESS	KERNEL32.dll	function = GetSystemTimeAsFileTime, address_out = 0x759770c0	1	Fn
GET_PROC_ADDRESS	KERNEL32.dll	function = VirtualProtect, address_out = 0x75978ab0	1	Fn
GET_PROC_ADDRESS	KERNEL32.dll	function = VirtualFree, address_out = 0x75978f20	1	Fn
GET_PROC_ADDRESS	KERNEL32.dll	function = GetLastError, address_out = 0x759726e0	1	Fn
GET_PROC_ADDRESS	KERNEL32.dll	function = GetVersionExA, address_out = 0x75978b10	1	Fn
GET_PROC_ADDRESS	KERNEL32.dll	function = MoveFileExW, address_out = 0x7597b950	1	Fn
GET_PROC_ADDRESS	KERNEL32.dll	function = GetTempFileNameW, address_out = 0x75988b80	1	Fn
GET_PROC_ADDRESS	KERNEL32.dll	function = GetTempPathW, address_out = 0x75988b90	1	Fn
GET_PROC_ADDRESS	KERNEL32.dll	function = GetModuleFileNameW, address_out = 0x7597a0e0	1	Fn
GET_PROC_ADDRESS	KERNEL32.dll	function = GetWindowsDirectoryW, address_out = 0x7597b6c0	1	Fn
GET_PROC_ADDRESS	KERNEL32.dll	function = VirtualAlloc, address_out = 0x75978b90	1	Fn
GET_PROC_ADDRESS	ADVAPI32.dll	function = QueryServiceStatusEx, address_out = 0x7545ce30	1	Fn
GET_PROC_ADDRESS	ADVAPI32.dll	function = StartServiceA, address_out = 0x754746d0	1	Fn
GET_PROC_ADDRESS	ADVAPI32.dll	function = OpenSCManagerA, address_out = 0x75439510	1	Fn
GET_PROC_ADDRESS	ADVAPI32.dll	function = OpenServiceA, address_out = 0x75474320	1	Fn
GET_PROC_ADDRESS	ADVAPI32.dll	function = GetUserNameW, address_out = 0x75447190	1	Fn
GET_PROC_ADDRESS	ADVAPI32.dll	function = OpenProcessToken, address_out = 0x75439290	1	Fn
GET_PROC_ADDRESS	ADVAPI32.dll	function = RegCloseKey, address_out = 0x75439330	1	Fn
GET_PROC_ADDRESS	ADVAPI32.dll	function = RegSetValueExA, address_out = 0x75446fb0	1	Fn
GET_PROC_ADDRESS	ADVAPI32.dll	function = RegCreateKeyA, address_out = 0x7545c620	1	Fn
GET_PROC_ADDRESS	ADVAPI32.dll	function = CloseServiceHandle, address_out = 0x754394f0	1	Fn
GET_PROC_ADDRESS	ntdll.dll	function = RtlComputeCrc32, address_out = 0x779e7db0	1	Fn
GET_PROC_ADDRESS	ntdll.dll	function = LdrAddRefDll, address_out = 0x77973f70	1	Fn
GET_PROC_ADDRESS	ntdll.dll	function = ZwImpersonateThread, address_out = 0x7794d7e0	1	Fn
GET_PROC_ADDRESS	ntdll.dll	function = ZwOpenThread, address_out = 0x7794da70	1	Fn
GET_PROC_ADDRESS	ntdll.dll	function = RtlEqualUnicodeString, address_out = 0x7795a050	1	Fn
GET_PROC_ADDRESS	ntdll.dll	function = ZwQueryInformationToken, address_out = 0x7794cb40	1	Fn
GET_PROC_ADDRESS	ntdll.dll	function = wcsncpy, address_out = 0x779ad5b0	1	Fn
GET_PROC_ADDRESS	ntdll.dll	function = ZwOpenFile, address_out = 0x7794cc60	1	Fn
GET_PROC_ADDRESS	ntdll.dll	function = ZwClose, address_out = 0x7794ca20	1	Fn
GET_PROC_ADDRESS	ntdll.dll	function = ZwLoadDriver, address_out = 0x7794d850	1	Fn
GET_PROC_ADDRESS	ntdll.dll	function = strncat, address_out = 0x77938c30	1	Fn
GET_PROC_ADDRESS	ntdll.dll	function = ZwCreateEvent, address_out = 0x7794cdb0	1	Fn
GET_PROC_ADDRESS	ntdll.dll	function = RtlInitUnicodeString, address_out = 0x77937520	1	Fn
GET_PROC_ADDRESS	ntdll.dll	function = _snwprintf, address_out = 0x779ac100	2	Fn
GET_PROC_ADDRESS	ntdll.dll	function = atoi, address_out = 0x779abbf0	1	Fn
GET_PROC_ADDRESS	ntdll.dll	function = ZwTestAlert, address_out = 0x7794e2f0	1	Fn
GET_PROC_ADDRESS	ntdll.dll	function = RtlRandom, address_out = 0x779f2780	1	Fn
GET_PROC_ADDRESS	ntdll.dll	function = ZwRaiseHardError, address_out = 0x7794ddb0	1	Fn
GET_PROC_ADDRESS	ntdll.dll	function = RtlAdjustPrivilege, address_out = 0x779ab650	1	Fn
GET_PROC_ADDRESS	ntdll.dll	function = ZwQuerySystemInformation, address_out = 0x7794cc90	1	Fn
GET_PROC_ADDRESS	ntdll.dll	function = sscanf, address_out = 0x779acff0	1	Fn
GET_PROC_ADDRESS	ntdll.dll	function = strncpy, address_out = 0x77938d70	1	Fn
GET_PROC_ADDRESS	ntdll.dll	function = _chkstk, address_out = 0x77951140	1	Fn
GET_PROC_ADDRESS	ntdll.dll	function = memcpy, address_out = 0x779382c0	1	Fn
GET_PROC_ADDRESS	ntdll.dll	function = _snprintf, address_out = 0x779ac050	1	Fn
GET_PROC_ADDRESS	ntdll.dll	function = RtlImageNtHeader, address_out = 0x77964af0	1	Fn
GET_PROC_ADDRESS	ntdll.dll	function = ZwDeviceIoControlFile, address_out = 0x7794c9a0	1	Fn
GET_PROC_ADDRESS	ntdll.dll	function = memset, address_out = 0x77938940	1	Fn
GET_PROC_ADDRESS	SHLWAPI.dll	function = StrStrIW, address_out = 0x75508bc0	1	Fn
GET_PROC_ADDRESS	SHLWAPI.dll	function = SHDeleteKeyA, address_out = 0x7551ba40	1	Fn
GET_PROC_ADDRESS	SHLWAPI.dll	function = PathFileExistsW, address_out = 0x75508fc0	1	Fn
GET_PROC_ADDRESS	SHLWAPI.dll	function = StrStrIA, address_out = 0x7550f9c0	1	Fn
GET_PROC_ADDRESS	SHLWAPI.dll	function = PathFileExistsA, address_out = 0x7551ab40	1	Fn
GET_PROC_ADDRESS	SHLWAPI.dll	function = PathAppendA, address_out = 0x7551aa60	1	Fn
GET_PROC_ADDRESS	SHLWAPI.dll	function = PathFindFileNameW, address_out = 0x75508ba0	1	Fn
GET_PROC_ADDRESS	SHLWAPI.dll	function = SHGetValueA, address_out = 0x7550f890	1	Fn
GET_PROC_ADDRESS	SHLWAPI.dll	function = PathRemoveFileSpecA, address_out = 0x7551aee0	1	Fn
GET_PROC_ADDRESS	imagehlp.dll	function = CheckSumMappedFile, address_out = 0x75277d30	1	Fn
GET_PROC_ADDRESS	PSAPI.DLL	function = GetMappedFileNameW, address_out = 0x75551720	1	Fn
GET_PROC_ADDRESS	RPCRT4.dll	function = UuidCreateSequential, address_out = 0x7564bb50	1	Fn
GET_PROC_ADDRESS	WININET.dll	function = InternetCrackUrlA, address_out = 0x74e0fd30	1	Fn
GET_PROC_ADDRESS	WININET.dll	function = InternetConnectA, address_out = 0x74e3a3c0	1	Fn
GET_PROC_ADDRESS	WININET.dll	function = HttpOpenRequestA, address_out = 0x74e3a450	1	Fn
GET_PROC_ADDRESS	WININET.dll	function = HttpSendRequestA, address_out = 0x74e370c0	1	Fn
GET_PROC_ADDRESS	WININET.dll	function = InternetQueryOptionA, address_out = 0x74da1e40	1	Fn
GET_PROC_ADDRESS	WININET.dll	function = InternetSetOptionA, address_out = 0x74da4230	1	Fn
GET_PROC_ADDRESS	WININET.dll	function = InternetCloseHandle, address_out = 0x74db43c0	1	Fn
GET_PROC_ADDRESS	WININET.dll	function = InternetOpenA, address_out = 0x74dd34f0	1	Fn
GET_PROC_ADDRESS	SHELL32.dll	function = ShellExecuteW, address_out = 0x75d408f0	1	Fn
GET_PROC_ADDRESS	ole32.dll	function = CoCreateInstance, address_out = 0x75800590	1	Fn
GET_PROC_ADDRESS	ole32.dll	function = CoInitialize, address_out = 0x75aa9ec0	1	Fn
GET_PROC_ADDRESS	ole32.dll	function = CoUninitialize, address_out = 0x757eb890	1	Fn
GET_PROC_ADDRESS	WINSPOOL.DRV	function = DeletePrintProvidorW, address_out = 0x74ad6410	1	Fn
GET_PROC_ADDRESS	WINSPOOL.DRV	function = AddPrintProvidorW, address_out = 0x74ad4aa0	1	Fn
GET_PROC_ADDRESS	kernel32.dll	function = IsWow64Process, address_out = 0x75978f40	1	Fn

Driver (267)

Operation	Driver	Additional Information	Success	Amount	Logfile
CONTROL	c:	control_code = 0x560000		1	Fn
CONTROL	\device\harddisk0\dr0	control_code = 0x4d014		266	Fn

User (1)

Operation	User/Group/Server	Additional Information	Success	Amount	Logfile
SET_PRIVILEGE	Localhost	privilege = SeShutdownPrivilege, enable_privilege = 1		1	Fn

Process #2: System

Information	Value
ID / OS PID	#2 / 0x4
OS Parent PID	0xffffffffffffffff (Unknown)
Initial Working Directory
File Name	System
Command Line
Monitor	Start Time: 00:01:20, Reason: Kernel Analysis
Unmonitor	End Time: 00:02:07, Reason: Terminated by Timeout
Monitor Duration	00:00:47
OS Thread IDs	#3 0x8 #4 0x18 #5 0x14 #6 0x28 #7 0x38 #8 0x70 #9 0x74 #10 0x90 #11 0x94 #12 0x5C #13 0x30 #14 0x9C #15 0xAC #16 0xB0 #17 0x88 #18 0x84 #19 0x80 #20 0x8C #21 0xC8 #22 0x78 #23 0x7C #24 0xE0 #26 0x4C #28 0xFC #29 0x100 #30 0x104 #31 0x108 #32 0x110 #33 0xF4 #34 0x10C #35 0x58 #36 0x11C #37 0x10 #38 0x34 #39 0x124 #42 0x13C #43 0x144 #44 0x148 #57 0x20 #60 0x190 #61 0x140 #70 0xE8 #86 0x128 #89 0x1F0 #96 0x3C #118 0x48
Remarks	No high level activity detected in monitored regions

Region

Name	Start VA	End VA	Type	Permissions	Monitored	Dump
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable
pagefile_0x000000d9847a0000	0xd9847a0000	0xd9847c2fff	Pagefile Backed File	Readable, Writable

Process #3: smss.exe

Information	Value
ID / OS PID	#3 / 0xec
OS Parent PID	0x4 (System)
Initial Working Directory	X:\windows
File Name	c:\windows\system32\smss.exe
Command Line	\SystemRoot\System32\smss.exe
Monitor	Start Time: 00:01:27, Reason: Child Process
Unmonitor	End Time: 00:02:07, Reason: Terminated by Timeout
Monitor Duration	00:00:40
OS Thread IDs	#25 0xF0 #27 0xF8 #66 0x1A8
Remarks	No high level activity detected in monitored regions

Region

Name	Start VA	End VA	Type	Permissions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable
private_0x00000075205b0000	0x75205b0000	0x75205cffff	Private Memory	Readable, Writable
pagefile_0x00000075205d0000	0x75205d0000	0x75205defff	Pagefile Backed File	Readable
private_0x00000075205e0000	0x75205e0000	0x752065ffff	Private Memory	Readable, Writable
pagefile_0x00007ff6fef70000	0x7ff6fef70000	0x7ff6fef92fff	Pagefile Backed File	Readable
private_0x00007ff6fef9c000	0x7ff6fef9c000	0x7ff6fef9cfff	Private Memory	Readable, Writable
private_0x00007ff6fef9e000	0x7ff6fef9e000	0x7ff6fef9ffff	Private Memory	Readable, Writable
smss.exe	0x7ff6ff8f0000	0x7ff6ff914fff	Memory Mapped File	Readable, Writable, Executable
ntdll.dll	0x7ffb74120000	0x7ffb742cbfff	Memory Mapped File	Readable, Writable, Executable

Process #4: smss.exe

Information	Value
ID / OS PID	#4 / 0x12c
OS Parent PID	0xec (c:\windows\system32\smss.exe)
Initial Working Directory	X:\windows
File Name	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\smss.exe
Command Line	\SystemRoot\System32\smss.exe 00000000 00000050
Monitor	Start Time: 00:01:32, Reason: Child Process
Unmonitor	End Time: 00:01:33, Reason: Terminated
Monitor Duration	00:00:01
OS Thread IDs	#40 0x130
Remarks	No high level activity detected in monitored regions

Region

Name	Start VA	End VA	Type	Permissions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable
private_0x000000af73b50000	0xaf73b50000	0xaf73b6ffff	Private Memory	Readable, Writable
pagefile_0x000000af73b70000	0xaf73b70000	0xaf73b7efff	Pagefile Backed File	Readable
private_0x000000af73b80000	0xaf73b80000	0xaf73bfffff	Private Memory	Readable, Writable
pagefile_0x00007ff6fef00000	0x7ff6fef00000	0x7ff6fef22fff	Pagefile Backed File	Readable
private_0x00007ff6fef2c000	0x7ff6fef2c000	0x7ff6fef2dfff	Private Memory	Readable, Writable
private_0x00007ff6fef2e000	0x7ff6fef2e000	0x7ff6fef2efff	Private Memory	Readable, Writable
smss.exe	0x7ff6ff8f0000	0x7ff6ff914fff	Memory Mapped File	Readable, Writable, Executable
ntdll.dll	0x7ffb74120000	0x7ffb742cbfff	Memory Mapped File	Readable, Writable, Executable

Process #5: csrss.exe

(Host: 258, Network: 0)

Information	Value
ID / OS PID	#5 / 0x134
OS Parent PID	0x12c (\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\smss.exe)
Initial Working Directory	X:\windows\system32
File Name	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe
Command Line	%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
Monitor	Start Time: 00:01:32, Reason: Child Process
Unmonitor	End Time: 00:02:07, Reason: Terminated by Timeout
Monitor Duration	00:00:35
OS Thread IDs	#41 0x138 #45 0x14C #46 0x150 #47 0x154 #48 0x158 #58 0x188 #63 0x1A0 #64 0x1A4 #87 0x200 #128 0x2BC

Region

Name	Start VA	End VA	Type	Permissions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable
private_0x0000004582960000	0x4582960000	0x458297ffff	Private Memory	Readable, Writable
private_0x0000004582960000	0x4582960000	0x4582966fff	Private Memory	Readable, Writable
csrss.exe.mui	0x4582970000	0x4582970fff	Memory Mapped File	Readable
pagefile_0x0000004582980000	0x4582980000	0x458298efff	Pagefile Backed File	Readable
private_0x0000004582990000	0x4582990000	0x45829cffff	Private Memory	Readable, Writable
pagefile_0x0000004582990000	0x4582990000	0x458299ffff	Pagefile Backed File	Readable, Writable
MARLETT.TTF	0x45829a0000	0x45829a6fff	Memory Mapped File	Readable
pagefile_0x00000045829b0000	0x45829b0000	0x45829c7fff	Pagefile Backed File	Readable
locale.nls	0x45829d0000	0x4582a4dfff	Memory Mapped File	Readable
winsrv.DLL.mui	0x4582a50000	0x4582a51fff	Memory Mapped File	Readable
private_0x0000004582a60000	0x4582a60000	0x4582a60fff	Private Memory	Readable, Writable
VGASYS.FON	0x4582a70000	0x4582a71fff	Memory Mapped File	Readable
private_0x0000004582a80000	0x4582a80000	0x4582abffff	Private Memory	Readable, Writable
private_0x0000004582ac0000	0x4582ac0000	0x4582ac0fff	Private Memory	Readable, Writable
private_0x0000004582ad0000	0x4582ad0000	0x4582ad0fff	Private Memory	Readable, Writable
private_0x0000004582ae0000	0x4582ae0000	0x4582ae0fff	Private Memory	Readable, Writable
private_0x0000004582af0000	0x4582af0000	0x4582beffff	Private Memory	Readable, Writable
pagefile_0x0000004582bf0000	0x4582bf0000	0x4582d70fff	Pagefile Backed File	Readable
private_0x0000004582d80000	0x4582d80000	0x4582dbffff	Private Memory	Readable, Writable
private_0x0000004582dc0000	0x4582dc0000	0x4582dfffff	Private Memory	Readable, Writable
private_0x0000004582e00000	0x4582e00000	0x4582e3ffff	Private Memory	Readable, Writable
pagefile_0x0000004582e40000	0x4582e40000	0x4582fc7fff	Pagefile Backed File	Readable
private_0x0000004582fd0000	0x4582fd0000	0x458300ffff	Private Memory	Readable, Writable
private_0x0000004583010000	0x4583010000	0x458304ffff	Private Memory	Readable, Writable
private_0x0000004583050000	0x4583050000	0x458308ffff	Private Memory	Readable, Writable
TAHOMABD.TTF	0x4583090000	0x4583139fff	Memory Mapped File	Readable
TAHOMA.TTF	0x4583140000	0x45831f6fff	Memory Mapped File	Readable
pagefile_0x0000004583200000	0x4583200000	0x458322ffff	Pagefile Backed File	Readable
pagefile_0x0000004583230000	0x4583230000	0x458462ffff	Pagefile Backed File	Readable
pagefile_0x0000004584630000	0x4584630000	0x458463ffff	Pagefile Backed File	Readable, Writable
pagefile_0x0000004584640000	0x4584640000	0x458464ffff	Pagefile Backed File	Readable, Writable
private_0x0000004584650000	0x4584650000	0x458468ffff	Private Memory	Readable, Writable
pagefile_0x0000004584690000	0x4584690000	0x458469ffff	Pagefile Backed File	Readable, Writable
pagefile_0x00000045846a0000	0x45846a0000	0x45846affff	Pagefile Backed File	Readable, Writable
private_0x00007ff61939c000	0x7ff61939c000	0x7ff61939dfff	Private Memory	Readable, Writable
private_0x00007ff61939e000	0x7ff61939e000	0x7ff61939ffff	Private Memory	Readable, Writable
pagefile_0x00007ff6193a0000	0x7ff6193a0000	0x7ff61949ffff	Pagefile Backed File	Readable, Writable
pagefile_0x00007ff6194a0000	0x7ff6194a0000	0x7ff6194c2fff	Pagefile Backed File	Readable
private_0x00007ff6194c3000	0x7ff6194c3000	0x7ff6194c4fff	Private Memory	Readable, Writable
private_0x00007ff6194c5000	0x7ff6194c5000	0x7ff6194c6fff	Private Memory	Readable, Writable
private_0x00007ff6194c7000	0x7ff6194c7000	0x7ff6194c8fff	Private Memory	Readable, Writable
private_0x00007ff6194c9000	0x7ff6194c9000	0x7ff6194cafff	Private Memory	Readable, Writable
private_0x00007ff6194cb000	0x7ff6194cb000	0x7ff6194ccfff	Private Memory	Readable, Writable
private_0x00007ff6194cd000	0x7ff6194cd000	0x7ff6194cefff	Private Memory	Readable, Writable
private_0x00007ff6194cd000	0x7ff6194cd000	0x7ff6194cefff	Private Memory	Readable, Writable
private_0x00007ff6194cf000	0x7ff6194cf000	0x7ff6194cffff	Private Memory	Readable, Writable
csrss.exe	0x7ff61a100000	0x7ff61a106fff	Memory Mapped File	Readable, Writable, Executable
bcryptPrimitives.dll	0x7ffb71580000	0x7ffb715e2fff	Memory Mapped File	Readable, Writable, Executable
CRYPTBASE.dll	0x7ffb715f0000	0x7ffb715fafff	Memory Mapped File	Readable, Writable, Executable
sxs.dll	0x7ffb71600000	0x7ffb71698fff	Memory Mapped File	Readable, Writable, Executable
sxssrv.DLL	0x7ffb716d0000	0x7ffb716dcfff	Memory Mapped File	Readable, Writable, Executable
winsrv.DLL	0x7ffb716e0000	0x7ffb71713fff	Memory Mapped File	Readable, Writable, Executable
basesrv.DLL	0x7ffb71720000	0x7ffb71732fff	Memory Mapped File	Readable, Writable, Executable
CSRSRV.dll	0x7ffb71740000	0x7ffb71755fff	Memory Mapped File	Readable, Writable, Executable
kernelbase.dll	0x7ffb71760000	0x7ffb71874fff	Memory Mapped File	Readable, Writable, Executable
gdi32.dll	0x7ffb71ad0000	0x7ffb71c20fff	Memory Mapped File	Readable, Writable, Executable
kernel32.dll	0x7ffb73480000	0x7ffb735bdfff	Memory Mapped File	Readable, Writable, Executable
rpcrt4.dll	0x7ffb73a30000	0x7ffb73b70fff	Memory Mapped File	Readable, Writable, Executable
user32.dll	0x7ffb73e90000	0x7ffb74006fff	Memory Mapped File	Readable, Writable, Executable
ntdll.dll	0x7ffb74120000	0x7ffb742cbfff	Memory Mapped File	Readable, Writable, Executable

Host Behavior

File (57)

Operation	Filename	Additional Information	Amount	Logfile
CREATE			11	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\winsxs\manifests\amd64_microsoft.windows.systemcompatible_6595b64144ccf1df_6.0.9600.16384_none_69e3a25fa94e130a.manifest	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\winsxs\manifests\amd64_microsoft.windows.isolationautomation_6595b64144ccf1df_1.0.0.0_none_ee2620cf57bc84de.manifest	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	2	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\winsxs\manifests\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.9600.17415_none_932b3b5547500489.manifest	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	2	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\winsxs\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_5.82.9600.17415_none_34aa3313958e7a52.manifest	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	2	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\winsxs\manifests\amd64_microsoft.windows.i..utomation.proxystub_6595b64144ccf1df_1.0.9600.17415_none_bd4349237a1100f7.manifest	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	2	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\winsxs\manifests\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.9600.16384_en-us_4ab3da74c23648d7.manifest	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	2	Fn
READ			18	Fn
READ	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\winsxs\manifests\amd64_microsoft.windows.systemcompatible_6595b64144ccf1df_6.0.9600.16384_none_69e3a25fa94e130a.manifest	size = 4095	1	Fn Data
READ	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\winsxs\manifests\amd64_microsoft.windows.systemcompatible_6595b64144ccf1df_6.0.9600.16384_none_69e3a25fa94e130a.manifest	size = 8180	1	Fn
READ	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\winsxs\manifests\amd64_microsoft.windows.isolationautomation_6595b64144ccf1df_1.0.0.0_none_ee2620cf57bc84de.manifest	size = 2	1	Fn Data
READ	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\winsxs\manifests\amd64_microsoft.windows.isolationautomation_6595b64144ccf1df_1.0.0.0_none_ee2620cf57bc84de.manifest	size = 4095	1	Fn Data
READ	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\winsxs\manifests\amd64_microsoft.windows.isolationautomation_6595b64144ccf1df_1.0.0.0_none_ee2620cf57bc84de.manifest	size = 8180	1	Fn
READ	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\winsxs\manifests\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.9600.17415_none_932b3b5547500489.manifest	size = 2	1	Fn Data
READ	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\winsxs\manifests\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.9600.17415_none_932b3b5547500489.manifest	size = 4095	1	Fn Data
READ	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\winsxs\manifests\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.9600.17415_none_932b3b5547500489.manifest	size = 8180	1	Fn
READ	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\winsxs\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_5.82.9600.17415_none_34aa3313958e7a52.manifest	size = 2	1	Fn Data
READ	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\winsxs\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_5.82.9600.17415_none_34aa3313958e7a52.manifest	size = 4095	1	Fn Data
READ	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\winsxs\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_5.82.9600.17415_none_34aa3313958e7a52.manifest	size = 8180	1	Fn
READ	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\winsxs\manifests\amd64_microsoft.windows.i..utomation.proxystub_6595b64144ccf1df_1.0.9600.17415_none_bd4349237a1100f7.manifest	size = 2	1	Fn Data
READ	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\winsxs\manifests\amd64_microsoft.windows.i..utomation.proxystub_6595b64144ccf1df_1.0.9600.17415_none_bd4349237a1100f7.manifest	size = 4095	1	Fn Data
READ	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\winsxs\manifests\amd64_microsoft.windows.i..utomation.proxystub_6595b64144ccf1df_1.0.9600.17415_none_bd4349237a1100f7.manifest	size = 8180	1	Fn
READ	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\winsxs\manifests\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.9600.16384_en-us_4ab3da74c23648d7.manifest	size = 2	1	Fn Data
READ	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\winsxs\manifests\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.9600.16384_en-us_4ab3da74c23648d7.manifest	size = 4095	1	Fn Data
READ	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\winsxs\manifests\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.9600.16384_en-us_4ab3da74c23648d7.manifest	size = 8180	1	Fn

Process (17)

Operation	Process Name	Additional Information	Success	Amount	Logfile
GET_INFO	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe	os_pid = 0x134		7	Fn
GET_INFO	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe	os_pid = 0x134		10	Fn

Module (26)

Operation	Module	Additional Information	Amount	Logfile
GET_HANDLE	csrsrv.dll		1	Fn
CREATE_MAPPING	Nameless FileMapping		5	Fn
CREATE_MAPPING	Nameless FileMapping	maximum_size = 298550618448, protection = PAGE_READWRITE	1	Fn
CREATE_MAPPING	Nameless FileMapping	maximum_size = 298550618992, protection = PAGE_READWRITE	1	Fn
CREATE_MAPPING	Nameless FileMapping	maximum_size = 298548457472, protection = PAGE_READWRITE	2	Fn
CREATE_MAPPING	Nameless FileMapping	maximum_size = 298548458592, protection = PAGE_READWRITE	1	Fn
MAP	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe	os_pid = 0x134, address = 0x4584630000	3	Fn
MAP	Nameless FileMapping	process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134, address = 0x4584630000	1	Fn
MAP	Nameless FileMapping	process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134, address = 0x4584630000	2	Fn
MAP	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe	os_pid = 0x134, address = 0x4584690000	1	Fn
MAP	Nameless FileMapping	process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134, address = 0x4584690000	1	Fn
MAP	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe	os_pid = 0x134, address = 0x45846b0000	1	Fn
MAP	Nameless FileMapping	process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134, address = 0x45846b0000	1	Fn
UNMAP	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe	os_pid = 0x134	5	Fn

Registry (131)

Operation	Key	Additional Information	Amount	Logfile
OPEN_KEY	\Registry\Machine\System\CurrentControlSet\Control\Terminal Server		1	Fn
OPEN_KEY	\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize		1	Fn
OPEN_KEY			66	Fn
OPEN_KEY			48	Fn
READ_VALUE	\Registry\Machine\System\CurrentControlSet\Control\Terminal Server	value_name = TSAppCompat	1	Fn
READ_VALUE	\Registry\Machine\System\CurrentControlSet\Control\Terminal Server	value_name = TSUserEnabled	1	Fn
READ_VALUE	\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize	value_name = DisableMetaFiles	1	Fn
READ_VALUE			6	Fn
READ_VALUE		value_name = 298550616872	1	Fn
READ_VALUE		value_name = 298550613992	5	Fn

Driver (2)

Operation	Driver	Additional Information	Success	Amount	Logfile
CONTROL				1	Fn
CONTROL		control_code = 0x390008		1	Fn

System (24)

Operation	Information	Amount	Logfile
GET_INFO	type = SYSTEM_CURRENT_TIME_ZONE_INFORMATION	1	Fn
GET_INFO	type = SYSTEM_BASIC_INFORMATION	13	Fn
GET_INFO	type = SYSTEM_PROCESSOR_INFORMATION	10	Fn

Mutex (1)

Operation	Name	Additional Information	Success	Amount	Logfile
CREATE		initial_owner = 0, desired_access = MUTEX_MODIFY_STATE, DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE		1	Fn

Process #6: smss.exe

Information	Value
ID / OS PID	#6 / 0x15c
OS Parent PID	0xec (c:\windows\system32\smss.exe)
Initial Working Directory	X:\windows
File Name	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\smss.exe
Command Line	\SystemRoot\System32\smss.exe 00000001 00000050
Monitor	Start Time: 00:01:33, Reason: Child Process
Unmonitor	End Time: 00:01:34, Reason: Terminated
Monitor Duration	00:00:01
OS Thread IDs	#49 0x160
Remarks	No high level activity detected in monitored regions

Region

Name	Start VA	End VA	Type	Permissions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable
private_0x000000ae85eb0000	0xae85eb0000	0xae85ecffff	Private Memory	Readable, Writable
pagefile_0x000000ae85ed0000	0xae85ed0000	0xae85edefff	Pagefile Backed File	Readable
private_0x000000ae85ee0000	0xae85ee0000	0xae85f5ffff	Private Memory	Readable, Writable
pagefile_0x00007ff6ff790000	0x7ff6ff790000	0x7ff6ff7b2fff	Pagefile Backed File	Readable
private_0x00007ff6ff7bd000	0x7ff6ff7bd000	0x7ff6ff7bdfff	Private Memory	Readable, Writable
private_0x00007ff6ff7be000	0x7ff6ff7be000	0x7ff6ff7bffff	Private Memory	Readable, Writable
smss.exe	0x7ff6ff8f0000	0x7ff6ff914fff	Memory Mapped File	Readable, Writable, Executable
ntdll.dll	0x7ffb74120000	0x7ffb742cbfff	Memory Mapped File	Readable, Writable, Executable

Process #7: wininit.exe

(Host: 447, Network: 0)

Information	Value
ID / OS PID	#7 / 0x164
OS Parent PID	0x12c (\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\smss.exe)
Initial Working Directory	X:\windows\system32
File Name	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\wininit.exe
Command Line	wininit.exe
Monitor	Start Time: 00:01:33, Reason: Child Process
Unmonitor	End Time: 00:02:07, Reason: Terminated by Timeout
Monitor Duration	00:00:34
OS Thread IDs	#50 0x168 #59 0x18C #62 0x19C #65 0x1BC

Region

Name	Start VA	End VA	Type	Permissions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable
private_0x0000005ebd140000	0x5ebd140000	0x5ebd15ffff	Private Memory	Readable, Writable
pagefile_0x0000005ebd140000	0x5ebd140000	0x5ebd14ffff	Pagefile Backed File	Readable, Writable
private_0x0000005ebd150000	0x5ebd150000	0x5ebd156fff	Private Memory	Readable, Writable
pagefile_0x0000005ebd160000	0x5ebd160000	0x5ebd16efff	Pagefile Backed File	Readable
private_0x0000005ebd170000	0x5ebd170000	0x5ebd1effff	Private Memory	Readable, Writable
private_0x0000005ebd1f0000	0x5ebd1f0000	0x5ebd1f6fff	Private Memory	Readable, Writable
wininit.exe.mui	0x5ebd200000	0x5ebd201fff	Memory Mapped File	Readable
USER32.dll.mui	0x5ebd200000	0x5ebd204fff	Memory Mapped File	Readable
private_0x0000005ebd210000	0x5ebd210000	0x5ebd210fff	Private Memory	Readable, Writable
private_0x0000005ebd220000	0x5ebd220000	0x5ebd220fff	Private Memory	Readable, Writable
USER32.dll.mui	0x5ebd240000	0x5ebd244fff	Memory Mapped File	Readable
private_0x0000005ebd260000	0x5ebd260000	0x5ebd35ffff	Private Memory	Readable, Writable
locale.nls	0x5ebd360000	0x5ebd3ddfff	Memory Mapped File	Readable
private_0x0000005ebd3e0000	0x5ebd3e0000	0x5ebd45ffff	Private Memory	Readable, Writable
private_0x0000005ebd460000	0x5ebd460000	0x5ebd4dffff	Private Memory	Readable, Writable
pagefile_0x0000005ebd4e0000	0x5ebd4e0000	0x5ebd50ffff	Pagefile Backed File	Readable
private_0x0000005ebd510000	0x5ebd510000	0x5ebd51ffff	Private Memory	Readable, Writable
private_0x0000005ebd560000	0x5ebd560000	0x5ebd56ffff	Private Memory	Readable, Writable
pagefile_0x0000005ebd570000	0x5ebd570000	0x5ebd6f7fff	Pagefile Backed File	Readable
pagefile_0x0000005ebd700000	0x5ebd700000	0x5ebd880fff	Pagefile Backed File	Readable
sortdefault.nls	0x5ebd890000	0x5ebdb64fff	Memory Mapped File	Readable
private_0x0000005ebdb70000	0x5ebdb70000	0x5ebdbeffff	Private Memory	Readable, Writable
pagefile_0x00007df5ffd90000	0x7df5ffd90000	0x7ff5ffd8ffff	Pagefile Backed File	-
pagefile_0x00007df5ffd90000	0x7df5ffd90000	0x7ff5ffd8ffff	Pagefile Backed File	-
pagefile_0x00007ff73ef70000	0x7ff73ef70000	0x7ff73f06ffff	Pagefile Backed File	Readable
pagefile_0x00007ff73f070000	0x7ff73f070000	0x7ff73f092fff	Pagefile Backed File	Readable
private_0x00007ff73f096000	0x7ff73f096000	0x7ff73f097fff	Private Memory	Readable, Writable
private_0x00007ff73f098000	0x7ff73f098000	0x7ff73f099fff	Private Memory	Readable, Writable
private_0x00007ff73f09a000	0x7ff73f09a000	0x7ff73f09bfff	Private Memory	Readable, Writable
private_0x00007ff73f09c000	0x7ff73f09c000	0x7ff73f09dfff	Private Memory	Readable, Writable
private_0x00007ff73f09e000	0x7ff73f09e000	0x7ff73f09efff	Private Memory	Readable, Writable
wininit.exe	0x7ff73f3b0000	0x7ff73f3d7fff	Memory Mapped File	Readable, Writable, Executable
KBDUS.DLL	0x7ffb71690000	0x7ffb71693fff	Memory Mapped File	Readable, Writable, Executable
KBDUS.DLL	0x7ffb71690000	0x7ffb71693fff	Memory Mapped File	Readable, Writable, Executable
wininitext.dll	0x7ffb716a0000	0x7ffb716aafff	Memory Mapped File	Readable, Writable, Executable
profapi.dll	0x7ffb716b0000	0x7ffb716c4fff	Memory Mapped File	Readable, Writable, Executable
kernelbase.dll	0x7ffb71760000	0x7ffb71874fff	Memory Mapped File	Readable, Writable, Executable
gdi32.dll	0x7ffb71ad0000	0x7ffb71c20fff	Memory Mapped File	Readable, Writable, Executable
WS2_32.dll	0x7ffb73360000	0x7ffb733b9fff	Memory Mapped File	Readable, Writable, Executable
sechost.dll	0x7ffb733c0000	0x7ffb73418fff	Memory Mapped File	Readable, Writable, Executable
kernel32.dll	0x7ffb73480000	0x7ffb735bdfff	Memory Mapped File	Readable, Writable, Executable
advapi32.dll	0x7ffb73690000	0x7ffb73739fff	Memory Mapped File	Readable, Writable, Executable
rpcrt4.dll	0x7ffb73a30000	0x7ffb73b70fff	Memory Mapped File	Readable, Writable, Executable
NSI.dll	0x7ffb73e80000	0x7ffb73e88fff	Memory Mapped File	Readable, Writable, Executable
user32.dll	0x7ffb73e90000	0x7ffb74006fff	Memory Mapped File	Readable, Writable, Executable
MSVCRT.dll	0x7ffb74050000	0x7ffb740f9fff	Memory Mapped File	Readable, Writable, Executable
ntdll.dll	0x7ffb74120000	0x7ffb742cbfff	Memory Mapped File	Readable, Writable, Executable

Host Behavior

File (9)

Operation	Filename	Additional Information	Amount	Logfile
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\temp	desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\kbdus.dll	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	2	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\globalization\sorting\sortdefault.nls	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	1	Fn
CREATE_DIR			1	Fn
OPEN	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\fonts\segoeuib.ttf	desired_access = FILE_READ_DATA, SYNCHRONIZE, share_mode = FILE_SHARE_READ, open_options = FILE_SYNCHRONOUS_IO_NONALERT	1	Fn
OPEN	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\fonts\segoeui.ttf	desired_access = FILE_READ_DATA, SYNCHRONIZE, share_mode = FILE_SHARE_READ, open_options = FILE_SYNCHRONOUS_IO_NONALERT	1	Fn
OPEN	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\fonts\tahoma.ttf	desired_access = FILE_READ_DATA, SYNCHRONIZE, share_mode = FILE_SHARE_READ, open_options = FILE_SYNCHRONOUS_IO_NONALERT	1	Fn
OPEN	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\fonts\micross.ttf	desired_access = FILE_READ_DATA, SYNCHRONIZE, share_mode = FILE_SHARE_READ, open_options = FILE_SYNCHRONOUS_IO_NONALERT	1	Fn

Process (108)

Operation	Process Name	Additional Information	Amount	Logfile
CREATE			2	Fn
CREATE		desired_access = MAXIMUM_ALLOWED, creation_flags = CREATE_IDLE_PRIORITY_CLASS, CREATE_NEW_PROCESS_GROUP	1	Fn
CREATE		desired_access = MAXIMUM_ALLOWED, creation_flags = CREATE_NEW_PROCESS_GROUP	1	Fn
OPEN_TOKEN			1	Fn
GET_INFO	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe	os_pid = 0x134	1	Fn
GET_INFO	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe	os_pid = 0x134	1	Fn
GET_INFO	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe	os_pid = 0x134	3	Fn
GET_INFO	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe	os_pid = 0x134	86	Fn
GET_INFO	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe	os_pid = 0x134	1	Fn
GET_INFO	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe	os_pid = 0x134	5	Fn
GET_INFO			2	Fn
GET_INFO	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe	os_pid = 0x134	1	Fn
GET_INFO	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe	os_pid = 0x134	3	Fn

Memory (3)

Operation	Address	Additional Information	Amount	Logfile
ALLOC	0x5ebd1eeb78	process_name = , size = 406899846360, allocation_type = MEM_COMMIT, protection = PAGE_READWRITE	1	Fn
WRITE	0x6b29b00000	process_name = , size = 4704	1	Fn Data
WRITE	0x7ff676b272d8	process_name = , size = 8	1	Fn Data

Thread (4)

Operation	Process Name	Additional Information	Success	Amount	Logfile
CREATE_WORKITEM				2	Fn
RESUME				2	Fn

Module (19)

Operation	Module	Additional Information	Amount	Logfile
LOAD	rpcrt4.dll	base_address = 0x0	1	Fn
LOAD	KBDUS.DLL	base_address = 0x0	2	Fn
LOAD	kernel32.dll	base_address = 0x0	1	Fn
GET_HANDLE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\wininit.exe		1	Fn
CREATE_MAPPING	Nameless FileMapping	file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\fonts\segoeuib.ttf, maximum_size = 0, protection = PAGE_READONLY	1	Fn
CREATE_MAPPING	Nameless FileMapping	file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\fonts\segoeui.ttf, maximum_size = 0, protection = PAGE_READONLY	1	Fn
CREATE_MAPPING	Nameless FileMapping	file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\fonts\tahoma.ttf, maximum_size = 0, protection = PAGE_READONLY	1	Fn
CREATE_MAPPING	Nameless FileMapping	file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\fonts\micross.ttf, maximum_size = 0, protection = PAGE_READONLY	1	Fn
CREATE_MAPPING	Nameless FileMapping	file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\globalization\sorting\sortdefault.nls, maximum_size = 0, protection = PAGE_READONLY	1	Fn
MAP	Nameless FileMapping	process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134, address = 0x5ebd890000	1	Fn
MAP	Nameless FileMapping	process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134, address = 0x5ebd890000	1	Fn
MAP	Nameless FileMapping	process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134, address = 0x5ebd890000	1	Fn
MAP	Nameless FileMapping	process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134, address = 0x5ebd890000	1	Fn
MAP	Nameless FileMapping	process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134, address = 0x5ebd890000	1	Fn
UNMAP	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe	os_pid = 0x134, base_address = 0x5ebd890000	4	Fn

Service (9)

Operation	Service	Additional Information	Amount	Logfile
OPEN_MGR	SERVICES_ACTIVE_DATABASE	host = Localhost	3	Fn
OPEN			3	Fn
GET_INFO		type = Status	3	Fn

Registry (275)

Operation	Key	Additional Information	Amount	Logfile
OPEN_KEY	\Registry\Machine\System\CurrentControlSet\Control\Nls\Sorting\Versions		1	Fn
OPEN_KEY			7	Fn
OPEN_KEY	\Registry\Machine\System\CurrentControlSet\Control\ComputerName\ActiveComputerName		4	Fn
OPEN_KEY	\Registry\Machine\System\CurrentControlSet\Control\ComputerName\ComputerName		4	Fn
OPEN_KEY	\Registry\Machine\System\Setup		3	Fn
OPEN_KEY			18	Fn
OPEN_KEY	\Registry\Machine\System\CurrentControlSet\Control\Error Message Instrument\		1	Fn
OPEN_KEY	\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize		1	Fn
OPEN_KEY	Keyboard Layout\Preload		1	Fn
OPEN_KEY	\Registry\Machine\System\CurrentControlSet\Control\Keyboard Layouts\00000409		2	Fn
OPEN_KEY	\Registry\Machine\Software\Microsoft\Windows\Windows Error Reporting\WMR		1	Fn
OPEN_KEY	\Registry\Machine\Software\Microsoft\Windows\Windows Error Reporting\WMR\Control Panel\International		1	Fn
OPEN_KEY	\Registry\Machine\System\CurrentControlSet\Control\Nls\CustomLocale		1	Fn
OPEN_KEY	\Registry\Machine\System\CurrentControlSet\Control\Nls\ExtendedLocale		1	Fn
OPEN_KEY	\Registry\Machine\System\CurrentControlSet\Control\Nls\Locale		1	Fn
OPEN_KEY	\Registry\Machine\System\CurrentControlSet\Control\Nls\Locale\Alternate Sorts		1	Fn
OPEN_KEY	\Registry\Machine\System\CurrentControlSet\Control\Nls\Language Groups		1	Fn
OPEN_KEY	Control Panel\Input Method\Hot Keys		2	Fn
OPEN_KEY	Control Panel\Input Method\Hot Keys\00000010		2	Fn
OPEN_KEY	Control Panel\Input Method\Hot Keys\00000011		2	Fn
OPEN_KEY	Control Panel\Input Method\Hot Keys\00000012		2	Fn
OPEN_KEY	Control Panel\Input Method\Hot Keys\00000070		2	Fn
OPEN_KEY	Control Panel\Input Method\Hot Keys\00000071		2	Fn
OPEN_KEY	Control Panel\Input Method\Hot Keys\00000072		2	Fn
OPEN_KEY	Control Panel\Input Method\Hot Keys\00000104		2	Fn
OPEN_KEY	Control Panel\Input Method\Hot Keys\00000200		2	Fn
OPEN_KEY	Control Panel\Input Method\Hot Keys\00000201		2	Fn
OPEN_KEY	Control Panel\Input Method\Hot Keys\00000202		2	Fn
OPEN_KEY	Control Panel\Input Method\Hot Keys\00000203		2	Fn
OPEN_KEY	\REGISTRY\USER\S-1-5-18		4	Fn
OPEN_KEY	\REGISTRY\USER\S-1-5-18\Keyboard Layout\Preload		3	Fn
OPEN_KEY	\REGISTRY\USER\S-1-5-18\Keyboard Layout\Preload\Keyboard Layout\Preload		1	Fn
OPEN_KEY	\REGISTRY\USER\S-1-5-18\Keyboard Layout\Substitutes		1	Fn
OPEN_KEY	\Registry\Machine\System\CurrentControlSet\Control\Nls\Sorting\Ids		1	Fn
OPEN_KEY	\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager\AppCertDlls		1	Fn
OPEN_KEY	\Registry\MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide		2	Fn
OPEN_KEY	\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option		1	Fn
READ_VALUE	\Registry\Machine\System\CurrentControlSet\Control\Nls\Sorting\Versions	value_name = 406899844400	1	Fn
READ_VALUE	\Registry\Machine\System\CurrentControlSet\Control\ComputerName\ComputerName	value_name = ComputerName	4	Fn
READ_VALUE	\Registry\Machine\System\Setup	value_name = OOBEInProgress	1	Fn
READ_VALUE	\Registry\Machine\System\Setup	value_name = SystemSetupInProgress	1	Fn
READ_VALUE			11	Fn
READ_VALUE	\Registry\Machine\System\Setup	value_name = NV Hostname	1	Fn
READ_VALUE	\Registry\Machine\System\Setup	value_name = NV Domain	1	Fn
READ_VALUE			17	Fn
READ_VALUE	\Registry\Machine\System\Setup	value_name = Respecialize	1	Fn
READ_VALUE	\Registry\Machine\System\Setup	value_name = SetupType	1	Fn
READ_VALUE	\Registry\Machine\System\Setup	value_name = DisableLockWorkstation	1	Fn
READ_VALUE	\Registry\Machine\System\Setup	value_name = ProfileImagePath	2	Fn
READ_VALUE	\Registry\Machine\System\Setup	value_name = Public	2	Fn
READ_VALUE	\Registry\Machine\System\Setup	value_name = ProgramData	2	Fn
READ_VALUE	\Registry\Machine\System\Setup	value_name = MaxRpcSize	1	Fn
READ_VALUE		value_name = IdleTimerWindow	1	Fn
READ_VALUE	\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize	value_name = DisableMetaFiles	1	Fn
READ_VALUE		value_name = LoadAppInit_DLLs	2	Fn
READ_VALUE		value_name = Respecialize	1	Fn
READ_VALUE		value_name = SetupType	1	Fn
READ_VALUE	Keyboard Layout\Preload	value_name = 1	1	Fn
READ_VALUE	\Registry\Machine\System\CurrentControlSet\Control\Keyboard Layouts\00000409	value_name = Layout File	2	Fn
READ_VALUE	\Registry\Machine\System\CurrentControlSet\Control\Keyboard Layouts\00000409	value_name = Attributes	2	Fn
READ_VALUE	\Registry\Machine\Software\Microsoft\Windows\Windows Error Reporting\WMR	value_name = Disable	1	Fn
READ_VALUE	\Registry\Machine\Software\Microsoft\Windows\Windows Error Reporting\WMR\Control Panel\International		1	Fn
READ_VALUE	\Registry\Machine\Software\Microsoft\Windows\Windows Error Reporting\WMR\Control Panel\International		1	Fn
READ_VALUE	\Registry\Machine\Software\Microsoft\Windows\Windows Error Reporting\WMR\Control Panel\International	value_name = sCurrencyOverride	1	Fn
READ_VALUE	\Registry\Machine\System\CurrentControlSet\Control\Nls\CustomLocale	value_name = en-US	1	Fn
READ_VALUE	\Registry\Machine\System\CurrentControlSet\Control\Nls\ExtendedLocale	value_name = en-US	1	Fn
READ_VALUE	\Registry\Machine\System\CurrentControlSet\Control\Nls\Locale	value_name = 00000409	1	Fn
READ_VALUE	\Registry\Machine\System\CurrentControlSet\Control\Nls\Language Groups	value_name = 1	1	Fn
READ_VALUE	Control Panel\Input Method\Hot Keys\00000010	value_name = Virtual Key	2	Fn
READ_VALUE	Control Panel\Input Method\Hot Keys\00000010	value_name = Key Modifiers	2	Fn
READ_VALUE	Control Panel\Input Method\Hot Keys\00000010	value_name = Target IME	2	Fn
READ_VALUE	Control Panel\Input Method\Hot Keys\00000011	value_name = Virtual Key	2	Fn
READ_VALUE	Control Panel\Input Method\Hot Keys\00000011	value_name = Key Modifiers	2	Fn
READ_VALUE	Control Panel\Input Method\Hot Keys\00000011	value_name = Target IME	2	Fn
READ_VALUE	Control Panel\Input Method\Hot Keys\00000012	value_name = Virtual Key	2	Fn
READ_VALUE	Control Panel\Input Method\Hot Keys\00000012	value_name = Key Modifiers	2	Fn
READ_VALUE	Control Panel\Input Method\Hot Keys\00000012	value_name = Target IME	2	Fn
READ_VALUE	Control Panel\Input Method\Hot Keys\00000070	value_name = Virtual Key	2	Fn
READ_VALUE	Control Panel\Input Method\Hot Keys\00000070	value_name = Key Modifiers	2	Fn
READ_VALUE	Control Panel\Input Method\Hot Keys\00000070	value_name = Target IME	2	Fn
READ_VALUE	Control Panel\Input Method\Hot Keys\00000071	value_name = Virtual Key	2	Fn
READ_VALUE	Control Panel\Input Method\Hot Keys\00000071	value_name = Key Modifiers	2	Fn
READ_VALUE	Control Panel\Input Method\Hot Keys\00000071	value_name = Target IME	2	Fn
READ_VALUE	Control Panel\Input Method\Hot Keys\00000072	value_name = Virtual Key	2	Fn
READ_VALUE	Control Panel\Input Method\Hot Keys\00000072	value_name = Key Modifiers	2	Fn
READ_VALUE	Control Panel\Input Method\Hot Keys\00000072	value_name = Target IME	2	Fn
READ_VALUE	Control Panel\Input Method\Hot Keys\00000104	value_name = Virtual Key	2	Fn
READ_VALUE	Control Panel\Input Method\Hot Keys\00000104	value_name = Key Modifiers	2	Fn
READ_VALUE	Control Panel\Input Method\Hot Keys\00000104	value_name = Target IME	2	Fn
READ_VALUE	Control Panel\Input Method\Hot Keys\00000200	value_name = Virtual Key	2	Fn
READ_VALUE	Control Panel\Input Method\Hot Keys\00000200	value_name = Key Modifiers	2	Fn
READ_VALUE	Control Panel\Input Method\Hot Keys\00000200	value_name = Target IME	2	Fn
READ_VALUE	Control Panel\Input Method\Hot Keys\00000201	value_name = Virtual Key	2	Fn
READ_VALUE	Control Panel\Input Method\Hot Keys\00000201	value_name = Key Modifiers	2	Fn
READ_VALUE	Control Panel\Input Method\Hot Keys\00000201	value_name = Target IME	2	Fn
READ_VALUE	Control Panel\Input Method\Hot Keys\00000202	value_name = Virtual Key	2	Fn
READ_VALUE	Control Panel\Input Method\Hot Keys\00000202	value_name = Key Modifiers	2	Fn
READ_VALUE	Control Panel\Input Method\Hot Keys\00000202	value_name = Target IME	2	Fn
READ_VALUE	Control Panel\Input Method\Hot Keys\00000203	value_name = Virtual Key	2	Fn
READ_VALUE	Control Panel\Input Method\Hot Keys\00000203	value_name = Key Modifiers	2	Fn
READ_VALUE	Control Panel\Input Method\Hot Keys\00000203	value_name = Target IME	2	Fn
READ_VALUE	\REGISTRY\USER\S-1-5-18\Keyboard Layout\Preload	value_name = 1	1	Fn
READ_VALUE	\REGISTRY\USER\S-1-5-18\Keyboard Layout\Preload	value_name = 1	1	Fn
READ_VALUE	\REGISTRY\USER\S-1-5-18\Keyboard Layout\Preload	value_name = 2	2	Fn
READ_VALUE	\REGISTRY\USER\S-1-5-18\Keyboard Layout\Preload\Keyboard Layout\Preload	value_name = 1	1	Fn
READ_VALUE	\REGISTRY\USER\S-1-5-18\Keyboard Layout\Substitutes	value_name = 00000409	1	Fn
READ_VALUE		value_name = SecureBoot	1	Fn
READ_VALUE	\REGISTRY\USER\S-1-5-18\Keyboard Layout\Preload	value_name = DisableShutdownNamedPipe	1	Fn
READ_VALUE	\Registry\Machine\System\CurrentControlSet\Control\Nls\Sorting\Versions	value_name = 000602xx	1	Fn
READ_VALUE	\Registry\Machine\System\CurrentControlSet\Control\Nls\Sorting\Ids	value_name = en-US	1	Fn
READ_VALUE	\Registry\Machine\System\CurrentControlSet\Control\Nls\Sorting\Ids	value_name = en	1	Fn
READ_VALUE	\Registry\Machine\System\CurrentControlSet\Control\ComputerName\ComputerName	value_name = ProgramFilesDir	1	Fn
READ_VALUE	\Registry\Machine\System\CurrentControlSet\Control\ComputerName\ComputerName	value_name = CommonFilesDir	1	Fn
READ_VALUE	\Registry\Machine\System\CurrentControlSet\Control\ComputerName\ComputerName	value_name = ProgramFilesDir (x86)	1	Fn
READ_VALUE	\Registry\Machine\System\CurrentControlSet\Control\ComputerName\ComputerName	value_name = CommonFilesDir (x86)	1	Fn
READ_VALUE	\Registry\Machine\System\CurrentControlSet\Control\ComputerName\ComputerName	value_name = ProgramW6432Dir	1	Fn
READ_VALUE	\Registry\Machine\System\CurrentControlSet\Control\ComputerName\ComputerName	value_name = CommonW6432Dir	1	Fn
READ_VALUE	\Registry\Machine\System\CurrentControlSet\Control\ComputerName\ComputerName	value_name = DontWatchSysProcs	1	Fn
READ_VALUE	\Registry\MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide	value_name = PreferExternalManifest	2	Fn
READ_VALUE		value_name = ShutdownEventPending	1	Fn
READ_VALUE		value_name = ShutdownStateSnapshot	1	Fn
READ_VALUE		value_name = RunasPPL	1	Fn
READ_VALUE		value_name = RunasPPLTest	1	Fn
READ_VALUE	\Registry\Machine\System\Setup	value_name = 140717948767312	1	Fn
READ_VALUE		value_name = DisableRemoteShutdownRPCInterface	1	Fn
READ_VALUE	\Registry\MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide	value_name = SQMServiceList	1	Fn
READ_VALUE	\Registry\MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide	value_name = WinSock_Registry_Version	2	Fn
READ_VALUE		value_name = AppFullPath	2	Fn
READ_VALUE		value_name = PermittedLspCategories	1	Fn
READ_VALUE	\Registry\MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide	value_name = NameSpace_Callout	2	Fn
READ_VALUE		value_name = Serial_Access_Num	4	Fn
READ_VALUE		value_name = Next_Catalog_Entry_ID	1	Fn
READ_VALUE		value_name = Num_Catalog_Entries64	2	Fn
READ_VALUE		value_name = LibraryPath	2	Fn
READ_VALUE		value_name = DisplayString	4	Fn
READ_VALUE		value_name = ProviderId	1	Fn
READ_VALUE		value_name = AddressFamily	1	Fn
READ_VALUE		value_name = SupportedNameSpace	1	Fn
READ_VALUE		value_name = Enabled	1	Fn
READ_VALUE		value_name = Version	1	Fn
READ_VALUE		value_name = StoresServiceClassInfo	1	Fn
READ_VALUE		value_name = ProviderInfo	2	Fn
READ_VALUE	\Registry\MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide	value_name = Ws2_32NumHandleBuckets	1	Fn

Driver (1)

Operation	Driver	Additional Information	Success	Amount	Logfile
CONTROL	Control Panel\Input Method\Hot Keys	control_code = 0x110008		1	Fn

System (19)

Operation	Information	Amount	Logfile
CREATE_DESKTOP		2	Fn
SWITCH_DESKTOP		1	Fn
SLEEP		3	Fn
SLEEP	duration = 406902929056 milliseconds (406902929.056 seconds)	1	Fn
SLEEP	duration = 406902403200 milliseconds (406902403.200 seconds)	1	Fn
SLEEP		1	Fn
SLEEP	duration = 406902929136 milliseconds (406902929.136 seconds)	1	Fn
SLEEP	duration = 406902929168 milliseconds (406902929.168 seconds)	1	Fn
GET_INFO	type = SYSTEM_CURRENT_TIME_ZONE_INFORMATION	1	Fn
GET_INFO	type = SYSTEM_BASIC_INFORMATION	5	Fn
GET_INFO		1	Fn
GET_INFO	type = SYSTEM_PROCESSOR_INFORMATION	1	Fn

Process #8: csrss.exe

(Host: 590, Network: 0)

Information	Value
ID / OS PID	#8 / 0x16c
OS Parent PID	0x15c (c:\windows\winstore\wshost.exe)
Initial Working Directory	X:\windows\system32
File Name	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe
Command Line	%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
Monitor	Start Time: 00:01:33, Reason: Child Process
Unmonitor	End Time: 00:02:07, Reason: Terminated by Timeout
Monitor Duration	00:00:34
OS Thread IDs	#51 0x170 #52 0x174 #53 0x178 #54 0x17C #55 0x180 #56 0x184 #81 0x1E8 #84 0x1F8 #85 0x1FC #88 0x204 #113 0x268

Region

Name	Start VA	End VA	Type	Permissions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable
private_0x000000d9c9ed0000	0xd9c9ed0000	0xd9c9eeffff	Private Memory	Readable, Writable
private_0x000000d9c9ed0000	0xd9c9ed0000	0xd9c9ed6fff	Private Memory	Readable, Writable
csrss.exe.mui	0xd9c9ee0000	0xd9c9ee0fff	Memory Mapped File	Readable
pagefile_0x000000d9c9ef0000	0xd9c9ef0000	0xd9c9efefff	Pagefile Backed File	Readable
private_0x000000d9c9f00000	0xd9c9f00000	0xd9c9f3ffff	Private Memory	Readable, Writable
pagefile_0x000000d9c9f00000	0xd9c9f00000	0xd9c9f0ffff	Pagefile Backed File	Readable, Writable
MARLETT.TTF	0xd9c9f10000	0xd9c9f16fff	Memory Mapped File	Readable
pagefile_0x000000d9c9f20000	0xd9c9f20000	0xd9c9f37fff	Pagefile Backed File	Readable
locale.nls	0xd9c9f40000	0xd9c9fbdfff	Memory Mapped File	Readable
winsrv.DLL.mui	0xd9c9fc0000	0xd9c9fc1fff	Memory Mapped File	Readable
private_0x000000d9c9fd0000	0xd9c9fd0000	0xd9c9fd0fff	Private Memory	Readable, Writable
private_0x000000d9c9fe0000	0xd9c9fe0000	0xd9c9fe0fff	Private Memory	Readable, Writable
private_0x000000d9c9ff0000	0xd9c9ff0000	0xd9c9ff0fff	Private Memory	Readable, Writable
private_0x000000d9ca000000	0xd9ca000000	0xd9ca000fff	Private Memory	Readable, Writable
VGASYS.FON	0xd9ca010000	0xd9ca011fff	Memory Mapped File	Readable
private_0x000000d9ca020000	0xd9ca020000	0xd9ca05ffff	Private Memory	Readable, Writable
private_0x000000d9ca060000	0xd9ca060000	0xd9ca060fff	Private Memory	Readable, Writable
private_0x000000d9ca070000	0xd9ca070000	0xd9ca070fff	Private Memory	Readable, Writable
private_0x000000d9ca080000	0xd9ca080000	0xd9ca080fff	Private Memory	Readable, Writable
private_0x000000d9ca090000	0xd9ca090000	0xd9ca18ffff	Private Memory	Readable, Writable
pagefile_0x000000d9ca190000	0xd9ca190000	0xd9ca310fff	Pagefile Backed File	Readable
pagefile_0x000000d9ca320000	0xd9ca320000	0xd9ca61ffff	Pagefile Backed File	Readable, Writable
private_0x000000d9ca620000	0xd9ca620000	0xd9ca65ffff	Private Memory	Readable, Writable
private_0x000000d9ca660000	0xd9ca660000	0xd9ca69ffff	Private Memory	Readable, Writable
private_0x000000d9ca6a0000	0xd9ca6a0000	0xd9ca6dffff	Private Memory	Readable, Writable
pagefile_0x000000d9ca6e0000	0xd9ca6e0000	0xd9ca867fff	Pagefile Backed File	Readable
private_0x000000d9ca870000	0xd9ca870000	0xd9ca8affff	Private Memory	Readable, Writable
private_0x000000d9ca8b0000	0xd9ca8b0000	0xd9ca8effff	Private Memory	Readable, Writable
private_0x000000d9ca8f0000	0xd9ca8f0000	0xd9ca92ffff	Private Memory	Readable, Writable
TAHOMABD.TTF	0xd9ca930000	0xd9ca9d9fff	Memory Mapped File	Readable
TAHOMA.TTF	0xd9ca9e0000	0xd9caa96fff	Memory Mapped File	Readable
pagefile_0x000000d9caaa0000	0xd9caaa0000	0xd9caacffff	Pagefile Backed File	Readable
pagefile_0x000000d9caad0000	0xd9caad0000	0xd9cbecffff	Pagefile Backed File	Readable
private_0x000000d9cbed0000	0xd9cbed0000	0xd9cbf0ffff	Private Memory	Readable, Writable
private_0x000000d9cbf10000	0xd9cbf10000	0xd9cbf4ffff	Private Memory	Readable, Writable
pagefile_0x000000d9cbf50000	0xd9cbf50000	0xd9cbf5ffff	Pagefile Backed File	Readable, Writable
private_0x00007ff6196e8000	0x7ff6196e8000	0x7ff6196e9fff	Private Memory	Readable, Writable
private_0x00007ff6196ea000	0x7ff6196ea000	0x7ff6196ebfff	Private Memory	Readable, Writable
private_0x00007ff6196ec000	0x7ff6196ec000	0x7ff6196edfff	Private Memory	Readable, Writable
private_0x00007ff6196ee000	0x7ff6196ee000	0x7ff6196effff	Private Memory	Readable, Writable
pagefile_0x00007ff6196f0000	0x7ff6196f0000	0x7ff6197effff	Pagefile Backed File	Readable, Writable
pagefile_0x00007ff6197f0000	0x7ff6197f0000	0x7ff619812fff	Pagefile Backed File	Readable
private_0x00007ff619814000	0x7ff619814000	0x7ff619815fff	Private Memory	Readable, Writable
private_0x00007ff619816000	0x7ff619816000	0x7ff619817fff	Private Memory	Readable, Writable
private_0x00007ff619818000	0x7ff619818000	0x7ff619819fff	Private Memory	Readable, Writable
private_0x00007ff61981a000	0x7ff61981a000	0x7ff61981afff	Private Memory	Readable, Writable
private_0x00007ff61981c000	0x7ff61981c000	0x7ff61981dfff	Private Memory	Readable, Writable
private_0x00007ff61981e000	0x7ff61981e000	0x7ff61981ffff	Private Memory	Readable, Writable
private_0x00007ff61981e000	0x7ff61981e000	0x7ff61981ffff	Private Memory	Readable, Writable
csrss.exe	0x7ff61a100000	0x7ff61a106fff	Memory Mapped File	Readable, Writable, Executable
bcryptPrimitives.dll	0x7ffb71580000	0x7ffb715e2fff	Memory Mapped File	Readable, Writable, Executable
CRYPTBASE.dll	0x7ffb715f0000	0x7ffb715fafff	Memory Mapped File	Readable, Writable, Executable
sxs.dll	0x7ffb71600000	0x7ffb71698fff	Memory Mapped File	Readable, Writable, Executable
sxssrv.DLL	0x7ffb716d0000	0x7ffb716dcfff	Memory Mapped File	Readable, Writable, Executable
winsrv.DLL	0x7ffb716e0000	0x7ffb71713fff	Memory Mapped File	Readable, Writable, Executable
basesrv.DLL	0x7ffb71720000	0x7ffb71732fff	Memory Mapped File	Readable, Writable, Executable
CSRSRV.dll	0x7ffb71740000	0x7ffb71755fff	Memory Mapped File	Readable, Writable, Executable
kernelbase.dll	0x7ffb71760000	0x7ffb71874fff	Memory Mapped File	Readable, Writable, Executable
gdi32.dll	0x7ffb71ad0000	0x7ffb71c20fff	Memory Mapped File	Readable, Writable, Executable
kernel32.dll	0x7ffb73480000	0x7ffb735bdfff	Memory Mapped File	Readable, Writable, Executable
rpcrt4.dll	0x7ffb73a30000	0x7ffb73b70fff	Memory Mapped File	Readable, Writable, Executable
user32.dll	0x7ffb73e90000	0x7ffb74006fff	Memory Mapped File	Readable, Writable, Executable
ntdll.dll	0x7ffb74120000	0x7ffb742cbfff	Memory Mapped File	Readable, Writable, Executable

Host Behavior

File (157)

Operation	Filename	Additional Information	Amount	Logfile
CREATE			32	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\winsxs\manifests\amd64_microsoft.windows.systemcompatible_6595b64144ccf1df_6.0.9600.16384_none_69e3a25fa94e130a.manifest	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\winsxs\manifests\amd64_microsoft.windows.isolationautomation_6595b64144ccf1df_1.0.0.0_none_ee2620cf57bc84de.manifest	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	2	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\winsxs\manifests\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.9600.17415_none_932b3b5547500489.manifest	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	2	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\winsxs\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_5.82.9600.17415_none_34aa3313958e7a52.manifest	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	2	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\winsxs\manifests\amd64_microsoft.windows.i..utomation.proxystub_6595b64144ccf1df_1.0.9600.17415_none_bd4349237a1100f7.manifest	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	2	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\winsxs\manifests\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.9600.16384_en-us_4ab3da74c23648d7.manifest	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	2	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\winsxs\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.17415_none_6240486fecbd8abb.manifest	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	10	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\winsxs\manifests\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.9600.16384_en-us_7852a861195d56f0.manifest	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	10	Fn
READ			47	Fn
READ	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\winsxs\manifests\amd64_microsoft.windows.systemcompatible_6595b64144ccf1df_6.0.9600.16384_none_69e3a25fa94e130a.manifest	size = 4095	1	Fn Data
READ	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\winsxs\manifests\amd64_microsoft.windows.systemcompatible_6595b64144ccf1df_6.0.9600.16384_none_69e3a25fa94e130a.manifest	size = 8180	1	Fn
READ	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\winsxs\manifests\amd64_microsoft.windows.isolationautomation_6595b64144ccf1df_1.0.0.0_none_ee2620cf57bc84de.manifest	size = 2	1	Fn Data
READ	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\winsxs\manifests\amd64_microsoft.windows.isolationautomation_6595b64144ccf1df_1.0.0.0_none_ee2620cf57bc84de.manifest	size = 4095	1	Fn Data
READ	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\winsxs\manifests\amd64_microsoft.windows.isolationautomation_6595b64144ccf1df_1.0.0.0_none_ee2620cf57bc84de.manifest	size = 8180	1	Fn
READ	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\winsxs\manifests\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.9600.17415_none_932b3b5547500489.manifest	size = 2	1	Fn Data
READ	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\winsxs\manifests\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.9600.17415_none_932b3b5547500489.manifest	size = 4095	1	Fn Data
READ	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\winsxs\manifests\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.9600.17415_none_932b3b5547500489.manifest	size = 8180	1	Fn
READ	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\winsxs\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_5.82.9600.17415_none_34aa3313958e7a52.manifest	size = 2	1	Fn Data
READ	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\winsxs\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_5.82.9600.17415_none_34aa3313958e7a52.manifest	size = 4095	1	Fn Data
READ	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\winsxs\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_5.82.9600.17415_none_34aa3313958e7a52.manifest	size = 8180	1	Fn
READ	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\winsxs\manifests\amd64_microsoft.windows.i..utomation.proxystub_6595b64144ccf1df_1.0.9600.17415_none_bd4349237a1100f7.manifest	size = 2	1	Fn Data
READ	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\winsxs\manifests\amd64_microsoft.windows.i..utomation.proxystub_6595b64144ccf1df_1.0.9600.17415_none_bd4349237a1100f7.manifest	size = 4095	1	Fn Data
READ	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\winsxs\manifests\amd64_microsoft.windows.i..utomation.proxystub_6595b64144ccf1df_1.0.9600.17415_none_bd4349237a1100f7.manifest	size = 8180	1	Fn
READ	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\winsxs\manifests\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.9600.16384_en-us_4ab3da74c23648d7.manifest	size = 2	1	Fn Data
READ	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\winsxs\manifests\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.9600.16384_en-us_4ab3da74c23648d7.manifest	size = 4095	1	Fn Data
READ	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\winsxs\manifests\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.9600.16384_en-us_4ab3da74c23648d7.manifest	size = 8180	1	Fn
READ	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\winsxs\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.17415_none_6240486fecbd8abb.manifest	size = 2	5	Fn Data
READ	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\winsxs\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.17415_none_6240486fecbd8abb.manifest	size = 4095	5	Fn Data
READ	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\winsxs\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.17415_none_6240486fecbd8abb.manifest	size = 8180	5	Fn
READ	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\winsxs\manifests\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.9600.16384_en-us_7852a861195d56f0.manifest	size = 2	5	Fn Data
READ	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\winsxs\manifests\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.9600.16384_en-us_7852a861195d56f0.manifest	size = 4095	5	Fn Data
READ	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\winsxs\manifests\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.9600.16384_en-us_7852a861195d56f0.manifest	size = 8180	5	Fn

Process (28)

Operation	Process Name	Additional Information	Success	Amount	Logfile
GET_INFO	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe	os_pid = 0x134		7	Fn
GET_INFO	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe	os_pid = 0x134		21	Fn

Module (31)

Operation	Module	Additional Information	Amount	Logfile
GET_HANDLE	csrsrv.dll		1	Fn
CREATE_MAPPING	Nameless FileMapping		6	Fn
CREATE_MAPPING	Nameless FileMapping	maximum_size = 935406004048, protection = PAGE_READWRITE	1	Fn
CREATE_MAPPING	Nameless FileMapping	maximum_size = 935406005712, protection = PAGE_READWRITE	2	Fn
CREATE_MAPPING	Nameless FileMapping	maximum_size = 935406004592, protection = PAGE_READWRITE	1	Fn
CREATE_MAPPING	Nameless FileMapping	maximum_size = 935403842240, protection = PAGE_READWRITE	1	Fn
CREATE_MAPPING	Nameless FileMapping	maximum_size = 935403843360, protection = PAGE_READWRITE	1	Fn
MAP	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe	os_pid = 0x16c, address = 0xd9cbf50000	1	Fn
MAP	Nameless FileMapping	process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134, address = 0xd9cbf50000	1	Fn
MAP	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe	os_pid = 0x16c, address = 0xd9cbf60000	3	Fn
MAP	Nameless FileMapping	process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134, address = 0xd9cbf60000	2	Fn
MAP	Nameless FileMapping	process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134, address = 0xd9cbf60000	1	Fn
MAP	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe	os_pid = 0x16c, address = 0xd9cbf80000	1	Fn
MAP	Nameless FileMapping	process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134, address = 0xd9cbf80000	1	Fn
MAP	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe	os_pid = 0x16c, address = 0xd9cbf90000	1	Fn
MAP	Nameless FileMapping	process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134, address = 0xd9cbf90000	1	Fn
UNMAP	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe	os_pid = 0x16c	6	Fn

Registry (325)

Operation	Key	Additional Information	Amount	Logfile
OPEN_KEY	\Registry\Machine\System\CurrentControlSet\Control\Terminal Server		1	Fn
OPEN_KEY	\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize		1	Fn
OPEN_KEY			164	Fn
OPEN_KEY			108	Fn
READ_VALUE	\Registry\Machine\System\CurrentControlSet\Control\Terminal Server	value_name = TSAppCompat	1	Fn
READ_VALUE	\Registry\Machine\System\CurrentControlSet\Control\Terminal Server	value_name = TSUserEnabled	1	Fn
READ_VALUE	\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize	value_name = DisableMetaFiles	1	Fn
READ_VALUE			24	Fn
READ_VALUE		value_name = 935406002472	1	Fn
READ_VALUE		value_name = 935405999592	5	Fn
READ_VALUE		value_name = 935406001256	4	Fn
READ_VALUE		value_name = targetNamespace	4	Fn
READ_VALUE		value_name = dpiAware	4	Fn
READ_VALUE		value_name = 935406000136	2	Fn
READ_VALUE		value_name = 935403837784	2	Fn
READ_VALUE		value_name = 935403838904	2	Fn

Driver (2)

Operation	Driver	Additional Information	Success	Amount	Logfile
CONTROL				1	Fn
CONTROL		control_code = 0x390008		1	Fn

System (46)

Operation	Information	Amount	Logfile
GET_INFO	type = SYSTEM_CURRENT_TIME_ZONE_INFORMATION	1	Fn
GET_INFO	type = SYSTEM_BASIC_INFORMATION	24	Fn
GET_INFO	type = SYSTEM_PROCESSOR_INFORMATION	21	Fn

Mutex (1)

Operation	Name	Additional Information	Success	Amount	Logfile
CREATE		initial_owner = 0, desired_access = MUTEX_MODIFY_STATE, DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE		1	Fn

Process #9: winlogon.exe

(Host: 604, Network: 0)

Information	Value
ID / OS PID	#9 / 0x194
OS Parent PID	0x15c (c:\windows\winstore\wshost.exe)
Initial Working Directory	X:\windows\system32
File Name	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\winlogon.exe
Command Line	winlogon.exe
Monitor	Start Time: 00:01:34, Reason: Child Process
Unmonitor	End Time: 00:02:07, Reason: Terminated by Timeout
Monitor Duration	00:00:33
OS Thread IDs	#67 0x198 #82 0x1EC #83 0x1F4 #114 0x270 #115 0x274

Region

Name	Start VA	End VA	Type	Permissions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable
private_0x0000009f3e8a0000	0x9f3e8a0000	0x9f3e8bffff	Private Memory	Readable, Writable
pagefile_0x0000009f3e8a0000	0x9f3e8a0000	0x9f3e8affff	Pagefile Backed File	Readable, Writable
private_0x0000009f3e8b0000	0x9f3e8b0000	0x9f3e8b6fff	Private Memory	Readable, Writable
pagefile_0x0000009f3e8c0000	0x9f3e8c0000	0x9f3e8cefff	Pagefile Backed File	Readable
private_0x0000009f3e8d0000	0x9f3e8d0000	0x9f3e94ffff	Private Memory	Readable, Writable
locale.nls	0x9f3e950000	0x9f3e9cdfff	Memory Mapped File	Readable
private_0x0000009f3e9d0000	0x9f3e9d0000	0x9f3e9d6fff	Private Memory	Readable, Writable
winlogon.exe.mui	0x9f3e9e0000	0x9f3e9e5fff	Memory Mapped File	Readable
USER32.dll.mui	0x9f3e9e0000	0x9f3e9e4fff	Memory Mapped File	Readable
private_0x0000009f3e9f0000	0x9f3e9f0000	0x9f3e9f0fff	Private Memory	Readable, Writable
private_0x0000009f3ea00000	0x9f3ea00000	0x9f3ea00fff	Private Memory	Readable, Writable
private_0x0000009f3ea10000	0x9f3ea10000	0x9f3ea16fff	Private Memory	Readable, Writable
USER32.dll.mui	0x9f3ea20000	0x9f3ea24fff	Memory Mapped File	Readable
Aero.msstyles.mui	0x9f3ea20000	0x9f3ea20fff	Memory Mapped File	Readable
private_0x0000009f3ea30000	0x9f3ea30000	0x9f3ea30fff	Private Memory	Readable, Writable
pagefile_0x0000009f3ea40000	0x9f3ea40000	0x9f3ea40fff	Pagefile Backed File	Readable, Writable
private_0x0000009f3ea50000	0x9f3ea50000	0x9f3eb4ffff	Private Memory	Readable, Writable
private_0x0000009f3eb50000	0x9f3eb50000	0x9f3ebcffff	Private Memory	Readable, Writable
private_0x0000009f3ebd0000	0x9f3ebd0000	0x9f3ec4ffff	Private Memory	Readable, Writable
private_0x0000009f3ebd0000	0x9f3ebd0000	0x9f3ec4ffff	Private Memory	Readable, Writable
pagefile_0x0000009f3ec50000	0x9f3ec50000	0x9f3ec7ffff	Pagefile Backed File	Readable
private_0x0000009f3ec80000	0x9f3ec80000	0x9f3ec8ffff	Private Memory	Readable, Writable
pagefile_0x0000009f3ec90000	0x9f3ec90000	0x9f3ee17fff	Pagefile Backed File	Readable
pagefile_0x0000009f3ee20000	0x9f3ee20000	0x9f3efa0fff	Pagefile Backed File	Readable
sortdefault.nls	0x9f3efb0000	0x9f3f284fff	Memory Mapped File	Readable
private_0x0000009f3f300000	0x9f3f300000	0x9f3f30ffff	Private Memory	Readable, Writable
Aero.msstyles	0x9f3f310000	0x9f3f418fff	Memory Mapped File	Readable
private_0x0000009f3f390000	0x9f3f390000	0x9f3f40ffff	Private Memory	Readable, Writable
private_0x0000009f3f420000	0x9f3f420000	0x9f3fe1ffff	Private Memory	Readable, Writable
private_0x0000009f3fe20000	0x9f3fe20000	0x9f3ff1ffff	Private Memory	Readable, Writable
pagefile_0x00007df5ff3e0000	0x7df5ff3e0000	0x7ff5ff3dffff	Pagefile Backed File	-
pagefile_0x00007df5ff3e0000	0x7df5ff3e0000	0x7ff5ff3dffff	Pagefile Backed File	-
pagefile_0x00007ff7f6520000	0x7ff7f6520000	0x7ff7f661ffff	Pagefile Backed File	Readable
pagefile_0x00007ff7f6620000	0x7ff7f6620000	0x7ff7f6642fff	Pagefile Backed File	Readable
private_0x00007ff7f6644000	0x7ff7f6644000	0x7ff7f6645fff	Private Memory	Readable, Writable
private_0x00007ff7f6648000	0x7ff7f6648000	0x7ff7f6649fff	Private Memory	Readable, Writable
private_0x00007ff7f664a000	0x7ff7f664a000	0x7ff7f664bfff	Private Memory	Readable, Writable
private_0x00007ff7f664c000	0x7ff7f664c000	0x7ff7f664cfff	Private Memory	Readable, Writable
private_0x00007ff7f664c000	0x7ff7f664c000	0x7ff7f664cfff	Private Memory	Readable, Writable
private_0x00007ff7f664e000	0x7ff7f664e000	0x7ff7f664ffff	Private Memory	Readable, Writable
winlogon.exe	0x7ff7f6bc0000	0x7ff7f6c52fff	Memory Mapped File	Readable, Writable, Executable
WindowsCodecs.dll	0x7ffb702d0000	0x7ffb7047dfff	Memory Mapped File	Readable, Writable, Executable
UxTheme.dll	0x7ffb70480000	0x7ffb705a8fff	Memory Mapped File	Readable, Writable, Executable
uxinit.dll	0x7ffb705e0000	0x7ffb705f6fff	Memory Mapped File	Readable, Writable, Executable
winsta.dll	0x7ffb70940000	0x7ffb70999fff	Memory Mapped File	Readable, Writable, Executable
KBDUS.DLL	0x7ffb70990000	0x7ffb70993fff	Memory Mapped File	Readable, Writable, Executable
KBDUS.DLL	0x7ffb70a20000	0x7ffb70a23fff	Memory Mapped File	Readable, Writable, Executable
winlogonext.dll	0x7ffb70a30000	0x7ffb70a48fff	Memory Mapped File	Readable, Writable, Executable
rsaenh.dll	0x7ffb70b00000	0x7ffb70b35fff	Memory Mapped File	Readable, Writable, Executable
CRYPTSP.dll	0x7ffb71040000	0x7ffb7105ffff	Memory Mapped File	Readable, Writable, Executable
bcrypt.dll	0x7ffb71260000	0x7ffb71285fff	Memory Mapped File	Readable, Writable, Executable
powrprof.dll	0x7ffb71530000	0x7ffb71575fff	Memory Mapped File	Readable, Writable, Executable
bcryptPrimitives.dll	0x7ffb71580000	0x7ffb715e2fff	Memory Mapped File	Readable, Writable, Executable
CRYPTBASE.dll	0x7ffb715f0000	0x7ffb715fafff	Memory Mapped File	Readable, Writable, Executable
profapi.dll	0x7ffb716b0000	0x7ffb716c4fff	Memory Mapped File	Readable, Writable, Executable
kernelbase.dll	0x7ffb71760000	0x7ffb71874fff	Memory Mapped File	Readable, Writable, Executable
gdi32.dll	0x7ffb71ad0000	0x7ffb71c20fff	Memory Mapped File	Readable, Writable, Executable
sechost.dll	0x7ffb733c0000	0x7ffb73418fff	Memory Mapped File	Readable, Writable, Executable
kernel32.dll	0x7ffb73480000	0x7ffb735bdfff	Memory Mapped File	Readable, Writable, Executable
advapi32.dll	0x7ffb73690000	0x7ffb73739fff	Memory Mapped File	Readable, Writable, Executable
combase.dll	0x7ffb73740000	0x7ffb73950fff	Memory Mapped File	Readable, Writable, Executable
rpcrt4.dll	0x7ffb73a30000	0x7ffb73b70fff	Memory Mapped File	Readable, Writable, Executable
MSCTF.dll	0x7ffb73b80000	0x7ffb73cd2fff	Memory Mapped File	Readable, Writable, Executable
user32.dll	0x7ffb73e90000	0x7ffb74006fff	Memory Mapped File	Readable, Writable, Executable
IMM32.dll	0x7ffb74010000	0x7ffb74045fff	Memory Mapped File	Readable, Writable, Executable
MSVCRT.dll	0x7ffb74050000	0x7ffb740f9fff	Memory Mapped File	Readable, Writable, Executable
ntdll.dll	0x7ffb74120000	0x7ffb742cbfff	Memory Mapped File	Readable, Writable, Executable

Host Behavior

File (20)

Operation	Filename	Additional Information	Amount	Logfile
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\kbdus.dll	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	2	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\globalization\sorting\sortdefault.nls	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	1	Fn
CREATE			1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\resources\themes\aero\vscache\aero.msstyles_1033_96.mss	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	1	Fn
CREATE			2	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\resources\themes\aero\aero.msstyles	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	2	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\resources\themes\aero\aero.msstyles	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\winpeshl.exe	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\winpeshl.exe	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	1	Fn
OPEN	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\fonts\segoeuib.ttf	desired_access = FILE_READ_DATA, SYNCHRONIZE, share_mode = FILE_SHARE_READ, open_options = FILE_SYNCHRONOUS_IO_NONALERT	1	Fn
OPEN	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\fonts\segoeui.ttf	desired_access = FILE_READ_DATA, SYNCHRONIZE, share_mode = FILE_SHARE_READ, open_options = FILE_SYNCHRONOUS_IO_NONALERT	1	Fn
OPEN	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\fonts\tahoma.ttf	desired_access = FILE_READ_DATA, SYNCHRONIZE, share_mode = FILE_SHARE_READ, open_options = FILE_SYNCHRONOUS_IO_NONALERT	1	Fn
OPEN	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\fonts\micross.ttf	desired_access = FILE_READ_DATA, SYNCHRONIZE, share_mode = FILE_SHARE_READ, open_options = FILE_SYNCHRONOUS_IO_NONALERT	1	Fn
READ			2	Fn
READ	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\resources\themes\aero\aero.msstyles	size = 16	1	Fn Data
READ	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\resources\themes\aero\aero.msstyles	size = 128	1	Fn Data

Process (105)

Operation	Process Name	Additional Information	Amount	Logfile
CREATE			1	Fn
CREATE		desired_access = MAXIMUM_ALLOWED, creation_flags = CREATE_NEW_PROCESS_GROUP	1	Fn
OPEN_TOKEN			4	Fn
GET_INFO	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe	os_pid = 0x134	1	Fn
GET_INFO	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe	os_pid = 0x134	4	Fn
GET_INFO	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe	os_pid = 0x134	5	Fn
GET_INFO	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe	os_pid = 0x134	1	Fn
GET_INFO	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe	os_pid = 0x134	1	Fn
GET_INFO	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe	os_pid = 0x134	85	Fn
GET_INFO	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe	os_pid = 0x134	1	Fn
GET_INFO			1	Fn

Memory (3)

Operation	Address	Additional Information	Amount	Logfile
ALLOC	0x9f3e94dc78	process_name = , size = 683949743576, allocation_type = MEM_COMMIT, protection = PAGE_READWRITE	1	Fn
WRITE	0xa3b7d40000	process_name = , size = 4704	1	Fn Data
WRITE	0x7ff74d8ca2d8	process_name = , size = 8	1	Fn Data

Thread (2)

Operation	Process Name	Additional Information	Success	Amount	Logfile
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe	os_pid = 0x134, proc_address = 0x7ff7f6bcf270, desired_access = THREAD_ALL_ACCESS		1	Fn
RESUME				1	Fn

Module (79)

Operation	Module	Additional Information	Amount	Logfile
LOAD	X:\windows\system32\IMM32.DLL	base_address = 0x0	1	Fn
LOAD	rpcrt4.dll	base_address = 0x0	1	Fn
LOAD	KBDUS.DLL	base_address = 0x0	2	Fn
LOAD	kernel32.dll	base_address = 0x0	1	Fn
LOAD		base_address = 0x9f3f310001	1	Fn
LOAD		base_address = 0x7ffb70b00000	1	Fn
LOAD	X:\windows\system32\rsaenh.dll	base_address = 0x0	1	Fn
LOAD		base_address = 0x7ffb71580000	1	Fn
LOAD	X:\windows\system32\bcryptprimitives.dll	base_address = 0x0	1	Fn
LOAD		base_address = 0x0	1	Fn
LOAD	oobe\WinLGDep.dll	base_address = 0xc0000135	1	Fn
GET_HANDLE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\winlogon.exe		2	Fn
GET_HANDLE	X:\windows\system32\IMM32.DLL		1	Fn
GET_HANDLE	X:\windows\system32\IMM32.DLL		2	Fn
GET_HANDLE	IMM32.DLL		1	Fn
GET_HANDLE	user32.dll		1	Fn
GET_HANDLE	rpcrt4.dll		1	Fn
CREATE_MAPPING	Nameless FileMapping	file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\fonts\segoeuib.ttf, maximum_size = 0, protection = PAGE_READONLY	1	Fn
CREATE_MAPPING	Nameless FileMapping	file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\fonts\segoeui.ttf, maximum_size = 0, protection = PAGE_READONLY	1	Fn
CREATE_MAPPING	Nameless FileMapping	file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\fonts\tahoma.ttf, maximum_size = 0, protection = PAGE_READONLY	1	Fn
CREATE_MAPPING	Nameless FileMapping	file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\fonts\micross.ttf, maximum_size = 0, protection = PAGE_READONLY	1	Fn
CREATE_MAPPING	Nameless FileMapping	file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\globalization\sorting\sortdefault.nls, maximum_size = 0, protection = PAGE_READONLY	1	Fn
CREATE_MAPPING	Nameless FileMapping	file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\resources\themes\aero\aero.msstyles, maximum_size = 0, protection = PAGE_READONLY	2	Fn
CREATE_MAPPING	Nameless FileMapping		1	Fn
CREATE_MAPPING	Nameless FileMapping	file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\winpeshl.exe, maximum_size = 0, protection = PAGE_READONLY	1	Fn
MAP	Nameless FileMapping	process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134, address = 0x9f3efb0000	1	Fn
MAP	Nameless FileMapping	process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134, address = 0x9f3efb0000	1	Fn
MAP	Nameless FileMapping	process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134, address = 0x9f3efb0000	1	Fn
MAP	Nameless FileMapping	process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134, address = 0x9f3efb0000	1	Fn
MAP	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\winlogon.exe	os_pid = 0x194, address = 0x9f3ea10000	2	Fn
MAP	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe	os_pid = 0x134, address = 0x9f3ea10000	1	Fn
MAP	Nameless FileMapping	process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134, address = 0x9f3efb0000	1	Fn
MAP	Software\Microsoft\Windows\CurrentVersion\ThemeManager	process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134, address = 0x9f3ea10000	1	Fn
MAP	Nameless FileMapping	process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134, address = 0x9f3f310000	1	Fn
MAP	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\winlogon.exe	os_pid = 0x194, address = 0x9f3f420000	1	Fn
MAP	Nameless FileMapping	process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134, address = 0x9f3f420000	1	Fn
MAP	Nameless FileMapping	process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134, address = 0x9f3f410000	1	Fn
UNMAP	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe	os_pid = 0x134, base_address = 0x9f3efb0000	4	Fn
UNMAP	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\winlogon.exe	os_pid = 0x194	3	Fn
UNMAP	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe	os_pid = 0x134, base_address = 0x9f3f310000	1	Fn
UNMAP	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe	os_pid = 0x134, base_address = 0x9f3f410000	1	Fn
GET_PROC_ADDRESS		address_out = 0x7ffb73e94c30	1	Fn
GET_PROC_ADDRESS		address_out = 0x7ffb70b01570	1	Fn
GET_PROC_ADDRESS		address_out = 0x7ffb70b01080	1	Fn
GET_PROC_ADDRESS		address_out = 0x7ffb70b06090	1	Fn
GET_PROC_ADDRESS		address_out = 0x7ffb70b1e1d0	1	Fn
GET_PROC_ADDRESS		address_out = 0x7ffb70b02ce0	1	Fn
GET_PROC_ADDRESS		address_out = 0x7ffb70b0af70	1	Fn
GET_PROC_ADDRESS		address_out = 0x7ffb70b03880	1	Fn
GET_PROC_ADDRESS		address_out = 0x7ffb70b03a30	1	Fn
GET_PROC_ADDRESS		address_out = 0x7ffb70b03260	1	Fn
GET_PROC_ADDRESS		address_out = 0x7ffb70b06be0	1	Fn
GET_PROC_ADDRESS		address_out = 0x7ffb70b04ea0	1	Fn
GET_PROC_ADDRESS		address_out = 0x7ffb70b027d0	1	Fn
GET_PROC_ADDRESS		address_out = 0x7ffb70b02b00	1	Fn
GET_PROC_ADDRESS		address_out = 0x7ffb70b1d8d0	1	Fn
GET_PROC_ADDRESS		address_out = 0x7ffb70b024f0	1	Fn
GET_PROC_ADDRESS		address_out = 0x7ffb70b06830	1	Fn
GET_PROC_ADDRESS		address_out = 0x7ffb70b03c50	1	Fn
GET_PROC_ADDRESS		address_out = 0x7ffb70b01030	1	Fn
GET_PROC_ADDRESS		address_out = 0x7ffb70b05bb0	1	Fn
GET_PROC_ADDRESS		address_out = 0x7ffb70b0f290	1	Fn
GET_PROC_ADDRESS		address_out = 0x7ffb70b0f750	1	Fn
GET_PROC_ADDRESS		address_out = 0x7ffb70b03f50	1	Fn
GET_PROC_ADDRESS		address_out = 0x7ffb70b02630	1	Fn
GET_PROC_ADDRESS		address_out = 0x7ffb70b0d330	1	Fn
GET_PROC_ADDRESS		address_out = 0x7ffb70b1d6e0	1	Fn
GET_PROC_ADDRESS		address_out = 0x7ffb715848b0	1	Fn
GET_PROC_ADDRESS		address_out = 0x7ffb7159b3d0	1	Fn

Service (4)

Operation	Service	Additional Information	Success	Amount	Logfile
OPEN_MGR	SERVICES_ACTIVE_DATABASE	host = Localhost		2	Fn
OPEN				2	Fn

Registry (370)

Operation	Key	Additional Information	Amount	Logfile
CREATE_KEY	\REGISTRY\MACHINE\SOFTWARE\CLASSES		1	Fn
CREATE_KEY	\Registry\Machine\System\CurrentControlSet\Control\ComputerName\ActiveComputerName		1	Fn
CREATE_KEY			2	Fn
CREATE_KEY	Software\Microsoft\Windows\CurrentVersion\ThemeManager		2	Fn
OPEN_KEY	\Registry\Machine\System\CurrentControlSet\Control\Nls\Sorting\Versions		1	Fn
OPEN_KEY	\Registry\Machine\System\CurrentControlSet\Control\Error Message Instrument\		1	Fn
OPEN_KEY	\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize		1	Fn
OPEN_KEY			38	Fn
OPEN_KEY			4	Fn
OPEN_KEY	\Registry\Machine\System\CurrentControlSet\Control\ComputerName		1	Fn
OPEN_KEY	\Registry\Machine\System\CurrentControlSet\Control\ComputerName\ActiveComputerName		1	Fn
OPEN_KEY	\Registry\Machine\System\CurrentControlSet\Control\ComputerName\ComputerName		1	Fn
OPEN_KEY	\Registry\Machine\System\Setup		5	Fn
OPEN_KEY	\Registry\Machine\System\CurrentControlSet\Control\ComputerName\ActiveComputerName		1	Fn
OPEN_KEY	Keyboard Layout\Preload		1	Fn
OPEN_KEY	\Registry\Machine\System\CurrentControlSet\Control\Keyboard Layouts\00000409		2	Fn
OPEN_KEY	\Registry\Machine\Software\Microsoft\Windows\Windows Error Reporting\WMR		1	Fn
OPEN_KEY	\Registry\Machine\Software\Microsoft\Windows\Windows Error Reporting\WMR\Control Panel\International		1	Fn
OPEN_KEY	\Registry\Machine\System\CurrentControlSet\Control\Nls\CustomLocale		1	Fn
OPEN_KEY	\Registry\Machine\System\CurrentControlSet\Control\Nls\ExtendedLocale		1	Fn
OPEN_KEY	\Registry\Machine\System\CurrentControlSet\Control\Nls\Locale		1	Fn
OPEN_KEY	\Registry\Machine\System\CurrentControlSet\Control\Nls\Locale\Alternate Sorts		1	Fn
OPEN_KEY	\Registry\Machine\System\CurrentControlSet\Control\Nls\Language Groups		1	Fn
OPEN_KEY	Control Panel\Input Method\Hot Keys		2	Fn
OPEN_KEY	Control Panel\Input Method\Hot Keys\00000010		2	Fn
OPEN_KEY	Control Panel\Input Method\Hot Keys\00000011		2	Fn
OPEN_KEY	Control Panel\Input Method\Hot Keys\00000012		2	Fn
OPEN_KEY	Control Panel\Input Method\Hot Keys\00000070		2	Fn
OPEN_KEY	Control Panel\Input Method\Hot Keys\00000071		2	Fn
OPEN_KEY	Control Panel\Input Method\Hot Keys\00000072		2	Fn
OPEN_KEY	Control Panel\Input Method\Hot Keys\00000104		2	Fn
OPEN_KEY	Control Panel\Input Method\Hot Keys\00000200		2	Fn
OPEN_KEY	Control Panel\Input Method\Hot Keys\00000201		2	Fn
OPEN_KEY	Control Panel\Input Method\Hot Keys\00000202		2	Fn
OPEN_KEY	Control Panel\Input Method\Hot Keys\00000203		2	Fn
OPEN_KEY	\REGISTRY\USER\S-1-5-18		4	Fn
OPEN_KEY	\REGISTRY\USER\S-1-5-18\Keyboard Layout\Preload		3	Fn
OPEN_KEY	\REGISTRY\USER\S-1-5-18\Keyboard Layout\Preload\Keyboard Layout\Preload		1	Fn
OPEN_KEY	\REGISTRY\USER\S-1-5-18\Keyboard Layout\Substitutes		1	Fn
OPEN_KEY	HKEY_CURRENT_USER		10	Fn
OPEN_KEY	\Registry\Machine\System\CurrentControlSet\Control\Nls\Sorting\Ids		1	Fn
OPEN_KEY	\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager\AppCertDlls		1	Fn
OPEN_KEY	\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option		1	Fn
OPEN_KEY	\Registry\MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide		1	Fn
READ_VALUE	\Registry\Machine\System\CurrentControlSet\Control\Nls\Sorting\Versions	value_name = 683949743520	1	Fn
READ_VALUE	\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize	value_name = DisableMetaFiles	1	Fn
READ_VALUE		value_name = LoadAppInit_DLLs	1	Fn
READ_VALUE			11	Fn
READ_VALUE		value_name = TracingControlLevel	1	Fn
READ_VALUE		value_name = SimulateDebugSession	1	Fn
READ_VALUE			44	Fn
READ_VALUE		value_name = Respecialize	1	Fn
READ_VALUE		value_name = SetupType	1	Fn
READ_VALUE		value_name = NoDebugThread	1	Fn
READ_VALUE	\Registry\Machine\System\CurrentControlSet\Control\ComputerName\ComputerName	value_name = ComputerName	1	Fn
READ_VALUE	\Registry\Machine\System\Setup	value_name = OOBEInProgress	2	Fn
READ_VALUE	\Registry\Machine\System\Setup	value_name = SystemSetupInProgress	2	Fn
READ_VALUE	\Registry\Machine\System\Setup	value_name = ProfileImagePath	2	Fn
READ_VALUE	\Registry\Machine\System\Setup	value_name = Public	2	Fn
READ_VALUE	\Registry\Machine\System\Setup	value_name = ProgramData	2	Fn
READ_VALUE	\Registry\Machine\System\Setup	value_name = ProgramFilesDir	1	Fn
READ_VALUE	\Registry\Machine\System\Setup	value_name = CommonFilesDir	1	Fn
READ_VALUE	\Registry\Machine\System\Setup	value_name = ProgramFilesDir (x86)	1	Fn
READ_VALUE	\Registry\Machine\System\Setup	value_name = CommonFilesDir (x86)	1	Fn
READ_VALUE	\Registry\Machine\System\Setup	value_name = ProgramW6432Dir	1	Fn
READ_VALUE	\Registry\Machine\System\Setup	value_name = CommonW6432Dir	1	Fn
READ_VALUE	\Registry\Machine\System\Setup	value_name = AllowBlockingAppsAtShutdown	1	Fn
READ_VALUE	\Registry\Machine\System\Setup	value_name = MaxRpcSize	1	Fn
READ_VALUE	\Registry\Machine\System\CurrentControlSet\Control\ComputerName\ActiveComputerName	value_name = ComputerName	1	Fn
READ_VALUE		value_name = IdleTimerWindow	1	Fn
READ_VALUE	Keyboard Layout\Preload	value_name = 1	1	Fn
READ_VALUE	\Registry\Machine\System\CurrentControlSet\Control\Keyboard Layouts\00000409	value_name = Layout File	2	Fn
READ_VALUE	\Registry\Machine\System\CurrentControlSet\Control\Keyboard Layouts\00000409	value_name = Attributes	2	Fn
READ_VALUE	\Registry\Machine\Software\Microsoft\Windows\Windows Error Reporting\WMR	value_name = Disable	1	Fn
READ_VALUE	\Registry\Machine\Software\Microsoft\Windows\Windows Error Reporting\WMR\Control Panel\International		1	Fn
READ_VALUE	\Registry\Machine\Software\Microsoft\Windows\Windows Error Reporting\WMR\Control Panel\International		1	Fn
READ_VALUE	\Registry\Machine\Software\Microsoft\Windows\Windows Error Reporting\WMR\Control Panel\International	value_name = sCurrencyOverride	1	Fn
READ_VALUE	\Registry\Machine\System\CurrentControlSet\Control\Nls\CustomLocale	value_name = en-US	1	Fn
READ_VALUE	\Registry\Machine\System\CurrentControlSet\Control\Nls\ExtendedLocale	value_name = en-US	1	Fn
READ_VALUE	\Registry\Machine\System\CurrentControlSet\Control\Nls\Locale	value_name = 00000409	1	Fn
READ_VALUE	\Registry\Machine\System\CurrentControlSet\Control\Nls\Language Groups	value_name = 1	1	Fn
READ_VALUE	Control Panel\Input Method\Hot Keys\00000010	value_name = Virtual Key	2	Fn
READ_VALUE	Control Panel\Input Method\Hot Keys\00000010	value_name = Key Modifiers	2	Fn
READ_VALUE	Control Panel\Input Method\Hot Keys\00000010	value_name = Target IME	2	Fn
READ_VALUE	Control Panel\Input Method\Hot Keys\00000011	value_name = Virtual Key	2	Fn
READ_VALUE	Control Panel\Input Method\Hot Keys\00000011	value_name = Key Modifiers	2	Fn
READ_VALUE	Control Panel\Input Method\Hot Keys\00000011	value_name = Target IME	2	Fn
READ_VALUE	Control Panel\Input Method\Hot Keys\00000012	value_name = Virtual Key	2	Fn
READ_VALUE	Control Panel\Input Method\Hot Keys\00000012	value_name = Key Modifiers	2	Fn
READ_VALUE	Control Panel\Input Method\Hot Keys\00000012	value_name = Target IME	2	Fn
READ_VALUE	Control Panel\Input Method\Hot Keys\00000070	value_name = Virtual Key	2	Fn
READ_VALUE	Control Panel\Input Method\Hot Keys\00000070	value_name = Key Modifiers	2	Fn
READ_VALUE	Control Panel\Input Method\Hot Keys\00000070	value_name = Target IME	2	Fn
READ_VALUE	Control Panel\Input Method\Hot Keys\00000071	value_name = Virtual Key	2	Fn
READ_VALUE	Control Panel\Input Method\Hot Keys\00000071	value_name = Key Modifiers	2	Fn
READ_VALUE	Control Panel\Input Method\Hot Keys\00000071	value_name = Target IME	2	Fn
READ_VALUE	Control Panel\Input Method\Hot Keys\00000072	value_name = Virtual Key	2	Fn
READ_VALUE	Control Panel\Input Method\Hot Keys\00000072	value_name = Key Modifiers	2	Fn
READ_VALUE	Control Panel\Input Method\Hot Keys\00000072	value_name = Target IME	2	Fn
READ_VALUE	Control Panel\Input Method\Hot Keys\00000104	value_name = Virtual Key	2	Fn
READ_VALUE	Control Panel\Input Method\Hot Keys\00000104	value_name = Key Modifiers	2	Fn
READ_VALUE	Control Panel\Input Method\Hot Keys\00000104	value_name = Target IME	2	Fn
READ_VALUE	Control Panel\Input Method\Hot Keys\00000200	value_name = Virtual Key	2	Fn
READ_VALUE	Control Panel\Input Method\Hot Keys\00000200	value_name = Key Modifiers	2	Fn
READ_VALUE	Control Panel\Input Method\Hot Keys\00000200	value_name = Target IME	2	Fn
READ_VALUE	Control Panel\Input Method\Hot Keys\00000201	value_name = Virtual Key	2	Fn
READ_VALUE	Control Panel\Input Method\Hot Keys\00000201	value_name = Key Modifiers	2	Fn
READ_VALUE	Control Panel\Input Method\Hot Keys\00000201	value_name = Target IME	2	Fn
READ_VALUE	Control Panel\Input Method\Hot Keys\00000202	value_name = Virtual Key	2	Fn
READ_VALUE	Control Panel\Input Method\Hot Keys\00000202	value_name = Key Modifiers	2	Fn
READ_VALUE	Control Panel\Input Method\Hot Keys\00000202	value_name = Target IME	2	Fn
READ_VALUE	Control Panel\Input Method\Hot Keys\00000203	value_name = Virtual Key	2	Fn
READ_VALUE	Control Panel\Input Method\Hot Keys\00000203	value_name = Key Modifiers	2	Fn
READ_VALUE	Control Panel\Input Method\Hot Keys\00000203	value_name = Target IME	2	Fn
READ_VALUE	\REGISTRY\USER\S-1-5-18\Keyboard Layout\Preload	value_name = 1	1	Fn
READ_VALUE	\REGISTRY\USER\S-1-5-18\Keyboard Layout\Preload	value_name = 1	1	Fn
READ_VALUE	\REGISTRY\USER\S-1-5-18\Keyboard Layout\Preload	value_name = 2	2	Fn
READ_VALUE	\REGISTRY\USER\S-1-5-18\Keyboard Layout\Preload\Keyboard Layout\Preload	value_name = 1	1	Fn
READ_VALUE	\REGISTRY\USER\S-1-5-18\Keyboard Layout\Substitutes	value_name = 00000409	1	Fn
READ_VALUE	Control Panel\Input Method\Hot Keys	value_name = SecureBoot	1	Fn
READ_VALUE		value_name = LMVersion	2	Fn
READ_VALUE	Software\Microsoft\Windows\CurrentVersion\ThemeManager	value_name = LMVersion	1	Fn
READ_VALUE		value_name = LMOverRide	1	Fn
READ_VALUE	\Registry\Machine\System\CurrentControlSet\Control\Nls\Sorting\Versions	value_name = 000602xx	1	Fn
READ_VALUE	\Registry\Machine\System\CurrentControlSet\Control\Nls\Sorting\Ids	value_name = en-US	1	Fn
READ_VALUE	\Registry\Machine\System\CurrentControlSet\Control\Nls\Sorting\Ids	value_name = en	1	Fn
READ_VALUE		value_name = LoadedBefore	1	Fn
READ_VALUE	Software\Microsoft\Windows\CurrentVersion\ThemeManager	value_name = LMVersion	3	Fn
READ_VALUE	Software\Microsoft\Windows\CurrentVersion\ThemeManager	value_name = LoadedBefore	2	Fn
READ_VALUE	Software\Microsoft\Windows\CurrentVersion\ThemeManager	value_name = DllName	1	Fn
READ_VALUE	Software\Microsoft\Windows\CurrentVersion\ThemeManager	value_name = ColorName	1	Fn
READ_VALUE	Software\Microsoft\Windows\CurrentVersion\ThemeManager	value_name = SizeName	1	Fn
READ_VALUE	Software\Microsoft\Windows\CurrentVersion\ThemeManager	value_name = LastUserLangID	1	Fn
READ_VALUE	Software\Microsoft\Windows\CurrentVersion\ThemeManager	value_name = LastLoadedDPI	1	Fn
READ_VALUE	Software\Microsoft\Windows\CurrentVersion\ThemeManager	value_name = LastLoadedPPI	1	Fn
READ_VALUE	Software\Microsoft\Windows\CurrentVersion\ThemeManager	value_name = PageAllocatorUseSystemHeap	1	Fn
READ_VALUE	Software\Microsoft\Windows\CurrentVersion\ThemeManager	value_name = PageAllocatorSystemHeapIsPrivate	1	Fn
READ_VALUE	Software\Microsoft\Windows\CurrentVersion\ThemeManager	value_name = AggressiveMTATesting	1	Fn
READ_VALUE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\resources\themes\aero\aero.msstyles	value_name = Name	4	Fn
READ_VALUE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\resources\themes\aero\aero.msstyles	value_name = Type	1	Fn
READ_VALUE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\resources\themes\aero\aero.msstyles	value_name = Image Path	4	Fn
READ_VALUE		value_name = MachineGuid	4	Fn
READ_VALUE		value_name = ProgramFilesDir	1	Fn
READ_VALUE		value_name = CommonFilesDir	1	Fn
READ_VALUE		value_name = ProgramFilesDir (x86)	1	Fn
READ_VALUE		value_name = CommonFilesDir (x86)	1	Fn
READ_VALUE		value_name = ProgramW6432Dir	1	Fn
READ_VALUE		value_name = CommonW6432Dir	1	Fn
READ_VALUE		value_name = Userinit	4	Fn
READ_VALUE		value_name = userinit	1	Fn
READ_VALUE		value_name = System	1	Fn
READ_VALUE		value_name = Cmdline	1	Fn
READ_VALUE	\Registry\Machine\System\Setup	value_name = 140717948767312	1	Fn
READ_VALUE	\Registry\MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide	value_name = PreferExternalManifest	1	Fn
WRITE_VALUE	\Registry\Machine\System\CurrentControlSet\Control\ComputerName\ActiveComputerName	value_name = ComputerName, data = MINWINPC	1	Fn
WRITE_VALUE			10	Fn
WRITE_VALUE	Software\Microsoft\Windows\CurrentVersion\ThemeManager	value_name = LMVersion, data = 105	2	Fn
WRITE_VALUE	Software\Microsoft\Windows\CurrentVersion\ThemeManager	value_name = DllName, data = %SystemRoot%\resources\themes\Aero\Aero.msstyles	1	Fn
WRITE_VALUE	Software\Microsoft\Windows\CurrentVersion\ThemeManager	value_name = ThemeActive, data = 1	1	Fn
WRITE_VALUE	Software\Microsoft\Windows\CurrentVersion\ThemeManager	value_name = LoadedBefore, data = 0	2	Fn
WRITE_VALUE		value_name = LoadedBefore, data = 1	1	Fn
WRITE_VALUE		value_name = Userinit, data =	1	Fn
WRITE_VALUE		value_name = Userinit, data = X:\windows\system32\userinit.exe,	1	Fn
WRITE_VALUE		value_name = SetupType, data = 0	1	Fn
DELETE_VALUE			6	Fn
DELETE_VALUE		value_name = InstallTheme	1	Fn
DELETE_VALUE		value_name = SetVisualStyle	1	Fn
DELETE_VALUE		value_name = InstallVisualStyle	1	Fn
DELETE_VALUE	Software\Microsoft\Windows\CurrentVersion\ThemeManager	value_name = ColorName	1	Fn
DELETE_VALUE	Software\Microsoft\Windows\CurrentVersion\ThemeManager	value_name = SizeName	1	Fn
DELETE_VALUE		value_name = AutoAdminLogon	1	Fn

Driver (2)

Operation	Driver	Additional Information	Success	Amount	Logfile
CONTROL				1	Fn
CONTROL		control_code = 0x390008		1	Fn

Keyboard (2)

Operation	Virtual Key Code	Additional Information	Success	Amount	Logfile
READ		result_out = 0		2	Fn

System (17)

Operation	Information	Amount	Logfile
CREATE_DESKTOP		2	Fn
SWITCH_DESKTOP		2	Fn
GET_INFO	type = SYSTEM_CURRENT_TIME_ZONE_INFORMATION	1	Fn
GET_INFO	type = SYSTEM_BASIC_INFORMATION	8	Fn
GET_INFO		1	Fn
GET_INFO	type = SYSTEM_PROCESSOR_INFORMATION	3	Fn

Process #10: services.exe

(Host: 10677, Network: 0)

Information	Value
ID / OS PID	#10 / 0x1ac
OS Parent PID	0x164 (c:\windows\system32\csrss.exe)
Initial Working Directory	X:\windows\system32
File Name	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\services.exe
Command Line	X:\windows\system32\services.exe -setup
Monitor	Start Time: 00:01:35, Reason: Child Process
Unmonitor	End Time: 00:02:07, Reason: Terminated by Timeout
Monitor Duration	00:00:32
OS Thread IDs	#68 0x1B0 #90 0x208 #91 0x20C #97 0x224 #111 0x260 #134 0x2D4

Region

Name	Start VA	End VA	Type	Permissions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable
private_0x00000094cfe90000	0x94cfe90000	0x94cfeaffff	Private Memory	Readable, Writable
pagefile_0x00000094cfe90000	0x94cfe90000	0x94cfe9ffff	Pagefile Backed File	Readable, Writable
private_0x00000094cfea0000	0x94cfea0000	0x94cfea6fff	Private Memory	Readable, Writable
pagefile_0x00000094cfeb0000	0x94cfeb0000	0x94cfebefff	Pagefile Backed File	Readable
private_0x00000094cfec0000	0x94cfec0000	0x94cff3ffff	Private Memory	Readable, Writable
pagefile_0x00000094cff40000	0x94cff40000	0x94cff43fff	Pagefile Backed File	Readable
pagefile_0x00000094cff50000	0x94cff50000	0x94cff50fff	Pagefile Backed File	Readable
locale.nls	0x94cff60000	0x94cffddfff	Memory Mapped File	Readable
private_0x00000094cffe0000	0x94cffe0000	0x94cffe6fff	Private Memory	Readable, Writable
pagefile_0x00000094cfff0000	0x94cfff0000	0x94cfff2fff	Pagefile Backed File	Readable, Writable
services.exe.mui	0x94d0000000	0x94d0004fff	Memory Mapped File	Readable
private_0x00000094d0040000	0x94d0040000	0x94d004ffff	Private Memory	Readable, Writable
private_0x00000094d00c0000	0x94d00c0000	0x94d01bffff	Private Memory	Readable, Writable
sortdefault.nls	0x94d01c0000	0x94d0494fff	Memory Mapped File	Readable
private_0x00000094d04a0000	0x94d04a0000	0x94d059ffff	Private Memory	Readable, Writable
private_0x00000094d05a0000	0x94d05a0000	0x94d079ffff	Private Memory	Readable, Writable
private_0x00000094d07a0000	0x94d07a0000	0x94d081ffff	Private Memory	Readable, Writable
private_0x00000094d0820000	0x94d0820000	0x94d089ffff	Private Memory	Readable, Writable
private_0x00000094d08a0000	0x94d08a0000	0x94d091ffff	Private Memory	Readable, Writable
private_0x00000094d0920000	0x94d0920000	0x94d099ffff	Private Memory	Readable, Writable
pagefile_0x00007df5fff40000	0x7df5fff40000	0x7ff5fff3ffff	Pagefile Backed File	-
pagefile_0x00007df5fff40000	0x7df5fff40000	0x7ff5fff3ffff	Pagefile Backed File	-
pagefile_0x00007df5fff40000	0x7df5fff40000	0x7ff5fff3ffff	Pagefile Backed File	-
pagefile_0x00007ff672770000	0x7ff672770000	0x7ff67286ffff	Pagefile Backed File	Readable
pagefile_0x00007ff672870000	0x7ff672870000	0x7ff672892fff	Pagefile Backed File	Readable
private_0x00007ff672893000	0x7ff672893000	0x7ff672893fff	Private Memory	Readable, Writable
private_0x00007ff672896000	0x7ff672896000	0x7ff672897fff	Private Memory	Readable, Writable
private_0x00007ff672898000	0x7ff672898000	0x7ff672899fff	Private Memory	Readable, Writable
private_0x00007ff67289a000	0x7ff67289a000	0x7ff67289bfff	Private Memory	Readable, Writable
private_0x00007ff67289c000	0x7ff67289c000	0x7ff67289dfff	Private Memory	Readable, Writable
private_0x00007ff67289e000	0x7ff67289e000	0x7ff67289ffff	Private Memory	Readable, Writable
services.exe	0x7ff673060000	0x7ff6730c5fff	Memory Mapped File	Readable, Writable, Executable
AUTHZ.dll	0x7ffb70860000	0x7ffb708a7fff	Memory Mapped File	Readable, Writable, Executable
scesrv.dll	0x7ffb708b0000	0x7ffb70939fff	Memory Mapped File	Readable, Writable, Executable
spinf.dll	0x7ffb709a0000	0x7ffb709bdfff	Memory Mapped File	Readable, Writable, Executable
srvcli.dll	0x7ffb709c0000	0x7ffb709e5fff	Memory Mapped File	Readable, Writable, Executable
EventAggregation.dll	0x7ffb709f0000	0x7ffb709fafff	Memory Mapped File	Readable, Writable, Executable
DABAPI.dll	0x7ffb70a00000	0x7ffb70a07fff	Memory Mapped File	Readable, Writable, Executable
scext.dll	0x7ffb70a10000	0x7ffb70a20fff	Memory Mapped File	Readable, Writable, Executable
SspiCli.dll	0x7ffb71500000	0x7ffb7152dfff	Memory Mapped File	Readable, Writable, Executable
bcryptPrimitives.dll	0x7ffb71580000	0x7ffb715e2fff	Memory Mapped File	Readable, Writable, Executable
CRYPTBASE.dll	0x7ffb715f0000	0x7ffb715fafff	Memory Mapped File	Readable, Writable, Executable
profapi.dll	0x7ffb716b0000	0x7ffb716c4fff	Memory Mapped File	Readable, Writable, Executable
kernelbase.dll	0x7ffb71760000	0x7ffb71874fff	Memory Mapped File	Readable, Writable, Executable
sechost.dll	0x7ffb733c0000	0x7ffb73418fff	Memory Mapped File	Readable, Writable, Executable
kernel32.dll	0x7ffb73480000	0x7ffb735bdfff	Memory Mapped File	Readable, Writable, Executable
rpcrt4.dll	0x7ffb73a30000	0x7ffb73b70fff	Memory Mapped File	Readable, Writable, Executable
MSVCRT.dll	0x7ffb74050000	0x7ffb740f9fff	Memory Mapped File	Readable, Writable, Executable
ntdll.dll	0x7ffb74120000	0x7ffb742cbfff	Memory Mapped File	Readable, Writable, Executable

Injection Information

Injection Type	Source Process	Source Os Thread ID	Injection Info	Amount	Logfile
Modify Memory	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe	0x188	address = 0x4584630000, size = 16384	1	Fn Data
Modify Memory	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe	0x188	No corresponding api call detected. Probably injected code via shellcode.	1
Modify Memory	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe	0x188	address = 0x4584630000, size = 4096	1	Fn Data
Modify Memory	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe	0x188	No corresponding api call detected. Probably injected code via shellcode.	1

Created or Modified Files

Filename	File Size	Hash Values
\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\usbxhci.pnf	11.26 KB (11528 bytes)	MD5: 72a7d52c829219fe574e86638fb6a23b SHA1: e59da7ae2aab26f70663f39adf91efcb191aad2c SHA256: ffff12546c87da3388192d28602e3fdaa9a1aaf30d43335b17e5af27867b97ce
\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\hdaudbus.pnf	9.04 KB (9256 bytes)	MD5: cae8133113b0fa8eb45181f9c5d6dbdb SHA1: ec18aa17bdc203b0d550c8fd8c6300b3df857b6f SHA256: 76ab1f207f5c4c1bbac23e93fac1526804230fb8b3b2bb5c2d67396d8088111d
\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\serviceprofiles\networkservice\ntuser.dat	256.00 KB (262144 bytes)	MD5: 2aa9bd6793f83cef98d5d7fd60ab405b SHA1: 21c2f6d19d1b0bacbc3f77e3d65e268de288a4e4 SHA256: 5c082b5c231e8b2543ae6add7a80da48de09b3a17f67e79bdd465be59b3a3d84
\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\serviceprofiles\localservice\ntuser.dat	256.00 KB (262144 bytes)	MD5: 2aa9bd6793f83cef98d5d7fd60ab405b SHA1: 21c2f6d19d1b0bacbc3f77e3d65e268de288a4e4 SHA256: 5c082b5c231e8b2543ae6add7a80da48de09b3a17f67e79bdd465be59b3a3d84
\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\msmouse.pnf	90.35 KB (92520 bytes)	MD5: 348c682409045af377e6a1dca770dc90 SHA1: 2bae29b156217f52678974af1c94aca774a28736 SHA256: 7f4f7089b57310b37eab34376b7dfc2950630a7f1b4aeec32fe397b543142d2c
\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\errdev.pnf	8.43 KB (8628 bytes)	MD5: 913f6bc3d9c97be46972c278ba84e164 SHA1: 7a40bf25292697394f6a5e3fe0e27e1b31da778c SHA256: 3bcfc47aa85bda59cebebb0f950d97a3f3c6fd5fb144c4a90e4514416d69a9cb
\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\cdrom.pnf	13.08 KB (13396 bytes)	MD5: ea8c9d9fd77d6fa9d3fe8cadf4b15d99 SHA1: a3318b388daf7c943d3d3f0dab70187fa450568e SHA256: 060a3c11e01858498e7867135d78acb5126cad3167590a5dbe8d08e063e47bf0
\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\serviceprofiles\networkservice\ntuser.dat{2df2d1e8-0b32-11e3-93f4-90b11c2eb9f2}.tmcontainer00000000000000000001.regtrans-ms	512.00 KB (524288 bytes)	MD5: 61bb82ecefdac3b60b11441cc6c780b0 SHA1: da763f11762558805d9b32096c8e47bd03132b5e SHA256: ca0e01a9ed63401c0d0458a315adbc586e19d7638272aafb5ecadd4817efc5c7
\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\serviceprofiles\localservice\ntuser.dat{2df2d1e8-0b32-11e3-93f4-90b11c2eb9f2}.tmcontainer00000000000000000001.regtrans-ms	512.00 KB (524288 bytes)	MD5: 61bb82ecefdac3b60b11441cc6c780b0 SHA1: da763f11762558805d9b32096c8e47bd03132b5e SHA256: ca0e01a9ed63401c0d0458a315adbc586e19d7638272aafb5ecadd4817efc5c7
\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\qlfcoei.pnf	10.95 KB (11216 bytes)	MD5: 62816a91b4b87f7dc7f57f2503502325 SHA1: bd3fdee1b75f0674723f66cee4f0b2ea0bd33ce4 SHA256: cc07c110eaf6a978c3a67642c58f5230d1188cab4766578e68e604dc1ea9f275
\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\cht4vx64.pnf	25.11 KB (25708 bytes)	MD5: 60222a0f4c6c8de63f3d768f74aa73e4 SHA1: 2061d813df910a2fbd525928eaf0eead093ee607 SHA256: 1e04432c12cfcf7ac033fb0ebf1267e23a48686942b8b10ea29fc3391c8b3fac
\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\bxois.pnf	17.07 KB (17480 bytes)	MD5: b8cf94487fa53de1e07885eb5a03b13c SHA1: a29d0433472bea0bd0245674bfad3d0d6d5a42e0 SHA256: cec39cf75e876d284ce5eb58df6e5eb9844c7b841b550606fe9e7959ffcf7662
\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\agp.pnf	15.05 KB (15408 bytes)	MD5: b91108bbe0218f1c933f540dcfcd4559 SHA1: bfa39b3a402fd707f07ecb2ce223fc35ed86bc97 SHA256: dad053eab78fd20eb15e06525b54349c9bdf0a0988d023132faaf3cdfa64a16f
\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\usb.pnf	71.04 KB (72748 bytes)	MD5: 0ea6f3c600dd9b540faf720d418be41d SHA1: d639d62e21e966c50d4fb5b434d68c0fcd950e90 SHA256: 31ac1218f82d67a4ff37423ed037776fd9fef2d5ff5b12040696fc2d812f61a8
\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\start menu\programs\system tools\command prompt.lnk	1.12 KB (1142 bytes)	MD5: 9c82e435db86860edb5ced5f369bdfb3 SHA1: a63c6007e8679aac89632ff7ac88b29df4a11b9e SHA256: 23db6dd5bb4644850d5afe83f1126d582238162ab480479fb12a6b9998a82511
\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\serviceprofiles\localservice\appdata\roaming\microsoft\windows\start menu\programs\system tools\command prompt.lnk	1.12 KB (1142 bytes)	MD5: 9c82e435db86860edb5ced5f369bdfb3 SHA1: a63c6007e8679aac89632ff7ac88b29df4a11b9e SHA256: 23db6dd5bb4644850d5afe83f1126d582238162ab480479fb12a6b9998a82511
\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\mssmbios.pnf	7.59 KB (7768 bytes)	MD5: 47bc949bb6ff56c1cd36c2c0350bc4c6 SHA1: 4610333269123f7eeb62a9995ea8511c2cd3bfa6 SHA256: 4156895c97ab1ebd9f9ca34944eace2f79909ba88929c42e29ee61ca4aa358e9
\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\serviceprofiles\networkservice\ntuser.dat{42b82178-0b2e-11e3-93f4-90b11c2eb9f2}.tm.blf	64.00 KB (65536 bytes)	MD5: f05bb5e3d62100de94995032e40318cd SHA1: 316e1aa45ca7d1026ce8243c34ee9adb32939923 SHA256: 29ca52555753d55ac9d1940ad746ad540d6beaac8209fddadfb7d74f37ec3e90
\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\serviceprofiles\localservice\ntuser.dat{42b82178-0b2e-11e3-93f4-90b11c2eb9f2}.tm.blf	64.00 KB (65536 bytes)	MD5: f05bb5e3d62100de94995032e40318cd SHA1: 316e1aa45ca7d1026ce8243c34ee9adb32939923 SHA256: 29ca52555753d55ac9d1940ad746ad540d6beaac8209fddadfb7d74f37ec3e90
\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\serviceprofiles\networkservice\ntuser.dat{2df2d1e8-0b32-11e3-93f4-90b11c2eb9f2}.tm.blf	64.00 KB (65536 bytes)	MD5: 287d4d682e1c88640cbeebe11fac2f85 SHA1: d5a3b04c46d5ff20170d8c63ca6996b575100475 SHA256: 22db3ce0e70a6b5975906794e5c2c3459d7f7353890638e4c25598d02fe5b824
\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\serviceprofiles\localservice\ntuser.dat{2df2d1e8-0b32-11e3-93f4-90b11c2eb9f2}.tm.blf	64.00 KB (65536 bytes)	MD5: 287d4d682e1c88640cbeebe11fac2f85 SHA1: d5a3b04c46d5ff20170d8c63ca6996b575100475 SHA256: 22db3ce0e70a6b5975906794e5c2c3459d7f7353890638e4c25598d02fe5b824
\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\arcsas.pnf	59.45 KB (60880 bytes)	MD5: a2a4e415e53c25caa790c4178227df85 SHA1: d7a41ad4470f3f6794428ed87e2361f013c479e9 SHA256: a87689bf630dfe0a52fdbedc428242cf97c8c0c620a7cd8361670dc8417def9b
\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\iastorav.pnf	11.79 KB (12068 bytes)	MD5: 105c62370e5c9f9126893cb464701bb9 SHA1: 53126901723d0bd87095a00c3b8212ef3908d1d9 SHA256: 4d20985fc88f173cdba2e141a2041ca535cd19469200ffa52cceaa03fe5678aa
\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\acpipagr.pnf	6.66 KB (6820 bytes)	MD5: 4a6bf9c2a829cf4d1b96a66e42e88632 SHA1: cb1fe3699f00a3b27280432283006797177ed9be SHA256: 369d0b0a8076207617c5fb414e434f98281b41a597d8bda7ae1781b2c7e7ebe8
\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\iscsi.pnf	10.80 KB (11056 bytes)	MD5: aff57dbe66f472508a675099d19ea93f SHA1: b941f03eeb507efee9bd9d076a5ad7b1995cd203 SHA256: 09a00b446c358f759e70ed188f0cc0755405cf2449cb09f7d2983e58c63bb155
\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\stornvme.pnf	10.67 KB (10928 bytes)	MD5: 9f32d460d749e4622855bb0a37d4383a SHA1: c9289529f91964d50b01d1d8cd55eebbbd0d6bb3 SHA256: e419cb3d2e6cdf80af892e376cb7621f59fcfe556b8b083b2d7d78984f265b27
\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\mlx4_bus.pnf	42.48 KB (43500 bytes)	MD5: 944671ca7c6b2f500b8d22be8bb3d3b4 SHA1: c4682261d5ccee536d15761b9e1a9e0d73af2d7c SHA256: 6c77e42da8c288ffe671b5bbd89e86ab559d48e3d6d9d0e3696cc7c7e77d6484
\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\bcmfn2.pnf	6.85 KB (7012 bytes)	MD5: 395fac9d715c0fcdb4bd67f5f35b8139 SHA1: ea1935ec1ef0cc542b431b224d588f57af303c3f SHA256: 088f67825e30087fb14c060945c700cd444c6c2d03c35e7da253a48f0c9dd99c
\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\hiddigi.pnf	8.23 KB (8424 bytes)	MD5: d13ec5c97793dd65f4f736c218c96978 SHA1: 14089394e9628bb62e5561f343a5fae7f8d76711 SHA256: dbe5d2cadb841aee93e69ef91674e64445e72ededdc5e8026ce03a6814a7b625
\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\wmiacpi.pnf	8.42 KB (8620 bytes)	MD5: 77604f04a353eb260633e7bbe855f674 SHA1: 540d62060faade559c4a4d52880855e5ce7f1992 SHA256: e70208995a288adda18e57b38c17c77d707e7486b172056cc53f75d27ab9ff8d
\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\acpitime.pnf	7.26 KB (7436 bytes)	MD5: a5b48c42f2e98e2607edf30231cb6023 SHA1: 3fba6e9464fdc544351d9ffb694767d945be7a60 SHA256: eb2ad0f6616dd07e96f7665cf2b86c88063f749efc81ae182bdf86e5c224c43c
\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\serviceprofiles\networkservice\ntuser.dat.log1	40.00 KB (40960 bytes)	MD5: 639b969e8dd1c282e9825028177b18ff SHA1: b550008e1b974ee1d7a7d2ba7b1ed5554a2b7275 SHA256: 032103171a4ce9388e2791d63055101b2034c7440be8a5e1849049ba906dbaf5
\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\serviceprofiles\localservice\ntuser.dat.log1	40.00 KB (40960 bytes)	MD5: 639b969e8dd1c282e9825028177b18ff SHA1: b550008e1b974ee1d7a7d2ba7b1ed5554a2b7275 SHA256: 032103171a4ce9388e2791d63055101b2034c7440be8a5e1849049ba906dbaf5
\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\uaspstor.pnf	8.01 KB (8204 bytes)	MD5: 8cb26037632d2b7ff36c9ac526ebff16 SHA1: c1f3b2c9d7ecf4f6fef1481f85fb29d50a67341a SHA256: 056e165a7a876d15a6a5bc5538e6f418185ca1a7e017414f8ebef90ae7c31cb3
\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\ialpssi_i2c.pnf	8.52 KB (8720 bytes)	MD5: 8ba2ca105e90b447660af73f12d6fda5 SHA1: 56e7d2985a9c71e3c9bbeb3b46583fb3a870a1ec SHA256: 30373ae81ecc7e3425036718fbb9aaa5b5184fcdf8e10f9e0c98a21057384bc4
\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\keyboard.pnf	119.92 KB (122800 bytes)	MD5: 6c6312b24a1d82a99745754ad75a7407 SHA1: a264405060499c7a6093e02371aef6cf5809811c SHA256: 32afc799fbc8f4351cedc36783bd1c107e084037de1babec75928d541be3376b
\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\sbp2.pnf	7.39 KB (7572 bytes)	MD5: e8fb4e90af26ce8b6f6ab0feadeb89eb SHA1: 1d012a60cd34f2519d9c1b59d04d90be527c7d62 SHA256: 3f0c39717c726f19a063b131ca629d35d7aa7a97f0b17e3fc91e4242ef75b031
\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\serviceprofiles\networkservice\ntuser.dat{2df2d1e8-0b32-11e3-93f4-90b11c2eb9f2}.tmcontainer00000000000000000002.regtrans-ms	512.00 KB (524288 bytes)	MD5: 59071590099d21dd439896592338bf95 SHA1: 6a521e1d2a632c26e53b83d2cc4b0edecfc1e68c SHA256: 07854d2fef297a06ba81685e660c332de36d5d18d546927d30daad6d7fda1541
\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\serviceprofiles\networkservice\ntuser.dat{42b82178-0b2e-11e3-93f4-90b11c2eb9f2}.tmcontainer00000000000000000002.regtrans-ms	512.00 KB (524288 bytes)	MD5: 59071590099d21dd439896592338bf95 SHA1: 6a521e1d2a632c26e53b83d2cc4b0edecfc1e68c SHA256: 07854d2fef297a06ba81685e660c332de36d5d18d546927d30daad6d7fda1541
\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\serviceprofiles\localservice\ntuser.dat{2df2d1e8-0b32-11e3-93f4-90b11c2eb9f2}.tmcontainer00000000000000000002.regtrans-ms	512.00 KB (524288 bytes)	MD5: 59071590099d21dd439896592338bf95 SHA1: 6a521e1d2a632c26e53b83d2cc4b0edecfc1e68c SHA256: 07854d2fef297a06ba81685e660c332de36d5d18d546927d30daad6d7fda1541
\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\serviceprofiles\localservice\ntuser.dat{42b82178-0b2e-11e3-93f4-90b11c2eb9f2}.tmcontainer00000000000000000002.regtrans-ms	512.00 KB (524288 bytes)	MD5: 59071590099d21dd439896592338bf95 SHA1: 6a521e1d2a632c26e53b83d2cc4b0edecfc1e68c SHA256: 07854d2fef297a06ba81685e660c332de36d5d18d546927d30daad6d7fda1541
\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\start menu\programs\accessories\desktop.ini	0.08 KB (79 bytes)	MD5: 52b31354ef1082f6a5a2490dc80aabcd SHA1: 571db4c0054bed9444336667556d81edbf3a9af8 SHA256: ede4a40a65f7e13e841d682880af3f1ca9263b4a25ba3f838aac7432092715a8
\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\serviceprofiles\localservice\appdata\roaming\microsoft\windows\start menu\programs\accessories\desktop.ini	0.08 KB (79 bytes)	MD5: 52b31354ef1082f6a5a2490dc80aabcd SHA1: 571db4c0054bed9444336667556d81edbf3a9af8 SHA256: ede4a40a65f7e13e841d682880af3f1ca9263b4a25ba3f838aac7432092715a8
\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\hidbatt.pnf	7.17 KB (7344 bytes)	MD5: 1500cba16750cb4d2fa78cb6e00d1008 SHA1: dd65f8795cc656196169b2a43e77a5f4c387c1d0 SHA256: 0e5e82ddc46e5a338a9e9cb575030db90d08e521ba2e58cf362389a6ed8d0587
\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\uefi.pnf	8.15 KB (8348 bytes)	MD5: 3432928245eac49ed9a6036c1c71bb5c SHA1: 281065c2954be6e68b8d53e389ebb729adaed868 SHA256: bf633c814b1f3ffc8ea2fbe0974a16d98825ab9d2c50889c7f4ff4e00c8e229f
\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\vdrvroot.pnf	7.38 KB (7556 bytes)	MD5: ca21e9ffd1c74354929e5c27f05a0c18 SHA1: 056ae20a7f3513137c1bc4c9c8901f1ea97dc5b2 SHA256: 99e4316f2ef81afbf4a7d61ee485d19c230edd50af63177fd113181b28a8c013
\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\start menu\programs\accessories\notepad.lnk	1.13 KB (1158 bytes)	MD5: ee27db3652032a3498c54a12407b0cb5 SHA1: c4d29c8a67c81c1ada0323ac7c857b113cf5271b SHA256: 5e7a26e2d64f644e159a6bd5bceb5736c5c71fefe3d648425338b22dc840cbc2
\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\serviceprofiles\localservice\appdata\roaming\microsoft\windows\start menu\programs\accessories\notepad.lnk	1.13 KB (1158 bytes)	MD5: ee27db3652032a3498c54a12407b0cb5 SHA1: c4d29c8a67c81c1ada0323ac7c857b113cf5271b SHA256: 5e7a26e2d64f644e159a6bd5bceb5736c5c71fefe3d648425338b22dc840cbc2
\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\start menu\programs\system tools\desktop.ini	0.08 KB (86 bytes)	MD5: 68fa444f95dda594dac226f7f13d7e95 SHA1: bc136a7b4bcb9b59c0f51b23c4df7e183cbd02f4 SHA256: 68b6dec0ef20bc8c955650b420432458d808c24dcc4c5126b33618bbf30152a6
\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\serviceprofiles\localservice\appdata\roaming\microsoft\windows\start menu\programs\system tools\desktop.ini	0.08 KB (86 bytes)	MD5: 68fa444f95dda594dac226f7f13d7e95 SHA1: bc136a7b4bcb9b59c0f51b23c4df7e183cbd02f4 SHA256: 68b6dec0ef20bc8c955650b420432458d808c24dcc4c5126b33618bbf30152a6
\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\cpu.pnf	26.42 KB (27052 bytes)	MD5: 6ab6fdc53b047c790294ae9ba40c8692 SHA1: 41c97e16204dacc9994244c9a82632099975ce71 SHA256: 6ac37fa9a68a1bbc40178bba0f783ed30b243f03f0673cf7cf31674f169f59c3
\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\sdstor.pnf	9.31 KB (9532 bytes)	MD5: 07ab5f7222e3f030ab9bec198bbc3f9f SHA1: 13fd6c63a60c32ad7d4e6626b71e3197178494ce SHA256: 7d611c389cd4941bc6f31dec27a2bead46ed5271dc2e1d6e3f72ace0d616bc20
\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\flpydisk.pnf	9.44 KB (9668 bytes)	MD5: 174b470c234bed33613e1a0c499e62d9 SHA1: 952c0d6b42dfdfa76bf3db186cc6cf7fcaed0c17 SHA256: 8a25902fdd4ef7a743eb6af1aca4a1aaee4d2befe4e5651ea4f72400b6149230
\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\volmgr.pnf	8.20 KB (8396 bytes)	MD5: 2570146c184248ae2a7bf41327c74fc7 SHA1: 8333c9a15ad7b8a79237b924df9005812b0b27ec SHA256: b53b5e4323877a2a243df43b3f3b5eeb02748ee80e0d9f010a0e9585f35e1271
\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\ql40xx2i.pnf	9.68 KB (9908 bytes)	MD5: 58e98db83fbfeb7301792321db60ebe5 SHA1: c4ef56ad20d1f9392c50e77ede58e13157cbaad9 SHA256: a3f29b82117dfd1893da2c52ee90f1a9d1ae6228bcc3e98b06e3e5a33568fb9f
\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\cmbatt.pnf	9.41 KB (9636 bytes)	MD5: 72d5f7706d946face710b3384a3bd5fe SHA1: 2ad1d13ad664bb106c4dde8a14533a337f1dcb69 SHA256: 0bf020671615d7909e5ca709c4e3a14bcf8db949a354629736380bfd5e5b9477
\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\input.pnf	142.47 KB (145892 bytes)	MD5: ceea6a3a28e766277dcc2c754c3da7a9 SHA1: 02ffa9f41834ffe4f9f369c20ff194b7e784c392 SHA256: 10e62a39d7413a87eddc1805832f4336aa2eb5879d22370913995f00d797b861
\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\serviceprofiles\networkservice\ntuser.dat{42b82178-0b2e-11e3-93f4-90b11c2eb9f2}.tmcontainer00000000000000000001.regtrans-ms	512.00 KB (524288 bytes)	MD5: 78bb580446808b4e17992b29c68d308d SHA1: cf8877eba13b2790149871abec5411acb89d0a56 SHA256: 5d0af58700c3ee7d81d98e13b19010c31933b2cdcedf4465ad53e89d98017597
\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\serviceprofiles\localservice\ntuser.dat{42b82178-0b2e-11e3-93f4-90b11c2eb9f2}.tmcontainer00000000000000000001.regtrans-ms	512.00 KB (524288 bytes)	MD5: 78bb580446808b4e17992b29c68d308d SHA1: cf8877eba13b2790149871abec5411acb89d0a56 SHA256: 5d0af58700c3ee7d81d98e13b19010c31933b2cdcedf4465ad53e89d98017597
\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\umbus.pnf	9.67 KB (9904 bytes)	MD5: 810010be4ec7fdf9cd46350e4b278355 SHA1: 9dca7edecd59ec388b0e3b9dbd2bc1def1113c37 SHA256: cbd177ca1695dda5bbfa8082fae78491ced69a9001cf6939be2468c9ee03480e
\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\netbvbda.pnf	12.30 KB (12596 bytes)	MD5: a085f574aa7085b8cf7d1d13fc24f14d SHA1: b5ebb92c5d30912ed9f7383a8235c4c79c346d9e SHA256: 535b410d5d758acbea71f9780449757a6fd2ed1be045912a1f63d8113e711057
\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\usbhub3.pnf	17.40 KB (17816 bytes)	MD5: fa88958f77c7b06b94b903b0c167c826 SHA1: 74dbdcbdd769e9c6ab528045e1d6f2b8ecd2680e SHA256: 4d8771840b44e8c79074508d539ceee708e34e71ae66bafa05138565ad458419
\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\ehstortcgdrv.pnf	7.59 KB (7768 bytes)	MD5: ec0e144c257d1818500e7860a5eb6e53 SHA1: 1ad8c2bdf7df6eb7a84261d2c02760ca15cc36fe SHA256: 00ea279d6c049fc4a5a4876fdea0ac4b7cd21f08e3117ffaa40ca614308fac72
\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\ql2300.pnf	11.91 KB (12200 bytes)	MD5: 0c1c17ad4c67889a3cd3f0d9ba124a63 SHA1: 6e4884d2b91266a68891646cc03f3bf2d67eba00 SHA256: 3fb0c9bd9f291dab031551f8dfefc33c09e626ffa6b06a3789fcd86832013152
\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\usbstor.pnf	56.27 KB (57620 bytes)	MD5: fa256ba8288fdd9d4fd8162ca35e1204 SHA1: df575db7846bf2f26caffb9c7c875f47897aef9e SHA256: 356c923cf7b4f53881c981754712302cba73fcd7889f0ffce77a02b190015b16
\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\volume.pnf	6.19 KB (6336 bytes)	MD5: 0661cf512d8bc38ca3ddb2edffa4a3af SHA1: 9e871f12040f831051bd83112aa571db63575ba8 SHA256: 2f5c1b56f232e564a8aedc000a07c168c806ddd241e8c2428ca11080fe916c4c
\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\tpm.pnf	14.66 KB (15008 bytes)	MD5: b3ddd68f33b4fc84e4e6e00c4c4977e3 SHA1: 12393985de8a52706bed6ad17f2d276a12bcde4f SHA256: a4564d3defb32c11f9d621821de8a1734f9ce79f22c4e2583a0c59db5a2714a8
\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\msports.pnf	36.00 KB (36860 bytes)	MD5: 4649eaec14108d770fcde9a63d470a03 SHA1: d486645998ac9896cd311f0a24e7cb9e04bcf36c SHA256: c4003a02d27d896b0efa8134d32a58038e6fd2354f2521ca9f06beffdc95ae1d
\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\usbport.pnf	136.06 KB (139324 bytes)	MD5: 4c5f2d79ccadbcc6dc5ec96b8a9785e1 SHA1: a6692d6622b1e37017201de04229ead3ef27e403 SHA256: 969db08d55563962e5226e57d0ae9188b013c8ab8bfe2f5661c83507ca23ad9d
\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\vstxraid.pnf	10.34 KB (10592 bytes)	MD5: 7304944d73f7bab4df1ea31e198dc2c6 SHA1: 5175936c0b57e82939a6d740470a65badb8944eb SHA256: 5383cab81ccdf2a0e5c010bfb95f1f73fee5aa206f28b547656f4cd2ab278f86
\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\acpi.pnf	9.90 KB (10140 bytes)	MD5: b88aafdf5775449a5b6b77e3f56c737b SHA1: feec758c3539200971e8429d803cf6af5d9070d7 SHA256: 9c017cdcdb3974f749f2c8b07a175823b06cf57e8e3f78d6b021e237a4fc535f
\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\mshdc.pnf	67.99 KB (69624 bytes)	MD5: dfd0ed3867d3a43ebcd24849386913d1 SHA1: 66b965c6d3be21c9edc769cbee8b330cd6206289 SHA256: 7b4b6012c373fc102c2b3943de0b4e13bdad3481d61b8213a57efb8925fa4366
\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\1394.pnf	18.35 KB (18792 bytes)	MD5: adc6b6528b885ff957911839db69cbe2 SHA1: bdb7044b54158b005129b9b10486079c4e060955 SHA256: b8f065a0894707522da3b497e90c7e3bf57501afcf16c1e1c96e26a4b1cce06e
\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\machine.pnf	894.85 KB (916324 bytes)	MD5: 61dc874f6580aae1b40dd05679045d62 SHA1: c3672715f73e246f087b57208783da4036df96ca SHA256: c72d05f60617277399eac46647904a80da6b3b9c7151767809e2f88c2b699335
\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\mtconfig.pnf	7.45 KB (7632 bytes)	MD5: 41a00f76e25ec68f62f260919889f87b SHA1: eb6dffff887bda06ff7545a4521898773ba03590 SHA256: 5c8b8a82091220df55fff7836baeb9a11ea2eb18e8e76438324e03b1bc929b52
\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\iastorv.pnf	15.80 KB (16180 bytes)	MD5: 71803429cd83bf1324dbdf64d09cfc64 SHA1: 8b2c2fc6c0ca8dd27dddb4f5efe5dfb16c9539cd SHA256: 08902ee95a4fc39d1ba16c798b43f0e63ab8e82b3b1425e758c3cac61d725b02
\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\fdc.pnf	6.00 KB (6148 bytes)	MD5: f296bb6a6d5c830d0e3a9e3f7b26a4b9 SHA1: 760704b53ef2642cbfae94693ae02dc4f9786396 SHA256: 9bccfeb66d7b2428138b43aa3a72543f51a54ba304af0688ba5e1ae666098a02
\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\ialpssi_gpio.pnf	7.89 KB (8084 bytes)	MD5: 5e62f93fcc24f65c987a687dc9c32f9f SHA1: d0bae0b2bade8584b1f47f0746381a735aaf1db9 SHA256: 899d4ae378e16e445cd2911fdc27e4de554675d6362e291397f701fe1072e355
\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\umpass.pnf	6.11 KB (6252 bytes)	MD5: 6724aff7377facac08c967bbc98d5b6a SHA1: e87187f06fe172334709c73f5b176d58edec6092 SHA256: 99c63cd3dd78bd79255978303989ecabaa2267f365d5fbcc2413978c0950fe1f
\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\bxfcoe.pnf	11.47 KB (11744 bytes)	MD5: 24407f7a809b08200bc3856b6ead38f2 SHA1: b7c973701240542f039a04b9d23c7b47f5e0e0f0 SHA256: 6a1bbfe839df2553b8a5c907a51bbf8c1875695604600642f903f9bbbd842f29
\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\swenum.pnf	7.34 KB (7520 bytes)	MD5: 4a40c5a21aaa9570778e2100f05905a4 SHA1: 7ba6ff6944dd2f74c198186aaf0e0878392ed03a SHA256: bc3e973d1bf0dafefd9e3bfb71c363dd9b674b80efeeb04cba0ea688fbb0a1ef
\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\disk.pnf	16.29 KB (16680 bytes)	MD5: 1250eea5907f483d94f504b50e92b78c SHA1: e7de6c9341f50037d763ff0b5368fdb9bfb3c5dd SHA256: 3958a558ecaffb60ccadaad7cab012c262c4754bb5965451f00c62b5afec0154
\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\netevbda.pnf	119.88 KB (122760 bytes)	MD5: 5e1a3bd4845a9ccbe630838693db7587 SHA1: 4dc87fc04ea071f7bece13d22acb6c22c3f050a2 SHA256: ff1794ea19970060dd75f59401d7ab738276f5f7d43504b19107e247a68eff65
\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\spaceport.pnf	7.19 KB (7360 bytes)	MD5: df62091305a3e5c5d244203a18a89dca SHA1: 506ab944fb7e751cf9cfff7239dd487b63738a03 SHA256: 16f77bbb478f02db1c973df558a2b4fe6232adeb4a408d9035da99734998cd9c
\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\hidi2c.pnf	8.84 KB (9048 bytes)	MD5: d399e897be0e66932326f9740aa8807d SHA1: 84e7e8cd02ad22b3c9cd32811770197a3afeeae9 SHA256: 6e6b0daf89cc03960a8f8f6f02c2f2dda57ee12e4008ccb5be1d70cfc9c073ba

Host Behavior

File (6743)

Operation	Filename	Additional Information	Amount	Logfile
OPEN	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\logfiles\scm\	desired_access = FILE_READ_DATA, SYNCHRONIZE, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE, open_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT	1	Fn
OPEN	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\	desired_access = FILE_READ_DATA, SYNCHRONIZE, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE, open_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT	1	Fn
OPEN	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\driverstore\en-us\	desired_access = FILE_READ_DATA, SYNCHRONIZE, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE, open_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT	84	Fn
OPEN	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\	desired_access = FILE_READ_DATA, SYNCHRONIZE, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE, open_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT	83	Fn
OPEN	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\security\logs\scecomp.log	desired_access = FILE_READ_ATTRIBUTES, DELETE, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE, open_options = FILE_NON_DIRECTORY_FILE, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT	1	Fn
OPEN	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\security\	desired_access = FILE_READ_DATA, SYNCHRONIZE, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE, open_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT	1	Fn
OPEN	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\users\default\	desired_access = FILE_READ_DATA, SYNCHRONIZE, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE, open_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT	2	Fn
OPEN	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\serviceprofiles\networkservice\ntuser.dat	desired_access = FILE_WRITE_ATTRIBUTES, SYNCHRONIZE, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT	1	Fn
OPEN	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\serviceprofiles\networkservice\ntuser.dat.log1	desired_access = FILE_WRITE_ATTRIBUTES, SYNCHRONIZE, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT	1	Fn
OPEN	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\serviceprofiles\networkservice\ntuser.dat.log2	desired_access = FILE_WRITE_ATTRIBUTES, SYNCHRONIZE, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT	1	Fn
OPEN	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\serviceprofiles\networkservice\ntuser.dat{2df2d1e8-0b32-11e3-93f4-90b11c2eb9f2}.tm.blf	desired_access = FILE_WRITE_ATTRIBUTES, SYNCHRONIZE, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT	1	Fn
OPEN	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\serviceprofiles\networkservice\ntuser.dat{2df2d1e8-0b32-11e3-93f4-90b11c2eb9f2}.tmcontainer00000000000000000001.regtrans-ms	desired_access = FILE_WRITE_ATTRIBUTES, SYNCHRONIZE, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT	1	Fn
OPEN	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\serviceprofiles\networkservice\ntuser.dat{2df2d1e8-0b32-11e3-93f4-90b11c2eb9f2}.tmcontainer00000000000000000002.regtrans-ms	desired_access = FILE_WRITE_ATTRIBUTES, SYNCHRONIZE, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT	1	Fn
OPEN	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\serviceprofiles\networkservice\ntuser.dat{42b82178-0b2e-11e3-93f4-90b11c2eb9f2}.tm.blf	desired_access = FILE_WRITE_ATTRIBUTES, SYNCHRONIZE, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT	1	Fn
OPEN	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\serviceprofiles\networkservice\ntuser.dat{42b82178-0b2e-11e3-93f4-90b11c2eb9f2}.tmcontainer00000000000000000001.regtrans-ms	desired_access = FILE_WRITE_ATTRIBUTES, SYNCHRONIZE, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT	1	Fn
OPEN	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\serviceprofiles\networkservice\ntuser.dat{42b82178-0b2e-11e3-93f4-90b11c2eb9f2}.tmcontainer00000000000000000002.regtrans-ms	desired_access = FILE_WRITE_ATTRIBUTES, SYNCHRONIZE, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT	1	Fn
OPEN	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\serviceprofiles\networkservice\appdata	desired_access = FILE_WRITE_ATTRIBUTES, SYNCHRONIZE, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT	1	Fn
OPEN	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\users\default\appdata\	desired_access = FILE_READ_DATA, SYNCHRONIZE, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE, open_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT	2	Fn
OPEN	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\serviceprofiles\networkservice\appdata\local	desired_access = FILE_WRITE_ATTRIBUTES, SYNCHRONIZE, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT	1	Fn
OPEN	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\users\default\appdata\local\	desired_access = FILE_READ_DATA, SYNCHRONIZE, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE, open_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT	2	Fn
OPEN	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\serviceprofiles\networkservice\appdata\local\microsoft	desired_access = FILE_WRITE_ATTRIBUTES, SYNCHRONIZE, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT	1	Fn
OPEN	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\users\default\appdata\local\microsoft\	desired_access = FILE_READ_DATA, SYNCHRONIZE, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE, open_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT	2	Fn
OPEN	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\serviceprofiles\networkservice\appdata\local\microsoft\windows	desired_access = FILE_WRITE_ATTRIBUTES, SYNCHRONIZE, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT	1	Fn
OPEN	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\users\default\appdata\local\microsoft\windows\	desired_access = FILE_READ_DATA, SYNCHRONIZE, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE, open_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT	2	Fn
OPEN	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\serviceprofiles\networkservice\appdata\local\microsoft\windows\gameexplorer	desired_access = FILE_WRITE_ATTRIBUTES, SYNCHRONIZE, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT	1	Fn
OPEN	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\users\default\appdata\local\microsoft\windows\gameexplorer\	desired_access = FILE_READ_DATA, SYNCHRONIZE, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE, open_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT	2	Fn
OPEN	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\serviceprofiles\networkservice\appdata\local\microsoft\windows\history	desired_access = FILE_WRITE_ATTRIBUTES, SYNCHRONIZE, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT	1	Fn
OPEN	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\users\default\appdata\local\microsoft\windows\history\	desired_access = FILE_READ_DATA, SYNCHRONIZE, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE, open_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT	2	Fn
OPEN	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\serviceprofiles\networkservice\appdata\local\microsoft\windows\inetcache	desired_access = FILE_WRITE_ATTRIBUTES, SYNCHRONIZE, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT	1	Fn
OPEN	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\users\default\appdata\local\microsoft\windows\inetcache\	desired_access = FILE_READ_DATA, SYNCHRONIZE, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE, open_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT	2	Fn
OPEN	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\serviceprofiles\networkservice\appdata\local\microsoft\windows\inetcookies	desired_access = FILE_WRITE_ATTRIBUTES, SYNCHRONIZE, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT	1	Fn
OPEN	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\users\default\appdata\local\microsoft\windows\inetcookies\	desired_access = FILE_READ_DATA, SYNCHRONIZE, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE, open_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT	2	Fn
OPEN	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\serviceprofiles\networkservice\appdata\local\temp	desired_access = FILE_WRITE_ATTRIBUTES, SYNCHRONIZE, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT	1	Fn
OPEN	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\users\default\appdata\local\temp\	desired_access = FILE_READ_DATA, SYNCHRONIZE, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE, open_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT	2	Fn
OPEN	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\serviceprofiles\networkservice\appdata\roaming	desired_access = FILE_WRITE_ATTRIBUTES, SYNCHRONIZE, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT	1	Fn
OPEN	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\users\default\appdata\roaming\	desired_access = FILE_READ_DATA, SYNCHRONIZE, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE, open_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT	2	Fn
OPEN	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\serviceprofiles\networkservice\appdata\roaming\microsoft	desired_access = FILE_WRITE_ATTRIBUTES, SYNCHRONIZE, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT	1	Fn
OPEN	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\users\default\appdata\roaming\microsoft\	desired_access = FILE_READ_DATA, SYNCHRONIZE, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE, open_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT	2	Fn
OPEN	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows	desired_access = FILE_WRITE_ATTRIBUTES, SYNCHRONIZE, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT	1	Fn
OPEN	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\users\default\appdata\roaming\microsoft\windows\	desired_access = FILE_READ_DATA, SYNCHRONIZE, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE, open_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT	2	Fn
OPEN	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\network shortcuts	desired_access = FILE_WRITE_ATTRIBUTES, SYNCHRONIZE, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT	1	Fn
OPEN	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\users\default\appdata\roaming\microsoft\windows\network shortcuts\	desired_access = FILE_READ_DATA, SYNCHRONIZE, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE, open_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT	2	Fn
OPEN	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\recent	desired_access = FILE_WRITE_ATTRIBUTES, SYNCHRONIZE, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT	1	Fn
OPEN	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\users\default\appdata\roaming\microsoft\windows\recent\	desired_access = FILE_READ_DATA, SYNCHRONIZE, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE, open_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT	2	Fn
OPEN	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\sendto	desired_access = FILE_WRITE_ATTRIBUTES, SYNCHRONIZE, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT	1	Fn
OPEN	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\users\default\appdata\roaming\microsoft\windows\sendto\	desired_access = FILE_READ_DATA, SYNCHRONIZE, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE, open_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT	2	Fn
OPEN	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\start menu	desired_access = FILE_WRITE_ATTRIBUTES, SYNCHRONIZE, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT	1	Fn
OPEN	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\users\default\appdata\roaming\microsoft\windows\start menu\	desired_access = FILE_READ_DATA, SYNCHRONIZE, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE, open_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT	2	Fn
OPEN	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\start menu\programs	desired_access = FILE_WRITE_ATTRIBUTES, SYNCHRONIZE, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT	1	Fn
OPEN	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\users\default\appdata\roaming\microsoft\windows\start menu\programs\	desired_access = FILE_READ_DATA, SYNCHRONIZE, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE, open_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT	2	Fn
OPEN	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\start menu\programs\accessories	desired_access = FILE_WRITE_ATTRIBUTES, SYNCHRONIZE, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT	1	Fn
OPEN	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\users\default\appdata\roaming\microsoft\windows\start menu\programs\accessories\	desired_access = FILE_READ_DATA, SYNCHRONIZE, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE, open_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT	2	Fn
OPEN	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\start menu\programs\accessories\desktop.ini	desired_access = FILE_WRITE_ATTRIBUTES, SYNCHRONIZE, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT	1	Fn
OPEN	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\start menu\programs\accessories\notepad.lnk	desired_access = FILE_WRITE_ATTRIBUTES, SYNCHRONIZE, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT	1	Fn
OPEN	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\start menu\programs\system tools	desired_access = FILE_WRITE_ATTRIBUTES, SYNCHRONIZE, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT	1	Fn
OPEN	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\users\default\appdata\roaming\microsoft\windows\start menu\programs\system tools\	desired_access = FILE_READ_DATA, SYNCHRONIZE, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE, open_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT	2	Fn
OPEN	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\start menu\programs\system tools\command prompt.lnk	desired_access = FILE_WRITE_ATTRIBUTES, SYNCHRONIZE, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT	1	Fn
OPEN	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\start menu\programs\system tools\desktop.ini	desired_access = FILE_WRITE_ATTRIBUTES, SYNCHRONIZE, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT	1	Fn
OPEN	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\templates	desired_access = FILE_WRITE_ATTRIBUTES, SYNCHRONIZE, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT	1	Fn
OPEN	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\users\default\appdata\roaming\microsoft\windows\templates\	desired_access = FILE_READ_DATA, SYNCHRONIZE, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE, open_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT	2	Fn
OPEN	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\serviceprofiles\networkservice\desktop	desired_access = FILE_WRITE_ATTRIBUTES, SYNCHRONIZE, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT	1	Fn
OPEN	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\users\default\desktop\	desired_access = FILE_READ_DATA, SYNCHRONIZE, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE, open_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT	2	Fn
OPEN	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\serviceprofiles\networkservice\documents	desired_access = FILE_WRITE_ATTRIBUTES, SYNCHRONIZE, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT	1	Fn
OPEN	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\users\default\documents\	desired_access = FILE_READ_DATA, SYNCHRONIZE, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE, open_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT	2	Fn
OPEN	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\serviceprofiles\networkservice\downloads	desired_access = FILE_WRITE_ATTRIBUTES, SYNCHRONIZE, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT	1	Fn
OPEN	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\users\default\downloads\	desired_access = FILE_READ_DATA, SYNCHRONIZE, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE, open_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT	2	Fn
OPEN	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\serviceprofiles\networkservice\favorites	desired_access = FILE_WRITE_ATTRIBUTES, SYNCHRONIZE, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT	1	Fn
OPEN	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\users\default\favorites\	desired_access = FILE_READ_DATA, SYNCHRONIZE, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE, open_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT	2	Fn
OPEN	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\serviceprofiles\networkservice\links	desired_access = FILE_WRITE_ATTRIBUTES, SYNCHRONIZE, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT	1	Fn
OPEN	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\users\default\links\	desired_access = FILE_READ_DATA, SYNCHRONIZE, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE, open_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT	2	Fn
OPEN	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\serviceprofiles\networkservice\music	desired_access = FILE_WRITE_ATTRIBUTES, SYNCHRONIZE, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT	1	Fn
OPEN	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\users\default\music\	desired_access = FILE_READ_DATA, SYNCHRONIZE, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE, open_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT	2	Fn
OPEN	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\serviceprofiles\networkservice\pictures	desired_access = FILE_WRITE_ATTRIBUTES, SYNCHRONIZE, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT	1	Fn
OPEN	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\users\default\pictures\	desired_access = FILE_READ_DATA, SYNCHRONIZE, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE, open_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT	2	Fn
OPEN	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\serviceprofiles\networkservice\saved games	desired_access = FILE_WRITE_ATTRIBUTES, SYNCHRONIZE, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT	1	Fn
OPEN	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\users\default\saved games\	desired_access = FILE_READ_DATA, SYNCHRONIZE, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE, open_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT	2	Fn
OPEN	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\serviceprofiles\networkservice\videos	desired_access = FILE_WRITE_ATTRIBUTES, SYNCHRONIZE, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT	1	Fn
OPEN	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\users\default\videos\	desired_access = FILE_READ_DATA, SYNCHRONIZE, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE, open_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT	2	Fn
OPEN	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\	desired_access = FILE_READ_DATA, SYNCHRONIZE, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE, open_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT	4	Fn
OPEN	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\serviceprofiles\	desired_access = FILE_READ_DATA, SYNCHRONIZE, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE, open_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT	4	Fn
OPEN	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\serviceprofiles\localservice\ntuser.dat	desired_access = FILE_WRITE_ATTRIBUTES, SYNCHRONIZE, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT	1	Fn
OPEN	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\serviceprofiles\localservice\ntuser.dat.log1	desired_access = FILE_WRITE_ATTRIBUTES, SYNCHRONIZE, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT	1	Fn
OPEN	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\serviceprofiles\localservice\ntuser.dat.log2	desired_access = FILE_WRITE_ATTRIBUTES, SYNCHRONIZE, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT	1	Fn
OPEN	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\serviceprofiles\localservice\ntuser.dat{2df2d1e8-0b32-11e3-93f4-90b11c2eb9f2}.tm.blf	desired_access = FILE_WRITE_ATTRIBUTES, SYNCHRONIZE, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT	1	Fn
OPEN	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\serviceprofiles\localservice\ntuser.dat{2df2d1e8-0b32-11e3-93f4-90b11c2eb9f2}.tmcontainer00000000000000000001.regtrans-ms	desired_access = FILE_WRITE_ATTRIBUTES, SYNCHRONIZE, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT	1	Fn
OPEN	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\serviceprofiles\localservice\ntuser.dat{2df2d1e8-0b32-11e3-93f4-90b11c2eb9f2}.tmcontainer00000000000000000002.regtrans-ms	desired_access = FILE_WRITE_ATTRIBUTES, SYNCHRONIZE, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT	1	Fn
OPEN	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\serviceprofiles\localservice\ntuser.dat{42b82178-0b2e-11e3-93f4-90b11c2eb9f2}.tm.blf	desired_access = FILE_WRITE_ATTRIBUTES, SYNCHRONIZE, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT	1	Fn
OPEN	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\serviceprofiles\localservice\ntuser.dat{42b82178-0b2e-11e3-93f4-90b11c2eb9f2}.tmcontainer00000000000000000001.regtrans-ms	desired_access = FILE_WRITE_ATTRIBUTES, SYNCHRONIZE, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT	1	Fn
OPEN	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\serviceprofiles\localservice\ntuser.dat{42b82178-0b2e-11e3-93f4-90b11c2eb9f2}.tmcontainer00000000000000000002.regtrans-ms	desired_access = FILE_WRITE_ATTRIBUTES, SYNCHRONIZE, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT	1	Fn
OPEN	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\serviceprofiles\localservice\appdata	desired_access = FILE_WRITE_ATTRIBUTES, SYNCHRONIZE, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT	1	Fn
OPEN	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\serviceprofiles\localservice\appdata\local	desired_access = FILE_WRITE_ATTRIBUTES, SYNCHRONIZE, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT	1	Fn
OPEN	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\serviceprofiles\localservice\appdata\local\microsoft	desired_access = FILE_WRITE_ATTRIBUTES, SYNCHRONIZE, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT	1	Fn
OPEN	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\serviceprofiles\localservice\appdata\local\microsoft\windows	desired_access = FILE_WRITE_ATTRIBUTES, SYNCHRONIZE, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT	1	Fn
OPEN	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\serviceprofiles\localservice\appdata\local\microsoft\windows\gameexplorer	desired_access = FILE_WRITE_ATTRIBUTES, SYNCHRONIZE, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT	1	Fn
OPEN	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\serviceprofiles\localservice\appdata\local\microsoft\windows\history	desired_access = FILE_WRITE_ATTRIBUTES, SYNCHRONIZE, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT	1	Fn
OPEN	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\serviceprofiles\localservice\appdata\local\microsoft\windows\inetcache	desired_access = FILE_WRITE_ATTRIBUTES, SYNCHRONIZE, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT	1	Fn
OPEN	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\serviceprofiles\localservice\appdata\local\microsoft\windows\inetcookies	desired_access = FILE_WRITE_ATTRIBUTES, SYNCHRONIZE, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT	1	Fn
OPEN	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\serviceprofiles\localservice\appdata\local\temp	desired_access = FILE_WRITE_ATTRIBUTES, SYNCHRONIZE, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT	1	Fn
OPEN	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\serviceprofiles\localservice\appdata\roaming	desired_access = FILE_WRITE_ATTRIBUTES, SYNCHRONIZE, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT	1	Fn
OPEN	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\serviceprofiles\localservice\appdata\roaming\microsoft	desired_access = FILE_WRITE_ATTRIBUTES, SYNCHRONIZE, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT	1	Fn
OPEN	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\serviceprofiles\localservice\appdata\roaming\microsoft\windows	desired_access = FILE_WRITE_ATTRIBUTES, SYNCHRONIZE, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT	1	Fn
OPEN	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\serviceprofiles\localservice\appdata\roaming\microsoft\windows\network shortcuts	desired_access = FILE_WRITE_ATTRIBUTES, SYNCHRONIZE, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT	1	Fn
OPEN	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\serviceprofiles\localservice\appdata\roaming\microsoft\windows\recent	desired_access = FILE_WRITE_ATTRIBUTES, SYNCHRONIZE, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT	1	Fn
OPEN	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\serviceprofiles\localservice\appdata\roaming\microsoft\windows\sendto	desired_access = FILE_WRITE_ATTRIBUTES, SYNCHRONIZE, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT	1	Fn
OPEN	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\serviceprofiles\localservice\appdata\roaming\microsoft\windows\start menu	desired_access = FILE_WRITE_ATTRIBUTES, SYNCHRONIZE, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT	1	Fn
OPEN	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\serviceprofiles\localservice\appdata\roaming\microsoft\windows\start menu\programs	desired_access = FILE_WRITE_ATTRIBUTES, SYNCHRONIZE, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT	1	Fn
OPEN	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\serviceprofiles\localservice\appdata\roaming\microsoft\windows\start menu\programs\accessories	desired_access = FILE_WRITE_ATTRIBUTES, SYNCHRONIZE, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT	1	Fn
OPEN	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\serviceprofiles\localservice\appdata\roaming\microsoft\windows\start menu\programs\accessories\desktop.ini	desired_access = FILE_WRITE_ATTRIBUTES, SYNCHRONIZE, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT	1	Fn
OPEN	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\serviceprofiles\localservice\appdata\roaming\microsoft\windows\start menu\programs\accessories\notepad.lnk	desired_access = FILE_WRITE_ATTRIBUTES, SYNCHRONIZE, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT	1	Fn
OPEN	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\serviceprofiles\localservice\appdata\roaming\microsoft\windows\start menu\programs\system tools	desired_access = FILE_WRITE_ATTRIBUTES, SYNCHRONIZE, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT	1	Fn
OPEN	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\serviceprofiles\localservice\appdata\roaming\microsoft\windows\start menu\programs\system tools\command prompt.lnk	desired_access = FILE_WRITE_ATTRIBUTES, SYNCHRONIZE, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT	1	Fn
OPEN	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\serviceprofiles\localservice\appdata\roaming\microsoft\windows\start menu\programs\system tools\desktop.ini	desired_access = FILE_WRITE_ATTRIBUTES, SYNCHRONIZE, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT	1	Fn
OPEN	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\serviceprofiles\localservice\appdata\roaming\microsoft\windows\templates	desired_access = FILE_WRITE_ATTRIBUTES, SYNCHRONIZE, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT	1	Fn
OPEN	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\serviceprofiles\localservice\desktop	desired_access = FILE_WRITE_ATTRIBUTES, SYNCHRONIZE, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT	1	Fn
OPEN	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\serviceprofiles\localservice\documents	desired_access = FILE_WRITE_ATTRIBUTES, SYNCHRONIZE, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT	1	Fn
OPEN	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\serviceprofiles\localservice\downloads	desired_access = FILE_WRITE_ATTRIBUTES, SYNCHRONIZE, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT	1	Fn
OPEN	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\serviceprofiles\localservice\favorites	desired_access = FILE_WRITE_ATTRIBUTES, SYNCHRONIZE, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT	1	Fn
OPEN	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\serviceprofiles\localservice\links	desired_access = FILE_WRITE_ATTRIBUTES, SYNCHRONIZE, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT	1	Fn
OPEN	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\serviceprofiles\localservice\music	desired_access = FILE_WRITE_ATTRIBUTES, SYNCHRONIZE, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT	1	Fn
OPEN	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\serviceprofiles\localservice\pictures	desired_access = FILE_WRITE_ATTRIBUTES, SYNCHRONIZE, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT	1	Fn
OPEN	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\serviceprofiles\localservice\saved games	desired_access = FILE_WRITE_ATTRIBUTES, SYNCHRONIZE, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT	1	Fn
OPEN	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\serviceprofiles\localservice\videos	desired_access = FILE_WRITE_ATTRIBUTES, SYNCHRONIZE, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT	1	Fn
CREATE_DIR			3	Fn
CREATE_DIR			62	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\logfiles	desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\logfiles\scm\	desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0	1	Fn
CREATE			61	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\1394.pnf	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	1	Fn
CREATE			254	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\1394.inf	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\driverstore\en-us\1394.inf_loc	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\globalization\sorting\sortdefault.nls	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\1394.pnf	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, create_disposition = FILE_MAXIMUM_DISPOSITION, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\acpi.pnf	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\acpi.inf	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\driverstore\en-us\acpi.inf_loc	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\acpi.pnf	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, create_disposition = FILE_MAXIMUM_DISPOSITION, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\acpipagr.pnf	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\acpipagr.inf	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\driverstore\en-us\acpipagr.inf_loc	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\acpipagr.pnf	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, create_disposition = FILE_MAXIMUM_DISPOSITION, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\acpitime.pnf	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\acpitime.inf	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\driverstore\en-us\acpitime.inf_loc	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\acpitime.pnf	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, create_disposition = FILE_MAXIMUM_DISPOSITION, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\drivers\afd.sys	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\machine.pnf	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\machine.inf	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\driverstore\en-us\machine.inf_loc	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\machine.pnf	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, create_disposition = FILE_MAXIMUM_DISPOSITION, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\cpu.pnf	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\cpu.inf	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\driverstore\en-us\cpu.inf_loc	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\cpu.pnf	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, create_disposition = FILE_MAXIMUM_DISPOSITION, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\cpu.pnf	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	4	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\arcsas.pnf	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\arcsas.inf	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\driverstore\en-us\arcsas.inf_loc	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\arcsas.pnf	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, create_disposition = FILE_MAXIMUM_DISPOSITION, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\mshdc.pnf	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\mshdc.inf	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\driverstore\en-us\mshdc.inf_loc	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\mshdc.pnf	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, create_disposition = FILE_MAXIMUM_DISPOSITION, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\netbvbda.pnf	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\netbvbda.inf	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\driverstore\en-us\netbvbda.inf_loc	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\netbvbda.pnf	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, create_disposition = FILE_MAXIMUM_DISPOSITION, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\bcmfn2.pnf	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\bcmfn2.inf	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\driverstore\en-us\bcmfn2.inf_loc	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\bcmfn2.pnf	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, create_disposition = FILE_MAXIMUM_DISPOSITION, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\bfe.dll	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\bxfcoe.pnf	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\bxfcoe.inf	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\driverstore\en-us\bxfcoe.inf_loc	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\bxfcoe.pnf	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, create_disposition = FILE_MAXIMUM_DISPOSITION, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\bxois.pnf	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\bxois.inf	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\driverstore\en-us\bxois.inf_loc	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\bxois.pnf	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, create_disposition = FILE_MAXIMUM_DISPOSITION, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\cdrom.pnf	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\cdrom.inf	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\driverstore\en-us\cdrom.inf_loc	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\cdrom.pnf	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, create_disposition = FILE_MAXIMUM_DISPOSITION, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\cht4vx64.pnf	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\cht4vx64.inf	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\driverstore\en-us\cht4vx64.inf_loc	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\cht4vx64.pnf	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, create_disposition = FILE_MAXIMUM_DISPOSITION, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\drivers\clfs.sys	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\cmbatt.pnf	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\cmbatt.inf	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\driverstore\en-us\cmbatt.inf_loc	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\cmbatt.pnf	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, create_disposition = FILE_MAXIMUM_DISPOSITION, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\cryptsvc.dll	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\combase.dll	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	2	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\defragsvc.dll	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\umpnpmgr.dll	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	2	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\wkssvc.dll	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	6	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\dhcpcore.dll	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\disk.pnf	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\disk.inf	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\driverstore\en-us\disk.inf_loc	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\disk.pnf	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, create_disposition = FILE_MAXIMUM_DISPOSITION, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\dnsapi.dll	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\eapsvc.dll	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\netevbda.pnf	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\netevbda.inf	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\driverstore\en-us\netevbda.inf_loc	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\netevbda.pnf	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, create_disposition = FILE_MAXIMUM_DISPOSITION, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\efssvc.dll	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\drivers\ehstorclass.sys	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\ehstortcgdrv.pnf	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\ehstortcgdrv.inf	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\driverstore\en-us\ehstortcgdrv.inf_loc	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\ehstortcgdrv.pnf	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, create_disposition = FILE_MAXIMUM_DISPOSITION, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\errdev.pnf	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\errdev.inf	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\driverstore\en-us\errdev.inf_loc	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\errdev.pnf	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, create_disposition = FILE_MAXIMUM_DISPOSITION, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\wevtsvc.dll	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\fdc.pnf	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\fdc.inf	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\driverstore\en-us\fdc.inf_loc	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\fdc.pnf	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, create_disposition = FILE_MAXIMUM_DISPOSITION, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\drivers\fileinfo.sys	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\drivers\filetrace.sys	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\flpydisk.pnf	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\flpydisk.inf	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\driverstore\en-us\flpydisk.inf_loc	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\flpydisk.pnf	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, create_disposition = FILE_MAXIMUM_DISPOSITION, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\drivers\fltmgr.sys	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\drivers\fsdepends.sys	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\drivers\fvevol.sys	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\agp.pnf	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\agp.inf	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\driverstore\en-us\agp.inf_loc	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\agp.pnf	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, create_disposition = FILE_MAXIMUM_DISPOSITION, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\gpapi.dll	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\hdaudbus.pnf	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\hdaudbus.inf	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\driverstore\en-us\hdaudbus.inf_loc	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\hdaudbus.pnf	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, create_disposition = FILE_MAXIMUM_DISPOSITION, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\hidbatt.pnf	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\hidbatt.inf	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\driverstore\en-us\hidbatt.inf_loc	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\hidbatt.pnf	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, create_disposition = FILE_MAXIMUM_DISPOSITION, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\hidi2c.pnf	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\hidi2c.inf	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\driverstore\en-us\hidi2c.inf_loc	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\hidi2c.pnf	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, create_disposition = FILE_MAXIMUM_DISPOSITION, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\hidserv.dll	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\input.pnf	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\input.inf	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\driverstore\en-us\input.inf_loc	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\input.pnf	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, create_disposition = FILE_MAXIMUM_DISPOSITION, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\msmouse.pnf	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\msmouse.inf	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\driverstore\en-us\msmouse.inf_loc	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\msmouse.pnf	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, create_disposition = FILE_MAXIMUM_DISPOSITION, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\ialpssi_gpio.pnf	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\ialpssi_gpio.inf	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\driverstore\en-us\ialpssi_gpio.inf_loc	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\ialpssi_gpio.pnf	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, create_disposition = FILE_MAXIMUM_DISPOSITION, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\ialpssi_i2c.pnf	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\ialpssi_i2c.inf	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\driverstore\en-us\ialpssi_i2c.inf_loc	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\ialpssi_i2c.pnf	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, create_disposition = FILE_MAXIMUM_DISPOSITION, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\iastorav.pnf	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\iastorav.inf	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\driverstore\en-us\iastorav.inf_loc	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\iastorav.pnf	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, create_disposition = FILE_MAXIMUM_DISPOSITION, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\iastorv.pnf	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\iastorv.inf	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\driverstore\en-us\iastorv.inf_loc	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\iastorv.pnf	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, create_disposition = FILE_MAXIMUM_DISPOSITION, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\mlx4_bus.pnf	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\mlx4_bus.inf	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\driverstore\en-us\mlx4_bus.inf_loc	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\mlx4_bus.pnf	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, create_disposition = FILE_MAXIMUM_DISPOSITION, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\ikeext.dll	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\iscsi.pnf	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\iscsi.inf	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\driverstore\en-us\iscsi.inf_loc	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\iscsi.pnf	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, create_disposition = FILE_MAXIMUM_DISPOSITION, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\keyboard.pnf	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\keyboard.inf	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\driverstore\en-us\keyboard.inf_loc	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\keyboard.pnf	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, create_disposition = FILE_MAXIMUM_DISPOSITION, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\keyboard.pnf	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\keyiso.dll	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\srvsvc.dll	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	3	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\lmhsvc.dll	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\lsm.dll	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\mlx4_bus.pnf	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	4	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\msmouse.pnf	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	3	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\drivers\mountmgr.sys	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\firewallapi.dll	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	2	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\drivers\mshidkmdf.sys	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\iscsidsc.dll	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\mssmbios.pnf	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\mssmbios.inf	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\driverstore\en-us\mssmbios.inf_loc	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\mssmbios.pnf	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, create_disposition = FILE_MAXIMUM_DISPOSITION, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\mtconfig.pnf	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\mtconfig.inf	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\driverstore\en-us\mtconfig.inf_loc	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\mtconfig.pnf	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, create_disposition = FILE_MAXIMUM_DISPOSITION, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\drivers\mup.sys	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\drivers\ndis.sys	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\drivers\ndisvirtualbus.sys	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\drivers\netbt.sys	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\netlogon.dll	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\netman.dll	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\nlasvc.dll	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\nsisvc.dll	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\drivers\nsiproxy.sys	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\machine.pnf	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	3	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\msports.pnf	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\msports.inf	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\driverstore\en-us\msports.inf_loc	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\msports.pnf	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, create_disposition = FILE_MAXIMUM_DISPOSITION, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\drivers\partmgr.sys	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\drivers\pdc.sys	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\polstore.dll	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\umpo.dll	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\profsvc.dll	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\ql2300.pnf	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\ql2300.inf	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\driverstore\en-us\ql2300.inf_loc	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\ql2300.pnf	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, create_disposition = FILE_MAXIMUM_DISPOSITION, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\ql40xx2i.pnf	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\ql40xx2i.inf	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\driverstore\en-us\ql40xx2i.inf_loc	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\ql40xx2i.pnf	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, create_disposition = FILE_MAXIMUM_DISPOSITION, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\qlfcoei.pnf	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\qlfcoei.inf	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\driverstore\en-us\qlfcoei.inf_loc	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\qlfcoei.pnf	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, create_disposition = FILE_MAXIMUM_DISPOSITION, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\rasauto.dll	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\rasmans.dll	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\rpcepmap.dll	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\sacsvr.dll	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\samsrv.dll	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\sbp2.pnf	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\sbp2.inf	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\driverstore\en-us\sbp2.inf_loc	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\sbp2.pnf	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, create_disposition = FILE_MAXIMUM_DISPOSITION, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\sdstor.pnf	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\sdstor.inf	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\driverstore\en-us\sdstor.inf_loc	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\sdstor.pnf	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, create_disposition = FILE_MAXIMUM_DISPOSITION, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\msports.pnf	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	2	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\flpydisk.pnf	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\smphost.dll	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\spaceport.pnf	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\spaceport.inf	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\driverstore\en-us\spaceport.inf_loc	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\spaceport.pnf	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, create_disposition = FILE_MAXIMUM_DISPOSITION, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\sstpsvc.dll	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\mshdc.pnf	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\stornvme.pnf	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\stornvme.inf	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\driverstore\en-us\stornvme.inf_loc	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\stornvme.pnf	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, create_disposition = FILE_MAXIMUM_DISPOSITION, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\svsvc.dll	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\swenum.pnf	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\swenum.inf	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\driverstore\en-us\swenum.inf_loc	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\swenum.pnf	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, create_disposition = FILE_MAXIMUM_DISPOSITION, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\swprv.dll	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\systemeventsbrokerserver.dll	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\drivers\tcpip.sys	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\tpm.pnf	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\tpm.inf	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\driverstore\en-us\tpm.inf_loc	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\tpm.pnf	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, create_disposition = FILE_MAXIMUM_DISPOSITION, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\servicing\trustedinstaller.exe	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\agp.pnf	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\uaspstor.pnf	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\uaspstor.inf	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\driverstore\en-us\uaspstor.inf_loc	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\uaspstor.pnf	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, create_disposition = FILE_MAXIMUM_DISPOSITION, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\uefi.pnf	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\uefi.inf	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\driverstore\en-us\uefi.inf_loc	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\uefi.pnf	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, create_disposition = FILE_MAXIMUM_DISPOSITION, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\umbus.pnf	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\umbus.inf	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\driverstore\en-us\umbus.inf_loc	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\umbus.pnf	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, create_disposition = FILE_MAXIMUM_DISPOSITION, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\umpass.pnf	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\umpass.inf	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\driverstore\en-us\umpass.inf_loc	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\umpass.pnf	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, create_disposition = FILE_MAXIMUM_DISPOSITION, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\usb.pnf	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\usb.inf	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\driverstore\en-us\usb.inf_loc	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\usb.pnf	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, create_disposition = FILE_MAXIMUM_DISPOSITION, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\usbport.pnf	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\usbport.inf	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\driverstore\en-us\usbport.inf_loc	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\usbport.pnf	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, create_disposition = FILE_MAXIMUM_DISPOSITION, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\usbport.pnf	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	3	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\usbhub3.pnf	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\usbhub3.inf	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\driverstore\en-us\usbhub3.inf_loc	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\usbhub3.pnf	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, create_disposition = FILE_MAXIMUM_DISPOSITION, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\usbstor.pnf	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\usbstor.inf	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\driverstore\en-us\usbstor.inf_loc	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\usbstor.pnf	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, create_disposition = FILE_MAXIMUM_DISPOSITION, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\usbxhci.pnf	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\usbxhci.inf	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\driverstore\en-us\usbxhci.inf_loc	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\usbxhci.pnf	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, create_disposition = FILE_MAXIMUM_DISPOSITION, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\vdrvroot.pnf	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\vdrvroot.inf	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\driverstore\en-us\vdrvroot.inf_loc	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\vdrvroot.pnf	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, create_disposition = FILE_MAXIMUM_DISPOSITION, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\vds.exe	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\drivers\verifierext.sys	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\vmbusres.dll	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\volmgr.pnf	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\volmgr.inf	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\driverstore\en-us\volmgr.inf_loc	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\volmgr.pnf	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, create_disposition = FILE_MAXIMUM_DISPOSITION, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\drivers\volmgrx.sys	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\volume.pnf	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\volume.inf	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\driverstore\en-us\volume.inf_loc	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\volume.pnf	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, create_disposition = FILE_MAXIMUM_DISPOSITION, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\vssvc.exe	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\vstxraid.pnf	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\vstxraid.inf	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\driverstore\en-us\vstxraid.inf_loc	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\vstxraid.pnf	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, create_disposition = FILE_MAXIMUM_DISPOSITION, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\w32time.dll	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\hiddigi.pnf	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\hiddigi.inf	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\driverstore\en-us\hiddigi.inf_loc	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\hiddigi.pnf	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, create_disposition = FILE_MAXIMUM_DISPOSITION, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\wbengine.exe	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\drivers\wdf01000.sys	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\winhttp.dll	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\wbem\wmisvc.dll	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\wmiacpi.pnf	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\wmiacpi.inf	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\driverstore\en-us\wmiacpi.inf_loc	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\wmiacpi.pnf	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, create_disposition = FILE_MAXIMUM_DISPOSITION, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\wbem\wmiapsrv.exe	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\drivers\ws2ifsl.sys	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\security\logs\scecomp.log	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	2	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\security\logs\scecomp.log	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	2	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\serviceprofiles\networkservice	desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows	desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\serviceprofiles	desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\serviceprofiles\networkservice	desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\users\default\ntuser.dat	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	2	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\serviceprofiles\networkservice\ntuser.dat	desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_EXECUTE, FILE_DELETE_CHILD, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, create_disposition = FILE_MAXIMUM_DISPOSITION, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\users\default\ntuser.dat.log1	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	2	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\serviceprofiles\networkservice\ntuser.dat.log1	desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_EXECUTE, FILE_DELETE_CHILD, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, create_disposition = FILE_MAXIMUM_DISPOSITION, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\users\default\ntuser.dat.log2	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	2	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\serviceprofiles\networkservice\ntuser.dat.log2	desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_EXECUTE, FILE_DELETE_CHILD, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, create_disposition = FILE_MAXIMUM_DISPOSITION, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\users\default\ntuser.dat{2df2d1e8-0b32-11e3-93f4-90b11c2eb9f2}.tm.blf	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	2	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\serviceprofiles\networkservice\ntuser.dat{2df2d1e8-0b32-11e3-93f4-90b11c2eb9f2}.tm.blf	desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_EXECUTE, FILE_DELETE_CHILD, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, create_disposition = FILE_MAXIMUM_DISPOSITION, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\users\default\ntuser.dat{2df2d1e8-0b32-11e3-93f4-90b11c2eb9f2}.tmcontainer00000000000000000001.regtrans-ms	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	2	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\serviceprofiles\networkservice\ntuser.dat{2df2d1e8-0b32-11e3-93f4-90b11c2eb9f2}.tmcontainer00000000000000000001.regtrans-ms	desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_EXECUTE, FILE_DELETE_CHILD, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, create_disposition = FILE_MAXIMUM_DISPOSITION, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\users\default\ntuser.dat{2df2d1e8-0b32-11e3-93f4-90b11c2eb9f2}.tmcontainer00000000000000000002.regtrans-ms	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	2	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\serviceprofiles\networkservice\ntuser.dat{2df2d1e8-0b32-11e3-93f4-90b11c2eb9f2}.tmcontainer00000000000000000002.regtrans-ms	desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_EXECUTE, FILE_DELETE_CHILD, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, create_disposition = FILE_MAXIMUM_DISPOSITION, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\users\default\ntuser.dat{42b82178-0b2e-11e3-93f4-90b11c2eb9f2}.tm.blf	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	2	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\serviceprofiles\networkservice\ntuser.dat{42b82178-0b2e-11e3-93f4-90b11c2eb9f2}.tm.blf	desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_EXECUTE, FILE_DELETE_CHILD, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, create_disposition = FILE_MAXIMUM_DISPOSITION, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\users\default\ntuser.dat{42b82178-0b2e-11e3-93f4-90b11c2eb9f2}.tmcontainer00000000000000000001.regtrans-ms	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	2	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\serviceprofiles\networkservice\ntuser.dat{42b82178-0b2e-11e3-93f4-90b11c2eb9f2}.tmcontainer00000000000000000001.regtrans-ms	desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_EXECUTE, FILE_DELETE_CHILD, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, create_disposition = FILE_MAXIMUM_DISPOSITION, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\users\default\ntuser.dat{42b82178-0b2e-11e3-93f4-90b11c2eb9f2}.tmcontainer00000000000000000002.regtrans-ms	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	2	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\serviceprofiles\networkservice\ntuser.dat{42b82178-0b2e-11e3-93f4-90b11c2eb9f2}.tmcontainer00000000000000000002.regtrans-ms	desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_EXECUTE, FILE_DELETE_CHILD, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, create_disposition = FILE_MAXIMUM_DISPOSITION, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\serviceprofiles\networkservice\appdata	desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\serviceprofiles\networkservice\appdata\local	desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\serviceprofiles\networkservice\appdata\local\microsoft	desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\serviceprofiles\networkservice\appdata\local\microsoft\windows	desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\serviceprofiles\networkservice\appdata\local\microsoft\windows\gameexplorer	desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\serviceprofiles\networkservice\appdata\local\microsoft\windows\history	desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\serviceprofiles\networkservice\appdata\local\microsoft\windows\inetcache	desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\serviceprofiles\networkservice\appdata\local\microsoft\windows\inetcookies	desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\serviceprofiles\networkservice\appdata\local\temp	desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\serviceprofiles\networkservice\appdata\roaming	desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\serviceprofiles\networkservice\appdata\roaming\microsoft	desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows	desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\network shortcuts	desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\recent	desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\sendto	desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\start menu	desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\start menu\programs	desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\start menu\programs\accessories	desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\users\default\appdata\roaming\microsoft\windows\start menu\programs\accessories\desktop.ini	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	2	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\start menu\programs\accessories\desktop.ini	desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_EXECUTE, FILE_DELETE_CHILD, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, create_disposition = FILE_MAXIMUM_DISPOSITION, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\users\default\appdata\roaming\microsoft\windows\start menu\programs\accessories\notepad.lnk	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	2	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\start menu\programs\accessories\notepad.lnk	desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_EXECUTE, FILE_DELETE_CHILD, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, create_disposition = FILE_MAXIMUM_DISPOSITION, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\start menu\programs\system tools	desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\users\default\appdata\roaming\microsoft\windows\start menu\programs\system tools\command prompt.lnk	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	2	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\start menu\programs\system tools\command prompt.lnk	desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_EXECUTE, FILE_DELETE_CHILD, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, create_disposition = FILE_MAXIMUM_DISPOSITION, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\users\default\appdata\roaming\microsoft\windows\start menu\programs\system tools\desktop.ini	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	2	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\start menu\programs\system tools\desktop.ini	desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_EXECUTE, FILE_DELETE_CHILD, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, create_disposition = FILE_MAXIMUM_DISPOSITION, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\templates	desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\serviceprofiles\networkservice\desktop	desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\serviceprofiles\networkservice\documents	desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\serviceprofiles\networkservice\downloads	desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\serviceprofiles\networkservice\favorites	desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\serviceprofiles\networkservice\links	desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\serviceprofiles\networkservice\music	desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\serviceprofiles\networkservice\pictures	desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\serviceprofiles\networkservice\saved games	desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\serviceprofiles\networkservice\videos	desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\serviceprofiles\localservice	desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\serviceprofiles\localservice\ntuser.dat	desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_EXECUTE, FILE_DELETE_CHILD, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, create_disposition = FILE_MAXIMUM_DISPOSITION, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\serviceprofiles\localservice\ntuser.dat.log1	desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_EXECUTE, FILE_DELETE_CHILD, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, create_disposition = FILE_MAXIMUM_DISPOSITION, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\serviceprofiles\localservice\ntuser.dat.log2	desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_EXECUTE, FILE_DELETE_CHILD, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, create_disposition = FILE_MAXIMUM_DISPOSITION, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\serviceprofiles\localservice\ntuser.dat{2df2d1e8-0b32-11e3-93f4-90b11c2eb9f2}.tm.blf	desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_EXECUTE, FILE_DELETE_CHILD, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, create_disposition = FILE_MAXIMUM_DISPOSITION, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\serviceprofiles\localservice\ntuser.dat{2df2d1e8-0b32-11e3-93f4-90b11c2eb9f2}.tmcontainer00000000000000000001.regtrans-ms	desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_EXECUTE, FILE_DELETE_CHILD, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, create_disposition = FILE_MAXIMUM_DISPOSITION, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\serviceprofiles\localservice\ntuser.dat{2df2d1e8-0b32-11e3-93f4-90b11c2eb9f2}.tmcontainer00000000000000000002.regtrans-ms	desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_EXECUTE, FILE_DELETE_CHILD, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, create_disposition = FILE_MAXIMUM_DISPOSITION, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\serviceprofiles\localservice\ntuser.dat{42b82178-0b2e-11e3-93f4-90b11c2eb9f2}.tm.blf	desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_EXECUTE, FILE_DELETE_CHILD, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, create_disposition = FILE_MAXIMUM_DISPOSITION, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\serviceprofiles\localservice\ntuser.dat{42b82178-0b2e-11e3-93f4-90b11c2eb9f2}.tmcontainer00000000000000000001.regtrans-ms	desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_EXECUTE, FILE_DELETE_CHILD, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, create_disposition = FILE_MAXIMUM_DISPOSITION, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\serviceprofiles\localservice\ntuser.dat{42b82178-0b2e-11e3-93f4-90b11c2eb9f2}.tmcontainer00000000000000000002.regtrans-ms	desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_EXECUTE, FILE_DELETE_CHILD, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, create_disposition = FILE_MAXIMUM_DISPOSITION, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\serviceprofiles\localservice\appdata	desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\serviceprofiles\localservice\appdata\local	desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\serviceprofiles\localservice\appdata\local\microsoft	desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\serviceprofiles\localservice\appdata\local\microsoft\windows	desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\serviceprofiles\localservice\appdata\local\microsoft\windows\gameexplorer	desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\serviceprofiles\localservice\appdata\local\microsoft\windows\history	desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\serviceprofiles\localservice\appdata\local\microsoft\windows\inetcache	desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\serviceprofiles\localservice\appdata\local\microsoft\windows\inetcookies	desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\serviceprofiles\localservice\appdata\local\temp	desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\serviceprofiles\localservice\appdata\roaming	desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\serviceprofiles\localservice\appdata\roaming\microsoft	desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\serviceprofiles\localservice\appdata\roaming\microsoft\windows	desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\serviceprofiles\localservice\appdata\roaming\microsoft\windows\network shortcuts	desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\serviceprofiles\localservice\appdata\roaming\microsoft\windows\recent	desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\serviceprofiles\localservice\appdata\roaming\microsoft\windows\sendto	desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\serviceprofiles\localservice\appdata\roaming\microsoft\windows\start menu	desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\serviceprofiles\localservice\appdata\roaming\microsoft\windows\start menu\programs	desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\serviceprofiles\localservice\appdata\roaming\microsoft\windows\start menu\programs\accessories	desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\serviceprofiles\localservice\appdata\roaming\microsoft\windows\start menu\programs\accessories\desktop.ini	desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_EXECUTE, FILE_DELETE_CHILD, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, create_disposition = FILE_MAXIMUM_DISPOSITION, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\serviceprofiles\localservice\appdata\roaming\microsoft\windows\start menu\programs\accessories\notepad.lnk	desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_EXECUTE, FILE_DELETE_CHILD, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, create_disposition = FILE_MAXIMUM_DISPOSITION, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\serviceprofiles\localservice\appdata\roaming\microsoft\windows\start menu\programs\system tools	desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\serviceprofiles\localservice\appdata\roaming\microsoft\windows\start menu\programs\system tools\command prompt.lnk	desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_EXECUTE, FILE_DELETE_CHILD, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, create_disposition = FILE_MAXIMUM_DISPOSITION, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\serviceprofiles\localservice\appdata\roaming\microsoft\windows\start menu\programs\system tools\desktop.ini	desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_EXECUTE, FILE_DELETE_CHILD, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, create_disposition = FILE_MAXIMUM_DISPOSITION, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\serviceprofiles\localservice\appdata\roaming\microsoft\windows\templates	desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\serviceprofiles\localservice\desktop	desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\serviceprofiles\localservice\documents	desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\serviceprofiles\localservice\downloads	desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\serviceprofiles\localservice\favorites	desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\serviceprofiles\localservice\links	desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\serviceprofiles\localservice\music	desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\serviceprofiles\localservice\pictures	desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\serviceprofiles\localservice\saved games	desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\serviceprofiles\localservice\videos	desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0	1	Fn
WRITE			2134	Fn
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\1394.pnf	size = 96	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\1394.pnf	size = 22	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\1394.pnf	size = 1	12	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\1394.pnf	size = 12	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\1394.pnf	size = 14192	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\1394.pnf	size = 246	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\1394.pnf	size = 400	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\1394.pnf	size = 1188	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\1394.pnf	size = 1312	2	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\acpi.pnf	size = 96	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\acpi.pnf	size = 22	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\acpi.pnf	size = 1	20	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\acpi.pnf	size = 12	2	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\acpi.pnf	size = 7056	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\acpi.pnf	size = 250	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\acpi.pnf	size = 304	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\acpi.pnf	size = 744	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\acpi.pnf	size = 812	2	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\acpipagr.pnf	size = 96	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\acpipagr.pnf	size = 22	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\acpipagr.pnf	size = 1	24	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\acpipagr.pnf	size = 12	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\acpipagr.pnf	size = 4972	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\acpipagr.pnf	size = 250	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\acpipagr.pnf	size = 208	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\acpipagr.pnf	size = 396	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\acpipagr.pnf	size = 420	2	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\acpitime.pnf	size = 96	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\acpitime.pnf	size = 22	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\acpitime.pnf	size = 1	20	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\acpitime.pnf	size = 12	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\acpitime.pnf	size = 5448	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\acpitime.pnf	size = 250	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\acpitime.pnf	size = 208	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\acpitime.pnf	size = 444	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\acpitime.pnf	size = 468	2	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\machine.pnf	size = 96	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\machine.pnf	size = 22	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\machine.pnf	size = 1	24	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\machine.pnf	size = 12	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\machine.pnf	size = 741276	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\machine.pnf	size = 250	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\machine.pnf	size = 2176	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\machine.pnf	size = 53292	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\machine.pnf	size = 59588	2	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\cpu.pnf	size = 96	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\cpu.pnf	size = 22	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\cpu.pnf	size = 1	14	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\cpu.pnf	size = 12	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\cpu.pnf	size = 17988	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\cpu.pnf	size = 256	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\cpu.pnf	size = 848	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\cpu.pnf	size = 2304	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\cpu.pnf	size = 2756	2	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\arcsas.pnf	size = 96	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\arcsas.pnf	size = 22	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\arcsas.pnf	size = 1	10	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\arcsas.pnf	size = 12	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\arcsas.pnf	size = 43384	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\arcsas.pnf	size = 256	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\arcsas.pnf	size = 368	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\arcsas.pnf	size = 5052	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\arcsas.pnf	size = 5840	2	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\mshdc.pnf	size = 96	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\mshdc.pnf	size = 22	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\mshdc.pnf	size = 1	14	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\mshdc.pnf	size = 12	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\mshdc.pnf	size = 48332	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\mshdc.pnf	size = 244	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\mshdc.pnf	size = 1312	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\mshdc.pnf	size = 5736	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\mshdc.pnf	size = 6928	2	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\netbvbda.pnf	size = 96	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\netbvbda.pnf	size = 22	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\netbvbda.pnf	size = 1	24	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\netbvbda.pnf	size = 12	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\netbvbda.pnf	size = 8044	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\netbvbda.pnf	size = 250	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\netbvbda.pnf	size = 544	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\netbvbda.pnf	size = 1068	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\netbvbda.pnf	size = 1268	2	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\bcmfn2.pnf	size = 96	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\bcmfn2.pnf	size = 22	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\bcmfn2.pnf	size = 1	20	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\bcmfn2.pnf	size = 12	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\bcmfn2.pnf	size = 5004	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\bcmfn2.pnf	size = 250	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\bcmfn2.pnf	size = 208	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\bcmfn2.pnf	size = 432	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\bcmfn2.pnf	size = 484	2	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\bxfcoe.pnf	size = 96	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\bxfcoe.pnf	size = 22	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\bxfcoe.pnf	size = 1	10	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\bxfcoe.pnf	size = 12	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\bxfcoe.pnf	size = 8264	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\bxfcoe.pnf	size = 260	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\bxfcoe.pnf	size = 304	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\bxfcoe.pnf	size = 840	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\bxfcoe.pnf	size = 968	2	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\bxois.pnf	size = 96	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\bxois.pnf	size = 22	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\bxois.pnf	size = 1	14	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\bxois.pnf	size = 12	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\bxois.pnf	size = 12292	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\bxois.pnf	size = 260	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\bxois.pnf	size = 304	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\bxois.pnf	size = 1344	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\bxois.pnf	size = 1568	2	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\cdrom.pnf	size = 96	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\cdrom.pnf	size = 22	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\cdrom.pnf	size = 1	14	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\cdrom.pnf	size = 12	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\cdrom.pnf	size = 9164	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\cdrom.pnf	size = 248	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\cdrom.pnf	size = 496	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\cdrom.pnf	size = 936	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\cdrom.pnf	size = 1204	2	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\cht4vx64.pnf	size = 96	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\cht4vx64.pnf	size = 22	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\cht4vx64.pnf	size = 1	20	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\cht4vx64.pnf	size = 12	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\cht4vx64.pnf	size = 15776	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\cht4vx64.pnf	size = 250	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\cht4vx64.pnf	size = 592	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\cht4vx64.pnf	size = 2388	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\cht4vx64.pnf	size = 3276	2	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\cmbatt.pnf	size = 96	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\cmbatt.pnf	size = 22	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\cmbatt.pnf	size = 1	18	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\cmbatt.pnf	size = 12	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\cmbatt.pnf	size = 6720	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\cmbatt.pnf	size = 252	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\cmbatt.pnf	size = 304	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\cmbatt.pnf	size = 684	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\cmbatt.pnf	size = 764	2	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\disk.pnf	size = 96	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\disk.pnf	size = 22	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\disk.pnf	size = 1	6	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\disk.pnf	size = 12	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\disk.pnf	size = 11832	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\disk.pnf	size = 256	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\disk.pnf	size = 544	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\disk.pnf	size = 1128	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\disk.pnf	size = 1392	2	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\netevbda.pnf	size = 96	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\netevbda.pnf	size = 22	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\netevbda.pnf	size = 1	16	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\netevbda.pnf	size = 12	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\netevbda.pnf	size = 68172	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\netevbda.pnf	size = 250	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\netevbda.pnf	size = 7296	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\netevbda.pnf	size = 14016	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\netevbda.pnf	size = 16440	2	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\ehstortcgdrv.pnf	size = 96	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\ehstortcgdrv.pnf	size = 22	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\ehstortcgdrv.pnf	size = 1	16	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\ehstortcgdrv.pnf	size = 12	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\ehstortcgdrv.pnf	size = 5660	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\ehstortcgdrv.pnf	size = 286	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\ehstortcgdrv.pnf	size = 224	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\ehstortcgdrv.pnf	size = 444	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\ehstortcgdrv.pnf	size = 504	2	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\errdev.pnf	size = 96	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\errdev.pnf	size = 22	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\errdev.pnf	size = 1	16	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\errdev.pnf	size = 12	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\errdev.pnf	size = 6096	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\errdev.pnf	size = 250	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\errdev.pnf	size = 208	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\errdev.pnf	size = 624	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\errdev.pnf	size = 652	2	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\fdc.pnf	size = 96	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\fdc.pnf	size = 22	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\fdc.pnf	size = 1	18	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\fdc.pnf	size = 12	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\fdc.pnf	size = 4528	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\fdc.pnf	size = 244	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\fdc.pnf	size = 208	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\fdc.pnf	size = 324	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\fdc.pnf	size = 348	2	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\flpydisk.pnf	size = 96	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\flpydisk.pnf	size = 22	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\flpydisk.pnf	size = 1	20	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\flpydisk.pnf	size = 12	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\flpydisk.pnf	size = 6460	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\flpydisk.pnf	size = 258	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\flpydisk.pnf	size = 320	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\flpydisk.pnf	size = 744	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\flpydisk.pnf	size = 868	2	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\agp.pnf	size = 96	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\agp.pnf	size = 22	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\agp.pnf	size = 1	12	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\agp.pnf	size = 12	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\agp.pnf	size = 10448	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\agp.pnf	size = 250	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\agp.pnf	size = 336	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\agp.pnf	size = 1224	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\agp.pnf	size = 1504	2	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\hdaudbus.pnf	size = 96	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\hdaudbus.pnf	size = 22	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\hdaudbus.pnf	size = 1	16	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\hdaudbus.pnf	size = 12	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\hdaudbus.pnf	size = 6628	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\hdaudbus.pnf	size = 278	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\hdaudbus.pnf	size = 288	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\hdaudbus.pnf	size = 588	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\hdaudbus.pnf	size = 664	2	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\hidbatt.pnf	size = 96	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\hidbatt.pnf	size = 22	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\hidbatt.pnf	size = 1	10	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\hidbatt.pnf	size = 12	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\hidbatt.pnf	size = 5400	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\hidbatt.pnf	size = 252	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\hidbatt.pnf	size = 208	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\hidbatt.pnf	size = 432	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\hidbatt.pnf	size = 456	2	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\hidi2c.pnf	size = 96	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\hidi2c.pnf	size = 22	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\hidi2c.pnf	size = 1	12	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\hidi2c.pnf	size = 12	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\hidi2c.pnf	size = 6580	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\hidi2c.pnf	size = 254	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\hidi2c.pnf	size = 288	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\hidi2c.pnf	size = 552	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\hidi2c.pnf	size = 616	2	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\input.pnf	size = 96	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\input.pnf	size = 22	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\input.pnf	size = 1	16	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\input.pnf	size = 12	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\input.pnf	size = 110836	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\input.pnf	size = 254	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\input.pnf	size = 1552	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\input.pnf	size = 9816	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\input.pnf	size = 11644	2	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\msmouse.pnf	size = 96	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\msmouse.pnf	size = 22	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\msmouse.pnf	size = 1	14	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\msmouse.pnf	size = 12	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\msmouse.pnf	size = 66548	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\msmouse.pnf	size = 248	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\msmouse.pnf	size = 1520	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\msmouse.pnf	size = 7020	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\msmouse.pnf	size = 8520	2	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\ialpssi_gpio.pnf	size = 96	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\ialpssi_gpio.pnf	size = 22	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\ialpssi_gpio.pnf	size = 1	20	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\ialpssi_gpio.pnf	size = 12	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\ialpssi_gpio.pnf	size = 6008	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\ialpssi_gpio.pnf	size = 266	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\ialpssi_gpio.pnf	size = 256	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\ialpssi_gpio.pnf	size = 420	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\ialpssi_gpio.pnf	size = 492	2	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\ialpssi_i2c.pnf	size = 96	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\ialpssi_i2c.pnf	size = 22	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\ialpssi_i2c.pnf	size = 1	16	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\ialpssi_i2c.pnf	size = 12	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\ialpssi_i2c.pnf	size = 6496	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\ialpssi_i2c.pnf	size = 266	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\ialpssi_i2c.pnf	size = 256	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\ialpssi_i2c.pnf	size = 468	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\ialpssi_i2c.pnf	size = 544	2	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\iastorav.pnf	size = 96	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\iastorav.pnf	size = 22	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\iastorav.pnf	size = 1	18	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\iastorav.pnf	size = 12	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\iastorav.pnf	size = 8832	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\iastorav.pnf	size = 276	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\iastorav.pnf	size = 304	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\iastorav.pnf	size = 756	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\iastorav.pnf	size = 876	2	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\iastorv.pnf	size = 96	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\iastorv.pnf	size = 22	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\iastorv.pnf	size = 1	22	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\iastorv.pnf	size = 12	2	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\iastorv.pnf	size = 9896	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\iastorv.pnf	size = 252	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\iastorv.pnf	size = 432	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\iastorv.pnf	size = 1524	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\iastorv.pnf	size = 1956	2	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\mlx4_bus.pnf	size = 96	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\mlx4_bus.pnf	size = 22	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\mlx4_bus.pnf	size = 1	24	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\mlx4_bus.pnf	size = 12	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\mlx4_bus.pnf	size = 31284	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\mlx4_bus.pnf	size = 250	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\mlx4_bus.pnf	size = 400	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\mlx4_bus.pnf	size = 3324	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\mlx4_bus.pnf	size = 4044	2	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\iscsi.pnf	size = 96	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\iscsi.pnf	size = 22	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\iscsi.pnf	size = 1	10	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\iscsi.pnf	size = 12	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\iscsi.pnf	size = 7312	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\iscsi.pnf	size = 260	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\iscsi.pnf	size = 288	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\iscsi.pnf	size = 864	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\iscsi.pnf	size = 1096	2	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\keyboard.pnf	size = 96	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\keyboard.pnf	size = 22	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\keyboard.pnf	size = 1	8	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\keyboard.pnf	size = 12	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\keyboard.pnf	size = 88768	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\keyboard.pnf	size = 254	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\keyboard.pnf	size = 2064	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\keyboard.pnf	size = 9192	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\keyboard.pnf	size = 11192	2	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\mssmbios.pnf	size = 96	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\mssmbios.pnf	size = 22	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\mssmbios.pnf	size = 1	16	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\mssmbios.pnf	size = 12	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\mssmbios.pnf	size = 5676	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\mssmbios.pnf	size = 250	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\mssmbios.pnf	size = 208	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\mssmbios.pnf	size = 480	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\mssmbios.pnf	size = 504	2	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\mtconfig.pnf	size = 96	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\mtconfig.pnf	size = 22	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\mtconfig.pnf	size = 1	20	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\mtconfig.pnf	size = 12	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\mtconfig.pnf	size = 5620	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\mtconfig.pnf	size = 282	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\mtconfig.pnf	size = 272	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\mtconfig.pnf	size = 396	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\mtconfig.pnf	size = 456	2	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\msports.pnf	size = 96	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\msports.pnf	size = 22	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\msports.pnf	size = 1	10	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\msports.pnf	size = 12	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\msports.pnf	size = 21872	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\msports.pnf	size = 248	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\msports.pnf	size = 1360	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\msports.pnf	size = 3648	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\msports.pnf	size = 4796	2	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\ql2300.pnf	size = 96	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\ql2300.pnf	size = 22	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\ql2300.pnf	size = 1	12	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\ql2300.pnf	size = 12	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\ql2300.pnf	size = 8332	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\ql2300.pnf	size = 254	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\ql2300.pnf	size = 432	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\ql2300.pnf	size = 912	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\ql2300.pnf	size = 1064	2	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\ql40xx2i.pnf	size = 96	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\ql40xx2i.pnf	size = 22	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\ql40xx2i.pnf	size = 1	16	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\ql40xx2i.pnf	size = 12	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\ql40xx2i.pnf	size = 7104	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\ql40xx2i.pnf	size = 254	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\ql40xx2i.pnf	size = 320	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\ql40xx2i.pnf	size = 636	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\ql40xx2i.pnf	size = 724	2	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\qlfcoei.pnf	size = 96	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\qlfcoei.pnf	size = 22	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\qlfcoei.pnf	size = 1	12	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\qlfcoei.pnf	size = 12	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\qlfcoei.pnf	size = 7740	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\qlfcoei.pnf	size = 254	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\qlfcoei.pnf	size = 384	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\qlfcoei.pnf	size = 792	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\qlfcoei.pnf	size = 952	2	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\sbp2.pnf	size = 96	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\sbp2.pnf	size = 22	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\sbp2.pnf	size = 1	16	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\sbp2.pnf	size = 12	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\sbp2.pnf	size = 5672	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\sbp2.pnf	size = 274	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\sbp2.pnf	size = 240	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\sbp2.pnf	size = 384	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\sbp2.pnf	size = 428	2	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\sdstor.pnf	size = 96	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\sdstor.pnf	size = 22	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\sdstor.pnf	size = 1	16	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\sdstor.pnf	size = 12	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\sdstor.pnf	size = 6592	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\sdstor.pnf	size = 290	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\sdstor.pnf	size = 320	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\sdstor.pnf	size = 528	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\sdstor.pnf	size = 828	2	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\spaceport.pnf	size = 96	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\spaceport.pnf	size = 22	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\spaceport.pnf	size = 1	10	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\spaceport.pnf	size = 12	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\spaceport.pnf	size = 5408	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\spaceport.pnf	size = 260	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\spaceport.pnf	size = 272	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\spaceport.pnf	size = 384	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\spaceport.pnf	size = 448	2	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\stornvme.pnf	size = 96	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\stornvme.pnf	size = 22	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\stornvme.pnf	size = 1	6	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\stornvme.pnf	size = 12	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\stornvme.pnf	size = 7552	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\stornvme.pnf	size = 288	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\stornvme.pnf	size = 304	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\stornvme.pnf	size = 792	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\stornvme.pnf	size = 928	2	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\swenum.pnf	size = 96	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\swenum.pnf	size = 22	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\swenum.pnf	size = 1	16	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\swenum.pnf	size = 12	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\swenum.pnf	size = 5460	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\swenum.pnf	size = 250	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\swenum.pnf	size = 288	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\swenum.pnf	size = 432	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\swenum.pnf	size = 472	2	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\tpm.pnf	size = 96	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\tpm.pnf	size = 22	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\tpm.pnf	size = 1	6	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\tpm.pnf	size = 12	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\tpm.pnf	size = 9704	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\tpm.pnf	size = 296	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\tpm.pnf	size = 720	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\tpm.pnf	size = 1200	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\tpm.pnf	size = 1464	2	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\tpm.pnf	size = 24	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\uaspstor.pnf	size = 96	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\uaspstor.pnf	size = 22	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\uaspstor.pnf	size = 1	18	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\uaspstor.pnf	size = 12	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\uaspstor.pnf	size = 6000	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\uaspstor.pnf	size = 260	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\uaspstor.pnf	size = 304	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\uaspstor.pnf	size = 444	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\uaspstor.pnf	size = 524	2	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\uefi.pnf	size = 96	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\uefi.pnf	size = 22	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\uefi.pnf	size = 1	16	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\uefi.pnf	size = 12	2	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\uefi.pnf	size = 5992	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\uefi.pnf	size = 250	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\uefi.pnf	size = 240	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\uefi.pnf	size = 540	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\uefi.pnf	size = 584	2	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\umbus.pnf	size = 96	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\umbus.pnf	size = 22	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\umbus.pnf	size = 1	16	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\umbus.pnf	size = 12	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\umbus.pnf	size = 7204	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\umbus.pnf	size = 278	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\umbus.pnf	size = 352	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\umbus.pnf	size = 564	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\umbus.pnf	size = 680	2	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\umpass.pnf	size = 96	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\umpass.pnf	size = 22	1	Fn Data
For performance reasons, the remaining 159 entries are omitted. Click to download all 1159 entries as text file (0.85 MB).

Process (381)

Operation	Process Name	Additional Information	Amount	Logfile
CREATE			3	Fn
CREATE		desired_access = MAXIMUM_ALLOWED	3	Fn
OPEN_TOKEN			4	Fn
GET_INFO	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe	os_pid = 0x134	1	Fn
GET_INFO	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe	os_pid = 0x134	357	Fn
GET_INFO	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe	os_pid = 0x134	1	Fn
GET_INFO	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe	os_pid = 0x134	1	Fn
GET_INFO			6	Fn
GET_INFO	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe	os_pid = 0x134	1	Fn
GET_INFO			1	Fn
GET_INFO	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe	os_pid = 0x134	1	Fn
GET_INFO	\Registry\MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide		2	Fn

Memory (9)

Operation	Address	Additional Information	Amount	Logfile
ALLOC	0x94cff3ebf8	process_name = , size = 639144029528, allocation_type = MEM_COMMIT, protection = PAGE_READWRITE	1	Fn
ALLOC	0x94cff3ec38	process_name = , size = 639144029592, allocation_type = MEM_COMMIT, protection = PAGE_READWRITE	2	Fn
WRITE	0xaee6a50000	process_name = , size = 4704	1	Fn Data
WRITE	0x7ff7c98a62d8	process_name = , size = 8	1	Fn Data
WRITE	0xf0520d0000	process_name = , size = 4704	1	Fn Data
WRITE	0x7ff7ca3032d8	process_name = , size = 8	1	Fn Data
WRITE	0x2060980000	process_name = , size = 4704	1	Fn Data
WRITE	0x7ff7c99e92d8	process_name = , size = 8	1	Fn Data

Thread (3)

Operation	Process Name	Additional Information	Success	Amount	Logfile
RESUME				3	Fn

Module (993)

Operation	Module	Additional Information	Amount	Logfile
LOAD		base_address = 0x7ffb70a10000	1	Fn
LOAD	X:\windows\system32\scext.dll		1	Fn
LOAD	kernel32.dll	base_address = 0x0	1	Fn
LOAD	rpcrt4.dll	base_address = 0x0	1	Fn
LOAD	sspicli.dll	base_address = 0x0	2	Fn
LOAD		base_address = 0x7ffb71500000	1	Fn
GET_HANDLE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\services.exe		13	Fn
GET_HANDLE	rpcrt4.dll		2	Fn
GET_HANDLE	kernelbase.dll		1	Fn
GET_HANDLE	ntdll.dll		2	Fn
CREATE_MAPPING	Nameless FileMapping		145	Fn
CREATE_MAPPING	Nameless FileMapping	file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\1394.inf, maximum_size = 639144024704, protection = PAGE_READONLY	1	Fn
CREATE_MAPPING	Nameless FileMapping	file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\driverstore\en-us\1394.inf_loc, maximum_size = 639144024704, protection = PAGE_READONLY	1	Fn
CREATE_MAPPING	Nameless FileMapping	file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\globalization\sorting\sortdefault.nls, maximum_size = 0, protection = PAGE_READONLY	1	Fn
CREATE_MAPPING	Nameless FileMapping	file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\acpi.inf, maximum_size = 639144024704, protection = PAGE_READONLY	1	Fn
CREATE_MAPPING	Nameless FileMapping	file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\driverstore\en-us\acpi.inf_loc, maximum_size = 639144024704, protection = PAGE_READONLY	1	Fn
CREATE_MAPPING	Nameless FileMapping	file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\acpipagr.inf, maximum_size = 639144024704, protection = PAGE_READONLY	1	Fn
CREATE_MAPPING	Nameless FileMapping	file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\driverstore\en-us\acpipagr.inf_loc, maximum_size = 639144024704, protection = PAGE_READONLY	1	Fn
CREATE_MAPPING	Nameless FileMapping	file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\acpitime.inf, maximum_size = 639144024704, protection = PAGE_READONLY	1	Fn
CREATE_MAPPING	Nameless FileMapping	file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\driverstore\en-us\acpitime.inf_loc, maximum_size = 639144024704, protection = PAGE_READONLY	1	Fn
CREATE_MAPPING	Nameless FileMapping	file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\drivers\afd.sys, maximum_size = 0, protection = PAGE_READONLY	1	Fn
CREATE_MAPPING	Nameless FileMapping	file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\machine.inf, maximum_size = 639144024704, protection = PAGE_READONLY	1	Fn
CREATE_MAPPING	Nameless FileMapping	file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\driverstore\en-us\machine.inf_loc, maximum_size = 639144024704, protection = PAGE_READONLY	1	Fn
CREATE_MAPPING	Nameless FileMapping	file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\cpu.inf, maximum_size = 639144024704, protection = PAGE_READONLY	1	Fn
CREATE_MAPPING	Nameless FileMapping	file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\driverstore\en-us\cpu.inf_loc, maximum_size = 639144024704, protection = PAGE_READONLY	1	Fn
CREATE_MAPPING	Nameless FileMapping	file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\cpu.pnf, maximum_size = 639144024192, protection = PAGE_READONLY	4	Fn
CREATE_MAPPING	Nameless FileMapping	file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\arcsas.inf, maximum_size = 639144024704, protection = PAGE_READONLY	1	Fn
CREATE_MAPPING	Nameless FileMapping	file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\driverstore\en-us\arcsas.inf_loc, maximum_size = 639144024704, protection = PAGE_READONLY	1	Fn
CREATE_MAPPING	Nameless FileMapping	file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\mshdc.inf, maximum_size = 639144024704, protection = PAGE_READONLY	1	Fn
CREATE_MAPPING	Nameless FileMapping	file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\driverstore\en-us\mshdc.inf_loc, maximum_size = 639144024704, protection = PAGE_READONLY	1	Fn
CREATE_MAPPING	Nameless FileMapping	file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\netbvbda.inf, maximum_size = 639144024704, protection = PAGE_READONLY	1	Fn
CREATE_MAPPING	Nameless FileMapping	file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\driverstore\en-us\netbvbda.inf_loc, maximum_size = 639144024704, protection = PAGE_READONLY	1	Fn
CREATE_MAPPING	Nameless FileMapping	file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\bcmfn2.inf, maximum_size = 639144024704, protection = PAGE_READONLY	1	Fn
CREATE_MAPPING	Nameless FileMapping	file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\driverstore\en-us\bcmfn2.inf_loc, maximum_size = 639144024704, protection = PAGE_READONLY	1	Fn
CREATE_MAPPING	Nameless FileMapping	file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\bfe.dll, maximum_size = 0, protection = PAGE_READONLY	1	Fn
CREATE_MAPPING	Nameless FileMapping	file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\bxfcoe.inf, maximum_size = 639144024704, protection = PAGE_READONLY	1	Fn
CREATE_MAPPING	Nameless FileMapping	file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\driverstore\en-us\bxfcoe.inf_loc, maximum_size = 639144024704, protection = PAGE_READONLY	1	Fn
CREATE_MAPPING	Nameless FileMapping	file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\bxois.inf, maximum_size = 639144024704, protection = PAGE_READONLY	1	Fn
CREATE_MAPPING	Nameless FileMapping	file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\driverstore\en-us\bxois.inf_loc, maximum_size = 639144024704, protection = PAGE_READONLY	1	Fn
CREATE_MAPPING	Nameless FileMapping	file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\cdrom.inf, maximum_size = 639144024704, protection = PAGE_READONLY	1	Fn
CREATE_MAPPING	Nameless FileMapping	file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\driverstore\en-us\cdrom.inf_loc, maximum_size = 639144024704, protection = PAGE_READONLY	1	Fn
CREATE_MAPPING	Nameless FileMapping	file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\cht4vx64.inf, maximum_size = 639144024704, protection = PAGE_READONLY	1	Fn
CREATE_MAPPING	Nameless FileMapping	file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\driverstore\en-us\cht4vx64.inf_loc, maximum_size = 639144024704, protection = PAGE_READONLY	1	Fn
CREATE_MAPPING	Nameless FileMapping	file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\drivers\clfs.sys, maximum_size = 0, protection = PAGE_READONLY	1	Fn
CREATE_MAPPING	Nameless FileMapping	file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\cmbatt.inf, maximum_size = 639144024704, protection = PAGE_READONLY	1	Fn
CREATE_MAPPING	Nameless FileMapping	file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\driverstore\en-us\cmbatt.inf_loc, maximum_size = 639144024704, protection = PAGE_READONLY	1	Fn
CREATE_MAPPING	Nameless FileMapping	file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\cryptsvc.dll, maximum_size = 0, protection = PAGE_READONLY	1	Fn
CREATE_MAPPING	Nameless FileMapping	file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\combase.dll, maximum_size = 0, protection = PAGE_READONLY	2	Fn
CREATE_MAPPING	Nameless FileMapping	file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\defragsvc.dll, maximum_size = 0, protection = PAGE_READONLY	1	Fn
CREATE_MAPPING	Nameless FileMapping	file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\umpnpmgr.dll, maximum_size = 0, protection = PAGE_READONLY	2	Fn
CREATE_MAPPING	Nameless FileMapping	file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\wkssvc.dll, maximum_size = 0, protection = PAGE_READONLY	6	Fn
CREATE_MAPPING	Nameless FileMapping	file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\dhcpcore.dll, maximum_size = 0, protection = PAGE_READONLY	1	Fn
CREATE_MAPPING	Nameless FileMapping	file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\disk.inf, maximum_size = 639144024704, protection = PAGE_READONLY	1	Fn
CREATE_MAPPING	Nameless FileMapping	file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\driverstore\en-us\disk.inf_loc, maximum_size = 639144024704, protection = PAGE_READONLY	1	Fn
CREATE_MAPPING	Nameless FileMapping	file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\dnsapi.dll, maximum_size = 0, protection = PAGE_READONLY	1	Fn
CREATE_MAPPING	Nameless FileMapping	file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\eapsvc.dll, maximum_size = 0, protection = PAGE_READONLY	1	Fn
CREATE_MAPPING	Nameless FileMapping	file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\netevbda.inf, maximum_size = 639144024704, protection = PAGE_READONLY	1	Fn
CREATE_MAPPING	Nameless FileMapping	file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\driverstore\en-us\netevbda.inf_loc, maximum_size = 639144024704, protection = PAGE_READONLY	1	Fn
CREATE_MAPPING	Nameless FileMapping	file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\efssvc.dll, maximum_size = 0, protection = PAGE_READONLY	1	Fn
CREATE_MAPPING	Nameless FileMapping	file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\drivers\ehstorclass.sys, maximum_size = 0, protection = PAGE_READONLY	1	Fn
CREATE_MAPPING	Nameless FileMapping	file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\ehstortcgdrv.inf, maximum_size = 639144024704, protection = PAGE_READONLY	1	Fn
CREATE_MAPPING	Nameless FileMapping	file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\driverstore\en-us\ehstortcgdrv.inf_loc, maximum_size = 639144024704, protection = PAGE_READONLY	1	Fn
CREATE_MAPPING	Nameless FileMapping	file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\errdev.inf, maximum_size = 639144024704, protection = PAGE_READONLY	1	Fn
CREATE_MAPPING	Nameless FileMapping	file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\driverstore\en-us\errdev.inf_loc, maximum_size = 639144024704, protection = PAGE_READONLY	1	Fn
CREATE_MAPPING	Nameless FileMapping	file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\wevtsvc.dll, maximum_size = 0, protection = PAGE_READONLY	1	Fn
CREATE_MAPPING	Nameless FileMapping	file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\fdc.inf, maximum_size = 639144024704, protection = PAGE_READONLY	1	Fn
CREATE_MAPPING	Nameless FileMapping	file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\driverstore\en-us\fdc.inf_loc, maximum_size = 639144024704, protection = PAGE_READONLY	1	Fn
CREATE_MAPPING	Nameless FileMapping	file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\drivers\fileinfo.sys, maximum_size = 0, protection = PAGE_READONLY	1	Fn
CREATE_MAPPING	Nameless FileMapping	file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\drivers\filetrace.sys, maximum_size = 0, protection = PAGE_READONLY	1	Fn
CREATE_MAPPING	Nameless FileMapping	file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\flpydisk.inf, maximum_size = 639144024704, protection = PAGE_READONLY	1	Fn
CREATE_MAPPING	Nameless FileMapping	file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\driverstore\en-us\flpydisk.inf_loc, maximum_size = 639144024704, protection = PAGE_READONLY	1	Fn
CREATE_MAPPING	Nameless FileMapping	file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\drivers\fltmgr.sys, maximum_size = 0, protection = PAGE_READONLY	1	Fn
CREATE_MAPPING	Nameless FileMapping	file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\drivers\fsdepends.sys, maximum_size = 0, protection = PAGE_READONLY	1	Fn
CREATE_MAPPING	Nameless FileMapping	file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\drivers\fvevol.sys, maximum_size = 0, protection = PAGE_READONLY	1	Fn
CREATE_MAPPING	Nameless FileMapping	file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\agp.inf, maximum_size = 639144024704, protection = PAGE_READONLY	1	Fn
CREATE_MAPPING	Nameless FileMapping	file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\driverstore\en-us\agp.inf_loc, maximum_size = 639144024704, protection = PAGE_READONLY	1	Fn
CREATE_MAPPING	Nameless FileMapping	file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\gpapi.dll, maximum_size = 0, protection = PAGE_READONLY	1	Fn
CREATE_MAPPING	Nameless FileMapping	file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\hdaudbus.inf, maximum_size = 639144024704, protection = PAGE_READONLY	1	Fn
CREATE_MAPPING	Nameless FileMapping	file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\driverstore\en-us\hdaudbus.inf_loc, maximum_size = 639144024704, protection = PAGE_READONLY	1	Fn
CREATE_MAPPING	Nameless FileMapping	file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\hidbatt.inf, maximum_size = 639144024704, protection = PAGE_READONLY	1	Fn
CREATE_MAPPING	Nameless FileMapping	file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\driverstore\en-us\hidbatt.inf_loc, maximum_size = 639144024704, protection = PAGE_READONLY	1	Fn
CREATE_MAPPING	Nameless FileMapping	file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\hidi2c.inf, maximum_size = 639144024704, protection = PAGE_READONLY	1	Fn
CREATE_MAPPING	Nameless FileMapping	file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\driverstore\en-us\hidi2c.inf_loc, maximum_size = 639144024704, protection = PAGE_READONLY	1	Fn
CREATE_MAPPING	Nameless FileMapping	file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\hidserv.dll, maximum_size = 0, protection = PAGE_READONLY	1	Fn
CREATE_MAPPING	Nameless FileMapping	file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\input.inf, maximum_size = 639144024704, protection = PAGE_READONLY	1	Fn
CREATE_MAPPING	Nameless FileMapping	file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\driverstore\en-us\input.inf_loc, maximum_size = 639144024704, protection = PAGE_READONLY	1	Fn
CREATE_MAPPING	Nameless FileMapping	file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\msmouse.inf, maximum_size = 639144024704, protection = PAGE_READONLY	1	Fn
CREATE_MAPPING	Nameless FileMapping	file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\driverstore\en-us\msmouse.inf_loc, maximum_size = 639144024704, protection = PAGE_READONLY	1	Fn
CREATE_MAPPING	Nameless FileMapping	file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\ialpssi_gpio.inf, maximum_size = 639144024704, protection = PAGE_READONLY	1	Fn
CREATE_MAPPING	Nameless FileMapping	file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\driverstore\en-us\ialpssi_gpio.inf_loc, maximum_size = 639144024704, protection = PAGE_READONLY	1	Fn
CREATE_MAPPING	Nameless FileMapping	file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\ialpssi_i2c.inf, maximum_size = 639144024704, protection = PAGE_READONLY	1	Fn
CREATE_MAPPING	Nameless FileMapping	file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\driverstore\en-us\ialpssi_i2c.inf_loc, maximum_size = 639144024704, protection = PAGE_READONLY	1	Fn
CREATE_MAPPING	Nameless FileMapping	file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\iastorav.inf, maximum_size = 639144024704, protection = PAGE_READONLY	1	Fn
CREATE_MAPPING	Nameless FileMapping	file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\driverstore\en-us\iastorav.inf_loc, maximum_size = 639144024704, protection = PAGE_READONLY	1	Fn
CREATE_MAPPING	Nameless FileMapping	file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\iastorv.inf, maximum_size = 639144024704, protection = PAGE_READONLY	1	Fn
CREATE_MAPPING	Nameless FileMapping	file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\driverstore\en-us\iastorv.inf_loc, maximum_size = 639144024704, protection = PAGE_READONLY	1	Fn
CREATE_MAPPING	Nameless FileMapping	file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\mlx4_bus.inf, maximum_size = 639144024704, protection = PAGE_READONLY	1	Fn
CREATE_MAPPING	Nameless FileMapping	file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\driverstore\en-us\mlx4_bus.inf_loc, maximum_size = 639144024704, protection = PAGE_READONLY	1	Fn
CREATE_MAPPING	Nameless FileMapping	file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\ikeext.dll, maximum_size = 0, protection = PAGE_READONLY	1	Fn
CREATE_MAPPING	Nameless FileMapping	file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\iscsi.inf, maximum_size = 639144024704, protection = PAGE_READONLY	1	Fn
CREATE_MAPPING	Nameless FileMapping	file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\driverstore\en-us\iscsi.inf_loc, maximum_size = 639144024704, protection = PAGE_READONLY	1	Fn
CREATE_MAPPING	Nameless FileMapping	file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\keyboard.inf, maximum_size = 639144024704, protection = PAGE_READONLY	1	Fn
CREATE_MAPPING	Nameless FileMapping	file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\driverstore\en-us\keyboard.inf_loc, maximum_size = 639144024704, protection = PAGE_READONLY	1	Fn
CREATE_MAPPING	Nameless FileMapping	file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\keyboard.pnf, maximum_size = 639144024192, protection = PAGE_READONLY	1	Fn
CREATE_MAPPING	Nameless FileMapping	file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\keyiso.dll, maximum_size = 0, protection = PAGE_READONLY	1	Fn
CREATE_MAPPING	Nameless FileMapping	file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\srvsvc.dll, maximum_size = 0, protection = PAGE_READONLY	3	Fn
CREATE_MAPPING	Nameless FileMapping	file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\lmhsvc.dll, maximum_size = 0, protection = PAGE_READONLY	1	Fn
CREATE_MAPPING	Nameless FileMapping	file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\lsm.dll, maximum_size = 0, protection = PAGE_READONLY	1	Fn
CREATE_MAPPING	Nameless FileMapping	file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\mlx4_bus.pnf, maximum_size = 639144024192, protection = PAGE_READONLY	4	Fn
CREATE_MAPPING	Nameless FileMapping	file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\msmouse.pnf, maximum_size = 639144024192, protection = PAGE_READONLY	3	Fn
CREATE_MAPPING	Nameless FileMapping	file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\drivers\mountmgr.sys, maximum_size = 0, protection = PAGE_READONLY	1	Fn
CREATE_MAPPING	Nameless FileMapping	file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\firewallapi.dll, maximum_size = 0, protection = PAGE_READONLY	2	Fn
CREATE_MAPPING	Nameless FileMapping	file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\drivers\mshidkmdf.sys, maximum_size = 0, protection = PAGE_READONLY	1	Fn
CREATE_MAPPING	Nameless FileMapping	file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\iscsidsc.dll, maximum_size = 0, protection = PAGE_READONLY	1	Fn
CREATE_MAPPING	Nameless FileMapping	file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\mssmbios.inf, maximum_size = 639144024704, protection = PAGE_READONLY	1	Fn
CREATE_MAPPING	Nameless FileMapping	file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\driverstore\en-us\mssmbios.inf_loc, maximum_size = 639144024704, protection = PAGE_READONLY	1	Fn
CREATE_MAPPING	Nameless FileMapping	file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\mtconfig.inf, maximum_size = 639144024704, protection = PAGE_READONLY	1	Fn
CREATE_MAPPING	Nameless FileMapping	file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\driverstore\en-us\mtconfig.inf_loc, maximum_size = 639144024704, protection = PAGE_READONLY	1	Fn
CREATE_MAPPING	Nameless FileMapping	file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\drivers\mup.sys, maximum_size = 0, protection = PAGE_READONLY	1	Fn
CREATE_MAPPING	Nameless FileMapping	file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\drivers\ndis.sys, maximum_size = 0, protection = PAGE_READONLY	1	Fn
CREATE_MAPPING	Nameless FileMapping	file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\drivers\ndisvirtualbus.sys, maximum_size = 0, protection = PAGE_READONLY	1	Fn
CREATE_MAPPING	Nameless FileMapping	file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\drivers\netbt.sys, maximum_size = 0, protection = PAGE_READONLY	1	Fn
CREATE_MAPPING	Nameless FileMapping	file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\netlogon.dll, maximum_size = 0, protection = PAGE_READONLY	1	Fn
CREATE_MAPPING	Nameless FileMapping	file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\netman.dll, maximum_size = 0, protection = PAGE_READONLY	1	Fn
CREATE_MAPPING	Nameless FileMapping	file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\nlasvc.dll, maximum_size = 0, protection = PAGE_READONLY	1	Fn
CREATE_MAPPING	Nameless FileMapping	file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\nsisvc.dll, maximum_size = 0, protection = PAGE_READONLY	1	Fn
CREATE_MAPPING	Nameless FileMapping	file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\drivers\nsiproxy.sys, maximum_size = 0, protection = PAGE_READONLY	1	Fn
CREATE_MAPPING	Nameless FileMapping	file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\machine.pnf, maximum_size = 639144024192, protection = PAGE_READONLY	3	Fn
CREATE_MAPPING	Nameless FileMapping	file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\msports.inf, maximum_size = 639144024704, protection = PAGE_READONLY	1	Fn
CREATE_MAPPING	Nameless FileMapping	file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\driverstore\en-us\msports.inf_loc, maximum_size = 639144024704, protection = PAGE_READONLY	1	Fn
CREATE_MAPPING	Nameless FileMapping	file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\drivers\partmgr.sys, maximum_size = 0, protection = PAGE_READONLY	1	Fn
CREATE_MAPPING	Nameless FileMapping	file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\drivers\pdc.sys, maximum_size = 0, protection = PAGE_READONLY	1	Fn
CREATE_MAPPING	Nameless FileMapping	file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\polstore.dll, maximum_size = 0, protection = PAGE_READONLY	1	Fn
CREATE_MAPPING	Nameless FileMapping	file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\umpo.dll, maximum_size = 0, protection = PAGE_READONLY	1	Fn
CREATE_MAPPING	Nameless FileMapping	file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\profsvc.dll, maximum_size = 0, protection = PAGE_READONLY	1	Fn
CREATE_MAPPING	Nameless FileMapping	file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\ql2300.inf, maximum_size = 639144024704, protection = PAGE_READONLY	1	Fn
CREATE_MAPPING	Nameless FileMapping	file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\driverstore\en-us\ql2300.inf_loc, maximum_size = 639144024704, protection = PAGE_READONLY	1	Fn
CREATE_MAPPING	Nameless FileMapping	file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\ql40xx2i.inf, maximum_size = 639144024704, protection = PAGE_READONLY	1	Fn
CREATE_MAPPING	Nameless FileMapping	file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\driverstore\en-us\ql40xx2i.inf_loc, maximum_size = 639144024704, protection = PAGE_READONLY	1	Fn
CREATE_MAPPING	Nameless FileMapping	file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\qlfcoei.inf, maximum_size = 639144024704, protection = PAGE_READONLY	1	Fn
CREATE_MAPPING	Nameless FileMapping	file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\driverstore\en-us\qlfcoei.inf_loc, maximum_size = 639144024704, protection = PAGE_READONLY	1	Fn
CREATE_MAPPING	Nameless FileMapping	file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\rasauto.dll, maximum_size = 0, protection = PAGE_READONLY	1	Fn
CREATE_MAPPING	Nameless FileMapping	file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\rasmans.dll, maximum_size = 0, protection = PAGE_READONLY	1	Fn
CREATE_MAPPING	Nameless FileMapping	file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\rpcepmap.dll, maximum_size = 0, protection = PAGE_READONLY	1	Fn
CREATE_MAPPING	Nameless FileMapping	file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\sacsvr.dll, maximum_size = 0, protection = PAGE_READONLY	1	Fn
CREATE_MAPPING	Nameless FileMapping	file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\samsrv.dll, maximum_size = 0, protection = PAGE_READONLY	1	Fn
CREATE_MAPPING	Nameless FileMapping	file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\sbp2.inf, maximum_size = 639144024704, protection = PAGE_READONLY	1	Fn
CREATE_MAPPING	Nameless FileMapping	file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\driverstore\en-us\sbp2.inf_loc, maximum_size = 639144024704, protection = PAGE_READONLY	1	Fn
CREATE_MAPPING	Nameless FileMapping	file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\sdstor.inf, maximum_size = 639144024704, protection = PAGE_READONLY	1	Fn
CREATE_MAPPING	Nameless FileMapping	file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\driverstore\en-us\sdstor.inf_loc, maximum_size = 639144024704, protection = PAGE_READONLY	1	Fn
CREATE_MAPPING	Nameless FileMapping	file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\msports.pnf, maximum_size = 639144024192, protection = PAGE_READONLY	2	Fn
CREATE_MAPPING	Nameless FileMapping	file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\flpydisk.pnf, maximum_size = 639144024192, protection = PAGE_READONLY	1	Fn
CREATE_MAPPING	Nameless FileMapping	file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\smphost.dll, maximum_size = 0, protection = PAGE_READONLY	1	Fn
CREATE_MAPPING	Nameless FileMapping	file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\spaceport.inf, maximum_size = 639144024704, protection = PAGE_READONLY	1	Fn
CREATE_MAPPING	Nameless FileMapping	file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\driverstore\en-us\spaceport.inf_loc, maximum_size = 639144024704, protection = PAGE_READONLY	1	Fn
CREATE_MAPPING	Nameless FileMapping	file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\sstpsvc.dll, maximum_size = 0, protection = PAGE_READONLY	1	Fn
CREATE_MAPPING	Nameless FileMapping	file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\mshdc.pnf, maximum_size = 639144024192, protection = PAGE_READONLY	1	Fn
CREATE_MAPPING	Nameless FileMapping	file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\stornvme.inf, maximum_size = 639144024704, protection = PAGE_READONLY	1	Fn
CREATE_MAPPING	Nameless FileMapping	file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\driverstore\en-us\stornvme.inf_loc, maximum_size = 639144024704, protection = PAGE_READONLY	1	Fn
CREATE_MAPPING	Nameless FileMapping	file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\svsvc.dll, maximum_size = 0, protection = PAGE_READONLY	1	Fn
CREATE_MAPPING	Nameless FileMapping	file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\swenum.inf, maximum_size = 639144024704, protection = PAGE_READONLY	1	Fn
CREATE_MAPPING	Nameless FileMapping	file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\driverstore\en-us\swenum.inf_loc, maximum_size = 639144024704, protection = PAGE_READONLY	1	Fn
CREATE_MAPPING	Nameless FileMapping	file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\swprv.dll, maximum_size = 0, protection = PAGE_READONLY	1	Fn
CREATE_MAPPING	Nameless FileMapping	file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\systemeventsbrokerserver.dll, maximum_size = 0, protection = PAGE_READONLY	1	Fn
CREATE_MAPPING	Nameless FileMapping	file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\drivers\tcpip.sys, maximum_size = 0, protection = PAGE_READONLY	1	Fn
CREATE_MAPPING	Nameless FileMapping	file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\tpm.inf, maximum_size = 639144024704, protection = PAGE_READONLY	1	Fn
CREATE_MAPPING	Nameless FileMapping	file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\driverstore\en-us\tpm.inf_loc, maximum_size = 639144024704, protection = PAGE_READONLY	1	Fn
CREATE_MAPPING	Nameless FileMapping	file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\servicing\trustedinstaller.exe, maximum_size = 0, protection = PAGE_READONLY	1	Fn
CREATE_MAPPING	Nameless FileMapping	file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\agp.pnf, maximum_size = 639144024192, protection = PAGE_READONLY	1	Fn
CREATE_MAPPING	Nameless FileMapping	file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\uaspstor.inf, maximum_size = 639144024704, protection = PAGE_READONLY	1	Fn
CREATE_MAPPING	Nameless FileMapping	file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\driverstore\en-us\uaspstor.inf_loc, maximum_size = 639144024704, protection = PAGE_READONLY	1	Fn
CREATE_MAPPING	Nameless FileMapping	file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\uefi.inf, maximum_size = 639144024704, protection = PAGE_READONLY	1	Fn
CREATE_MAPPING	Nameless FileMapping	file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\driverstore\en-us\uefi.inf_loc, maximum_size = 639144024704, protection = PAGE_READONLY	1	Fn
CREATE_MAPPING	Nameless FileMapping	file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\umbus.inf, maximum_size = 639144024704, protection = PAGE_READONLY	1	Fn
CREATE_MAPPING	Nameless FileMapping	file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\driverstore\en-us\umbus.inf_loc, maximum_size = 639144024704, protection = PAGE_READONLY	1	Fn
CREATE_MAPPING	Nameless FileMapping	file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\umpass.inf, maximum_size = 639144024704, protection = PAGE_READONLY	1	Fn
CREATE_MAPPING	Nameless FileMapping	file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\driverstore\en-us\umpass.inf_loc, maximum_size = 639144024704, protection = PAGE_READONLY	1	Fn
CREATE_MAPPING	Nameless FileMapping	file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\usb.inf, maximum_size = 639144024704, protection = PAGE_READONLY	1	Fn
CREATE_MAPPING	Nameless FileMapping	file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\driverstore\en-us\usb.inf_loc, maximum_size = 639144024704, protection = PAGE_READONLY	1	Fn
CREATE_MAPPING	Nameless FileMapping	file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\usbport.inf, maximum_size = 639144024704, protection = PAGE_READONLY	1	Fn
CREATE_MAPPING	Nameless FileMapping	file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\driverstore\en-us\usbport.inf_loc, maximum_size = 639144024704, protection = PAGE_READONLY	1	Fn
CREATE_MAPPING	Nameless FileMapping	file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\usbport.pnf, maximum_size = 639144024192, protection = PAGE_READONLY	3	Fn
CREATE_MAPPING	Nameless FileMapping	file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\usbhub3.inf, maximum_size = 639144024704, protection = PAGE_READONLY	1	Fn
CREATE_MAPPING	Nameless FileMapping	file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\driverstore\en-us\usbhub3.inf_loc, maximum_size = 639144024704, protection = PAGE_READONLY	1	Fn
CREATE_MAPPING	Nameless FileMapping	file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\usbstor.inf, maximum_size = 639144024704, protection = PAGE_READONLY	1	Fn
CREATE_MAPPING	Nameless FileMapping	file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\driverstore\en-us\usbstor.inf_loc, maximum_size = 639144024704, protection = PAGE_READONLY	1	Fn
CREATE_MAPPING	Nameless FileMapping	file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\usbxhci.inf, maximum_size = 639144024704, protection = PAGE_READONLY	1	Fn
CREATE_MAPPING	Nameless FileMapping	file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\driverstore\en-us\usbxhci.inf_loc, maximum_size = 639144024704, protection = PAGE_READONLY	1	Fn
CREATE_MAPPING	Nameless FileMapping	file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\vdrvroot.inf, maximum_size = 639144024704, protection = PAGE_READONLY	1	Fn
CREATE_MAPPING	Nameless FileMapping	file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\driverstore\en-us\vdrvroot.inf_loc, maximum_size = 639144024704, protection = PAGE_READONLY	1	Fn
CREATE_MAPPING	Nameless FileMapping	file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\vds.exe, maximum_size = 0, protection = PAGE_READONLY	1	Fn
CREATE_MAPPING	Nameless FileMapping	file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\drivers\verifierext.sys, maximum_size = 0, protection = PAGE_READONLY	1	Fn
CREATE_MAPPING	Nameless FileMapping	file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\vmbusres.dll, maximum_size = 0, protection = PAGE_READONLY	1	Fn
CREATE_MAPPING	Nameless FileMapping	file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\volmgr.inf, maximum_size = 639144024704, protection = PAGE_READONLY	1	Fn
CREATE_MAPPING	Nameless FileMapping	file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\driverstore\en-us\volmgr.inf_loc, maximum_size = 639144024704, protection = PAGE_READONLY	1	Fn
CREATE_MAPPING	Nameless FileMapping	file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\drivers\volmgrx.sys, maximum_size = 0, protection = PAGE_READONLY	1	Fn
CREATE_MAPPING	Nameless FileMapping	file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\volume.inf, maximum_size = 639144024704, protection = PAGE_READONLY	1	Fn
CREATE_MAPPING	Nameless FileMapping	file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\driverstore\en-us\volume.inf_loc, maximum_size = 639144024704, protection = PAGE_READONLY	1	Fn
CREATE_MAPPING	Nameless FileMapping	file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\vssvc.exe, maximum_size = 0, protection = PAGE_READONLY	1	Fn
CREATE_MAPPING	Nameless FileMapping	file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\vstxraid.inf, maximum_size = 639144024704, protection = PAGE_READONLY	1	Fn
CREATE_MAPPING	Nameless FileMapping	file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\driverstore\en-us\vstxraid.inf_loc, maximum_size = 639144024704, protection = PAGE_READONLY	1	Fn
CREATE_MAPPING	Nameless FileMapping	file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\w32time.dll, maximum_size = 0, protection = PAGE_READONLY	1	Fn
CREATE_MAPPING	Nameless FileMapping	file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\hiddigi.inf, maximum_size = 639144024704, protection = PAGE_READONLY	1	Fn
CREATE_MAPPING	Nameless FileMapping	file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\driverstore\en-us\hiddigi.inf_loc, maximum_size = 639144024704, protection = PAGE_READONLY	1	Fn
CREATE_MAPPING	Nameless FileMapping	file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\wbengine.exe, maximum_size = 0, protection = PAGE_READONLY	1	Fn
CREATE_MAPPING	Nameless FileMapping	file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\drivers\wdf01000.sys, maximum_size = 0, protection = PAGE_READONLY	1	Fn
CREATE_MAPPING	Nameless FileMapping	file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\winhttp.dll, maximum_size = 0, protection = PAGE_READONLY	1	Fn
CREATE_MAPPING	Nameless FileMapping	file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\wbem\wmisvc.dll, maximum_size = 0, protection = PAGE_READONLY	1	Fn
CREATE_MAPPING	Nameless FileMapping	file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\wmiacpi.inf, maximum_size = 639144024704, protection = PAGE_READONLY	1	Fn
CREATE_MAPPING	Nameless FileMapping	file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\driverstore\en-us\wmiacpi.inf_loc, maximum_size = 639144024704, protection = PAGE_READONLY	1	Fn
CREATE_MAPPING	Nameless FileMapping	file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\wbem\wmiapsrv.exe, maximum_size = 0, protection = PAGE_READONLY	1	Fn
CREATE_MAPPING	Nameless FileMapping	file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\drivers\ws2ifsl.sys, maximum_size = 0, protection = PAGE_READONLY	1	Fn
MAP	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\services.exe	os_pid = 0x1ac, address = 0x94cfff0000	141	Fn
MAP	Nameless FileMapping	process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134, address = 0x94cfff0000	13	Fn
MAP	Nameless FileMapping	process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134, address = 0x94cfff0000	66	Fn
MAP	Nameless FileMapping	process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134, address = 0x94d01c0000	1	Fn
MAP	Nameless FileMapping	process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134, address = 0x94cfff0000	19	Fn
MAP	Nameless FileMapping	process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134, address = 0xfe90000	1	Fn
MAP	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\services.exe	os_pid = 0x1ac, address = 0x94d04a0000	1	Fn
MAP	Nameless FileMapping	process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134, address = 0x94d04a0000	1	Fn
MAP	Nameless FileMapping	process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134, address = 0x94cfff0000	1	Fn
MAP	Nameless FileMapping	process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134, address = 0x94cfff0000	3	Fn
MAP	Nameless FileMapping	process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134, address = 0x94cfff0000	5	Fn
MAP	Nameless FileMapping	process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134, address = 0x94cfff0000	1	Fn
MAP	Nameless FileMapping	process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134, address = 0x94cfff0000	2	Fn
MAP	Nameless FileMapping	process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134, address = 0x94d07a0000	1	Fn
MAP	Nameless FileMapping	process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134, address = 0xfe90000	1	Fn
MAP	Nameless FileMapping	process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134, address = 0x94cfff0000	1	Fn
MAP	Nameless FileMapping	process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134, address = 0x94d07a0000	2	Fn
MAP	Nameless FileMapping	process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134, address = 0x94d07a0000	1	Fn
MAP	Nameless FileMapping	process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134, address = 0x94cfff0000	3	Fn
MAP	Nameless FileMapping	process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134, address = 0x94cfff0000	6	Fn
MAP	Nameless FileMapping	process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134, address = 0x94d0050000	1	Fn
MAP	Nameless FileMapping	process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134, address = 0x94cfff0000	6	Fn
MAP	Nameless FileMapping	process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134, address = 0x94d07a0000	1	Fn
MAP	Nameless FileMapping	process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134, address = 0x94cfff0000	1	Fn
MAP	Nameless FileMapping	process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134, address = 0x94cfff0000	1	Fn
MAP	Nameless FileMapping	process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134, address = 0x94cfff0000	1	Fn
MAP	Nameless FileMapping	process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134, address = 0xfe90000	1	Fn
MAP	Nameless FileMapping	process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134, address = 0x94d07a0000	1	Fn
MAP	Nameless FileMapping	process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134, address = 0xfe90000	1	Fn
MAP	Nameless FileMapping	process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134, address = 0xfe90000	2	Fn
MAP	Nameless FileMapping	process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134, address = 0xfe90000	1	Fn
MAP	Nameless FileMapping	process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134, address = 0xfe90000	1	Fn
MAP	Nameless FileMapping	process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134, address = 0xfe90000	1	Fn
MAP	Nameless FileMapping	process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134, address = 0x94cfff0000	1	Fn
MAP	Nameless FileMapping	process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134, address = 0x94cfff0000	1	Fn
MAP	Nameless FileMapping	process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134, address = 0x94cfff0000	1	Fn
MAP	Nameless FileMapping	process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134, address = 0x94cfff0000	3	Fn
MAP	Nameless FileMapping	process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134, address = 0x94cfff0000	1	Fn
MAP	Nameless FileMapping	process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134, address = 0x94d07a0000	1	Fn
MAP	Nameless FileMapping	process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134, address = 0x94cfff0000	1	Fn
MAP	Nameless FileMapping	process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134, address = 0x94cfff0000	1	Fn
MAP	Nameless FileMapping	process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134, address = 0x94cfff0000	1	Fn
MAP	Nameless FileMapping	process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134, address = 0x94d0050000	3	Fn
MAP	Nameless FileMapping	process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134, address = 0x94cfff0000	1	Fn
MAP	Nameless FileMapping	process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134, address = 0x94d07a0000	1	Fn
MAP	Nameless FileMapping	process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134, address = 0x94cfff0000	5	Fn
MAP	Nameless FileMapping	process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134, address = 0x94cfff0000	3	Fn
MAP	Nameless FileMapping	process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134, address = 0xfe90000	1	Fn
MAP	Nameless FileMapping	process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134, address = 0x94d07a0000	2	Fn
MAP	Nameless FileMapping	process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134, address = 0xfe90000	1	Fn
MAP	Nameless FileMapping	process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134, address = 0x94cfff0000	1	Fn
MAP	Nameless FileMapping	process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134, address = 0xfe90000	1	Fn
MAP	Nameless FileMapping	process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134, address = 0xfe90000	1	Fn
MAP	Nameless FileMapping	process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134, address = 0xfe90000	2	Fn
MAP	Nameless FileMapping	process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134, address = 0xfe90000	1	Fn
MAP	Nameless FileMapping	process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134, address = 0x94d07a0000	1	Fn
MAP	Nameless FileMapping	process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134, address = 0x94cfff0000	1	Fn
MAP	Nameless FileMapping	process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134, address = 0x94d0050000	1	Fn
MAP	Nameless FileMapping	process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134, address = 0x94cfff0000	1	Fn
MAP	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\services.exe	os_pid = 0x1ac, address = 0x94d07a0000	3	Fn
MAP	Nameless FileMapping	process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134, address = 0x94d07a0000	3	Fn
MAP	Nameless FileMapping	process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134, address = 0x94cfff0000	4	Fn
MAP	Nameless FileMapping	process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134, address = 0xfe90000	1	Fn
MAP	Nameless FileMapping	process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134, address = 0xfe90000	1	Fn
MAP	Nameless FileMapping	process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134, address = 0x94d0050000	1	Fn
MAP	Nameless FileMapping	process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134, address = 0x94cfff0000	1	Fn
MAP	Nameless FileMapping	process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134, address = 0x94cfff0000	2	Fn
MAP	Nameless FileMapping	process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134, address = 0x94d07a0000	1	Fn
MAP	Nameless FileMapping	process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134, address = 0x94cfff0000	1	Fn
MAP	Nameless FileMapping	process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134, address = 0x94cfff0000	1	Fn
MAP	Nameless FileMapping	process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134, address = 0x94d07a0000	1	Fn
MAP	Nameless FileMapping	process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134, address = 0x94cfff0000	2	Fn
MAP	Nameless FileMapping	process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134, address = 0x94cfff0000	1	Fn
MAP	Nameless FileMapping	process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134, address = 0x94cfff0000	1	Fn
MAP	Nameless FileMapping	process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134, address = 0x94d07a0000	1	Fn
MAP	Nameless FileMapping	process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134, address = 0x94cfff0000	1	Fn
MAP	Nameless FileMapping	process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134, address = 0xfe90000	1	Fn
MAP	Nameless FileMapping	process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134, address = 0x94cfff0000	1	Fn
MAP	Nameless FileMapping	process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134, address = 0x94cfff0000	1	Fn
MAP	Nameless FileMapping	process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134, address = 0x94cfff0000	3	Fn
MAP	Nameless FileMapping	process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134, address = 0x94d07a0000	1	Fn
MAP	Nameless FileMapping	process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134, address = 0xfe90000	1	Fn
MAP	Nameless FileMapping	process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134, address = 0x94cfff0000	1	Fn
MAP	Nameless FileMapping	process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134, address = 0xfe90000	1	Fn
MAP	Nameless FileMapping	process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134, address = 0x94d07a0000	1	Fn
MAP	Nameless FileMapping	process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134, address = 0x94d0050000	1	Fn
MAP	Nameless FileMapping	process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134, address = 0x94d07a0000	1	Fn
MAP	Nameless FileMapping	process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134, address = 0xfe90000	1	Fn
MAP	Nameless FileMapping	process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134, address = 0x94d07a0000	1	Fn
MAP	Nameless FileMapping	process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134, address = 0x94cfff0000	1	Fn
UNMAP	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\services.exe	os_pid = 0x1ac	145	Fn
UNMAP	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe	os_pid = 0x134, base_address = 0xfe90000	22	Fn
UNMAP	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe	os_pid = 0x134, base_address = 0x94d07a0000	18	Fn
UNMAP	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe	os_pid = 0x134, base_address = 0x94cfff0000	31	Fn
UNMAP	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe	os_pid = 0x134, base_address = 0x94d0050000	7	Fn
GET_PROC_ADDRESS		address_out = 0x7ffb70a14450	1	Fn
GET_PROC_ADDRESS		address_out = 0x7ffb73af9360	1	Fn
GET_PROC_ADDRESS		address_out = 0x7ffb73a7f1a0	1	Fn
GET_PROC_ADDRESS		address_out = 0x7ffb7177b660	1	Fn
GET_PROC_ADDRESS		address_out = 0x7ffb7415d1b0	1	Fn
GET_PROC_ADDRESS		address_out = 0x7ffb7416bc00	1	Fn
GET_PROC_ADDRESS		address_out = 0x7ffb74174670	1	Fn

Service (6)

Operation	Service	Additional Information	Amount	Logfile
OPEN_MGR	SERVICES_ACTIVE_DATABASE	host = Localhost	1	Fn
OPEN			1	Fn
GET_INFO		type = Status	4	Fn

Registry (1380)

Operation	Key	Additional Information	Amount	Logfile
CREATE_KEY	\Registry\Machine\SYSTEM\CurrentControlSet\Control\MUI\StringCacheSettings\Software\Classes\Local Settings\MuiCache\1\52C64B7E		1	Fn
CREATE_KEY	\Registry\Machine\SYSTEM\CurrentControlSet\Control\MUI\StringCacheSettings\Software\Classes\Local Settings\MuiCache\1		1	Fn
CREATE_KEY	\Registry\Machine\SYSTEM\CurrentControlSet\Control\MUI\StringCacheSettings\Software\Classes\Local Settings\MuiCache\Software\Classes\Local Settings\MuiCache\1\52C64B7E		1	Fn
CREATE_KEY			4	Fn
CREATE_KEY	Software\Microsoft\SystemCertificates		2	Fn
CREATE_KEY	Software\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-20		1	Fn
CREATE_KEY	Software\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-19		1	Fn
OPEN_KEY			26	Fn
OPEN_KEY	\Registry\Machine\System\CurrentControlSet\Control\ComputerName\ActiveComputerName		10	Fn
OPEN_KEY	\Registry\Machine\System\Setup		5	Fn
OPEN_KEY			435	Fn
OPEN_KEY	\Registry\Machine\System\CurrentControlSet\Control\Nls\Sorting\Versions		1	Fn
OPEN_KEY	\Registry\Machine\System\CurrentControlSet\Control\Nls\CustomLocale		1	Fn
OPEN_KEY	\Registry\Machine\System\CurrentControlSet\Control\Nls\ExtendedLocale		1	Fn
OPEN_KEY	\Registry\Machine\System\CurrentControlSet\Control\Nls\Sorting\Ids		1	Fn
OPEN_KEY	\Registry\Machine\SYSTEM\CurrentControlSet\Control\MUI\StringCacheSettings		79	Fn
OPEN_KEY	\Registry\Machine\SYSTEM\CurrentControlSet\Control\MUI\StringCacheSettings\Software\Classes\Local Settings\MuiCache\1\52C64B7E		1	Fn
OPEN_KEY	\Registry\Machine\SYSTEM\CurrentControlSet\Control\MUI\StringCacheSettings\Software\Classes\Local Settings\MuiCache		1	Fn
OPEN_KEY	\Registry\Machine\SYSTEM\CurrentControlSet\Control\MUI\StringCacheSettings\Software\Classes\Local Settings\MuiCache\Software\Classes\Local Settings\MuiCache\1\52C64B7E		1	Fn
OPEN_KEY	Control Panel\International		1	Fn
OPEN_KEY	\Registry\Machine\SYSTEM\CurrentControlSet\Control\MUI\StringCacheSettings\Software\Classes\Local Settings\MuiCache\1\52C64B7E		78	Fn
OPEN_KEY	\Registry\Machine\System\CurrentControlSet\Control\Nls\Locale		1	Fn
OPEN_KEY	\Registry\Machine\System\CurrentControlSet\Control\Nls\Locale\Alternate Sorts		1	Fn
OPEN_KEY	\Registry\Machine\System\CurrentControlSet\Control\Nls\Language Groups		1	Fn
OPEN_KEY	\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager\AppCertDlls		1	Fn
OPEN_KEY	\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option		1	Fn
OPEN_KEY	\Registry\MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide		3	Fn
OPEN_KEY	\Registry\Machine\Software\Microsoft\Windows\Windows Error Reporting\WMR		1	Fn
READ_VALUE	\Registry\Machine\System\CurrentControlSet\Control\ComputerName\ActiveComputerName	value_name = ComputerName	10	Fn
READ_VALUE	\Registry\Machine\System\Setup	value_name = OOBEInProgress	1	Fn
READ_VALUE	\Registry\Machine\System\Setup	value_name = SystemSetupInProgress	1	Fn
READ_VALUE	\Registry\Machine\System\CurrentControlSet\Control\Nls\Sorting\Versions	value_name = 639144026960	1	Fn
READ_VALUE			15	Fn
READ_VALUE		value_name = RpcCacheTimeout	1	Fn
READ_VALUE		value_name = EnableTakeOwnershipEvent	1	Fn
READ_VALUE		value_name = RpcOverTcpKeepAliveTimes	1	Fn
READ_VALUE	\Registry\Machine\System\CurrentControlSet\Control\Nls\CustomLocale	value_name = en-US	1	Fn
READ_VALUE	\Registry\Machine\System\CurrentControlSet\Control\Nls\ExtendedLocale	value_name = en-US	1	Fn
READ_VALUE	\Registry\Machine\System\CurrentControlSet\Control\Nls\Sorting\Versions	value_name = 000602xx	1	Fn
READ_VALUE	\Registry\Machine\System\CurrentControlSet\Control\Nls\Sorting\Ids	value_name = en-US	1	Fn
READ_VALUE	\Registry\Machine\System\CurrentControlSet\Control\Nls\Sorting\Ids	value_name = en	1	Fn
READ_VALUE			165	Fn
READ_VALUE		value_name = DisplayName	79	Fn
READ_VALUE	\Registry\Machine\SYSTEM\CurrentControlSet\Control\MUI\StringCacheSettings	value_name = StringCacheGeneration	79	Fn
READ_VALUE	\Registry\Machine\SYSTEM\CurrentControlSet\Control\MUI\StringCacheSettings\Software\Classes\Local Settings\MuiCache\Software\Classes\Local Settings\MuiCache\1\52C64B7E	value_name = @%systemroot%\system32\drivers\afd.sys,-1000	1	Fn
READ_VALUE	Control Panel\International		1	Fn
READ_VALUE	Control Panel\International		1	Fn
READ_VALUE	Control Panel\International	value_name = sCurrencyOverride	1	Fn
READ_VALUE	\Registry\Machine\SYSTEM\CurrentControlSet\Control\MUI\StringCacheSettings\Software\Classes\Local Settings\MuiCache\1\52C64B7E	value_name = @%SystemRoot%\system32\bfe.dll,-1001	1	Fn
READ_VALUE	\Registry\Machine\SYSTEM\CurrentControlSet\Control\MUI\StringCacheSettings\Software\Classes\Local Settings\MuiCache\1\52C64B7E	value_name = @%SystemRoot%\system32\drivers\clfs.sys,-100	1	Fn
READ_VALUE	\Registry\Machine\SYSTEM\CurrentControlSet\Control\MUI\StringCacheSettings\Software\Classes\Local Settings\MuiCache\1\52C64B7E	value_name = @%SystemRoot%\system32\cryptsvc.dll,-1001	1	Fn
READ_VALUE	\Registry\Machine\SYSTEM\CurrentControlSet\Control\MUI\StringCacheSettings\Software\Classes\Local Settings\MuiCache\1\52C64B7E	value_name = @combase.dll,-5012	1	Fn
READ_VALUE	\Registry\Machine\SYSTEM\CurrentControlSet\Control\MUI\StringCacheSettings\Software\Classes\Local Settings\MuiCache\1\52C64B7E	value_name = @%SystemRoot%\system32\defragsvc.dll,-101	1	Fn
READ_VALUE	\Registry\Machine\SYSTEM\CurrentControlSet\Control\MUI\StringCacheSettings\Software\Classes\Local Settings\MuiCache\1\52C64B7E	value_name = @%SystemRoot%\system32\umpnpmgr.dll,-100	1	Fn
READ_VALUE	\Registry\Machine\SYSTEM\CurrentControlSet\Control\MUI\StringCacheSettings\Software\Classes\Local Settings\MuiCache\1\52C64B7E	value_name = @%systemroot%\system32\wkssvc.dll,-1008	1	Fn
READ_VALUE	\Registry\Machine\SYSTEM\CurrentControlSet\Control\MUI\StringCacheSettings\Software\Classes\Local Settings\MuiCache\1\52C64B7E	value_name = @%SystemRoot%\system32\dhcpcore.dll,-100	1	Fn
READ_VALUE	\Registry\Machine\SYSTEM\CurrentControlSet\Control\MUI\StringCacheSettings\Software\Classes\Local Settings\MuiCache\1\52C64B7E	value_name = @%SystemRoot%\System32\dnsapi.dll,-101	1	Fn
READ_VALUE	\Registry\Machine\SYSTEM\CurrentControlSet\Control\MUI\StringCacheSettings\Software\Classes\Local Settings\MuiCache\1\52C64B7E	value_name = @%systemroot%\system32\eapsvc.dll,-1	1	Fn
READ_VALUE	\Registry\Machine\SYSTEM\CurrentControlSet\Control\MUI\StringCacheSettings\Software\Classes\Local Settings\MuiCache\1\52C64B7E	value_name = @%SystemRoot%\system32\efssvc.dll,-100	1	Fn
READ_VALUE	\Registry\Machine\SYSTEM\CurrentControlSet\Control\MUI\StringCacheSettings\Software\Classes\Local Settings\MuiCache\1\52C64B7E	value_name = @%SystemRoot%\system32\drivers\EhStorClass.sys,-100	1	Fn
READ_VALUE	\Registry\Machine\SYSTEM\CurrentControlSet\Control\MUI\StringCacheSettings\Software\Classes\Local Settings\MuiCache\1\52C64B7E	value_name = @%SystemRoot%\system32\wevtsvc.dll,-200	1	Fn
READ_VALUE	\Registry\Machine\SYSTEM\CurrentControlSet\Control\MUI\StringCacheSettings\Software\Classes\Local Settings\MuiCache\1\52C64B7E	value_name = @%SystemRoot%\system32\drivers\fileinfo.sys,-100	1	Fn
READ_VALUE	\Registry\Machine\SYSTEM\CurrentControlSet\Control\MUI\StringCacheSettings\Software\Classes\Local Settings\MuiCache\1\52C64B7E	value_name = @%SystemRoot%\system32\drivers\filetrace.sys,-10001	1	Fn
READ_VALUE	\Registry\Machine\SYSTEM\CurrentControlSet\Control\MUI\StringCacheSettings\Software\Classes\Local Settings\MuiCache\1\52C64B7E	value_name = @%SystemRoot%\system32\drivers\fltmgr.sys,-10001	1	Fn
READ_VALUE	\Registry\Machine\SYSTEM\CurrentControlSet\Control\MUI\StringCacheSettings\Software\Classes\Local Settings\MuiCache\1\52C64B7E	value_name = @%SystemRoot%\system32\drivers\fsdepends.sys,-10001	1	Fn
READ_VALUE	\Registry\Machine\SYSTEM\CurrentControlSet\Control\MUI\StringCacheSettings\Software\Classes\Local Settings\MuiCache\1\52C64B7E	value_name = @%SystemRoot%\system32\drivers\fvevol.sys,-100	1	Fn
READ_VALUE	\Registry\Machine\SYSTEM\CurrentControlSet\Control\MUI\StringCacheSettings\Software\Classes\Local Settings\MuiCache\1\52C64B7E	value_name = @gpapi.dll,-112	1	Fn
READ_VALUE	\Registry\Machine\SYSTEM\CurrentControlSet\Control\MUI\StringCacheSettings\Software\Classes\Local Settings\MuiCache\1\52C64B7E	value_name = @%SystemRoot%\System32\hidserv.dll,-101	1	Fn
READ_VALUE	\Registry\Machine\SYSTEM\CurrentControlSet\Control\MUI\StringCacheSettings\Software\Classes\Local Settings\MuiCache\1\52C64B7E	value_name = @%SystemRoot%\system32\ikeext.dll,-501	1	Fn
READ_VALUE	\Registry\Machine\SYSTEM\CurrentControlSet\Control\MUI\StringCacheSettings\Software\Classes\Local Settings\MuiCache\1\52C64B7E	value_name = @keyiso.dll,-100	1	Fn
READ_VALUE	\Registry\Machine\SYSTEM\CurrentControlSet\Control\MUI\StringCacheSettings\Software\Classes\Local Settings\MuiCache\1\52C64B7E	value_name = @%systemroot%\system32\srvsvc.dll,-100	1	Fn
READ_VALUE	\Registry\Machine\SYSTEM\CurrentControlSet\Control\MUI\StringCacheSettings\Software\Classes\Local Settings\MuiCache\1\52C64B7E	value_name = @%systemroot%\system32\wkssvc.dll,-100	1	Fn
READ_VALUE	\Registry\Machine\SYSTEM\CurrentControlSet\Control\MUI\StringCacheSettings\Software\Classes\Local Settings\MuiCache\1\52C64B7E	value_name = @%SystemRoot%\system32\lmhsvc.dll,-101	1	Fn
READ_VALUE	\Registry\Machine\SYSTEM\CurrentControlSet\Control\MUI\StringCacheSettings\Software\Classes\Local Settings\MuiCache\1\52C64B7E	value_name = @%windir%\system32\lsm.dll,-1001	1	Fn
READ_VALUE	\Registry\Machine\SYSTEM\CurrentControlSet\Control\MUI\StringCacheSettings\Software\Classes\Local Settings\MuiCache\1\52C64B7E	value_name = @%SystemRoot%\system32\drivers\mountmgr.sys,-100	1	Fn
READ_VALUE	\Registry\Machine\SYSTEM\CurrentControlSet\Control\MUI\StringCacheSettings\Software\Classes\Local Settings\MuiCache\1\52C64B7E	value_name = @%SystemRoot%\system32\FirewallAPI.dll,-23092	1	Fn
READ_VALUE	\Registry\Machine\SYSTEM\CurrentControlSet\Control\MUI\StringCacheSettings\Software\Classes\Local Settings\MuiCache\1\52C64B7E	value_name = @%SystemRoot%\system32\FirewallAPI.dll,-23090	1	Fn
READ_VALUE	\Registry\Machine\SYSTEM\CurrentControlSet\Control\MUI\StringCacheSettings\Software\Classes\Local Settings\MuiCache\1\52C64B7E	value_name = @%systemroot%\system32\wkssvc.dll,-1002	1	Fn
READ_VALUE	\Registry\Machine\SYSTEM\CurrentControlSet\Control\MUI\StringCacheSettings\Software\Classes\Local Settings\MuiCache\1\52C64B7E	value_name = @%systemroot%\system32\wkssvc.dll,-1004	1	Fn
READ_VALUE	\Registry\Machine\SYSTEM\CurrentControlSet\Control\MUI\StringCacheSettings\Software\Classes\Local Settings\MuiCache\1\52C64B7E	value_name = @%systemroot%\system32\wkssvc.dll,-1006	1	Fn
READ_VALUE	\Registry\Machine\SYSTEM\CurrentControlSet\Control\MUI\StringCacheSettings\Software\Classes\Local Settings\MuiCache\1\52C64B7E	value_name = @%SystemRoot%\system32\drivers\mshidkmdf.sys,-100	1	Fn
READ_VALUE	\Registry\Machine\SYSTEM\CurrentControlSet\Control\MUI\StringCacheSettings\Software\Classes\Local Settings\MuiCache\1\52C64B7E	value_name = @%SystemRoot%\system32\iscsidsc.dll,-5000	1	Fn
READ_VALUE	\Registry\Machine\SYSTEM\CurrentControlSet\Control\MUI\StringCacheSettings\Software\Classes\Local Settings\MuiCache\1\52C64B7E	value_name = @%systemroot%\system32\drivers\mup.sys,-101	1	Fn
READ_VALUE	\Registry\Machine\SYSTEM\CurrentControlSet\Control\MUI\StringCacheSettings\Software\Classes\Local Settings\MuiCache\1\52C64B7E	value_name = @%SystemRoot%\system32\drivers\ndis.sys,-200	1	Fn
READ_VALUE	\Registry\Machine\SYSTEM\CurrentControlSet\Control\MUI\StringCacheSettings\Software\Classes\Local Settings\MuiCache\1\52C64B7E	value_name = @%SystemRoot%\System32\drivers\NdisVirtualBus.sys,-200	1	Fn
READ_VALUE	\Registry\Machine\SYSTEM\CurrentControlSet\Control\MUI\StringCacheSettings\Software\Classes\Local Settings\MuiCache\1\52C64B7E	value_name = @%SystemRoot%\system32\drivers\netbt.sys,-2	1	Fn
READ_VALUE	\Registry\Machine\SYSTEM\CurrentControlSet\Control\MUI\StringCacheSettings\Software\Classes\Local Settings\MuiCache\1\52C64B7E	value_name = @%SystemRoot%\System32\netlogon.dll,-102	1	Fn
READ_VALUE	\Registry\Machine\SYSTEM\CurrentControlSet\Control\MUI\StringCacheSettings\Software\Classes\Local Settings\MuiCache\1\52C64B7E	value_name = @%SystemRoot%\system32\netman.dll,-109	1	Fn
READ_VALUE	\Registry\Machine\SYSTEM\CurrentControlSet\Control\MUI\StringCacheSettings\Software\Classes\Local Settings\MuiCache\1\52C64B7E	value_name = @%SystemRoot%\System32\nlasvc.dll,-1	1	Fn
READ_VALUE	\Registry\Machine\SYSTEM\CurrentControlSet\Control\MUI\StringCacheSettings\Software\Classes\Local Settings\MuiCache\1\52C64B7E	value_name = @%SystemRoot%\system32\nsisvc.dll,-200	1	Fn
READ_VALUE	\Registry\Machine\SYSTEM\CurrentControlSet\Control\MUI\StringCacheSettings\Software\Classes\Local Settings\MuiCache\1\52C64B7E	value_name = @%SystemRoot%\system32\drivers\nsiproxy.sys,-2	1	Fn
READ_VALUE	\Registry\Machine\SYSTEM\CurrentControlSet\Control\MUI\StringCacheSettings\Software\Classes\Local Settings\MuiCache\1\52C64B7E	value_name = @%SystemRoot%\system32\drivers\partmgr.sys,-100	1	Fn
READ_VALUE	\Registry\Machine\SYSTEM\CurrentControlSet\Control\MUI\StringCacheSettings\Software\Classes\Local Settings\MuiCache\1\52C64B7E	value_name = @%SystemRoot%\system32\drivers\pdc.sys,-100	1	Fn
READ_VALUE	\Registry\Machine\SYSTEM\CurrentControlSet\Control\MUI\StringCacheSettings\Software\Classes\Local Settings\MuiCache\1\52C64B7E	value_name = @%SystemRoot%\system32\umpnpmgr.dll,-200	1	Fn
READ_VALUE	\Registry\Machine\SYSTEM\CurrentControlSet\Control\MUI\StringCacheSettings\Software\Classes\Local Settings\MuiCache\1\52C64B7E	value_name = @%SystemRoot%\System32\polstore.dll,-5010	1	Fn
READ_VALUE	\Registry\Machine\SYSTEM\CurrentControlSet\Control\MUI\StringCacheSettings\Software\Classes\Local Settings\MuiCache\1\52C64B7E	value_name = @%SystemRoot%\system32\umpo.dll,-100	1	Fn
READ_VALUE	\Registry\Machine\SYSTEM\CurrentControlSet\Control\MUI\StringCacheSettings\Software\Classes\Local Settings\MuiCache\1\52C64B7E	value_name = @%systemroot%\system32\profsvc.dll,-300	1	Fn
READ_VALUE	\Registry\Machine\SYSTEM\CurrentControlSet\Control\MUI\StringCacheSettings\Software\Classes\Local Settings\MuiCache\1\52C64B7E	value_name = @%Systemroot%\system32\rasauto.dll,-200	1	Fn
READ_VALUE	\Registry\Machine\SYSTEM\CurrentControlSet\Control\MUI\StringCacheSettings\Software\Classes\Local Settings\MuiCache\1\52C64B7E	value_name = @%Systemroot%\system32\rasmans.dll,-200	1	Fn
READ_VALUE	\Registry\Machine\SYSTEM\CurrentControlSet\Control\MUI\StringCacheSettings\Software\Classes\Local Settings\MuiCache\1\52C64B7E	value_name = @%systemroot%\system32\wkssvc.dll,-1000	1	Fn
READ_VALUE	\Registry\Machine\SYSTEM\CurrentControlSet\Control\MUI\StringCacheSettings\Software\Classes\Local Settings\MuiCache\1\52C64B7E	value_name = @%windir%\system32\RpcEpMap.dll,-1001	1	Fn
READ_VALUE	\Registry\Machine\SYSTEM\CurrentControlSet\Control\MUI\StringCacheSettings\Software\Classes\Local Settings\MuiCache\1\52C64B7E	value_name = @combase.dll,-5010	1	Fn
READ_VALUE	\Registry\Machine\SYSTEM\CurrentControlSet\Control\MUI\StringCacheSettings\Software\Classes\Local Settings\MuiCache\1\52C64B7E	value_name = @%systemroot%\system32\sacsvr.dll,-500	1	Fn
READ_VALUE	\Registry\Machine\SYSTEM\CurrentControlSet\Control\MUI\StringCacheSettings\Software\Classes\Local Settings\MuiCache\1\52C64B7E	value_name = @%SystemRoot%\system32\samsrv.dll,-1	1	Fn
READ_VALUE	\Registry\Machine\SYSTEM\CurrentControlSet\Control\MUI\StringCacheSettings\Software\Classes\Local Settings\MuiCache\1\52C64B7E	value_name = @%SystemRoot%\System32\smphost.dll,-102	1	Fn
READ_VALUE	\Registry\Machine\SYSTEM\CurrentControlSet\Control\MUI\StringCacheSettings\Software\Classes\Local Settings\MuiCache\1\52C64B7E	value_name = @%systemroot%\system32\srvsvc.dll,-102	1	Fn
READ_VALUE	\Registry\Machine\SYSTEM\CurrentControlSet\Control\MUI\StringCacheSettings\Software\Classes\Local Settings\MuiCache\1\52C64B7E	value_name = @%systemroot%\system32\srvsvc.dll,-104	1	Fn
READ_VALUE	\Registry\Machine\SYSTEM\CurrentControlSet\Control\MUI\StringCacheSettings\Software\Classes\Local Settings\MuiCache\1\52C64B7E	value_name = @%SystemRoot%\system32\sstpsvc.dll,-200	1	Fn
READ_VALUE	\Registry\Machine\SYSTEM\CurrentControlSet\Control\MUI\StringCacheSettings\Software\Classes\Local Settings\MuiCache\1\52C64B7E	value_name = @%SystemRoot%\system32\svsvc.dll,-101	1	Fn
READ_VALUE	\Registry\Machine\SYSTEM\CurrentControlSet\Control\MUI\StringCacheSettings\Software\Classes\Local Settings\MuiCache\1\52C64B7E	value_name = @%SystemRoot%\System32\swprv.dll,-103	1	Fn
READ_VALUE	\Registry\Machine\SYSTEM\CurrentControlSet\Control\MUI\StringCacheSettings\Software\Classes\Local Settings\MuiCache\1\52C64B7E	value_name = @%windir%\system32\SystemEventsBrokerServer.dll,-1001	1	Fn
READ_VALUE	\Registry\Machine\SYSTEM\CurrentControlSet\Control\MUI\StringCacheSettings\Software\Classes\Local Settings\MuiCache\1\52C64B7E	value_name = @%SystemRoot%\system32\drivers\tcpip.sys,-10001	1	Fn
READ_VALUE	\Registry\Machine\SYSTEM\CurrentControlSet\Control\MUI\StringCacheSettings\Software\Classes\Local Settings\MuiCache\1\52C64B7E	value_name = @%SystemRoot%\servicing\TrustedInstaller.exe,-100	1	Fn
READ_VALUE	\Registry\Machine\SYSTEM\CurrentControlSet\Control\MUI\StringCacheSettings\Software\Classes\Local Settings\MuiCache\1\52C64B7E	value_name = @%SystemRoot%\system32\vds.exe,-100	1	Fn
READ_VALUE	\Registry\Machine\SYSTEM\CurrentControlSet\Control\MUI\StringCacheSettings\Software\Classes\Local Settings\MuiCache\1\52C64B7E	value_name = @%SystemRoot%\system32\drivers\VerifierExt.sys,-1000	1	Fn
READ_VALUE	\Registry\Machine\SYSTEM\CurrentControlSet\Control\MUI\StringCacheSettings\Software\Classes\Local Settings\MuiCache\1\52C64B7E	value_name = @%SystemRoot%\system32\vmbusres.dll,-1000	1	Fn
READ_VALUE	\Registry\Machine\SYSTEM\CurrentControlSet\Control\MUI\StringCacheSettings\Software\Classes\Local Settings\MuiCache\1\52C64B7E	value_name = @%SystemRoot%\system32\drivers\volmgrx.sys,-100	1	Fn
READ_VALUE	\Registry\Machine\SYSTEM\CurrentControlSet\Control\MUI\StringCacheSettings\Software\Classes\Local Settings\MuiCache\1\52C64B7E	value_name = @%systemroot%\system32\vssvc.exe,-102	1	Fn
READ_VALUE	\Registry\Machine\SYSTEM\CurrentControlSet\Control\MUI\StringCacheSettings\Software\Classes\Local Settings\MuiCache\1\52C64B7E	value_name = @%SystemRoot%\system32\w32time.dll,-200	1	Fn
READ_VALUE	\Registry\Machine\SYSTEM\CurrentControlSet\Control\MUI\StringCacheSettings\Software\Classes\Local Settings\MuiCache\1\52C64B7E	value_name = @%systemroot%\system32\wbengine.exe,-104	1	Fn
READ_VALUE	\Registry\Machine\SYSTEM\CurrentControlSet\Control\MUI\StringCacheSettings\Software\Classes\Local Settings\MuiCache\1\52C64B7E	value_name = @%SystemRoot%\system32\drivers\Wdf01000.sys,-1000	1	Fn
READ_VALUE	\Registry\Machine\SYSTEM\CurrentControlSet\Control\MUI\StringCacheSettings\Software\Classes\Local Settings\MuiCache\1\52C64B7E	value_name = @%SystemRoot%\system32\winhttp.dll,-100	1	Fn
READ_VALUE	\Registry\Machine\SYSTEM\CurrentControlSet\Control\MUI\StringCacheSettings\Software\Classes\Local Settings\MuiCache\1\52C64B7E	value_name = @%Systemroot%\system32\wbem\wmisvc.dll,-205	1	Fn
READ_VALUE	\Registry\Machine\SYSTEM\CurrentControlSet\Control\MUI\StringCacheSettings\Software\Classes\Local Settings\MuiCache\1\52C64B7E	value_name = @%Systemroot%\system32\wbem\wmiapsrv.exe,-110	1	Fn
READ_VALUE	\Registry\Machine\SYSTEM\CurrentControlSet\Control\MUI\StringCacheSettings\Software\Classes\Local Settings\MuiCache\1\52C64B7E	value_name = @%systemroot%\System32\drivers\ws2ifsl.sys,-1000	1	Fn
READ_VALUE		value_name = MaxRpcSize	1	Fn
READ_VALUE		value_name = IdleTimerWindow	1	Fn
READ_VALUE		value_name = ServicesPipeTimeout	1	Fn
READ_VALUE		value_name = HandlerTimeout	1	Fn
READ_VALUE		value_name = DisableRemoteScmEndpoints	1	Fn
READ_VALUE	\Registry\Machine\System\CurrentControlSet\Control\Nls\Locale	value_name = 00000409	1	Fn
READ_VALUE	\Registry\Machine\System\CurrentControlSet\Control\Nls\Language Groups	value_name = 1	1	Fn
READ_VALUE		value_name = PolicyDebugLevel	1	Fn
READ_VALUE		value_name = PolicyLogSize	1	Fn
READ_VALUE		value_name = 10	1	Fn
READ_VALUE		value_name = SecurityProviders	1	Fn
READ_VALUE		value_name = CopyFileBufferedSynchronousIo	1	Fn
READ_VALUE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\security\	value_name = FatNtfsConvertedDrives	1	Fn
READ_VALUE		value_name = ProgramData	2	Fn
READ_VALUE		value_name = Public	2	Fn
READ_VALUE	\Registry\Machine\System\CurrentControlSet\Control\ComputerName\ActiveComputerName	value_name = Default	6	Fn
READ_VALUE	\Registry\Machine\System\CurrentControlSet\Control\ComputerName\ActiveComputerName	value_name = ProgramFilesDir	6	Fn
READ_VALUE	\Registry\Machine\System\CurrentControlSet\Control\ComputerName\ActiveComputerName	value_name = CommonFilesDir	6	Fn
READ_VALUE	\Registry\Machine\System\CurrentControlSet\Control\ComputerName\ActiveComputerName	value_name = ProgramFilesDir (x86)	6	Fn
READ_VALUE	\Registry\Machine\System\CurrentControlSet\Control\ComputerName\ActiveComputerName	value_name = CommonFilesDir (x86)	6	Fn
READ_VALUE	\Registry\Machine\System\CurrentControlSet\Control\ComputerName\ActiveComputerName	value_name = ProgramW6432Dir	6	Fn
READ_VALUE	\Registry\Machine\System\CurrentControlSet\Control\ComputerName\ActiveComputerName	value_name = CommonW6432Dir	6	Fn
READ_VALUE		value_name = ProfileImagePath	6	Fn
READ_VALUE		value_name = AppData	2	Fn
READ_VALUE		value_name = Local AppData	2	Fn
READ_VALUE	\Registry\Machine\System\Setup	value_name = 140717948767312	1	Fn
READ_VALUE	\Registry\MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide	value_name = PreferExternalManifest	3	Fn
READ_VALUE		value_name = SQMServiceList	1	Fn
READ_VALUE		value_name = ServiceStartTimeout	1	Fn
READ_VALUE	\Registry\Machine\Software\Microsoft\Windows\Windows Error Reporting\WMR	value_name = Disable	1	Fn
READ_VALUE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\serviceprofiles\networkservice	value_name = Default	2	Fn
READ_VALUE	Software\Microsoft\SystemCertificates	value_name = ProgramData	4	Fn
READ_VALUE	Software\Microsoft\SystemCertificates	value_name = Public	4	Fn
READ_VALUE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\users\default\appdata\roaming\	value_name = ProfileImagePath	2	Fn
READ_VALUE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\users\default\appdata\roaming\	value_name = AppData	2	Fn
READ_VALUE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\users\default\appdata\roaming\microsoft\	value_name = ProfileImagePath	4	Fn
READ_VALUE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\users\default\appdata\roaming\microsoft\	value_name = Local AppData	2	Fn
READ_VALUE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\users\default\appdata\roaming\microsoft\windows\	value_name = ProfileImagePath	4	Fn
READ_VALUE	\Registry\Machine\System\Setup	value_name = ShimEnable	2	Fn
READ_VALUE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\users\default\appdata\roaming\microsoft\windows\start menu\programs\	value_name = SystemUpdateOnBoot	1	Fn
READ_VALUE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\serviceprofiles\localservice	value_name = Default	2	Fn
READ_VALUE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\users\default\appdata\roaming\microsoft\	value_name = AppData	2	Fn
READ_VALUE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\users\default\appdata\roaming\microsoft\windows\	value_name = Local AppData	2	Fn
READ_VALUE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\users\default\appdata\roaming\microsoft\windows\templates\	value_name = ProfileImagePath	2	Fn
WRITE_VALUE	\Registry\Machine\SYSTEM\CurrentControlSet\Control\MUI\StringCacheSettings\Software\Classes\Local Settings\MuiCache\Software\Classes\Local Settings\MuiCache\1\52C64B7E	value_name = LanguageList, data = en-US	1	Fn
WRITE_VALUE	\Registry\Machine\SYSTEM\CurrentControlSet\Control\MUI\StringCacheSettings\Software\Classes\Local Settings\MuiCache\Software\Classes\Local Settings\MuiCache\1\52C64B7E	value_name = @%systemroot%\system32\drivers\afd.sys,-1000, data = Ancillary Function Driver for Winsock	1	Fn
WRITE_VALUE	\Registry\Machine\SYSTEM\CurrentControlSet\Control\MUI\StringCacheSettings\Software\Classes\Local Settings\MuiCache\1\52C64B7E	value_name = LanguageList, data = en-US	78	Fn
WRITE_VALUE	\Registry\Machine\SYSTEM\CurrentControlSet\Control\MUI\StringCacheSettings\Software\Classes\Local Settings\MuiCache\1\52C64B7E	value_name = @%SystemRoot%\system32\bfe.dll,-1001, data = Base Filtering Engine	1	Fn
WRITE_VALUE	\Registry\Machine\SYSTEM\CurrentControlSet\Control\MUI\StringCacheSettings\Software\Classes\Local Settings\MuiCache\1\52C64B7E	value_name = @%SystemRoot%\system32\drivers\clfs.sys,-100, data = Common Log (CLFS)	1	Fn
WRITE_VALUE	\Registry\Machine\SYSTEM\CurrentControlSet\Control\MUI\StringCacheSettings\Software\Classes\Local Settings\MuiCache\1\52C64B7E	value_name = @%SystemRoot%\system32\cryptsvc.dll,-1001, data = Cryptographic Services	1	Fn
WRITE_VALUE	\Registry\Machine\SYSTEM\CurrentControlSet\Control\MUI\StringCacheSettings\Software\Classes\Local Settings\MuiCache\1\52C64B7E	value_name = @combase.dll,-5012, data = DCOM Server Process Launcher	1	Fn
WRITE_VALUE	\Registry\Machine\SYSTEM\CurrentControlSet\Control\MUI\StringCacheSettings\Software\Classes\Local Settings\MuiCache\1\52C64B7E	value_name = @%SystemRoot%\system32\defragsvc.dll,-101, data = Optimize drives	1	Fn
WRITE_VALUE	\Registry\Machine\SYSTEM\CurrentControlSet\Control\MUI\StringCacheSettings\Software\Classes\Local Settings\MuiCache\1\52C64B7E	value_name = @%SystemRoot%\system32\umpnpmgr.dll,-100, data = Device Install Service	1	Fn
WRITE_VALUE	\Registry\Machine\SYSTEM\CurrentControlSet\Control\MUI\StringCacheSettings\Software\Classes\Local Settings\MuiCache\1\52C64B7E	value_name = @%systemroot%\system32\wkssvc.dll,-1008, data = DFS Namespace Client Driver	1	Fn
WRITE_VALUE	\Registry\Machine\SYSTEM\CurrentControlSet\Control\MUI\StringCacheSettings\Software\Classes\Local Settings\MuiCache\1\52C64B7E	value_name = @%SystemRoot%\system32\dhcpcore.dll,-100, data = DHCP Client	1	Fn
WRITE_VALUE	\Registry\Machine\SYSTEM\CurrentControlSet\Control\MUI\StringCacheSettings\Software\Classes\Local Settings\MuiCache\1\52C64B7E	value_name = @%SystemRoot%\System32\dnsapi.dll,-101, data = DNS Client	1	Fn
WRITE_VALUE	\Registry\Machine\SYSTEM\CurrentControlSet\Control\MUI\StringCacheSettings\Software\Classes\Local Settings\MuiCache\1\52C64B7E	value_name = @%systemroot%\system32\eapsvc.dll,-1, data = Extensible Authentication Protocol	1	Fn
WRITE_VALUE	\Registry\Machine\SYSTEM\CurrentControlSet\Control\MUI\StringCacheSettings\Software\Classes\Local Settings\MuiCache\1\52C64B7E	value_name = @%SystemRoot%\system32\efssvc.dll,-100, data = Encrypting File System (EFS)	1	Fn
WRITE_VALUE	\Registry\Machine\SYSTEM\CurrentControlSet\Control\MUI\StringCacheSettings\Software\Classes\Local Settings\MuiCache\1\52C64B7E	value_name = @%SystemRoot%\system32\drivers\EhStorClass.sys,-100, data = Enhanced Storage Filter Driver	1	Fn
WRITE_VALUE	\Registry\Machine\SYSTEM\CurrentControlSet\Control\MUI\StringCacheSettings\Software\Classes\Local Settings\MuiCache\1\52C64B7E	value_name = @%SystemRoot%\system32\wevtsvc.dll,-200, data = Windows Event Log	1	Fn
WRITE_VALUE	\Registry\Machine\SYSTEM\CurrentControlSet\Control\MUI\StringCacheSettings\Software\Classes\Local Settings\MuiCache\1\52C64B7E	value_name = @%SystemRoot%\system32\drivers\fileinfo.sys,-100, data = File Information FS MiniFilter	1	Fn
WRITE_VALUE	\Registry\Machine\SYSTEM\CurrentControlSet\Control\MUI\StringCacheSettings\Software\Classes\Local Settings\MuiCache\1\52C64B7E	value_name = @%SystemRoot%\system32\drivers\filetrace.sys,-10001, data = FileTrace	1	Fn
WRITE_VALUE	\Registry\Machine\SYSTEM\CurrentControlSet\Control\MUI\StringCacheSettings\Software\Classes\Local Settings\MuiCache\1\52C64B7E	value_name = @%SystemRoot%\system32\drivers\fltmgr.sys,-10001, data = FltMgr	1	Fn
WRITE_VALUE	\Registry\Machine\SYSTEM\CurrentControlSet\Control\MUI\StringCacheSettings\Software\Classes\Local Settings\MuiCache\1\52C64B7E	value_name = @%SystemRoot%\system32\drivers\fsdepends.sys,-10001, data = File System Dependency Minifilter	1	Fn
WRITE_VALUE	\Registry\Machine\SYSTEM\CurrentControlSet\Control\MUI\StringCacheSettings\Software\Classes\Local Settings\MuiCache\1\52C64B7E	value_name = @%SystemRoot%\system32\drivers\fvevol.sys,-100, data = BitLocker Drive Encryption Filter Driver	1	Fn
WRITE_VALUE	\Registry\Machine\SYSTEM\CurrentControlSet\Control\MUI\StringCacheSettings\Software\Classes\Local Settings\MuiCache\1\52C64B7E	value_name = @gpapi.dll,-112, data = Group Policy Client	1	Fn
WRITE_VALUE	\Registry\Machine\SYSTEM\CurrentControlSet\Control\MUI\StringCacheSettings\Software\Classes\Local Settings\MuiCache\1\52C64B7E	value_name = @%SystemRoot%\System32\hidserv.dll,-101, data = Human Interface Device Service	1	Fn
WRITE_VALUE	\Registry\Machine\SYSTEM\CurrentControlSet\Control\MUI\StringCacheSettings\Software\Classes\Local Settings\MuiCache\1\52C64B7E	value_name = @%SystemRoot%\system32\ikeext.dll,-501, data = IKE and AuthIP IPsec Keying Modules	1	Fn
WRITE_VALUE	\Registry\Machine\SYSTEM\CurrentControlSet\Control\MUI\StringCacheSettings\Software\Classes\Local Settings\MuiCache\1\52C64B7E	value_name = @keyiso.dll,-100, data = CNG Key Isolation	1	Fn
WRITE_VALUE	\Registry\Machine\SYSTEM\CurrentControlSet\Control\MUI\StringCacheSettings\Software\Classes\Local Settings\MuiCache\1\52C64B7E	value_name = @%systemroot%\system32\srvsvc.dll,-100, data = Server	1	Fn
WRITE_VALUE	\Registry\Machine\SYSTEM\CurrentControlSet\Control\MUI\StringCacheSettings\Software\Classes\Local Settings\MuiCache\1\52C64B7E	value_name = @%systemroot%\system32\wkssvc.dll,-100, data = Workstation	1	Fn
WRITE_VALUE	\Registry\Machine\SYSTEM\CurrentControlSet\Control\MUI\StringCacheSettings\Software\Classes\Local Settings\MuiCache\1\52C64B7E	value_name = @%SystemRoot%\system32\lmhsvc.dll,-101, data = TCP/IP NetBIOS Helper	1	Fn
WRITE_VALUE	\Registry\Machine\SYSTEM\CurrentControlSet\Control\MUI\StringCacheSettings\Software\Classes\Local Settings\MuiCache\1\52C64B7E	value_name = @%windir%\system32\lsm.dll,-1001, data = Local Session Manager	1	Fn
WRITE_VALUE	\Registry\Machine\SYSTEM\CurrentControlSet\Control\MUI\StringCacheSettings\Software\Classes\Local Settings\MuiCache\1\52C64B7E	value_name = @%SystemRoot%\system32\drivers\mountmgr.sys,-100, data = Mount Point Manager	1	Fn
WRITE_VALUE	\Registry\Machine\SYSTEM\CurrentControlSet\Control\MUI\StringCacheSettings\Software\Classes\Local Settings\MuiCache\1\52C64B7E	value_name = @%SystemRoot%\system32\FirewallAPI.dll,-23092, data = Windows Firewall Authorization Driver	1	Fn
WRITE_VALUE	\Registry\Machine\SYSTEM\CurrentControlSet\Control\MUI\StringCacheSettings\Software\Classes\Local Settings\MuiCache\1\52C64B7E	value_name = @%SystemRoot%\system32\FirewallAPI.dll,-23090, data = Windows Firewall	1	Fn
WRITE_VALUE	\Registry\Machine\SYSTEM\CurrentControlSet\Control\MUI\StringCacheSettings\Software\Classes\Local Settings\MuiCache\1\52C64B7E	value_name = @%systemroot%\system32\wkssvc.dll,-1002, data = SMB MiniRedirector Wrapper and Engine	1	Fn
WRITE_VALUE	\Registry\Machine\SYSTEM\CurrentControlSet\Control\MUI\StringCacheSettings\Software\Classes\Local Settings\MuiCache\1\52C64B7E	value_name = @%systemroot%\system32\wkssvc.dll,-1004, data = SMB 1.x MiniRedirector	1	Fn
WRITE_VALUE	\Registry\Machine\SYSTEM\CurrentControlSet\Control\MUI\StringCacheSettings\Software\Classes\Local Settings\MuiCache\1\52C64B7E	value_name = @%systemroot%\system32\wkssvc.dll,-1006, data = SMB 2.0 MiniRedirector	1	Fn
WRITE_VALUE	\Registry\Machine\SYSTEM\CurrentControlSet\Control\MUI\StringCacheSettings\Software\Classes\Local Settings\MuiCache\1\52C64B7E	value_name = @%SystemRoot%\system32\drivers\mshidkmdf.sys,-100, data = Pass-through HID to KMDF Filter Driver	1	Fn
WRITE_VALUE	\Registry\Machine\SYSTEM\CurrentControlSet\Control\MUI\StringCacheSettings\Software\Classes\Local Settings\MuiCache\1\52C64B7E	value_name = @%SystemRoot%\system32\iscsidsc.dll,-5000, data = Microsoft iSCSI Initiator Service	1	Fn
WRITE_VALUE	\Registry\Machine\SYSTEM\CurrentControlSet\Control\MUI\StringCacheSettings\Software\Classes\Local Settings\MuiCache\1\52C64B7E	value_name = @%systemroot%\system32\drivers\mup.sys,-101, data = MUP	1	Fn
WRITE_VALUE	\Registry\Machine\SYSTEM\CurrentControlSet\Control\MUI\StringCacheSettings\Software\Classes\Local Settings\MuiCache\1\52C64B7E	value_name = @%SystemRoot%\system32\drivers\ndis.sys,-200, data = NDIS System Driver	1	Fn
WRITE_VALUE	\Registry\Machine\SYSTEM\CurrentControlSet\Control\MUI\StringCacheSettings\Software\Classes\Local Settings\MuiCache\1\52C64B7E	value_name = @%SystemRoot%\System32\drivers\NdisVirtualBus.sys,-200, data = Microsoft Virtual Network Adapter Enumerator	1	Fn
WRITE_VALUE	\Registry\Machine\SYSTEM\CurrentControlSet\Control\MUI\StringCacheSettings\Software\Classes\Local Settings\MuiCache\1\52C64B7E	value_name = @%SystemRoot%\system32\drivers\netbt.sys,-2, data = NETBT	1	Fn
WRITE_VALUE	\Registry\Machine\SYSTEM\CurrentControlSet\Control\MUI\StringCacheSettings\Software\Classes\Local Settings\MuiCache\1\52C64B7E	value_name = @%SystemRoot%\System32\netlogon.dll,-102, data = Netlogon	1	Fn
WRITE_VALUE	\Registry\Machine\SYSTEM\CurrentControlSet\Control\MUI\StringCacheSettings\Software\Classes\Local Settings\MuiCache\1\52C64B7E	value_name = @%SystemRoot%\system32\netman.dll,-109, data = Network Connections	1	Fn
WRITE_VALUE	\Registry\Machine\SYSTEM\CurrentControlSet\Control\MUI\StringCacheSettings\Software\Classes\Local Settings\MuiCache\1\52C64B7E	value_name = @%SystemRoot%\System32\nlasvc.dll,-1, data = Network Location Awareness	1	Fn
WRITE_VALUE	\Registry\Machine\SYSTEM\CurrentControlSet\Control\MUI\StringCacheSettings\Software\Classes\Local Settings\MuiCache\1\52C64B7E	value_name = @%SystemRoot%\system32\nsisvc.dll,-200, data = Network Store Interface Service	1	Fn
WRITE_VALUE	\Registry\Machine\SYSTEM\CurrentControlSet\Control\MUI\StringCacheSettings\Software\Classes\Local Settings\MuiCache\1\52C64B7E	value_name = @%SystemRoot%\system32\drivers\nsiproxy.sys,-2, data = NSI Proxy Service Driver	1	Fn
WRITE_VALUE	\Registry\Machine\SYSTEM\CurrentControlSet\Control\MUI\StringCacheSettings\Software\Classes\Local Settings\MuiCache\1\52C64B7E	value_name = @%SystemRoot%\system32\drivers\partmgr.sys,-100, data = Partition Manager	1	Fn
WRITE_VALUE	\Registry\Machine\SYSTEM\CurrentControlSet\Control\MUI\StringCacheSettings\Software\Classes\Local Settings\MuiCache\1\52C64B7E	value_name = @%SystemRoot%\system32\drivers\pdc.sys,-100, data = PDC	1	Fn
WRITE_VALUE	\Registry\Machine\SYSTEM\CurrentControlSet\Control\MUI\StringCacheSettings\Software\Classes\Local Settings\MuiCache\1\52C64B7E	value_name = @%SystemRoot%\system32\umpnpmgr.dll,-200, data = Plug and Play	1	Fn
WRITE_VALUE	\Registry\Machine\SYSTEM\CurrentControlSet\Control\MUI\StringCacheSettings\Software\Classes\Local Settings\MuiCache\1\52C64B7E	value_name = @%SystemRoot%\System32\polstore.dll,-5010, data = IPsec Policy Agent	1	Fn
WRITE_VALUE	\Registry\Machine\SYSTEM\CurrentControlSet\Control\MUI\StringCacheSettings\Software\Classes\Local Settings\MuiCache\1\52C64B7E	value_name = @%SystemRoot%\system32\umpo.dll,-100, data = Power	1	Fn
WRITE_VALUE	\Registry\Machine\SYSTEM\CurrentControlSet\Control\MUI\StringCacheSettings\Software\Classes\Local Settings\MuiCache\1\52C64B7E	value_name = @%systemroot%\system32\profsvc.dll,-300, data = User Profile Service	1	Fn
WRITE_VALUE	\Registry\Machine\SYSTEM\CurrentControlSet\Control\MUI\StringCacheSettings\Software\Classes\Local Settings\MuiCache\1\52C64B7E	value_name = @%Systemroot%\system32\rasauto.dll,-200, data = Remote Access Auto Connection Manager	1	Fn
WRITE_VALUE	\Registry\Machine\SYSTEM\CurrentControlSet\Control\MUI\StringCacheSettings\Software\Classes\Local Settings\MuiCache\1\52C64B7E	value_name = @%Systemroot%\system32\rasmans.dll,-200, data = Remote Access Connection Manager	1	Fn
WRITE_VALUE	\Registry\Machine\SYSTEM\CurrentControlSet\Control\MUI\StringCacheSettings\Software\Classes\Local Settings\MuiCache\1\52C64B7E	value_name = @%systemroot%\system32\wkssvc.dll,-1000, data = Redirected Buffering Sub System	1	Fn
WRITE_VALUE	\Registry\Machine\SYSTEM\CurrentControlSet\Control\MUI\StringCacheSettings\Software\Classes\Local Settings\MuiCache\1\52C64B7E	value_name = @%windir%\system32\RpcEpMap.dll,-1001, data = RPC Endpoint Mapper	1	Fn
WRITE_VALUE	\Registry\Machine\SYSTEM\CurrentControlSet\Control\MUI\StringCacheSettings\Software\Classes\Local Settings\MuiCache\1\52C64B7E	value_name = @combase.dll,-5010, data = Remote Procedure Call (RPC)	1	Fn
WRITE_VALUE	\Registry\Machine\SYSTEM\CurrentControlSet\Control\MUI\StringCacheSettings\Software\Classes\Local Settings\MuiCache\1\52C64B7E	value_name = @%systemroot%\system32\sacsvr.dll,-500, data = Special Administration Console Helper	1	Fn
WRITE_VALUE	\Registry\Machine\SYSTEM\CurrentControlSet\Control\MUI\StringCacheSettings\Software\Classes\Local Settings\MuiCache\1\52C64B7E	value_name = @%SystemRoot%\system32\samsrv.dll,-1, data = Security Accounts Manager	1	Fn
WRITE_VALUE	\Registry\Machine\SYSTEM\CurrentControlSet\Control\MUI\StringCacheSettings\Software\Classes\Local Settings\MuiCache\1\52C64B7E	value_name = @%SystemRoot%\System32\smphost.dll,-102, data = Microsoft Storage Spaces SMP	1	Fn
WRITE_VALUE	\Registry\Machine\SYSTEM\CurrentControlSet\Control\MUI\StringCacheSettings\Software\Classes\Local Settings\MuiCache\1\52C64B7E	value_name = @%systemroot%\system32\srvsvc.dll,-102, data = Server SMB 1.xxx Driver	1	Fn
WRITE_VALUE	\Registry\Machine\SYSTEM\CurrentControlSet\Control\MUI\StringCacheSettings\Software\Classes\Local Settings\MuiCache\1\52C64B7E	value_name = @%systemroot%\system32\srvsvc.dll,-104, data = Server SMB 2.xxx Driver	1	Fn
WRITE_VALUE	\Registry\Machine\SYSTEM\CurrentControlSet\Control\MUI\StringCacheSettings\Software\Classes\Local Settings\MuiCache\1\52C64B7E	value_name = @%SystemRoot%\system32\sstpsvc.dll,-200, data = Secure Socket Tunneling Protocol Service	1	Fn
WRITE_VALUE	\Registry\Machine\SYSTEM\CurrentControlSet\Control\MUI\StringCacheSettings\Software\Classes\Local Settings\MuiCache\1\52C64B7E	value_name = @%SystemRoot%\system32\svsvc.dll,-101, data = Spot Verifier	1	Fn
WRITE_VALUE	\Registry\Machine\SYSTEM\CurrentControlSet\Control\MUI\StringCacheSettings\Software\Classes\Local Settings\MuiCache\1\52C64B7E	value_name = @%SystemRoot%\System32\swprv.dll,-103, data = Microsoft Software Shadow Copy Provider	1	Fn
WRITE_VALUE	\Registry\Machine\SYSTEM\CurrentControlSet\Control\MUI\StringCacheSettings\Software\Classes\Local Settings\MuiCache\1\52C64B7E	value_name = @%windir%\system32\SystemEventsBrokerServer.dll,-1001, data = System Events Broker	1	Fn
WRITE_VALUE	\Registry\Machine\SYSTEM\CurrentControlSet\Control\MUI\StringCacheSettings\Software\Classes\Local Settings\MuiCache\1\52C64B7E	value_name = @%SystemRoot%\system32\drivers\tcpip.sys,-10001, data = TCP/IP Protocol Driver	1	Fn
WRITE_VALUE	\Registry\Machine\SYSTEM\CurrentControlSet\Control\MUI\StringCacheSettings\Software\Classes\Local Settings\MuiCache\1\52C64B7E	value_name = @%SystemRoot%\servicing\TrustedInstaller.exe,-100, data = Windows Modules Installer	1	Fn
WRITE_VALUE	\Registry\Machine\SYSTEM\CurrentControlSet\Control\MUI\StringCacheSettings\Software\Classes\Local Settings\MuiCache\1\52C64B7E	value_name = @%SystemRoot%\system32\vds.exe,-100, data = Virtual Disk	1	Fn
WRITE_VALUE	\Registry\Machine\SYSTEM\CurrentControlSet\Control\MUI\StringCacheSettings\Software\Classes\Local Settings\MuiCache\1\52C64B7E	value_name = @%SystemRoot%\system32\vmbusres.dll,-1000, data = Virtual Machine Bus	1	Fn
WRITE_VALUE	\Registry\Machine\SYSTEM\CurrentControlSet\Control\MUI\StringCacheSettings\Software\Classes\Local Settings\MuiCache\1\52C64B7E	value_name = @%SystemRoot%\system32\drivers\volmgrx.sys,-100, data = Dynamic Volume Manager	1	Fn
WRITE_VALUE	\Registry\Machine\SYSTEM\CurrentControlSet\Control\MUI\StringCacheSettings\Software\Classes\Local Settings\MuiCache\1\52C64B7E	value_name = @%systemroot%\system32\vssvc.exe,-102, data = Volume Shadow Copy	1	Fn
WRITE_VALUE	\Registry\Machine\SYSTEM\CurrentControlSet\Control\MUI\StringCacheSettings\Software\Classes\Local Settings\MuiCache\1\52C64B7E	value_name = @%SystemRoot%\system32\w32time.dll,-200, data = Windows Time	1	Fn
WRITE_VALUE	\Registry\Machine\SYSTEM\CurrentControlSet\Control\MUI\StringCacheSettings\Software\Classes\Local Settings\MuiCache\1\52C64B7E	value_name = @%systemroot%\system32\wbengine.exe,-104, data = Block Level Backup Engine Service	1	Fn
WRITE_VALUE	\Registry\Machine\SYSTEM\CurrentControlSet\Control\MUI\StringCacheSettings\Software\Classes\Local Settings\MuiCache\1\52C64B7E	value_name = @%SystemRoot%\system32\drivers\Wdf01000.sys,-1000, data = Kernel Mode Driver Frameworks service	1	Fn
WRITE_VALUE	\Registry\Machine\SYSTEM\CurrentControlSet\Control\MUI\StringCacheSettings\Software\Classes\Local Settings\MuiCache\1\52C64B7E	value_name = @%SystemRoot%\system32\winhttp.dll,-100, data = WinHTTP Web Proxy Auto-Discovery Service	1	Fn
WRITE_VALUE	\Registry\Machine\SYSTEM\CurrentControlSet\Control\MUI\StringCacheSettings\Software\Classes\Local Settings\MuiCache\1\52C64B7E	value_name = @%Systemroot%\system32\wbem\wmisvc.dll,-205, data = Windows Management Instrumentation	1	Fn
WRITE_VALUE	\Registry\Machine\SYSTEM\CurrentControlSet\Control\MUI\StringCacheSettings\Software\Classes\Local Settings\MuiCache\1\52C64B7E	value_name = @%Systemroot%\system32\wbem\wmiapsrv.exe,-110, data = WMI Performance Adapter	1	Fn
WRITE_VALUE	\Registry\Machine\SYSTEM\CurrentControlSet\Control\MUI\StringCacheSettings\Software\Classes\Local Settings\MuiCache\1\52C64B7E	value_name = @%systemroot%\System32\drivers\ws2ifsl.sys,-1000, data = Winsock IFS Driver	1	Fn
WRITE_VALUE			6	Fn
WRITE_VALUE	Software\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-20	value_name = ProfileImagePath, data = X:\windows\ServiceProfiles\NetworkService	1	Fn
WRITE_VALUE	Software\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-20	value_name = Flags, data = 0	1	Fn
WRITE_VALUE	Software\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-20	value_name = State, data = 0	1	Fn
WRITE_VALUE	Software\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-19	value_name = ProfileImagePath, data = X:\windows\ServiceProfiles\LocalService	1	Fn
WRITE_VALUE	Software\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-19	value_name = Flags, data = 0	1	Fn
WRITE_VALUE	Software\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-19	value_name = State, data = 0	1	Fn

Driver (4)

Operation	Additional Information	Amount	Logfile
CONTROL		1	Fn
CONTROL	control_code = 0x390008	1	Fn
CONTROL	control_code = 0x110008	2	Fn

User (3)

Operation	User/Group/Server	Additional Information	Success	Amount	Logfile
SET_PRIVILEGE	Localhost			3	Fn

System (735)

Operation	Information	Amount	Logfile
SLEEP		363	Fn
SLEEP	duration = 1 milliseconds (0.001 seconds)	359	Fn
SLEEP	duration = 639153338176 milliseconds (639153338.176 seconds)	2	Fn
SLEEP	duration = 639153338176 milliseconds (639153338.176 seconds)	2	Fn
SLEEP		1	Fn
SLEEP	duration = 1 milliseconds (0.001 seconds)	1	Fn
GET_INFO	type = SYSTEM_CURRENT_TIME_ZONE_INFORMATION	1	Fn
GET_INFO	type = SYSTEM_BASIC_INFORMATION	4	Fn
GET_INFO	type = SYSTEM_PROCESSOR_INFORMATION	1	Fn
GET_INFO		1	Fn

Mutex (420)

Operation	Additional Information	Amount	Logfile
CREATE		84	Fn
CREATE	initial_owner = 0, desired_access = MUTEX_MODIFY_STATE, DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE	84	Fn
RELEASE		252	Fn

Process #11: lsass.exe

(Host: 1720, Network: 0)

Information	Value
ID / OS PID	#11 / 0x1b4
OS Parent PID	0x164 (c:\windows\system32\csrss.exe)
Initial Working Directory	X:\windows\system32
File Name	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\lsass.exe
Command Line	X:\windows\system32\lsass.exe -setup
Monitor	Start Time: 00:01:36, Reason: Child Process
Unmonitor	End Time: 00:02:07, Reason: Terminated by Timeout
Monitor Duration	00:00:31
OS Thread IDs	#69 0x1B8 #71 0x1C0 #72 0x1C4 #73 0x1C8 #74 0x1CC #75 0x1D0 #76 0x1D4 #77 0x1D8 #78 0x1DC #79 0x1E0 #80 0x1E4

Region

Name	Start VA	End VA	Type	Permissions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable
private_0x0000006b29a30000	0x6b29a30000	0x6b29a4ffff	Private Memory	Readable, Writable
pagefile_0x0000006b29a30000	0x6b29a30000	0x6b29a3ffff	Pagefile Backed File	Readable, Writable
pagefile_0x0000006b29a40000	0x6b29a40000	0x6b29a40fff	Pagefile Backed File	Readable, Writable
pagefile_0x0000006b29a50000	0x6b29a50000	0x6b29a5efff	Pagefile Backed File	Readable
private_0x0000006b29a60000	0x6b29a60000	0x6b29adffff	Private Memory	Readable, Writable
pagefile_0x0000006b29ae0000	0x6b29ae0000	0x6b29ae3fff	Pagefile Backed File	Readable
pagefile_0x0000006b29af0000	0x6b29af0000	0x6b29af0fff	Pagefile Backed File	Readable
private_0x0000006b29b00000	0x6b29b00000	0x6b29b01fff	Private Memory	Readable, Writable
private_0x0000006b29b10000	0x6b29b10000	0x6b29c0ffff	Private Memory	Readable, Writable
locale.nls	0x6b29c10000	0x6b29c8dfff	Memory Mapped File	Readable
private_0x0000006b29c90000	0x6b29c90000	0x6b29d0ffff	Private Memory	Readable, Writable
private_0x0000006b29d10000	0x6b29d10000	0x6b29d16fff	Private Memory	Readable, Writable
private_0x0000006b29d20000	0x6b29d20000	0x6b29d2ffff	Private Memory	Readable, Writable
private_0x0000006b29d30000	0x6b29d30000	0x6b29d36fff	Private Memory	Readable, Writable
private_0x0000006b29d40000	0x6b29d40000	0x6b29dbffff	Private Memory	Readable, Writable
pagefile_0x0000006b29dc0000	0x6b29dc0000	0x6b29dcffff	Pagefile Backed File	Readable, Writable
pagefile_0x0000006b29dd0000	0x6b29dd0000	0x6b29ddffff	Pagefile Backed File	Readable, Writable
private_0x0000006b29de0000	0x6b29de0000	0x6b29e5ffff	Private Memory	Readable, Writable
private_0x0000006b29e60000	0x6b29e60000	0x6b29edffff	Private Memory	Readable, Writable
lsasrv.dll.mui	0x6b29ee0000	0x6b29eeafff	Memory Mapped File	Readable
pagefile_0x0000006b29ef0000	0x6b29ef0000	0x6b29efffff	Pagefile Backed File	Readable, Writable
sortdefault.nls	0x6b29f00000	0x6b2a1d4fff	Memory Mapped File	Readable
c_28591.nls	0x6b2a1e0000	0x6b2a1f0fff	Memory Mapped File	Readable
private_0x0000006b2a200000	0x6b2a200000	0x6b2a200fff	Private Memory	Readable, Writable
private_0x0000006b2a210000	0x6b2a210000	0x6b2a28ffff	Private Memory	Readable, Writable
private_0x0000006b2a290000	0x6b2a290000	0x6b2a290fff	Private Memory	Readable, Writable
private_0x0000006b2a2a0000	0x6b2a2a0000	0x6b2a2a0fff	Private Memory	Readable, Writable
private_0x0000006b2a2b0000	0x6b2a2b0000	0x6b2a2b0fff	Private Memory	Readable, Writable
private_0x0000006b2a2c0000	0x6b2a2c0000	0x6b2a2c0fff	Private Memory	Readable, Writable
private_0x0000006b2a2d0000	0x6b2a2d0000	0x6b2a2d0fff	Private Memory	Readable, Writable
private_0x0000006b2a2e0000	0x6b2a2e0000	0x6b2a35ffff	Private Memory	Readable, Writable
private_0x0000006b2a360000	0x6b2a360000	0x6b2a3dffff	Private Memory	Readable, Writable
private_0x0000006b2a3e0000	0x6b2a3e0000	0x6b2a3e0fff	Private Memory	Readable, Writable
private_0x0000006b2a3e0000	0x6b2a3e0000	0x6b2a45ffff	Private Memory	Readable, Writable
samsrv.dll.mui	0x6b2a460000	0x6b2a471fff	Memory Mapped File	Readable
private_0x0000006b2a480000	0x6b2a480000	0x6b2a4fffff	Private Memory	Readable, Writable
pagefile_0x00007df5ff8c0000	0x7df5ff8c0000	0x7ff5ff8bffff	Pagefile Backed File	-
private_0x00007ff6769f8000	0x7ff6769f8000	0x7ff6769f9fff	Private Memory	Readable, Writable
private_0x00007ff6769fa000	0x7ff6769fa000	0x7ff6769fbfff	Private Memory	Readable, Writable
private_0x00007ff6769fc000	0x7ff6769fc000	0x7ff6769fdfff	Private Memory	Readable, Writable
private_0x00007ff6769fe000	0x7ff6769fe000	0x7ff6769fffff	Private Memory	Readable, Writable
pagefile_0x00007ff676a00000	0x7ff676a00000	0x7ff676afffff	Pagefile Backed File	Readable
pagefile_0x00007ff676b00000	0x7ff676b00000	0x7ff676b22fff	Pagefile Backed File	Readable
private_0x00007ff676b23000	0x7ff676b23000	0x7ff676b24fff	Private Memory	Readable, Writable
private_0x00007ff676b25000	0x7ff676b25000	0x7ff676b26fff	Private Memory	Readable, Writable
private_0x00007ff676b27000	0x7ff676b27000	0x7ff676b27fff	Private Memory	Readable, Writable
private_0x00007ff676b28000	0x7ff676b28000	0x7ff676b29fff	Private Memory	Readable, Writable
private_0x00007ff676b2a000	0x7ff676b2a000	0x7ff676b2bfff	Private Memory	Readable, Writable
private_0x00007ff676b2c000	0x7ff676b2c000	0x7ff676b2dfff	Private Memory	Readable, Writable
private_0x00007ff676b2e000	0x7ff676b2e000	0x7ff676b2ffff	Private Memory	Readable, Writable
lsass.exe	0x7ff6775e0000	0x7ff6775edfff	Memory Mapped File	Readable, Writable, Executable
winsta.dll	0x7ffb70940000	0x7ffb70999fff	Memory Mapped File	Readable, Writable, Executable
dsrole.dll	0x7ffb70a40000	0x7ffb70a49fff	Memory Mapped File	Readable, Writable, Executable
scecli.DLL	0x7ffb70a50000	0x7ffb70a97fff	Memory Mapped File	Readable, Writable, Executable
dpapisrv.dll	0x7ffb70aa0000	0x7ffb70ad2fff	Memory Mapped File	Readable, Writable, Executable
efslsaext.dll	0x7ffb70ae0000	0x7ffb70af2fff	Memory Mapped File	Readable, Writable, Executable
rsaenh.dll	0x7ffb70b00000	0x7ffb70b35fff	Memory Mapped File	Readable, Writable, Executable
wdigest.DLL	0x7ffb70b40000	0x7ffb70b7bfff	Memory Mapped File	Readable, Writable, Executable
CRYPT32.dll	0x7ffb70b80000	0x7ffb70d5efff	Memory Mapped File	Readable, Writable, Executable
schannel.DLL	0x7ffb70d60000	0x7ffb70dccfff	Memory Mapped File	Readable, Writable, Executable
USERENV.dll	0x7ffb70dd0000	0x7ffb70df0fff	Memory Mapped File	Readable, Writable, Executable
logoncli.dll	0x7ffb70e00000	0x7ffb70e3efff	Memory Mapped File	Readable, Writable, Executable
DNSAPI.dll	0x7ffb70e40000	0x7ffb70ee3fff	Memory Mapped File	Readable, Writable, Executable
netlogon.DLL	0x7ffb70ef0000	0x7ffb70fc0fff	Memory Mapped File	Readable, Writable, Executable
msv1_0.DLL	0x7ffb70fd0000	0x7ffb7103bfff	Memory Mapped File	Readable, Writable, Executable
CRYPTSP.dll	0x7ffb71040000	0x7ffb7105ffff	Memory Mapped File	Readable, Writable, Executable
cryptdll.dll	0x7ffb71060000	0x7ffb71079fff	Memory Mapped File	Readable, Writable, Executable
kerberos.DLL	0x7ffb71080000	0x7ffb71172fff	Memory Mapped File	Readable, Writable, Executable
netjoin.dll	0x7ffb71180000	0x7ffb711d0fff	Memory Mapped File	Readable, Writable, Executable
msprivs.DLL	0x7ffb711e0000	0x7ffb711e1fff	Memory Mapped File	Readable, Writable, Executable
NTASN1.dll	0x7ffb711f0000	0x7ffb71226fff	Memory Mapped File	Readable, Writable, Executable
ncrypt.dll	0x7ffb71230000	0x7ffb71254fff	Memory Mapped File	Readable, Writable, Executable
bcrypt.dll	0x7ffb71260000	0x7ffb71285fff	Memory Mapped File	Readable, Writable, Executable
samsrv.dll	0x7ffb71290000	0x7ffb7135ffff	Memory Mapped File	Readable, Writable, Executable
MSASN1.dll	0x7ffb71360000	0x7ffb71370fff	Memory Mapped File	Readable, Writable, Executable
lsasrv.dll	0x7ffb71380000	0x7ffb714e2fff	Memory Mapped File	Readable, Writable, Executable
SspiSrv.dll	0x7ffb714f0000	0x7ffb714fafff	Memory Mapped File	Readable, Writable, Executable
SspiCli.dll	0x7ffb71500000	0x7ffb7152dfff	Memory Mapped File	Readable, Writable, Executable
powrprof.dll	0x7ffb71530000	0x7ffb71575fff	Memory Mapped File	Readable, Writable, Executable
bcryptPrimitives.dll	0x7ffb71580000	0x7ffb715e2fff	Memory Mapped File	Readable, Writable, Executable
CRYPTBASE.dll	0x7ffb715f0000	0x7ffb715fafff	Memory Mapped File	Readable, Writable, Executable
profapi.dll	0x7ffb716b0000	0x7ffb716c4fff	Memory Mapped File	Readable, Writable, Executable
kernelbase.dll	0x7ffb71760000	0x7ffb71874fff	Memory Mapped File	Readable, Writable, Executable
CFGMGR32.dll	0x7ffb71880000	0x7ffb718cefff	Memory Mapped File	Readable, Writable, Executable
WS2_32.dll	0x7ffb73360000	0x7ffb733b9fff	Memory Mapped File	Readable, Writable, Executable
sechost.dll	0x7ffb733c0000	0x7ffb73418fff	Memory Mapped File	Readable, Writable, Executable
kernel32.dll	0x7ffb73480000	0x7ffb735bdfff	Memory Mapped File	Readable, Writable, Executable
advapi32.dll	0x7ffb73690000	0x7ffb73739fff	Memory Mapped File	Readable, Writable, Executable
rpcrt4.dll	0x7ffb73a30000	0x7ffb73b70fff	Memory Mapped File	Readable, Writable, Executable
NSI.dll	0x7ffb73e80000	0x7ffb73e88fff	Memory Mapped File	Readable, Writable, Executable
MSVCRT.dll	0x7ffb74050000	0x7ffb740f9fff	Memory Mapped File	Readable, Writable, Executable
ntdll.dll	0x7ffb74120000	0x7ffb742cbfff	Memory Mapped File	Readable, Writable, Executable

Injection Information

Injection Type	Source Process	Source Os Thread ID	Injection Info	Success	Amount	Logfile
Modify Memory	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\wininit.exe	0x168	address = 0x6b29b00000, size = 4704		1	Fn Data
Modify Memory	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\wininit.exe	0x168	address = 0x7ff676b272d8, size = 8		1	Fn Data

Created or Modified Files

Filename	File Size	Hash Values
\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\microsoft\protect\s-1-5-18\user\968b739e-d207-46ed-a53d-aed260dbc1d6	0.46 KB (468 bytes)	MD5: d04b3035912004a5cb295bcb9530453e SHA1: 7303d29121a871487d9aa10620829061b29d7a3b SHA256: 8a93024371ca325399b2e2d3793194779dd4e10aecc2d7dfbc4f8cd21748381b
\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\microsoft\protect\s-1-5-18\user\preferred	0.02 KB (24 bytes)	MD5: 0f0b3948f429deda2ed5b504c705b9e7 SHA1: 29def00392c60f70f7102aeab134f79241ff01a0 SHA256: 0b1a1c7eb3734a03ee8f58bed7ef11b6fc98909f7c5c480a05ab3d879a617a8d

Host Behavior

File (40)

Operation	Filename	Additional Information	Amount	Logfile
CREATE	\device\deviceapi\cmapi	desired_access = GENERIC_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	1	Fn
CREATE			3	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\debug\passwd.log	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_MAXIMUM_DISPOSITION, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\globalization\sorting\sortdefault.nls	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\microsoft\protect\s-1-5-18\user\preferred	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_HIDDEN, FILE_ATTRIBUTE_SYSTEM, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	2	Fn
CREATE	\device\namedpipe\lsarpc	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	1	Fn
CREATE			2	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\microsoft\protect\s-1-5-18\user\968b739e-d207-46ed-a53d-aed260dbc1d6	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_HIDDEN, FILE_ATTRIBUTE_SYSTEM, create_disposition = FILE_OPEN_IF, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\microsoft\protect\s-1-5-18\user\preferred	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_HIDDEN, FILE_ATTRIBUTE_SYSTEM, create_disposition = FILE_OPEN_IF, ea_buffer = 0, ea_length = 0	1	Fn
OPEN	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\win.ini	desired_access = SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_NON_DIRECTORY_FILE	8	Fn
READ	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\win.ini	size = 92	8	Fn Data
READ	\device\namedpipe\lsarpc	size = 1024	1	Fn Data
READ		size = 1024	2	Fn Data
READ		size = 1024	1	Fn
WRITE	\device\namedpipe\lsarpc	size = 160, offset = 0	1	Fn Data
WRITE		size = 116, offset = 0	1	Fn Data
WRITE		size = 92, offset = 0	1	Fn Data
WRITE			2	Fn
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\microsoft\protect\s-1-5-18\user\968b739e-d207-46ed-a53d-aed260dbc1d6	size = 468	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\microsoft\protect\s-1-5-18\user\preferred	size = 24	1	Fn Data

Process (35)

Operation	Process Name	Additional Information	Amount	Logfile
OPEN_TOKEN			18	Fn
GET_INFO	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe	os_pid = 0x134	1	Fn
GET_INFO	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe	os_pid = 0x134	12	Fn
GET_INFO	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe	os_pid = 0x134	1	Fn
GET_INFO	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe	os_pid = 0x134	1	Fn
GET_INFO	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe	os_pid = 0x134	1	Fn
GET_INFO	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe	os_pid = 0x134	1	Fn

Thread (9)

Operation	Process Name	Additional Information	Amount	Logfile
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe	os_pid = 0x134, proc_address = 0x7ff6775e1250, desired_access = THREAD_ALL_ACCESS	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe	os_pid = 0x134, proc_address = 0x7ffb713f2020, desired_access = THREAD_ALL_ACCESS	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe	os_pid = 0x134, proc_address = 0x7ffb713f2d90, desired_access = THREAD_ALL_ACCESS	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe	os_pid = 0x134, proc_address = 0x7ffb713fa570, desired_access = THREAD_ALL_ACCESS	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe	os_pid = 0x134, proc_address = 0x7ffb712c7c30, desired_access = THREAD_ALL_ACCESS	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe	os_pid = 0x134, proc_address = 0x7ffb712ce590, desired_access = THREAD_ALL_ACCESS	1	Fn
CREATE_WORKITEM			3	Fn

Module (206)

Operation	Module	Additional Information	Amount	Logfile
LOAD		base_address = 0x7ffb71380000	2	Fn
LOAD	lsasrv.dll	base_address = 0x0	1	Fn
LOAD	rpcrt4.dll	base_address = 0x0	1	Fn
LOAD	LSASRV.DLL	base_address = 0x0	1	Fn
LOAD		base_address = 0x0	2	Fn
LOAD	negoexts	base_address = 0xc0000135	1	Fn
LOAD		base_address = 0x7ffb71080000	2	Fn
LOAD	kerberos	base_address = 0x0	1	Fn
LOAD		base_address = 0x7ffb70fd0000	3	Fn
LOAD	msv1_0	base_address = 0x0	2	Fn
LOAD		base_address = 0x7ffb70ef0000	1	Fn
LOAD	netlogon		1	Fn
LOAD	msv1_0.dll	base_address = 0x0	1	Fn
LOAD		base_address = 0x7ffb70d60000	1	Fn
LOAD	schannel	base_address = 0x0	1	Fn
LOAD		base_address = 0x7ffb70b40000	1	Fn
LOAD	wdigest	base_address = 0x0	1	Fn
LOAD		base_address = 0x7ffb70b00000	2	Fn
LOAD	X:\windows\system32\rsaenh.dll	base_address = 0x0	2	Fn
LOAD	kernel32.dll	base_address = 0x0	1	Fn
LOAD	""	base_address = 0xc0000135	1	Fn
LOAD		base_address = 0x7ffb71580000	1	Fn
LOAD	X:\windows\system32\bcryptprimitives.dll	base_address = 0x0	1	Fn
LOAD		base_address = 0x7ffb70ae0000	1	Fn
LOAD	efslsaext.dll	base_address = 0x0	1	Fn
LOAD		base_address = 0x7ffb70aa0000	1	Fn
LOAD	dpapisrv.dll	base_address = 0x0	1	Fn
LOAD		base_address = 0x7ffb71500000	1	Fn
LOAD	sspicli.dll	base_address = 0x0	2	Fn
LOAD		base_address = 0x7ffb70a50000	1	Fn
LOAD	scecli	base_address = 0x0	1	Fn
LOAD		base_address = 0x7ffb71290000	9	Fn
LOAD	SAMSRV.DLL	base_address = 0x0	9	Fn
LOAD		base_address = 0x7ffb70a40000	1	Fn
LOAD	dsrole.dll	base_address = 0x0	1	Fn
LOAD	netlogon.dll	base_address = 0x0	1	Fn
LOAD	X:\windows\system32\kerberos.DLL	base_address = 0x0	1	Fn
GET_HANDLE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\lsass.exe		20	Fn
GET_HANDLE	lsasrv.dll		3	Fn
GET_HANDLE	kerberos.dll		2	Fn
GET_HANDLE	msv1_0.dll		3	Fn
GET_HANDLE	schannel.dll		2	Fn
GET_HANDLE	wdigest.dll		2	Fn
GET_HANDLE	dpapisrv.dll		1	Fn
GET_HANDLE	ntdll.dll		3	Fn
GET_HANDLE	LSASRV.DLL		1	Fn
GET_HANDLE	SAMSRV.DLL		2	Fn
GET_HANDLE	samsrv.dll		1	Fn
CREATE_MAPPING	Nameless FileMapping		2	Fn
CREATE_MAPPING	Debug.Memory.v2.1b4	module_name = lsasrv.dll, maximum_size = 460260768064, protection = PAGE_READWRITE	1	Fn
CREATE_MAPPING	Debug.Trace.Memory.1b4	module_name = kerberos, maximum_size = 460260765872, protection = PAGE_READWRITE	1	Fn
CREATE_MAPPING	Nameless FileMapping	file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\globalization\sorting\sortdefault.nls, maximum_size = 0, protection = PAGE_READONLY	1	Fn
MAP	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\lsass.exe	os_pid = 0x1b4, address = 0x6b29dc0000	1	Fn
MAP	Debug.Memory.v2.1b4	process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134, address = 0x6b29dc0000	1	Fn
MAP	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\lsass.exe	os_pid = 0x1b4, address = 0x6b29ef0000	1	Fn
MAP	Debug.Trace.Memory.1b4	process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134, address = 0x6b29ef0000	1	Fn
MAP	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\lsass.exe	os_pid = 0x1b4, address = 0x6b29f00000	4	Fn
MAP	Catalog_Entries64\00000001	process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134, address = 0x6b29f00000	1	Fn
MAP	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe	os_pid = 0x134, address = 0x6b29f00000	3	Fn
MAP	Nameless FileMapping	process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134, address = 0x6b29f00000	1	Fn
UNMAP	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\lsass.exe	os_pid = 0x1b4	4	Fn
GET_PROC_ADDRESS		address_out = 0x7ffb713f4880	1	Fn
GET_PROC_ADDRESS		address_out = 0x7ffb713f6a00	1	Fn
GET_PROC_ADDRESS		address_out = 0x7ffb710c5d28	1	Fn
GET_PROC_ADDRESS		address_out = 0x7ffb70ff78a0	1	Fn
GET_PROC_ADDRESS		address_out = 0x7ffb70fe1120	1	Fn
GET_PROC_ADDRESS		address_out = 0x7ffb70d838c0	1	Fn
GET_PROC_ADDRESS		address_out = 0x7ffb70b45480	1	Fn
GET_PROC_ADDRESS		address_out = 0x7ffb70b01570	2	Fn
GET_PROC_ADDRESS		address_out = 0x7ffb70b01080	2	Fn
GET_PROC_ADDRESS		address_out = 0x7ffb70b06090	2	Fn
GET_PROC_ADDRESS		address_out = 0x7ffb70b1e1d0	2	Fn
GET_PROC_ADDRESS		address_out = 0x7ffb70b02ce0	2	Fn
GET_PROC_ADDRESS		address_out = 0x7ffb70b0af70	2	Fn
GET_PROC_ADDRESS		address_out = 0x7ffb70b03880	2	Fn
GET_PROC_ADDRESS		address_out = 0x7ffb70b03a30	2	Fn
GET_PROC_ADDRESS		address_out = 0x7ffb70b03260	2	Fn
GET_PROC_ADDRESS		address_out = 0x7ffb70b06be0	2	Fn
GET_PROC_ADDRESS		address_out = 0x7ffb70b04ea0	2	Fn
GET_PROC_ADDRESS		address_out = 0x7ffb70b027d0	2	Fn
GET_PROC_ADDRESS		address_out = 0x7ffb70b02b00	2	Fn
GET_PROC_ADDRESS		address_out = 0x7ffb70b1d8d0	2	Fn
GET_PROC_ADDRESS		address_out = 0x7ffb70b024f0	2	Fn
GET_PROC_ADDRESS		address_out = 0x7ffb70b06830	2	Fn
GET_PROC_ADDRESS		address_out = 0x7ffb70b03c50	2	Fn
GET_PROC_ADDRESS		address_out = 0x7ffb70b01030	2	Fn
GET_PROC_ADDRESS		address_out = 0x7ffb70b05bb0	2	Fn
GET_PROC_ADDRESS		address_out = 0x7ffb70b0f290	2	Fn
GET_PROC_ADDRESS		address_out = 0x7ffb70b0f750	2	Fn
GET_PROC_ADDRESS		address_out = 0x7ffb70b03f50	2	Fn
GET_PROC_ADDRESS		address_out = 0x7ffb70b02630	2	Fn
GET_PROC_ADDRESS		address_out = 0x7ffb70b0d330	2	Fn
GET_PROC_ADDRESS		address_out = 0x7ffb70b1d6e0	2	Fn
GET_PROC_ADDRESS		address_out = 0x7ffb70ff56c0	1	Fn
GET_PROC_ADDRESS		address_out = 0x7ffb70fe8a90	1	Fn
GET_PROC_ADDRESS		address_out = 0x7ffb70fdb500	1	Fn
GET_PROC_ADDRESS		address_out = 0x7ffb70fdb9f0	1	Fn
GET_PROC_ADDRESS		address_out = 0x7ffb70fed400	1	Fn
GET_PROC_ADDRESS		address_out = 0x7ffb70fd10b0	1	Fn
GET_PROC_ADDRESS		address_out = 0x0	2	Fn
GET_PROC_ADDRESS		address_out = 0x7ffb71595b30	3	Fn
GET_PROC_ADDRESS		address_out = 0x7ffb71584530	1	Fn
GET_PROC_ADDRESS		address_out = 0x7ffb70ae4980	1	Fn
GET_PROC_ADDRESS		address_out = 0x7ffb70aad6c0	1	Fn
GET_PROC_ADDRESS		address_out = 0x7ffb70aadb40	1	Fn
GET_PROC_ADDRESS		address_out = 0x7ffb741801b0	1	Fn
GET_PROC_ADDRESS		address_out = 0x7ffb715848b0	4	Fn
GET_PROC_ADDRESS		address_out = 0x7ffb741b0fa0	2	Fn
GET_PROC_ADDRESS		address_out = 0x7ffb70a41550	1	Fn
GET_PROC_ADDRESS		address_out = 0x7ffb70a41530	1	Fn
GET_PROC_ADDRESS		address_out = 0x7ffb710a8cc0	1	Fn

Service (6)

Operation	Service	Additional Information	Amount	Logfile
OPEN_MGR	SERVICES_ACTIVE_DATABASE	host = Localhost	1	Fn
OPEN			1	Fn
GET_INFO		type = Config	1	Fn
GET_INFO		type = Config	1	Fn
GET_INFO		type = Status	2	Fn

Registry (1372)

Operation	Key	Additional Information	Amount	Logfile
CREATE_KEY			15	Fn
CREATE_KEY	JD		1	Fn
CREATE_KEY	Skew1		1	Fn
CREATE_KEY	GBG		1	Fn
CREATE_KEY	Data		1	Fn
CREATE_KEY	System\CurrentControlSet\Control\Lsa\Audit		2	Fn
CREATE_KEY	Software\Microsoft\Windows\CurrentVersion\Policies\System\Audit		2	Fn
CREATE_KEY	System\CurrentControlSet\Control\Lsa\Kerberos\Domains		1	Fn
CREATE_KEY	00000001		1	Fn
CREATE_KEY	Catalog_Entries64		1	Fn
CREATE_KEY	Catalog_Entries64\00000001		1	Fn
CREATE_KEY	Catalog_Entries64\Catalog_Entries64		1	Fn
CREATE_KEY	Catalog_Entries64\Catalog_Entries64\000000000001		1	Fn
CREATE_KEY	System\CurrentControlSet\Control\SecurityProviders\WDigest		1	Fn
CREATE_KEY	Software\Microsoft\Cryptography		1	Fn
CREATE_KEY	System\CurrentControlSet\Control\Lsa\SspiCache		1	Fn
CREATE_KEY	SOFTWARE\Microsoft\Cryptography\Protect\Providers\df9d8cd0-1501-11d1-8c7a-00c04fc297eb		1	Fn
CREATE_KEY	SOFTWARE		1	Fn
CREATE_KEY	SOFTWARE\Microsoft		1	Fn
CREATE_KEY	SOFTWARE\Microsoft\Cryptography		1	Fn
CREATE_KEY	SOFTWARE\Microsoft\Cryptography\Protect		1	Fn
CREATE_KEY	SOFTWARE\Microsoft\Cryptography\Protect\Providers		1	Fn
CREATE_KEY	SOFTWARE\Microsoft\Cryptography\Protect\Providers\df9d8cd0-1501-11d1-8c7a-00c04fc297eb		1	Fn
CREATE_KEY	System\CurrentControlSet\Control\Lsa\Audit\PerUserAuditing\System		1	Fn
CREATE_KEY	System\CurrentControlSet\Control\Lsa\Audit\AuditPolicy		1	Fn
OPEN_KEY			83	Fn
OPEN_KEY	\Registry\Machine\System\CurrentControlSet\Control\Nls\Sorting\Versions		1	Fn
OPEN_KEY			49	Fn
OPEN_KEY	\Registry\Machine\System\CurrentControlSet\Control\ComputerName\ActiveComputerName		11	Fn
OPEN_KEY	\Registry\Machine\System\CurrentControlSet\Control\ComputerName\ComputerName		11	Fn
OPEN_KEY	\Registry\Machine\System\Setup		2	Fn
OPEN_KEY	\Registry\Machine\Software\Microsoft\Windows\Windows Error Reporting\WMR		1	Fn
OPEN_KEY	\Registry\Machine\System\CurrentControlSet\Services\Tcpip\Parameters		5	Fn
OPEN_KEY	\Registry\Machine\System\CurrentControlSet\Control\Nls\Sorting\Ids		1	Fn
OPEN_KEY	\Registry\Machine\System\CurrentControlSet\Control\ComputerName\ActiveComputerName		2	Fn
READ_VALUE			70	Fn
READ_VALUE		value_name = Extensions	2	Fn
READ_VALUE	\Registry\Machine\System\CurrentControlSet\Control\Nls\Sorting\Versions	value_name = 460260763712	1	Fn
READ_VALUE			451	Fn
READ_VALUE		value_name = GeneralThreadLifespan	1	Fn
READ_VALUE		value_name = DedicatedThreadLifespan	1	Fn
READ_VALUE		value_name = HighPriority	1	Fn
READ_VALUE		value_name = CritSecSpinCount	1	Fn
READ_VALUE		value_name = MaxRpcSize	1	Fn
READ_VALUE	\Registry\Machine\System\CurrentControlSet\Control\ComputerName\ComputerName	value_name = ComputerName	11	Fn
READ_VALUE	\Registry\Machine\System\Setup	value_name = OOBEInProgress	1	Fn
READ_VALUE	\Registry\Machine\System\Setup	value_name = SystemSetupInProgress	1	Fn
READ_VALUE		value_name = IdleTimerWindow	1	Fn
READ_VALUE		value_name = DisableRestrictedAdminOutboundCreds	7	Fn
READ_VALUE		value_name = DisableRestrictedAdmin	7	Fn
READ_VALUE		value_name = TokenLeakDetectDelaySecs	7	Fn
READ_VALUE		value_name = IdCacheEntryLifeSpan	7	Fn
READ_VALUE		value_name = SamWaitNoTimeout	7	Fn
READ_VALUE		value_name = SuppressExtendedProtection	7	Fn
READ_VALUE		value_name = LogToFile	7	Fn
READ_VALUE		value_name = SendOptionalMechlistMIC	7	Fn
READ_VALUE		value_name = AcceptUnsafeUnprotectedNegotiation	7	Fn
READ_VALUE		value_name = CrashOnAuditFail	7	Fn
READ_VALUE		value_name = NegEventMask	7	Fn
READ_VALUE		value_name = SPMInfoLevel	7	Fn
READ_VALUE		value_name = DisableCredMan	7	Fn
READ_VALUE		value_name = DisableDomainCreds	7	Fn
READ_VALUE		value_name = HourlyLogLevel	7	Fn
READ_VALUE		value_name = AuthenticateAnonymousOnlineIDs	7	Fn
READ_VALUE		value_name = TurnOffAnonymousBlock	7	Fn
READ_VALUE		value_name = EveryoneIncludesAnonymous	7	Fn
READ_VALUE		value_name = DisableAutomaticRestartSignOn	3	Fn
READ_VALUE		value_name = DisableConnectedNTLMPassword	3	Fn
READ_VALUE		value_name = NoConnectedUser	3	Fn
READ_VALUE		value_name = ApplyPolicyToAnonymousLogon	3	Fn
READ_VALUE		value_name = EnableLocalLogonSid	3	Fn
READ_VALUE		value_name = EnableLinkedConnections	3	Fn
READ_VALUE		value_name = FilterAdministratorToken	3	Fn
READ_VALUE		value_name = DisplayLastLogonInfo	3	Fn
READ_VALUE		value_name = FilterNetworkAuthenticationTokens	3	Fn
READ_VALUE		value_name = LocalAccountTokenFilterPolicy	3	Fn
READ_VALUE		value_name = DisableRestrictionTraversal	3	Fn
READ_VALUE		value_name = ScForceOption	3	Fn
READ_VALUE		value_name = EnableVirtualization	3	Fn
READ_VALUE		value_name = EnableDebugCheck	1	Fn
READ_VALUE	\Registry\Machine\System\CurrentControlSet\Control\ComputerName\ComputerName	value_name = Preferred	1	Fn
READ_VALUE	\Registry\Machine\System\CurrentControlSet\Control\ComputerName\ComputerName	value_name = Security Packages	6	Fn
READ_VALUE	\Registry\Machine\System\CurrentControlSet\Control\ComputerName\ComputerName	value_name = Authentication Packages	2	Fn
READ_VALUE	\Registry\Machine\Software\Microsoft\Windows\Windows Error Reporting\WMR	value_name = Disable	1	Fn
READ_VALUE	\Registry\Machine\Software\Microsoft\Windows\Windows Error Reporting\WMR	value_name = lspdbginfolevel	1	Fn
READ_VALUE	\Registry\Machine\Software\Microsoft\Windows\Windows Error Reporting\WMR	value_name = LsaDbExtPt	1	Fn
READ_VALUE		value_name = lspdbginfolevel	7	Fn
READ_VALUE	System\CurrentControlSet\Control\Lsa\Audit	value_name = SpecialGroups	2	Fn
READ_VALUE		value_name = KerbDebugLevel	2	Fn
READ_VALUE	\Registry\Machine\System\CurrentControlSet\Services\Tcpip\Parameters	value_name = Hostname	5	Fn
READ_VALUE		value_name = KerbControlLevel	4	Fn
READ_VALUE		value_name = SupportedEncryptionTypes	4	Fn
READ_VALUE		value_name = MaxTokenSize	4	Fn
READ_VALUE		value_name = DHDomainParameters	4	Fn
READ_VALUE		value_name = WinSock_Registry_Version	2	Fn
READ_VALUE		value_name = AppFullPath	2	Fn
READ_VALUE		value_name = PermittedLspCategories	1	Fn
READ_VALUE		value_name = NameSpace_Callout	2	Fn
READ_VALUE		value_name = Serial_Access_Num	6	Fn
READ_VALUE		value_name = Next_Catalog_Entry_ID	3	Fn
READ_VALUE		value_name = Num_Catalog_Entries64	1	Fn
READ_VALUE		value_name = Num_Catalog_Entries	1	Fn
READ_VALUE	Catalog_Entries64	value_name = Serial_Access_Num	4	Fn
READ_VALUE	Catalog_Entries64	value_name = Num_Catalog_Entries64	1	Fn
READ_VALUE	Catalog_Entries64	value_name = Num_Catalog_Entries	1	Fn
READ_VALUE		value_name = LibraryPath	2	Fn
READ_VALUE		value_name = DisplayString	4	Fn
READ_VALUE		value_name = ProviderId	1	Fn
READ_VALUE		value_name = AddressFamily	1	Fn
READ_VALUE		value_name = SupportedNameSpace	1	Fn
READ_VALUE		value_name = Enabled	1	Fn
READ_VALUE		value_name = Version	1	Fn
READ_VALUE		value_name = StoresServiceClassInfo	1	Fn
READ_VALUE		value_name = ProviderInfo	1	Fn
READ_VALUE		value_name = Ws2_32NumHandleBuckets	1	Fn
READ_VALUE		value_name = Num_Catalog_Entries64	2	Fn
READ_VALUE	Catalog_Entries64\Catalog_Entries64\000000000001	value_name = NtLmInfoLevel	2	Fn
READ_VALUE		value_name = LmCompatibilityLevel	3	Fn
READ_VALUE		value_name = UseMachineId	3	Fn
READ_VALUE		value_name = ForceGuest	6	Fn
READ_VALUE		value_name = DisallowMsvChapv2	3	Fn
READ_VALUE		value_name = LimitBlankPasswordUse	6	Fn
READ_VALUE		value_name = DisableLoopbackCheck	3	Fn
READ_VALUE		value_name = DebugBreakIfDebugged	3	Fn
READ_VALUE		value_name = OldPasswordAllowedPeriod	3	Fn
READ_VALUE		value_name = AllowLegacySrvCall	3	Fn
READ_VALUE		value_name = SendNt2ResponseOnly	3	Fn
READ_VALUE		value_name = NtlmMinClientSec	3	Fn
READ_VALUE		value_name = NtlmMinServerSec	3	Fn
READ_VALUE		value_name = BackConnectionHostNames	3	Fn
READ_VALUE		value_name = RestrictSendingNTLMTraffic	3	Fn
READ_VALUE		value_name = RestrictReceivingNTLMTraffic	3	Fn
READ_VALUE		value_name = AuditReceivingNTLMTraffic	3	Fn
READ_VALUE		value_name = ClientAllowedNTLMServers	3	Fn
READ_VALUE		value_name = NTLMInfoEvent	3	Fn
READ_VALUE		value_name = allownullsessionfallback	3	Fn
READ_VALUE		value_name = AllowS4UForDomainUsers	3	Fn
READ_VALUE		value_name = MappedDomain	1	Fn
READ_VALUE		value_name = PreferredDomain	1	Fn
READ_VALUE		value_name = IPAddressRefreshInterval	1	Fn
READ_VALUE		value_name = SystemSetupInProgress	1	Fn
READ_VALUE		value_name = LogLevel	2	Fn
READ_VALUE		value_name = Debuglevel	2	Fn
READ_VALUE	System\CurrentControlSet\Control\SecurityProviders\WDigest	value_name = Negotiate	3	Fn
READ_VALUE	System\CurrentControlSet\Control\SecurityProviders\WDigest	value_name = UTF8HTTP	3	Fn
READ_VALUE	System\CurrentControlSet\Control\SecurityProviders\WDigest	value_name = UTF8SASL	3	Fn
READ_VALUE	System\CurrentControlSet\Control\SecurityProviders\WDigest	value_name = ServerCompat	3	Fn
READ_VALUE	System\CurrentControlSet\Control\SecurityProviders\WDigest	value_name = ClientCompat	3	Fn
READ_VALUE	System\CurrentControlSet\Control\SecurityProviders\WDigest	value_name = DigestEncryptionAlgorithms	1	Fn
READ_VALUE	System\CurrentControlSet\Control\SecurityProviders\WDigest	value_name = UseLogonCredential	3	Fn
READ_VALUE	System\CurrentControlSet\Control\SecurityProviders\WDigest	value_name = DisableNameRealmValidation	3	Fn
READ_VALUE	System\CurrentControlSet\Control\SecurityProviders\WDigest	value_name = Debuglevel	3	Fn
READ_VALUE	\Registry\Machine\System\CurrentControlSet\Control\ComputerName\ComputerName	value_name = Name	8	Fn
READ_VALUE	\Registry\Machine\System\CurrentControlSet\Control\ComputerName\ComputerName	value_name = Type	2	Fn
READ_VALUE	\Registry\Machine\System\CurrentControlSet\Control\ComputerName\ComputerName	value_name = Image Path	8	Fn
READ_VALUE		value_name = MachineGuid	1	Fn
READ_VALUE	Software\Microsoft\Cryptography	value_name = MachineGuid	1	Fn
READ_VALUE	\Registry\Machine\System\CurrentControlSet\Control\Nls\Sorting\Versions	value_name = 000602xx	1	Fn
READ_VALUE	Nameless FileMapping	value_name = MachineGuid	4	Fn
READ_VALUE	System\CurrentControlSet\Control\SecurityProviders\WDigest	value_name = DigestEncryptionAlgorithms	4	Fn
READ_VALUE		value_name = MaxCredentialsSize	1	Fn
READ_VALUE		value_name = TargetInfoCacheSize	1	Fn
READ_VALUE		value_name = LsaLookupCacheRefreshTime	4	Fn
READ_VALUE		value_name = LsaLookupCacheExpireTime	4	Fn
READ_VALUE		value_name = LsaLookupCacheMaxSize	4	Fn
READ_VALUE		value_name = Extension	4	Fn
READ_VALUE		value_name = SecurityProviders	2	Fn
READ_VALUE	SOFTWARE\Microsoft\Cryptography\Protect\Providers\df9d8cd0-1501-11d1-8c7a-00c04fc297eb	value_name = MasterKeyIterationCount	2	Fn
READ_VALUE	SOFTWARE\Microsoft\Cryptography\Protect\Providers\df9d8cd0-1501-11d1-8c7a-00c04fc297eb	value_name = MasterKeyLegacyCompliance	2	Fn
READ_VALUE	SOFTWARE\Microsoft\Cryptography\Protect\Providers\df9d8cd0-1501-11d1-8c7a-00c04fc297eb	value_name = MasterKeyLegacyNt4Domain	2	Fn
READ_VALUE	SOFTWARE\Microsoft\Cryptography\Protect\Providers\df9d8cd0-1501-11d1-8c7a-00c04fc297eb	value_name = DistributeBackupKey	2	Fn
READ_VALUE	SOFTWARE\Microsoft\Cryptography\Protect\Providers\df9d8cd0-1501-11d1-8c7a-00c04fc297eb	value_name = ProtectionPolicy	2	Fn
READ_VALUE	SOFTWARE\Microsoft\Cryptography\Protect\Providers\df9d8cd0-1501-11d1-8c7a-00c04fc297eb	value_name = Recovery Version	2	Fn
READ_VALUE	SOFTWARE\Microsoft\Cryptography\Protect\Providers\df9d8cd0-1501-11d1-8c7a-00c04fc297eb	value_name = Encr Alg	2	Fn
READ_VALUE	SOFTWARE\Microsoft\Cryptography\Protect\Providers\df9d8cd0-1501-11d1-8c7a-00c04fc297eb	value_name = Encr Alg Key Size	2	Fn
READ_VALUE	SOFTWARE\Microsoft\Cryptography\Protect\Providers\df9d8cd0-1501-11d1-8c7a-00c04fc297eb	value_name = MAC Alg	2	Fn
READ_VALUE	SOFTWARE\Microsoft\Cryptography\Protect\Providers\df9d8cd0-1501-11d1-8c7a-00c04fc297eb	value_name = MAC Alg Key Size	2	Fn
READ_VALUE		value_name = MiniSetupInProgress	1	Fn
READ_VALUE	System\CurrentControlSet\Control\Lsa\Audit\AuditPolicy	value_name = AuditPolicySD	1	Fn
READ_VALUE		value_name = LookupLogLevel	3	Fn
READ_VALUE		value_name = LsaLookupReturnSidTypeDeleted	3	Fn
READ_VALUE		value_name = LsaLookupRestrictIsolatedNameLevel	3	Fn
READ_VALUE		value_name = LsarpcServerAllowRemotedSecretOperations	3	Fn
READ_VALUE		value_name = LsaAllowReturningUnencryptedSecrets	3	Fn
READ_VALUE		value_name = NoLmHash	3	Fn
READ_VALUE		value_name = SamReplicatePasswordsUrgently	3	Fn
READ_VALUE		value_name = SamAccountLockoutTestMode	3	Fn
READ_VALUE		value_name = SamDisableListenOnTCP	3	Fn
READ_VALUE		value_name = IgnoreGCFailures	3	Fn
READ_VALUE		value_name = SamNoGcLogonEnforceKerberosIpCheck	3	Fn
READ_VALUE		value_name = SamNoGcLogonEnforceNTLMCheck	3	Fn
READ_VALUE		value_name = SamDisableSingleObjectRepl	3	Fn
READ_VALUE		value_name = SamDisableRSOOnPDCForward	3	Fn
READ_VALUE		value_name = SamDisableResetBadPwdCountForward	3	Fn
READ_VALUE		value_name = SamConnectedAccountsExist	3	Fn
READ_VALUE		value_name = SamDisableOutboundRSO	3	Fn
READ_VALUE		value_name = RestrictAnonymous	3	Fn
READ_VALUE		value_name = RestrictAnonymousSam	3	Fn
READ_VALUE		value_name = ExtendedSidEmulationMode	3	Fn
READ_VALUE		value_name = SamLogSize	3	Fn
READ_VALUE		value_name = SamLogLevel	3	Fn
READ_VALUE		value_name = SamRestrictOwfPasswordChange	3	Fn
READ_VALUE		value_name = MaxSamConnections	3	Fn
READ_VALUE		value_name = dsrmAdminLogonBehavior	3	Fn
READ_VALUE		value_name = SamMaxQueueLengthForPDCForward	3	Fn
READ_VALUE		value_name = EnableClaimsTransformationEcho	3	Fn
READ_VALUE		value_name = EnumerationCachePurgeInterval	3	Fn
READ_VALUE		value_name = EnumerationCacheEntryLifetime	3	Fn
READ_VALUE		value_name = DirectoryServiceExtPt	61	Fn
READ_VALUE		value_name = PolicyFilterOff	1	Fn
READ_VALUE		value_name = 9	1	Fn
READ_VALUE		value_name = 68	1	Fn
READ_VALUE	Software\Microsoft\Windows\CurrentVersion\Policies\System\Audit	value_name = ProcessCreationIncludeCmdLine_Enabled	1	Fn
READ_VALUE		value_name = SQMServiceList	1	Fn
READ_VALUE	\Registry\Machine\System\CurrentControlSet\Control\ComputerName\ActiveComputerName	value_name = ComputerName	2	Fn
WRITE_VALUE			11	Fn
WRITE_VALUE		value_name = LsaPid, data = 436	1	Fn
WRITE_VALUE	JD	value_name = Lookup	1	Fn Data
WRITE_VALUE	Skew1	value_name = SkewMatrix	1	Fn Data
WRITE_VALUE	GBG	value_name = GrafBlumGroup	1	Fn Data
WRITE_VALUE	Data	value_name = Pattern	1	Fn Data
WRITE_VALUE		value_name = SecureBoot, data = 1	1	Fn
WRITE_VALUE		value_name = Num_Catalog_Entries64, data = 0	1	Fn
WRITE_VALUE		value_name = Next_Catalog_Entry_ID, data = 1001	1	Fn
WRITE_VALUE		value_name = Serial_Access_Num, data = 2	1	Fn
WRITE_VALUE	Catalog_Entries64\Catalog_Entries64\000000000001	value_name = LibraryPath, data = X:\Windows\system32\mswsock.dll	1	Fn
WRITE_VALUE	Catalog_Entries64\Catalog_Entries64\000000000001	value_name = DisplayString, data = Tcpip	1	Fn
WRITE_VALUE	Catalog_Entries64\Catalog_Entries64\000000000001	value_name = ProviderId	1	Fn Data
WRITE_VALUE	Catalog_Entries64\Catalog_Entries64\000000000001	value_name = SupportedNameSpace, data = 12	1	Fn
WRITE_VALUE	Catalog_Entries64\Catalog_Entries64\000000000001	value_name = Enabled, data = 1	1	Fn
WRITE_VALUE	Catalog_Entries64\Catalog_Entries64\000000000001	value_name = Version, data = 0	1	Fn
WRITE_VALUE	Catalog_Entries64\Catalog_Entries64\000000000001	value_name = StoresServiceClassInfo, data = 1	1	Fn
WRITE_VALUE	Catalog_Entries64\Catalog_Entries64\000000000001	value_name = ProviderInfo	1	Fn
WRITE_VALUE	Catalog_Entries64	value_name = Num_Catalog_Entries64, data = 1	1	Fn
WRITE_VALUE	Catalog_Entries64	value_name = Serial_Access_Num, data = 2	1	Fn
WRITE_VALUE		value_name = DigestEncryptionAlgorithms, data = 3des,rc4	1	Fn
WRITE_VALUE	Software\Microsoft\Cryptography	value_name = MachineGuid, data = 4510eeb9-2c9e-4e5e-bb64-8d8e190b646f	1	Fn
WRITE_VALUE		value_name = RNGAuxiliarySeed, data = 1477820023	1	Fn
WRITE_VALUE		value_name = ProductType, data = 1	1	Fn
WRITE_VALUE	System\CurrentControlSet\Control\Lsa\Audit\AuditPolicy	value_name = AuditPolicySD	1	Fn Data
DELETE_KEY			8	Fn
DELETE_KEY	Catalog_Entries64		1	Fn
DELETE_KEY	Catalog_Entries64\Catalog_Entries64		1	Fn

Driver (15)

Operation	Driver	Additional Information	Amount	Logfile
CONTROL			2	Fn
CONTROL		control_code = 0x390008	2	Fn
CONTROL		control_code = 0x110008	3	Fn
CONTROL		control_code = 0x110024	1	Fn
CONTROL	\device\namedpipe\lsarpc	control_code = 0x11c017	1	Fn
CONTROL		control_code = 0x11001c	5	Fn
CONTROL		control_code = 0x110004	1	Fn

System (25)

Operation	Information	Amount	Logfile
SLEEP		1	Fn
SLEEP	duration = 460268828672 milliseconds (460268828.672 seconds)	1	Fn
GET_INFO	type = SYSTEM_CURRENT_TIME_ZONE_INFORMATION	1	Fn
GET_INFO	type = SYSTEM_BASIC_INFORMATION	12	Fn
GET_INFO	type = SYSTEM_PROCESSOR_INFORMATION	9	Fn
GET_INFO		1	Fn

Ini (8)

Operation	Filename	Additional Information	Success	Amount	Logfile
READ	Win.ini			8	Fn

Debug (4)

Operation	Type	Additional Information	Success	Amount	Logfile
CHECK_FOR_PRESENCE	DEBUGGER	process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\lsass.exe, os_pid = 0x1b4		4	Fn

Process #12: svchost.exe

(Host: 27926, Network: 0)

Information	Value
ID / OS PID	#12 / 0x210
OS Parent PID	0x1ac (c:\windows\system32\csrss.exe)
Initial Working Directory	X:\windows\system32
File Name	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\svchost.exe
Command Line	X:\windows\system32\svchost.exe -k DcomLaunch
Monitor	Start Time: 00:01:47, Reason: Child Process
Unmonitor	End Time: 00:02:07, Reason: Terminated by Timeout
Monitor Duration	00:00:20
OS Thread IDs	#92 0x214 #93 0x218 #94 0x21C #95 0x220 #98 0x228 #99 0x22C #100 0x230 #101 0x234 #106 0x24C #109 0x258 #110 0x25C #117 0x280 #119 0x284 #120 0x288

Region

Name	Start VA	End VA	Type	Permissions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable
private_0x000000aee6980000	0xaee6980000	0xaee699ffff	Private Memory	Readable, Writable
pagefile_0x000000aee6980000	0xaee6980000	0xaee698ffff	Pagefile Backed File	Readable, Writable
private_0x000000aee6990000	0xaee6990000	0xaee6996fff	Private Memory	Readable, Writable
pagefile_0x000000aee69a0000	0xaee69a0000	0xaee69aefff	Pagefile Backed File	Readable
private_0x000000aee69b0000	0xaee69b0000	0xaee6a2ffff	Private Memory	Readable, Writable
pagefile_0x000000aee6a30000	0xaee6a30000	0xaee6a33fff	Pagefile Backed File	Readable
pagefile_0x000000aee6a40000	0xaee6a40000	0xaee6a40fff	Pagefile Backed File	Readable
private_0x000000aee6a50000	0xaee6a50000	0xaee6a51fff	Private Memory	Readable, Writable
locale.nls	0xaee6a60000	0xaee6addfff	Memory Mapped File	Readable
private_0x000000aee6ae0000	0xaee6ae0000	0xaee6b5ffff	Private Memory	Readable, Writable
private_0x000000aee6b60000	0xaee6b60000	0xaee6b66fff	Private Memory	Readable, Writable
private_0x000000aee6b70000	0xaee6b70000	0xaee6c6ffff	Private Memory	Readable, Writable
private_0x000000aee6c70000	0xaee6c70000	0xaee6ceffff	Private Memory	Readable, Writable
pagefile_0x000000aee6c70000	0xaee6c70000	0xaee6c70fff	Pagefile Backed File	Readable, Writable
pagefile_0x000000aee6c80000	0xaee6c80000	0xaee6c80fff	Pagefile Backed File	Readable
pagefile_0x000000aee6c90000	0xaee6c90000	0xaee6c90fff	Pagefile Backed File	Readable, Writable
private_0x000000aee6ca0000	0xaee6ca0000	0xaee6caffff	Private Memory	Readable, Writable
private_0x000000aee6cb0000	0xaee6cb0000	0xaee6cb0fff	Private Memory	Readable, Writable
sortdefault.nls	0xaee6cf0000	0xaee6fc4fff	Memory Mapped File	Readable
private_0x000000aee6fd0000	0xaee6fd0000	0xaee704ffff	Private Memory	Readable, Writable
private_0x000000aee6fd0000	0xaee6fd0000	0xaee704ffff	Private Memory	Readable, Writable
private_0x000000aee6fd0000	0xaee6fd0000	0xaee704ffff	Private Memory	Readable, Writable
private_0x000000aee7090000	0xaee7090000	0xaee709ffff	Private Memory	Readable, Writable
private_0x000000aee70a0000	0xaee70a0000	0xaee711ffff	Private Memory	Readable, Writable
private_0x000000aee7120000	0xaee7120000	0xaee719ffff	Private Memory	Readable, Writable
private_0x000000aee71a0000	0xaee71a0000	0xaee721ffff	Private Memory	Readable, Writable
private_0x000000aee7220000	0xaee7220000	0xaee729ffff	Private Memory	Readable, Writable
private_0x000000aee72a0000	0xaee72a0000	0xaee731ffff	Private Memory	Readable, Writable
private_0x000000aee72a0000	0xaee72a0000	0xaee731ffff	Private Memory	Readable, Writable
private_0x000000aee7320000	0xaee7320000	0xaee741ffff	Private Memory	Readable, Writable
private_0x000000aee7420000	0xaee7420000	0xaee749ffff	Private Memory	Readable, Writable
private_0x000000aee75c0000	0xaee75c0000	0xaee75cffff	Private Memory	Readable, Writable
pagefile_0x00007df5ffd40000	0x7df5ffd40000	0x7ff5ffd3ffff	Pagefile Backed File	-
private_0x00007ff7c9778000	0x7ff7c9778000	0x7ff7c9779fff	Private Memory	Readable, Writable
private_0x00007ff7c977a000	0x7ff7c977a000	0x7ff7c977bfff	Private Memory	Readable, Writable
private_0x00007ff7c977a000	0x7ff7c977a000	0x7ff7c977bfff	Private Memory	Readable, Writable
private_0x00007ff7c977c000	0x7ff7c977c000	0x7ff7c977dfff	Private Memory	Readable, Writable
private_0x00007ff7c977e000	0x7ff7c977e000	0x7ff7c977ffff	Private Memory	Readable, Writable
pagefile_0x00007ff7c9780000	0x7ff7c9780000	0x7ff7c987ffff	Pagefile Backed File	Readable
pagefile_0x00007ff7c9880000	0x7ff7c9880000	0x7ff7c98a2fff	Pagefile Backed File	Readable
private_0x00007ff7c98a4000	0x7ff7c98a4000	0x7ff7c98a5fff	Private Memory	Readable, Writable
private_0x00007ff7c98a6000	0x7ff7c98a6000	0x7ff7c98a6fff	Private Memory	Readable, Writable
private_0x00007ff7c98a8000	0x7ff7c98a8000	0x7ff7c98a9fff	Private Memory	Readable, Writable
private_0x00007ff7c98a8000	0x7ff7c98a8000	0x7ff7c98a9fff	Private Memory	Readable, Writable
private_0x00007ff7c98aa000	0x7ff7c98aa000	0x7ff7c98abfff	Private Memory	Readable, Writable
private_0x00007ff7c98aa000	0x7ff7c98aa000	0x7ff7c98abfff	Private Memory	Readable, Writable
private_0x00007ff7c98aa000	0x7ff7c98aa000	0x7ff7c98abfff	Private Memory	Readable, Writable
private_0x00007ff7c98ac000	0x7ff7c98ac000	0x7ff7c98adfff	Private Memory	Readable, Writable
private_0x00007ff7c98ae000	0x7ff7c98ae000	0x7ff7c98affff	Private Memory	Readable, Writable
svchost.exe	0x7ff7ca810000	0x7ff7ca81cfff	Memory Mapped File	Readable, Writable, Executable
DAB.dll	0x7ffb70190000	0x7ffb701abfff	Memory Mapped File	Readable, Writable, Executable
SystemEventsBrokerServer.dll	0x7ffb70300000	0x7ffb7034bfff	Memory Mapped File	Readable, Writable, Executable
DEVOBJ.dll	0x7ffb705b0000	0x7ffb705d7fff	Memory Mapped File	Readable, Writable, Executable
pcwum.dll	0x7ffb70600000	0x7ffb7060dfff	Memory Mapped File	Readable, Writable, Executable
WMsgAPI.dll	0x7ffb70610000	0x7ffb70618fff	Memory Mapped File	Readable, Writable, Executable
SYSNTFY.dll	0x7ffb70620000	0x7ffb7062bfff	Memory Mapped File	Readable, Writable, Executable
lsm.dll	0x7ffb70630000	0x7ffb706f5fff	Memory Mapped File	Readable, Writable, Executable
rpcss.dll	0x7ffb70740000	0x7ffb7080bfff	Memory Mapped File	Readable, Writable, Executable
umpo.dll	0x7ffb70810000	0x7ffb70827fff	Memory Mapped File	Readable, Writable, Executable
umpnpmgr.dll	0x7ffb70830000	0x7ffb70851fff	Memory Mapped File	Readable, Writable, Executable
USERENV.dll	0x7ffb70dd0000	0x7ffb70df0fff	Memory Mapped File	Readable, Writable, Executable
SspiCli.dll	0x7ffb71500000	0x7ffb7152dfff	Memory Mapped File	Readable, Writable, Executable
powrprof.dll	0x7ffb71530000	0x7ffb71575fff	Memory Mapped File	Readable, Writable, Executable
bcryptPrimitives.dll	0x7ffb71580000	0x7ffb715e2fff	Memory Mapped File	Readable, Writable, Executable
CRYPTBASE.dll	0x7ffb715f0000	0x7ffb715fafff	Memory Mapped File	Readable, Writable, Executable
profapi.dll	0x7ffb716b0000	0x7ffb716c4fff	Memory Mapped File	Readable, Writable, Executable
kernelbase.dll	0x7ffb71760000	0x7ffb71874fff	Memory Mapped File	Readable, Writable, Executable
CFGMGR32.dll	0x7ffb71880000	0x7ffb718cefff	Memory Mapped File	Readable, Writable, Executable
sechost.dll	0x7ffb733c0000	0x7ffb73418fff	Memory Mapped File	Readable, Writable, Executable
kernel32.dll	0x7ffb73480000	0x7ffb735bdfff	Memory Mapped File	Readable, Writable, Executable
combase.dll	0x7ffb73740000	0x7ffb73950fff	Memory Mapped File	Readable, Writable, Executable
rpcrt4.dll	0x7ffb73a30000	0x7ffb73b70fff	Memory Mapped File	Readable, Writable, Executable
MSVCRT.dll	0x7ffb74050000	0x7ffb740f9fff	Memory Mapped File	Readable, Writable, Executable
ntdll.dll	0x7ffb74120000	0x7ffb742cbfff	Memory Mapped File	Readable, Writable, Executable

Injection Information

Injection Type	Source Process	Source Os Thread ID	Injection Info	Amount	Logfile
Modify Memory	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\services.exe	0x1b0	address = 0xaee6a50000, size = 4704	1	Fn Data
Modify Memory	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\services.exe	0x1b0	address = 0x7ff7c98a62d8, size = 8	1	Fn Data
Modify Memory	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\lsass.exe	0x1cc	No corresponding api call detected. Probably injected code via shellcode.	1
Modify Memory	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\lsass.exe	0x1cc	No corresponding api call detected. Probably injected code via shellcode.	1
Modify Memory	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\lsass.exe	0x1cc	No corresponding api call detected. Probably injected code via shellcode.	1
Modify Memory	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\lsass.exe	0x1cc	No corresponding api call detected. Probably injected code via shellcode.	1
Modify Memory	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\lsass.exe	0x1cc	No corresponding api call detected. Probably injected code via shellcode.	1
Modify Memory	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\lsass.exe	0x1cc	No corresponding api call detected. Probably injected code via shellcode.	1
Modify Memory	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\lsass.exe	0x1cc	No corresponding api call detected. Probably injected code via shellcode.	1
Modify Memory	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\lsass.exe	0x1cc	No corresponding api call detected. Probably injected code via shellcode.	1
Modify Memory	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\lsass.exe	0x1cc	No corresponding api call detected. Probably injected code via shellcode.	1

Host Behavior

File (3)

Operation	Filename	Additional Information	Amount	Logfile
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\globalization\sorting\sortdefault.nls	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\deviceapi\cmapi	desired_access = GENERIC_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	1	Fn
OPEN	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\lsm.dll	desired_access = FILE_READ_DATA, FILE_READ_EA, FILE_READ_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_NON_DIRECTORY_FILE	1	Fn

Process (50)

Operation	Process Name	Additional Information	Amount	Logfile
OPEN			6	Fn
OPEN	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\svchost.exe	os_pid = 0x238, desired_access = PROCESS_ALL_ACCESS	1	Fn
OPEN	c:\windows\system32\csrss.exe	os_pid = 0x164, desired_access = SYNCHRONIZE	1	Fn
OPEN	c:\windows\system32\csrss.exe	os_pid = 0x164, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
OPEN	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe	os_pid = 0x134, desired_access = PROCESS_QUERY_LIMITED_INFORMATION, SYNCHRONIZE	1	Fn
OPEN	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\winlogon.exe	os_pid = 0x194, desired_access = SYNCHRONIZE	1	Fn
OPEN	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\winlogon.exe	os_pid = 0x194, desired_access = PROCESS_QUERY_INFORMATION	4	Fn
OPEN	c:\windows\system32\wermgr.exe	os_pid = 0x16c, desired_access = PROCESS_QUERY_LIMITED_INFORMATION, SYNCHRONIZE	1	Fn
OPEN	c:\windows\system32\wermgr.exe	os_pid = 0x16c, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
OPEN	c:\windows\system32\wermgr.exe	os_pid = 0x16c, desired_access = PROCESS_QUERY_LIMITED_INFORMATION	1	Fn
OPEN	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe	os_pid = 0x134, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
OPEN	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe	os_pid = 0x134, desired_access = PROCESS_QUERY_LIMITED_INFORMATION	1	Fn
OPEN	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\lsass.exe	os_pid = 0x1b4, desired_access = PROCESS_QUERY_INFORMATION	2	Fn
OPEN	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\wallpaperhost.exe	os_pid = 0x290, desired_access = PROCESS_QUERY_INFORMATION	2	Fn
OPEN	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\svchost.exe	os_pid = 0x2b0, desired_access = PROCESS_QUERY_LIMITED_INFORMATION	1	Fn
OPEN_TOKEN			1	Fn
GET_INFO	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe	os_pid = 0x134	1	Fn
GET_INFO	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe	os_pid = 0x134	1	Fn
GET_INFO	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe	os_pid = 0x134	1	Fn
GET_INFO	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe	os_pid = 0x134	3	Fn
GET_INFO	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe	os_pid = 0x134	1	Fn
GET_INFO			10	Fn
GET_INFO			4	Fn
GET_INFO	Software\Microsoft\Windows\CurrentVersion\NetworkServiceTriggers\Triggers\bc90d167-9470-4139-a9ba-be0bbbf5b74d		1	Fn
GET_INFO	Software\Microsoft\Windows\CurrentVersion\NetworkServiceTriggers\Triggers\bc90d167-9470-4139-a9ba-be0bbbf5b74d\2EB08E3E-639F-4fba-97B1-14F878961076\Software\Microsoft\Windows\CurrentVersion\NetworkServiceTriggers\Triggers\bc90d167-9470-4139-a9ba-be0bbbf5b74d\b25a52bf-e5dd-4f4a-aea6-8ca7272a0e86		1	Fn
GET_INFO			1	Fn

Thread (6)

Operation	Process Name	Additional Information	Amount	Logfile
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe	os_pid = 0x134, proc_address = 0x7ffb733c7ef0, desired_access = THREAD_ALL_ACCESS	2	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe	os_pid = 0x134, proc_address = 0x7ffb733c7ef0, desired_access = THREAD_ALL_ACCESS	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe	os_pid = 0x134, proc_address = 0x7ffb733c7ef0, desired_access = THREAD_ALL_ACCESS	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe	os_pid = 0x134, proc_address = 0x7ffb733c7ef0, desired_access = THREAD_ALL_ACCESS	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe	os_pid = 0x134, proc_address = 0x7ffb701a1e00, desired_access = THREAD_ALL_ACCESS	1	Fn

Module (57)

Operation	Module	Additional Information	Amount	Logfile
LOAD	rpcrt4.dll	base_address = 0x0	1	Fn
LOAD	kernel32.dll	base_address = 0x0	1	Fn
LOAD		base_address = 0x7ffb70830000	1	Fn
LOAD	x:\windows\system32\umpnpmgr.dll	base_address = 0x0	1	Fn
LOAD		base_address = 0x7ffb70810000	1	Fn
LOAD	x:\windows\system32\umpo.dll	base_address = 0x0	1	Fn
LOAD		base_address = 0x7ffb70740000	1	Fn
LOAD	x:\windows\system32\rpcss.dll		1	Fn
LOAD		base_address = 0x7ffb71500000	1	Fn
LOAD	sspicli.dll	base_address = 0x0	2	Fn
LOAD		base_address = 0x7ffb70630000	1	Fn
LOAD	x:\windows\system32\lsm.dll	base_address = 0x0	1	Fn
LOAD		base_address = 0x7ffb70dd0000	1	Fn
LOAD	X:\windows\System32\Userenv.dll	base_address = 0x0	1	Fn
LOAD		base_address = 0x7ffb70300000	1	Fn
LOAD	x:\windows\system32\systemeventsbrokerserver.dll	base_address = 0x0	1	Fn
GET_HANDLE	rpcrt4.dll		1	Fn
GET_HANDLE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\svchost.exe		1	Fn
GET_HANDLE	advapi32.dll		1	Fn
GET_HANDLE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\svchost.exe		2	Fn
GET_HANDLE	api-ms-win-eventing-provider-l1-1-0.dll		1	Fn
GET_HANDLE	ntdll.dll		1	Fn
CREATE_MAPPING	Nameless FileMapping	file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\globalization\sorting\sortdefault.nls, maximum_size = 0, protection = PAGE_READONLY	1	Fn
CREATE_MAPPING	Nameless FileMapping		3	Fn
CREATE_MAPPING	Global\__ComCatalogCache__	module_name = sspicli.dll, maximum_size = 751200171792, protection = PAGE_READWRITE	1	Fn
CREATE_MAPPING	Global\RotHintTable	module_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\svchost.exe, maximum_size = 751194992064, protection = PAGE_READWRITE	1	Fn
CREATE_MAPPING	Global\{A64C7F33-DA35-459b-96CA-63B51FB0CDB9}	module_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\svchost.exe, maximum_size = 751194992320, protection = PAGE_READWRITE	1	Fn
MAP	Nameless FileMapping	process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134, address = 0xaee6cf0000	1	Fn
MAP	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\svchost.exe	os_pid = 0x210, address = 0xaee6c70000	1	Fn
MAP	Global\__ComCatalogCache__	process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134, address = 0xaee6c70000	1	Fn
MAP	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\svchost.exe	os_pid = 0x210, address = 0xaee6c90000	1	Fn
MAP	Global\RotHintTable	process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134, address = 0xaee6c90000	1	Fn
MAP	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\svchost.exe	os_pid = 0x210, address = 0xaee6cb0000	1	Fn
MAP	Global\{A64C7F33-DA35-459b-96CA-63B51FB0CDB9}	process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134, address = 0xaee6cb0000	1	Fn
UNMAP	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\svchost.exe	os_pid = 0x210	1	Fn
GET_PROC_ADDRESS		address_out = 0x7ffb708390b0	1	Fn
GET_PROC_ADDRESS		address_out = 0x7ffb708310a0	1	Fn
GET_PROC_ADDRESS		address_out = 0x7ffb708170f0	1	Fn
GET_PROC_ADDRESS		address_out = 0x0	3	Fn
GET_PROC_ADDRESS		address_out = 0x7ffb7078a100	1	Fn
GET_PROC_ADDRESS		address_out = 0x7ffb741751c0	2	Fn
GET_PROC_ADDRESS		address_out = 0x7ffb7413b300	2	Fn
GET_PROC_ADDRESS		address_out = 0x7ffb7413c360	2	Fn
GET_PROC_ADDRESS		address_out = 0x7ffb74175650	1	Fn
GET_PROC_ADDRESS		address_out = 0x7ffb70672ee0	1	Fn
GET_PROC_ADDRESS		address_out = 0x7ffb70dd1d60	1	Fn
GET_PROC_ADDRESS		address_out = 0x7ffb7030f080	1	Fn
GET_PROC_ADDRESS		address_out = 0x7ffb7030ed50	1	Fn

Service (20)

Operation	Service	Additional Information	Amount	Logfile
OPEN_MGR	SERVICES_ACTIVE_DATABASE	host = Localhost	7	Fn
OPEN			1	Fn
OPEN			6	Fn
GET_INFO		type = Status	1	Fn
REGISTER_HANDLER			5	Fn

Registry (27244)

Operation	Key	Additional Information	Amount	Logfile
CREATE_KEY			6	Fn
CREATE_KEY	System\CurrentControlSet\Control\Power\SecurityDescriptors		1	Fn
CREATE_KEY	Software\Microsoft\Windows\CurrentVersion\NetworkServiceTriggers\Triggers\bc90d167-9470-4139-a9ba-be0bbbf5b74d\5c9a4cd7-ba75-45d2-9898-1773b3d1e5f1		1	Fn
CREATE_KEY	Software		1	Fn
CREATE_KEY	Software\Microsoft		1	Fn
CREATE_KEY	Software\Microsoft\Windows		1	Fn
CREATE_KEY	Software\Microsoft\Windows\CurrentVersion		1	Fn
CREATE_KEY	Software\Microsoft\Windows\CurrentVersion\NetworkServiceTriggers		1	Fn
CREATE_KEY	Software\Microsoft\Windows\CurrentVersion\NetworkServiceTriggers\Triggers		1	Fn
CREATE_KEY	Software\Microsoft\Windows\CurrentVersion\NetworkServiceTriggers\Triggers\bc90d167-9470-4139-a9ba-be0bbbf5b74d		1	Fn
CREATE_KEY	Software\Microsoft\Windows\CurrentVersion\NetworkServiceTriggers\Triggers\bc90d167-9470-4139-a9ba-be0bbbf5b74d\5c9a4cd7-ba75-45d2-9898-1773b3d1e5f1		1	Fn
CREATE_KEY	Software\Microsoft\Windows\CurrentVersion\NetworkServiceTriggers\Triggers\bc90d167-9470-4139-a9ba-be0bbbf5b74d\2EB08E3E-639F-4fba-97B1-14F878961076		1	Fn
CREATE_KEY	Software\Microsoft\Windows\CurrentVersion\NetworkServiceTriggers\Triggers\bc90d167-9470-4139-a9ba-be0bbbf5b74d\2EB08E3E-639F-4fba-97B1-14F878961076\Software\Microsoft\Windows\CurrentVersion\NetworkServiceTriggers\Triggers\bc90d167-9470-4139-a9ba-be0bbbf5b74d\b25a52bf-e5dd-4f4a-aea6-8ca7272a0e86		1	Fn
CREATE_KEY	Software\Microsoft\Windows\CurrentVersion\NetworkServiceTriggers\Triggers\bc90d167-9470-4139-a9ba-be0bbbf5b74d\2EB08E3E-639F-4fba-97B1-14F878961076\Software\Microsoft\Windows\CurrentVersion\NetworkServiceTriggers\Triggers\bc90d167-9470-4139-a9ba-be0bbbf5b74d\b25a52bf-e5dd-4f4a-aea6-8ca7272a0e86\Software\Microsoft\Windows\CurrentVersion\NetworkServiceTriggers\Triggers\bc90d167-9470-4139-a9ba-be0bbbf5b74d\9B008953-F195-4BF9-BDE0-4471971E58ED		1	Fn
CREATE_KEY	Software\Microsoft\Windows\CurrentVersion\NetworkServiceTriggers\Triggers\bc90d167-9470-4139-a9ba-be0bbbf5b74d\2EB08E3E-639F-4fba-97B1-14F878961076\Software\Microsoft\Windows\CurrentVersion\NetworkServiceTriggers\Triggers\bc90d167-9470-4139-a9ba-be0bbbf5b74d\b25a52bf-e5dd-4f4a-aea6-8ca7272a0e86\System\CurrentControlSet\Control\Power\User\PowerSchemes		1	Fn
OPEN_KEY	\Registry\Machine\System\CurrentControlSet\Control\Nls\Sorting\Versions		1	Fn
OPEN_KEY			6019	Fn
OPEN_KEY			1078	Fn
OPEN_KEY	\Registry\Machine\System\CurrentControlSet\Control\ComputerName\ActiveComputerName		2	Fn
OPEN_KEY	\Registry\Machine\System\Setup		2	Fn
OPEN_KEY	Control Panel\International		1	Fn
OPEN_KEY	\Registry\Machine\System\CurrentControlSet\Control\Nls\CustomLocale		1	Fn
OPEN_KEY	\Registry\Machine\System\CurrentControlSet\Control\Nls\ExtendedLocale		1	Fn
OPEN_KEY	\Registry\Machine\System\CurrentControlSet\Control\Nls\Sorting\Ids		1	Fn
OPEN_KEY	\Registry\MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide		1	Fn
READ_VALUE	\Registry\Machine\System\CurrentControlSet\Control\Nls\Sorting\Versions	value_name = 751193748928	1	Fn
READ_VALUE			7513	Fn
READ_VALUE		value_name = DcomLaunch	2	Fn
READ_VALUE		value_name = MaxRpcSize	1	Fn
READ_VALUE	\Registry\Machine\System\CurrentControlSet\Control\ComputerName\ActiveComputerName	value_name = ComputerName	2	Fn
READ_VALUE	\Registry\Machine\System\Setup	value_name = OOBEInProgress	1	Fn
READ_VALUE	\Registry\Machine\System\Setup	value_name = SystemSetupInProgress	1	Fn
READ_VALUE		value_name = IdleTimerWindow	1	Fn
READ_VALUE	Control Panel\International		5	Fn
READ_VALUE	Control Panel\International		5	Fn
READ_VALUE	Control Panel\International	value_name = sCurrencyOverride	5	Fn
READ_VALUE	\Registry\Machine\System\CurrentControlSet\Control\Nls\CustomLocale	value_name = en-US	1	Fn
READ_VALUE	\Registry\Machine\System\CurrentControlSet\Control\Nls\ExtendedLocale	value_name = en-US	1	Fn
READ_VALUE	\Registry\Machine\System\CurrentControlSet\Control\Nls\Sorting\Versions	value_name = 000602xx	1	Fn
READ_VALUE	\Registry\Machine\System\CurrentControlSet\Control\Nls\Sorting\Ids	value_name = en-US	1	Fn
READ_VALUE	\Registry\Machine\System\CurrentControlSet\Control\Nls\Sorting\Ids	value_name = en	1	Fn
READ_VALUE		value_name = ServiceDll	5	Fn
READ_VALUE			2523	Fn
READ_VALUE		value_name = ServiceManifest	5	Fn
READ_VALUE		value_name = ServiceMain	4	Fn
READ_VALUE		value_name = ServiceDllUnloadOnStop	4	Fn
READ_VALUE		value_name = ActivePowerScheme	6	Fn
READ_VALUE		value_name = ValueMin	1568	Fn
READ_VALUE		value_name = ACSettingIndex	952	Fn
READ_VALUE		value_name = SettingValue	261	Fn
READ_VALUE		value_name = DCSettingIndex	326	Fn
READ_VALUE		value_name = ValueMin	1984	Fn
READ_VALUE		value_name = ValueMax	1984	Fn
READ_VALUE		value_name = ValueIncrement	936	Fn
READ_VALUE		value_name = ServiceMain	3	Fn
READ_VALUE		value_name = PageAllocatorUseSystemHeap	1	Fn
READ_VALUE		value_name = PageAllocatorSystemHeapIsPrivate	1	Fn
READ_VALUE		value_name = AggressiveMTATesting	1	Fn
READ_VALUE		value_name = ActivationFailureLoggingLevel	2	Fn
READ_VALUE		value_name = CallFailureLoggingLevel	2	Fn
READ_VALUE		value_name = InvalidSecurityDescriptorLoggingLevel	2	Fn
READ_VALUE		value_name = DisableActivationSecurityCheck	2	Fn
READ_VALUE		value_name = UseRunAsTokenCache	2	Fn
READ_VALUE		value_name = IssueActivationRpcAtIdentify	2	Fn
READ_VALUE		value_name = ResumeTimeout	2	Fn
READ_VALUE		value_name = DoNotAddAllApplicationPackagesToRestrictions	2	Fn
READ_VALUE		value_name = DefaultLaunchPermission	6	Fn
READ_VALUE		value_name = MachineLaunchRestriction	6	Fn
READ_VALUE		value_name = MachineLaunchRestriction	3	Fn
READ_VALUE		value_name = MachineAccessRestriction	6	Fn
READ_VALUE		value_name = MachineAccessRestriction	3	Fn
READ_VALUE		value_name = RemoteHandleCacheMaxSize	1	Fn
READ_VALUE		value_name = RemoteHandleCacheMaxLifetime	1	Fn
READ_VALUE		value_name = RemoteHandleCacheMaxIdleTimeout	1	Fn
READ_VALUE		value_name = StaleMidTimeout	1	Fn
READ_VALUE		value_name = SRPRunningObjectChecks	1	Fn
READ_VALUE		value_name = SRPActivateAsActivatorChecks	1	Fn
READ_VALUE		value_name = EnableSystemDynamicIPTracking	1	Fn
READ_VALUE		value_name = EnableEELogging	2	Fn
READ_VALUE		value_name = LogEEInfoAsNative	2	Fn
READ_VALUE		value_name = SecurityProviders	1	Fn
READ_VALUE		value_name = DCOM Security	2	Fn
READ_VALUE		value_name = EnableDCOM	2	Fn
READ_VALUE		value_name = OleModalLoopBehavior	2	Fn
READ_VALUE		value_name = DCOMSCMRemoteCallFlags	2	Fn
READ_VALUE		value_name = BreakOnUnexpectedActivationErrors	2	Fn
READ_VALUE		value_name = EnableDCOMHTTP	2	Fn
READ_VALUE		value_name = IgnoreServerExceptions	2	Fn
READ_VALUE		value_name = BreakOnSilencedServerExceptions	2	Fn
READ_VALUE		value_name = LegacyAuthenticationService	2	Fn
READ_VALUE		value_name = LegacyAuthenticationLevel	2	Fn
READ_VALUE		value_name = LegacyImpersonationLevel	2	Fn
READ_VALUE		value_name = LegacyMutualAuthentication	2	Fn
READ_VALUE		value_name = LegacySecureReferences	2	Fn
READ_VALUE		value_name = MaxActivationRetriesPerServer	2	Fn
READ_VALUE		value_name = REGDBVersion	2	Fn
READ_VALUE	\Registry\MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide	value_name = PreferExternalManifest	1	Fn
READ_VALUE		value_name = Debuglsm	9	Fn
READ_VALUE		value_name = Debug	81	Fn
READ_VALUE		value_name = CaptureStackTrace	81	Fn
READ_VALUE		value_name = DebuglsmFlags	9	Fn
READ_VALUE		value_name = DebugFlags	81	Fn
READ_VALUE		value_name = DebuglsmLevel	9	Fn
READ_VALUE		value_name = DebugLevel	81	Fn
READ_VALUE		value_name = DebuglsmToDebugger	9	Fn
READ_VALUE		value_name = DebugToDebugger	81	Fn
READ_VALUE		value_name = Debugtermsrv	9	Fn
READ_VALUE		value_name = DebugtermsrvFlags	9	Fn
READ_VALUE		value_name = DebugtermsrvLevel	9	Fn
READ_VALUE		value_name = DebugtermsrvToDebugger	9	Fn
READ_VALUE		value_name = Debugsdclient	9	Fn
READ_VALUE		value_name = DebugsdclientFlags	9	Fn
READ_VALUE		value_name = DebugsdclientLevel	9	Fn
READ_VALUE		value_name = DebugsdclientToDebugger	9	Fn
READ_VALUE		value_name = Debugwinsta	9	Fn
READ_VALUE		value_name = DebugwinstaFlags	9	Fn
READ_VALUE		value_name = DebugwinstaLevel	9	Fn
READ_VALUE		value_name = DebugwinstaToDebugger	9	Fn
READ_VALUE		value_name = Debugtsrpc	9	Fn
READ_VALUE		value_name = DebugtsrpcFlags	9	Fn
READ_VALUE		value_name = DebugtsrpcLevel	9	Fn
READ_VALUE		value_name = DebugtsrpcToDebugger	9	Fn
READ_VALUE		value_name = Debugsessionenv	9	Fn
READ_VALUE		value_name = DebugsessionenvFlags	9	Fn
READ_VALUE		value_name = DebugsessionenvLevel	9	Fn
READ_VALUE		value_name = DebugsessionenvToDebugger	9	Fn
READ_VALUE		value_name = Debugsessionmsg	9	Fn
READ_VALUE		value_name = DebugsessionmsgFlags	9	Fn
READ_VALUE		value_name = DebugsessionmsgLevel	9	Fn
READ_VALUE		value_name = DebugsessionmsgToDebugger	9	Fn
READ_VALUE		value_name = DebugTSVIPCli	9	Fn
READ_VALUE		value_name = DebugTSVIPCliFlags	9	Fn
READ_VALUE		value_name = DebugTSVIPCliLevel	9	Fn
READ_VALUE		value_name = DebugTSVIPCliToDebugger	9	Fn
READ_VALUE		value_name = DebugTSVIPSrv	9	Fn
READ_VALUE		value_name = DebugTSVIPSrvFlags	9	Fn
READ_VALUE		value_name = DebugTSVIPSrvLevel	9	Fn
READ_VALUE		value_name = DebugTSVIPSrvToDebugger	9	Fn
READ_VALUE		value_name = TSAppCompat	1	Fn
READ_VALUE		value_name = DebugTS	1	Fn
READ_VALUE		value_name = LSMBreakOnStart	1	Fn
READ_VALUE		value_name = ConsoleSecurity	4	Fn
READ_VALUE		value_name = ConsoleSecurity	2	Fn
READ_VALUE		value_name = LSMGlobalSetting	1	Fn
READ_VALUE		value_name = 9	1	Fn
READ_VALUE		value_name = DelayReadyEventTimeout	1	Fn
READ_VALUE		value_name = TSServerDrainMode	1	Fn
READ_VALUE		value_name = DelayConMgrTimeout	1	Fn
READ_VALUE		value_name = SystemSetupInProgress	6	Fn
READ_VALUE		value_name = NoParamValidation	1	Fn
READ_VALUE		value_name = RegisterPrivateEnabled	1	Fn
READ_VALUE		value_name = ServiceDllUnloadOnStop	1	Fn
READ_VALUE	System\CurrentControlSet\Control\Power\SecurityDescriptors	value_name = ActivePowerScheme	2	Fn
READ_VALUE	System\CurrentControlSet\Control\Power\SecurityDescriptors	value_name = Default	3	Fn
READ_VALUE	System\CurrentControlSet\Control\Power\SecurityDescriptors	value_name = Default	1	Fn
READ_VALUE	Software\Microsoft\Windows\CurrentVersion\NetworkServiceTriggers\Triggers\bc90d167-9470-4139-a9ba-be0bbbf5b74d\2EB08E3E-639F-4fba-97B1-14F878961076\Software\Microsoft\Windows\CurrentVersion\NetworkServiceTriggers\Triggers\bc90d167-9470-4139-a9ba-be0bbbf5b74d\b25a52bf-e5dd-4f4a-aea6-8ca7272a0e86\System\CurrentControlSet\Control\Power\User\PowerSchemes	value_name = ValueMin	85	Fn
READ_VALUE	Software\Microsoft\Windows\CurrentVersion\NetworkServiceTriggers\Triggers\bc90d167-9470-4139-a9ba-be0bbbf5b74d	value_name = ACSettingIndex	34	Fn
READ_VALUE	Software\Microsoft\Windows\CurrentVersion\NetworkServiceTriggers\Triggers\bc90d167-9470-4139-a9ba-be0bbbf5b74d	value_name = DCSettingIndex	10	Fn
READ_VALUE	Software\Microsoft\Windows\CurrentVersion\NetworkServiceTriggers\Triggers\bc90d167-9470-4139-a9ba-be0bbbf5b74d\2EB08E3E-639F-4fba-97B1-14F878961076\Software\Microsoft\Windows\CurrentVersion\NetworkServiceTriggers\Triggers\bc90d167-9470-4139-a9ba-be0bbbf5b74d\b25a52bf-e5dd-4f4a-aea6-8ca7272a0e86\System\CurrentControlSet\Control\Power\User\PowerSchemes	value_name = ACSettingIndex	62	Fn
READ_VALUE	Software\Microsoft\Windows\CurrentVersion\NetworkServiceTriggers\Triggers\bc90d167-9470-4139-a9ba-be0bbbf5b74d	value_name = SettingValue	31	Fn
READ_VALUE	Software\Microsoft\Windows\CurrentVersion\NetworkServiceTriggers\Triggers\bc90d167-9470-4139-a9ba-be0bbbf5b74d	value_name = ValueMin	67	Fn
READ_VALUE	Software\Microsoft\Windows\CurrentVersion\NetworkServiceTriggers\Triggers\bc90d167-9470-4139-a9ba-be0bbbf5b74d	value_name = ValueMax	67	Fn
READ_VALUE	Software\Microsoft\Windows\CurrentVersion\NetworkServiceTriggers\Triggers\bc90d167-9470-4139-a9ba-be0bbbf5b74d	value_name = ValueIncrement	48	Fn
READ_VALUE	Software\Microsoft\Windows\CurrentVersion\NetworkServiceTriggers\Triggers\bc90d167-9470-4139-a9ba-be0bbbf5b74d	value_name = ValueMin	59	Fn
READ_VALUE	Software\Microsoft\Windows\CurrentVersion\NetworkServiceTriggers\Triggers\bc90d167-9470-4139-a9ba-be0bbbf5b74d\2EB08E3E-639F-4fba-97B1-14F878961076\Software\Microsoft\Windows\CurrentVersion\NetworkServiceTriggers\Triggers\bc90d167-9470-4139-a9ba-be0bbbf5b74d\b25a52bf-e5dd-4f4a-aea6-8ca7272a0e86\System\CurrentControlSet\Control\Power\User\PowerSchemes	value_name = ValueMin	269	Fn
READ_VALUE	Software\Microsoft\Windows\CurrentVersion\NetworkServiceTriggers\Triggers\bc90d167-9470-4139-a9ba-be0bbbf5b74d\2EB08E3E-639F-4fba-97B1-14F878961076\Software\Microsoft\Windows\CurrentVersion\NetworkServiceTriggers\Triggers\bc90d167-9470-4139-a9ba-be0bbbf5b74d\b25a52bf-e5dd-4f4a-aea6-8ca7272a0e86\System\CurrentControlSet\Control\Power\User\PowerSchemes	value_name = ValueMax	269	Fn
READ_VALUE	Software\Microsoft\Windows\CurrentVersion\NetworkServiceTriggers\Triggers\bc90d167-9470-4139-a9ba-be0bbbf5b74d\2EB08E3E-639F-4fba-97B1-14F878961076\Software\Microsoft\Windows\CurrentVersion\NetworkServiceTriggers\Triggers\bc90d167-9470-4139-a9ba-be0bbbf5b74d\b25a52bf-e5dd-4f4a-aea6-8ca7272a0e86\System\CurrentControlSet\Control\Power\User\PowerSchemes	value_name = ValueIncrement	144	Fn
READ_VALUE	Software\Microsoft\Windows\CurrentVersion\NetworkServiceTriggers\Triggers\bc90d167-9470-4139-a9ba-be0bbbf5b74d\2EB08E3E-639F-4fba-97B1-14F878961076\Software\Microsoft\Windows\CurrentVersion\NetworkServiceTriggers\Triggers\bc90d167-9470-4139-a9ba-be0bbbf5b74d\b25a52bf-e5dd-4f4a-aea6-8ca7272a0e86\System\CurrentControlSet\Control\Power\User\PowerSchemes	value_name = DCSettingIndex	4	Fn
READ_VALUE	Software\Microsoft\Windows\CurrentVersion\NetworkServiceTriggers\Triggers\bc90d167-9470-4139-a9ba-be0bbbf5b74d\2EB08E3E-639F-4fba-97B1-14F878961076\Software\Microsoft\Windows\CurrentVersion\NetworkServiceTriggers\Triggers\bc90d167-9470-4139-a9ba-be0bbbf5b74d\b25a52bf-e5dd-4f4a-aea6-8ca7272a0e86\System\CurrentControlSet\Control\Power\User\PowerSchemes	value_name = SettingValue	12	Fn
WRITE_VALUE			4	Fn
WRITE_VALUE		value_name = InstanceID, data = 4b2993a7-bd9a-4070-9e94-6969c10	1	Fn
WRITE_VALUE		value_name = GlassSessionId, data = 1	1	Fn
WRITE_VALUE		value_name = WinStationsDisabled, data = 0	1	Fn
WRITE_VALUE	Software\Microsoft\Windows\CurrentVersion\NetworkServiceTriggers\Triggers\bc90d167-9470-4139-a9ba-be0bbbf5b74d\2EB08E3E-639F-4fba-97B1-14F878961076\Software\Microsoft\Windows\CurrentVersion\NetworkServiceTriggers\Triggers\bc90d167-9470-4139-a9ba-be0bbbf5b74d\b25a52bf-e5dd-4f4a-aea6-8ca7272a0e86\System\CurrentControlSet\Control\Power\User\PowerSchemes	value_name = ActivePowerScheme, data = 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c	1	Fn
DELETE_TREE			1	Fn

Driver (128)

Operation	Driver	Additional Information	Amount	Logfile
CONTROL			1	Fn
CONTROL		control_code = 0x390008	1	Fn
CONTROL		control_code = 0x110008	1	Fn
CONTROL	\device\deviceapi\cmapi	control_code = 0x470803	1	Fn
CONTROL	\device\deviceapi\cmapi	control_code = 0x470813	42	Fn
CONTROL	\device\deviceapi\cmapi	control_code = 0x47081b	82	Fn

System (282)

Operation	Information	Amount	Logfile
SLEEP		132	Fn
SLEEP	duration = 1 milliseconds (0.001 seconds)	132	Fn
SLEEP		2	Fn
SLEEP	duration = 1 milliseconds (0.001 seconds)	2	Fn
GET_INFO	type = SYSTEM_CURRENT_TIME_ZONE_INFORMATION	1	Fn
GET_INFO	type = SYSTEM_BASIC_INFORMATION	7	Fn
GET_INFO		1	Fn
GET_INFO	type = SYSTEM_PROCESSOR_INFORMATION	4	Fn
GET_INFO	type = SYSTEM_TIME_OF_DAY_INFORMATION	1	Fn

Mutex (136)

Operation	Name	Additional Information	Amount	Logfile
CREATE			5	Fn
CREATE		initial_owner = 0, desired_access = MUTEX_MODIFY_STATE, DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE	4	Fn
CREATE	Global\{A3BD3259-3E4F-428a-84C8-F0463A9D3EB5}	initial_owner = 0, desired_access = MUTEX_MODIFY_STATE, DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE	1	Fn
RELEASE			126	Fn

Process #13: svchost.exe

(Host: 310, Network: 0)

Information	Value
ID / OS PID	#13 / 0x238
OS Parent PID	0x1ac (c:\windows\system32\csrss.exe)
Initial Working Directory	X:\windows\system32
File Name	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\svchost.exe
Command Line	X:\windows\system32\svchost.exe -k RPCSS
Monitor	Start Time: 00:01:52, Reason: Child Process
Unmonitor	End Time: 00:02:07, Reason: Terminated by Timeout
Monitor Duration	00:00:15
OS Thread IDs	#102 0x23C #103 0x240 #104 0x244 #105 0x248 #107 0x250 #108 0x254 #112 0x264 #129 0x2C0

Region

Name	Start VA	End VA	Type	Permissions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable
private_0x000000f052000000	0xf052000000	0xf05201ffff	Private Memory	Readable, Writable
pagefile_0x000000f052000000	0xf052000000	0xf05200ffff	Pagefile Backed File	Readable, Writable
private_0x000000f052010000	0xf052010000	0xf052016fff	Private Memory	Readable, Writable
pagefile_0x000000f052020000	0xf052020000	0xf05202efff	Pagefile Backed File	Readable
private_0x000000f052030000	0xf052030000	0xf0520affff	Private Memory	Readable, Writable
pagefile_0x000000f0520b0000	0xf0520b0000	0xf0520b3fff	Pagefile Backed File	Readable
pagefile_0x000000f0520c0000	0xf0520c0000	0xf0520c0fff	Pagefile Backed File	Readable
private_0x000000f0520d0000	0xf0520d0000	0xf0520d1fff	Private Memory	Readable, Writable
locale.nls	0xf0520e0000	0xf05215dfff	Memory Mapped File	Readable
private_0x000000f052160000	0xf052160000	0xf05225ffff	Private Memory	Readable, Writable
private_0x000000f052260000	0xf052260000	0xf0522dffff	Private Memory	Readable, Writable
private_0x000000f0522e0000	0xf0522e0000	0xf05235ffff	Private Memory	Readable, Writable
private_0x000000f0522e0000	0xf0522e0000	0xf0522e6fff	Private Memory	Readable, Writable
sortdefault.nls	0xf052360000	0xf052634fff	Memory Mapped File	Readable
private_0x000000f052640000	0xf052640000	0xf0526bffff	Private Memory	Readable, Writable
private_0x000000f0526c0000	0xf0526c0000	0xf05273ffff	Private Memory	Readable, Writable
private_0x000000f0527c0000	0xf0527c0000	0xf0527cffff	Private Memory	Readable, Writable
pagefile_0x00007df5ffd30000	0x7df5ffd30000	0x7ff5ffd2ffff	Pagefile Backed File	-
pagefile_0x00007ff7ca1e0000	0x7ff7ca1e0000	0x7ff7ca2dffff	Pagefile Backed File	Readable
pagefile_0x00007ff7ca2e0000	0x7ff7ca2e0000	0x7ff7ca302fff	Pagefile Backed File	Readable
private_0x00007ff7ca303000	0x7ff7ca303000	0x7ff7ca303fff	Private Memory	Readable, Writable
private_0x00007ff7ca308000	0x7ff7ca308000	0x7ff7ca309fff	Private Memory	Readable, Writable
private_0x00007ff7ca30a000	0x7ff7ca30a000	0x7ff7ca30bfff	Private Memory	Readable, Writable
private_0x00007ff7ca30a000	0x7ff7ca30a000	0x7ff7ca30bfff	Private Memory	Readable, Writable
private_0x00007ff7ca30c000	0x7ff7ca30c000	0x7ff7ca30dfff	Private Memory	Readable, Writable
private_0x00007ff7ca30e000	0x7ff7ca30e000	0x7ff7ca30ffff	Private Memory	Readable, Writable
svchost.exe	0x7ff7ca810000	0x7ff7ca81cfff	Memory Mapped File	Readable, Writable, Executable
RpcRtRemote.dll	0x7ffb70700000	0x7ffb70712fff	Memory Mapped File	Readable, Writable, Executable
RpcEpMap.dll	0x7ffb70720000	0x7ffb70735fff	Memory Mapped File	Readable, Writable, Executable
rpcss.dll	0x7ffb70740000	0x7ffb7080bfff	Memory Mapped File	Readable, Writable, Executable
rsaenh.dll	0x7ffb70b00000	0x7ffb70b35fff	Memory Mapped File	Readable, Writable, Executable
CRYPTSP.dll	0x7ffb71040000	0x7ffb7105ffff	Memory Mapped File	Readable, Writable, Executable
bcrypt.dll	0x7ffb71260000	0x7ffb71285fff	Memory Mapped File	Readable, Writable, Executable
SspiCli.dll	0x7ffb71500000	0x7ffb7152dfff	Memory Mapped File	Readable, Writable, Executable
powrprof.dll	0x7ffb71530000	0x7ffb71575fff	Memory Mapped File	Readable, Writable, Executable
bcryptPrimitives.dll	0x7ffb71580000	0x7ffb715e2fff	Memory Mapped File	Readable, Writable, Executable
CRYPTBASE.dll	0x7ffb715f0000	0x7ffb715fafff	Memory Mapped File	Readable, Writable, Executable
kernelbase.dll	0x7ffb71760000	0x7ffb71874fff	Memory Mapped File	Readable, Writable, Executable
WS2_32.dll	0x7ffb73360000	0x7ffb733b9fff	Memory Mapped File	Readable, Writable, Executable
sechost.dll	0x7ffb733c0000	0x7ffb73418fff	Memory Mapped File	Readable, Writable, Executable
kernel32.dll	0x7ffb73480000	0x7ffb735bdfff	Memory Mapped File	Readable, Writable, Executable
combase.dll	0x7ffb73740000	0x7ffb73950fff	Memory Mapped File	Readable, Writable, Executable
rpcrt4.dll	0x7ffb73a30000	0x7ffb73b70fff	Memory Mapped File	Readable, Writable, Executable
NSI.dll	0x7ffb73e80000	0x7ffb73e88fff	Memory Mapped File	Readable, Writable, Executable
MSVCRT.dll	0x7ffb74050000	0x7ffb740f9fff	Memory Mapped File	Readable, Writable, Executable
ntdll.dll	0x7ffb74120000	0x7ffb742cbfff	Memory Mapped File	Readable, Writable, Executable

Injection Information

Injection Type	Source Process	Source Os Thread ID	Injection Info	Amount	Logfile
Modify Memory	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe	0x188	No corresponding api call detected. Probably injected code via shellcode.	1
Modify Memory	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe	0x188	No corresponding api call detected. Probably injected code via shellcode.	1
Modify Memory	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe	0x188	No corresponding api call detected. Probably injected code via shellcode.	1
Modify Memory	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe	0x188	No corresponding api call detected. Probably injected code via shellcode.	1
Modify Memory	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\services.exe	0x1b0	address = 0xf0520d0000, size = 4704	1	Fn Data
Modify Memory	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\services.exe	0x1b0	address = 0x7ff7ca3032d8, size = 8	1	Fn Data
Modify Memory	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\lsass.exe	0x1cc	No corresponding api call detected. Probably injected code via shellcode.	1
Modify Memory	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\lsass.exe	0x1cc	No corresponding api call detected. Probably injected code via shellcode.	1
Modify Memory	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\lsass.exe	0x1cc	No corresponding api call detected. Probably injected code via shellcode.	1
Modify Memory	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\lsass.exe	0x1cc	No corresponding api call detected. Probably injected code via shellcode.	1
Modify Memory	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\lsass.exe	0x1cc	No corresponding api call detected. Probably injected code via shellcode.	1
Modify Memory	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\lsass.exe	0x1cc	No corresponding api call detected. Probably injected code via shellcode.	1

Host Behavior

File (4)

Operation	Filename	Additional Information	Amount	Logfile
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\globalization\sorting\sortdefault.nls	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	1	Fn
CREATE			1	Fn
CREATE	\device\ndis	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	1	Fn
OPEN	c:\	desired_access = SYNCHRONIZE, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, open_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_FREE_SPACE_QUERY	1	Fn

Process (13)

Operation	Process Name	Additional Information	Amount	Logfile
OPEN_TOKEN			3	Fn
GET_INFO	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe	os_pid = 0x134	1	Fn
GET_INFO	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe	os_pid = 0x134	2	Fn
GET_INFO	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe	os_pid = 0x134	2	Fn
GET_INFO	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe	os_pid = 0x134	5	Fn

Thread (2)

Operation	Process Name	Additional Information	Success	Amount	Logfile
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe	os_pid = 0x134, proc_address = 0x7ffb733c7ef0, desired_access = THREAD_ALL_ACCESS		1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe	os_pid = 0x134, proc_address = 0x7ffb733c7ef0, desired_access = THREAD_ALL_ACCESS		1	Fn

Module (51)

Operation	Module	Additional Information	Amount	Logfile
LOAD	rpcrt4.dll	base_address = 0x0	1	Fn
LOAD	kernel32.dll	base_address = 0x0	1	Fn
LOAD		base_address = 0x7ffb70720000	1	Fn
LOAD	x:\windows\system32\rpcepmap.dll	base_address = 0x0	1	Fn
LOAD	sspicli.dll	base_address = 0x0	2	Fn
LOAD		base_address = 0x7ffb71500000	1	Fn
LOAD		base_address = 0x7ffb70700000	1	Fn
LOAD	RpcRtRemote.dll	base_address = 0x0	1	Fn
LOAD		base_address = 0x7ffb70740000	1	Fn
LOAD	x:\windows\system32\rpcss.dll	base_address = 0x0	1	Fn
LOAD		base_address = 0x7ffb70b00000	1	Fn
LOAD	X:\windows\system32\rsaenh.dll	base_address = 0x0	1	Fn
GET_HANDLE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\svchost.exe		1	Fn
GET_HANDLE	rpcrt4.dll		2	Fn
CREATE_MAPPING	Nameless FileMapping	file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\globalization\sorting\sortdefault.nls, maximum_size = 0, protection = PAGE_READONLY	1	Fn
MAP	Nameless FileMapping	process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134, address = 0xf052360000	1	Fn
GET_PROC_ADDRESS		address_out = 0x7ffb70727e90	1	Fn
GET_PROC_ADDRESS		address_out = 0x0	2	Fn
GET_PROC_ADDRESS		address_out = 0x7ffb73ab8f70	1	Fn
GET_PROC_ADDRESS		address_out = 0x7ffb73ab9000	1	Fn
GET_PROC_ADDRESS		address_out = 0x7ffb73b07230	1	Fn
GET_PROC_ADDRESS		address_out = 0x7ffb70701860	1	Fn
GET_PROC_ADDRESS		address_out = 0x7ffb7078a100	1	Fn
GET_PROC_ADDRESS		address_out = 0x7ffb70b01570	1	Fn
GET_PROC_ADDRESS		address_out = 0x7ffb70b01080	1	Fn
GET_PROC_ADDRESS		address_out = 0x7ffb70b06090	1	Fn
GET_PROC_ADDRESS		address_out = 0x7ffb70b1e1d0	1	Fn
GET_PROC_ADDRESS		address_out = 0x7ffb70b02ce0	1	Fn
GET_PROC_ADDRESS		address_out = 0x7ffb70b0af70	1	Fn
GET_PROC_ADDRESS		address_out = 0x7ffb70b03880	1	Fn
GET_PROC_ADDRESS		address_out = 0x7ffb70b03a30	1	Fn
GET_PROC_ADDRESS		address_out = 0x7ffb70b03260	1	Fn
GET_PROC_ADDRESS		address_out = 0x7ffb70b06be0	1	Fn
GET_PROC_ADDRESS		address_out = 0x7ffb70b04ea0	1	Fn
GET_PROC_ADDRESS		address_out = 0x7ffb70b027d0	1	Fn
GET_PROC_ADDRESS		address_out = 0x7ffb70b02b00	1	Fn
GET_PROC_ADDRESS		address_out = 0x7ffb70b1d8d0	1	Fn
GET_PROC_ADDRESS		address_out = 0x7ffb70b024f0	1	Fn
GET_PROC_ADDRESS		address_out = 0x7ffb70b06830	1	Fn
GET_PROC_ADDRESS		address_out = 0x7ffb70b03c50	1	Fn
GET_PROC_ADDRESS		address_out = 0x7ffb70b01030	1	Fn
GET_PROC_ADDRESS		address_out = 0x7ffb70b05bb0	1	Fn
GET_PROC_ADDRESS		address_out = 0x7ffb70b0f290	1	Fn
GET_PROC_ADDRESS		address_out = 0x7ffb70b0f750	1	Fn
GET_PROC_ADDRESS		address_out = 0x7ffb70b03f50	1	Fn
GET_PROC_ADDRESS		address_out = 0x7ffb70b02630	1	Fn
GET_PROC_ADDRESS		address_out = 0x7ffb70b0d330	1	Fn
GET_PROC_ADDRESS		address_out = 0x7ffb70b1d6e0	1	Fn

Service (3)

Operation	Service	Additional Information	Success	Amount	Logfile
OPEN_MGR	SERVICES_ACTIVE_DATABASE	host = Localhost		1	Fn
REGISTER_HANDLER				2	Fn

Registry (216)

Operation	Key	Additional Information	Amount	Logfile
CREATE_KEY	\REGISTRY\MACHINE\SOFTWARE\CLASSES		1	Fn
OPEN_KEY	\Registry\Machine\System\CurrentControlSet\Control\Nls\Sorting\Versions		1	Fn
OPEN_KEY			27	Fn
OPEN_KEY			8	Fn
OPEN_KEY	\Registry\Machine\System\CurrentControlSet\Control\ComputerName\ActiveComputerName		3	Fn
OPEN_KEY	\Registry\Machine\System\Setup		2	Fn
OPEN_KEY	Control Panel\International		1	Fn
OPEN_KEY	\Registry\Machine\System\CurrentControlSet\Control\Nls\CustomLocale		1	Fn
OPEN_KEY	\Registry\Machine\System\CurrentControlSet\Control\Nls\ExtendedLocale		1	Fn
OPEN_KEY	\Registry\Machine\System\CurrentControlSet\Control\Nls\Sorting\Ids		1	Fn
READ_VALUE	\Registry\Machine\System\CurrentControlSet\Control\Nls\Sorting\Versions	value_name = 1032168601360	1	Fn
READ_VALUE			19	Fn
READ_VALUE		value_name = RPCSS	2	Fn
READ_VALUE		value_name = MaxRpcSize	1	Fn
READ_VALUE	\Registry\Machine\System\CurrentControlSet\Control\ComputerName\ActiveComputerName	value_name = ComputerName	3	Fn
READ_VALUE	\Registry\Machine\System\Setup	value_name = OOBEInProgress	1	Fn
READ_VALUE	\Registry\Machine\System\Setup	value_name = SystemSetupInProgress	1	Fn
READ_VALUE		value_name = IdleTimerWindow	1	Fn
READ_VALUE	Control Panel\International		2	Fn
READ_VALUE	Control Panel\International		2	Fn
READ_VALUE	Control Panel\International	value_name = sCurrencyOverride	2	Fn
READ_VALUE	\Registry\Machine\System\CurrentControlSet\Control\Nls\CustomLocale	value_name = en-US	1	Fn
READ_VALUE	\Registry\Machine\System\CurrentControlSet\Control\Nls\ExtendedLocale	value_name = en-US	1	Fn
READ_VALUE	\Registry\Machine\System\CurrentControlSet\Control\Nls\Sorting\Versions	value_name = 000602xx	1	Fn
READ_VALUE	\Registry\Machine\System\CurrentControlSet\Control\Nls\Sorting\Ids	value_name = en-US	1	Fn
READ_VALUE	\Registry\Machine\System\CurrentControlSet\Control\Nls\Sorting\Ids	value_name = en	1	Fn
READ_VALUE		value_name = ServiceDll	2	Fn
READ_VALUE			39	Fn
READ_VALUE		value_name = ServiceManifest	2	Fn
READ_VALUE		value_name = ServiceMain	2	Fn
READ_VALUE		value_name = ListenOnInternet	1	Fn
READ_VALUE		value_name = 9	1	Fn
READ_VALUE		value_name = SecurityProviders	1	Fn
READ_VALUE		value_name = RemoteRpcDll	1	Fn
READ_VALUE		value_name = ServiceDllUnloadOnStop	1	Fn
READ_VALUE	Nameless FileMapping	value_name = PageAllocatorUseSystemHeap	1	Fn
READ_VALUE		value_name = PageAllocatorSystemHeapIsPrivate	1	Fn
READ_VALUE	Nameless FileMapping	value_name = AggressiveMTATesting	1	Fn
READ_VALUE		value_name = ActivationFailureLoggingLevel	1	Fn
READ_VALUE		value_name = CallFailureLoggingLevel	1	Fn
READ_VALUE		value_name = InvalidSecurityDescriptorLoggingLevel	1	Fn
READ_VALUE		value_name = DisableActivationSecurityCheck	1	Fn
READ_VALUE		value_name = UseRunAsTokenCache	1	Fn
READ_VALUE		value_name = IssueActivationRpcAtIdentify	1	Fn
READ_VALUE		value_name = ResumeTimeout	1	Fn
READ_VALUE		value_name = DoNotAddAllApplicationPackagesToRestrictions	1	Fn
READ_VALUE		value_name = DefaultLaunchPermission	2	Fn
READ_VALUE		value_name = MachineLaunchRestriction	2	Fn
READ_VALUE		value_name = MachineLaunchRestriction	1	Fn
READ_VALUE		value_name = MachineAccessRestriction	2	Fn
READ_VALUE		value_name = MachineAccessRestriction	1	Fn
READ_VALUE		value_name = RemoteHandleCacheMaxSize	1	Fn
READ_VALUE		value_name = RemoteHandleCacheMaxLifetime	1	Fn
READ_VALUE		value_name = RemoteHandleCacheMaxIdleTimeout	1	Fn
READ_VALUE		value_name = StaleMidTimeout	1	Fn
READ_VALUE		value_name = SRPRunningObjectChecks	1	Fn
READ_VALUE		value_name = SRPActivateAsActivatorChecks	1	Fn
READ_VALUE		value_name = EnableSystemDynamicIPTracking	1	Fn
READ_VALUE		value_name = EnableEELogging	1	Fn
READ_VALUE		value_name = LogEEInfoAsNative	1	Fn
READ_VALUE		value_name = DCOM Security	1	Fn
READ_VALUE		value_name = EnableDCOM	1	Fn
READ_VALUE		value_name = OleModalLoopBehavior	1	Fn
READ_VALUE		value_name = DCOMSCMRemoteCallFlags	1	Fn
READ_VALUE		value_name = BreakOnUnexpectedActivationErrors	1	Fn
READ_VALUE		value_name = EnableDCOMHTTP	1	Fn
READ_VALUE		value_name = IgnoreServerExceptions	1	Fn
READ_VALUE		value_name = BreakOnSilencedServerExceptions	1	Fn
READ_VALUE		value_name = LegacyAuthenticationService	1	Fn
READ_VALUE		value_name = LegacyAuthenticationLevel	1	Fn
READ_VALUE		value_name = LegacyImpersonationLevel	1	Fn
READ_VALUE		value_name = LegacyMutualAuthentication	1	Fn
READ_VALUE		value_name = LegacySecureReferences	1	Fn
READ_VALUE		value_name = PingInterval	1	Fn
READ_VALUE		value_name = UserPingSetQuota	1	Fn
READ_VALUE		value_name = MaxActivationRetriesPerServer	1	Fn
READ_VALUE		value_name = Type	1	Fn
READ_VALUE		value_name = Image Path	4	Fn
READ_VALUE		value_name = MachineGuid	4	Fn
READ_VALUE		value_name = DCOM Protocols	1	Fn
READ_VALUE		value_name = WinSock_Registry_Version	2	Fn
READ_VALUE		value_name = NameSpace_Callout	2	Fn
READ_VALUE		value_name = Serial_Access_Num	4	Fn
READ_VALUE		value_name = Next_Catalog_Entry_ID	1	Fn
READ_VALUE		value_name = Num_Catalog_Entries64	2	Fn
READ_VALUE		value_name = LibraryPath	2	Fn
READ_VALUE		value_name = DisplayString	4	Fn
READ_VALUE		value_name = ProviderId	1	Fn
READ_VALUE		value_name = AddressFamily	1	Fn
READ_VALUE		value_name = SupportedNameSpace	1	Fn
READ_VALUE		value_name = Enabled	1	Fn
READ_VALUE		value_name = Version	1	Fn
READ_VALUE		value_name = StoresServiceClassInfo	1	Fn
READ_VALUE		value_name = ProviderInfo	2	Fn
READ_VALUE		value_name = Ws2_32NumHandleBuckets	1	Fn

Driver (7)

Operation	Driver	Additional Information	Amount	Logfile
CONTROL			2	Fn
CONTROL	\device\ndis	control_code = 0x170010	1	Fn
CONTROL		control_code = 0x390008	1	Fn
CONTROL		control_code = 0x110004	1	Fn
CONTROL		control_code = 0x110008	2	Fn

System (14)

Operation	Information	Amount	Logfile
GET_INFO	type = SYSTEM_CURRENT_TIME_ZONE_INFORMATION	1	Fn
GET_INFO	type = SYSTEM_BASIC_INFORMATION	7	Fn
GET_INFO		2	Fn
GET_INFO	type = SYSTEM_PROCESSOR_INFORMATION	4	Fn

Process #14: winpeshl.exe

(Host: 641, Network: 0)

Information	Value
ID / OS PID	#14 / 0x278
OS Parent PID	0x194 (\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\winlogon.exe)
Initial Working Directory	X:\windows\system32
File Name	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\winpeshl.exe
Command Line	winpeshl.exe
Monitor	Start Time: 00:01:54, Reason: Child Process
Unmonitor	End Time: 00:02:07, Reason: Terminated by Timeout
Monitor Duration	00:00:13
OS Thread IDs	#116 0x27C #121 0x28C

Region

Name	Start VA	End VA	Type	Permissions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable
private_0x000000a3b7c80000	0xa3b7c80000	0xa3b7c9ffff	Private Memory	Readable, Writable
pagefile_0x000000a3b7c80000	0xa3b7c80000	0xa3b7c8ffff	Pagefile Backed File	Readable, Writable
private_0x000000a3b7c90000	0xa3b7c90000	0xa3b7c96fff	Private Memory	Readable, Writable
pagefile_0x000000a3b7ca0000	0xa3b7ca0000	0xa3b7caefff	Pagefile Backed File	Readable
private_0x000000a3b7cb0000	0xa3b7cb0000	0xa3b7d2ffff	Private Memory	Readable, Writable
pagefile_0x000000a3b7d30000	0xa3b7d30000	0xa3b7d33fff	Pagefile Backed File	Readable
private_0x000000a3b7d40000	0xa3b7d40000	0xa3b7d41fff	Private Memory	Readable, Writable
pagefile_0x000000a3b7d50000	0xa3b7d50000	0xa3b7d51fff	Pagefile Backed File	Readable
private_0x000000a3b7d60000	0xa3b7d60000	0xa3b7e5ffff	Private Memory	Readable, Writable
locale.nls	0xa3b7e60000	0xa3b7eddfff	Memory Mapped File	Readable
private_0x000000a3b7ee0000	0xa3b7ee0000	0xa3b7ee6fff	Private Memory	Readable, Writable
winpeshl.exe.mui	0xa3b7ef0000	0xa3b7ef0fff	Memory Mapped File	Readable
private_0x000000a3b7f00000	0xa3b7f00000	0xa3b7f00fff	Private Memory	Readable, Writable
private_0x000000a3b7f10000	0xa3b7f10000	0xa3b7f10fff	Private Memory	Readable, Writable
SETUPAPI.dll.mui	0xa3b7f20000	0xa3b7f2bfff	Memory Mapped File	Readable
newdev.dll.mui	0xa3b7f30000	0xa3b7f36fff	Memory Mapped File	Readable
private_0x000000a3b7f90000	0xa3b7f90000	0xa3b7f9ffff	Private Memory	Readable, Writable
pagefile_0x000000a3b7fa0000	0xa3b7fa0000	0xa3b8127fff	Pagefile Backed File	Readable
pagefile_0x000000a3b8130000	0xa3b8130000	0xa3b82b0fff	Pagefile Backed File	Readable
pagefile_0x000000a3b82c0000	0xa3b82c0000	0xa3b96bffff	Pagefile Backed File	Readable
private_0x000000a3b96c0000	0xa3b96c0000	0xa3b973ffff	Private Memory	Readable, Writable
private_0x000000a3b9870000	0xa3b9870000	0xa3b987ffff	Private Memory	Readable, Writable
sortdefault.nls	0xa3b9880000	0xa3b9b54fff	Memory Mapped File	Readable
pagefile_0x00007ff74d7a0000	0x7ff74d7a0000	0x7ff74d89ffff	Pagefile Backed File	Readable
pagefile_0x00007ff74d8a0000	0x7ff74d8a0000	0x7ff74d8c2fff	Pagefile Backed File	Readable
private_0x00007ff74d8ca000	0x7ff74d8ca000	0x7ff74d8cafff	Private Memory	Readable, Writable
private_0x00007ff74d8cc000	0x7ff74d8cc000	0x7ff74d8cdfff	Private Memory	Readable, Writable
private_0x00007ff74d8ce000	0x7ff74d8ce000	0x7ff74d8cffff	Private Memory	Readable, Writable
winpeshl.exe	0x7ff74e410000	0x7ff74e498fff	Memory Mapped File	Readable, Writable, Executable
drvstore.dll	0x7ffb6fe50000	0x7ffb6ff0afff	Memory Mapped File	Readable, Writable, Executable
SHCORE.DLL	0x7ffb701b0000	0x7ffb70261fff	Memory Mapped File	Readable, Writable, Executable
MPR.dll	0x7ffb70270000	0x7ffb7028dfff	Memory Mapped File	Readable, Writable, Executable
wkscli.dll	0x7ffb70290000	0x7ffb702a6fff	Memory Mapped File	Readable, Writable, Executable
WpeUtil.dll	0x7ffb702b0000	0x7ffb702cefff	Memory Mapped File	Readable, Writable, Executable
devrtl.DLL	0x7ffb702d0000	0x7ffb702e5fff	Memory Mapped File	Readable, Writable, Executable
WINNSI.DLL	0x7ffb702f0000	0x7ffb702f9fff	Memory Mapped File	Readable, Writable, Executable
FLTLIB.DLL	0x7ffb70350000	0x7ffb70359fff	Memory Mapped File	Readable, Writable, Executable
UNATTEND.DLL	0x7ffb70360000	0x7ffb7039ffff	Memory Mapped File	Readable, Writable, Executable
Input.dll	0x7ffb703a0000	0x7ffb703e2fff	Memory Mapped File	Readable, Writable, Executable
newdev.dll	0x7ffb703f0000	0x7ffb70445fff	Memory Mapped File	Readable, Writable, Executable
IPHLPAPI.DLL	0x7ffb70450000	0x7ffb70479fff	Memory Mapped File	Readable, Writable, Executable
UxTheme.dll	0x7ffb70480000	0x7ffb705a8fff	Memory Mapped File	Readable, Writable, Executable
DEVOBJ.dll	0x7ffb705b0000	0x7ffb705d7fff	Memory Mapped File	Readable, Writable, Executable
spinf.dll	0x7ffb709a0000	0x7ffb709bdfff	Memory Mapped File	Readable, Writable, Executable
USERENV.dll	0x7ffb70dd0000	0x7ffb70df0fff	Memory Mapped File	Readable, Writable, Executable
DNSAPI.dll	0x7ffb70e40000	0x7ffb70ee3fff	Memory Mapped File	Readable, Writable, Executable
profapi.dll	0x7ffb716b0000	0x7ffb716c4fff	Memory Mapped File	Readable, Writable, Executable
kernelbase.dll	0x7ffb71760000	0x7ffb71874fff	Memory Mapped File	Readable, Writable, Executable
CFGMGR32.dll	0x7ffb71880000	0x7ffb718cefff	Memory Mapped File	Readable, Writable, Executable
Setupapi.dll	0x7ffb718d0000	0x7ffb71aa9fff	Memory Mapped File	Readable, Writable, Executable
gdi32.dll	0x7ffb71ad0000	0x7ffb71c20fff	Memory Mapped File	Readable, Writable, Executable
SHELL32.dll	0x7ffb71c30000	0x7ffb73148fff	Memory Mapped File	Readable, Writable, Executable
SHLWAPI.dll	0x7ffb73300000	0x7ffb73353fff	Memory Mapped File	Readable, Writable, Executable
WS2_32.dll	0x7ffb73360000	0x7ffb733b9fff	Memory Mapped File	Readable, Writable, Executable
sechost.dll	0x7ffb733c0000	0x7ffb73418fff	Memory Mapped File	Readable, Writable, Executable
kernel32.dll	0x7ffb73480000	0x7ffb735bdfff	Memory Mapped File	Readable, Writable, Executable
OLEAUT32.dll	0x7ffb735c0000	0x7ffb73680fff	Memory Mapped File	Readable, Writable, Executable
advapi32.dll	0x7ffb73690000	0x7ffb73739fff	Memory Mapped File	Readable, Writable, Executable
combase.dll	0x7ffb73740000	0x7ffb73950fff	Memory Mapped File	Readable, Writable, Executable
rpcrt4.dll	0x7ffb73a30000	0x7ffb73b70fff	Memory Mapped File	Readable, Writable, Executable
MSCTF.dll	0x7ffb73b80000	0x7ffb73cd2fff	Memory Mapped File	Readable, Writable, Executable
ole32.dll	0x7ffb73ce0000	0x7ffb73e73fff	Memory Mapped File	Readable, Writable, Executable
NSI.dll	0x7ffb73e80000	0x7ffb73e88fff	Memory Mapped File	Readable, Writable, Executable
user32.dll	0x7ffb73e90000	0x7ffb74006fff	Memory Mapped File	Readable, Writable, Executable
IMM32.dll	0x7ffb74010000	0x7ffb74045fff	Memory Mapped File	Readable, Writable, Executable
MSVCRT.dll	0x7ffb74050000	0x7ffb740f9fff	Memory Mapped File	Readable, Writable, Executable
ntdll.dll	0x7ffb74120000	0x7ffb742cbfff	Memory Mapped File	Readable, Writable, Executable

Injection Information

Injection Type	Source Process	Source Os Thread ID	Injection Info	Amount	Logfile
Modify Memory	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe	0x1e8	address = 0xd9cbf50000, size = 16384	1	Fn Data
Modify Memory	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe	0x1e8	No corresponding api call detected. Probably injected code via shellcode.	1
Modify Memory	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\winlogon.exe	0x198	address = 0xa3b7d40000, size = 4704	1	Fn Data
Modify Memory	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\winlogon.exe	0x198	address = 0x7ff74d8ca2d8, size = 8	1	Fn Data
Modify Memory	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe	0x1e8	address = 0xd9cbf60000, size = 8192	1	Fn Data
Modify Memory	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe	0x1e8	No corresponding api call detected. Probably injected code via shellcode.	1

Host Behavior

File (66)

Operation	Filename	Additional Information	Amount	Logfile
CREATE	\device\deviceapi\cmapi	desired_access = GENERIC_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	1	Fn
CREATE			3	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\winpeshl.log	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN_IF, create_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_NON_DIRECTORY_FILE, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\sources\recovery\recenv.exe	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE, create_disposition = FILE_OPEN, create_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_NON_DIRECTORY_FILE, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\sources\recovery\recenv.exe	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE, create_disposition = FILE_OPEN, create_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_NON_DIRECTORY_FILE, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\globalization\sorting\sortdefault.nls	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, create_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_NON_DIRECTORY_FILE, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\apps.inf	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, create_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_NON_DIRECTORY_FILE, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\defltbase.inf	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, create_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_NON_DIRECTORY_FILE, ea_buffer = 0, ea_length = 0	1	Fn
OPEN	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\newdev.dll	desired_access = FILE_READ_DATA, FILE_READ_EA, FILE_READ_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_NON_DIRECTORY_FILE	1	Fn
OPEN	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\winpeshl.ini	desired_access = SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_NON_DIRECTORY_FILE	1	Fn
OPEN	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\	desired_access = FILE_READ_DATA, SYNCHRONIZE, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE, open_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT	3	Fn
READ	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\winpeshl.ini	size = 53	1	Fn Data
WRITE			25	Fn
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\winpeshl.log	size = 2	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\winpeshl.log	size = 50	6	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\winpeshl.log	size = 20	6	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\winpeshl.log	size = 72	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\winpeshl.log	size = 4	6	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\winpeshl.log	size = 246	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\winpeshl.log	size = 44	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\winpeshl.log	size = 110	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\winpeshl.log	size = 170	1	Fn Data
WRITE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\winpeshl.log	size = 58	1	Fn Data

Process (18)

Operation	Process Name	Additional Information	Amount	Logfile
CREATE			2	Fn
CREATE		desired_access = MAXIMUM_ALLOWED, creation_flags = CREATE_NEW_PROCESS_GROUP	2	Fn
GET_INFO	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe	os_pid = 0x134	3	Fn
GET_INFO	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe	os_pid = 0x134	1	Fn
GET_INFO	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe	os_pid = 0x134	2	Fn
GET_INFO	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe	os_pid = 0x134	2	Fn
GET_INFO			2	Fn
GET_INFO	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe	os_pid = 0x134	4	Fn

Memory (6)

Operation	Address	Additional Information	Amount	Logfile
ALLOC	0xa3b7d2f2e8	process_name = , size = 703163724872, allocation_type = MEM_COMMIT, protection = PAGE_READWRITE	1	Fn
ALLOC	0xa3b7d2f2b8	process_name = , size = 703163724824, allocation_type = MEM_COMMIT, protection = PAGE_READWRITE	1	Fn
WRITE	0x6356410000	process_name = , size = 4704	1	Fn Data
WRITE	0x7ff618a9a2d8	process_name = , size = 8	1	Fn Data
WRITE	0xe5e5420000	process_name = , size = 4704	1	Fn Data
WRITE	0x7ff72999c2d8	process_name = , size = 8	1	Fn Data

Thread (3)

Operation	Process Name	Additional Information	Success	Amount	Logfile
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe	os_pid = 0x134, proc_address = 0x7ff74e412780, desired_access = THREAD_ALL_ACCESS		1	Fn
RESUME				2	Fn

Module (44)

Operation	Module	Additional Information	Amount	Logfile
LOAD		base_address = 0x7ffb73e90000	1	Fn
LOAD	user32.dll	base_address = 0x0	1	Fn
LOAD		base_address = 0x7ffb74120000	1	Fn
LOAD	ntdll.dll	base_address = 0x0	1	Fn
LOAD	kernel32.dll	base_address = 0x0	1	Fn
GET_HANDLE	X:\windows\system32\IMM32.DLL		2	Fn
GET_HANDLE	rpcrt4.dll		1	Fn
GET_HANDLE	X:\windows\system32\oleaut32.dll		1	Fn
GET_HANDLE	ext-ms-win-ole32-oleautomation-l1-1-0.dll		1	Fn
GET_HANDLE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\winpeshl.exe		4	Fn
GET_HANDLE	advapi32.dll		1	Fn
GET_HANDLE	ntdll.dll		1	Fn
GET_HANDLE	kernel32.dll		1	Fn
CREATE_MAPPING	Nameless FileMapping	file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\sources\recovery\recenv.exe, maximum_size = 0, protection = PAGE_READONLY	1	Fn
CREATE_MAPPING	Nameless FileMapping	file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\globalization\sorting\sortdefault.nls, maximum_size = 0, protection = PAGE_READONLY	1	Fn
CREATE_MAPPING	Nameless FileMapping		2	Fn
CREATE_MAPPING	Nameless FileMapping	file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\apps.inf, maximum_size = 703191041456, protection = PAGE_READONLY	1	Fn
CREATE_MAPPING	Nameless FileMapping	file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\defltbase.inf, maximum_size = 703191041456, protection = PAGE_READONLY	1	Fn
MAP	Nameless FileMapping	process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134, address = 0xa3b9740000	1	Fn
MAP	Nameless FileMapping	process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134, address = 0xa3b9880000	1	Fn
MAP	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\winpeshl.exe	os_pid = 0x278, address = 0xa3b7f40000	2	Fn
MAP	Nameless FileMapping	process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134, address = 0xa3b7f40000	1	Fn
MAP	Nameless FileMapping	process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134, address = 0xa3b7f40000	1	Fn
UNMAP	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe	os_pid = 0x134, base_address = 0xa3b9740000	1	Fn
UNMAP	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\winpeshl.exe	os_pid = 0x278	2	Fn
GET_PROC_ADDRESS		address_out = 0x7ffb741751c0	2	Fn
GET_PROC_ADDRESS		address_out = 0x7ffb7413b300	2	Fn
GET_PROC_ADDRESS		address_out = 0x7ffb7413c360	2	Fn
GET_PROC_ADDRESS		address_out = 0x7ffb74175650	1	Fn
GET_PROC_ADDRESS		address_out = 0x7ffb73483210	1	Fn
GET_PROC_ADDRESS		address_out = 0x7ffb73e91700	1	Fn
GET_PROC_ADDRESS		address_out = 0x7ffb73e91b00	1	Fn
GET_PROC_ADDRESS		address_out = 0x7ffb74190030	1	Fn
GET_PROC_ADDRESS		address_out = 0x7ffb741e0720	1	Fn

Registry (78)

Operation	Key	Additional Information	Amount	Logfile
OPEN_KEY	\Registry\MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide		3	Fn
OPEN_KEY	\Registry\Machine\System\CurrentControlSet\Control\Nls\Sorting\Versions		1	Fn
OPEN_KEY	\Registry\Machine\System\CurrentControlSet\Control\Error Message Instrument\		1	Fn
OPEN_KEY	\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize		1	Fn
OPEN_KEY			8	Fn
OPEN_KEY	\Registry\Machine\Software\Microsoft\Windows\Windows Error Reporting\WMR		1	Fn
OPEN_KEY	\Registry\Machine\System\CurrentControlSet\Control\Nls\CustomLocale		1	Fn
OPEN_KEY	\Registry\Machine\System\CurrentControlSet\Control\Nls\ExtendedLocale		1	Fn
OPEN_KEY	\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager\AppCertDlls		1	Fn
OPEN_KEY	\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option		1	Fn
OPEN_KEY	\Registry\Machine\System\Setup		2	Fn
OPEN_KEY	\REGISTRY\MACHINE		6	Fn
OPEN_KEY	\REGISTRY\MACHINE\System\Setup		1	Fn
OPEN_KEY	\REGISTRY\MACHINE\SYSTEM\CurrentControlSet\Control\MiniNT		1	Fn
OPEN_KEY	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Setup		2	Fn
OPEN_KEY	\REGISTRY\MACHINE\Software\Microsoft\EmbeddedNT\Security		1	Fn
OPEN_KEY	\Registry\Machine\System\CurrentControlSet\Control\Nls\Sorting\Ids		1	Fn
OPEN_KEY	\REGISTRY\MACHINE\Software\Policies\Microsoft\Windows\DeviceInstall		1	Fn
OPEN_KEY	Control Panel\International		1	Fn
READ_VALUE	\Registry\MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide	value_name = PreferExternalManifest	3	Fn
READ_VALUE	\Registry\Machine\System\CurrentControlSet\Control\Nls\Sorting\Versions	value_name = 703163720896	1	Fn
READ_VALUE	\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize	value_name = DisableMetaFiles	1	Fn
READ_VALUE		value_name = LoadAppInit_DLLs	1	Fn
READ_VALUE		value_name = PageAllocatorUseSystemHeap	1	Fn
READ_VALUE		value_name = PageAllocatorSystemHeapIsPrivate	1	Fn
READ_VALUE		value_name = AggressiveMTATesting	1	Fn
READ_VALUE	\Registry\Machine\Software\Microsoft\Windows\Windows Error Reporting\WMR	value_name = Disable	1	Fn
READ_VALUE	\Registry\Machine\Software\Microsoft\Windows\Windows Error Reporting\WMR	value_name = SourcePath	1	Fn
READ_VALUE	\Registry\Machine\Software\Microsoft\Windows\Windows Error Reporting\WMR	value_name = DevicePath	1	Fn
READ_VALUE	\Registry\Machine\System\CurrentControlSet\Control\Nls\CustomLocale	value_name = en-US	1	Fn
READ_VALUE	\Registry\Machine\System\CurrentControlSet\Control\Nls\ExtendedLocale	value_name = en-US	1	Fn
READ_VALUE			6	Fn
READ_VALUE		value_name = SystemSetupInProgress	1	Fn
READ_VALUE		value_name = InstRoot	2	Fn
READ_VALUE			2	Fn
READ_VALUE		value_name = DisableExtraFonts	1	Fn
READ_VALUE		value_name = CustomBackground	3	Fn
READ_VALUE	\Registry\Machine\System\Setup	value_name = 140717948767312	1	Fn
READ_VALUE	\Registry\Machine\System\Setup	value_name = ShimEnable	1	Fn
READ_VALUE		value_name = DisableRemovableStorageInit	1	Fn
READ_VALUE	\REGISTRY\MACHINE\System\Setup	value_name = SystemSetupInProgress	1	Fn
READ_VALUE	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Setup	value_name = MinimizeFootprint	1	Fn
READ_VALUE	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Setup	value_name = LogLevel	1	Fn
READ_VALUE	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Setup	value_name = LogMask	1	Fn
READ_VALUE	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Setup	value_name = LogMaxFileSize	1	Fn
READ_VALUE	\Registry\Machine\System\CurrentControlSet\Control\Nls\Sorting\Versions	value_name = 000602xx	1	Fn
READ_VALUE	\Registry\Machine\System\CurrentControlSet\Control\Nls\Sorting\Ids	value_name = en-US	1	Fn
READ_VALUE	\Registry\Machine\System\CurrentControlSet\Control\Nls\Sorting\Ids	value_name = en	1	Fn
READ_VALUE	Control Panel\International		1	Fn
READ_VALUE	Control Panel\International		1	Fn
READ_VALUE	Control Panel\International	value_name = sCurrencyOverride	1	Fn

Driver (309)

Operation	Driver	Additional Information	Amount	Logfile
CONTROL	\device\deviceapi\cmapi	control_code = 0x470803	1	Fn
CONTROL	\device\deviceapi\cmapi	control_code = 0x470843	42	Fn
CONTROL	\device\deviceapi\cmapi	control_code = 0x470813	45	Fn
CONTROL	\device\deviceapi\cmapi	control_code = 0x470827	15	Fn
CONTROL			103	Fn
CONTROL		control_code = 0x470813	101	Fn
CONTROL		control_code = 0x47086b	2	Fn

System (75)

Operation	Information	Amount	Logfile
SLEEP		23	Fn
SLEEP	duration = 1 milliseconds (0.001 seconds)	43	Fn
GET_INFO	type = SYSTEM_CURRENT_TIME_ZONE_INFORMATION	1	Fn
GET_INFO	type = SYSTEM_BASIC_INFORMATION	6	Fn
GET_INFO	type = SYSTEM_PROCESSOR_INFORMATION	2	Fn

Mutex (41)

Operation	Additional Information	Amount	Logfile
CREATE	initial_owner = 0, desired_access = MUTEX_MODIFY_STATE, DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE	11	Fn
CREATE		8	Fn
RELEASE		22	Fn

Ini (1)

Operation	Filename	Additional Information	Success	Amount	Logfile
READ	Win.ini			1	Fn

Process #15: winlogon.exe

Information	Value
ID / OS PID	#15 / 0x26c
OS Parent PID	0x194 (\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\winlogon.exe)
Initial Working Directory	X:\windows\system32
File Name	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\winlogon.exe
Command Line	winlogon.exe
Monitor	Start Time: 00:01:54, Reason: Child Process
Unmonitor	End Time: 00:01:54, Reason: Terminated
Monitor Duration	00:00:00
OS Thread IDs
Remarks	No high level activity detected in monitored regions

Process #16: wallpaperhost.exe

(Host: 1938, Network: 0)

Information	Value
ID / OS PID	#16 / 0x290
OS Parent PID	0x278 (\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\winpeshl.exe)
Initial Working Directory	X:\windows\system32
File Name	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\wallpaperhost.exe
Command Line	X:\windows\system32\WallpaperHost.exe
Monitor	Start Time: 00:01:55, Reason: Child Process
Unmonitor	End Time: 00:02:07, Reason: Terminated by Timeout
Monitor Duration	00:00:12
OS Thread IDs	#122 0x294 #124 0x2A0 #125 0x2A4

Region

Name	Start VA	End VA	Type	Permissions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable
private_0x0000006356340000	0x6356340000	0x635635ffff	Private Memory	Readable, Writable
pagefile_0x0000006356340000	0x6356340000	0x635634ffff	Pagefile Backed File	Readable, Writable
private_0x0000006356350000	0x6356350000	0x6356356fff	Private Memory	Readable, Writable
pagefile_0x0000006356360000	0x6356360000	0x635636efff	Pagefile Backed File	Readable
private_0x0000006356370000	0x6356370000	0x63563effff	Private Memory	Readable, Writable
pagefile_0x00000063563f0000	0x63563f0000	0x63563f3fff	Pagefile Backed File	Readable
pagefile_0x0000006356400000	0x6356400000	0x6356402fff	Pagefile Backed File	Readable
private_0x0000006356410000	0x6356410000	0x6356411fff	Private Memory	Readable, Writable
locale.nls	0x6356420000	0x635649dfff	Memory Mapped File	Readable
private_0x00000063564a0000	0x63564a0000	0x63564affff	Private Memory	Readable, Writable
private_0x00000063564b0000	0x63564b0000	0x63564b6fff	Private Memory	Readable, Writable
private_0x00000063564c0000	0x63564c0000	0x63564c0fff	Private Memory	Readable, Writable
private_0x00000063564c0000	0x63564c0000	0x63564c0fff	Private Memory	Readable, Writable
private_0x00000063564d0000	0x63564d0000	0x63564d0fff	Private Memory	Readable, Writable
pagefile_0x00000063564e0000	0x63564e0000	0x63564e0fff	Pagefile Backed File	Readable
pagefile_0x00000063564f0000	0x63564f0000	0x63564f0fff	Pagefile Backed File	Readable, Writable
SETUPAPI.dll.mui	0x6356500000	0x635650bfff	Memory Mapped File	Readable
pagefile_0x0000006356510000	0x6356510000	0x6356510fff	Pagefile Backed File	Readable, Writable
private_0x0000006356520000	0x6356520000	0x6356520fff	Private Memory	Readable, Writable
private_0x0000006356520000	0x6356520000	0x6356520fff	Private Memory	Readable, Writable
pagefile_0x0000006356530000	0x6356530000	0x6356530fff	Pagefile Backed File	Readable, Writable
pagefile_0x0000006356530000	0x6356530000	0x6356530fff	Pagefile Backed File	Readable, Writable
private_0x0000006356560000	0x6356560000	0x635665ffff	Private Memory	Readable, Writable
pagefile_0x0000006356660000	0x6356660000	0x63567e7fff	Pagefile Backed File	Readable
pagefile_0x00000063567f0000	0x63567f0000	0x6356970fff	Pagefile Backed File	Readable
pagefile_0x0000006356980000	0x6356980000	0x6357d7ffff	Pagefile Backed File	Readable
sortdefault.nls	0x6357d80000	0x6358054fff	Memory Mapped File	Readable
private_0x0000006358060000	0x6358060000	0x63580dffff	Private Memory	Readable, Writable
private_0x00000063580e0000	0x63580e0000	0x635815ffff	Private Memory	Readable, Writable
private_0x0000006358160000	0x6358160000	0x635825ffff	Private Memory	Readable, Writable
private_0x0000006358160000	0x6358160000	0x635825ffff	Private Memory	Readable, Writable
private_0x0000006358160000	0x6358160000	0x635825ffff	Private Memory	Readable, Writable
private_0x0000006358260000	0x6358260000	0x635855ffff	Private Memory	Readable, Writable
shell32.dll.mui	0x6358560000	0x63585c5fff	Memory Mapped File	Readable
pagefile_0x00007df5ff8e0000	0x7df5ff8e0000	0x7ff5ff8dffff	Pagefile Backed File	-
pagefile_0x00007ff618970000	0x7ff618970000	0x7ff618a6ffff	Pagefile Backed File	Readable
pagefile_0x00007ff618a70000	0x7ff618a70000	0x7ff618a92fff	Pagefile Backed File	Readable
private_0x00007ff618a98000	0x7ff618a98000	0x7ff618a99fff	Private Memory	Readable, Writable
private_0x00007ff618a9a000	0x7ff618a9a000	0x7ff618a9afff	Private Memory	Readable, Writable
private_0x00007ff618a9c000	0x7ff618a9c000	0x7ff618a9dfff	Private Memory	Readable, Writable
private_0x00007ff618a9e000	0x7ff618a9e000	0x7ff618a9ffff	Private Memory	Readable, Writable
WallpaperHost.exe	0x7ff619840000	0x7ff619846fff	Memory Mapped File	Readable, Writable, Executable
WindowsCodecs.dll	0x7ffb6f900000	0x7ffb6faadfff	Memory Mapped File	Readable, Writable, Executable
WindowsCodecs.dll	0x7ffb6f900000	0x7ffb6faadfff	Memory Mapped File	Readable, Writable, Executable
WINBRAND.dll	0x7ffb6faa0000	0x7ffb6faadfff	Memory Mapped File	Readable, Writable, Executable
propsys.dll	0x7ffb6fab0000	0x7ffb6fc2efff	Memory Mapped File	Readable, Writable, Executable
WLDP.DLL	0x7ffb6fc30000	0x7ffb6fc3cfff	Memory Mapped File	Readable, Writable, Executable
kernel.appcore.dll	0x7ffb6fe40000	0x7ffb6fe4afff	Memory Mapped File	Readable, Writable, Executable
SHCORE.DLL	0x7ffb701b0000	0x7ffb70261fff	Memory Mapped File	Readable, Writable, Executable
winsta.dll	0x7ffb70940000	0x7ffb70999fff	Memory Mapped File	Readable, Writable, Executable
bcryptPrimitives.dll	0x7ffb71580000	0x7ffb715e2fff	Memory Mapped File	Readable, Writable, Executable
CRYPTBASE.dll	0x7ffb715f0000	0x7ffb715fafff	Memory Mapped File	Readable, Writable, Executable
profapi.dll	0x7ffb716b0000	0x7ffb716c4fff	Memory Mapped File	Readable, Writable, Executable
kernelbase.dll	0x7ffb71760000	0x7ffb71874fff	Memory Mapped File	Readable, Writable, Executable
CFGMGR32.dll	0x7ffb71880000	0x7ffb718cefff	Memory Mapped File	Readable, Writable, Executable
Setupapi.dll	0x7ffb718d0000	0x7ffb71aa9fff	Memory Mapped File	Readable, Writable, Executable
gdi32.dll	0x7ffb71ad0000	0x7ffb71c20fff	Memory Mapped File	Readable, Writable, Executable
SHELL32.dll	0x7ffb71c30000	0x7ffb73148fff	Memory Mapped File	Readable, Writable, Executable
SHLWAPI.dll	0x7ffb73300000	0x7ffb73353fff	Memory Mapped File	Readable, Writable, Executable
sechost.dll	0x7ffb733c0000	0x7ffb73418fff	Memory Mapped File	Readable, Writable, Executable
kernel32.dll	0x7ffb73480000	0x7ffb735bdfff	Memory Mapped File	Readable, Writable, Executable
OLEAUT32.dll	0x7ffb735c0000	0x7ffb73680fff	Memory Mapped File	Readable, Writable, Executable
advapi32.dll	0x7ffb73690000	0x7ffb73739fff	Memory Mapped File	Readable, Writable, Executable
combase.dll	0x7ffb73740000	0x7ffb73950fff	Memory Mapped File	Readable, Writable, Executable
rpcrt4.dll	0x7ffb73a30000	0x7ffb73b70fff	Memory Mapped File	Readable, Writable, Executable
MSCTF.dll	0x7ffb73b80000	0x7ffb73cd2fff	Memory Mapped File	Readable, Writable, Executable
ole32.dll	0x7ffb73ce0000	0x7ffb73e73fff	Memory Mapped File	Readable, Writable, Executable
user32.dll	0x7ffb73e90000	0x7ffb74006fff	Memory Mapped File	Readable, Writable, Executable
IMM32.dll	0x7ffb74010000	0x7ffb74045fff	Memory Mapped File	Readable, Writable, Executable
MSVCRT.dll	0x7ffb74050000	0x7ffb740f9fff	Memory Mapped File	Readable, Writable, Executable
ntdll.dll	0x7ffb74120000	0x7ffb742cbfff	Memory Mapped File	Readable, Writable, Executable

Injection Information

Injection Type	Source Process	Source Os Thread ID	Injection Info	Amount	Logfile
Modify Memory	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe	0x1e8	No corresponding api call detected. Probably injected code via shellcode.	1
Modify Memory	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe	0x1e8	No corresponding api call detected. Probably injected code via shellcode.	1
Modify Memory	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe	0x1e8	address = 0xd9cbf60000, size = 12288	1	Fn Data
Modify Memory	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe	0x1e8	No corresponding api call detected. Probably injected code via shellcode.	1
Modify Memory	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\winpeshl.exe	0x27c	address = 0x6356410000, size = 4704	1	Fn Data
Modify Memory	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\winpeshl.exe	0x27c	address = 0x7ff618a9a2d8, size = 8	1	Fn Data

Host Behavior

File (864)

Operation	Filename	Additional Information	Amount	Logfile
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\globalization\sorting\sortdefault.nls	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile	desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0	262	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming	desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0	261	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\themes	desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0	261	Fn
CREATE			4	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\winre.jpg	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	4	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\winre.jpg	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	3	Fn
CREATE	\device\mountpointmanager	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	9	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\	desired_access = FILE_READ_DATA, FILE_READ_ATTRIBUTES, SYNCHRONIZE, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows	desired_access = FILE_READ_DATA, FILE_READ_ATTRIBUTES, SYNCHRONIZE, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32	desired_access = FILE_READ_DATA, FILE_READ_ATTRIBUTES, SYNCHRONIZE, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\deviceapi\cmapi	desired_access = GENERIC_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\local\microsoft\windows\caches	desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0	2	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows	desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32	desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config	desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata	desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\local	desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\local\microsoft	desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\local\microsoft\windows	desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\local\microsoft\windows\caches	desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0	1	Fn
CREATE			3	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\local\microsoft\windows\caches\cversions.1.db	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	2	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\desktop\desktop.ini	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	2	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\documents\desktop.ini	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	2	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\music\desktop.ini	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	2	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\pictures\desktop.ini	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	2	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\videos\desktop.ini	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	2	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\downloads\desktop.ini	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	2	Fn
CREATE_DIR			8	Fn
CREATE_DIR			3	Fn
OPEN	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\	desired_access = FILE_READ_DATA, SYNCHRONIZE, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE, open_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT	2	Fn
OPEN	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, open_options = FILE_SYNCHRONOUS_IO_ALERT	2	Fn
OPEN	c:	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_NON_DIRECTORY_FILE	1	Fn
OPEN	c:	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, open_options = FILE_SYNCHRONOUS_IO_ALERT	1	Fn
OPEN	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_NON_DIRECTORY_FILE	1	Fn
OPEN	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\local\microsoft\windows\caches	desired_access = READ_CONTROL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE, open_options = FILE_OPEN_REPARSE_POINT	4	Fn
OPEN	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\local\microsoft\windows\caches\{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000000.db	desired_access = FILE_READ_ATTRIBUTES, DELETE, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE, open_options = FILE_NON_DIRECTORY_FILE, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT	1	Fn
DELETE			1	Fn
READ			2	Fn
READ	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\winre.jpg	size = 4096	2	Fn Data

Process (52)

Operation	Process Name	Additional Information	Amount	Logfile
OPEN_TOKEN			22	Fn
GET_INFO	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe	os_pid = 0x134	7	Fn
GET_INFO	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe	os_pid = 0x134	2	Fn
GET_INFO	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe	os_pid = 0x134	1	Fn
GET_INFO	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe	os_pid = 0x134	1	Fn
GET_INFO	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe	os_pid = 0x134	10	Fn
GET_INFO	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe	os_pid = 0x134	6	Fn
GET_INFO	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe	os_pid = 0x134	3	Fn

Thread (1)

Operation	Process Name	Additional Information	Success	Amount	Logfile
CREATE_WORKITEM				1	Fn

Module (89)

Operation	Module	Additional Information	Amount	Logfile
LOAD	X:\windows\system32\IMM32.DLL	base_address = 0x0	1	Fn
LOAD	X:\windows\system32\shell32.dll	base_address = 0x0	1	Fn
LOAD	rpcrt4.dll	base_address = 0x0	1	Fn
LOAD	kernel32.dll	base_address = 0x0	1	Fn
LOAD	WLDP.DLL		1	Fn
LOAD	X:\windows\system32\propsys.dll		1	Fn
LOAD		base_address = 0x7ffb6fab0000	1	Fn
LOAD	X:\windows\system32\ole32.dll	base_address = 0x0	1	Fn
LOAD	X:\windows\system32\windowscodecs.dll		2	Fn
LOAD	WLDP.DLL	base_address = 0x0	4	Fn
LOAD		base_address = 0x0	4	Fn
GET_HANDLE	rpcrt4.dll		1	Fn
GET_HANDLE	X:\windows\system32\IMM32.DLL		1	Fn
GET_HANDLE	X:\windows\system32\IMM32.DLL		2	Fn
GET_HANDLE	X:\windows\system32\oleaut32.dll		1	Fn
GET_HANDLE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\wallpaperhost.exe		4	Fn
GET_HANDLE	X:\windows\system32\rpcss.dll		1	Fn
GET_HANDLE	combase.dll		1	Fn
GET_HANDLE	ntdll.dll		27	Fn
GET_HANDLE	ext-ms-win-ole32-oleautomation-l1-1-0.dll		1	Fn
GET_HANDLE	USER32.dll		1	Fn
CREATE_MAPPING	Nameless FileMapping		4	Fn
CREATE_MAPPING	windows_shell_global_counters	module_name = rpcrt4.dll, maximum_size = 426648726032, protection = PAGE_READWRITE	1	Fn
CREATE_MAPPING	Nameless FileMapping	file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\globalization\sorting\sortdefault.nls, maximum_size = 0, protection = PAGE_READONLY	1	Fn
CREATE_MAPPING	Nameless FileMapping	file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\winre.jpg, maximum_size = 426648714144, protection = PAGE_READONLY	1	Fn
CREATE_MAPPING	Nameless FileMapping	file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\winre.jpg, maximum_size = 0, protection = PAGE_READONLY	3	Fn
CREATE_MAPPING	Global\windows_shell_global_counters	reg_name = \REGISTRY\MACHINE\Software\Classes\ActivatableClasses\CLSID\{1F486A52-3CB1-48FD-8F50-B8DC300D9F9D}, maximum_size = 426648702736, protection = PAGE_READWRITE	1	Fn
CREATE_MAPPING	Nameless FileMapping	file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\winre.jpg, maximum_size = 426648713904, protection = PAGE_READONLY	1	Fn
MAP	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe	os_pid = 0x134, address = 0x63564e0000	1	Fn
MAP	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\wallpaperhost.exe	os_pid = 0x290, address = 0x63564f0000	1	Fn
MAP	windows_shell_global_counters	process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134, address = 0x63564f0000	1	Fn
MAP	Nameless FileMapping	process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134, address = 0x6357d80000	1	Fn
MAP	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\wallpaperhost.exe	os_pid = 0x290, address = 0x6356500000	1	Fn
MAP	Nameless FileMapping	process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134, address = 0x6356500000	2	Fn
MAP	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\wallpaperhost.exe	os_pid = 0x290, address = 0x6356510000	1	Fn
MAP	Global\windows_shell_global_counters	process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134, address = 0x6356510000	1	Fn
MAP	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\wallpaperhost.exe	os_pid = 0x290, address = 0x6356520000	1	Fn
MAP	Nameless FileMapping	process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134, address = 0x6356520000	3	Fn
UNMAP	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\wallpaperhost.exe	os_pid = 0x290	2	Fn
GET_PROC_ADDRESS		address_out = 0x7ffb7413b300	1	Fn
GET_PROC_ADDRESS		address_out = 0x7ffb7413c360	1	Fn
GET_PROC_ADDRESS		address_out = 0x7ffb74175650	1	Fn
GET_PROC_ADDRESS		address_out = 0x7ffb741751c0	1	Fn

Com (24)

Operation	Class	Interface	Additional Information	Amount	Logfile
CREATE				1	Fn
CREATE	{1F486A52-3CB1-48FD-8F50-B8DC300D9F9D}	IClassFactory		1	Fn
QUERY	{1F486A52-3CB1-48FD-8F50-B8DC300D9F9D}	IClassFactory	new_interface = {ECF31D61-E474-453C-BEE7-DE68E441C6D0},	1	Fn
QUERY	{1F486A52-3CB1-48FD-8F50-B8DC300D9F9D}	{ECF31D61-E474-453C-BEE7-DE68E441C6D0}	new_interface = {ECF31D61-E474-453C-BEE7-DE68E441C6D0}	1	Fn
METHOD		IUnknown	method = AddRef	6	Fn
METHOD		IPersist	method = GetClassID	2	Fn
METHOD	{1F486A52-3CB1-48FD-8F50-B8DC300D9F9D}	IClassFactory	method = CreateInstance	1	Fn
METHOD	{1F486A52-3CB1-48FD-8F50-B8DC300D9F9D}	{ECF31D61-E474-453C-BEE7-DE68E441C6D0}	method = AddRef	2	Fn

Registry (805)

Operation	Key	Additional Information	Amount	Logfile
CREATE_KEY	Control Panel\Desktop		4	Fn
CREATE_KEY	\REGISTRY\MACHINE\SOFTWARE\CLASSES		1	Fn
OPEN_KEY	\Registry\Machine\System\CurrentControlSet\Control\Nls\Sorting\Versions		1	Fn
OPEN_KEY	\Registry\Machine\System\CurrentControlSet\Control\Error Message Instrument\		1	Fn
OPEN_KEY	\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize		1	Fn
OPEN_KEY	HKEY_USERS\S-1-5-18_Classes		3	Fn
OPEN_KEY	\REGISTRY\MACHINE\Software\Microsoft\WindowsRuntime\CLSID		1	Fn
OPEN_KEY	\REGISTRY\MACHINE\Software\Microsoft\WindowsRuntime\CLSID\{75048700-EF1F-11D0-9888-006097DEACF9}		1	Fn
OPEN_KEY	\REGISTRY\MACHINE\Software\Classes\ActivatableClasses\CLSID		1	Fn
OPEN_KEY	\REGISTRY\MACHINE\Software\Classes\ActivatableClasses\CLSID\{75048700-EF1F-11D0-9888-006097DEACF9}		1	Fn
OPEN_KEY	\Registry\Machine\System\CurrentControlSet\Control\Nls\CustomLocale		1	Fn
OPEN_KEY	\Registry\Machine\System\CurrentControlSet\Control\Nls\ExtendedLocale		1	Fn
OPEN_KEY	\Registry\Machine\System\CurrentControlSet\Control\Nls\ExtendedLocale\Control Panel\International		1	Fn
OPEN_KEY			32	Fn
OPEN_KEY	\Registry\Machine\System\CurrentControlSet\Control\ComputerName\ActiveComputerName		1	Fn
OPEN_KEY	\Registry\Machine\System\Setup		2	Fn
OPEN_KEY	\Registry\Machine\System\CurrentControlSet\Control\Nls\Sorting\Ids		1	Fn
OPEN_KEY			33	Fn
OPEN_KEY	\Registry\Machine\Software\Microsoft\Windows\Tablet PC\		1	Fn
OPEN_KEY	\Registry\Machine\Software\Microsoft\Windows\Windows Error Reporting\WMR		1	Fn
OPEN_KEY	\REGISTRY\MACHINE\Software\Microsoft\WindowsRuntime\CLSID\{1F486A52-3CB1-48FD-8F50-B8DC300D9F9D}		1	Fn
OPEN_KEY	\REGISTRY\MACHINE\Software\Classes\ActivatableClasses\CLSID\{1F486A52-3CB1-48FD-8F50-B8DC300D9F9D}		1	Fn
OPEN_KEY	\REGISTRY\MACHINE\Software\Microsoft\WindowsRuntime\CLSID\{7E5FE3D9-985F-4908-91F9-EE19F9FD1514}		1	Fn
OPEN_KEY	\REGISTRY\MACHINE\Software\Classes\ActivatableClasses\CLSID\{7E5FE3D9-985F-4908-91F9-EE19F9FD1514}		1	Fn
OPEN_KEY	\REGISTRY\USER\S-1-5-18\Software\Classes\ActivatableClasses\CLSID		1	Fn
OPEN_KEY	\REGISTRY\MACHINE\Software\Microsoft\WindowsRuntime\CLSID\{317D06E8-5F24-433D-BDF7-79CE68D8ABC2}		1	Fn
OPEN_KEY	\REGISTRY\MACHINE\Software\Classes\ActivatableClasses\CLSID\{317D06E8-5F24-433D-BDF7-79CE68D8ABC2}		1	Fn
OPEN_KEY	\Registry\Machine\System\CurrentControlSet\Control\Nls\Locale		1	Fn
OPEN_KEY	\Registry\Machine\System\CurrentControlSet\Control\Nls\Locale\Alternate Sorts		1	Fn
OPEN_KEY	\Registry\Machine\System\CurrentControlSet\Control\Nls\Language Groups		1	Fn
READ_VALUE	\Registry\Machine\System\CurrentControlSet\Control\Nls\Sorting\Versions	value_name = 426648723168	1	Fn
READ_VALUE		value_name = PageAllocatorUseSystemHeap	1	Fn
READ_VALUE		value_name = PageAllocatorSystemHeapIsPrivate	1	Fn
READ_VALUE		value_name = AggressiveMTATesting	1	Fn
READ_VALUE	\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize	value_name = DisableMetaFiles	1	Fn
READ_VALUE		value_name = LoadAppInit_DLLs	1	Fn
READ_VALUE		value_name = Com+Enabled	1	Fn
READ_VALUE		value_name = 426648726872	2	Fn
READ_VALUE		value_name = InprocServer32	1	Fn
READ_VALUE		value_name = 426648726760	2	Fn
READ_VALUE		value_name = 426648726632	1	Fn
READ_VALUE		value_name = ThreadingModel	1	Fn
READ_VALUE		value_name = MaxSxSHashCount	1	Fn
READ_VALUE	\Registry\Machine\System\CurrentControlSet\Control\Nls\CustomLocale	value_name = en-US	1	Fn
READ_VALUE	\Registry\Machine\System\CurrentControlSet\Control\Nls\ExtendedLocale	value_name = en-US	1	Fn
READ_VALUE	\Registry\Machine\System\CurrentControlSet\Control\Nls\ExtendedLocale\Control Panel\International		1	Fn
READ_VALUE	\Registry\Machine\System\CurrentControlSet\Control\Nls\ExtendedLocale\Control Panel\International		1	Fn
READ_VALUE	\Registry\Machine\System\CurrentControlSet\Control\Nls\ExtendedLocale\Control Panel\International	value_name = sCurrencyOverride	1	Fn
READ_VALUE			30	Fn
READ_VALUE		value_name = SystemSetupInProgress	1	Fn
READ_VALUE			31	Fn
READ_VALUE		value_name = OOBEInProgress	1	Fn
READ_VALUE		value_name = MaxRpcSize	1	Fn
READ_VALUE	\Registry\Machine\System\CurrentControlSet\Control\ComputerName\ActiveComputerName	value_name = ComputerName	1	Fn
READ_VALUE	\Registry\Machine\System\Setup	value_name = OOBEInProgress	1	Fn
READ_VALUE	\Registry\Machine\System\Setup	value_name = SystemSetupInProgress	1	Fn
READ_VALUE		value_name = IdleTimerWindow	1	Fn
READ_VALUE		value_name = Category	7	Fn
READ_VALUE		value_name = Name	7	Fn
READ_VALUE		value_name = ParentFolder	6	Fn
READ_VALUE		value_name = Description	7	Fn
READ_VALUE		value_name = RelativePath	7	Fn
READ_VALUE		value_name = ParsingName	7	Fn
READ_VALUE		value_name = InfoTip	4	Fn
READ_VALUE		value_name = LocalizedName	2	Fn
READ_VALUE		value_name = Icon	2	Fn
READ_VALUE		value_name = Security	7	Fn
READ_VALUE		value_name = StreamResource	7	Fn
READ_VALUE		value_name = StreamResourceType	7	Fn
READ_VALUE		value_name = LocalRedirectOnly	7	Fn
READ_VALUE		value_name = Roamable	2	Fn
READ_VALUE		value_name = PreCreate	1	Fn
READ_VALUE		value_name = Stream	7	Fn
READ_VALUE		value_name = PublishExpandedPath	5	Fn
READ_VALUE		value_name = DefinitionFlags	7	Fn
READ_VALUE		value_name = Attributes	3	Fn
READ_VALUE		value_name = FolderTypeID	7	Fn
READ_VALUE		value_name = InitFolderHandler	7	Fn
READ_VALUE		value_name = AppData	2	Fn
READ_VALUE	\Registry\Machine\System\CurrentControlSet\Control\Nls\Sorting\Versions	value_name = 000602xx	1	Fn
READ_VALUE	\Registry\Machine\System\CurrentControlSet\Control\Nls\Sorting\Ids	value_name = en-US	1	Fn
READ_VALUE	\Registry\Machine\System\CurrentControlSet\Control\Nls\Sorting\Ids	value_name = en	1	Fn
READ_VALUE	Nameless FileMapping	value_name = Category	2	Fn
READ_VALUE	Nameless FileMapping	value_name = Name	2	Fn
READ_VALUE	Nameless FileMapping	value_name = ParentFolder	2	Fn
READ_VALUE	Nameless FileMapping	value_name = Description	2	Fn
READ_VALUE	Nameless FileMapping	value_name = RelativePath	1	Fn
READ_VALUE	Nameless FileMapping	value_name = ParsingName	2	Fn
READ_VALUE	Nameless FileMapping	value_name = InfoTip	2	Fn
READ_VALUE	Nameless FileMapping	value_name = LocalizedName	1	Fn
READ_VALUE	Nameless FileMapping	value_name = Icon	1	Fn
READ_VALUE	Nameless FileMapping	value_name = Security	2	Fn
READ_VALUE	Nameless FileMapping	value_name = StreamResource	2	Fn
READ_VALUE	Nameless FileMapping	value_name = StreamResourceType	2	Fn
READ_VALUE	Nameless FileMapping	value_name = LocalRedirectOnly	2	Fn
READ_VALUE	Nameless FileMapping	value_name = Roamable	1	Fn
READ_VALUE	Nameless FileMapping	value_name = PreCreate	1	Fn
READ_VALUE	Nameless FileMapping	value_name = Stream	2	Fn
READ_VALUE	Nameless FileMapping	value_name = PublishExpandedPath	1	Fn
READ_VALUE	Nameless FileMapping	value_name = DefinitionFlags	2	Fn
READ_VALUE	Nameless FileMapping	value_name = Attributes	1	Fn
READ_VALUE	Nameless FileMapping	value_name = FolderTypeID	2	Fn
READ_VALUE	Nameless FileMapping	value_name = InitFolderHandler	2	Fn
READ_VALUE		value_name = ProfileImagePath	14	Fn
READ_VALUE		value_name = LastUpdated	1	Fn
READ_VALUE		value_name = TranscodedImageCount	1	Fn
READ_VALUE		value_name = TranscodedImageCache_000	1	Fn
READ_VALUE		value_name = TranscodedImageCache_001	1	Fn
READ_VALUE		value_name = TranscodedImageCache_002	1	Fn
READ_VALUE		value_name = TranscodedImageCache_003	1	Fn
READ_VALUE		value_name = TranscodedImageCache_004	1	Fn
READ_VALUE		value_name = TranscodedImageCache_005	1	Fn
READ_VALUE		value_name = TranscodedImageCache_006	1	Fn
READ_VALUE		value_name = TranscodedImageCache_007	1	Fn
READ_VALUE		value_name = TranscodedImageCache_008	1	Fn
READ_VALUE		value_name = TranscodedImageCache_009	1	Fn
READ_VALUE		value_name = TranscodedImageCache_010	1	Fn
READ_VALUE		value_name = TranscodedImageCache_011	1	Fn
READ_VALUE		value_name = TranscodedImageCache_012	1	Fn
READ_VALUE		value_name = TranscodedImageCache_013	1	Fn
READ_VALUE		value_name = TranscodedImageCache_014	1	Fn
READ_VALUE		value_name = TranscodedImageCache_015	1	Fn
READ_VALUE		value_name = TranscodedImageCache_016	1	Fn
READ_VALUE		value_name = TranscodedImageCache_017	1	Fn
READ_VALUE		value_name = TranscodedImageCache_018	1	Fn
READ_VALUE		value_name = TranscodedImageCache_019	1	Fn
READ_VALUE		value_name = TranscodedImageCache_020	1	Fn
READ_VALUE		value_name = TranscodedImageCache_021	1	Fn
READ_VALUE		value_name = TranscodedImageCache_022	1	Fn
READ_VALUE		value_name = TranscodedImageCache_023	1	Fn
READ_VALUE		value_name = TranscodedImageCache_024	1	Fn
READ_VALUE		value_name = TranscodedImageCache_025	1	Fn
READ_VALUE		value_name = TranscodedImageCache_026	1	Fn
READ_VALUE		value_name = TranscodedImageCache_027	1	Fn
READ_VALUE		value_name = TranscodedImageCache_028	1	Fn
READ_VALUE		value_name = TranscodedImageCache_029	1	Fn
READ_VALUE		value_name = TranscodedImageCache_030	1	Fn
READ_VALUE		value_name = TranscodedImageCache_031	1	Fn
READ_VALUE		value_name = TranscodedImageCache_032	1	Fn
READ_VALUE		value_name = TranscodedImageCache_033	1	Fn
READ_VALUE		value_name = TranscodedImageCache_034	1	Fn
READ_VALUE		value_name = TranscodedImageCache_035	1	Fn
READ_VALUE		value_name = TranscodedImageCache_036	1	Fn
READ_VALUE		value_name = TranscodedImageCache_037	1	Fn
READ_VALUE		value_name = TranscodedImageCache_038	1	Fn
READ_VALUE		value_name = TranscodedImageCache_039	1	Fn
READ_VALUE		value_name = TranscodedImageCache_040	1	Fn
READ_VALUE		value_name = TranscodedImageCache_041	1	Fn
READ_VALUE		value_name = TranscodedImageCache_042	1	Fn
READ_VALUE		value_name = TranscodedImageCache_043	1	Fn
READ_VALUE		value_name = TranscodedImageCache_044	1	Fn
READ_VALUE		value_name = TranscodedImageCache_045	1	Fn
READ_VALUE		value_name = TranscodedImageCache_046	1	Fn
READ_VALUE		value_name = TranscodedImageCache_047	1	Fn
READ_VALUE		value_name = TranscodedImageCache_048	1	Fn
READ_VALUE		value_name = TranscodedImageCache_049	1	Fn
READ_VALUE		value_name = TranscodedImageCache_050	1	Fn
READ_VALUE		value_name = TranscodedImageCache_051	1	Fn
READ_VALUE		value_name = TranscodedImageCache_052	1	Fn
READ_VALUE		value_name = TranscodedImageCache_053	1	Fn
READ_VALUE		value_name = TranscodedImageCache_054	1	Fn
READ_VALUE		value_name = TranscodedImageCache_055	1	Fn
READ_VALUE		value_name = TranscodedImageCache_056	1	Fn
READ_VALUE		value_name = TranscodedImageCache_057	1	Fn
READ_VALUE		value_name = TranscodedImageCache_058	1	Fn
READ_VALUE		value_name = TranscodedImageCache_059	1	Fn
READ_VALUE		value_name = TranscodedImageCache_060	1	Fn
READ_VALUE		value_name = TranscodedImageCache_061	1	Fn
READ_VALUE		value_name = TranscodedImageCache_062	1	Fn
READ_VALUE		value_name = TranscodedImageCache_063	1	Fn
READ_VALUE		value_name = TranscodedImageCache_064	1	Fn
READ_VALUE		value_name = TranscodedImageCache_065	1	Fn
READ_VALUE		value_name = TranscodedImageCache_066	1	Fn
READ_VALUE		value_name = TranscodedImageCache_067	1	Fn
READ_VALUE		value_name = TranscodedImageCache_068	1	Fn
READ_VALUE		value_name = TranscodedImageCache_069	1	Fn
READ_VALUE		value_name = TranscodedImageCache_070	1	Fn
READ_VALUE		value_name = TranscodedImageCache_071	1	Fn
READ_VALUE		value_name = TranscodedImageCache_072	1	Fn
READ_VALUE		value_name = TranscodedImageCache_073	1	Fn
READ_VALUE		value_name = TranscodedImageCache_074	1	Fn
READ_VALUE		value_name = TranscodedImageCache_075	1	Fn
READ_VALUE		value_name = TranscodedImageCache_076	1	Fn
READ_VALUE		value_name = TranscodedImageCache_077	1	Fn
READ_VALUE		value_name = TranscodedImageCache_078	1	Fn
READ_VALUE		value_name = TranscodedImageCache_079	1	Fn
READ_VALUE		value_name = TranscodedImageCache_080	1	Fn
READ_VALUE		value_name = TranscodedImageCache_081	1	Fn
READ_VALUE		value_name = TranscodedImageCache_082	1	Fn
READ_VALUE		value_name = TranscodedImageCache_083	1	Fn
READ_VALUE		value_name = TranscodedImageCache_084	1	Fn
READ_VALUE		value_name = TranscodedImageCache_085	1	Fn
READ_VALUE		value_name = TranscodedImageCache_086	1	Fn
READ_VALUE		value_name = TranscodedImageCache_087	1	Fn
READ_VALUE		value_name = TranscodedImageCache_088	1	Fn
READ_VALUE		value_name = TranscodedImageCache_089	1	Fn
READ_VALUE		value_name = TranscodedImageCache_090	1	Fn
READ_VALUE		value_name = TranscodedImageCache_091	1	Fn
READ_VALUE		value_name = TranscodedImageCache_092	1	Fn
READ_VALUE		value_name = TranscodedImageCache_093	1	Fn
READ_VALUE		value_name = TranscodedImageCache_094	1	Fn
READ_VALUE		value_name = TranscodedImageCache_095	1	Fn
READ_VALUE		value_name = TranscodedImageCache_096	1	Fn
READ_VALUE		value_name = TranscodedImageCache_097	1	Fn
READ_VALUE		value_name = TranscodedImageCache_098	1	Fn
READ_VALUE		value_name = TranscodedImageCache_099	1	Fn
READ_VALUE		value_name = TranscodedImageCache_100	1	Fn
READ_VALUE		value_name = TranscodedImageCache_101	1	Fn
READ_VALUE		value_name = TranscodedImageCache_102	1	Fn
READ_VALUE		value_name = TranscodedImageCache_103	1	Fn
READ_VALUE		value_name = TranscodedImageCache_104	1	Fn
READ_VALUE		value_name = TranscodedImageCache_105	1	Fn
READ_VALUE		value_name = TranscodedImageCache_106	1	Fn
READ_VALUE		value_name = TranscodedImageCache_107	1	Fn
READ_VALUE		value_name = TranscodedImageCache_108	1	Fn
READ_VALUE		value_name = TranscodedImageCache_109	1	Fn
READ_VALUE		value_name = TranscodedImageCache_110	1	Fn
READ_VALUE		value_name = TranscodedImageCache_111	1	Fn
READ_VALUE		value_name = TranscodedImageCache_112	1	Fn
READ_VALUE		value_name = TranscodedImageCache_113	1	Fn
READ_VALUE		value_name = TranscodedImageCache_114	1	Fn
READ_VALUE		value_name = TranscodedImageCache_115	1	Fn
READ_VALUE		value_name = TranscodedImageCache_116	1	Fn
READ_VALUE		value_name = TranscodedImageCache_117	1	Fn
READ_VALUE		value_name = TranscodedImageCache_118	1	Fn
READ_VALUE		value_name = TranscodedImageCache_119	1	Fn
READ_VALUE		value_name = TranscodedImageCache_120	1	Fn
READ_VALUE		value_name = TranscodedImageCache_121	1	Fn
READ_VALUE		value_name = TranscodedImageCache_122	1	Fn
READ_VALUE		value_name = TranscodedImageCache_123	1	Fn
READ_VALUE		value_name = TranscodedImageCache_124	1	Fn
READ_VALUE		value_name = TranscodedImageCache_125	1	Fn
READ_VALUE		value_name = TranscodedImageCache_126	1	Fn
READ_VALUE		value_name = TranscodedImageCache_127	1	Fn
READ_VALUE		value_name = TranscodedImageCache_128	1	Fn
READ_VALUE		value_name = TranscodedImageCache_129	1	Fn
READ_VALUE		value_name = TranscodedImageCache_130	1	Fn
READ_VALUE		value_name = TranscodedImageCache_131	1	Fn
READ_VALUE		value_name = TranscodedImageCache_132	1	Fn
READ_VALUE		value_name = TranscodedImageCache_133	1	Fn
READ_VALUE		value_name = TranscodedImageCache_134	1	Fn
READ_VALUE		value_name = TranscodedImageCache_135	1	Fn
READ_VALUE		value_name = TranscodedImageCache_136	1	Fn
READ_VALUE		value_name = TranscodedImageCache_137	1	Fn
READ_VALUE		value_name = TranscodedImageCache_138	1	Fn
READ_VALUE		value_name = TranscodedImageCache_139	1	Fn
READ_VALUE		value_name = TranscodedImageCache_140	1	Fn
READ_VALUE		value_name = TranscodedImageCache_141	1	Fn
READ_VALUE		value_name = TranscodedImageCache_142	1	Fn
READ_VALUE		value_name = TranscodedImageCache_143	1	Fn
READ_VALUE		value_name = TranscodedImageCache_144	1	Fn
READ_VALUE		value_name = TranscodedImageCache_145	1	Fn
READ_VALUE		value_name = TranscodedImageCache_146	1	Fn
READ_VALUE		value_name = TranscodedImageCache_147	1	Fn
READ_VALUE		value_name = TranscodedImageCache_148	1	Fn
READ_VALUE		value_name = TranscodedImageCache_149	1	Fn
READ_VALUE		value_name = TranscodedImageCache_150	1	Fn
READ_VALUE		value_name = TranscodedImageCache_151	1	Fn
READ_VALUE		value_name = TranscodedImageCache_152	1	Fn
READ_VALUE		value_name = TranscodedImageCache_153	1	Fn
READ_VALUE		value_name = TranscodedImageCache_154	1	Fn
READ_VALUE		value_name = TranscodedImageCache_155	1	Fn
READ_VALUE		value_name = TranscodedImageCache_156	1	Fn
READ_VALUE		value_name = TranscodedImageCache_157	1	Fn
READ_VALUE		value_name = TranscodedImageCache_158	1	Fn
READ_VALUE		value_name = TranscodedImageCache_159	1	Fn
READ_VALUE		value_name = TranscodedImageCache_160	1	Fn
READ_VALUE		value_name = TranscodedImageCache_161	1	Fn
READ_VALUE		value_name = TranscodedImageCache_162	1	Fn
READ_VALUE		value_name = TranscodedImageCache_163	1	Fn
READ_VALUE		value_name = TranscodedImageCache_164	1	Fn
READ_VALUE		value_name = TranscodedImageCache_165	1	Fn
READ_VALUE		value_name = TranscodedImageCache_166	1	Fn
READ_VALUE		value_name = TranscodedImageCache_167	1	Fn
READ_VALUE		value_name = TranscodedImageCache_168	1	Fn
READ_VALUE		value_name = TranscodedImageCache_169	1	Fn
READ_VALUE		value_name = TranscodedImageCache_170	1	Fn
READ_VALUE		value_name = TranscodedImageCache_171	1	Fn
READ_VALUE		value_name = TranscodedImageCache_172	1	Fn
READ_VALUE		value_name = TranscodedImageCache_173	1	Fn
READ_VALUE		value_name = TranscodedImageCache_174	1	Fn
READ_VALUE		value_name = TranscodedImageCache_175	1	Fn
READ_VALUE		value_name = TranscodedImageCache_176	1	Fn
READ_VALUE		value_name = TranscodedImageCache_177	1	Fn
READ_VALUE		value_name = TranscodedImageCache_178	1	Fn
READ_VALUE		value_name = TranscodedImageCache_179	1	Fn
READ_VALUE		value_name = TranscodedImageCache_180	1	Fn
READ_VALUE		value_name = TranscodedImageCache_181	1	Fn
READ_VALUE		value_name = TranscodedImageCache_182	1	Fn
READ_VALUE		value_name = TranscodedImageCache_183	1	Fn
READ_VALUE		value_name = TranscodedImageCache_184	1	Fn
READ_VALUE		value_name = TranscodedImageCache_185	1	Fn
READ_VALUE		value_name = TranscodedImageCache_186	1	Fn
READ_VALUE		value_name = TranscodedImageCache_187	1	Fn
READ_VALUE		value_name = TranscodedImageCache_188	1	Fn
READ_VALUE		value_name = TranscodedImageCache_189	1	Fn
READ_VALUE		value_name = TranscodedImageCache_190	1	Fn
READ_VALUE		value_name = TranscodedImageCache_191	1	Fn
READ_VALUE		value_name = TranscodedImageCache_192	1	Fn
READ_VALUE		value_name = TranscodedImageCache_193	1	Fn
READ_VALUE		value_name = TranscodedImageCache_194	1	Fn
READ_VALUE		value_name = TranscodedImageCache_195	1	Fn
READ_VALUE		value_name = TranscodedImageCache_196	1	Fn
READ_VALUE		value_name = TranscodedImageCache_197	1	Fn
READ_VALUE		value_name = TranscodedImageCache_198	1	Fn
READ_VALUE		value_name = TranscodedImageCache_199	1	Fn
READ_VALUE		value_name = TranscodedImageCache_200	1	Fn
READ_VALUE		value_name = TranscodedImageCache_201	1	Fn
READ_VALUE		value_name = TranscodedImageCache_202	1	Fn
READ_VALUE		value_name = TranscodedImageCache_203	1	Fn
READ_VALUE		value_name = TranscodedImageCache_204	1	Fn
READ_VALUE		value_name = TranscodedImageCache_205	1	Fn
READ_VALUE		value_name = TranscodedImageCache_206	1	Fn
READ_VALUE		value_name = TranscodedImageCache_207	1	Fn
READ_VALUE		value_name = TranscodedImageCache_208	1	Fn
READ_VALUE		value_name = TranscodedImageCache_209	1	Fn
READ_VALUE		value_name = TranscodedImageCache_210	1	Fn
READ_VALUE		value_name = TranscodedImageCache_211	1	Fn
READ_VALUE		value_name = TranscodedImageCache_212	1	Fn
READ_VALUE		value_name = TranscodedImageCache_213	1	Fn
READ_VALUE		value_name = TranscodedImageCache_214	1	Fn
READ_VALUE		value_name = TranscodedImageCache_215	1	Fn
READ_VALUE		value_name = TranscodedImageCache_216	1	Fn
READ_VALUE		value_name = TranscodedImageCache_217	1	Fn
READ_VALUE		value_name = TranscodedImageCache_218	1	Fn
READ_VALUE		value_name = TranscodedImageCache_219	1	Fn
READ_VALUE		value_name = TranscodedImageCache_220	1	Fn
READ_VALUE		value_name = TranscodedImageCache_221	1	Fn
READ_VALUE		value_name = TranscodedImageCache_222	1	Fn
READ_VALUE		value_name = TranscodedImageCache_223	1	Fn
READ_VALUE		value_name = TranscodedImageCache_224	1	Fn
READ_VALUE		value_name = TranscodedImageCache_225	1	Fn
READ_VALUE		value_name = TranscodedImageCache_226	1	Fn
READ_VALUE		value_name = TranscodedImageCache_227	1	Fn
READ_VALUE		value_name = TranscodedImageCache_228	1	Fn
READ_VALUE		value_name = TranscodedImageCache_229	1	Fn
READ_VALUE		value_name = TranscodedImageCache_230	1	Fn
READ_VALUE		value_name = TranscodedImageCache_231	1	Fn
READ_VALUE		value_name = TranscodedImageCache_232	1	Fn
READ_VALUE		value_name = TranscodedImageCache_233	1	Fn
READ_VALUE		value_name = TranscodedImageCache_234	1	Fn
READ_VALUE		value_name = TranscodedImageCache_235	1	Fn
READ_VALUE		value_name = TranscodedImageCache_236	1	Fn
READ_VALUE		value_name = TranscodedImageCache_237	1	Fn
READ_VALUE		value_name = TranscodedImageCache_238	1	Fn
READ_VALUE		value_name = TranscodedImageCache_239	1	Fn
READ_VALUE		value_name = TranscodedImageCache_240	1	Fn
READ_VALUE		value_name = TranscodedImageCache_241	1	Fn
READ_VALUE		value_name = TranscodedImageCache_242	1	Fn
READ_VALUE		value_name = TranscodedImageCache_243	1	Fn
READ_VALUE		value_name = TranscodedImageCache_244	1	Fn
READ_VALUE		value_name = TranscodedImageCache_245	1	Fn
READ_VALUE		value_name = TranscodedImageCache_246	1	Fn
READ_VALUE		value_name = TranscodedImageCache_247	1	Fn
READ_VALUE		value_name = TranscodedImageCache_248	1	Fn
READ_VALUE		value_name = TranscodedImageCache_249	1	Fn
READ_VALUE		value_name = TranscodedImageCache_250	1	Fn
READ_VALUE		value_name = TranscodedImageCache_251	1	Fn
READ_VALUE		value_name = TranscodedImageCache_252	1	Fn
READ_VALUE		value_name = TranscodedImageCache_253	1	Fn
READ_VALUE		value_name = TranscodedImageCache_254	1	Fn
READ_VALUE		value_name = TranscodedImageCache_255	1	Fn
READ_VALUE		value_name = PanoramaThreshold	1	Fn
READ_VALUE		value_name = MaxVirtualDesktopDimension	1	Fn
READ_VALUE	Control Panel\Desktop	value_name = MaxMonitorDimension	1	Fn
READ_VALUE	Nameless FileMapping	value_name = AutoColorization	2	Fn
READ_VALUE	Control Panel\Desktop	value_name = DisplayVersion	1	Fn
READ_VALUE	Control Panel\Desktop	value_name = PaintDesktopVersion	1	Fn
READ_VALUE	Nameless FileMapping	value_name = TileWallpaper	1	Fn
READ_VALUE	Nameless FileMapping	value_name = WallpaperStyle	1	Fn
READ_VALUE	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System	value_name = Wallpaper	1	Fn
READ_VALUE		value_name = TileWallpaper	1	Fn
READ_VALUE		value_name = WallpaperStyle	1	Fn
READ_VALUE	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer	value_name = NoPropertiesMyComputer	1	Fn
READ_VALUE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\	value_name = NoPropertiesMyComputer	1	Fn
READ_VALUE	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer	value_name = NoPropertiesMyComputer	1	Fn
READ_VALUE	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer	value_name = NoPropertiesRecycleBin	1	Fn
READ_VALUE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\	value_name = NoPropertiesRecycleBin	1	Fn
READ_VALUE	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer	value_name = NoPropertiesRecycleBin	1	Fn
READ_VALUE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\	value_name = NoControlPanel	1	Fn
READ_VALUE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\	value_name = NoSetFolders	1	Fn
READ_VALUE	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer	value_name = NoInternetIcon	1	Fn
READ_VALUE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\	value_name = NoInternetIcon	1	Fn
READ_VALUE	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer	value_name = NoInternetIcon	1	Fn
READ_VALUE	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer	value_name = NoCommonGroups	1	Fn
READ_VALUE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\	value_name = NoCommonGroups	1	Fn
READ_VALUE	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer	value_name = NoCommonGroups	1	Fn
READ_VALUE		value_name = Attributes	1	Fn
READ_VALUE		value_name = CallForAttributes	1	Fn
READ_VALUE		value_name = CallForAttributes	1	Fn
READ_VALUE		value_name = RestrictedAttributes	1	Fn
READ_VALUE		value_name = RestrictedAttributes	1	Fn
READ_VALUE		value_name = FolderValueFlags	1	Fn
READ_VALUE		value_name = FolderValueFlags	1	Fn
READ_VALUE		value_name = {20D04FE0-3AEA-1069-A2D8-08002B30309D}	1	Fn
READ_VALUE	HKEY_CLASSES_ROOT\Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9}	value_name = DriveMask	1	Fn
READ_VALUE		value_name = DriveMask	1	Fn
READ_VALUE	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer	value_name = AllowFileCLSIDJunctions	1	Fn
READ_VALUE		value_name = AllowFileCLSIDJunctions	1	Fn
READ_VALUE	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer	value_name = AllowFileCLSIDJunctions	1	Fn
READ_VALUE	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer	value_name = DontShowSuperHidden	1	Fn
READ_VALUE		value_name = DontShowSuperHidden	1	Fn
READ_VALUE	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer	value_name = DontShowSuperHidden	1	Fn
READ_VALUE		value_name = ShellState	2	Fn
READ_VALUE		value_name = ShellState	2	Fn
READ_VALUE	\Registry\Machine\Software\Microsoft\Windows\Tablet PC\	value_name = IsTabletPC	1	Fn
READ_VALUE	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer	value_name = NoWebView	1	Fn
READ_VALUE	\Registry\Machine\Software\Microsoft\Windows\Tablet PC\	value_name = NoWebView	1	Fn
READ_VALUE	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer	value_name = NoWebView	1	Fn
READ_VALUE	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer	value_name = ClassicShell	1	Fn
READ_VALUE	\Registry\Machine\Software\Microsoft\Windows\Tablet PC\	value_name = ClassicShell	1	Fn
READ_VALUE	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer	value_name = ClassicShell	1	Fn
READ_VALUE	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer	value_name = SeparateProcess	1	Fn
READ_VALUE	\Registry\Machine\Software\Microsoft\Windows\Tablet PC\	value_name = SeparateProcess	1	Fn
READ_VALUE	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer	value_name = SeparateProcess	1	Fn
READ_VALUE	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer	value_name = NoNetCrawling	1	Fn
READ_VALUE	\Registry\Machine\Software\Microsoft\Windows\Tablet PC\	value_name = NoNetCrawling	1	Fn
READ_VALUE	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer	value_name = NoNetCrawling	1	Fn
READ_VALUE	\Registry\Machine\Software\Microsoft\Windows\Tablet PC\	value_name = DocObject	1	Fn
READ_VALUE		value_name = DocObject	2	Fn
READ_VALUE	\Registry\Machine\Software\Microsoft\Windows\Tablet PC\	value_name = BrowseInPlace	1	Fn
READ_VALUE		value_name = BrowseInPlace	2	Fn
READ_VALUE	\Registry\Machine\Software\Microsoft\Windows\Tablet PC\	value_name = IsShortcut	1	Fn
READ_VALUE		value_name = IsShortcut	2	Fn
READ_VALUE	\Registry\Machine\Software\Microsoft\Windows\Tablet PC\	value_name = AlwaysShowExt	1	Fn
READ_VALUE	\Registry\Machine\Software\Microsoft\Windows\Tablet PC\	value_name = NeverShowExt	1	Fn
READ_VALUE		value_name = NeverShowExt	2	Fn
READ_VALUE	Nameless FileMapping	value_name = RelativePath	1	Fn
READ_VALUE	Nameless FileMapping	value_name = LocalizedName	1	Fn
READ_VALUE	Nameless FileMapping	value_name = Icon	1	Fn
READ_VALUE	Nameless FileMapping	value_name = Roamable	1	Fn
READ_VALUE	Nameless FileMapping	value_name = PreCreate	1	Fn
READ_VALUE	Nameless FileMapping	value_name = PublishExpandedPath	1	Fn
READ_VALUE	Nameless FileMapping	value_name = Attributes	1	Fn
READ_VALUE		value_name = Desktop	1	Fn
READ_VALUE	\Registry\Machine\Software\Microsoft\Windows\Windows Error Reporting\WMR	value_name = Disable	1	Fn
READ_VALUE	\Registry\Machine\Software\Microsoft\Windows\Windows Error Reporting\WMR	value_name = SourcePath	1	Fn
READ_VALUE	\Registry\Machine\Software\Microsoft\Windows\Windows Error Reporting\WMR	value_name = DevicePath	1	Fn
READ_VALUE		value_name = 426648700712	2	Fn
READ_VALUE	Nameless FileMapping	value_name = InprocServer32	1	Fn
READ_VALUE	Nameless FileMapping	value_name = 426648700600	2	Fn
READ_VALUE	Nameless FileMapping	value_name = 426648700472	1	Fn
READ_VALUE	Nameless FileMapping	value_name = ThreadingModel	1	Fn
READ_VALUE	\device\mountpointmanager	value_name = Local AppData	6	Fn
READ_VALUE		value_name = Local AppData	6	Fn
READ_VALUE		value_name = ParentFolder	1	Fn
READ_VALUE		value_name = PreCreate	6	Fn
READ_VALUE		value_name = PublishExpandedPath	2	Fn
READ_VALUE		value_name = {1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}	1	Fn
READ_VALUE		value_name = ParsingName	5	Fn
READ_VALUE		value_name = LocalizedName	5	Fn
READ_VALUE		value_name = Icon	5	Fn
READ_VALUE		value_name = Roamable	5	Fn
READ_VALUE		value_name = Attributes	5	Fn
READ_VALUE		value_name = Personal	1	Fn
READ_VALUE		value_name = InfoTip	3	Fn
READ_VALUE		value_name = My Music	1	Fn
READ_VALUE		value_name = My Pictures	1	Fn
READ_VALUE		value_name = My Video	1	Fn
READ_VALUE		value_name = {374DE290-123F-4565-9164-39C4925E467B}	1	Fn
READ_VALUE		value_name = EnableAnchorContext	1	Fn
READ_VALUE		value_name = 426648723496	1	Fn
READ_VALUE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\winre.jpg	value_name = InprocServer32	1	Fn
READ_VALUE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\winre.jpg	value_name = 426648723384	2	Fn
READ_VALUE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\winre.jpg	value_name = 426648723256	1	Fn
READ_VALUE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\winre.jpg	value_name = ThreadingModel	1	Fn
READ_VALUE		value_name = DisplayVersion	1	Fn
READ_VALUE		value_name = PaintDesktopVersion	1	Fn
READ_VALUE	\Registry\Machine\System\CurrentControlSet\Control\Nls\Locale	value_name = 00000409	1	Fn
READ_VALUE	\Registry\Machine\System\CurrentControlSet\Control\Nls\Language Groups	value_name = 1	1	Fn
READ_VALUE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\winre.jpg	value_name = DisplayVersion	7	Fn
READ_VALUE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\winre.jpg	value_name = PaintDesktopVersion	1	Fn
WRITE_VALUE	Control Panel\Desktop	value_name = MaxVirtualDesktopDimension, data = 1024	1	Fn
WRITE_VALUE	Control Panel\Desktop	value_name = MaxMonitorDimension, data = 1024	1	Fn
WRITE_VALUE	Control Panel\Desktop	value_name = TranscodedImageCount, data = 1	1	Fn
WRITE_VALUE	Control Panel\Desktop	value_name = LastUpdated, data = 4294967295	1	Fn
DELETE_VALUE		value_name = TranscodedImageCache_000	1	Fn
CHECK_KEY	\Registry\Machine\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\Certificates\2BD63D28D7BCD0E251195AEB519243C13142EBC3		5	Fn
CHECK_KEY	\Registry\Machine\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates\2BD63D28D7BCD0E251195AEB519243C13142EBC3		5	Fn
CHECK_KEY	HKEY_CURRENT_USER\\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates\2BD63D28D7BCD0E251195AEB519243C13142EBC3		5	Fn
CHECK_KEY	\Registry\Machine\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\Certificates\8A334AA8052DD244A647306A76B8178FA215F344		2	Fn
CHECK_KEY	\Registry\Machine\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates\8A334AA8052DD244A647306A76B8178FA215F344		2	Fn
CHECK_KEY	HKEY_CURRENT_USER\\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates\8A334AA8052DD244A647306A76B8178FA215F344		2	Fn

Driver (25)

Operation	Driver	Additional Information	Amount	Logfile
CONTROL			1	Fn
CONTROL		control_code = 0x390008	1	Fn
CONTROL	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}	control_code = 0x4d0008	2	Fn
CONTROL	\device\mountpointmanager	control_code = 0x6d0008	3	Fn
CONTROL	\device\mountpointmanager	control_code = 0x6d0008	3	Fn
CONTROL	\device\deviceapi\cmapi	control_code = 0x470807	2	Fn
CONTROL	c:	control_code = 0x4d0008	1	Fn
CONTROL	\device\mountpointmanager	control_code = 0x6d0034	6	Fn
CONTROL	\device\mountpointmanager	control_code = 0x6d0034	6	Fn

System (47)

Operation	Information	Amount	Logfile
GET_INFO	type = SYSTEM_CURRENT_TIME_ZONE_INFORMATION	1	Fn
GET_INFO	type = SYSTEM_BASIC_INFORMATION	10	Fn
GET_INFO	type = SYSTEM_PROCESSOR_INFORMATION	4	Fn
GET_INFO		17	Fn
GET_INFO		15	Fn

Mutex (31)

Operation	Name	Additional Information	Amount	Logfile
CREATE			5	Fn
CREATE		initial_owner = 0, desired_access = MUTEX_MODIFY_STATE, DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE	7	Fn
OPEN	Local\MSCTF.Asm.MutexDefault1	desired_access = SYNCHRONIZE	1	Fn
OPEN	CicLoadWinStaWinSta0	desired_access = SYNCHRONIZE	1	Fn
RELEASE			17	Fn

Process #17: recenv.exe

(Host: 1112, Network: 0)

Information	Value
ID / OS PID	#17 / 0x298
OS Parent PID	0x278 (\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\winpeshl.exe)
Initial Working Directory	X:\windows\system32
File Name	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\sources\recovery\recenv.exe
Command Line	X:\sources\recovery\recenv.exe
Monitor	Start Time: 00:01:55, Reason: Child Process
Unmonitor	End Time: 00:02:07, Reason: Terminated by Timeout
Monitor Duration	00:00:12
OS Thread IDs	#123 0x29C #126 0x2A8

Region

Name	Start VA	End VA	Type	Permissions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable
private_0x000000e5e5350000	0xe5e5350000	0xe5e536ffff	Private Memory	Readable, Writable
pagefile_0x000000e5e5350000	0xe5e5350000	0xe5e535ffff	Pagefile Backed File	Readable, Writable
private_0x000000e5e5360000	0xe5e5360000	0xe5e5366fff	Private Memory	Readable, Writable
pagefile_0x000000e5e5370000	0xe5e5370000	0xe5e537efff	Pagefile Backed File	Readable
private_0x000000e5e5380000	0xe5e5380000	0xe5e53fffff	Private Memory	Readable, Writable
pagefile_0x000000e5e5400000	0xe5e5400000	0xe5e5403fff	Pagefile Backed File	Readable
pagefile_0x000000e5e5410000	0xe5e5410000	0xe5e5411fff	Pagefile Backed File	Readable
private_0x000000e5e5420000	0xe5e5420000	0xe5e5421fff	Private Memory	Readable, Writable
pagefile_0x000000e5e5430000	0xe5e5430000	0xe5e5431fff	Pagefile Backed File	Readable
pagefile_0x000000e5e5440000	0xe5e5440000	0xe5e5441fff	Pagefile Backed File	Readable
private_0x000000e5e5450000	0xe5e5450000	0xe5e5456fff	Private Memory	Readable, Writable
recenv.exe.mui	0xe5e5460000	0xe5e5465fff	Memory Mapped File	Readable
private_0x000000e5e5470000	0xe5e5470000	0xe5e547ffff	Private Memory	Readable, Writable
private_0x000000e5e5480000	0xe5e5480000	0xe5e5480fff	Private Memory	Readable, Writable
private_0x000000e5e5490000	0xe5e5490000	0xe5e558ffff	Private Memory	Readable, Writable
locale.nls	0xe5e5590000	0xe5e560dfff	Memory Mapped File	Readable
pagefile_0x000000e5e5610000	0xe5e5610000	0xe5e5797fff	Pagefile Backed File	Readable
pagefile_0x000000e5e57a0000	0xe5e57a0000	0xe5e5920fff	Pagefile Backed File	Readable
pagefile_0x000000e5e5930000	0xe5e5930000	0xe5e6d2ffff	Pagefile Backed File	Readable
private_0x000000e5e6d30000	0xe5e6d30000	0xe5e6d30fff	Private Memory	Readable, Writable
SETUPAPI.dll.mui	0xe5e6d40000	0xe5e6d4bfff	Memory Mapped File	Readable
pagefile_0x000000e5e6d50000	0xe5e6d50000	0xe5e6d52fff	Pagefile Backed File	Readable
newdev.dll.mui	0xe5e6d60000	0xe5e6d66fff	Memory Mapped File	Readable
private_0x000000e5e6d70000	0xe5e6d70000	0xe5e6deffff	Private Memory	Readable, Writable
private_0x000000e5e6e50000	0xe5e6e50000	0xe5e6e5ffff	Private Memory	Readable, Writable
sortdefault.nls	0xe5e6e60000	0xe5e7134fff	Memory Mapped File	Readable
private_0x000000e5e7140000	0xe5e7140000	0xe5e723ffff	Private Memory	Readable, Writable
pagefile_0x00007ff729870000	0x7ff729870000	0x7ff72996ffff	Pagefile Backed File	Readable
pagefile_0x00007ff729970000	0x7ff729970000	0x7ff729992fff	Pagefile Backed File	Readable
private_0x00007ff72999a000	0x7ff72999a000	0x7ff72999bfff	Private Memory	Readable, Writable
private_0x00007ff72999c000	0x7ff72999c000	0x7ff72999cfff	Private Memory	Readable, Writable
private_0x00007ff72999e000	0x7ff72999e000	0x7ff72999ffff	Private Memory	Readable, Writable
recenv.exe	0x7ff729ec0000	0x7ff729f63fff	Memory Mapped File	Readable, Writable, Executable
DismApi.DLL	0x7ffb6fc40000	0x7ffb6fce2fff	Memory Mapped File	Readable, Writable, Executable
WDSCORE.dll	0x7ffb6fcf0000	0x7ffb6fd37fff	Memory Mapped File	Readable, Writable, Executable
ReAgent.dll	0x7ffb6fd40000	0x7ffb6fe2ffff	Memory Mapped File	Readable, Writable, Executable
VERSION.dll	0x7ffb6fe30000	0x7ffb6fe39fff	Memory Mapped File	Readable, Writable, Executable
drvstore.dll	0x7ffb6fe50000	0x7ffb6ff0afff	Memory Mapped File	Readable, Writable, Executable
COMCTL32.dll	0x7ffb6ff10000	0x7ffb7018afff	Memory Mapped File	Readable, Writable, Executable
SHCORE.DLL	0x7ffb701b0000	0x7ffb70261fff	Memory Mapped File	Readable, Writable, Executable
MPR.dll	0x7ffb70270000	0x7ffb7028dfff	Memory Mapped File	Readable, Writable, Executable
wkscli.dll	0x7ffb70290000	0x7ffb702a6fff	Memory Mapped File	Readable, Writable, Executable
WpeUtil.dll	0x7ffb702b0000	0x7ffb702cefff	Memory Mapped File	Readable, Writable, Executable
devrtl.DLL	0x7ffb702d0000	0x7ffb702e5fff	Memory Mapped File	Readable, Writable, Executable
WINNSI.DLL	0x7ffb702f0000	0x7ffb702f9fff	Memory Mapped File	Readable, Writable, Executable
FLTLIB.DLL	0x7ffb70350000	0x7ffb70359fff	Memory Mapped File	Readable, Writable, Executable
UNATTEND.DLL	0x7ffb70360000	0x7ffb7039ffff	Memory Mapped File	Readable, Writable, Executable
Input.dll	0x7ffb703a0000	0x7ffb703e2fff	Memory Mapped File	Readable, Writable, Executable
newdev.dll	0x7ffb703f0000	0x7ffb70445fff	Memory Mapped File	Readable, Writable, Executable
IPHLPAPI.DLL	0x7ffb70450000	0x7ffb70479fff	Memory Mapped File	Readable, Writable, Executable
UxTheme.dll	0x7ffb70480000	0x7ffb705a8fff	Memory Mapped File	Readable, Writable, Executable
DEVOBJ.dll	0x7ffb705b0000	0x7ffb705d7fff	Memory Mapped File	Readable, Writable, Executable
spinf.dll	0x7ffb709a0000	0x7ffb709bdfff	Memory Mapped File	Readable, Writable, Executable
USERENV.dll	0x7ffb70dd0000	0x7ffb70df0fff	Memory Mapped File	Readable, Writable, Executable
DNSAPI.dll	0x7ffb70e40000	0x7ffb70ee3fff	Memory Mapped File	Readable, Writable, Executable
powrprof.dll	0x7ffb71530000	0x7ffb71575fff	Memory Mapped File	Readable, Writable, Executable
profapi.dll	0x7ffb716b0000	0x7ffb716c4fff	Memory Mapped File	Readable, Writable, Executable
kernelbase.dll	0x7ffb71760000	0x7ffb71874fff	Memory Mapped File	Readable, Writable, Executable
CFGMGR32.dll	0x7ffb71880000	0x7ffb718cefff	Memory Mapped File	Readable, Writable, Executable
Setupapi.dll	0x7ffb718d0000	0x7ffb71aa9fff	Memory Mapped File	Readable, Writable, Executable
IMAGEHLP.dll	0x7ffb71ab0000	0x7ffb71ac5fff	Memory Mapped File	Readable, Writable, Executable
gdi32.dll	0x7ffb71ad0000	0x7ffb71c20fff	Memory Mapped File	Readable, Writable, Executable
SHELL32.dll	0x7ffb71c30000	0x7ffb73148fff	Memory Mapped File	Readable, Writable, Executable
SHLWAPI.dll	0x7ffb73300000	0x7ffb73353fff	Memory Mapped File	Readable, Writable, Executable
WS2_32.dll	0x7ffb73360000	0x7ffb733b9fff	Memory Mapped File	Readable, Writable, Executable
sechost.dll	0x7ffb733c0000	0x7ffb73418fff	Memory Mapped File	Readable, Writable, Executable
kernel32.dll	0x7ffb73480000	0x7ffb735bdfff	Memory Mapped File	Readable, Writable, Executable
OLEAUT32.dll	0x7ffb735c0000	0x7ffb73680fff	Memory Mapped File	Readable, Writable, Executable
advapi32.dll	0x7ffb73690000	0x7ffb73739fff	Memory Mapped File	Readable, Writable, Executable
combase.dll	0x7ffb73740000	0x7ffb73950fff	Memory Mapped File	Readable, Writable, Executable
rpcrt4.dll	0x7ffb73a30000	0x7ffb73b70fff	Memory Mapped File	Readable, Writable, Executable
MSCTF.dll	0x7ffb73b80000	0x7ffb73cd2fff	Memory Mapped File	Readable, Writable, Executable
ole32.dll	0x7ffb73ce0000	0x7ffb73e73fff	Memory Mapped File	Readable, Writable, Executable
NSI.dll	0x7ffb73e80000	0x7ffb73e88fff	Memory Mapped File	Readable, Writable, Executable
user32.dll	0x7ffb73e90000	0x7ffb74006fff	Memory Mapped File	Readable, Writable, Executable
IMM32.dll	0x7ffb74010000	0x7ffb74045fff	Memory Mapped File	Readable, Writable, Executable
MSVCRT.dll	0x7ffb74050000	0x7ffb740f9fff	Memory Mapped File	Readable, Writable, Executable
ntdll.dll	0x7ffb74120000	0x7ffb742cbfff	Memory Mapped File	Readable, Writable, Executable

Injection Information

Injection Type	Source Process	Source Os Thread ID	Injection Info	Amount	Logfile
Modify Memory	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\winpeshl.exe	0x27c	address = 0xe5e5420000, size = 4704	1	Fn Data
Modify Memory	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\winpeshl.exe	0x27c	address = 0x7ff72999c2d8, size = 8	1	Fn Data
Modify Memory	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe	0x1e8	No corresponding api call detected. Probably injected code via shellcode.	1
Modify Memory	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe	0x1e8	No corresponding api call detected. Probably injected code via shellcode.	1
Modify Memory	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe	0x1e8	address = 0xd9cbf90000, size = 12288	1	Fn Data
Modify Memory	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe	0x1e8	No corresponding api call detected. Probably injected code via shellcode.	1

Host Behavior

File (39)

Operation	Filename	Additional Information	Amount	Logfile
CREATE	\device\deviceapi\cmapi	desired_access = GENERIC_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\globalization\sorting\sortdefault.nls	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, create_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_NON_DIRECTORY_FILE, ea_buffer = 0, ea_length = 0	1	Fn
CREATE			11	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\apps.inf	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, create_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_NON_DIRECTORY_FILE, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\defltbase.inf	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, create_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_NON_DIRECTORY_FILE, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\defltwk.inf	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, create_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_NON_DIRECTORY_FILE, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\dwup.inf	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, create_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_NON_DIRECTORY_FILE, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\errata.inf	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, create_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_NON_DIRECTORY_FILE, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\fontsetup.inf	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, create_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_NON_DIRECTORY_FILE, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\netnb.inf	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, create_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_NON_DIRECTORY_FILE, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\puwk.inf	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, create_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_NON_DIRECTORY_FILE, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\ramdisk.inf	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, create_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_NON_DIRECTORY_FILE, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\sceregvl.inf	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, create_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_NON_DIRECTORY_FILE, ea_buffer = 0, ea_length = 0	1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\secrecs.inf	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, create_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_NON_DIRECTORY_FILE, ea_buffer = 0, ea_length = 0	1	Fn
OPEN	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\reagent.dll	desired_access = FILE_READ_DATA, FILE_READ_EA, FILE_READ_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_NON_DIRECTORY_FILE	1	Fn
OPEN	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\newdev.dll	desired_access = FILE_READ_DATA, FILE_READ_EA, FILE_READ_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_NON_DIRECTORY_FILE	1	Fn
OPEN	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\windowsshell.manifest	desired_access = FILE_READ_DATA, FILE_READ_EA, FILE_EXECUTE, FILE_READ_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_NON_DIRECTORY_FILE	1	Fn
OPEN	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\	desired_access = FILE_READ_DATA, SYNCHRONIZE, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE, open_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT	12	Fn

Process (31)

Operation	Process Name	Additional Information	Amount	Logfile
GET_INFO	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe	os_pid = 0x134	3	Fn
GET_INFO	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe	os_pid = 0x134	2	Fn
GET_INFO	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe	os_pid = 0x134	1	Fn
GET_INFO	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe	os_pid = 0x134	1	Fn
GET_INFO	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe	os_pid = 0x134	1	Fn
GET_INFO	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe	os_pid = 0x134	1	Fn
GET_INFO	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe	os_pid = 0x134	22	Fn

Thread (1)

Operation	Process Name	Additional Information	Success	Amount	Logfile
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe	os_pid = 0x134, proc_address = 0x7ff729ece3c4, desired_access = THREAD_ALL_ACCESS		1	Fn

Module (84)

Operation	Module	Additional Information	Amount	Logfile
LOAD	rpcrt4.dll	base_address = 0x0	1	Fn
LOAD	ntdll.dll	base_address = 0x0	1	Fn
LOAD	kernel32.dll	base_address = 0x0	1	Fn
GET_HANDLE	X:\windows\system32\IMM32.DLL		2	Fn
GET_HANDLE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\sources\recovery\recenv.exe		1	Fn
GET_HANDLE	LPK.dll		1	Fn
GET_HANDLE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\sources\recovery\recenv.exe		3	Fn
GET_HANDLE	GDI32.dll		1	Fn
GET_HANDLE	rpcrt4.dll		1	Fn
GET_HANDLE	X:\windows\system32\oleaut32.dll		1	Fn
GET_HANDLE	ext-ms-win-ole32-oleautomation-l1-1-0.dll		1	Fn
GET_HANDLE	advapi32.dll		1	Fn
GET_HANDLE	ntdll.dll		1	Fn
CREATE_MAPPING	Nameless FileMapping	file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\windowsshell.manifest, maximum_size = 0, protection = PAGE_READONLY	1	Fn
CREATE_MAPPING	Nameless FileMapping	file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\globalization\sorting\sortdefault.nls, maximum_size = 0, protection = PAGE_READONLY	1	Fn
CREATE_MAPPING	Nameless FileMapping		11	Fn
CREATE_MAPPING	Nameless FileMapping	file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\apps.inf, maximum_size = 987420871104, protection = PAGE_READONLY	1	Fn
CREATE_MAPPING	Nameless FileMapping	file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\defltbase.inf, maximum_size = 987420871104, protection = PAGE_READONLY	1	Fn
CREATE_MAPPING	Nameless FileMapping	file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\defltwk.inf, maximum_size = 987420871104, protection = PAGE_READONLY	1	Fn
CREATE_MAPPING	Nameless FileMapping	file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\dwup.inf, maximum_size = 987420871104, protection = PAGE_READONLY	1	Fn
CREATE_MAPPING	Nameless FileMapping	file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\errata.inf, maximum_size = 987420871104, protection = PAGE_READONLY	1	Fn
CREATE_MAPPING	Nameless FileMapping	file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\fontsetup.inf, maximum_size = 987420871104, protection = PAGE_READONLY	1	Fn
CREATE_MAPPING	Nameless FileMapping	file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\netnb.inf, maximum_size = 987420871104, protection = PAGE_READONLY	1	Fn
CREATE_MAPPING	Nameless FileMapping	file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\puwk.inf, maximum_size = 987420871104, protection = PAGE_READONLY	1	Fn
CREATE_MAPPING	Nameless FileMapping	file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\ramdisk.inf, maximum_size = 987420871104, protection = PAGE_READONLY	1	Fn
CREATE_MAPPING	Nameless FileMapping	file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\sceregvl.inf, maximum_size = 987420871104, protection = PAGE_READONLY	1	Fn
CREATE_MAPPING	Nameless FileMapping	file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\secrecs.inf, maximum_size = 987420871104, protection = PAGE_READONLY	1	Fn
MAP	Nameless FileMapping	process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134, address = 0xe5e6d40000	1	Fn
MAP	Nameless FileMapping	process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134, address = 0xe5e6e60000	1	Fn
MAP	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\sources\recovery\recenv.exe	os_pid = 0x298, address = 0xe5e6df0000	10	Fn
MAP	Nameless FileMapping	process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134, address = 0xe5e6df0000	1	Fn
MAP	Nameless FileMapping	process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134, address = 0xe5e6df0000	3	Fn
MAP	Nameless FileMapping	process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134, address = 0xe5e6df0000	1	Fn
MAP	Nameless FileMapping	process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134, address = 0xe5e6df0000	1	Fn
MAP	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\sources\recovery\recenv.exe	os_pid = 0x298, address = 0xe5e7240000	1	Fn
MAP	Nameless FileMapping	process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134, address = 0xe5e7240000	1	Fn
MAP	Nameless FileMapping	process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134, address = 0xe5e6df0000	1	Fn
MAP	Nameless FileMapping	process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134, address = 0xe5e6df0000	1	Fn
MAP	Nameless FileMapping	process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134, address = 0xe5e6df0000	1	Fn
MAP	Nameless FileMapping	process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134, address = 0xe5e6df0000	1	Fn
UNMAP	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe	os_pid = 0x134, base_address = 0xe5e6d40000	1	Fn
UNMAP	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\sources\recovery\recenv.exe	os_pid = 0x298	11	Fn
GET_PROC_ADDRESS		address_out = 0x7ffb71bf7350	1	Fn
GET_PROC_ADDRESS		address_out = 0x7ffb741751c0	2	Fn
GET_PROC_ADDRESS		address_out = 0x7ffb7413b300	2	Fn
GET_PROC_ADDRESS		address_out = 0x7ffb7413c360	2	Fn
GET_PROC_ADDRESS		address_out = 0x7ffb74175650	1	Fn

Service (3)

Operation	Service	Additional Information	Amount	Logfile
OPEN_MGR	SERVICES_ACTIVE_DATABASE	host = Localhost	1	Fn
OPEN			1	Fn
SET_CONFIG			1	Fn

Registry (229)

Operation	Key	Additional Information	Amount	Logfile
CREATE_KEY			1	Fn
CREATE_KEY	System\CurrentControlSet\Services\Tcpip\Parameters		1	Fn
OPEN_KEY	\Registry\MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide		3	Fn
OPEN_KEY	\Registry\Machine\System\CurrentControlSet\Control\Nls\Sorting\Versions		1	Fn
OPEN_KEY	\Registry\Machine\System\CurrentControlSet\Control\Error Message Instrument\		1	Fn
OPEN_KEY	\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize		1	Fn
OPEN_KEY			6	Fn
OPEN_KEY	\Registry\Machine\Software\Microsoft\Windows\Windows Error Reporting\WMR		1	Fn
OPEN_KEY	\Registry\Machine\System\CurrentControlSet\Control\Nls\CustomLocale		1	Fn
OPEN_KEY	\Registry\Machine\System\CurrentControlSet\Control\Nls\ExtendedLocale		1	Fn
OPEN_KEY	\Registry\Machine\System\CurrentControlSet\Control\ComputerName\ActiveComputerName		1	Fn
OPEN_KEY	\Registry\Machine\System\Setup		2	Fn
OPEN_KEY			2	Fn
OPEN_KEY	\REGISTRY\MACHINE		6	Fn
OPEN_KEY	\REGISTRY\MACHINE\System\Setup		1	Fn
OPEN_KEY	\REGISTRY\MACHINE\SYSTEM\CurrentControlSet\Control\MiniNT		1	Fn
OPEN_KEY	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Setup		2	Fn
OPEN_KEY	\REGISTRY\MACHINE\Software\Microsoft\EmbeddedNT\Security		1	Fn
OPEN_KEY	\Registry\Machine\System\CurrentControlSet\Control\Nls\Sorting\Ids		1	Fn
OPEN_KEY	\REGISTRY\MACHINE\Software\Policies\Microsoft\Windows\DeviceInstall		1	Fn
OPEN_KEY	Control Panel\International		1	Fn
READ_VALUE	\Registry\MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide	value_name = PreferExternalManifest	3	Fn
READ_VALUE	\Registry\Machine\System\CurrentControlSet\Control\Nls\Sorting\Versions	value_name = 987393678784	1	Fn
READ_VALUE	STD_OUTPUT_HANDLE	value_name = DisableMetaFiles	1	Fn
READ_VALUE		value_name = LoadAppInit_DLLs	1	Fn
READ_VALUE	Nameless FileMapping	value_name = PageAllocatorUseSystemHeap	1	Fn
READ_VALUE	Nameless FileMapping	value_name = PageAllocatorSystemHeapIsPrivate	1	Fn
READ_VALUE	Nameless FileMapping	value_name = AggressiveMTATesting	1	Fn
READ_VALUE	\Registry\Machine\Software\Microsoft\Windows\Windows Error Reporting\WMR	value_name = Disable	1	Fn
READ_VALUE	\Registry\Machine\Software\Microsoft\Windows\Windows Error Reporting\WMR	value_name = SourcePath	1	Fn
READ_VALUE	\Registry\Machine\Software\Microsoft\Windows\Windows Error Reporting\WMR	value_name = DevicePath	1	Fn
READ_VALUE	\Registry\Machine\System\CurrentControlSet\Control\Nls\CustomLocale	value_name = en-US	1	Fn
READ_VALUE	\Registry\Machine\System\CurrentControlSet\Control\Nls\ExtendedLocale	value_name = en-US	1	Fn
READ_VALUE			2	Fn
READ_VALUE		value_name = SystemSetupInProgress	2	Fn
READ_VALUE		value_name = MaxRpcSize	1	Fn
READ_VALUE	\Registry\Machine\System\CurrentControlSet\Control\ComputerName\ActiveComputerName	value_name = ComputerName	1	Fn
READ_VALUE	\Registry\Machine\System\Setup	value_name = OOBEInProgress	1	Fn
READ_VALUE	\Registry\Machine\System\Setup	value_name = SystemSetupInProgress	1	Fn
READ_VALUE		value_name = IdleTimerWindow	1	Fn
READ_VALUE			79	Fn
READ_VALUE		value_name = SetComputerName	1	Fn
READ_VALUE		value_name = QueryAdapterName	1	Fn
READ_VALUE	System\CurrentControlSet\Services\Tcpip\Parameters	value_name = DisableAdapterDomainName	1	Fn
READ_VALUE		value_name = UseDomainNameDevolution	1	Fn
READ_VALUE	System\CurrentControlSet\Services\Tcpip\Parameters	value_name = UseDomainNameDevolution	1	Fn
READ_VALUE		value_name = DomainNameDevolutionLevel	1	Fn
READ_VALUE		value_name = PrioritizeRecordData	1	Fn
READ_VALUE	System\CurrentControlSet\Services\Tcpip\Parameters	value_name = PrioritizeRecordData	1	Fn
READ_VALUE		value_name = AllowUnqualifiedQuery	1	Fn
READ_VALUE	System\CurrentControlSet\Services\Tcpip\Parameters	value_name = AllowUnqualifiedQuery	1	Fn
READ_VALUE		value_name = AppendToMultiLabelName	1	Fn
READ_VALUE		value_name = ScreenBadTlds	1	Fn
READ_VALUE		value_name = ScreenUnreachableServers	1	Fn
READ_VALUE		value_name = ScreenDefaultServers	1	Fn
READ_VALUE		value_name = DynamicServerQueryOrder	1	Fn
READ_VALUE		value_name = FilterClusterIp	1	Fn
READ_VALUE		value_name = WaitForNameErrorOnAll	1	Fn
READ_VALUE		value_name = UseEdns	1	Fn
READ_VALUE		value_name = DnsSecureNameQueryFallback	1	Fn
READ_VALUE		value_name = EnableDAForAllNetworks	1	Fn
READ_VALUE		value_name = DirectAccessQueryOrder	1	Fn
READ_VALUE		value_name = QueryIpMatching	1	Fn
READ_VALUE		value_name = UseHostsFile	1	Fn
READ_VALUE		value_name = AddrConfigControl	1	Fn
READ_VALUE		value_name = DisableSmartNameResolution	1	Fn
READ_VALUE		value_name = PreferLocalOverLowerBindingDNS	1	Fn
READ_VALUE		value_name = QueryNetBTFQDN	1	Fn
READ_VALUE		value_name = DisableSmartProtocolReordering	1	Fn
READ_VALUE		value_name = UdpRecvBufferSize	1	Fn
READ_VALUE		value_name = DisableParallelAandAAAA	1	Fn
READ_VALUE		value_name = DisableCoalescing	1	Fn
READ_VALUE		value_name = FilterVPNTrigger	1	Fn
READ_VALUE		value_name = RegistrationEnabled	1	Fn
READ_VALUE	System\CurrentControlSet\Services\Tcpip\Parameters	value_name = DisableDynamicUpdate	1	Fn
READ_VALUE		value_name = RegisterPrimaryName	1	Fn
READ_VALUE		value_name = RegisterAdapterName	1	Fn
READ_VALUE	System\CurrentControlSet\Services\Tcpip\Parameters	value_name = EnableAdapterDomainNameRegistration	1	Fn
READ_VALUE		value_name = RegisterReverseLookup	1	Fn
READ_VALUE	System\CurrentControlSet\Services\Tcpip\Parameters	value_name = DisableReverseAddressRegistrations	1	Fn
READ_VALUE		value_name = RegisterWanAdapters	1	Fn
READ_VALUE	System\CurrentControlSet\Services\Tcpip\Parameters	value_name = DisableWanDynamicUpdate	1	Fn
READ_VALUE		value_name = RegistrationTtl	1	Fn
READ_VALUE	System\CurrentControlSet\Services\Tcpip\Parameters	value_name = DefaultRegistrationTTL	1	Fn
READ_VALUE		value_name = RegistrationRefreshInterval	1	Fn
READ_VALUE	System\CurrentControlSet\Services\Tcpip\Parameters	value_name = DefaultRegistrationRefreshInterval	1	Fn
READ_VALUE		value_name = RegistrationMaxAddressCount	1	Fn
READ_VALUE	System\CurrentControlSet\Services\Tcpip\Parameters	value_name = MaxNumberOfAddressesToRegister	1	Fn
READ_VALUE		value_name = UpdateSecurityLevel	1	Fn
READ_VALUE	System\CurrentControlSet\Services\Tcpip\Parameters	value_name = UpdateSecurityLevel	1	Fn
READ_VALUE		value_name = UpdateTopLevelDomainZones	1	Fn
READ_VALUE		value_name = DowncaseSpnCauseApiOwnerIsTooLazy	1	Fn
READ_VALUE		value_name = RegistrationOverwrite	1	Fn
READ_VALUE		value_name = MaxCacheSize	1	Fn
READ_VALUE		value_name = MaxCacheTtl	1	Fn
READ_VALUE		value_name = MaxNegativeCacheTtl	1	Fn
READ_VALUE		value_name = AdapterTimeoutLimit	1	Fn
READ_VALUE		value_name = ServerPriorityTimeLimit	1	Fn
READ_VALUE		value_name = MaxCachedSockets	1	Fn
READ_VALUE		value_name = DisableServerUnreachability	1	Fn
READ_VALUE		value_name = EnableMulticast	1	Fn
READ_VALUE		value_name = MulticastResponderFlags	1	Fn
READ_VALUE		value_name = MulticastSenderFlags	1	Fn
READ_VALUE		value_name = MulticastSenderMaxTimeout	1	Fn
READ_VALUE		value_name = DnsTest	1	Fn
READ_VALUE		value_name = UseCompartments	1	Fn
READ_VALUE		value_name = CacheAllCompartments	1	Fn
READ_VALUE		value_name = UseNewRegistration	1	Fn
READ_VALUE		value_name = ResolverRegistration	1	Fn
READ_VALUE		value_name = ResolverRegistrationOnly	1	Fn
READ_VALUE		value_name = NewDhcpSrvRegistration	1	Fn
READ_VALUE		value_name = DirectAccessPreferLocal	1	Fn
READ_VALUE		value_name = DisableIdnEncoding	1	Fn
READ_VALUE		value_name = EnableIdnMapping	1	Fn
READ_VALUE		value_name = TestMode_AdaptiveTimeoutHistoryLength	1	Fn
READ_VALUE		value_name = TestMode_AdaptiveTimeoutRecalculationInterval	1	Fn
READ_VALUE		value_name = DnsQueryTimeouts	1	Fn
READ_VALUE	System\CurrentControlSet\Services\Tcpip\Parameters	value_name = DnsQueryTimeouts	1	Fn
READ_VALUE		value_name = DnsQuickQueryTimeouts	1	Fn
READ_VALUE	System\CurrentControlSet\Services\Tcpip\Parameters	value_name = DnsQuickQueryTimeouts	1	Fn
READ_VALUE	\REGISTRY\MACHINE\System\Setup	value_name = SystemSetupInProgress	1	Fn
READ_VALUE	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Setup	value_name = MinimizeFootprint	1	Fn
READ_VALUE		value_name = SQMServiceList	1	Fn
READ_VALUE	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Setup	value_name = LogLevel	1	Fn
READ_VALUE	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Setup	value_name = LogMask	1	Fn
READ_VALUE	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Setup	value_name = LogMaxFileSize	1	Fn
READ_VALUE	\Registry\Machine\System\CurrentControlSet\Control\Nls\Sorting\Versions	value_name = 000602xx	1	Fn
READ_VALUE	\Registry\Machine\System\CurrentControlSet\Control\Nls\Sorting\Ids	value_name = en-US	1	Fn
READ_VALUE	\Registry\Machine\System\CurrentControlSet\Control\Nls\Sorting\Ids	value_name = en	1	Fn
READ_VALUE	Control Panel\International		1	Fn
READ_VALUE	Control Panel\International		1	Fn
READ_VALUE	Control Panel\International	value_name = sCurrencyOverride	1	Fn

Driver (565)

Operation	Driver	Additional Information	Amount	Logfile
CONTROL	\device\deviceapi\cmapi	control_code = 0x470803	1	Fn
CONTROL	\device\deviceapi\cmapi	control_code = 0x470843	42	Fn
CONTROL	\device\deviceapi\cmapi	control_code = 0x470813	45	Fn
CONTROL	\device\deviceapi\cmapi	control_code = 0x470827	15	Fn
CONTROL			231	Fn
CONTROL		control_code = 0x470813	220	Fn
CONTROL		control_code = 0x47086b	11	Fn

User (1)

Operation	User/Group/Server	Additional Information	Success	Amount	Logfile
SET_PRIVILEGE	Localhost	privilege = SeRestorePrivilege, enable_privilege = 1		1	Fn

System (99)

Operation	Information	Amount	Logfile
SLEEP		34	Fn
SLEEP	duration = 1 milliseconds (0.001 seconds)	54	Fn
GET_INFO	type = SYSTEM_CURRENT_TIME_ZONE_INFORMATION	1	Fn
GET_INFO	type = SYSTEM_BASIC_INFORMATION	7	Fn
GET_INFO	type = SYSTEM_PROCESSOR_INFORMATION	2	Fn
GET_INFO		1	Fn

Mutex (60)

Operation	Name	Additional Information	Amount	Logfile
CREATE		initial_owner = 0, desired_access = MUTEX_MODIFY_STATE, DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE	19	Fn
CREATE			18	Fn
CREATE	WinPEProfilingMutex	initial_owner = 0, desired_access = MUTEX_MODIFY_STATE, DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE	1	Fn
RELEASE			22	Fn

Process #18: svchost.exe

(Host: 231, Network: 0)

Information	Value
ID / OS PID	#18 / 0x2b0
OS Parent PID	0x1ac (c:\windows\system32\csrss.exe)
Initial Working Directory	X:\windows\system32
File Name	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\svchost.exe
Command Line	X:\windows\System32\svchost.exe -k LocalServiceNetworkRestricted
Monitor	Start Time: 00:02:04, Reason: Child Process
Unmonitor	End Time: 00:02:07, Reason: Terminated by Timeout
Monitor Duration	00:00:03
OS Thread IDs	#127 0x2B4 #130 0x2C4 #131 0x2C8 #132 0x2CC #133 0x2D0

Region

Name	Start VA	End VA	Type	Permissions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable
private_0x00000020608b0000	0x20608b0000	0x20608cffff	Private Memory	Readable, Writable
pagefile_0x00000020608b0000	0x20608b0000	0x20608bffff	Pagefile Backed File	Readable, Writable
private_0x00000020608c0000	0x20608c0000	0x20608c6fff	Private Memory	Readable, Writable
pagefile_0x00000020608d0000	0x20608d0000	0x20608defff	Pagefile Backed File	Readable
private_0x00000020608e0000	0x20608e0000	0x206095ffff	Private Memory	Readable, Writable
pagefile_0x0000002060960000	0x2060960000	0x2060963fff	Pagefile Backed File	Readable
pagefile_0x0000002060970000	0x2060970000	0x2060970fff	Pagefile Backed File	Readable
private_0x0000002060980000	0x2060980000	0x2060981fff	Private Memory	Readable, Writable
locale.nls	0x2060990000	0x2060a0dfff	Memory Mapped File	Readable
private_0x0000002060a10000	0x2060a10000	0x2060a16fff	Private Memory	Readable, Writable
pagefile_0x0000002060a20000	0x2060a20000	0x2060adffff	Pagefile Backed File	Readable
svchost.exe.mui	0x2060ae0000	0x2060ae0fff	Memory Mapped File	Readable
private_0x0000002060af0000	0x2060af0000	0x2060af0fff	Private Memory	Readable, Writable
private_0x0000002060b00000	0x2060b00000	0x2060b00fff	Private Memory	Readable, Writable
private_0x0000002060b10000	0x2060b10000	0x2060b16fff	Private Memory	Readable, Writable
private_0x0000002060b20000	0x2060b20000	0x2060c1ffff	Private Memory	Readable, Writable
pagefile_0x0000002060c20000	0x2060c20000	0x2060da7fff	Pagefile Backed File	Readable
private_0x0000002060e00000	0x2060e00000	0x2060e0ffff	Private Memory	Readable, Writable
pagefile_0x0000002060e10000	0x2060e10000	0x2060f90fff	Pagefile Backed File	Readable
private_0x0000002060fa0000	0x2060fa0000	0x206101ffff	Private Memory	Readable, Writable
private_0x0000002061020000	0x2061020000	0x206109ffff	Private Memory	Readable, Writable
sortdefault.nls	0x20610a0000	0x2061374fff	Memory Mapped File	Readable
private_0x0000002061380000	0x2061380000	0x206147ffff	Private Memory	Readable, Writable
private_0x0000002061480000	0x2061480000	0x2061487fff	Private Memory	Readable, Writable
private_0x0000002061490000	0x2061490000	0x206150ffff	Private Memory	Readable, Writable
wevtapi.dll	0x2061510000	0x2061579fff	Memory Mapped File	Readable
private_0x0000002061580000	0x2061580000	0x20615fffff	Private Memory	Readable, Writable
pagefile_0x00007df5ff1d0000	0x7df5ff1d0000	0x7ff5ff1cffff	Pagefile Backed File	-
pagefile_0x00007ff7c98c0000	0x7ff7c98c0000	0x7ff7c99bffff	Pagefile Backed File	Readable
pagefile_0x00007ff7c99c0000	0x7ff7c99c0000	0x7ff7c99e2fff	Pagefile Backed File	Readable
private_0x00007ff7c99e5000	0x7ff7c99e5000	0x7ff7c99e6fff	Private Memory	Readable, Writable
private_0x00007ff7c99e7000	0x7ff7c99e7000	0x7ff7c99e8fff	Private Memory	Readable, Writable
private_0x00007ff7c99e9000	0x7ff7c99e9000	0x7ff7c99e9fff	Private Memory	Readable, Writable
private_0x00007ff7c99ea000	0x7ff7c99ea000	0x7ff7c99ebfff	Private Memory	Readable, Writable
private_0x00007ff7c99ec000	0x7ff7c99ec000	0x7ff7c99edfff	Private Memory	Readable, Writable
private_0x00007ff7c99ee000	0x7ff7c99ee000	0x7ff7c99effff	Private Memory	Readable, Writable
svchost.exe	0x7ff7ca810000	0x7ff7ca81cfff	Memory Mapped File	Readable, Writable, Executable
wevtsvc.dll	0x7ffb6f8f0000	0x7ffb6fa91fff	Memory Mapped File	Readable, Writable, Executable
kernel.appcore.dll	0x7ffb6fe40000	0x7ffb6fe4afff	Memory Mapped File	Readable, Writable, Executable
SspiCli.dll	0x7ffb71500000	0x7ffb7152dfff	Memory Mapped File	Readable, Writable, Executable
powrprof.dll	0x7ffb71530000	0x7ffb71575fff	Memory Mapped File	Readable, Writable, Executable
bcryptPrimitives.dll	0x7ffb71580000	0x7ffb715e2fff	Memory Mapped File	Readable, Writable, Executable
CRYPTBASE.dll	0x7ffb715f0000	0x7ffb715fafff	Memory Mapped File	Readable, Writable, Executable
kernelbase.dll	0x7ffb71760000	0x7ffb71874fff	Memory Mapped File	Readable, Writable, Executable
gdi32.dll	0x7ffb71ad0000	0x7ffb71c20fff	Memory Mapped File	Readable, Writable, Executable
sechost.dll	0x7ffb733c0000	0x7ffb73418fff	Memory Mapped File	Readable, Writable, Executable
kernel32.dll	0x7ffb73480000	0x7ffb735bdfff	Memory Mapped File	Readable, Writable, Executable
combase.dll	0x7ffb73740000	0x7ffb73950fff	Memory Mapped File	Readable, Writable, Executable
rpcrt4.dll	0x7ffb73a30000	0x7ffb73b70fff	Memory Mapped File	Readable, Writable, Executable
user32.dll	0x7ffb73e90000	0x7ffb74006fff	Memory Mapped File	Readable, Writable, Executable
MSVCRT.dll	0x7ffb74050000	0x7ffb740f9fff	Memory Mapped File	Readable, Writable, Executable
ntdll.dll	0x7ffb74120000	0x7ffb742cbfff	Memory Mapped File	Readable, Writable, Executable

Injection Information

Injection Type	Source Process	Source Os Thread ID	Injection Info	Amount	Logfile
Modify Memory	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe	0x188	No corresponding api call detected. Probably injected code via shellcode.	1
Modify Memory	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe	0x188	No corresponding api call detected. Probably injected code via shellcode.	1
Modify Memory	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe	0x188	No corresponding api call detected. Probably injected code via shellcode.	1
Modify Memory	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe	0x188	No corresponding api call detected. Probably injected code via shellcode.	1
Modify Memory	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\services.exe	0x1b0	address = 0x2060980000, size = 4704	1	Fn Data
Modify Memory	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\services.exe	0x1b0	address = 0x7ff7c99e92d8, size = 8	1	Fn Data
Modify Memory	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\lsass.exe	0x1d0	No corresponding api call detected. Probably injected code via shellcode.	1
Modify Memory	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\lsass.exe	0x1d0	No corresponding api call detected. Probably injected code via shellcode.	1
Modify Memory	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\lsass.exe	0x1d0	No corresponding api call detected. Probably injected code via shellcode.	1
Modify Memory	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\lsass.exe	0x1d0	No corresponding api call detected. Probably injected code via shellcode.	1
Modify Memory	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\lsass.exe	0x1d0	No corresponding api call detected. Probably injected code via shellcode.	1
Modify Memory	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\lsass.exe	0x1d0	No corresponding api call detected. Probably injected code via shellcode.	1

Host Behavior

File (2)

Operation	Filename	Additional Information	Success	Amount	Logfile
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\globalization\sorting\sortdefault.nls	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0		1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\wevtapi.dll	desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0		1	Fn

Process (10)

Operation	Process Name	Additional Information	Amount	Logfile
OPEN_TOKEN			1	Fn
GET_INFO	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe	os_pid = 0x134	1	Fn
GET_INFO	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe	os_pid = 0x134	4	Fn
GET_INFO	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe	os_pid = 0x134	2	Fn
GET_INFO	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe	os_pid = 0x134	2	Fn

Thread (2)

Operation	Process Name	Additional Information	Success	Amount	Logfile
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe	os_pid = 0x134, proc_address = 0x7ffb733c7ef0, desired_access = THREAD_ALL_ACCESS		1	Fn
CREATE	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe	os_pid = 0x134, proc_address = 0x7ffb6f922a20, desired_access = THREAD_ALL_ACCESS		1	Fn

Module (19)

Operation	Module	Additional Information	Amount	Logfile
LOAD	rpcrt4.dll	base_address = 0x0	1	Fn
LOAD	kernel32.dll	base_address = 0x0	1	Fn
LOAD		base_address = 0x7ffb6f8f0000	1	Fn
LOAD	x:\windows\system32\wevtsvc.dll	base_address = 0x0	1	Fn
LOAD		base_address = 0x2061510002	1	Fn
LOAD		base_address = 0x7ffb73480000	1	Fn
LOAD	sspicli.dll	base_address = 0x0	2	Fn
LOAD		base_address = 0x7ffb71500000	1	Fn
GET_HANDLE	rpcrt4.dll		1	Fn
GET_HANDLE	X:\windows\system32\rpcss.dll		1	Fn
GET_HANDLE	ntdll.dll		1	Fn
GET_HANDLE	combase.dll		1	Fn
CREATE_MAPPING	Nameless FileMapping	file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\globalization\sorting\sortdefault.nls, maximum_size = 0, protection = PAGE_READONLY	1	Fn
CREATE_MAPPING	Nameless FileMapping	file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\wevtapi.dll, maximum_size = 0, protection = PAGE_READONLY	1	Fn
MAP	Nameless FileMapping	process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134, address = 0x20610a0000	1	Fn
MAP	Nameless FileMapping	process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134, address = 0x2061510000	1	Fn
GET_PROC_ADDRESS		address_out = 0x7ffb6f947ee0	1	Fn
GET_PROC_ADDRESS		address_out = 0x7ffb6f94efc0	1	Fn

Service (1)

Operation	Service	Additional Information	Success	Amount	Logfile
REGISTER_HANDLER				1	Fn

Com (1)

Operation	Class	Interface	Additional Information	Success	Amount	Logfile
CREATE					1	Fn

Registry (172)

Operation	Key	Additional Information	Amount	Logfile
OPEN_KEY	\Registry\Machine\System\CurrentControlSet\Control\Nls\Sorting\Versions		1	Fn
OPEN_KEY			17	Fn
OPEN_KEY			4	Fn
OPEN_KEY	\Registry\Machine\System\CurrentControlSet\Control\Error Message Instrument\		1	Fn
OPEN_KEY	\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize		1	Fn
OPEN_KEY	\Registry\Machine\System\CurrentControlSet\Control\ComputerName\ActiveComputerName		5	Fn
OPEN_KEY	\Registry\Machine\System\Setup		4	Fn
OPEN_KEY	HKEY_USERS\S-1-5-19_Classes		1	Fn
OPEN_KEY	\REGISTRY\MACHINE\Software\Microsoft\Rpc\Extensions		1	Fn
OPEN_KEY	Control Panel\International		1	Fn
OPEN_KEY	\Registry\Machine\System\CurrentControlSet\Control\Nls\CustomLocale		1	Fn
OPEN_KEY	\Registry\Machine\System\CurrentControlSet\Control\Nls\ExtendedLocale		1	Fn
OPEN_KEY	\Registry\Machine\System\CurrentControlSet\Control\Nls\Sorting\Ids		1	Fn
OPEN_KEY	\Registry\Machine\System\CurrentControlSet\Services\Tcpip\Parameters		4	Fn
OPEN_KEY	\Registry\Machine\System\CurrentControlSet\Control\ComputerName		3	Fn
OPEN_KEY	\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option		1	Fn
READ_VALUE	\Registry\Machine\System\CurrentControlSet\Control\Nls\Sorting\Versions	value_name = 139059393024	1	Fn
READ_VALUE			26	Fn
READ_VALUE		value_name = LocalServiceNetworkRestricted	2	Fn
READ_VALUE		value_name = CoInitializeSecurityParam	1	Fn
READ_VALUE			21	Fn
READ_VALUE		value_name = CoInitializeSecurityAllowLowBox	1	Fn
READ_VALUE		value_name = AuthenticationLevel	1	Fn
READ_VALUE		value_name = ImpersonationLevel	1	Fn
READ_VALUE		value_name = AuthenticationCapabilities	1	Fn
READ_VALUE		value_name = CoInitializeSecurityAppID	1	Fn
READ_VALUE		value_name = DefaultRpcStackSize	1	Fn
READ_VALUE		value_name = RpcExceptionFilterMode	1	Fn
READ_VALUE		value_name = SystemCritical	1	Fn
READ_VALUE		value_name = NoGuiAccess	1	Fn
READ_VALUE		value_name = PageAllocatorUseSystemHeap	1	Fn
READ_VALUE		value_name = PageAllocatorSystemHeapIsPrivate	1	Fn
READ_VALUE		value_name = AggressiveMTATesting	1	Fn
READ_VALUE	\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize	value_name = DisableMetaFiles	1	Fn
READ_VALUE		value_name = LoadAppInit_DLLs	1	Fn
READ_VALUE		value_name = MaxRpcSize	1	Fn
READ_VALUE	\Registry\Machine\System\CurrentControlSet\Control\ComputerName\ActiveComputerName	value_name = ComputerName	5	Fn
READ_VALUE	\Registry\Machine\System\Setup	value_name = OOBEInProgress	2	Fn
READ_VALUE	\Registry\Machine\System\Setup	value_name = SystemSetupInProgress	2	Fn
READ_VALUE		value_name = IdleTimerWindow	1	Fn
READ_VALUE	\REGISTRY\MACHINE\Software\Microsoft\Rpc\Extensions	value_name = NdrOleExtDLL	1	Fn
READ_VALUE	Control Panel\International		1	Fn
READ_VALUE	Control Panel\International		1	Fn
READ_VALUE	Control Panel\International	value_name = sCurrencyOverride	1	Fn
READ_VALUE	\Registry\Machine\System\CurrentControlSet\Control\Nls\CustomLocale	value_name = en-US	1	Fn
READ_VALUE	\Registry\Machine\System\CurrentControlSet\Control\Nls\ExtendedLocale	value_name = en-US	1	Fn
READ_VALUE	\Registry\Machine\System\CurrentControlSet\Control\Nls\Sorting\Versions	value_name = 000602xx	1	Fn
READ_VALUE	\Registry\Machine\System\CurrentControlSet\Control\Nls\Sorting\Ids	value_name = en-US	1	Fn
READ_VALUE	\Registry\Machine\System\CurrentControlSet\Control\Nls\Sorting\Ids	value_name = en	1	Fn
READ_VALUE	Nameless FileMapping	value_name = ServiceDll	1	Fn
READ_VALUE	Nameless FileMapping	value_name = ServiceManifest	1	Fn
READ_VALUE	Nameless FileMapping	value_name = ServiceMain	2	Fn
READ_VALUE		value_name = CompatFlags	1	Fn
READ_VALUE		value_name = MaxSize	3	Fn
READ_VALUE		value_name = Retention	3	Fn
READ_VALUE		value_name = AutoBackupLogFiles	4	Fn
READ_VALUE		value_name = CustomSD	3	Fn
READ_VALUE		value_name = MaxSize	1	Fn
READ_VALUE		value_name = Retention	1	Fn
READ_VALUE		value_name = CustomSD	2	Fn
READ_VALUE		value_name = WarningLevel	1	Fn
READ_VALUE		value_name = SystemSetupInProgress	3	Fn
READ_VALUE		value_name = ProductName	1	Fn
READ_VALUE		value_name = CurrentType	3	Fn
READ_VALUE		value_name = InstallDate	1	Fn
READ_VALUE		value_name = BuildLab	1	Fn
READ_VALUE	\Registry\Machine\System\CurrentControlSet\Services\Tcpip\Parameters	value_name = Hostname	4	Fn
READ_VALUE	\Registry\Machine\System\CurrentControlSet\Control\ComputerName\ActiveComputerName	value_name = SystemSetupInProgress	1	Fn
READ_VALUE	\Registry\Machine\System\CurrentControlSet\Control\ComputerName\ActiveComputerName	value_name = 9	1	Fn
READ_VALUE		value_name = SecurityProviders	1	Fn
READ_VALUE		value_name = crashonauditfail	1	Fn

Driver (3)

Operation	Additional Information	Amount	Logfile
CONTROL		1	Fn
CONTROL	control_code = 0x390008	1	Fn
CONTROL	control_code = 0x110008	1	Fn

System (21)

Operation	Information	Amount	Logfile
SLEEP		2	Fn
SLEEP	duration = 1 milliseconds (0.001 seconds)	2	Fn
SLEEP		1	Fn
SLEEP	duration = 1 milliseconds (0.001 seconds)	1	Fn
GET_INFO	type = SYSTEM_CURRENT_TIME_ZONE_INFORMATION	1	Fn
GET_INFO	type = SYSTEM_BASIC_INFORMATION	8	Fn
GET_INFO	type = SYSTEM_PROCESSOR_INFORMATION	3	Fn
GET_INFO		2	Fn
GET_INFO		1	Fn

Process #19: wallpaperhost.exe

Information	Value
ID / OS PID	#19 / 0x2ac
OS Parent PID	0x290 (\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\wallpaperhost.exe)
Initial Working Directory	X:\windows\system32
File Name	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\wallpaperhost.exe
Command Line	X:\windows\system32\WallpaperHost.exe
Monitor	Start Time: 00:02:04, Reason: Child Process
Unmonitor	End Time: 00:02:04, Reason: Terminated
Monitor Duration	00:00:00
OS Thread IDs
Remarks	No high level activity detected in monitored regions

Process #20: wallpaperhost.exe

Information	Value
ID / OS PID	#20 / 0x2b8
OS Parent PID	0x290 (\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\wallpaperhost.exe)
Initial Working Directory	X:\windows\system32
File Name	\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\wallpaperhost.exe
Command Line	X:\windows\system32\WallpaperHost.exe
Monitor	Start Time: 00:02:04, Reason: Child Process
Unmonitor	End Time: 00:02:04, Reason: Terminated
Monitor Duration	00:00:00
OS Thread IDs
Remarks	No high level activity detected in monitored regions