MalwareMustDie

#MalwareMustDie - BHEK 20130205 contact.exe PID

Feb 5th, 2013
  1. "22:47:05.6011960","Thread Create","","SUCCESS","Thread ID: 2176"
  2. "22:47:05.6034569","QueryNameInformationFile","D:\contacts.exe","SUCCESS","Name: \contacts.exe"
  3. "22:47:05.6037458","Load Image","D:\contacts.exe","SUCCESS","Image Base: 0x400000, Image Size: 0x2e000"
  4. "22:47:05.6039894","Load Image","C:\WINDOWS\System32\ntdll.dll","SUCCESS","Image Base: 0x7c940000, Image Size: 0x9c000"
  5. "22:47:05.6040151","QueryNameInformationFile","D:\contacts.exe","SUCCESS","Name: \contacts.exe"
  6. "22:47:05.6042651","CreateFile","C:\WINDOWS\Prefetch\CONTACTS.EXE-08D4C0A5.pf","NAME NOT FOUND","Desired Access: Generic Read, Disposition: Open, Options: Synchronous IO Non-Alert, Attributes: n/a, ShareMode: None, AllocationSize: n/a"
  7. "22:47:05.6046473","RegOpenKey","HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\contacts.exe","NAME NOT FOUND","Desired Access: Read"
  8. "22:47:05.6048526","CreateFile","D:\","SUCCESS","Desired Access: Execute/Traverse, Synchronize, Disposition: Open, Options: Directory, Synchronous IO Non-Alert, Attributes: n/a, ShareMode: Read, Write, AllocationSize: n/a, OpenResult: Opened"
  9. "22:47:05.6084385","FileSystemControl","D:\","SUCCESS","Control: FSCTL_IS_VOLUME_MOUNTED"
  10. "22:47:05.6280243","CreateFile","D:\contacts.exe.Local","NAME NOT FOUND","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a"
  11. "22:47:05.6363443","Load Image","C:\WINDOWS\System32\KERNEL32.DLL","SUCCESS","Image Base: 0x7c800000, Image Size: 0x133000"
  12. "22:47:05.6367044","RegOpenKey","HKLM\System\CurrentControlSet\Control\Terminal Server","SUCCESS","Desired Access: Read"
  13. "22:47:05.6367575","RegQueryValue","HKLM\System\CurrentControlSet\Control\Terminal Server\TSAppCompat","SUCCESS","Type: REG_DWORD, Length: 4, Data: 0"
  14. "22:47:05.6367949","RegCloseKey","HKLM\System\CurrentControlSet\Control\Terminal Server","SUCCESS",""
  15. "22:47:05.6372495","ReadFile","D:\contacts.exe","SUCCESS","Offset: 84,480, Length: 1,024, I/O Flags: Non-cached, Paging I/O, Synchronous Paging I/O"
  16. "22:47:05.7420692","FileSystemControl","D:\","SUCCESS","Control: FSCTL_IS_VOLUME_MOUNTED"
  17. "22:47:05.7828425","CreateFile","D:\WINSPOOL.DRV","NAME NOT FOUND","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a"
  18. "22:47:05.7865249","CreateFile","C:\WINDOWS\system32\winspool.drv","SUCCESS","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
  19. "22:47:05.7867528","QueryBasicInformationFile","C:\WINDOWS\system32\winspool.drv","SUCCESS","CreationTime: 2008/08/20 12:00:00, LastAccessTime: 2013/02/05 0:00:00, LastWriteTime: 2008/08/20 12:00:00, ChangeTime: 1601/01/01 9:00:00, FileAttributes: A"
  20. "22:47:05.7869660","CloseFile","C:\WINDOWS\system32\winspool.drv","SUCCESS",""
  21. "22:47:05.7872691","CreateFile","C:\WINDOWS\system32\winspool.drv","SUCCESS","Desired Access: Execute/Traverse, Synchronize, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, Delete, AllocationSize: n/a, OpenResult: Opened"
  22. "22:47:05.7874990","CreateFileMapping","C:\WINDOWS\system32\winspool.drv","SUCCESS","SyncType: SyncTypeCreateSection, PageProtection: PAGE_EXECUTE"
  23. "22:47:05.7875655","CreateFileMapping","C:\WINDOWS\SYSTEM32\WINSPOOL.DRV","SUCCESS","SyncType: SyncTypeOther"
  24. "22:47:05.7876077","RegOpenKey","HKLM\System\CurrentControlSet\Control\SafeBoot\Option","NAME NOT FOUND","Desired Access: Query Value, Set Value"
  25. "22:47:05.7876420","RegOpenKey","HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers","SUCCESS","Desired Access: Query Value"
  26. "22:47:05.7876837","RegQueryValue","HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\TransparentEnabled","SUCCESS","Type: REG_DWORD, Length: 4, Data: 1"
  27. "22:47:05.7887296","RegCloseKey","HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers","SUCCESS",""
  28. "22:47:05.7887612","RegOpenKey","HKCU\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers","NAME NOT FOUND","Desired Access: Query Value"
  29. "22:47:05.7890067","CloseFile","C:\WINDOWS\system32\winspool.drv","SUCCESS",""
  30. "22:47:05.7893177","Load Image","C:\WINDOWS\System32\WINSPOOL.DRV","SUCCESS","Image Base: 0x72f50000, Image Size: 0x26000"
  31. "22:47:05.7896769","Load Image","C:\WINDOWS\System32\ADVAPI32.DLL","SUCCESS","Image Base: 0x77d80000, Image Size: 0xa9000"
  32. "22:47:05.7901019","Load Image","C:\WINDOWS\System32\RPCRT4.DLL","SUCCESS","Image Base: 0x77e30000, Image Size: 0x92000"
  33. "22:47:05.7904019","Load Image","C:\WINDOWS\System32\SECUR32.DLL","SUCCESS","Image Base: 0x77fa0000, Image Size: 0x11000"
  34. "22:47:05.7910939","Load Image","C:\WINDOWS\System32\GDI32.DLL","SUCCESS","Image Base: 0x77ed0000, Image Size: 0x49000"
  35. "22:47:05.7913908","Load Image","C:\WINDOWS\System32\USER32.DLL","SUCCESS","Image Base: 0x77cf0000, Image Size: 0x90000"
  36. "22:47:05.7916898","Load Image","C:\WINDOWS\System32\MSVCRT.DLL","SUCCESS","Image Base: 0x77bc0000, Image Size: 0x58000"
  37. "22:47:05.7928508","Load Image","C:\WINDOWS\System32\OLE32.DLL","SUCCESS","Image Base: 0x76970000, Image Size: 0x13d000"
  38. "22:47:05.7931827","RegOpenKey","HKLM\System\CurrentControlSet\Control\Terminal Server","SUCCESS","Desired Access: Read"
  39. "22:47:05.7932369","RegQueryValue","HKLM\System\CurrentControlSet\Control\Terminal Server\TSAppCompat","SUCCESS","Type: REG_DWORD, Length: 4, Data: 0"
  40. "22:47:05.7932757","RegCloseKey","HKLM\System\CurrentControlSet\Control\Terminal Server","SUCCESS",""
  41. "22:47:05.7934199","RegOpenKey","HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Secur32.dll","NAME NOT FOUND","Desired Access: Read"
  42. "22:47:05.7934771","RegOpenKey","HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RPCRT4.dll","NAME NOT FOUND","Desired Access: Read"
  43. "22:47:05.7935171","RegOpenKey","HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ADVAPI32.dll","NAME NOT FOUND","Desired Access: Read"
  44. "22:47:05.7935545","RegOpenKey","HKLM\System\CurrentControlSet\Control\Terminal Server","SUCCESS","Desired Access: Read"
  45. "22:47:05.7935973","RegQueryValue","HKLM\System\CurrentControlSet\Control\Terminal Server\TSAppCompat","SUCCESS","Type: REG_DWORD, Length: 4, Data: 0"
  46. "22:47:05.7936185","RegQueryValue","HKLM\System\CurrentControlSet\Control\Terminal Server\TSUserEnabled","SUCCESS","Type: REG_DWORD, Length: 4, Data: 0"
  47. "22:47:05.7936489","RegCloseKey","HKLM\System\CurrentControlSet\Control\Terminal Server","SUCCESS",""
  48. "22:47:05.7936660","RegOpenKey","HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon","SUCCESS","Desired Access: Read"
  49. "22:47:05.7937051","RegQueryValue","HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LeakTrack","NAME NOT FOUND","Length: 144"
  50. "22:47:05.7937406","RegCloseKey","HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon","SUCCESS",""
  51. "22:47:05.7937543","RegOpenKey","HKLM","SUCCESS","Desired Access: Maximum Allowed"
  52. "22:47:05.7937833","RegOpenKey","HKLM\Software\Microsoft\Windows NT\CurrentVersion\Diagnostics","NAME NOT FOUND","Desired Access: Read"
  53. "22:47:05.7938344","RegOpenKey","HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\USER32.dll","NAME NOT FOUND","Desired Access: Read"
  54. "22:47:05.7941753","RegOpenKey","HKLM\System\CurrentControlSet\Control\Session Manager","SUCCESS","Desired Access: Query Value"
  55. "22:47:05.7942191","RegQueryValue","HKLM\System\CurrentControlSet\Control\Session Manager\SafeDllSearchMode","NAME NOT FOUND","Length: 16"
  56. "22:47:05.7942568","RegCloseKey","HKLM\System\CurrentControlSet\Control\Session Manager","SUCCESS",""
  57. "22:47:05.7948262","CreateFile","C:\WINDOWS\system32\imm32.dll","SUCCESS","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
  58. "22:47:05.7950536","QueryBasicInformationFile","C:\WINDOWS\system32\imm32.dll","SUCCESS","CreationTime: 2008/08/20 12:00:00, LastAccessTime: 2013/02/05 0:00:00, LastWriteTime: 2008/08/20 12:00:00, ChangeTime: 1601/01/01 9:00:00, FileAttributes: A"
  59. "22:47:05.7952645","CloseFile","C:\WINDOWS\system32\imm32.dll","SUCCESS",""
  60. "22:47:05.7955774","CreateFile","C:\WINDOWS\system32\imm32.dll","SUCCESS","Desired Access: Execute/Traverse, Synchronize, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, Delete, AllocationSize: n/a, OpenResult: Opened"
  61. "22:47:05.7958056","CreateFileMapping","C:\WINDOWS\system32\imm32.dll","SUCCESS","SyncType: SyncTypeCreateSection, PageProtection: PAGE_EXECUTE"
  62. "22:47:05.7958241","QueryStandardInformationFile","C:\WINDOWS\system32\IMM32.DLL","SUCCESS","AllocationSize: 114,688, EndOfFile: 110,080, NumberOfLinks: 1, DeletePending: False, Directory: False"
  63. "22:47:05.7958548","CreateFileMapping","C:\WINDOWS\SYSTEM32\IMM32.DLL","SUCCESS","SyncType: SyncTypeOther"
  64. "22:47:05.7961470","CloseFile","C:\WINDOWS\system32\imm32.dll","SUCCESS",""
  65. "22:47:05.7970460","CreateFile","C:\WINDOWS\system32\imm32.dll","SUCCESS","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
  66. "22:47:05.7972651","QueryBasicInformationFile","C:\WINDOWS\system32\imm32.dll","SUCCESS","CreationTime: 2008/08/20 12:00:00, LastAccessTime: 2013/02/05 0:00:00, LastWriteTime: 2008/08/20 12:00:00, ChangeTime: 1601/01/01 9:00:00, FileAttributes: A"
  67. "22:47:05.7974743","CloseFile","C:\WINDOWS\system32\imm32.dll","SUCCESS",""
  68. "22:47:05.7977727","CreateFile","C:\WINDOWS\system32\imm32.dll","SUCCESS","Desired Access: Execute/Traverse, Synchronize, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, Delete, AllocationSize: n/a, OpenResult: Opened"
  69. "22:47:05.7981071","CreateFileMapping","C:\WINDOWS\system32\imm32.dll","SUCCESS","SyncType: SyncTypeCreateSection, PageProtection: PAGE_EXECUTE"
  70. "22:47:05.7981244","QueryStandardInformationFile","C:\WINDOWS\system32\IMM32.DLL","SUCCESS","AllocationSize: 114,688, EndOfFile: 110,080, NumberOfLinks: 1, DeletePending: False, Directory: False"
  71. "22:47:05.7981540","CreateFileMapping","C:\WINDOWS\SYSTEM32\IMM32.DLL","SUCCESS","SyncType: SyncTypeOther"
  72. "22:47:05.7983928","CloseFile","C:\WINDOWS\system32\imm32.dll","SUCCESS",""
  73. "22:47:05.7989558","CreateFile","C:\WINDOWS\system32\imm32.dll","SUCCESS","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
  74. "22:47:05.7994299","QueryBasicInformationFile","C:\WINDOWS\system32\imm32.dll","SUCCESS","CreationTime: 2008/08/20 12:00:00, LastAccessTime: 2013/02/05 0:00:00, LastWriteTime: 2008/08/20 12:00:00, ChangeTime: 1601/01/01 9:00:00, FileAttributes: A"
  75. "22:47:05.7996397","CloseFile","C:\WINDOWS\system32\imm32.dll","SUCCESS",""
  76. "22:47:05.7999978","CreateFile","C:\WINDOWS\system32\imm32.dll","SUCCESS","Desired Access: Execute/Traverse, Synchronize, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, Delete, AllocationSize: n/a, OpenResult: Opened"
  77. "22:47:05.8002230","CreateFileMapping","C:\WINDOWS\system32\imm32.dll","SUCCESS","SyncType: SyncTypeCreateSection, PageProtection: PAGE_EXECUTE"
  78. "22:47:05.8002869","CreateFileMapping","C:\WINDOWS\SYSTEM32\IMM32.DLL","SUCCESS","SyncType: SyncTypeOther"
  79. "22:47:05.8005163","CloseFile","C:\WINDOWS\system32\imm32.dll","SUCCESS",""
  80. "22:47:05.8010331","Load Image","C:\WINDOWS\System32\IMM32.DLL","SUCCESS","Image Base: 0x762e0000, Image Size: 0x1d000"
  81. "22:47:05.8011762","RegOpenKey","HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IMM32.DLL","NAME NOT FOUND","Desired Access: Read"
  82. "22:47:05.8017598","CreateFile","C:\WINDOWS\system32\imm32.dll","SUCCESS","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
  83. "22:47:05.8021341","QueryBasicInformationFile","C:\WINDOWS\system32\imm32.dll","SUCCESS","CreationTime: 2008/08/20 12:00:00, LastAccessTime: 2013/02/05 0:00:00, LastWriteTime: 2008/08/20 12:00:00, ChangeTime: 1601/01/01 9:00:00, FileAttributes: A"
  84. "22:47:05.8023442","CloseFile","C:\WINDOWS\system32\imm32.dll","SUCCESS",""
  85. "22:47:05.8024674","RegOpenKey","HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ntdll.dll","NAME NOT FOUND","Desired Access: Read"
  86. "22:47:05.8024962","RegOpenKey","HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kernel32.dll","NAME NOT FOUND","Desired Access: Read"
  87. "22:47:05.8025283","RegOpenKey","HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GDI32.dll","NAME NOT FOUND","Desired Access: Read"
  88. "22:47:05.8025546","RegOpenKey","HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msvcrt.dll","NAME NOT FOUND","Desired Access: Read"
  89. "22:47:05.8025780","RegOpenKey","HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WINSPOOL.DRV","NAME NOT FOUND","Desired Access: Read"
  90. "22:47:05.8026026","RegOpenKey","HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ole32.dll","NAME NOT FOUND","Desired Access: Read"
  91. "22:47:05.8031462","CreateFile","C:\WINDOWS\system32\imm32.dll","SUCCESS","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
  92. "22:47:05.8033655","QueryBasicInformationFile","C:\WINDOWS\system32\imm32.dll","SUCCESS","CreationTime: 2008/08/20 12:00:00, LastAccessTime: 2013/02/05 0:00:00, LastWriteTime: 2008/08/20 12:00:00, ChangeTime: 1601/01/01 9:00:00, FileAttributes: A"
  93. "22:47:05.8035745","CloseFile","C:\WINDOWS\system32\imm32.dll","SUCCESS",""
  94. "22:47:05.8036349","RegOpenKey","HKLM\System\CurrentControlSet\Control\Error Message Instrument\","NAME NOT FOUND","Desired Access: Read"
  95. "22:47:05.8036784","RegOpenKey","HKLM\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize","SUCCESS","Desired Access: Read"
  96. "22:47:05.8037175","RegQueryValue","HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles","NAME NOT FOUND","Length: 20"
  97. "22:47:05.8037516","RegCloseKey","HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize","SUCCESS",""
  98. "22:47:05.8040235","RegOpenKey","HKLM\Software\Microsoft\Windows NT\CurrentVersion\Compatibility32","SUCCESS","Desired Access: Read"
  99. "22:47:05.8040637","RegQueryValue","HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Compatibility32\contacts","NAME NOT FOUND","Length: 172"
  100. "22:47:05.8040925","RegCloseKey","HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Compatibility32","SUCCESS",""
  101. "22:47:05.8041047","RegOpenKey","HKLM\Software\Microsoft\Windows NT\CurrentVersion\IME Compatibility","SUCCESS","Desired Access: Read"
  102. "22:47:05.8041363","RegQueryValue","HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IME Compatibility\contacts","NAME NOT FOUND","Length: 172"
  103. "22:47:05.8041587","RegCloseKey","HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IME Compatibility","SUCCESS",""
  104. "22:47:05.8042469","FileSystemControl","D:\","SUCCESS","Control: FSCTL_IS_VOLUME_MOUNTED"
  105. "22:47:05.8420277","CreateFile","D:\LPK.DLL","NAME NOT FOUND","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a"
  106. "22:47:05.8505637","CreateFile","C:\WINDOWS\system32\lpk.dll","SUCCESS","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
  107. "22:47:05.8508124","QueryBasicInformationFile","C:\WINDOWS\system32\lpk.dll","SUCCESS","CreationTime: 2008/08/20 12:00:00, LastAccessTime: 2013/02/05 0:00:00, LastWriteTime: 2008/08/20 12:00:00, ChangeTime: 1601/01/01 9:00:00, FileAttributes: A"
  108. "22:47:05.8510495","CloseFile","C:\WINDOWS\system32\lpk.dll","SUCCESS",""
  109. "22:47:05.8513834","CreateFile","C:\WINDOWS\system32\lpk.dll","SUCCESS","Desired Access: Execute/Traverse, Synchronize, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, Delete, AllocationSize: n/a, OpenResult: Opened"
  110. "22:47:05.8516379","CreateFileMapping","C:\WINDOWS\system32\lpk.dll","SUCCESS","SyncType: SyncTypeCreateSection, PageProtection: PAGE_EXECUTE"
  111. "22:47:05.8517030","CreateFileMapping","C:\WINDOWS\SYSTEM32\LPK.DLL","SUCCESS","SyncType: SyncTypeOther"
  112. "22:47:05.8520228","CloseFile","C:\WINDOWS\system32\lpk.dll","SUCCESS",""
  113. "22:47:05.8523268","Load Image","C:\WINDOWS\System32\LPK.DLL","SUCCESS","Image Base: 0x60740000, Image Size: 0x9000"
  114. "22:47:05.8524506","FileSystemControl","D:\","SUCCESS","Control: FSCTL_IS_VOLUME_MOUNTED"
  115. "22:47:05.8900190","CreateFile","D:\USP10.dll","NAME NOT FOUND","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a"
  116. "22:47:05.8986913","CreateFile","C:\WINDOWS\system32\usp10.dll","SUCCESS","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
  117. "22:47:05.8989688","QueryBasicInformationFile","C:\WINDOWS\system32\usp10.dll","SUCCESS","CreationTime: 2008/08/20 12:00:00, LastAccessTime: 2013/02/05 0:00:00, LastWriteTime: 2008/08/20 12:00:00, ChangeTime: 1601/01/01 9:00:00, FileAttributes: A"
  118. "22:47:05.8992339","CloseFile","C:\WINDOWS\system32\usp10.dll","SUCCESS",""
  119. "22:47:05.8995878","CreateFile","C:\WINDOWS\system32\usp10.dll","SUCCESS","Desired Access: Execute/Traverse, Synchronize, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, Delete, AllocationSize: n/a, OpenResult: Opened"
  120. "22:47:05.8999222","CreateFileMapping","C:\WINDOWS\system32\usp10.dll","SUCCESS","SyncType: SyncTypeCreateSection, PageProtection: PAGE_EXECUTE"
  121. "22:47:05.8999896","CreateFileMapping","C:\WINDOWS\SYSTEM32\USP10.DLL","SUCCESS","SyncType: SyncTypeOther"
  122. "22:47:05.9002781","CloseFile","C:\WINDOWS\system32\usp10.dll","SUCCESS",""
  123. "22:47:05.9013252","Load Image","C:\WINDOWS\System32\USP10.DLL","SUCCESS","Image Base: 0x73f80000, Image Size: 0x6b000"
  124. "22:47:05.9015057","RegOpenKey","HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\USP10.dll","NAME NOT FOUND","Desired Access: Read"
  125. "22:47:05.9016487","RegOpenKey","HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\LPK.DLL","NAME NOT FOUND","Desired Access: Read"
  126. "22:47:05.9018415","RegOpenKey","HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows","SUCCESS","Desired Access: Read"
  127. "22:47:05.9019996","RegQueryValue","HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs","SUCCESS","Type: REG_SZ, Length: 2, Data: "
  128. "22:47:05.9020348","RegCloseKey","HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows","SUCCESS",""
  129. "22:47:05.9035012","QueryNameInformationFile","D:\contacts.exe","BUFFER OVERFLOW","Name: \c"
  130. "22:47:05.9035294","QueryNameInformationFile","D:\contacts.exe","SUCCESS","Name: \contacts.exe"
  131. "22:47:05.9036886","RegSetValue","HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed","SUCCESS","Type: REG_BINARY, Length: 80, Data: 6E 66 45 30 5B 6B EB E7 AE 39 24 1B 3C 75 73 26"
  132. "22:47:05.9038233","RegOpenKey","HKLM\SYSTEM\CurrentControlSet\Control\Session Manager","SUCCESS","Desired Access: Read"
  133. "22:47:05.9039334","RegQueryValue","HKLM\System\CurrentControlSet\Control\Session Manager\CriticalSectionTimeout","SUCCESS","Type: REG_DWORD, Length: 4, Data: 2592000"
  134. "22:47:05.9039825","RegCloseKey","HKLM\System\CurrentControlSet\Control\Session Manager","SUCCESS",""
  135. "22:47:05.9039976","RegOpenKey","HKLM\Software\Microsoft\Ole","SUCCESS","Desired Access: Read"
  136. "22:47:05.9040269","RegQueryValue","HKLM\SOFTWARE\Microsoft\Ole\RWLockResourceTimeOut","NAME NOT FOUND","Length: 144"
  137. "22:47:05.9040532","RegCloseKey","HKLM\SOFTWARE\Microsoft\Ole","SUCCESS",""
  138. "22:47:05.9040873","RegOpenKey","HKCR\Interface","SUCCESS","Desired Access: Read"
  139. "22:47:05.9041420","RegCloseKey","HKCR\Interface","SUCCESS",""
  140. "22:47:05.9041515","RegOpenKey","HKCR\Interface\{00020400-0000-0000-C000-000000000046}","SUCCESS","Desired Access: Read"
  141. "22:47:05.9042035","RegCloseKey","HKCR\Interface\{00020400-0000-0000-C000-000000000046}","SUCCESS",""
  142. "22:47:05.9042546","ReadFile","D:\contacts.exe","SUCCESS","Offset: 9,216, Length: 32,768, I/O Flags: Non-cached, Paging I/O, Synchronous Paging I/O"
  143. "22:47:05.9419787","FileSystemControl","D:\","SUCCESS","Control: FSCTL_IS_VOLUME_MOUNTED"
  144. "22:47:05.9660253","CreateFile","D:\„.dll","NAME NOT FOUND","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a"
  145. "22:47:05.9743004","CreateFile","C:\WINDOWS\system32\„.dll","NAME NOT FOUND","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a"
  146. "22:47:05.9748074","CreateFile","C:\WINDOWS\system\„.dll","NAME NOT FOUND","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a"
  147. "22:47:05.9750513","CreateFile","C:\WINDOWS\„.dll","NAME NOT FOUND","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a"
  148. "22:47:05.9751206","FileSystemControl","D:\","SUCCESS","Control: FSCTL_IS_VOLUME_MOUNTED"
  149. "22:47:06.0349673","CreateFile","D:\„.dll","NAME NOT FOUND","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a"
  150. "22:47:06.0432863","CreateFile","C:\WINDOWS\system32\„.dll","NAME NOT FOUND","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a"
  151. "22:47:06.0436975","CreateFile","C:\WINDOWS\„.dll","NAME NOT FOUND","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a"
  152. "22:47:06.0441654","CreateFile","C:\WINDOWS\system32\wbem\„.dll","NAME NOT FOUND","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a"
  153. "22:47:06.0442612","ReadFile","D:\contacts.exe","SUCCESS","Offset: 50,176, Length: 32,768, I/O Flags: Non-cached, Paging I/O, Synchronous Paging I/O"
  154. "22:47:06.0829346","ReadFile","D:\contacts.exe","SUCCESS","Offset: 41,984, Length: 8,192, I/O Flags: Non-cached, Paging I/O, Synchronous Paging I/O"
  155. "22:47:06.1009126","FileSystemControl","D:\","SUCCESS","Control: FSCTL_IS_VOLUME_MOUNTED"
  156. "22:47:06.1425497","CreateFile","D:\フ・.dll","NAME NOT FOUND","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a"
  157. "22:47:06.1514330","CreateFile","C:\WINDOWS\system32\フ・.dll","NAME NOT FOUND","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a"
  158. "22:47:06.1522834","CreateFile","C:\WINDOWS\system\フ・.dll","NAME NOT FOUND","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a"
  159. "22:47:06.1527904","CreateFile","C:\WINDOWS\フ・.dll","NAME NOT FOUND","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a"
  160. "22:47:06.1528818","FileSystemControl","D:\","SUCCESS","Control: FSCTL_IS_VOLUME_MOUNTED"
  161. "22:47:06.1900105","CreateFile","D:\フ・.dll","NAME NOT FOUND","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a"
  162. "22:47:06.1989418","CreateFile","C:\WINDOWS\system32\フ・.dll","NAME NOT FOUND","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a"
  163. "22:47:06.1996813","CreateFile","C:\WINDOWS\フ・.dll","NAME NOT FOUND","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a"
  164. "22:47:06.2005188","CreateFile","C:\WINDOWS\system32\wbem\フ・.dll","NAME NOT FOUND","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a"
  165. "22:47:06.2006529","FileSystemControl","D:\","SUCCESS","Control: FSCTL_IS_VOLUME_MOUNTED"
  166. "22:47:06.2678299","CreateFile","D:\FD43u.dll","NAME NOT FOUND","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a"
  167. "22:47:06.2735773","CreateFile","C:\WINDOWS\system32\FD43u.dll","NAME NOT FOUND","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a"
  168. "22:47:06.2743371","CreateFile","C:\WINDOWS\system\FD43u.dll","NAME NOT FOUND","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a"
  169. "22:47:06.2748456","CreateFile","C:\WINDOWS\FD43u.dll","NAME NOT FOUND","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a"
  170. "22:47:06.2749436","FileSystemControl","D:\","SUCCESS","Control: FSCTL_IS_VOLUME_MOUNTED"
  171. "22:47:06.2969663","CreateFile","D:\FD43u.dll","NAME NOT FOUND","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a"
  172. "22:47:06.3027500","CreateFile","C:\WINDOWS\system32\FD43u.dll","NAME NOT FOUND","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a"
  173. "22:47:06.3035115","CreateFile","C:\WINDOWS\FD43u.dll","NAME NOT FOUND","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a"
  174. "22:47:06.3042725","CreateFile","C:\WINDOWS\system32\wbem\FD43u.dll","NAME NOT FOUND","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a"
  175. "22:47:06.3054914","FileSystemControl","D:\","SUCCESS","Control: FSCTL_IS_VOLUME_MOUNTED"
  176. "22:47:06.3168998","CreateFile","D:\^tdl\.dll","PATH NOT FOUND","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a"
  177. "22:47:06.3214912","CreateFile","C:\WINDOWS\system32\^tdl\.dll","PATH NOT FOUND","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a"
  178. "22:47:06.3218543","CreateFile","C:\WINDOWS\system\^tdl\.dll","PATH NOT FOUND","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a"
  179. "22:47:06.3220683","CreateFile","C:\WINDOWS\^tdl\.dll","PATH NOT FOUND","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a"
  180. "22:47:06.3221522","FileSystemControl","D:\","SUCCESS","Control: FSCTL_IS_VOLUME_MOUNTED"
  181. "22:47:06.3339009","CreateFile","D:\^tdl\.dll","PATH NOT FOUND","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a"
  182. "22:47:06.3388920","CreateFile","C:\WINDOWS\system32\^tdl\.dll","PATH NOT FOUND","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a"
  183. "22:47:06.3393351","CreateFile","C:\WINDOWS\^tdl\.dll","PATH NOT FOUND","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a"
  184. "22:47:06.3395750","CreateFile","C:\WINDOWS\System32\Wbem\^tdl\.dll","PATH NOT FOUND","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a"
  185. "22:47:06.3396521","FileSystemControl","D:\","SUCCESS","Control: FSCTL_IS_VOLUME_MOUNTED"
  186. "22:47:06.3918876","CreateFile","D:\^tdl\.dll","PATH NOT FOUND","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a"
  187. "22:47:06.3964624","CreateFile","C:\WINDOWS\system32\^tdl\.dll","PATH NOT FOUND","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a"
  188. "22:47:06.3968253","CreateFile","C:\WINDOWS\system\^tdl\.dll","PATH NOT FOUND","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a"
  189. "22:47:06.3970390","CreateFile","C:\WINDOWS\^tdl\.dll","PATH NOT FOUND","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a"
  190. "22:47:06.3971248","FileSystemControl","D:\","SUCCESS","Control: FSCTL_IS_VOLUME_MOUNTED"
  191. "22:47:06.4088470","CreateFile","D:\^tdl\.dll","PATH NOT FOUND","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a"
  192. "22:47:06.4131947","CreateFile","C:\WINDOWS\system32\^tdl\.dll","PATH NOT FOUND","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a"
  193. "22:47:06.4134520","CreateFile","C:\WINDOWS\^tdl\.dll","PATH NOT FOUND","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a"
  194. "22:47:06.4135939","CreateFile","C:\WINDOWS\System32\Wbem\^tdl\.dll","PATH NOT FOUND","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a"
  195. "22:47:06.4136738","FileSystemControl","D:\","SUCCESS","Control: FSCTL_IS_VOLUME_MOUNTED"
  196. "22:47:06.4268414","CreateFile","D:\_tdl].dll","NAME NOT FOUND","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a"
  197. "22:47:06.4311048","CreateFile","C:\WINDOWS\system32\_tdl].dll","NAME NOT FOUND","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a"
  198. "22:47:06.4314971","CreateFile","C:\WINDOWS\system\_tdl].dll","NAME NOT FOUND","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a"
  199. "22:47:06.4320220","CreateFile","C:\WINDOWS\_tdl].dll","NAME NOT FOUND","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a"
  200. "22:47:06.4334562","FileSystemControl","D:\","SUCCESS","Control: FSCTL_IS_VOLUME_MOUNTED"
  201. "22:47:06.4448398","CreateFile","D:\_tdl].dll","NAME NOT FOUND","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a"
  202. "22:47:06.4491457","CreateFile","C:\WINDOWS\system32\_tdl].dll","NAME NOT FOUND","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a"
  203. "22:47:06.4503408","CreateFile","C:\WINDOWS\_tdl].dll","NAME NOT FOUND","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a"
  204. "22:47:06.4507090","CreateFile","C:\WINDOWS\system32\wbem\_tdl].dll","NAME NOT FOUND","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a"
  205. "22:47:06.4508020","FileSystemControl","D:\","SUCCESS","Control: FSCTL_IS_VOLUME_MOUNTED"
  206. "22:47:06.4708691","CreateFile","D:\`tdl^.dll","NAME NOT FOUND","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a"
  207. "22:47:06.4754269","CreateFile","C:\WINDOWS\system32\`tdl^.dll","NAME NOT FOUND","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a"
  208. "22:47:06.4758966","CreateFile","C:\WINDOWS\system\`tdl^.dll","NAME NOT FOUND","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a"
  209. "22:47:06.4762083","CreateFile","C:\WINDOWS\`tdl^.dll","NAME NOT FOUND","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a"
  210. "22:47:06.4762768","FileSystemControl","D:\","SUCCESS","Control: FSCTL_IS_VOLUME_MOUNTED"
  211. "22:47:06.4958631","CreateFile","D:\`tdl^.dll","NAME NOT FOUND","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a"
  212. "22:47:06.5004114","CreateFile","C:\WINDOWS\system32\`tdl^.dll","NAME NOT FOUND","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a"
  213. "22:47:06.5008542","CreateFile","C:\WINDOWS\`tdl^.dll","NAME NOT FOUND","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a"
  214. "22:47:06.5013213","CreateFile","C:\WINDOWS\system32\wbem\`tdl^.dll","NAME NOT FOUND","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a"
  215. "22:47:06.5014001","FileSystemControl","D:\","SUCCESS","Control: FSCTL_IS_VOLUME_MOUNTED"
  216. "22:47:06.5208548","CreateFile","D:\atdl_.dll","NAME NOT FOUND","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a"
  217. "22:47:06.5259392","CreateFile","C:\WINDOWS\system32\atdl_.dll","NAME NOT FOUND","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a"
  218. "22:47:06.5264178","CreateFile","C:\WINDOWS\system\atdl_.dll","NAME NOT FOUND","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a"
  219. "22:47:06.5267301","CreateFile","C:\WINDOWS\atdl_.dll","NAME NOT FOUND","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a"
  220. "22:47:06.5267882","FileSystemControl","D:\","SUCCESS","Control: FSCTL_IS_VOLUME_MOUNTED"
  221. "22:47:06.5468503","CreateFile","D:\atdl_.dll","NAME NOT FOUND","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a"
  222. "22:47:06.5514067","CreateFile","C:\WINDOWS\system32\atdl_.dll","NAME NOT FOUND","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a"
  223. "22:47:06.5518498","CreateFile","C:\WINDOWS\atdl_.dll","NAME NOT FOUND","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a"
  224. "22:47:06.5523141","CreateFile","C:\WINDOWS\system32\wbem\atdl_.dll","NAME NOT FOUND","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a"
  225. "22:47:06.5523931","FileSystemControl","D:\","SUCCESS","Control: FSCTL_IS_VOLUME_MOUNTED"
  226. "22:47:06.5718479","CreateFile","D:\btdl`.dll","NAME NOT FOUND","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a"
  227. "22:47:06.5763962","CreateFile","C:\WINDOWS\system32\btdl`.dll","NAME NOT FOUND","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a"
  228. "22:47:06.5768594","CreateFile","C:\WINDOWS\system\btdl`.dll","NAME NOT FOUND","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a"
  229. "22:47:06.5771706","CreateFile","C:\WINDOWS\btdl`.dll","NAME NOT FOUND","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a"
  230. "22:47:06.5772251","FileSystemControl","D:\","SUCCESS","Control: FSCTL_IS_VOLUME_MOUNTED"
  231. "22:47:06.5968418","CreateFile","D:\btdl`.dll","NAME NOT FOUND","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a"
  232. "22:47:06.6013932","CreateFile","C:\WINDOWS\system32\btdl`.dll","NAME NOT FOUND","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a"
  233. "22:47:06.6018363","CreateFile","C:\WINDOWS\btdl`.dll","NAME NOT FOUND","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a"
  234. "22:47:06.6023017","CreateFile","C:\WINDOWS\system32\wbem\btdl`.dll","NAME NOT FOUND","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a"
  235. "22:47:06.6023693","FileSystemControl","D:\","SUCCESS","Control: FSCTL_IS_VOLUME_MOUNTED"
  236. "22:47:06.6218374","CreateFile","D:\ctdla.dll","NAME NOT FOUND","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a"
  237. "22:47:06.6263880","CreateFile","C:\WINDOWS\system32\ctdla.dll","NAME NOT FOUND","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a"
  238. "22:47:06.6268529","CreateFile","C:\WINDOWS\system\ctdla.dll","NAME NOT FOUND","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a"
  239. "22:47:06.6271635","CreateFile","C:\WINDOWS\ctdla.dll","NAME NOT FOUND","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a"
  240. "22:47:06.6272180","FileSystemControl","D:\","SUCCESS","Control: FSCTL_IS_VOLUME_MOUNTED"
  241. "22:47:06.6498494","CreateFile","D:\ctdla.dll","NAME NOT FOUND","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a"
  242. "22:47:06.6594816","CreateFile","C:\WINDOWS\system32\ctdla.dll","NAME NOT FOUND","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a"
  243. "22:47:06.7446735","CreateFile","C:\WINDOWS\ctdla.dll","NAME NOT FOUND","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a"
  244. "22:47:06.7452040","CreateFile","C:\WINDOWS\system32\wbem\ctdla.dll","NAME NOT FOUND","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a"
  245. "22:47:06.7453054","FileSystemControl","D:\","SUCCESS","Control: FSCTL_IS_VOLUME_MOUNTED"
  246. "22:47:06.7648165","CreateFile","D:\dtdlb.dll","NAME NOT FOUND","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a"
  247. "22:47:06.7693663","CreateFile","C:\WINDOWS\system32\dtdlb.dll","NAME NOT FOUND","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a"
  248. "22:47:06.7698350","CreateFile","C:\WINDOWS\system\dtdlb.dll","NAME NOT FOUND","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a"
  249. "22:47:06.7701474","CreateFile","C:\WINDOWS\dtdlb.dll","NAME NOT FOUND","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a"
  250. "22:47:06.7702027","FileSystemControl","D:\","SUCCESS","Control: FSCTL_IS_VOLUME_MOUNTED"
  251. "22:47:06.7898082","CreateFile","D:\dtdlb.dll","NAME NOT FOUND","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a"
  252. "22:47:06.7943541","CreateFile","C:\WINDOWS\system32\dtdlb.dll","NAME NOT FOUND","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a"
  253. "22:47:06.7947985","CreateFile","C:\WINDOWS\dtdlb.dll","NAME NOT FOUND","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a"
  254. "22:47:06.7952642","CreateFile","C:\WINDOWS\system32\wbem\dtdlb.dll","NAME NOT FOUND","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a"
  255. "22:47:06.7960912","FileSystemControl","D:\","SUCCESS","Control: FSCTL_IS_VOLUME_MOUNTED"
  256. "22:47:06.8168108","CreateFile","D:\etdlc.dll","NAME NOT FOUND","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a"
  257. "22:47:06.8213553","CreateFile","C:\WINDOWS\system32\etdlc.dll","NAME NOT FOUND","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a"
  258. "22:47:06.8218182","CreateFile","C:\WINDOWS\system\etdlc.dll","NAME NOT FOUND","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a"
  259. "22:47:06.8224903","CreateFile","C:\WINDOWS\etdlc.dll","NAME NOT FOUND","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a"
  260. "22:47:06.8225462","FileSystemControl","D:\","SUCCESS","Control: FSCTL_IS_VOLUME_MOUNTED"
  261. "22:47:06.8418000","CreateFile","D:\etdlc.dll","NAME NOT FOUND","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a"
  262. "22:47:06.8463467","CreateFile","C:\WINDOWS\system32\etdlc.dll","NAME NOT FOUND","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a"
  263. "22:47:06.8467884","CreateFile","C:\WINDOWS\etdlc.dll","NAME NOT FOUND","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a"
  264. "22:47:06.8474647","CreateFile","C:\WINDOWS\system32\wbem\etdlc.dll","NAME NOT FOUND","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a"
  265. "22:47:06.8475343","FileSystemControl","D:\","SUCCESS","Control: FSCTL_IS_VOLUME_MOUNTED"
  266. "22:47:06.8667982","CreateFile","D:\ftdld.dll","NAME NOT FOUND","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a"
  267. "22:47:06.8713479","CreateFile","C:\WINDOWS\system32\ftdld.dll","NAME NOT FOUND","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a"
  268. "22:47:06.8718122","CreateFile","C:\WINDOWS\system\ftdld.dll","NAME NOT FOUND","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a"
  269. "22:47:06.8724581","CreateFile","C:\WINDOWS\ftdld.dll","NAME NOT FOUND","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a"
  270. "22:47:06.8725140","FileSystemControl","D:\","SUCCESS","Control: FSCTL_IS_VOLUME_MOUNTED"
  271. "22:47:06.9508178","CreateFile","D:\ftdld.dll","NAME NOT FOUND","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a"
  272. "22:47:06.9553932","CreateFile","C:\WINDOWS\system32\ftdld.dll","NAME NOT FOUND","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a"
  273. "22:47:06.9785979","CreateFile","C:\WINDOWS\ftdld.dll","NAME NOT FOUND","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a"
  274. "22:47:06.9790831","CreateFile","C:\WINDOWS\system32\wbem\ftdld.dll","NAME NOT FOUND","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a"
  275. "22:47:06.9791748","FileSystemControl","D:\","SUCCESS","Control: FSCTL_IS_VOLUME_MOUNTED"
  276. "22:47:07.0027842","CreateFile","D:\gtdle.dll","NAME NOT FOUND","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a"
  277. "22:47:07.0073716","CreateFile","C:\WINDOWS\system32\gtdle.dll","NAME NOT FOUND","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a"
  278. "22:47:07.0078413","CreateFile","C:\WINDOWS\system\gtdle.dll","NAME NOT FOUND","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a"
  279. "22:47:07.0081550","CreateFile","C:\WINDOWS\gtdle.dll","NAME NOT FOUND","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a"
  280. "22:47:07.0082114","FileSystemControl","D:\","SUCCESS","Control: FSCTL_IS_VOLUME_MOUNTED"
  281. "22:47:07.0278089","CreateFile","D:\gtdle.dll","NAME NOT FOUND","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a"
  282. "22:47:07.0325366","CreateFile","C:\WINDOWS\system32\gtdle.dll","NAME NOT FOUND","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a"
  283. "22:47:07.0331204","CreateFile","C:\WINDOWS\gtdle.dll","NAME NOT FOUND","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a"
  284. "22:47:07.0337172","CreateFile","C:\WINDOWS\system32\wbem\gtdle.dll","NAME NOT FOUND","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a"
  285. "22:47:07.0419484","FileSystemControl","D:\","SUCCESS","Control: FSCTL_IS_VOLUME_MOUNTED"
  286. "22:47:07.0617964","CreateFile","D:\htdlf.dll","NAME NOT FOUND","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a"
  287. "22:47:07.0665065","CreateFile","C:\WINDOWS\system32\htdlf.dll","NAME NOT FOUND","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a"
  288. "22:47:07.0671033","CreateFile","C:\WINDOWS\system\htdlf.dll","NAME NOT FOUND","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a"
  289. "22:47:07.0677508","CreateFile","C:\WINDOWS\htdlf.dll","NAME NOT FOUND","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a"
  290. "22:47:07.0678257","FileSystemControl","D:\","SUCCESS","Control: FSCTL_IS_VOLUME_MOUNTED"
  291. "22:47:07.0877863","CreateFile","D:\htdlf.dll","NAME NOT FOUND","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a"
  292. "22:47:07.0925151","CreateFile","C:\WINDOWS\system32\htdlf.dll","NAME NOT FOUND","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a"
  293. "22:47:07.0930948","CreateFile","C:\WINDOWS\htdlf.dll","NAME NOT FOUND","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a"
  294. "22:47:07.0939231","CreateFile","C:\WINDOWS\system32\wbem\htdlf.dll","NAME NOT FOUND","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a"
  295. "22:47:07.0940190","FileSystemControl","D:\","SUCCESS","Control: FSCTL_IS_VOLUME_MOUNTED"
  296. "22:47:07.1137782","CreateFile","D:\itdlg.dll","NAME NOT FOUND","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a"
  297. "22:47:07.1185078","CreateFile","C:\WINDOWS\system32\itdlg.dll","NAME NOT FOUND","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a"
  298. "22:47:07.1194384","CreateFile","C:\WINDOWS\system\itdlg.dll","NAME NOT FOUND","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a"
  299. "22:47:07.1198404","CreateFile","C:\WINDOWS\itdlg.dll","NAME NOT FOUND","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a"
  300. "22:47:07.1199144","FileSystemControl","D:\","SUCCESS","Control: FSCTL_IS_VOLUME_MOUNTED"
  301. "22:47:07.1458881","CreateFile","D:\itdlg.dll","NAME NOT FOUND","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a"
  302. "22:47:07.1515942","CreateFile","C:\WINDOWS\system32\itdlg.dll","NAME NOT FOUND","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a"
  303. "22:47:07.1551161","CreateFile","C:\WINDOWS\itdlg.dll","NAME NOT FOUND","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a"
  304. "22:47:07.1557229","CreateFile","C:\WINDOWS\system32\wbem\itdlg.dll","NAME NOT FOUND","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a"
  305. "22:47:07.1558221","FileSystemControl","D:\","SUCCESS","Control: FSCTL_IS_VOLUME_MOUNTED"
  306. "22:47:07.1757799","CreateFile","D:\jtdlh.dll","NAME NOT FOUND","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a"
  307. "22:47:07.1804917","CreateFile","C:\WINDOWS\system32\jtdlh.dll","NAME NOT FOUND","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a"
  308. "22:47:07.1810904","CreateFile","C:\WINDOWS\system\jtdlh.dll","NAME NOT FOUND","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a"
  309. "22:47:07.1814907","CreateFile","C:\WINDOWS\jtdlh.dll","NAME NOT FOUND","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a"
  310. "22:47:07.1838424","FileSystemControl","D:\","SUCCESS","Control: FSCTL_IS_VOLUME_MOUNTED"
  311. "22:47:07.2037673","CreateFile","D:\jtdlh.dll","NAME NOT FOUND","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a"
  312. "22:47:07.2094968","CreateFile","C:\WINDOWS\system32\jtdlh.dll","NAME NOT FOUND","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a"
  313. "22:47:07.2100776","CreateFile","C:\WINDOWS\jtdlh.dll","NAME NOT FOUND","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a"
  314. "22:47:07.2116993","CreateFile","C:\WINDOWS\system32\wbem\jtdlh.dll","NAME NOT FOUND","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a"
  315. "22:47:07.2117971","FileSystemControl","D:\","SUCCESS","Control: FSCTL_IS_VOLUME_MOUNTED"
  316. "22:47:07.2357610","CreateFile","D:\ktdli.dll","NAME NOT FOUND","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a"
  317. "22:47:07.2404853","CreateFile","C:\WINDOWS\system32\ktdli.dll","NAME NOT FOUND","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a"
  318. "22:47:07.2410815","CreateFile","C:\WINDOWS\system\ktdli.dll","NAME NOT FOUND","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a"
  319. "22:47:07.2414827","CreateFile","C:\WINDOWS\ktdli.dll","NAME NOT FOUND","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a"
  320. "22:47:07.2415562","FileSystemControl","D:\","SUCCESS","Control: FSCTL_IS_VOLUME_MOUNTED"
  321. "22:47:07.2607561","CreateFile","D:\ktdli.dll","NAME NOT FOUND","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a"
  322. "22:47:07.2666596","CreateFile","C:\WINDOWS\system32\ktdli.dll","NAME NOT FOUND","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a"
  323. "22:47:07.2673430","CreateFile","C:\WINDOWS\ktdli.dll","NAME NOT FOUND","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a"
  324. "22:47:07.2679433","CreateFile","C:\WINDOWS\system32\wbem\ktdli.dll","NAME NOT FOUND","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a"
  325. "22:47:07.2680389","FileSystemControl","D:\","SUCCESS","Control: FSCTL_IS_VOLUME_MOUNTED"
  326. "22:47:07.2877520","CreateFile","D:\ltdlj.dll","NAME NOT FOUND","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a"
  327. "22:47:07.2925101","CreateFile","C:\WINDOWS\system32\ltdlj.dll","NAME NOT FOUND","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a"
  328. "22:47:07.2931094","CreateFile","C:\WINDOWS\system\ltdlj.dll","NAME NOT FOUND","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a"
  329. "22:47:07.2935097","CreateFile","C:\WINDOWS\ltdlj.dll","NAME NOT FOUND","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a"
  330. "22:47:07.2935826","FileSystemControl","D:\","SUCCESS","Control: FSCTL_IS_VOLUME_MOUNTED"
  331. "22:47:07.3127498","CreateFile","D:\ltdlj.dll","NAME NOT FOUND","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a"
  332. "22:47:07.3174588","CreateFile","C:\WINDOWS\system32\ltdlj.dll","NAME NOT FOUND","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a"
  333. "22:47:07.3180343","CreateFile","C:\WINDOWS\ltdlj.dll","NAME NOT FOUND","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a"
  334. "22:47:07.3186268","CreateFile","C:\WINDOWS\system32\wbem\ltdlj.dll","NAME NOT FOUND","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a"
  335. "22:47:07.3189755","FileSystemControl","D:\","SUCCESS","Control: FSCTL_IS_VOLUME_MOUNTED"
  336. "22:47:07.3387425","CreateFile","D:\mtdlk.dll","NAME NOT FOUND","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a"
  337. "22:47:07.3434577","CreateFile","C:\WINDOWS\system32\mtdlk.dll","NAME NOT FOUND","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a"
  338. "22:47:07.3440563","CreateFile","C:\WINDOWS\system\mtdlk.dll","NAME NOT FOUND","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a"
  339. "22:47:07.3445801","CreateFile","C:\WINDOWS\mtdlk.dll","NAME NOT FOUND","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a"
  340. "22:47:07.3446556","FileSystemControl","D:\","SUCCESS","Control: FSCTL_IS_VOLUME_MOUNTED"
  341. "22:47:07.3657381","CreateFile","D:\mtdlk.dll","NAME NOT FOUND","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a"
  342. "22:47:07.3704982","CreateFile","C:\WINDOWS\system32\mtdlk.dll","NAME NOT FOUND","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a"
  343. "22:47:07.3710807","CreateFile","C:\WINDOWS\mtdlk.dll","NAME NOT FOUND","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a"
  344. "22:47:07.3721350","CreateFile","C:\WINDOWS\system32\wbem\mtdlk.dll","NAME NOT FOUND","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a"
  345. "22:47:07.3724278","ReadFile","D:\contacts.exe","SUCCESS","Offset: 1,024, Length: 8,192, I/O Flags: Non-cached, Paging I/O, Synchronous Paging I/O"
  346. "22:47:07.5091156","ReadFile","D:\contacts.exe","SUCCESS","Offset: 82,944, Length: 1,536, I/O Flags: Non-cached, Paging I/O, Synchronous Paging I/O"
  347. "22:47:07.5183550","ReadFile","D:\contacts.exe","SUCCESS","Offset: 85,504, Length: 16,384, I/O Flags: Non-cached, Paging I/O, Synchronous Paging I/O"
  348. "22:47:07.5394345","ReadFile","D:\contacts.exe","SUCCESS","Offset: 101,888, Length: 16,384, I/O Flags: Non-cached, Paging I/O, Synchronous Paging I/O"
  349. "22:47:07.5597329","ReadFile","D:\contacts.exe","SUCCESS","Offset: 118,272, Length: 16,384, I/O Flags: Non-cached, Paging I/O, Synchronous Paging I/O"
  350. "22:47:07.5807543","ReadFile","D:\contacts.exe","SUCCESS","Offset: 134,656, Length: 16,384, I/O Flags: Non-cached, Paging I/O, Synchronous Paging I/O"
  351. "22:47:07.6017863","ReadFile","D:\contacts.exe","SUCCESS","Offset: 151,040, Length: 16,384, I/O Flags: Non-cached, Paging I/O, Synchronous Paging I/O"
  352. "22:47:07.6243646","ReadFile","D:\contacts.exe","SUCCESS","Offset: 167,424, Length: 8,192, I/O Flags: Non-cached, Paging I/O, Synchronous Paging I/O"
  353. "22:47:10.2438319","FileSystemControl","D:\","SUCCESS","Control: FSCTL_IS_VOLUME_MOUNTED"
  354. "22:47:10.2632279","CreateFile","D:\Cabinet.dll","NAME NOT FOUND","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a"
  355. "22:47:10.2675958","CreateFile","C:\WINDOWS\system32\cabinet.dll","SUCCESS","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
  356. "22:47:10.2677715","QueryBasicInformationFile","C:\WINDOWS\system32\cabinet.dll","SUCCESS","CreationTime: 2008/08/20 12:00:00, LastAccessTime: 2013/02/05 0:00:00, LastWriteTime: 2008/08/20 12:00:00, ChangeTime: 1601/01/01 9:00:00, FileAttributes: A"
  357. "22:47:10.2679369","CloseFile","C:\WINDOWS\system32\cabinet.dll","SUCCESS",""
  358. "22:47:10.2681685","CreateFile","C:\WINDOWS\system32\cabinet.dll","SUCCESS","Desired Access: Execute/Traverse, Synchronize, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, Delete, AllocationSize: n/a, OpenResult: Opened"
  359. "22:47:10.3109192","CreateFileMapping","C:\WINDOWS\system32\cabinet.dll","SUCCESS","SyncType: SyncTypeCreateSection, PageProtection: PAGE_EXECUTE"
  360. "22:47:10.3109465","CreateFileMapping","C:\WINDOWS\SYSTEM32\CABINET.DLL","SUCCESS","SyncType: SyncTypeOther"
  361. "22:47:10.3111262","CloseFile","C:\WINDOWS\system32\cabinet.dll","SUCCESS",""
  362. "22:47:10.3114159","Load Image","C:\WINDOWS\System32\CABINET.DLL","SUCCESS","Image Base: 0x75090000, Image Size: 0x13000"
  363. "22:47:10.3131831","RegOpenKey","HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Cabinet.dll","NAME NOT FOUND","Desired Access: Read"
  364. "22:47:10.3133144","FileSystemControl","D:\","SUCCESS","Control: FSCTL_IS_VOLUME_MOUNTED"
  365. "22:47:10.3332186","CreateFile","D:\WS2_32.dll","NAME NOT FOUND","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a"
  366. "22:47:10.3375946","CreateFile","C:\WINDOWS\system32\ws2_32.dll","SUCCESS","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
  367. "22:47:10.3377650","QueryBasicInformationFile","C:\WINDOWS\system32\ws2_32.dll","SUCCESS","CreationTime: 2008/08/20 12:00:00, LastAccessTime: 2013/02/05 0:00:00, LastWriteTime: 2008/08/20 12:00:00, ChangeTime: 1601/01/01 9:00:00, FileAttributes: A"
  368. "22:47:10.3382369","CloseFile","C:\WINDOWS\system32\ws2_32.dll","SUCCESS",""
  369. "22:47:10.3384699","CreateFile","C:\WINDOWS\system32\ws2_32.dll","SUCCESS","Desired Access: Execute/Traverse, Synchronize, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, Delete, AllocationSize: n/a, OpenResult: Opened"
  370. "22:47:10.3386442","CreateFileMapping","C:\WINDOWS\system32\ws2_32.dll","SUCCESS","SyncType: SyncTypeCreateSection, PageProtection: PAGE_EXECUTE"
  371. "22:47:10.3387001","CreateFileMapping","C:\WINDOWS\SYSTEM32\WS2_32.DLL","SUCCESS","SyncType: SyncTypeOther"
  372. "22:47:10.3388803","CloseFile","C:\WINDOWS\system32\ws2_32.dll","SUCCESS",""
  373. "22:47:10.3391459","Load Image","C:\WINDOWS\System32\WS2_32.DLL","SUCCESS","Image Base: 0x719e0000, Image Size: 0x17000"
  374. "22:47:10.3392837","FileSystemControl","D:\","SUCCESS","Control: FSCTL_IS_VOLUME_MOUNTED"
  375. "22:47:10.3592133","CreateFile","D:\WS2HELP.dll","NAME NOT FOUND","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a"
  376. "22:47:10.3635742","CreateFile","C:\WINDOWS\system32\ws2help.dll","SUCCESS","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
  377. "22:47:10.3637438","QueryBasicInformationFile","C:\WINDOWS\system32\ws2help.dll","SUCCESS","CreationTime: 2008/08/20 12:00:00, LastAccessTime: 2013/02/05 0:00:00, LastWriteTime: 2008/08/20 12:00:00, ChangeTime: 1601/01/01 9:00:00, FileAttributes: A"
  378. "22:47:10.3639063","CloseFile","C:\WINDOWS\system32\ws2help.dll","SUCCESS",""
  379. "22:47:10.3641365","CreateFile","C:\WINDOWS\system32\ws2help.dll","SUCCESS","Desired Access: Execute/Traverse, Synchronize, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, Delete, AllocationSize: n/a, OpenResult: Opened"
  380. "22:47:10.3643081","CreateFileMapping","C:\WINDOWS\system32\ws2help.dll","SUCCESS","SyncType: SyncTypeCreateSection, PageProtection: PAGE_EXECUTE"
  381. "22:47:10.3643592","CreateFileMapping","C:\WINDOWS\SYSTEM32\WS2HELP.DLL","SUCCESS","SyncType: SyncTypeOther"
  382. "22:47:10.3647791","CloseFile","C:\WINDOWS\system32\ws2help.dll","SUCCESS",""
  383. "22:47:10.3650193","Load Image","C:\WINDOWS\System32\WS2HELP.DLL","SUCCESS","Image Base: 0x719d0000, Image Size: 0x8000"
  384. "22:47:10.3651713","RegOpenKey","HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WS2HELP.dll","NAME NOT FOUND","Desired Access: Read"
  385. "22:47:10.3652009","RegOpenKey","HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WS2_32.dll","NAME NOT FOUND","Desired Access: Read"
  386. "22:47:10.3659002","RegOpenKey","HKLM\System\CurrentControlSet\Services\WinSock2\Parameters","SUCCESS","Desired Access: Maximum Allowed"
  387. "22:47:10.3659440","RegQueryValue","HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\WinSock_Registry_Version","SUCCESS","Type: REG_SZ, Length: 8, Data: 2.0"
  388. "22:47:10.3659678","RegQueryValue","HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\WinSock_Registry_Version","SUCCESS","Type: REG_SZ, Length: 8, Data: 2.0"
  389. "22:47:10.3660038","RegOpenKey","HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9","SUCCESS","Desired Access: Maximum Allowed"
  390. "22:47:10.3660298","RegQueryValue","HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Serial_Access_Num","SUCCESS","Type: REG_DWORD, Length: 4, Data: 9"
  391. "22:47:10.3660644","RegQueryValue","HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Serial_Access_Num","SUCCESS","Type: REG_DWORD, Length: 4, Data: 9"
  392. "22:47:10.3660949","RegOpenKey","HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\00000009","NAME NOT FOUND","Desired Access: Maximum Allowed"
  393. "22:47:10.3661136","RegQueryValue","HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Next_Catalog_Entry_ID","SUCCESS","Type: REG_DWORD, Length: 4, Data: 1025"
  394. "22:47:10.3661306","RegQueryValue","HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Num_Catalog_Entries","SUCCESS","Type: REG_DWORD, Length: 4, Data: 14"
  395. "22:47:10.3661460","RegOpenKey","HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries","SUCCESS","Desired Access: Maximum Allowed"
  396. "22:47:10.3661726","RegOpenKey","HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001","SUCCESS","Desired Access: Read"
  397. "22:47:10.3661980","RegQueryValue","HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001\PackedCatalogItem","BUFFER OVERFLOW","Length: 144"
  398. "22:47:10.3662167","RegQueryValue","HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001\PackedCatalogItem","BUFFER OVERFLOW","Length: 144"
  399. "22:47:10.3662335","RegQueryValue","HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001\PackedCatalogItem","SUCCESS","Type: REG_BINARY, Length: 888, Data: 25 53 79 73 74 65 6D 52 6F 6F 74 25 5C 73 79 73"
  400. "22:47:10.3663136","RegCloseKey","HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001","SUCCESS",""
  401. "22:47:10.3663298","RegOpenKey","HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000002","SUCCESS","Desired Access: Read"
  402. "22:47:10.3663539","RegQueryValue","HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000002\PackedCatalogItem","BUFFER OVERFLOW","Length: 144"
  403. "22:47:10.3663720","RegQueryValue","HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000002\PackedCatalogItem","BUFFER OVERFLOW","Length: 144"
  404. "22:47:10.3663913","RegQueryValue","HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000002\PackedCatalogItem","SUCCESS","Type: REG_BINARY, Length: 888, Data: 25 53 79 73 74 65 6D 52 6F 6F 74 25 5C 73 79 73"
  405. "22:47:10.3666760","RegCloseKey","HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000002","SUCCESS",""
  406. "22:47:10.3666933","RegOpenKey","HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000003","SUCCESS","Desired Access: Read"
  407. "22:47:10.3667187","RegQueryValue","HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000003\PackedCatalogItem","BUFFER OVERFLOW","Length: 144"
  408. "22:47:10.3667366","RegQueryValue","HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000003\PackedCatalogItem","BUFFER OVERFLOW","Length: 144"
  409. "22:47:10.3667534","RegQueryValue","HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000003\PackedCatalogItem","SUCCESS","Type: REG_BINARY, Length: 888, Data: 25 53 79 73 74 65 6D 52 6F 6F 74 25 5C 73 79 73"
  410. "22:47:10.3667813","RegCloseKey","HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000003","SUCCESS",""
  411. "22:47:10.3667964","RegOpenKey","HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000004","SUCCESS","Desired Access: Read"
  412. "22:47:10.3668265","RegQueryValue","HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000004\PackedCatalogItem","BUFFER OVERFLOW","Length: 144"
  413. "22:47:10.3668469","RegQueryValue","HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000004\PackedCatalogItem","BUFFER OVERFLOW","Length: 144"
  414. "22:47:10.3668634","RegQueryValue","HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000004\PackedCatalogItem","SUCCESS","Type: REG_BINARY, Length: 888, Data: 25 53 79 73 74 65 6D 52 6F 6F 74 25 5C 73 79 73"
  415. "22:47:10.3668911","RegCloseKey","HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000004","SUCCESS",""
  416. "22:47:10.3669059","RegOpenKey","HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000005","SUCCESS","Desired Access: Read"
  417. "22:47:10.3669296","RegQueryValue","HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000005\PackedCatalogItem","BUFFER OVERFLOW","Length: 144"
  418. "22:47:10.3669475","RegQueryValue","HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000005\PackedCatalogItem","BUFFER OVERFLOW","Length: 144"
  419. "22:47:10.3669643","RegQueryValue","HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000005\PackedCatalogItem","SUCCESS","Type: REG_BINARY, Length: 888, Data: 25 53 79 73 74 65 6D 52 6F 6F 74 25 5C 73 79 73"
  420. "22:47:10.3669908","RegCloseKey","HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000005","SUCCESS",""
  421. "22:47:10.3670053","RegOpenKey","HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000006","SUCCESS","Desired Access: Read"
  422. "22:47:10.3670291","RegQueryValue","HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000006\PackedCatalogItem","BUFFER OVERFLOW","Length: 144"
  423. "22:47:10.3670472","RegQueryValue","HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000006\PackedCatalogItem","BUFFER OVERFLOW","Length: 144"
  424. "22:47:10.3670662","RegQueryValue","HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000006\PackedCatalogItem","SUCCESS","Type: REG_BINARY, Length: 888, Data: 25 53 79 73 74 65 6D 52 6F 6F 74 25 5C 73 79 73"
  425. "22:47:10.3670931","RegCloseKey","HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000006","SUCCESS",""
  426. "22:47:10.3671076","RegOpenKey","HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000007","SUCCESS","Desired Access: Read"
  427. "22:47:10.3671311","RegQueryValue","HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000007\PackedCatalogItem","BUFFER OVERFLOW","Length: 144"
  428. "22:47:10.3671489","RegQueryValue","HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000007\PackedCatalogItem","BUFFER OVERFLOW","Length: 144"
  429. "22:47:10.3671654","RegQueryValue","HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000007\PackedCatalogItem","SUCCESS","Type: REG_BINARY, Length: 888, Data: 25 53 79 73 74 65 6D 52 6F 6F 74 25 5C 73 79 73"
  430. "22:47:10.3671920","RegCloseKey","HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000007","SUCCESS",""
  431. "22:47:10.3672065","RegOpenKey","HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000008","SUCCESS","Desired Access: Read"
  432. "22:47:10.3672294","RegQueryValue","HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000008\PackedCatalogItem","BUFFER OVERFLOW","Length: 144"
  433. "22:47:10.3672470","RegQueryValue","HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000008\PackedCatalogItem","BUFFER OVERFLOW","Length: 144"
  434. "22:47:10.3672638","RegQueryValue","HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000008\PackedCatalogItem","SUCCESS","Type: REG_BINARY, Length: 888, Data: 25 53 79 73 74 65 6D 52 6F 6F 74 25 5C 73 79 73"
  435. "22:47:10.3674895","RegCloseKey","HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000008","SUCCESS",""
  436. "22:47:10.3675057","RegOpenKey","HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000009","SUCCESS","Desired Access: Read"
  437. "22:47:10.3675303","RegQueryValue","HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000009\PackedCatalogItem","BUFFER OVERFLOW","Length: 144"
  438. "22:47:10.3675484","RegQueryValue","HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000009\PackedCatalogItem","BUFFER OVERFLOW","Length: 144"
  439. "22:47:10.3675652","RegQueryValue","HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000009\PackedCatalogItem","SUCCESS","Type: REG_BINARY, Length: 888, Data: 25 53 79 73 74 65 6D 52 6F 6F 74 25 5C 73 79 73"
  440. "22:47:10.3675928","RegCloseKey","HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000009","SUCCESS",""
  441. "22:47:10.3676074","RegOpenKey","HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000010","SUCCESS","Desired Access: Read"
  442. "22:47:10.3676306","RegQueryValue","HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000010\PackedCatalogItem","BUFFER OVERFLOW","Length: 144"
  443. "22:47:10.3676484","RegQueryValue","HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000010\PackedCatalogItem","BUFFER OVERFLOW","Length: 144"
  444. "22:47:10.3676674","RegQueryValue","HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000010\PackedCatalogItem","SUCCESS","Type: REG_BINARY, Length: 888, Data: 25 53 79 73 74 65 6D 52 6F 6F 74 25 5C 73 79 73"
  445. "22:47:10.3676945","RegCloseKey","HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000010","SUCCESS",""
  446. "22:47:10.3677091","RegOpenKey","HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000011","SUCCESS","Desired Access: Read"
  447. "22:47:10.3677339","RegQueryValue","HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000011\PackedCatalogItem","BUFFER OVERFLOW","Length: 144"
  448. "22:47:10.3677521","RegQueryValue","HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000011\PackedCatalogItem","BUFFER OVERFLOW","Length: 144"
  449. "22:47:10.3677688","RegQueryValue","HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000011\PackedCatalogItem","SUCCESS","Type: REG_BINARY, Length: 888, Data: 25 53 79 73 74 65 6D 52 6F 6F 74 25 5C 73 79 73"
  450. "22:47:10.3677962","RegCloseKey","HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000011","SUCCESS",""
  451. "22:47:10.3678107","RegOpenKey","HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000012","SUCCESS","Desired Access: Read"
  452. "22:47:10.3678348","RegQueryValue","HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000012\PackedCatalogItem","BUFFER OVERFLOW","Length: 144"
  453. "22:47:10.3678532","RegQueryValue","HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000012\PackedCatalogItem","BUFFER OVERFLOW","Length: 144"
  454. "22:47:10.3678700","RegQueryValue","HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000012\PackedCatalogItem","SUCCESS","Type: REG_BINARY, Length: 888, Data: 25 53 79 73 74 65 6D 52 6F 6F 74 25 5C 73 79 73"
  455. "22:47:10.3678971","RegCloseKey","HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000012","SUCCESS",""
  456. "22:47:10.3679116","RegOpenKey","HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000013","SUCCESS","Desired Access: Read"
  457. "22:47:10.3679353","RegQueryValue","HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000013\PackedCatalogItem","BUFFER OVERFLOW","Length: 144"
  458. "22:47:10.3679535","RegQueryValue","HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000013\PackedCatalogItem","BUFFER OVERFLOW","Length: 144"
  459. "22:47:10.3679705","RegQueryValue","HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000013\PackedCatalogItem","SUCCESS","Type: REG_BINARY, Length: 888, Data: 25 53 79 73 74 65 6D 52 6F 6F 74 25 5C 73 79 73"
  460. "22:47:10.3679974","RegCloseKey","HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000013","SUCCESS",""
  461. "22:47:10.3680116","RegOpenKey","HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000014","SUCCESS","Desired Access: Read"
  462. "22:47:10.3680351","RegQueryValue","HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000014\PackedCatalogItem","BUFFER OVERFLOW","Length: 144"
  463. "22:47:10.3680538","RegQueryValue","HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000014\PackedCatalogItem","BUFFER OVERFLOW","Length: 144"
  464. "22:47:10.3680700","RegQueryValue","HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000014\PackedCatalogItem","SUCCESS","Type: REG_BINARY, Length: 888, Data: 25 53 79 73 74 65 6D 52 6F 6F 74 25 5C 73 79 73"
  465. "22:47:10.3681005","RegCloseKey","HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000014","SUCCESS",""
  466. "22:47:10.3681208","RegCloseKey","HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries","SUCCESS",""
  467. "22:47:10.3681410","RegOpenKey","HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5","SUCCESS","Desired Access: Maximum Allowed"
  468. "22:47:10.3681661","RegQueryValue","HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Serial_Access_Num","SUCCESS","Type: REG_DWORD, Length: 4, Data: 4"
  469. "22:47:10.3681898","RegQueryValue","HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Serial_Access_Num","SUCCESS","Type: REG_DWORD, Length: 4, Data: 4"
  470. "22:47:10.3682077","RegOpenKey","HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\00000004","NAME NOT FOUND","Desired Access: Maximum Allowed"
  471. "22:47:10.3682248","RegQueryValue","HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Num_Catalog_Entries","SUCCESS","Type: REG_DWORD, Length: 4, Data: 3"
  472. "22:47:10.3682413","RegOpenKey","HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries","SUCCESS","Desired Access: Maximum Allowed"
  473. "22:47:10.3682672","RegOpenKey","HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001","SUCCESS","Desired Access: Read"
  474. "22:47:10.3682913","RegQueryValue","HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001\LibraryPath","SUCCESS","Type: REG_SZ, Length: 68, Data: %SystemRoot%\System32\mswsock.dll"
  475. "22:47:10.3683100","RegQueryValue","HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001\LibraryPath","SUCCESS","Type: REG_SZ, Length: 68, Data: %SystemRoot%\System32\mswsock.dll"
  476. "22:47:10.3683309","RegQueryValue","HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001\DisplayString","SUCCESS","Type: REG_SZ, Length: 12, Data: Tcpip"
  477. "22:47:10.3683480","RegQueryValue","HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001\DisplayString","SUCCESS","Type: REG_SZ, Length: 12, Data: Tcpip"
  478. "22:47:10.3683653","RegQueryValue","HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001\DisplayString","SUCCESS","Type: REG_SZ, Length: 12, Data: Tcpip"
  479. "22:47:10.3683818","RegQueryValue","HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001\DisplayString","SUCCESS","Type: REG_SZ, Length: 12, Data: Tcpip"
  480. "22:47:10.3684041","RegQueryValue","HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001\ProviderId","SUCCESS","Type: REG_BINARY, Length: 16, Data: 40 9D 05 22 9E 7E CF 11 AE 5A 00 AA 00 A7 11 2B"
  481. "22:47:10.3684214","RegQueryValue","HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001\AddressFamily","NAME NOT FOUND","Length: 144"
  482. "22:47:10.3684388","RegQueryValue","HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001\SupportedNameSpace","SUCCESS","Type: REG_DWORD, Length: 4, Data: 12"
  483. "22:47:10.3684564","RegQueryValue","HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001\Enabled","SUCCESS","Type: REG_DWORD, Length: 4, Data: 1"
  484. "22:47:10.3684734","RegQueryValue","HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001\Version","SUCCESS","Type: REG_DWORD, Length: 4, Data: 0"
  485. "22:47:10.3684907","RegQueryValue","HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001\StoresServiceClassInfo","SUCCESS","Type: REG_DWORD, Length: 4, Data: 0"
  486. "22:47:10.3685164","RegCloseKey","HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001","SUCCESS",""
  487. "22:47:10.3685421","RegOpenKey","HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002","SUCCESS","Desired Access: Read"
  488. "22:47:10.3685662","RegQueryValue","HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002\LibraryPath","SUCCESS","Type: REG_SZ, Length: 66, Data: %SystemRoot%\System32\winrnr.dll"
  489. "22:47:10.3685835","RegQueryValue","HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002\LibraryPath","SUCCESS","Type: REG_SZ, Length: 66, Data: %SystemRoot%\System32\winrnr.dll"
  490. "22:47:10.3686022","RegQueryValue","HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002\DisplayString","SUCCESS","Type: REG_SZ, Length: 10, Data: NTDS"
  491. "22:47:10.3686190","RegQueryValue","HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002\DisplayString","SUCCESS","Type: REG_SZ, Length: 10, Data: NTDS"
  492. "22:47:10.3686360","RegQueryValue","HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002\DisplayString","SUCCESS","Type: REG_SZ, Length: 10, Data: NTDS"
  493. "22:47:10.3686528","RegQueryValue","HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002\DisplayString","SUCCESS","Type: REG_SZ, Length: 10, Data: NTDS"
  494. "22:47:10.3686704","RegQueryValue","HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002\ProviderId","SUCCESS","Type: REG_BINARY, Length: 16, Data: EE 37 26 3B 80 E5 CF 11 A5 55 00 C0 4F D8 D4 AC"
  495. "22:47:10.3686877","RegQueryValue","HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002\AddressFamily","NAME NOT FOUND","Length: 144"
  496. "22:47:10.3687050","RegQueryValue","HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002\SupportedNameSpace","SUCCESS","Type: REG_DWORD, Length: 4, Data: 32"
  497. "22:47:10.3687223","RegQueryValue","HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002\Enabled","SUCCESS","Type: REG_DWORD, Length: 4, Data: 1"
  498. "22:47:10.3687394","RegQueryValue","HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002\Version","SUCCESS","Type: REG_DWORD, Length: 4, Data: 0"
  499. "22:47:10.3687567","RegQueryValue","HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002\StoresServiceClassInfo","SUCCESS","Type: REG_DWORD, Length: 4, Data: 0"
  500. "22:47:10.3687818","RegCloseKey","HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002","SUCCESS",""
  501. "22:47:10.3687975","RegOpenKey","HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003","SUCCESS","Desired Access: Read"
  502. "22:47:10.3688212","RegQueryValue","HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003\LibraryPath","SUCCESS","Type: REG_SZ, Length: 68, Data: %SystemRoot%\System32\mswsock.dll"
  503. "22:47:10.3688385","RegQueryValue","HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003\LibraryPath","SUCCESS","Type: REG_SZ, Length: 68, Data: %SystemRoot%\System32\mswsock.dll"
  504. "22:47:10.3688573","RegQueryValue","HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003\DisplayString","SUCCESS","Type: REG_SZ, Length: 86, Data: Network Location Awareness (NLA) Namespace"
  505. "22:47:10.3688749","RegQueryValue","HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003\DisplayString","SUCCESS","Type: REG_SZ, Length: 86, Data: Network Location Awareness (NLA) Namespace"
  506. "22:47:10.3688922","RegQueryValue","HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003\DisplayString","SUCCESS","Type: REG_SZ, Length: 86, Data: Network Location Awareness (NLA) Namespace"
  507. "22:47:10.3689095","RegQueryValue","HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003\DisplayString","SUCCESS","Type: REG_SZ, Length: 86, Data: Network Location Awareness (NLA) Namespace"
  508. "22:47:10.3689282","RegQueryValue","HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003\ProviderId","SUCCESS","Type: REG_BINARY, Length: 16, Data: 3A 24 42 66 A8 3B A6 4A BA A5 2E 0B D7 1F DD 83"
  509. "22:47:10.3689455","RegQueryValue","HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003\AddressFamily","NAME NOT FOUND","Length: 144"
  510. "22:47:10.3689629","RegQueryValue","HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003\SupportedNameSpace","SUCCESS","Type: REG_DWORD, Length: 4, Data: 15"
  511. "22:47:10.3689802","RegQueryValue","HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003\Enabled","SUCCESS","Type: REG_DWORD, Length: 4, Data: 1"
  512. "22:47:10.3689981","RegQueryValue","HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003\Version","SUCCESS","Type: REG_DWORD, Length: 4, Data: 0"
  513. "22:47:10.3690151","RegQueryValue","HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003\StoresServiceClassInfo","SUCCESS","Type: REG_DWORD, Length: 4, Data: 0"
  514. "22:47:10.3698099","RegCloseKey","HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003","SUCCESS",""
  515. "22:47:10.3698303","RegCloseKey","HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries","SUCCESS",""
  516. "22:47:10.3698510","RegCloseKey","HKLM\System\CurrentControlSet\Services\WinSock2\Parameters","SUCCESS",""
  517. "22:47:10.3698663","RegOpenKey","HKLM\System\CurrentControlSet\Services\Winsock2\Parameters","SUCCESS","Desired Access: Query Value"
  518. "22:47:10.3698979","RegQueryValue","HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Ws2_32NumHandleBuckets","NAME NOT FOUND","Length: 144"
  519. "22:47:10.3699205","RegCloseKey","HKLM\System\CurrentControlSet\Services\WinSock2\Parameters","SUCCESS",""
  520. "22:47:10.3704583","CreateFile","C:\WINDOWS\system32\mswsock.dll","SUCCESS","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
  521. "22:47:10.3706388","QueryBasicInformationFile","C:\WINDOWS\system32\mswsock.dll","SUCCESS","CreationTime: 2008/08/20 12:00:00, LastAccessTime: 2013/02/05 0:00:00, LastWriteTime: 2008/08/20 12:00:00, ChangeTime: 1601/01/01 9:00:00, FileAttributes: A"
  522. "22:47:10.3708022","CloseFile","C:\WINDOWS\system32\mswsock.dll","SUCCESS",""
  523. "22:47:10.3710371","CreateFile","C:\WINDOWS\system32\mswsock.dll","SUCCESS","Desired Access: Execute/Traverse, Synchronize, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, Delete, AllocationSize: n/a, OpenResult: Opened"
  524. "22:47:10.3712134","CreateFileMapping","C:\WINDOWS\system32\mswsock.dll","SUCCESS","SyncType: SyncTypeCreateSection, PageProtection: PAGE_EXECUTE"
  525. "22:47:10.3712282","QueryStandardInformationFile","C:\WINDOWS\system32\mswsock.dll","SUCCESS","AllocationSize: 245,760, EndOfFile: 243,200, NumberOfLinks: 1, DeletePending: False, Directory: False"
  526. "22:47:10.3712528","CreateFileMapping","C:\WINDOWS\system32\mswsock.dll","SUCCESS","SyncType: SyncTypeOther"
  527. "22:47:10.3714319","CloseFile","C:\WINDOWS\system32\mswsock.dll","SUCCESS",""
  528. "22:47:10.3719188","CreateFile","C:\WINDOWS\system32\mswsock.dll","SUCCESS","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
  529. "22:47:10.3720884","QueryBasicInformationFile","C:\WINDOWS\system32\mswsock.dll","SUCCESS","CreationTime: 2008/08/20 12:00:00, LastAccessTime: 2013/02/05 0:00:00, LastWriteTime: 2008/08/20 12:00:00, ChangeTime: 1601/01/01 9:00:00, FileAttributes: A"
  530. "22:47:10.3722510","CloseFile","C:\WINDOWS\system32\mswsock.dll","SUCCESS",""
  531. "22:47:10.3724817","CreateFile","C:\WINDOWS\system32\mswsock.dll","SUCCESS","Desired Access: Execute/Traverse, Synchronize, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, Delete, AllocationSize: n/a, OpenResult: Opened"
  532. "22:47:10.3726552","CreateFileMapping","C:\WINDOWS\system32\mswsock.dll","SUCCESS","SyncType: SyncTypeCreateSection, PageProtection: PAGE_EXECUTE"
  533. "22:47:10.3727089","CreateFileMapping","C:\WINDOWS\SYSTEM32\MSWSOCK.DLL","SUCCESS","SyncType: SyncTypeOther"
  534. "22:47:10.3728896","CloseFile","C:\WINDOWS\system32\mswsock.dll","SUCCESS",""
  535. "22:47:10.3731332","Load Image","C:\WINDOWS\System32\MSWSOCK.DLL","SUCCESS","Image Base: 0x71980000, Image Size: 0x3f000"
  536. "22:47:10.3732883","RegOpenKey","HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mswsock.dll","NAME NOT FOUND","Desired Access: Read"
  537. "22:47:10.3734087","FileSystemControl","D:\","SUCCESS","Control: FSCTL_IS_VOLUME_MOUNTED"
  538. "22:47:10.3932076","CreateFile","D:\hnetcfg.dll","NAME NOT FOUND","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a"
  539. "22:47:10.3975913","CreateFile","C:\WINDOWS\system32\hnetcfg.dll","SUCCESS","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
  540. "22:47:10.3977721","QueryBasicInformationFile","C:\WINDOWS\system32\hnetcfg.dll","SUCCESS","CreationTime: 2008/08/20 12:00:00, LastAccessTime: 2013/02/05 0:00:00, LastWriteTime: 2008/08/20 12:00:00, ChangeTime: 1601/01/01 9:00:00, FileAttributes: A"
  541. "22:47:10.3979408","CloseFile","C:\WINDOWS\system32\hnetcfg.dll","SUCCESS",""
  542. "22:47:10.3982987","CreateFile","C:\WINDOWS\system32\hnetcfg.dll","SUCCESS","Desired Access: Execute/Traverse, Synchronize, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, Delete, AllocationSize: n/a, OpenResult: Opened"
  543. "22:47:10.3984808","CreateFileMapping","C:\WINDOWS\system32\hnetcfg.dll","SUCCESS","SyncType: SyncTypeCreateSection, PageProtection: PAGE_EXECUTE"
  544. "22:47:10.3985082","CreateFileMapping","C:\WINDOWS\SYSTEM32\HNETCFG.DLL","SUCCESS","SyncType: SyncTypeOther"
  545. "22:47:10.3986946","CloseFile","C:\WINDOWS\system32\hnetcfg.dll","SUCCESS",""
  546. "22:47:10.3989315","Load Image","C:\WINDOWS\System32\HNETCFG.DLL","SUCCESS","Image Base: 0x607c0000, Image Size: 0x56000"
  547. "22:47:10.3991184","RegOpenKey","HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\hnetcfg.dll","NAME NOT FOUND","Desired Access: Read"
  548. "22:47:10.3992505","RegOpenKey","HKLM\Software\Microsoft\Rpc\PagedBuffers","NAME NOT FOUND","Desired Access: Read"
  549. "22:47:10.3992717","RegOpenKey","HKLM\Software\Microsoft\Rpc","SUCCESS","Desired Access: Read"
  550. "22:47:10.3992988","RegQueryValue","HKLM\SOFTWARE\Microsoft\Rpc\MaxRpcSize","NAME NOT FOUND","Length: 144"
  551. "22:47:10.3993243","RegCloseKey","HKLM\SOFTWARE\Microsoft\Rpc","SUCCESS",""
  552. "22:47:10.3993391","RegOpenKey","HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\contacts.exe\RpcThreadPoolThrottle","NAME NOT FOUND","Desired Access: Read"
  553. "22:47:10.3993997","RegOpenKey","HKLM\Software\Policies\Microsoft\Windows NT\Rpc","NAME NOT FOUND","Desired Access: Read"
  554. "22:47:10.3994871","RegOpenKey","HKLM\Software\Microsoft\Rpc\SecurityService","SUCCESS","Desired Access: Read"
  555. "22:47:10.3995204","RegQueryValue","HKLM\SOFTWARE\Microsoft\Rpc\SecurityService\DefaultAuthLevel","NAME NOT FOUND","Length: 144"
  556. "22:47:10.3995472","RegCloseKey","HKLM\SOFTWARE\Microsoft\Rpc\SecurityService","SUCCESS",""
  557. "22:47:10.4000059","CreateFile","C:\WINDOWS\system32\mswsock.dll","SUCCESS","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
  558. "22:47:10.4001780","QueryBasicInformationFile","C:\WINDOWS\system32\mswsock.dll","SUCCESS","CreationTime: 2008/08/20 12:00:00, LastAccessTime: 2013/02/05 0:00:00, LastWriteTime: 2008/08/20 12:00:00, ChangeTime: 1601/01/01 9:00:00, FileAttributes: A"
  559. "22:47:10.4007962","CloseFile","C:\WINDOWS\system32\mswsock.dll","SUCCESS",""
  560. "22:47:10.4009113","RegOpenKey","HKLM\SYSTEM\CurrentControlSet\Services\Winsock\Parameters","SUCCESS","Desired Access: Read"
  561. "22:47:10.4009622","RegQueryValue","HKLM\System\CurrentControlSet\Services\Winsock\Parameters\Transports","SUCCESS","Type: REG_MULTI_SZ, Length: 40, Data: irda, Tcpip, NetBIOS"
  562. "22:47:10.4009809","RegQueryValue","HKLM\System\CurrentControlSet\Services\Winsock\Parameters\Transports","SUCCESS","Type: REG_MULTI_SZ, Length: 40, Data: irda, Tcpip, NetBIOS"
  563. "22:47:10.4011957","RegCloseKey","HKLM\System\CurrentControlSet\Services\Winsock\Parameters","SUCCESS",""
  564. "22:47:10.4012362","RegOpenKey","HKLM\System\CurrentControlSet\Services\irda\Parameters\Winsock","SUCCESS","Desired Access: Read"
  565. "22:47:10.4012901","RegQueryValue","HKLM\System\CurrentControlSet\Services\irda\Parameters\Winsock\Mapping","SUCCESS","Type: REG_BINARY, Length: 44, Data: 03 00 00 00 03 00 00 00 1A 00 00 00 01 00 00 00"
  566. "22:47:10.4013077","RegQueryValue","HKLM\System\CurrentControlSet\Services\irda\Parameters\Winsock\Mapping","SUCCESS","Type: REG_BINARY, Length: 44, Data: 03 00 00 00 03 00 00 00 1A 00 00 00 01 00 00 00"
  567. "22:47:10.4013318","RegCloseKey","HKLM\System\CurrentControlSet\Services\irda\Parameters\Winsock","SUCCESS",""
  568. "22:47:10.4013896","RegOpenKey","HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Winsock","SUCCESS","Desired Access: Read"
  569. "22:47:10.4014298","RegQueryValue","HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Winsock\Mapping","BUFFER OVERFLOW","Length: 144"
  570. "22:47:10.4014485","RegQueryValue","HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Winsock\Mapping","BUFFER OVERFLOW","Length: 144"
  571. "22:47:10.4014636","RegQueryValue","HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Winsock\Mapping","SUCCESS","Type: REG_BINARY, Length: 140, Data: 0B 00 00 00 03 00 00 00 02 00 00 00 01 00 00 00"
  572. "22:47:10.4014874","RegCloseKey","HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Winsock","SUCCESS",""
  573. "22:47:10.4015013","RegOpenKey","HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Winsock","SUCCESS","Desired Access: Read"
  574. "22:47:10.4015315","RegQueryValue","HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Winsock\MinSockaddrLength","SUCCESS","Type: REG_DWORD, Length: 4, Data: 16"
  575. "22:47:10.4015477","RegQueryValue","HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Winsock\MaxSockaddrLength","SUCCESS","Type: REG_DWORD, Length: 4, Data: 16"
  576. "22:47:10.4015628","RegQueryValue","HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Winsock\UseDelayedAcceptance","SUCCESS","Type: REG_DWORD, Length: 4, Data: 0"
  577. "22:47:10.4015776","RegQueryValue","HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Winsock\HelperDllName","SUCCESS","Type: REG_EXPAND_SZ, Length: 70, Data: %SystemRoot%\System32\wshtcpip.dll"
  578. "22:47:10.4020092","CreateFile","C:\WINDOWS\system32\wshtcpip.dll","SUCCESS","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
  579. "22:47:10.4021914","QueryBasicInformationFile","C:\WINDOWS\system32\wshtcpip.dll","SUCCESS","CreationTime: 2008/08/20 12:00:00, LastAccessTime: 2013/02/05 0:00:00, LastWriteTime: 2008/08/20 12:00:00, ChangeTime: 1601/01/01 9:00:00, FileAttributes: A"
  580. "22:47:10.4023565","CloseFile","C:\WINDOWS\system32\wshtcpip.dll","SUCCESS",""
  581. "22:47:10.4024376","UDP Unknown","%USER%-1379cf37c25:1094 -> google-public-dns-a.google.com:domain","SUCCESS","Length: 31"
  582. "22:47:10.4025900","CreateFile","C:\WINDOWS\system32\wshtcpip.dll","SUCCESS","Desired Access: Execute/Traverse, Synchronize, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, Delete, AllocationSize: n/a, OpenResult: Opened"
  583. "22:47:10.4029554","CreateFileMapping","C:\WINDOWS\system32\wshtcpip.dll","SUCCESS","SyncType: SyncTypeCreateSection, PageProtection: PAGE_EXECUTE"
  584. "22:47:10.4029700","QueryStandardInformationFile","C:\WINDOWS\System32\wshtcpip.dll","SUCCESS","AllocationSize: 32,768, EndOfFile: 19,456, NumberOfLinks: 1, DeletePending: False, Directory: False"
  585. "22:47:10.4029943","CreateFileMapping","C:\WINDOWS\System32\wshtcpip.dll","SUCCESS","SyncType: SyncTypeOther"
  586. "22:47:10.4031745","CloseFile","C:\WINDOWS\system32\wshtcpip.dll","SUCCESS",""
  587. "22:47:10.4036578","CreateFile","C:\WINDOWS\system32\wshtcpip.dll","SUCCESS","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
  588. "22:47:10.4038287","QueryBasicInformationFile","C:\WINDOWS\system32\wshtcpip.dll","SUCCESS","CreationTime: 2008/08/20 12:00:00, LastAccessTime: 2013/02/05 0:00:00, LastWriteTime: 2008/08/20 12:00:00, ChangeTime: 1601/01/01 9:00:00, FileAttributes: A"
  589. "22:47:10.4039972","CloseFile","C:\WINDOWS\system32\wshtcpip.dll","SUCCESS",""
  590. "22:47:10.4042285","CreateFile","C:\WINDOWS\system32\wshtcpip.dll","SUCCESS","Desired Access: Execute/Traverse, Synchronize, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, Delete, AllocationSize: n/a, OpenResult: Opened"
  591. "22:47:10.4044037","CreateFileMapping","C:\WINDOWS\system32\wshtcpip.dll","SUCCESS","SyncType: SyncTypeCreateSection, PageProtection: PAGE_EXECUTE"
  592. "22:47:10.4044548","CreateFileMapping","C:\WINDOWS\SYSTEM32\WSHTCPIP.DLL","SUCCESS","SyncType: SyncTypeOther"
  593. "22:47:10.4046369","CloseFile","C:\WINDOWS\system32\wshtcpip.dll","SUCCESS",""
  594. "22:47:10.4048828","Load Image","C:\WINDOWS\System32\WSHTCPIP.DLL","SUCCESS","Image Base: 0x719c0000, Image Size: 0x8000"
  595. "22:47:10.4049850","RegOpenKey","HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wshtcpip.dll","NAME NOT FOUND","Desired Access: Read"
  596. "22:47:10.4050308","RegCloseKey","HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Winsock","SUCCESS",""
  597. "22:47:10.4051406","Thread Create","","SUCCESS","Thread ID: 2496"
  598. "22:47:10.4054569","Thread Create","","SUCCESS","Thread ID: 2500"
  599. "22:47:10.4060354","RegSetValue","HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed","SUCCESS","Type: REG_BINARY, Length: 80, Data: 3F 52 00 66 5F 52 95 8E 7B 64 A5 A2 C5 A0 02 7C"
  600. "22:47:10.4062559","RegSetValue","HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed","SUCCESS","Type: REG_BINARY, Length: 80, Data: 93 3D AB 28 F1 FE D9 66 03 AC 53 C3 CA 35 96 19"
  601. "22:47:10.4064215","RegSetValue","HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed","SUCCESS","Type: REG_BINARY, Length: 80, Data: EA C5 14 A1 8E 42 B4 DF DD 7E 0D 26 C5 5B 86 D1"
  602. "22:47:10.4065886","RegSetValue","HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed","SUCCESS","Type: REG_BINARY, Length: 80, Data: A7 73 61 D7 88 B1 61 79 2B B7 D5 FC AC BD B0 EC"
  603. "22:47:10.4067523","RegSetValue","HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed","SUCCESS","Type: REG_BINARY, Length: 80, Data: BD EB B6 AB C7 34 4B 67 22 51 ED 01 47 9C 5E 5A"
  604. "22:47:10.4069154","RegSetValue","HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed","SUCCESS","Type: REG_BINARY, Length: 80, Data: AF CA F8 8A 96 A3 5E 07 F7 5D CA 9B 54 25 AA 8E"
  605. "22:47:10.4070786","RegSetValue","HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed","SUCCESS","Type: REG_BINARY, Length: 80, Data: 3B A0 CB 71 B7 37 94 02 E4 3C D7 8D 08 95 80 E4"
  606. "22:47:10.4075904","RegOpenKey","HKLM\System\CurrentControlSet\Control\ComputerName","SUCCESS","Desired Access: Read"
  607. "22:47:10.4076289","RegOpenKey","HKLM\System\CurrentControlSet\Control\ComputerName\ActiveComputerName","SUCCESS","Desired Access: Read"
  608. "22:47:10.4076521","RegQueryValue","HKLM\System\CurrentControlSet\Control\ComputerName\ActiveComputerName\ComputerName","SUCCESS","Type: REG_SZ, Length: 32, Data: %USER%-1379CF37C25"
  609. "22:47:10.4076798","RegCloseKey","HKLM\System\CurrentControlSet\Control\ComputerName\ActiveComputerName","SUCCESS",""
  610. "22:47:10.4077144","RegCloseKey","HKLM\System\CurrentControlSet\Control\ComputerName","SUCCESS",""
  611. "22:47:10.4106218","RegOpenKey","HKLM\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Base Cryptographic Provider v1.0","SUCCESS","Desired Access: Read"
  612. "22:47:10.4106830","RegQueryValue","HKLM\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Base Cryptographic Provider v1.0\Type","SUCCESS","Type: REG_DWORD, Length: 4, Data: 1"
  613. "22:47:10.4107017","RegQueryValue","HKLM\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Base Cryptographic Provider v1.0\Image Path","SUCCESS","Type: REG_SZ, Length: 22, Data: rsaenh.dll"
  614. "22:47:10.4107196","RegQueryValue","HKLM\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Base Cryptographic Provider v1.0\Image Path","SUCCESS","Type: REG_SZ, Length: 22, Data: rsaenh.dll"
  615. "22:47:10.4107369","RegQueryValue","HKLM\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Base Cryptographic Provider v1.0\Image Path","SUCCESS","Type: REG_SZ, Length: 22, Data: rsaenh.dll"
  616. "22:47:10.4107534","RegQueryValue","HKLM\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Base Cryptographic Provider v1.0\Image Path","SUCCESS","Type: REG_SZ, Length: 22, Data: rsaenh.dll"
  617. "22:47:10.4107919","RegOpenKey","HKLM\System\CurrentControlSet\Control\Session Manager","SUCCESS","Desired Access: Query Value"
  618. "22:47:10.4108257","RegQueryValue","HKLM\System\CurrentControlSet\Control\Session Manager\SafeProcessSearchMode","NAME NOT FOUND","Length: 16"
  619. "22:47:10.4108514","RegCloseKey","HKLM\System\CurrentControlSet\Control\Session Manager","SUCCESS",""
  620. "22:47:10.4109165","FileSystemControl","D:\","SUCCESS","Control: FSCTL_IS_VOLUME_MOUNTED"
  621. "22:47:10.4177024","UDP Unknown","google-public-dns-a.google.com:domain -> %USER%-1379cf37c25:1094","SUCCESS","Length: 47"
  622. "22:47:10.4302081","CreateFile","D:\rsaenh.dll","NAME NOT FOUND","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a"
  623. "22:47:10.4341851","FileSystemControl","D:\","SUCCESS","Control: FSCTL_IS_VOLUME_MOUNTED"
  624. "22:47:10.4541971","CreateFile","D:\rsaenh.dll","NAME NOT FOUND","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a"
  625. "22:47:10.4585865","CreateFile","C:\WINDOWS\system32\rsaenh.dll","SUCCESS","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
  626. "22:47:10.4587648","QueryBasicInformationFile","C:\WINDOWS\system32\rsaenh.dll","SUCCESS","CreationTime: 2008/08/20 12:00:00, LastAccessTime: 2013/02/05 0:00:00, LastWriteTime: 2008/08/20 12:00:00, ChangeTime: 1601/01/01 9:00:00, FileAttributes: A"
  627. "22:47:10.4589282","CloseFile","C:\WINDOWS\system32\rsaenh.dll","SUCCESS",""
  628. "22:47:10.4591645","CreateFile","C:\WINDOWS\system32\rsaenh.dll","SUCCESS","Desired Access: Generic Read, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: N, ShareMode: Read, AllocationSize: n/a, OpenResult: Opened"
  629. "22:47:10.4593389","QueryStandardInformationFile","C:\WINDOWS\system32\rsaenh.dll","SUCCESS","AllocationSize: 212,992, EndOfFile: 208,384, NumberOfLinks: 1, DeletePending: False, Directory: False"
  630. "22:47:10.4595068","CreateFileMapping","C:\WINDOWS\system32\rsaenh.dll","SUCCESS","SyncType: SyncTypeCreateSection, PageProtection: PAGE_READONLY"
  631. "22:47:10.4595213","QueryStandardInformationFile","C:\WINDOWS\system32\rsaenh.dll","SUCCESS","AllocationSize: 212,992, EndOfFile: 208,384, NumberOfLinks: 1, DeletePending: False, Directory: False"
  632. "22:47:10.4595462","CreateFileMapping","C:\WINDOWS\system32\rsaenh.dll","SUCCESS","SyncType: SyncTypeOther"
  633. "22:47:10.4597392","CloseFile","C:\WINDOWS\system32\rsaenh.dll","SUCCESS",""
  634. "22:47:10.4602189","CreateFile","C:\WINDOWS\system32\rsaenh.dll","SUCCESS","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
  635. "22:47:10.4603896","QueryNetworkOpenInformationFile","C:\WINDOWS\system32\rsaenh.dll","SUCCESS","CreationTime: 2008/08/20 12:00:00, LastAccessTime: 2013/02/05 0:00:00, LastWriteTime: 2008/08/20 12:00:00, ChangeTime: 1980/01/01 0:00:00, AllocationSize: 1601/01/01 9:00:00, EndOfFile: 1601/01/01 9:00:00, FileAttributes: A"
  636. "22:47:10.4605524","CloseFile","C:\WINDOWS\system32\rsaenh.dll","SUCCESS",""
  637. "22:47:10.4632715","CreateFile","C:\WINDOWS\system32\rsaenh.dll","SUCCESS","Desired Access: Generic Read, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: N, ShareMode: Read, AllocationSize: n/a, OpenResult: Opened"
  638. "22:47:10.4635732","CreateFileMapping","C:\WINDOWS\system32\rsaenh.dll","SUCCESS","SyncType: SyncTypeCreateSection, PageProtection: PAGE_READONLY"
  639. "22:47:10.4635880","QueryStandardInformationFile","C:\WINDOWS\system32\rsaenh.dll","SUCCESS","AllocationSize: 212,992, EndOfFile: 208,384, NumberOfLinks: 1, DeletePending: False, Directory: False"
  640. "22:47:10.4636118","CreateFileMapping","C:\WINDOWS\system32\rsaenh.dll","SUCCESS","SyncType: SyncTypeOther"
  641. "22:47:10.4636721","RegOpenKey","HKCU","SUCCESS","Desired Access: Maximum Allowed"
  642. "22:47:10.4637042","RegOpenKey","HKCU\Software\Policies\Microsoft\Control Panel\Desktop","NAME NOT FOUND","Desired Access: Read"
  643. "22:47:10.4637221","RegOpenKey","HKCU\Control Panel\Desktop","SUCCESS","Desired Access: Read"
  644. "22:47:10.4637461","RegQueryValue","HKCU\Control Panel\Desktop\MultiUILanguageId","NAME NOT FOUND","Length: 256"
  645. "22:47:10.4637743","RegCloseKey","HKCU\Control Panel\Desktop","SUCCESS",""
  646. "22:47:10.4637889","RegCloseKey","HKCU","SUCCESS",""
  647. "22:47:10.4640369","ReadFile","C:\WINDOWS\system32\rsaenh.dll","SUCCESS","Offset: 0, Length: 336"
  648. "22:47:10.4642339","ReadFile","C:\WINDOWS\system32\rsaenh.dll","SUCCESS","Offset: 340, Length: 4,096"
  649. "22:47:10.4644336","ReadFile","C:\WINDOWS\system32\rsaenh.dll","SUCCESS","Offset: 4,436, Length: 4,096"
  650. "22:47:10.4646286","ReadFile","C:\WINDOWS\system32\rsaenh.dll","SUCCESS","Offset: 8,532, Length: 4,096"
  651. "22:47:10.4648236","ReadFile","C:\WINDOWS\system32\rsaenh.dll","SUCCESS","Offset: 12,628, Length: 4,096"
  652. "22:47:10.4650200","ReadFile","C:\WINDOWS\system32\rsaenh.dll","SUCCESS","Offset: 16,724, Length: 4,096"
  653. "22:47:10.4652156","ReadFile","C:\WINDOWS\system32\rsaenh.dll","SUCCESS","Offset: 20,820, Length: 4,096"
  654. "22:47:10.4654109","ReadFile","C:\WINDOWS\system32\rsaenh.dll","SUCCESS","Offset: 24,916, Length: 4,096"
  655. "22:47:10.4661741","ReadFile","C:\WINDOWS\system32\rsaenh.dll","SUCCESS","Offset: 29,012, Length: 4,096"
  656. "22:47:10.4663727","ReadFile","C:\WINDOWS\system32\rsaenh.dll","SUCCESS","Offset: 33,108, Length: 4,096"
  657. "22:47:10.4665697","ReadFile","C:\WINDOWS\system32\rsaenh.dll","SUCCESS","Offset: 37,204, Length: 4,096"
  658. "22:47:10.4667652","ReadFile","C:\WINDOWS\system32\rsaenh.dll","SUCCESS","Offset: 41,300, Length: 4,096"
  659. "22:47:10.4669616","ReadFile","C:\WINDOWS\system32\rsaenh.dll","SUCCESS","Offset: 45,396, Length: 4,096"
  660. "22:47:10.4671572","ReadFile","C:\WINDOWS\system32\rsaenh.dll","SUCCESS","Offset: 49,492, Length: 4,096"
  661. "22:47:10.4719924","ReadFile","C:\WINDOWS\system32\rsaenh.dll","SUCCESS","Offset: 53,588, Length: 4,096"
  662. "22:47:10.4722019","ReadFile","C:\WINDOWS\system32\rsaenh.dll","SUCCESS","Offset: 57,684, Length: 4,096"
  663. "22:47:10.4724000","ReadFile","C:\WINDOWS\system32\rsaenh.dll","SUCCESS","Offset: 61,780, Length: 4,096"
  664. "22:47:10.4725970","ReadFile","C:\WINDOWS\system32\rsaenh.dll","SUCCESS","Offset: 65,876, Length: 4,096"
  665. "22:47:10.4727931","ReadFile","C:\WINDOWS\system32\rsaenh.dll","SUCCESS","Offset: 69,972, Length: 4,096"
  666. "22:47:10.4729895","ReadFile","C:\WINDOWS\system32\rsaenh.dll","SUCCESS","Offset: 74,068, Length: 4,096"
  667. "22:47:10.4739790","ReadFile","C:\WINDOWS\system32\rsaenh.dll","SUCCESS","Offset: 78,164, Length: 4,096"
  668. "22:47:10.4741782","ReadFile","C:\WINDOWS\system32\rsaenh.dll","SUCCESS","Offset: 82,260, Length: 4,096"
  669. "22:47:10.4743743","ReadFile","C:\WINDOWS\system32\rsaenh.dll","SUCCESS","Offset: 86,356, Length: 4,096"
  670. "22:47:10.4745701","ReadFile","C:\WINDOWS\system32\rsaenh.dll","SUCCESS","Offset: 90,452, Length: 4,096"
  671. "22:47:10.4747671","ReadFile","C:\WINDOWS\system32\rsaenh.dll","SUCCESS","Offset: 94,548, Length: 4,096"
  672. "22:47:10.4749624","ReadFile","C:\WINDOWS\system32\rsaenh.dll","SUCCESS","Offset: 98,644, Length: 4,096"
  673. "22:47:10.4779465","ReadFile","C:\WINDOWS\system32\rsaenh.dll","SUCCESS","Offset: 102,740, Length: 4,096"
  674. "22:47:10.4781480","ReadFile","C:\WINDOWS\system32\rsaenh.dll","SUCCESS","Offset: 106,836, Length: 4,096"
  675. "22:47:10.4783449","ReadFile","C:\WINDOWS\system32\rsaenh.dll","SUCCESS","Offset: 110,932, Length: 4,096"
  676. "22:47:10.4837598","ReadFile","C:\WINDOWS\system32\rsaenh.dll","SUCCESS","Offset: 115,028, Length: 4,096"
  677. "22:47:10.4839741","ReadFile","C:\WINDOWS\system32\rsaenh.dll","SUCCESS","Offset: 119,124, Length: 4,096"
  678. "22:47:10.4842124","ReadFile","C:\WINDOWS\system32\rsaenh.dll","SUCCESS","Offset: 123,220, Length: 4,096"
  679. "22:47:10.4844096","ReadFile","C:\WINDOWS\system32\rsaenh.dll","SUCCESS","Offset: 127,316, Length: 4,096"
  680. "22:47:10.4846077","ReadFile","C:\WINDOWS\system32\rsaenh.dll","SUCCESS","Offset: 131,412, Length: 4,096"
  681. "22:47:10.4848024","ReadFile","C:\WINDOWS\system32\rsaenh.dll","SUCCESS","Offset: 135,508, Length: 4,096"
  682. "22:47:10.4868320","ReadFile","C:\WINDOWS\system32\rsaenh.dll","SUCCESS","Offset: 139,604, Length: 4,096"
  683. "22:47:10.4870374","ReadFile","C:\WINDOWS\system32\rsaenh.dll","SUCCESS","Offset: 143,700, Length: 4,096"
  684. "22:47:10.4872343","ReadFile","C:\WINDOWS\system32\rsaenh.dll","SUCCESS","Offset: 147,796, Length: 4,096"
  685. "22:47:10.4874307","ReadFile","C:\WINDOWS\system32\rsaenh.dll","SUCCESS","Offset: 151,892, Length: 4,096"
  686. "22:47:10.4876268","ReadFile","C:\WINDOWS\system32\rsaenh.dll","SUCCESS","Offset: 155,988, Length: 4,096"
  687. "22:47:10.4878232","ReadFile","C:\WINDOWS\system32\rsaenh.dll","SUCCESS","Offset: 160,084, Length: 4,096"
  688. "22:47:10.4881584","ReadFile","C:\WINDOWS\system32\rsaenh.dll","SUCCESS","Offset: 164,180, Length: 4,096"
  689. "22:47:10.4883562","ReadFile","C:\WINDOWS\system32\rsaenh.dll","SUCCESS","Offset: 168,276, Length: 4,096"
  690. "22:47:10.4885518","ReadFile","C:\WINDOWS\system32\rsaenh.dll","SUCCESS","Offset: 172,372, Length: 4,096"
  691. "22:47:10.4887471","ReadFile","C:\WINDOWS\system32\rsaenh.dll","SUCCESS","Offset: 176,468, Length: 4,096"
  692. "22:47:10.4889435","ReadFile","C:\WINDOWS\system32\rsaenh.dll","SUCCESS","Offset: 180,564, Length: 4,096"
  693. "22:47:10.4891387","ReadFile","C:\WINDOWS\system32\rsaenh.dll","SUCCESS","Offset: 184,660, Length: 4,096"
  694. "22:47:10.4894413","ReadFile","C:\WINDOWS\system32\rsaenh.dll","SUCCESS","Offset: 188,756, Length: 4,096"
  695. "22:47:10.4896396","ReadFile","C:\WINDOWS\system32\rsaenh.dll","SUCCESS","Offset: 192,852, Length: 4,096"
  696. "22:47:10.4898372","ReadFile","C:\WINDOWS\system32\rsaenh.dll","SUCCESS","Offset: 196,948, Length: 3,964"
  697. "22:47:10.4900389","ReadFile","C:\WINDOWS\system32\rsaenh.dll","SUCCESS","Offset: 201,056, Length: 4,096"
  698. "22:47:10.4902358","ReadFile","C:\WINDOWS\system32\rsaenh.dll","SUCCESS","Offset: 205,152, Length: 3,232"
  699. "22:47:10.4904487","CloseFile","C:\WINDOWS\system32\rsaenh.dll","SUCCESS",""
  700. "22:47:10.4910177","FileSystemControl","D:\","SUCCESS","Control: FSCTL_IS_VOLUME_MOUNTED"
  701. "22:47:10.5212006","CreateFile","D:\rsaenh.dll","NAME NOT FOUND","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a"
  702. "22:47:10.5263865","CreateFile","C:\WINDOWS\system32\rsaenh.dll","SUCCESS","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
  703. "22:47:10.5265603","QueryBasicInformationFile","C:\WINDOWS\system32\rsaenh.dll","SUCCESS","CreationTime: 2008/08/20 12:00:00, LastAccessTime: 2013/02/05 0:00:00, LastWriteTime: 2008/08/20 12:00:00, ChangeTime: 1601/01/01 9:00:00, FileAttributes: A"
  704. "22:47:10.5267245","CloseFile","C:\WINDOWS\system32\rsaenh.dll","SUCCESS",""
  705. "22:47:10.5269595","CreateFile","C:\WINDOWS\system32\rsaenh.dll","SUCCESS","Desired Access: Execute/Traverse, Synchronize, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, Delete, AllocationSize: n/a, OpenResult: Opened"
  706. "22:47:10.5271357","CreateFileMapping","C:\WINDOWS\system32\rsaenh.dll","SUCCESS","SyncType: SyncTypeCreateSection, PageProtection: PAGE_EXECUTE"
  707. "22:47:10.5271899","CreateFileMapping","C:\WINDOWS\SYSTEM32\RSAENH.DLL","SUCCESS","SyncType: SyncTypeOther"
  708. "22:47:10.5273763","CloseFile","C:\WINDOWS\system32\rsaenh.dll","SUCCESS",""
  709. "22:47:10.5276637","Load Image","C:\WINDOWS\System32\RSAENH.DLL","SUCCESS","Image Base: 0x68000000, Image Size: 0x36000"
  710. "22:47:10.5279096","RegOpenKey","HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rsaenh.dll","NAME NOT FOUND","Desired Access: Read"
  711. "22:47:10.5280079","FileSystemControl","D:\","SUCCESS","Control: FSCTL_IS_VOLUME_MOUNTED"
  712. "22:47:10.5480728","CreateFile","D:\crypt32.dll","NAME NOT FOUND","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a"
  713. "22:47:10.5525856","CreateFile","C:\WINDOWS\system32\crypt32.dll","SUCCESS","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
  714. "22:47:10.5527597","QueryBasicInformationFile","C:\WINDOWS\system32\crypt32.dll","SUCCESS","CreationTime: 2008/08/20 12:00:00, LastAccessTime: 2013/02/05 0:00:00, LastWriteTime: 2008/08/20 12:00:00, ChangeTime: 1601/01/01 9:00:00, FileAttributes: A"
  715. "22:47:10.5529203","CloseFile","C:\WINDOWS\system32\crypt32.dll","SUCCESS",""
  716. "22:47:10.5531527","CreateFile","C:\WINDOWS\system32\crypt32.dll","SUCCESS","Desired Access: Generic Read, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, Delete, AllocationSize: n/a, OpenResult: Opened"
  717. "22:47:10.5533265","CreateFileMapping","C:\WINDOWS\system32\crypt32.dll","SUCCESS","SyncType: SyncTypeCreateSection, PageProtection: PAGE_READONLY"
  718. "22:47:10.5533405","QueryStandardInformationFile","C:\WINDOWS\system32\crypt32.dll","SUCCESS","AllocationSize: 606,208, EndOfFile: 593,920, NumberOfLinks: 1, DeletePending: False, Directory: False"
  719. "22:47:10.5533648","CreateFileMapping","C:\WINDOWS\system32\crypt32.dll","SUCCESS","SyncType: SyncTypeOther"
  720. "22:47:10.5535419","CloseFile","C:\WINDOWS\system32\crypt32.dll","SUCCESS",""
  721. "22:47:10.5559115","CreateFile","C:\WINDOWS\system32\rsaenh.dll","SUCCESS","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
  722. "22:47:10.5560819","QueryBasicInformationFile","C:\WINDOWS\system32\rsaenh.dll","SUCCESS","CreationTime: 2008/08/20 12:00:00, LastAccessTime: 2013/02/05 0:00:00, LastWriteTime: 2008/08/20 12:00:00, ChangeTime: 1601/01/01 9:00:00, FileAttributes: A"
  723. "22:47:10.5562453","CloseFile","C:\WINDOWS\system32\rsaenh.dll","SUCCESS",""
  724. "22:47:10.5564791","CreateFile","C:\WINDOWS\system32\rsaenh.dll","SUCCESS","Desired Access: Generic Read, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, Write, AllocationSize: n/a, OpenResult: Opened"
  725. "22:47:10.5569583","QueryBasicInformationFile","C:\WINDOWS\system32\rsaenh.dll","SUCCESS","CreationTime: 2008/08/20 12:00:00, LastAccessTime: 2013/02/05 0:00:00, LastWriteTime: 2008/08/20 12:00:00, ChangeTime: 1601/01/01 9:00:00, FileAttributes: A"
  726. "22:47:10.5571239","QueryStandardInformationFile","C:\WINDOWS\system32\rsaenh.dll","SUCCESS","AllocationSize: 212,992, EndOfFile: 208,384, NumberOfLinks: 1, DeletePending: False, Directory: False"
  727. "22:47:10.5572963","CloseFile","C:\WINDOWS\system32\rsaenh.dll","SUCCESS",""
  728. "22:47:10.5577237","CreateFile","C:\WINDOWS\system32\rsaenh.dll","SUCCESS","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
  729. "22:47:10.5578927","QueryBasicInformationFile","C:\WINDOWS\system32\rsaenh.dll","SUCCESS","CreationTime: 2008/08/20 12:00:00, LastAccessTime: 2013/02/05 0:00:00, LastWriteTime: 2008/08/20 12:00:00, ChangeTime: 1601/01/01 9:00:00, FileAttributes: A"
  730. "22:47:10.5580550","CloseFile","C:\WINDOWS\system32\rsaenh.dll","SUCCESS",""
  731. "22:47:10.5582866","CreateFile","C:\WINDOWS\system32\rsaenh.dll","SUCCESS","Desired Access: Generic Read, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, Write, AllocationSize: n/a, OpenResult: Opened"
  732. "22:47:10.5584607","QueryBasicInformationFile","C:\WINDOWS\system32\rsaenh.dll","SUCCESS","CreationTime: 2008/08/20 12:00:00, LastAccessTime: 2013/02/05 0:00:00, LastWriteTime: 2008/08/20 12:00:00, ChangeTime: 1601/01/01 9:00:00, FileAttributes: A"
  733. "22:47:10.5586255","CreateFileMapping","C:\WINDOWS\system32\rsaenh.dll","SUCCESS","SyncType: SyncTypeCreateSection, PageProtection: PAGE_READONLY"
  734. "22:47:10.5586392","QueryStandardInformationFile","C:\WINDOWS\system32\rsaenh.dll","SUCCESS","AllocationSize: 212,992, EndOfFile: 208,384, NumberOfLinks: 1, DeletePending: False, Directory: False"
  735. "22:47:10.5586629","CreateFileMapping","C:\WINDOWS\system32\rsaenh.dll","SUCCESS","SyncType: SyncTypeOther"
  736. "22:47:10.5589809","ReadFile","C:\WINDOWS\system32\rsaenh.dll","SUCCESS","Offset: 0, Length: 336"
  737. "22:47:10.5592373","ReadFile","C:\WINDOWS\system32\rsaenh.dll","SUCCESS","Offset: 340, Length: 4,096"
  738. "22:47:10.5599466","ReadFile","C:\WINDOWS\system32\rsaenh.dll","SUCCESS","Offset: 4,436, Length: 4,096"
  739. "22:47:10.5606531","ReadFile","C:\WINDOWS\system32\rsaenh.dll","SUCCESS","Offset: 8,532, Length: 4,096"
  740. "22:47:10.5613638","ReadFile","C:\WINDOWS\system32\rsaenh.dll","SUCCESS","Offset: 12,628, Length: 4,096"
  741. "22:47:10.5620718","ReadFile","C:\WINDOWS\system32\rsaenh.dll","SUCCESS","Offset: 16,724, Length: 4,096"
  742. "22:47:10.5628051","ReadFile","C:\WINDOWS\system32\rsaenh.dll","SUCCESS","Offset: 20,820, Length: 4,096"
  743. "22:47:10.5635150","ReadFile","C:\WINDOWS\system32\rsaenh.dll","SUCCESS","Offset: 24,916, Length: 4,096"
  744. "22:47:10.5642209","ReadFile","C:\WINDOWS\system32\rsaenh.dll","SUCCESS","Offset: 29,012, Length: 4,096"
  745. "22:47:10.5649266","ReadFile","C:\WINDOWS\system32\rsaenh.dll","SUCCESS","Offset: 33,108, Length: 4,096"
  746. "22:47:10.5656320","ReadFile","C:\WINDOWS\system32\rsaenh.dll","SUCCESS","Offset: 37,204, Length: 4,096"
  747. "22:47:10.5663851","ReadFile","C:\WINDOWS\system32\rsaenh.dll","SUCCESS","Offset: 41,300, Length: 4,096"
  748. "22:47:10.5670919","ReadFile","C:\WINDOWS\system32\rsaenh.dll","SUCCESS","Offset: 45,396, Length: 4,096"
  749. "22:47:10.5680426","ReadFile","C:\WINDOWS\system32\rsaenh.dll","SUCCESS","Offset: 49,492, Length: 4,096"
  750. "22:47:10.5687497","ReadFile","C:\WINDOWS\system32\rsaenh.dll","SUCCESS","Offset: 53,588, Length: 4,096"
  751. "22:47:10.5694562","ReadFile","C:\WINDOWS\system32\rsaenh.dll","SUCCESS","Offset: 57,684, Length: 4,096"
  752. "22:47:10.5701627","ReadFile","C:\WINDOWS\system32\rsaenh.dll","SUCCESS","Offset: 61,780, Length: 4,096"
  753. "22:47:10.5708740","ReadFile","C:\WINDOWS\system32\rsaenh.dll","SUCCESS","Offset: 65,876, Length: 4,096"
  754. "22:47:10.5715799","ReadFile","C:\WINDOWS\system32\rsaenh.dll","SUCCESS","Offset: 69,972, Length: 4,096"
  755. "22:47:10.5725876","ReadFile","C:\WINDOWS\system32\rsaenh.dll","SUCCESS","Offset: 74,068, Length: 4,096"
  756. "22:47:10.5732955","ReadFile","C:\WINDOWS\system32\rsaenh.dll","SUCCESS","Offset: 78,164, Length: 4,096"
  757. "22:47:10.5740258","ReadFile","C:\WINDOWS\system32\rsaenh.dll","SUCCESS","Offset: 82,260, Length: 4,096"
  758. "22:47:10.5747720","ReadFile","C:\WINDOWS\system32\rsaenh.dll","SUCCESS","Offset: 86,356, Length: 4,096"
  759. "22:47:10.5754776","ReadFile","C:\WINDOWS\system32\rsaenh.dll","SUCCESS","Offset: 90,452, Length: 4,096"
  760. "22:47:10.5761842","ReadFile","C:\WINDOWS\system32\rsaenh.dll","SUCCESS","Offset: 94,548, Length: 4,096"
  761. "22:47:10.5776600","ReadFile","C:\WINDOWS\system32\rsaenh.dll","SUCCESS","Offset: 98,644, Length: 4,096"
  762. "22:47:10.5783694","ReadFile","C:\WINDOWS\system32\rsaenh.dll","SUCCESS","Offset: 102,740, Length: 4,096"
  763. "22:47:10.5790770","ReadFile","C:\WINDOWS\system32\rsaenh.dll","SUCCESS","Offset: 106,836, Length: 4,096"
  764. "22:47:10.5797829","ReadFile","C:\WINDOWS\system32\rsaenh.dll","SUCCESS","Offset: 110,932, Length: 4,096"
  765. "22:47:10.5804889","ReadFile","C:\WINDOWS\system32\rsaenh.dll","SUCCESS","Offset: 115,028, Length: 4,096"
  766. "22:47:10.5811957","ReadFile","C:\WINDOWS\system32\rsaenh.dll","SUCCESS","Offset: 119,124, Length: 4,096"
  767. "22:47:10.5824271","ReadFile","C:\WINDOWS\system32\rsaenh.dll","SUCCESS","Offset: 123,220, Length: 4,096"
  768. "22:47:10.5831395","ReadFile","C:\WINDOWS\system32\rsaenh.dll","SUCCESS","Offset: 127,316, Length: 4,096"
  769. "22:47:10.5838494","ReadFile","C:\WINDOWS\system32\rsaenh.dll","SUCCESS","Offset: 131,412, Length: 4,096"
  770. "22:47:10.5851127","ReadFile","C:\WINDOWS\system32\rsaenh.dll","SUCCESS","Offset: 135,508, Length: 4,096"
  771. "22:47:10.5859879","ReadFile","C:\WINDOWS\system32\rsaenh.dll","SUCCESS","Offset: 139,604, Length: 4,096"
  772. "22:47:10.5867682","ReadFile","C:\WINDOWS\system32\rsaenh.dll","SUCCESS","Offset: 143,700, Length: 4,096"
  773. "22:47:10.5896342","ReadFile","C:\WINDOWS\system32\rsaenh.dll","SUCCESS","Offset: 147,796, Length: 4,096"
  774. "22:47:10.5903427","ReadFile","C:\WINDOWS\system32\rsaenh.dll","SUCCESS","Offset: 151,892, Length: 4,096"
  775. "22:47:10.5910486","ReadFile","C:\WINDOWS\system32\rsaenh.dll","SUCCESS","Offset: 155,988, Length: 4,096"
  776. "22:47:10.5917543","ReadFile","C:\WINDOWS\system32\rsaenh.dll","SUCCESS","Offset: 160,084, Length: 4,096"
  777. "22:47:10.5924603","ReadFile","C:\WINDOWS\system32\rsaenh.dll","SUCCESS","Offset: 164,180, Length: 4,096"
  778. "22:47:10.5931659","ReadFile","C:\WINDOWS\system32\rsaenh.dll","SUCCESS","Offset: 168,276, Length: 4,096"
  779. "22:47:10.6180649","ReadFile","C:\WINDOWS\system32\rsaenh.dll","SUCCESS","Offset: 172,372, Length: 4,096"
  780. "22:47:10.6187918","ReadFile","C:\WINDOWS\system32\rsaenh.dll","SUCCESS","Offset: 176,468, Length: 4,096"
  781. "22:47:10.6198129","ReadFile","C:\WINDOWS\system32\rsaenh.dll","SUCCESS","Offset: 180,564, Length: 4,096"
  782. "22:47:10.6398883","ReadFile","C:\WINDOWS\system32\rsaenh.dll","SUCCESS","Offset: 184,660, Length: 4,096"
  783. "22:47:10.6406099","ReadFile","C:\WINDOWS\system32\rsaenh.dll","SUCCESS","Offset: 188,756, Length: 4,096"
  784. "22:47:10.6413237","ReadFile","C:\WINDOWS\system32\rsaenh.dll","SUCCESS","Offset: 192,852, Length: 4,096"
  785. "22:47:10.6420314","ReadFile","C:\WINDOWS\system32\rsaenh.dll","SUCCESS","Offset: 196,948, Length: 3,964"
  786. "22:47:10.6427524","ReadFile","C:\WINDOWS\system32\rsaenh.dll","SUCCESS","Offset: 201,072, Length: 4,096"
  787. "22:47:10.6434597","ReadFile","C:\WINDOWS\system32\rsaenh.dll","SUCCESS","Offset: 205,168, Length: 3,216"
  788. "22:47:10.6462512","CloseFile","C:\WINDOWS\system32\rsaenh.dll","SUCCESS",""
  789. "22:47:10.9626345","TCP Unknown","%USER%-1379cf37c25:1095 -> 50.22.196.70-static.reverse.softlayer.com:http","SUCCESS","Length: 0"
  790. "22:47:11.0168801","RegOpenKey","HKLM\Software\Policies\Microsoft\Cryptography","NAME NOT FOUND","Desired Access: Read, WOW64_64Key"
  791. "22:47:11.0169664","RegOpenKey","HKLM\Software\Microsoft\Cryptography","SUCCESS","Desired Access: Read, WOW64_64Key"
  792. "22:47:11.0170019","RegQueryValue","HKLM\SOFTWARE\Microsoft\Cryptography\MachineGuid","SUCCESS","Type: REG_SZ, Length: 74, Data: fabb7371-da7f-4c60-bfcb-8b500c577deb"
  793. "22:47:11.0170209","RegQueryValue","HKLM\SOFTWARE\Microsoft\Cryptography\MachineGuid","SUCCESS","Type: REG_SZ, Length: 74, Data: fabb7371-da7f-4c60-bfcb-8b500c577deb"
  794. "22:47:11.0170377","RegQueryValue","HKLM\SOFTWARE\Microsoft\Cryptography\MachineGuid","SUCCESS","Type: REG_SZ, Length: 74, Data: fabb7371-da7f-4c60-bfcb-8b500c577deb"
  795. "22:47:11.0170522","RegQueryValue","HKLM\SOFTWARE\Microsoft\Cryptography\MachineGuid","SUCCESS","Type: REG_SZ, Length: 74, Data: fabb7371-da7f-4c60-bfcb-8b500c577deb"
  796. "22:47:11.0179534","RegCloseKey","HKLM\SOFTWARE\Microsoft\Cryptography","SUCCESS",""
  797. "22:47:11.0179783","RegOpenKey","HKLM\Software\Microsoft\Cryptography\Offload","NAME NOT FOUND","Desired Access: Read"
  798. "22:47:11.0180319","RegOpenKey","HKLM\Software\Microsoft\Cryptography\DESHashSessionKeyBackward","NAME NOT FOUND","Desired Access: Read"
  799. "22:47:11.0180674","RegCloseKey","HKLM\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Base Cryptographic Provider v1.0","SUCCESS",""
  800. "22:47:11.0181909","CreateFile","C:\WINDOWS","SUCCESS","Desired Access: Generic Read, Disposition: Open, Options: Synchronous IO Non-Alert, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
  801. "22:47:11.0182619","QueryAttributeInformationVolume","C:\WINDOWS","BUFFER OVERFLOW","FileSystemAttributes: Case Preserved, Unicode, MaximumComponentNameLength: 255, FileSystemName: FA"
  802. "22:47:11.0183337","CloseFile","C:\WINDOWS","SUCCESS",""
  803. "22:47:11.1002265","UDP Unknown","%USER%-1379cf37c25:1097 -> 194.165.17.3:domain","SUCCESS","Length: 20"
  804. "22:47:11.1002914","UDP Unknown","%USER%-1379cf37c25:1097 -> alertstoday.com:domain","SUCCESS","Length: 20"
  805. "22:47:11.1097928","UDP Unknown","%USER%-1379cf37c25:1099 -> 194.165.17.3:domain","SUCCESS","Length: 20"
  806. "22:47:11.1098504","UDP Unknown","%USER%-1379cf37c25:1099 -> alertstoday.com:domain","SUCCESS","Length: 20"
  807. "22:47:11.1234319","RegCloseKey","HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9","SUCCESS",""
  808. "22:47:11.3286035","RegCloseKey","HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5","SUCCESS",""
  809. "22:47:11.3288717","CreateFile","C:\WINDOWS\system32\cmd.exe","SUCCESS","Desired Access: Read Data/List Directory, Execute/Traverse, Read Attributes, Synchronize, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, Delete, AllocationSize: n/a, OpenResult: Opened"
  810. "22:47:11.3290550","CreateFileMapping","C:\WINDOWS\system32\cmd.exe","SUCCESS","SyncType: SyncTypeCreateSection, PageProtection: PAGE_EXECUTE"
  811. "22:47:11.3291167","CreateFileMapping","C:\WINDOWS\system32\cmd.exe","SUCCESS","SyncType: SyncTypeOther"
  812. "22:47:11.3291410","RegOpenKey","HKLM\System\CurrentControlSet\Control\Session Manager\AppCertDlls","NAME NOT FOUND","Desired Access: Query Value"
  813. "22:47:11.3291681","RegOpenKey","HKLM\System\CurrentControlSet\Control\Session Manager\AppCompatibility","SUCCESS","Desired Access: Query Value"
  814. "22:47:11.3292030","RegQueryValue","HKLM\System\CurrentControlSet\Control\Session Manager\AppCompatibility\DisableAppCompat","NAME NOT FOUND","Length: 20"
  815. "22:47:11.3292268","RegCloseKey","HKLM\System\CurrentControlSet\Control\Session Manager\AppCompatibility","SUCCESS",""
  816. "22:47:11.4202272","CreateFile","C:\WINDOWS\system32\apphelp.dll","SUCCESS","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
  817. "22:47:11.4203982","QueryBasicInformationFile","C:\WINDOWS\system32\apphelp.dll","SUCCESS","CreationTime: 2008/08/20 12:00:00, LastAccessTime: 2013/02/05 0:00:00, LastWriteTime: 2008/08/20 12:00:00, ChangeTime: 1601/01/01 9:00:00, FileAttributes: A"
  818. "22:47:11.4205588","CloseFile","C:\WINDOWS\system32\apphelp.dll","SUCCESS",""
  819. "22:47:11.5121263","CreateFile","C:\WINDOWS\system32\apphelp.dll","SUCCESS","Desired Access: Execute/Traverse, Synchronize, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, Delete, AllocationSize: n/a, OpenResult: Opened"
  820. "22:47:11.5123068","CreateFileMapping","C:\WINDOWS\system32\apphelp.dll","SUCCESS","SyncType: SyncTypeCreateSection, PageProtection: PAGE_EXECUTE"
  821. "22:47:11.5123216","QueryStandardInformationFile","C:\WINDOWS\system32\Apphelp.dll","SUCCESS","AllocationSize: 131,072, EndOfFile: 125,952, NumberOfLinks: 1, DeletePending: False, Directory: False"
  822. "22:47:11.5123462","CreateFileMapping","C:\WINDOWS\system32\Apphelp.dll","SUCCESS","SyncType: SyncTypeOther"
  823. "22:47:11.5125222","CloseFile","C:\WINDOWS\system32\apphelp.dll","SUCCESS",""
  824. "22:47:11.5374309","CreateFile","C:\WINDOWS\system32\apphelp.dll","SUCCESS","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
  825. "22:47:11.5375988","QueryBasicInformationFile","C:\WINDOWS\system32\apphelp.dll","SUCCESS","CreationTime: 2008/08/20 12:00:00, LastAccessTime: 2013/02/05 0:00:00, LastWriteTime: 2008/08/20 12:00:00, ChangeTime: 1601/01/01 9:00:00, FileAttributes: A"
  826. "22:47:11.5519448","CloseFile","C:\WINDOWS\system32\apphelp.dll","SUCCESS",""
  827. "22:47:11.5521875","CreateFile","C:\WINDOWS\system32\apphelp.dll","SUCCESS","Desired Access: Execute/Traverse, Synchronize, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, Delete, AllocationSize: n/a, OpenResult: Opened"
  828. "22:47:11.5523633","CreateFileMapping","C:\WINDOWS\system32\apphelp.dll","SUCCESS","SyncType: SyncTypeCreateSection, PageProtection: PAGE_EXECUTE"
  829. "22:47:11.5524222","CreateFileMapping","C:\WINDOWS\SYSTEM32\APPHELP.DLL","SUCCESS","SyncType: SyncTypeOther"
  830. "22:47:11.5537562","CloseFile","C:\WINDOWS\system32\apphelp.dll","SUCCESS",""
  831. "22:47:11.5540677","Load Image","C:\WINDOWS\System32\APPHELP.DLL","SUCCESS","Image Base: 0x76d90000, Image Size: 0x22000"
  832. "22:47:11.5541504","RegOpenKey","HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Apphelp.dll","NAME NOT FOUND","Desired Access: Read"
  833. "22:47:11.5543903","CreateFile","C:\WINDOWS\AppPatch\sysmain.sdb","SUCCESS","Desired Access: Generic Read, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: N, ShareMode: Read, AllocationSize: n/a, OpenResult: Opened"
  834. "22:47:11.5568739","QueryStandardInformationFile","C:\WINDOWS\AppPatch\sysmain.sdb","SUCCESS","AllocationSize: 1,212,416, EndOfFile: 1,202,774, NumberOfLinks: 1, DeletePending: False, Directory: False"
  835. "22:47:11.5570102","CreateFileMapping","C:\WINDOWS\AppPatch\sysmain.sdb","SUCCESS","SyncType: SyncTypeCreateSection, PageProtection: PAGE_READONLY"
  836. "22:47:11.5570250","QueryStandardInformationFile","C:\WINDOWS\AppPatch\sysmain.sdb","SUCCESS","AllocationSize: 1,212,416, EndOfFile: 1,202,774, NumberOfLinks: 1, DeletePending: False, Directory: False"
  837. "22:47:11.5570490","CreateFileMapping","C:\WINDOWS\AppPatch\sysmain.sdb","SUCCESS","SyncType: SyncTypeOther"
  838. "22:47:11.5620100","QueryStandardInformationFile","C:\WINDOWS\AppPatch\sysmain.sdb","SUCCESS","AllocationSize: 1,212,416, EndOfFile: 1,202,774, NumberOfLinks: 1, DeletePending: False, Directory: False"
  839. "22:47:11.5622410","CreateFile","C:\WINDOWS\AppPatch\systest.sdb","NAME NOT FOUND","Desired Access: Generic Read, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: N, ShareMode: Read, AllocationSize: n/a"
  840. "22:47:11.5622802","RegOpenKey","HKLM\System\WPA\TabletPC","NAME NOT FOUND","Desired Access: Query Value, WOW64_64Key"
  841. "22:47:11.5622983","RegOpenKey","HKLM\SYSTEM\WPA\MediaCenter","SUCCESS","Desired Access: Query Value, WOW64_64Key"
  842. "22:47:11.5623268","RegQueryValue","HKLM\SYSTEM\WPA\MediaCenter\Installed","SUCCESS","Type: REG_DWORD, Length: 4, Data: 0"
  843. "22:47:11.5623547","RegCloseKey","HKLM\SYSTEM\WPA\MediaCenter","SUCCESS",""
  844. "22:47:11.5625171","CreateFile","C:\WINDOWS\system32","SUCCESS","Desired Access: Read Data/List Directory, Synchronize, Disposition: Open, Options: Directory, Synchronous IO Non-Alert, Attributes: n/a, ShareMode: Read, Write, AllocationSize: n/a, OpenResult: Opened"
  845. "22:47:11.5641854","QueryDirectory","C:\WINDOWS\system32\cmd.exe","SUCCESS","Filter: cmd.exe, 1: cmd.exe"
  846. "22:47:11.5643435","CloseFile","C:\WINDOWS\system32","SUCCESS",""
  847. "22:47:11.5716484","CreateFile","C:\WINDOWS\system32\cmd.exe","SUCCESS","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
  848. "22:47:11.5718258","QueryBasicInformationFile","C:\WINDOWS\system32\cmd.exe","SUCCESS","CreationTime: 2008/08/20 12:00:00, LastAccessTime: 2013/02/05 0:00:00, LastWriteTime: 2008/08/20 12:00:00, ChangeTime: 1601/01/01 9:00:00, FileAttributes: A"
  849. "22:47:11.5719917","CloseFile","C:\WINDOWS\system32\cmd.exe","SUCCESS",""
  850. "22:47:11.5720526","CreateFile","C:\","SUCCESS","Desired Access: Read Data/List Directory, Synchronize, Disposition: Open, Options: Directory, Synchronous IO Non-Alert, Attributes: n/a, ShareMode: Read, Write, AllocationSize: n/a, OpenResult: Opened"
  851. "22:47:11.5737699","QueryDirectory","C:\WINDOWS","SUCCESS","Filter: WINDOWS, 1: WINDOWS"
  852. "22:47:11.5738168","CloseFile","C:\","SUCCESS",""
  853. "22:47:11.5753117","CreateFile","C:\WINDOWS","SUCCESS","Desired Access: Read Data/List Directory, Synchronize, Disposition: Open, Options: Directory, Synchronous IO Non-Alert, Attributes: n/a, ShareMode: Read, Write, AllocationSize: n/a, OpenResult: Opened"
  854. "22:47:11.5753768","QueryDirectory","C:\WINDOWS\system32","SUCCESS","Filter: system32, 1: system32"
  855. "22:47:11.5754564","CloseFile","C:\WINDOWS","SUCCESS",""
  856. "22:47:11.5784020","CreateFile","C:\WINDOWS\system32","SUCCESS","Desired Access: Read Data/List Directory, Synchronize, Disposition: Open, Options: Directory, Synchronous IO Non-Alert, Attributes: n/a, ShareMode: Read, Write, AllocationSize: n/a, OpenResult: Opened"
  857. "22:47:11.5785046","QueryDirectory","C:\WINDOWS\system32\cmd.exe","SUCCESS","Filter: cmd.exe, 1: cmd.exe"
  858. "22:47:11.5786596","CloseFile","C:\WINDOWS\system32","SUCCESS",""
  859. "22:47:11.5929648","RegOpenKey","HKLM\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers","NAME NOT FOUND","Desired Access: Read, WOW64_64Key"
  860. "22:47:11.5929997","RegOpenKey","HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers","NAME NOT FOUND","Desired Access: Read, WOW64_64Key"
  861. "22:47:11.5930232","RegOpenKey","HKLM\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\cmd.exe","NAME NOT FOUND","Desired Access: Read, WOW64_64Key"
  862. "22:47:11.5936403","CreateFile","C:\WINDOWS\system32\cmd.exe","SUCCESS","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
  863. "22:47:11.5938143","QueryBasicInformationFile","C:\WINDOWS\system32\cmd.exe","SUCCESS","CreationTime: 2008/08/20 12:00:00, LastAccessTime: 2013/02/05 0:00:00, LastWriteTime: 2008/08/20 12:00:00, ChangeTime: 1601/01/01 9:00:00, FileAttributes: A"
  864. "22:47:11.5959752","CloseFile","C:\WINDOWS\system32\cmd.exe","SUCCESS",""
  865. "22:47:11.5963228","Load Image","C:\WINDOWS\System32\VERSION.DLL","SUCCESS","Image Base: 0x77bb0000, Image Size: 0x8000"
  866. "22:47:11.5964331","RegOpenKey","HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\VERSION.dll","NAME NOT FOUND","Desired Access: Read"
  867. "22:47:11.6038402","CreateFile","C:\WINDOWS\system32\cmd.exe","SUCCESS","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
  868. "22:47:11.6040151","QueryBasicInformationFile","C:\WINDOWS\system32\cmd.exe","SUCCESS","CreationTime: 2008/08/20 12:00:00, LastAccessTime: 2013/02/05 0:00:00, LastWriteTime: 2008/08/20 12:00:00, ChangeTime: 1601/01/01 9:00:00, FileAttributes: A"
  869. "22:47:11.6041805","CloseFile","C:\WINDOWS\system32\cmd.exe","SUCCESS",""
  870. "22:47:11.6050322","CreateFile","C:\WINDOWS\system32\cmd.exe","SUCCESS","Desired Access: Execute/Traverse, Synchronize, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, Delete, AllocationSize: n/a, OpenResult: Opened"
  871. "22:47:11.6052138","CreateFileMapping","C:\WINDOWS\system32\cmd.exe","SUCCESS","SyncType: SyncTypeCreateSection, PageProtection: PAGE_EXECUTE"
  872. "22:47:11.6052292","QueryStandardInformationFile","C:\WINDOWS\system32\cmd.exe","SUCCESS","AllocationSize: 491,520, EndOfFile: 486,400, NumberOfLinks: 1, DeletePending: False, Directory: False"
  873. "22:47:11.6052546","CreateFileMapping","C:\WINDOWS\system32\cmd.exe","SUCCESS","SyncType: SyncTypeOther"
  874. "22:47:11.6054362","CloseFile","C:\WINDOWS\system32\cmd.exe","SUCCESS",""
  875. "22:47:11.6064034","CreateFile","C:\WINDOWS\system32\cmd.exe","SUCCESS","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
  876. "22:47:11.6065755","QueryBasicInformationFile","C:\WINDOWS\system32\cmd.exe","SUCCESS","CreationTime: 2008/08/20 12:00:00, LastAccessTime: 2013/02/05 0:00:00, LastWriteTime: 2008/08/20 12:00:00, ChangeTime: 1601/01/01 9:00:00, FileAttributes: A"
  877. "22:47:11.6067408","CloseFile","C:\WINDOWS\system32\cmd.exe","SUCCESS",""
  878. "22:47:11.6077220","CreateFile","C:\WINDOWS\system32\cmd.exe","SUCCESS","Desired Access: Generic Read, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, Delete, AllocationSize: n/a, OpenResult: Opened"
  879. "22:47:11.6079008","CreateFileMapping","C:\WINDOWS\system32\cmd.exe","SUCCESS","SyncType: SyncTypeCreateSection, PageProtection: PAGE_READONLY"
  880. "22:47:11.6079142","QueryStandardInformationFile","C:\WINDOWS\system32\cmd.exe","SUCCESS","AllocationSize: 491,520, EndOfFile: 486,400, NumberOfLinks: 1, DeletePending: False, Directory: False"
  881. "22:47:11.6079379","CreateFileMapping","C:\WINDOWS\system32\cmd.exe","SUCCESS","SyncType: SyncTypeOther"
  882. "22:47:11.6081195","CloseFile","C:\WINDOWS\system32\cmd.exe","SUCCESS",""
  883. "22:47:11.6092833","CreateFile","C:\WINDOWS\system32\cmd.exe","SUCCESS","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
  884. "22:47:11.6094613","QueryBasicInformationFile","C:\WINDOWS\system32\cmd.exe","SUCCESS","CreationTime: 2008/08/20 12:00:00, LastAccessTime: 2013/02/05 0:00:00, LastWriteTime: 2008/08/20 12:00:00, ChangeTime: 1601/01/01 9:00:00, FileAttributes: A"
  885. "22:47:11.6096261","CloseFile","C:\WINDOWS\system32\cmd.exe","SUCCESS",""
  886. "22:47:11.6104994","CreateFile","C:\WINDOWS\system32\cmd.exe","SUCCESS","Desired Access: Execute/Traverse, Synchronize, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, Delete, AllocationSize: n/a, OpenResult: Opened"
  887. "22:47:11.6106760","CreateFileMapping","C:\WINDOWS\system32\cmd.exe","SUCCESS","SyncType: SyncTypeCreateSection, PageProtection: PAGE_EXECUTE"
  888. "22:47:11.6106894","QueryStandardInformationFile","C:\WINDOWS\system32\cmd.exe","SUCCESS","AllocationSize: 491,520, EndOfFile: 486,400, NumberOfLinks: 1, DeletePending: False, Directory: False"
  889. "22:47:11.6107131","CreateFileMapping","C:\WINDOWS\system32\cmd.exe","SUCCESS","SyncType: SyncTypeOther"
  890. "22:47:11.6108939","CloseFile","C:\WINDOWS\system32\cmd.exe","SUCCESS",""
  891. "22:47:11.6119245","CreateFile","C:\WINDOWS\system32\cmd.exe","SUCCESS","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
  892. "22:47:11.6120960","QueryBasicInformationFile","C:\WINDOWS\system32\cmd.exe","SUCCESS","CreationTime: 2008/08/20 12:00:00, LastAccessTime: 2013/02/05 0:00:00, LastWriteTime: 2008/08/20 12:00:00, ChangeTime: 1601/01/01 9:00:00, FileAttributes: A"
  893. "22:47:11.6128975","CloseFile","C:\WINDOWS\system32\cmd.exe","SUCCESS",""
  894. "22:47:11.6131322","CreateFile","C:\WINDOWS\system32\cmd.exe","SUCCESS","Desired Access: Generic Read, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, Delete, AllocationSize: n/a, OpenResult: Opened"
  895. "22:47:11.6133098","CreateFileMapping","C:\WINDOWS\system32\cmd.exe","SUCCESS","SyncType: SyncTypeCreateSection, PageProtection: PAGE_READONLY"
  896. "22:47:11.6133235","QueryStandardInformationFile","C:\WINDOWS\system32\cmd.exe","SUCCESS","AllocationSize: 491,520, EndOfFile: 486,400, NumberOfLinks: 1, DeletePending: False, Directory: False"
  897. "22:47:11.6133467","CreateFileMapping","C:\WINDOWS\system32\cmd.exe","SUCCESS","SyncType: SyncTypeOther"
  898. "22:47:11.6141203","CloseFile","C:\WINDOWS\system32\cmd.exe","SUCCESS",""
  899. "22:47:11.6144784","RegOpenKey","HKLM\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags","NAME NOT FOUND","Desired Access: Read, WOW64_64Key"
  900. "22:47:11.6145122","RegOpenKey","HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags","NAME NOT FOUND","Desired Access: Read, WOW64_64Key"
  901. "22:47:11.6150257","CreateFile","C:\WINDOWS\system32\cmd.exe","SUCCESS","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
  902. "22:47:11.6156043","QueryBasicInformationFile","C:\WINDOWS\system32\cmd.exe","SUCCESS","CreationTime: 2008/08/20 12:00:00, LastAccessTime: 2013/02/05 0:00:00, LastWriteTime: 2008/08/20 12:00:00, ChangeTime: 1601/01/01 9:00:00, FileAttributes: A"
  903. "22:47:11.6157685","CloseFile","C:\WINDOWS\system32\cmd.exe","SUCCESS",""
  904. "22:47:11.6158196","CreateFile","C:\","SUCCESS","Desired Access: Read Data/List Directory, Synchronize, Disposition: Open, Options: Directory, Synchronous IO Non-Alert, Attributes: n/a, ShareMode: Read, Write, AllocationSize: n/a, OpenResult: Opened"
  905. "22:47:11.6158456","QueryDirectory","C:\WINDOWS","SUCCESS","Filter: WINDOWS, 1: WINDOWS"
  906. "22:47:11.6166114","CloseFile","C:\","SUCCESS",""
  907. "22:47:11.6167323","CreateFile","C:\WINDOWS","SUCCESS","Desired Access: Read Data/List Directory, Synchronize, Disposition: Open, Options: Directory, Synchronous IO Non-Alert, Attributes: n/a, ShareMode: Read, Write, AllocationSize: n/a, OpenResult: Opened"
  908. "22:47:11.6173545","QueryDirectory","C:\WINDOWS\system32","SUCCESS","Filter: system32, 1: system32"
  909. "22:47:11.6174347","CloseFile","C:\WINDOWS","SUCCESS",""
  910. "22:47:11.6175931","CreateFile","C:\WINDOWS\system32","SUCCESS","Desired Access: Read Data/List Directory, Synchronize, Disposition: Open, Options: Directory, Synchronous IO Non-Alert, Attributes: n/a, ShareMode: Read, Write, AllocationSize: n/a, OpenResult: Opened"
  911. "22:47:11.6183683","QueryDirectory","C:\WINDOWS\system32\cmd.exe","SUCCESS","Filter: cmd.exe, 1: cmd.exe"
  912. "22:47:11.6185200","CloseFile","C:\WINDOWS\system32","SUCCESS",""
  913. "22:47:11.6196612","CloseFile","C:\WINDOWS\AppPatch\sysmain.sdb","SUCCESS",""
  914. "22:47:11.6197146","RegOpenKey","HKLM\System\CurrentControlSet\Control\SafeBoot\Option","NAME NOT FOUND","Desired Access: Query Value, Set Value"
  915. "22:47:11.6197422","RegOpenKey","HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers","SUCCESS","Desired Access: Query Value"
  916. "22:47:11.6197743","RegQueryValue","HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\TransparentEnabled","SUCCESS","Type: REG_DWORD, Length: 4, Data: 1"
  917. "22:47:11.6197914","RegQueryValue","HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\AuthenticodeEnabled","SUCCESS","Type: REG_DWORD, Length: 4, Data: 0"
  918. "22:47:11.6198190","RegCloseKey","HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers","SUCCESS",""
  919. "22:47:11.6198559","RegOpenKey","HKLM\Software\Policies\Microsoft\Windows\Safer\LevelObjects","NAME NOT FOUND","Desired Access: Read"
  920. "22:47:11.6198741","RegOpenKey","HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers","SUCCESS","Desired Access: Query Value"
  921. "22:47:11.6198989","RegQueryValue","HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\Levels","NAME NOT FOUND","Length: 536"
  922. "22:47:11.6199216","RegCloseKey","HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers","SUCCESS",""
  923. "22:47:11.6199956","RegOpenKey","HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths","SUCCESS","Desired Access: Read"
  924. "22:47:11.6200403","RegEnumKey","HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths","SUCCESS","Index: 0, Name: {dda3f824-d8cb-441b-834d-be2efd2c1a33}"
  925. "22:47:11.6200604","RegOpenKey","HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{dda3f824-d8cb-441b-834d-be2efd2c1a33}","SUCCESS","Desired Access: Read"
  926. "22:47:11.6201026","RegQueryValue","HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{dda3f824-d8cb-441b-834d-be2efd2c1a33}\ItemData","SUCCESS","Type: REG_EXPAND_SZ, Length: 190, Data: %HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache%OLK*"
  927. "22:47:11.6201258","RegQueryValue","HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{dda3f824-d8cb-441b-834d-be2efd2c1a33}\SaferFlags","SUCCESS","Type: REG_DWORD, Length: 4, Data: 0"
  928. "22:47:11.6208345","RegCloseKey","HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{dda3f824-d8cb-441b-834d-be2efd2c1a33}","SUCCESS",""
  929. "22:47:11.6208491","RegEnumKey","HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths","NO MORE ENTRIES","Index: 1, Length: 280"
  930. "22:47:11.6208728","RegCloseKey","HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths","SUCCESS",""
  931. "22:47:11.6208829","RegOpenKey","HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes","SUCCESS","Desired Access: Read"
  932. "22:47:11.6209169","RegEnumKey","HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes","SUCCESS","Index: 0, Name: {349d35ab-37b5-462f-9b89-edd5fbde1328}"
  933. "22:47:11.6209357","RegOpenKey","HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328}","SUCCESS","Desired Access: Read"
  934. "22:47:11.6209737","RegQueryValue","HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328}\ItemData","SUCCESS","Type: REG_BINARY, Length: 16, Data: 5E AB 30 4F 95 7A 49 89 6A 00 6C 1C 31 15 40 15"
  935. "22:47:11.6209957","RegQueryValue","HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328}\HashAlg","SUCCESS","Type: REG_DWORD, Length: 4, Data: 32771"
  936. "22:47:11.6210139","RegQueryValue","HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328}\ItemSize","SUCCESS","Type: REG_QWORD, Length: 8, Data: "
  937. "22:47:11.6210348","RegQueryValue","HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328}\SaferFlags","SUCCESS","Type: REG_DWORD, Length: 4, Data: 0"
  938. "22:47:11.6210625","RegCloseKey","HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328}","SUCCESS",""
  939. "22:47:11.6210776","RegEnumKey","HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes","SUCCESS","Index: 1, Name: {7fb9cd2e-3076-4df9-a57b-b813f72dbb91}"
  940. "22:47:11.6210952","RegOpenKey","HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}","SUCCESS","Desired Access: Read"
  941. "22:47:11.6211343","RegQueryValue","HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}\ItemData","SUCCESS","Type: REG_BINARY, Length: 16, Data: 67 B0 D4 8B 34 3A 3F D3 BC E9 DC 64 67 04 F3 94"
  942. "22:47:11.6211561","RegQueryValue","HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}\HashAlg","SUCCESS","Type: REG_DWORD, Length: 4, Data: 32771"
  943. "22:47:11.6211740","RegQueryValue","HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}\ItemSize","SUCCESS","Type: REG_QWORD, Length: 8, Data: "
  944. "22:47:11.6211938","RegQueryValue","HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}\SaferFlags","SUCCESS","Type: REG_DWORD, Length: 4, Data: 0"
  945. "22:47:11.6212217","RegCloseKey","HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}","SUCCESS",""
  946. "22:47:11.6212374","RegEnumKey","HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes","SUCCESS","Index: 2, Name: {81d1fe15-dd9d-4762-b16d-7c29ddecae3f}"
  947. "22:47:11.6212555","RegOpenKey","HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}","SUCCESS","Desired Access: Read"
  948. "22:47:11.6212938","RegQueryValue","HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}\ItemData","SUCCESS","Type: REG_BINARY, Length: 16, Data: 32 78 02 DC FE F8 C8 93 DC 8A B0 06 DD 84 7D 1D"
  949. "22:47:11.6213170","RegQueryValue","HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}\HashAlg","SUCCESS","Type: REG_DWORD, Length: 4, Data: 32771"
  950. "22:47:11.6213354","RegQueryValue","HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}\ItemSize","SUCCESS","Type: REG_QWORD, Length: 8, Data: "
  951. "22:47:11.6213553","RegQueryValue","HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}\SaferFlags","SUCCESS","Type: REG_DWORD, Length: 4, Data: 0"
  952. "22:47:11.6213829","RegCloseKey","HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}","SUCCESS",""
  953. "22:47:11.6213972","RegEnumKey","HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes","SUCCESS","Index: 3, Name: {94e3e076-8f53-42a5-8411-085bcc18a68d}"
  954. "22:47:11.6214150","RegOpenKey","HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d}","SUCCESS","Desired Access: Read"
  955. "22:47:11.6214522","RegQueryValue","HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d}\ItemData","SUCCESS","Type: REG_BINARY, Length: 16, Data: BD 9A 2A DB 42 EB D8 56 0E 25 0E 4D F8 16 2F 67"
  956. "22:47:11.6214737","RegQueryValue","HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d}\HashAlg","SUCCESS","Type: REG_DWORD, Length: 4, Data: 32771"
  957. "22:47:11.6214919","RegQueryValue","HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d}\ItemSize","SUCCESS","Type: REG_QWORD, Length: 8, Data: "
  958. "22:47:11.6215131","RegQueryValue","HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d}\SaferFlags","SUCCESS","Type: REG_DWORD, Length: 4, Data: 0"
  959. "22:47:11.6215408","RegCloseKey","HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d}","SUCCESS",""
  960. "22:47:11.6215570","RegEnumKey","HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes","SUCCESS","Index: 4, Name: {dc971ee5-44eb-4fe4-ae2e-b91490411bfc}"
  961. "22:47:11.6215743","RegOpenKey","HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}","SUCCESS","Desired Access: Read"
  962. "22:47:11.6216126","RegQueryValue","HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}\ItemData","SUCCESS","Type: REG_BINARY, Length: 16, Data: 38 6B 08 5F 84 EC F6 69 D3 6B 95 6A 22 C0 1E 80"
  963. "22:47:11.6216338","RegQueryValue","HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}\HashAlg","SUCCESS","Type: REG_DWORD, Length: 4, Data: 32771"
  964. "22:47:11.6216517","RegQueryValue","HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}\ItemSize","SUCCESS","Type: REG_QWORD, Length: 8, Data: "
  965. "22:47:11.6216712","RegQueryValue","HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}\SaferFlags","SUCCESS","Type: REG_DWORD, Length: 4, Data: 0"
  966. "22:47:11.6224945","RegCloseKey","HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}","SUCCESS",""
  967. "22:47:11.6225110","RegEnumKey","HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes","NO MORE ENTRIES","Index: 5, Length: 280"
  968. "22:47:11.6225345","RegCloseKey","HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes","SUCCESS",""
  969. "22:47:11.6225448","RegOpenKey","HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\UrlZones","NAME NOT FOUND","Desired Access: Read"
  970. "22:47:11.6225646","RegOpenKey","HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Paths","NAME NOT FOUND","Desired Access: Read"
  971. "22:47:11.6225834","RegOpenKey","HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Hashes","NAME NOT FOUND","Desired Access: Read"
  972. "22:47:11.6226001","RegOpenKey","HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\UrlZones","NAME NOT FOUND","Desired Access: Read"
  973. "22:47:11.6226166","RegOpenKey","HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Paths","NAME NOT FOUND","Desired Access: Read"
  974. "22:47:11.6226336","RegOpenKey","HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Hashes","NAME NOT FOUND","Desired Access: Read"
  975. "22:47:11.6226507","RegOpenKey","HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\UrlZones","NAME NOT FOUND","Desired Access: Read"
  976. "22:47:11.6226669","RegOpenKey","HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Paths","NAME NOT FOUND","Desired Access: Read"
  977. "22:47:11.6226845","RegOpenKey","HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Hashes","NAME NOT FOUND","Desired Access: Read"
  978. "22:47:11.6227004","RegOpenKey","HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\UrlZones","NAME NOT FOUND","Desired Access: Read"
  979. "22:47:11.6227163","RegOpenKey","HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths","NAME NOT FOUND","Desired Access: Read"
  980. "22:47:11.6227328","RegOpenKey","HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Hashes","NAME NOT FOUND","Desired Access: Read"
  981. "22:47:11.6227493","RegOpenKey","HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\UrlZones","NAME NOT FOUND","Desired Access: Read"
  982. "22:47:11.6227797","RegOpenKey","HKCU\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths","NAME NOT FOUND","Desired Access: Read"
  983. "22:47:11.6228116","RegOpenKey","HKCU\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes","NAME NOT FOUND","Desired Access: Read"
  984. "22:47:11.6228412","RegOpenKey","HKCU\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\UrlZones","NAME NOT FOUND","Desired Access: Read"
  985. "22:47:11.6228703","RegOpenKey","HKCU\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Paths","NAME NOT FOUND","Desired Access: Read"
  986. "22:47:11.6228999","RegOpenKey","HKCU\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Hashes","NAME NOT FOUND","Desired Access: Read"
  987. "22:47:11.6229295","RegOpenKey","HKCU\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\UrlZones","NAME NOT FOUND","Desired Access: Read"
  988. "22:47:11.6229605","RegOpenKey","HKCU\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Paths","NAME NOT FOUND","Desired Access: Read"
  989. "22:47:11.6229907","RegOpenKey","HKCU\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Hashes","NAME NOT FOUND","Desired Access: Read"
  990. "22:47:11.6230206","RegOpenKey","HKCU\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\UrlZones","NAME NOT FOUND","Desired Access: Read"
  991. "22:47:11.6230507","RegOpenKey","HKCU\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Paths","NAME NOT FOUND","Desired Access: Read"
  992. "22:47:11.6230803","RegOpenKey","HKCU\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Hashes","NAME NOT FOUND","Desired Access: Read"
  993. "22:47:11.6231091","RegOpenKey","HKCU\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\UrlZones","NAME NOT FOUND","Desired Access: Read"
  994. "22:47:11.6231385","RegOpenKey","HKCU\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths","NAME NOT FOUND","Desired Access: Read"
  995. "22:47:11.6231683","RegOpenKey","HKCU\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Hashes","NAME NOT FOUND","Desired Access: Read"
  996. "22:47:11.6231974","RegOpenKey","HKCU\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\UrlZones","NAME NOT FOUND","Desired Access: Read"
  997. "22:47:11.6232164","RegOpenKey","HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers","SUCCESS","Desired Access: Read"
  998. "22:47:11.6232413","RegQueryValue","HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\DefaultLevel","SUCCESS","Type: REG_DWORD, Length: 4, Data: 262144"
  999. "22:47:11.6232664","RegCloseKey","HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers","SUCCESS",""
  1000. "22:47:11.6232865","RegOpenKey","HKCU\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers","NAME NOT FOUND","Desired Access: Read"
  1001. "22:47:11.6233415","RegOpenKey","HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers","SUCCESS","Desired Access: Query Value"
  1002. "22:47:11.6233656","RegQueryValue","HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\PolicyScope","SUCCESS","Type: REG_DWORD, Length: 4, Data: 0"
  1003. "22:47:11.6233893","RegCloseKey","HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers","SUCCESS",""
  1004. "22:47:11.6236131","QueryNameInformationFile","C:\WINDOWS\system32\cmd.exe","SUCCESS","Name: \WINDOWS\System32\cmd.exe"
  1005. "22:47:11.6245993","CreateFile","C:\WINDOWS\system32\cmd.exe","SUCCESS","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
  1006. "22:47:11.6247713","QueryBasicInformationFile","C:\WINDOWS\system32\cmd.exe","SUCCESS","CreationTime: 2008/08/20 12:00:00, LastAccessTime: 2013/02/05 0:00:00, LastWriteTime: 2008/08/20 12:00:00, ChangeTime: 1601/01/01 9:00:00, FileAttributes: A"
  1007. "22:47:11.6249378","CloseFile","C:\WINDOWS\system32\cmd.exe","SUCCESS",""
  1008. "22:47:11.6257924","CreateFile","C:\","SUCCESS","Desired Access: Read Data/List Directory, Synchronize, Disposition: Open, Options: Directory, Synchronous IO Non-Alert, Attributes: n/a, ShareMode: Read, Write, AllocationSize: n/a, OpenResult: Opened"
  1009. "22:47:11.6258187","QueryDirectory","C:\WINDOWS","SUCCESS","Filter: WINDOWS, 1: WINDOWS"
  1010. "22:47:11.6258581","CloseFile","C:\","SUCCESS",""
  1011. "22:47:11.6264411","CreateFile","C:\WINDOWS","SUCCESS","Desired Access: Read Data/List Directory, Synchronize, Disposition: Open, Options: Directory, Synchronous IO Non-Alert, Attributes: n/a, ShareMode: Read, Write, AllocationSize: n/a, OpenResult: Opened"
  1012. "22:47:11.6265062","QueryDirectory","C:\WINDOWS\System32","SUCCESS","Filter: System32, 1: system32"
  1013. "22:47:11.6265844","CloseFile","C:\WINDOWS","SUCCESS",""
  1014. "22:47:11.6273485","CreateFile","C:\WINDOWS\system32","SUCCESS","Desired Access: Read Data/List Directory, Synchronize, Disposition: Open, Options: Directory, Synchronous IO Non-Alert, Attributes: n/a, ShareMode: Read, Write, AllocationSize: n/a, OpenResult: Opened"
  1015. "22:47:11.6274488","QueryDirectory","C:\WINDOWS\system32\cmd.exe","SUCCESS","Filter: cmd.exe, 1: cmd.exe"
  1016. "22:47:11.6281905","CloseFile","C:\WINDOWS\system32","SUCCESS",""
  1017. "22:47:11.6283844","QueryStandardInformationFile","C:\WINDOWS\system32\cmd.exe","SUCCESS","AllocationSize: 491,520, EndOfFile: 486,400, NumberOfLinks: 1, DeletePending: False, Directory: False"
  1018. "22:47:11.6285517","CreateFileMapping","C:\WINDOWS\system32\cmd.exe","SUCCESS","SyncType: SyncTypeCreateSection, PageProtection: PAGE_READONLY"
  1019. "22:47:11.6285654","QueryStandardInformationFile","C:\WINDOWS\system32\cmd.exe","SUCCESS","AllocationSize: 491,520, EndOfFile: 486,400, NumberOfLinks: 1, DeletePending: False, Directory: False"
  1020. "22:47:11.6285891","CreateFileMapping","C:\WINDOWS\system32\cmd.exe","SUCCESS","SyncType: SyncTypeOther"
  1021. "22:47:11.6286375","RegOpenKey","HKCU","SUCCESS","Desired Access: Read"
  1022. "22:47:11.6286646","RegOpenKey","HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders","SUCCESS","Desired Access: Read"
  1023. "22:47:11.6286975","RegCloseKey","HKCU","SUCCESS",""
  1024. "22:47:11.6287154","RegQueryValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache","BUFFER OVERFLOW","Length: 144"
  1025. "22:47:11.6287389","RegQueryValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache","SUCCESS","Type: REG_SZ, Length: 140, Data: C:\Documents and Settings\%USER%\Local Settings\Temporary Internet Files"
  1026. "22:47:11.6293608","RegCloseKey","HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders","SUCCESS",""
  1027. "22:47:11.6293940","RegOpenKey","HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers","SUCCESS","Desired Access: Query Value"
  1028. "22:47:11.6294217","RegQueryValue","HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\LogFileName","NAME NOT FOUND","Length: 536"
  1029. "22:47:11.6294448","RegCloseKey","HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers","SUCCESS",""
  1030. "22:47:11.6294527","RegOpenKey","HKLM\System\CurrentControlSet\Control\SafeBoot\Option","NAME NOT FOUND","Desired Access: Query Value, Set Value"
  1031. "22:47:11.6295247","RegOpenKey","HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe","NAME NOT FOUND","Desired Access: Read"
  1032. "22:47:11.6297868","CreateFile","C:\WINDOWS\system32\cmd.exe.Manifest","NAME NOT FOUND","Desired Access: Generic Read/Execute, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, AllocationSize: n/a"
  1033. "22:47:11.6301209","Process Create","C:\WINDOWS\system32\cmd.exe","SUCCESS","PID: 252, Command line: ""C:\WINDOWS\system32\cmd.exe"""
  1034. "22:47:11.6309861","CloseFile","C:\WINDOWS\system32\cmd.exe","SUCCESS",""
  1035. "22:47:11.6310358","FileSystemControl","D:\","SUCCESS","Control: FSCTL_IS_VOLUME_MOUNTED"
  1036. "22:47:11.6430119","CreateFile","D:\contacts.exe","SUCCESS","Desired Access: Delete, Disposition: Open, Options: , Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
  1037. "22:47:11.6480478","Thread Exit","","SUCCESS","Thread ID: 2496, User Time: 0.0000000, Kernel Time: 0.0000000"
  1038. "22:47:11.6481028","Thread Exit","","SUCCESS","Thread ID: 2500, User Time: 0.0000000, Kernel Time: 0.0000000"
  1039. "22:47:11.6482595","RegOpenKey","HKLM\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize","SUCCESS","Desired Access: Read"
  1040. "22:47:11.6482997","RegQueryValue","HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles","NAME NOT FOUND","Length: 20"
  1041. "22:47:11.6483294","RegCloseKey","HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize","SUCCESS",""
  1042. "22:47:11.6484665","Thread Exit","","SUCCESS","Thread ID: 2176, User Time: 2.0781250, Kernel Time: 0.2500000"
  1043. "22:47:11.6490219","Process Exit","","SUCCESS","Exit Status: 0, User Time: 2.0937500 seconds, Kernel Time: 0.2343750 seconds, Private Bytes: 1,044,480, Peak Private Bytes: 1,077,248, Working Set: 2,723,840, Peak Working Set: 2,732,032"
  1044. "22:47:11.6490417","CloseFile","D:\","SUCCESS",""