VMRay Analyzer Report
| Information | Value |
|---|---|
| ID / OS PID | #1 / 0x7a8 |
| OS Parent PID | 0x358 (c:\windows\explorer.exe) |
| Initial Working Directory | C:\Users\uWZPA0LPqa\Desktop |
| File Name | c:\users\uwzpa0lpqa\desktop\cb91b8695d3990b5b5eae8a714bd357e.exe |
| Command Line | "C:\Users\uWZPA0LPqa\Desktop\cb91b8695d3990b5b5eae8a714bd357e.exe" |
| Monitor | Start Time: 00:00:38, Reason: Analysis Target |
| Unmonitor | End Time: 00:02:07, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:29 |
| OS Thread IDs | #1 0xA98 #2 0x5FC |
| Category | Operation | Information | Success | Amount | Logfile |
|---|---|---|---|---|---|
| MOD | GET_PROC_ADDRESS | function = StrCmpNIA, address_out = 0x7551b430 |  | 1 | |
| MOD | GET_HANDLE | module_name = KERNEL32.dll | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = KERNEL32.dll, function = GetTempPathA, address_out = 0x75985890 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = KERNEL32.dll, function = GetProcAddress, address_out = 0x75977b50 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = KERNEL32.dll, function = GetModuleHandleA, address_out = 0x75978f60 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = KERNEL32.dll, function = CopyFileA, address_out = 0x7597fe50 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = KERNEL32.dll, function = LoadLibraryExA, address_out = 0x7597a970 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = KERNEL32.dll, function = FreeLibrary, address_out = 0x7597a790 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = KERNEL32.dll, function = DeleteFileA, address_out = 0x75988950 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = KERNEL32.dll, function = GetPrivateProfileIntA, address_out = 0x7597ca90 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = KERNEL32.dll, function = GetPrivateProfileStringA, address_out = 0x7597cb60 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = KERNEL32.dll, function = WritePrivateProfileStringA, address_out = 0x7597c590 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = KERNEL32.dll, function = CreateFileA, address_out = 0x75988920 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = KERNEL32.dll, function = WriteFile, address_out = 0x75988cf0 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = KERNEL32.dll, function = CloseHandle, address_out = 0x759886f0 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = KERNEL32.dll, function = GetTempFileNameA, address_out = 0x759a3bf0 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = KERNEL32.dll, function = GetSystemTime, address_out = 0x75979200 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = KERNEL32.dll, function = GetFileAttributesA, address_out = 0x75988aa0 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = KERNEL32.dll, function = DeviceIoControl, address_out = 0x75978a50 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = KERNEL32.dll, function = SystemTimeToFileTime, address_out = 0x7597a950 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = KERNEL32.dll, function = GetCurrentProcessId, address_out = 0x759722d0 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = KERNEL32.dll, function = FreeLibraryAndExitThread, address_out = 0x75985c10 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = KERNEL32.dll, function = GetCurrentProcess, address_out = 0x759728e0 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = KERNEL32.dll, function = CreateFileW, address_out = 0x75988930 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = KERNEL32.dll, function = GetFileSize, address_out = 0x75988af0 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = KERNEL32.dll, function = ReadFile, address_out = 0x75988c00 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = KERNEL32.dll, function = SetFilePointer, address_out = 0x75988c90 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = KERNEL32.dll, function = SetEndOfFile, address_out = 0x75988c50 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = KERNEL32.dll, function = GetModuleHandleW, address_out = 0x7597a0c0 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = KERNEL32.dll, function = CopyFileW, address_out = 0x75986770 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = KERNEL32.dll, function = CreateFileMappingA, address_out = 0x759770f0 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = KERNEL32.dll, function = MapViewOfFile, address_out = 0x75978b50 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = KERNEL32.dll, function = UnmapViewOfFile, address_out = 0x7597a100 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = KERNEL32.dll, function = Sleep, address_out = 0x759782d0 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = KERNEL32.dll, function = DeleteFileW, address_out = 0x75988960 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = KERNEL32.dll, function = ExitProcess, address_out = 0x75989850 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = KERNEL32.dll, function = GetCommandLineA, address_out = 0x7597b5a0 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = KERNEL32.dll, function = CreateThread, address_out = 0x7597a740 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = KERNEL32.dll, function = GetSystemTimeAsFileTime, address_out = 0x759770c0 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = KERNEL32.dll, function = VirtualProtect, address_out = 0x75978ab0 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = KERNEL32.dll, function = VirtualFree, address_out = 0x75978f20 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = KERNEL32.dll, function = GetLastError, address_out = 0x759726e0 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = KERNEL32.dll, function = GetVersionExA, address_out = 0x75978b10 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = KERNEL32.dll, function = MoveFileExW, address_out = 0x7597b950 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = KERNEL32.dll, function = GetTempFileNameW, address_out = 0x75988b80 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = KERNEL32.dll, function = GetTempPathW, address_out = 0x75988b90 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = KERNEL32.dll, function = GetModuleFileNameW, address_out = 0x7597a0e0 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = KERNEL32.dll, function = GetWindowsDirectoryW, address_out = 0x7597b6c0 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = KERNEL32.dll, function = VirtualAlloc, address_out = 0x75978b90 | | 1 | |
| MOD | GET_HANDLE | module_name = ADVAPI32.dll | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = ADVAPI32.dll, function = QueryServiceStatusEx, address_out = 0x7545ce30 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = ADVAPI32.dll, function = StartServiceA, address_out = 0x754746d0 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = ADVAPI32.dll, function = OpenSCManagerA, address_out = 0x75439510 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = ADVAPI32.dll, function = OpenServiceA, address_out = 0x75474320 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = ADVAPI32.dll, function = GetUserNameW, address_out = 0x75447190 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = ADVAPI32.dll, function = OpenProcessToken, address_out = 0x75439290 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = ADVAPI32.dll, function = RegCloseKey, address_out = 0x75439330 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = ADVAPI32.dll, function = RegSetValueExA, address_out = 0x75446fb0 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = ADVAPI32.dll, function = RegCreateKeyA, address_out = 0x7545c620 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = ADVAPI32.dll, function = CloseServiceHandle, address_out = 0x754394f0 | | 1 | |
| MOD | GET_HANDLE | module_name = ntdll.dll | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = ntdll.dll, function = RtlComputeCrc32, address_out = 0x779e7db0 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = ntdll.dll, function = LdrAddRefDll, address_out = 0x77973f70 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = ntdll.dll, function = ZwImpersonateThread, address_out = 0x7794d7e0 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = ntdll.dll, function = ZwOpenThread, address_out = 0x7794da70 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = ntdll.dll, function = RtlEqualUnicodeString, address_out = 0x7795a050 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = ntdll.dll, function = ZwQueryInformationToken, address_out = 0x7794cb40 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = ntdll.dll, function = wcsncpy, address_out = 0x779ad5b0 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = ntdll.dll, function = ZwOpenFile, address_out = 0x7794cc60 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = ntdll.dll, function = ZwClose, address_out = 0x7794ca20 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = ntdll.dll, function = ZwLoadDriver, address_out = 0x7794d850 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = ntdll.dll, function = strncat, address_out = 0x77938c30 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = ntdll.dll, function = ZwCreateEvent, address_out = 0x7794cdb0 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = ntdll.dll, function = RtlInitUnicodeString, address_out = 0x77937520 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = ntdll.dll, function = _snwprintf, address_out = 0x779ac100 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = ntdll.dll, function = atoi, address_out = 0x779abbf0 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = ntdll.dll, function = ZwTestAlert, address_out = 0x7794e2f0 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = ntdll.dll, function = RtlRandom, address_out = 0x779f2780 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = ntdll.dll, function = ZwRaiseHardError, address_out = 0x7794ddb0 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = ntdll.dll, function = RtlAdjustPrivilege, address_out = 0x779ab650 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = ntdll.dll, function = ZwQuerySystemInformation, address_out = 0x7794cc90 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = ntdll.dll, function = sscanf, address_out = 0x779acff0 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = ntdll.dll, function = strncpy, address_out = 0x77938d70 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = ntdll.dll, function = _chkstk, address_out = 0x77951140 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = ntdll.dll, function = memcpy, address_out = 0x779382c0 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = ntdll.dll, function = _snprintf, address_out = 0x779ac050 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = ntdll.dll, function = RtlImageNtHeader, address_out = 0x77964af0 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = ntdll.dll, function = ZwDeviceIoControlFile, address_out = 0x7794c9a0 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = ntdll.dll, function = memset, address_out = 0x77938940 | | 1 | |
| MOD | GET_HANDLE | module_name = SHLWAPI.dll | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = SHLWAPI.dll, function = StrStrIW, address_out = 0x75508bc0 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = SHLWAPI.dll, function = SHDeleteKeyA, address_out = 0x7551ba40 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = SHLWAPI.dll, function = PathFileExistsW, address_out = 0x75508fc0 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = SHLWAPI.dll, function = StrStrIA, address_out = 0x7550f9c0 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = SHLWAPI.dll, function = PathFileExistsA, address_out = 0x7551ab40 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = SHLWAPI.dll, function = PathAppendA, address_out = 0x7551aa60 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = SHLWAPI.dll, function = PathFindFileNameW, address_out = 0x75508ba0 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = SHLWAPI.dll, function = SHGetValueA, address_out = 0x7550f890 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = SHLWAPI.dll, function = PathRemoveFileSpecA, address_out = 0x7551aee0 | | 1 | |
| MOD | GET_HANDLE | module_name = imagehlp.dll |  | 1 | |
| MOD | LOAD | module_name = imagehlp.dll, base_address = 0x75270000 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = imagehlp.dll, function = CheckSumMappedFile, address_out = 0x75277d30 | | 1 | |
| MOD | GET_HANDLE | module_name = PSAPI.DLL | | 1 | |
| MOD | LOAD | module_name = PSAPI.DLL, base_address = 0x75550000 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = PSAPI.DLL, function = GetMappedFileNameW, address_out = 0x75551720 | | 1 | |
| MOD | GET_HANDLE | module_name = RPCRT4.dll | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = RPCRT4.dll, function = UuidCreateSequential, address_out = 0x7564bb50 | | 1 | |
| MOD | GET_HANDLE | module_name = WININET.dll | | 1 | |
| MOD | LOAD | module_name = WININET.dll, base_address = 0x74d90000 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = WININET.dll, function = InternetCrackUrlA, address_out = 0x74e0fd30 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = WININET.dll, function = InternetConnectA, address_out = 0x74e3a3c0 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = WININET.dll, function = HttpOpenRequestA, address_out = 0x74e3a450 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = WININET.dll, function = HttpSendRequestA, address_out = 0x74e370c0 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = WININET.dll, function = InternetQueryOptionA, address_out = 0x74da1e40 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = WININET.dll, function = InternetSetOptionA, address_out = 0x74da4230 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = WININET.dll, function = InternetCloseHandle, address_out = 0x74db43c0 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = WININET.dll, function = InternetOpenA, address_out = 0x74dd34f0 | | 1 | |
| MOD | GET_HANDLE | module_name = SHELL32.dll | | 1 | |
| MOD | LOAD | module_name = SHELL32.dll, base_address = 0x75c60000 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = SHELL32.dll, function = ShellExecuteW, address_out = 0x75d408f0 | | 1 | |
| MOD | GET_HANDLE | module_name = ole32.dll | | 1 | |
| MOD | LOAD | module_name = ole32.dll, base_address = 0x75aa0000 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = ole32.dll, function = CoCreateInstance, address_out = 0x75800590 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = ole32.dll, function = CoInitialize, address_out = 0x75aa9ec0 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = ole32.dll, function = CoUninitialize, address_out = 0x757eb890 | | 1 | |
| MOD | GET_HANDLE | module_name = WINSPOOL.DRV | | 1 | |
| MOD | LOAD | module_name = WINSPOOL.DRV, base_address = 0x74ab0000 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = WINSPOOL.DRV, function = DeletePrintProvidorW, address_out = 0x74ad6410 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = WINSPOOL.DRV, function = AddPrintProvidorW, address_out = 0x74ad4aa0 | | 1 | |
| MOD | GET_HANDLE | module_name = c:\users\uwzpa0lpqa\desktop\cb91b8695d3990b5b5eae8a714bd357e.exe | | 1 | |
| MOD | GET_HANDLE | module_name = kernel32.dll | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = kernel32.dll, function = IsWow64Process, address_out = 0x75978f40 | | 1 | |
| FILE | CREATE_TMPFILE | file_name = c:\users\uwzpa0~1\appdata\local\temp\ff1e.tmp, path = C:\Users\UWZPA0~1\AppData\Local\Temp\ | | 1 | |
| MOD | GET_HANDLE | module_name = ntdll.dll | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = ntdll.dll, function = _snwprintf, address_out = 0x779ac100 | | 1 | |
| FILE | OPEN | file_name = c:, desired_access = SYNCHRONIZE, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE, open_options = FILE_SYNCHRONOUS_IO_NONALERT | | 1 | |
| DRV | CONTROL | file_name = c:, control_code = 0x560000 | | 1 | |
| FILE | OPEN | file_name = \device\harddisk0\dr0, desired_access = SYNCHRONIZE, GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE, open_options = FILE_SYNCHRONOUS_IO_NONALERT | | 1 | |
| DRV | CONTROL | file_name = \device\harddisk0\dr0, control_code = 0x4d014 | | 266 | |
| FILE | CREATE_TMPFILE | file_name = c:\users\uwzpa0~1\appdata\local\temp\3e0d.tmp, path = C:\Users\UWZPA0~1\AppData\Local\Temp\ | | 1 | |
| FILE | MOVE | file_name = c:\users\uwzpa0~1\appdata\local\temp\3e0d.tmp, file_name = c:\users\uwzpa0lpqa\desktop\cb91b8695d3990b5b5eae8a714bd357e.exe | | 1 | |
| FILE | MOVE | file_name = c:\users\uwzpa0~1\appdata\local\temp\3e0d.tmp | | 1 | |
| USER | SET_PRIVILEGE | server_name = Localhost, privilege = SeShutdownPrivilege, enable_privilege = 1 | | 1 |
| Information | Value |
|---|---|
| ID / OS PID | #2 / 0x4 |
| OS Parent PID | 0xffffffffffffffff (Unknown) |
| Initial Working Directory | |
| File Name | System |
| Command Line | |
| Monitor | Start Time: 00:01:20, Reason: Kernel Analysis |
| Unmonitor | End Time: 00:02:07, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:47 |
| OS Thread IDs | #3 0x8 #4 0x18 #5 0x14 #6 0x28 #7 0x38 #8 0x70 #9 0x74 #10 0x90 #11 0x94 #12 0x5C #13 0x30 #14 0x9C #15 0xAC #16 0xB0 #17 0x88 #18 0x84 #19 0x80 #20 0x8C #21 0xC8 #22 0x78 #23 0x7C #24 0xE0 #26 0x4C #28 0xFC #29 0x100 #30 0x104 #31 0x108 #32 0x110 #33 0xF4 #34 0x10C #35 0x58 #36 0x11C #37 0x10 #38 0x34 #39 0x124 #42 0x13C #43 0x144 #44 0x148 #57 0x20 #60 0x190 #61 0x140 #70 0xE8 #86 0x128 #89 0x1F0 #96 0x3C #118 0x48 |
| Remarks | No high level activity detected in monitored regions |
| Name | Start VA | End VA | Type | Permissions | Monitored | Dump |
|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable | |  |
| pagefile_0x000000d9847a0000 | 0xd9847a0000 | 0xd9847c2fff | Pagefile Backed File | Readable, Writable | | |
| Information | Value |
|---|---|
| ID / OS PID | #3 / 0xec |
| OS Parent PID | 0x4 (System) |
| Initial Working Directory | X:\windows |
| File Name | c:\windows\system32\smss.exe |
| Command Line | \SystemRoot\System32\smss.exe |
| Monitor | Start Time: 00:01:27, Reason: Child Process |
| Unmonitor | End Time: 00:02:07, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:40 |
| OS Thread IDs | #25 0xF0 #27 0xF8 #66 0x1A8 |
| Remarks | No high level activity detected in monitored regions |
| Name | Start VA | End VA | Type | Permissions | Monitored | Dump |
|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable | | |
| private_0x00000075205b0000 | 0x75205b0000 | 0x75205cffff | Private Memory | Readable, Writable | | |
| pagefile_0x00000075205d0000 | 0x75205d0000 | 0x75205defff | Pagefile Backed File | Readable | | |
| private_0x00000075205e0000 | 0x75205e0000 | 0x752065ffff | Private Memory | Readable, Writable | | |
| pagefile_0x00007ff6fef70000 | 0x7ff6fef70000 | 0x7ff6fef92fff | Pagefile Backed File | Readable | | |
| private_0x00007ff6fef9c000 | 0x7ff6fef9c000 | 0x7ff6fef9cfff | Private Memory | Readable, Writable | | |
| private_0x00007ff6fef9e000 | 0x7ff6fef9e000 | 0x7ff6fef9ffff | Private Memory | Readable, Writable | | |
| smss.exe | 0x7ff6ff8f0000 | 0x7ff6ff914fff | Memory Mapped File | Readable, Writable, Executable | | |
| ntdll.dll | 0x7ffb74120000 | 0x7ffb742cbfff | Memory Mapped File | Readable, Writable, Executable | | |
| Information | Value |
|---|---|
| ID / OS PID | #4 / 0x12c |
| OS Parent PID | 0xec (c:\windows\system32\smss.exe) |
| Initial Working Directory | X:\windows |
| File Name | \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\smss.exe |
| Command Line | \SystemRoot\System32\smss.exe 00000000 00000050 |
| Monitor | Start Time: 00:01:32, Reason: Child Process |
| Unmonitor | End Time: 00:01:33, Reason: Terminated |
| Monitor Duration | 00:00:01 |
| OS Thread IDs | #40 0x130 |
| Remarks | No high level activity detected in monitored regions |
| Name | Start VA | End VA | Type | Permissions | Monitored | Dump |
|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable | | |
| private_0x000000af73b50000 | 0xaf73b50000 | 0xaf73b6ffff | Private Memory | Readable, Writable | | |
| pagefile_0x000000af73b70000 | 0xaf73b70000 | 0xaf73b7efff | Pagefile Backed File | Readable | | |
| private_0x000000af73b80000 | 0xaf73b80000 | 0xaf73bfffff | Private Memory | Readable, Writable | | |
| pagefile_0x00007ff6fef00000 | 0x7ff6fef00000 | 0x7ff6fef22fff | Pagefile Backed File | Readable | | |
| private_0x00007ff6fef2c000 | 0x7ff6fef2c000 | 0x7ff6fef2dfff | Private Memory | Readable, Writable | | |
| private_0x00007ff6fef2e000 | 0x7ff6fef2e000 | 0x7ff6fef2efff | Private Memory | Readable, Writable | | |
| smss.exe | 0x7ff6ff8f0000 | 0x7ff6ff914fff | Memory Mapped File | Readable, Writable, Executable | | |
| ntdll.dll | 0x7ffb74120000 | 0x7ffb742cbfff | Memory Mapped File | Readable, Writable, Executable | | |
| Information | Value |
|---|---|
| ID / OS PID | #5 / 0x134 |
| OS Parent PID | 0x12c (\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\smss.exe) |
| Initial Working Directory | X:\windows\system32 |
| File Name | \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe |
| Command Line | %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16 |
| Monitor | Start Time: 00:01:32, Reason: Child Process |
| Unmonitor | End Time: 00:02:07, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:35 |
| OS Thread IDs | #41 0x138 #45 0x14C #46 0x150 #47 0x154 #48 0x158 #58 0x188 #63 0x1A0 #64 0x1A4 #87 0x200 #128 0x2BC |
| Name | Start VA | End VA | Type | Permissions | Monitored | Dump |
|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable | | |
| private_0x0000004582960000 | 0x4582960000 | 0x458297ffff | Private Memory | Readable, Writable | | |
| private_0x0000004582960000 | 0x4582960000 | 0x4582966fff | Private Memory | Readable, Writable | | |
| csrss.exe.mui | 0x4582970000 | 0x4582970fff | Memory Mapped File | Readable | | |
| pagefile_0x0000004582980000 | 0x4582980000 | 0x458298efff | Pagefile Backed File | Readable | | |
| private_0x0000004582990000 | 0x4582990000 | 0x45829cffff | Private Memory | Readable, Writable | | |
| pagefile_0x0000004582990000 | 0x4582990000 | 0x458299ffff | Pagefile Backed File | Readable, Writable | | |
| MARLETT.TTF | 0x45829a0000 | 0x45829a6fff | Memory Mapped File | Readable | | |
| pagefile_0x00000045829b0000 | 0x45829b0000 | 0x45829c7fff | Pagefile Backed File | Readable | | |
| locale.nls | 0x45829d0000 | 0x4582a4dfff | Memory Mapped File | Readable | | |
| winsrv.DLL.mui | 0x4582a50000 | 0x4582a51fff | Memory Mapped File | Readable | | |
| private_0x0000004582a60000 | 0x4582a60000 | 0x4582a60fff | Private Memory | Readable, Writable | | |
| VGASYS.FON | 0x4582a70000 | 0x4582a71fff | Memory Mapped File | Readable | | |
| private_0x0000004582a80000 | 0x4582a80000 | 0x4582abffff | Private Memory | Readable, Writable | | |
| private_0x0000004582ac0000 | 0x4582ac0000 | 0x4582ac0fff | Private Memory | Readable, Writable | | |
| private_0x0000004582ad0000 | 0x4582ad0000 | 0x4582ad0fff | Private Memory | Readable, Writable | | |
| private_0x0000004582ae0000 | 0x4582ae0000 | 0x4582ae0fff | Private Memory | Readable, Writable | | |
| private_0x0000004582af0000 | 0x4582af0000 | 0x4582beffff | Private Memory | Readable, Writable | | |
| pagefile_0x0000004582bf0000 | 0x4582bf0000 | 0x4582d70fff | Pagefile Backed File | Readable | | |
| private_0x0000004582d80000 | 0x4582d80000 | 0x4582dbffff | Private Memory | Readable, Writable | | |
| private_0x0000004582dc0000 | 0x4582dc0000 | 0x4582dfffff | Private Memory | Readable, Writable | | |
| private_0x0000004582e00000 | 0x4582e00000 | 0x4582e3ffff | Private Memory | Readable, Writable | | |
| pagefile_0x0000004582e40000 | 0x4582e40000 | 0x4582fc7fff | Pagefile Backed File | Readable | | |
| private_0x0000004582fd0000 | 0x4582fd0000 | 0x458300ffff | Private Memory | Readable, Writable | | |
| private_0x0000004583010000 | 0x4583010000 | 0x458304ffff | Private Memory | Readable, Writable | | |
| private_0x0000004583050000 | 0x4583050000 | 0x458308ffff | Private Memory | Readable, Writable | | |
| TAHOMABD.TTF | 0x4583090000 | 0x4583139fff | Memory Mapped File | Readable | | |
| TAHOMA.TTF | 0x4583140000 | 0x45831f6fff | Memory Mapped File | Readable | | |
| pagefile_0x0000004583200000 | 0x4583200000 | 0x458322ffff | Pagefile Backed File | Readable | | |
| pagefile_0x0000004583230000 | 0x4583230000 | 0x458462ffff | Pagefile Backed File | Readable | | |
| pagefile_0x0000004584630000 | 0x4584630000 | 0x458463ffff | Pagefile Backed File | Readable, Writable | | |
| pagefile_0x0000004584640000 | 0x4584640000 | 0x458464ffff | Pagefile Backed File | Readable, Writable | | |
| private_0x0000004584650000 | 0x4584650000 | 0x458468ffff | Private Memory | Readable, Writable | | |
| pagefile_0x0000004584690000 | 0x4584690000 | 0x458469ffff | Pagefile Backed File | Readable, Writable | | |
| pagefile_0x00000045846a0000 | 0x45846a0000 | 0x45846affff | Pagefile Backed File | Readable, Writable | | |
| private_0x00007ff61939c000 | 0x7ff61939c000 | 0x7ff61939dfff | Private Memory | Readable, Writable | | |
| private_0x00007ff61939e000 | 0x7ff61939e000 | 0x7ff61939ffff | Private Memory | Readable, Writable | | |
| pagefile_0x00007ff6193a0000 | 0x7ff6193a0000 | 0x7ff61949ffff | Pagefile Backed File | Readable, Writable | | |
| pagefile_0x00007ff6194a0000 | 0x7ff6194a0000 | 0x7ff6194c2fff | Pagefile Backed File | Readable | | |
| private_0x00007ff6194c3000 | 0x7ff6194c3000 | 0x7ff6194c4fff | Private Memory | Readable, Writable | | |
| private_0x00007ff6194c5000 | 0x7ff6194c5000 | 0x7ff6194c6fff | Private Memory | Readable, Writable | | |
| private_0x00007ff6194c7000 | 0x7ff6194c7000 | 0x7ff6194c8fff | Private Memory | Readable, Writable | | |
| private_0x00007ff6194c9000 | 0x7ff6194c9000 | 0x7ff6194cafff | Private Memory | Readable, Writable | | |
| private_0x00007ff6194cb000 | 0x7ff6194cb000 | 0x7ff6194ccfff | Private Memory | Readable, Writable | | |
| private_0x00007ff6194cd000 | 0x7ff6194cd000 | 0x7ff6194cefff | Private Memory | Readable, Writable | | |
| private_0x00007ff6194cd000 | 0x7ff6194cd000 | 0x7ff6194cefff | Private Memory | Readable, Writable | | |
| private_0x00007ff6194cf000 | 0x7ff6194cf000 | 0x7ff6194cffff | Private Memory | Readable, Writable | | |
| csrss.exe | 0x7ff61a100000 | 0x7ff61a106fff | Memory Mapped File | Readable, Writable, Executable | | |
| bcryptPrimitives.dll | 0x7ffb71580000 | 0x7ffb715e2fff | Memory Mapped File | Readable, Writable, Executable | | |
| CRYPTBASE.dll | 0x7ffb715f0000 | 0x7ffb715fafff | Memory Mapped File | Readable, Writable, Executable | | |
| sxs.dll | 0x7ffb71600000 | 0x7ffb71698fff | Memory Mapped File | Readable, Writable, Executable | | |
| sxssrv.DLL | 0x7ffb716d0000 | 0x7ffb716dcfff | Memory Mapped File | Readable, Writable, Executable | | |
| winsrv.DLL | 0x7ffb716e0000 | 0x7ffb71713fff | Memory Mapped File | Readable, Writable, Executable | | |
| basesrv.DLL | 0x7ffb71720000 | 0x7ffb71732fff | Memory Mapped File | Readable, Writable, Executable | | |
| CSRSRV.dll | 0x7ffb71740000 | 0x7ffb71755fff | Memory Mapped File | Readable, Writable, Executable | | |
| kernelbase.dll | 0x7ffb71760000 | 0x7ffb71874fff | Memory Mapped File | Readable, Writable, Executable | | |
| gdi32.dll | 0x7ffb71ad0000 | 0x7ffb71c20fff | Memory Mapped File | Readable, Writable, Executable | | |
| kernel32.dll | 0x7ffb73480000 | 0x7ffb735bdfff | Memory Mapped File | Readable, Writable, Executable | | |
| rpcrt4.dll | 0x7ffb73a30000 | 0x7ffb73b70fff | Memory Mapped File | Readable, Writable, Executable | | |
| user32.dll | 0x7ffb73e90000 | 0x7ffb74006fff | Memory Mapped File | Readable, Writable, Executable | | |
| ntdll.dll | 0x7ffb74120000 | 0x7ffb742cbfff | Memory Mapped File | Readable, Writable, Executable | | |
| Category | Operation | Information | Success | Amount | Logfile |
|---|---|---|---|---|---|
| SYS | GET_INFO | type = SYSTEM_CURRENT_TIME_ZONE_INFORMATION | | 1 | |
| SYS | GET_INFO | type = SYSTEM_BASIC_INFORMATION | | 2 | |
| REG | OPEN_KEY | reg_name = \Registry\Machine\System\CurrentControlSet\Control\Terminal Server | | 1 | |
| REG | READ_VALUE | reg_name = \Registry\Machine\System\CurrentControlSet\Control\Terminal Server, value_name = TSAppCompat | | 1 | |
| REG | READ_VALUE | reg_name = \Registry\Machine\System\CurrentControlSet\Control\Terminal Server, value_name = TSUserEnabled | | 1 | |
| SYS | GET_INFO | type = SYSTEM_BASIC_INFORMATION | | 1 | |
| MOD | GET_HANDLE | module_name = csrsrv.dll | | 1 | |
| REG | OPEN_KEY | reg_name = \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize | | 1 | |
| REG | READ_VALUE | reg_name = \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize, value_name = DisableMetaFiles | | 1 | |
| PROC | GET_INFO | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134 | | 7 |
| Category | Operation | Information | Success | Amount | Logfile |
|---|---|---|---|---|---|
| SYS | GET_INFO | type = SYSTEM_BASIC_INFORMATION | | 1 | |
| SYS | GET_INFO | type = SYSTEM_PROCESSOR_INFORMATION | | 1 | |
| PROC | GET_INFO | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134 | | 1 | |
| MOD | CREATE_MAPPING | module_name = Nameless FileMapping | | 1 | |
| MOD | CREATE_MAPPING | module_name = Nameless FileMapping, maximum_size = 298548457472, protection = PAGE_READWRITE | | 1 | |
| MOD | MAP | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134, address = 0x4584630000 | | 1 | |
| MOD | MAP | module_name = Nameless FileMapping, process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134, address = 0x4584630000 | | 1 | |
| MOD | UNMAP | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134 | | 1 | |
| SYS | GET_INFO | type = SYSTEM_BASIC_INFORMATION | | 1 | |
| SYS | GET_INFO | type = SYSTEM_PROCESSOR_INFORMATION | | 1 | |
| PROC | GET_INFO | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134 | | 1 | |
| MOD | CREATE_MAPPING | module_name = Nameless FileMapping | | 1 | |
| MOD | CREATE_MAPPING | module_name = Nameless FileMapping, maximum_size = 298548457472, protection = PAGE_READWRITE | | 1 | |
| MOD | MAP | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134, address = 0x4584690000 | | 1 | |
| MOD | MAP | module_name = Nameless FileMapping, process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134, address = 0x4584690000 | | 1 | |
| MOD | UNMAP | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134 | | 1 | |
| SYS | GET_INFO | type = SYSTEM_BASIC_INFORMATION | | 1 | |
| SYS | GET_INFO | type = SYSTEM_PROCESSOR_INFORMATION | | 1 | |
| PROC | GET_INFO | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134 | | 1 | |
| MOD | CREATE_MAPPING | module_name = Nameless FileMapping | | 1 | |
| MOD | CREATE_MAPPING | module_name = Nameless FileMapping, maximum_size = 298548458592, protection = PAGE_READWRITE | | 1 | |
| MOD | MAP | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134, address = 0x45846b0000 | | 1 | |
| MOD | MAP | module_name = Nameless FileMapping, process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134, address = 0x45846b0000 | | 1 | |
| MOD | UNMAP | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134 | | 1 |
| Category | Operation | Information | Success | Amount | Logfile |
|---|---|---|---|---|---|
| REG | OPEN_KEY | | 3 | ||
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = 298550616872 | | 1 | |
| FILE | CREATE | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\winsxs\manifests\amd64_microsoft.windows.systemcompatible_6595b64144ccf1df_6.0.9600.16384_none_69e3a25fa94e130a.manifest, desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0 | | 1 | |
| MUTEX | CREATE | initial_owner = 0, desired_access = MUTEX_MODIFY_STATE, DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE | | 1 | |
| SYS | GET_INFO | type = SYSTEM_BASIC_INFORMATION | | 1 | |
| SYS | GET_INFO | type = SYSTEM_PROCESSOR_INFORMATION | | 1 | |
| PROC | GET_INFO | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134 | | 1 | |
| FILE | READ | | 1 | ||
| FILE | READ | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\winsxs\manifests\amd64_microsoft.windows.systemcompatible_6595b64144ccf1df_6.0.9600.16384_none_69e3a25fa94e130a.manifest, size = 4095 | | 1 | |
| FILE | READ | | 2 | ||
| FILE | READ | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\winsxs\manifests\amd64_microsoft.windows.systemcompatible_6595b64144ccf1df_6.0.9600.16384_none_69e3a25fa94e130a.manifest, size = 8180 | | 1 | |
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 3 | ||
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = 298550613992 | | 1 | |
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 3 | ||
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = 298550613992 | | 1 | |
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 3 | ||
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = 298550613992 | | 1 | |
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| SYS | GET_INFO | type = SYSTEM_BASIC_INFORMATION | | 1 | |
| SYS | GET_INFO | type = SYSTEM_PROCESSOR_INFORMATION | | 1 | |
| PROC | GET_INFO | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134 | | 1 | |
| FILE | CREATE | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\winsxs\manifests\amd64_microsoft.windows.isolationautomation_6595b64144ccf1df_1.0.0.0_none_ee2620cf57bc84de.manifest, desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0 | | 1 | |
| FILE | READ | | 1 | ||
| FILE | READ | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\winsxs\manifests\amd64_microsoft.windows.isolationautomation_6595b64144ccf1df_1.0.0.0_none_ee2620cf57bc84de.manifest, size = 2 | | 1 | |
| FILE | CREATE | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\winsxs\manifests\amd64_microsoft.windows.isolationautomation_6595b64144ccf1df_1.0.0.0_none_ee2620cf57bc84de.manifest, desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0 | | 1 | |
| FILE | READ | | 1 | ||
| FILE | READ | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\winsxs\manifests\amd64_microsoft.windows.isolationautomation_6595b64144ccf1df_1.0.0.0_none_ee2620cf57bc84de.manifest, size = 4095 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x390008 | | 1 | |
| FILE | READ | | 1 | ||
| FILE | READ | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\winsxs\manifests\amd64_microsoft.windows.isolationautomation_6595b64144ccf1df_1.0.0.0_none_ee2620cf57bc84de.manifest, size = 8180 | | 1 | |
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 3 | ||
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = 298550613992 | | 1 | |
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| SYS | GET_INFO | type = SYSTEM_BASIC_INFORMATION | | 1 | |
| SYS | GET_INFO | type = SYSTEM_PROCESSOR_INFORMATION | | 1 | |
| PROC | GET_INFO | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134 | | 1 | |
| FILE | CREATE | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\winsxs\manifests\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.9600.17415_none_932b3b5547500489.manifest, desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0 | | 1 | |
| FILE | READ | | 1 | ||
| FILE | READ | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\winsxs\manifests\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.9600.17415_none_932b3b5547500489.manifest, size = 2 | | 1 | |
| FILE | CREATE | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\winsxs\manifests\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.9600.17415_none_932b3b5547500489.manifest, desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0 | | 1 | |
| FILE | READ | | 1 | ||
| FILE | READ | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\winsxs\manifests\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.9600.17415_none_932b3b5547500489.manifest, size = 4095 | | 1 | |
| FILE | READ | | 1 | ||
| FILE | READ | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\winsxs\manifests\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.9600.17415_none_932b3b5547500489.manifest, size = 8180 | | 1 | |
| SYS | GET_INFO | type = SYSTEM_BASIC_INFORMATION | | 1 | |
| SYS | GET_INFO | type = SYSTEM_PROCESSOR_INFORMATION | | 1 | |
| PROC | GET_INFO | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134 | | 1 | |
| FILE | CREATE | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\winsxs\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_5.82.9600.17415_none_34aa3313958e7a52.manifest, desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0 | | 1 | |
| FILE | READ | | 1 | ||
| FILE | READ | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\winsxs\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_5.82.9600.17415_none_34aa3313958e7a52.manifest, size = 2 | | 1 | |
| FILE | CREATE | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\winsxs\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_5.82.9600.17415_none_34aa3313958e7a52.manifest, desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0 | | 1 | |
| FILE | READ | | 1 | ||
| FILE | READ | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\winsxs\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_5.82.9600.17415_none_34aa3313958e7a52.manifest, size = 4095 | | 1 | |
| FILE | READ | | 1 | ||
| FILE | READ | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\winsxs\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_5.82.9600.17415_none_34aa3313958e7a52.manifest, size = 8180 | | 1 | |
| REG | OPEN_KEY | | 3 | ||
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = 298550613992 | | 1 | |
| SYS | GET_INFO | type = SYSTEM_BASIC_INFORMATION | | 1 | |
| SYS | GET_INFO | type = SYSTEM_PROCESSOR_INFORMATION | | 1 | |
| PROC | GET_INFO | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134 | | 1 | |
| FILE | CREATE | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\winsxs\manifests\amd64_microsoft.windows.i..utomation.proxystub_6595b64144ccf1df_1.0.9600.17415_none_bd4349237a1100f7.manifest, desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0 | | 1 | |
| FILE | READ | | 1 | ||
| FILE | READ | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\winsxs\manifests\amd64_microsoft.windows.i..utomation.proxystub_6595b64144ccf1df_1.0.9600.17415_none_bd4349237a1100f7.manifest, size = 2 | | 1 | |
| FILE | CREATE | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\winsxs\manifests\amd64_microsoft.windows.i..utomation.proxystub_6595b64144ccf1df_1.0.9600.17415_none_bd4349237a1100f7.manifest, desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0 | | 1 | |
| FILE | READ | | 1 | ||
| FILE | READ | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\winsxs\manifests\amd64_microsoft.windows.i..utomation.proxystub_6595b64144ccf1df_1.0.9600.17415_none_bd4349237a1100f7.manifest, size = 4095 | | 1 | |
| FILE | READ | | 1 | ||
| FILE | READ | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\winsxs\manifests\amd64_microsoft.windows.i..utomation.proxystub_6595b64144ccf1df_1.0.9600.17415_none_bd4349237a1100f7.manifest, size = 8180 | | 1 | |
| SYS | GET_INFO | type = SYSTEM_BASIC_INFORMATION | | 1 | |
| SYS | GET_INFO | type = SYSTEM_PROCESSOR_INFORMATION | | 1 | |
| PROC | GET_INFO | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134 | | 1 | |
| FILE | CREATE | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\winsxs\manifests\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.9600.16384_en-us_4ab3da74c23648d7.manifest, desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0 | | 1 | |
| FILE | READ | | 1 | ||
| FILE | READ | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\winsxs\manifests\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.9600.16384_en-us_4ab3da74c23648d7.manifest, size = 2 | | 1 | |
| FILE | CREATE | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\winsxs\manifests\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.9600.16384_en-us_4ab3da74c23648d7.manifest, desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0 | | 1 | |
| FILE | READ | | 1 | ||
| FILE | READ | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\winsxs\manifests\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.9600.16384_en-us_4ab3da74c23648d7.manifest, size = 4095 | | 1 | |
| FILE | READ | | 1 | ||
| FILE | READ | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\winsxs\manifests\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.9600.16384_en-us_4ab3da74c23648d7.manifest, size = 8180 | | 1 | |
| MOD | CREATE_MAPPING | module_name = Nameless FileMapping | | 1 | |
| MOD | CREATE_MAPPING | module_name = Nameless FileMapping, maximum_size = 298550618448, protection = PAGE_READWRITE | | 1 | |
| MOD | MAP | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134, address = 0x4584630000 | | 1 | |
| MOD | MAP | module_name = Nameless FileMapping, process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134, address = 0x4584630000 | | 1 | |
| MOD | UNMAP | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134 | | 1 | |
| SYS | GET_INFO | type = SYSTEM_BASIC_INFORMATION | | 1 | |
| SYS | GET_INFO | type = SYSTEM_PROCESSOR_INFORMATION | | 1 | |
| PROC | GET_INFO | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134 | | 1 | |
| MOD | CREATE_MAPPING | module_name = Nameless FileMapping | | 1 | |
| MOD | CREATE_MAPPING | module_name = Nameless FileMapping, maximum_size = 298550618992, protection = PAGE_READWRITE | | 1 | |
| MOD | MAP | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134, address = 0x4584630000 | | 1 | |
| MOD | MAP | module_name = Nameless FileMapping, process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134, address = 0x4584630000 | | 1 | |
| MOD | UNMAP | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134 | | 1 |
| Information | Value |
|---|---|
| ID / OS PID | #6 / 0x15c |
| OS Parent PID | 0xec (c:\windows\system32\smss.exe) |
| Initial Working Directory | X:\windows |
| File Name | \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\smss.exe |
| Command Line | \SystemRoot\System32\smss.exe 00000001 00000050 |
| Monitor | Start Time: 00:01:33, Reason: Child Process |
| Unmonitor | End Time: 00:01:34, Reason: Terminated |
| Monitor Duration | 00:00:01 |
| OS Thread IDs | #49 0x160 |
| Remarks | No high level activity detected in monitored regions |
| Name | Start VA | End VA | Type | Permissions | Monitored | Dump |
|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable | | |
| private_0x000000ae85eb0000 | 0xae85eb0000 | 0xae85ecffff | Private Memory | Readable, Writable | | |
| pagefile_0x000000ae85ed0000 | 0xae85ed0000 | 0xae85edefff | Pagefile Backed File | Readable | | |
| private_0x000000ae85ee0000 | 0xae85ee0000 | 0xae85f5ffff | Private Memory | Readable, Writable | | |
| pagefile_0x00007ff6ff790000 | 0x7ff6ff790000 | 0x7ff6ff7b2fff | Pagefile Backed File | Readable | | |
| private_0x00007ff6ff7bd000 | 0x7ff6ff7bd000 | 0x7ff6ff7bdfff | Private Memory | Readable, Writable | | |
| private_0x00007ff6ff7be000 | 0x7ff6ff7be000 | 0x7ff6ff7bffff | Private Memory | Readable, Writable | | |
| smss.exe | 0x7ff6ff8f0000 | 0x7ff6ff914fff | Memory Mapped File | Readable, Writable, Executable | | |
| ntdll.dll | 0x7ffb74120000 | 0x7ffb742cbfff | Memory Mapped File | Readable, Writable, Executable | | |
| Information | Value |
|---|---|
| ID / OS PID | #7 / 0x164 |
| OS Parent PID | 0x12c (\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\smss.exe) |
| Initial Working Directory | X:\windows\system32 |
| File Name | \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\wininit.exe |
| Command Line | wininit.exe |
| Monitor | Start Time: 00:01:33, Reason: Child Process |
| Unmonitor | End Time: 00:02:07, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:34 |
| OS Thread IDs | #50 0x168 #59 0x18C #62 0x19C #65 0x1BC |
| Name | Start VA | End VA | Type | Permissions | Monitored | Dump |
|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable | | |
| private_0x0000005ebd140000 | 0x5ebd140000 | 0x5ebd15ffff | Private Memory | Readable, Writable | | |
| pagefile_0x0000005ebd140000 | 0x5ebd140000 | 0x5ebd14ffff | Pagefile Backed File | Readable, Writable | | |
| private_0x0000005ebd150000 | 0x5ebd150000 | 0x5ebd156fff | Private Memory | Readable, Writable | | |
| pagefile_0x0000005ebd160000 | 0x5ebd160000 | 0x5ebd16efff | Pagefile Backed File | Readable | | |
| private_0x0000005ebd170000 | 0x5ebd170000 | 0x5ebd1effff | Private Memory | Readable, Writable | | |
| private_0x0000005ebd1f0000 | 0x5ebd1f0000 | 0x5ebd1f6fff | Private Memory | Readable, Writable | | |
| wininit.exe.mui | 0x5ebd200000 | 0x5ebd201fff | Memory Mapped File | Readable | | |
| USER32.dll.mui | 0x5ebd200000 | 0x5ebd204fff | Memory Mapped File | Readable | | |
| private_0x0000005ebd210000 | 0x5ebd210000 | 0x5ebd210fff | Private Memory | Readable, Writable | | |
| private_0x0000005ebd220000 | 0x5ebd220000 | 0x5ebd220fff | Private Memory | Readable, Writable | | |
| USER32.dll.mui | 0x5ebd240000 | 0x5ebd244fff | Memory Mapped File | Readable | | |
| private_0x0000005ebd260000 | 0x5ebd260000 | 0x5ebd35ffff | Private Memory | Readable, Writable | | |
| locale.nls | 0x5ebd360000 | 0x5ebd3ddfff | Memory Mapped File | Readable | | |
| private_0x0000005ebd3e0000 | 0x5ebd3e0000 | 0x5ebd45ffff | Private Memory | Readable, Writable | | |
| private_0x0000005ebd460000 | 0x5ebd460000 | 0x5ebd4dffff | Private Memory | Readable, Writable | | |
| pagefile_0x0000005ebd4e0000 | 0x5ebd4e0000 | 0x5ebd50ffff | Pagefile Backed File | Readable | | |
| private_0x0000005ebd510000 | 0x5ebd510000 | 0x5ebd51ffff | Private Memory | Readable, Writable | | |
| private_0x0000005ebd560000 | 0x5ebd560000 | 0x5ebd56ffff | Private Memory | Readable, Writable | | |
| pagefile_0x0000005ebd570000 | 0x5ebd570000 | 0x5ebd6f7fff | Pagefile Backed File | Readable | | |
| pagefile_0x0000005ebd700000 | 0x5ebd700000 | 0x5ebd880fff | Pagefile Backed File | Readable | | |
| sortdefault.nls | 0x5ebd890000 | 0x5ebdb64fff | Memory Mapped File | Readable | | |
| private_0x0000005ebdb70000 | 0x5ebdb70000 | 0x5ebdbeffff | Private Memory | Readable, Writable | | |
| pagefile_0x00007df5ffd90000 | 0x7df5ffd90000 | 0x7ff5ffd8ffff | Pagefile Backed File | - | | |
| pagefile_0x00007df5ffd90000 | 0x7df5ffd90000 | 0x7ff5ffd8ffff | Pagefile Backed File | - | | |
| pagefile_0x00007ff73ef70000 | 0x7ff73ef70000 | 0x7ff73f06ffff | Pagefile Backed File | Readable | | |
| pagefile_0x00007ff73f070000 | 0x7ff73f070000 | 0x7ff73f092fff | Pagefile Backed File | Readable | | |
| private_0x00007ff73f096000 | 0x7ff73f096000 | 0x7ff73f097fff | Private Memory | Readable, Writable | | |
| private_0x00007ff73f098000 | 0x7ff73f098000 | 0x7ff73f099fff | Private Memory | Readable, Writable | | |
| private_0x00007ff73f09a000 | 0x7ff73f09a000 | 0x7ff73f09bfff | Private Memory | Readable, Writable | | |
| private_0x00007ff73f09c000 | 0x7ff73f09c000 | 0x7ff73f09dfff | Private Memory | Readable, Writable | | |
| private_0x00007ff73f09e000 | 0x7ff73f09e000 | 0x7ff73f09efff | Private Memory | Readable, Writable | | |
| wininit.exe | 0x7ff73f3b0000 | 0x7ff73f3d7fff | Memory Mapped File | Readable, Writable, Executable | | |
| KBDUS.DLL | 0x7ffb71690000 | 0x7ffb71693fff | Memory Mapped File | Readable, Writable, Executable | | |
| KBDUS.DLL | 0x7ffb71690000 | 0x7ffb71693fff | Memory Mapped File | Readable, Writable, Executable | | |
| wininitext.dll | 0x7ffb716a0000 | 0x7ffb716aafff | Memory Mapped File | Readable, Writable, Executable | | |
| profapi.dll | 0x7ffb716b0000 | 0x7ffb716c4fff | Memory Mapped File | Readable, Writable, Executable | | |
| kernelbase.dll | 0x7ffb71760000 | 0x7ffb71874fff | Memory Mapped File | Readable, Writable, Executable | | |
| gdi32.dll | 0x7ffb71ad0000 | 0x7ffb71c20fff | Memory Mapped File | Readable, Writable, Executable | | |
| WS2_32.dll | 0x7ffb73360000 | 0x7ffb733b9fff | Memory Mapped File | Readable, Writable, Executable | | |
| sechost.dll | 0x7ffb733c0000 | 0x7ffb73418fff | Memory Mapped File | Readable, Writable, Executable | | |
| kernel32.dll | 0x7ffb73480000 | 0x7ffb735bdfff | Memory Mapped File | Readable, Writable, Executable | | |
| advapi32.dll | 0x7ffb73690000 | 0x7ffb73739fff | Memory Mapped File | Readable, Writable, Executable | | |
| rpcrt4.dll | 0x7ffb73a30000 | 0x7ffb73b70fff | Memory Mapped File | Readable, Writable, Executable | | |
| NSI.dll | 0x7ffb73e80000 | 0x7ffb73e88fff | Memory Mapped File | Readable, Writable, Executable | | |
| user32.dll | 0x7ffb73e90000 | 0x7ffb74006fff | Memory Mapped File | Readable, Writable, Executable | | |
| MSVCRT.dll | 0x7ffb74050000 | 0x7ffb740f9fff | Memory Mapped File | Readable, Writable, Executable | | |
| ntdll.dll | 0x7ffb74120000 | 0x7ffb742cbfff | Memory Mapped File | Readable, Writable, Executable | | |
| Category | Operation | Information | Success | Amount | Logfile |
|---|---|---|---|---|---|
| SYS | GET_INFO | type = SYSTEM_CURRENT_TIME_ZONE_INFORMATION | | 1 | |
| SYS | GET_INFO | type = SYSTEM_BASIC_INFORMATION | | 2 | |
| REG | OPEN_KEY | reg_name = \Registry\Machine\System\CurrentControlSet\Control\Nls\Sorting\Versions | | 1 | |
| REG | READ_VALUE | reg_name = \Registry\Machine\System\CurrentControlSet\Control\Nls\Sorting\Versions, value_name = 406899844400 | | 1 | |
| MOD | GET_HANDLE | module_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\wininit.exe | | 1 | |
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | reg_name = \Registry\Machine\System\CurrentControlSet\Control\ComputerName\ActiveComputerName | | 1 | |
| REG | OPEN_KEY | reg_name = \Registry\Machine\System\CurrentControlSet\Control\ComputerName\ComputerName | | 1 | |
| REG | READ_VALUE | reg_name = \Registry\Machine\System\CurrentControlSet\Control\ComputerName\ComputerName, value_name = ComputerName | | 1 | |
| REG | OPEN_KEY | reg_name = \Registry\Machine\System\Setup | | 1 | |
| REG | READ_VALUE | reg_name = \Registry\Machine\System\Setup, value_name = OOBEInProgress | | 1 | |
| REG | OPEN_KEY | reg_name = \Registry\Machine\System\Setup | | 1 | |
| REG | READ_VALUE | reg_name = \Registry\Machine\System\Setup, value_name = SystemSetupInProgress | | 1 | |
| REG | OPEN_KEY | | 1 | ||
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | reg_name = \Registry\Machine\System\Setup, value_name = NV Hostname | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | reg_name = \Registry\Machine\System\Setup, value_name = NV Domain | | 1 | |
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | reg_name = \Registry\Machine\System\Setup, value_name = Respecialize | | 1 | |
| REG | OPEN_KEY | | 1 | ||
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | reg_name = \Registry\Machine\System\Setup, value_name = SetupType | | 1 | |
| REG | OPEN_KEY | | 2 | ||
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | reg_name = \Registry\Machine\System\Setup, value_name = DisableLockWorkstation | | 1 | |
| PROC | OPEN_TOKEN | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | reg_name = \Registry\Machine\System\Setup, value_name = ProfileImagePath | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | reg_name = \Registry\Machine\System\Setup, value_name = ProfileImagePath | | 1 | |
| REG | OPEN_KEY | | 1 | ||
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | reg_name = \Registry\Machine\System\Setup, value_name = Public | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | reg_name = \Registry\Machine\System\Setup, value_name = Public | | 1 | |
| REG | OPEN_KEY | | 1 | ||
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | reg_name = \Registry\Machine\System\Setup, value_name = ProgramData | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | reg_name = \Registry\Machine\System\Setup, value_name = ProgramData | | 1 | |
| FILE | CREATE_DIR | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\temp, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | |
| MOD | LOAD | module_name = rpcrt4.dll, base_address = 0x0 | | 1 | |
| SYS | GET_INFO | type = SYSTEM_BASIC_INFORMATION | | 1 | |
| REG | READ_VALUE | reg_name = \Registry\Machine\System\Setup, value_name = MaxRpcSize | | 1 | |
| REG | OPEN_KEY | reg_name = \Registry\Machine\System\CurrentControlSet\Control\ComputerName\ActiveComputerName | | 1 | |
| REG | OPEN_KEY | reg_name = \Registry\Machine\System\CurrentControlSet\Control\ComputerName\ComputerName | | 1 | |
| REG | READ_VALUE | reg_name = \Registry\Machine\System\CurrentControlSet\Control\ComputerName\ComputerName, value_name = ComputerName | | 1 | |
| SYS | GET_INFO | | 1 | ||
| PROC | GET_INFO | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134 | | 1 | |
| PROC | GET_INFO | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134 | | 1 | |
| REG | READ_VALUE | value_name = IdleTimerWindow | | 1 | |
| SYS | GET_INFO | type = SYSTEM_BASIC_INFORMATION | | 1 | |
| REG | OPEN_KEY | reg_name = \Registry\Machine\System\CurrentControlSet\Control\Error Message Instrument\ | | 1 | |
| REG | OPEN_KEY | reg_name = \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize | | 1 | |
| REG | READ_VALUE | reg_name = \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize, value_name = DisableMetaFiles | | 1 | |
| PROC | GET_INFO | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134 | | 1 | |
| REG | READ_VALUE | value_name = LoadAppInit_DLLs | | 1 | |
| REG | OPEN_KEY | | 1 | ||
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = Respecialize | | 1 | |
| REG | OPEN_KEY | | 1 | ||
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = SetupType | | 1 | |
| REG | OPEN_KEY | reg_name = Keyboard Layout\Preload | | 1 | |
| REG | READ_VALUE | reg_name = Keyboard Layout\Preload, value_name = 1 | | 1 | |
| REG | OPEN_KEY | reg_name = \Registry\Machine\System\CurrentControlSet\Control\Keyboard Layouts\00000409 | | 1 | |
| REG | READ_VALUE | reg_name = \Registry\Machine\System\CurrentControlSet\Control\Keyboard Layouts\00000409, value_name = Layout File | | 1 | |
| REG | READ_VALUE | reg_name = \Registry\Machine\System\CurrentControlSet\Control\Keyboard Layouts\00000409, value_name = Attributes | | 1 | |
| MOD | LOAD | module_name = KBDUS.DLL, base_address = 0x0 | | 1 | |
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\kbdus.dll, desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0 | | 1 | |
| PROC | GET_INFO | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134 | | 6 | |
| FILE | OPEN | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\fonts\segoeuib.ttf, desired_access = FILE_READ_DATA, SYNCHRONIZE, share_mode = FILE_SHARE_READ, open_options = FILE_SYNCHRONOUS_IO_NONALERT | | 1 | |
| MOD | CREATE_MAPPING | module_name = Nameless FileMapping, file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\fonts\segoeuib.ttf, maximum_size = 0, protection = PAGE_READONLY | | 1 | |
| MOD | MAP | module_name = Nameless FileMapping, process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134, address = 0x5ebd890000 | | 1 | |
| MOD | UNMAP | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134, base_address = 0x5ebd890000 | | 1 | |
| PROC | GET_INFO | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134 | | 3 | |
| FILE | OPEN | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\fonts\segoeui.ttf, desired_access = FILE_READ_DATA, SYNCHRONIZE, share_mode = FILE_SHARE_READ, open_options = FILE_SYNCHRONOUS_IO_NONALERT | | 1 | |
| MOD | CREATE_MAPPING | module_name = Nameless FileMapping, file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\fonts\segoeui.ttf, maximum_size = 0, protection = PAGE_READONLY | | 1 | |
| MOD | MAP | module_name = Nameless FileMapping, process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134, address = 0x5ebd890000 | | 1 | |
| MOD | UNMAP | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134, base_address = 0x5ebd890000 | | 1 | |
| PROC | GET_INFO | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134 | | 5 | |
| FILE | OPEN | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\fonts\tahoma.ttf, desired_access = FILE_READ_DATA, SYNCHRONIZE, share_mode = FILE_SHARE_READ, open_options = FILE_SYNCHRONOUS_IO_NONALERT | | 1 | |
| MOD | CREATE_MAPPING | module_name = Nameless FileMapping, file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\fonts\tahoma.ttf, maximum_size = 0, protection = PAGE_READONLY | | 1 | |
| MOD | MAP | module_name = Nameless FileMapping, process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134, address = 0x5ebd890000 | | 1 | |
| MOD | UNMAP | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134, base_address = 0x5ebd890000 | | 1 | |
| PROC | GET_INFO | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134 | | 10 | |
| FILE | OPEN | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\fonts\micross.ttf, desired_access = FILE_READ_DATA, SYNCHRONIZE, share_mode = FILE_SHARE_READ, open_options = FILE_SYNCHRONOUS_IO_NONALERT | | 1 | |
| MOD | CREATE_MAPPING | module_name = Nameless FileMapping, file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\fonts\micross.ttf, maximum_size = 0, protection = PAGE_READONLY | | 1 | |
| MOD | MAP | module_name = Nameless FileMapping, process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134, address = 0x5ebd890000 | | 1 | |
| MOD | UNMAP | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134, base_address = 0x5ebd890000 | | 1 | |
| PROC | GET_INFO | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134 | | 61 | |
| REG | OPEN_KEY | reg_name = \Registry\Machine\Software\Microsoft\Windows\Windows Error Reporting\WMR | | 1 | |
| REG | READ_VALUE | reg_name = \Registry\Machine\Software\Microsoft\Windows\Windows Error Reporting\WMR, value_name = Disable | | 1 | |
| PROC | GET_INFO | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134 | | 1 | |
| REG | OPEN_KEY | reg_name = \Registry\Machine\Software\Microsoft\Windows\Windows Error Reporting\WMR\Control Panel\International | | 1 | |
| REG | READ_VALUE | reg_name = \Registry\Machine\Software\Microsoft\Windows\Windows Error Reporting\WMR\Control Panel\International | | 1 | |
| REG | READ_VALUE | reg_name = \Registry\Machine\Software\Microsoft\Windows\Windows Error Reporting\WMR\Control Panel\International | | 1 | |
| REG | READ_VALUE | reg_name = \Registry\Machine\Software\Microsoft\Windows\Windows Error Reporting\WMR\Control Panel\International, value_name = sCurrencyOverride | | 1 | |
| REG | OPEN_KEY | reg_name = \Registry\Machine\System\CurrentControlSet\Control\Nls\CustomLocale | | 1 | |
| REG | READ_VALUE | reg_name = \Registry\Machine\System\CurrentControlSet\Control\Nls\CustomLocale, value_name = en-US | | 1 | |
| REG | OPEN_KEY | reg_name = \Registry\Machine\System\CurrentControlSet\Control\Nls\ExtendedLocale | | 1 | |
| REG | READ_VALUE | reg_name = \Registry\Machine\System\CurrentControlSet\Control\Nls\ExtendedLocale, value_name = en-US | | 1 | |
| REG | OPEN_KEY | reg_name = \Registry\Machine\System\CurrentControlSet\Control\Nls\Locale | | 1 | |
| REG | OPEN_KEY | reg_name = \Registry\Machine\System\CurrentControlSet\Control\Nls\Locale\Alternate Sorts | | 1 | |
| REG | OPEN_KEY | reg_name = \Registry\Machine\System\CurrentControlSet\Control\Nls\Language Groups | | 1 | |
| REG | READ_VALUE | reg_name = \Registry\Machine\System\CurrentControlSet\Control\Nls\Locale, value_name = 00000409 | | 1 | |
| REG | READ_VALUE | reg_name = \Registry\Machine\System\CurrentControlSet\Control\Nls\Language Groups, value_name = 1 | | 1 | |
| SYS | CREATE_DESKTOP | | 2 | ||
| SYS | SWITCH_DESKTOP | | 1 | ||
| REG | OPEN_KEY | reg_name = Control Panel\Input Method\Hot Keys | | 1 | |
| REG | OPEN_KEY | reg_name = Control Panel\Input Method\Hot Keys\00000010 | | 1 | |
| REG | READ_VALUE | reg_name = Control Panel\Input Method\Hot Keys\00000010, value_name = Virtual Key | | 1 | |
| REG | READ_VALUE | reg_name = Control Panel\Input Method\Hot Keys\00000010, value_name = Key Modifiers | | 1 | |
| REG | READ_VALUE | reg_name = Control Panel\Input Method\Hot Keys\00000010, value_name = Target IME | | 1 | |
| REG | OPEN_KEY | reg_name = Control Panel\Input Method\Hot Keys\00000011 | | 1 | |
| REG | READ_VALUE | reg_name = Control Panel\Input Method\Hot Keys\00000011, value_name = Virtual Key | | 1 | |
| REG | READ_VALUE | reg_name = Control Panel\Input Method\Hot Keys\00000011, value_name = Key Modifiers | | 1 | |
| REG | READ_VALUE | reg_name = Control Panel\Input Method\Hot Keys\00000011, value_name = Target IME | | 1 | |
| REG | OPEN_KEY | reg_name = Control Panel\Input Method\Hot Keys\00000012 | | 1 | |
| REG | READ_VALUE | reg_name = Control Panel\Input Method\Hot Keys\00000012, value_name = Virtual Key | | 1 | |
| REG | READ_VALUE | reg_name = Control Panel\Input Method\Hot Keys\00000012, value_name = Key Modifiers | | 1 | |
| REG | READ_VALUE | reg_name = Control Panel\Input Method\Hot Keys\00000012, value_name = Target IME | | 1 | |
| REG | OPEN_KEY | reg_name = Control Panel\Input Method\Hot Keys\00000070 | | 1 | |
| REG | READ_VALUE | reg_name = Control Panel\Input Method\Hot Keys\00000070, value_name = Virtual Key | | 1 | |
| REG | READ_VALUE | reg_name = Control Panel\Input Method\Hot Keys\00000070, value_name = Key Modifiers | | 1 | |
| REG | READ_VALUE | reg_name = Control Panel\Input Method\Hot Keys\00000070, value_name = Target IME | | 1 | |
| REG | OPEN_KEY | reg_name = Control Panel\Input Method\Hot Keys\00000071 | | 1 | |
| REG | READ_VALUE | reg_name = Control Panel\Input Method\Hot Keys\00000071, value_name = Virtual Key | | 1 | |
| REG | READ_VALUE | reg_name = Control Panel\Input Method\Hot Keys\00000071, value_name = Key Modifiers | | 1 | |
| REG | READ_VALUE | reg_name = Control Panel\Input Method\Hot Keys\00000071, value_name = Target IME | | 1 | |
| REG | OPEN_KEY | reg_name = Control Panel\Input Method\Hot Keys\00000072 | | 1 | |
| REG | READ_VALUE | reg_name = Control Panel\Input Method\Hot Keys\00000072, value_name = Virtual Key | | 1 | |
| REG | READ_VALUE | reg_name = Control Panel\Input Method\Hot Keys\00000072, value_name = Key Modifiers | | 1 | |
| REG | READ_VALUE | reg_name = Control Panel\Input Method\Hot Keys\00000072, value_name = Target IME | | 1 | |
| REG | OPEN_KEY | reg_name = Control Panel\Input Method\Hot Keys\00000104 | | 1 | |
| REG | READ_VALUE | reg_name = Control Panel\Input Method\Hot Keys\00000104, value_name = Virtual Key | | 1 | |
| REG | READ_VALUE | reg_name = Control Panel\Input Method\Hot Keys\00000104, value_name = Key Modifiers | | 1 | |
| REG | READ_VALUE | reg_name = Control Panel\Input Method\Hot Keys\00000104, value_name = Target IME | | 1 | |
| REG | OPEN_KEY | reg_name = Control Panel\Input Method\Hot Keys\00000200 | | 1 | |
| REG | READ_VALUE | reg_name = Control Panel\Input Method\Hot Keys\00000200, value_name = Virtual Key | | 1 | |
| REG | READ_VALUE | reg_name = Control Panel\Input Method\Hot Keys\00000200, value_name = Key Modifiers | | 1 | |
| REG | READ_VALUE | reg_name = Control Panel\Input Method\Hot Keys\00000200, value_name = Target IME | | 1 | |
| REG | OPEN_KEY | reg_name = Control Panel\Input Method\Hot Keys\00000201 | | 1 | |
| REG | READ_VALUE | reg_name = Control Panel\Input Method\Hot Keys\00000201, value_name = Virtual Key | | 1 | |
| REG | READ_VALUE | reg_name = Control Panel\Input Method\Hot Keys\00000201, value_name = Key Modifiers | | 1 | |
| REG | READ_VALUE | reg_name = Control Panel\Input Method\Hot Keys\00000201, value_name = Target IME | | 1 | |
| REG | OPEN_KEY | reg_name = Control Panel\Input Method\Hot Keys\00000202 | | 1 | |
| REG | READ_VALUE | reg_name = Control Panel\Input Method\Hot Keys\00000202, value_name = Virtual Key | | 1 | |
| REG | READ_VALUE | reg_name = Control Panel\Input Method\Hot Keys\00000202, value_name = Key Modifiers | | 1 | |
| REG | READ_VALUE | reg_name = Control Panel\Input Method\Hot Keys\00000202, value_name = Target IME | | 1 | |
| REG | OPEN_KEY | reg_name = Control Panel\Input Method\Hot Keys\00000203 | | 1 | |
| REG | READ_VALUE | reg_name = Control Panel\Input Method\Hot Keys\00000203, value_name = Virtual Key | | 1 | |
| REG | READ_VALUE | reg_name = Control Panel\Input Method\Hot Keys\00000203, value_name = Key Modifiers | | 1 | |
| REG | READ_VALUE | reg_name = Control Panel\Input Method\Hot Keys\00000203, value_name = Target IME | | 1 | |
| REG | OPEN_KEY | reg_name = \REGISTRY\USER\S-1-5-18 | | 1 | |
| REG | OPEN_KEY | reg_name = \REGISTRY\USER\S-1-5-18\Keyboard Layout\Preload | | 1 | |
| REG | READ_VALUE | reg_name = \REGISTRY\USER\S-1-5-18\Keyboard Layout\Preload, value_name = 1 | | 1 | |
| REG | READ_VALUE | reg_name = \REGISTRY\USER\S-1-5-18\Keyboard Layout\Preload, value_name = 1 | | 1 | |
| REG | OPEN_KEY | reg_name = \REGISTRY\USER\S-1-5-18 | | 1 | |
| REG | OPEN_KEY | reg_name = \REGISTRY\USER\S-1-5-18\Keyboard Layout\Preload | | 1 | |
| REG | READ_VALUE | reg_name = \REGISTRY\USER\S-1-5-18\Keyboard Layout\Preload, value_name = 2 | | 1 | |
| REG | OPEN_KEY | reg_name = \REGISTRY\USER\S-1-5-18\Keyboard Layout\Preload\Keyboard Layout\Preload | | 1 | |
| REG | READ_VALUE | reg_name = \REGISTRY\USER\S-1-5-18\Keyboard Layout\Preload\Keyboard Layout\Preload, value_name = 1 | | 1 | |
| REG | OPEN_KEY | reg_name = \REGISTRY\USER\S-1-5-18 | | 1 | |
| REG | OPEN_KEY | reg_name = \REGISTRY\USER\S-1-5-18\Keyboard Layout\Substitutes | | 1 | |
| REG | READ_VALUE | reg_name = \REGISTRY\USER\S-1-5-18\Keyboard Layout\Substitutes, value_name = 00000409 | | 1 | |
| REG | OPEN_KEY | reg_name = \Registry\Machine\System\CurrentControlSet\Control\Keyboard Layouts\00000409 | | 1 | |
| REG | READ_VALUE | reg_name = \Registry\Machine\System\CurrentControlSet\Control\Keyboard Layouts\00000409, value_name = Layout File | | 1 | |
| REG | READ_VALUE | reg_name = \Registry\Machine\System\CurrentControlSet\Control\Keyboard Layouts\00000409, value_name = Attributes | | 1 | |
| MOD | LOAD | module_name = KBDUS.DLL, base_address = 0x0 | | 1 | |
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\kbdus.dll, desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0 | | 1 | |
| REG | OPEN_KEY | reg_name = Control Panel\Input Method\Hot Keys | | 1 | |
| REG | OPEN_KEY | reg_name = Control Panel\Input Method\Hot Keys\00000010 | | 1 | |
| REG | READ_VALUE | reg_name = Control Panel\Input Method\Hot Keys\00000010, value_name = Virtual Key | | 1 | |
| REG | READ_VALUE | reg_name = Control Panel\Input Method\Hot Keys\00000010, value_name = Key Modifiers | | 1 | |
| REG | READ_VALUE | reg_name = Control Panel\Input Method\Hot Keys\00000010, value_name = Target IME | | 1 | |
| REG | OPEN_KEY | reg_name = Control Panel\Input Method\Hot Keys\00000011 | | 1 | |
| REG | READ_VALUE | reg_name = Control Panel\Input Method\Hot Keys\00000011, value_name = Virtual Key | | 1 | |
| REG | READ_VALUE | reg_name = Control Panel\Input Method\Hot Keys\00000011, value_name = Key Modifiers | | 1 | |
| REG | READ_VALUE | reg_name = Control Panel\Input Method\Hot Keys\00000011, value_name = Target IME | | 1 | |
| REG | OPEN_KEY | reg_name = Control Panel\Input Method\Hot Keys\00000012 | | 1 | |
| REG | READ_VALUE | reg_name = Control Panel\Input Method\Hot Keys\00000012, value_name = Virtual Key | | 1 | |
| REG | READ_VALUE | reg_name = Control Panel\Input Method\Hot Keys\00000012, value_name = Key Modifiers | | 1 | |
| REG | READ_VALUE | reg_name = Control Panel\Input Method\Hot Keys\00000012, value_name = Target IME | | 1 | |
| REG | OPEN_KEY | reg_name = Control Panel\Input Method\Hot Keys\00000070 | | 1 | |
| REG | READ_VALUE | reg_name = Control Panel\Input Method\Hot Keys\00000070, value_name = Virtual Key | | 1 | |
| REG | READ_VALUE | reg_name = Control Panel\Input Method\Hot Keys\00000070, value_name = Key Modifiers | | 1 | |
| REG | READ_VALUE | reg_name = Control Panel\Input Method\Hot Keys\00000070, value_name = Target IME | | 1 | |
| REG | OPEN_KEY | reg_name = Control Panel\Input Method\Hot Keys\00000071 | | 1 | |
| REG | READ_VALUE | reg_name = Control Panel\Input Method\Hot Keys\00000071, value_name = Virtual Key | | 1 | |
| REG | READ_VALUE | reg_name = Control Panel\Input Method\Hot Keys\00000071, value_name = Key Modifiers | | 1 | |
| REG | READ_VALUE | reg_name = Control Panel\Input Method\Hot Keys\00000071, value_name = Target IME | | 1 | |
| REG | OPEN_KEY | reg_name = Control Panel\Input Method\Hot Keys\00000072 | | 1 | |
| REG | READ_VALUE | reg_name = Control Panel\Input Method\Hot Keys\00000072, value_name = Virtual Key | | 1 | |
| REG | READ_VALUE | reg_name = Control Panel\Input Method\Hot Keys\00000072, value_name = Key Modifiers | | 1 | |
| REG | READ_VALUE | reg_name = Control Panel\Input Method\Hot Keys\00000072, value_name = Target IME | | 1 | |
| REG | OPEN_KEY | reg_name = Control Panel\Input Method\Hot Keys\00000104 | | 1 | |
| REG | READ_VALUE | reg_name = Control Panel\Input Method\Hot Keys\00000104, value_name = Virtual Key | | 1 | |
| REG | READ_VALUE | reg_name = Control Panel\Input Method\Hot Keys\00000104, value_name = Key Modifiers | | 1 | |
| REG | READ_VALUE | reg_name = Control Panel\Input Method\Hot Keys\00000104, value_name = Target IME | | 1 | |
| REG | OPEN_KEY | reg_name = Control Panel\Input Method\Hot Keys\00000200 | | 1 | |
| REG | READ_VALUE | reg_name = Control Panel\Input Method\Hot Keys\00000200, value_name = Virtual Key | | 1 | |
| REG | READ_VALUE | reg_name = Control Panel\Input Method\Hot Keys\00000200, value_name = Key Modifiers | | 1 | |
| REG | READ_VALUE | reg_name = Control Panel\Input Method\Hot Keys\00000200, value_name = Target IME | | 1 | |
| REG | OPEN_KEY | reg_name = Control Panel\Input Method\Hot Keys\00000201 | | 1 | |
| REG | READ_VALUE | reg_name = Control Panel\Input Method\Hot Keys\00000201, value_name = Virtual Key | | 1 | |
| REG | READ_VALUE | reg_name = Control Panel\Input Method\Hot Keys\00000201, value_name = Key Modifiers | | 1 | |
| REG | READ_VALUE | reg_name = Control Panel\Input Method\Hot Keys\00000201, value_name = Target IME | | 1 | |
| REG | OPEN_KEY | reg_name = Control Panel\Input Method\Hot Keys\00000202 | | 1 | |
| REG | READ_VALUE | reg_name = Control Panel\Input Method\Hot Keys\00000202, value_name = Virtual Key | | 1 | |
| REG | READ_VALUE | reg_name = Control Panel\Input Method\Hot Keys\00000202, value_name = Key Modifiers | | 1 | |
| REG | READ_VALUE | reg_name = Control Panel\Input Method\Hot Keys\00000202, value_name = Target IME | | 1 | |
| REG | OPEN_KEY | reg_name = Control Panel\Input Method\Hot Keys\00000203 | | 1 | |
| REG | READ_VALUE | reg_name = Control Panel\Input Method\Hot Keys\00000203, value_name = Virtual Key | | 1 | |
| REG | READ_VALUE | reg_name = Control Panel\Input Method\Hot Keys\00000203, value_name = Key Modifiers | | 1 | |
| REG | READ_VALUE | reg_name = Control Panel\Input Method\Hot Keys\00000203, value_name = Target IME | | 1 | |
| REG | OPEN_KEY | reg_name = \REGISTRY\USER\S-1-5-18 | | 1 | |
| REG | OPEN_KEY | reg_name = \REGISTRY\USER\S-1-5-18\Keyboard Layout\Preload | | 1 | |
| REG | READ_VALUE | reg_name = \REGISTRY\USER\S-1-5-18\Keyboard Layout\Preload, value_name = 2 | | 1 | |
| REG | OPEN_KEY | | 1 | ||
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = SecureBoot | | 1 | |
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | reg_name = \REGISTRY\USER\S-1-5-18\Keyboard Layout\Preload, value_name = DisableShutdownNamedPipe | | 1 | |
| REG | OPEN_KEY | reg_name = \Registry\Machine\System\CurrentControlSet\Control\ComputerName\ActiveComputerName | | 1 | |
| REG | OPEN_KEY | reg_name = \Registry\Machine\System\CurrentControlSet\Control\ComputerName\ComputerName | | 1 | |
| REG | READ_VALUE | reg_name = \Registry\Machine\System\CurrentControlSet\Control\ComputerName\ComputerName, value_name = ComputerName | | 1 | |
| REG | OPEN_KEY | | 1 | ||
| REG | READ_VALUE | reg_name = \Registry\Machine\System\CurrentControlSet\Control\Nls\Sorting\Versions, value_name = 000602xx | | 1 | |
| MOD | LOAD | module_name = kernel32.dll, base_address = 0x0 | | 1 | |
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\globalization\sorting\sortdefault.nls, desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0 | | 1 | |
| MOD | CREATE_MAPPING | module_name = Nameless FileMapping, file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\globalization\sorting\sortdefault.nls, maximum_size = 0, protection = PAGE_READONLY | | 1 | |
| MOD | MAP | module_name = Nameless FileMapping, process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134, address = 0x5ebd890000 | | 1 | |
| REG | OPEN_KEY | reg_name = \Registry\Machine\System\CurrentControlSet\Control\Nls\Sorting\Ids | | 1 | |
| REG | READ_VALUE | reg_name = \Registry\Machine\System\CurrentControlSet\Control\Nls\Sorting\Ids, value_name = en-US | | 1 | |
| REG | READ_VALUE | reg_name = \Registry\Machine\System\CurrentControlSet\Control\Nls\Sorting\Ids, value_name = en | | 1 | |
| PROC | GET_INFO | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134 | | 4 | |
| REG | OPEN_KEY | reg_name = \Registry\Machine\System\CurrentControlSet\Control\ComputerName\ActiveComputerName | | 1 | |
| REG | OPEN_KEY | reg_name = \Registry\Machine\System\CurrentControlSet\Control\ComputerName\ComputerName | | 1 | |
| REG | READ_VALUE | reg_name = \Registry\Machine\System\CurrentControlSet\Control\ComputerName\ComputerName, value_name = ComputerName | | 1 | |
| REG | OPEN_KEY | | 1 | ||
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | reg_name = \Registry\Machine\System\CurrentControlSet\Control\ComputerName\ComputerName, value_name = ProgramFilesDir | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | reg_name = \Registry\Machine\System\CurrentControlSet\Control\ComputerName\ComputerName, value_name = CommonFilesDir | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | reg_name = \Registry\Machine\System\CurrentControlSet\Control\ComputerName\ComputerName, value_name = ProgramFilesDir (x86) | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | reg_name = \Registry\Machine\System\CurrentControlSet\Control\ComputerName\ComputerName, value_name = CommonFilesDir (x86) | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | reg_name = \Registry\Machine\System\CurrentControlSet\Control\ComputerName\ComputerName, value_name = ProgramW6432Dir | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | reg_name = \Registry\Machine\System\CurrentControlSet\Control\ComputerName\ComputerName, value_name = CommonW6432Dir | | 1 | |
| REG | OPEN_KEY | | 1 | ||
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | reg_name = \Registry\Machine\System\CurrentControlSet\Control\ComputerName\ComputerName, value_name = DontWatchSysProcs | | 1 | |
| PROC | CREATE | process_name = | | 1 | |
| PROC | CREATE | process_name = , desired_access = MAXIMUM_ALLOWED, creation_flags = CREATE_IDLE_PRIORITY_CLASS, CREATE_NEW_PROCESS_GROUP | | 1 | |
| REG | OPEN_KEY | reg_name = \Registry\MACHINE\System\CurrentControlSet\Control\Session Manager\AppCertDlls | | 1 | |
| PROC | GET_INFO | process_name = | | 1 | |
| REG | OPEN_KEY | reg_name = \Registry\MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide | | 1 | |
| REG | READ_VALUE | reg_name = \Registry\MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide, value_name = PreferExternalManifest | | 1 | |
| THREAD | RESUME | | 1 | ||
| REG | OPEN_KEY | | 2 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = ShutdownEventPending | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = ShutdownStateSnapshot | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = RunasPPL | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = RunasPPLTest | | 1 | |
| PROC | CREATE | process_name = | | 1 | |
| PROC | CREATE | process_name = , desired_access = MAXIMUM_ALLOWED, creation_flags = CREATE_NEW_PROCESS_GROUP | | 1 | |
| REG | OPEN_KEY | reg_name = \Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option | | 1 | |
| REG | OPEN_KEY | reg_name = \Registry\Machine\System\Setup | | 1 | |
| REG | READ_VALUE | reg_name = \Registry\Machine\System\Setup, value_name = 140717948767312 | | 1 | |
| PROC | GET_INFO | process_name = | | 1 | |
| REG | OPEN_KEY | reg_name = \Registry\MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide | | 1 | |
| REG | READ_VALUE | reg_name = \Registry\MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide, value_name = PreferExternalManifest | | 1 | |
| MEM | ALLOC | address = 0x5ebd1eeb78, process_name = , size = 406899846360, allocation_type = MEM_COMMIT, protection = PAGE_READWRITE | | 1 | |
| MEM | WRITE | address = 0x6b29b00000, process_name = , size = 4704 | | 1 | |
| MEM | WRITE | address = 0x7ff676b272d8, process_name = , size = 8 | | 1 | |
| THREAD | RESUME | | 1 | ||
| PROC | GET_INFO | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134 | | 1 | |
| REG | OPEN_KEY | | 1 | ||
| THREAD | CREATE_WORKITEM | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = DisableRemoteShutdownRPCInterface | | 1 | |
| THREAD | CREATE_WORKITEM | | 1 |
| Category | Operation | Information | Success | Amount | Logfile |
|---|---|---|---|---|---|
| DRV | CONTROL | reg_name = Control Panel\Input Method\Hot Keys, control_code = 0x110008 | | 1 | |
| PROC | GET_INFO | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134 | | 1 | |
| SVC | OPEN_MGR | database_name = SERVICES_ACTIVE_DATABASE, host = Localhost | | 1 | |
| SVC | OPEN | | 1 | ||
| SVC | GET_INFO | type = Status | | 1 | |
| PROC | GET_INFO | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134 | | 1 | |
| SYS | SLEEP | | 1 | ||
| SYS | SLEEP | duration = 406902403200 milliseconds (406902403.200 seconds) | | 1 |
| Category | Operation | Information | Success | Amount | Logfile |
|---|---|---|---|---|---|
| SVC | OPEN_MGR | database_name = SERVICES_ACTIVE_DATABASE, host = Localhost | | 1 | |
| SVC | OPEN | | 1 | ||
| PROC | GET_INFO | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134 | | 1 | |
| REG | READ_VALUE | reg_name = \Registry\MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide, value_name = SQMServiceList | | 1 | |
| SVC | GET_INFO | type = Status | | 1 | |
| PROC | GET_INFO | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134 | | 1 | |
| SYS | SLEEP | | 1 | ||
| SYS | SLEEP | duration = 406902929056 milliseconds (406902929.056 seconds) | | 1 | |
| REG | READ_VALUE | reg_name = \Registry\MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide, value_name = WinSock_Registry_Version | | 2 | |
| REG | READ_VALUE | value_name = AppFullPath | | 2 | |
| REG | READ_VALUE | value_name = PermittedLspCategories | | 1 | |
| REG | READ_VALUE | reg_name = \Registry\MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide, value_name = NameSpace_Callout | | 2 | |
| REG | READ_VALUE | value_name = Serial_Access_Num | | 2 | |
| REG | READ_VALUE | value_name = Next_Catalog_Entry_ID | | 1 | |
| REG | READ_VALUE | value_name = Num_Catalog_Entries64 | | 1 | |
| PROC | GET_INFO | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134 | | 1 | |
| REG | READ_VALUE | value_name = Serial_Access_Num | | 2 | |
| REG | READ_VALUE | value_name = Num_Catalog_Entries64 | | 1 | |
| REG | READ_VALUE | value_name = LibraryPath | | 2 | |
| REG | READ_VALUE | value_name = DisplayString | | 4 | |
| REG | READ_VALUE | value_name = ProviderId | | 1 | |
| REG | READ_VALUE | value_name = AddressFamily | | 1 | |
| REG | READ_VALUE | value_name = SupportedNameSpace | | 1 | |
| REG | READ_VALUE | value_name = Enabled | | 1 | |
| REG | READ_VALUE | value_name = Version | | 1 | |
| REG | READ_VALUE | value_name = StoresServiceClassInfo | | 1 | |
| REG | READ_VALUE | value_name = ProviderInfo | | 2 | |
| SYS | GET_INFO | type = SYSTEM_BASIC_INFORMATION | | 1 | |
| SYS | GET_INFO | type = SYSTEM_PROCESSOR_INFORMATION | | 1 | |
| PROC | GET_INFO | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134 | | 1 | |
| REG | READ_VALUE | reg_name = \Registry\MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide, value_name = Ws2_32NumHandleBuckets | | 1 | |
| SYS | SLEEP | | 1 | ||
| SYS | SLEEP | duration = 406902929136 milliseconds (406902929.136 seconds) | | 1 | |
| SVC | OPEN_MGR | database_name = SERVICES_ACTIVE_DATABASE, host = Localhost | | 1 | |
| SVC | OPEN | | 1 | ||
| SVC | GET_INFO | type = Status | | 1 | |
| PROC | GET_INFO | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134 | | 1 | |
| SYS | SLEEP | | 1 | ||
| SYS | SLEEP | duration = 406902929168 milliseconds (406902929.168 seconds) | | 1 |
| Category | Operation | Information | Success | Amount | Logfile |
|---|---|---|---|---|---|
| REG | OPEN_KEY | | 1 | ||
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = LoadAppInit_DLLs | | 1 |
| Information | Value |
|---|---|
| ID / OS PID | #8 / 0x16c |
| OS Parent PID | 0x15c (c:\windows\winstore\wshost.exe) |
| Initial Working Directory | X:\windows\system32 |
| File Name | \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe |
| Command Line | %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16 |
| Monitor | Start Time: 00:01:33, Reason: Child Process |
| Unmonitor | End Time: 00:02:07, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:34 |
| OS Thread IDs | #51 0x170 #52 0x174 #53 0x178 #54 0x17C #55 0x180 #56 0x184 #81 0x1E8 #84 0x1F8 #85 0x1FC #88 0x204 #113 0x268 |
| Name | Start VA | End VA | Type | Permissions | Monitored | Dump |
|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable | | |
| private_0x000000d9c9ed0000 | 0xd9c9ed0000 | 0xd9c9eeffff | Private Memory | Readable, Writable | | |
| private_0x000000d9c9ed0000 | 0xd9c9ed0000 | 0xd9c9ed6fff | Private Memory | Readable, Writable | | |
| csrss.exe.mui | 0xd9c9ee0000 | 0xd9c9ee0fff | Memory Mapped File | Readable | | |
| pagefile_0x000000d9c9ef0000 | 0xd9c9ef0000 | 0xd9c9efefff | Pagefile Backed File | Readable | | |
| private_0x000000d9c9f00000 | 0xd9c9f00000 | 0xd9c9f3ffff | Private Memory | Readable, Writable | | |
| pagefile_0x000000d9c9f00000 | 0xd9c9f00000 | 0xd9c9f0ffff | Pagefile Backed File | Readable, Writable | | |
| MARLETT.TTF | 0xd9c9f10000 | 0xd9c9f16fff | Memory Mapped File | Readable | | |
| pagefile_0x000000d9c9f20000 | 0xd9c9f20000 | 0xd9c9f37fff | Pagefile Backed File | Readable | | |
| locale.nls | 0xd9c9f40000 | 0xd9c9fbdfff | Memory Mapped File | Readable | | |
| winsrv.DLL.mui | 0xd9c9fc0000 | 0xd9c9fc1fff | Memory Mapped File | Readable | | |
| private_0x000000d9c9fd0000 | 0xd9c9fd0000 | 0xd9c9fd0fff | Private Memory | Readable, Writable | | |
| private_0x000000d9c9fe0000 | 0xd9c9fe0000 | 0xd9c9fe0fff | Private Memory | Readable, Writable | | |
| private_0x000000d9c9ff0000 | 0xd9c9ff0000 | 0xd9c9ff0fff | Private Memory | Readable, Writable | | |
| private_0x000000d9ca000000 | 0xd9ca000000 | 0xd9ca000fff | Private Memory | Readable, Writable | | |
| VGASYS.FON | 0xd9ca010000 | 0xd9ca011fff | Memory Mapped File | Readable | | |
| private_0x000000d9ca020000 | 0xd9ca020000 | 0xd9ca05ffff | Private Memory | Readable, Writable | | |
| private_0x000000d9ca060000 | 0xd9ca060000 | 0xd9ca060fff | Private Memory | Readable, Writable | | |
| private_0x000000d9ca070000 | 0xd9ca070000 | 0xd9ca070fff | Private Memory | Readable, Writable | | |
| private_0x000000d9ca080000 | 0xd9ca080000 | 0xd9ca080fff | Private Memory | Readable, Writable | | |
| private_0x000000d9ca090000 | 0xd9ca090000 | 0xd9ca18ffff | Private Memory | Readable, Writable | | |
| pagefile_0x000000d9ca190000 | 0xd9ca190000 | 0xd9ca310fff | Pagefile Backed File | Readable | | |
| pagefile_0x000000d9ca320000 | 0xd9ca320000 | 0xd9ca61ffff | Pagefile Backed File | Readable, Writable | | |
| private_0x000000d9ca620000 | 0xd9ca620000 | 0xd9ca65ffff | Private Memory | Readable, Writable | | |
| private_0x000000d9ca660000 | 0xd9ca660000 | 0xd9ca69ffff | Private Memory | Readable, Writable | | |
| private_0x000000d9ca6a0000 | 0xd9ca6a0000 | 0xd9ca6dffff | Private Memory | Readable, Writable | | |
| pagefile_0x000000d9ca6e0000 | 0xd9ca6e0000 | 0xd9ca867fff | Pagefile Backed File | Readable | | |
| private_0x000000d9ca870000 | 0xd9ca870000 | 0xd9ca8affff | Private Memory | Readable, Writable | | |
| private_0x000000d9ca8b0000 | 0xd9ca8b0000 | 0xd9ca8effff | Private Memory | Readable, Writable | | |
| private_0x000000d9ca8f0000 | 0xd9ca8f0000 | 0xd9ca92ffff | Private Memory | Readable, Writable | | |
| TAHOMABD.TTF | 0xd9ca930000 | 0xd9ca9d9fff | Memory Mapped File | Readable | | |
| TAHOMA.TTF | 0xd9ca9e0000 | 0xd9caa96fff | Memory Mapped File | Readable | | |
| pagefile_0x000000d9caaa0000 | 0xd9caaa0000 | 0xd9caacffff | Pagefile Backed File | Readable | | |
| pagefile_0x000000d9caad0000 | 0xd9caad0000 | 0xd9cbecffff | Pagefile Backed File | Readable | | |
| private_0x000000d9cbed0000 | 0xd9cbed0000 | 0xd9cbf0ffff | Private Memory | Readable, Writable | | |
| private_0x000000d9cbf10000 | 0xd9cbf10000 | 0xd9cbf4ffff | Private Memory | Readable, Writable | | |
| pagefile_0x000000d9cbf50000 | 0xd9cbf50000 | 0xd9cbf5ffff | Pagefile Backed File | Readable, Writable | | |
| private_0x00007ff6196e8000 | 0x7ff6196e8000 | 0x7ff6196e9fff | Private Memory | Readable, Writable | | |
| private_0x00007ff6196ea000 | 0x7ff6196ea000 | 0x7ff6196ebfff | Private Memory | Readable, Writable | | |
| private_0x00007ff6196ec000 | 0x7ff6196ec000 | 0x7ff6196edfff | Private Memory | Readable, Writable | | |
| private_0x00007ff6196ee000 | 0x7ff6196ee000 | 0x7ff6196effff | Private Memory | Readable, Writable | | |
| pagefile_0x00007ff6196f0000 | 0x7ff6196f0000 | 0x7ff6197effff | Pagefile Backed File | Readable, Writable | | |
| pagefile_0x00007ff6197f0000 | 0x7ff6197f0000 | 0x7ff619812fff | Pagefile Backed File | Readable | | |
| private_0x00007ff619814000 | 0x7ff619814000 | 0x7ff619815fff | Private Memory | Readable, Writable | | |
| private_0x00007ff619816000 | 0x7ff619816000 | 0x7ff619817fff | Private Memory | Readable, Writable | | |
| private_0x00007ff619818000 | 0x7ff619818000 | 0x7ff619819fff | Private Memory | Readable, Writable | | |
| private_0x00007ff61981a000 | 0x7ff61981a000 | 0x7ff61981afff | Private Memory | Readable, Writable | | |
| private_0x00007ff61981c000 | 0x7ff61981c000 | 0x7ff61981dfff | Private Memory | Readable, Writable | | |
| private_0x00007ff61981e000 | 0x7ff61981e000 | 0x7ff61981ffff | Private Memory | Readable, Writable | | |
| private_0x00007ff61981e000 | 0x7ff61981e000 | 0x7ff61981ffff | Private Memory | Readable, Writable | | |
| csrss.exe | 0x7ff61a100000 | 0x7ff61a106fff | Memory Mapped File | Readable, Writable, Executable | | |
| bcryptPrimitives.dll | 0x7ffb71580000 | 0x7ffb715e2fff | Memory Mapped File | Readable, Writable, Executable | | |
| CRYPTBASE.dll | 0x7ffb715f0000 | 0x7ffb715fafff | Memory Mapped File | Readable, Writable, Executable | | |
| sxs.dll | 0x7ffb71600000 | 0x7ffb71698fff | Memory Mapped File | Readable, Writable, Executable | | |
| sxssrv.DLL | 0x7ffb716d0000 | 0x7ffb716dcfff | Memory Mapped File | Readable, Writable, Executable | | |
| winsrv.DLL | 0x7ffb716e0000 | 0x7ffb71713fff | Memory Mapped File | Readable, Writable, Executable | | |
| basesrv.DLL | 0x7ffb71720000 | 0x7ffb71732fff | Memory Mapped File | Readable, Writable, Executable | | |
| CSRSRV.dll | 0x7ffb71740000 | 0x7ffb71755fff | Memory Mapped File | Readable, Writable, Executable | | |
| kernelbase.dll | 0x7ffb71760000 | 0x7ffb71874fff | Memory Mapped File | Readable, Writable, Executable | | |
| gdi32.dll | 0x7ffb71ad0000 | 0x7ffb71c20fff | Memory Mapped File | Readable, Writable, Executable | | |
| kernel32.dll | 0x7ffb73480000 | 0x7ffb735bdfff | Memory Mapped File | Readable, Writable, Executable | | |
| rpcrt4.dll | 0x7ffb73a30000 | 0x7ffb73b70fff | Memory Mapped File | Readable, Writable, Executable | | |
| user32.dll | 0x7ffb73e90000 | 0x7ffb74006fff | Memory Mapped File | Readable, Writable, Executable | | |
| ntdll.dll | 0x7ffb74120000 | 0x7ffb742cbfff | Memory Mapped File | Readable, Writable, Executable | | |
| Category | Operation | Information | Success | Amount | Logfile |
|---|---|---|---|---|---|
| SYS | GET_INFO | type = SYSTEM_CURRENT_TIME_ZONE_INFORMATION | | 1 | |
| SYS | GET_INFO | type = SYSTEM_BASIC_INFORMATION | | 2 | |
| REG | OPEN_KEY | reg_name = \Registry\Machine\System\CurrentControlSet\Control\Terminal Server | | 1 | |
| REG | READ_VALUE | reg_name = \Registry\Machine\System\CurrentControlSet\Control\Terminal Server, value_name = TSAppCompat | | 1 | |
| REG | READ_VALUE | reg_name = \Registry\Machine\System\CurrentControlSet\Control\Terminal Server, value_name = TSUserEnabled | | 1 | |
| SYS | GET_INFO | type = SYSTEM_BASIC_INFORMATION | | 1 | |
| MOD | GET_HANDLE | module_name = csrsrv.dll | | 1 | |
| REG | OPEN_KEY | reg_name = \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize | | 1 | |
| REG | READ_VALUE | reg_name = \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize, value_name = DisableMetaFiles | | 1 | |
| PROC | GET_INFO | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134 | | 7 |
| Category | Operation | Information | Success | Amount | Logfile |
|---|---|---|---|---|---|
| SYS | GET_INFO | type = SYSTEM_BASIC_INFORMATION | | 1 | |
| SYS | GET_INFO | type = SYSTEM_PROCESSOR_INFORMATION | | 1 | |
| PROC | GET_INFO | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134 | | 1 | |
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 3 | ||
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = 935403837784 | | 1 | |
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| SYS | GET_INFO | type = SYSTEM_BASIC_INFORMATION | | 1 | |
| SYS | GET_INFO | type = SYSTEM_PROCESSOR_INFORMATION | | 1 | |
| PROC | GET_INFO | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134 | | 1 | |
| FILE | CREATE | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\winsxs\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.17415_none_6240486fecbd8abb.manifest, desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0 | | 1 | |
| FILE | READ | | 1 | ||
| FILE | READ | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\winsxs\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.17415_none_6240486fecbd8abb.manifest, size = 2 | | 1 | |
| FILE | CREATE | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\winsxs\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.17415_none_6240486fecbd8abb.manifest, desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0 | | 1 | |
| FILE | READ | | 1 | ||
| FILE | READ | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\winsxs\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.17415_none_6240486fecbd8abb.manifest, size = 4095 | | 1 | |
| FILE | READ | | 1 | ||
| FILE | READ | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\winsxs\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.17415_none_6240486fecbd8abb.manifest, size = 8180 | | 1 | |
| REG | OPEN_KEY | | 3 | ||
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = 935403837784 | | 1 | |
| SYS | GET_INFO | type = SYSTEM_BASIC_INFORMATION | | 1 | |
| SYS | GET_INFO | type = SYSTEM_PROCESSOR_INFORMATION | | 1 | |
| PROC | GET_INFO | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134 | | 1 | |
| FILE | CREATE | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\winsxs\manifests\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.9600.16384_en-us_7852a861195d56f0.manifest, desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0 | | 1 | |
| FILE | READ | | 1 | ||
| FILE | READ | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\winsxs\manifests\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.9600.16384_en-us_7852a861195d56f0.manifest, size = 2 | | 1 | |
| FILE | CREATE | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\winsxs\manifests\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.9600.16384_en-us_7852a861195d56f0.manifest, desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0 | | 1 | |
| FILE | READ | | 1 | ||
| FILE | READ | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\winsxs\manifests\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.9600.16384_en-us_7852a861195d56f0.manifest, size = 4095 | | 1 | |
| FILE | READ | | 1 | ||
| FILE | READ | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\winsxs\manifests\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.9600.16384_en-us_7852a861195d56f0.manifest, size = 8180 | | 1 | |
| MOD | CREATE_MAPPING | module_name = Nameless FileMapping | | 1 | |
| MOD | CREATE_MAPPING | module_name = Nameless FileMapping, maximum_size = 935403842240, protection = PAGE_READWRITE | | 1 | |
| MOD | MAP | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x16c, address = 0xd9cbf60000 | | 1 | |
| MOD | MAP | module_name = Nameless FileMapping, process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134, address = 0xd9cbf60000 | | 1 | |
| MOD | UNMAP | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x16c | | 1 | |
| SYS | GET_INFO | type = SYSTEM_BASIC_INFORMATION | | 1 | |
| SYS | GET_INFO | type = SYSTEM_PROCESSOR_INFORMATION | | 1 | |
| PROC | GET_INFO | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134 | | 1 | |
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 3 | ||
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = 935403838904 | | 1 | |
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| SYS | GET_INFO | type = SYSTEM_BASIC_INFORMATION | | 1 | |
| SYS | GET_INFO | type = SYSTEM_PROCESSOR_INFORMATION | | 1 | |
| PROC | GET_INFO | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134 | | 1 | |
| FILE | CREATE | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\winsxs\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.17415_none_6240486fecbd8abb.manifest, desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0 | | 1 | |
| FILE | READ | | 1 | ||
| FILE | READ | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\winsxs\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.17415_none_6240486fecbd8abb.manifest, size = 2 | | 1 | |
| FILE | CREATE | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\winsxs\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.17415_none_6240486fecbd8abb.manifest, desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0 | | 1 | |
| FILE | READ | | 1 | ||
| FILE | READ | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\winsxs\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.17415_none_6240486fecbd8abb.manifest, size = 4095 | | 1 | |
| FILE | READ | | 1 | ||
| FILE | READ | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\winsxs\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.17415_none_6240486fecbd8abb.manifest, size = 8180 | | 1 | |
| REG | OPEN_KEY | | 3 | ||
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = 935403838904 | | 1 | |
| SYS | GET_INFO | type = SYSTEM_BASIC_INFORMATION | | 1 | |
| SYS | GET_INFO | type = SYSTEM_PROCESSOR_INFORMATION | | 1 | |
| PROC | GET_INFO | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134 | | 1 | |
| FILE | CREATE | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\winsxs\manifests\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.9600.16384_en-us_7852a861195d56f0.manifest, desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0 | | 1 | |
| FILE | READ | | 1 | ||
| FILE | READ | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\winsxs\manifests\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.9600.16384_en-us_7852a861195d56f0.manifest, size = 2 | | 1 | |
| FILE | CREATE | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\winsxs\manifests\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.9600.16384_en-us_7852a861195d56f0.manifest, desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0 | | 1 | |
| FILE | READ | | 1 | ||
| FILE | READ | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\winsxs\manifests\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.9600.16384_en-us_7852a861195d56f0.manifest, size = 4095 | | 1 | |
| FILE | READ | | 1 | ||
| FILE | READ | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\winsxs\manifests\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.9600.16384_en-us_7852a861195d56f0.manifest, size = 8180 | | 1 | |
| MOD | CREATE_MAPPING | module_name = Nameless FileMapping | | 1 | |
| MOD | CREATE_MAPPING | module_name = Nameless FileMapping, maximum_size = 935403843360, protection = PAGE_READWRITE | | 1 | |
| MOD | MAP | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x16c, address = 0xd9cbf80000 | | 1 | |
| MOD | MAP | module_name = Nameless FileMapping, process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134, address = 0xd9cbf80000 | | 1 | |
| MOD | UNMAP | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x16c | | 1 |
| Category | Operation | Information | Success | Amount | Logfile |
|---|---|---|---|---|---|
| REG | OPEN_KEY | | 3 | ||
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = 935406002472 | | 1 | |
| FILE | CREATE | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\winsxs\manifests\amd64_microsoft.windows.systemcompatible_6595b64144ccf1df_6.0.9600.16384_none_69e3a25fa94e130a.manifest, desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0 | | 1 | |
| MUTEX | CREATE | initial_owner = 0, desired_access = MUTEX_MODIFY_STATE, DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE | | 1 | |
| SYS | GET_INFO | type = SYSTEM_BASIC_INFORMATION | | 1 | |
| SYS | GET_INFO | type = SYSTEM_PROCESSOR_INFORMATION | | 1 | |
| PROC | GET_INFO | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134 | | 1 | |
| FILE | READ | | 1 | ||
| FILE | READ | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\winsxs\manifests\amd64_microsoft.windows.systemcompatible_6595b64144ccf1df_6.0.9600.16384_none_69e3a25fa94e130a.manifest, size = 4095 | | 1 | |
| FILE | READ | | 1 | ||
| FILE | READ | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\winsxs\manifests\amd64_microsoft.windows.systemcompatible_6595b64144ccf1df_6.0.9600.16384_none_69e3a25fa94e130a.manifest, size = 8180 | | 1 | |
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 3 | ||
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = 935405999592 | | 1 | |
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 3 | ||
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = 935405999592 | | 1 | |
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 3 | ||
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = 935405999592 | | 1 | |
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| SYS | GET_INFO | type = SYSTEM_BASIC_INFORMATION | | 1 | |
| SYS | GET_INFO | type = SYSTEM_PROCESSOR_INFORMATION | | 1 | |
| PROC | GET_INFO | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134 | | 1 | |
| FILE | CREATE | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\winsxs\manifests\amd64_microsoft.windows.isolationautomation_6595b64144ccf1df_1.0.0.0_none_ee2620cf57bc84de.manifest, desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0 | | 1 | |
| FILE | READ | | 1 | ||
| FILE | READ | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\winsxs\manifests\amd64_microsoft.windows.isolationautomation_6595b64144ccf1df_1.0.0.0_none_ee2620cf57bc84de.manifest, size = 2 | | 1 | |
| FILE | CREATE | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\winsxs\manifests\amd64_microsoft.windows.isolationautomation_6595b64144ccf1df_1.0.0.0_none_ee2620cf57bc84de.manifest, desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0 | | 1 | |
| FILE | READ | | 1 | ||
| FILE | READ | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\winsxs\manifests\amd64_microsoft.windows.isolationautomation_6595b64144ccf1df_1.0.0.0_none_ee2620cf57bc84de.manifest, size = 4095 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x390008 | | 1 | |
| FILE | READ | | 1 | ||
| FILE | READ | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\winsxs\manifests\amd64_microsoft.windows.isolationautomation_6595b64144ccf1df_1.0.0.0_none_ee2620cf57bc84de.manifest, size = 8180 | | 1 | |
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 3 | ||
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = 935405999592 | | 1 | |
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| SYS | GET_INFO | type = SYSTEM_BASIC_INFORMATION | | 1 | |
| SYS | GET_INFO | type = SYSTEM_PROCESSOR_INFORMATION | | 1 | |
| PROC | GET_INFO | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134 | | 1 | |
| FILE | CREATE | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\winsxs\manifests\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.9600.17415_none_932b3b5547500489.manifest, desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0 | | 1 | |
| FILE | READ | | 1 | ||
| FILE | READ | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\winsxs\manifests\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.9600.17415_none_932b3b5547500489.manifest, size = 2 | | 1 | |
| FILE | CREATE | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\winsxs\manifests\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.9600.17415_none_932b3b5547500489.manifest, desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0 | | 1 | |
| FILE | READ | | 1 | ||
| FILE | READ | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\winsxs\manifests\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.9600.17415_none_932b3b5547500489.manifest, size = 4095 | | 1 | |
| FILE | READ | | 1 | ||
| FILE | READ | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\winsxs\manifests\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.9600.17415_none_932b3b5547500489.manifest, size = 8180 | | 1 | |
| SYS | GET_INFO | type = SYSTEM_BASIC_INFORMATION | | 1 | |
| SYS | GET_INFO | type = SYSTEM_PROCESSOR_INFORMATION | | 1 | |
| PROC | GET_INFO | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134 | | 1 | |
| FILE | CREATE | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\winsxs\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_5.82.9600.17415_none_34aa3313958e7a52.manifest, desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0 | | 1 | |
| FILE | READ | | 1 | ||
| FILE | READ | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\winsxs\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_5.82.9600.17415_none_34aa3313958e7a52.manifest, size = 2 | | 1 | |
| FILE | CREATE | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\winsxs\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_5.82.9600.17415_none_34aa3313958e7a52.manifest, desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0 | | 1 | |
| FILE | READ | | 1 | ||
| FILE | READ | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\winsxs\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_5.82.9600.17415_none_34aa3313958e7a52.manifest, size = 4095 | | 1 | |
| FILE | READ | | 1 | ||
| FILE | READ | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\winsxs\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_5.82.9600.17415_none_34aa3313958e7a52.manifest, size = 8180 | | 1 | |
| REG | OPEN_KEY | | 3 | ||
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = 935405999592 | | 1 | |
| SYS | GET_INFO | type = SYSTEM_BASIC_INFORMATION | | 1 | |
| SYS | GET_INFO | type = SYSTEM_PROCESSOR_INFORMATION | | 1 | |
| PROC | GET_INFO | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134 | | 1 | |
| FILE | CREATE | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\winsxs\manifests\amd64_microsoft.windows.i..utomation.proxystub_6595b64144ccf1df_1.0.9600.17415_none_bd4349237a1100f7.manifest, desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0 | | 1 | |
| FILE | READ | | 1 | ||
| FILE | READ | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\winsxs\manifests\amd64_microsoft.windows.i..utomation.proxystub_6595b64144ccf1df_1.0.9600.17415_none_bd4349237a1100f7.manifest, size = 2 | | 1 | |
| FILE | CREATE | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\winsxs\manifests\amd64_microsoft.windows.i..utomation.proxystub_6595b64144ccf1df_1.0.9600.17415_none_bd4349237a1100f7.manifest, desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0 | | 1 | |
| FILE | READ | | 1 | ||
| FILE | READ | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\winsxs\manifests\amd64_microsoft.windows.i..utomation.proxystub_6595b64144ccf1df_1.0.9600.17415_none_bd4349237a1100f7.manifest, size = 4095 | | 1 | |
| FILE | READ | | 1 | ||
| FILE | READ | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\winsxs\manifests\amd64_microsoft.windows.i..utomation.proxystub_6595b64144ccf1df_1.0.9600.17415_none_bd4349237a1100f7.manifest, size = 8180 | | 1 | |
| SYS | GET_INFO | type = SYSTEM_BASIC_INFORMATION | | 1 | |
| SYS | GET_INFO | type = SYSTEM_PROCESSOR_INFORMATION | | 1 | |
| PROC | GET_INFO | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134 | | 1 | |
| FILE | CREATE | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\winsxs\manifests\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.9600.16384_en-us_4ab3da74c23648d7.manifest, desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0 | | 1 | |
| FILE | READ | | 1 | ||
| FILE | READ | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\winsxs\manifests\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.9600.16384_en-us_4ab3da74c23648d7.manifest, size = 2 | | 1 | |
| FILE | CREATE | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\winsxs\manifests\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.9600.16384_en-us_4ab3da74c23648d7.manifest, desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0 | | 1 | |
| FILE | READ | | 1 | ||
| FILE | READ | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\winsxs\manifests\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.9600.16384_en-us_4ab3da74c23648d7.manifest, size = 4095 | | 1 | |
| FILE | READ | | 1 | ||
| FILE | READ | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\winsxs\manifests\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.9600.16384_en-us_4ab3da74c23648d7.manifest, size = 8180 | | 1 | |
| MOD | CREATE_MAPPING | module_name = Nameless FileMapping | | 1 | |
| MOD | CREATE_MAPPING | module_name = Nameless FileMapping, maximum_size = 935406004048, protection = PAGE_READWRITE | | 1 | |
| MOD | MAP | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x16c, address = 0xd9cbf50000 | | 1 | |
| MOD | MAP | module_name = Nameless FileMapping, process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134, address = 0xd9cbf50000 | | 1 | |
| MOD | UNMAP | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x16c | | 1 | |
| SYS | GET_INFO | type = SYSTEM_BASIC_INFORMATION | | 1 | |
| SYS | GET_INFO | type = SYSTEM_PROCESSOR_INFORMATION | | 1 | |
| PROC | GET_INFO | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134 | | 1 | |
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 3 | ||
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = 935406001256 | | 1 | |
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| SYS | GET_INFO | type = SYSTEM_BASIC_INFORMATION | | 1 | |
| SYS | GET_INFO | type = SYSTEM_PROCESSOR_INFORMATION | | 1 | |
| PROC | GET_INFO | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134 | | 1 | |
| FILE | CREATE | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\winsxs\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.17415_none_6240486fecbd8abb.manifest, desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0 | | 1 | |
| FILE | READ | | 1 | ||
| FILE | READ | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\winsxs\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.17415_none_6240486fecbd8abb.manifest, size = 2 | | 1 | |
| FILE | CREATE | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\winsxs\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.17415_none_6240486fecbd8abb.manifest, desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0 | | 1 | |
| FILE | READ | | 1 | ||
| FILE | READ | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\winsxs\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.17415_none_6240486fecbd8abb.manifest, size = 4095 | | 1 | |
| FILE | READ | | 1 | ||
| FILE | READ | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\winsxs\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.17415_none_6240486fecbd8abb.manifest, size = 8180 | | 1 | |
| REG | OPEN_KEY | | 3 | ||
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = 935406001256 | | 1 | |
| SYS | GET_INFO | type = SYSTEM_BASIC_INFORMATION | | 1 | |
| SYS | GET_INFO | type = SYSTEM_PROCESSOR_INFORMATION | | 1 | |
| PROC | GET_INFO | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134 | | 1 | |
| FILE | CREATE | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\winsxs\manifests\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.9600.16384_en-us_7852a861195d56f0.manifest, desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0 | | 1 | |
| FILE | READ | | 1 | ||
| FILE | READ | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\winsxs\manifests\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.9600.16384_en-us_7852a861195d56f0.manifest, size = 2 | | 1 | |
| FILE | CREATE | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\winsxs\manifests\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.9600.16384_en-us_7852a861195d56f0.manifest, desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0 | | 1 | |
| FILE | READ | | 1 | ||
| FILE | READ | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\winsxs\manifests\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.9600.16384_en-us_7852a861195d56f0.manifest, size = 4095 | | 1 | |
| FILE | READ | | 1 | ||
| FILE | READ | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\winsxs\manifests\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.9600.16384_en-us_7852a861195d56f0.manifest, size = 8180 | | 1 | |
| MOD | CREATE_MAPPING | module_name = Nameless FileMapping | | 1 | |
| MOD | CREATE_MAPPING | module_name = Nameless FileMapping, maximum_size = 935406005712, protection = PAGE_READWRITE | | 1 | |
| MOD | MAP | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x16c, address = 0xd9cbf60000 | | 1 | |
| MOD | MAP | module_name = Nameless FileMapping, process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134, address = 0xd9cbf60000 | | 1 | |
| MOD | UNMAP | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x16c | | 1 | |
| SYS | GET_INFO | type = SYSTEM_BASIC_INFORMATION | | 1 | |
| SYS | GET_INFO | type = SYSTEM_PROCESSOR_INFORMATION | | 1 | |
| PROC | GET_INFO | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134 | | 1 | |
| REG | OPEN_KEY | | 3 | ||
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = targetNamespace | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = targetNamespace | | 1 | |
| REG | OPEN_KEY | | 1 | ||
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = dpiAware | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = dpiAware | | 1 | |
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 3 | ||
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = 935406000136 | | 1 | |
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| SYS | GET_INFO | type = SYSTEM_BASIC_INFORMATION | | 1 | |
| SYS | GET_INFO | type = SYSTEM_PROCESSOR_INFORMATION | | 1 | |
| PROC | GET_INFO | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134 | | 1 | |
| FILE | CREATE | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\winsxs\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.17415_none_6240486fecbd8abb.manifest, desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0 | | 1 | |
| FILE | READ | | 1 | ||
| FILE | READ | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\winsxs\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.17415_none_6240486fecbd8abb.manifest, size = 2 | | 1 | |
| FILE | CREATE | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\winsxs\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.17415_none_6240486fecbd8abb.manifest, desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0 | | 1 | |
| FILE | READ | | 1 | ||
| FILE | READ | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\winsxs\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.17415_none_6240486fecbd8abb.manifest, size = 4095 | | 1 | |
| FILE | READ | | 1 | ||
| FILE | READ | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\winsxs\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.17415_none_6240486fecbd8abb.manifest, size = 8180 | | 1 | |
| REG | OPEN_KEY | | 3 | ||
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = 935406000136 | | 1 | |
| SYS | GET_INFO | type = SYSTEM_BASIC_INFORMATION | | 1 | |
| SYS | GET_INFO | type = SYSTEM_PROCESSOR_INFORMATION | | 1 | |
| PROC | GET_INFO | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134 | | 1 | |
| FILE | CREATE | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\winsxs\manifests\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.9600.16384_en-us_7852a861195d56f0.manifest, desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0 | | 1 | |
| FILE | READ | | 1 | ||
| FILE | READ | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\winsxs\manifests\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.9600.16384_en-us_7852a861195d56f0.manifest, size = 2 | | 1 | |
| FILE | CREATE | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\winsxs\manifests\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.9600.16384_en-us_7852a861195d56f0.manifest, desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0 | | 1 | |
| FILE | READ | | 1 | ||
| FILE | READ | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\winsxs\manifests\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.9600.16384_en-us_7852a861195d56f0.manifest, size = 4095 | | 1 | |
| FILE | READ | | 1 | ||
| FILE | READ | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\winsxs\manifests\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.9600.16384_en-us_7852a861195d56f0.manifest, size = 8180 | | 1 | |
| MOD | CREATE_MAPPING | module_name = Nameless FileMapping | | 1 | |
| MOD | CREATE_MAPPING | module_name = Nameless FileMapping, maximum_size = 935406004592, protection = PAGE_READWRITE | | 1 | |
| MOD | MAP | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x16c, address = 0xd9cbf60000 | | 1 | |
| MOD | MAP | module_name = Nameless FileMapping, process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134, address = 0xd9cbf60000 | | 1 | |
| MOD | UNMAP | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x16c | | 1 | |
| SYS | GET_INFO | type = SYSTEM_BASIC_INFORMATION | | 1 | |
| SYS | GET_INFO | type = SYSTEM_PROCESSOR_INFORMATION | | 1 | |
| PROC | GET_INFO | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134 | | 1 | |
| REG | OPEN_KEY | | 3 | ||
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = targetNamespace | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = targetNamespace | | 1 | |
| REG | OPEN_KEY | | 1 | ||
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = dpiAware | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = dpiAware | | 1 | |
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 3 | ||
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = 935406001256 | | 1 | |
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| SYS | GET_INFO | type = SYSTEM_BASIC_INFORMATION | | 1 | |
| SYS | GET_INFO | type = SYSTEM_PROCESSOR_INFORMATION | | 1 | |
| PROC | GET_INFO | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134 | | 1 | |
| FILE | CREATE | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\winsxs\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.17415_none_6240486fecbd8abb.manifest, desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0 | | 1 | |
| FILE | READ | | 1 | ||
| FILE | READ | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\winsxs\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.17415_none_6240486fecbd8abb.manifest, size = 2 | | 1 | |
| FILE | CREATE | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\winsxs\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.17415_none_6240486fecbd8abb.manifest, desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0 | | 1 | |
| FILE | READ | | 1 | ||
| FILE | READ | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\winsxs\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.17415_none_6240486fecbd8abb.manifest, size = 4095 | | 1 | |
| FILE | READ | | 1 | ||
| FILE | READ | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\winsxs\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.17415_none_6240486fecbd8abb.manifest, size = 8180 | | 1 | |
| REG | OPEN_KEY | | 3 | ||
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = 935406001256 | | 1 | |
| SYS | GET_INFO | type = SYSTEM_BASIC_INFORMATION | | 1 | |
| SYS | GET_INFO | type = SYSTEM_PROCESSOR_INFORMATION | | 1 | |
| PROC | GET_INFO | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134 | | 1 | |
| FILE | CREATE | | 2 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\winsxs\manifests\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.9600.16384_en-us_7852a861195d56f0.manifest, desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0 | | 1 | |
| FILE | READ | | 1 | ||
| FILE | READ | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\winsxs\manifests\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.9600.16384_en-us_7852a861195d56f0.manifest, size = 2 | | 1 | |
| FILE | CREATE | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\winsxs\manifests\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.9600.16384_en-us_7852a861195d56f0.manifest, desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0 | | 1 | |
| FILE | READ | | 1 | ||
| FILE | READ | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\winsxs\manifests\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.9600.16384_en-us_7852a861195d56f0.manifest, size = 4095 | | 1 | |
| FILE | READ | | 1 | ||
| FILE | READ | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\winsxs\manifests\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.9600.16384_en-us_7852a861195d56f0.manifest, size = 8180 | | 1 | |
| MOD | CREATE_MAPPING | module_name = Nameless FileMapping | | 1 | |
| MOD | CREATE_MAPPING | module_name = Nameless FileMapping, maximum_size = 935406005712, protection = PAGE_READWRITE | | 1 | |
| MOD | MAP | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x16c, address = 0xd9cbf90000 | | 1 | |
| MOD | MAP | module_name = Nameless FileMapping, process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134, address = 0xd9cbf90000 | | 1 | |
| MOD | UNMAP | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x16c | | 1 |
| Information | Value |
|---|---|
| ID / OS PID | #9 / 0x194 |
| OS Parent PID | 0x15c (c:\windows\winstore\wshost.exe) |
| Initial Working Directory | X:\windows\system32 |
| File Name | \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\winlogon.exe |
| Command Line | winlogon.exe |
| Monitor | Start Time: 00:01:34, Reason: Child Process |
| Unmonitor | End Time: 00:02:07, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:33 |
| OS Thread IDs | #67 0x198 #82 0x1EC #83 0x1F4 #114 0x270 #115 0x274 |
| Name | Start VA | End VA | Type | Permissions | Monitored | Dump |
|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable | | |
| private_0x0000009f3e8a0000 | 0x9f3e8a0000 | 0x9f3e8bffff | Private Memory | Readable, Writable | | |
| pagefile_0x0000009f3e8a0000 | 0x9f3e8a0000 | 0x9f3e8affff | Pagefile Backed File | Readable, Writable | | |
| private_0x0000009f3e8b0000 | 0x9f3e8b0000 | 0x9f3e8b6fff | Private Memory | Readable, Writable | | |
| pagefile_0x0000009f3e8c0000 | 0x9f3e8c0000 | 0x9f3e8cefff | Pagefile Backed File | Readable | | |
| private_0x0000009f3e8d0000 | 0x9f3e8d0000 | 0x9f3e94ffff | Private Memory | Readable, Writable | | |
| locale.nls | 0x9f3e950000 | 0x9f3e9cdfff | Memory Mapped File | Readable | | |
| private_0x0000009f3e9d0000 | 0x9f3e9d0000 | 0x9f3e9d6fff | Private Memory | Readable, Writable | | |
| winlogon.exe.mui | 0x9f3e9e0000 | 0x9f3e9e5fff | Memory Mapped File | Readable | | |
| USER32.dll.mui | 0x9f3e9e0000 | 0x9f3e9e4fff | Memory Mapped File | Readable | | |
| private_0x0000009f3e9f0000 | 0x9f3e9f0000 | 0x9f3e9f0fff | Private Memory | Readable, Writable | | |
| private_0x0000009f3ea00000 | 0x9f3ea00000 | 0x9f3ea00fff | Private Memory | Readable, Writable | | |
| private_0x0000009f3ea10000 | 0x9f3ea10000 | 0x9f3ea16fff | Private Memory | Readable, Writable | | |
| USER32.dll.mui | 0x9f3ea20000 | 0x9f3ea24fff | Memory Mapped File | Readable | | |
| Aero.msstyles.mui | 0x9f3ea20000 | 0x9f3ea20fff | Memory Mapped File | Readable | | |
| private_0x0000009f3ea30000 | 0x9f3ea30000 | 0x9f3ea30fff | Private Memory | Readable, Writable | | |
| pagefile_0x0000009f3ea40000 | 0x9f3ea40000 | 0x9f3ea40fff | Pagefile Backed File | Readable, Writable | | |
| private_0x0000009f3ea50000 | 0x9f3ea50000 | 0x9f3eb4ffff | Private Memory | Readable, Writable | | |
| private_0x0000009f3eb50000 | 0x9f3eb50000 | 0x9f3ebcffff | Private Memory | Readable, Writable | | |
| private_0x0000009f3ebd0000 | 0x9f3ebd0000 | 0x9f3ec4ffff | Private Memory | Readable, Writable | | |
| private_0x0000009f3ebd0000 | 0x9f3ebd0000 | 0x9f3ec4ffff | Private Memory | Readable, Writable | | |
| pagefile_0x0000009f3ec50000 | 0x9f3ec50000 | 0x9f3ec7ffff | Pagefile Backed File | Readable | | |
| private_0x0000009f3ec80000 | 0x9f3ec80000 | 0x9f3ec8ffff | Private Memory | Readable, Writable | | |
| pagefile_0x0000009f3ec90000 | 0x9f3ec90000 | 0x9f3ee17fff | Pagefile Backed File | Readable | | |
| pagefile_0x0000009f3ee20000 | 0x9f3ee20000 | 0x9f3efa0fff | Pagefile Backed File | Readable | | |
| sortdefault.nls | 0x9f3efb0000 | 0x9f3f284fff | Memory Mapped File | Readable | | |
| private_0x0000009f3f300000 | 0x9f3f300000 | 0x9f3f30ffff | Private Memory | Readable, Writable | | |
| Aero.msstyles | 0x9f3f310000 | 0x9f3f418fff | Memory Mapped File | Readable | | |
| private_0x0000009f3f390000 | 0x9f3f390000 | 0x9f3f40ffff | Private Memory | Readable, Writable | | |
| private_0x0000009f3f420000 | 0x9f3f420000 | 0x9f3fe1ffff | Private Memory | Readable, Writable | | |
| private_0x0000009f3fe20000 | 0x9f3fe20000 | 0x9f3ff1ffff | Private Memory | Readable, Writable | | |
| pagefile_0x00007df5ff3e0000 | 0x7df5ff3e0000 | 0x7ff5ff3dffff | Pagefile Backed File | - | | |
| pagefile_0x00007df5ff3e0000 | 0x7df5ff3e0000 | 0x7ff5ff3dffff | Pagefile Backed File | - | | |
| pagefile_0x00007ff7f6520000 | 0x7ff7f6520000 | 0x7ff7f661ffff | Pagefile Backed File | Readable | | |
| pagefile_0x00007ff7f6620000 | 0x7ff7f6620000 | 0x7ff7f6642fff | Pagefile Backed File | Readable | | |
| private_0x00007ff7f6644000 | 0x7ff7f6644000 | 0x7ff7f6645fff | Private Memory | Readable, Writable | | |
| private_0x00007ff7f6648000 | 0x7ff7f6648000 | 0x7ff7f6649fff | Private Memory | Readable, Writable | | |
| private_0x00007ff7f664a000 | 0x7ff7f664a000 | 0x7ff7f664bfff | Private Memory | Readable, Writable | | |
| private_0x00007ff7f664c000 | 0x7ff7f664c000 | 0x7ff7f664cfff | Private Memory | Readable, Writable | | |
| private_0x00007ff7f664c000 | 0x7ff7f664c000 | 0x7ff7f664cfff | Private Memory | Readable, Writable | | |
| private_0x00007ff7f664e000 | 0x7ff7f664e000 | 0x7ff7f664ffff | Private Memory | Readable, Writable | | |
| winlogon.exe | 0x7ff7f6bc0000 | 0x7ff7f6c52fff | Memory Mapped File | Readable, Writable, Executable | | |
| WindowsCodecs.dll | 0x7ffb702d0000 | 0x7ffb7047dfff | Memory Mapped File | Readable, Writable, Executable | | |
| UxTheme.dll | 0x7ffb70480000 | 0x7ffb705a8fff | Memory Mapped File | Readable, Writable, Executable | | |
| uxinit.dll | 0x7ffb705e0000 | 0x7ffb705f6fff | Memory Mapped File | Readable, Writable, Executable | | |
| winsta.dll | 0x7ffb70940000 | 0x7ffb70999fff | Memory Mapped File | Readable, Writable, Executable | | |
| KBDUS.DLL | 0x7ffb70990000 | 0x7ffb70993fff | Memory Mapped File | Readable, Writable, Executable | | |
| KBDUS.DLL | 0x7ffb70a20000 | 0x7ffb70a23fff | Memory Mapped File | Readable, Writable, Executable | | |
| winlogonext.dll | 0x7ffb70a30000 | 0x7ffb70a48fff | Memory Mapped File | Readable, Writable, Executable | | |
| rsaenh.dll | 0x7ffb70b00000 | 0x7ffb70b35fff | Memory Mapped File | Readable, Writable, Executable | | |
| CRYPTSP.dll | 0x7ffb71040000 | 0x7ffb7105ffff | Memory Mapped File | Readable, Writable, Executable | | |
| bcrypt.dll | 0x7ffb71260000 | 0x7ffb71285fff | Memory Mapped File | Readable, Writable, Executable | | |
| powrprof.dll | 0x7ffb71530000 | 0x7ffb71575fff | Memory Mapped File | Readable, Writable, Executable | | |
| bcryptPrimitives.dll | 0x7ffb71580000 | 0x7ffb715e2fff | Memory Mapped File | Readable, Writable, Executable | | |
| CRYPTBASE.dll | 0x7ffb715f0000 | 0x7ffb715fafff | Memory Mapped File | Readable, Writable, Executable | | |
| profapi.dll | 0x7ffb716b0000 | 0x7ffb716c4fff | Memory Mapped File | Readable, Writable, Executable | | |
| kernelbase.dll | 0x7ffb71760000 | 0x7ffb71874fff | Memory Mapped File | Readable, Writable, Executable | | |
| gdi32.dll | 0x7ffb71ad0000 | 0x7ffb71c20fff | Memory Mapped File | Readable, Writable, Executable | | |
| sechost.dll | 0x7ffb733c0000 | 0x7ffb73418fff | Memory Mapped File | Readable, Writable, Executable | | |
| kernel32.dll | 0x7ffb73480000 | 0x7ffb735bdfff | Memory Mapped File | Readable, Writable, Executable | | |
| advapi32.dll | 0x7ffb73690000 | 0x7ffb73739fff | Memory Mapped File | Readable, Writable, Executable | | |
| combase.dll | 0x7ffb73740000 | 0x7ffb73950fff | Memory Mapped File | Readable, Writable, Executable | | |
| rpcrt4.dll | 0x7ffb73a30000 | 0x7ffb73b70fff | Memory Mapped File | Readable, Writable, Executable | | |
| MSCTF.dll | 0x7ffb73b80000 | 0x7ffb73cd2fff | Memory Mapped File | Readable, Writable, Executable | | |
| user32.dll | 0x7ffb73e90000 | 0x7ffb74006fff | Memory Mapped File | Readable, Writable, Executable | | |
| IMM32.dll | 0x7ffb74010000 | 0x7ffb74045fff | Memory Mapped File | Readable, Writable, Executable | | |
| MSVCRT.dll | 0x7ffb74050000 | 0x7ffb740f9fff | Memory Mapped File | Readable, Writable, Executable | | |
| ntdll.dll | 0x7ffb74120000 | 0x7ffb742cbfff | Memory Mapped File | Readable, Writable, Executable | | |
| Category | Operation | Information | Success | Amount | Logfile |
|---|---|---|---|---|---|
| SYS | GET_INFO | type = SYSTEM_CURRENT_TIME_ZONE_INFORMATION | | 1 | |
| SYS | GET_INFO | type = SYSTEM_BASIC_INFORMATION | | 2 | |
| REG | OPEN_KEY | reg_name = \Registry\Machine\System\CurrentControlSet\Control\Nls\Sorting\Versions | | 1 | |
| REG | READ_VALUE | reg_name = \Registry\Machine\System\CurrentControlSet\Control\Nls\Sorting\Versions, value_name = 683949743520 | | 1 | |
| MOD | GET_HANDLE | module_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\winlogon.exe | | 1 | |
| SYS | GET_INFO | type = SYSTEM_BASIC_INFORMATION | | 1 | |
| MOD | GET_HANDLE | module_name = X:\windows\system32\IMM32.DLL | | 1 | |
| MOD | LOAD | module_name = X:\windows\system32\IMM32.DLL, base_address = 0x0 | | 1 | |
| PROC | GET_INFO | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134 | | 1 | |
| SYS | GET_INFO | type = SYSTEM_BASIC_INFORMATION | | 1 | |
| MOD | GET_HANDLE | module_name = X:\windows\system32\IMM32.DLL | | 2 | |
| REG | OPEN_KEY | reg_name = \Registry\Machine\System\CurrentControlSet\Control\Error Message Instrument\ | | 1 | |
| REG | OPEN_KEY | reg_name = \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize | | 1 | |
| REG | READ_VALUE | reg_name = \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize, value_name = DisableMetaFiles | | 1 | |
| PROC | GET_INFO | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134 | | 1 | |
| REG | READ_VALUE | value_name = LoadAppInit_DLLs | | 1 | |
| PROC | GET_INFO | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134 | | 1 | |
| REG | OPEN_KEY | | 1 | ||
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = TracingControlLevel | | 1 | |
| REG | OPEN_KEY | | 1 | ||
| REG | CREATE_KEY | reg_name = \REGISTRY\MACHINE\SOFTWARE\CLASSES | | 1 | |
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = SimulateDebugSession | | 1 | |
| REG | OPEN_KEY | | 1 | ||
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = Respecialize | | 1 | |
| REG | OPEN_KEY | | 1 | ||
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = SetupType | | 1 | |
| REG | OPEN_KEY | | 1 | ||
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = NoDebugThread | | 1 | |
| REG | OPEN_KEY | reg_name = \Registry\Machine\System\CurrentControlSet\Control\ComputerName | | 1 | |
| REG | OPEN_KEY | reg_name = \Registry\Machine\System\CurrentControlSet\Control\ComputerName\ActiveComputerName | | 1 | |
| REG | OPEN_KEY | reg_name = \Registry\Machine\System\CurrentControlSet\Control\ComputerName\ComputerName | | 1 | |
| REG | READ_VALUE | reg_name = \Registry\Machine\System\CurrentControlSet\Control\ComputerName\ComputerName, value_name = ComputerName | | 1 | |
| REG | CREATE_KEY | reg_name = \Registry\Machine\System\CurrentControlSet\Control\ComputerName\ActiveComputerName | | 1 | |
| REG | WRITE_VALUE | reg_name = \Registry\Machine\System\CurrentControlSet\Control\ComputerName\ActiveComputerName, value_name = ComputerName, data = MINWINPC | | 1 | |
| REG | OPEN_KEY | reg_name = \Registry\Machine\System\Setup | | 1 | |
| REG | READ_VALUE | reg_name = \Registry\Machine\System\Setup, value_name = OOBEInProgress | | 1 | |
| REG | OPEN_KEY | reg_name = \Registry\Machine\System\Setup | | 1 | |
| REG | READ_VALUE | reg_name = \Registry\Machine\System\Setup, value_name = SystemSetupInProgress | | 1 | |
| PROC | OPEN_TOKEN | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | reg_name = \Registry\Machine\System\Setup, value_name = ProfileImagePath | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | reg_name = \Registry\Machine\System\Setup, value_name = ProfileImagePath | | 1 | |
| REG | OPEN_KEY | | 1 | ||
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | reg_name = \Registry\Machine\System\Setup, value_name = Public | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | reg_name = \Registry\Machine\System\Setup, value_name = Public | | 1 | |
| REG | OPEN_KEY | | 1 | ||
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | reg_name = \Registry\Machine\System\Setup, value_name = ProgramData | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | reg_name = \Registry\Machine\System\Setup, value_name = ProgramData | | 1 | |
| REG | OPEN_KEY | | 1 | ||
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | reg_name = \Registry\Machine\System\Setup, value_name = ProgramFilesDir | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | reg_name = \Registry\Machine\System\Setup, value_name = CommonFilesDir | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | reg_name = \Registry\Machine\System\Setup, value_name = ProgramFilesDir (x86) | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | reg_name = \Registry\Machine\System\Setup, value_name = CommonFilesDir (x86) | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | reg_name = \Registry\Machine\System\Setup, value_name = ProgramW6432Dir | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | reg_name = \Registry\Machine\System\Setup, value_name = CommonW6432Dir | | 1 | |
| REG | OPEN_KEY | | 1 | ||
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | reg_name = \Registry\Machine\System\Setup, value_name = AllowBlockingAppsAtShutdown | | 1 | |
| MOD | LOAD | module_name = rpcrt4.dll, base_address = 0x0 | | 1 | |
| SYS | GET_INFO | type = SYSTEM_BASIC_INFORMATION | | 1 | |
| REG | READ_VALUE | reg_name = \Registry\Machine\System\Setup, value_name = MaxRpcSize | | 1 | |
| REG | OPEN_KEY | reg_name = \Registry\Machine\System\CurrentControlSet\Control\ComputerName\ActiveComputerName | | 1 | |
| REG | READ_VALUE | reg_name = \Registry\Machine\System\CurrentControlSet\Control\ComputerName\ActiveComputerName, value_name = ComputerName | | 1 | |
| REG | OPEN_KEY | reg_name = \Registry\Machine\System\Setup | | 1 | |
| REG | READ_VALUE | reg_name = \Registry\Machine\System\Setup, value_name = OOBEInProgress | | 1 | |
| REG | OPEN_KEY | reg_name = \Registry\Machine\System\Setup | | 1 | |
| REG | READ_VALUE | reg_name = \Registry\Machine\System\Setup, value_name = SystemSetupInProgress | | 1 | |
| SYS | GET_INFO | | 1 | ||
| PROC | GET_INFO | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134 | | 1 | |
| PROC | GET_INFO | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134 | | 1 | |
| REG | READ_VALUE | value_name = IdleTimerWindow | | 1 | |
| REG | OPEN_KEY | reg_name = Keyboard Layout\Preload | | 1 | |
| REG | READ_VALUE | reg_name = Keyboard Layout\Preload, value_name = 1 | | 1 | |
| REG | OPEN_KEY | reg_name = \Registry\Machine\System\CurrentControlSet\Control\Keyboard Layouts\00000409 | | 1 | |
| REG | READ_VALUE | reg_name = \Registry\Machine\System\CurrentControlSet\Control\Keyboard Layouts\00000409, value_name = Layout File | | 1 | |
| REG | READ_VALUE | reg_name = \Registry\Machine\System\CurrentControlSet\Control\Keyboard Layouts\00000409, value_name = Attributes | | 1 | |
| MOD | LOAD | module_name = KBDUS.DLL, base_address = 0x0 | | 1 | |
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\kbdus.dll, desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0 | | 1 | |
| PROC | GET_INFO | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134 | | 6 | |
| FILE | OPEN | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\fonts\segoeuib.ttf, desired_access = FILE_READ_DATA, SYNCHRONIZE, share_mode = FILE_SHARE_READ, open_options = FILE_SYNCHRONOUS_IO_NONALERT | | 1 | |
| MOD | CREATE_MAPPING | module_name = Nameless FileMapping, file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\fonts\segoeuib.ttf, maximum_size = 0, protection = PAGE_READONLY | | 1 | |
| MOD | MAP | module_name = Nameless FileMapping, process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134, address = 0x9f3efb0000 | | 1 | |
| MOD | UNMAP | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134, base_address = 0x9f3efb0000 | | 1 | |
| PROC | GET_INFO | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134 | | 3 | |
| FILE | OPEN | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\fonts\segoeui.ttf, desired_access = FILE_READ_DATA, SYNCHRONIZE, share_mode = FILE_SHARE_READ, open_options = FILE_SYNCHRONOUS_IO_NONALERT | | 1 | |
| MOD | CREATE_MAPPING | module_name = Nameless FileMapping, file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\fonts\segoeui.ttf, maximum_size = 0, protection = PAGE_READONLY | | 1 | |
| MOD | MAP | module_name = Nameless FileMapping, process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134, address = 0x9f3efb0000 | | 1 | |
| MOD | UNMAP | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134, base_address = 0x9f3efb0000 | | 1 | |
| PROC | GET_INFO | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134 | | 5 | |
| FILE | OPEN | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\fonts\tahoma.ttf, desired_access = FILE_READ_DATA, SYNCHRONIZE, share_mode = FILE_SHARE_READ, open_options = FILE_SYNCHRONOUS_IO_NONALERT | | 1 | |
| MOD | CREATE_MAPPING | module_name = Nameless FileMapping, file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\fonts\tahoma.ttf, maximum_size = 0, protection = PAGE_READONLY | | 1 | |
| MOD | MAP | module_name = Nameless FileMapping, process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134, address = 0x9f3efb0000 | | 1 | |
| MOD | UNMAP | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134, base_address = 0x9f3efb0000 | | 1 | |
| PROC | GET_INFO | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134 | | 10 | |
| FILE | OPEN | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\fonts\micross.ttf, desired_access = FILE_READ_DATA, SYNCHRONIZE, share_mode = FILE_SHARE_READ, open_options = FILE_SYNCHRONOUS_IO_NONALERT | | 1 | |
| MOD | CREATE_MAPPING | module_name = Nameless FileMapping, file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\fonts\micross.ttf, maximum_size = 0, protection = PAGE_READONLY | | 1 | |
| MOD | MAP | module_name = Nameless FileMapping, process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134, address = 0x9f3efb0000 | | 1 | |
| MOD | UNMAP | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134, base_address = 0x9f3efb0000 | | 1 | |
| PROC | GET_INFO | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134 | | 61 | |
| REG | OPEN_KEY | reg_name = \Registry\Machine\Software\Microsoft\Windows\Windows Error Reporting\WMR | | 1 | |
| REG | READ_VALUE | reg_name = \Registry\Machine\Software\Microsoft\Windows\Windows Error Reporting\WMR, value_name = Disable | | 1 | |
| PROC | GET_INFO | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134 | | 1 | |
| REG | OPEN_KEY | reg_name = \Registry\Machine\Software\Microsoft\Windows\Windows Error Reporting\WMR\Control Panel\International | | 1 | |
| REG | READ_VALUE | reg_name = \Registry\Machine\Software\Microsoft\Windows\Windows Error Reporting\WMR\Control Panel\International | | 1 | |
| REG | READ_VALUE | reg_name = \Registry\Machine\Software\Microsoft\Windows\Windows Error Reporting\WMR\Control Panel\International | | 1 | |
| REG | READ_VALUE | reg_name = \Registry\Machine\Software\Microsoft\Windows\Windows Error Reporting\WMR\Control Panel\International, value_name = sCurrencyOverride | | 1 | |
| REG | OPEN_KEY | reg_name = \Registry\Machine\System\CurrentControlSet\Control\Nls\CustomLocale | | 1 | |
| REG | READ_VALUE | reg_name = \Registry\Machine\System\CurrentControlSet\Control\Nls\CustomLocale, value_name = en-US | | 1 | |
| REG | OPEN_KEY | reg_name = \Registry\Machine\System\CurrentControlSet\Control\Nls\ExtendedLocale | | 1 | |
| REG | READ_VALUE | reg_name = \Registry\Machine\System\CurrentControlSet\Control\Nls\ExtendedLocale, value_name = en-US | | 1 | |
| REG | OPEN_KEY | reg_name = \Registry\Machine\System\CurrentControlSet\Control\Nls\Locale | | 1 | |
| REG | OPEN_KEY | reg_name = \Registry\Machine\System\CurrentControlSet\Control\Nls\Locale\Alternate Sorts | | 1 | |
| REG | OPEN_KEY | reg_name = \Registry\Machine\System\CurrentControlSet\Control\Nls\Language Groups | | 1 | |
| REG | READ_VALUE | reg_name = \Registry\Machine\System\CurrentControlSet\Control\Nls\Locale, value_name = 00000409 | | 1 | |
| REG | READ_VALUE | reg_name = \Registry\Machine\System\CurrentControlSet\Control\Nls\Language Groups, value_name = 1 | | 1 | |
| SYS | CREATE_DESKTOP | | 2 | ||
| SYS | SWITCH_DESKTOP | | 1 | ||
| MOD | GET_HANDLE | module_name = IMM32.DLL | | 1 | |
| REG | OPEN_KEY | reg_name = Control Panel\Input Method\Hot Keys | | 1 | |
| REG | OPEN_KEY | reg_name = Control Panel\Input Method\Hot Keys\00000010 | | 1 | |
| REG | READ_VALUE | reg_name = Control Panel\Input Method\Hot Keys\00000010, value_name = Virtual Key | | 1 | |
| REG | READ_VALUE | reg_name = Control Panel\Input Method\Hot Keys\00000010, value_name = Key Modifiers | | 1 | |
| REG | READ_VALUE | reg_name = Control Panel\Input Method\Hot Keys\00000010, value_name = Target IME | | 1 | |
| REG | OPEN_KEY | reg_name = Control Panel\Input Method\Hot Keys\00000011 | | 1 | |
| REG | READ_VALUE | reg_name = Control Panel\Input Method\Hot Keys\00000011, value_name = Virtual Key | | 1 | |
| REG | READ_VALUE | reg_name = Control Panel\Input Method\Hot Keys\00000011, value_name = Key Modifiers | | 1 | |
| REG | READ_VALUE | reg_name = Control Panel\Input Method\Hot Keys\00000011, value_name = Target IME | | 1 | |
| REG | OPEN_KEY | reg_name = Control Panel\Input Method\Hot Keys\00000012 | | 1 | |
| REG | READ_VALUE | reg_name = Control Panel\Input Method\Hot Keys\00000012, value_name = Virtual Key | | 1 | |
| REG | READ_VALUE | reg_name = Control Panel\Input Method\Hot Keys\00000012, value_name = Key Modifiers | | 1 | |
| REG | READ_VALUE | reg_name = Control Panel\Input Method\Hot Keys\00000012, value_name = Target IME | | 1 | |
| REG | OPEN_KEY | reg_name = Control Panel\Input Method\Hot Keys\00000070 | | 1 | |
| REG | READ_VALUE | reg_name = Control Panel\Input Method\Hot Keys\00000070, value_name = Virtual Key | | 1 | |
| REG | READ_VALUE | reg_name = Control Panel\Input Method\Hot Keys\00000070, value_name = Key Modifiers | | 1 | |
| REG | READ_VALUE | reg_name = Control Panel\Input Method\Hot Keys\00000070, value_name = Target IME | | 1 | |
| REG | OPEN_KEY | reg_name = Control Panel\Input Method\Hot Keys\00000071 | | 1 | |
| REG | READ_VALUE | reg_name = Control Panel\Input Method\Hot Keys\00000071, value_name = Virtual Key | | 1 | |
| REG | READ_VALUE | reg_name = Control Panel\Input Method\Hot Keys\00000071, value_name = Key Modifiers | | 1 | |
| REG | READ_VALUE | reg_name = Control Panel\Input Method\Hot Keys\00000071, value_name = Target IME | | 1 | |
| REG | OPEN_KEY | reg_name = Control Panel\Input Method\Hot Keys\00000072 | | 1 | |
| REG | READ_VALUE | reg_name = Control Panel\Input Method\Hot Keys\00000072, value_name = Virtual Key | | 1 | |
| REG | READ_VALUE | reg_name = Control Panel\Input Method\Hot Keys\00000072, value_name = Key Modifiers | | 1 | |
| REG | READ_VALUE | reg_name = Control Panel\Input Method\Hot Keys\00000072, value_name = Target IME | | 1 | |
| REG | OPEN_KEY | reg_name = Control Panel\Input Method\Hot Keys\00000104 | | 1 | |
| REG | READ_VALUE | reg_name = Control Panel\Input Method\Hot Keys\00000104, value_name = Virtual Key | | 1 | |
| REG | READ_VALUE | reg_name = Control Panel\Input Method\Hot Keys\00000104, value_name = Key Modifiers | | 1 | |
| REG | READ_VALUE | reg_name = Control Panel\Input Method\Hot Keys\00000104, value_name = Target IME | | 1 | |
| REG | OPEN_KEY | reg_name = Control Panel\Input Method\Hot Keys\00000200 | | 1 | |
| REG | READ_VALUE | reg_name = Control Panel\Input Method\Hot Keys\00000200, value_name = Virtual Key | | 1 | |
| REG | READ_VALUE | reg_name = Control Panel\Input Method\Hot Keys\00000200, value_name = Key Modifiers | | 1 | |
| REG | READ_VALUE | reg_name = Control Panel\Input Method\Hot Keys\00000200, value_name = Target IME | | 1 | |
| REG | OPEN_KEY | reg_name = Control Panel\Input Method\Hot Keys\00000201 | | 1 | |
| REG | READ_VALUE | reg_name = Control Panel\Input Method\Hot Keys\00000201, value_name = Virtual Key | | 1 | |
| REG | READ_VALUE | reg_name = Control Panel\Input Method\Hot Keys\00000201, value_name = Key Modifiers | | 1 | |
| REG | READ_VALUE | reg_name = Control Panel\Input Method\Hot Keys\00000201, value_name = Target IME | | 1 | |
| REG | OPEN_KEY | reg_name = Control Panel\Input Method\Hot Keys\00000202 | | 1 | |
| REG | READ_VALUE | reg_name = Control Panel\Input Method\Hot Keys\00000202, value_name = Virtual Key | | 1 | |
| REG | READ_VALUE | reg_name = Control Panel\Input Method\Hot Keys\00000202, value_name = Key Modifiers | | 1 | |
| REG | READ_VALUE | reg_name = Control Panel\Input Method\Hot Keys\00000202, value_name = Target IME | | 1 | |
| REG | OPEN_KEY | reg_name = Control Panel\Input Method\Hot Keys\00000203 | | 1 | |
| REG | READ_VALUE | reg_name = Control Panel\Input Method\Hot Keys\00000203, value_name = Virtual Key | | 1 | |
| REG | READ_VALUE | reg_name = Control Panel\Input Method\Hot Keys\00000203, value_name = Key Modifiers | | 1 | |
| REG | READ_VALUE | reg_name = Control Panel\Input Method\Hot Keys\00000203, value_name = Target IME | | 1 | |
| REG | OPEN_KEY | reg_name = \REGISTRY\USER\S-1-5-18 | | 1 | |
| REG | OPEN_KEY | reg_name = \REGISTRY\USER\S-1-5-18\Keyboard Layout\Preload | | 1 | |
| REG | READ_VALUE | reg_name = \REGISTRY\USER\S-1-5-18\Keyboard Layout\Preload, value_name = 1 | | 1 | |
| REG | READ_VALUE | reg_name = \REGISTRY\USER\S-1-5-18\Keyboard Layout\Preload, value_name = 1 | | 1 | |
| REG | OPEN_KEY | reg_name = \REGISTRY\USER\S-1-5-18 | | 1 | |
| REG | OPEN_KEY | reg_name = \REGISTRY\USER\S-1-5-18\Keyboard Layout\Preload | | 1 | |
| REG | READ_VALUE | reg_name = \REGISTRY\USER\S-1-5-18\Keyboard Layout\Preload, value_name = 2 | | 1 | |
| REG | OPEN_KEY | reg_name = \REGISTRY\USER\S-1-5-18\Keyboard Layout\Preload\Keyboard Layout\Preload | | 1 | |
| REG | READ_VALUE | reg_name = \REGISTRY\USER\S-1-5-18\Keyboard Layout\Preload\Keyboard Layout\Preload, value_name = 1 | | 1 | |
| REG | OPEN_KEY | reg_name = \REGISTRY\USER\S-1-5-18 | | 1 | |
| REG | OPEN_KEY | reg_name = \REGISTRY\USER\S-1-5-18\Keyboard Layout\Substitutes | | 1 | |
| REG | READ_VALUE | reg_name = \REGISTRY\USER\S-1-5-18\Keyboard Layout\Substitutes, value_name = 00000409 | | 1 | |
| REG | OPEN_KEY | reg_name = \Registry\Machine\System\CurrentControlSet\Control\Keyboard Layouts\00000409 | | 1 | |
| REG | READ_VALUE | reg_name = \Registry\Machine\System\CurrentControlSet\Control\Keyboard Layouts\00000409, value_name = Layout File | | 1 | |
| REG | READ_VALUE | reg_name = \Registry\Machine\System\CurrentControlSet\Control\Keyboard Layouts\00000409, value_name = Attributes | | 1 | |
| MOD | LOAD | module_name = KBDUS.DLL, base_address = 0x0 | | 1 | |
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\kbdus.dll, desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0 | | 1 | |
| REG | OPEN_KEY | reg_name = Control Panel\Input Method\Hot Keys | | 1 | |
| REG | OPEN_KEY | reg_name = Control Panel\Input Method\Hot Keys\00000010 | | 1 | |
| REG | READ_VALUE | reg_name = Control Panel\Input Method\Hot Keys\00000010, value_name = Virtual Key | | 1 | |
| REG | READ_VALUE | reg_name = Control Panel\Input Method\Hot Keys\00000010, value_name = Key Modifiers | | 1 | |
| REG | READ_VALUE | reg_name = Control Panel\Input Method\Hot Keys\00000010, value_name = Target IME | | 1 | |
| REG | OPEN_KEY | reg_name = Control Panel\Input Method\Hot Keys\00000011 | | 1 | |
| REG | READ_VALUE | reg_name = Control Panel\Input Method\Hot Keys\00000011, value_name = Virtual Key | | 1 | |
| REG | READ_VALUE | reg_name = Control Panel\Input Method\Hot Keys\00000011, value_name = Key Modifiers | | 1 | |
| REG | READ_VALUE | reg_name = Control Panel\Input Method\Hot Keys\00000011, value_name = Target IME | | 1 | |
| REG | OPEN_KEY | reg_name = Control Panel\Input Method\Hot Keys\00000012 | | 1 | |
| REG | READ_VALUE | reg_name = Control Panel\Input Method\Hot Keys\00000012, value_name = Virtual Key | | 1 | |
| REG | READ_VALUE | reg_name = Control Panel\Input Method\Hot Keys\00000012, value_name = Key Modifiers | | 1 | |
| REG | READ_VALUE | reg_name = Control Panel\Input Method\Hot Keys\00000012, value_name = Target IME | | 1 | |
| REG | OPEN_KEY | reg_name = Control Panel\Input Method\Hot Keys\00000070 | | 1 | |
| REG | READ_VALUE | reg_name = Control Panel\Input Method\Hot Keys\00000070, value_name = Virtual Key | | 1 | |
| REG | READ_VALUE | reg_name = Control Panel\Input Method\Hot Keys\00000070, value_name = Key Modifiers | | 1 | |
| REG | READ_VALUE | reg_name = Control Panel\Input Method\Hot Keys\00000070, value_name = Target IME | | 1 | |
| REG | OPEN_KEY | reg_name = Control Panel\Input Method\Hot Keys\00000071 | | 1 | |
| REG | READ_VALUE | reg_name = Control Panel\Input Method\Hot Keys\00000071, value_name = Virtual Key | | 1 | |
| REG | READ_VALUE | reg_name = Control Panel\Input Method\Hot Keys\00000071, value_name = Key Modifiers | | 1 | |
| REG | READ_VALUE | reg_name = Control Panel\Input Method\Hot Keys\00000071, value_name = Target IME | | 1 | |
| REG | OPEN_KEY | reg_name = Control Panel\Input Method\Hot Keys\00000072 | | 1 | |
| REG | READ_VALUE | reg_name = Control Panel\Input Method\Hot Keys\00000072, value_name = Virtual Key | | 1 | |
| REG | READ_VALUE | reg_name = Control Panel\Input Method\Hot Keys\00000072, value_name = Key Modifiers | | 1 | |
| REG | READ_VALUE | reg_name = Control Panel\Input Method\Hot Keys\00000072, value_name = Target IME | | 1 | |
| REG | OPEN_KEY | reg_name = Control Panel\Input Method\Hot Keys\00000104 | | 1 | |
| REG | READ_VALUE | reg_name = Control Panel\Input Method\Hot Keys\00000104, value_name = Virtual Key | | 1 | |
| REG | READ_VALUE | reg_name = Control Panel\Input Method\Hot Keys\00000104, value_name = Key Modifiers | | 1 | |
| REG | READ_VALUE | reg_name = Control Panel\Input Method\Hot Keys\00000104, value_name = Target IME | | 1 | |
| REG | OPEN_KEY | reg_name = Control Panel\Input Method\Hot Keys\00000200 | | 1 | |
| REG | READ_VALUE | reg_name = Control Panel\Input Method\Hot Keys\00000200, value_name = Virtual Key | | 1 | |
| REG | READ_VALUE | reg_name = Control Panel\Input Method\Hot Keys\00000200, value_name = Key Modifiers | | 1 | |
| REG | READ_VALUE | reg_name = Control Panel\Input Method\Hot Keys\00000200, value_name = Target IME | | 1 | |
| REG | OPEN_KEY | reg_name = Control Panel\Input Method\Hot Keys\00000201 | | 1 | |
| REG | READ_VALUE | reg_name = Control Panel\Input Method\Hot Keys\00000201, value_name = Virtual Key | | 1 | |
| REG | READ_VALUE | reg_name = Control Panel\Input Method\Hot Keys\00000201, value_name = Key Modifiers | | 1 | |
| REG | READ_VALUE | reg_name = Control Panel\Input Method\Hot Keys\00000201, value_name = Target IME | | 1 | |
| REG | OPEN_KEY | reg_name = Control Panel\Input Method\Hot Keys\00000202 | | 1 | |
| REG | READ_VALUE | reg_name = Control Panel\Input Method\Hot Keys\00000202, value_name = Virtual Key | | 1 | |
| REG | READ_VALUE | reg_name = Control Panel\Input Method\Hot Keys\00000202, value_name = Key Modifiers | | 1 | |
| REG | READ_VALUE | reg_name = Control Panel\Input Method\Hot Keys\00000202, value_name = Target IME | | 1 | |
| REG | OPEN_KEY | reg_name = Control Panel\Input Method\Hot Keys\00000203 | | 1 | |
| REG | READ_VALUE | reg_name = Control Panel\Input Method\Hot Keys\00000203, value_name = Virtual Key | | 1 | |
| REG | READ_VALUE | reg_name = Control Panel\Input Method\Hot Keys\00000203, value_name = Key Modifiers | | 1 | |
| REG | READ_VALUE | reg_name = Control Panel\Input Method\Hot Keys\00000203, value_name = Target IME | | 1 | |
| REG | OPEN_KEY | reg_name = \REGISTRY\USER\S-1-5-18 | | 1 | |
| REG | OPEN_KEY | reg_name = \REGISTRY\USER\S-1-5-18\Keyboard Layout\Preload | | 1 | |
| REG | READ_VALUE | reg_name = \REGISTRY\USER\S-1-5-18\Keyboard Layout\Preload, value_name = 2 | | 1 | |
| REG | OPEN_KEY | | 1 | ||
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | reg_name = Control Panel\Input Method\Hot Keys, value_name = SecureBoot | | 1 | |
| MOD | MAP | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\winlogon.exe, os_pid = 0x194, address = 0x9f3ea10000 | | 1 | |
| MOD | MAP | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134, address = 0x9f3ea10000 | | 1 | |
| MOD | UNMAP | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\winlogon.exe, os_pid = 0x194 | | 1 | |
| REG | OPEN_KEY | reg_name = HKEY_CURRENT_USER | | 1 | |
| REG | OPEN_KEY | | 1 | ||
| REG | CREATE_KEY | | 1 | ||
| REG | CREATE_KEY | reg_name = Software\Microsoft\Windows\CurrentVersion\ThemeManager | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = LMVersion | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | reg_name = Software\Microsoft\Windows\CurrentVersion\ThemeManager, value_name = LMVersion | | 1 | |
| REG | OPEN_KEY | | 1 | ||
| REG | DELETE_VALUE | | 1 | ||
| REG | DELETE_VALUE | value_name = InstallTheme | | 1 | |
| REG | DELETE_VALUE | | 1 | ||
| REG | DELETE_VALUE | value_name = SetVisualStyle | | 1 | |
| REG | DELETE_VALUE | | 1 | ||
| REG | DELETE_VALUE | value_name = InstallVisualStyle | | 1 | |
| REG | OPEN_KEY | | 1 | ||
| REG | WRITE_VALUE | | 1 | ||
| REG | WRITE_VALUE | reg_name = Software\Microsoft\Windows\CurrentVersion\ThemeManager, value_name = LMVersion, data = 105 | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = LMOverRide | | 1 | |
| REG | READ_VALUE | reg_name = \Registry\Machine\System\CurrentControlSet\Control\Nls\Sorting\Versions, value_name = 000602xx | | 1 | |
| MOD | LOAD | module_name = kernel32.dll, base_address = 0x0 | | 1 | |
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\globalization\sorting\sortdefault.nls, desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0 | | 1 | |
| MOD | CREATE_MAPPING | module_name = Nameless FileMapping, file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\globalization\sorting\sortdefault.nls, maximum_size = 0, protection = PAGE_READONLY | | 1 | |
| MOD | MAP | module_name = Nameless FileMapping, process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134, address = 0x9f3efb0000 | | 1 | |
| REG | OPEN_KEY | reg_name = \Registry\Machine\System\CurrentControlSet\Control\Nls\Sorting\Ids | | 1 | |
| REG | READ_VALUE | reg_name = \Registry\Machine\System\CurrentControlSet\Control\Nls\Sorting\Ids, value_name = en-US | | 1 | |
| REG | READ_VALUE | reg_name = \Registry\Machine\System\CurrentControlSet\Control\Nls\Sorting\Ids, value_name = en | | 1 | |
| REG | WRITE_VALUE | | 1 | ||
| REG | WRITE_VALUE | reg_name = Software\Microsoft\Windows\CurrentVersion\ThemeManager, value_name = DllName, data = %SystemRoot%\resources\themes\Aero\Aero.msstyles | | 1 | |
| REG | WRITE_VALUE | | 1 | ||
| REG | WRITE_VALUE | reg_name = Software\Microsoft\Windows\CurrentVersion\ThemeManager, value_name = LMVersion, data = 105 | | 1 | |
| REG | WRITE_VALUE | | 1 | ||
| REG | WRITE_VALUE | reg_name = Software\Microsoft\Windows\CurrentVersion\ThemeManager, value_name = ThemeActive, data = 1 | | 1 | |
| REG | WRITE_VALUE | | 1 | ||
| REG | WRITE_VALUE | reg_name = Software\Microsoft\Windows\CurrentVersion\ThemeManager, value_name = LoadedBefore, data = 0 | | 1 | |
| REG | DELETE_VALUE | | 1 | ||
| REG | DELETE_VALUE | reg_name = Software\Microsoft\Windows\CurrentVersion\ThemeManager, value_name = ColorName | | 1 | |
| REG | DELETE_VALUE | | 1 | ||
| REG | DELETE_VALUE | reg_name = Software\Microsoft\Windows\CurrentVersion\ThemeManager, value_name = SizeName | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = LoadedBefore | | 1 | |
| REG | WRITE_VALUE | | 1 | ||
| REG | WRITE_VALUE | reg_name = Software\Microsoft\Windows\CurrentVersion\ThemeManager, value_name = LoadedBefore, data = 0 | | 1 | |
| REG | WRITE_VALUE | | 1 | ||
| REG | WRITE_VALUE | value_name = LoadedBefore, data = 1 | | 1 | |
| SVC | OPEN_MGR | database_name = SERVICES_ACTIVE_DATABASE, host = Localhost | | 1 | |
| SVC | OPEN | | 1 | ||
| SVC | OPEN_MGR | database_name = SERVICES_ACTIVE_DATABASE, host = Localhost | | 1 | |
| SVC | OPEN | | 1 | ||
| REG | OPEN_KEY | reg_name = HKEY_CURRENT_USER | | 1 | |
| REG | OPEN_KEY | | 1 | ||
| REG | CREATE_KEY | | 1 | ||
| REG | CREATE_KEY | reg_name = Software\Microsoft\Windows\CurrentVersion\ThemeManager | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | reg_name = Software\Microsoft\Windows\CurrentVersion\ThemeManager, value_name = LMVersion | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | reg_name = Software\Microsoft\Windows\CurrentVersion\ThemeManager, value_name = LMVersion | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | reg_name = Software\Microsoft\Windows\CurrentVersion\ThemeManager, value_name = LoadedBefore | | 1 | |
| REG | OPEN_KEY | reg_name = HKEY_CURRENT_USER | | 1 | |
| REG | OPEN_KEY | | 1 | ||
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | reg_name = Software\Microsoft\Windows\CurrentVersion\ThemeManager, value_name = DllName | | 1 | |
| REG | OPEN_KEY | reg_name = HKEY_CURRENT_USER | | 1 | |
| REG | OPEN_KEY | | 1 | ||
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | reg_name = Software\Microsoft\Windows\CurrentVersion\ThemeManager, value_name = ColorName | | 1 | |
| REG | OPEN_KEY | reg_name = HKEY_CURRENT_USER | | 1 | |
| REG | OPEN_KEY | | 1 | ||
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | reg_name = Software\Microsoft\Windows\CurrentVersion\ThemeManager, value_name = SizeName | | 1 | |
| REG | OPEN_KEY | reg_name = HKEY_CURRENT_USER | | 1 | |
| REG | OPEN_KEY | | 1 | ||
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | reg_name = Software\Microsoft\Windows\CurrentVersion\ThemeManager, value_name = LoadedBefore | | 1 | |
| REG | OPEN_KEY | reg_name = HKEY_CURRENT_USER | | 1 | |
| REG | OPEN_KEY | | 1 | ||
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | reg_name = Software\Microsoft\Windows\CurrentVersion\ThemeManager, value_name = LastUserLangID | | 1 | |
| REG | OPEN_KEY | reg_name = HKEY_CURRENT_USER | | 1 | |
| REG | OPEN_KEY | | 1 | ||
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | reg_name = Software\Microsoft\Windows\CurrentVersion\ThemeManager, value_name = LastLoadedDPI | | 1 | |
| REG | OPEN_KEY | reg_name = HKEY_CURRENT_USER | | 1 | |
| REG | OPEN_KEY | | 1 | ||
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | reg_name = Software\Microsoft\Windows\CurrentVersion\ThemeManager, value_name = LastLoadedPPI | | 1 | |
| REG | OPEN_KEY | | 1 | ||
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | reg_name = Software\Microsoft\Windows\CurrentVersion\ThemeManager, value_name = LMVersion | | 1 | |
| REG | OPEN_KEY | reg_name = HKEY_CURRENT_USER | | 1 | |
| REG | OPEN_KEY | | 1 | ||
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = LMVersion | | 1 | |
| MOD | GET_HANDLE | module_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\winlogon.exe | | 1 | |
| MOD | GET_HANDLE | module_name = user32.dll | | 1 | |
| MOD | GET_PROC_ADDRESS | address_out = 0x7ffb73e94c30 | | 1 | |
| MOD | MAP | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\winlogon.exe, os_pid = 0x194, address = 0x9f3ea10000 | | 1 | |
| MOD | MAP | reg_name = Software\Microsoft\Windows\CurrentVersion\ThemeManager, process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134, address = 0x9f3ea10000 | | 1 | |
| MOD | UNMAP | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\winlogon.exe, os_pid = 0x194 | | 1 | |
| REG | READ_VALUE | reg_name = Software\Microsoft\Windows\CurrentVersion\ThemeManager, value_name = PageAllocatorUseSystemHeap | | 1 | |
| REG | READ_VALUE | reg_name = Software\Microsoft\Windows\CurrentVersion\ThemeManager, value_name = PageAllocatorSystemHeapIsPrivate | | 1 | |
| REG | READ_VALUE | reg_name = Software\Microsoft\Windows\CurrentVersion\ThemeManager, value_name = AggressiveMTATesting | | 1 | |
| SYS | GET_INFO | type = SYSTEM_BASIC_INFORMATION | | 1 | |
| SYS | GET_INFO | type = SYSTEM_PROCESSOR_INFORMATION | | 1 | |
| PROC | GET_INFO | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134 | | 1 | |
| MOD | GET_HANDLE | module_name = rpcrt4.dll | | 1 | |
| FILE | CREATE | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\resources\themes\aero\vscache\aero.msstyles_1033_96.mss, desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0 | | 1 | |
| FILE | CREATE | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\resources\themes\aero\aero.msstyles, desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0 | | 1 | |
| MOD | LOAD | base_address = 0x9f3f310001 | | 1 | |
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\resources\themes\aero\aero.msstyles, desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0 | | 1 | |
| MOD | CREATE_MAPPING | module_name = Nameless FileMapping, file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\resources\themes\aero\aero.msstyles, maximum_size = 0, protection = PAGE_READONLY | | 1 | |
| MOD | MAP | module_name = Nameless FileMapping, process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134, address = 0x9f3f310000 | | 1 | |
| REG | OPEN_KEY | | 1 | ||
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\resources\themes\aero\aero.msstyles, value_name = Name | | 2 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\resources\themes\aero\aero.msstyles, value_name = Name | | 2 | |
| REG | OPEN_KEY | | 1 | ||
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\resources\themes\aero\aero.msstyles, value_name = Type | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\resources\themes\aero\aero.msstyles, value_name = Image Path | | 2 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\resources\themes\aero\aero.msstyles, value_name = Image Path | | 2 | |
| MOD | LOAD | base_address = 0x7ffb70b00000 | | 1 | |
| MOD | LOAD | module_name = X:\windows\system32\rsaenh.dll, base_address = 0x0 | | 1 | |
| MOD | GET_PROC_ADDRESS | address_out = 0x7ffb70b01570 | | 1 | |
| MOD | GET_PROC_ADDRESS | address_out = 0x7ffb70b01080 | | 1 | |
| MOD | GET_PROC_ADDRESS | address_out = 0x7ffb70b06090 | | 1 | |
| MOD | GET_PROC_ADDRESS | address_out = 0x7ffb70b1e1d0 | | 1 | |
| MOD | GET_PROC_ADDRESS | address_out = 0x7ffb70b02ce0 | | 1 | |
| MOD | GET_PROC_ADDRESS | address_out = 0x7ffb70b0af70 | | 1 | |
| MOD | GET_PROC_ADDRESS | address_out = 0x7ffb70b03880 | | 1 | |
| MOD | GET_PROC_ADDRESS | address_out = 0x7ffb70b03a30 | | 1 | |
| MOD | GET_PROC_ADDRESS | address_out = 0x7ffb70b03260 | | 1 | |
| MOD | GET_PROC_ADDRESS | address_out = 0x7ffb70b06be0 | | 1 | |
| MOD | GET_PROC_ADDRESS | address_out = 0x7ffb70b04ea0 | | 1 | |
| MOD | GET_PROC_ADDRESS | address_out = 0x7ffb70b027d0 | | 1 | |
| MOD | GET_PROC_ADDRESS | address_out = 0x7ffb70b02b00 | | 1 | |
| MOD | GET_PROC_ADDRESS | address_out = 0x7ffb70b1d8d0 | | 1 | |
| MOD | GET_PROC_ADDRESS | address_out = 0x7ffb70b024f0 | | 1 | |
| MOD | GET_PROC_ADDRESS | address_out = 0x7ffb70b06830 | | 1 | |
| MOD | GET_PROC_ADDRESS | address_out = 0x7ffb70b03c50 | | 1 | |
| MOD | GET_PROC_ADDRESS | address_out = 0x7ffb70b01030 | | 1 | |
| MOD | GET_PROC_ADDRESS | address_out = 0x7ffb70b05bb0 | | 1 | |
| MOD | GET_PROC_ADDRESS | address_out = 0x7ffb70b0f290 | | 1 | |
| MOD | GET_PROC_ADDRESS | address_out = 0x7ffb70b0f750 | | 1 | |
| MOD | GET_PROC_ADDRESS | address_out = 0x7ffb70b03f50 | | 1 | |
| MOD | GET_PROC_ADDRESS | address_out = 0x7ffb70b02630 | | 1 | |
| MOD | GET_PROC_ADDRESS | address_out = 0x7ffb70b0d330 | | 1 | |
| MOD | GET_PROC_ADDRESS | address_out = 0x7ffb70b1d6e0 | | 1 | |
| REG | OPEN_KEY | | 1 | ||
| PROC | OPEN_TOKEN | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = MachineGuid | | 2 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = MachineGuid | | 2 | |
| REG | OPEN_KEY | | 1 | ||
| PROC | OPEN_TOKEN | | 1 | ||
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x390008 | | 1 | |
| MOD | LOAD | base_address = 0x7ffb71580000 | | 1 | |
| MOD | LOAD | module_name = X:\windows\system32\bcryptprimitives.dll, base_address = 0x0 | | 1 | |
| MOD | GET_PROC_ADDRESS | address_out = 0x7ffb715848b0 | | 1 | |
| MOD | GET_PROC_ADDRESS | address_out = 0x7ffb7159b3d0 | | 1 | |
| MOD | CREATE_MAPPING | module_name = Nameless FileMapping | | 1 | |
| MOD | CREATE_MAPPING | module_name = Nameless FileMapping, file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\resources\themes\aero\aero.msstyles, maximum_size = 0, protection = PAGE_READONLY | | 1 | |
| MOD | MAP | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\winlogon.exe, os_pid = 0x194, address = 0x9f3f420000 | | 1 | |
| MOD | MAP | module_name = Nameless FileMapping, process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134, address = 0x9f3f420000 | | 1 | |
| MOD | UNMAP | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\winlogon.exe, os_pid = 0x194 | | 1 | |
| FILE | READ | | 1 | ||
| FILE | READ | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\resources\themes\aero\aero.msstyles, size = 16 | | 1 | |
| FILE | READ | | 1 | ||
| FILE | READ | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\resources\themes\aero\aero.msstyles, size = 128 | | 1 | |
| SYS | GET_INFO | type = SYSTEM_BASIC_INFORMATION | | 1 | |
| SYS | GET_INFO | type = SYSTEM_PROCESSOR_INFORMATION | | 1 | |
| PROC | GET_INFO | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134 | | 1 | |
| FILE | CREATE | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\resources\themes\aero\aero.msstyles, desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0 | | 1 | |
| SYS | GET_INFO | type = SYSTEM_BASIC_INFORMATION | | 1 | |
| SYS | GET_INFO | type = SYSTEM_PROCESSOR_INFORMATION | | 1 | |
| PROC | GET_INFO | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134 | | 1 | |
| MOD | UNMAP | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134, base_address = 0x9f3f310000 | | 1 | |
| THREAD | CREATE | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134, proc_address = 0x7ff7f6bcf270, desired_access = THREAD_ALL_ACCESS | | 1 | |
| MOD | LOAD | base_address = 0x0 | | 1 | |
| MOD | LOAD | module_name = oobe\WinLGDep.dll, base_address = 0xc0000135 | | 1 | |
| SYS | SWITCH_DESKTOP | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| PROC | GET_INFO | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134 | | 4 | |
| REG | OPEN_KEY | | 1 | ||
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = ProgramFilesDir | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = CommonFilesDir | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = ProgramFilesDir (x86) | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = CommonFilesDir (x86) | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = ProgramW6432Dir | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = CommonW6432Dir | | 1 | |
| REG | OPEN_KEY | | 1 | ||
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = Userinit | | 1 | |
| REG | OPEN_KEY | | 1 | ||
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = userinit | | 1 | |
| REG | OPEN_KEY | | 1 | ||
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = Userinit | | 1 | |
| REG | WRITE_VALUE | | 1 | ||
| REG | WRITE_VALUE | value_name = Userinit, data = | | 1 | |
| REG | OPEN_KEY | | 1 | ||
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = Userinit | | 1 | |
| REG | OPEN_KEY | | 1 | ||
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = Userinit | | 1 | |
| REG | WRITE_VALUE | | 1 | ||
| REG | WRITE_VALUE | value_name = Userinit, data = X:\windows\system32\userinit.exe, | | 1 | |
| REG | OPEN_KEY | | 1 | ||
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = System | | 1 | |
| REG | OPEN_KEY | | 1 | ||
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = Cmdline | | 1 | |
| REG | OPEN_KEY | | 1 | ||
| REG | WRITE_VALUE | | 1 | ||
| REG | WRITE_VALUE | value_name = SetupType, data = 0 | | 1 | |
| REG | OPEN_KEY | | 1 | ||
| REG | DELETE_VALUE | | 1 | ||
| REG | DELETE_VALUE | value_name = AutoAdminLogon | | 1 | |
| KEYBOARD | READ | result_out = 0 | | 2 | |
| PROC | OPEN_TOKEN | | 1 | ||
| PROC | CREATE | process_name = | | 1 | |
| PROC | CREATE | process_name = , desired_access = MAXIMUM_ALLOWED, creation_flags = CREATE_NEW_PROCESS_GROUP | | 1 | |
| REG | OPEN_KEY | reg_name = \Registry\MACHINE\System\CurrentControlSet\Control\Session Manager\AppCertDlls | | 1 | |
| REG | OPEN_KEY | reg_name = \Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option | | 1 | |
| REG | OPEN_KEY | reg_name = \Registry\Machine\System\Setup | | 1 | |
| REG | READ_VALUE | reg_name = \Registry\Machine\System\Setup, value_name = 140717948767312 | | 1 | |
| PROC | GET_INFO | process_name = | | 1 | |
| REG | OPEN_KEY | reg_name = \Registry\MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide | | 1 | |
| REG | READ_VALUE | reg_name = \Registry\MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide, value_name = PreferExternalManifest | | 1 | |
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\winpeshl.exe, desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0 | | 1 | |
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\winpeshl.exe, desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0 | | 1 | |
| MOD | CREATE_MAPPING | module_name = Nameless FileMapping, file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\winpeshl.exe, maximum_size = 0, protection = PAGE_READONLY | | 1 | |
| MOD | MAP | module_name = Nameless FileMapping, process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134, address = 0x9f3f410000 | | 1 | |
| MOD | UNMAP | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134, base_address = 0x9f3f410000 | | 1 | |
| MEM | ALLOC | address = 0x9f3e94dc78, process_name = , size = 683949743576, allocation_type = MEM_COMMIT, protection = PAGE_READWRITE | | 1 | |
| MEM | WRITE | address = 0xa3b7d40000, process_name = , size = 4704 | | 1 | |
| MEM | WRITE | address = 0x7ff74d8ca2d8, process_name = , size = 8 | | 1 | |
| THREAD | RESUME | | 1 |
| Information | Value |
|---|---|
| ID / OS PID | #10 / 0x1ac |
| OS Parent PID | 0x164 (c:\windows\system32\csrss.exe) |
| Initial Working Directory | X:\windows\system32 |
| File Name | \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\services.exe |
| Command Line | X:\windows\system32\services.exe -setup |
| Monitor | Start Time: 00:01:35, Reason: Child Process |
| Unmonitor | End Time: 00:02:07, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:32 |
| OS Thread IDs | #68 0x1B0 #90 0x208 #91 0x20C #97 0x224 #111 0x260 #134 0x2D4 |
| Name | Start VA | End VA | Type | Permissions | Monitored | Dump |
|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable | | |
| private_0x00000094cfe90000 | 0x94cfe90000 | 0x94cfeaffff | Private Memory | Readable, Writable | | |
| pagefile_0x00000094cfe90000 | 0x94cfe90000 | 0x94cfe9ffff | Pagefile Backed File | Readable, Writable | | |
| private_0x00000094cfea0000 | 0x94cfea0000 | 0x94cfea6fff | Private Memory | Readable, Writable | | |
| pagefile_0x00000094cfeb0000 | 0x94cfeb0000 | 0x94cfebefff | Pagefile Backed File | Readable | | |
| private_0x00000094cfec0000 | 0x94cfec0000 | 0x94cff3ffff | Private Memory | Readable, Writable | | |
| pagefile_0x00000094cff40000 | 0x94cff40000 | 0x94cff43fff | Pagefile Backed File | Readable | | |
| pagefile_0x00000094cff50000 | 0x94cff50000 | 0x94cff50fff | Pagefile Backed File | Readable | | |
| locale.nls | 0x94cff60000 | 0x94cffddfff | Memory Mapped File | Readable | | |
| private_0x00000094cffe0000 | 0x94cffe0000 | 0x94cffe6fff | Private Memory | Readable, Writable | | |
| pagefile_0x00000094cfff0000 | 0x94cfff0000 | 0x94cfff2fff | Pagefile Backed File | Readable, Writable | | |
| services.exe.mui | 0x94d0000000 | 0x94d0004fff | Memory Mapped File | Readable | | |
| private_0x00000094d0040000 | 0x94d0040000 | 0x94d004ffff | Private Memory | Readable, Writable | | |
| private_0x00000094d00c0000 | 0x94d00c0000 | 0x94d01bffff | Private Memory | Readable, Writable | | |
| sortdefault.nls | 0x94d01c0000 | 0x94d0494fff | Memory Mapped File | Readable | | |
| private_0x00000094d04a0000 | 0x94d04a0000 | 0x94d059ffff | Private Memory | Readable, Writable | | |
| private_0x00000094d05a0000 | 0x94d05a0000 | 0x94d079ffff | Private Memory | Readable, Writable | | |
| private_0x00000094d07a0000 | 0x94d07a0000 | 0x94d081ffff | Private Memory | Readable, Writable | | |
| private_0x00000094d0820000 | 0x94d0820000 | 0x94d089ffff | Private Memory | Readable, Writable | | |
| private_0x00000094d08a0000 | 0x94d08a0000 | 0x94d091ffff | Private Memory | Readable, Writable | | |
| private_0x00000094d0920000 | 0x94d0920000 | 0x94d099ffff | Private Memory | Readable, Writable | | |
| pagefile_0x00007df5fff40000 | 0x7df5fff40000 | 0x7ff5fff3ffff | Pagefile Backed File | - | | |
| pagefile_0x00007df5fff40000 | 0x7df5fff40000 | 0x7ff5fff3ffff | Pagefile Backed File | - | | |
| pagefile_0x00007df5fff40000 | 0x7df5fff40000 | 0x7ff5fff3ffff | Pagefile Backed File | - | | |
| pagefile_0x00007ff672770000 | 0x7ff672770000 | 0x7ff67286ffff | Pagefile Backed File | Readable | | |
| pagefile_0x00007ff672870000 | 0x7ff672870000 | 0x7ff672892fff | Pagefile Backed File | Readable | | |
| private_0x00007ff672893000 | 0x7ff672893000 | 0x7ff672893fff | Private Memory | Readable, Writable | | |
| private_0x00007ff672896000 | 0x7ff672896000 | 0x7ff672897fff | Private Memory | Readable, Writable | | |
| private_0x00007ff672898000 | 0x7ff672898000 | 0x7ff672899fff | Private Memory | Readable, Writable | | |
| private_0x00007ff67289a000 | 0x7ff67289a000 | 0x7ff67289bfff | Private Memory | Readable, Writable | | |
| private_0x00007ff67289c000 | 0x7ff67289c000 | 0x7ff67289dfff | Private Memory | Readable, Writable | | |
| private_0x00007ff67289e000 | 0x7ff67289e000 | 0x7ff67289ffff | Private Memory | Readable, Writable | | |
| services.exe | 0x7ff673060000 | 0x7ff6730c5fff | Memory Mapped File | Readable, Writable, Executable | | |
| AUTHZ.dll | 0x7ffb70860000 | 0x7ffb708a7fff | Memory Mapped File | Readable, Writable, Executable | | |
| scesrv.dll | 0x7ffb708b0000 | 0x7ffb70939fff | Memory Mapped File | Readable, Writable, Executable | | |
| spinf.dll | 0x7ffb709a0000 | 0x7ffb709bdfff | Memory Mapped File | Readable, Writable, Executable | | |
| srvcli.dll | 0x7ffb709c0000 | 0x7ffb709e5fff | Memory Mapped File | Readable, Writable, Executable | | |
| EventAggregation.dll | 0x7ffb709f0000 | 0x7ffb709fafff | Memory Mapped File | Readable, Writable, Executable | | |
| DABAPI.dll | 0x7ffb70a00000 | 0x7ffb70a07fff | Memory Mapped File | Readable, Writable, Executable | | |
| scext.dll | 0x7ffb70a10000 | 0x7ffb70a20fff | Memory Mapped File | Readable, Writable, Executable | | |
| SspiCli.dll | 0x7ffb71500000 | 0x7ffb7152dfff | Memory Mapped File | Readable, Writable, Executable | | |
| bcryptPrimitives.dll | 0x7ffb71580000 | 0x7ffb715e2fff | Memory Mapped File | Readable, Writable, Executable | | |
| CRYPTBASE.dll | 0x7ffb715f0000 | 0x7ffb715fafff | Memory Mapped File | Readable, Writable, Executable | | |
| profapi.dll | 0x7ffb716b0000 | 0x7ffb716c4fff | Memory Mapped File | Readable, Writable, Executable | | |
| kernelbase.dll | 0x7ffb71760000 | 0x7ffb71874fff | Memory Mapped File | Readable, Writable, Executable | | |
| sechost.dll | 0x7ffb733c0000 | 0x7ffb73418fff | Memory Mapped File | Readable, Writable, Executable | | |
| kernel32.dll | 0x7ffb73480000 | 0x7ffb735bdfff | Memory Mapped File | Readable, Writable, Executable | | |
| rpcrt4.dll | 0x7ffb73a30000 | 0x7ffb73b70fff | Memory Mapped File | Readable, Writable, Executable | | |
| MSVCRT.dll | 0x7ffb74050000 | 0x7ffb740f9fff | Memory Mapped File | Readable, Writable, Executable | | |
| ntdll.dll | 0x7ffb74120000 | 0x7ffb742cbfff | Memory Mapped File | Readable, Writable, Executable | | |
| Injection Type | Source Process | Source Os Thread ID | Injection Info | Success | Amount | Logfile |
|---|---|---|---|---|---|---|
| Modify Memory | \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe | 0x188 | address = 0x4584630000, size = 16384 | | 1 | |
| Modify Memory | \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe | 0x188 | No corresponding api call detected. Probably injected code via shellcode. | | 1 | |
| Modify Memory | \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe | 0x188 | address = 0x4584630000, size = 4096 | | 1 | |
| Modify Memory | \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe | 0x188 | No corresponding api call detected. Probably injected code via shellcode. | | 1 |
| Category | Operation | Information | Success | Amount | Logfile | |
|---|---|---|---|---|---|---|
| SYS | GET_INFO | type = SYSTEM_CURRENT_TIME_ZONE_INFORMATION | | 1 | ||
| SYS | GET_INFO | type = SYSTEM_BASIC_INFORMATION | | 3 | ||
| SYS | GET_INFO | type = SYSTEM_PROCESSOR_INFORMATION | | 1 | ||
| PROC | GET_INFO | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134 | | 1 | ||
| DRV | CONTROL | | 1 | |||
| DRV | CONTROL | control_code = 0x390008 | | 1 | ||
| PROC | GET_INFO | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134 | | 1 | ||
| REG | OPEN_KEY | | 2 | |||
| FILE | OPEN | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\logfiles\scm\, desired_access = FILE_READ_DATA, SYNCHRONIZE, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE, open_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT | | 1 | ||
| FILE | CREATE_DIR | | 1 | |||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\logfiles, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE_DIR | | 1 | |||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\logfiles\scm\, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| REG | OPEN_KEY | reg_name = \Registry\Machine\System\CurrentControlSet\Control\ComputerName\ActiveComputerName | | 1 | ||
| REG | READ_VALUE | reg_name = \Registry\Machine\System\CurrentControlSet\Control\ComputerName\ActiveComputerName, value_name = ComputerName | | 1 | ||
| REG | OPEN_KEY | reg_name = \Registry\Machine\System\Setup | | 1 | ||
| REG | READ_VALUE | reg_name = \Registry\Machine\System\Setup, value_name = OOBEInProgress | | 1 | ||
| REG | OPEN_KEY | reg_name = \Registry\Machine\System\Setup | | 1 | ||
| REG | READ_VALUE | reg_name = \Registry\Machine\System\Setup, value_name = SystemSetupInProgress | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| MOD | LOAD | base_address = 0x7ffb70a10000 | | 1 | ||
| MOD | LOAD | module_name = X:\windows\system32\scext.dll | | 1 | ||
| REG | OPEN_KEY | reg_name = \Registry\Machine\System\CurrentControlSet\Control\Nls\Sorting\Versions | | 1 | ||
| REG | READ_VALUE | reg_name = \Registry\Machine\System\CurrentControlSet\Control\Nls\Sorting\Versions, value_name = 639144026960 | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = RpcCacheTimeout | | 1 | ||
| MOD | GET_PROC_ADDRESS | address_out = 0x7ffb70a14450 | | 1 | ||
| USER | SET_PRIVILEGE | server_name = Localhost | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = EnableTakeOwnershipEvent | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = RpcOverTcpKeepAliveTimes | | 1 | ||
| MOD | GET_HANDLE | module_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\services.exe | | 1 | ||
| MOD | GET_HANDLE | module_name = rpcrt4.dll | | 1 | ||
| MOD | GET_PROC_ADDRESS | address_out = 0x7ffb73af9360 | | 1 | ||
| MOD | GET_HANDLE | module_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\services.exe | | 1 | ||
| MOD | GET_HANDLE | module_name = rpcrt4.dll | | 1 | ||
| MOD | GET_PROC_ADDRESS | address_out = 0x7ffb73a7f1a0 | | 1 | ||
| REG | OPEN_KEY | reg_name = \Registry\Machine\System\CurrentControlSet\Control\ComputerName\ActiveComputerName | | 1 | ||
| REG | READ_VALUE | reg_name = \Registry\Machine\System\CurrentControlSet\Control\ComputerName\ActiveComputerName, value_name = ComputerName | | 1 | ||
| MOD | GET_HANDLE | module_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\services.exe | | 1 | ||
| MOD | GET_HANDLE | module_name = kernelbase.dll | | 1 | ||
| MOD | GET_PROC_ADDRESS | address_out = 0x7ffb7177b660 | | 1 | ||
| MOD | GET_HANDLE | module_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\services.exe | | 1 | ||
| MOD | GET_HANDLE | module_name = ntdll.dll | | 1 | ||
| MOD | GET_PROC_ADDRESS | address_out = 0x7ffb7415d1b0 | | 1 | ||
| MOD | GET_PROC_ADDRESS | address_out = 0x7ffb7416bc00 | | 1 | ||
| PROC | GET_INFO | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134 | | 1 | ||
| FILE | OPEN | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\, desired_access = FILE_READ_DATA, SYNCHRONIZE, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE, open_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT | | 1 | ||
| PROC | GET_INFO | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134 | | 1 | ||
| MOD | GET_HANDLE | module_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\services.exe | | 1 | ||
| MOD | GET_HANDLE | module_name = ntdll.dll | | 1 | ||
| MOD | GET_PROC_ADDRESS | address_out = 0x7ffb74174670 | | 1 | ||
| PROC | GET_INFO | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134 | | 1 | ||
| FILE | OPEN | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\driverstore\en-us\, desired_access = FILE_READ_DATA, SYNCHRONIZE, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE, open_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT | | 1 | ||
| PROC | GET_INFO | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134 | | 1 | ||
| FILE | CREATE | | 1 | |||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\1394.pnf, desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | | 1 | |||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\1394.inf, desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0 | | 1 | ||
| MOD | CREATE_MAPPING | module_name = Nameless FileMapping | | 1 | ||
| MOD | CREATE_MAPPING | module_name = Nameless FileMapping, file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\1394.inf, maximum_size = 639144024704, protection = PAGE_READONLY | | 1 | ||
| MOD | MAP | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\services.exe, os_pid = 0x1ac, address = 0x94cfff0000 | | 1 | ||
| MOD | MAP | module_name = Nameless FileMapping, process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134, address = 0x94cfff0000 | | 1 | ||
| MOD | UNMAP | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\services.exe, os_pid = 0x1ac | | 1 | ||
| FILE | CREATE | | 1 | |||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\driverstore\en-us\1394.inf_loc, desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0 | | 1 | ||
| MOD | CREATE_MAPPING | module_name = Nameless FileMapping | | 1 | ||
| MOD | CREATE_MAPPING | module_name = Nameless FileMapping, file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\driverstore\en-us\1394.inf_loc, maximum_size = 639144024704, protection = PAGE_READONLY | | 1 | ||
| MOD | MAP | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\services.exe, os_pid = 0x1ac, address = 0x94cfff0000 | | 1 | ||
| MOD | MAP | module_name = Nameless FileMapping, process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134, address = 0x94cfff0000 | | 1 | ||
| MOD | UNMAP | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\services.exe, os_pid = 0x1ac | | 1 | ||
| REG | OPEN_KEY | reg_name = \Registry\Machine\System\CurrentControlSet\Control\Nls\CustomLocale | | 1 | ||
| REG | READ_VALUE | reg_name = \Registry\Machine\System\CurrentControlSet\Control\Nls\CustomLocale, value_name = en-US | | 1 | ||
| REG | OPEN_KEY | reg_name = \Registry\Machine\System\CurrentControlSet\Control\Nls\ExtendedLocale | | 1 | ||
| REG | READ_VALUE | reg_name = \Registry\Machine\System\CurrentControlSet\Control\Nls\ExtendedLocale, value_name = en-US | | 1 | ||
| MUTEX | CREATE | | 1 | |||
| MUTEX | CREATE | initial_owner = 0, desired_access = MUTEX_MODIFY_STATE, DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE | | 1 | ||
| REG | READ_VALUE | reg_name = \Registry\Machine\System\CurrentControlSet\Control\Nls\Sorting\Versions, value_name = 000602xx | | 1 | ||
| MOD | LOAD | module_name = kernel32.dll, base_address = 0x0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\globalization\sorting\sortdefault.nls, desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0 | | 1 | ||
| MOD | CREATE_MAPPING | module_name = Nameless FileMapping, file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\globalization\sorting\sortdefault.nls, maximum_size = 0, protection = PAGE_READONLY | | 1 | ||
| MOD | MAP | module_name = Nameless FileMapping, process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134, address = 0x94d01c0000 | | 1 | ||
| REG | OPEN_KEY | reg_name = \Registry\Machine\System\CurrentControlSet\Control\Nls\Sorting\Ids | | 1 | ||
| REG | READ_VALUE | reg_name = \Registry\Machine\System\CurrentControlSet\Control\Nls\Sorting\Ids, value_name = en-US | | 1 | ||
| REG | READ_VALUE | reg_name = \Registry\Machine\System\CurrentControlSet\Control\Nls\Sorting\Ids, value_name = en | | 1 | ||
| FILE | CREATE | | 1 | |||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\1394.pnf, desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, create_disposition = FILE_MAXIMUM_DISPOSITION, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | WRITE | | 1 | |||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\1394.pnf, size = 96 | | 1 | ||
| FILE | WRITE | | 1 | |||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\1394.pnf, size = 22 | | 1 | ||
| FILE | WRITE | | 1 | |||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\1394.pnf, size = 1 | | 1 | ||
| FILE | WRITE | | 1 | |||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\1394.pnf, size = 1 | | 1 | ||
| FILE | WRITE | | 1 | |||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\1394.pnf, size = 12 | | 1 | ||
| FILE | WRITE | | 1 | |||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\1394.pnf, size = 1 | | 1 | ||
| FILE | WRITE | | 1 | |||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\1394.pnf, size = 1 | | 1 | ||
| FILE | WRITE | | 1 | |||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\1394.pnf, size = 1 | | 1 | ||
| FILE | WRITE | | 1 | |||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\1394.pnf, size = 1 | | 1 | ||
| FILE | WRITE | | 1 | |||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\1394.pnf, size = 14192 | | 1 | ||
| FILE | WRITE | | 1 | |||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\1394.pnf, size = 246 | | 1 | ||
| FILE | WRITE | | 1 | |||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\1394.pnf, size = 1 | | 1 | ||
| FILE | WRITE | | 1 | |||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\1394.pnf, size = 1 | | 1 | ||
| FILE | WRITE | | 1 | |||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\1394.pnf, size = 400 | | 1 | ||
| FILE | WRITE | | 1 | |||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\1394.pnf, size = 1188 | | 1 | ||
| FILE | WRITE | | 1 | |||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\1394.pnf, size = 1 | | 1 | ||
| FILE | WRITE | | 1 | |||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\1394.pnf, size = 1 | | 1 | ||
| FILE | WRITE | | 1 | |||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\1394.pnf, size = 1 | | 1 | ||
| FILE | WRITE | | 1 | |||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\1394.pnf, size = 1 | | 1 | ||
| FILE | WRITE | | 1 | |||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\1394.pnf, size = 1312 | | 1 | ||
| FILE | WRITE | | 1 | |||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\1394.pnf, size = 1312 | | 1 | ||
| SYS | SLEEP | | 1 | |||
| SYS | SLEEP | duration = 1 milliseconds (0.001 seconds) | | 1 | ||
| MUTEX | RELEASE | | 1 | |||
| SYS | SLEEP | | 1 | |||
| SYS | SLEEP | duration = 1 milliseconds (0.001 seconds) | | 1 | ||
| SYS | SLEEP | | 1 | |||
| SYS | SLEEP | duration = 1 milliseconds (0.001 seconds) | | 1 | ||
| MUTEX | RELEASE | | 2 | |||
| SYS | SLEEP | | 1 | |||
| SYS | SLEEP | duration = 1 milliseconds (0.001 seconds) | | 1 | ||
| PROC | GET_INFO | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134 | | 1 | ||
| FILE | OPEN | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\, desired_access = FILE_READ_DATA, SYNCHRONIZE, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE, open_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT | | 1 | ||
| PROC | GET_INFO | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134 | | 2 | ||
| FILE | OPEN | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\driverstore\en-us\, desired_access = FILE_READ_DATA, SYNCHRONIZE, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE, open_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT | | 1 | ||
| PROC | GET_INFO | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134 | | 1 | ||
| FILE | CREATE | | 1 | |||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\acpi.pnf, desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | | 1 | |||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\acpi.inf, desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0 | | 1 | ||
| MOD | CREATE_MAPPING | module_name = Nameless FileMapping | | 1 | ||
| MOD | CREATE_MAPPING | module_name = Nameless FileMapping, file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\acpi.inf, maximum_size = 639144024704, protection = PAGE_READONLY | | 1 | ||
| MOD | MAP | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\services.exe, os_pid = 0x1ac, address = 0x94cfff0000 | | 1 | ||
| MOD | MAP | module_name = Nameless FileMapping, process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134, address = 0x94cfff0000 | | 1 | ||
| MOD | UNMAP | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\services.exe, os_pid = 0x1ac | | 1 | ||
| FILE | CREATE | | 1 | |||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\driverstore\en-us\acpi.inf_loc, desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0 | | 1 | ||
| MOD | CREATE_MAPPING | module_name = Nameless FileMapping | | 1 | ||
| MOD | CREATE_MAPPING | module_name = Nameless FileMapping, file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\driverstore\en-us\acpi.inf_loc, maximum_size = 639144024704, protection = PAGE_READONLY | | 1 | ||
| MOD | MAP | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\services.exe, os_pid = 0x1ac, address = 0x94cfff0000 | | 1 | ||
| MOD | MAP | module_name = Nameless FileMapping, process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134, address = 0x94cfff0000 | | 1 | ||
| MOD | UNMAP | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\services.exe, os_pid = 0x1ac | | 1 | ||
| MUTEX | CREATE | | 1 | |||
| MUTEX | CREATE | initial_owner = 0, desired_access = MUTEX_MODIFY_STATE, DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE | | 1 | ||
| FILE | CREATE | | 1 | |||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\acpi.pnf, desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, create_disposition = FILE_MAXIMUM_DISPOSITION, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | WRITE | | 1 | |||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\acpi.pnf, size = 96 | | 1 | ||
| FILE | WRITE | | 1 | |||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\acpi.pnf, size = 22 | | 1 | ||
| FILE | WRITE | | 1 | |||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\acpi.pnf, size = 1 | | 1 | ||
| FILE | WRITE | | 1 | |||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\acpi.pnf, size = 1 | | 1 | ||
| FILE | WRITE | | 1 | |||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\acpi.pnf, size = 12 | | 1 | ||
| FILE | WRITE | | 1 | |||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\acpi.pnf, size = 1 | | 1 | ||
| FILE | WRITE | | 1 | |||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\acpi.pnf, size = 1 | | 1 | ||
| FILE | WRITE | | 1 | |||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\acpi.pnf, size = 1 | | 1 | ||
| FILE | WRITE | | 1 | |||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\acpi.pnf, size = 1 | | 1 | ||
| FILE | WRITE | | 1 | |||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\acpi.pnf, size = 7056 | | 1 | ||
| FILE | WRITE | | 1 | |||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\acpi.pnf, size = 250 | | 1 | ||
| FILE | WRITE | | 1 | |||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\acpi.pnf, size = 1 | | 1 | ||
| FILE | WRITE | | 1 | |||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\acpi.pnf, size = 1 | | 1 | ||
| FILE | WRITE | | 1 | |||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\acpi.pnf, size = 1 | | 1 | ||
| FILE | WRITE | | 1 | |||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\acpi.pnf, size = 1 | | 1 | ||
| FILE | WRITE | | 1 | |||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\acpi.pnf, size = 1 | | 1 | ||
| FILE | WRITE | | 1 | |||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\acpi.pnf, size = 1 | | 1 | ||
| FILE | WRITE | | 1 | |||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\acpi.pnf, size = 304 | | 1 | ||
| FILE | WRITE | | 1 | |||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\acpi.pnf, size = 744 | | 1 | ||
| FILE | WRITE | | 1 | |||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\acpi.pnf, size = 812 | | 1 | ||
| FILE | WRITE | | 1 | |||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\acpi.pnf, size = 1 | | 1 | ||
| FILE | WRITE | | 1 | |||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\acpi.pnf, size = 1 | | 1 | ||
| FILE | WRITE | | 1 | |||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\acpi.pnf, size = 1 | | 1 | ||
| FILE | WRITE | | 1 | |||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\acpi.pnf, size = 1 | | 1 | ||
| FILE | WRITE | | 1 | |||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\acpi.pnf, size = 812 | | 1 | ||
| FILE | WRITE | | 1 | |||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\acpi.pnf, size = 1 | | 1 | ||
| FILE | WRITE | | 1 | |||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\acpi.pnf, size = 1 | | 1 | ||
| FILE | WRITE | | 1 | |||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\acpi.pnf, size = 1 | | 1 | ||
| FILE | WRITE | | 1 | |||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\acpi.pnf, size = 1 | | 1 | ||
| FILE | WRITE | | 1 | |||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\acpi.pnf, size = 12 | | 1 | ||
| SYS | SLEEP | | 1 | |||
| SYS | SLEEP | duration = 1 milliseconds (0.001 seconds) | | 1 | ||
| MUTEX | RELEASE | | 1 | |||
| SYS | SLEEP | | 1 | |||
| SYS | SLEEP | duration = 1 milliseconds (0.001 seconds) | | 1 | ||
| SYS | SLEEP | | 1 | |||
| SYS | SLEEP | duration = 1 milliseconds (0.001 seconds) | | 1 | ||
| MUTEX | RELEASE | | 2 | |||
| SYS | SLEEP | | 1 | |||
| SYS | SLEEP | duration = 1 milliseconds (0.001 seconds) | | 1 | ||
| PROC | GET_INFO | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134 | | 1 | ||
| FILE | OPEN | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\, desired_access = FILE_READ_DATA, SYNCHRONIZE, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE, open_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT | | 1 | ||
| PROC | GET_INFO | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134 | | 2 | ||
| FILE | OPEN | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\driverstore\en-us\, desired_access = FILE_READ_DATA, SYNCHRONIZE, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE, open_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT | | 1 | ||
| PROC | GET_INFO | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134 | | 1 | ||
| FILE | CREATE | | 1 | |||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\acpipagr.pnf, desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | | 1 | |||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\acpipagr.inf, desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0 | | 1 | ||
| MOD | CREATE_MAPPING | module_name = Nameless FileMapping | | 1 | ||
| MOD | CREATE_MAPPING | module_name = Nameless FileMapping, file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\acpipagr.inf, maximum_size = 639144024704, protection = PAGE_READONLY | | 1 | ||
| MOD | MAP | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\services.exe, os_pid = 0x1ac, address = 0x94cfff0000 | | 1 | ||
| MOD | MAP | module_name = Nameless FileMapping, process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134, address = 0x94cfff0000 | | 1 | ||
| MOD | UNMAP | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\services.exe, os_pid = 0x1ac | | 1 | ||
| FILE | CREATE | | 1 | |||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\driverstore\en-us\acpipagr.inf_loc, desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0 | | 1 | ||
| MOD | CREATE_MAPPING | module_name = Nameless FileMapping | | 1 | ||
| MOD | CREATE_MAPPING | module_name = Nameless FileMapping, file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\driverstore\en-us\acpipagr.inf_loc, maximum_size = 639144024704, protection = PAGE_READONLY | | 1 | ||
| MOD | MAP | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\services.exe, os_pid = 0x1ac, address = 0x94cfff0000 | | 1 | ||
| MOD | MAP | module_name = Nameless FileMapping, process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134, address = 0x94cfff0000 | | 1 | ||
| MOD | UNMAP | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\services.exe, os_pid = 0x1ac | | 1 | ||
| MUTEX | CREATE | | 1 | |||
| MUTEX | CREATE | initial_owner = 0, desired_access = MUTEX_MODIFY_STATE, DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE | | 1 | ||
| FILE | CREATE | | 1 | |||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\acpipagr.pnf, desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, create_disposition = FILE_MAXIMUM_DISPOSITION, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | WRITE | | 1 | |||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\acpipagr.pnf, size = 96 | | 1 | ||
| FILE | WRITE | | 1 | |||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\acpipagr.pnf, size = 22 | | 1 | ||
| FILE | WRITE | | 1 | |||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\acpipagr.pnf, size = 1 | | 1 | ||
| FILE | WRITE | | 1 | |||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\acpipagr.pnf, size = 1 | | 1 | ||
| FILE | WRITE | | 1 | |||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\acpipagr.pnf, size = 12 | | 1 | ||
| FILE | WRITE | | 1 | |||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\acpipagr.pnf, size = 1 | | 1 | ||
| FILE | WRITE | | 1 | |||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\acpipagr.pnf, size = 1 | | 1 | ||
| FILE | WRITE | | 1 | |||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\acpipagr.pnf, size = 1 | | 1 | ||
| FILE | WRITE | | 1 | |||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\acpipagr.pnf, size = 1 | | 1 | ||
| FILE | WRITE | | 1 | |||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\acpipagr.pnf, size = 4972 | | 1 | ||
| FILE | WRITE | | 1 | |||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\acpipagr.pnf, size = 1 | | 1 | ||
| FILE | WRITE | | 1 | |||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\acpipagr.pnf, size = 1 | | 1 | ||
| FILE | WRITE | | 1 | |||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\acpipagr.pnf, size = 1 | | 1 | ||
| FILE | WRITE | | 1 | |||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\acpipagr.pnf, size = 1 | | 1 | ||
| FILE | WRITE | | 1 | |||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\acpipagr.pnf, size = 250 | | 1 | ||
| FILE | WRITE | | 1 | |||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\acpipagr.pnf, size = 1 | | 1 | ||
| FILE | WRITE | | 1 | |||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\acpipagr.pnf, size = 1 | | 1 | ||
| FILE | WRITE | | 1 | |||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\acpipagr.pnf, size = 1 | | 1 | ||
| FILE | WRITE | | 1 | |||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\acpipagr.pnf, size = 1 | | 1 | ||
| FILE | WRITE | | 1 | |||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\acpipagr.pnf, size = 1 | | 1 | ||
| FILE | WRITE | | 1 | |||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\acpipagr.pnf, size = 1 | | 1 | ||
| FILE | WRITE | | 1 | |||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\acpipagr.pnf, size = 208 | | 1 | ||
| FILE | WRITE | | 1 | |||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\acpipagr.pnf, size = 396 | | 1 | ||
| FILE | WRITE | | 1 | |||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\acpipagr.pnf, size = 1 | | 1 | ||
| FILE | WRITE | | 1 | |||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\acpipagr.pnf, size = 1 | | 1 | ||
| FILE | WRITE | | 1 | |||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\acpipagr.pnf, size = 1 | | 1 | ||
| FILE | WRITE | | 1 | |||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\acpipagr.pnf, size = 1 | | 1 | ||
| FILE | WRITE | | 1 | |||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\acpipagr.pnf, size = 420 | | 1 | ||
| FILE | WRITE | | 1 | |||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\acpipagr.pnf, size = 1 | | 1 | ||
| FILE | WRITE | | 1 | |||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\acpipagr.pnf, size = 1 | | 1 | ||
| FILE | WRITE | | 1 | |||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\acpipagr.pnf, size = 1 | | 1 | ||
| FILE | WRITE | | 1 | |||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\acpipagr.pnf, size = 1 | | 1 | ||
| FILE | WRITE | | 1 | |||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\acpipagr.pnf, size = 420 | | 1 | ||
| SYS | SLEEP | | 1 | |||
| SYS | SLEEP | duration = 1 milliseconds (0.001 seconds) | | 1 | ||
| MUTEX | RELEASE | | 1 | |||
| SYS | SLEEP | | 1 | |||
| SYS | SLEEP | duration = 1 milliseconds (0.001 seconds) | | 1 | ||
| SYS | SLEEP | | 1 | |||
| SYS | SLEEP | duration = 1 milliseconds (0.001 seconds) | | 1 | ||
| MUTEX | RELEASE | | 2 | |||
| SYS | SLEEP | | 1 | |||
| SYS | SLEEP | duration = 1 milliseconds (0.001 seconds) | | 1 | ||
| PROC | GET_INFO | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134 | | 1 | ||
| FILE | OPEN | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\, desired_access = FILE_READ_DATA, SYNCHRONIZE, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE, open_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT | | 1 | ||
| PROC | GET_INFO | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134 | | 2 | ||
| FILE | OPEN | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\driverstore\en-us\, desired_access = FILE_READ_DATA, SYNCHRONIZE, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE, open_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT | | 1 | ||
| PROC | GET_INFO | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134 | | 1 | ||
| FILE | CREATE | | 1 | |||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\acpitime.pnf, desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | | 1 | |||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\acpitime.inf, desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0 | | 1 | ||
| MOD | CREATE_MAPPING | module_name = Nameless FileMapping | | 1 | ||
| MOD | CREATE_MAPPING | module_name = Nameless FileMapping, file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\acpitime.inf, maximum_size = 639144024704, protection = PAGE_READONLY | | 1 | ||
| MOD | MAP | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\services.exe, os_pid = 0x1ac, address = 0x94cfff0000 | | 1 | ||
| MOD | MAP | module_name = Nameless FileMapping, process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134, address = 0x94cfff0000 | | 1 | ||
| MOD | UNMAP | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\services.exe, os_pid = 0x1ac | | 1 | ||
| FILE | CREATE | | 1 | |||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\driverstore\en-us\acpitime.inf_loc, desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0 | | 1 | ||
| MOD | CREATE_MAPPING | module_name = Nameless FileMapping | | 1 | ||
| MOD | CREATE_MAPPING | module_name = Nameless FileMapping, file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\driverstore\en-us\acpitime.inf_loc, maximum_size = 639144024704, protection = PAGE_READONLY | | 1 | ||
| MOD | MAP | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\services.exe, os_pid = 0x1ac, address = 0x94cfff0000 | | 1 | ||
| MOD | MAP | module_name = Nameless FileMapping, process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134, address = 0x94cfff0000 | | 1 | ||
| MOD | UNMAP | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\services.exe, os_pid = 0x1ac | | 1 | ||
| MUTEX | CREATE | | 1 | |||
| MUTEX | CREATE | initial_owner = 0, desired_access = MUTEX_MODIFY_STATE, DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE | | 1 | ||
| FILE | CREATE | | 1 | |||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\acpitime.pnf, desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, create_disposition = FILE_MAXIMUM_DISPOSITION, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | WRITE | | 1 | |||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\acpitime.pnf, size = 96 | | 1 | ||
| FILE | WRITE | | 1 | |||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\acpitime.pnf, size = 22 | | 1 | ||
| FILE | WRITE | | 1 | |||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\acpitime.pnf, size = 1 | | 1 | ||
| FILE | WRITE | | 1 | |||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\acpitime.pnf, size = 1 | | 1 | ||
| FILE | WRITE | | 1 | |||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\acpitime.pnf, size = 12 | | 1 | ||
| FILE | WRITE | | 1 | |||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\acpitime.pnf, size = 1 | | 1 | ||
| FILE | WRITE | | 1 | |||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\acpitime.pnf, size = 1 | | 1 | ||
| FILE | WRITE | | 1 | |||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\acpitime.pnf, size = 1 | | 1 | ||
| FILE | WRITE | | 1 | |||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\acpitime.pnf, size = 1 | | 1 | ||
| FILE | WRITE | | 1 | |||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\acpitime.pnf, size = 5448 | | 1 | ||
| FILE | WRITE | | 1 | |||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\acpitime.pnf, size = 250 | | 1 | ||
| FILE | WRITE | | 1 | |||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\acpitime.pnf, size = 1 | | 1 | ||
| FILE | WRITE | | 1 | |||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\acpitime.pnf, size = 1 | | 1 | ||
| FILE | WRITE | | 1 | |||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\acpitime.pnf, size = 1 | | 1 | ||
| FILE | WRITE | | 1 | |||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\acpitime.pnf, size = 1 | | 1 | ||
| FILE | WRITE | | 1 | |||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\acpitime.pnf, size = 1 | | 1 | ||
| FILE | WRITE | | 1 | |||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\acpitime.pnf, size = 1 | | 1 | ||
| FILE | WRITE | | 1 | |||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\acpitime.pnf, size = 208 | | 1 | ||
| FILE | WRITE | | 1 | |||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\acpitime.pnf, size = 444 | | 1 | ||
| FILE | WRITE | | 1 | |||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\acpitime.pnf, size = 1 | | 1 | ||
| FILE | WRITE | | 1 | |||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\acpitime.pnf, size = 1 | | 1 | ||
| FILE | WRITE | | 1 | |||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\acpitime.pnf, size = 1 | | 1 | ||
| FILE | WRITE | | 1 | |||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\acpitime.pnf, size = 1 | | 1 | ||
| FILE | WRITE | | 1 | |||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\acpitime.pnf, size = 468 | | 1 | ||
| FILE | WRITE | | 1 | |||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\acpitime.pnf, size = 1 | | 1 | ||
| FILE | WRITE | | 1 | |||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\acpitime.pnf, size = 1 | | 1 | ||
| FILE | WRITE | | 1 | |||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\acpitime.pnf, size = 1 | | 1 | ||
| FILE | WRITE | | 1 | |||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\acpitime.pnf, size = 1 | | 1 | ||
| FILE | WRITE | | 1 | |||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\acpitime.pnf, size = 468 | | 1 | ||
| SYS | SLEEP | | 1 | |||
| SYS | SLEEP | duration = 1 milliseconds (0.001 seconds) | | 1 | ||
| MUTEX | RELEASE | | 1 | |||
| SYS | SLEEP | | 1 | |||
| SYS | SLEEP | duration = 1 milliseconds (0.001 seconds) | | 1 | ||
| SYS | SLEEP | | 1 | |||
| SYS | SLEEP | duration = 1 milliseconds (0.001 seconds) | | 1 | ||
| MUTEX | RELEASE | | 2 | |||
| SYS | SLEEP | | 1 | |||
| SYS | SLEEP | duration = 1 milliseconds (0.001 seconds) | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = DisplayName | | 1 | ||
| REG | OPEN_KEY | reg_name = \Registry\Machine\SYSTEM\CurrentControlSet\Control\MUI\StringCacheSettings | | 1 | ||
| REG | READ_VALUE | reg_name = \Registry\Machine\SYSTEM\CurrentControlSet\Control\MUI\StringCacheSettings, value_name = StringCacheGeneration | | 1 | ||
| REG | OPEN_KEY | reg_name = \Registry\Machine\SYSTEM\CurrentControlSet\Control\MUI\StringCacheSettings\Software\Classes\Local Settings\MuiCache\1\52C64B7E | | 1 | ||
| REG | CREATE_KEY | reg_name = \Registry\Machine\SYSTEM\CurrentControlSet\Control\MUI\StringCacheSettings\Software\Classes\Local Settings\MuiCache\1\52C64B7E | | 1 | ||
| REG | OPEN_KEY | reg_name = \Registry\Machine\SYSTEM\CurrentControlSet\Control\MUI\StringCacheSettings\Software\Classes\Local Settings\MuiCache | | 1 | ||
| REG | CREATE_KEY | reg_name = \Registry\Machine\SYSTEM\CurrentControlSet\Control\MUI\StringCacheSettings\Software\Classes\Local Settings\MuiCache\1 | | 1 | ||
| REG | OPEN_KEY | reg_name = \Registry\Machine\SYSTEM\CurrentControlSet\Control\MUI\StringCacheSettings\Software\Classes\Local Settings\MuiCache\Software\Classes\Local Settings\MuiCache\1\52C64B7E | | 1 | ||
| REG | CREATE_KEY | reg_name = \Registry\Machine\SYSTEM\CurrentControlSet\Control\MUI\StringCacheSettings\Software\Classes\Local Settings\MuiCache\Software\Classes\Local Settings\MuiCache\1\52C64B7E | | 1 | ||
| REG | WRITE_VALUE | reg_name = \Registry\Machine\SYSTEM\CurrentControlSet\Control\MUI\StringCacheSettings\Software\Classes\Local Settings\MuiCache\Software\Classes\Local Settings\MuiCache\1\52C64B7E, value_name = LanguageList, data = en-US | | 1 | ||
| REG | READ_VALUE | reg_name = \Registry\Machine\SYSTEM\CurrentControlSet\Control\MUI\StringCacheSettings\Software\Classes\Local Settings\MuiCache\Software\Classes\Local Settings\MuiCache\1\52C64B7E, value_name = @%systemroot%\system32\drivers\afd.sys,-1000 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\drivers\afd.sys, desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0 | | 1 | ||
| MOD | CREATE_MAPPING | module_name = Nameless FileMapping, file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\drivers\afd.sys, maximum_size = 0, protection = PAGE_READONLY | | 1 | ||
| MOD | MAP | module_name = Nameless FileMapping, process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134, address = 0xfe90000 | | 1 | ||
| REG | WRITE_VALUE | reg_name = \Registry\Machine\SYSTEM\CurrentControlSet\Control\MUI\StringCacheSettings\Software\Classes\Local Settings\MuiCache\Software\Classes\Local Settings\MuiCache\1\52C64B7E, value_name = @%systemroot%\system32\drivers\afd.sys,-1000, data = Ancillary Function Driver for Winsock | | 1 | ||
| MOD | UNMAP | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134, base_address = 0xfe90000 | | 1 | ||
| PROC | GET_INFO | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134 | | 1 | ||
| FILE | OPEN | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\, desired_access = FILE_READ_DATA, SYNCHRONIZE, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE, open_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT | | 1 | ||
| PROC | GET_INFO | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134 | | 2 | ||
| FILE | OPEN | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\driverstore\en-us\, desired_access = FILE_READ_DATA, SYNCHRONIZE, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE, open_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT | | 1 | ||
| PROC | GET_INFO | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134 | | 1 | ||
| FILE | CREATE | | 1 | |||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\machine.pnf, desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | | 1 | |||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\machine.inf, desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0 | | 1 | ||
| MOD | CREATE_MAPPING | module_name = Nameless FileMapping | | 1 | ||
| MOD | CREATE_MAPPING | module_name = Nameless FileMapping, file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\machine.inf, maximum_size = 639144024704, protection = PAGE_READONLY | | 1 | ||
| MOD | MAP | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\services.exe, os_pid = 0x1ac, address = 0x94d04a0000 | | 1 | ||
| MOD | MAP | module_name = Nameless FileMapping, process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134, address = 0x94d04a0000 | | 1 | ||
| MOD | UNMAP | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\services.exe, os_pid = 0x1ac | | 1 | ||
| FILE | CREATE | | 1 | |||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\driverstore\en-us\machine.inf_loc, desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0 | | 1 | ||
| MOD | CREATE_MAPPING | module_name = Nameless FileMapping | | 1 | ||
| MOD | CREATE_MAPPING | module_name = Nameless FileMapping, file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\driverstore\en-us\machine.inf_loc, maximum_size = 639144024704, protection = PAGE_READONLY | | 1 | ||
| MOD | MAP | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\services.exe, os_pid = 0x1ac, address = 0x94cfff0000 | | 1 | ||
| MOD | MAP | module_name = Nameless FileMapping, process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134, address = 0x94cfff0000 | | 1 | ||
| MOD | UNMAP | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\services.exe, os_pid = 0x1ac | | 1 | ||
| MUTEX | CREATE | | 1 | |||
| MUTEX | CREATE | initial_owner = 0, desired_access = MUTEX_MODIFY_STATE, DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\machine.pnf, desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, create_disposition = FILE_MAXIMUM_DISPOSITION, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | WRITE | | 1 | |||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\machine.pnf, size = 96 | | 1 | ||
| FILE | WRITE | | 1 | |||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\machine.pnf, size = 22 | | 1 | ||
| FILE | WRITE | | 1 | |||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\machine.pnf, size = 1 | | 1 | ||
| FILE | WRITE | | 1 | |||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\machine.pnf, size = 1 | | 1 | ||
| FILE | WRITE | | 1 | |||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\machine.pnf, size = 12 | | 1 | ||
| FILE | WRITE | | 1 | |||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\machine.pnf, size = 1 | | 1 | ||
| FILE | WRITE | | 1 | |||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\machine.pnf, size = 1 | | 1 | ||
| FILE | WRITE | | 1 | |||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\machine.pnf, size = 1 | | 1 | ||
| FILE | WRITE | | 1 | |||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\machine.pnf, size = 1 | | 1 | ||
| FILE | WRITE | | 1 | |||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\machine.pnf, size = 741276 | | 1 | ||
| FILE | WRITE | | 1 | |||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\machine.pnf, size = 1 | | 1 | ||
| FILE | WRITE | | 1 | |||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\machine.pnf, size = 1 | | 1 | ||
| FILE | WRITE | | 1 | |||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\machine.pnf, size = 1 | | 1 | ||
| FILE | WRITE | | 1 | |||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\machine.pnf, size = 1 | | 1 | ||
| FILE | WRITE | | 1 | |||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\machine.pnf, size = 250 | | 1 | ||
| FILE | WRITE | | 1 | |||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\machine.pnf, size = 1 | | 1 | ||
| FILE | WRITE | | 1 | |||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\machine.pnf, size = 1 | | 1 | ||
| FILE | WRITE | | 1 | |||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\machine.pnf, size = 1 | | 1 | ||
| FILE | WRITE | | 1 | |||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\machine.pnf, size = 1 | | 1 | ||
| FILE | WRITE | | 1 | |||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\machine.pnf, size = 1 | | 1 | ||
| FILE | WRITE | | 1 | |||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\machine.pnf, size = 1 | | 1 | ||
| FILE | WRITE | | 1 | |||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\machine.pnf, size = 2176 | | 1 | ||
| FILE | WRITE | | 1 | |||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\machine.pnf, size = 53292 | | 1 | ||
| FILE | WRITE | | 1 | |||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\machine.pnf, size = 1 | | 1 | ||
| FILE | WRITE | | 1 | |||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\machine.pnf, size = 1 | | 1 | ||
| FILE | WRITE | | 1 | |||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\machine.pnf, size = 1 | | 1 | ||
| FILE | WRITE | | 1 | |||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\machine.pnf, size = 1 | | 1 | ||
| FILE | WRITE | | 1 | |||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\machine.pnf, size = 59588 | | 1 | ||
| FILE | WRITE | | 1 | |||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\machine.pnf, size = 1 | | 1 | ||
| FILE | WRITE | | 1 | |||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\machine.pnf, size = 1 | | 1 | ||
| FILE | WRITE | | 1 | |||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\machine.pnf, size = 1 | | 1 | ||
| FILE | WRITE | | 1 | |||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\machine.pnf, size = 1 | | 1 | ||
| FILE | WRITE | | 1 | |||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\machine.pnf, size = 59588 | | 1 | ||
| SYS | SLEEP | | 1 | |||
| SYS | SLEEP | duration = 1 milliseconds (0.001 seconds) | | 1 | ||
| MUTEX | RELEASE | | 1 | |||
| SYS | SLEEP | | 1 | |||
| SYS | SLEEP | duration = 1 milliseconds (0.001 seconds) | | 1 | ||
| SYS | SLEEP | | 1 | |||
| SYS | SLEEP | duration = 1 milliseconds (0.001 seconds) | | 1 | ||
| MUTEX | RELEASE | | 2 | |||
| SYS | SLEEP | | 1 | |||
| SYS | SLEEP | duration = 1 milliseconds (0.001 seconds) | | 1 | ||
| PROC | GET_INFO | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134 | | 1 | ||
| FILE | OPEN | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\, desired_access = FILE_READ_DATA, SYNCHRONIZE, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE, open_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT | | 1 | ||
| PROC | GET_INFO | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134 | | 2 | ||
| FILE | OPEN | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\driverstore\en-us\, desired_access = FILE_READ_DATA, SYNCHRONIZE, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE, open_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT | | 1 | ||
| PROC | GET_INFO | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134 | | 1 | ||
| FILE | CREATE | | 1 | |||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\cpu.pnf, desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | | 1 | |||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\cpu.inf, desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0 | | 1 | ||
| MOD | CREATE_MAPPING | module_name = Nameless FileMapping | | 1 | ||
| MOD | CREATE_MAPPING | module_name = Nameless FileMapping, file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\cpu.inf, maximum_size = 639144024704, protection = PAGE_READONLY | | 1 | ||
| MOD | MAP | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\services.exe, os_pid = 0x1ac, address = 0x94cfff0000 | | 1 | ||
| MOD | MAP | module_name = Nameless FileMapping, process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134, address = 0x94cfff0000 | | 1 | ||
| MOD | UNMAP | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\services.exe, os_pid = 0x1ac | | 1 | ||
| FILE | CREATE | | 1 | |||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\driverstore\en-us\cpu.inf_loc, desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0 | | 1 | ||
| MOD | CREATE_MAPPING | module_name = Nameless FileMapping | | 1 | ||
| MOD | CREATE_MAPPING | module_name = Nameless FileMapping, file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\driverstore\en-us\cpu.inf_loc, maximum_size = 639144024704, protection = PAGE_READONLY | | 1 | ||
| MOD | MAP | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\services.exe, os_pid = 0x1ac, address = 0x94cfff0000 | | 1 | ||
| MOD | MAP | module_name = Nameless FileMapping, process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134, address = 0x94cfff0000 | | 1 | ||
| MOD | UNMAP | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\services.exe, os_pid = 0x1ac | | 1 | ||
| MUTEX | CREATE | | 1 | |||
| MUTEX | CREATE | initial_owner = 0, desired_access = MUTEX_MODIFY_STATE, DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE | | 1 | ||
| FILE | CREATE | | 1 | |||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\cpu.pnf, desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, create_disposition = FILE_MAXIMUM_DISPOSITION, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | WRITE | | 1 | |||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\cpu.pnf, size = 96 | | 1 | ||
| FILE | WRITE | | 1 | |||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\cpu.pnf, size = 22 | | 1 | ||
| FILE | WRITE | | 1 | |||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\cpu.pnf, size = 1 | | 1 | ||
| FILE | WRITE | | 1 | |||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\cpu.pnf, size = 1 | | 1 | ||
| FILE | WRITE | | 1 | |||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\cpu.pnf, size = 12 | | 1 | ||
| FILE | WRITE | | 1 | |||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\cpu.pnf, size = 1 | | 1 | ||
| FILE | WRITE | | 1 | |||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\cpu.pnf, size = 1 | | 1 | ||
| FILE | WRITE | | 1 | |||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\cpu.pnf, size = 1 | | 1 | ||
| FILE | WRITE | | 1 | |||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\cpu.pnf, size = 1 | | 1 | ||
| FILE | WRITE | | 1 | |||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\cpu.pnf, size = 17988 | | 1 | ||
| FILE | WRITE | | 1 | |||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\cpu.pnf, size = 1 | | 1 | ||
| FILE | WRITE | | 1 | |||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\cpu.pnf, size = 1 | | 1 | ||
| FILE | WRITE | | 1 | |||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\cpu.pnf, size = 1 | | 1 | ||
| FILE | WRITE | | 1 | |||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\cpu.pnf, size = 1 | | 1 | ||
| FILE | WRITE | | 1 | |||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\cpu.pnf, size = 256 | | 1 | ||
| FILE | WRITE | | 1 | |||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\cpu.pnf, size = 848 | | 1 | ||
| FILE | WRITE | | 1 | |||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\cpu.pnf, size = 2304 | | 1 | ||
| FILE | WRITE | | 1 | |||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\cpu.pnf, size = 2756 | | 1 | ||
| FILE | WRITE | | 1 | |||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\cpu.pnf, size = 1 | | 1 | ||
| FILE | WRITE | | 1 | |||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\cpu.pnf, size = 1 | | 1 | ||
| FILE | WRITE | | 1 | |||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\cpu.pnf, size = 1 | | 1 | ||
| FILE | WRITE | | 1 | |||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\cpu.pnf, size = 1 | | 1 | ||
| FILE | WRITE | | 1 | |||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\cpu.pnf, size = 2756 | | 1 | ||
| SYS | SLEEP | | 1 | |||
| SYS | SLEEP | duration = 1 milliseconds (0.001 seconds) | | 1 | ||
| MUTEX | RELEASE | | 1 | |||
| SYS | SLEEP | | 1 | |||
| SYS | SLEEP | duration = 1 milliseconds (0.001 seconds) | | 1 | ||
| SYS | SLEEP | | 1 | |||
| SYS | SLEEP | duration = 1 milliseconds (0.001 seconds) | | 1 | ||
| MUTEX | RELEASE | | 2 | |||
| SYS | SLEEP | | 1 | |||
| SYS | SLEEP | duration = 1 milliseconds (0.001 seconds) | | 1 | ||
| PROC | GET_INFO | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134 | | 1 | ||
| FILE | OPEN | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\, desired_access = FILE_READ_DATA, SYNCHRONIZE, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE, open_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT | | 1 | ||
| PROC | GET_INFO | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134 | | 2 | ||
| FILE | OPEN | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\driverstore\en-us\, desired_access = FILE_READ_DATA, SYNCHRONIZE, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE, open_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT | | 1 | ||
| PROC | GET_INFO | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134 | | 1 | ||
| FILE | CREATE | | 1 | |||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\cpu.pnf, desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0 | | 1 | ||
| MOD | CREATE_MAPPING | module_name = Nameless FileMapping | | 1 | ||
| MOD | CREATE_MAPPING | module_name = Nameless FileMapping, file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\cpu.pnf, maximum_size = 639144024192, protection = PAGE_READONLY | | 1 | ||
| MOD | MAP | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\services.exe, os_pid = 0x1ac, address = 0x94cfff0000 | | 1 | ||
| MOD | MAP | module_name = Nameless FileMapping, process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134, address = 0x94cfff0000 | | 1 | ||
| REG | OPEN_KEY | reg_name = Control Panel\International | | 1 | ||
| REG | READ_VALUE | reg_name = Control Panel\International | | 1 | ||
| REG | READ_VALUE | reg_name = Control Panel\International | | 1 | ||
| REG | READ_VALUE | reg_name = Control Panel\International, value_name = sCurrencyOverride | | 1 | ||
| MUTEX | CREATE | | 1 | |||
| MUTEX | CREATE | initial_owner = 0, desired_access = MUTEX_MODIFY_STATE, DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE | | 1 | ||
| SYS | SLEEP | | 1 | |||
| SYS | SLEEP | duration = 1 milliseconds (0.001 seconds) | | 1 | ||
| MUTEX | RELEASE | | 1 | |||
| SYS | SLEEP | | 1 | |||
| SYS | SLEEP | duration = 1 milliseconds (0.001 seconds) | | 1 | ||
| SYS | SLEEP | | 1 | |||
| SYS | SLEEP | duration = 1 milliseconds (0.001 seconds) | | 1 | ||
| MUTEX | RELEASE | | 2 | |||
| SYS | SLEEP | | 1 | |||
| SYS | SLEEP | duration = 1 milliseconds (0.001 seconds) | | 1 | ||
| MOD | UNMAP | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\services.exe, os_pid = 0x1ac | | 1 | ||
| PROC | GET_INFO | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134 | | 1 | ||
| FILE | OPEN | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\, desired_access = FILE_READ_DATA, SYNCHRONIZE, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE, open_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT | | 1 | ||
| PROC | GET_INFO | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134 | | 2 | ||
| FILE | OPEN | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\driverstore\en-us\, desired_access = FILE_READ_DATA, SYNCHRONIZE, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE, open_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT | | 1 | ||
| PROC | GET_INFO | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134 | | 1 | ||
| FILE | CREATE | | 1 | |||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\arcsas.pnf, desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | | 1 | |||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\arcsas.inf, desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0 | | 1 | ||
| MOD | CREATE_MAPPING | module_name = Nameless FileMapping | | 1 | ||
| MOD | CREATE_MAPPING | module_name = Nameless FileMapping, file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\arcsas.inf, maximum_size = 639144024704, protection = PAGE_READONLY | | 1 | ||
| MOD | MAP | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\services.exe, os_pid = 0x1ac, address = 0x94cfff0000 | | 1 | ||
| MOD | MAP | module_name = Nameless FileMapping, process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134, address = 0x94cfff0000 | | 1 | ||
| MOD | UNMAP | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\services.exe, os_pid = 0x1ac | | 1 | ||
| FILE | CREATE | | 1 | |||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\driverstore\en-us\arcsas.inf_loc, desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0 | | 1 | ||
| MOD | CREATE_MAPPING | module_name = Nameless FileMapping | | 1 | ||
| MOD | CREATE_MAPPING | module_name = Nameless FileMapping, file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\driverstore\en-us\arcsas.inf_loc, maximum_size = 639144024704, protection = PAGE_READONLY | | 1 | ||
| MOD | MAP | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\services.exe, os_pid = 0x1ac, address = 0x94cfff0000 | | 1 | ||
| MOD | MAP | module_name = Nameless FileMapping, process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134, address = 0x94cfff0000 | | 1 | ||
| MOD | UNMAP | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\services.exe, os_pid = 0x1ac | | 1 | ||
| MUTEX | CREATE | | 1 | |||
| MUTEX | CREATE | initial_owner = 0, desired_access = MUTEX_MODIFY_STATE, DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE | | 1 | ||
| FILE | CREATE | | 1 | |||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\arcsas.pnf, desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, create_disposition = FILE_MAXIMUM_DISPOSITION, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | WRITE | | 1 | |||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\arcsas.pnf, size = 96 | | 1 | ||
| FILE | WRITE | | 1 | |||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\arcsas.pnf, size = 22 | | 1 | ||
| FILE | WRITE | | 1 | |||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\arcsas.pnf, size = 1 | | 1 | ||
| FILE | WRITE | | 1 | |||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\arcsas.pnf, size = 1 | | 1 | ||
| FILE | WRITE | | 1 | |||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\arcsas.pnf, size = 12 | | 1 | ||
| FILE | WRITE | | 1 | |||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\arcsas.pnf, size = 1 | | 1 | ||
| FILE | WRITE | | 1 | |||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\arcsas.pnf, size = 1 | | 1 | ||
| FILE | WRITE | | 1 | |||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\arcsas.pnf, size = 1 | | 1 | ||
| FILE | WRITE | | 1 | |||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\arcsas.pnf, size = 1 | | 1 | ||
| FILE | WRITE | | 1 | |||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\arcsas.pnf, size = 43384 | | 1 | ||
| FILE | WRITE | | 1 | |||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\arcsas.pnf, size = 256 | | 1 | ||
| FILE | WRITE | | 1 | |||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\arcsas.pnf, size = 368 | | 1 | ||
| FILE | WRITE | | 1 | |||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\arcsas.pnf, size = 5052 | | 1 | ||
| FILE | WRITE | | 1 | |||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\arcsas.pnf, size = 1 | | 1 | ||
| FILE | WRITE | | 1 | |||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\arcsas.pnf, size = 1 | | 1 | ||
| FILE | WRITE | | 1 | |||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\arcsas.pnf, size = 1 | | 1 | ||
| FILE | WRITE | | 1 | |||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\arcsas.pnf, size = 1 | | 1 | ||
| FILE | WRITE | | 1 | |||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\arcsas.pnf, size = 5840 | | 1 | ||
| FILE | WRITE | | 1 | |||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\arcsas.pnf, size = 5840 | | 1 | ||
| SYS | SLEEP | | 1 | |||
| SYS | SLEEP | duration = 1 milliseconds (0.001 seconds) | | 1 | ||
| MUTEX | RELEASE | | 1 | |||
| SYS | SLEEP | | 1 | |||
| SYS | SLEEP | duration = 1 milliseconds (0.001 seconds) | | 1 | ||
| SYS | SLEEP | | 1 | |||
| SYS | SLEEP | duration = 1 milliseconds (0.001 seconds) | | 1 | ||
| MUTEX | RELEASE | | 2 | |||
| SYS | SLEEP | | 1 | |||
| SYS | SLEEP | duration = 1 milliseconds (0.001 seconds) | | 1 | ||
| PROC | GET_INFO | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134 | | 1 | ||
| FILE | OPEN | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\, desired_access = FILE_READ_DATA, SYNCHRONIZE, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE, open_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT | | 1 | ||
| PROC | GET_INFO | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134 | | 2 | ||
| FILE | OPEN | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\driverstore\en-us\, desired_access = FILE_READ_DATA, SYNCHRONIZE, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE, open_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT | | 1 | ||
| PROC | GET_INFO | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134 | | 1 | ||
| FILE | CREATE | | 1 | |||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\mshdc.pnf, desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | | 1 | |||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\mshdc.inf, desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0 | | 1 | ||
| MOD | CREATE_MAPPING | module_name = Nameless FileMapping | | 1 | ||
| MOD | CREATE_MAPPING | module_name = Nameless FileMapping, file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\mshdc.inf, maximum_size = 639144024704, protection = PAGE_READONLY | | 1 | ||
| MOD | MAP | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\services.exe, os_pid = 0x1ac, address = 0x94cfff0000 | | 1 | ||
| MOD | MAP | module_name = Nameless FileMapping, process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134, address = 0x94cfff0000 | | 1 | ||
| MOD | UNMAP | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\services.exe, os_pid = 0x1ac | | 1 | ||
| FILE | CREATE | | 1 | |||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\driverstore\en-us\mshdc.inf_loc, desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0 | | 1 | ||
| MOD | CREATE_MAPPING | module_name = Nameless FileMapping | | 1 | ||
| MOD | CREATE_MAPPING | module_name = Nameless FileMapping, file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\driverstore\en-us\mshdc.inf_loc, maximum_size = 639144024704, protection = PAGE_READONLY | | 1 | ||
| MOD | MAP | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\services.exe, os_pid = 0x1ac, address = 0x94cfff0000 | | 1 | ||
| MOD | MAP | module_name = Nameless FileMapping, process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134, address = 0x94cfff0000 | | 1 | ||
| MOD | UNMAP | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\services.exe, os_pid = 0x1ac | | 1 | ||
| MUTEX | CREATE | | 1 | |||
| MUTEX | CREATE | initial_owner = 0, desired_access = MUTEX_MODIFY_STATE, DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE | | 1 | ||
| FILE | CREATE | | 1 | |||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\mshdc.pnf, desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, create_disposition = FILE_MAXIMUM_DISPOSITION, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | WRITE | | 1 | |||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\mshdc.pnf, size = 96 | | 1 | ||
| FILE | WRITE | | 1 | |||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\mshdc.pnf, size = 22 | | 1 | ||
| FILE | WRITE | | 1 | |||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\mshdc.pnf, size = 1 | | 1 | ||
| FILE | WRITE | | 1 | |||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\mshdc.pnf, size = 1 | | 1 | ||
| FILE | WRITE | | 1 | |||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\mshdc.pnf, size = 12 | | 1 | ||
| FILE | WRITE | | 1 | |||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\mshdc.pnf, size = 1 | | 1 | ||
| FILE | WRITE | | 1 | |||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\mshdc.pnf, size = 1 | | 1 | ||
| FILE | WRITE | | 1 | |||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\mshdc.pnf, size = 1 | | 1 | ||
| FILE | WRITE | | 1 | |||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\mshdc.pnf, size = 1 | | 1 | ||
| FILE | WRITE | | 1 | |||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\mshdc.pnf, size = 48332 | | 1 | ||
| FILE | WRITE | | 1 | |||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\mshdc.pnf, size = 1 | | 1 | ||
| FILE | WRITE | | 1 | |||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\mshdc.pnf, size = 1 | | 1 | ||
| FILE | WRITE | | 1 | |||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\mshdc.pnf, size = 1 | | 1 | ||
| FILE | WRITE | | 1 | |||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\mshdc.pnf, size = 1 | | 1 | ||
| FILE | WRITE | | 1 | |||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\mshdc.pnf, size = 244 | | 1 | ||
| FILE | WRITE | | 1 | |||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\mshdc.pnf, size = 1 | | 1 | ||
| FILE | WRITE | | 1 | |||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\mshdc.pnf, size = 1 | | 1 | ||
| FILE | WRITE | | 1 | |||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\mshdc.pnf, size = 1 | | 1 | ||
| FILE | WRITE | | 1 | |||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\mshdc.pnf, size = 1 | | 1 | ||
| FILE | WRITE | | 1 | |||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\mshdc.pnf, size = 1312 | | 1 | ||
| FILE | WRITE | | 1 | |||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\mshdc.pnf, size = 5736 | | 1 | ||
| FILE | WRITE | | 1 | |||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\mshdc.pnf, size = 6928 | | 1 | ||
| FILE | WRITE | | 1 | |||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\mshdc.pnf, size = 6928 | | 1 | ||
| SYS | SLEEP | | 1 | |||
| SYS | SLEEP | duration = 1 milliseconds (0.001 seconds) | | 1 | ||
| MUTEX | RELEASE | | 1 | |||
| SYS | SLEEP | | 1 | |||
| SYS | SLEEP | duration = 1 milliseconds (0.001 seconds) | | 1 | ||
| SYS | SLEEP | | 1 | |||
| SYS | SLEEP | duration = 1 milliseconds (0.001 seconds) | | 1 | ||
| MUTEX | RELEASE | | 2 | |||
| SYS | SLEEP | | 1 | |||
| SYS | SLEEP | duration = 1 milliseconds (0.001 seconds) | | 1 | ||
| PROC | GET_INFO | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134 | | 1 | ||
| FILE | OPEN | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\, desired_access = FILE_READ_DATA, SYNCHRONIZE, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE, open_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT | | 1 | ||
| PROC | GET_INFO | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134 | | 2 | ||
| FILE | OPEN | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\driverstore\en-us\, desired_access = FILE_READ_DATA, SYNCHRONIZE, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE, open_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT | | 1 | ||
| PROC | GET_INFO | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134 | | 1 | ||
| FILE | CREATE | | 1 | |||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\netbvbda.pnf, desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | | 1 | |||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\netbvbda.inf, desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0 | | 1 | ||
| MOD | CREATE_MAPPING | module_name = Nameless FileMapping | | 1 | ||
| MOD | CREATE_MAPPING | module_name = Nameless FileMapping, file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\netbvbda.inf, maximum_size = 639144024704, protection = PAGE_READONLY | | 1 | ||
| MOD | MAP | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\services.exe, os_pid = 0x1ac, address = 0x94cfff0000 | | 1 | ||
| MOD | MAP | module_name = Nameless FileMapping, process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134, address = 0x94cfff0000 | | 1 | ||
| MOD | UNMAP | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\services.exe, os_pid = 0x1ac | | 1 | ||
| FILE | CREATE | | 1 | |||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\driverstore\en-us\netbvbda.inf_loc, desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0 | | 1 | ||
| MOD | CREATE_MAPPING | module_name = Nameless FileMapping | | 1 | ||
| MOD | CREATE_MAPPING | module_name = Nameless FileMapping, file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\driverstore\en-us\netbvbda.inf_loc, maximum_size = 639144024704, protection = PAGE_READONLY | | 1 | ||
| MOD | MAP | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\services.exe, os_pid = 0x1ac, address = 0x94cfff0000 | | 1 | ||
| MOD | MAP | module_name = Nameless FileMapping, process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134, address = 0x94cfff0000 | | 1 | ||
| MOD | UNMAP | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\services.exe, os_pid = 0x1ac | | 1 | ||
| MUTEX | CREATE | | 1 | |||
| MUTEX | CREATE | initial_owner = 0, desired_access = MUTEX_MODIFY_STATE, DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE | | 1 | ||
| FILE | CREATE | | 1 | |||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\netbvbda.pnf, desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, create_disposition = FILE_MAXIMUM_DISPOSITION, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | WRITE | | 1 | |||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\netbvbda.pnf, size = 96 | | 1 | ||
| FILE | WRITE | | 1 | |||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\netbvbda.pnf, size = 22 | | 1 | ||
| FILE | WRITE | | 1 | |||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\netbvbda.pnf, size = 1 | | 1 | ||
| FILE | WRITE | | 1 | |||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\netbvbda.pnf, size = 1 | | 1 | ||
| FILE | WRITE | | 1 | |||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\netbvbda.pnf, size = 12 | | 1 | ||
| FILE | WRITE | | 1 | |||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\netbvbda.pnf, size = 1 | | 1 | ||
| FILE | WRITE | | 1 | |||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\netbvbda.pnf, size = 1 | | 1 | ||
| FILE | WRITE | | 1 | |||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\netbvbda.pnf, size = 1 | | 1 | ||
| FILE | WRITE | | 1 | |||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\netbvbda.pnf, size = 1 | | 1 | ||
| FILE | WRITE | | 1 | |||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\netbvbda.pnf, size = 8044 | | 1 | ||
| FILE | WRITE | | 1 | |||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\netbvbda.pnf, size = 1 | | 1 | ||
| FILE | WRITE | | 1 | |||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\netbvbda.pnf, size = 1 | | 1 | ||
| FILE | WRITE | | 1 | |||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\netbvbda.pnf, size = 1 | | 1 | ||
| FILE | WRITE | | 1 | |||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\netbvbda.pnf, size = 1 | | 1 | ||
| FILE | WRITE | | 1 | |||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\netbvbda.pnf, size = 250 | | 1 | ||
| FILE | WRITE | | 1 | |||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\netbvbda.pnf, size = 1 | | 1 | ||
| FILE | WRITE | | 1 | |||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\netbvbda.pnf, size = 1 | | 1 | ||
| FILE | WRITE | | 1 | |||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\netbvbda.pnf, size = 1 | | 1 | ||
| FILE | WRITE | | 1 | |||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\netbvbda.pnf, size = 1 | | 1 | ||
| FILE | WRITE | | 1 | |||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\netbvbda.pnf, size = 1 | | 1 | ||
| FILE | WRITE | | 1 | |||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\netbvbda.pnf, size = 1 | | 1 | ||
| FILE | WRITE | | 1 | |||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\netbvbda.pnf, size = 544 | | 1 | ||
| FILE | WRITE | | 1 | |||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\netbvbda.pnf, size = 1068 | | 1 | ||
| FILE | WRITE | | 1 | |||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\netbvbda.pnf, size = 1 | | 1 | ||
| FILE | WRITE | | 1 | |||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\netbvbda.pnf, size = 1 | | 1 | ||
| FILE | WRITE | | 1 | |||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\netbvbda.pnf, size = 1 | | 1 | ||
| FILE | WRITE | | 1 | |||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\netbvbda.pnf, size = 1 | | 1 | ||
| FILE | WRITE | | 1 | |||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\netbvbda.pnf, size = 1268 | | 1 | ||
| FILE | WRITE | | 1 | |||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\netbvbda.pnf, size = 1 | | 1 | ||
| FILE | WRITE | | 1 | |||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\netbvbda.pnf, size = 1 | | 1 | ||
| FILE | WRITE | | 1 | |||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\netbvbda.pnf, size = 1 | | 1 | ||
| FILE | WRITE | | 1 | |||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\netbvbda.pnf, size = 1 | | 1 | ||
| FILE | WRITE | | 1 | |||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\netbvbda.pnf, size = 1268 | | 1 | ||
| SYS | SLEEP | | 1 | |||
| SYS | SLEEP | duration = 1 milliseconds (0.001 seconds) | | 1 | ||
| MUTEX | RELEASE | | 1 | |||
| SYS | SLEEP | | 1 | |||
| SYS | SLEEP | duration = 1 milliseconds (0.001 seconds) | | 1 | ||
| SYS | SLEEP | | 1 | |||
| SYS | SLEEP | duration = 1 milliseconds (0.001 seconds) | | 1 | ||
| MUTEX | RELEASE | | 2 | |||
| SYS | SLEEP | | 1 | |||
| SYS | SLEEP | duration = 1 milliseconds (0.001 seconds) | | 1 | ||
| PROC | GET_INFO | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134 | | 1 | ||
| FILE | OPEN | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\, desired_access = FILE_READ_DATA, SYNCHRONIZE, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE, open_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT | | 1 | ||
| PROC | GET_INFO | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134 | | 2 | ||
| FILE | OPEN | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\driverstore\en-us\, desired_access = FILE_READ_DATA, SYNCHRONIZE, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE, open_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT | | 1 | ||
| PROC | GET_INFO | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134 | | 1 | ||
| FILE | CREATE | | 1 | |||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\bcmfn2.pnf, desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | | 1 | |||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\bcmfn2.inf, desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0 | | 1 | ||
| MOD | CREATE_MAPPING | module_name = Nameless FileMapping | | 1 | ||
| MOD | CREATE_MAPPING | module_name = Nameless FileMapping, file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\bcmfn2.inf, maximum_size = 639144024704, protection = PAGE_READONLY | | 1 | ||
| MOD | MAP | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\services.exe, os_pid = 0x1ac, address = 0x94cfff0000 | | 1 | ||
| MOD | MAP | module_name = Nameless FileMapping, process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134, address = 0x94cfff0000 | | 1 | ||
| MOD | UNMAP | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\services.exe, os_pid = 0x1ac | | 1 | ||
| FILE | CREATE | | 1 | |||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\driverstore\en-us\bcmfn2.inf_loc, desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0 | | 1 | ||
| MOD | CREATE_MAPPING | module_name = Nameless FileMapping | | 1 | ||
| MOD | CREATE_MAPPING | module_name = Nameless FileMapping, file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\driverstore\en-us\bcmfn2.inf_loc, maximum_size = 639144024704, protection = PAGE_READONLY | | 1 | ||
| MOD | MAP | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\services.exe, os_pid = 0x1ac, address = 0x94cfff0000 | | 1 | ||
| MOD | MAP | module_name = Nameless FileMapping, process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134, address = 0x94cfff0000 | | 1 | ||
| MOD | UNMAP | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\services.exe, os_pid = 0x1ac | | 1 | ||
| MUTEX | CREATE | | 1 | |||
| MUTEX | CREATE | initial_owner = 0, desired_access = MUTEX_MODIFY_STATE, DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE | | 1 | ||
| FILE | CREATE | | 1 | |||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\bcmfn2.pnf, desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, create_disposition = FILE_MAXIMUM_DISPOSITION, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | WRITE | | 1 | |||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\bcmfn2.pnf, size = 96 | | 1 | ||
| FILE | WRITE | | 1 | |||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\bcmfn2.pnf, size = 22 | | 1 | ||
| FILE | WRITE | | 1 | |||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\bcmfn2.pnf, size = 1 | | 1 | ||
| FILE | WRITE | | 1 | |||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\bcmfn2.pnf, size = 1 | | 1 | ||
| FILE | WRITE | | 1 | |||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\bcmfn2.pnf, size = 12 | | 1 | ||
| FILE | WRITE | | 1 | |||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\bcmfn2.pnf, size = 1 | | 1 | ||
| FILE | WRITE | | 1 | |||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\bcmfn2.pnf, size = 1 | | 1 | ||
| FILE | WRITE | | 1 | |||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\bcmfn2.pnf, size = 1 | | 1 | ||
| FILE | WRITE | | 1 | |||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\bcmfn2.pnf, size = 1 | | 1 | ||
| FILE | WRITE | | 1 | |||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\bcmfn2.pnf, size = 5004 | | 1 | ||
| FILE | WRITE | | 1 | |||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\bcmfn2.pnf, size = 1 | | 1 | ||
| FILE | WRITE | | 1 | |||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\bcmfn2.pnf, size = 1 | | 1 | ||
| FILE | WRITE | | 1 | |||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\bcmfn2.pnf, size = 1 | | 1 | ||
| FILE | WRITE | | 1 | |||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\bcmfn2.pnf, size = 1 | | 1 | ||
| FILE | WRITE | | 1 | |||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\bcmfn2.pnf, size = 250 | | 1 | ||
| FILE | WRITE | | 1 | |||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\bcmfn2.pnf, size = 1 | | 1 | ||
| FILE | WRITE | | 1 | |||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\bcmfn2.pnf, size = 1 | | 1 | ||
| FILE | WRITE | | 1 | |||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\bcmfn2.pnf, size = 1 | | 1 | ||
| FILE | WRITE | | 1 | |||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\bcmfn2.pnf, size = 1 | | 1 | ||
| FILE | WRITE | | 1 | |||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\bcmfn2.pnf, size = 1 | | 1 | ||
| FILE | WRITE | | 1 | |||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\bcmfn2.pnf, size = 1 | | 1 | ||
| FILE | WRITE | | 1 | |||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\bcmfn2.pnf, size = 208 | | 1 | ||
| FILE | WRITE | | 1 | |||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\bcmfn2.pnf, size = 432 | | 1 | ||
| FILE | WRITE | | 1 | |||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\bcmfn2.pnf, size = 484 | | 1 | ||
| FILE | WRITE | | 1 | |||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\bcmfn2.pnf, size = 1 | | 1 | ||
| FILE | WRITE | | 1 | |||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\bcmfn2.pnf, size = 1 | | 1 | ||
| FILE | WRITE | | 1 | |||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\bcmfn2.pnf, size = 1 | | 1 | ||
| FILE | WRITE | | 1 | |||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\bcmfn2.pnf, size = 1 | | 1 | ||
| FILE | WRITE | | 1 | |||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\bcmfn2.pnf, size = 484 | | 1 | ||
| SYS | SLEEP | | 1 | |||
| SYS | SLEEP | duration = 1 milliseconds (0.001 seconds) | | 1 | ||
| MUTEX | RELEASE | | 1 | |||
| SYS | SLEEP | | 1 | |||
| For performance reasons, the remaining 9069 entries are omitted. Click to download all 10069 entries as text file (6.98 MB). | ||||||
| Category | Operation | Information | Success | Amount | Logfile |
|---|---|---|---|---|---|
| DRV | CONTROL | control_code = 0x110008 | | 1 | |
| SVC | OPEN_MGR | database_name = SERVICES_ACTIVE_DATABASE, host = Localhost | | 1 | |
| SVC | OPEN | | 1 | ||
| PROC | GET_INFO | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134 | | 1 | |
| REG | READ_VALUE | value_name = SQMServiceList | | 1 | |
| SVC | GET_INFO | type = Status | | 1 | |
| SYS | SLEEP | | 1 | ||
| SYS | SLEEP | duration = 639153338176 milliseconds (639153338.176 seconds) | | 1 | |
| SVC | GET_INFO | type = Status | | 1 | |
| SYS | SLEEP | | 1 | ||
| SYS | SLEEP | duration = 639153338176 milliseconds (639153338.176 seconds) | | 1 | |
| SVC | GET_INFO | type = Status | | 1 | |
| SYS | SLEEP | | 1 | ||
| SYS | SLEEP | duration = 639153338176 milliseconds (639153338.176 seconds) | | 1 | |
| SVC | GET_INFO | type = Status | | 1 | |
| SYS | SLEEP | | 1 | ||
| SYS | SLEEP | duration = 639153338176 milliseconds (639153338.176 seconds) | | 1 |
| Category | Operation | Information | Success | Amount | Logfile |
|---|---|---|---|---|---|
| DRV | CONTROL | control_code = 0x110008 | | 1 | |
| PROC | GET_INFO | | 1 | ||
| MOD | GET_HANDLE | module_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\services.exe | | 1 | |
| REG | OPEN_KEY | reg_name = \Registry\Machine\Software\Microsoft\Windows\Windows Error Reporting\WMR | | 1 | |
| REG | READ_VALUE | reg_name = \Registry\Machine\Software\Microsoft\Windows\Windows Error Reporting\WMR, value_name = Disable | | 1 | |
| PROC | GET_INFO | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134 | | 1 | |
| MOD | GET_HANDLE | module_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\services.exe | | 2 | |
| PROC | GET_INFO | reg_name = \Registry\MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide | | 1 | |
| MOD | GET_HANDLE | module_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\services.exe | | 2 | |
| SYS | SLEEP | | 1 | ||
| SYS | SLEEP | duration = 1 milliseconds (0.001 seconds) | | 1 | |
| SYS | SLEEP | | 1 | ||
| SYS | SLEEP | duration = 1 milliseconds (0.001 seconds) | | 1 | |
| PROC | GET_INFO | reg_name = \Registry\MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide | | 1 | |
| SYS | SLEEP | | 1 | ||
| SYS | SLEEP | duration = 1 milliseconds (0.001 seconds) | | 1 | |
| SYS | SLEEP | | 1 | ||
| SYS | SLEEP | duration = 1 milliseconds (0.001 seconds) | | 1 |
| Category | Operation | Information | Success | Amount | Logfile |
|---|---|---|---|---|---|
| MOD | GET_HANDLE | module_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\services.exe | | 2 |
| Category | Operation | Information | Success | Amount | Logfile |
|---|---|---|---|---|---|
| MOD | GET_HANDLE | module_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\services.exe | | 1 |
| Information | Value |
|---|---|
| ID / OS PID | #11 / 0x1b4 |
| OS Parent PID | 0x164 (c:\windows\system32\csrss.exe) |
| Initial Working Directory | X:\windows\system32 |
| File Name | \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\lsass.exe |
| Command Line | X:\windows\system32\lsass.exe -setup |
| Monitor | Start Time: 00:01:36, Reason: Child Process |
| Unmonitor | End Time: 00:02:07, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:31 |
| OS Thread IDs | #69 0x1B8 #71 0x1C0 #72 0x1C4 #73 0x1C8 #74 0x1CC #75 0x1D0 #76 0x1D4 #77 0x1D8 #78 0x1DC #79 0x1E0 #80 0x1E4 |
| Name | Start VA | End VA | Type | Permissions | Monitored | Dump |
|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable | | |
| private_0x0000006b29a30000 | 0x6b29a30000 | 0x6b29a4ffff | Private Memory | Readable, Writable | | |
| pagefile_0x0000006b29a30000 | 0x6b29a30000 | 0x6b29a3ffff | Pagefile Backed File | Readable, Writable | | |
| pagefile_0x0000006b29a40000 | 0x6b29a40000 | 0x6b29a40fff | Pagefile Backed File | Readable, Writable | | |
| pagefile_0x0000006b29a50000 | 0x6b29a50000 | 0x6b29a5efff | Pagefile Backed File | Readable | | |
| private_0x0000006b29a60000 | 0x6b29a60000 | 0x6b29adffff | Private Memory | Readable, Writable | | |
| pagefile_0x0000006b29ae0000 | 0x6b29ae0000 | 0x6b29ae3fff | Pagefile Backed File | Readable | | |
| pagefile_0x0000006b29af0000 | 0x6b29af0000 | 0x6b29af0fff | Pagefile Backed File | Readable | | |
| private_0x0000006b29b00000 | 0x6b29b00000 | 0x6b29b01fff | Private Memory | Readable, Writable | | |
| private_0x0000006b29b10000 | 0x6b29b10000 | 0x6b29c0ffff | Private Memory | Readable, Writable | | |
| locale.nls | 0x6b29c10000 | 0x6b29c8dfff | Memory Mapped File | Readable | | |
| private_0x0000006b29c90000 | 0x6b29c90000 | 0x6b29d0ffff | Private Memory | Readable, Writable | | |
| private_0x0000006b29d10000 | 0x6b29d10000 | 0x6b29d16fff | Private Memory | Readable, Writable | | |
| private_0x0000006b29d20000 | 0x6b29d20000 | 0x6b29d2ffff | Private Memory | Readable, Writable | | |
| private_0x0000006b29d30000 | 0x6b29d30000 | 0x6b29d36fff | Private Memory | Readable, Writable | | |
| private_0x0000006b29d40000 | 0x6b29d40000 | 0x6b29dbffff | Private Memory | Readable, Writable | | |
| pagefile_0x0000006b29dc0000 | 0x6b29dc0000 | 0x6b29dcffff | Pagefile Backed File | Readable, Writable | | |
| pagefile_0x0000006b29dd0000 | 0x6b29dd0000 | 0x6b29ddffff | Pagefile Backed File | Readable, Writable | | |
| private_0x0000006b29de0000 | 0x6b29de0000 | 0x6b29e5ffff | Private Memory | Readable, Writable | | |
| private_0x0000006b29e60000 | 0x6b29e60000 | 0x6b29edffff | Private Memory | Readable, Writable | | |
| lsasrv.dll.mui | 0x6b29ee0000 | 0x6b29eeafff | Memory Mapped File | Readable | | |
| pagefile_0x0000006b29ef0000 | 0x6b29ef0000 | 0x6b29efffff | Pagefile Backed File | Readable, Writable | | |
| sortdefault.nls | 0x6b29f00000 | 0x6b2a1d4fff | Memory Mapped File | Readable | | |
| c_28591.nls | 0x6b2a1e0000 | 0x6b2a1f0fff | Memory Mapped File | Readable | | |
| private_0x0000006b2a200000 | 0x6b2a200000 | 0x6b2a200fff | Private Memory | Readable, Writable | | |
| private_0x0000006b2a210000 | 0x6b2a210000 | 0x6b2a28ffff | Private Memory | Readable, Writable | | |
| private_0x0000006b2a290000 | 0x6b2a290000 | 0x6b2a290fff | Private Memory | Readable, Writable | | |
| private_0x0000006b2a2a0000 | 0x6b2a2a0000 | 0x6b2a2a0fff | Private Memory | Readable, Writable | | |
| private_0x0000006b2a2b0000 | 0x6b2a2b0000 | 0x6b2a2b0fff | Private Memory | Readable, Writable | | |
| private_0x0000006b2a2c0000 | 0x6b2a2c0000 | 0x6b2a2c0fff | Private Memory | Readable, Writable | | |
| private_0x0000006b2a2d0000 | 0x6b2a2d0000 | 0x6b2a2d0fff | Private Memory | Readable, Writable | | |
| private_0x0000006b2a2e0000 | 0x6b2a2e0000 | 0x6b2a35ffff | Private Memory | Readable, Writable | | |
| private_0x0000006b2a360000 | 0x6b2a360000 | 0x6b2a3dffff | Private Memory | Readable, Writable | | |
| private_0x0000006b2a3e0000 | 0x6b2a3e0000 | 0x6b2a3e0fff | Private Memory | Readable, Writable | | |
| private_0x0000006b2a3e0000 | 0x6b2a3e0000 | 0x6b2a45ffff | Private Memory | Readable, Writable | | |
| samsrv.dll.mui | 0x6b2a460000 | 0x6b2a471fff | Memory Mapped File | Readable | | |
| private_0x0000006b2a480000 | 0x6b2a480000 | 0x6b2a4fffff | Private Memory | Readable, Writable | | |
| pagefile_0x00007df5ff8c0000 | 0x7df5ff8c0000 | 0x7ff5ff8bffff | Pagefile Backed File | - | | |
| private_0x00007ff6769f8000 | 0x7ff6769f8000 | 0x7ff6769f9fff | Private Memory | Readable, Writable | | |
| private_0x00007ff6769fa000 | 0x7ff6769fa000 | 0x7ff6769fbfff | Private Memory | Readable, Writable | | |
| private_0x00007ff6769fc000 | 0x7ff6769fc000 | 0x7ff6769fdfff | Private Memory | Readable, Writable | | |
| private_0x00007ff6769fe000 | 0x7ff6769fe000 | 0x7ff6769fffff | Private Memory | Readable, Writable | | |
| pagefile_0x00007ff676a00000 | 0x7ff676a00000 | 0x7ff676afffff | Pagefile Backed File | Readable | | |
| pagefile_0x00007ff676b00000 | 0x7ff676b00000 | 0x7ff676b22fff | Pagefile Backed File | Readable | | |
| private_0x00007ff676b23000 | 0x7ff676b23000 | 0x7ff676b24fff | Private Memory | Readable, Writable | | |
| private_0x00007ff676b25000 | 0x7ff676b25000 | 0x7ff676b26fff | Private Memory | Readable, Writable | | |
| private_0x00007ff676b27000 | 0x7ff676b27000 | 0x7ff676b27fff | Private Memory | Readable, Writable | | |
| private_0x00007ff676b28000 | 0x7ff676b28000 | 0x7ff676b29fff | Private Memory | Readable, Writable | | |
| private_0x00007ff676b2a000 | 0x7ff676b2a000 | 0x7ff676b2bfff | Private Memory | Readable, Writable | | |
| private_0x00007ff676b2c000 | 0x7ff676b2c000 | 0x7ff676b2dfff | Private Memory | Readable, Writable | | |
| private_0x00007ff676b2e000 | 0x7ff676b2e000 | 0x7ff676b2ffff | Private Memory | Readable, Writable | | |
| lsass.exe | 0x7ff6775e0000 | 0x7ff6775edfff | Memory Mapped File | Readable, Writable, Executable | | |
| winsta.dll | 0x7ffb70940000 | 0x7ffb70999fff | Memory Mapped File | Readable, Writable, Executable | | |
| dsrole.dll | 0x7ffb70a40000 | 0x7ffb70a49fff | Memory Mapped File | Readable, Writable, Executable | | |
| scecli.DLL | 0x7ffb70a50000 | 0x7ffb70a97fff | Memory Mapped File | Readable, Writable, Executable | | |
| dpapisrv.dll | 0x7ffb70aa0000 | 0x7ffb70ad2fff | Memory Mapped File | Readable, Writable, Executable | | |
| efslsaext.dll | 0x7ffb70ae0000 | 0x7ffb70af2fff | Memory Mapped File | Readable, Writable, Executable | | |
| rsaenh.dll | 0x7ffb70b00000 | 0x7ffb70b35fff | Memory Mapped File | Readable, Writable, Executable | | |
| wdigest.DLL | 0x7ffb70b40000 | 0x7ffb70b7bfff | Memory Mapped File | Readable, Writable, Executable | | |
| CRYPT32.dll | 0x7ffb70b80000 | 0x7ffb70d5efff | Memory Mapped File | Readable, Writable, Executable | | |
| schannel.DLL | 0x7ffb70d60000 | 0x7ffb70dccfff | Memory Mapped File | Readable, Writable, Executable | | |
| USERENV.dll | 0x7ffb70dd0000 | 0x7ffb70df0fff | Memory Mapped File | Readable, Writable, Executable | | |
| logoncli.dll | 0x7ffb70e00000 | 0x7ffb70e3efff | Memory Mapped File | Readable, Writable, Executable | | |
| DNSAPI.dll | 0x7ffb70e40000 | 0x7ffb70ee3fff | Memory Mapped File | Readable, Writable, Executable | | |
| netlogon.DLL | 0x7ffb70ef0000 | 0x7ffb70fc0fff | Memory Mapped File | Readable, Writable, Executable | | |
| msv1_0.DLL | 0x7ffb70fd0000 | 0x7ffb7103bfff | Memory Mapped File | Readable, Writable, Executable | | |
| CRYPTSP.dll | 0x7ffb71040000 | 0x7ffb7105ffff | Memory Mapped File | Readable, Writable, Executable | | |
| cryptdll.dll | 0x7ffb71060000 | 0x7ffb71079fff | Memory Mapped File | Readable, Writable, Executable | | |
| kerberos.DLL | 0x7ffb71080000 | 0x7ffb71172fff | Memory Mapped File | Readable, Writable, Executable | | |
| netjoin.dll | 0x7ffb71180000 | 0x7ffb711d0fff | Memory Mapped File | Readable, Writable, Executable | | |
| msprivs.DLL | 0x7ffb711e0000 | 0x7ffb711e1fff | Memory Mapped File | Readable, Writable, Executable | | |
| NTASN1.dll | 0x7ffb711f0000 | 0x7ffb71226fff | Memory Mapped File | Readable, Writable, Executable | | |
| ncrypt.dll | 0x7ffb71230000 | 0x7ffb71254fff | Memory Mapped File | Readable, Writable, Executable | | |
| bcrypt.dll | 0x7ffb71260000 | 0x7ffb71285fff | Memory Mapped File | Readable, Writable, Executable | | |
| samsrv.dll | 0x7ffb71290000 | 0x7ffb7135ffff | Memory Mapped File | Readable, Writable, Executable | | |
| MSASN1.dll | 0x7ffb71360000 | 0x7ffb71370fff | Memory Mapped File | Readable, Writable, Executable | | |
| lsasrv.dll | 0x7ffb71380000 | 0x7ffb714e2fff | Memory Mapped File | Readable, Writable, Executable | | |
| SspiSrv.dll | 0x7ffb714f0000 | 0x7ffb714fafff | Memory Mapped File | Readable, Writable, Executable | | |
| SspiCli.dll | 0x7ffb71500000 | 0x7ffb7152dfff | Memory Mapped File | Readable, Writable, Executable | | |
| powrprof.dll | 0x7ffb71530000 | 0x7ffb71575fff | Memory Mapped File | Readable, Writable, Executable | | |
| bcryptPrimitives.dll | 0x7ffb71580000 | 0x7ffb715e2fff | Memory Mapped File | Readable, Writable, Executable | | |
| CRYPTBASE.dll | 0x7ffb715f0000 | 0x7ffb715fafff | Memory Mapped File | Readable, Writable, Executable | | |
| profapi.dll | 0x7ffb716b0000 | 0x7ffb716c4fff | Memory Mapped File | Readable, Writable, Executable | | |
| kernelbase.dll | 0x7ffb71760000 | 0x7ffb71874fff | Memory Mapped File | Readable, Writable, Executable | | |
| CFGMGR32.dll | 0x7ffb71880000 | 0x7ffb718cefff | Memory Mapped File | Readable, Writable, Executable | | |
| WS2_32.dll | 0x7ffb73360000 | 0x7ffb733b9fff | Memory Mapped File | Readable, Writable, Executable | | |
| sechost.dll | 0x7ffb733c0000 | 0x7ffb73418fff | Memory Mapped File | Readable, Writable, Executable | | |
| kernel32.dll | 0x7ffb73480000 | 0x7ffb735bdfff | Memory Mapped File | Readable, Writable, Executable | | |
| advapi32.dll | 0x7ffb73690000 | 0x7ffb73739fff | Memory Mapped File | Readable, Writable, Executable | | |
| rpcrt4.dll | 0x7ffb73a30000 | 0x7ffb73b70fff | Memory Mapped File | Readable, Writable, Executable | | |
| NSI.dll | 0x7ffb73e80000 | 0x7ffb73e88fff | Memory Mapped File | Readable, Writable, Executable | | |
| MSVCRT.dll | 0x7ffb74050000 | 0x7ffb740f9fff | Memory Mapped File | Readable, Writable, Executable | | |
| ntdll.dll | 0x7ffb74120000 | 0x7ffb742cbfff | Memory Mapped File | Readable, Writable, Executable | | |
| Injection Type | Source Process | Source Os Thread ID | Injection Info | Success | Amount | Logfile |
|---|---|---|---|---|---|---|
| Modify Memory | \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\wininit.exe | 0x168 | address = 0x6b29b00000, size = 4704 | | 1 | |
| Modify Memory | \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\wininit.exe | 0x168 | address = 0x7ff676b272d8, size = 8 | | 1 |
| Category | Operation | Information | Success | Amount | Logfile | |
|---|---|---|---|---|---|---|
| SYS | GET_INFO | type = SYSTEM_CURRENT_TIME_ZONE_INFORMATION | | 1 | ||
| SYS | GET_INFO | type = SYSTEM_BASIC_INFORMATION | | 2 | ||
| PROC | GET_INFO | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134 | | 1 | ||
| THREAD | CREATE | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134, proc_address = 0x7ff6775e1250, desired_access = THREAD_ALL_ACCESS | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = Extensions | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = Extensions | | 1 | ||
| MOD | LOAD | base_address = 0x7ffb71380000 | | 1 | ||
| MOD | LOAD | module_name = lsasrv.dll, base_address = 0x0 | | 1 | ||
| REG | OPEN_KEY | reg_name = \Registry\Machine\System\CurrentControlSet\Control\Nls\Sorting\Versions | | 1 | ||
| REG | READ_VALUE | reg_name = \Registry\Machine\System\CurrentControlSet\Control\Nls\Sorting\Versions, value_name = 460260763712 | | 1 | ||
| SYS | GET_INFO | type = SYSTEM_BASIC_INFORMATION | | 1 | ||
| SYS | GET_INFO | type = SYSTEM_PROCESSOR_INFORMATION | | 1 | ||
| PROC | GET_INFO | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134 | | 1 | ||
| FILE | CREATE | file_name = \device\deviceapi\cmapi, desired_access = GENERIC_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0 | | 1 | ||
| MOD | GET_PROC_ADDRESS | address_out = 0x7ffb713f4880 | | 1 | ||
| MOD | GET_PROC_ADDRESS | address_out = 0x7ffb713f6a00 | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | WRITE_VALUE | | 1 | |||
| REG | WRITE_VALUE | value_name = LsaPid, data = 436 | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = GeneralThreadLifespan | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = DedicatedThreadLifespan | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = HighPriority | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = CritSecSpinCount | | 1 | ||
| SYS | GET_INFO | type = SYSTEM_BASIC_INFORMATION | | 1 | ||
| SYS | GET_INFO | type = SYSTEM_PROCESSOR_INFORMATION | | 1 | ||
| PROC | GET_INFO | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134 | | 1 | ||
| THREAD | CREATE | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134, proc_address = 0x7ffb713f2020, desired_access = THREAD_ALL_ACCESS | | 1 | ||
| SYS | GET_INFO | type = SYSTEM_BASIC_INFORMATION | | 1 | ||
| SYS | GET_INFO | type = SYSTEM_PROCESSOR_INFORMATION | | 1 | ||
| PROC | GET_INFO | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134 | | 1 | ||
| MOD | CREATE_MAPPING | module_name = Nameless FileMapping | | 1 | ||
| MOD | CREATE_MAPPING | module_name = Debug.Memory.v2.1b4, module_name = lsasrv.dll, maximum_size = 460260768064, protection = PAGE_READWRITE | | 1 | ||
| MOD | MAP | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\lsass.exe, os_pid = 0x1b4, address = 0x6b29dc0000 | | 1 | ||
| MOD | MAP | module_name = Debug.Memory.v2.1b4, process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134, address = 0x6b29dc0000 | | 1 | ||
| INI | READ | file_name = Win.ini | | 1 | ||
| FILE | OPEN | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\win.ini, desired_access = SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_NON_DIRECTORY_FILE | | 1 | ||
| FILE | READ | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\win.ini, size = 92 | | 1 | ||
| PROC | OPEN_TOKEN | | 1 | |||
| INI | READ | file_name = Win.ini | | 1 | ||
| FILE | OPEN | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\win.ini, desired_access = SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_NON_DIRECTORY_FILE | | 1 | ||
| FILE | READ | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\win.ini, size = 92 | | 1 | ||
| INI | READ | file_name = Win.ini | | 1 | ||
| FILE | OPEN | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\win.ini, desired_access = SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_NON_DIRECTORY_FILE | | 1 | ||
| FILE | READ | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\win.ini, size = 92 | | 1 | ||
| INI | READ | file_name = Win.ini | | 1 | ||
| FILE | OPEN | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\win.ini, desired_access = SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_NON_DIRECTORY_FILE | | 1 | ||
| FILE | READ | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\win.ini, size = 92 | | 1 | ||
| INI | READ | file_name = Win.ini | | 1 | ||
| FILE | OPEN | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\win.ini, desired_access = SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_NON_DIRECTORY_FILE | | 1 | ||
| FILE | READ | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\win.ini, size = 92 | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| MOD | LOAD | module_name = rpcrt4.dll, base_address = 0x0 | | 1 | ||
| SYS | GET_INFO | type = SYSTEM_BASIC_INFORMATION | | 1 | ||
| REG | READ_VALUE | value_name = MaxRpcSize | | 1 | ||
| REG | OPEN_KEY | reg_name = \Registry\Machine\System\CurrentControlSet\Control\ComputerName\ActiveComputerName | | 1 | ||
| REG | OPEN_KEY | reg_name = \Registry\Machine\System\CurrentControlSet\Control\ComputerName\ComputerName | | 1 | ||
| REG | READ_VALUE | reg_name = \Registry\Machine\System\CurrentControlSet\Control\ComputerName\ComputerName, value_name = ComputerName | | 1 | ||
| REG | OPEN_KEY | reg_name = \Registry\Machine\System\Setup | | 1 | ||
| REG | READ_VALUE | reg_name = \Registry\Machine\System\Setup, value_name = OOBEInProgress | | 1 | ||
| REG | OPEN_KEY | reg_name = \Registry\Machine\System\Setup | | 1 | ||
| REG | READ_VALUE | reg_name = \Registry\Machine\System\Setup, value_name = SystemSetupInProgress | | 1 | ||
| SYS | GET_INFO | | 1 | |||
| PROC | GET_INFO | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134 | | 1 | ||
| PROC | GET_INFO | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134 | | 1 | ||
| REG | READ_VALUE | value_name = IdleTimerWindow | | 1 | ||
| PROC | OPEN_TOKEN | | 2 | |||
| REG | OPEN_KEY | | 3 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = DisableRestrictedAdminOutboundCreds | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = DisableRestrictedAdmin | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = TokenLeakDetectDelaySecs | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = IdCacheEntryLifeSpan | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = SamWaitNoTimeout | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = SuppressExtendedProtection | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = LogToFile | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = SendOptionalMechlistMIC | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = AcceptUnsafeUnprotectedNegotiation | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = CrashOnAuditFail | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = NegEventMask | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = SPMInfoLevel | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = DisableCredMan | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = DisableDomainCreds | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = HourlyLogLevel | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = AuthenticateAnonymousOnlineIDs | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = TurnOffAnonymousBlock | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = EveryoneIncludesAnonymous | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = DisableAutomaticRestartSignOn | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = DisableConnectedNTLMPassword | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = NoConnectedUser | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ApplyPolicyToAnonymousLogon | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = EnableLocalLogonSid | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = EnableLinkedConnections | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = FilterAdministratorToken | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = DisplayLastLogonInfo | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = FilterNetworkAuthenticationTokens | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = LocalAccountTokenFilterPolicy | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = DisableRestrictionTraversal | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ScForceOption | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = EnableVirtualization | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = EnableDebugCheck | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = DisableRestrictedAdminOutboundCreds | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = DisableRestrictedAdmin | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = TokenLeakDetectDelaySecs | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = IdCacheEntryLifeSpan | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = SamWaitNoTimeout | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = SuppressExtendedProtection | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = LogToFile | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = SendOptionalMechlistMIC | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = AcceptUnsafeUnprotectedNegotiation | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = CrashOnAuditFail | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = NegEventMask | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = SPMInfoLevel | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = DisableCredMan | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = DisableDomainCreds | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = HourlyLogLevel | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = AuthenticateAnonymousOnlineIDs | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = TurnOffAnonymousBlock | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = EveryoneIncludesAnonymous | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = DisableAutomaticRestartSignOn | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = DisableConnectedNTLMPassword | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = NoConnectedUser | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ApplyPolicyToAnonymousLogon | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = EnableLocalLogonSid | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = EnableLinkedConnections | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = FilterAdministratorToken | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = DisplayLastLogonInfo | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = FilterNetworkAuthenticationTokens | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = LocalAccountTokenFilterPolicy | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = DisableRestrictionTraversal | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ScForceOption | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = EnableVirtualization | | 1 | ||
| REG | OPEN_KEY | reg_name = \Registry\Machine\System\CurrentControlSet\Control\ComputerName\ActiveComputerName | | 1 | ||
| REG | OPEN_KEY | reg_name = \Registry\Machine\System\CurrentControlSet\Control\ComputerName\ComputerName | | 1 | ||
| REG | READ_VALUE | reg_name = \Registry\Machine\System\CurrentControlSet\Control\ComputerName\ComputerName, value_name = ComputerName | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | reg_name = \Registry\Machine\System\CurrentControlSet\Control\ComputerName\ComputerName, value_name = Preferred | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | reg_name = \Registry\Machine\System\CurrentControlSet\Control\ComputerName\ComputerName, value_name = Security Packages | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | reg_name = \Registry\Machine\System\CurrentControlSet\Control\ComputerName\ComputerName, value_name = Security Packages | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | reg_name = \Registry\Machine\System\CurrentControlSet\Control\ComputerName\ComputerName, value_name = Security Packages | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | reg_name = \Registry\Machine\System\CurrentControlSet\Control\ComputerName\ComputerName, value_name = Security Packages | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | reg_name = \Registry\Machine\System\CurrentControlSet\Control\ComputerName\ComputerName, value_name = Security Packages | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | reg_name = \Registry\Machine\System\CurrentControlSet\Control\ComputerName\ComputerName, value_name = Security Packages | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | reg_name = \Registry\Machine\System\CurrentControlSet\Control\ComputerName\ComputerName, value_name = Authentication Packages | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | reg_name = \Registry\Machine\System\CurrentControlSet\Control\ComputerName\ComputerName, value_name = Authentication Packages | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| MOD | LOAD | base_address = 0x7ffb71380000 | | 1 | ||
| MOD | LOAD | module_name = LSASRV.DLL, base_address = 0x0 | | 1 | ||
| REG | OPEN_KEY | reg_name = \Registry\Machine\Software\Microsoft\Windows\Windows Error Reporting\WMR | | 1 | ||
| REG | READ_VALUE | reg_name = \Registry\Machine\Software\Microsoft\Windows\Windows Error Reporting\WMR, value_name = Disable | | 1 | ||
| PROC | GET_INFO | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134 | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | reg_name = \Registry\Machine\Software\Microsoft\Windows\Windows Error Reporting\WMR, value_name = lspdbginfolevel | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | reg_name = \Registry\Machine\Software\Microsoft\Windows\Windows Error Reporting\WMR, value_name = LsaDbExtPt | | 1 | ||
| DRV | CONTROL | | 1 | |||
| DRV | CONTROL | control_code = 0x390008 | | 1 | ||
| REG | OPEN_KEY | | 2 | |||
| REG | DELETE_KEY | | 8 | |||
| REG | CREATE_KEY | | 1 | |||
| REG | CREATE_KEY | reg_name = JD | | 1 | ||
| REG | WRITE_VALUE | | 1 | |||
| REG | WRITE_VALUE | reg_name = JD, value_name = Lookup | | 1 | ||
| REG | CREATE_KEY | | 1 | |||
| REG | CREATE_KEY | reg_name = Skew1 | | 1 | ||
| REG | WRITE_VALUE | | 1 | |||
| REG | WRITE_VALUE | reg_name = Skew1, value_name = SkewMatrix | | 1 | ||
| REG | CREATE_KEY | | 1 | |||
| REG | CREATE_KEY | reg_name = GBG | | 1 | ||
| REG | WRITE_VALUE | | 1 | |||
| REG | WRITE_VALUE | reg_name = GBG, value_name = GrafBlumGroup | | 1 | ||
| REG | CREATE_KEY | | 1 | |||
| REG | CREATE_KEY | reg_name = Data | | 1 | ||
| REG | WRITE_VALUE | | 1 | |||
| REG | WRITE_VALUE | reg_name = Data, value_name = Pattern | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | WRITE_VALUE | | 1 | |||
| REG | WRITE_VALUE | value_name = SecureBoot, data = 1 | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | CREATE_KEY | | 1 | |||
| REG | CREATE_KEY | reg_name = System\CurrentControlSet\Control\Lsa\Audit | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | reg_name = System\CurrentControlSet\Control\Lsa\Audit, value_name = SpecialGroups | | 1 | ||
| REG | CREATE_KEY | | 1 | |||
| REG | CREATE_KEY | reg_name = Software\Microsoft\Windows\CurrentVersion\Policies\System\Audit | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | OPEN_KEY | | 1 | |||
| MOD | GET_HANDLE | module_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\lsass.exe | | 1 | ||
| MOD | GET_HANDLE | module_name = lsasrv.dll | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | OPEN_KEY | | 1 | |||
| MOD | LOAD | base_address = 0x0 | | 1 | ||
| MOD | LOAD | module_name = negoexts, base_address = 0xc0000135 | | 1 | ||
| MOD | LOAD | base_address = 0x7ffb71080000 | | 1 | ||
| MOD | LOAD | module_name = kerberos, base_address = 0x0 | | 1 | ||
| MOD | GET_PROC_ADDRESS | address_out = 0x7ffb710c5d28 | | 1 | ||
| MOD | GET_HANDLE | module_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\lsass.exe | | 1 | ||
| MOD | GET_HANDLE | module_name = kerberos.dll | | 1 | ||
| MOD | GET_HANDLE | module_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\lsass.exe | | 1 | ||
| MOD | GET_HANDLE | module_name = kerberos.dll | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| SYS | GET_INFO | type = SYSTEM_BASIC_INFORMATION | | 1 | ||
| SYS | GET_INFO | type = SYSTEM_PROCESSOR_INFORMATION | | 1 | ||
| PROC | GET_INFO | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134 | | 1 | ||
| MOD | CREATE_MAPPING | module_name = Nameless FileMapping | | 1 | ||
| MOD | CREATE_MAPPING | module_name = Debug.Trace.Memory.1b4, module_name = kerberos, maximum_size = 460260765872, protection = PAGE_READWRITE | | 1 | ||
| MOD | MAP | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\lsass.exe, os_pid = 0x1b4, address = 0x6b29ef0000 | | 1 | ||
| MOD | MAP | module_name = Debug.Trace.Memory.1b4, process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134, address = 0x6b29ef0000 | | 1 | ||
| DBG | CHECK_FOR_PRESENCE | type = DEBUGGER, process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\lsass.exe, os_pid = 0x1b4 | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = KerbDebugLevel | | 1 | ||
| REG | OPEN_KEY | | 2 | |||
| REG | OPEN_KEY | | 1 | |||
| REG | OPEN_KEY | | 1 | |||
| REG | OPEN_KEY | | 1 | |||
| REG | OPEN_KEY | reg_name = \Registry\Machine\System\CurrentControlSet\Control\ComputerName\ActiveComputerName | | 1 | ||
| REG | OPEN_KEY | reg_name = \Registry\Machine\System\CurrentControlSet\Control\ComputerName\ComputerName | | 1 | ||
| REG | READ_VALUE | reg_name = \Registry\Machine\System\CurrentControlSet\Control\ComputerName\ComputerName, value_name = ComputerName | | 1 | ||
| REG | OPEN_KEY | reg_name = \Registry\Machine\System\CurrentControlSet\Control\ComputerName\ActiveComputerName | | 1 | ||
| REG | OPEN_KEY | reg_name = \Registry\Machine\System\CurrentControlSet\Control\ComputerName\ComputerName | | 1 | ||
| REG | READ_VALUE | reg_name = \Registry\Machine\System\CurrentControlSet\Control\ComputerName\ComputerName, value_name = ComputerName | | 1 | ||
| REG | OPEN_KEY | reg_name = \Registry\Machine\System\CurrentControlSet\Services\Tcpip\Parameters | | 1 | ||
| REG | READ_VALUE | reg_name = \Registry\Machine\System\CurrentControlSet\Services\Tcpip\Parameters, value_name = Hostname | | 1 | ||
| REG | CREATE_KEY | | 1 | |||
| REG | CREATE_KEY | reg_name = System\CurrentControlSet\Control\Lsa\Kerberos\Domains | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = KerbControlLevel | | 1 | ||
| REG | OPEN_KEY | | 2 | |||
| REG | OPEN_KEY | | 1 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = SupportedEncryptionTypes | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = MaxTokenSize | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = DHDomainParameters | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | OPEN_KEY | | 1 | |||
| REG | OPEN_KEY | | 2 | |||
| REG | READ_VALUE | value_name = WinSock_Registry_Version | | 2 | ||
| REG | READ_VALUE | value_name = AppFullPath | | 2 | ||
| REG | READ_VALUE | value_name = PermittedLspCategories | | 1 | ||
| REG | READ_VALUE | value_name = NameSpace_Callout | | 2 | ||
| REG | READ_VALUE | value_name = Serial_Access_Num | | 2 | ||
| REG | READ_VALUE | value_name = Next_Catalog_Entry_ID | | 1 | ||
| REG | READ_VALUE | value_name = Num_Catalog_Entries64 | | 1 | ||
| REG | READ_VALUE | value_name = Num_Catalog_Entries | | 1 | ||
| REG | READ_VALUE | value_name = Serial_Access_Num | | 1 | ||
| REG | CREATE_KEY | reg_name = 00000001 | | 1 | ||
| REG | CREATE_KEY | reg_name = Catalog_Entries64 | | 1 | ||
| REG | WRITE_VALUE | value_name = Num_Catalog_Entries64, data = 0 | | 1 | ||
| REG | WRITE_VALUE | value_name = Next_Catalog_Entry_ID, data = 1001 | | 1 | ||
| REG | WRITE_VALUE | value_name = Serial_Access_Num, data = 2 | | 1 | ||
| REG | DELETE_KEY | reg_name = Catalog_Entries64 | | 1 | ||
| PROC | GET_INFO | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134 | | 1 | ||
| REG | READ_VALUE | reg_name = Catalog_Entries64, value_name = Serial_Access_Num | | 2 | ||
| REG | READ_VALUE | reg_name = Catalog_Entries64, value_name = Num_Catalog_Entries64 | | 1 | ||
| REG | READ_VALUE | reg_name = Catalog_Entries64, value_name = Num_Catalog_Entries | | 1 | ||
| REG | READ_VALUE | value_name = LibraryPath | | 2 | ||
| REG | READ_VALUE | value_name = DisplayString | | 4 | ||
| REG | READ_VALUE | value_name = ProviderId | | 1 | ||
| REG | READ_VALUE | value_name = AddressFamily | | 1 | ||
| REG | READ_VALUE | value_name = SupportedNameSpace | | 1 | ||
| REG | READ_VALUE | value_name = Enabled | | 1 | ||
| REG | READ_VALUE | value_name = Version | | 1 | ||
| REG | READ_VALUE | value_name = StoresServiceClassInfo | | 1 | ||
| REG | READ_VALUE | value_name = ProviderInfo | | 1 | ||
| REG | READ_VALUE | reg_name = Catalog_Entries64, value_name = Serial_Access_Num | | 1 | ||
| REG | CREATE_KEY | reg_name = Catalog_Entries64\00000001 | | 1 | ||
| REG | CREATE_KEY | reg_name = Catalog_Entries64\Catalog_Entries64 | | 1 | ||
| REG | CREATE_KEY | reg_name = Catalog_Entries64\Catalog_Entries64\000000000001 | | 1 | ||
| REG | WRITE_VALUE | reg_name = Catalog_Entries64\Catalog_Entries64\000000000001, value_name = LibraryPath, data = X:\Windows\system32\mswsock.dll | | 1 | ||
| REG | WRITE_VALUE | reg_name = Catalog_Entries64\Catalog_Entries64\000000000001, value_name = DisplayString, data = Tcpip | | 1 | ||
| REG | WRITE_VALUE | reg_name = Catalog_Entries64\Catalog_Entries64\000000000001, value_name = ProviderId | | 1 | ||
| REG | WRITE_VALUE | reg_name = Catalog_Entries64\Catalog_Entries64\000000000001, value_name = SupportedNameSpace, data = 12 | | 1 | ||
| REG | WRITE_VALUE | reg_name = Catalog_Entries64\Catalog_Entries64\000000000001, value_name = Enabled, data = 1 | | 1 | ||
| REG | WRITE_VALUE | reg_name = Catalog_Entries64\Catalog_Entries64\000000000001, value_name = Version, data = 0 | | 1 | ||
| REG | WRITE_VALUE | reg_name = Catalog_Entries64\Catalog_Entries64\000000000001, value_name = StoresServiceClassInfo, data = 1 | | 1 | ||
| REG | WRITE_VALUE | reg_name = Catalog_Entries64\Catalog_Entries64\000000000001, value_name = ProviderInfo | | 1 | ||
| REG | WRITE_VALUE | reg_name = Catalog_Entries64, value_name = Num_Catalog_Entries64, data = 1 | | 1 | ||
| REG | WRITE_VALUE | reg_name = Catalog_Entries64, value_name = Serial_Access_Num, data = 2 | | 1 | ||
| REG | DELETE_KEY | reg_name = Catalog_Entries64\Catalog_Entries64 | | 1 | ||
| REG | READ_VALUE | reg_name = Catalog_Entries64, value_name = Serial_Access_Num | | 1 | ||
| SYS | GET_INFO | type = SYSTEM_BASIC_INFORMATION | | 1 | ||
| SYS | GET_INFO | type = SYSTEM_PROCESSOR_INFORMATION | | 1 | ||
| PROC | GET_INFO | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134 | | 1 | ||
| REG | READ_VALUE | value_name = Ws2_32NumHandleBuckets | | 1 | ||
| SCK | CREATE | | 1 | |||
| REG | READ_VALUE | value_name = Serial_Access_Num | | 1 | ||
| REG | READ_VALUE | value_name = Next_Catalog_Entry_ID | | 1 | ||
| REG | READ_VALUE | value_name = Num_Catalog_Entries64 | | 1 | ||
| REG | READ_VALUE | value_name = Serial_Access_Num | | 1 | ||
| REG | READ_VALUE | value_name = Next_Catalog_Entry_ID | | 1 | ||
| REG | READ_VALUE | value_name = Num_Catalog_Entries64 | | 1 | ||
| PROC | GET_INFO | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134 | | 1 | ||
| SYS | GET_INFO | type = SYSTEM_BASIC_INFORMATION | | 1 | ||
| SYS | GET_INFO | type = SYSTEM_PROCESSOR_INFORMATION | | 1 | ||
| PROC | GET_INFO | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134 | | 1 | ||
| MOD | MAP | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\lsass.exe, os_pid = 0x1b4, address = 0x6b29f00000 | | 1 | ||
| MOD | MAP | reg_name = Catalog_Entries64\00000001, process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134, address = 0x6b29f00000 | | 1 | ||
| MOD | UNMAP | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\lsass.exe, os_pid = 0x1b4 | | 1 | ||
| INI | READ | file_name = Win.ini | | 1 | ||
| FILE | OPEN | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\win.ini, desired_access = SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_NON_DIRECTORY_FILE | | 1 | ||
| FILE | READ | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\win.ini, size = 92 | | 1 | ||
| INI | READ | file_name = Win.ini | | 1 | ||
| FILE | OPEN | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\win.ini, desired_access = SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_NON_DIRECTORY_FILE | | 1 | ||
| FILE | READ | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\win.ini, size = 92 | | 1 | ||
| INI | READ | file_name = Win.ini | | 1 | ||
| FILE | OPEN | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\win.ini, desired_access = SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_NON_DIRECTORY_FILE | | 1 | ||
| FILE | READ | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\win.ini, size = 92 | | 1 | ||
| SCK | CREATE | | 1 | |||
| REG | OPEN_KEY | | 2 | |||
| MOD | LOAD | base_address = 0x7ffb70fd0000 | | 1 | ||
| MOD | LOAD | module_name = msv1_0, base_address = 0x0 | | 1 | ||
| MOD | GET_HANDLE | module_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\lsass.exe | | 1 | ||
| MOD | GET_HANDLE | module_name = msv1_0.dll | | 1 | ||
| MOD | GET_PROC_ADDRESS | address_out = 0x7ffb70ff78a0 | | 1 | ||
| MOD | GET_HANDLE | module_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\lsass.exe | | 1 | ||
| MOD | GET_HANDLE | module_name = msv1_0.dll | | 1 | ||
| MOD | GET_HANDLE | module_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\lsass.exe | | 1 | ||
| MOD | GET_HANDLE | module_name = msv1_0.dll | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| SYS | GET_INFO | type = SYSTEM_BASIC_INFORMATION | | 1 | ||
| SYS | GET_INFO | type = SYSTEM_PROCESSOR_INFORMATION | | 1 | ||
| PROC | GET_INFO | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134 | | 1 | ||
| MOD | MAP | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\lsass.exe, os_pid = 0x1b4, address = 0x6b29f00000 | | 1 | ||
| MOD | MAP | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134, address = 0x6b29f00000 | | 1 | ||
| MOD | UNMAP | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\lsass.exe, os_pid = 0x1b4 | | 1 | ||
| DBG | CHECK_FOR_PRESENCE | type = DEBUGGER, process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\lsass.exe, os_pid = 0x1b4 | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | reg_name = Catalog_Entries64\Catalog_Entries64\000000000001, value_name = NtLmInfoLevel | | 1 | ||
| REG | OPEN_KEY | reg_name = \Registry\Machine\System\CurrentControlSet\Control\ComputerName\ActiveComputerName | | 1 | ||
| REG | OPEN_KEY | reg_name = \Registry\Machine\System\CurrentControlSet\Control\ComputerName\ComputerName | | 1 | ||
| REG | READ_VALUE | reg_name = \Registry\Machine\System\CurrentControlSet\Control\ComputerName\ComputerName, value_name = ComputerName | | 1 | ||
| REG | OPEN_KEY | reg_name = \Registry\Machine\System\CurrentControlSet\Services\Tcpip\Parameters | | 1 | ||
| REG | READ_VALUE | reg_name = \Registry\Machine\System\CurrentControlSet\Services\Tcpip\Parameters, value_name = Hostname | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = LmCompatibilityLevel | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = UseMachineId | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ForceGuest | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = DisallowMsvChapv2 | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = LimitBlankPasswordUse | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = DisableLoopbackCheck | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = DebugBreakIfDebugged | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = OldPasswordAllowedPeriod | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = AllowLegacySrvCall | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = SendNt2ResponseOnly | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = NtlmMinClientSec | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = NtlmMinServerSec | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = BackConnectionHostNames | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = RestrictSendingNTLMTraffic | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = RestrictReceivingNTLMTraffic | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = AuditReceivingNTLMTraffic | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ClientAllowedNTLMServers | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = NTLMInfoEvent | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = allownullsessionfallback | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = AllowS4UForDomainUsers | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = MappedDomain | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = PreferredDomain | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = IPAddressRefreshInterval | | 1 | ||
| REG | OPEN_KEY | reg_name = \Registry\Machine\System\CurrentControlSet\Services\Tcpip\Parameters | | 1 | ||
| REG | READ_VALUE | reg_name = \Registry\Machine\System\CurrentControlSet\Services\Tcpip\Parameters, value_name = Hostname | | 1 | ||
| FILE | CREATE | | 1 | |||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\debug\passwd.log, desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_MAXIMUM_DISPOSITION, ea_buffer = 0, ea_length = 0 | | 1 | ||
| REG | OPEN_KEY | reg_name = \Registry\Machine\System\CurrentControlSet\Control\ComputerName\ActiveComputerName | | 1 | ||
| REG | OPEN_KEY | reg_name = \Registry\Machine\System\CurrentControlSet\Control\ComputerName\ComputerName | | 1 | ||
| REG | READ_VALUE | reg_name = \Registry\Machine\System\CurrentControlSet\Control\ComputerName\ComputerName, value_name = ComputerName | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | OPEN_KEY | | 1 | |||
| MOD | LOAD | base_address = 0x7ffb70ef0000 | | 1 | ||
| MOD | LOAD | module_name = netlogon | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = SystemSetupInProgress | | 1 | ||
| MOD | LOAD | base_address = 0x7ffb70d60000 | | 1 | ||
| MOD | LOAD | module_name = schannel, base_address = 0x0 | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| MOD | GET_HANDLE | module_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\lsass.exe | | 1 | ||
| MOD | GET_HANDLE | module_name = schannel.dll | | 1 | ||
| MOD | GET_PROC_ADDRESS | address_out = 0x7ffb70d838c0 | | 1 | ||
| MOD | GET_HANDLE | module_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\lsass.exe | | 1 | ||
| MOD | GET_HANDLE | module_name = schannel.dll | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| SYS | GET_INFO | type = SYSTEM_BASIC_INFORMATION | | 1 | ||
| SYS | GET_INFO | type = SYSTEM_PROCESSOR_INFORMATION | | 1 | ||
| PROC | GET_INFO | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134 | | 1 | ||
| MOD | MAP | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\lsass.exe, os_pid = 0x1b4, address = 0x6b29f00000 | | 1 | ||
| MOD | MAP | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134, address = 0x6b29f00000 | | 1 | ||
| MOD | UNMAP | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\lsass.exe, os_pid = 0x1b4 | | 1 | ||
| DBG | CHECK_FOR_PRESENCE | type = DEBUGGER, process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\lsass.exe, os_pid = 0x1b4 | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = LogLevel | | 1 | ||
| MOD | LOAD | base_address = 0x7ffb70b40000 | | 1 | ||
| MOD | LOAD | module_name = wdigest, base_address = 0x0 | | 1 | ||
| MOD | GET_PROC_ADDRESS | address_out = 0x7ffb70b45480 | | 1 | ||
| MOD | GET_HANDLE | module_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\lsass.exe | | 1 | ||
| MOD | GET_HANDLE | module_name = wdigest.dll | | 1 | ||
| MOD | GET_HANDLE | module_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\lsass.exe | | 1 | ||
| MOD | GET_HANDLE | module_name = wdigest.dll | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| SYS | GET_INFO | type = SYSTEM_BASIC_INFORMATION | | 1 | ||
| SYS | GET_INFO | type = SYSTEM_PROCESSOR_INFORMATION | | 1 | ||
| PROC | GET_INFO | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134 | | 1 | ||
| MOD | MAP | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\lsass.exe, os_pid = 0x1b4, address = 0x6b29f00000 | | 1 | ||
| MOD | MAP | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134, address = 0x6b29f00000 | | 1 | ||
| MOD | UNMAP | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\lsass.exe, os_pid = 0x1b4 | | 1 | ||
| DBG | CHECK_FOR_PRESENCE | type = DEBUGGER, process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\lsass.exe, os_pid = 0x1b4 | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = Debuglevel | | 1 | ||
| REG | CREATE_KEY | | 1 | |||
| REG | CREATE_KEY | reg_name = System\CurrentControlSet\Control\SecurityProviders\WDigest | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | reg_name = System\CurrentControlSet\Control\SecurityProviders\WDigest, value_name = Negotiate | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | reg_name = System\CurrentControlSet\Control\SecurityProviders\WDigest, value_name = UTF8HTTP | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | reg_name = System\CurrentControlSet\Control\SecurityProviders\WDigest, value_name = UTF8SASL | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | reg_name = System\CurrentControlSet\Control\SecurityProviders\WDigest, value_name = ServerCompat | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | reg_name = System\CurrentControlSet\Control\SecurityProviders\WDigest, value_name = ClientCompat | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | reg_name = System\CurrentControlSet\Control\SecurityProviders\WDigest, value_name = DigestEncryptionAlgorithms | | 1 | ||
| REG | WRITE_VALUE | | 1 | |||
| REG | WRITE_VALUE | value_name = DigestEncryptionAlgorithms, data = 3des,rc4 | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | reg_name = System\CurrentControlSet\Control\SecurityProviders\WDigest, value_name = UseLogonCredential | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | reg_name = System\CurrentControlSet\Control\SecurityProviders\WDigest, value_name = DisableNameRealmValidation | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | reg_name = System\CurrentControlSet\Control\SecurityProviders\WDigest, value_name = Debuglevel | | 1 | ||
| REG | OPEN_KEY | reg_name = \Registry\Machine\System\CurrentControlSet\Control\ComputerName\ActiveComputerName | | 1 | ||
| REG | OPEN_KEY | reg_name = \Registry\Machine\System\CurrentControlSet\Control\ComputerName\ComputerName | | 1 | ||
| REG | READ_VALUE | reg_name = \Registry\Machine\System\CurrentControlSet\Control\ComputerName\ComputerName, value_name = ComputerName | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | reg_name = \Registry\Machine\System\CurrentControlSet\Control\ComputerName\ComputerName, value_name = Name | | 2 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | reg_name = \Registry\Machine\System\CurrentControlSet\Control\ComputerName\ComputerName, value_name = Name | | 2 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | reg_name = \Registry\Machine\System\CurrentControlSet\Control\ComputerName\ComputerName, value_name = Type | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | reg_name = \Registry\Machine\System\CurrentControlSet\Control\ComputerName\ComputerName, value_name = Image Path | | 2 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | reg_name = \Registry\Machine\System\CurrentControlSet\Control\ComputerName\ComputerName, value_name = Image Path | | 2 | ||
| MOD | LOAD | base_address = 0x7ffb70b00000 | | 1 | ||
| MOD | LOAD | module_name = X:\windows\system32\rsaenh.dll, base_address = 0x0 | | 1 | ||
| MOD | GET_PROC_ADDRESS | address_out = 0x7ffb70b01570 | | 1 | ||
| MOD | GET_PROC_ADDRESS | address_out = 0x7ffb70b01080 | | 1 | ||
| MOD | GET_PROC_ADDRESS | address_out = 0x7ffb70b06090 | | 1 | ||
| MOD | GET_PROC_ADDRESS | address_out = 0x7ffb70b1e1d0 | | 1 | ||
| MOD | GET_PROC_ADDRESS | address_out = 0x7ffb70b02ce0 | | 1 | ||
| MOD | GET_PROC_ADDRESS | address_out = 0x7ffb70b0af70 | | 1 | ||
| MOD | GET_PROC_ADDRESS | address_out = 0x7ffb70b03880 | | 1 | ||
| MOD | GET_PROC_ADDRESS | address_out = 0x7ffb70b03a30 | | 1 | ||
| MOD | GET_PROC_ADDRESS | address_out = 0x7ffb70b03260 | | 1 | ||
| MOD | GET_PROC_ADDRESS | address_out = 0x7ffb70b06be0 | | 1 | ||
| MOD | GET_PROC_ADDRESS | address_out = 0x7ffb70b04ea0 | | 1 | ||
| MOD | GET_PROC_ADDRESS | address_out = 0x7ffb70b027d0 | | 1 | ||
| MOD | GET_PROC_ADDRESS | address_out = 0x7ffb70b02b00 | | 1 | ||
| MOD | GET_PROC_ADDRESS | address_out = 0x7ffb70b1d8d0 | | 1 | ||
| MOD | GET_PROC_ADDRESS | address_out = 0x7ffb70b024f0 | | 1 | ||
| MOD | GET_PROC_ADDRESS | address_out = 0x7ffb70b06830 | | 1 | ||
| MOD | GET_PROC_ADDRESS | address_out = 0x7ffb70b03c50 | | 1 | ||
| MOD | GET_PROC_ADDRESS | address_out = 0x7ffb70b01030 | | 1 | ||
| MOD | GET_PROC_ADDRESS | address_out = 0x7ffb70b05bb0 | | 1 | ||
| MOD | GET_PROC_ADDRESS | address_out = 0x7ffb70b0f290 | | 1 | ||
| MOD | GET_PROC_ADDRESS | address_out = 0x7ffb70b0f750 | | 1 | ||
| MOD | GET_PROC_ADDRESS | address_out = 0x7ffb70b03f50 | | 1 | ||
| MOD | GET_PROC_ADDRESS | address_out = 0x7ffb70b02630 | | 1 | ||
| MOD | GET_PROC_ADDRESS | address_out = 0x7ffb70b0d330 | | 1 | ||
| MOD | GET_PROC_ADDRESS | address_out = 0x7ffb70b1d6e0 | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| PROC | OPEN_TOKEN | | 1 | |||
| REG | OPEN_KEY | | 1 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = MachineGuid | | 1 | ||
| REG | CREATE_KEY | | 1 | |||
| REG | CREATE_KEY | reg_name = Software\Microsoft\Cryptography | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | reg_name = Software\Microsoft\Cryptography, value_name = MachineGuid | | 1 | ||
| REG | WRITE_VALUE | | 1 | |||
| REG | WRITE_VALUE | reg_name = Software\Microsoft\Cryptography, value_name = MachineGuid, data = 4510eeb9-2c9e-4e5e-bb64-8d8e190b646f | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | READ_VALUE | reg_name = \Registry\Machine\System\CurrentControlSet\Control\Nls\Sorting\Versions, value_name = 000602xx | | 1 | ||
| MOD | LOAD | module_name = kernel32.dll, base_address = 0x0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\globalization\sorting\sortdefault.nls, desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0 | | 1 | ||
| MOD | CREATE_MAPPING | module_name = Nameless FileMapping, file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\globalization\sorting\sortdefault.nls, maximum_size = 0, protection = PAGE_READONLY | | 1 | ||
| MOD | MAP | module_name = Nameless FileMapping, process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134, address = 0x6b29f00000 | | 1 | ||
| REG | OPEN_KEY | reg_name = \Registry\Machine\System\CurrentControlSet\Control\Nls\Sorting\Ids | | 1 | ||
| PROC | OPEN_TOKEN | | 1 | |||
| REG | OPEN_KEY | | 1 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | reg_name = \Registry\Machine\System\CurrentControlSet\Control\ComputerName\ComputerName, value_name = Name | | 2 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | reg_name = \Registry\Machine\System\CurrentControlSet\Control\ComputerName\ComputerName, value_name = Name | | 2 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | reg_name = \Registry\Machine\System\CurrentControlSet\Control\ComputerName\ComputerName, value_name = Type | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | reg_name = \Registry\Machine\System\CurrentControlSet\Control\ComputerName\ComputerName, value_name = Image Path | | 2 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | reg_name = \Registry\Machine\System\CurrentControlSet\Control\ComputerName\ComputerName, value_name = Image Path | | 2 | ||
| MOD | LOAD | base_address = 0x7ffb70b00000 | | 1 | ||
| MOD | LOAD | module_name = X:\windows\system32\rsaenh.dll, base_address = 0x0 | | 1 | ||
| MOD | GET_PROC_ADDRESS | address_out = 0x7ffb70b01570 | | 1 | ||
| MOD | GET_PROC_ADDRESS | address_out = 0x7ffb70b01080 | | 1 | ||
| MOD | GET_PROC_ADDRESS | address_out = 0x7ffb70b06090 | | 1 | ||
| MOD | GET_PROC_ADDRESS | address_out = 0x7ffb70b1e1d0 | | 1 | ||
| MOD | GET_PROC_ADDRESS | address_out = 0x7ffb70b02ce0 | | 1 | ||
| MOD | GET_PROC_ADDRESS | address_out = 0x7ffb70b0af70 | | 1 | ||
| MOD | GET_PROC_ADDRESS | address_out = 0x7ffb70b03880 | | 1 | ||
| MOD | GET_PROC_ADDRESS | address_out = 0x7ffb70b03a30 | | 1 | ||
| MOD | GET_PROC_ADDRESS | address_out = 0x7ffb70b03260 | | 1 | ||
| MOD | GET_PROC_ADDRESS | address_out = 0x7ffb70b06be0 | | 1 | ||
| MOD | GET_PROC_ADDRESS | address_out = 0x7ffb70b04ea0 | | 1 | ||
| MOD | GET_PROC_ADDRESS | address_out = 0x7ffb70b027d0 | | 1 | ||
| MOD | GET_PROC_ADDRESS | address_out = 0x7ffb70b02b00 | | 1 | ||
| MOD | GET_PROC_ADDRESS | address_out = 0x7ffb70b1d8d0 | | 1 | ||
| MOD | GET_PROC_ADDRESS | address_out = 0x7ffb70b024f0 | | 1 | ||
| MOD | GET_PROC_ADDRESS | address_out = 0x7ffb70b06830 | | 1 | ||
| MOD | GET_PROC_ADDRESS | address_out = 0x7ffb70b03c50 | | 1 | ||
| MOD | GET_PROC_ADDRESS | address_out = 0x7ffb70b01030 | | 1 | ||
| MOD | GET_PROC_ADDRESS | address_out = 0x7ffb70b05bb0 | | 1 | ||
| MOD | GET_PROC_ADDRESS | address_out = 0x7ffb70b0f290 | | 1 | ||
| MOD | GET_PROC_ADDRESS | address_out = 0x7ffb70b0f750 | | 1 | ||
| MOD | GET_PROC_ADDRESS | address_out = 0x7ffb70b03f50 | | 1 | ||
| MOD | GET_PROC_ADDRESS | address_out = 0x7ffb70b02630 | | 1 | ||
| MOD | GET_PROC_ADDRESS | address_out = 0x7ffb70b0d330 | | 1 | ||
| MOD | GET_PROC_ADDRESS | address_out = 0x7ffb70b1d6e0 | | 1 | ||
| PROC | OPEN_TOKEN | | 1 | |||
| REG | OPEN_KEY | | 1 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | module_name = Nameless FileMapping, value_name = MachineGuid | | 2 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | module_name = Nameless FileMapping, value_name = MachineGuid | | 2 | ||
| REG | OPEN_KEY | | 1 | |||
| PROC | OPEN_TOKEN | | 1 | |||
| REG | OPEN_KEY | | 1 | |||
| REG | OPEN_KEY | | 1 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | reg_name = System\CurrentControlSet\Control\SecurityProviders\WDigest, value_name = Negotiate | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | reg_name = System\CurrentControlSet\Control\SecurityProviders\WDigest, value_name = UTF8HTTP | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | reg_name = System\CurrentControlSet\Control\SecurityProviders\WDigest, value_name = UTF8SASL | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | reg_name = System\CurrentControlSet\Control\SecurityProviders\WDigest, value_name = ServerCompat | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | reg_name = System\CurrentControlSet\Control\SecurityProviders\WDigest, value_name = ClientCompat | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | reg_name = System\CurrentControlSet\Control\SecurityProviders\WDigest, value_name = DigestEncryptionAlgorithms | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | reg_name = System\CurrentControlSet\Control\SecurityProviders\WDigest, value_name = DigestEncryptionAlgorithms | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | reg_name = System\CurrentControlSet\Control\SecurityProviders\WDigest, value_name = UseLogonCredential | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | reg_name = System\CurrentControlSet\Control\SecurityProviders\WDigest, value_name = DisableNameRealmValidation | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | reg_name = System\CurrentControlSet\Control\SecurityProviders\WDigest, value_name = Debuglevel | | 1 | ||
| MOD | LOAD | base_address = 0x0 | | 1 | ||
| MOD | LOAD | module_name = "", base_address = 0xc0000135 | | 1 | ||
| MOD | LOAD | base_address = 0x7ffb70fd0000 | | 1 | ||
| MOD | LOAD | module_name = msv1_0, base_address = 0x0 | | 1 | ||
| MOD | GET_PROC_ADDRESS | address_out = 0x7ffb70ff56c0 | | 1 | ||
| MOD | GET_PROC_ADDRESS | address_out = 0x7ffb70fe8a90 | | 1 | ||
| MOD | GET_PROC_ADDRESS | address_out = 0x7ffb70fdb500 | | 1 | ||
| MOD | GET_PROC_ADDRESS | address_out = 0x7ffb70fdb9f0 | | 1 | ||
| MOD | GET_PROC_ADDRESS | address_out = 0x7ffb70fed400 | | 1 | ||
| MOD | GET_PROC_ADDRESS | address_out = 0x7ffb70fd10b0 | | 1 | ||
| MOD | GET_PROC_ADDRESS | address_out = 0x0 | | 1 | ||
| MOD | LOAD | base_address = 0x7ffb71580000 | | 1 | ||
| MOD | LOAD | module_name = X:\windows\system32\bcryptprimitives.dll, base_address = 0x0 | | 1 | ||
| MOD | GET_PROC_ADDRESS | address_out = 0x7ffb71595b30 | | 2 | ||
| MOD | GET_PROC_ADDRESS | address_out = 0x7ffb71584530 | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = MaxCredentialsSize | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = TargetInfoCacheSize | | 1 | ||
| MOD | GET_HANDLE | module_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\lsass.exe | | 1 | ||
| MOD | GET_HANDLE | module_name = lsasrv.dll | | 1 | ||
| REG | OPEN_KEY | reg_name = \Registry\Machine\System\CurrentControlSet\Control\ComputerName\ActiveComputerName | | 1 | ||
| REG | OPEN_KEY | reg_name = \Registry\Machine\System\CurrentControlSet\Control\ComputerName\ComputerName | | 1 | ||
| REG | READ_VALUE | reg_name = \Registry\Machine\System\CurrentControlSet\Control\ComputerName\ComputerName, value_name = ComputerName | | 1 | ||
| PROC | OPEN_TOKEN | | 1 | |||
| REG | OPEN_KEY | reg_name = \Registry\Machine\System\CurrentControlSet\Control\ComputerName\ActiveComputerName | | 1 | ||
| REG | OPEN_KEY | reg_name = \Registry\Machine\System\CurrentControlSet\Control\ComputerName\ComputerName | | 1 | ||
| REG | READ_VALUE | reg_name = \Registry\Machine\System\CurrentControlSet\Control\ComputerName\ComputerName, value_name = ComputerName | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = LsaLookupCacheRefreshTime | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = LsaLookupCacheExpireTime | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = LsaLookupCacheMaxSize | | 1 | ||
| REG | OPEN_KEY | | 2 | |||
| REG | OPEN_KEY | | 1 | |||
| REG | WRITE_VALUE | | 1 | |||
| REG | WRITE_VALUE | value_name = RNGAuxiliarySeed, data = 1477820023 | | 1 | ||
| MOD | LOAD | base_address = 0x7ffb70ae0000 | | 1 | ||
| MOD | LOAD | module_name = efslsaext.dll, base_address = 0x0 | | 1 | ||
| MOD | GET_PROC_ADDRESS | address_out = 0x7ffb70ae4980 | | 1 | ||
| MOD | GET_PROC_ADDRESS | address_out = 0x0 | | 1 | ||
| REG | OPEN_KEY | | 2 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = Extension | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = Extension | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = Extension | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = Extension | | 1 | ||
| MOD | LOAD | base_address = 0x7ffb70aa0000 | | 1 | ||
| MOD | LOAD | module_name = dpapisrv.dll, base_address = 0x0 | | 1 | ||
| MOD | GET_HANDLE | module_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\lsass.exe | | 1 | ||
| MOD | GET_HANDLE | module_name = dpapisrv.dll | | 1 | ||
| MOD | GET_PROC_ADDRESS | address_out = 0x7ffb70aad6c0 | | 1 | ||
| MOD | GET_PROC_ADDRESS | address_out = 0x7ffb70aadb40 | | 1 | ||
| PROC | OPEN_TOKEN | | 1 | |||
| REG | CREATE_KEY | | 1 | |||
| REG | CREATE_KEY | reg_name = System\CurrentControlSet\Control\Lsa\SspiCache | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = SecurityProviders | | 1 | ||
| REG | CREATE_KEY | | 1 | |||
| REG | CREATE_KEY | reg_name = SOFTWARE\Microsoft\Cryptography\Protect\Providers\df9d8cd0-1501-11d1-8c7a-00c04fc297eb | | 1 | ||
| REG | CREATE_KEY | reg_name = SOFTWARE | | 1 | ||
| REG | CREATE_KEY | reg_name = SOFTWARE\Microsoft | | 1 | ||
| REG | CREATE_KEY | reg_name = SOFTWARE\Microsoft\Cryptography | | 1 | ||
| REG | CREATE_KEY | reg_name = SOFTWARE\Microsoft\Cryptography\Protect | | 1 | ||
| REG | CREATE_KEY | reg_name = SOFTWARE\Microsoft\Cryptography\Protect\Providers | | 1 | ||
| REG | CREATE_KEY | reg_name = SOFTWARE\Microsoft\Cryptography\Protect\Providers\df9d8cd0-1501-11d1-8c7a-00c04fc297eb | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | reg_name = SOFTWARE\Microsoft\Cryptography\Protect\Providers\df9d8cd0-1501-11d1-8c7a-00c04fc297eb, value_name = MasterKeyIterationCount | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | reg_name = SOFTWARE\Microsoft\Cryptography\Protect\Providers\df9d8cd0-1501-11d1-8c7a-00c04fc297eb, value_name = MasterKeyLegacyCompliance | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | reg_name = SOFTWARE\Microsoft\Cryptography\Protect\Providers\df9d8cd0-1501-11d1-8c7a-00c04fc297eb, value_name = MasterKeyLegacyNt4Domain | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | reg_name = SOFTWARE\Microsoft\Cryptography\Protect\Providers\df9d8cd0-1501-11d1-8c7a-00c04fc297eb, value_name = DistributeBackupKey | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | reg_name = SOFTWARE\Microsoft\Cryptography\Protect\Providers\df9d8cd0-1501-11d1-8c7a-00c04fc297eb, value_name = ProtectionPolicy | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | reg_name = SOFTWARE\Microsoft\Cryptography\Protect\Providers\df9d8cd0-1501-11d1-8c7a-00c04fc297eb, value_name = Recovery Version | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | reg_name = SOFTWARE\Microsoft\Cryptography\Protect\Providers\df9d8cd0-1501-11d1-8c7a-00c04fc297eb, value_name = Encr Alg | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | reg_name = SOFTWARE\Microsoft\Cryptography\Protect\Providers\df9d8cd0-1501-11d1-8c7a-00c04fc297eb, value_name = Encr Alg Key Size | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | reg_name = SOFTWARE\Microsoft\Cryptography\Protect\Providers\df9d8cd0-1501-11d1-8c7a-00c04fc297eb, value_name = MAC Alg | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | reg_name = SOFTWARE\Microsoft\Cryptography\Protect\Providers\df9d8cd0-1501-11d1-8c7a-00c04fc297eb, value_name = MAC Alg Key Size | | 1 | ||
| MOD | GET_HANDLE | module_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\lsass.exe | | 1 | ||
| MOD | GET_HANDLE | module_name = ntdll.dll | | 1 | ||
| MOD | GET_PROC_ADDRESS | address_out = 0x7ffb741801b0 | | 1 | ||
| THREAD | CREATE | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134, proc_address = 0x7ffb713f2d90, desired_access = THREAD_ALL_ACCESS | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = MiniSetupInProgress | | 1 | ||
| MOD | GET_HANDLE | module_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\lsass.exe | | 1 | ||
| MOD | GET_HANDLE | module_name = LSASRV.DLL | | 1 | ||
| THREAD | CREATE_WORKITEM | | 1 | |||
| MOD | LOAD | base_address = 0x7ffb71500000 | | 1 | ||
| MOD | LOAD | module_name = sspicli.dll, base_address = 0x0 | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = LookupLogLevel | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = LsaLookupReturnSidTypeDeleted | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = LsaLookupRestrictIsolatedNameLevel | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = LsarpcServerAllowRemotedSecretOperations | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = LsaLookupCacheRefreshTime | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = LsaLookupCacheExpireTime | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = LsaLookupCacheMaxSize | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = LsaAllowReturningUnencryptedSecrets | | 1 | ||
| MOD | GET_HANDLE | module_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\lsass.exe | | 1 | ||
| MOD | GET_HANDLE | module_name = ntdll.dll | | 1 | ||
| MOD | GET_PROC_ADDRESS | address_out = 0x7ffb741b0fa0 | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| THREAD | CREATE | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134, proc_address = 0x7ffb713fa570, desired_access = THREAD_ALL_ACCESS | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = NoLmHash | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = SamReplicatePasswordsUrgently | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ForceGuest | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = LimitBlankPasswordUse | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = SamAccountLockoutTestMode | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = SamDisableListenOnTCP | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = IgnoreGCFailures | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = SamNoGcLogonEnforceKerberosIpCheck | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = SamNoGcLogonEnforceNTLMCheck | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = SamDisableSingleObjectRepl | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = SamDisableRSOOnPDCForward | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = SamDisableResetBadPwdCountForward | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = SamConnectedAccountsExist | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = SamDisableOutboundRSO | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = RestrictAnonymous | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = RestrictAnonymousSam | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ExtendedSidEmulationMode | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = SamLogSize | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = SamLogLevel | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = SamRestrictOwfPasswordChange | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = MaxSamConnections | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = dsrmAdminLogonBehavior | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = SamMaxQueueLengthForPDCForward | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = EnableClaimsTransformationEcho | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = EnumerationCachePurgeInterval | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = EnumerationCacheEntryLifetime | | 1 | ||
| MOD | GET_HANDLE | module_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\lsass.exe | | 1 | ||
| MOD | GET_HANDLE | module_name = SAMSRV.DLL | | 1 | ||
| MOD | GET_HANDLE | module_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\lsass.exe | | 1 | ||
| MOD | GET_HANDLE | module_name = SAMSRV.DLL | | 1 | ||
| REG | OPEN_KEY | reg_name = \Registry\Machine\System\CurrentControlSet\Services\Tcpip\Parameters | | 1 | ||
| REG | READ_VALUE | reg_name = \Registry\Machine\System\CurrentControlSet\Services\Tcpip\Parameters, value_name = Hostname | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | WRITE_VALUE | | 1 | |||
| REG | WRITE_VALUE | value_name = ProductType, data = 1 | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = DirectoryServiceExtPt | | 1 | ||
| MOD | LOAD | base_address = 0x7ffb70a50000 | | 1 | ||
| MOD | LOAD | module_name = scecli, base_address = 0x0 | | 1 | ||
| THREAD | CREATE_WORKITEM | | 1 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = DirectoryServiceExtPt | | 1 | ||
| THREAD | CREATE | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134, proc_address = 0x7ffb712c7c30, desired_access = THREAD_ALL_ACCESS | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = DirectoryServiceExtPt | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = DirectoryServiceExtPt | | 1 | ||
| REG | OPEN_KEY | | 4 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = DirectoryServiceExtPt | | 1 | ||
| REG | OPEN_KEY | | 4 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = DirectoryServiceExtPt | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = DirectoryServiceExtPt | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = DirectoryServiceExtPt | | 1 | ||
| MOD | LOAD | base_address = 0x7ffb71290000 | | 1 | ||
| MOD | LOAD | module_name = SAMSRV.DLL, base_address = 0x0 | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = DirectoryServiceExtPt | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = DirectoryServiceExtPt | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = DirectoryServiceExtPt | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = DirectoryServiceExtPt | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = DirectoryServiceExtPt | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = DirectoryServiceExtPt | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = DirectoryServiceExtPt | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = DirectoryServiceExtPt | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = DirectoryServiceExtPt | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = DirectoryServiceExtPt | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = DirectoryServiceExtPt | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = DirectoryServiceExtPt | | 1 | ||
| MOD | GET_HANDLE | module_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\lsass.exe | | 1 | ||
| MOD | GET_HANDLE | module_name = ntdll.dll | | 1 | ||
| MOD | GET_PROC_ADDRESS | address_out = 0x7ffb741b0fa0 | | 1 | ||
| MOD | LOAD | base_address = 0x7ffb71290000 | | 1 | ||
| MOD | LOAD | module_name = SAMSRV.DLL, base_address = 0x0 | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = DirectoryServiceExtPt | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = DirectoryServiceExtPt | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = DirectoryServiceExtPt | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = DirectoryServiceExtPt | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = DirectoryServiceExtPt | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = DirectoryServiceExtPt | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = DirectoryServiceExtPt | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = DirectoryServiceExtPt | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = DirectoryServiceExtPt | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = DirectoryServiceExtPt | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = DirectoryServiceExtPt | | 1 | ||
| MOD | LOAD | base_address = 0x7ffb71290000 | | 1 | ||
| MOD | LOAD | module_name = SAMSRV.DLL, base_address = 0x0 | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = DirectoryServiceExtPt | | 1 | ||
| MOD | LOAD | base_address = 0x7ffb71290000 | | 1 | ||
| MOD | LOAD | module_name = SAMSRV.DLL, base_address = 0x0 | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = DirectoryServiceExtPt | | 1 | ||
| MOD | LOAD | base_address = 0x7ffb71290000 | | 1 | ||
| MOD | LOAD | module_name = SAMSRV.DLL, base_address = 0x0 | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = DirectoryServiceExtPt | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = DirectoryServiceExtPt | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = DirectoryServiceExtPt | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = DirectoryServiceExtPt | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = DirectoryServiceExtPt | | 1 | ||
| MOD | LOAD | base_address = 0x7ffb71290000 | | 1 | ||
| MOD | LOAD | module_name = SAMSRV.DLL, base_address = 0x0 | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = DirectoryServiceExtPt | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = DirectoryServiceExtPt | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = PolicyFilterOff | | 1 | ||
| THREAD | CREATE_WORKITEM | | 1 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = DirectoryServiceExtPt | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = DirectoryServiceExtPt | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = DirectoryServiceExtPt | | 1 | ||
| MOD | LOAD | base_address = 0x7ffb71290000 | | 1 | ||
| MOD | LOAD | module_name = SAMSRV.DLL, base_address = 0x0 | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = DirectoryServiceExtPt | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = DirectoryServiceExtPt | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = DirectoryServiceExtPt | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = DirectoryServiceExtPt | | 1 | ||
| MOD | LOAD | base_address = 0x7ffb71290000 | | 1 | ||
| MOD | LOAD | module_name = SAMSRV.DLL, base_address = 0x0 | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = DirectoryServiceExtPt | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = DirectoryServiceExtPt | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = DirectoryServiceExtPt | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = DirectoryServiceExtPt | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = DirectoryServiceExtPt | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = DirectoryServiceExtPt | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = DirectoryServiceExtPt | | 1 | ||
| MOD | LOAD | base_address = 0x7ffb71290000 | | 1 | ||
| MOD | LOAD | module_name = SAMSRV.DLL, base_address = 0x0 | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| For performance reasons, the remaining 16 entries are omitted. Click to download all 1016 entries as text file (0.40 MB). | ||||||
| Category | Operation | Information | Success | Amount | Logfile |
|---|---|---|---|---|---|
| REG | OPEN_KEY | | 1 | ||
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = DisableRestrictedAdminOutboundCreds | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = DisableRestrictedAdmin | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = TokenLeakDetectDelaySecs | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = IdCacheEntryLifeSpan | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = SamWaitNoTimeout | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = SuppressExtendedProtection | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = LogToFile | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = SendOptionalMechlistMIC | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = AcceptUnsafeUnprotectedNegotiation | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = CrashOnAuditFail | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = NegEventMask | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = SPMInfoLevel | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = DisableCredMan | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = DisableDomainCreds | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = HourlyLogLevel | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = AuthenticateAnonymousOnlineIDs | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = TurnOffAnonymousBlock | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = EveryoneIncludesAnonymous | | 1 | |
| REG | OPEN_KEY | | 1 | ||
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = DisableRestrictedAdminOutboundCreds | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = DisableRestrictedAdmin | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = TokenLeakDetectDelaySecs | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = IdCacheEntryLifeSpan | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = SamWaitNoTimeout | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = SuppressExtendedProtection | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = LogToFile | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = SendOptionalMechlistMIC | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = AcceptUnsafeUnprotectedNegotiation | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = CrashOnAuditFail | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = NegEventMask | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = SPMInfoLevel | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = DisableCredMan | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = DisableDomainCreds | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = HourlyLogLevel | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = AuthenticateAnonymousOnlineIDs | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = TurnOffAnonymousBlock | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = EveryoneIncludesAnonymous | | 1 | |
| REG | OPEN_KEY | | 1 | ||
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = DisableAutomaticRestartSignOn | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = DisableConnectedNTLMPassword | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = NoConnectedUser | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = ApplyPolicyToAnonymousLogon | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = EnableLocalLogonSid | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = EnableLinkedConnections | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = FilterAdministratorToken | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = DisplayLastLogonInfo | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = FilterNetworkAuthenticationTokens | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = LocalAccountTokenFilterPolicy | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = DisableRestrictionTraversal | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = ScForceOption | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = EnableVirtualization | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = Debuglevel | | 1 | |
| REG | OPEN_KEY | | 1 | ||
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = DisableRestrictedAdminOutboundCreds | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = DisableRestrictedAdmin | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = TokenLeakDetectDelaySecs | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = IdCacheEntryLifeSpan | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = SamWaitNoTimeout | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = SuppressExtendedProtection | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = LogToFile | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = SendOptionalMechlistMIC | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = AcceptUnsafeUnprotectedNegotiation | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = CrashOnAuditFail | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = NegEventMask | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = SPMInfoLevel | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = DisableCredMan | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = DisableDomainCreds | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = HourlyLogLevel | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = AuthenticateAnonymousOnlineIDs | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = TurnOffAnonymousBlock | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = EveryoneIncludesAnonymous | | 1 | |
| REG | OPEN_KEY | | 1 | ||
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = DisableRestrictedAdminOutboundCreds | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = DisableRestrictedAdmin | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = TokenLeakDetectDelaySecs | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = IdCacheEntryLifeSpan | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = SamWaitNoTimeout | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = SuppressExtendedProtection | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = LogToFile | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = SendOptionalMechlistMIC | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = AcceptUnsafeUnprotectedNegotiation | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = CrashOnAuditFail | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = NegEventMask | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = SPMInfoLevel | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = DisableCredMan | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = DisableDomainCreds | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = HourlyLogLevel | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = AuthenticateAnonymousOnlineIDs | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = TurnOffAnonymousBlock | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = EveryoneIncludesAnonymous | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = LmCompatibilityLevel | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = UseMachineId | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = ForceGuest | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = DisallowMsvChapv2 | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = LimitBlankPasswordUse | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = DisableLoopbackCheck | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = DebugBreakIfDebugged | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = OldPasswordAllowedPeriod | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = AllowLegacySrvCall | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = SendNt2ResponseOnly | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = NtlmMinClientSec | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = NtlmMinServerSec | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = BackConnectionHostNames | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = RestrictSendingNTLMTraffic | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = RestrictReceivingNTLMTraffic | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = AuditReceivingNTLMTraffic | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = ClientAllowedNTLMServers | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = NTLMInfoEvent | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = allownullsessionfallback | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = AllowS4UForDomainUsers | | 1 | |
| REG | CREATE_KEY | | 1 | ||
| REG | CREATE_KEY | reg_name = System\CurrentControlSet\Control\Lsa\Audit | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | reg_name = System\CurrentControlSet\Control\Lsa\Audit, value_name = SpecialGroups | | 1 | |
| REG | CREATE_KEY | | 1 | ||
| REG | CREATE_KEY | reg_name = Software\Microsoft\Windows\CurrentVersion\Policies\System\Audit | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | reg_name = Software\Microsoft\Windows\CurrentVersion\Policies\System\Audit, value_name = ProcessCreationIncludeCmdLine_Enabled | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = KerbDebugLevel | | 1 | |
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | reg_name = Catalog_Entries64\Catalog_Entries64\000000000001, value_name = NtLmInfoLevel | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = LogLevel | | 1 | |
| REG | OPEN_KEY | | 1 | ||
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | reg_name = System\CurrentControlSet\Control\SecurityProviders\WDigest, value_name = Negotiate | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | reg_name = System\CurrentControlSet\Control\SecurityProviders\WDigest, value_name = UTF8HTTP | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | reg_name = System\CurrentControlSet\Control\SecurityProviders\WDigest, value_name = UTF8SASL | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | reg_name = System\CurrentControlSet\Control\SecurityProviders\WDigest, value_name = ServerCompat | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | reg_name = System\CurrentControlSet\Control\SecurityProviders\WDigest, value_name = ClientCompat | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | reg_name = System\CurrentControlSet\Control\SecurityProviders\WDigest, value_name = DigestEncryptionAlgorithms | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | reg_name = System\CurrentControlSet\Control\SecurityProviders\WDigest, value_name = DigestEncryptionAlgorithms | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | reg_name = System\CurrentControlSet\Control\SecurityProviders\WDigest, value_name = UseLogonCredential | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | reg_name = System\CurrentControlSet\Control\SecurityProviders\WDigest, value_name = DisableNameRealmValidation | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | reg_name = System\CurrentControlSet\Control\SecurityProviders\WDigest, value_name = Debuglevel | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = LmCompatibilityLevel | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = UseMachineId | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = ForceGuest | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = DisallowMsvChapv2 | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = LimitBlankPasswordUse | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = DisableLoopbackCheck | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = DebugBreakIfDebugged | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = OldPasswordAllowedPeriod | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = AllowLegacySrvCall | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = SendNt2ResponseOnly | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = NtlmMinClientSec | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = NtlmMinServerSec | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = BackConnectionHostNames | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = RestrictSendingNTLMTraffic | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = RestrictReceivingNTLMTraffic | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = AuditReceivingNTLMTraffic | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = ClientAllowedNTLMServers | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = NTLMInfoEvent | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = allownullsessionfallback | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = AllowS4UForDomainUsers | | 1 | |
| REG | OPEN_KEY | | 1 | ||
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = DisableRestrictedAdminOutboundCreds | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = DisableRestrictedAdmin | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = TokenLeakDetectDelaySecs | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = IdCacheEntryLifeSpan | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = SamWaitNoTimeout | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = SuppressExtendedProtection | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = LogToFile | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = SendOptionalMechlistMIC | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = AcceptUnsafeUnprotectedNegotiation | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = CrashOnAuditFail | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = NegEventMask | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = SPMInfoLevel | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = DisableCredMan | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = DisableDomainCreds | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = HourlyLogLevel | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = AuthenticateAnonymousOnlineIDs | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = TurnOffAnonymousBlock | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = EveryoneIncludesAnonymous | | 1 |
| Category | Operation | Information | Success | Amount | Logfile |
|---|---|---|---|---|---|
| REG | OPEN_KEY | | 1 | ||
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = lspdbginfolevel | | 1 | |
| REG | OPEN_KEY | | 1 | ||
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = lspdbginfolevel | | 1 | |
| REG | OPEN_KEY | | 1 | ||
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = lspdbginfolevel | | 1 | |
| REG | OPEN_KEY | | 1 | ||
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = lspdbginfolevel | | 1 | |
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | reg_name = \Registry\Machine\System\CurrentControlSet\Services\Tcpip\Parameters | | 1 | |
| REG | READ_VALUE | reg_name = \Registry\Machine\System\CurrentControlSet\Services\Tcpip\Parameters, value_name = Hostname | | 1 | |
| REG | OPEN_KEY | reg_name = \Registry\Machine\System\CurrentControlSet\Control\ComputerName\ActiveComputerName | | 1 | |
| REG | OPEN_KEY | reg_name = \Registry\Machine\System\CurrentControlSet\Control\ComputerName\ComputerName | | 1 | |
| REG | READ_VALUE | reg_name = \Registry\Machine\System\CurrentControlSet\Control\ComputerName\ComputerName, value_name = ComputerName | | 1 | |
| REG | OPEN_KEY | reg_name = \Registry\Machine\System\CurrentControlSet\Control\ComputerName\ActiveComputerName | | 1 | |
| REG | OPEN_KEY | reg_name = \Registry\Machine\System\CurrentControlSet\Control\ComputerName\ComputerName | | 1 | |
| REG | READ_VALUE | reg_name = \Registry\Machine\System\CurrentControlSet\Control\ComputerName\ComputerName, value_name = ComputerName | | 1 | |
| MOD | LOAD | base_address = 0x7ffb70fd0000 | | 1 | |
| MOD | LOAD | module_name = msv1_0.dll, base_address = 0x0 | | 1 | |
| MOD | GET_PROC_ADDRESS | address_out = 0x7ffb70fe1120 | | 1 | |
| DRV | CONTROL | control_code = 0x110008 | | 2 | |
| FILE | READ | size = 1024 | | 1 | |
| DRV | CONTROL | control_code = 0x110024 | | 1 | |
| FILE | WRITE | size = 116, offset = 0 | | 1 | |
| FILE | READ | size = 1024 | | 1 | |
| DRV | CONTROL | control_code = 0x11001c | | 1 | |
| FILE | READ | size = 1024 | | 1 | |
| DRV | CONTROL | control_code = 0x11001c | | 4 | |
| FILE | WRITE | size = 92, offset = 0 | | 1 | |
| REG | OPEN_KEY | | 1 | ||
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = lspdbginfolevel | | 1 | |
| REG | OPEN_KEY | | 1 | ||
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = KerbControlLevel | | 1 | |
| REG | OPEN_KEY | | 2 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = SupportedEncryptionTypes | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = MaxTokenSize | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = DHDomainParameters | | 1 | |
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 2 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = LookupLogLevel | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = LsaLookupReturnSidTypeDeleted | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = LsaLookupRestrictIsolatedNameLevel | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = LsarpcServerAllowRemotedSecretOperations | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = LsaLookupCacheRefreshTime | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = LsaLookupCacheExpireTime | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = LsaLookupCacheMaxSize | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = LsaAllowReturningUnencryptedSecrets | | 1 | |
| REG | OPEN_KEY | | 1 | ||
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = NoLmHash | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = SamReplicatePasswordsUrgently | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = ForceGuest | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = LimitBlankPasswordUse | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = SamAccountLockoutTestMode | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = SamDisableListenOnTCP | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = IgnoreGCFailures | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = SamNoGcLogonEnforceKerberosIpCheck | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = SamNoGcLogonEnforceNTLMCheck | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = SamDisableSingleObjectRepl | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = SamDisableRSOOnPDCForward | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = SamDisableResetBadPwdCountForward | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = SamConnectedAccountsExist | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = SamDisableOutboundRSO | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = RestrictAnonymous | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = RestrictAnonymousSam | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = ExtendedSidEmulationMode | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = SamLogSize | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = SamLogLevel | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = SamRestrictOwfPasswordChange | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = MaxSamConnections | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = dsrmAdminLogonBehavior | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = SamMaxQueueLengthForPDCForward | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = EnableClaimsTransformationEcho | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = EnumerationCachePurgeInterval | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = EnumerationCacheEntryLifetime | | 1 | |
| PROC | OPEN_TOKEN | | 2 | ||
| REG | OPEN_KEY | reg_name = \Registry\Machine\System\CurrentControlSet\Control\ComputerName\ActiveComputerName | | 1 | |
| REG | READ_VALUE | reg_name = \Registry\Machine\System\CurrentControlSet\Control\ComputerName\ActiveComputerName, value_name = ComputerName | | 1 | |
| PROC | OPEN_TOKEN | | 4 |
| Category | Operation | Information | Success | Amount | Logfile |
|---|---|---|---|---|---|
| REG | OPEN_KEY | | 1 | ||
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = lspdbginfolevel | | 1 | |
| REG | OPEN_KEY | | 1 | ||
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = KerbControlLevel | | 1 | |
| REG | OPEN_KEY | | 2 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = SupportedEncryptionTypes | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = MaxTokenSize | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = DHDomainParameters | | 1 | |
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 2 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = lspdbginfolevel | | 1 | |
| REG | OPEN_KEY | | 1 | ||
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = KerbControlLevel | | 1 | |
| REG | OPEN_KEY | | 2 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = SupportedEncryptionTypes | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = MaxTokenSize | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = DHDomainParameters | | 1 | |
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 2 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = LookupLogLevel | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = LsaLookupReturnSidTypeDeleted | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = LsaLookupRestrictIsolatedNameLevel | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = LsarpcServerAllowRemotedSecretOperations | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = LsaLookupCacheRefreshTime | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = LsaLookupCacheExpireTime | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = LsaLookupCacheMaxSize | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = LsaAllowReturningUnencryptedSecrets | | 1 | |
| REG | OPEN_KEY | | 1 | ||
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = NoLmHash | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = SamReplicatePasswordsUrgently | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = ForceGuest | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = LimitBlankPasswordUse | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = SamAccountLockoutTestMode | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = SamDisableListenOnTCP | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = IgnoreGCFailures | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = SamNoGcLogonEnforceKerberosIpCheck | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = SamNoGcLogonEnforceNTLMCheck | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = SamDisableSingleObjectRepl | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = SamDisableRSOOnPDCForward | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = SamDisableResetBadPwdCountForward | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = SamConnectedAccountsExist | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = SamDisableOutboundRSO | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = RestrictAnonymous | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = RestrictAnonymousSam | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = ExtendedSidEmulationMode | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = SamLogSize | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = SamLogLevel | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = SamRestrictOwfPasswordChange | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = MaxSamConnections | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = dsrmAdminLogonBehavior | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = SamMaxQueueLengthForPDCForward | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = EnableClaimsTransformationEcho | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = EnumerationCachePurgeInterval | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = EnumerationCacheEntryLifetime | | 1 | |
| SVC | OPEN_MGR | database_name = SERVICES_ACTIVE_DATABASE, host = Localhost | | 1 | |
| SVC | OPEN | | 1 | ||
| PROC | GET_INFO | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134 | | 1 | |
| REG | READ_VALUE | value_name = SQMServiceList | | 1 | |
| SVC | GET_INFO | type = Config | | 1 | |
| SVC | GET_INFO | type = Config | | 1 | |
| SVC | GET_INFO | type = Status | | 1 | |
| SYS | SLEEP | | 1 | ||
| SYS | SLEEP | duration = 460268828672 milliseconds (460268828.672 seconds) | | 1 | |
| SVC | GET_INFO | type = Status | | 1 | |
| DRV | CONTROL | control_code = 0x110004 | | 1 | |
| DRV | CONTROL | control_code = 0x110008 | | 1 | |
| REG | READ_VALUE | value_name = Serial_Access_Num | | 1 | |
| PROC | GET_INFO | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134 | | 1 |
| Category | Operation | Information | Success | Amount | Logfile |
|---|---|---|---|---|---|
| REG | CREATE_KEY | | 1 | ||
| REG | CREATE_KEY | reg_name = System\CurrentControlSet\Control\Lsa\Audit\PerUserAuditing\System | | 1 | |
| REG | CREATE_KEY | | 1 | ||
| REG | CREATE_KEY | reg_name = System\CurrentControlSet\Control\Lsa\Audit\AuditPolicy | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | reg_name = System\CurrentControlSet\Control\Lsa\Audit\AuditPolicy, value_name = AuditPolicySD | | 1 | |
| PROC | OPEN_TOKEN | | 1 | ||
| MOD | GET_PROC_ADDRESS | address_out = 0x7ffb71595b30 | | 1 | |
| MOD | GET_PROC_ADDRESS | address_out = 0x7ffb715848b0 | | 2 | |
| FILE | CREATE | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\microsoft\protect\s-1-5-18\user\preferred, desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_HIDDEN, FILE_ATTRIBUTE_SYSTEM, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0 | | 1 | |
| FILE | CREATE | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\microsoft\protect\s-1-5-18\user\preferred, desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_HIDDEN, FILE_ATTRIBUTE_SYSTEM, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x390008 | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | reg_name = SOFTWARE\Microsoft\Cryptography\Protect\Providers\df9d8cd0-1501-11d1-8c7a-00c04fc297eb, value_name = MasterKeyIterationCount | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | reg_name = SOFTWARE\Microsoft\Cryptography\Protect\Providers\df9d8cd0-1501-11d1-8c7a-00c04fc297eb, value_name = MasterKeyLegacyCompliance | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | reg_name = SOFTWARE\Microsoft\Cryptography\Protect\Providers\df9d8cd0-1501-11d1-8c7a-00c04fc297eb, value_name = MasterKeyLegacyNt4Domain | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | reg_name = SOFTWARE\Microsoft\Cryptography\Protect\Providers\df9d8cd0-1501-11d1-8c7a-00c04fc297eb, value_name = DistributeBackupKey | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | reg_name = SOFTWARE\Microsoft\Cryptography\Protect\Providers\df9d8cd0-1501-11d1-8c7a-00c04fc297eb, value_name = ProtectionPolicy | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | reg_name = SOFTWARE\Microsoft\Cryptography\Protect\Providers\df9d8cd0-1501-11d1-8c7a-00c04fc297eb, value_name = Recovery Version | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | reg_name = SOFTWARE\Microsoft\Cryptography\Protect\Providers\df9d8cd0-1501-11d1-8c7a-00c04fc297eb, value_name = Encr Alg | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | reg_name = SOFTWARE\Microsoft\Cryptography\Protect\Providers\df9d8cd0-1501-11d1-8c7a-00c04fc297eb, value_name = Encr Alg Key Size | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | reg_name = SOFTWARE\Microsoft\Cryptography\Protect\Providers\df9d8cd0-1501-11d1-8c7a-00c04fc297eb, value_name = MAC Alg | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | reg_name = SOFTWARE\Microsoft\Cryptography\Protect\Providers\df9d8cd0-1501-11d1-8c7a-00c04fc297eb, value_name = MAC Alg Key Size | | 1 | |
| MOD | GET_PROC_ADDRESS | address_out = 0x7ffb715848b0 | | 1 | |
| FILE | CREATE | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\microsoft\protect\s-1-5-18\user\968b739e-d207-46ed-a53d-aed260dbc1d6, desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_HIDDEN, FILE_ATTRIBUTE_SYSTEM, create_disposition = FILE_OPEN_IF, ea_buffer = 0, ea_length = 0 | | 1 | |
| FILE | WRITE | | 1 | ||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\microsoft\protect\s-1-5-18\user\968b739e-d207-46ed-a53d-aed260dbc1d6, size = 468 | | 1 | |
| FILE | CREATE | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\microsoft\protect\s-1-5-18\user\preferred, desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_HIDDEN, FILE_ATTRIBUTE_SYSTEM, create_disposition = FILE_OPEN_IF, ea_buffer = 0, ea_length = 0 | | 1 | |
| FILE | WRITE | | 1 | ||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\microsoft\protect\s-1-5-18\user\preferred, size = 24 | | 1 | |
| MOD | GET_PROC_ADDRESS | address_out = 0x7ffb715848b0 | | 1 | |
| REG | WRITE_VALUE | | 1 | ||
| REG | WRITE_VALUE | reg_name = System\CurrentControlSet\Control\Lsa\Audit\AuditPolicy, value_name = AuditPolicySD | | 1 |
| Category | Operation | Information | Success | Amount | Logfile |
|---|---|---|---|---|---|
| MOD | LOAD | base_address = 0x7ffb70a40000 | | 1 | |
| MOD | LOAD | module_name = dsrole.dll, base_address = 0x0 | | 1 | |
| MOD | GET_PROC_ADDRESS | address_out = 0x7ffb70a41550 | | 1 | |
| MOD | GET_PROC_ADDRESS | address_out = 0x7ffb70a41530 | | 1 | |
| FILE | CREATE | file_name = \device\namedpipe\lsarpc, desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0 | | 1 | |
| FILE | WRITE | file_name = \device\namedpipe\lsarpc, size = 160, offset = 0 | | 1 | |
| FILE | READ | file_name = \device\namedpipe\lsarpc, size = 1024 | | 1 | |
| DRV | CONTROL | file_name = \device\namedpipe\lsarpc, control_code = 0x11c017 | | 1 | |
| PROC | OPEN_TOKEN | | 2 | ||
| REG | OPEN_KEY | reg_name = \Registry\Machine\System\CurrentControlSet\Control\ComputerName\ActiveComputerName | | 1 | |
| REG | READ_VALUE | reg_name = \Registry\Machine\System\CurrentControlSet\Control\ComputerName\ActiveComputerName, value_name = ComputerName | | 1 |
| Category | Operation | Information | Success | Amount | Logfile |
|---|---|---|---|---|---|
| MOD | GET_HANDLE | module_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\lsass.exe | | 1 | |
| MOD | GET_HANDLE | module_name = lsasrv.dll | | 1 |
| Category | Operation | Information | Success | Amount | Logfile |
|---|---|---|---|---|---|
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = DirectoryServiceExtPt | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = DirectoryServiceExtPt | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = DirectoryServiceExtPt | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = DirectoryServiceExtPt | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = DirectoryServiceExtPt | | 1 |
| Category | Operation | Information | Success | Amount | Logfile |
|---|---|---|---|---|---|
| MOD | GET_HANDLE | module_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\lsass.exe | | 1 | |
| MOD | GET_HANDLE | module_name = samsrv.dll | | 1 |
| Information | Value |
|---|---|
| ID / OS PID | #12 / 0x210 |
| OS Parent PID | 0x1ac (c:\windows\system32\csrss.exe) |
| Initial Working Directory | X:\windows\system32 |
| File Name | \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\svchost.exe |
| Command Line | X:\windows\system32\svchost.exe -k DcomLaunch |
| Monitor | Start Time: 00:01:47, Reason: Child Process |
| Unmonitor | End Time: 00:02:07, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:20 |
| OS Thread IDs | #92 0x214 #93 0x218 #94 0x21C #95 0x220 #98 0x228 #99 0x22C #100 0x230 #101 0x234 #106 0x24C #109 0x258 #110 0x25C #117 0x280 #119 0x284 #120 0x288 |
| Name | Start VA | End VA | Type | Permissions | Monitored | Dump |
|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable | | |
| private_0x000000aee6980000 | 0xaee6980000 | 0xaee699ffff | Private Memory | Readable, Writable | | |
| pagefile_0x000000aee6980000 | 0xaee6980000 | 0xaee698ffff | Pagefile Backed File | Readable, Writable | | |
| private_0x000000aee6990000 | 0xaee6990000 | 0xaee6996fff | Private Memory | Readable, Writable | | |
| pagefile_0x000000aee69a0000 | 0xaee69a0000 | 0xaee69aefff | Pagefile Backed File | Readable | | |
| private_0x000000aee69b0000 | 0xaee69b0000 | 0xaee6a2ffff | Private Memory | Readable, Writable | | |
| pagefile_0x000000aee6a30000 | 0xaee6a30000 | 0xaee6a33fff | Pagefile Backed File | Readable | | |
| pagefile_0x000000aee6a40000 | 0xaee6a40000 | 0xaee6a40fff | Pagefile Backed File | Readable | | |
| private_0x000000aee6a50000 | 0xaee6a50000 | 0xaee6a51fff | Private Memory | Readable, Writable | | |
| locale.nls | 0xaee6a60000 | 0xaee6addfff | Memory Mapped File | Readable | | |
| private_0x000000aee6ae0000 | 0xaee6ae0000 | 0xaee6b5ffff | Private Memory | Readable, Writable | | |
| private_0x000000aee6b60000 | 0xaee6b60000 | 0xaee6b66fff | Private Memory | Readable, Writable | | |
| private_0x000000aee6b70000 | 0xaee6b70000 | 0xaee6c6ffff | Private Memory | Readable, Writable | | |
| private_0x000000aee6c70000 | 0xaee6c70000 | 0xaee6ceffff | Private Memory | Readable, Writable | | |
| pagefile_0x000000aee6c70000 | 0xaee6c70000 | 0xaee6c70fff | Pagefile Backed File | Readable, Writable | | |
| pagefile_0x000000aee6c80000 | 0xaee6c80000 | 0xaee6c80fff | Pagefile Backed File | Readable | | |
| pagefile_0x000000aee6c90000 | 0xaee6c90000 | 0xaee6c90fff | Pagefile Backed File | Readable, Writable | | |
| private_0x000000aee6ca0000 | 0xaee6ca0000 | 0xaee6caffff | Private Memory | Readable, Writable | | |
| private_0x000000aee6cb0000 | 0xaee6cb0000 | 0xaee6cb0fff | Private Memory | Readable, Writable | | |
| sortdefault.nls | 0xaee6cf0000 | 0xaee6fc4fff | Memory Mapped File | Readable | | |
| private_0x000000aee6fd0000 | 0xaee6fd0000 | 0xaee704ffff | Private Memory | Readable, Writable | | |
| private_0x000000aee6fd0000 | 0xaee6fd0000 | 0xaee704ffff | Private Memory | Readable, Writable | | |
| private_0x000000aee6fd0000 | 0xaee6fd0000 | 0xaee704ffff | Private Memory | Readable, Writable | | |
| private_0x000000aee7090000 | 0xaee7090000 | 0xaee709ffff | Private Memory | Readable, Writable | | |
| private_0x000000aee70a0000 | 0xaee70a0000 | 0xaee711ffff | Private Memory | Readable, Writable | | |
| private_0x000000aee7120000 | 0xaee7120000 | 0xaee719ffff | Private Memory | Readable, Writable | | |
| private_0x000000aee71a0000 | 0xaee71a0000 | 0xaee721ffff | Private Memory | Readable, Writable | | |
| private_0x000000aee7220000 | 0xaee7220000 | 0xaee729ffff | Private Memory | Readable, Writable | | |
| private_0x000000aee72a0000 | 0xaee72a0000 | 0xaee731ffff | Private Memory | Readable, Writable | | |
| private_0x000000aee72a0000 | 0xaee72a0000 | 0xaee731ffff | Private Memory | Readable, Writable | | |
| private_0x000000aee7320000 | 0xaee7320000 | 0xaee741ffff | Private Memory | Readable, Writable | | |
| private_0x000000aee7420000 | 0xaee7420000 | 0xaee749ffff | Private Memory | Readable, Writable | | |
| private_0x000000aee75c0000 | 0xaee75c0000 | 0xaee75cffff | Private Memory | Readable, Writable | | |
| pagefile_0x00007df5ffd40000 | 0x7df5ffd40000 | 0x7ff5ffd3ffff | Pagefile Backed File | - | | |
| private_0x00007ff7c9778000 | 0x7ff7c9778000 | 0x7ff7c9779fff | Private Memory | Readable, Writable | | |
| private_0x00007ff7c977a000 | 0x7ff7c977a000 | 0x7ff7c977bfff | Private Memory | Readable, Writable | | |
| private_0x00007ff7c977a000 | 0x7ff7c977a000 | 0x7ff7c977bfff | Private Memory | Readable, Writable | | |
| private_0x00007ff7c977c000 | 0x7ff7c977c000 | 0x7ff7c977dfff | Private Memory | Readable, Writable | | |
| private_0x00007ff7c977e000 | 0x7ff7c977e000 | 0x7ff7c977ffff | Private Memory | Readable, Writable | | |
| pagefile_0x00007ff7c9780000 | 0x7ff7c9780000 | 0x7ff7c987ffff | Pagefile Backed File | Readable | | |
| pagefile_0x00007ff7c9880000 | 0x7ff7c9880000 | 0x7ff7c98a2fff | Pagefile Backed File | Readable | | |
| private_0x00007ff7c98a4000 | 0x7ff7c98a4000 | 0x7ff7c98a5fff | Private Memory | Readable, Writable | | |
| private_0x00007ff7c98a6000 | 0x7ff7c98a6000 | 0x7ff7c98a6fff | Private Memory | Readable, Writable | | |
| private_0x00007ff7c98a8000 | 0x7ff7c98a8000 | 0x7ff7c98a9fff | Private Memory | Readable, Writable | | |
| private_0x00007ff7c98a8000 | 0x7ff7c98a8000 | 0x7ff7c98a9fff | Private Memory | Readable, Writable | | |
| private_0x00007ff7c98aa000 | 0x7ff7c98aa000 | 0x7ff7c98abfff | Private Memory | Readable, Writable | | |
| private_0x00007ff7c98aa000 | 0x7ff7c98aa000 | 0x7ff7c98abfff | Private Memory | Readable, Writable | | |
| private_0x00007ff7c98aa000 | 0x7ff7c98aa000 | 0x7ff7c98abfff | Private Memory | Readable, Writable | | |
| private_0x00007ff7c98ac000 | 0x7ff7c98ac000 | 0x7ff7c98adfff | Private Memory | Readable, Writable | | |
| private_0x00007ff7c98ae000 | 0x7ff7c98ae000 | 0x7ff7c98affff | Private Memory | Readable, Writable | | |
| svchost.exe | 0x7ff7ca810000 | 0x7ff7ca81cfff | Memory Mapped File | Readable, Writable, Executable | | |
| DAB.dll | 0x7ffb70190000 | 0x7ffb701abfff | Memory Mapped File | Readable, Writable, Executable | | |
| SystemEventsBrokerServer.dll | 0x7ffb70300000 | 0x7ffb7034bfff | Memory Mapped File | Readable, Writable, Executable | | |
| DEVOBJ.dll | 0x7ffb705b0000 | 0x7ffb705d7fff | Memory Mapped File | Readable, Writable, Executable | | |
| pcwum.dll | 0x7ffb70600000 | 0x7ffb7060dfff | Memory Mapped File | Readable, Writable, Executable | | |
| WMsgAPI.dll | 0x7ffb70610000 | 0x7ffb70618fff | Memory Mapped File | Readable, Writable, Executable | | |
| SYSNTFY.dll | 0x7ffb70620000 | 0x7ffb7062bfff | Memory Mapped File | Readable, Writable, Executable | | |
| lsm.dll | 0x7ffb70630000 | 0x7ffb706f5fff | Memory Mapped File | Readable, Writable, Executable | | |
| rpcss.dll | 0x7ffb70740000 | 0x7ffb7080bfff | Memory Mapped File | Readable, Writable, Executable | | |
| umpo.dll | 0x7ffb70810000 | 0x7ffb70827fff | Memory Mapped File | Readable, Writable, Executable | | |
| umpnpmgr.dll | 0x7ffb70830000 | 0x7ffb70851fff | Memory Mapped File | Readable, Writable, Executable | | |
| USERENV.dll | 0x7ffb70dd0000 | 0x7ffb70df0fff | Memory Mapped File | Readable, Writable, Executable | | |
| SspiCli.dll | 0x7ffb71500000 | 0x7ffb7152dfff | Memory Mapped File | Readable, Writable, Executable | | |
| powrprof.dll | 0x7ffb71530000 | 0x7ffb71575fff | Memory Mapped File | Readable, Writable, Executable | | |
| bcryptPrimitives.dll | 0x7ffb71580000 | 0x7ffb715e2fff | Memory Mapped File | Readable, Writable, Executable | | |
| CRYPTBASE.dll | 0x7ffb715f0000 | 0x7ffb715fafff | Memory Mapped File | Readable, Writable, Executable | | |
| profapi.dll | 0x7ffb716b0000 | 0x7ffb716c4fff | Memory Mapped File | Readable, Writable, Executable | | |
| kernelbase.dll | 0x7ffb71760000 | 0x7ffb71874fff | Memory Mapped File | Readable, Writable, Executable | | |
| CFGMGR32.dll | 0x7ffb71880000 | 0x7ffb718cefff | Memory Mapped File | Readable, Writable, Executable | | |
| sechost.dll | 0x7ffb733c0000 | 0x7ffb73418fff | Memory Mapped File | Readable, Writable, Executable | | |
| kernel32.dll | 0x7ffb73480000 | 0x7ffb735bdfff | Memory Mapped File | Readable, Writable, Executable | | |
| combase.dll | 0x7ffb73740000 | 0x7ffb73950fff | Memory Mapped File | Readable, Writable, Executable | | |
| rpcrt4.dll | 0x7ffb73a30000 | 0x7ffb73b70fff | Memory Mapped File | Readable, Writable, Executable | | |
| MSVCRT.dll | 0x7ffb74050000 | 0x7ffb740f9fff | Memory Mapped File | Readable, Writable, Executable | | |
| ntdll.dll | 0x7ffb74120000 | 0x7ffb742cbfff | Memory Mapped File | Readable, Writable, Executable | | |
| Injection Type | Source Process | Source Os Thread ID | Injection Info | Success | Amount | Logfile |
|---|---|---|---|---|---|---|
| Modify Memory | \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\services.exe | 0x1b0 | address = 0xaee6a50000, size = 4704 | | 1 | |
| Modify Memory | \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\services.exe | 0x1b0 | address = 0x7ff7c98a62d8, size = 8 | | 1 | |
| Modify Memory | \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\lsass.exe | 0x1cc | No corresponding api call detected. Probably injected code via shellcode. | | 1 | |
| Modify Memory | \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\lsass.exe | 0x1cc | No corresponding api call detected. Probably injected code via shellcode. | | 1 | |
| Modify Memory | \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\lsass.exe | 0x1cc | No corresponding api call detected. Probably injected code via shellcode. | | 1 | |
| Modify Memory | \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\lsass.exe | 0x1cc | No corresponding api call detected. Probably injected code via shellcode. | | 1 | |
| Modify Memory | \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\lsass.exe | 0x1cc | No corresponding api call detected. Probably injected code via shellcode. | | 1 | |
| Modify Memory | \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\lsass.exe | 0x1cc | No corresponding api call detected. Probably injected code via shellcode. | | 1 | |
| Modify Memory | \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\lsass.exe | 0x1cc | No corresponding api call detected. Probably injected code via shellcode. | | 1 | |
| Modify Memory | \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\lsass.exe | 0x1cc | No corresponding api call detected. Probably injected code via shellcode. | | 1 | |
| Modify Memory | \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\lsass.exe | 0x1cc | No corresponding api call detected. Probably injected code via shellcode. | | 1 |
| Category | Operation | Information | Success | Amount | Logfile |
|---|---|---|---|---|---|
| SYS | GET_INFO | type = SYSTEM_CURRENT_TIME_ZONE_INFORMATION | | 1 | |
| SYS | GET_INFO | type = SYSTEM_BASIC_INFORMATION | | 2 | |
| PROC | GET_INFO | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134 | | 1 | |
| REG | OPEN_KEY | reg_name = \Registry\Machine\System\CurrentControlSet\Control\Nls\Sorting\Versions | | 1 | |
| REG | READ_VALUE | reg_name = \Registry\Machine\System\CurrentControlSet\Control\Nls\Sorting\Versions, value_name = 751193748928 | | 1 | |
| REG | OPEN_KEY | | 1 | ||
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = DcomLaunch | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = DcomLaunch | | 1 | |
| REG | OPEN_KEY | | 2 | ||
| MOD | LOAD | module_name = rpcrt4.dll, base_address = 0x0 | | 1 | |
| SYS | GET_INFO | type = SYSTEM_BASIC_INFORMATION | | 1 | |
| REG | READ_VALUE | value_name = MaxRpcSize | | 1 | |
| REG | OPEN_KEY | reg_name = \Registry\Machine\System\CurrentControlSet\Control\ComputerName\ActiveComputerName | | 1 | |
| REG | READ_VALUE | reg_name = \Registry\Machine\System\CurrentControlSet\Control\ComputerName\ActiveComputerName, value_name = ComputerName | | 1 | |
| REG | OPEN_KEY | reg_name = \Registry\Machine\System\Setup | | 1 | |
| REG | READ_VALUE | reg_name = \Registry\Machine\System\Setup, value_name = OOBEInProgress | | 1 | |
| REG | OPEN_KEY | reg_name = \Registry\Machine\System\Setup | | 1 | |
| REG | READ_VALUE | reg_name = \Registry\Machine\System\Setup, value_name = SystemSetupInProgress | | 1 | |
| SYS | GET_INFO | | 1 | ||
| PROC | GET_INFO | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134 | | 1 | |
| PROC | GET_INFO | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134 | | 1 | |
| REG | READ_VALUE | value_name = IdleTimerWindow | | 1 | |
| THREAD | CREATE | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134, proc_address = 0x7ffb733c7ef0, desired_access = THREAD_ALL_ACCESS | | 2 | |
| THREAD | CREATE | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134, proc_address = 0x7ffb733c7ef0, desired_access = THREAD_ALL_ACCESS | | 1 | |
| THREAD | CREATE | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134, proc_address = 0x7ffb733c7ef0, desired_access = THREAD_ALL_ACCESS | | 1 | |
| THREAD | CREATE | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134, proc_address = 0x7ffb733c7ef0, desired_access = THREAD_ALL_ACCESS | | 1 |
| Category | Operation | Information | Success | Amount | Logfile | |
|---|---|---|---|---|---|---|
| SVC | OPEN | | 1 | |||
| PROC | GET_INFO | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134 | | 1 | ||
| SVC | GET_INFO | type = Status | | 1 | ||
| PROC | OPEN | | 1 | |||
| PROC | OPEN | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\svchost.exe, os_pid = 0x238, desired_access = PROCESS_ALL_ACCESS | | 1 | ||
| PROC | OPEN_TOKEN | | 1 | |||
| MOD | CREATE_MAPPING | module_name = Nameless FileMapping | | 1 | ||
| MOD | CREATE_MAPPING | module_name = Global\RotHintTable, module_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\svchost.exe, maximum_size = 751194992064, protection = PAGE_READWRITE | | 1 | ||
| MOD | MAP | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\svchost.exe, os_pid = 0x210, address = 0xaee6c90000 | | 1 | ||
| MOD | MAP | module_name = Global\RotHintTable, process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134, address = 0xaee6c90000 | | 1 | ||
| MUTEX | CREATE | | 1 | |||
| MUTEX | CREATE | mutex_name = Global\{A3BD3259-3E4F-428a-84C8-F0463A9D3EB5}, initial_owner = 0, desired_access = MUTEX_MODIFY_STATE, DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| MOD | CREATE_MAPPING | module_name = Nameless FileMapping | | 1 | ||
| MOD | CREATE_MAPPING | module_name = Global\{A64C7F33-DA35-459b-96CA-63B51FB0CDB9}, module_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\svchost.exe, maximum_size = 751194992320, protection = PAGE_READWRITE | | 1 | ||
| MOD | MAP | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\svchost.exe, os_pid = 0x210, address = 0xaee6cb0000 | | 1 | ||
| MOD | MAP | module_name = Global\{A64C7F33-DA35-459b-96CA-63B51FB0CDB9}, process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134, address = 0xaee6cb0000 | | 1 | ||
| MOD | UNMAP | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\svchost.exe, os_pid = 0x210 | | 1 | ||
| PROC | OPEN | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\winlogon.exe, os_pid = 0x194, desired_access = PROCESS_QUERY_INFORMATION | | 1 | ||
| PROC | GET_INFO | | 1 | |||
| PROC | OPEN | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\winlogon.exe, os_pid = 0x194, desired_access = PROCESS_QUERY_INFORMATION | | 1 | ||
| PROC | GET_INFO | | 1 | |||
| PROC | OPEN | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\winlogon.exe, os_pid = 0x194, desired_access = PROCESS_QUERY_INFORMATION | | 1 | ||
| PROC | GET_INFO | | 1 | |||
| REG | OPEN_KEY | | 1 | |||
| REG | WRITE_VALUE | | 1 | |||
| REG | WRITE_VALUE | value_name = GlassSessionId, data = 1 | | 1 | ||
| DRV | CONTROL | control_code = 0x110008 | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = DelayConMgrTimeout | | 1 | ||
| FILE | CREATE | file_name = \device\deviceapi\cmapi, desired_access = GENERIC_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0 | | 1 | ||
| MUTEX | CREATE | | 1 | |||
| MUTEX | CREATE | initial_owner = 0, desired_access = MUTEX_MODIFY_STATE, DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE | | 1 | ||
| SYS | SLEEP | | 1 | |||
| SYS | SLEEP | duration = 1 milliseconds (0.001 seconds) | | 1 | ||
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x470803 | | 1 | ||
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x470813 | | 42 | ||
| MUTEX | RELEASE | | 1 | |||
| SYS | SLEEP | | 1 | |||
| SYS | SLEEP | duration = 1 milliseconds (0.001 seconds) | | 1 | ||
| MUTEX | RELEASE | | 1 | |||
| SYS | SLEEP | | 1 | |||
| SYS | SLEEP | duration = 1 milliseconds (0.001 seconds) | | 1 | ||
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x47081b | | 1 | ||
| MUTEX | RELEASE | | 1 | |||
| SYS | SLEEP | | 1 | |||
| SYS | SLEEP | duration = 1 milliseconds (0.001 seconds) | | 1 | ||
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x47081b | | 1 | ||
| MUTEX | RELEASE | | 1 | |||
| SYS | SLEEP | | 1 | |||
| SYS | SLEEP | duration = 1 milliseconds (0.001 seconds) | | 1 | ||
| MUTEX | RELEASE | | 1 | |||
| SYS | SLEEP | | 1 | |||
| SYS | SLEEP | duration = 1 milliseconds (0.001 seconds) | | 1 | ||
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x47081b | | 1 | ||
| MUTEX | RELEASE | | 1 | |||
| SYS | SLEEP | | 1 | |||
| SYS | SLEEP | duration = 1 milliseconds (0.001 seconds) | | 1 | ||
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x47081b | | 1 | ||
| MUTEX | RELEASE | | 1 | |||
| SYS | SLEEP | | 1 | |||
| SYS | SLEEP | duration = 1 milliseconds (0.001 seconds) | | 1 | ||
| MUTEX | RELEASE | | 1 | |||
| SYS | SLEEP | | 1 | |||
| SYS | SLEEP | duration = 1 milliseconds (0.001 seconds) | | 1 | ||
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x47081b | | 1 | ||
| MUTEX | RELEASE | | 1 | |||
| SYS | SLEEP | | 1 | |||
| SYS | SLEEP | duration = 1 milliseconds (0.001 seconds) | | 1 | ||
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x47081b | | 1 | ||
| MUTEX | RELEASE | | 1 | |||
| SYS | SLEEP | | 1 | |||
| SYS | SLEEP | duration = 1 milliseconds (0.001 seconds) | | 1 | ||
| MUTEX | RELEASE | | 1 | |||
| SYS | SLEEP | | 1 | |||
| SYS | SLEEP | duration = 1 milliseconds (0.001 seconds) | | 1 | ||
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x47081b | | 1 | ||
| MUTEX | RELEASE | | 1 | |||
| SYS | SLEEP | | 1 | |||
| SYS | SLEEP | duration = 1 milliseconds (0.001 seconds) | | 1 | ||
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x47081b | | 1 | ||
| MUTEX | RELEASE | | 1 | |||
| SYS | SLEEP | | 1 | |||
| SYS | SLEEP | duration = 1 milliseconds (0.001 seconds) | | 1 | ||
| MUTEX | RELEASE | | 1 | |||
| SYS | SLEEP | | 1 | |||
| SYS | SLEEP | duration = 1 milliseconds (0.001 seconds) | | 1 | ||
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x47081b | | 1 | ||
| MUTEX | RELEASE | | 1 | |||
| SYS | SLEEP | | 1 | |||
| SYS | SLEEP | duration = 1 milliseconds (0.001 seconds) | | 1 | ||
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x47081b | | 1 | ||
| MUTEX | RELEASE | | 1 | |||
| SYS | SLEEP | | 1 | |||
| SYS | SLEEP | duration = 1 milliseconds (0.001 seconds) | | 1 | ||
| MUTEX | RELEASE | | 1 | |||
| SYS | SLEEP | | 1 | |||
| SYS | SLEEP | duration = 1 milliseconds (0.001 seconds) | | 1 | ||
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x47081b | | 1 | ||
| MUTEX | RELEASE | | 1 | |||
| SYS | SLEEP | | 1 | |||
| SYS | SLEEP | duration = 1 milliseconds (0.001 seconds) | | 1 | ||
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x47081b | | 1 | ||
| MUTEX | RELEASE | | 1 | |||
| SYS | SLEEP | | 1 | |||
| SYS | SLEEP | duration = 1 milliseconds (0.001 seconds) | | 1 | ||
| MUTEX | RELEASE | | 1 | |||
| SYS | SLEEP | | 1 | |||
| SYS | SLEEP | duration = 1 milliseconds (0.001 seconds) | | 1 | ||
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x47081b | | 1 | ||
| MUTEX | RELEASE | | 1 | |||
| SYS | SLEEP | | 1 | |||
| SYS | SLEEP | duration = 1 milliseconds (0.001 seconds) | | 1 | ||
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x47081b | | 1 | ||
| MUTEX | RELEASE | | 1 | |||
| SYS | SLEEP | | 1 | |||
| SYS | SLEEP | duration = 1 milliseconds (0.001 seconds) | | 1 | ||
| MUTEX | RELEASE | | 1 | |||
| SYS | SLEEP | | 1 | |||
| SYS | SLEEP | duration = 1 milliseconds (0.001 seconds) | | 1 | ||
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x47081b | | 1 | ||
| MUTEX | RELEASE | | 1 | |||
| SYS | SLEEP | | 1 | |||
| SYS | SLEEP | duration = 1 milliseconds (0.001 seconds) | | 1 | ||
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x47081b | | 1 | ||
| MUTEX | RELEASE | | 1 | |||
| SYS | SLEEP | | 1 | |||
| SYS | SLEEP | duration = 1 milliseconds (0.001 seconds) | | 1 | ||
| MUTEX | RELEASE | | 1 | |||
| SYS | SLEEP | | 1 | |||
| SYS | SLEEP | duration = 1 milliseconds (0.001 seconds) | | 1 | ||
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x47081b | | 1 | ||
| MUTEX | RELEASE | | 1 | |||
| SYS | SLEEP | | 1 | |||
| SYS | SLEEP | duration = 1 milliseconds (0.001 seconds) | | 1 | ||
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x47081b | | 1 | ||
| MUTEX | RELEASE | | 1 | |||
| SYS | SLEEP | | 1 | |||
| SYS | SLEEP | duration = 1 milliseconds (0.001 seconds) | | 1 | ||
| MUTEX | RELEASE | | 1 | |||
| SYS | SLEEP | | 1 | |||
| SYS | SLEEP | duration = 1 milliseconds (0.001 seconds) | | 1 | ||
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x47081b | | 1 | ||
| MUTEX | RELEASE | | 1 | |||
| SYS | SLEEP | | 1 | |||
| SYS | SLEEP | duration = 1 milliseconds (0.001 seconds) | | 1 | ||
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x47081b | | 1 | ||
| MUTEX | RELEASE | | 1 | |||
| SYS | SLEEP | | 1 | |||
| SYS | SLEEP | duration = 1 milliseconds (0.001 seconds) | | 1 | ||
| MUTEX | RELEASE | | 1 | |||
| SYS | SLEEP | | 1 | |||
| SYS | SLEEP | duration = 1 milliseconds (0.001 seconds) | | 1 | ||
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x47081b | | 1 | ||
| MUTEX | RELEASE | | 1 | |||
| SYS | SLEEP | | 1 | |||
| SYS | SLEEP | duration = 1 milliseconds (0.001 seconds) | | 1 | ||
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x47081b | | 1 | ||
| MUTEX | RELEASE | | 1 | |||
| SYS | SLEEP | | 1 | |||
| SYS | SLEEP | duration = 1 milliseconds (0.001 seconds) | | 1 | ||
| MUTEX | RELEASE | | 1 | |||
| SYS | SLEEP | | 1 | |||
| SYS | SLEEP | duration = 1 milliseconds (0.001 seconds) | | 1 | ||
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x47081b | | 1 | ||
| MUTEX | RELEASE | | 1 | |||
| SYS | SLEEP | | 1 | |||
| SYS | SLEEP | duration = 1 milliseconds (0.001 seconds) | | 1 | ||
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x47081b | | 1 | ||
| MUTEX | RELEASE | | 1 | |||
| SYS | SLEEP | | 1 | |||
| SYS | SLEEP | duration = 1 milliseconds (0.001 seconds) | | 1 | ||
| MUTEX | RELEASE | | 1 | |||
| SYS | SLEEP | | 1 | |||
| SYS | SLEEP | duration = 1 milliseconds (0.001 seconds) | | 1 | ||
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x47081b | | 1 | ||
| MUTEX | RELEASE | | 1 | |||
| SYS | SLEEP | | 1 | |||
| SYS | SLEEP | duration = 1 milliseconds (0.001 seconds) | | 1 | ||
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x47081b | | 1 | ||
| MUTEX | RELEASE | | 1 | |||
| SYS | SLEEP | | 1 | |||
| SYS | SLEEP | duration = 1 milliseconds (0.001 seconds) | | 1 | ||
| MUTEX | RELEASE | | 1 | |||
| SYS | SLEEP | | 1 | |||
| SYS | SLEEP | duration = 1 milliseconds (0.001 seconds) | | 1 | ||
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x47081b | | 1 | ||
| MUTEX | RELEASE | | 1 | |||
| SYS | SLEEP | | 1 | |||
| SYS | SLEEP | duration = 1 milliseconds (0.001 seconds) | | 1 | ||
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x47081b | | 1 | ||
| MUTEX | RELEASE | | 1 | |||
| SYS | SLEEP | | 1 | |||
| SYS | SLEEP | duration = 1 milliseconds (0.001 seconds) | | 1 | ||
| MUTEX | RELEASE | | 1 | |||
| SYS | SLEEP | | 1 | |||
| SYS | SLEEP | duration = 1 milliseconds (0.001 seconds) | | 1 | ||
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x47081b | | 1 | ||
| MUTEX | RELEASE | | 1 | |||
| SYS | SLEEP | | 1 | |||
| SYS | SLEEP | duration = 1 milliseconds (0.001 seconds) | | 1 | ||
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x47081b | | 1 | ||
| MUTEX | RELEASE | | 1 | |||
| SYS | SLEEP | | 1 | |||
| SYS | SLEEP | duration = 1 milliseconds (0.001 seconds) | | 1 | ||
| MUTEX | RELEASE | | 1 | |||
| SYS | SLEEP | | 1 | |||
| SYS | SLEEP | duration = 1 milliseconds (0.001 seconds) | | 1 | ||
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x47081b | | 1 | ||
| MUTEX | RELEASE | | 1 | |||
| SYS | SLEEP | | 1 | |||
| SYS | SLEEP | duration = 1 milliseconds (0.001 seconds) | | 1 | ||
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x47081b | | 1 | ||
| MUTEX | RELEASE | | 1 | |||
| SYS | SLEEP | | 1 | |||
| SYS | SLEEP | duration = 1 milliseconds (0.001 seconds) | | 1 | ||
| MUTEX | RELEASE | | 1 | |||
| SYS | SLEEP | | 1 | |||
| SYS | SLEEP | duration = 1 milliseconds (0.001 seconds) | | 1 | ||
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x47081b | | 1 | ||
| MUTEX | RELEASE | | 1 | |||
| SYS | SLEEP | | 1 | |||
| SYS | SLEEP | duration = 1 milliseconds (0.001 seconds) | | 1 | ||
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x47081b | | 1 | ||
| MUTEX | RELEASE | | 1 | |||
| SYS | SLEEP | | 1 | |||
| SYS | SLEEP | duration = 1 milliseconds (0.001 seconds) | | 1 | ||
| MUTEX | RELEASE | | 1 | |||
| SYS | SLEEP | | 1 | |||
| SYS | SLEEP | duration = 1 milliseconds (0.001 seconds) | | 1 | ||
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x47081b | | 1 | ||
| MUTEX | RELEASE | | 1 | |||
| SYS | SLEEP | | 1 | |||
| SYS | SLEEP | duration = 1 milliseconds (0.001 seconds) | | 1 | ||
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x47081b | | 1 | ||
| MUTEX | RELEASE | | 1 | |||
| SYS | SLEEP | | 1 | |||
| SYS | SLEEP | duration = 1 milliseconds (0.001 seconds) | | 1 | ||
| MUTEX | RELEASE | | 1 | |||
| SYS | SLEEP | | 1 | |||
| SYS | SLEEP | duration = 1 milliseconds (0.001 seconds) | | 1 | ||
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x47081b | | 1 | ||
| MUTEX | RELEASE | | 1 | |||
| SYS | SLEEP | | 1 | |||
| SYS | SLEEP | duration = 1 milliseconds (0.001 seconds) | | 1 | ||
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x47081b | | 1 | ||
| MUTEX | RELEASE | | 1 | |||
| SYS | SLEEP | | 1 | |||
| SYS | SLEEP | duration = 1 milliseconds (0.001 seconds) | | 1 | ||
| MUTEX | RELEASE | | 1 | |||
| SYS | SLEEP | | 1 | |||
| SYS | SLEEP | duration = 1 milliseconds (0.001 seconds) | | 1 | ||
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x47081b | | 1 | ||
| MUTEX | RELEASE | | 1 | |||
| SYS | SLEEP | | 1 | |||
| SYS | SLEEP | duration = 1 milliseconds (0.001 seconds) | | 1 | ||
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x47081b | | 1 | ||
| MUTEX | RELEASE | | 1 | |||
| SYS | SLEEP | | 1 | |||
| SYS | SLEEP | duration = 1 milliseconds (0.001 seconds) | | 1 | ||
| MUTEX | RELEASE | | 1 | |||
| SYS | SLEEP | | 1 | |||
| SYS | SLEEP | duration = 1 milliseconds (0.001 seconds) | | 1 | ||
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x47081b | | 1 | ||
| MUTEX | RELEASE | | 1 | |||
| SYS | SLEEP | | 1 | |||
| SYS | SLEEP | duration = 1 milliseconds (0.001 seconds) | | 1 | ||
| MUTEX | RELEASE | | 1 | |||
| SYS | SLEEP | | 1 | |||
| SYS | SLEEP | duration = 1 milliseconds (0.001 seconds) | | 1 | ||
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x47081b | | 1 | ||
| MUTEX | RELEASE | | 1 | |||
| SYS | SLEEP | | 1 | |||
| SYS | SLEEP | duration = 1 milliseconds (0.001 seconds) | | 1 | ||
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x47081b | | 1 | ||
| MUTEX | RELEASE | | 1 | |||
| SYS | SLEEP | | 1 | |||
| SYS | SLEEP | duration = 1 milliseconds (0.001 seconds) | | 1 | ||
| MUTEX | RELEASE | | 1 | |||
| SYS | SLEEP | | 1 | |||
| SYS | SLEEP | duration = 1 milliseconds (0.001 seconds) | | 1 | ||
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x47081b | | 1 | ||
| MUTEX | RELEASE | | 1 | |||
| SYS | SLEEP | | 1 | |||
| SYS | SLEEP | duration = 1 milliseconds (0.001 seconds) | | 1 | ||
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x47081b | | 1 | ||
| MUTEX | RELEASE | | 1 | |||
| SYS | SLEEP | | 1 | |||
| SYS | SLEEP | duration = 1 milliseconds (0.001 seconds) | | 1 | ||
| MUTEX | RELEASE | | 1 | |||
| SYS | SLEEP | | 1 | |||
| SYS | SLEEP | duration = 1 milliseconds (0.001 seconds) | | 1 | ||
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x47081b | | 1 | ||
| MUTEX | RELEASE | | 1 | |||
| SYS | SLEEP | | 1 | |||
| SYS | SLEEP | duration = 1 milliseconds (0.001 seconds) | | 1 | ||
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x47081b | | 1 | ||
| MUTEX | RELEASE | | 1 | |||
| SYS | SLEEP | | 1 | |||
| SYS | SLEEP | duration = 1 milliseconds (0.001 seconds) | | 1 | ||
| MUTEX | RELEASE | | 1 | |||
| SYS | SLEEP | | 1 | |||
| SYS | SLEEP | duration = 1 milliseconds (0.001 seconds) | | 1 | ||
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x47081b | | 1 | ||
| MUTEX | RELEASE | | 1 | |||
| SYS | SLEEP | | 1 | |||
| SYS | SLEEP | duration = 1 milliseconds (0.001 seconds) | | 1 | ||
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x47081b | | 1 | ||
| MUTEX | RELEASE | | 1 | |||
| SYS | SLEEP | | 1 | |||
| SYS | SLEEP | duration = 1 milliseconds (0.001 seconds) | | 1 | ||
| MUTEX | RELEASE | | 1 | |||
| SYS | SLEEP | | 1 | |||
| SYS | SLEEP | duration = 1 milliseconds (0.001 seconds) | | 1 | ||
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x47081b | | 1 | ||
| MUTEX | RELEASE | | 1 | |||
| SYS | SLEEP | | 1 | |||
| SYS | SLEEP | duration = 1 milliseconds (0.001 seconds) | | 1 | ||
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x47081b | | 1 | ||
| MUTEX | RELEASE | | 1 | |||
| SYS | SLEEP | | 1 | |||
| SYS | SLEEP | duration = 1 milliseconds (0.001 seconds) | | 1 | ||
| MUTEX | RELEASE | | 1 | |||
| SYS | SLEEP | | 1 | |||
| SYS | SLEEP | duration = 1 milliseconds (0.001 seconds) | | 1 | ||
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x47081b | | 1 | ||
| MUTEX | RELEASE | | 1 | |||
| SYS | SLEEP | | 1 | |||
| SYS | SLEEP | duration = 1 milliseconds (0.001 seconds) | | 1 | ||
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x47081b | | 1 | ||
| MUTEX | RELEASE | | 1 | |||
| SYS | SLEEP | | 1 | |||
| SYS | SLEEP | duration = 1 milliseconds (0.001 seconds) | | 1 | ||
| MUTEX | RELEASE | | 1 | |||
| SYS | SLEEP | | 1 | |||
| SYS | SLEEP | duration = 1 milliseconds (0.001 seconds) | | 1 | ||
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x47081b | | 1 | ||
| MUTEX | RELEASE | | 1 | |||
| SYS | SLEEP | | 1 | |||
| SYS | SLEEP | duration = 1 milliseconds (0.001 seconds) | | 1 | ||
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x47081b | | 1 | ||
| MUTEX | RELEASE | | 1 | |||
| SYS | SLEEP | | 1 | |||
| SYS | SLEEP | duration = 1 milliseconds (0.001 seconds) | | 1 | ||
| MUTEX | RELEASE | | 1 | |||
| SYS | SLEEP | | 1 | |||
| SYS | SLEEP | duration = 1 milliseconds (0.001 seconds) | | 1 | ||
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x47081b | | 1 | ||
| MUTEX | RELEASE | | 1 | |||
| SYS | SLEEP | | 1 | |||
| SYS | SLEEP | duration = 1 milliseconds (0.001 seconds) | | 1 | ||
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x47081b | | 1 | ||
| MUTEX | RELEASE | | 1 | |||
| SYS | SLEEP | | 1 | |||
| SYS | SLEEP | duration = 1 milliseconds (0.001 seconds) | | 1 | ||
| MUTEX | RELEASE | | 1 | |||
| SYS | SLEEP | | 1 | |||
| SYS | SLEEP | duration = 1 milliseconds (0.001 seconds) | | 1 | ||
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x47081b | | 1 | ||
| MUTEX | RELEASE | | 1 | |||
| SYS | SLEEP | | 1 | |||
| SYS | SLEEP | duration = 1 milliseconds (0.001 seconds) | | 1 | ||
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x47081b | | 1 | ||
| MUTEX | RELEASE | | 1 | |||
| SYS | SLEEP | | 1 | |||
| SYS | SLEEP | duration = 1 milliseconds (0.001 seconds) | | 1 | ||
| MUTEX | RELEASE | | 1 | |||
| SYS | SLEEP | | 1 | |||
| SYS | SLEEP | duration = 1 milliseconds (0.001 seconds) | | 1 | ||
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x47081b | | 1 | ||
| MUTEX | RELEASE | | 1 | |||
| SYS | SLEEP | | 1 | |||
| SYS | SLEEP | duration = 1 milliseconds (0.001 seconds) | | 1 | ||
| MUTEX | RELEASE | | 1 | |||
| SYS | SLEEP | | 1 | |||
| SYS | SLEEP | duration = 1 milliseconds (0.001 seconds) | | 1 | ||
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x47081b | | 1 | ||
| MUTEX | RELEASE | | 1 | |||
| SYS | SLEEP | | 1 | |||
| SYS | SLEEP | duration = 1 milliseconds (0.001 seconds) | | 1 | ||
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x47081b | | 1 | ||
| MUTEX | RELEASE | | 1 | |||
| SYS | SLEEP | | 1 | |||
| SYS | SLEEP | duration = 1 milliseconds (0.001 seconds) | | 1 | ||
| MUTEX | RELEASE | | 1 | |||
| SYS | SLEEP | | 1 | |||
| SYS | SLEEP | duration = 1 milliseconds (0.001 seconds) | | 1 | ||
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x47081b | | 1 | ||
| MUTEX | RELEASE | | 1 | |||
| SYS | SLEEP | | 1 | |||
| SYS | SLEEP | duration = 1 milliseconds (0.001 seconds) | | 1 | ||
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x47081b | | 1 | ||
| MUTEX | RELEASE | | 1 | |||
| SYS | SLEEP | | 1 | |||
| SYS | SLEEP | duration = 1 milliseconds (0.001 seconds) | | 1 | ||
| MUTEX | RELEASE | | 1 | |||
| SYS | SLEEP | | 1 | |||
| SYS | SLEEP | duration = 1 milliseconds (0.001 seconds) | | 1 | ||
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x47081b | | 1 | ||
| MUTEX | RELEASE | | 1 | |||
| SYS | SLEEP | | 1 | |||
| SYS | SLEEP | duration = 1 milliseconds (0.001 seconds) | | 1 | ||
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x47081b | | 1 | ||
| MUTEX | RELEASE | | 1 | |||
| SYS | SLEEP | | 1 | |||
| SYS | SLEEP | duration = 1 milliseconds (0.001 seconds) | | 1 | ||
| MUTEX | RELEASE | | 1 | |||
| SYS | SLEEP | | 1 | |||
| SYS | SLEEP | duration = 1 milliseconds (0.001 seconds) | | 1 | ||
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x47081b | | 1 | ||
| MUTEX | RELEASE | | 1 | |||
| SYS | SLEEP | | 1 | |||
| SYS | SLEEP | duration = 1 milliseconds (0.001 seconds) | | 1 | ||
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x47081b | | 1 | ||
| MUTEX | RELEASE | | 1 | |||
| SYS | SLEEP | | 1 | |||
| SYS | SLEEP | duration = 1 milliseconds (0.001 seconds) | | 1 | ||
| MUTEX | RELEASE | | 1 | |||
| SYS | SLEEP | | 1 | |||
| SYS | SLEEP | duration = 1 milliseconds (0.001 seconds) | | 1 | ||
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x47081b | | 1 | ||
| MUTEX | RELEASE | | 1 | |||
| SYS | SLEEP | | 1 | |||
| SYS | SLEEP | duration = 1 milliseconds (0.001 seconds) | | 1 | ||
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x47081b | | 1 | ||
| MUTEX | RELEASE | | 1 | |||
| SYS | SLEEP | | 1 | |||
| SYS | SLEEP | duration = 1 milliseconds (0.001 seconds) | | 1 | ||
| MUTEX | RELEASE | | 1 | |||
| SYS | SLEEP | | 1 | |||
| SYS | SLEEP | duration = 1 milliseconds (0.001 seconds) | | 1 | ||
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x47081b | | 1 | ||
| MUTEX | RELEASE | | 1 | |||
| SYS | SLEEP | | 1 | |||
| SYS | SLEEP | duration = 1 milliseconds (0.001 seconds) | | 1 | ||
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x47081b | | 1 | ||
| MUTEX | RELEASE | | 1 | |||
| SYS | SLEEP | | 1 | |||
| SYS | SLEEP | duration = 1 milliseconds (0.001 seconds) | | 1 | ||
| MUTEX | RELEASE | | 1 | |||
| SYS | SLEEP | | 1 | |||
| SYS | SLEEP | duration = 1 milliseconds (0.001 seconds) | | 1 | ||
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x47081b | | 1 | ||
| MUTEX | RELEASE | | 1 | |||
| SYS | SLEEP | | 1 | |||
| SYS | SLEEP | duration = 1 milliseconds (0.001 seconds) | | 1 | ||
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x47081b | | 1 | ||
| MUTEX | RELEASE | | 1 | |||
| SYS | SLEEP | | 1 | |||
| SYS | SLEEP | duration = 1 milliseconds (0.001 seconds) | | 1 | ||
| MUTEX | RELEASE | | 1 | |||
| SYS | SLEEP | | 1 | |||
| SYS | SLEEP | duration = 1 milliseconds (0.001 seconds) | | 1 | ||
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x47081b | | 1 | ||
| MUTEX | RELEASE | | 1 | |||
| SYS | SLEEP | | 1 | |||
| SYS | SLEEP | duration = 1 milliseconds (0.001 seconds) | | 1 | ||
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x47081b | | 1 | ||
| MUTEX | RELEASE | | 1 | |||
| SYS | SLEEP | | 1 | |||
| SYS | SLEEP | duration = 1 milliseconds (0.001 seconds) | | 1 | ||
| MUTEX | RELEASE | | 1 | |||
| SYS | SLEEP | | 1 | |||
| SYS | SLEEP | duration = 1 milliseconds (0.001 seconds) | | 1 | ||
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x47081b | | 1 | ||
| MUTEX | RELEASE | | 1 | |||
| SYS | SLEEP | | 1 | |||
| SYS | SLEEP | duration = 1 milliseconds (0.001 seconds) | | 1 | ||
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x47081b | | 1 | ||
| MUTEX | RELEASE | | 1 | |||
| SYS | SLEEP | | 1 | |||
| SYS | SLEEP | duration = 1 milliseconds (0.001 seconds) | | 1 | ||
| MUTEX | RELEASE | | 1 | |||
| SYS | SLEEP | | 1 | |||
| SYS | SLEEP | duration = 1 milliseconds (0.001 seconds) | | 1 | ||
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x47081b | | 1 | ||
| MUTEX | RELEASE | | 1 | |||
| SYS | SLEEP | | 1 | |||
| SYS | SLEEP | duration = 1 milliseconds (0.001 seconds) | | 1 | ||
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x47081b | | 1 | ||
| MUTEX | RELEASE | | 1 | |||
| SYS | SLEEP | | 1 | |||
| SYS | SLEEP | duration = 1 milliseconds (0.001 seconds) | | 1 | ||
| MUTEX | RELEASE | | 1 | |||
| SYS | SLEEP | | 1 | |||
| SYS | SLEEP | duration = 1 milliseconds (0.001 seconds) | | 1 | ||
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x47081b | | 1 | ||
| MUTEX | RELEASE | | 1 | |||
| SYS | SLEEP | | 1 | |||
| SYS | SLEEP | duration = 1 milliseconds (0.001 seconds) | | 1 | ||
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x47081b | | 1 | ||
| MUTEX | RELEASE | | 1 | |||
| SYS | SLEEP | | 1 | |||
| SYS | SLEEP | duration = 1 milliseconds (0.001 seconds) | | 1 | ||
| MUTEX | RELEASE | | 1 | |||
| SYS | SLEEP | | 1 | |||
| SYS | SLEEP | duration = 1 milliseconds (0.001 seconds) | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = SystemSetupInProgress | | 1 | ||
| REG | OPEN_KEY | | 2 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = Debuglsm | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = Debug | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = CaptureStackTrace | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = DebuglsmFlags | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = DebugFlags | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = DebuglsmLevel | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = DebugLevel | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = DebuglsmToDebugger | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = DebugToDebugger | | 1 | ||
| REG | OPEN_KEY | | 2 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = Debugtermsrv | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = Debug | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = CaptureStackTrace | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = DebugtermsrvFlags | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = DebugFlags | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = DebugtermsrvLevel | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = DebugLevel | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = DebugtermsrvToDebugger | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = DebugToDebugger | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = Debugsdclient | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = Debug | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = CaptureStackTrace | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = DebugsdclientFlags | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = DebugFlags | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = DebugsdclientLevel | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = DebugLevel | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = DebugsdclientToDebugger | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = DebugToDebugger | | 1 | ||
| REG | OPEN_KEY | | 2 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = Debugwinsta | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = Debug | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = CaptureStackTrace | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = DebugwinstaFlags | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = DebugFlags | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = DebugwinstaLevel | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = DebugLevel | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = DebugwinstaToDebugger | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = DebugToDebugger | | 1 | ||
| REG | OPEN_KEY | | 2 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = Debugtsrpc | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = Debug | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = CaptureStackTrace | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = DebugtsrpcFlags | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = DebugFlags | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = DebugtsrpcLevel | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = DebugLevel | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = DebugtsrpcToDebugger | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = DebugToDebugger | | 1 | ||
| REG | OPEN_KEY | | 2 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = Debugsessionenv | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = Debug | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = CaptureStackTrace | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = DebugsessionenvFlags | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = DebugFlags | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = DebugsessionenvLevel | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = DebugLevel | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = DebugsessionenvToDebugger | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = DebugToDebugger | | 1 | ||
| REG | OPEN_KEY | | 2 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = Debugsessionmsg | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = Debug | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = CaptureStackTrace | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = DebugsessionmsgFlags | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = DebugFlags | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = DebugsessionmsgLevel | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = DebugLevel | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = DebugsessionmsgToDebugger | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = DebugToDebugger | | 1 | ||
| REG | OPEN_KEY | | 2 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = DebugTSVIPCli | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = Debug | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = CaptureStackTrace | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = DebugTSVIPCliFlags | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = DebugFlags | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = DebugTSVIPCliLevel | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = DebugLevel | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = DebugTSVIPCliToDebugger | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = DebugToDebugger | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = DebugTSVIPSrv | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = Debug | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = CaptureStackTrace | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = DebugTSVIPSrvFlags | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = DebugFlags | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = DebugTSVIPSrvLevel | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = DebugLevel | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = DebugTSVIPSrvToDebugger | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = DebugToDebugger | | 1 | ||
| SVC | OPEN_MGR | database_name = SERVICES_ACTIVE_DATABASE, host = Localhost | | 1 | ||
| SVC | OPEN | | 1 | |||
| SYS | SLEEP | | 1 | |||
| SYS | SLEEP | duration = 1 milliseconds (0.001 seconds) | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = SystemSetupInProgress | | 1 | ||
| REG | OPEN_KEY | | 2 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = Debuglsm | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = Debug | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = CaptureStackTrace | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = DebuglsmFlags | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = DebugFlags | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = DebuglsmLevel | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = DebugLevel | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = DebuglsmToDebugger | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = DebugToDebugger | | 1 | ||
| REG | OPEN_KEY | | 2 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = Debugtermsrv | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = Debug | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = CaptureStackTrace | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = DebugtermsrvFlags | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = DebugFlags | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = DebugtermsrvLevel | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = DebugLevel | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = DebugtermsrvToDebugger | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = DebugToDebugger | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = Debugsdclient | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = Debug | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = CaptureStackTrace | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = DebugsdclientFlags | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = DebugFlags | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = DebugsdclientLevel | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = DebugLevel | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = DebugsdclientToDebugger | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = DebugToDebugger | | 1 | ||
| REG | OPEN_KEY | | 2 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = Debugwinsta | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = Debug | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = CaptureStackTrace | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = DebugwinstaFlags | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = DebugFlags | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = DebugwinstaLevel | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = DebugLevel | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = DebugwinstaToDebugger | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = DebugToDebugger | | 1 | ||
| REG | OPEN_KEY | | 2 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = Debugtsrpc | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = Debug | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = CaptureStackTrace | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = DebugtsrpcFlags | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = DebugFlags | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = DebugtsrpcLevel | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = DebugLevel | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = DebugtsrpcToDebugger | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = DebugToDebugger | | 1 | ||
| REG | OPEN_KEY | | 2 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = Debugsessionenv | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = Debug | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = CaptureStackTrace | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = DebugsessionenvFlags | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = DebugFlags | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = DebugsessionenvLevel | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = DebugLevel | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = DebugsessionenvToDebugger | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = DebugToDebugger | | 1 | ||
| REG | OPEN_KEY | | 2 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = Debugsessionmsg | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = Debug | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = CaptureStackTrace | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = DebugsessionmsgFlags | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = DebugFlags | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = DebugsessionmsgLevel | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = DebugLevel | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = DebugsessionmsgToDebugger | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = DebugToDebugger | | 1 | ||
| REG | OPEN_KEY | | 2 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = DebugTSVIPCli | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = Debug | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = CaptureStackTrace | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = DebugTSVIPCliFlags | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = DebugFlags | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = DebugTSVIPCliLevel | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = DebugLevel | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = DebugTSVIPCliToDebugger | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = DebugToDebugger | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = DebugTSVIPSrv | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = Debug | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = CaptureStackTrace | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = DebugTSVIPSrvFlags | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = DebugFlags | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = DebugTSVIPSrvLevel | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = DebugLevel | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = DebugTSVIPSrvToDebugger | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = DebugToDebugger | | 1 | ||
| SVC | OPEN_MGR | database_name = SERVICES_ACTIVE_DATABASE, host = Localhost | | 1 | ||
| SVC | OPEN | | 1 | |||
| SYS | SLEEP | | 1 | |||
| SYS | SLEEP | duration = 1 milliseconds (0.001 seconds) | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = SystemSetupInProgress | | 1 | ||
| REG | OPEN_KEY | | 2 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = Debuglsm | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = Debug | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = CaptureStackTrace | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = DebuglsmFlags | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = DebugFlags | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = DebuglsmLevel | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = DebugLevel | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = DebuglsmToDebugger | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = DebugToDebugger | | 1 | ||
| REG | OPEN_KEY | | 2 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = Debugtermsrv | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = Debug | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = CaptureStackTrace | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = DebugtermsrvFlags | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = DebugFlags | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = DebugtermsrvLevel | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = DebugLevel | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = DebugtermsrvToDebugger | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = DebugToDebugger | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = Debugsdclient | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = Debug | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = CaptureStackTrace | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = DebugsdclientFlags | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = DebugFlags | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = DebugsdclientLevel | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = DebugLevel | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = DebugsdclientToDebugger | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = DebugToDebugger | | 1 | ||
| REG | OPEN_KEY | | 2 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = Debugwinsta | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = Debug | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = CaptureStackTrace | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = DebugwinstaFlags | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = DebugFlags | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = DebugwinstaLevel | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = DebugLevel | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = DebugwinstaToDebugger | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = DebugToDebugger | | 1 | ||
| REG | OPEN_KEY | | 2 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = Debugtsrpc | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = Debug | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = CaptureStackTrace | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = DebugtsrpcFlags | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = DebugFlags | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = DebugtsrpcLevel | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = DebugLevel | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = DebugtsrpcToDebugger | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = DebugToDebugger | | 1 | ||
| REG | OPEN_KEY | | 2 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = Debugsessionenv | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = Debug | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = CaptureStackTrace | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = DebugsessionenvFlags | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = DebugFlags | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = DebugsessionenvLevel | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = DebugLevel | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = DebugsessionenvToDebugger | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = DebugToDebugger | | 1 | ||
| REG | OPEN_KEY | | 2 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = Debugsessionmsg | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = Debug | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = CaptureStackTrace | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = DebugsessionmsgFlags | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = DebugFlags | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = DebugsessionmsgLevel | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = DebugLevel | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = DebugsessionmsgToDebugger | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = DebugToDebugger | | 1 | ||
| REG | OPEN_KEY | | 2 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = DebugTSVIPCli | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = Debug | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = CaptureStackTrace | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = DebugTSVIPCliFlags | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| For performance reasons, the remaining 566 entries are omitted. Click to download all 1566 entries as text file (0.46 MB). | ||||||
| Category | Operation | Information | Success | Amount | Logfile |
|---|---|---|---|---|---|
| REG | OPEN_KEY | reg_name = Control Panel\International | | 1 | |
| REG | READ_VALUE | reg_name = Control Panel\International | | 1 | |
| REG | READ_VALUE | reg_name = Control Panel\International | | 1 | |
| REG | READ_VALUE | reg_name = Control Panel\International, value_name = sCurrencyOverride | | 1 | |
| REG | OPEN_KEY | reg_name = \Registry\Machine\System\CurrentControlSet\Control\Nls\CustomLocale | | 1 | |
| REG | READ_VALUE | reg_name = \Registry\Machine\System\CurrentControlSet\Control\Nls\CustomLocale, value_name = en-US | | 1 | |
| REG | OPEN_KEY | reg_name = \Registry\Machine\System\CurrentControlSet\Control\Nls\ExtendedLocale | | 1 | |
| REG | READ_VALUE | reg_name = \Registry\Machine\System\CurrentControlSet\Control\Nls\ExtendedLocale, value_name = en-US | | 1 | |
| REG | READ_VALUE | reg_name = \Registry\Machine\System\CurrentControlSet\Control\Nls\Sorting\Versions, value_name = 000602xx | | 1 | |
| MOD | LOAD | module_name = kernel32.dll, base_address = 0x0 | | 1 | |
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\globalization\sorting\sortdefault.nls, desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0 | | 1 | |
| MOD | CREATE_MAPPING | module_name = Nameless FileMapping, file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\globalization\sorting\sortdefault.nls, maximum_size = 0, protection = PAGE_READONLY | | 1 | |
| MOD | MAP | module_name = Nameless FileMapping, process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134, address = 0xaee6cf0000 | | 1 | |
| REG | OPEN_KEY | reg_name = \Registry\Machine\System\CurrentControlSet\Control\Nls\Sorting\Ids | | 1 | |
| REG | READ_VALUE | reg_name = \Registry\Machine\System\CurrentControlSet\Control\Nls\Sorting\Ids, value_name = en-US | | 1 | |
| REG | READ_VALUE | reg_name = \Registry\Machine\System\CurrentControlSet\Control\Nls\Sorting\Ids, value_name = en | | 1 | |
| REG | OPEN_KEY | | 3 | ||
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = ServiceDll | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = ServiceManifest | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = ServiceMain | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = ServiceMain | | 1 | |
| MOD | LOAD | base_address = 0x7ffb70830000 | | 1 | |
| MOD | LOAD | module_name = x:\windows\system32\umpnpmgr.dll, base_address = 0x0 | | 1 | |
| MUTEX | CREATE | | 1 | ||
| MUTEX | CREATE | initial_owner = 0, desired_access = MUTEX_MODIFY_STATE, DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE | | 1 | |
| MUTEX | CREATE | | 1 | ||
| MUTEX | CREATE | initial_owner = 0, desired_access = MUTEX_MODIFY_STATE, DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE | | 1 | |
| MUTEX | CREATE | | 1 | ||
| MUTEX | CREATE | initial_owner = 0, desired_access = MUTEX_MODIFY_STATE, DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE | | 1 | |
| MOD | GET_PROC_ADDRESS | address_out = 0x7ffb708390b0 | | 1 | |
| MOD | GET_PROC_ADDRESS | address_out = 0x7ffb708310a0 | | 1 | |
| SVC | REGISTER_HANDLER | | 1 | ||
| REG | OPEN_KEY | | 3 | ||
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = ServiceDllUnloadOnStop | | 1 |
| Category | Operation | Information | Success | Amount | Logfile | |
|---|---|---|---|---|---|---|
| REG | READ_VALUE | reg_name = Control Panel\International | | 1 | ||
| REG | READ_VALUE | reg_name = Control Panel\International | | 1 | ||
| REG | READ_VALUE | reg_name = Control Panel\International, value_name = sCurrencyOverride | | 1 | ||
| REG | OPEN_KEY | | 3 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ServiceDll | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ServiceManifest | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ServiceMain | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ServiceMain | | 1 | ||
| MOD | LOAD | base_address = 0x7ffb70810000 | | 1 | ||
| MOD | LOAD | module_name = x:\windows\system32\umpo.dll, base_address = 0x0 | | 1 | ||
| MOD | GET_PROC_ADDRESS | address_out = 0x7ffb708170f0 | | 1 | ||
| MOD | GET_PROC_ADDRESS | address_out = 0x0 | | 1 | ||
| SVC | REGISTER_HANDLER | | 1 | |||
| REG | OPEN_KEY | | 2 | |||
| REG | CREATE_KEY | | 1 | |||
| REG | CREATE_KEY | reg_name = System\CurrentControlSet\Control\Power\SecurityDescriptors | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ActivePowerScheme | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ActivePowerScheme | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | OPEN_KEY | | 1 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | OPEN_KEY | | 2 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ACSettingIndex | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | OPEN_KEY | | 1 | |||
| REG | OPEN_KEY | | 2 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ACSettingIndex | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = SettingValue | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | OPEN_KEY | | 1 | |||
| REG | OPEN_KEY | | 2 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ACSettingIndex | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = SettingValue | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | OPEN_KEY | | 1 | |||
| REG | OPEN_KEY | | 2 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = DCSettingIndex | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = SettingValue | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | OPEN_KEY | | 1 | |||
| REG | OPEN_KEY | | 2 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = DCSettingIndex | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = SettingValue | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | OPEN_KEY | | 2 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ACSettingIndex | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | OPEN_KEY | | 1 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | OPEN_KEY | | 2 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ACSettingIndex | | 1 | ||
| REG | OPEN_KEY | | 2 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ACSettingIndex | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = SettingValue | | 1 | ||
| REG | OPEN_KEY | | 2 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ACSettingIndex | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = SettingValue | | 1 | ||
| REG | OPEN_KEY | | 2 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = DCSettingIndex | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = SettingValue | | 1 | ||
| REG | OPEN_KEY | | 2 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = DCSettingIndex | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = SettingValue | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | OPEN_KEY | | 1 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | OPEN_KEY | | 2 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ACSettingIndex | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | OPEN_KEY | | 1 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | OPEN_KEY | | 2 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ACSettingIndex | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | OPEN_KEY | | 1 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | OPEN_KEY | | 1 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | OPEN_KEY | | 1 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | OPEN_KEY | | 1 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | OPEN_KEY | | 2 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ACSettingIndex | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | OPEN_KEY | | 1 | |||
| REG | OPEN_KEY | | 2 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ACSettingIndex | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = SettingValue | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | OPEN_KEY | | 1 | |||
| REG | OPEN_KEY | | 2 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ACSettingIndex | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = SettingValue | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | OPEN_KEY | | 1 | |||
| REG | OPEN_KEY | | 2 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = DCSettingIndex | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = SettingValue | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | OPEN_KEY | | 1 | |||
| REG | OPEN_KEY | | 2 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = DCSettingIndex | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = SettingValue | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | OPEN_KEY | | 1 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | OPEN_KEY | | 2 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ACSettingIndex | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | OPEN_KEY | | 1 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | OPEN_KEY | | 2 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ACSettingIndex | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | OPEN_KEY | | 1 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | OPEN_KEY | | 1 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | OPEN_KEY | | 1 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | OPEN_KEY | | 1 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | OPEN_KEY | | 2 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ACSettingIndex | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | OPEN_KEY | | 1 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | OPEN_KEY | | 1 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | OPEN_KEY | | 1 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | OPEN_KEY | | 1 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | OPEN_KEY | | 1 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | OPEN_KEY | | 2 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | OPEN_KEY | | 2 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ACSettingIndex | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | OPEN_KEY | | 1 | |||
| REG | OPEN_KEY | | 2 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ACSettingIndex | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = SettingValue | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | OPEN_KEY | | 1 | |||
| REG | OPEN_KEY | | 2 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ACSettingIndex | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = SettingValue | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | OPEN_KEY | | 1 | |||
| REG | OPEN_KEY | | 2 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = DCSettingIndex | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = SettingValue | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | OPEN_KEY | | 1 | |||
| REG | OPEN_KEY | | 2 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = DCSettingIndex | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = SettingValue | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | OPEN_KEY | | 2 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ACSettingIndex | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMax | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | OPEN_KEY | | 1 | |||
| REG | OPEN_KEY | | 2 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ACSettingIndex | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMax | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueIncrement | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMax | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueIncrement | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMax | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueIncrement | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | OPEN_KEY | | 1 | |||
| REG | OPEN_KEY | | 2 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ACSettingIndex | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMax | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueIncrement | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMax | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueIncrement | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMax | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueIncrement | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | OPEN_KEY | | 1 | |||
| REG | OPEN_KEY | | 2 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = DCSettingIndex | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMax | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueIncrement | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMax | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueIncrement | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMax | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueIncrement | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | OPEN_KEY | | 1 | |||
| REG | OPEN_KEY | | 2 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = DCSettingIndex | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMax | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueIncrement | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMax | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueIncrement | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMax | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueIncrement | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | OPEN_KEY | | 2 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ACSettingIndex | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMax | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMax | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | OPEN_KEY | | 1 | |||
| REG | OPEN_KEY | | 2 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ACSettingIndex | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMax | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueIncrement | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMax | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueIncrement | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMax | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueIncrement | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | OPEN_KEY | | 1 | |||
| REG | OPEN_KEY | | 2 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ACSettingIndex | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMax | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueIncrement | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMax | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueIncrement | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMax | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueIncrement | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | OPEN_KEY | | 1 | |||
| REG | OPEN_KEY | | 2 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = DCSettingIndex | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMax | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueIncrement | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMax | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueIncrement | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMax | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueIncrement | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | OPEN_KEY | | 1 | |||
| REG | OPEN_KEY | | 2 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = DCSettingIndex | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMax | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueIncrement | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMax | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueIncrement | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMax | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueIncrement | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | OPEN_KEY | | 2 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ACSettingIndex | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMax | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMax | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMax | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | OPEN_KEY | | 1 | |||
| REG | OPEN_KEY | | 2 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ACSettingIndex | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMax | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueIncrement | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMax | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueIncrement | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMax | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueIncrement | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | OPEN_KEY | | 1 | |||
| REG | OPEN_KEY | | 2 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ACSettingIndex | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMax | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueIncrement | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMax | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueIncrement | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMax | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueIncrement | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | OPEN_KEY | | 1 | |||
| REG | OPEN_KEY | | 2 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = DCSettingIndex | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMax | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueIncrement | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMax | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueIncrement | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMax | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueIncrement | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | OPEN_KEY | | 1 | |||
| REG | OPEN_KEY | | 2 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = DCSettingIndex | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMax | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueIncrement | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMax | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueIncrement | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMax | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueIncrement | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | OPEN_KEY | | 2 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ACSettingIndex | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMax | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMax | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMax | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | OPEN_KEY | | 1 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | OPEN_KEY | | 2 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ACSettingIndex | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | OPEN_KEY | | 2 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | OPEN_KEY | | 2 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ACSettingIndex | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | OPEN_KEY | | 1 | |||
| REG | OPEN_KEY | | 2 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ACSettingIndex | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = SettingValue | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | OPEN_KEY | | 1 | |||
| REG | OPEN_KEY | | 2 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ACSettingIndex | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = SettingValue | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | OPEN_KEY | | 1 | |||
| REG | OPEN_KEY | | 2 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = DCSettingIndex | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = SettingValue | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | OPEN_KEY | | 1 | |||
| REG | OPEN_KEY | | 2 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = DCSettingIndex | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = SettingValue | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | OPEN_KEY | | 2 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ACSettingIndex | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMax | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | OPEN_KEY | | 1 | |||
| REG | OPEN_KEY | | 2 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ACSettingIndex | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMax | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueIncrement | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMax | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueIncrement | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMax | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueIncrement | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | OPEN_KEY | | 1 | |||
| REG | OPEN_KEY | | 2 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ACSettingIndex | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMax | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueIncrement | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMax | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueIncrement | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMax | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueIncrement | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | OPEN_KEY | | 1 | |||
| REG | OPEN_KEY | | 2 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = DCSettingIndex | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMax | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueIncrement | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMax | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueIncrement | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMax | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueIncrement | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | OPEN_KEY | | 1 | |||
| REG | OPEN_KEY | | 2 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = DCSettingIndex | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMax | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueIncrement | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMax | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueIncrement | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMax | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueIncrement | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | OPEN_KEY | | 2 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ACSettingIndex | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMax | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMax | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | OPEN_KEY | | 1 | |||
| REG | OPEN_KEY | | 2 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ACSettingIndex | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMax | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueIncrement | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMax | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueIncrement | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMax | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueIncrement | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | OPEN_KEY | | 1 | |||
| REG | OPEN_KEY | | 2 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ACSettingIndex | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMax | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueIncrement | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMax | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueIncrement | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMax | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueIncrement | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| For performance reasons, the remaining 10935 entries are omitted. Click to download all 11935 entries as text file (3.18 MB). | ||||||
| Category | Operation | Information | Success | Amount | Logfile |
|---|---|---|---|---|---|
| REG | READ_VALUE | reg_name = Control Panel\International | | 1 | |
| REG | READ_VALUE | reg_name = Control Panel\International | | 1 | |
| REG | READ_VALUE | reg_name = Control Panel\International, value_name = sCurrencyOverride | | 1 | |
| REG | OPEN_KEY | | 3 | ||
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = ServiceDll | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = ServiceManifest | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = ServiceMain | | 1 | |
| MOD | LOAD | base_address = 0x7ffb70740000 | | 1 | |
| MOD | LOAD | module_name = x:\windows\system32\rpcss.dll | | 1 | |
| REG | READ_VALUE | value_name = PageAllocatorUseSystemHeap | | 1 | |
| REG | READ_VALUE | value_name = PageAllocatorSystemHeapIsPrivate | | 1 | |
| REG | READ_VALUE | value_name = AggressiveMTATesting | | 1 | |
| SYS | GET_INFO | type = SYSTEM_BASIC_INFORMATION | | 1 | |
| SYS | GET_INFO | type = SYSTEM_PROCESSOR_INFORMATION | | 1 | |
| PROC | GET_INFO | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134 | | 1 | |
| MOD | GET_HANDLE | module_name = rpcrt4.dll | | 1 | |
| MOD | GET_PROC_ADDRESS | address_out = 0x7ffb7078a100 | | 1 | |
| MOD | GET_PROC_ADDRESS | address_out = 0x0 | | 1 | |
| SYS | GET_INFO | type = SYSTEM_BASIC_INFORMATION | | 1 | |
| SYS | GET_INFO | type = SYSTEM_PROCESSOR_INFORMATION | | 1 | |
| PROC | GET_INFO | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134 | | 1 | |
| SVC | REGISTER_HANDLER | | 1 | ||
| SVC | OPEN_MGR | database_name = SERVICES_ACTIVE_DATABASE, host = Localhost | | 1 | |
| REG | OPEN_KEY | | 1 | ||
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = ActivationFailureLoggingLevel | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = CallFailureLoggingLevel | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = InvalidSecurityDescriptorLoggingLevel | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = DisableActivationSecurityCheck | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = UseRunAsTokenCache | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = IssueActivationRpcAtIdentify | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = ResumeTimeout | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = DoNotAddAllApplicationPackagesToRestrictions | | 1 | |
| REG | OPEN_KEY | | 1 | ||
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = DefaultLaunchPermission | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = DefaultLaunchPermission | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = MachineLaunchRestriction | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = MachineLaunchRestriction | | 1 | |
| REG | READ_VALUE | value_name = MachineLaunchRestriction | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = MachineAccessRestriction | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = MachineAccessRestriction | | 1 | |
| REG | READ_VALUE | value_name = MachineAccessRestriction | | 1 | |
| REG | OPEN_KEY | | 1 | ||
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = RemoteHandleCacheMaxSize | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = RemoteHandleCacheMaxLifetime | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = RemoteHandleCacheMaxIdleTimeout | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = StaleMidTimeout | | 1 | |
| REG | OPEN_KEY | | 1 | ||
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = SRPRunningObjectChecks | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = SRPActivateAsActivatorChecks | | 1 | |
| REG | OPEN_KEY | | 1 | ||
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = EnableSystemDynamicIPTracking | | 1 | |
| REG | OPEN_KEY | | 1 | ||
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = EnableEELogging | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = LogEEInfoAsNative | | 1 | |
| SYS | GET_INFO | type = SYSTEM_BASIC_INFORMATION | | 1 | |
| SYS | GET_INFO | type = SYSTEM_PROCESSOR_INFORMATION | | 1 | |
| PROC | GET_INFO | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134 | | 1 | |
| MOD | LOAD | base_address = 0x7ffb71500000 | | 1 | |
| MOD | LOAD | module_name = sspicli.dll, base_address = 0x0 | | 1 | |
| REG | OPEN_KEY | | 1 | ||
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = SecurityProviders | | 1 | |
| REG | OPEN_KEY | | 2 | ||
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = DCOM Security | | 1 | |
| REG | OPEN_KEY | | 4 | ||
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = EnableDCOM | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = OleModalLoopBehavior | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = DCOMSCMRemoteCallFlags | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = BreakOnUnexpectedActivationErrors | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = EnableDCOMHTTP | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = IgnoreServerExceptions | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = BreakOnSilencedServerExceptions | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = LegacyAuthenticationService | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = LegacyAuthenticationLevel | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = LegacyImpersonationLevel | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = LegacyMutualAuthentication | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = LegacySecureReferences | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = MaxActivationRetriesPerServer | | 1 | |
| REG | OPEN_KEY | | 1 | ||
| MOD | CREATE_MAPPING | module_name = Nameless FileMapping | | 1 | |
| MOD | CREATE_MAPPING | module_name = Global\__ComCatalogCache__, module_name = sspicli.dll, maximum_size = 751200171792, protection = PAGE_READWRITE | | 1 | |
| MOD | MAP | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\svchost.exe, os_pid = 0x210, address = 0xaee6c70000 | | 1 | |
| MOD | MAP | module_name = Global\__ComCatalogCache__, process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134, address = 0xaee6c70000 | | 1 | |
| REG | OPEN_KEY | | 1 | ||
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = REGDBVersion | | 1 | |
| REG | OPEN_KEY | | 5 | ||
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = ServiceDllUnloadOnStop | | 1 |
| Category | Operation | Information | Success | Amount | Logfile |
|---|---|---|---|---|---|
| REG | OPEN_KEY | | 1 | ||
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = EnableEELogging | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = LogEEInfoAsNative | | 1 | |
| REG | OPEN_KEY | | 1 | ||
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = ActivationFailureLoggingLevel | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = CallFailureLoggingLevel | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = InvalidSecurityDescriptorLoggingLevel | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = DisableActivationSecurityCheck | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = UseRunAsTokenCache | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = IssueActivationRpcAtIdentify | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = ResumeTimeout | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = DoNotAddAllApplicationPackagesToRestrictions | | 1 | |
| REG | OPEN_KEY | | 1 | ||
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = DefaultLaunchPermission | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = DefaultLaunchPermission | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = MachineLaunchRestriction | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = MachineLaunchRestriction | | 1 | |
| REG | READ_VALUE | value_name = MachineLaunchRestriction | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = MachineAccessRestriction | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = MachineAccessRestriction | | 1 | |
| REG | READ_VALUE | value_name = MachineAccessRestriction | | 1 | |
| REG | OPEN_KEY | | 1 | ||
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = DCOM Security | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = EnableDCOM | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = OleModalLoopBehavior | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = DCOMSCMRemoteCallFlags | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = BreakOnUnexpectedActivationErrors | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = EnableDCOMHTTP | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = IgnoreServerExceptions | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = BreakOnSilencedServerExceptions | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = LegacyAuthenticationService | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = LegacyAuthenticationLevel | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = LegacyImpersonationLevel | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = LegacyMutualAuthentication | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = LegacySecureReferences | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = MaxActivationRetriesPerServer | | 1 | |
| REG | OPEN_KEY | | 1 | ||
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = DefaultLaunchPermission | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = DefaultLaunchPermission | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = MachineLaunchRestriction | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = MachineLaunchRestriction | | 1 | |
| REG | READ_VALUE | value_name = MachineLaunchRestriction | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = MachineAccessRestriction | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = MachineAccessRestriction | | 1 | |
| REG | READ_VALUE | value_name = MachineAccessRestriction | | 1 |
| Category | Operation | Information | Success | Amount | Logfile |
|---|---|---|---|---|---|
| REG | OPEN_KEY | | 1 | ||
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = REGDBVersion | | 1 |
| Category | Operation | Information | Success | Amount | Logfile |
|---|---|---|---|---|---|
| PROC | OPEN | process_name = c:\windows\system32\wermgr.exe, os_pid = 0x16c, desired_access = PROCESS_QUERY_INFORMATION | | 1 | |
| PROC | OPEN | process_name = c:\windows\system32\wermgr.exe, os_pid = 0x16c, desired_access = PROCESS_QUERY_LIMITED_INFORMATION | | 1 | |
| PROC | GET_INFO | | 1 | ||
| REG | READ_VALUE | | 1 | ||
| REG | CREATE_KEY | | 1 | ||
| REG | CREATE_KEY | reg_name = Software\Microsoft\Windows\CurrentVersion\NetworkServiceTriggers\Triggers\bc90d167-9470-4139-a9ba-be0bbbf5b74d\5c9a4cd7-ba75-45d2-9898-1773b3d1e5f1 | | 1 | |
| REG | CREATE_KEY | reg_name = Software | | 1 | |
| REG | CREATE_KEY | reg_name = Software\Microsoft | | 1 | |
| REG | CREATE_KEY | reg_name = Software\Microsoft\Windows | | 1 | |
| REG | CREATE_KEY | reg_name = Software\Microsoft\Windows\CurrentVersion | | 1 | |
| REG | CREATE_KEY | reg_name = Software\Microsoft\Windows\CurrentVersion\NetworkServiceTriggers | | 1 | |
| REG | CREATE_KEY | reg_name = Software\Microsoft\Windows\CurrentVersion\NetworkServiceTriggers\Triggers | | 1 | |
| REG | CREATE_KEY | reg_name = Software\Microsoft\Windows\CurrentVersion\NetworkServiceTriggers\Triggers\bc90d167-9470-4139-a9ba-be0bbbf5b74d | | 1 | |
| REG | CREATE_KEY | reg_name = Software\Microsoft\Windows\CurrentVersion\NetworkServiceTriggers\Triggers\bc90d167-9470-4139-a9ba-be0bbbf5b74d\5c9a4cd7-ba75-45d2-9898-1773b3d1e5f1 | | 1 | |
| REG | CREATE_KEY | | 1 | ||
| REG | CREATE_KEY | reg_name = Software\Microsoft\Windows\CurrentVersion\NetworkServiceTriggers\Triggers\bc90d167-9470-4139-a9ba-be0bbbf5b74d\2EB08E3E-639F-4fba-97B1-14F878961076 | | 1 | |
| REG | CREATE_KEY | | 1 | ||
| REG | CREATE_KEY | reg_name = Software\Microsoft\Windows\CurrentVersion\NetworkServiceTriggers\Triggers\bc90d167-9470-4139-a9ba-be0bbbf5b74d\2EB08E3E-639F-4fba-97B1-14F878961076\Software\Microsoft\Windows\CurrentVersion\NetworkServiceTriggers\Triggers\bc90d167-9470-4139-a9ba-be0bbbf5b74d\b25a52bf-e5dd-4f4a-aea6-8ca7272a0e86 | | 1 | |
| REG | CREATE_KEY | | 1 | ||
| REG | CREATE_KEY | reg_name = Software\Microsoft\Windows\CurrentVersion\NetworkServiceTriggers\Triggers\bc90d167-9470-4139-a9ba-be0bbbf5b74d\2EB08E3E-639F-4fba-97B1-14F878961076\Software\Microsoft\Windows\CurrentVersion\NetworkServiceTriggers\Triggers\bc90d167-9470-4139-a9ba-be0bbbf5b74d\b25a52bf-e5dd-4f4a-aea6-8ca7272a0e86\Software\Microsoft\Windows\CurrentVersion\NetworkServiceTriggers\Triggers\bc90d167-9470-4139-a9ba-be0bbbf5b74d\9B008953-F195-4BF9-BDE0-4471971E58ED | | 1 | |
| PROC | OPEN | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\lsass.exe, os_pid = 0x1b4, desired_access = PROCESS_QUERY_INFORMATION | | 1 | |
| PROC | GET_INFO | reg_name = Software\Microsoft\Windows\CurrentVersion\NetworkServiceTriggers\Triggers\bc90d167-9470-4139-a9ba-be0bbbf5b74d | | 1 | |
| PROC | OPEN | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\lsass.exe, os_pid = 0x1b4, desired_access = PROCESS_QUERY_INFORMATION | | 1 | |
| PROC | GET_INFO | | 1 | ||
| PROC | OPEN | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\wallpaperhost.exe, os_pid = 0x290, desired_access = PROCESS_QUERY_INFORMATION | | 1 | |
| PROC | GET_INFO | | 1 | ||
| PROC | OPEN | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\wallpaperhost.exe, os_pid = 0x290, desired_access = PROCESS_QUERY_INFORMATION | | 1 | |
| PROC | GET_INFO | | 1 |
| Category | Operation | Information | Success | Amount | Logfile | |
|---|---|---|---|---|---|---|
| PROC | OPEN | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134, desired_access = PROCESS_QUERY_INFORMATION | | 1 | ||
| PROC | OPEN | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134, desired_access = PROCESS_QUERY_LIMITED_INFORMATION | | 1 | ||
| PROC | GET_INFO | | 1 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ActivePowerScheme | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ActivePowerScheme | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | reg_name = System\CurrentControlSet\Control\Power\SecurityDescriptors, value_name = ActivePowerScheme | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | reg_name = System\CurrentControlSet\Control\Power\SecurityDescriptors, value_name = Default | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | reg_name = System\CurrentControlSet\Control\Power\SecurityDescriptors, value_name = ActivePowerScheme | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | reg_name = System\CurrentControlSet\Control\Power\SecurityDescriptors, value_name = Default | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | reg_name = System\CurrentControlSet\Control\Power\SecurityDescriptors, value_name = Default | | 1 | ||
| REG | READ_VALUE | reg_name = System\CurrentControlSet\Control\Power\SecurityDescriptors, value_name = Default | | 1 | ||
| REG | CREATE_KEY | | 1 | |||
| REG | CREATE_KEY | reg_name = Software\Microsoft\Windows\CurrentVersion\NetworkServiceTriggers\Triggers\bc90d167-9470-4139-a9ba-be0bbbf5b74d\2EB08E3E-639F-4fba-97B1-14F878961076\Software\Microsoft\Windows\CurrentVersion\NetworkServiceTriggers\Triggers\bc90d167-9470-4139-a9ba-be0bbbf5b74d\b25a52bf-e5dd-4f4a-aea6-8ca7272a0e86\System\CurrentControlSet\Control\Power\User\PowerSchemes | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | WRITE_VALUE | | 1 | |||
| REG | WRITE_VALUE | reg_name = Software\Microsoft\Windows\CurrentVersion\NetworkServiceTriggers\Triggers\bc90d167-9470-4139-a9ba-be0bbbf5b74d\2EB08E3E-639F-4fba-97B1-14F878961076\Software\Microsoft\Windows\CurrentVersion\NetworkServiceTriggers\Triggers\bc90d167-9470-4139-a9ba-be0bbbf5b74d\b25a52bf-e5dd-4f4a-aea6-8ca7272a0e86\System\CurrentControlSet\Control\Power\User\PowerSchemes, value_name = ActivePowerScheme, data = 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ActivePowerScheme | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ActivePowerScheme | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | reg_name = Software\Microsoft\Windows\CurrentVersion\NetworkServiceTriggers\Triggers\bc90d167-9470-4139-a9ba-be0bbbf5b74d\2EB08E3E-639F-4fba-97B1-14F878961076\Software\Microsoft\Windows\CurrentVersion\NetworkServiceTriggers\Triggers\bc90d167-9470-4139-a9ba-be0bbbf5b74d\b25a52bf-e5dd-4f4a-aea6-8ca7272a0e86\System\CurrentControlSet\Control\Power\User\PowerSchemes, value_name = ValueMin | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | reg_name = Software\Microsoft\Windows\CurrentVersion\NetworkServiceTriggers\Triggers\bc90d167-9470-4139-a9ba-be0bbbf5b74d\2EB08E3E-639F-4fba-97B1-14F878961076\Software\Microsoft\Windows\CurrentVersion\NetworkServiceTriggers\Triggers\bc90d167-9470-4139-a9ba-be0bbbf5b74d\b25a52bf-e5dd-4f4a-aea6-8ca7272a0e86\System\CurrentControlSet\Control\Power\User\PowerSchemes, value_name = ValueMin | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | OPEN_KEY | | 1 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | OPEN_KEY | | 2 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ACSettingIndex | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | OPEN_KEY | | 1 | |||
| REG | OPEN_KEY | | 2 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | reg_name = Software\Microsoft\Windows\CurrentVersion\NetworkServiceTriggers\Triggers\bc90d167-9470-4139-a9ba-be0bbbf5b74d, value_name = ACSettingIndex | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = SettingValue | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | OPEN_KEY | | 1 | |||
| REG | OPEN_KEY | | 2 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ACSettingIndex | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = SettingValue | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | OPEN_KEY | | 1 | |||
| REG | OPEN_KEY | | 2 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | reg_name = Software\Microsoft\Windows\CurrentVersion\NetworkServiceTriggers\Triggers\bc90d167-9470-4139-a9ba-be0bbbf5b74d, value_name = DCSettingIndex | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = SettingValue | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | OPEN_KEY | | 1 | |||
| REG | OPEN_KEY | | 2 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = DCSettingIndex | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = SettingValue | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | reg_name = Software\Microsoft\Windows\CurrentVersion\NetworkServiceTriggers\Triggers\bc90d167-9470-4139-a9ba-be0bbbf5b74d\2EB08E3E-639F-4fba-97B1-14F878961076\Software\Microsoft\Windows\CurrentVersion\NetworkServiceTriggers\Triggers\bc90d167-9470-4139-a9ba-be0bbbf5b74d\b25a52bf-e5dd-4f4a-aea6-8ca7272a0e86\System\CurrentControlSet\Control\Power\User\PowerSchemes, value_name = ValueMin | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | reg_name = Software\Microsoft\Windows\CurrentVersion\NetworkServiceTriggers\Triggers\bc90d167-9470-4139-a9ba-be0bbbf5b74d\2EB08E3E-639F-4fba-97B1-14F878961076\Software\Microsoft\Windows\CurrentVersion\NetworkServiceTriggers\Triggers\bc90d167-9470-4139-a9ba-be0bbbf5b74d\b25a52bf-e5dd-4f4a-aea6-8ca7272a0e86\System\CurrentControlSet\Control\Power\User\PowerSchemes, value_name = ValueMin | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | OPEN_KEY | | 2 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ACSettingIndex | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | OPEN_KEY | | 1 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | reg_name = Software\Microsoft\Windows\CurrentVersion\NetworkServiceTriggers\Triggers\bc90d167-9470-4139-a9ba-be0bbbf5b74d\2EB08E3E-639F-4fba-97B1-14F878961076\Software\Microsoft\Windows\CurrentVersion\NetworkServiceTriggers\Triggers\bc90d167-9470-4139-a9ba-be0bbbf5b74d\b25a52bf-e5dd-4f4a-aea6-8ca7272a0e86\System\CurrentControlSet\Control\Power\User\PowerSchemes, value_name = ValueMin | | 1 | ||
| REG | OPEN_KEY | | 2 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ACSettingIndex | | 1 | ||
| REG | OPEN_KEY | | 2 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ACSettingIndex | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | reg_name = Software\Microsoft\Windows\CurrentVersion\NetworkServiceTriggers\Triggers\bc90d167-9470-4139-a9ba-be0bbbf5b74d\2EB08E3E-639F-4fba-97B1-14F878961076\Software\Microsoft\Windows\CurrentVersion\NetworkServiceTriggers\Triggers\bc90d167-9470-4139-a9ba-be0bbbf5b74d\b25a52bf-e5dd-4f4a-aea6-8ca7272a0e86\System\CurrentControlSet\Control\Power\User\PowerSchemes, value_name = ValueMin | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | reg_name = Software\Microsoft\Windows\CurrentVersion\NetworkServiceTriggers\Triggers\bc90d167-9470-4139-a9ba-be0bbbf5b74d\2EB08E3E-639F-4fba-97B1-14F878961076\Software\Microsoft\Windows\CurrentVersion\NetworkServiceTriggers\Triggers\bc90d167-9470-4139-a9ba-be0bbbf5b74d\b25a52bf-e5dd-4f4a-aea6-8ca7272a0e86\System\CurrentControlSet\Control\Power\User\PowerSchemes, value_name = ValueMin | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | reg_name = Software\Microsoft\Windows\CurrentVersion\NetworkServiceTriggers\Triggers\bc90d167-9470-4139-a9ba-be0bbbf5b74d\2EB08E3E-639F-4fba-97B1-14F878961076\Software\Microsoft\Windows\CurrentVersion\NetworkServiceTriggers\Triggers\bc90d167-9470-4139-a9ba-be0bbbf5b74d\b25a52bf-e5dd-4f4a-aea6-8ca7272a0e86\System\CurrentControlSet\Control\Power\User\PowerSchemes, value_name = ValueMin | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = SettingValue | | 1 | ||
| REG | OPEN_KEY | | 2 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ACSettingIndex | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | reg_name = Software\Microsoft\Windows\CurrentVersion\NetworkServiceTriggers\Triggers\bc90d167-9470-4139-a9ba-be0bbbf5b74d\2EB08E3E-639F-4fba-97B1-14F878961076\Software\Microsoft\Windows\CurrentVersion\NetworkServiceTriggers\Triggers\bc90d167-9470-4139-a9ba-be0bbbf5b74d\b25a52bf-e5dd-4f4a-aea6-8ca7272a0e86\System\CurrentControlSet\Control\Power\User\PowerSchemes, value_name = ValueMin | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | reg_name = Software\Microsoft\Windows\CurrentVersion\NetworkServiceTriggers\Triggers\bc90d167-9470-4139-a9ba-be0bbbf5b74d\2EB08E3E-639F-4fba-97B1-14F878961076\Software\Microsoft\Windows\CurrentVersion\NetworkServiceTriggers\Triggers\bc90d167-9470-4139-a9ba-be0bbbf5b74d\b25a52bf-e5dd-4f4a-aea6-8ca7272a0e86\System\CurrentControlSet\Control\Power\User\PowerSchemes, value_name = ValueMin | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | reg_name = Software\Microsoft\Windows\CurrentVersion\NetworkServiceTriggers\Triggers\bc90d167-9470-4139-a9ba-be0bbbf5b74d\2EB08E3E-639F-4fba-97B1-14F878961076\Software\Microsoft\Windows\CurrentVersion\NetworkServiceTriggers\Triggers\bc90d167-9470-4139-a9ba-be0bbbf5b74d\b25a52bf-e5dd-4f4a-aea6-8ca7272a0e86\System\CurrentControlSet\Control\Power\User\PowerSchemes, value_name = ValueMin | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = SettingValue | | 1 | ||
| REG | OPEN_KEY | | 2 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = DCSettingIndex | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | reg_name = Software\Microsoft\Windows\CurrentVersion\NetworkServiceTriggers\Triggers\bc90d167-9470-4139-a9ba-be0bbbf5b74d\2EB08E3E-639F-4fba-97B1-14F878961076\Software\Microsoft\Windows\CurrentVersion\NetworkServiceTriggers\Triggers\bc90d167-9470-4139-a9ba-be0bbbf5b74d\b25a52bf-e5dd-4f4a-aea6-8ca7272a0e86\System\CurrentControlSet\Control\Power\User\PowerSchemes, value_name = ValueMin | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | reg_name = Software\Microsoft\Windows\CurrentVersion\NetworkServiceTriggers\Triggers\bc90d167-9470-4139-a9ba-be0bbbf5b74d\2EB08E3E-639F-4fba-97B1-14F878961076\Software\Microsoft\Windows\CurrentVersion\NetworkServiceTriggers\Triggers\bc90d167-9470-4139-a9ba-be0bbbf5b74d\b25a52bf-e5dd-4f4a-aea6-8ca7272a0e86\System\CurrentControlSet\Control\Power\User\PowerSchemes, value_name = ValueMin | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | reg_name = Software\Microsoft\Windows\CurrentVersion\NetworkServiceTriggers\Triggers\bc90d167-9470-4139-a9ba-be0bbbf5b74d\2EB08E3E-639F-4fba-97B1-14F878961076\Software\Microsoft\Windows\CurrentVersion\NetworkServiceTriggers\Triggers\bc90d167-9470-4139-a9ba-be0bbbf5b74d\b25a52bf-e5dd-4f4a-aea6-8ca7272a0e86\System\CurrentControlSet\Control\Power\User\PowerSchemes, value_name = ValueMin | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = SettingValue | | 1 | ||
| REG | OPEN_KEY | | 2 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = DCSettingIndex | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | reg_name = Software\Microsoft\Windows\CurrentVersion\NetworkServiceTriggers\Triggers\bc90d167-9470-4139-a9ba-be0bbbf5b74d\2EB08E3E-639F-4fba-97B1-14F878961076\Software\Microsoft\Windows\CurrentVersion\NetworkServiceTriggers\Triggers\bc90d167-9470-4139-a9ba-be0bbbf5b74d\b25a52bf-e5dd-4f4a-aea6-8ca7272a0e86\System\CurrentControlSet\Control\Power\User\PowerSchemes, value_name = ValueMin | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | reg_name = Software\Microsoft\Windows\CurrentVersion\NetworkServiceTriggers\Triggers\bc90d167-9470-4139-a9ba-be0bbbf5b74d\2EB08E3E-639F-4fba-97B1-14F878961076\Software\Microsoft\Windows\CurrentVersion\NetworkServiceTriggers\Triggers\bc90d167-9470-4139-a9ba-be0bbbf5b74d\b25a52bf-e5dd-4f4a-aea6-8ca7272a0e86\System\CurrentControlSet\Control\Power\User\PowerSchemes, value_name = ValueMin | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | reg_name = Software\Microsoft\Windows\CurrentVersion\NetworkServiceTriggers\Triggers\bc90d167-9470-4139-a9ba-be0bbbf5b74d\2EB08E3E-639F-4fba-97B1-14F878961076\Software\Microsoft\Windows\CurrentVersion\NetworkServiceTriggers\Triggers\bc90d167-9470-4139-a9ba-be0bbbf5b74d\b25a52bf-e5dd-4f4a-aea6-8ca7272a0e86\System\CurrentControlSet\Control\Power\User\PowerSchemes, value_name = ValueMin | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = SettingValue | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | OPEN_KEY | | 1 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | OPEN_KEY | | 2 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ACSettingIndex | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | OPEN_KEY | | 1 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | OPEN_KEY | | 2 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | reg_name = Software\Microsoft\Windows\CurrentVersion\NetworkServiceTriggers\Triggers\bc90d167-9470-4139-a9ba-be0bbbf5b74d\2EB08E3E-639F-4fba-97B1-14F878961076\Software\Microsoft\Windows\CurrentVersion\NetworkServiceTriggers\Triggers\bc90d167-9470-4139-a9ba-be0bbbf5b74d\b25a52bf-e5dd-4f4a-aea6-8ca7272a0e86\System\CurrentControlSet\Control\Power\User\PowerSchemes, value_name = ACSettingIndex | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | reg_name = Software\Microsoft\Windows\CurrentVersion\NetworkServiceTriggers\Triggers\bc90d167-9470-4139-a9ba-be0bbbf5b74d\2EB08E3E-639F-4fba-97B1-14F878961076\Software\Microsoft\Windows\CurrentVersion\NetworkServiceTriggers\Triggers\bc90d167-9470-4139-a9ba-be0bbbf5b74d\b25a52bf-e5dd-4f4a-aea6-8ca7272a0e86\System\CurrentControlSet\Control\Power\User\PowerSchemes, value_name = ValueMin | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | reg_name = Software\Microsoft\Windows\CurrentVersion\NetworkServiceTriggers\Triggers\bc90d167-9470-4139-a9ba-be0bbbf5b74d\2EB08E3E-639F-4fba-97B1-14F878961076\Software\Microsoft\Windows\CurrentVersion\NetworkServiceTriggers\Triggers\bc90d167-9470-4139-a9ba-be0bbbf5b74d\b25a52bf-e5dd-4f4a-aea6-8ca7272a0e86\System\CurrentControlSet\Control\Power\User\PowerSchemes, value_name = ValueMin | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | OPEN_KEY | | 1 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | OPEN_KEY | | 1 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | OPEN_KEY | | 1 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | reg_name = Software\Microsoft\Windows\CurrentVersion\NetworkServiceTriggers\Triggers\bc90d167-9470-4139-a9ba-be0bbbf5b74d\2EB08E3E-639F-4fba-97B1-14F878961076\Software\Microsoft\Windows\CurrentVersion\NetworkServiceTriggers\Triggers\bc90d167-9470-4139-a9ba-be0bbbf5b74d\b25a52bf-e5dd-4f4a-aea6-8ca7272a0e86\System\CurrentControlSet\Control\Power\User\PowerSchemes, value_name = ValueMin | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | reg_name = Software\Microsoft\Windows\CurrentVersion\NetworkServiceTriggers\Triggers\bc90d167-9470-4139-a9ba-be0bbbf5b74d\2EB08E3E-639F-4fba-97B1-14F878961076\Software\Microsoft\Windows\CurrentVersion\NetworkServiceTriggers\Triggers\bc90d167-9470-4139-a9ba-be0bbbf5b74d\b25a52bf-e5dd-4f4a-aea6-8ca7272a0e86\System\CurrentControlSet\Control\Power\User\PowerSchemes, value_name = ValueMin | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | OPEN_KEY | | 1 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | OPEN_KEY | | 2 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ACSettingIndex | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | OPEN_KEY | | 1 | |||
| REG | OPEN_KEY | | 2 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | reg_name = Software\Microsoft\Windows\CurrentVersion\NetworkServiceTriggers\Triggers\bc90d167-9470-4139-a9ba-be0bbbf5b74d, value_name = ACSettingIndex | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = SettingValue | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | OPEN_KEY | | 1 | |||
| REG | OPEN_KEY | | 2 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ACSettingIndex | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = SettingValue | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | OPEN_KEY | | 1 | |||
| REG | OPEN_KEY | | 2 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | reg_name = Software\Microsoft\Windows\CurrentVersion\NetworkServiceTriggers\Triggers\bc90d167-9470-4139-a9ba-be0bbbf5b74d, value_name = DCSettingIndex | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = SettingValue | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | OPEN_KEY | | 1 | |||
| REG | OPEN_KEY | | 2 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = DCSettingIndex | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = SettingValue | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | OPEN_KEY | | 1 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | reg_name = Software\Microsoft\Windows\CurrentVersion\NetworkServiceTriggers\Triggers\bc90d167-9470-4139-a9ba-be0bbbf5b74d\2EB08E3E-639F-4fba-97B1-14F878961076\Software\Microsoft\Windows\CurrentVersion\NetworkServiceTriggers\Triggers\bc90d167-9470-4139-a9ba-be0bbbf5b74d\b25a52bf-e5dd-4f4a-aea6-8ca7272a0e86\System\CurrentControlSet\Control\Power\User\PowerSchemes, value_name = ValueMin | | 1 | ||
| REG | OPEN_KEY | | 2 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ACSettingIndex | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | OPEN_KEY | | 1 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | OPEN_KEY | | 2 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ACSettingIndex | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | OPEN_KEY | | 1 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | OPEN_KEY | | 1 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | OPEN_KEY | | 1 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | OPEN_KEY | | 1 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | OPEN_KEY | | 2 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | reg_name = Software\Microsoft\Windows\CurrentVersion\NetworkServiceTriggers\Triggers\bc90d167-9470-4139-a9ba-be0bbbf5b74d\2EB08E3E-639F-4fba-97B1-14F878961076\Software\Microsoft\Windows\CurrentVersion\NetworkServiceTriggers\Triggers\bc90d167-9470-4139-a9ba-be0bbbf5b74d\b25a52bf-e5dd-4f4a-aea6-8ca7272a0e86\System\CurrentControlSet\Control\Power\User\PowerSchemes, value_name = ACSettingIndex | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | reg_name = Software\Microsoft\Windows\CurrentVersion\NetworkServiceTriggers\Triggers\bc90d167-9470-4139-a9ba-be0bbbf5b74d\2EB08E3E-639F-4fba-97B1-14F878961076\Software\Microsoft\Windows\CurrentVersion\NetworkServiceTriggers\Triggers\bc90d167-9470-4139-a9ba-be0bbbf5b74d\b25a52bf-e5dd-4f4a-aea6-8ca7272a0e86\System\CurrentControlSet\Control\Power\User\PowerSchemes, value_name = ValueMin | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | reg_name = Software\Microsoft\Windows\CurrentVersion\NetworkServiceTriggers\Triggers\bc90d167-9470-4139-a9ba-be0bbbf5b74d\2EB08E3E-639F-4fba-97B1-14F878961076\Software\Microsoft\Windows\CurrentVersion\NetworkServiceTriggers\Triggers\bc90d167-9470-4139-a9ba-be0bbbf5b74d\b25a52bf-e5dd-4f4a-aea6-8ca7272a0e86\System\CurrentControlSet\Control\Power\User\PowerSchemes, value_name = ValueMin | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | OPEN_KEY | | 1 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | OPEN_KEY | | 1 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | OPEN_KEY | | 1 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | reg_name = Software\Microsoft\Windows\CurrentVersion\NetworkServiceTriggers\Triggers\bc90d167-9470-4139-a9ba-be0bbbf5b74d\2EB08E3E-639F-4fba-97B1-14F878961076\Software\Microsoft\Windows\CurrentVersion\NetworkServiceTriggers\Triggers\bc90d167-9470-4139-a9ba-be0bbbf5b74d\b25a52bf-e5dd-4f4a-aea6-8ca7272a0e86\System\CurrentControlSet\Control\Power\User\PowerSchemes, value_name = ValueMin | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | reg_name = Software\Microsoft\Windows\CurrentVersion\NetworkServiceTriggers\Triggers\bc90d167-9470-4139-a9ba-be0bbbf5b74d\2EB08E3E-639F-4fba-97B1-14F878961076\Software\Microsoft\Windows\CurrentVersion\NetworkServiceTriggers\Triggers\bc90d167-9470-4139-a9ba-be0bbbf5b74d\b25a52bf-e5dd-4f4a-aea6-8ca7272a0e86\System\CurrentControlSet\Control\Power\User\PowerSchemes, value_name = ValueMin | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | OPEN_KEY | | 1 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | OPEN_KEY | | 1 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | OPEN_KEY | | 2 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | OPEN_KEY | | 2 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ACSettingIndex | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | OPEN_KEY | | 1 | |||
| REG | OPEN_KEY | | 2 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | reg_name = Software\Microsoft\Windows\CurrentVersion\NetworkServiceTriggers\Triggers\bc90d167-9470-4139-a9ba-be0bbbf5b74d, value_name = ACSettingIndex | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = SettingValue | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | OPEN_KEY | | 1 | |||
| REG | OPEN_KEY | | 2 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ACSettingIndex | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | reg_name = Software\Microsoft\Windows\CurrentVersion\NetworkServiceTriggers\Triggers\bc90d167-9470-4139-a9ba-be0bbbf5b74d, value_name = SettingValue | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | OPEN_KEY | | 1 | |||
| REG | OPEN_KEY | | 2 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = DCSettingIndex | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | reg_name = Software\Microsoft\Windows\CurrentVersion\NetworkServiceTriggers\Triggers\bc90d167-9470-4139-a9ba-be0bbbf5b74d, value_name = SettingValue | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | OPEN_KEY | | 1 | |||
| REG | OPEN_KEY | | 2 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = DCSettingIndex | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | reg_name = Software\Microsoft\Windows\CurrentVersion\NetworkServiceTriggers\Triggers\bc90d167-9470-4139-a9ba-be0bbbf5b74d, value_name = SettingValue | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | OPEN_KEY | | 2 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ACSettingIndex | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMax | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | OPEN_KEY | | 1 | |||
| REG | OPEN_KEY | | 2 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ACSettingIndex | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMax | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueIncrement | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMax | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueIncrement | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMax | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueIncrement | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | OPEN_KEY | | 1 | |||
| REG | OPEN_KEY | | 2 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | reg_name = Software\Microsoft\Windows\CurrentVersion\NetworkServiceTriggers\Triggers\bc90d167-9470-4139-a9ba-be0bbbf5b74d, value_name = ACSettingIndex | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMax | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueIncrement | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMax | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueIncrement | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMax | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueIncrement | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | OPEN_KEY | | 1 | |||
| REG | OPEN_KEY | | 2 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = DCSettingIndex | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMax | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueIncrement | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMax | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueIncrement | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMax | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueIncrement | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | OPEN_KEY | | 1 | |||
| REG | OPEN_KEY | | 2 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | reg_name = Software\Microsoft\Windows\CurrentVersion\NetworkServiceTriggers\Triggers\bc90d167-9470-4139-a9ba-be0bbbf5b74d, value_name = DCSettingIndex | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMax | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueIncrement | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMax | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueIncrement | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMax | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueIncrement | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | OPEN_KEY | | 2 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | reg_name = Software\Microsoft\Windows\CurrentVersion\NetworkServiceTriggers\Triggers\bc90d167-9470-4139-a9ba-be0bbbf5b74d, value_name = ACSettingIndex | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMax | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | reg_name = Software\Microsoft\Windows\CurrentVersion\NetworkServiceTriggers\Triggers\bc90d167-9470-4139-a9ba-be0bbbf5b74d, value_name = ValueMin | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | reg_name = Software\Microsoft\Windows\CurrentVersion\NetworkServiceTriggers\Triggers\bc90d167-9470-4139-a9ba-be0bbbf5b74d, value_name = ValueMax | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | OPEN_KEY | | 1 | |||
| REG | OPEN_KEY | | 2 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ACSettingIndex | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | reg_name = Software\Microsoft\Windows\CurrentVersion\NetworkServiceTriggers\Triggers\bc90d167-9470-4139-a9ba-be0bbbf5b74d, value_name = ValueMin | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | reg_name = Software\Microsoft\Windows\CurrentVersion\NetworkServiceTriggers\Triggers\bc90d167-9470-4139-a9ba-be0bbbf5b74d, value_name = ValueMax | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | reg_name = Software\Microsoft\Windows\CurrentVersion\NetworkServiceTriggers\Triggers\bc90d167-9470-4139-a9ba-be0bbbf5b74d, value_name = ValueIncrement | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | reg_name = Software\Microsoft\Windows\CurrentVersion\NetworkServiceTriggers\Triggers\bc90d167-9470-4139-a9ba-be0bbbf5b74d, value_name = ValueMin | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | reg_name = Software\Microsoft\Windows\CurrentVersion\NetworkServiceTriggers\Triggers\bc90d167-9470-4139-a9ba-be0bbbf5b74d, value_name = ValueMax | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | reg_name = Software\Microsoft\Windows\CurrentVersion\NetworkServiceTriggers\Triggers\bc90d167-9470-4139-a9ba-be0bbbf5b74d, value_name = ValueIncrement | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | reg_name = Software\Microsoft\Windows\CurrentVersion\NetworkServiceTriggers\Triggers\bc90d167-9470-4139-a9ba-be0bbbf5b74d, value_name = ValueMin | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | reg_name = Software\Microsoft\Windows\CurrentVersion\NetworkServiceTriggers\Triggers\bc90d167-9470-4139-a9ba-be0bbbf5b74d, value_name = ValueMax | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | reg_name = Software\Microsoft\Windows\CurrentVersion\NetworkServiceTriggers\Triggers\bc90d167-9470-4139-a9ba-be0bbbf5b74d, value_name = ValueIncrement | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | OPEN_KEY | | 1 | |||
| REG | OPEN_KEY | | 2 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ACSettingIndex | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | reg_name = Software\Microsoft\Windows\CurrentVersion\NetworkServiceTriggers\Triggers\bc90d167-9470-4139-a9ba-be0bbbf5b74d, value_name = ValueMin | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | reg_name = Software\Microsoft\Windows\CurrentVersion\NetworkServiceTriggers\Triggers\bc90d167-9470-4139-a9ba-be0bbbf5b74d, value_name = ValueMax | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | reg_name = Software\Microsoft\Windows\CurrentVersion\NetworkServiceTriggers\Triggers\bc90d167-9470-4139-a9ba-be0bbbf5b74d, value_name = ValueIncrement | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | reg_name = Software\Microsoft\Windows\CurrentVersion\NetworkServiceTriggers\Triggers\bc90d167-9470-4139-a9ba-be0bbbf5b74d, value_name = ValueMin | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | reg_name = Software\Microsoft\Windows\CurrentVersion\NetworkServiceTriggers\Triggers\bc90d167-9470-4139-a9ba-be0bbbf5b74d, value_name = ValueMax | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | reg_name = Software\Microsoft\Windows\CurrentVersion\NetworkServiceTriggers\Triggers\bc90d167-9470-4139-a9ba-be0bbbf5b74d, value_name = ValueIncrement | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | reg_name = Software\Microsoft\Windows\CurrentVersion\NetworkServiceTriggers\Triggers\bc90d167-9470-4139-a9ba-be0bbbf5b74d, value_name = ValueMin | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | reg_name = Software\Microsoft\Windows\CurrentVersion\NetworkServiceTriggers\Triggers\bc90d167-9470-4139-a9ba-be0bbbf5b74d, value_name = ValueMax | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | reg_name = Software\Microsoft\Windows\CurrentVersion\NetworkServiceTriggers\Triggers\bc90d167-9470-4139-a9ba-be0bbbf5b74d, value_name = ValueIncrement | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | OPEN_KEY | | 1 | |||
| REG | OPEN_KEY | | 2 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = DCSettingIndex | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | reg_name = Software\Microsoft\Windows\CurrentVersion\NetworkServiceTriggers\Triggers\bc90d167-9470-4139-a9ba-be0bbbf5b74d, value_name = ValueMin | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | reg_name = Software\Microsoft\Windows\CurrentVersion\NetworkServiceTriggers\Triggers\bc90d167-9470-4139-a9ba-be0bbbf5b74d, value_name = ValueMax | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | reg_name = Software\Microsoft\Windows\CurrentVersion\NetworkServiceTriggers\Triggers\bc90d167-9470-4139-a9ba-be0bbbf5b74d, value_name = ValueIncrement | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | reg_name = Software\Microsoft\Windows\CurrentVersion\NetworkServiceTriggers\Triggers\bc90d167-9470-4139-a9ba-be0bbbf5b74d, value_name = ValueMin | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | reg_name = Software\Microsoft\Windows\CurrentVersion\NetworkServiceTriggers\Triggers\bc90d167-9470-4139-a9ba-be0bbbf5b74d, value_name = ValueMax | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | reg_name = Software\Microsoft\Windows\CurrentVersion\NetworkServiceTriggers\Triggers\bc90d167-9470-4139-a9ba-be0bbbf5b74d, value_name = ValueIncrement | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | reg_name = Software\Microsoft\Windows\CurrentVersion\NetworkServiceTriggers\Triggers\bc90d167-9470-4139-a9ba-be0bbbf5b74d, value_name = ValueMin | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | reg_name = Software\Microsoft\Windows\CurrentVersion\NetworkServiceTriggers\Triggers\bc90d167-9470-4139-a9ba-be0bbbf5b74d, value_name = ValueMax | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | reg_name = Software\Microsoft\Windows\CurrentVersion\NetworkServiceTriggers\Triggers\bc90d167-9470-4139-a9ba-be0bbbf5b74d, value_name = ValueIncrement | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | OPEN_KEY | | 1 | |||
| REG | OPEN_KEY | | 2 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = DCSettingIndex | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | reg_name = Software\Microsoft\Windows\CurrentVersion\NetworkServiceTriggers\Triggers\bc90d167-9470-4139-a9ba-be0bbbf5b74d, value_name = ValueMin | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | reg_name = Software\Microsoft\Windows\CurrentVersion\NetworkServiceTriggers\Triggers\bc90d167-9470-4139-a9ba-be0bbbf5b74d, value_name = ValueMax | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | reg_name = Software\Microsoft\Windows\CurrentVersion\NetworkServiceTriggers\Triggers\bc90d167-9470-4139-a9ba-be0bbbf5b74d, value_name = ValueIncrement | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | reg_name = Software\Microsoft\Windows\CurrentVersion\NetworkServiceTriggers\Triggers\bc90d167-9470-4139-a9ba-be0bbbf5b74d, value_name = ValueMin | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | reg_name = Software\Microsoft\Windows\CurrentVersion\NetworkServiceTriggers\Triggers\bc90d167-9470-4139-a9ba-be0bbbf5b74d, value_name = ValueMax | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | reg_name = Software\Microsoft\Windows\CurrentVersion\NetworkServiceTriggers\Triggers\bc90d167-9470-4139-a9ba-be0bbbf5b74d, value_name = ValueIncrement | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | reg_name = Software\Microsoft\Windows\CurrentVersion\NetworkServiceTriggers\Triggers\bc90d167-9470-4139-a9ba-be0bbbf5b74d, value_name = ValueMin | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | reg_name = Software\Microsoft\Windows\CurrentVersion\NetworkServiceTriggers\Triggers\bc90d167-9470-4139-a9ba-be0bbbf5b74d, value_name = ValueMax | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | reg_name = Software\Microsoft\Windows\CurrentVersion\NetworkServiceTriggers\Triggers\bc90d167-9470-4139-a9ba-be0bbbf5b74d, value_name = ValueIncrement | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | OPEN_KEY | | 2 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ACSettingIndex | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMax | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | reg_name = Software\Microsoft\Windows\CurrentVersion\NetworkServiceTriggers\Triggers\bc90d167-9470-4139-a9ba-be0bbbf5b74d, value_name = ValueMin | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | reg_name = Software\Microsoft\Windows\CurrentVersion\NetworkServiceTriggers\Triggers\bc90d167-9470-4139-a9ba-be0bbbf5b74d, value_name = ValueMax | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMax | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | OPEN_KEY | | 1 | |||
| REG | OPEN_KEY | | 2 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ACSettingIndex | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMax | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueIncrement | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMax | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueIncrement | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMax | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueIncrement | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | OPEN_KEY | | 1 | |||
| REG | OPEN_KEY | | 2 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ACSettingIndex | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMax | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueIncrement | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMax | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueIncrement | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMax | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueIncrement | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | OPEN_KEY | | 1 | |||
| REG | OPEN_KEY | | 2 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = DCSettingIndex | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMax | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueIncrement | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMax | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueIncrement | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMax | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueIncrement | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | OPEN_KEY | | 1 | |||
| REG | OPEN_KEY | | 2 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = DCSettingIndex | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMax | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueIncrement | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMax | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueIncrement | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMax | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueIncrement | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | OPEN_KEY | | 2 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ACSettingIndex | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMax | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMax | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMax | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | OPEN_KEY | | 1 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | OPEN_KEY | | 2 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | reg_name = Software\Microsoft\Windows\CurrentVersion\NetworkServiceTriggers\Triggers\bc90d167-9470-4139-a9ba-be0bbbf5b74d, value_name = ACSettingIndex | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | reg_name = Software\Microsoft\Windows\CurrentVersion\NetworkServiceTriggers\Triggers\bc90d167-9470-4139-a9ba-be0bbbf5b74d, value_name = ValueMin | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | reg_name = Software\Microsoft\Windows\CurrentVersion\NetworkServiceTriggers\Triggers\bc90d167-9470-4139-a9ba-be0bbbf5b74d, value_name = ValueMin | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | OPEN_KEY | | 2 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | OPEN_KEY | | 2 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ACSettingIndex | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | OPEN_KEY | | 1 | |||
| REG | OPEN_KEY | | 2 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ACSettingIndex | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = SettingValue | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | OPEN_KEY | | 1 | |||
| REG | OPEN_KEY | | 2 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ACSettingIndex | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = SettingValue | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | OPEN_KEY | | 1 | |||
| REG | OPEN_KEY | | 2 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = DCSettingIndex | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = SettingValue | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | OPEN_KEY | | 1 | |||
| REG | OPEN_KEY | | 2 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = DCSettingIndex | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | OPEN_KEY | | 1 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = SettingValue | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | OPEN_KEY | | 2 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ACSettingIndex | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMax | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | OPEN_KEY | | 1 | |||
| REG | OPEN_KEY | | 2 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ACSettingIndex | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMax | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueIncrement | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMax | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueIncrement | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMax | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueIncrement | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | OPEN_KEY | | 1 | |||
| REG | OPEN_KEY | | 2 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ACSettingIndex | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMax | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueIncrement | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMax | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueIncrement | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMax | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueIncrement | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | OPEN_KEY | | 1 | |||
| REG | OPEN_KEY | | 2 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = DCSettingIndex | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMax | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueIncrement | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMax | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueIncrement | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMax | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueIncrement | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | OPEN_KEY | | 1 | |||
| REG | OPEN_KEY | | 2 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = DCSettingIndex | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMax | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueIncrement | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMax | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueIncrement | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMax | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueIncrement | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | OPEN_KEY | | 2 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ACSettingIndex | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMax | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMax | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | OPEN_KEY | | 1 | |||
| REG | OPEN_KEY | | 2 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ACSettingIndex | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMax | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueIncrement | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMax | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueIncrement | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMax | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueIncrement | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | OPEN_KEY | | 1 | |||
| REG | OPEN_KEY | | 2 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | reg_name = Software\Microsoft\Windows\CurrentVersion\NetworkServiceTriggers\Triggers\bc90d167-9470-4139-a9ba-be0bbbf5b74d, value_name = ACSettingIndex | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMax | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueIncrement | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMax | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueIncrement | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ValueMin | | 1 | ||
| For performance reasons, the remaining 10935 entries are omitted. Click to download all 11935 entries as text file (5.10 MB). | ||||||
| Category | Operation | Information | Success | Amount | Logfile |
|---|---|---|---|---|---|
| REG | READ_VALUE | reg_name = Control Panel\International | | 1 | |
| REG | READ_VALUE | reg_name = Control Panel\International | | 1 | |
| REG | READ_VALUE | reg_name = Control Panel\International, value_name = sCurrencyOverride | | 1 | |
| REG | OPEN_KEY | | 3 | ||
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = ServiceDll | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = ServiceManifest | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = ServiceMain | | 1 | |
| MOD | LOAD | base_address = 0x7ffb70630000 | | 1 | |
| MOD | LOAD | module_name = x:\windows\system32\lsm.dll, base_address = 0x0 | | 1 | |
| REG | OPEN_KEY | reg_name = \Registry\MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide | | 1 | |
| REG | READ_VALUE | reg_name = \Registry\MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide, value_name = PreferExternalManifest | | 1 | |
| FILE | OPEN | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\lsm.dll, desired_access = FILE_READ_DATA, FILE_READ_EA, FILE_READ_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_NON_DIRECTORY_FILE | | 1 | |
| REG | OPEN_KEY | | 1 | ||
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = Debuglsm | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = Debug | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = CaptureStackTrace | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = DebuglsmFlags | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = DebugFlags | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = DebuglsmLevel | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = DebugLevel | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = DebuglsmToDebugger | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = DebugToDebugger | | 1 | |
| REG | OPEN_KEY | | 2 | ||
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = Debuglsm | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = Debug | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = CaptureStackTrace | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = DebuglsmFlags | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = DebugFlags | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = DebuglsmLevel | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = DebugLevel | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = DebuglsmToDebugger | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = DebugToDebugger | | 1 | |
| REG | OPEN_KEY | | 2 | ||
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = Debuglsm | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = Debug | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = CaptureStackTrace | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = DebuglsmFlags | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = DebugFlags | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = DebuglsmLevel | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = DebugLevel | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = DebuglsmToDebugger | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = DebugToDebugger | | 1 | |
| REG | OPEN_KEY | | 1 | ||
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = Debugtermsrv | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = Debug | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = CaptureStackTrace | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = DebugtermsrvFlags | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = DebugFlags | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = DebugtermsrvLevel | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = DebugLevel | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = DebugtermsrvToDebugger | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = DebugToDebugger | | 1 | |
| REG | OPEN_KEY | | 1 | ||
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = Debugsdclient | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = Debug | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = CaptureStackTrace | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = DebugsdclientFlags | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = DebugFlags | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = DebugsdclientLevel | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = DebugLevel | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = DebugsdclientToDebugger | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = DebugToDebugger | | 1 | |
| REG | OPEN_KEY | | 2 | ||
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = Debugtermsrv | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = Debug | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = CaptureStackTrace | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = DebugtermsrvFlags | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = DebugFlags | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = DebugtermsrvLevel | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = DebugLevel | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = DebugtermsrvToDebugger | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = DebugToDebugger | | 1 | |
| REG | OPEN_KEY | | 1 | ||
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = Debugsdclient | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = Debug | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = CaptureStackTrace | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = DebugsdclientFlags | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = DebugFlags | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = DebugsdclientLevel | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = DebugLevel | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = DebugsdclientToDebugger | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = DebugToDebugger | | 1 | |
| REG | OPEN_KEY | | 2 | ||
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = Debugtermsrv | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = Debug | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = CaptureStackTrace | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = DebugtermsrvFlags | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = DebugFlags | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = DebugtermsrvLevel | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = DebugLevel | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = DebugtermsrvToDebugger | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = DebugToDebugger | | 1 | |
| REG | OPEN_KEY | | 1 | ||
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = Debugsdclient | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = Debug | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = CaptureStackTrace | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = DebugsdclientFlags | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = DebugFlags | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = DebugsdclientLevel | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = DebugLevel | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = DebugsdclientToDebugger | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = DebugToDebugger | | 1 | |
| REG | OPEN_KEY | | 1 | ||
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = Debugwinsta | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = Debug | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = CaptureStackTrace | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = DebugwinstaFlags | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = DebugFlags | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = DebugwinstaLevel | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = DebugLevel | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = DebugwinstaToDebugger | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = DebugToDebugger | | 1 | |
| REG | OPEN_KEY | | 2 | ||
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = Debugwinsta | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = Debug | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = CaptureStackTrace | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = DebugwinstaFlags | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = DebugFlags | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = DebugwinstaLevel | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = DebugLevel | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = DebugwinstaToDebugger | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = DebugToDebugger | | 1 | |
| REG | OPEN_KEY | | 2 | ||
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = Debugwinsta | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = Debug | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = CaptureStackTrace | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = DebugwinstaFlags | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = DebugFlags | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = DebugwinstaLevel | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = DebugLevel | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = DebugwinstaToDebugger | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = DebugToDebugger | | 1 | |
| REG | OPEN_KEY | | 1 | ||
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = Debugtsrpc | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = Debug | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = CaptureStackTrace | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = DebugtsrpcFlags | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = DebugFlags | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = DebugtsrpcLevel | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = DebugLevel | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = DebugtsrpcToDebugger | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = DebugToDebugger | | 1 | |
| REG | OPEN_KEY | | 2 | ||
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = Debugtsrpc | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = Debug | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = CaptureStackTrace | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = DebugtsrpcFlags | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = DebugFlags | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = DebugtsrpcLevel | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = DebugLevel | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = DebugtsrpcToDebugger | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = DebugToDebugger | | 1 | |
| REG | OPEN_KEY | | 2 | ||
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = Debugtsrpc | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = Debug | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = CaptureStackTrace | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = DebugtsrpcFlags | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = DebugFlags | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = DebugtsrpcLevel | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = DebugLevel | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = DebugtsrpcToDebugger | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = DebugToDebugger | | 1 | |
| REG | OPEN_KEY | | 1 | ||
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = Debugsessionenv | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = Debug | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = CaptureStackTrace | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = DebugsessionenvFlags | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = DebugFlags | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = DebugsessionenvLevel | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = DebugLevel | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = DebugsessionenvToDebugger | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = DebugToDebugger | | 1 | |
| REG | OPEN_KEY | | 2 | ||
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = Debugsessionenv | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = Debug | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = CaptureStackTrace | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = DebugsessionenvFlags | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = DebugFlags | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = DebugsessionenvLevel | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = DebugLevel | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = DebugsessionenvToDebugger | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = DebugToDebugger | | 1 | |
| REG | OPEN_KEY | | 2 | ||
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = Debugsessionenv | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = Debug | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = CaptureStackTrace | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = DebugsessionenvFlags | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = DebugFlags | | 1 | |
| REG | READ_VALUE | | 2 | ||
| REG | READ_VALUE | value_name = DebugsessionenvLevel | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = DebugLevel | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = DebugsessionenvToDebugger | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = DebugToDebugger | | 1 | |
| REG | OPEN_KEY | | 1 | ||
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = Debugsessionmsg | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = Debug | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = CaptureStackTrace | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = DebugsessionmsgFlags | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = DebugFlags | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = DebugsessionmsgLevel | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = DebugLevel | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = DebugsessionmsgToDebugger | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = DebugToDebugger | | 1 | |
| REG | OPEN_KEY | | 2 | ||
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = Debugsessionmsg | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = Debug | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = CaptureStackTrace | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = DebugsessionmsgFlags | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = DebugFlags | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = DebugsessionmsgLevel | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = DebugLevel | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = DebugsessionmsgToDebugger | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = DebugToDebugger | | 1 | |
| REG | OPEN_KEY | | 2 | ||
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = Debugsessionmsg | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = Debug | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = CaptureStackTrace | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = DebugsessionmsgFlags | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = DebugFlags | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = DebugsessionmsgLevel | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = DebugLevel | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = DebugsessionmsgToDebugger | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = DebugToDebugger | | 1 | |
| REG | OPEN_KEY | | 1 | ||
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = DebugTSVIPCli | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = Debug | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = CaptureStackTrace | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = DebugTSVIPCliFlags | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = DebugFlags | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = DebugTSVIPCliLevel | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = DebugLevel | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = DebugTSVIPCliToDebugger | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = DebugToDebugger | | 1 | |
| REG | OPEN_KEY | | 1 | ||
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = DebugTSVIPSrv | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = Debug | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = CaptureStackTrace | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = DebugTSVIPSrvFlags | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = DebugFlags | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = DebugTSVIPSrvLevel | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = DebugLevel | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = DebugTSVIPSrvToDebugger | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = DebugToDebugger | | 1 | |
| REG | OPEN_KEY | | 2 | ||
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = DebugTSVIPCli | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = Debug | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = CaptureStackTrace | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = DebugTSVIPCliFlags | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = DebugFlags | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = DebugTSVIPCliLevel | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = DebugLevel | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = DebugTSVIPCliToDebugger | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = DebugToDebugger | | 1 | |
| REG | OPEN_KEY | | 1 | ||
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = DebugTSVIPSrv | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = Debug | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = CaptureStackTrace | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = DebugTSVIPSrvFlags | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = DebugFlags | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = DebugTSVIPSrvLevel | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = DebugLevel | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = DebugTSVIPSrvToDebugger | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = DebugToDebugger | | 1 | |
| REG | OPEN_KEY | | 2 | ||
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = DebugTSVIPCli | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = Debug | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = CaptureStackTrace | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = DebugTSVIPCliFlags | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = DebugFlags | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = DebugTSVIPCliLevel | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = DebugLevel | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = DebugTSVIPCliToDebugger | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = DebugToDebugger | | 1 | |
| REG | OPEN_KEY | | 1 | ||
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = DebugTSVIPSrv | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = Debug | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = CaptureStackTrace | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = DebugTSVIPSrvFlags | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = DebugFlags | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = DebugTSVIPSrvLevel | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = DebugLevel | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = DebugTSVIPSrvToDebugger | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = DebugToDebugger | | 1 | |
| MOD | GET_HANDLE | module_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\svchost.exe | | 1 | |
| MOD | GET_HANDLE | module_name = advapi32.dll | | 1 | |
| MOD | GET_HANDLE | module_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\svchost.exe | | 1 | |
| MOD | GET_HANDLE | module_name = api-ms-win-eventing-provider-l1-1-0.dll | | 1 | |
| MOD | GET_PROC_ADDRESS | address_out = 0x7ffb741751c0 | | 1 | |
| MOD | GET_PROC_ADDRESS | address_out = 0x7ffb7413b300 | | 1 | |
| MOD | GET_PROC_ADDRESS | address_out = 0x7ffb7413c360 | | 1 | |
| MOD | GET_HANDLE | module_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\svchost.exe | | 1 | |
| MOD | GET_HANDLE | module_name = ntdll.dll | | 1 | |
| MOD | GET_PROC_ADDRESS | address_out = 0x7ffb7413b300 | | 1 | |
| MOD | GET_PROC_ADDRESS | address_out = 0x7ffb7413c360 | | 1 | |
| MOD | GET_PROC_ADDRESS | address_out = 0x7ffb74175650 | | 1 | |
| MOD | GET_PROC_ADDRESS | address_out = 0x7ffb741751c0 | | 1 | |
| MOD | GET_PROC_ADDRESS | address_out = 0x7ffb70672ee0 | | 1 | |
| MOD | GET_PROC_ADDRESS | address_out = 0x0 | | 1 | |
| REG | OPEN_KEY | | 1 | ||
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = TSAppCompat | | 1 | |
| REG | OPEN_KEY | | 1 | ||
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = DebugTS | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = LSMBreakOnStart | | 1 | |
| SVC | REGISTER_HANDLER | | 1 | ||
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x390008 | | 1 | |
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = ConsoleSecurity | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = ConsoleSecurity | | 1 | |
| REG | READ_VALUE | value_name = ConsoleSecurity | | 1 | |
| PROC | OPEN | | 1 | ||
| PROC | OPEN | process_name = c:\windows\system32\csrss.exe, os_pid = 0x164, desired_access = SYNCHRONIZE | | 1 | |
| PROC | OPEN | process_name = c:\windows\system32\csrss.exe, os_pid = 0x164, desired_access = PROCESS_QUERY_INFORMATION | | 1 | |
| PROC | GET_INFO | | 1 | ||
| PROC | OPEN | | 1 | ||
| PROC | OPEN | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134, desired_access = PROCESS_QUERY_LIMITED_INFORMATION, SYNCHRONIZE | | 1 | |
| PROC | GET_INFO | | 2 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = ConsoleSecurity | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = ConsoleSecurity | | 1 | |
| REG | READ_VALUE | value_name = ConsoleSecurity | | 1 | |
| PROC | OPEN | | 1 | ||
| PROC | OPEN | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\winlogon.exe, os_pid = 0x194, desired_access = SYNCHRONIZE | | 1 | |
| PROC | OPEN | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\winlogon.exe, os_pid = 0x194, desired_access = PROCESS_QUERY_INFORMATION | | 1 | |
| PROC | GET_INFO | | 1 | ||
| PROC | OPEN | | 1 | ||
| PROC | OPEN | process_name = c:\windows\system32\wermgr.exe, os_pid = 0x16c, desired_access = PROCESS_QUERY_LIMITED_INFORMATION, SYNCHRONIZE | | 1 | |
| PROC | GET_INFO | | 2 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = LSMGlobalSetting | | 1 | |
| REG | WRITE_VALUE | | 1 | ||
| REG | WRITE_VALUE | value_name = InstanceID, data = 4b2993a7-bd9a-4070-9e94-6969c10 | | 1 | |
| REG | READ_VALUE | value_name = 9 | | 1 | |
| MOD | LOAD | module_name = sspicli.dll, base_address = 0x0 | | 1 | |
| REG | OPEN_KEY | reg_name = \Registry\Machine\System\CurrentControlSet\Control\ComputerName\ActiveComputerName | | 1 | |
| REG | READ_VALUE | reg_name = \Registry\Machine\System\CurrentControlSet\Control\ComputerName\ActiveComputerName, value_name = ComputerName | | 1 | |
| REG | OPEN_KEY | | 1 | ||
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = DelayReadyEventTimeout | | 1 | |
| REG | OPEN_KEY | | 3 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| MOD | LOAD | base_address = 0x7ffb70dd0000 | | 1 | |
| MOD | LOAD | module_name = X:\windows\System32\Userenv.dll, base_address = 0x0 | | 1 | |
| MOD | GET_PROC_ADDRESS | address_out = 0x7ffb70dd1d60 | | 1 | |
| REG | OPEN_KEY | | 1 | ||
| REG | WRITE_VALUE | | 1 | ||
| REG | WRITE_VALUE | value_name = WinStationsDisabled, data = 0 | | 1 | |
| REG | OPEN_KEY | | 1 | ||
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = TSServerDrainMode | | 1 | |
| REG | OPEN_KEY | | 3 | ||
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = ServiceDllUnloadOnStop | | 1 |
| Category | Operation | Information | Success | Amount | Logfile |
|---|---|---|---|---|---|
| REG | READ_VALUE | reg_name = Control Panel\International | | 1 | |
| REG | READ_VALUE | reg_name = Control Panel\International | | 1 | |
| REG | READ_VALUE | reg_name = Control Panel\International, value_name = sCurrencyOverride | | 1 | |
| REG | OPEN_KEY | | 3 | ||
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = ServiceDll | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = ServiceManifest | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = ServiceMain | | 1 | |
| MOD | LOAD | base_address = 0x7ffb70300000 | | 1 | |
| MOD | LOAD | module_name = x:\windows\system32\systemeventsbrokerserver.dll, base_address = 0x0 | | 1 | |
| MOD | GET_PROC_ADDRESS | address_out = 0x7ffb7030f080 | | 1 | |
| MOD | GET_PROC_ADDRESS | address_out = 0x7ffb7030ed50 | | 1 | |
| SVC | REGISTER_HANDLER | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = NoParamValidation | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = RegisterPrivateEnabled | | 1 | |
| SYS | GET_INFO | type = SYSTEM_PROCESSOR_INFORMATION | | 1 | |
| SYS | GET_INFO | type = SYSTEM_BASIC_INFORMATION | | 1 | |
| SYS | GET_INFO | type = SYSTEM_TIME_OF_DAY_INFORMATION | | 1 | |
| THREAD | CREATE | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134, proc_address = 0x7ffb701a1e00, desired_access = THREAD_ALL_ACCESS | | 1 | |
| REG | OPEN_KEY | | 1 | ||
| REG | DELETE_TREE | | 1 | ||
| REG | OPEN_KEY | | 3 | ||
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = ServiceDllUnloadOnStop | | 1 |
| Category | Operation | Information | Success | Amount | Logfile |
|---|---|---|---|---|---|
| SYS | SLEEP | | 1 | ||
| SYS | SLEEP | duration = 1 milliseconds (0.001 seconds) | | 1 |
| Information | Value |
|---|---|
| ID / OS PID | #13 / 0x238 |
| OS Parent PID | 0x1ac (c:\windows\system32\csrss.exe) |
| Initial Working Directory | X:\windows\system32 |
| File Name | \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\svchost.exe |
| Command Line | X:\windows\system32\svchost.exe -k RPCSS |
| Monitor | Start Time: 00:01:52, Reason: Child Process |
| Unmonitor | End Time: 00:02:07, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:15 |
| OS Thread IDs | #102 0x23C #103 0x240 #104 0x244 #105 0x248 #107 0x250 #108 0x254 #112 0x264 #129 0x2C0 |
| Name | Start VA | End VA | Type | Permissions | Monitored | Dump |
|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable | | |
| private_0x000000f052000000 | 0xf052000000 | 0xf05201ffff | Private Memory | Readable, Writable | | |
| pagefile_0x000000f052000000 | 0xf052000000 | 0xf05200ffff | Pagefile Backed File | Readable, Writable | | |
| private_0x000000f052010000 | 0xf052010000 | 0xf052016fff | Private Memory | Readable, Writable | | |
| pagefile_0x000000f052020000 | 0xf052020000 | 0xf05202efff | Pagefile Backed File | Readable | | |
| private_0x000000f052030000 | 0xf052030000 | 0xf0520affff | Private Memory | Readable, Writable | | |
| pagefile_0x000000f0520b0000 | 0xf0520b0000 | 0xf0520b3fff | Pagefile Backed File | Readable | | |
| pagefile_0x000000f0520c0000 | 0xf0520c0000 | 0xf0520c0fff | Pagefile Backed File | Readable | | |
| private_0x000000f0520d0000 | 0xf0520d0000 | 0xf0520d1fff | Private Memory | Readable, Writable | | |
| locale.nls | 0xf0520e0000 | 0xf05215dfff | Memory Mapped File | Readable | | |
| private_0x000000f052160000 | 0xf052160000 | 0xf05225ffff | Private Memory | Readable, Writable | | |
| private_0x000000f052260000 | 0xf052260000 | 0xf0522dffff | Private Memory | Readable, Writable | | |
| private_0x000000f0522e0000 | 0xf0522e0000 | 0xf05235ffff | Private Memory | Readable, Writable | | |
| private_0x000000f0522e0000 | 0xf0522e0000 | 0xf0522e6fff | Private Memory | Readable, Writable | | |
| sortdefault.nls | 0xf052360000 | 0xf052634fff | Memory Mapped File | Readable | | |
| private_0x000000f052640000 | 0xf052640000 | 0xf0526bffff | Private Memory | Readable, Writable | | |
| private_0x000000f0526c0000 | 0xf0526c0000 | 0xf05273ffff | Private Memory | Readable, Writable | | |
| private_0x000000f0527c0000 | 0xf0527c0000 | 0xf0527cffff | Private Memory | Readable, Writable | | |
| pagefile_0x00007df5ffd30000 | 0x7df5ffd30000 | 0x7ff5ffd2ffff | Pagefile Backed File | - | | |
| pagefile_0x00007ff7ca1e0000 | 0x7ff7ca1e0000 | 0x7ff7ca2dffff | Pagefile Backed File | Readable | | |
| pagefile_0x00007ff7ca2e0000 | 0x7ff7ca2e0000 | 0x7ff7ca302fff | Pagefile Backed File | Readable | | |
| private_0x00007ff7ca303000 | 0x7ff7ca303000 | 0x7ff7ca303fff | Private Memory | Readable, Writable | | |
| private_0x00007ff7ca308000 | 0x7ff7ca308000 | 0x7ff7ca309fff | Private Memory | Readable, Writable | | |
| private_0x00007ff7ca30a000 | 0x7ff7ca30a000 | 0x7ff7ca30bfff | Private Memory | Readable, Writable | | |
| private_0x00007ff7ca30a000 | 0x7ff7ca30a000 | 0x7ff7ca30bfff | Private Memory | Readable, Writable | | |
| private_0x00007ff7ca30c000 | 0x7ff7ca30c000 | 0x7ff7ca30dfff | Private Memory | Readable, Writable | | |
| private_0x00007ff7ca30e000 | 0x7ff7ca30e000 | 0x7ff7ca30ffff | Private Memory | Readable, Writable | | |
| svchost.exe | 0x7ff7ca810000 | 0x7ff7ca81cfff | Memory Mapped File | Readable, Writable, Executable | | |
| RpcRtRemote.dll | 0x7ffb70700000 | 0x7ffb70712fff | Memory Mapped File | Readable, Writable, Executable | | |
| RpcEpMap.dll | 0x7ffb70720000 | 0x7ffb70735fff | Memory Mapped File | Readable, Writable, Executable | | |
| rpcss.dll | 0x7ffb70740000 | 0x7ffb7080bfff | Memory Mapped File | Readable, Writable, Executable | | |
| rsaenh.dll | 0x7ffb70b00000 | 0x7ffb70b35fff | Memory Mapped File | Readable, Writable, Executable | | |
| CRYPTSP.dll | 0x7ffb71040000 | 0x7ffb7105ffff | Memory Mapped File | Readable, Writable, Executable | | |
| bcrypt.dll | 0x7ffb71260000 | 0x7ffb71285fff | Memory Mapped File | Readable, Writable, Executable | | |
| SspiCli.dll | 0x7ffb71500000 | 0x7ffb7152dfff | Memory Mapped File | Readable, Writable, Executable | | |
| powrprof.dll | 0x7ffb71530000 | 0x7ffb71575fff | Memory Mapped File | Readable, Writable, Executable | | |
| bcryptPrimitives.dll | 0x7ffb71580000 | 0x7ffb715e2fff | Memory Mapped File | Readable, Writable, Executable | | |
| CRYPTBASE.dll | 0x7ffb715f0000 | 0x7ffb715fafff | Memory Mapped File | Readable, Writable, Executable | | |
| kernelbase.dll | 0x7ffb71760000 | 0x7ffb71874fff | Memory Mapped File | Readable, Writable, Executable | | |
| WS2_32.dll | 0x7ffb73360000 | 0x7ffb733b9fff | Memory Mapped File | Readable, Writable, Executable | | |
| sechost.dll | 0x7ffb733c0000 | 0x7ffb73418fff | Memory Mapped File | Readable, Writable, Executable | | |
| kernel32.dll | 0x7ffb73480000 | 0x7ffb735bdfff | Memory Mapped File | Readable, Writable, Executable | | |
| combase.dll | 0x7ffb73740000 | 0x7ffb73950fff | Memory Mapped File | Readable, Writable, Executable | | |
| rpcrt4.dll | 0x7ffb73a30000 | 0x7ffb73b70fff | Memory Mapped File | Readable, Writable, Executable | | |
| NSI.dll | 0x7ffb73e80000 | 0x7ffb73e88fff | Memory Mapped File | Readable, Writable, Executable | | |
| MSVCRT.dll | 0x7ffb74050000 | 0x7ffb740f9fff | Memory Mapped File | Readable, Writable, Executable | | |
| ntdll.dll | 0x7ffb74120000 | 0x7ffb742cbfff | Memory Mapped File | Readable, Writable, Executable | | |
| Injection Type | Source Process | Source Os Thread ID | Injection Info | Success | Amount | Logfile |
|---|---|---|---|---|---|---|
| Modify Memory | \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe | 0x188 | No corresponding api call detected. Probably injected code via shellcode. | | 1 | |
| Modify Memory | \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe | 0x188 | No corresponding api call detected. Probably injected code via shellcode. | | 1 | |
| Modify Memory | \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe | 0x188 | No corresponding api call detected. Probably injected code via shellcode. | | 1 | |
| Modify Memory | \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe | 0x188 | No corresponding api call detected. Probably injected code via shellcode. | | 1 | |
| Modify Memory | \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\services.exe | 0x1b0 | address = 0xf0520d0000, size = 4704 | | 1 | |
| Modify Memory | \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\services.exe | 0x1b0 | address = 0x7ff7ca3032d8, size = 8 | | 1 | |
| Modify Memory | \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\lsass.exe | 0x1cc | No corresponding api call detected. Probably injected code via shellcode. | | 1 | |
| Modify Memory | \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\lsass.exe | 0x1cc | No corresponding api call detected. Probably injected code via shellcode. | | 1 | |
| Modify Memory | \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\lsass.exe | 0x1cc | No corresponding api call detected. Probably injected code via shellcode. | | 1 | |
| Modify Memory | \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\lsass.exe | 0x1cc | No corresponding api call detected. Probably injected code via shellcode. | | 1 | |
| Modify Memory | \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\lsass.exe | 0x1cc | No corresponding api call detected. Probably injected code via shellcode. | | 1 | |
| Modify Memory | \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\lsass.exe | 0x1cc | No corresponding api call detected. Probably injected code via shellcode. | | 1 |
| Category | Operation | Information | Success | Amount | Logfile |
|---|---|---|---|---|---|
| SYS | GET_INFO | type = SYSTEM_CURRENT_TIME_ZONE_INFORMATION | | 1 | |
| SYS | GET_INFO | type = SYSTEM_BASIC_INFORMATION | | 2 | |
| PROC | GET_INFO | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134 | | 1 | |
| REG | OPEN_KEY | reg_name = \Registry\Machine\System\CurrentControlSet\Control\Nls\Sorting\Versions | | 1 | |
| REG | READ_VALUE | reg_name = \Registry\Machine\System\CurrentControlSet\Control\Nls\Sorting\Versions, value_name = 1032168601360 | | 1 | |
| REG | OPEN_KEY | | 1 | ||
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = RPCSS | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = RPCSS | | 1 | |
| REG | OPEN_KEY | | 2 | ||
| MOD | LOAD | module_name = rpcrt4.dll, base_address = 0x0 | | 1 | |
| SYS | GET_INFO | type = SYSTEM_BASIC_INFORMATION | | 1 | |
| REG | READ_VALUE | value_name = MaxRpcSize | | 1 | |
| REG | OPEN_KEY | reg_name = \Registry\Machine\System\CurrentControlSet\Control\ComputerName\ActiveComputerName | | 1 | |
| REG | READ_VALUE | reg_name = \Registry\Machine\System\CurrentControlSet\Control\ComputerName\ActiveComputerName, value_name = ComputerName | | 1 | |
| REG | OPEN_KEY | reg_name = \Registry\Machine\System\Setup | | 1 | |
| REG | READ_VALUE | reg_name = \Registry\Machine\System\Setup, value_name = OOBEInProgress | | 1 | |
| REG | OPEN_KEY | reg_name = \Registry\Machine\System\Setup | | 1 | |
| REG | READ_VALUE | reg_name = \Registry\Machine\System\Setup, value_name = SystemSetupInProgress | | 1 | |
| SYS | GET_INFO | | 1 | ||
| PROC | GET_INFO | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134 | | 1 | |
| PROC | GET_INFO | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134 | | 1 | |
| REG | READ_VALUE | value_name = IdleTimerWindow | | 1 | |
| THREAD | CREATE | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134, proc_address = 0x7ffb733c7ef0, desired_access = THREAD_ALL_ACCESS | | 1 | |
| THREAD | CREATE | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134, proc_address = 0x7ffb733c7ef0, desired_access = THREAD_ALL_ACCESS | | 1 |
| Category | Operation | Information | Success | Amount | Logfile |
|---|---|---|---|---|---|
| DRV | CONTROL | control_code = 0x110004 | | 1 | |
| DRV | CONTROL | control_code = 0x110008 | | 2 | |
| REG | OPEN_KEY | | 1 |
| Category | Operation | Information | Success | Amount | Logfile |
|---|---|---|---|---|---|
| REG | OPEN_KEY | reg_name = Control Panel\International | | 1 | |
| REG | READ_VALUE | reg_name = Control Panel\International | | 1 | |
| REG | READ_VALUE | reg_name = Control Panel\International | | 1 | |
| REG | READ_VALUE | reg_name = Control Panel\International, value_name = sCurrencyOverride | | 1 | |
| REG | OPEN_KEY | reg_name = \Registry\Machine\System\CurrentControlSet\Control\Nls\CustomLocale | | 1 | |
| REG | READ_VALUE | reg_name = \Registry\Machine\System\CurrentControlSet\Control\Nls\CustomLocale, value_name = en-US | | 1 | |
| REG | OPEN_KEY | reg_name = \Registry\Machine\System\CurrentControlSet\Control\Nls\ExtendedLocale | | 1 | |
| REG | READ_VALUE | reg_name = \Registry\Machine\System\CurrentControlSet\Control\Nls\ExtendedLocale, value_name = en-US | | 1 | |
| REG | READ_VALUE | reg_name = \Registry\Machine\System\CurrentControlSet\Control\Nls\Sorting\Versions, value_name = 000602xx | | 1 | |
| MOD | LOAD | module_name = kernel32.dll, base_address = 0x0 | | 1 | |
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\globalization\sorting\sortdefault.nls, desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0 | | 1 | |
| MOD | CREATE_MAPPING | module_name = Nameless FileMapping, file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\globalization\sorting\sortdefault.nls, maximum_size = 0, protection = PAGE_READONLY | | 1 | |
| MOD | MAP | module_name = Nameless FileMapping, process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134, address = 0xf052360000 | | 1 | |
| REG | OPEN_KEY | reg_name = \Registry\Machine\System\CurrentControlSet\Control\Nls\Sorting\Ids | | 1 | |
| REG | READ_VALUE | reg_name = \Registry\Machine\System\CurrentControlSet\Control\Nls\Sorting\Ids, value_name = en-US | | 1 | |
| REG | READ_VALUE | reg_name = \Registry\Machine\System\CurrentControlSet\Control\Nls\Sorting\Ids, value_name = en | | 1 | |
| REG | OPEN_KEY | | 3 | ||
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = ServiceDll | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = ServiceManifest | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = ServiceMain | | 1 | |
| MOD | LOAD | base_address = 0x7ffb70720000 | | 1 | |
| MOD | LOAD | module_name = x:\windows\system32\rpcepmap.dll, base_address = 0x0 | | 1 | |
| MOD | GET_PROC_ADDRESS | address_out = 0x7ffb70727e90 | | 1 | |
| MOD | GET_PROC_ADDRESS | address_out = 0x0 | | 1 | |
| SVC | REGISTER_HANDLER | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = ListenOnInternet | | 1 | |
| REG | OPEN_KEY | | 1 | ||
| FILE | CREATE | | 1 | ||
| FILE | CREATE | file_name = \device\ndis, desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | file_name = \device\ndis, control_code = 0x170010 | | 1 | |
| REG | OPEN_KEY | reg_name = \Registry\Machine\System\CurrentControlSet\Control\ComputerName\ActiveComputerName | | 1 | |
| REG | READ_VALUE | reg_name = \Registry\Machine\System\CurrentControlSet\Control\ComputerName\ActiveComputerName, value_name = ComputerName | | 1 | |
| SYS | GET_INFO | | 1 | ||
| PROC | GET_INFO | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134 | | 1 | |
| PROC | GET_INFO | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134 | | 1 | |
| FILE | OPEN | file_name = c:\, desired_access = SYNCHRONIZE, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, open_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_FREE_SPACE_QUERY | | 1 | |
| REG | READ_VALUE | value_name = 9 | | 1 | |
| MOD | LOAD | module_name = sspicli.dll, base_address = 0x0 | | 1 | |
| SYS | GET_INFO | type = SYSTEM_BASIC_INFORMATION | | 1 | |
| SYS | GET_INFO | type = SYSTEM_PROCESSOR_INFORMATION | | 1 | |
| PROC | GET_INFO | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134 | | 1 | |
| MOD | LOAD | base_address = 0x7ffb71500000 | | 1 | |
| MOD | LOAD | module_name = sspicli.dll, base_address = 0x0 | | 1 | |
| REG | OPEN_KEY | | 1 | ||
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = SecurityProviders | | 1 | |
| REG | OPEN_KEY | | 1 | ||
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = RemoteRpcDll | | 1 | |
| MOD | LOAD | base_address = 0x7ffb70700000 | | 1 | |
| MOD | LOAD | module_name = RpcRtRemote.dll, base_address = 0x0 | | 1 | |
| MOD | GET_HANDLE | module_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\svchost.exe | | 1 | |
| MOD | GET_HANDLE | module_name = rpcrt4.dll | | 1 | |
| MOD | GET_PROC_ADDRESS | address_out = 0x7ffb73ab8f70 | | 1 | |
| MOD | GET_PROC_ADDRESS | address_out = 0x7ffb73ab9000 | | 1 | |
| MOD | GET_PROC_ADDRESS | address_out = 0x7ffb73b07230 | | 1 | |
| MOD | GET_PROC_ADDRESS | address_out = 0x7ffb70701860 | | 1 | |
| REG | OPEN_KEY | | 4 | ||
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = ServiceDllUnloadOnStop | | 1 |
| Category | Operation | Information | Success | Amount | Logfile |
|---|---|---|---|---|---|
| REG | READ_VALUE | reg_name = Control Panel\International | | 1 | |
| REG | READ_VALUE | reg_name = Control Panel\International | | 1 | |
| REG | READ_VALUE | reg_name = Control Panel\International, value_name = sCurrencyOverride | | 1 | |
| REG | OPEN_KEY | | 3 | ||
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = ServiceDll | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = ServiceManifest | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = ServiceMain | | 1 | |
| MOD | LOAD | base_address = 0x7ffb70740000 | | 1 | |
| MOD | LOAD | module_name = x:\windows\system32\rpcss.dll, base_address = 0x0 | | 1 | |
| REG | READ_VALUE | module_name = Nameless FileMapping, value_name = PageAllocatorUseSystemHeap | | 1 | |
| REG | READ_VALUE | value_name = PageAllocatorSystemHeapIsPrivate | | 1 | |
| REG | READ_VALUE | module_name = Nameless FileMapping, value_name = AggressiveMTATesting | | 1 | |
| SYS | GET_INFO | type = SYSTEM_BASIC_INFORMATION | | 1 | |
| SYS | GET_INFO | type = SYSTEM_PROCESSOR_INFORMATION | | 1 | |
| PROC | GET_INFO | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134 | | 1 | |
| MOD | GET_HANDLE | module_name = rpcrt4.dll | | 1 | |
| MOD | GET_PROC_ADDRESS | address_out = 0x7ffb7078a100 | | 1 | |
| MOD | GET_PROC_ADDRESS | address_out = 0x0 | | 1 | |
| SYS | GET_INFO | type = SYSTEM_BASIC_INFORMATION | | 1 | |
| SYS | GET_INFO | type = SYSTEM_PROCESSOR_INFORMATION | | 1 | |
| PROC | GET_INFO | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134 | | 1 | |
| SVC | REGISTER_HANDLER | | 1 | ||
| SVC | OPEN_MGR | database_name = SERVICES_ACTIVE_DATABASE, host = Localhost | | 1 | |
| REG | OPEN_KEY | | 1 | ||
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = ActivationFailureLoggingLevel | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = CallFailureLoggingLevel | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = InvalidSecurityDescriptorLoggingLevel | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = DisableActivationSecurityCheck | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = UseRunAsTokenCache | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = IssueActivationRpcAtIdentify | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = ResumeTimeout | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = DoNotAddAllApplicationPackagesToRestrictions | | 1 | |
| REG | OPEN_KEY | | 1 | ||
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = DefaultLaunchPermission | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = DefaultLaunchPermission | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = MachineLaunchRestriction | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = MachineLaunchRestriction | | 1 | |
| REG | READ_VALUE | value_name = MachineLaunchRestriction | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = MachineAccessRestriction | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = MachineAccessRestriction | | 1 | |
| REG | READ_VALUE | value_name = MachineAccessRestriction | | 1 | |
| REG | OPEN_KEY | | 1 | ||
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = RemoteHandleCacheMaxSize | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = RemoteHandleCacheMaxLifetime | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = RemoteHandleCacheMaxIdleTimeout | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = StaleMidTimeout | | 1 | |
| REG | OPEN_KEY | | 1 | ||
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = SRPRunningObjectChecks | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = SRPActivateAsActivatorChecks | | 1 | |
| REG | OPEN_KEY | | 1 | ||
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = EnableSystemDynamicIPTracking | | 1 | |
| REG | OPEN_KEY | | 1 | ||
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = EnableEELogging | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = LogEEInfoAsNative | | 1 | |
| REG | OPEN_KEY | | 1 | ||
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = DCOM Security | | 1 | |
| REG | OPEN_KEY | | 4 | ||
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = EnableDCOM | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = OleModalLoopBehavior | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = DCOMSCMRemoteCallFlags | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = BreakOnUnexpectedActivationErrors | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = EnableDCOMHTTP | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = IgnoreServerExceptions | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = BreakOnSilencedServerExceptions | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = LegacyAuthenticationService | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = LegacyAuthenticationLevel | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = LegacyImpersonationLevel | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = LegacyMutualAuthentication | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = LegacySecureReferences | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = PingInterval | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = UserPingSetQuota | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = MaxActivationRetriesPerServer | | 1 | |
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = Type | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = Image Path | | 2 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = Image Path | | 2 | |
| MOD | LOAD | base_address = 0x7ffb70b00000 | | 1 | |
| MOD | LOAD | module_name = X:\windows\system32\rsaenh.dll, base_address = 0x0 | | 1 | |
| MOD | GET_PROC_ADDRESS | address_out = 0x7ffb70b01570 | | 1 | |
| MOD | GET_PROC_ADDRESS | address_out = 0x7ffb70b01080 | | 1 | |
| MOD | GET_PROC_ADDRESS | address_out = 0x7ffb70b06090 | | 1 | |
| MOD | GET_PROC_ADDRESS | address_out = 0x7ffb70b1e1d0 | | 1 | |
| MOD | GET_PROC_ADDRESS | address_out = 0x7ffb70b02ce0 | | 1 | |
| MOD | GET_PROC_ADDRESS | address_out = 0x7ffb70b0af70 | | 1 | |
| MOD | GET_PROC_ADDRESS | address_out = 0x7ffb70b03880 | | 1 | |
| MOD | GET_PROC_ADDRESS | address_out = 0x7ffb70b03a30 | | 1 | |
| MOD | GET_PROC_ADDRESS | address_out = 0x7ffb70b03260 | | 1 | |
| MOD | GET_PROC_ADDRESS | address_out = 0x7ffb70b06be0 | | 1 | |
| MOD | GET_PROC_ADDRESS | address_out = 0x7ffb70b04ea0 | | 1 | |
| MOD | GET_PROC_ADDRESS | address_out = 0x7ffb70b027d0 | | 1 | |
| MOD | GET_PROC_ADDRESS | address_out = 0x7ffb70b02b00 | | 1 | |
| MOD | GET_PROC_ADDRESS | address_out = 0x7ffb70b1d8d0 | | 1 | |
| MOD | GET_PROC_ADDRESS | address_out = 0x7ffb70b024f0 | | 1 | |
| MOD | GET_PROC_ADDRESS | address_out = 0x7ffb70b06830 | | 1 | |
| MOD | GET_PROC_ADDRESS | address_out = 0x7ffb70b03c50 | | 1 | |
| MOD | GET_PROC_ADDRESS | address_out = 0x7ffb70b01030 | | 1 | |
| MOD | GET_PROC_ADDRESS | address_out = 0x7ffb70b05bb0 | | 1 | |
| MOD | GET_PROC_ADDRESS | address_out = 0x7ffb70b0f290 | | 1 | |
| MOD | GET_PROC_ADDRESS | address_out = 0x7ffb70b0f750 | | 1 | |
| MOD | GET_PROC_ADDRESS | address_out = 0x7ffb70b03f50 | | 1 | |
| MOD | GET_PROC_ADDRESS | address_out = 0x7ffb70b02630 | | 1 | |
| MOD | GET_PROC_ADDRESS | address_out = 0x7ffb70b0d330 | | 1 | |
| MOD | GET_PROC_ADDRESS | address_out = 0x7ffb70b1d6e0 | | 1 | |
| REG | OPEN_KEY | | 1 | ||
| PROC | OPEN_TOKEN | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = MachineGuid | | 2 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = MachineGuid | | 2 | |
| REG | OPEN_KEY | | 1 | ||
| PROC | OPEN_TOKEN | | 1 | ||
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x390008 | | 1 | |
| REG | OPEN_KEY | | 1 | ||
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = DCOM Protocols | | 1 | |
| REG | OPEN_KEY | reg_name = \Registry\Machine\System\CurrentControlSet\Control\ComputerName\ActiveComputerName | | 1 | |
| REG | READ_VALUE | reg_name = \Registry\Machine\System\CurrentControlSet\Control\ComputerName\ActiveComputerName, value_name = ComputerName | | 1 | |
| REG | READ_VALUE | value_name = WinSock_Registry_Version | | 2 | |
| REG | READ_VALUE | value_name = NameSpace_Callout | | 2 | |
| REG | READ_VALUE | value_name = Serial_Access_Num | | 2 | |
| REG | READ_VALUE | value_name = Next_Catalog_Entry_ID | | 1 | |
| REG | READ_VALUE | value_name = Num_Catalog_Entries64 | | 1 | |
| PROC | GET_INFO | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134 | | 1 | |
| REG | READ_VALUE | value_name = Serial_Access_Num | | 2 | |
| REG | READ_VALUE | value_name = Num_Catalog_Entries64 | | 1 | |
| REG | READ_VALUE | value_name = LibraryPath | | 2 | |
| REG | READ_VALUE | value_name = DisplayString | | 4 | |
| REG | READ_VALUE | value_name = ProviderId | | 1 | |
| REG | READ_VALUE | value_name = AddressFamily | | 1 | |
| REG | READ_VALUE | value_name = SupportedNameSpace | | 1 | |
| REG | READ_VALUE | value_name = Enabled | | 1 | |
| REG | READ_VALUE | value_name = Version | | 1 | |
| REG | READ_VALUE | value_name = StoresServiceClassInfo | | 1 | |
| REG | READ_VALUE | value_name = ProviderInfo | | 2 | |
| SYS | GET_INFO | type = SYSTEM_BASIC_INFORMATION | | 1 | |
| SYS | GET_INFO | type = SYSTEM_PROCESSOR_INFORMATION | | 1 | |
| PROC | GET_INFO | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134 | | 1 | |
| REG | READ_VALUE | value_name = Ws2_32NumHandleBuckets | | 1 | |
| PROC | OPEN_TOKEN | | 1 | ||
| REG | READ_VALUE | | 1 | ||
| REG | CREATE_KEY | reg_name = \REGISTRY\MACHINE\SOFTWARE\CLASSES | | 1 |
| Information | Value |
|---|---|
| ID / OS PID | #14 / 0x278 |
| OS Parent PID | 0x194 (\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\winlogon.exe) |
| Initial Working Directory | X:\windows\system32 |
| File Name | \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\winpeshl.exe |
| Command Line | winpeshl.exe |
| Monitor | Start Time: 00:01:54, Reason: Child Process |
| Unmonitor | End Time: 00:02:07, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:13 |
| OS Thread IDs | #116 0x27C #121 0x28C |
| Injection Type | Source Process | Source Os Thread ID | Injection Info | Success | Amount | Logfile |
|---|---|---|---|---|---|---|
| Modify Memory | \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe | 0x1e8 | address = 0xd9cbf50000, size = 16384 | | 1 | |
| Modify Memory | \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe | 0x1e8 | No corresponding api call detected. Probably injected code via shellcode. | | 1 | |
| Modify Memory | \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\winlogon.exe | 0x198 | address = 0xa3b7d40000, size = 4704 | | 1 | |
| Modify Memory | \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\winlogon.exe | 0x198 | address = 0x7ff74d8ca2d8, size = 8 | | 1 | |
| Modify Memory | \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe | 0x1e8 | address = 0xd9cbf60000, size = 8192 | | 1 | |
| Modify Memory | \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe | 0x1e8 | No corresponding api call detected. Probably injected code via shellcode. | | 1 |
| Category | Operation | Information | Success | Amount | Logfile |
|---|---|---|---|---|---|
| SYS | GET_INFO | type = SYSTEM_CURRENT_TIME_ZONE_INFORMATION | | 1 | |
| SYS | GET_INFO | type = SYSTEM_BASIC_INFORMATION | | 2 | |
| REG | OPEN_KEY | reg_name = \Registry\MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide | | 1 | |
| REG | READ_VALUE | reg_name = \Registry\MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide, value_name = PreferExternalManifest | | 1 | |
| FILE | OPEN | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\newdev.dll, desired_access = FILE_READ_DATA, FILE_READ_EA, FILE_READ_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_NON_DIRECTORY_FILE | | 1 | |
| REG | OPEN_KEY | reg_name = \Registry\Machine\System\CurrentControlSet\Control\Nls\Sorting\Versions | | 1 | |
| REG | READ_VALUE | reg_name = \Registry\Machine\System\CurrentControlSet\Control\Nls\Sorting\Versions, value_name = 703163720896 | | 1 | |
| SYS | GET_INFO | type = SYSTEM_BASIC_INFORMATION | | 1 | |
| MOD | GET_HANDLE | module_name = X:\windows\system32\IMM32.DLL | | 2 | |
| SYS | GET_INFO | type = SYSTEM_BASIC_INFORMATION | | 1 | |
| REG | OPEN_KEY | reg_name = \Registry\Machine\System\CurrentControlSet\Control\Error Message Instrument\ | | 1 | |
| REG | OPEN_KEY | reg_name = \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize | | 1 | |
| REG | READ_VALUE | reg_name = \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize, value_name = DisableMetaFiles | | 1 | |
| PROC | GET_INFO | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134 | | 1 | |
| REG | READ_VALUE | value_name = LoadAppInit_DLLs | | 1 | |
| REG | READ_VALUE | value_name = PageAllocatorUseSystemHeap | | 1 | |
| REG | READ_VALUE | value_name = PageAllocatorSystemHeapIsPrivate | | 1 | |
| REG | READ_VALUE | value_name = AggressiveMTATesting | | 1 | |
| SYS | GET_INFO | type = SYSTEM_BASIC_INFORMATION | | 1 | |
| SYS | GET_INFO | type = SYSTEM_PROCESSOR_INFORMATION | | 1 | |
| PROC | GET_INFO | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134 | | 1 | |
| MOD | GET_HANDLE | module_name = rpcrt4.dll | | 1 | |
| REG | OPEN_KEY | | 1 | ||
| FILE | CREATE | file_name = \device\deviceapi\cmapi, desired_access = GENERIC_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0 | | 1 | |
| REG | OPEN_KEY | reg_name = \Registry\Machine\Software\Microsoft\Windows\Windows Error Reporting\WMR | | 1 | |
| REG | READ_VALUE | reg_name = \Registry\Machine\Software\Microsoft\Windows\Windows Error Reporting\WMR, value_name = Disable | | 1 | |
| PROC | GET_INFO | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134 | | 1 | |
| REG | READ_VALUE | reg_name = \Registry\Machine\Software\Microsoft\Windows\Windows Error Reporting\WMR, value_name = SourcePath | | 1 | |
| REG | READ_VALUE | reg_name = \Registry\Machine\Software\Microsoft\Windows\Windows Error Reporting\WMR, value_name = DevicePath | | 1 | |
| REG | OPEN_KEY | reg_name = \Registry\Machine\System\CurrentControlSet\Control\Nls\CustomLocale | | 1 | |
| REG | READ_VALUE | reg_name = \Registry\Machine\System\CurrentControlSet\Control\Nls\CustomLocale, value_name = en-US | | 1 | |
| REG | OPEN_KEY | reg_name = \Registry\Machine\System\CurrentControlSet\Control\Nls\ExtendedLocale | | 1 | |
| REG | READ_VALUE | reg_name = \Registry\Machine\System\CurrentControlSet\Control\Nls\ExtendedLocale, value_name = en-US | | 1 | |
| MUTEX | CREATE | initial_owner = 0, desired_access = MUTEX_MODIFY_STATE, DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE | | 2 | |
| SYS | GET_INFO | type = SYSTEM_BASIC_INFORMATION | | 1 | |
| SYS | GET_INFO | type = SYSTEM_PROCESSOR_INFORMATION | | 1 | |
| PROC | GET_INFO | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134 | | 1 | |
| MUTEX | CREATE | | 1 | ||
| MUTEX | CREATE | initial_owner = 0, desired_access = MUTEX_MODIFY_STATE, DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE | | 1 | |
| REG | OPEN_KEY | | 1 | ||
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = SystemSetupInProgress | | 1 | |
| PROC | GET_INFO | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134 | | 1 | |
| MOD | GET_HANDLE | module_name = X:\windows\system32\oleaut32.dll | | 1 | |
| PROC | GET_INFO | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134 | | 1 | |
| MOD | GET_HANDLE | module_name = ext-ms-win-ole32-oleautomation-l1-1-0.dll | | 1 | |
| MOD | GET_HANDLE | module_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\winpeshl.exe | | 1 | |
| MOD | GET_HANDLE | module_name = advapi32.dll | | 1 | |
| MOD | GET_PROC_ADDRESS | address_out = 0x7ffb741751c0 | | 1 | |
| MOD | GET_PROC_ADDRESS | address_out = 0x7ffb7413b300 | | 1 | |
| MOD | GET_PROC_ADDRESS | address_out = 0x7ffb7413c360 | | 1 | |
| MOD | GET_HANDLE | module_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\winpeshl.exe | | 1 | |
| MOD | GET_HANDLE | module_name = ntdll.dll | | 1 | |
| MOD | GET_PROC_ADDRESS | address_out = 0x7ffb7413b300 | | 1 | |
| MOD | GET_PROC_ADDRESS | address_out = 0x7ffb7413c360 | | 1 | |
| MOD | GET_PROC_ADDRESS | address_out = 0x7ffb74175650 | | 1 | |
| MOD | GET_PROC_ADDRESS | address_out = 0x7ffb741751c0 | | 1 | |
| REG | OPEN_KEY | | 1 | ||
| MOD | GET_HANDLE | module_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\winpeshl.exe | | 1 | |
| FILE | CREATE | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\winpeshl.log, desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN_IF, create_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_NON_DIRECTORY_FILE, ea_buffer = 0, ea_length = 0 | | 1 | |
| FILE | WRITE | | 1 | ||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\winpeshl.log, size = 2 | | 1 | |
| FILE | WRITE | | 1 | ||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\winpeshl.log, size = 50 | | 1 | |
| FILE | WRITE | | 1 | ||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\winpeshl.log, size = 20 | | 1 | |
| FILE | WRITE | | 1 | ||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\winpeshl.log, size = 72 | | 1 | |
| FILE | WRITE | | 1 | ||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\winpeshl.log, size = 4 | | 1 | |
| REG | OPEN_KEY | | 1 | ||
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = InstRoot | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = InstRoot | | 1 | |
| REG | OPEN_KEY | | 1 | ||
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = DisableExtraFonts | | 1 | |
| PROC | GET_INFO | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134 | | 2 | |
| REG | OPEN_KEY | | 1 | ||
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = CustomBackground | | 1 | |
| REG | OPEN_KEY | | 1 | ||
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = CustomBackground | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = CustomBackground | | 1 | |
| THREAD | CREATE | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134, proc_address = 0x7ff74e412780, desired_access = THREAD_ALL_ACCESS | | 1 | |
| PROC | CREATE | process_name = | | 1 | |
| PROC | CREATE | process_name = , desired_access = MAXIMUM_ALLOWED, creation_flags = CREATE_NEW_PROCESS_GROUP | | 1 | |
| REG | OPEN_KEY | reg_name = \Registry\MACHINE\System\CurrentControlSet\Control\Session Manager\AppCertDlls | | 1 | |
| REG | OPEN_KEY | reg_name = \Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option | | 1 | |
| REG | OPEN_KEY | reg_name = \Registry\Machine\System\Setup | | 1 | |
| REG | READ_VALUE | reg_name = \Registry\Machine\System\Setup, value_name = 140717948767312 | | 1 | |
| PROC | GET_INFO | process_name = | | 1 | |
| REG | OPEN_KEY | reg_name = \Registry\MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide | | 1 | |
| REG | READ_VALUE | reg_name = \Registry\MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide, value_name = PreferExternalManifest | | 1 | |
| MEM | ALLOC | address = 0xa3b7d2f2e8, process_name = , size = 703163724872, allocation_type = MEM_COMMIT, protection = PAGE_READWRITE | | 1 | |
| MEM | WRITE | address = 0x6356410000, process_name = , size = 4704 | | 1 | |
| MEM | WRITE | address = 0x7ff618a9a2d8, process_name = , size = 8 | | 1 | |
| THREAD | RESUME | | 1 | ||
| FILE | WRITE | | 1 | ||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\winpeshl.log, size = 50 | | 1 | |
| FILE | WRITE | | 1 | ||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\winpeshl.log, size = 20 | | 1 | |
| FILE | WRITE | | 1 | ||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\winpeshl.log, size = 246 | | 1 | |
| FILE | WRITE | | 1 | ||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\winpeshl.log, size = 4 | | 1 | |
| MOD | GET_HANDLE | module_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\winpeshl.exe | | 1 | |
| MOD | GET_HANDLE | module_name = kernel32.dll | | 1 | |
| MOD | GET_PROC_ADDRESS | address_out = 0x7ffb73483210 | | 1 | |
| MOD | LOAD | base_address = 0x7ffb73e90000 | | 1 | |
| MOD | LOAD | module_name = user32.dll, base_address = 0x0 | | 1 | |
| MOD | GET_PROC_ADDRESS | address_out = 0x7ffb73e91700 | | 1 | |
| MOD | GET_PROC_ADDRESS | address_out = 0x7ffb73e91b00 | | 1 | |
| FILE | WRITE | | 1 | ||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\winpeshl.log, size = 50 | | 1 | |
| FILE | WRITE | | 1 | ||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\winpeshl.log, size = 20 | | 1 | |
| FILE | WRITE | | 1 | ||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\winpeshl.log, size = 44 | | 1 | |
| FILE | WRITE | | 1 | ||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\winpeshl.log, size = 4 | | 1 | |
| INI | READ | file_name = Win.ini | | 1 | |
| FILE | OPEN | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\winpeshl.ini, desired_access = SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_NON_DIRECTORY_FILE | | 1 | |
| FILE | READ | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\winpeshl.ini, size = 53 | | 1 | |
| FILE | WRITE | | 1 | ||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\winpeshl.log, size = 50 | | 1 | |
| FILE | WRITE | | 1 | ||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\winpeshl.log, size = 20 | | 1 | |
| FILE | WRITE | | 1 | ||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\winpeshl.log, size = 110 | | 1 | |
| FILE | WRITE | | 1 | ||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\winpeshl.log, size = 4 | | 1 | |
| PROC | CREATE | process_name = | | 1 | |
| PROC | CREATE | process_name = , desired_access = MAXIMUM_ALLOWED, creation_flags = CREATE_NEW_PROCESS_GROUP | | 1 | |
| REG | OPEN_KEY | reg_name = \Registry\Machine\System\Setup | | 1 | |
| REG | READ_VALUE | reg_name = \Registry\Machine\System\Setup, value_name = ShimEnable | | 1 | |
| PROC | GET_INFO | process_name = | | 1 | |
| REG | OPEN_KEY | reg_name = \Registry\MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide | | 1 | |
| REG | READ_VALUE | reg_name = \Registry\MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide, value_name = PreferExternalManifest | | 1 | |
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\sources\recovery\recenv.exe, desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE, create_disposition = FILE_OPEN, create_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_NON_DIRECTORY_FILE, ea_buffer = 0, ea_length = 0 | | 1 | |
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\sources\recovery\recenv.exe, desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE, create_disposition = FILE_OPEN, create_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_NON_DIRECTORY_FILE, ea_buffer = 0, ea_length = 0 | | 1 | |
| MOD | CREATE_MAPPING | module_name = Nameless FileMapping, file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\sources\recovery\recenv.exe, maximum_size = 0, protection = PAGE_READONLY | | 1 | |
| MOD | MAP | module_name = Nameless FileMapping, process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134, address = 0xa3b9740000 | | 1 | |
| MOD | UNMAP | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134, base_address = 0xa3b9740000 | | 1 | |
| MEM | ALLOC | address = 0xa3b7d2f2b8, process_name = , size = 703163724824, allocation_type = MEM_COMMIT, protection = PAGE_READWRITE | | 1 | |
| MEM | WRITE | address = 0xe5e5420000, process_name = , size = 4704 | | 1 | |
| MEM | WRITE | address = 0x7ff72999c2d8, process_name = , size = 8 | | 1 | |
| THREAD | RESUME | | 1 | ||
| FILE | WRITE | | 1 | ||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\winpeshl.log, size = 50 | | 1 | |
| FILE | WRITE | | 1 | ||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\winpeshl.log, size = 20 | | 1 | |
| FILE | WRITE | | 1 | ||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\winpeshl.log, size = 170 | | 1 | |
| FILE | WRITE | | 1 | ||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\winpeshl.log, size = 4 | | 1 |
| Category | Operation | Information | Success | Amount | Logfile |
|---|---|---|---|---|---|
| FILE | WRITE | | 1 | ||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\winpeshl.log, size = 50 | | 1 | |
| FILE | WRITE | | 1 | ||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\winpeshl.log, size = 20 | | 1 | |
| FILE | WRITE | | 1 | ||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\winpeshl.log, size = 58 | | 1 | |
| FILE | WRITE | | 1 | ||
| FILE | WRITE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\winpeshl.log, size = 4 | | 1 | |
| REG | OPEN_KEY | | 1 | ||
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = DisableRemovableStorageInit | | 1 | |
| MOD | LOAD | base_address = 0x7ffb74120000 | | 1 | |
| MOD | LOAD | module_name = ntdll.dll, base_address = 0x0 | | 1 | |
| MOD | GET_PROC_ADDRESS | address_out = 0x7ffb74190030 | | 1 | |
| MOD | GET_PROC_ADDRESS | address_out = 0x7ffb741e0720 | | 1 | |
| REG | OPEN_KEY | reg_name = \REGISTRY\MACHINE | | 1 | |
| REG | OPEN_KEY | reg_name = \REGISTRY\MACHINE\System\Setup | | 1 | |
| REG | READ_VALUE | reg_name = \REGISTRY\MACHINE\System\Setup, value_name = SystemSetupInProgress | | 1 | |
| REG | OPEN_KEY | reg_name = \REGISTRY\MACHINE | | 1 | |
| REG | OPEN_KEY | reg_name = \REGISTRY\MACHINE\SYSTEM\CurrentControlSet\Control\MiniNT | | 1 | |
| REG | OPEN_KEY | reg_name = \REGISTRY\MACHINE | | 1 | |
| REG | OPEN_KEY | reg_name = \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Setup | | 1 | |
| REG | READ_VALUE | reg_name = \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Setup, value_name = MinimizeFootprint | | 1 | |
| REG | OPEN_KEY | reg_name = \REGISTRY\MACHINE | | 1 | |
| REG | OPEN_KEY | reg_name = \REGISTRY\MACHINE\Software\Microsoft\EmbeddedNT\Security | | 1 | |
| MUTEX | CREATE | initial_owner = 0, desired_access = MUTEX_MODIFY_STATE, DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE | | 1 | |
| MUTEX | CREATE | | 1 | ||
| MUTEX | CREATE | initial_owner = 0, desired_access = MUTEX_MODIFY_STATE, DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE | | 1 | |
| SYS | SLEEP | | 1 | ||
| SYS | SLEEP | duration = 1 milliseconds (0.001 seconds) | | 1 | |
| MUTEX | RELEASE | | 1 | ||
| SYS | SLEEP | duration = 1 milliseconds (0.001 seconds) | | 1 | |
| SYS | SLEEP | | 1 | ||
| SYS | SLEEP | duration = 1 milliseconds (0.001 seconds) | | 1 | |
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x470803 | | 1 | |
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x470843 | | 1 | |
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x470813 | | 1 | |
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x470843 | | 1 | |
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x470813 | | 1 | |
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x470843 | | 1 | |
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x470813 | | 1 | |
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x470843 | | 1 | |
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x470813 | | 1 | |
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x470843 | | 1 | |
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x470813 | | 1 | |
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x470843 | | 1 | |
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x470813 | | 1 | |
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x470843 | | 1 | |
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x470813 | | 1 | |
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x470843 | | 1 | |
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x470813 | | 1 | |
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x470843 | | 1 | |
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x470813 | | 1 | |
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x470843 | | 1 | |
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x470813 | | 1 | |
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x470843 | | 1 | |
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x470813 | | 1 | |
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x470843 | | 1 | |
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x470813 | | 1 | |
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x470843 | | 1 | |
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x470813 | | 1 | |
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x470843 | | 1 | |
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x470813 | | 1 | |
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x470843 | | 1 | |
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x470813 | | 1 | |
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x470843 | | 1 | |
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x470813 | | 1 | |
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x470843 | | 1 | |
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x470813 | | 1 | |
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x470843 | | 1 | |
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x470813 | | 1 | |
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x470843 | | 1 | |
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x470813 | | 1 | |
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x470843 | | 1 | |
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x470813 | | 1 | |
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x470843 | | 1 | |
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x470813 | | 1 | |
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x470843 | | 1 | |
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x470813 | | 1 | |
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x470843 | | 1 | |
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x470813 | | 1 | |
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x470843 | | 1 | |
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x470813 | | 1 | |
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x470843 | | 1 | |
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x470813 | | 1 | |
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x470843 | | 1 | |
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x470813 | | 1 | |
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x470843 | | 1 | |
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x470813 | | 1 | |
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x470843 | | 1 | |
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x470813 | | 1 | |
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x470843 | | 1 | |
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x470813 | | 1 | |
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x470843 | | 1 | |
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x470813 | | 1 | |
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x470843 | | 1 | |
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x470813 | | 1 | |
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x470843 | | 1 | |
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x470813 | | 1 | |
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x470843 | | 1 | |
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x470813 | | 1 | |
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x470843 | | 1 | |
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x470813 | | 1 | |
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x470843 | | 1 | |
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x470813 | | 1 | |
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x470843 | | 1 | |
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x470813 | | 1 | |
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x470843 | | 1 | |
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x470813 | | 1 | |
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x470843 | | 1 | |
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x470813 | | 1 | |
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x470843 | | 1 | |
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x470813 | | 1 | |
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x470843 | | 1 | |
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x470813 | | 1 | |
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x470843 | | 1 | |
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x470813 | | 1 | |
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x470843 | | 1 | |
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x470813 | | 1 | |
| MUTEX | RELEASE | | 1 | ||
| SYS | SLEEP | duration = 1 milliseconds (0.001 seconds) | | 1 | |
| SYS | SLEEP | | 1 | ||
| SYS | SLEEP | duration = 1 milliseconds (0.001 seconds) | | 1 | |
| MUTEX | RELEASE | | 1 | ||
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x470827 | | 1 | |
| SYS | SLEEP | duration = 1 milliseconds (0.001 seconds) | | 1 | |
| SYS | SLEEP | | 1 | ||
| SYS | SLEEP | duration = 1 milliseconds (0.001 seconds) | | 1 | |
| MUTEX | RELEASE | | 1 | ||
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x470827 | | 1 | |
| SYS | SLEEP | duration = 1 milliseconds (0.001 seconds) | | 1 | |
| SYS | SLEEP | | 1 | ||
| SYS | SLEEP | duration = 1 milliseconds (0.001 seconds) | | 1 | |
| MUTEX | RELEASE | | 1 | ||
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x470827 | | 1 | |
| SYS | SLEEP | duration = 1 milliseconds (0.001 seconds) | | 1 | |
| SYS | SLEEP | | 1 | ||
| SYS | SLEEP | duration = 1 milliseconds (0.001 seconds) | | 1 | |
| MUTEX | RELEASE | | 1 | ||
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x470827 | | 1 | |
| SYS | SLEEP | duration = 1 milliseconds (0.001 seconds) | | 1 | |
| SYS | SLEEP | | 1 | ||
| SYS | SLEEP | duration = 1 milliseconds (0.001 seconds) | | 1 | |
| MUTEX | RELEASE | | 1 | ||
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x470827 | | 1 | |
| SYS | SLEEP | duration = 1 milliseconds (0.001 seconds) | | 1 | |
| SYS | SLEEP | | 1 | ||
| SYS | SLEEP | duration = 1 milliseconds (0.001 seconds) | | 1 | |
| MUTEX | RELEASE | | 1 | ||
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x470827 | | 1 | |
| SYS | SLEEP | duration = 1 milliseconds (0.001 seconds) | | 1 | |
| SYS | SLEEP | | 1 | ||
| SYS | SLEEP | duration = 1 milliseconds (0.001 seconds) | | 1 | |
| MUTEX | RELEASE | | 1 | ||
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x470827 | | 1 | |
| SYS | SLEEP | duration = 1 milliseconds (0.001 seconds) | | 1 | |
| SYS | SLEEP | | 1 | ||
| SYS | SLEEP | duration = 1 milliseconds (0.001 seconds) | | 1 | |
| MUTEX | RELEASE | | 1 | ||
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x470827 | | 1 | |
| SYS | SLEEP | duration = 1 milliseconds (0.001 seconds) | | 1 | |
| SYS | SLEEP | | 1 | ||
| SYS | SLEEP | duration = 1 milliseconds (0.001 seconds) | | 1 | |
| MUTEX | RELEASE | | 1 | ||
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x470827 | | 1 | |
| SYS | SLEEP | duration = 1 milliseconds (0.001 seconds) | | 1 | |
| SYS | SLEEP | | 1 | ||
| SYS | SLEEP | duration = 1 milliseconds (0.001 seconds) | | 1 | |
| MUTEX | RELEASE | | 1 | ||
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x470827 | | 1 | |
| SYS | SLEEP | duration = 1 milliseconds (0.001 seconds) | | 1 | |
| SYS | SLEEP | | 1 | ||
| SYS | SLEEP | duration = 1 milliseconds (0.001 seconds) | | 1 | |
| MUTEX | RELEASE | | 1 | ||
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x470827 | | 1 | |
| SYS | SLEEP | duration = 1 milliseconds (0.001 seconds) | | 1 | |
| SYS | SLEEP | | 1 | ||
| SYS | SLEEP | duration = 1 milliseconds (0.001 seconds) | | 1 | |
| MUTEX | RELEASE | | 1 | ||
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x470827 | | 1 | |
| SYS | SLEEP | duration = 1 milliseconds (0.001 seconds) | | 1 | |
| SYS | SLEEP | | 1 | ||
| SYS | SLEEP | duration = 1 milliseconds (0.001 seconds) | | 1 | |
| MUTEX | RELEASE | | 1 | ||
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x470827 | | 1 | |
| SYS | SLEEP | duration = 1 milliseconds (0.001 seconds) | | 1 | |
| SYS | SLEEP | | 1 | ||
| SYS | SLEEP | duration = 1 milliseconds (0.001 seconds) | | 1 | |
| MUTEX | RELEASE | | 1 | ||
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x470827 | | 1 | |
| SYS | SLEEP | duration = 1 milliseconds (0.001 seconds) | | 1 | |
| SYS | SLEEP | | 1 | ||
| SYS | SLEEP | duration = 1 milliseconds (0.001 seconds) | | 1 | |
| MUTEX | RELEASE | | 1 | ||
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x470827 | | 1 | |
| SYS | SLEEP | | 1 | ||
| SYS | SLEEP | duration = 1 milliseconds (0.001 seconds) | | 1 | |
| MUTEX | RELEASE | | 1 | ||
| SYS | SLEEP | duration = 1 milliseconds (0.001 seconds) | | 2 | |
| SYS | SLEEP | | 1 | ||
| SYS | SLEEP | duration = 1 milliseconds (0.001 seconds) | | 1 | |
| MUTEX | RELEASE | | 1 | ||
| REG | OPEN_KEY | reg_name = \REGISTRY\MACHINE | | 1 | |
| REG | OPEN_KEY | reg_name = \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Setup | | 1 | |
| REG | READ_VALUE | reg_name = \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Setup, value_name = LogLevel | | 1 | |
| REG | READ_VALUE | reg_name = \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Setup, value_name = LogMask | | 1 | |
| REG | READ_VALUE | reg_name = \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Setup, value_name = LogMaxFileSize | | 1 | |
| SYS | SLEEP | | 1 | ||
| SYS | SLEEP | duration = 1 milliseconds (0.001 seconds) | | 1 | |
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x470813 | | 1 | |
| MUTEX | RELEASE | | 1 | ||
| SYS | SLEEP | | 1 | ||
| SYS | SLEEP | duration = 1 milliseconds (0.001 seconds) | | 1 | |
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x470813 | | 1 | |
| MUTEX | RELEASE | | 1 | ||
| REG | READ_VALUE | reg_name = \Registry\Machine\System\CurrentControlSet\Control\Nls\Sorting\Versions, value_name = 000602xx | | 1 | |
| MOD | LOAD | module_name = kernel32.dll, base_address = 0x0 | | 1 | |
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\globalization\sorting\sortdefault.nls, desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, create_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_NON_DIRECTORY_FILE, ea_buffer = 0, ea_length = 0 | | 1 | |
| MOD | CREATE_MAPPING | module_name = Nameless FileMapping, file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\globalization\sorting\sortdefault.nls, maximum_size = 0, protection = PAGE_READONLY | | 1 | |
| MOD | MAP | module_name = Nameless FileMapping, process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134, address = 0xa3b9880000 | | 1 | |
| REG | OPEN_KEY | reg_name = \Registry\Machine\System\CurrentControlSet\Control\Nls\Sorting\Ids | | 1 | |
| REG | READ_VALUE | reg_name = \Registry\Machine\System\CurrentControlSet\Control\Nls\Sorting\Ids, value_name = en-US | | 1 | |
| REG | READ_VALUE | reg_name = \Registry\Machine\System\CurrentControlSet\Control\Nls\Sorting\Ids, value_name = en | | 1 | |
| REG | OPEN_KEY | reg_name = \REGISTRY\MACHINE | | 1 | |
| REG | OPEN_KEY | reg_name = \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows\DeviceInstall | | 1 | |
| SYS | SLEEP | duration = 1 milliseconds (0.001 seconds) | | 1 | |
| SYS | SLEEP | | 1 | ||
| SYS | SLEEP | duration = 1 milliseconds (0.001 seconds) | | 1 | |
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x470813 | | 1 | |
| MUTEX | RELEASE | | 1 | ||
| SYS | SLEEP | duration = 1 milliseconds (0.001 seconds) | | 1 | |
| MUTEX | CREATE | | 1 | ||
| MUTEX | CREATE | initial_owner = 0, desired_access = MUTEX_MODIFY_STATE, DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE | | 1 | |
| MUTEX | CREATE | | 1 | ||
| MUTEX | CREATE | initial_owner = 0, desired_access = MUTEX_MODIFY_STATE, DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE | | 1 | |
| MUTEX | CREATE | | 1 | ||
| MUTEX | CREATE | initial_owner = 0, desired_access = MUTEX_MODIFY_STATE, DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE | | 1 | |
| MUTEX | CREATE | | 1 | ||
| MUTEX | CREATE | initial_owner = 0, desired_access = MUTEX_MODIFY_STATE, DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE | | 1 | |
| REG | OPEN_KEY | reg_name = Control Panel\International | | 1 | |
| REG | READ_VALUE | reg_name = Control Panel\International | | 1 | |
| REG | READ_VALUE | reg_name = Control Panel\International | | 1 | |
| REG | READ_VALUE | reg_name = Control Panel\International, value_name = sCurrencyOverride | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| FILE | OPEN | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\, desired_access = FILE_READ_DATA, SYNCHRONIZE, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE, open_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x47086b | | 1 | |
| PROC | GET_INFO | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134 | | 1 | |
| FILE | OPEN | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\, desired_access = FILE_READ_DATA, SYNCHRONIZE, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE, open_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT | | 1 | |
| PROC | GET_INFO | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134 | | 1 | |
| FILE | CREATE | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\apps.inf, desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, create_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_NON_DIRECTORY_FILE, ea_buffer = 0, ea_length = 0 | | 1 | |
| MOD | CREATE_MAPPING | module_name = Nameless FileMapping | | 1 | |
| MOD | CREATE_MAPPING | module_name = Nameless FileMapping, file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\apps.inf, maximum_size = 703191041456, protection = PAGE_READONLY | | 1 | |
| MOD | MAP | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\winpeshl.exe, os_pid = 0x278, address = 0xa3b7f40000 | | 1 | |
| MOD | MAP | module_name = Nameless FileMapping, process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134, address = 0xa3b7f40000 | | 1 | |
| MOD | UNMAP | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\winpeshl.exe, os_pid = 0x278 | | 1 | |
| MUTEX | CREATE | | 1 | ||
| MUTEX | CREATE | initial_owner = 0, desired_access = MUTEX_MODIFY_STATE, DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE | | 1 | |
| SYS | SLEEP | | 1 | ||
| SYS | SLEEP | duration = 1 milliseconds (0.001 seconds) | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x47086b | | 1 | |
| PROC | GET_INFO | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134 | | 1 | |
| FILE | OPEN | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\, desired_access = FILE_READ_DATA, SYNCHRONIZE, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE, open_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT | | 1 | |
| PROC | GET_INFO | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134 | | 1 | |
| FILE | CREATE | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\defltbase.inf, desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, create_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_NON_DIRECTORY_FILE, ea_buffer = 0, ea_length = 0 | | 1 | |
| MOD | CREATE_MAPPING | module_name = Nameless FileMapping | | 1 | |
| MOD | CREATE_MAPPING | module_name = Nameless FileMapping, file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\defltbase.inf, maximum_size = 703191041456, protection = PAGE_READONLY | | 1 | |
| MOD | MAP | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\winpeshl.exe, os_pid = 0x278, address = 0xa3b7f40000 | | 1 | |
| MOD | MAP | module_name = Nameless FileMapping, process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134, address = 0xa3b7f40000 | | 1 | |
| MOD | UNMAP | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\winpeshl.exe, os_pid = 0x278 | | 1 | |
| MUTEX | CREATE | | 1 | ||
| MUTEX | CREATE | initial_owner = 0, desired_access = MUTEX_MODIFY_STATE, DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE | | 1 |
| Information | Value |
|---|---|
| ID / OS PID | #16 / 0x290 |
| OS Parent PID | 0x278 (\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\winpeshl.exe) |
| Initial Working Directory | X:\windows\system32 |
| File Name | \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\wallpaperhost.exe |
| Command Line | X:\windows\system32\WallpaperHost.exe |
| Monitor | Start Time: 00:01:55, Reason: Child Process |
| Unmonitor | End Time: 00:02:07, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:12 |
| OS Thread IDs | #122 0x294 #124 0x2A0 #125 0x2A4 |
| Injection Type | Source Process | Source Os Thread ID | Injection Info | Success | Amount | Logfile |
|---|---|---|---|---|---|---|
| Modify Memory | \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe | 0x1e8 | No corresponding api call detected. Probably injected code via shellcode. | | 1 | |
| Modify Memory | \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe | 0x1e8 | No corresponding api call detected. Probably injected code via shellcode. | | 1 | |
| Modify Memory | \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe | 0x1e8 | address = 0xd9cbf60000, size = 12288 | | 1 | |
| Modify Memory | \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe | 0x1e8 | No corresponding api call detected. Probably injected code via shellcode. | | 1 | |
| Modify Memory | \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\winpeshl.exe | 0x27c | address = 0x6356410000, size = 4704 | | 1 | |
| Modify Memory | \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\winpeshl.exe | 0x27c | address = 0x7ff618a9a2d8, size = 8 | | 1 |
| Category | Operation | Information | Success | Amount | Logfile | |
|---|---|---|---|---|---|---|
| SYS | GET_INFO | type = SYSTEM_CURRENT_TIME_ZONE_INFORMATION | | 1 | ||
| SYS | GET_INFO | type = SYSTEM_BASIC_INFORMATION | | 2 | ||
| REG | OPEN_KEY | reg_name = \Registry\Machine\System\CurrentControlSet\Control\Nls\Sorting\Versions | | 1 | ||
| REG | READ_VALUE | reg_name = \Registry\Machine\System\CurrentControlSet\Control\Nls\Sorting\Versions, value_name = 426648723168 | | 1 | ||
| REG | READ_VALUE | value_name = PageAllocatorUseSystemHeap | | 1 | ||
| REG | READ_VALUE | value_name = PageAllocatorSystemHeapIsPrivate | | 1 | ||
| REG | READ_VALUE | value_name = AggressiveMTATesting | | 1 | ||
| SYS | GET_INFO | type = SYSTEM_BASIC_INFORMATION | | 1 | ||
| SYS | GET_INFO | type = SYSTEM_PROCESSOR_INFORMATION | | 1 | ||
| PROC | GET_INFO | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134 | | 1 | ||
| MOD | GET_HANDLE | module_name = rpcrt4.dll | | 1 | ||
| SYS | GET_INFO | type = SYSTEM_BASIC_INFORMATION | | 1 | ||
| MOD | GET_HANDLE | module_name = X:\windows\system32\IMM32.DLL | | 1 | ||
| MOD | LOAD | module_name = X:\windows\system32\IMM32.DLL, base_address = 0x0 | | 1 | ||
| PROC | GET_INFO | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134 | | 1 | ||
| SYS | GET_INFO | type = SYSTEM_BASIC_INFORMATION | | 1 | ||
| MOD | GET_HANDLE | module_name = X:\windows\system32\IMM32.DLL | | 2 | ||
| REG | OPEN_KEY | reg_name = \Registry\Machine\System\CurrentControlSet\Control\Error Message Instrument\ | | 1 | ||
| REG | OPEN_KEY | reg_name = \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize | | 1 | ||
| REG | READ_VALUE | reg_name = \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize, value_name = DisableMetaFiles | | 1 | ||
| PROC | GET_INFO | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134 | | 1 | ||
| REG | READ_VALUE | value_name = LoadAppInit_DLLs | | 1 | ||
| MOD | GET_HANDLE | module_name = X:\windows\system32\oleaut32.dll | | 1 | ||
| PROC | GET_INFO | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134 | | 1 | ||
| MOD | GET_HANDLE | module_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\wallpaperhost.exe | | 1 | ||
| MOD | GET_HANDLE | module_name = X:\windows\system32\rpcss.dll | | 1 | ||
| SYS | GET_INFO | type = SYSTEM_BASIC_INFORMATION | | 1 | ||
| DRV | CONTROL | | 1 | |||
| DRV | CONTROL | control_code = 0x390008 | | 1 | ||
| COM | CREATE | interface = None, | | 1 | ||
| MOD | GET_HANDLE | module_name = combase.dll | | 1 | ||
| REG | OPEN_KEY | reg_name = HKEY_USERS\S-1-5-18_Classes | | 1 | ||
| MOD | MAP | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134, address = 0x63564e0000 | | 1 | ||
| REG | READ_VALUE | value_name = Com+Enabled | | 1 | ||
| REG | OPEN_KEY | reg_name = \REGISTRY\MACHINE\Software\Microsoft\WindowsRuntime\CLSID | | 1 | ||
| REG | OPEN_KEY | reg_name = \REGISTRY\MACHINE\Software\Microsoft\WindowsRuntime\CLSID\{75048700-EF1F-11D0-9888-006097DEACF9} | | 1 | ||
| REG | OPEN_KEY | reg_name = \REGISTRY\MACHINE\Software\Classes\ActivatableClasses\CLSID | | 1 | ||
| REG | OPEN_KEY | reg_name = \REGISTRY\MACHINE\Software\Classes\ActivatableClasses\CLSID\{75048700-EF1F-11D0-9888-006097DEACF9} | | 1 | ||
| REG | READ_VALUE | value_name = 426648726872 | | 2 | ||
| REG | READ_VALUE | value_name = InprocServer32 | | 1 | ||
| REG | READ_VALUE | value_name = 426648726760 | | 1 | ||
| REG | READ_VALUE | value_name = 426648726632 | | 1 | ||
| REG | READ_VALUE | value_name = 426648726760 | | 1 | ||
| REG | READ_VALUE | value_name = ThreadingModel | | 1 | ||
| REG | READ_VALUE | value_name = MaxSxSHashCount | | 1 | ||
| REG | OPEN_KEY | reg_name = HKEY_USERS\S-1-5-18_Classes | | 1 | ||
| MOD | LOAD | module_name = X:\windows\system32\shell32.dll, base_address = 0x0 | | 1 | ||
| REG | OPEN_KEY | reg_name = \Registry\Machine\System\CurrentControlSet\Control\Nls\CustomLocale | | 1 | ||
| REG | READ_VALUE | reg_name = \Registry\Machine\System\CurrentControlSet\Control\Nls\CustomLocale, value_name = en-US | | 1 | ||
| REG | OPEN_KEY | reg_name = \Registry\Machine\System\CurrentControlSet\Control\Nls\ExtendedLocale | | 1 | ||
| REG | READ_VALUE | reg_name = \Registry\Machine\System\CurrentControlSet\Control\Nls\ExtendedLocale, value_name = en-US | | 1 | ||
| REG | OPEN_KEY | reg_name = \Registry\Machine\System\CurrentControlSet\Control\Nls\ExtendedLocale\Control Panel\International | | 1 | ||
| REG | READ_VALUE | reg_name = \Registry\Machine\System\CurrentControlSet\Control\Nls\ExtendedLocale\Control Panel\International | | 1 | ||
| REG | READ_VALUE | reg_name = \Registry\Machine\System\CurrentControlSet\Control\Nls\ExtendedLocale\Control Panel\International | | 1 | ||
| REG | READ_VALUE | reg_name = \Registry\Machine\System\CurrentControlSet\Control\Nls\ExtendedLocale\Control Panel\International, value_name = sCurrencyOverride | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = SystemSetupInProgress | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = OOBEInProgress | | 1 | ||
| MOD | LOAD | module_name = rpcrt4.dll, base_address = 0x0 | | 1 | ||
| SYS | GET_INFO | type = SYSTEM_BASIC_INFORMATION | | 1 | ||
| REG | READ_VALUE | value_name = MaxRpcSize | | 1 | ||
| REG | OPEN_KEY | reg_name = \Registry\Machine\System\CurrentControlSet\Control\ComputerName\ActiveComputerName | | 1 | ||
| REG | READ_VALUE | reg_name = \Registry\Machine\System\CurrentControlSet\Control\ComputerName\ActiveComputerName, value_name = ComputerName | | 1 | ||
| REG | OPEN_KEY | reg_name = \Registry\Machine\System\Setup | | 1 | ||
| REG | READ_VALUE | reg_name = \Registry\Machine\System\Setup, value_name = OOBEInProgress | | 1 | ||
| REG | OPEN_KEY | reg_name = \Registry\Machine\System\Setup | | 1 | ||
| REG | READ_VALUE | reg_name = \Registry\Machine\System\Setup, value_name = SystemSetupInProgress | | 1 | ||
| SYS | GET_INFO | | 1 | |||
| PROC | GET_INFO | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134 | | 1 | ||
| PROC | GET_INFO | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134 | | 1 | ||
| REG | READ_VALUE | value_name = IdleTimerWindow | | 1 | ||
| MOD | CREATE_MAPPING | module_name = Nameless FileMapping | | 1 | ||
| MOD | CREATE_MAPPING | module_name = windows_shell_global_counters, module_name = rpcrt4.dll, maximum_size = 426648726032, protection = PAGE_READWRITE | | 1 | ||
| MOD | MAP | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\wallpaperhost.exe, os_pid = 0x290, address = 0x63564f0000 | | 1 | ||
| MOD | MAP | module_name = windows_shell_global_counters, process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134, address = 0x63564f0000 | | 1 | ||
| REG | READ_VALUE | value_name = Category | | 1 | ||
| REG | READ_VALUE | value_name = Name | | 1 | ||
| REG | READ_VALUE | value_name = ParentFolder | | 1 | ||
| REG | READ_VALUE | value_name = Description | | 1 | ||
| REG | READ_VALUE | value_name = RelativePath | | 1 | ||
| REG | READ_VALUE | value_name = ParsingName | | 1 | ||
| REG | READ_VALUE | value_name = InfoTip | | 1 | ||
| REG | READ_VALUE | value_name = LocalizedName | | 1 | ||
| REG | READ_VALUE | value_name = Icon | | 1 | ||
| REG | READ_VALUE | value_name = Security | | 1 | ||
| REG | READ_VALUE | value_name = StreamResource | | 1 | ||
| REG | READ_VALUE | value_name = StreamResourceType | | 1 | ||
| REG | READ_VALUE | value_name = LocalRedirectOnly | | 1 | ||
| REG | READ_VALUE | value_name = Roamable | | 1 | ||
| REG | READ_VALUE | value_name = PreCreate | | 1 | ||
| REG | READ_VALUE | value_name = Stream | | 1 | ||
| REG | READ_VALUE | value_name = PublishExpandedPath | | 1 | ||
| REG | READ_VALUE | value_name = DefinitionFlags | | 1 | ||
| REG | READ_VALUE | value_name = Attributes | | 1 | ||
| REG | READ_VALUE | value_name = FolderTypeID | | 1 | ||
| REG | READ_VALUE | value_name = InitFolderHandler | | 1 | ||
| REG | READ_VALUE | value_name = AppData | | 1 | ||
| REG | READ_VALUE | reg_name = \Registry\Machine\System\CurrentControlSet\Control\Nls\Sorting\Versions, value_name = 000602xx | | 1 | ||
| MOD | LOAD | module_name = kernel32.dll, base_address = 0x0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\globalization\sorting\sortdefault.nls, desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0 | | 1 | ||
| MOD | CREATE_MAPPING | module_name = Nameless FileMapping, file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\globalization\sorting\sortdefault.nls, maximum_size = 0, protection = PAGE_READONLY | | 1 | ||
| MOD | MAP | module_name = Nameless FileMapping, process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134, address = 0x6357d80000 | | 1 | ||
| REG | OPEN_KEY | reg_name = \Registry\Machine\System\CurrentControlSet\Control\Nls\Sorting\Ids | | 1 | ||
| REG | READ_VALUE | reg_name = \Registry\Machine\System\CurrentControlSet\Control\Nls\Sorting\Ids, value_name = en-US | | 1 | ||
| REG | READ_VALUE | reg_name = \Registry\Machine\System\CurrentControlSet\Control\Nls\Sorting\Ids, value_name = en | | 1 | ||
| REG | OPEN_KEY | | 2 | |||
| REG | READ_VALUE | module_name = Nameless FileMapping, value_name = Category | | 1 | ||
| REG | READ_VALUE | module_name = Nameless FileMapping, value_name = Name | | 1 | ||
| REG | READ_VALUE | module_name = Nameless FileMapping, value_name = ParentFolder | | 1 | ||
| REG | READ_VALUE | module_name = Nameless FileMapping, value_name = Description | | 1 | ||
| REG | READ_VALUE | module_name = Nameless FileMapping, value_name = RelativePath | | 1 | ||
| REG | READ_VALUE | module_name = Nameless FileMapping, value_name = ParsingName | | 1 | ||
| REG | READ_VALUE | module_name = Nameless FileMapping, value_name = InfoTip | | 1 | ||
| REG | READ_VALUE | module_name = Nameless FileMapping, value_name = LocalizedName | | 1 | ||
| REG | READ_VALUE | module_name = Nameless FileMapping, value_name = Icon | | 1 | ||
| REG | READ_VALUE | module_name = Nameless FileMapping, value_name = Security | | 1 | ||
| REG | READ_VALUE | module_name = Nameless FileMapping, value_name = StreamResource | | 1 | ||
| REG | READ_VALUE | module_name = Nameless FileMapping, value_name = StreamResourceType | | 1 | ||
| REG | READ_VALUE | module_name = Nameless FileMapping, value_name = LocalRedirectOnly | | 1 | ||
| REG | READ_VALUE | module_name = Nameless FileMapping, value_name = Roamable | | 1 | ||
| REG | READ_VALUE | module_name = Nameless FileMapping, value_name = PreCreate | | 1 | ||
| REG | READ_VALUE | module_name = Nameless FileMapping, value_name = Stream | | 1 | ||
| REG | READ_VALUE | module_name = Nameless FileMapping, value_name = PublishExpandedPath | | 1 | ||
| REG | READ_VALUE | module_name = Nameless FileMapping, value_name = DefinitionFlags | | 1 | ||
| REG | READ_VALUE | module_name = Nameless FileMapping, value_name = Attributes | | 1 | ||
| REG | READ_VALUE | module_name = Nameless FileMapping, value_name = FolderTypeID | | 1 | ||
| REG | READ_VALUE | module_name = Nameless FileMapping, value_name = InitFolderHandler | | 1 | ||
| REG | OPEN_KEY | | 1 | |||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ProfileImagePath | | 1 | ||
| REG | READ_VALUE | | 1 | |||
| REG | READ_VALUE | value_name = ProfileImagePath | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\themes, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| REG | READ_VALUE | value_name = LastUpdated | | 1 | ||
| REG | READ_VALUE | value_name = TranscodedImageCount | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\themes, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| REG | READ_VALUE | value_name = TranscodedImageCache_000 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\themes, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| REG | READ_VALUE | value_name = TranscodedImageCache_001 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\themes, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| REG | READ_VALUE | value_name = TranscodedImageCache_002 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\themes, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| REG | READ_VALUE | value_name = TranscodedImageCache_003 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\themes, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| REG | READ_VALUE | value_name = TranscodedImageCache_004 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\themes, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| REG | READ_VALUE | value_name = TranscodedImageCache_005 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\themes, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| REG | READ_VALUE | value_name = TranscodedImageCache_006 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\themes, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| REG | READ_VALUE | value_name = TranscodedImageCache_007 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\themes, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| REG | READ_VALUE | value_name = TranscodedImageCache_008 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\themes, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| REG | READ_VALUE | value_name = TranscodedImageCache_009 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\themes, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| REG | READ_VALUE | value_name = TranscodedImageCache_010 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\themes, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| REG | READ_VALUE | value_name = TranscodedImageCache_011 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\themes, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| REG | READ_VALUE | value_name = TranscodedImageCache_012 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\themes, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| REG | READ_VALUE | value_name = TranscodedImageCache_013 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\themes, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| REG | READ_VALUE | value_name = TranscodedImageCache_014 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\themes, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| REG | READ_VALUE | value_name = TranscodedImageCache_015 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\themes, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| REG | READ_VALUE | value_name = TranscodedImageCache_016 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\themes, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| REG | READ_VALUE | value_name = TranscodedImageCache_017 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\themes, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| REG | READ_VALUE | value_name = TranscodedImageCache_018 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\themes, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| REG | READ_VALUE | value_name = TranscodedImageCache_019 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\themes, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| REG | READ_VALUE | value_name = TranscodedImageCache_020 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\themes, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| REG | READ_VALUE | value_name = TranscodedImageCache_021 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\themes, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| REG | READ_VALUE | value_name = TranscodedImageCache_022 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\themes, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| REG | READ_VALUE | value_name = TranscodedImageCache_023 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\themes, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| REG | READ_VALUE | value_name = TranscodedImageCache_024 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\themes, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| REG | READ_VALUE | value_name = TranscodedImageCache_025 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\themes, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| REG | READ_VALUE | value_name = TranscodedImageCache_026 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\themes, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| REG | READ_VALUE | value_name = TranscodedImageCache_027 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\themes, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| REG | READ_VALUE | value_name = TranscodedImageCache_028 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\themes, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| REG | READ_VALUE | value_name = TranscodedImageCache_029 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\themes, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| REG | READ_VALUE | value_name = TranscodedImageCache_030 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\themes, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| REG | READ_VALUE | value_name = TranscodedImageCache_031 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\themes, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| REG | READ_VALUE | value_name = TranscodedImageCache_032 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\themes, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| REG | READ_VALUE | value_name = TranscodedImageCache_033 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\themes, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| REG | READ_VALUE | value_name = TranscodedImageCache_034 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\themes, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| REG | READ_VALUE | value_name = TranscodedImageCache_035 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\themes, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| REG | READ_VALUE | value_name = TranscodedImageCache_036 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\themes, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| REG | READ_VALUE | value_name = TranscodedImageCache_037 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\themes, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| REG | READ_VALUE | value_name = TranscodedImageCache_038 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\themes, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| REG | READ_VALUE | value_name = TranscodedImageCache_039 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\themes, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| REG | READ_VALUE | value_name = TranscodedImageCache_040 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\themes, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| REG | READ_VALUE | value_name = TranscodedImageCache_041 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\themes, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| REG | READ_VALUE | value_name = TranscodedImageCache_042 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\themes, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| REG | READ_VALUE | value_name = TranscodedImageCache_043 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\themes, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| REG | READ_VALUE | value_name = TranscodedImageCache_044 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\themes, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| REG | READ_VALUE | value_name = TranscodedImageCache_045 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\themes, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| REG | READ_VALUE | value_name = TranscodedImageCache_046 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\themes, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| REG | READ_VALUE | value_name = TranscodedImageCache_047 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\themes, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| REG | READ_VALUE | value_name = TranscodedImageCache_048 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\themes, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| REG | READ_VALUE | value_name = TranscodedImageCache_049 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\themes, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| REG | READ_VALUE | value_name = TranscodedImageCache_050 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\themes, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| REG | READ_VALUE | value_name = TranscodedImageCache_051 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\themes, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| REG | READ_VALUE | value_name = TranscodedImageCache_052 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\themes, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| REG | READ_VALUE | value_name = TranscodedImageCache_053 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\themes, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| REG | READ_VALUE | value_name = TranscodedImageCache_054 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\themes, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| REG | READ_VALUE | value_name = TranscodedImageCache_055 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\themes, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| REG | READ_VALUE | value_name = TranscodedImageCache_056 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\themes, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| REG | READ_VALUE | value_name = TranscodedImageCache_057 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\themes, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| REG | READ_VALUE | value_name = TranscodedImageCache_058 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\themes, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| REG | READ_VALUE | value_name = TranscodedImageCache_059 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\themes, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| REG | READ_VALUE | value_name = TranscodedImageCache_060 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\themes, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| REG | READ_VALUE | value_name = TranscodedImageCache_061 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\themes, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| REG | READ_VALUE | value_name = TranscodedImageCache_062 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\themes, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| REG | READ_VALUE | value_name = TranscodedImageCache_063 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\themes, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| REG | READ_VALUE | value_name = TranscodedImageCache_064 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\themes, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| REG | READ_VALUE | value_name = TranscodedImageCache_065 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\themes, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| REG | READ_VALUE | value_name = TranscodedImageCache_066 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\themes, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| REG | READ_VALUE | value_name = TranscodedImageCache_067 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\themes, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| REG | READ_VALUE | value_name = TranscodedImageCache_068 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\themes, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| REG | READ_VALUE | value_name = TranscodedImageCache_069 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\themes, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| REG | READ_VALUE | value_name = TranscodedImageCache_070 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\themes, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| REG | READ_VALUE | value_name = TranscodedImageCache_071 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\themes, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| REG | READ_VALUE | value_name = TranscodedImageCache_072 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\themes, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| REG | READ_VALUE | value_name = TranscodedImageCache_073 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\themes, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| REG | READ_VALUE | value_name = TranscodedImageCache_074 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\themes, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| REG | READ_VALUE | value_name = TranscodedImageCache_075 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\themes, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| REG | READ_VALUE | value_name = TranscodedImageCache_076 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\themes, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| REG | READ_VALUE | value_name = TranscodedImageCache_077 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\themes, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| REG | READ_VALUE | value_name = TranscodedImageCache_078 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\themes, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| REG | READ_VALUE | value_name = TranscodedImageCache_079 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\themes, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| REG | READ_VALUE | value_name = TranscodedImageCache_080 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\themes, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| REG | READ_VALUE | value_name = TranscodedImageCache_081 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\themes, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| REG | READ_VALUE | value_name = TranscodedImageCache_082 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\themes, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| REG | READ_VALUE | value_name = TranscodedImageCache_083 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\themes, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| REG | READ_VALUE | value_name = TranscodedImageCache_084 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\themes, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| REG | READ_VALUE | value_name = TranscodedImageCache_085 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\themes, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| REG | READ_VALUE | value_name = TranscodedImageCache_086 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\themes, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| REG | READ_VALUE | value_name = TranscodedImageCache_087 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\themes, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| REG | READ_VALUE | value_name = TranscodedImageCache_088 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\themes, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| REG | READ_VALUE | value_name = TranscodedImageCache_089 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\themes, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| REG | READ_VALUE | value_name = TranscodedImageCache_090 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\themes, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| REG | READ_VALUE | value_name = TranscodedImageCache_091 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\themes, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| REG | READ_VALUE | value_name = TranscodedImageCache_092 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\themes, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| REG | READ_VALUE | value_name = TranscodedImageCache_093 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\themes, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| REG | READ_VALUE | value_name = TranscodedImageCache_094 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\themes, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| REG | READ_VALUE | value_name = TranscodedImageCache_095 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\themes, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| REG | READ_VALUE | value_name = TranscodedImageCache_096 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\themes, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| REG | READ_VALUE | value_name = TranscodedImageCache_097 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\themes, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| REG | READ_VALUE | value_name = TranscodedImageCache_098 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\themes, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| REG | READ_VALUE | value_name = TranscodedImageCache_099 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\themes, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| REG | READ_VALUE | value_name = TranscodedImageCache_100 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\themes, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| REG | READ_VALUE | value_name = TranscodedImageCache_101 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\themes, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| REG | READ_VALUE | value_name = TranscodedImageCache_102 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\themes, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| REG | READ_VALUE | value_name = TranscodedImageCache_103 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\themes, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| REG | READ_VALUE | value_name = TranscodedImageCache_104 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\themes, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| REG | READ_VALUE | value_name = TranscodedImageCache_105 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\themes, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| REG | READ_VALUE | value_name = TranscodedImageCache_106 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\themes, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| REG | READ_VALUE | value_name = TranscodedImageCache_107 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\themes, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| REG | READ_VALUE | value_name = TranscodedImageCache_108 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\themes, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| REG | READ_VALUE | value_name = TranscodedImageCache_109 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\themes, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| REG | READ_VALUE | value_name = TranscodedImageCache_110 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\themes, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| REG | READ_VALUE | value_name = TranscodedImageCache_111 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\themes, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| REG | READ_VALUE | value_name = TranscodedImageCache_112 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\themes, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| REG | READ_VALUE | value_name = TranscodedImageCache_113 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\themes, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| REG | READ_VALUE | value_name = TranscodedImageCache_114 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\themes, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| REG | READ_VALUE | value_name = TranscodedImageCache_115 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\themes, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| REG | READ_VALUE | value_name = TranscodedImageCache_116 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\themes, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| REG | READ_VALUE | value_name = TranscodedImageCache_117 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\themes, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| REG | READ_VALUE | value_name = TranscodedImageCache_118 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\themes, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| REG | READ_VALUE | value_name = TranscodedImageCache_119 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\themes, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| REG | READ_VALUE | value_name = TranscodedImageCache_120 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\themes, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| REG | READ_VALUE | value_name = TranscodedImageCache_121 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\themes, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| REG | READ_VALUE | value_name = TranscodedImageCache_122 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\themes, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| REG | READ_VALUE | value_name = TranscodedImageCache_123 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\themes, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| REG | READ_VALUE | value_name = TranscodedImageCache_124 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\themes, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| REG | READ_VALUE | value_name = TranscodedImageCache_125 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\themes, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| REG | READ_VALUE | value_name = TranscodedImageCache_126 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\themes, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| REG | READ_VALUE | value_name = TranscodedImageCache_127 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\themes, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| REG | READ_VALUE | value_name = TranscodedImageCache_128 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\themes, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| REG | READ_VALUE | value_name = TranscodedImageCache_129 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\themes, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| REG | READ_VALUE | value_name = TranscodedImageCache_130 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\themes, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| REG | READ_VALUE | value_name = TranscodedImageCache_131 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\themes, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| REG | READ_VALUE | value_name = TranscodedImageCache_132 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\themes, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| REG | READ_VALUE | value_name = TranscodedImageCache_133 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\themes, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| REG | READ_VALUE | value_name = TranscodedImageCache_134 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\themes, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| REG | READ_VALUE | value_name = TranscodedImageCache_135 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\themes, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| REG | READ_VALUE | value_name = TranscodedImageCache_136 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\themes, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| REG | READ_VALUE | value_name = TranscodedImageCache_137 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\themes, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| REG | READ_VALUE | value_name = TranscodedImageCache_138 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\themes, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| REG | READ_VALUE | value_name = TranscodedImageCache_139 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\themes, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| REG | READ_VALUE | value_name = TranscodedImageCache_140 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\themes, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| REG | READ_VALUE | value_name = TranscodedImageCache_141 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\themes, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| REG | READ_VALUE | value_name = TranscodedImageCache_142 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\themes, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| REG | READ_VALUE | value_name = TranscodedImageCache_143 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\themes, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| REG | READ_VALUE | value_name = TranscodedImageCache_144 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\themes, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| REG | READ_VALUE | value_name = TranscodedImageCache_145 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\themes, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| REG | READ_VALUE | value_name = TranscodedImageCache_146 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\themes, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| REG | READ_VALUE | value_name = TranscodedImageCache_147 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\themes, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| REG | READ_VALUE | value_name = TranscodedImageCache_148 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\themes, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| REG | READ_VALUE | value_name = TranscodedImageCache_149 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\themes, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| REG | READ_VALUE | value_name = TranscodedImageCache_150 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\themes, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| REG | READ_VALUE | value_name = TranscodedImageCache_151 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\themes, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| REG | READ_VALUE | value_name = TranscodedImageCache_152 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\themes, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| REG | READ_VALUE | value_name = TranscodedImageCache_153 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\themes, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| REG | READ_VALUE | value_name = TranscodedImageCache_154 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\themes, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| REG | READ_VALUE | value_name = TranscodedImageCache_155 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\themes, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| REG | READ_VALUE | value_name = TranscodedImageCache_156 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\themes, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| REG | READ_VALUE | value_name = TranscodedImageCache_157 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\themes, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| REG | READ_VALUE | value_name = TranscodedImageCache_158 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\themes, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| REG | READ_VALUE | value_name = TranscodedImageCache_159 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\themes, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| REG | READ_VALUE | value_name = TranscodedImageCache_160 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\themes, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| REG | READ_VALUE | value_name = TranscodedImageCache_161 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\themes, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| REG | READ_VALUE | value_name = TranscodedImageCache_162 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\themes, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| REG | READ_VALUE | value_name = TranscodedImageCache_163 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\themes, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| REG | READ_VALUE | value_name = TranscodedImageCache_164 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\themes, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| REG | READ_VALUE | value_name = TranscodedImageCache_165 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\themes, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| REG | READ_VALUE | value_name = TranscodedImageCache_166 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\themes, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| REG | READ_VALUE | value_name = TranscodedImageCache_167 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\themes, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| REG | READ_VALUE | value_name = TranscodedImageCache_168 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\themes, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| REG | READ_VALUE | value_name = TranscodedImageCache_169 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\themes, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| REG | READ_VALUE | value_name = TranscodedImageCache_170 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\themes, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| REG | READ_VALUE | value_name = TranscodedImageCache_171 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\themes, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| REG | READ_VALUE | value_name = TranscodedImageCache_172 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\themes, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| REG | READ_VALUE | value_name = TranscodedImageCache_173 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\themes, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| REG | READ_VALUE | value_name = TranscodedImageCache_174 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\themes, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| REG | READ_VALUE | value_name = TranscodedImageCache_175 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\themes, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| REG | READ_VALUE | value_name = TranscodedImageCache_176 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\themes, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| REG | READ_VALUE | value_name = TranscodedImageCache_177 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\themes, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| REG | READ_VALUE | value_name = TranscodedImageCache_178 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\themes, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| REG | READ_VALUE | value_name = TranscodedImageCache_179 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\themes, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| REG | READ_VALUE | value_name = TranscodedImageCache_180 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\themes, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| REG | READ_VALUE | value_name = TranscodedImageCache_181 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\themes, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| REG | READ_VALUE | value_name = TranscodedImageCache_182 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\themes, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| REG | READ_VALUE | value_name = TranscodedImageCache_183 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\themes, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| REG | READ_VALUE | value_name = TranscodedImageCache_184 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\themes, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| REG | READ_VALUE | value_name = TranscodedImageCache_185 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\themes, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| REG | READ_VALUE | value_name = TranscodedImageCache_186 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\themes, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| REG | READ_VALUE | value_name = TranscodedImageCache_187 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\themes, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| REG | READ_VALUE | value_name = TranscodedImageCache_188 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\themes, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| REG | READ_VALUE | value_name = TranscodedImageCache_189 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\themes, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| REG | READ_VALUE | value_name = TranscodedImageCache_190 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\themes, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| REG | READ_VALUE | value_name = TranscodedImageCache_191 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\themes, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| REG | READ_VALUE | value_name = TranscodedImageCache_192 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\themes, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| REG | READ_VALUE | value_name = TranscodedImageCache_193 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\themes, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| REG | READ_VALUE | value_name = TranscodedImageCache_194 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\themes, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| REG | READ_VALUE | value_name = TranscodedImageCache_195 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\themes, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| REG | READ_VALUE | value_name = TranscodedImageCache_196 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\themes, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| REG | READ_VALUE | value_name = TranscodedImageCache_197 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\themes, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| REG | READ_VALUE | value_name = TranscodedImageCache_198 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\themes, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| REG | READ_VALUE | value_name = TranscodedImageCache_199 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\themes, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| REG | READ_VALUE | value_name = TranscodedImageCache_200 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\themes, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| REG | READ_VALUE | value_name = TranscodedImageCache_201 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\themes, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| REG | READ_VALUE | value_name = TranscodedImageCache_202 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\themes, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| REG | READ_VALUE | value_name = TranscodedImageCache_203 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\themes, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| REG | READ_VALUE | value_name = TranscodedImageCache_204 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\themes, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| REG | READ_VALUE | value_name = TranscodedImageCache_205 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\themes, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| REG | READ_VALUE | value_name = TranscodedImageCache_206 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\themes, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| REG | READ_VALUE | value_name = TranscodedImageCache_207 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\themes, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| REG | READ_VALUE | value_name = TranscodedImageCache_208 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\themes, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| REG | READ_VALUE | value_name = TranscodedImageCache_209 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\themes, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| REG | READ_VALUE | value_name = TranscodedImageCache_210 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\themes, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| REG | READ_VALUE | value_name = TranscodedImageCache_211 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\themes, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| REG | READ_VALUE | value_name = TranscodedImageCache_212 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\themes, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| REG | READ_VALUE | value_name = TranscodedImageCache_213 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\themes, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| REG | READ_VALUE | value_name = TranscodedImageCache_214 | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\config\systemprofile, desired_access = FILE_READ_DATA, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_CREATE, create_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, FILE_OPEN_REPARSE_POINT, ea_buffer = 0, ea_length = 0 | | 1 | ||
| For performance reasons, the remaining 840 entries are omitted. Click to download all 1840 entries as text file (2.56 MB). | ||||||
| Category | Operation | Information | Success | Amount | Logfile |
|---|---|---|---|---|---|
| FILE | CREATE | file_name = \device\deviceapi\cmapi, desired_access = GENERIC_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0 | | 1 | |
| REG | OPEN_KEY | reg_name = \Registry\Machine\Software\Microsoft\Windows\Windows Error Reporting\WMR | | 1 | |
| REG | READ_VALUE | reg_name = \Registry\Machine\Software\Microsoft\Windows\Windows Error Reporting\WMR, value_name = Disable | | 1 | |
| PROC | GET_INFO | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134 | | 1 | |
| REG | READ_VALUE | reg_name = \Registry\Machine\Software\Microsoft\Windows\Windows Error Reporting\WMR, value_name = SourcePath | | 1 | |
| REG | READ_VALUE | reg_name = \Registry\Machine\Software\Microsoft\Windows\Windows Error Reporting\WMR, value_name = DevicePath | | 1 | |
| MUTEX | CREATE | initial_owner = 0, desired_access = MUTEX_MODIFY_STATE, DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE | | 2 | |
| SYS | GET_INFO | type = SYSTEM_BASIC_INFORMATION | | 1 | |
| SYS | GET_INFO | type = SYSTEM_PROCESSOR_INFORMATION | | 1 | |
| PROC | GET_INFO | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134 | | 1 | |
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x470807 | | 2 | |
| FILE | CREATE | file_name = \device\mountpointmanager, desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0 | | 1 | |
| DRV | CONTROL | file_name = \device\mountpointmanager, control_code = 0x6d0034 | | 1 | |
| DRV | CONTROL | file_name = \device\mountpointmanager, control_code = 0x6d0034 | | 1 | |
| FILE | CREATE | file_name = \device\mountpointmanager, desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0 | | 1 | |
| DRV | CONTROL | file_name = \device\mountpointmanager, control_code = 0x6d0034 | | 1 | |
| DRV | CONTROL | file_name = \device\mountpointmanager, control_code = 0x6d0034 | | 1 | |
| FILE | CREATE | file_name = \device\mountpointmanager, desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0 | | 1 | |
| DRV | CONTROL | file_name = \device\mountpointmanager, control_code = 0x6d0034 | | 1 | |
| DRV | CONTROL | file_name = \device\mountpointmanager, control_code = 0x6d0034 | | 1 | |
| FILE | CREATE | file_name = \device\mountpointmanager, desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0 | | 1 | |
| DRV | CONTROL | file_name = \device\mountpointmanager, control_code = 0x6d0034 | | 1 | |
| DRV | CONTROL | file_name = \device\mountpointmanager, control_code = 0x6d0034 | | 1 | |
| FILE | CREATE | file_name = \device\mountpointmanager, desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0 | | 1 | |
| DRV | CONTROL | file_name = \device\mountpointmanager, control_code = 0x6d0034 | | 1 | |
| DRV | CONTROL | file_name = \device\mountpointmanager, control_code = 0x6d0034 | | 1 | |
| FILE | CREATE | file_name = \device\mountpointmanager, desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0 | | 1 | |
| DRV | CONTROL | file_name = \device\mountpointmanager, control_code = 0x6d0034 | | 1 | |
| DRV | CONTROL | file_name = \device\mountpointmanager, control_code = 0x6d0034 | | 1 | |
| PROC | GET_INFO | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134 | | 1 |
| Category | Operation | Information | Success | Amount | Logfile |
|---|---|---|---|---|---|
| FILE | OPEN | file_name = c:, desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_NON_DIRECTORY_FILE | | 1 | |
| FILE | OPEN | file_name = c:, desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, open_options = FILE_SYNCHRONOUS_IO_ALERT | | 1 | |
| DRV | CONTROL | file_name = c:, control_code = 0x4d0008 | | 1 | |
| FILE | CREATE | file_name = \device\mountpointmanager, desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0 | | 1 | |
| DRV | CONTROL | file_name = \device\mountpointmanager, control_code = 0x6d0008 | | 1 | |
| DRV | CONTROL | file_name = \device\mountpointmanager, control_code = 0x6d0008 | | 1 | |
| FILE | OPEN | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}, desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_NON_DIRECTORY_FILE | | 1 | |
| FILE | OPEN | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}, desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, open_options = FILE_SYNCHRONOUS_IO_ALERT | | 1 | |
| DRV | CONTROL | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}, control_code = 0x4d0008 | | 1 | |
| FILE | CREATE | file_name = \device\mountpointmanager, desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0 | | 1 | |
| DRV | CONTROL | file_name = \device\mountpointmanager, control_code = 0x6d0008 | | 1 | |
| DRV | CONTROL | file_name = \device\mountpointmanager, control_code = 0x6d0008 | | 1 |
| Information | Value |
|---|---|
| ID / OS PID | #17 / 0x298 |
| OS Parent PID | 0x278 (\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\winpeshl.exe) |
| Initial Working Directory | X:\windows\system32 |
| File Name | \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\sources\recovery\recenv.exe |
| Command Line | X:\sources\recovery\recenv.exe |
| Monitor | Start Time: 00:01:55, Reason: Child Process |
| Unmonitor | End Time: 00:02:07, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:12 |
| OS Thread IDs | #123 0x29C #126 0x2A8 |
| Injection Type | Source Process | Source Os Thread ID | Injection Info | Success | Amount | Logfile |
|---|---|---|---|---|---|---|
| Modify Memory | \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\winpeshl.exe | 0x27c | address = 0xe5e5420000, size = 4704 | | 1 | |
| Modify Memory | \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\winpeshl.exe | 0x27c | address = 0x7ff72999c2d8, size = 8 | | 1 | |
| Modify Memory | \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe | 0x1e8 | No corresponding api call detected. Probably injected code via shellcode. | | 1 | |
| Modify Memory | \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe | 0x1e8 | No corresponding api call detected. Probably injected code via shellcode. | | 1 | |
| Modify Memory | \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe | 0x1e8 | address = 0xd9cbf90000, size = 12288 | | 1 | |
| Modify Memory | \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe | 0x1e8 | No corresponding api call detected. Probably injected code via shellcode. | | 1 |
| Category | Operation | Information | Success | Amount | Logfile |
|---|---|---|---|---|---|
| SYS | GET_INFO | type = SYSTEM_CURRENT_TIME_ZONE_INFORMATION | | 1 | |
| SYS | GET_INFO | type = SYSTEM_BASIC_INFORMATION | | 2 | |
| REG | OPEN_KEY | reg_name = \Registry\MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide | | 1 | |
| REG | READ_VALUE | reg_name = \Registry\MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide, value_name = PreferExternalManifest | | 1 | |
| FILE | OPEN | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\reagent.dll, desired_access = FILE_READ_DATA, FILE_READ_EA, FILE_READ_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_NON_DIRECTORY_FILE | | 1 | |
| REG | OPEN_KEY | reg_name = \Registry\MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide | | 1 | |
| REG | READ_VALUE | reg_name = \Registry\MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide, value_name = PreferExternalManifest | | 1 | |
| FILE | OPEN | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\newdev.dll, desired_access = FILE_READ_DATA, FILE_READ_EA, FILE_READ_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_NON_DIRECTORY_FILE | | 1 | |
| REG | OPEN_KEY | reg_name = \Registry\Machine\System\CurrentControlSet\Control\Nls\Sorting\Versions | | 1 | |
| REG | READ_VALUE | reg_name = \Registry\Machine\System\CurrentControlSet\Control\Nls\Sorting\Versions, value_name = 987393678784 | | 1 | |
| SYS | GET_INFO | type = SYSTEM_BASIC_INFORMATION | | 1 | |
| MOD | GET_HANDLE | module_name = X:\windows\system32\IMM32.DLL | | 2 | |
| SYS | GET_INFO | type = SYSTEM_BASIC_INFORMATION | | 1 | |
| REG | OPEN_KEY | reg_name = \Registry\Machine\System\CurrentControlSet\Control\Error Message Instrument\ | | 1 | |
| REG | OPEN_KEY | reg_name = \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize | | 1 | |
| REG | READ_VALUE | file_name = STD_OUTPUT_HANDLE, value_name = DisableMetaFiles | | 1 | |
| PROC | GET_INFO | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134 | | 1 | |
| REG | READ_VALUE | value_name = LoadAppInit_DLLs | | 1 | |
| FILE | OPEN | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\windowsshell.manifest, desired_access = FILE_READ_DATA, FILE_READ_EA, FILE_EXECUTE, FILE_READ_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_NON_DIRECTORY_FILE | | 1 | |
| MOD | CREATE_MAPPING | module_name = Nameless FileMapping, file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\windowsshell.manifest, maximum_size = 0, protection = PAGE_READONLY | | 1 | |
| MOD | MAP | module_name = Nameless FileMapping, process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134, address = 0xe5e6d40000 | | 1 | |
| REG | OPEN_KEY | reg_name = \Registry\MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide | | 1 | |
| REG | READ_VALUE | reg_name = \Registry\MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide, value_name = PreferExternalManifest | | 1 | |
| MOD | UNMAP | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134, base_address = 0xe5e6d40000 | | 1 | |
| MOD | GET_HANDLE | module_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\sources\recovery\recenv.exe | | 1 | |
| MOD | GET_HANDLE | module_name = LPK.dll | | 1 | |
| MOD | GET_HANDLE | module_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\sources\recovery\recenv.exe | | 1 | |
| MOD | GET_HANDLE | module_name = GDI32.dll | | 1 | |
| MOD | GET_PROC_ADDRESS | address_out = 0x7ffb71bf7350 | | 1 | |
| REG | READ_VALUE | module_name = Nameless FileMapping, value_name = PageAllocatorUseSystemHeap | | 1 | |
| REG | READ_VALUE | module_name = Nameless FileMapping, value_name = PageAllocatorSystemHeapIsPrivate | | 1 | |
| REG | READ_VALUE | module_name = Nameless FileMapping, value_name = AggressiveMTATesting | | 1 | |
| SYS | GET_INFO | type = SYSTEM_BASIC_INFORMATION | | 1 | |
| SYS | GET_INFO | type = SYSTEM_PROCESSOR_INFORMATION | | 1 | |
| PROC | GET_INFO | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134 | | 1 | |
| MOD | GET_HANDLE | module_name = rpcrt4.dll | | 1 | |
| MOD | GET_HANDLE | module_name = X:\windows\system32\oleaut32.dll | | 1 | |
| PROC | GET_INFO | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134 | | 1 | |
| MOD | GET_HANDLE | module_name = ext-ms-win-ole32-oleautomation-l1-1-0.dll | | 1 | |
| REG | OPEN_KEY | | 1 | ||
| FILE | CREATE | file_name = \device\deviceapi\cmapi, desired_access = GENERIC_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0 | | 1 | |
| REG | OPEN_KEY | reg_name = \Registry\Machine\Software\Microsoft\Windows\Windows Error Reporting\WMR | | 1 | |
| REG | READ_VALUE | reg_name = \Registry\Machine\Software\Microsoft\Windows\Windows Error Reporting\WMR, value_name = Disable | | 1 | |
| PROC | GET_INFO | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134 | | 1 | |
| REG | READ_VALUE | reg_name = \Registry\Machine\Software\Microsoft\Windows\Windows Error Reporting\WMR, value_name = SourcePath | | 1 | |
| REG | READ_VALUE | reg_name = \Registry\Machine\Software\Microsoft\Windows\Windows Error Reporting\WMR, value_name = DevicePath | | 1 | |
| REG | OPEN_KEY | reg_name = \Registry\Machine\System\CurrentControlSet\Control\Nls\CustomLocale | | 1 | |
| REG | READ_VALUE | reg_name = \Registry\Machine\System\CurrentControlSet\Control\Nls\CustomLocale, value_name = en-US | | 1 | |
| REG | OPEN_KEY | reg_name = \Registry\Machine\System\CurrentControlSet\Control\Nls\ExtendedLocale | | 1 | |
| REG | READ_VALUE | reg_name = \Registry\Machine\System\CurrentControlSet\Control\Nls\ExtendedLocale, value_name = en-US | | 1 | |
| MUTEX | CREATE | initial_owner = 0, desired_access = MUTEX_MODIFY_STATE, DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE | | 2 | |
| SYS | GET_INFO | type = SYSTEM_BASIC_INFORMATION | | 1 | |
| SYS | GET_INFO | type = SYSTEM_PROCESSOR_INFORMATION | | 1 | |
| PROC | GET_INFO | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134 | | 1 | |
| MUTEX | CREATE | | 1 | ||
| MUTEX | CREATE | initial_owner = 0, desired_access = MUTEX_MODIFY_STATE, DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE | | 1 | |
| REG | OPEN_KEY | | 1 | ||
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = SystemSetupInProgress | | 1 | |
| PROC | GET_INFO | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134 | | 1 | |
| MOD | GET_HANDLE | module_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\sources\recovery\recenv.exe | | 1 | |
| MOD | GET_HANDLE | module_name = advapi32.dll | | 1 | |
| MOD | GET_PROC_ADDRESS | address_out = 0x7ffb741751c0 | | 1 | |
| MOD | GET_PROC_ADDRESS | address_out = 0x7ffb7413b300 | | 1 | |
| MOD | GET_PROC_ADDRESS | address_out = 0x7ffb7413c360 | | 1 | |
| MOD | GET_HANDLE | module_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\sources\recovery\recenv.exe | | 1 | |
| MOD | GET_HANDLE | module_name = ntdll.dll | | 1 | |
| MOD | GET_PROC_ADDRESS | address_out = 0x7ffb7413b300 | | 1 | |
| MOD | GET_PROC_ADDRESS | address_out = 0x7ffb7413c360 | | 1 | |
| MOD | GET_PROC_ADDRESS | address_out = 0x7ffb74175650 | | 1 | |
| MOD | GET_PROC_ADDRESS | address_out = 0x7ffb741751c0 | | 1 | |
| REG | OPEN_KEY | | 1 | ||
| MOD | LOAD | module_name = rpcrt4.dll, base_address = 0x0 | | 1 | |
| SYS | GET_INFO | type = SYSTEM_BASIC_INFORMATION | | 1 | |
| REG | READ_VALUE | value_name = MaxRpcSize | | 1 | |
| REG | OPEN_KEY | reg_name = \Registry\Machine\System\CurrentControlSet\Control\ComputerName\ActiveComputerName | | 1 | |
| REG | READ_VALUE | reg_name = \Registry\Machine\System\CurrentControlSet\Control\ComputerName\ActiveComputerName, value_name = ComputerName | | 1 | |
| REG | OPEN_KEY | reg_name = \Registry\Machine\System\Setup | | 1 | |
| REG | READ_VALUE | reg_name = \Registry\Machine\System\Setup, value_name = OOBEInProgress | | 1 | |
| REG | OPEN_KEY | reg_name = \Registry\Machine\System\Setup | | 1 | |
| REG | READ_VALUE | reg_name = \Registry\Machine\System\Setup, value_name = SystemSetupInProgress | | 1 | |
| SYS | GET_INFO | | 1 | ||
| PROC | GET_INFO | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134 | | 1 | |
| PROC | GET_INFO | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134 | | 1 | |
| REG | READ_VALUE | value_name = IdleTimerWindow | | 1 | |
| THREAD | CREATE | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134, proc_address = 0x7ff729ece3c4, desired_access = THREAD_ALL_ACCESS | | 1 | |
| USER | SET_PRIVILEGE | server_name = Localhost, privilege = SeRestorePrivilege, enable_privilege = 1 | | 1 | |
| REG | OPEN_KEY | | 1 | ||
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = SetComputerName | | 1 | |
| REG | CREATE_KEY | | 1 | ||
| REG | CREATE_KEY | reg_name = System\CurrentControlSet\Services\Tcpip\Parameters | | 1 | |
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 2 | ||
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = QueryAdapterName | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | reg_name = System\CurrentControlSet\Services\Tcpip\Parameters, value_name = DisableAdapterDomainName | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = UseDomainNameDevolution | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | reg_name = System\CurrentControlSet\Services\Tcpip\Parameters, value_name = UseDomainNameDevolution | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = DomainNameDevolutionLevel | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = PrioritizeRecordData | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | reg_name = System\CurrentControlSet\Services\Tcpip\Parameters, value_name = PrioritizeRecordData | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = AllowUnqualifiedQuery | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | reg_name = System\CurrentControlSet\Services\Tcpip\Parameters, value_name = AllowUnqualifiedQuery | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = AppendToMultiLabelName | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = ScreenBadTlds | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = ScreenUnreachableServers | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = ScreenDefaultServers | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = DynamicServerQueryOrder | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = FilterClusterIp | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = WaitForNameErrorOnAll | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = UseEdns | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = DnsSecureNameQueryFallback | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = EnableDAForAllNetworks | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = DirectAccessQueryOrder | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = QueryIpMatching | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = UseHostsFile | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = AddrConfigControl | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = DisableSmartNameResolution | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = PreferLocalOverLowerBindingDNS | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = QueryNetBTFQDN | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = DisableSmartProtocolReordering | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = UdpRecvBufferSize | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = DisableParallelAandAAAA | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = DisableCoalescing | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = FilterVPNTrigger | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = RegistrationEnabled | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | reg_name = System\CurrentControlSet\Services\Tcpip\Parameters, value_name = DisableDynamicUpdate | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = RegisterPrimaryName | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = RegisterAdapterName | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | reg_name = System\CurrentControlSet\Services\Tcpip\Parameters, value_name = EnableAdapterDomainNameRegistration | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = RegisterReverseLookup | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | reg_name = System\CurrentControlSet\Services\Tcpip\Parameters, value_name = DisableReverseAddressRegistrations | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = RegisterWanAdapters | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | reg_name = System\CurrentControlSet\Services\Tcpip\Parameters, value_name = DisableWanDynamicUpdate | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = RegistrationTtl | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | reg_name = System\CurrentControlSet\Services\Tcpip\Parameters, value_name = DefaultRegistrationTTL | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = RegistrationRefreshInterval | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | reg_name = System\CurrentControlSet\Services\Tcpip\Parameters, value_name = DefaultRegistrationRefreshInterval | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = RegistrationMaxAddressCount | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | reg_name = System\CurrentControlSet\Services\Tcpip\Parameters, value_name = MaxNumberOfAddressesToRegister | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = UpdateSecurityLevel | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | reg_name = System\CurrentControlSet\Services\Tcpip\Parameters, value_name = UpdateSecurityLevel | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = UpdateTopLevelDomainZones | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = DowncaseSpnCauseApiOwnerIsTooLazy | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = RegistrationOverwrite | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = MaxCacheSize | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = MaxCacheTtl | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = MaxNegativeCacheTtl | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = AdapterTimeoutLimit | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = ServerPriorityTimeLimit | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = MaxCachedSockets | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = DisableServerUnreachability | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = EnableMulticast | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = MulticastResponderFlags | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = MulticastSenderFlags | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = MulticastSenderMaxTimeout | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = DnsTest | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = UseCompartments | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = CacheAllCompartments | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = UseNewRegistration | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = ResolverRegistration | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = ResolverRegistrationOnly | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = NewDhcpSrvRegistration | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = DirectAccessPreferLocal | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = DisableIdnEncoding | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = EnableIdnMapping | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = TestMode_AdaptiveTimeoutHistoryLength | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = TestMode_AdaptiveTimeoutRecalculationInterval | | 1 | |
| REG | OPEN_KEY | | 1 | ||
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = SystemSetupInProgress | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = DnsQueryTimeouts | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | reg_name = System\CurrentControlSet\Services\Tcpip\Parameters, value_name = DnsQueryTimeouts | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = DnsQuickQueryTimeouts | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | reg_name = System\CurrentControlSet\Services\Tcpip\Parameters, value_name = DnsQuickQueryTimeouts | | 1 | |
| MUTEX | CREATE | | 1 | ||
| MUTEX | CREATE | mutex_name = WinPEProfilingMutex, initial_owner = 0, desired_access = MUTEX_MODIFY_STATE, DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE | | 1 | |
| SVC | OPEN_MGR | database_name = SERVICES_ACTIVE_DATABASE, host = Localhost | | 1 | |
| SVC | OPEN | | 1 | ||
| PROC | GET_INFO | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134 | | 1 | |
| REG | READ_VALUE | value_name = SQMServiceList | | 1 | |
| SVC | SET_CONFIG | | 1 |
| Category | Operation | Information | Success | Amount | Logfile |
|---|---|---|---|---|---|
| MOD | LOAD | module_name = ntdll.dll, base_address = 0x0 | | 1 | |
| REG | OPEN_KEY | reg_name = \REGISTRY\MACHINE | | 1 | |
| REG | OPEN_KEY | reg_name = \REGISTRY\MACHINE\System\Setup | | 1 | |
| REG | READ_VALUE | reg_name = \REGISTRY\MACHINE\System\Setup, value_name = SystemSetupInProgress | | 1 | |
| REG | OPEN_KEY | reg_name = \REGISTRY\MACHINE | | 1 | |
| REG | OPEN_KEY | reg_name = \REGISTRY\MACHINE\SYSTEM\CurrentControlSet\Control\MiniNT | | 1 | |
| REG | OPEN_KEY | reg_name = \REGISTRY\MACHINE | | 1 | |
| REG | OPEN_KEY | reg_name = \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Setup | | 1 | |
| REG | READ_VALUE | reg_name = \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Setup, value_name = MinimizeFootprint | | 1 | |
| REG | OPEN_KEY | reg_name = \REGISTRY\MACHINE | | 1 | |
| REG | OPEN_KEY | reg_name = \REGISTRY\MACHINE\Software\Microsoft\EmbeddedNT\Security | | 1 | |
| MUTEX | CREATE | initial_owner = 0, desired_access = MUTEX_MODIFY_STATE, DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE | | 1 | |
| MUTEX | CREATE | | 1 | ||
| MUTEX | CREATE | initial_owner = 0, desired_access = MUTEX_MODIFY_STATE, DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE | | 1 | |
| SYS | SLEEP | | 1 | ||
| SYS | SLEEP | duration = 1 milliseconds (0.001 seconds) | | 1 | |
| MUTEX | RELEASE | | 1 | ||
| SYS | SLEEP | duration = 1 milliseconds (0.001 seconds) | | 1 | |
| SYS | SLEEP | | 1 | ||
| SYS | SLEEP | duration = 1 milliseconds (0.001 seconds) | | 1 | |
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x470803 | | 1 | |
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x470843 | | 1 | |
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x470813 | | 1 | |
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x470843 | | 1 | |
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x470813 | | 1 | |
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x470843 | | 1 | |
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x470813 | | 1 | |
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x470843 | | 1 | |
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x470813 | | 1 | |
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x470843 | | 1 | |
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x470813 | | 1 | |
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x470843 | | 1 | |
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x470813 | | 1 | |
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x470843 | | 1 | |
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x470813 | | 1 | |
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x470843 | | 1 | |
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x470813 | | 1 | |
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x470843 | | 1 | |
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x470813 | | 1 | |
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x470843 | | 1 | |
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x470813 | | 1 | |
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x470843 | | 1 | |
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x470813 | | 1 | |
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x470843 | | 1 | |
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x470813 | | 1 | |
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x470843 | | 1 | |
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x470813 | | 1 | |
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x470843 | | 1 | |
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x470813 | | 1 | |
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x470843 | | 1 | |
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x470813 | | 1 | |
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x470843 | | 1 | |
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x470813 | | 1 | |
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x470843 | | 1 | |
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x470813 | | 1 | |
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x470843 | | 1 | |
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x470813 | | 1 | |
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x470843 | | 1 | |
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x470813 | | 1 | |
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x470843 | | 1 | |
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x470813 | | 1 | |
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x470843 | | 1 | |
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x470813 | | 1 | |
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x470843 | | 1 | |
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x470813 | | 1 | |
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x470843 | | 1 | |
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x470813 | | 1 | |
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x470843 | | 1 | |
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x470813 | | 1 | |
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x470843 | | 1 | |
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x470813 | | 1 | |
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x470843 | | 1 | |
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x470813 | | 1 | |
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x470843 | | 1 | |
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x470813 | | 1 | |
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x470843 | | 1 | |
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x470813 | | 1 | |
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x470843 | | 1 | |
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x470813 | | 1 | |
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x470843 | | 1 | |
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x470813 | | 1 | |
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x470843 | | 1 | |
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x470813 | | 1 | |
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x470843 | | 1 | |
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x470813 | | 1 | |
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x470843 | | 1 | |
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x470813 | | 1 | |
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x470843 | | 1 | |
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x470813 | | 1 | |
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x470843 | | 1 | |
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x470813 | | 1 | |
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x470843 | | 1 | |
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x470813 | | 1 | |
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x470843 | | 1 | |
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x470813 | | 1 | |
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x470843 | | 1 | |
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x470813 | | 1 | |
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x470843 | | 1 | |
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x470813 | | 1 | |
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x470843 | | 1 | |
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x470813 | | 1 | |
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x470843 | | 1 | |
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x470813 | | 1 | |
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x470843 | | 1 | |
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x470813 | | 1 | |
| MUTEX | RELEASE | | 1 | ||
| SYS | SLEEP | duration = 1 milliseconds (0.001 seconds) | | 1 | |
| SYS | SLEEP | | 1 | ||
| SYS | SLEEP | duration = 1 milliseconds (0.001 seconds) | | 1 | |
| MUTEX | RELEASE | | 1 | ||
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x470827 | | 1 | |
| SYS | SLEEP | duration = 1 milliseconds (0.001 seconds) | | 1 | |
| SYS | SLEEP | | 1 | ||
| SYS | SLEEP | duration = 1 milliseconds (0.001 seconds) | | 1 | |
| MUTEX | RELEASE | | 1 | ||
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x470827 | | 1 | |
| SYS | SLEEP | duration = 1 milliseconds (0.001 seconds) | | 1 | |
| SYS | SLEEP | | 1 | ||
| SYS | SLEEP | duration = 1 milliseconds (0.001 seconds) | | 1 | |
| MUTEX | RELEASE | | 1 | ||
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x470827 | | 1 | |
| SYS | SLEEP | duration = 1 milliseconds (0.001 seconds) | | 1 | |
| SYS | SLEEP | | 1 | ||
| SYS | SLEEP | duration = 1 milliseconds (0.001 seconds) | | 1 | |
| MUTEX | RELEASE | | 1 | ||
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x470827 | | 1 | |
| SYS | SLEEP | duration = 1 milliseconds (0.001 seconds) | | 1 | |
| SYS | SLEEP | | 1 | ||
| SYS | SLEEP | duration = 1 milliseconds (0.001 seconds) | | 1 | |
| MUTEX | RELEASE | | 1 | ||
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x470827 | | 1 | |
| SYS | SLEEP | duration = 1 milliseconds (0.001 seconds) | | 1 | |
| SYS | SLEEP | | 1 | ||
| SYS | SLEEP | duration = 1 milliseconds (0.001 seconds) | | 1 | |
| MUTEX | RELEASE | | 1 | ||
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x470827 | | 1 | |
| SYS | SLEEP | duration = 1 milliseconds (0.001 seconds) | | 1 | |
| SYS | SLEEP | | 1 | ||
| SYS | SLEEP | duration = 1 milliseconds (0.001 seconds) | | 1 | |
| MUTEX | RELEASE | | 1 | ||
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x470827 | | 1 | |
| SYS | SLEEP | duration = 1 milliseconds (0.001 seconds) | | 1 | |
| SYS | SLEEP | | 1 | ||
| SYS | SLEEP | duration = 1 milliseconds (0.001 seconds) | | 1 | |
| MUTEX | RELEASE | | 1 | ||
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x470827 | | 1 | |
| SYS | SLEEP | duration = 1 milliseconds (0.001 seconds) | | 1 | |
| SYS | SLEEP | | 1 | ||
| SYS | SLEEP | duration = 1 milliseconds (0.001 seconds) | | 1 | |
| MUTEX | RELEASE | | 1 | ||
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x470827 | | 1 | |
| SYS | SLEEP | duration = 1 milliseconds (0.001 seconds) | | 1 | |
| SYS | SLEEP | | 1 | ||
| SYS | SLEEP | duration = 1 milliseconds (0.001 seconds) | | 1 | |
| MUTEX | RELEASE | | 1 | ||
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x470827 | | 1 | |
| SYS | SLEEP | duration = 1 milliseconds (0.001 seconds) | | 1 | |
| SYS | SLEEP | | 1 | ||
| SYS | SLEEP | duration = 1 milliseconds (0.001 seconds) | | 1 | |
| MUTEX | RELEASE | | 1 | ||
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x470827 | | 1 | |
| SYS | SLEEP | duration = 1 milliseconds (0.001 seconds) | | 1 | |
| SYS | SLEEP | | 1 | ||
| SYS | SLEEP | duration = 1 milliseconds (0.001 seconds) | | 1 | |
| MUTEX | RELEASE | | 1 | ||
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x470827 | | 1 | |
| SYS | SLEEP | duration = 1 milliseconds (0.001 seconds) | | 1 | |
| SYS | SLEEP | | 1 | ||
| SYS | SLEEP | duration = 1 milliseconds (0.001 seconds) | | 1 | |
| MUTEX | RELEASE | | 1 | ||
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x470827 | | 1 | |
| SYS | SLEEP | duration = 1 milliseconds (0.001 seconds) | | 1 | |
| SYS | SLEEP | | 1 | ||
| SYS | SLEEP | duration = 1 milliseconds (0.001 seconds) | | 1 | |
| MUTEX | RELEASE | | 1 | ||
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x470827 | | 1 | |
| SYS | SLEEP | duration = 1 milliseconds (0.001 seconds) | | 1 | |
| SYS | SLEEP | | 1 | ||
| SYS | SLEEP | duration = 1 milliseconds (0.001 seconds) | | 1 | |
| MUTEX | RELEASE | | 1 | ||
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x470827 | | 1 | |
| SYS | SLEEP | | 1 | ||
| SYS | SLEEP | duration = 1 milliseconds (0.001 seconds) | | 1 | |
| MUTEX | RELEASE | | 1 | ||
| SYS | SLEEP | duration = 1 milliseconds (0.001 seconds) | | 2 | |
| SYS | SLEEP | | 1 | ||
| SYS | SLEEP | duration = 1 milliseconds (0.001 seconds) | | 1 | |
| MUTEX | RELEASE | | 1 | ||
| REG | OPEN_KEY | reg_name = \REGISTRY\MACHINE | | 1 | |
| REG | OPEN_KEY | reg_name = \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Setup | | 1 | |
| REG | READ_VALUE | reg_name = \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Setup, value_name = LogLevel | | 1 | |
| REG | READ_VALUE | reg_name = \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Setup, value_name = LogMask | | 1 | |
| REG | READ_VALUE | reg_name = \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Setup, value_name = LogMaxFileSize | | 1 | |
| SYS | SLEEP | | 1 | ||
| SYS | SLEEP | duration = 1 milliseconds (0.001 seconds) | | 1 | |
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x470813 | | 1 | |
| MUTEX | RELEASE | | 1 | ||
| SYS | SLEEP | | 1 | ||
| SYS | SLEEP | duration = 1 milliseconds (0.001 seconds) | | 1 | |
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x470813 | | 1 | |
| MUTEX | RELEASE | | 1 | ||
| REG | READ_VALUE | reg_name = \Registry\Machine\System\CurrentControlSet\Control\Nls\Sorting\Versions, value_name = 000602xx | | 1 | |
| MOD | LOAD | module_name = kernel32.dll, base_address = 0x0 | | 1 | |
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\globalization\sorting\sortdefault.nls, desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, create_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_NON_DIRECTORY_FILE, ea_buffer = 0, ea_length = 0 | | 1 | |
| MOD | CREATE_MAPPING | module_name = Nameless FileMapping, file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\globalization\sorting\sortdefault.nls, maximum_size = 0, protection = PAGE_READONLY | | 1 | |
| MOD | MAP | module_name = Nameless FileMapping, process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134, address = 0xe5e6e60000 | | 1 | |
| REG | OPEN_KEY | reg_name = \Registry\Machine\System\CurrentControlSet\Control\Nls\Sorting\Ids | | 1 | |
| REG | READ_VALUE | reg_name = \Registry\Machine\System\CurrentControlSet\Control\Nls\Sorting\Ids, value_name = en-US | | 1 | |
| REG | READ_VALUE | reg_name = \Registry\Machine\System\CurrentControlSet\Control\Nls\Sorting\Ids, value_name = en | | 1 | |
| REG | OPEN_KEY | reg_name = \REGISTRY\MACHINE | | 1 | |
| REG | OPEN_KEY | reg_name = \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows\DeviceInstall | | 1 | |
| SYS | SLEEP | duration = 1 milliseconds (0.001 seconds) | | 1 | |
| SYS | SLEEP | | 1 | ||
| SYS | SLEEP | duration = 1 milliseconds (0.001 seconds) | | 1 | |
| DRV | CONTROL | file_name = \device\deviceapi\cmapi, control_code = 0x470813 | | 1 | |
| MUTEX | RELEASE | | 1 | ||
| SYS | SLEEP | duration = 1 milliseconds (0.001 seconds) | | 1 | |
| MUTEX | CREATE | | 1 | ||
| MUTEX | CREATE | initial_owner = 0, desired_access = MUTEX_MODIFY_STATE, DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE | | 1 | |
| MUTEX | CREATE | | 1 | ||
| MUTEX | CREATE | initial_owner = 0, desired_access = MUTEX_MODIFY_STATE, DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE | | 1 | |
| MUTEX | CREATE | | 1 | ||
| MUTEX | CREATE | initial_owner = 0, desired_access = MUTEX_MODIFY_STATE, DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE | | 1 | |
| MUTEX | CREATE | | 1 | ||
| MUTEX | CREATE | initial_owner = 0, desired_access = MUTEX_MODIFY_STATE, DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE | | 1 | |
| REG | OPEN_KEY | reg_name = Control Panel\International | | 1 | |
| REG | READ_VALUE | reg_name = Control Panel\International | | 1 | |
| REG | READ_VALUE | reg_name = Control Panel\International | | 1 | |
| REG | READ_VALUE | reg_name = Control Panel\International, value_name = sCurrencyOverride | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| FILE | OPEN | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\, desired_access = FILE_READ_DATA, SYNCHRONIZE, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE, open_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x47086b | | 1 | |
| PROC | GET_INFO | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134 | | 1 | |
| FILE | OPEN | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\, desired_access = FILE_READ_DATA, SYNCHRONIZE, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE, open_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT | | 1 | |
| PROC | GET_INFO | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134 | | 1 | |
| FILE | CREATE | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\apps.inf, desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, create_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_NON_DIRECTORY_FILE, ea_buffer = 0, ea_length = 0 | | 1 | |
| MOD | CREATE_MAPPING | module_name = Nameless FileMapping | | 1 | |
| MOD | CREATE_MAPPING | module_name = Nameless FileMapping, file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\apps.inf, maximum_size = 987420871104, protection = PAGE_READONLY | | 1 | |
| MOD | MAP | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\sources\recovery\recenv.exe, os_pid = 0x298, address = 0xe5e6df0000 | | 1 | |
| MOD | MAP | module_name = Nameless FileMapping, process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134, address = 0xe5e6df0000 | | 1 | |
| MOD | UNMAP | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\sources\recovery\recenv.exe, os_pid = 0x298 | | 1 | |
| MUTEX | CREATE | | 1 | ||
| MUTEX | CREATE | initial_owner = 0, desired_access = MUTEX_MODIFY_STATE, DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE | | 1 | |
| SYS | SLEEP | | 1 | ||
| SYS | SLEEP | duration = 1 milliseconds (0.001 seconds) | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x47086b | | 1 | |
| PROC | GET_INFO | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134 | | 1 | |
| FILE | OPEN | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\, desired_access = FILE_READ_DATA, SYNCHRONIZE, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE, open_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT | | 1 | |
| PROC | GET_INFO | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134 | | 1 | |
| FILE | CREATE | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\defltbase.inf, desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, create_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_NON_DIRECTORY_FILE, ea_buffer = 0, ea_length = 0 | | 1 | |
| MOD | CREATE_MAPPING | module_name = Nameless FileMapping | | 1 | |
| MOD | CREATE_MAPPING | module_name = Nameless FileMapping, file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\defltbase.inf, maximum_size = 987420871104, protection = PAGE_READONLY | | 1 | |
| MOD | MAP | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\sources\recovery\recenv.exe, os_pid = 0x298, address = 0xe5e6df0000 | | 1 | |
| MOD | MAP | module_name = Nameless FileMapping, process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134, address = 0xe5e6df0000 | | 1 | |
| MOD | UNMAP | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\sources\recovery\recenv.exe, os_pid = 0x298 | | 1 | |
| MUTEX | CREATE | | 1 | ||
| MUTEX | CREATE | initial_owner = 0, desired_access = MUTEX_MODIFY_STATE, DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE | | 1 | |
| SYS | SLEEP | | 1 | ||
| SYS | SLEEP | duration = 1 milliseconds (0.001 seconds) | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x47086b | | 1 | |
| PROC | GET_INFO | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134 | | 1 | |
| FILE | OPEN | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\, desired_access = FILE_READ_DATA, SYNCHRONIZE, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE, open_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT | | 1 | |
| PROC | GET_INFO | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134 | | 1 | |
| FILE | CREATE | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\defltwk.inf, desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, create_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_NON_DIRECTORY_FILE, ea_buffer = 0, ea_length = 0 | | 1 | |
| MOD | CREATE_MAPPING | module_name = Nameless FileMapping | | 1 | |
| MOD | CREATE_MAPPING | module_name = Nameless FileMapping, file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\defltwk.inf, maximum_size = 987420871104, protection = PAGE_READONLY | | 1 | |
| MOD | MAP | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\sources\recovery\recenv.exe, os_pid = 0x298, address = 0xe5e6df0000 | | 1 | |
| MOD | MAP | module_name = Nameless FileMapping, process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134, address = 0xe5e6df0000 | | 1 | |
| MOD | UNMAP | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\sources\recovery\recenv.exe, os_pid = 0x298 | | 1 | |
| MUTEX | CREATE | | 1 | ||
| MUTEX | CREATE | initial_owner = 0, desired_access = MUTEX_MODIFY_STATE, DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE | | 1 | |
| SYS | SLEEP | | 1 | ||
| SYS | SLEEP | duration = 1 milliseconds (0.001 seconds) | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x47086b | | 1 | |
| PROC | GET_INFO | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134 | | 1 | |
| FILE | OPEN | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\, desired_access = FILE_READ_DATA, SYNCHRONIZE, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE, open_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT | | 1 | |
| PROC | GET_INFO | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134 | | 1 | |
| FILE | CREATE | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\dwup.inf, desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, create_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_NON_DIRECTORY_FILE, ea_buffer = 0, ea_length = 0 | | 1 | |
| MOD | CREATE_MAPPING | module_name = Nameless FileMapping | | 1 | |
| MOD | CREATE_MAPPING | module_name = Nameless FileMapping, file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\dwup.inf, maximum_size = 987420871104, protection = PAGE_READONLY | | 1 | |
| MOD | MAP | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\sources\recovery\recenv.exe, os_pid = 0x298, address = 0xe5e6df0000 | | 1 | |
| MOD | MAP | module_name = Nameless FileMapping, process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134, address = 0xe5e6df0000 | | 1 | |
| MOD | UNMAP | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\sources\recovery\recenv.exe, os_pid = 0x298 | | 1 | |
| MUTEX | CREATE | | 1 | ||
| MUTEX | CREATE | initial_owner = 0, desired_access = MUTEX_MODIFY_STATE, DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE | | 1 | |
| SYS | SLEEP | | 1 | ||
| SYS | SLEEP | duration = 1 milliseconds (0.001 seconds) | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x47086b | | 1 | |
| PROC | GET_INFO | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134 | | 1 | |
| FILE | OPEN | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\, desired_access = FILE_READ_DATA, SYNCHRONIZE, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE, open_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT | | 1 | |
| PROC | GET_INFO | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134 | | 1 | |
| FILE | CREATE | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\errata.inf, desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, create_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_NON_DIRECTORY_FILE, ea_buffer = 0, ea_length = 0 | | 1 | |
| MOD | CREATE_MAPPING | module_name = Nameless FileMapping | | 1 | |
| MOD | CREATE_MAPPING | module_name = Nameless FileMapping, file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\errata.inf, maximum_size = 987420871104, protection = PAGE_READONLY | | 1 | |
| MOD | MAP | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\sources\recovery\recenv.exe, os_pid = 0x298, address = 0xe5e6df0000 | | 1 | |
| MOD | MAP | module_name = Nameless FileMapping, process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134, address = 0xe5e6df0000 | | 1 | |
| MOD | UNMAP | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\sources\recovery\recenv.exe, os_pid = 0x298 | | 1 | |
| MUTEX | CREATE | | 1 | ||
| MUTEX | CREATE | initial_owner = 0, desired_access = MUTEX_MODIFY_STATE, DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE | | 1 | |
| SYS | SLEEP | | 1 | ||
| SYS | SLEEP | duration = 1 milliseconds (0.001 seconds) | | 1 | |
| SYS | SLEEP | | 1 | ||
| SYS | SLEEP | duration = 1 milliseconds (0.001 seconds) | | 1 | |
| SYS | SLEEP | | 1 | ||
| SYS | SLEEP | duration = 1 milliseconds (0.001 seconds) | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x47086b | | 1 | |
| PROC | GET_INFO | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134 | | 1 | |
| FILE | OPEN | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\, desired_access = FILE_READ_DATA, SYNCHRONIZE, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE, open_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT | | 1 | |
| PROC | GET_INFO | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134 | | 1 | |
| FILE | CREATE | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\fontsetup.inf, desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, create_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_NON_DIRECTORY_FILE, ea_buffer = 0, ea_length = 0 | | 1 | |
| MOD | CREATE_MAPPING | module_name = Nameless FileMapping | | 1 | |
| MOD | CREATE_MAPPING | module_name = Nameless FileMapping, file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\fontsetup.inf, maximum_size = 987420871104, protection = PAGE_READONLY | | 1 | |
| MOD | MAP | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\sources\recovery\recenv.exe, os_pid = 0x298, address = 0xe5e7240000 | | 1 | |
| MOD | MAP | module_name = Nameless FileMapping, process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134, address = 0xe5e7240000 | | 1 | |
| MOD | UNMAP | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\sources\recovery\recenv.exe, os_pid = 0x298 | | 1 | |
| MUTEX | CREATE | | 1 | ||
| MUTEX | CREATE | initial_owner = 0, desired_access = MUTEX_MODIFY_STATE, DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE | | 1 | |
| SYS | SLEEP | | 1 | ||
| SYS | SLEEP | duration = 1 milliseconds (0.001 seconds) | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x47086b | | 1 | |
| PROC | GET_INFO | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134 | | 1 | |
| FILE | OPEN | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\, desired_access = FILE_READ_DATA, SYNCHRONIZE, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE, open_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT | | 1 | |
| PROC | GET_INFO | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134 | | 1 | |
| FILE | CREATE | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\netnb.inf, desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, create_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_NON_DIRECTORY_FILE, ea_buffer = 0, ea_length = 0 | | 1 | |
| MOD | CREATE_MAPPING | module_name = Nameless FileMapping | | 1 | |
| MOD | CREATE_MAPPING | module_name = Nameless FileMapping, file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\netnb.inf, maximum_size = 987420871104, protection = PAGE_READONLY | | 1 | |
| MOD | MAP | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\sources\recovery\recenv.exe, os_pid = 0x298, address = 0xe5e6df0000 | | 1 | |
| MOD | MAP | module_name = Nameless FileMapping, process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134, address = 0xe5e6df0000 | | 1 | |
| MOD | UNMAP | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\sources\recovery\recenv.exe, os_pid = 0x298 | | 1 | |
| MUTEX | CREATE | | 1 | ||
| MUTEX | CREATE | initial_owner = 0, desired_access = MUTEX_MODIFY_STATE, DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE | | 1 | |
| SYS | SLEEP | | 1 | ||
| SYS | SLEEP | duration = 1 milliseconds (0.001 seconds) | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x47086b | | 1 | |
| PROC | GET_INFO | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134 | | 1 | |
| FILE | OPEN | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\, desired_access = FILE_READ_DATA, SYNCHRONIZE, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE, open_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT | | 1 | |
| PROC | GET_INFO | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134 | | 1 | |
| FILE | CREATE | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\puwk.inf, desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, create_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_NON_DIRECTORY_FILE, ea_buffer = 0, ea_length = 0 | | 1 | |
| MOD | CREATE_MAPPING | module_name = Nameless FileMapping | | 1 | |
| MOD | CREATE_MAPPING | module_name = Nameless FileMapping, file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\puwk.inf, maximum_size = 987420871104, protection = PAGE_READONLY | | 1 | |
| MOD | MAP | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\sources\recovery\recenv.exe, os_pid = 0x298, address = 0xe5e6df0000 | | 1 | |
| MOD | MAP | module_name = Nameless FileMapping, process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134, address = 0xe5e6df0000 | | 1 | |
| MOD | UNMAP | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\sources\recovery\recenv.exe, os_pid = 0x298 | | 1 | |
| MUTEX | CREATE | | 1 | ||
| MUTEX | CREATE | initial_owner = 0, desired_access = MUTEX_MODIFY_STATE, DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE | | 1 | |
| SYS | SLEEP | | 1 | ||
| SYS | SLEEP | duration = 1 milliseconds (0.001 seconds) | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x47086b | | 1 | |
| PROC | GET_INFO | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134 | | 1 | |
| FILE | OPEN | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\, desired_access = FILE_READ_DATA, SYNCHRONIZE, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE, open_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT | | 1 | |
| PROC | GET_INFO | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134 | | 1 | |
| FILE | CREATE | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\ramdisk.inf, desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, create_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_NON_DIRECTORY_FILE, ea_buffer = 0, ea_length = 0 | | 1 | |
| MOD | CREATE_MAPPING | module_name = Nameless FileMapping | | 1 | |
| MOD | CREATE_MAPPING | module_name = Nameless FileMapping, file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\ramdisk.inf, maximum_size = 987420871104, protection = PAGE_READONLY | | 1 | |
| MOD | MAP | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\sources\recovery\recenv.exe, os_pid = 0x298, address = 0xe5e6df0000 | | 1 | |
| MOD | MAP | module_name = Nameless FileMapping, process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134, address = 0xe5e6df0000 | | 1 | |
| MOD | UNMAP | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\sources\recovery\recenv.exe, os_pid = 0x298 | | 1 | |
| MUTEX | CREATE | | 1 | ||
| MUTEX | CREATE | initial_owner = 0, desired_access = MUTEX_MODIFY_STATE, DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE | | 1 | |
| SYS | SLEEP | | 1 | ||
| SYS | SLEEP | duration = 1 milliseconds (0.001 seconds) | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x47086b | | 1 | |
| PROC | GET_INFO | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134 | | 1 | |
| FILE | OPEN | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\, desired_access = FILE_READ_DATA, SYNCHRONIZE, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE, open_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT | | 1 | |
| PROC | GET_INFO | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134 | | 1 | |
| FILE | CREATE | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\sceregvl.inf, desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, create_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_NON_DIRECTORY_FILE, ea_buffer = 0, ea_length = 0 | | 1 | |
| MOD | CREATE_MAPPING | module_name = Nameless FileMapping | | 1 | |
| MOD | CREATE_MAPPING | module_name = Nameless FileMapping, file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\sceregvl.inf, maximum_size = 987420871104, protection = PAGE_READONLY | | 1 | |
| MOD | MAP | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\sources\recovery\recenv.exe, os_pid = 0x298, address = 0xe5e6df0000 | | 1 | |
| MOD | MAP | module_name = Nameless FileMapping, process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134, address = 0xe5e6df0000 | | 1 | |
| MOD | UNMAP | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\sources\recovery\recenv.exe, os_pid = 0x298 | | 1 | |
| MUTEX | CREATE | | 1 | ||
| MUTEX | CREATE | initial_owner = 0, desired_access = MUTEX_MODIFY_STATE, DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE | | 1 | |
| SYS | SLEEP | | 1 | ||
| SYS | SLEEP | duration = 1 milliseconds (0.001 seconds) | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x470813 | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x47086b | | 1 | |
| PROC | GET_INFO | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134 | | 1 | |
| FILE | OPEN | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\, desired_access = FILE_READ_DATA, SYNCHRONIZE, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE, open_options = FILE_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT | | 1 | |
| PROC | GET_INFO | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134 | | 1 | |
| FILE | CREATE | | 1 | ||
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\secrecs.inf, desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, create_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_NON_DIRECTORY_FILE, ea_buffer = 0, ea_length = 0 | | 1 | |
| MOD | CREATE_MAPPING | module_name = Nameless FileMapping | | 1 | |
| MOD | CREATE_MAPPING | module_name = Nameless FileMapping, file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\inf\secrecs.inf, maximum_size = 987420871104, protection = PAGE_READONLY | | 1 | |
| MOD | MAP | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\sources\recovery\recenv.exe, os_pid = 0x298, address = 0xe5e6df0000 | | 1 | |
| MOD | MAP | module_name = Nameless FileMapping, process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134, address = 0xe5e6df0000 | | 1 | |
| MOD | UNMAP | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\sources\recovery\recenv.exe, os_pid = 0x298 | | 1 | |
| MUTEX | CREATE | | 1 |
| Information | Value |
|---|---|
| ID / OS PID | #18 / 0x2b0 |
| OS Parent PID | 0x1ac (c:\windows\system32\csrss.exe) |
| Initial Working Directory | X:\windows\system32 |
| File Name | \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\svchost.exe |
| Command Line | X:\windows\System32\svchost.exe -k LocalServiceNetworkRestricted |
| Monitor | Start Time: 00:02:04, Reason: Child Process |
| Unmonitor | End Time: 00:02:07, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:03 |
| OS Thread IDs | #127 0x2B4 #130 0x2C4 #131 0x2C8 #132 0x2CC #133 0x2D0 |
| Injection Type | Source Process | Source Os Thread ID | Injection Info | Success | Amount | Logfile |
|---|---|---|---|---|---|---|
| Modify Memory | \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe | 0x188 | No corresponding api call detected. Probably injected code via shellcode. | | 1 | |
| Modify Memory | \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe | 0x188 | No corresponding api call detected. Probably injected code via shellcode. | | 1 | |
| Modify Memory | \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe | 0x188 | No corresponding api call detected. Probably injected code via shellcode. | | 1 | |
| Modify Memory | \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe | 0x188 | No corresponding api call detected. Probably injected code via shellcode. | | 1 | |
| Modify Memory | \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\services.exe | 0x1b0 | address = 0x2060980000, size = 4704 | | 1 | |
| Modify Memory | \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\services.exe | 0x1b0 | address = 0x7ff7c99e92d8, size = 8 | | 1 | |
| Modify Memory | \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\lsass.exe | 0x1d0 | No corresponding api call detected. Probably injected code via shellcode. | | 1 | |
| Modify Memory | \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\lsass.exe | 0x1d0 | No corresponding api call detected. Probably injected code via shellcode. | | 1 | |
| Modify Memory | \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\lsass.exe | 0x1d0 | No corresponding api call detected. Probably injected code via shellcode. | | 1 | |
| Modify Memory | \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\lsass.exe | 0x1d0 | No corresponding api call detected. Probably injected code via shellcode. | | 1 | |
| Modify Memory | \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\lsass.exe | 0x1d0 | No corresponding api call detected. Probably injected code via shellcode. | | 1 | |
| Modify Memory | \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\lsass.exe | 0x1d0 | No corresponding api call detected. Probably injected code via shellcode. | | 1 |
| Category | Operation | Information | Success | Amount | Logfile |
|---|---|---|---|---|---|
| SYS | GET_INFO | type = SYSTEM_CURRENT_TIME_ZONE_INFORMATION | | 1 | |
| SYS | GET_INFO | type = SYSTEM_BASIC_INFORMATION | | 2 | |
| PROC | GET_INFO | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134 | | 1 | |
| REG | OPEN_KEY | reg_name = \Registry\Machine\System\CurrentControlSet\Control\Nls\Sorting\Versions | | 1 | |
| REG | READ_VALUE | reg_name = \Registry\Machine\System\CurrentControlSet\Control\Nls\Sorting\Versions, value_name = 139059393024 | | 1 | |
| REG | OPEN_KEY | | 1 | ||
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = LocalServiceNetworkRestricted | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = LocalServiceNetworkRestricted | | 1 | |
| REG | OPEN_KEY | | 1 | ||
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = CoInitializeSecurityParam | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = CoInitializeSecurityAllowLowBox | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = AuthenticationLevel | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = ImpersonationLevel | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = AuthenticationCapabilities | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = CoInitializeSecurityAppID | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = DefaultRpcStackSize | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = RpcExceptionFilterMode | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = SystemCritical | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = NoGuiAccess | | 1 | |
| REG | OPEN_KEY | | 1 | ||
| PROC | OPEN_TOKEN | | 1 | ||
| REG | READ_VALUE | value_name = PageAllocatorUseSystemHeap | | 1 | |
| REG | READ_VALUE | value_name = PageAllocatorSystemHeapIsPrivate | | 1 | |
| REG | READ_VALUE | value_name = AggressiveMTATesting | | 1 | |
| SYS | GET_INFO | type = SYSTEM_BASIC_INFORMATION | | 1 | |
| SYS | GET_INFO | type = SYSTEM_PROCESSOR_INFORMATION | | 1 | |
| PROC | GET_INFO | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134 | | 1 | |
| MOD | GET_HANDLE | module_name = rpcrt4.dll | | 1 | |
| MOD | GET_HANDLE | module_name = X:\windows\system32\rpcss.dll | | 1 | |
| SYS | GET_INFO | type = SYSTEM_BASIC_INFORMATION | | 1 | |
| DRV | CONTROL | | 1 | ||
| DRV | CONTROL | control_code = 0x390008 | | 1 | |
| SYS | GET_INFO | type = SYSTEM_BASIC_INFORMATION | | 1 | |
| REG | OPEN_KEY | reg_name = \Registry\Machine\System\CurrentControlSet\Control\Error Message Instrument\ | | 1 | |
| REG | OPEN_KEY | reg_name = \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize | | 1 | |
| REG | READ_VALUE | reg_name = \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize, value_name = DisableMetaFiles | | 1 | |
| PROC | GET_INFO | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134 | | 1 | |
| REG | READ_VALUE | value_name = LoadAppInit_DLLs | | 1 | |
| MOD | LOAD | module_name = rpcrt4.dll, base_address = 0x0 | | 1 | |
| SYS | GET_INFO | type = SYSTEM_BASIC_INFORMATION | | 1 | |
| REG | READ_VALUE | value_name = MaxRpcSize | | 1 | |
| REG | OPEN_KEY | reg_name = \Registry\Machine\System\CurrentControlSet\Control\ComputerName\ActiveComputerName | | 1 | |
| REG | READ_VALUE | reg_name = \Registry\Machine\System\CurrentControlSet\Control\ComputerName\ActiveComputerName, value_name = ComputerName | | 1 | |
| REG | OPEN_KEY | reg_name = \Registry\Machine\System\Setup | | 1 | |
| REG | READ_VALUE | reg_name = \Registry\Machine\System\Setup, value_name = OOBEInProgress | | 1 | |
| REG | OPEN_KEY | reg_name = \Registry\Machine\System\Setup | | 1 | |
| REG | READ_VALUE | reg_name = \Registry\Machine\System\Setup, value_name = SystemSetupInProgress | | 1 | |
| SYS | GET_INFO | | 1 | ||
| PROC | GET_INFO | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134 | | 1 | |
| PROC | GET_INFO | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134 | | 1 | |
| REG | READ_VALUE | value_name = IdleTimerWindow | | 1 | |
| MOD | GET_HANDLE | module_name = ntdll.dll | | 1 | |
| SYS | GET_INFO | | 1 | ||
| REG | OPEN_KEY | reg_name = HKEY_USERS\S-1-5-19_Classes | | 1 | |
| COM | CREATE | interface = None, | | 1 | |
| REG | OPEN_KEY | reg_name = \REGISTRY\MACHINE\Software\Microsoft\Rpc\Extensions | | 1 | |
| REG | READ_VALUE | reg_name = \REGISTRY\MACHINE\Software\Microsoft\Rpc\Extensions, value_name = NdrOleExtDLL | | 1 | |
| MOD | GET_HANDLE | module_name = combase.dll | | 1 | |
| THREAD | CREATE | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134, proc_address = 0x7ffb733c7ef0, desired_access = THREAD_ALL_ACCESS | | 1 |
| Category | Operation | Information | Success | Amount | Logfile |
|---|---|---|---|---|---|
| DRV | CONTROL | control_code = 0x110008 | | 1 |
| Category | Operation | Information | Success | Amount | Logfile |
|---|---|---|---|---|---|
| REG | OPEN_KEY | reg_name = Control Panel\International | | 1 | |
| REG | READ_VALUE | reg_name = Control Panel\International | | 1 | |
| REG | READ_VALUE | reg_name = Control Panel\International | | 1 | |
| REG | READ_VALUE | reg_name = Control Panel\International, value_name = sCurrencyOverride | | 1 | |
| REG | OPEN_KEY | reg_name = \Registry\Machine\System\CurrentControlSet\Control\Nls\CustomLocale | | 1 | |
| REG | READ_VALUE | reg_name = \Registry\Machine\System\CurrentControlSet\Control\Nls\CustomLocale, value_name = en-US | | 1 | |
| REG | OPEN_KEY | reg_name = \Registry\Machine\System\CurrentControlSet\Control\Nls\ExtendedLocale | | 1 | |
| REG | READ_VALUE | reg_name = \Registry\Machine\System\CurrentControlSet\Control\Nls\ExtendedLocale, value_name = en-US | | 1 | |
| REG | READ_VALUE | reg_name = \Registry\Machine\System\CurrentControlSet\Control\Nls\Sorting\Versions, value_name = 000602xx | | 1 | |
| MOD | LOAD | module_name = kernel32.dll, base_address = 0x0 | | 1 | |
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\globalization\sorting\sortdefault.nls, desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0 | | 1 | |
| MOD | CREATE_MAPPING | module_name = Nameless FileMapping, file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\globalization\sorting\sortdefault.nls, maximum_size = 0, protection = PAGE_READONLY | | 1 | |
| MOD | MAP | module_name = Nameless FileMapping, process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134, address = 0x20610a0000 | | 1 | |
| REG | OPEN_KEY | reg_name = \Registry\Machine\System\CurrentControlSet\Control\Nls\Sorting\Ids | | 1 | |
| REG | READ_VALUE | reg_name = \Registry\Machine\System\CurrentControlSet\Control\Nls\Sorting\Ids, value_name = en-US | | 1 | |
| REG | READ_VALUE | reg_name = \Registry\Machine\System\CurrentControlSet\Control\Nls\Sorting\Ids, value_name = en | | 1 | |
| REG | OPEN_KEY | | 2 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | module_name = Nameless FileMapping, value_name = ServiceDll | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | module_name = Nameless FileMapping, value_name = ServiceManifest | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | module_name = Nameless FileMapping, value_name = ServiceMain | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | module_name = Nameless FileMapping, value_name = ServiceMain | | 1 | |
| MOD | LOAD | base_address = 0x7ffb6f8f0000 | | 1 | |
| MOD | LOAD | module_name = x:\windows\system32\wevtsvc.dll, base_address = 0x0 | | 1 | |
| MOD | GET_PROC_ADDRESS | address_out = 0x7ffb6f947ee0 | | 1 | |
| MOD | GET_PROC_ADDRESS | address_out = 0x7ffb6f94efc0 | | 1 | |
| SVC | REGISTER_HANDLER | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = CompatFlags | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = MaxSize | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = Retention | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = AutoBackupLogFiles | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = CustomSD | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = MaxSize | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = Retention | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = AutoBackupLogFiles | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = CustomSD | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = CustomSD | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = MaxSize | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = WarningLevel | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = Retention | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = AutoBackupLogFiles | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = CustomSD | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = MaxSize | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = Retention | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = AutoBackupLogFiles | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = CustomSD | | 1 | |
| REG | OPEN_KEY | | 2 | ||
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = SystemSetupInProgress | | 1 | |
| REG | OPEN_KEY | | 1 | ||
| REG | OPEN_KEY | | 1 | ||
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = ProductName | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = CurrentType | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = InstallDate | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = BuildLab | | 1 | |
| REG | OPEN_KEY | reg_name = \Registry\Machine\System\CurrentControlSet\Services\Tcpip\Parameters | | 1 | |
| REG | READ_VALUE | reg_name = \Registry\Machine\System\CurrentControlSet\Services\Tcpip\Parameters, value_name = Hostname | | 1 | |
| SYS | GET_INFO | type = SYSTEM_BASIC_INFORMATION | | 1 | |
| SYS | GET_INFO | type = SYSTEM_PROCESSOR_INFORMATION | | 1 | |
| PROC | GET_INFO | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134 | | 1 | |
| REG | OPEN_KEY | | 1 | ||
| SYS | GET_INFO | | 1 | ||
| PROC | GET_INFO | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134 | | 1 | |
| PROC | GET_INFO | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134 | | 1 | |
| REG | OPEN_KEY | | 1 | ||
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = CurrentType | | 1 | |
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = CurrentType | | 1 | |
| REG | OPEN_KEY | reg_name = \Registry\Machine\System\CurrentControlSet\Services\Tcpip\Parameters | | 1 | |
| REG | READ_VALUE | reg_name = \Registry\Machine\System\CurrentControlSet\Services\Tcpip\Parameters, value_name = Hostname | | 1 | |
| REG | OPEN_KEY | reg_name = \Registry\Machine\System\CurrentControlSet\Control\ComputerName | | 1 | |
| REG | OPEN_KEY | reg_name = \Registry\Machine\System\CurrentControlSet\Control\ComputerName\ActiveComputerName | | 1 | |
| REG | READ_VALUE | reg_name = \Registry\Machine\System\CurrentControlSet\Control\ComputerName\ActiveComputerName, value_name = ComputerName | | 1 | |
| REG | OPEN_KEY | reg_name = \Registry\Machine\System\Setup | | 1 | |
| REG | READ_VALUE | reg_name = \Registry\Machine\System\Setup, value_name = OOBEInProgress | | 1 | |
| REG | OPEN_KEY | reg_name = \Registry\Machine\System\Setup | | 1 | |
| REG | READ_VALUE | reg_name = \Registry\Machine\System\Setup, value_name = SystemSetupInProgress | | 1 | |
| REG | OPEN_KEY | reg_name = \Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option | | 1 | |
| REG | OPEN_KEY | reg_name = \Registry\Machine\System\CurrentControlSet\Services\Tcpip\Parameters | | 1 | |
| REG | READ_VALUE | reg_name = \Registry\Machine\System\CurrentControlSet\Services\Tcpip\Parameters, value_name = Hostname | | 1 | |
| REG | OPEN_KEY | reg_name = \Registry\Machine\System\CurrentControlSet\Control\ComputerName | | 1 | |
| REG | OPEN_KEY | reg_name = \Registry\Machine\System\CurrentControlSet\Control\ComputerName\ActiveComputerName | | 1 | |
| REG | READ_VALUE | reg_name = \Registry\Machine\System\CurrentControlSet\Control\ComputerName\ActiveComputerName, value_name = ComputerName | | 1 | |
| REG | OPEN_KEY | | 1 | ||
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | reg_name = \Registry\Machine\System\CurrentControlSet\Control\ComputerName\ActiveComputerName, value_name = SystemSetupInProgress | | 1 | |
| THREAD | CREATE | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134, proc_address = 0x7ffb6f922a20, desired_access = THREAD_ALL_ACCESS | | 1 | |
| MOD | LOAD | base_address = 0x2061510002 | | 1 | |
| FILE | CREATE | file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\wevtapi.dll, desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE, create_disposition = FILE_OPEN, ea_buffer = 0, ea_length = 0 | | 1 | |
| MOD | CREATE_MAPPING | module_name = Nameless FileMapping, file_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\wevtapi.dll, maximum_size = 0, protection = PAGE_READONLY | | 1 | |
| MOD | MAP | module_name = Nameless FileMapping, process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134, address = 0x2061510000 | | 1 | |
| MOD | LOAD | base_address = 0x7ffb73480000 | | 1 | |
| REG | OPEN_KEY | reg_name = \Registry\Machine\System\CurrentControlSet\Control\ComputerName\ActiveComputerName | | 1 | |
| REG | READ_VALUE | reg_name = \Registry\Machine\System\CurrentControlSet\Control\ComputerName\ActiveComputerName, value_name = ComputerName | | 1 | |
| REG | OPEN_KEY | reg_name = \Registry\Machine\System\CurrentControlSet\Services\Tcpip\Parameters | | 1 | |
| REG | READ_VALUE | reg_name = \Registry\Machine\System\CurrentControlSet\Services\Tcpip\Parameters, value_name = Hostname | | 1 | |
| REG | OPEN_KEY | reg_name = \Registry\Machine\System\CurrentControlSet\Control\ComputerName | | 1 | |
| REG | OPEN_KEY | reg_name = \Registry\Machine\System\CurrentControlSet\Control\ComputerName\ActiveComputerName | | 1 | |
| REG | READ_VALUE | reg_name = \Registry\Machine\System\CurrentControlSet\Control\ComputerName\ActiveComputerName, value_name = ComputerName | | 1 | |
| REG | READ_VALUE | reg_name = \Registry\Machine\System\CurrentControlSet\Control\ComputerName\ActiveComputerName, value_name = 9 | | 1 | |
| MOD | LOAD | module_name = sspicli.dll, base_address = 0x0 | | 1 | |
| SYS | GET_INFO | type = SYSTEM_BASIC_INFORMATION | | 1 | |
| SYS | GET_INFO | type = SYSTEM_PROCESSOR_INFORMATION | | 1 | |
| PROC | GET_INFO | process_name = \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe, os_pid = 0x134 | | 1 | |
| MOD | LOAD | base_address = 0x7ffb71500000 | | 1 | |
| MOD | LOAD | module_name = sspicli.dll, base_address = 0x0 | | 1 | |
| REG | OPEN_KEY | | 1 | ||
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = SecurityProviders | | 1 | |
| REG | OPEN_KEY | | 2 | ||
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = crashonauditfail | | 1 |
| Category | Operation | Information | Success | Amount | Logfile |
|---|---|---|---|---|---|
| REG | OPEN_KEY | | 2 | ||
| SYS | SLEEP | | 1 | ||
| SYS | SLEEP | duration = 1 milliseconds (0.001 seconds) | | 1 | |
| REG | OPEN_KEY | | 1 | ||
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = SystemSetupInProgress | | 1 | |
| SYS | SLEEP | | 1 | ||
| SYS | SLEEP | duration = 1 milliseconds (0.001 seconds) | | 1 | |
| REG | OPEN_KEY | | 1 | ||
| REG | READ_VALUE | | 1 | ||
| REG | READ_VALUE | value_name = SystemSetupInProgress | | 1 | |
| SYS | SLEEP | | 1 | ||
| SYS | SLEEP | duration = 1 milliseconds (0.001 seconds) | | 1 |
