Advertisement
MalwareMustDie

PID 2152 - cmd.exe #MalwareMustDie 20130126

Jan 26th, 2013
1,440
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 126.93 KB | None | 0 0
  1. ==============================
  2. Process PID: 2152 - cmd.exe
  3. ==============================
  4.  
  5. 20:39:06.9806463","cmd.exe","2152","QueryNameInformationFile","C:\WINDOWS\system32\cmd.exe","SUCCESS","Name: \WINDOWS\System32\cmd.exe"
  6. 20:39:06.9810768","cmd.exe","2152","QueryNameInformationFile","C:\WINDOWS\system32\cmd.exe","SUCCESS","Name: \WINDOWS\System32\cmd.exe"
  7. 20:39:06.9812720","cmd.exe","2152","CreateFile","C:\WINDOWS\Prefetch\CMD.EXE-087B4001.pf","SUCCESS","Desired Access: Generic Read, Disposition: Open, Options: Synchronous IO Non-Alert, Attributes: n/a, ShareMode: None, AllocationSize: n/a, OpenResult: Opened"
  8. 20:39:06.9845850","cmd.exe","2152","QueryStandardInformationFile","C:\WINDOWS\Prefetch\CMD.EXE-087B4001.pf","SUCCESS","AllocationSize: 16,384, EndOfFile: 12,436, NumberOfLinks: 1, DeletePending: False, Directory: False"
  9. 20:39:06.9846046","cmd.exe","2152","ReadFile","C:","SUCCESS","Offset: 1,122,304, Length: 4,096, I/O Flags: Non-cached, Paging I/O, Synchronous Paging I/O"
  10. 20:39:07.0178339","cmd.exe","2152","ReadFile","C:\WINDOWS\Prefetch\CMD.EXE-087B4001.pf","SUCCESS","Offset: 0, Length: 12,436"
  11. 20:39:07.0178627","cmd.exe","2152","ReadFile","C:\WINDOWS\Prefetch\CMD.EXE-087B4001.pf","SUCCESS","Offset: 0, Length: 12,436, I/O Flags: Non-cached, Paging I/O, Synchronous Paging I/O"
  12. 20:39:07.1293626","cmd.exe","2152","CloseFile","C:\WINDOWS\Prefetch\CMD.EXE-087B4001.pf","SUCCESS",""
  13. 20:39:07.1294378","cmd.exe","2152","CreateFile","C:","SUCCESS","Desired Access: Read Attributes, Write Attributes, Synchronize, Disposition: Open, Options: Synchronous IO Non-Alert, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
  14. 20:39:07.1294629","cmd.exe","2152","QueryInformationVolume","C:","SUCCESS","VolumeCreationTime: 1601/01/01 9:00:00, VolumeSerialNumber: 9455-E50D, SupportsObjects: False, VolumeLabel: "
  15. 20:39:07.1309355","cmd.exe","2152","FileSystemControl","C:","INVALID DEVICE REQUEST","Control: FSCTL_FILE_PREFETCH"
  16. 20:39:07.1309637","cmd.exe","2152","CreateFile","C:\","SUCCESS","Desired Access: Read Data/List Directory, Synchronize, Disposition: Open, Options: Directory, Synchronous IO Non-Alert, Open For Backup, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
  17. 20:39:07.1309975","cmd.exe","2152","QueryDirectory","C:\","SUCCESS","0: PAGEFILE.SYS, 1: WINDOWS, 2: bootfont.bin, 3: ntldr, 4: NTDETECT.COM, 5: boot.ini, 6: Documents and Settings, 7: Program Files, 8: CONFIG.SYS, 9: AUTOEXEC.BAT, 10: IO.SYS, 11: MSDOS.SYS, 12: System Volume Information, 13: Drivers, 14: swtools, 15: Recycled, 16: a"
  18. 20:39:07.1310813","cmd.exe","2152","QueryDirectory","C:\","NO MORE FILES",""
  19. 20:39:07.1329424","cmd.exe","2152","CloseFile","C:\","SUCCESS",""
  20. 20:39:07.1330296","cmd.exe","2152","CreateFile","C:\DOCUMENTS AND SETTINGS","SUCCESS","Desired Access: Read Data/List Directory, Synchronize, Disposition: Open, Options: Directory, Synchronous IO Non-Alert, Open For Backup, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
  21. 20:39:07.1342976","cmd.exe","2152","QueryDirectory","C:\Documents and Settings","SUCCESS","0: ., 1: .., 2: Default User, 3: All Users, 4: NetworkService, 5: LocalService, 6: rik"
  22. 20:39:07.1343717","cmd.exe","2152","QueryDirectory","C:\Documents and Settings","NO MORE FILES",""
  23. 20:39:07.1344032","cmd.exe","2152","CloseFile","C:\Documents and Settings","SUCCESS",""
  24. 20:39:07.1380679","cmd.exe","2152","CreateFile","C:\Documents and Settings\rik","SUCCESS","Desired Access: Read Data/List Directory, Synchronize, Disposition: Open, Options: Directory, Synchronous IO Non-Alert, Open For Backup, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
  25. 20:39:07.1381462","cmd.exe","2152","QueryDirectory","C:\Documents and Settings\rik","SUCCESS","0: ., 1: .., 2: NTUSER.DAT, 3: Local Settings, 4: Templates, 5: 繧ケ繧ソ繝シ繝・繝。繝九Η繝シ, 6: SendTo, 7: Recent, 8: PrintHood, 9: My Documents, 10: NetHood, 11: Favorites, 12: 繝・せ繧ッ繝医ャ繝・ 13: Cookies, 14: Application Data, 15: ntuser.dat.LOG, 16: ntuser.ini, 17: moonsols.DMP"
  26. 20:39:07.1382747","cmd.exe","2152","QueryDirectory","C:\Documents and Settings\rik","NO MORE FILES",""
  27. 20:39:07.1405185","cmd.exe","2152","CloseFile","C:\Documents and Settings\rik","SUCCESS",""
  28. 20:39:07.1406445","cmd.exe","2152","CreateFile","C:\Documents and Settings\rik\MY DOCUMENTS","SUCCESS","Desired Access: Read Data/List Directory, Synchronize, Disposition: Open, Options: Directory, Synchronous IO Non-Alert, Open For Backup, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
  29. 20:39:07.1422355","cmd.exe","2152","QueryDirectory","C:\Documents and Settings\rik\My Documents","SUCCESS","0: ., 1: .., 2: desktop.ini, 3: My Pictures, 4: My Music, 5: odbg110, 6: bintext.exe, 7: BZ.EXE, 8: moonsols, 9: ProcessMonitor, 10: base-regshot.hiv"
  30. 20:39:07.1423629","cmd.exe","2152","QueryDirectory","C:\Documents and Settings\rik\My Documents","NO MORE FILES",""
  31. 20:39:07.1424378","cmd.exe","2152","CloseFile","C:\Documents and Settings\rik\My Documents","SUCCESS",""
  32. 20:39:07.1446274","cmd.exe","2152","CreateFile","C:\Documents and Settings\rik\My Documents\moonsols","SUCCESS","Desired Access: Read Data/List Directory, Synchronize, Disposition: Open, Options: Directory, Synchronous IO Non-Alert, Open For Backup, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
  33. 20:39:07.1447654","cmd.exe","2152","QueryDirectory","C:\Documents and Settings\rik\My Documents\moonsols","SUCCESS","0: ., 1: .., 2: bin2dmp.exe, 3: dmp2bin.exe, 4: hibr2bin.exe, 5: hibr2dmp.exe, 6: README.txt, 7: win32dd.exe, 8: win32dd.sys, 9: win64dd.exe, 10: win64dd.sys"
  34. 20:39:07.1448171","cmd.exe","2152","ReadFile","C:","SUCCESS","Offset: 0, Length: 4,096, I/O Flags: Non-cached, Paging I/O, Synchronous Paging I/O"
  35. 20:39:07.1906995","cmd.exe","2152","QueryDirectory","C:\Documents and Settings\rik\My Documents\moonsols","NO MORE FILES",""
  36. 20:39:07.1908138","cmd.exe","2152","CloseFile","C:\Documents and Settings\rik\My Documents\moonsols","SUCCESS",""
  37. 20:39:07.1926143","cmd.exe","2152","CreateFile","C:\WINDOWS","SUCCESS","Desired Access: Read Data/List Directory, Synchronize, Disposition: Open, Options: Directory, Synchronous IO Non-Alert, Open For Backup, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
  38. 20:39:07.1926897","cmd.exe","2152","QueryDirectory","C:\WINDOWS","SUCCESS","0: ., 1: .., 2: system32, 3: system, 4: repair, 5: inf, 6: Help, 7: Fonts, 8: Config, 9: msagent, 10: Cursors, 11: Media, 12: java, 13: Web, 14: addins, 15: Connection Wizard, 16: Driver Cache, 17: security, 18: Temp, 19: twain_32, 20: msapps, 21: AppPatch, 22: Debug, 23: Resources, 24: Provisioning, 25: mui, 26: WinSxS, 27: ime, 28: pchealth, 29: PeerNet, 30: ehome, 31: Network Diagnostic, 32: L2Schemas, 33: system.ini, 34: win.ini, 35: _default.pif, 36: explorer.scf, 37: msdfmap.ini, 38: twain.dll, 39: twunk_16.exe, 40: twunk_32.exe, 41: winhelp.exe, 42: wmprfJPN.prx, 43: clock.avi, 44: vmmreg32.dll, 45: explorer.exe, 46: regedit.exe, 47: hh.exe, 48: twain_32.dll, 49: winhlp32.exe, 50: setuplog.txt, 51: setupact.log, 52: setuperr.log, 53: setupapi.log, 54: SET3.tmp, 55: SET4.tmp, 56: SET8.tmp, 57: NOTEPAD.EXE, 58: TASKMAN.EXE, 59: regopt.log, 60: ODBCINST.INI, 61: Installer, 62: ocgen.log, 63: FaxSetup.log, 64: iis6.log, 65: comsetup.log, 66: ntdtcsetup.log, 67: tsoc.log, 68: msmqinst.log, 69: imsins.log, 70: msgsocm.log, 71: tabletoc.log, 72: MedCtrOC.log, 73: netfxocm.log, 74: ocmsn.log, 75: Sti_Trace.log, 76: wiaservc.log, 77: wiadebug.log, 78: cmsetacl.log, 79: 髱偵>繝ャ繝シ繧ケ邱ィ縺ソ 16.bmp, 80: 繧キ繝」繝懊Φ.bmp, 81: 迴育栖繧ォ繝・・.bmp, 82: 鄒ス豈・bmp, 83: 繝輔ぅ繝・す繝ウ繧ー.bmp, 84: 繧ー繝ェ繝シ繝ウ 繧ケ繝医・繝ウ.bmp, 85: 螟ァ闕牙次縺ョ鬚ィ.bmp, 86: 縺励c縺上↑縺・bmp, 87: 髫・伐蟾・bmp, 88: 繧オ繝ウ繧ソ繝輔ぉ.bmp, 89: 繧オ繝昴ユ繝・け郢斐j.bmp, 90: wmsetup.log, 91: DtcInstall.log, 92: Registration, 93: vb.ini, 94: vbaddin.ini, 95: sessmgr.setup.log, 96: srchasst, 97: Tasks, 98: desktop.ini, 99: winnt.bmp, 100: winnt256.bmp, 101: WindowsUpdate.log, 102: WindowsShell.Manifest, 103: Downloaded Program Files, 104: Offline Web Pages, 105: OEWABLog.txt, 106: WMSysPr9.prx, 107: control.ini, 108: bootstat.dat, 109: REGLOCS.OLD, 110: 0.log, 111: SchedLgU.Txt, 112: Prefetch, 113: SoftwareDistribution, 114: SetupIcon.ico, 115: Thumbs.db, 116: Micros
  39. 20:39:07.1928657","cmd.exe","2152","QueryDirectory","C:\WINDOWS","NO MORE FILES",""
  40. 20:39:07.1943712","cmd.exe","2152","CloseFile","C:\WINDOWS","SUCCESS",""
  41. 20:39:07.1945285","cmd.exe","2152","CreateFile","C:\WINDOWS\AppPatch","SUCCESS","Desired Access: Read Data/List Directory, Synchronize, Disposition: Open, Options: Directory, Synchronous IO Non-Alert, Open For Backup, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
  42. 20:39:07.1946444","cmd.exe","2152","QueryDirectory","C:\WINDOWS\AppPatch","SUCCESS","0: ., 1: .., 2: AcGenral.dll, 3: AcAdProc.dll, 4: AcLayers.dll, 5: AcLua.dll, 6: AcSpecfc.dll, 7: AcXtrnal.dll, 8: apph_sp.sdb, 9: apphelp.sdb, 10: drvmain.sdb, 11: msimain.sdb, 12: sysmain.sdb"
  43. 20:39:07.1961728","cmd.exe","2152","QueryDirectory","C:\WINDOWS\AppPatch","NO MORE FILES",""
  44. 20:39:07.1962818","cmd.exe","2152","CloseFile","C:\WINDOWS\AppPatch","SUCCESS",""
  45. 20:39:07.1985231","cmd.exe","2152","CreateFile","C:\WINDOWS\system32","SUCCESS","Desired Access: Read Data/List Directory, Synchronize, Disposition: Open, Options: Directory, Synchronous IO Non-Alert, Open For Backup, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
  46. 20:39:07.1986326","cmd.exe","2152","QueryDirectory","C:\WINDOWS\system32","SUCCESS","0: ., 1: .., 2: config, 3: drivers, 4: ras, 5: spool, 6: wins, 7: dhcp, 8: ShellExt, 9: Setup, 10: wbem, 11: npp, 12: ias, 13: dllcache, 14: export, 15: icsxml, 16: mui, 17: oobe, 18: 1025, 19: 1028, 20: 1031, 21: 1033, 22: 1037, 23: 1041, 24: 1042, 25: 1054, 26: 2052, 27: 3076, 28: usmt, 29: inetsrv, 30: IME, 31: 3com_dmi, 32: ja, 33: ja-jp, 34: bootvid.dll, 35: kdcom.dll, 36: c_1252.nls, 37: c_437.nls, 38: l_intl.nls, 39: lz32.dll, 40: olesvr32.dll, 41: olethk32.dll, 42: unicode.nls, 43: vga.dll, 44: ctype.nls, 45: kbdus.dll, 46: netevent.dll, 47: msacm32.drv, 48: netmsg.dll, 49: wpa.dbl, 50: clb.dll, 51: msxmlr.dll, 52: crtdll.dll, 53: msidntld.dll, 54: mprui.dll, 55: netui2.dll, 56: dfrgres.dll, 57: net.hlp, 58: perfc009.dat, 59: perfh009.dat, 60: console.dll, 61: 12520437.cpx, 62: 12520850.cpx, 63: aaaamon.dll, 64: acledit.dll, 65: activeds.tlb, 66: adptif.dll, 67: adsnds.dll, 68: ansi.sys, 69: apcups.dll, 70: append.exe, 71: arp.exe, 72: asr_ldm.exe, 73: atkctrs.dll, 74: atmpvcno.dll, 75: autodisc.dll, 76: avicap.dll, 77: avicap32.dll, 78: avifile.dll, 79: bios1.rom, 80: bios4.rom, 81: bootok.exe, 82: bootvrfy.exe, 83: c_037.nls, 84: c_10000.nls, 85: c_10079.nls, 86: c_1026.nls, 87: c_1250.nls, 88: c_1251.nls, 89: c_1253.nls, 90: c_1254.nls, 91: c_1255.nls, 92: c_1256.nls, 93: c_1257.nls, 94: c_1258.nls, 95: c_20261.nls, 96: c_20866.nls, 97: c_20905.nls, 98: c_21866.nls, 99: c_28591.nls, 100: c_28592.nls, 101: c_28593.nls, 102: c_28598.nls, 103: c_28605.nls, 104: c_500.nls, 105: c_775.nls, 106: c_850.nls, 107: c_860.nls, 108: c_861.nls, 109: c_863.nls, 110: c_865.nls, 111: c_874.nls, 112: c_932.nls, 113: c_936.nls, 114: c_949.nls, 115: c_950.nls, 116: cards.dll, 117: ccfgnt.dll, 118: certmgr.msc, 119: skdll.dll, 120: 繝√Ε繝ウ繝阪Ν縺ョ陦ィ遉コ.scf, 121: chcp.com, 122: chkdsk.exe, 123: chkntfs.exe, 124: ciadmin.dll, 125: ciadv.msc, 126: cidaemon.exe, 127: ckcnv.exe, 128: slbrccsp.dll, 129: shellstyle.dll, 130: cliconf.chm, 1
  47. Procmon002.CSV.txt(7207): "20:39:07.1990511","cmd.exe","2152","QueryDirectory","C:\WINDOWS\system32","SUCCESS","0: rnr20.dll, 1: route.exe, 2: routemon.exe, 3: routetab.dll, 4: rpcns4.dll, 5: rsaci.rat, 6: rsfsaps.dll, 7: rsm.exe, 8: rsmsink.exe, 9: rsmui.exe, 10: rsop.msc, 11: rsopprov.exe, 12: rsvp.exe, 13: rsvp.ini, 14: rsvpcnts.h, 15: rsvpmsg.dll, 16: rsvpperf.dll, 17: rtm.dll, 18: runas.exe, 19: sc.exe, 20: scardssp.dll, 21: scredir.dll, 22: scriptpw.dll, 23: sdpblb.dll, 24: secpol.msc, 25: senscfg.dll, 26: serialui.dll, 27: services.msc, 28: serwvdrv.dll, 29: setup.bmp, 30: setupdll.dll, 31: setver.exe, 32: sfc.exe, 33: sfmapi.dll, 34: share.exe, 35: shell.dll, 36: sisbkup.dll, 37: spnike.dll, 38: sprestrt.exe, 39: sprio600.dll, 40: sprio800.dll, 41: sqlsodbc.chm, 42: sqlwid.dll, 43: sqlwoa.dll, 44: storage.dll, 45: streamci.dll, 46: subst.exe, 47: svcpack.dll, 48: swprv.dll, 49: syncapp.exe, 50: sysedit.exe, 51: sysinv.dll, 52: syskey.exe, 53: sysprint.sep, 54: sysprtj.sep, 55: system.drv, 56: systray.exe, 57: tapi.dll, 58: tapiperf.dll, 59: tapiui.dll, 60: taskman.exe, 61: tcmsetup.exe, 62: tcpsvcs.exe, 63: telephon.cpl, 64: tftp.exe, 65: timer.drv, 66: toolhelp.dll, 67: tracert6.exe, 68: traffic.dll, 69: tsappcmp.dll, 70: tsbyuv.dll, 71: tsd32.dll, 72: tssoft32.acm, 73: typelib.dll, 74: typeperf.exe, 75: ufat.dll, 76: umdmxfrm.dll, 77: unlodctr.exe, 78: ureg.dll, 79: user.exe, 80: utildll.dll, 81: v7vga.rom, 82: vcdex.dll, 83: ver.dll, 84: verifier.exe, 85: vfpodbc.dll, 86: vga.drv, 87: vjoy.dll, 88: vssadmin.exe, 89: vss_ps.dll, 90: vwipxspx.dll, 91: vwipxspx.exe, 92: w32tm.exe, 93: w32topl.dll, 94: wbcache.deu, 95: wbcache.enu, 96: wbcache.esn, 97: wbcache.fra, 98: wbcache.ita, 99: wbcache.nld, 100: wbcache.sve, 101: wbdbase.deu, 102: wbdbase.enu, 103: wbdbase.esn, 104: wbdbase.fra, 105: wbdbase.ita, 106: wbdbase.nld, 107: wbdbase.sve, 108: wdl.trm, 109: webhits.dll, 110: wfwnet.drv, 111: wiasf.ax, 112: wiavusd.dll, 113: wifeman.dll, 114: win.com, 115: win87em.dll, 116: winfax.dll, 117: winhelp.hlp, 118: winhlp32.exe, 119: win
  48. Procmon002.CSV.txt(7209): "20:39:07.2003169","cmd.exe","2152","QueryDirectory","C:\WINDOWS\system32","SUCCESS","0: shgina.dll, 1: appwiz.cpl, 2: browselc.dll, 3: d3d8.dll, 4: mshtml.dll, 5: mydocs.dll, 6: duser.dll, 7: 6to4svc.dll, 8: actmovie.exe, 9: admparse.dll, 10: adsldp.dll, 11: adsmsext.dll, 12: adsnt.dll, 13: adsnw.dll, 14: alg.exe, 15: alrsvc.dll, 16: amstream.dll, 17: appmgmts.dll, 18: appmgr.dll, 19: asctrls.ocx, 20: asr_fmt.exe, 21: asr_pfu.exe, 22: asycfilt.dll, 23: at.exe, 24: atmadm.exe, 25: atmfd.dll, 26: atmlib.dll, 27: attrib.exe, 28: auditusr.exe, 29: autoconv.exe, 30: autofmt.exe, 31: autolfn.exe, 32: azroles.dll, 33: bidispl.dll, 34: bootcfg.exe, 35: browsewm.dll, 36: bthci.dll, 37: bthprops.cpl, 38: bthserv.dll, 39: btpanui.dll, 40: cabview.dll, 41: cacls.exe, 42: camocx.dll, 43: capesnpn.dll, 44: cdfview.dll, 45: cdm.dll, 46: cdosys.dll, 47: certmgr.dll, 48: cic.dll, 49: ciodm.dll, 50: cipher.exe, 51: cisvc.exe, 52: cleanmgr.exe, 53: cliconfg.dll, 54: cliconfg.exe, 55: cliconfg.rll, 56: clipsrv.exe, 57: clusapi.dll, 58: cmcfg32.dll, 59: cmdial32.dll, 60: cmdl32.exe, 61: cmmon32.exe, 62: dfrgui.dll, 63: cmsetACL.dll, 64: cmstp.exe, 65: cmutil.dll, 66: dgnet.dll, 67: compatUI.dll, 68: compstui.dll, 69: comres.dll, 70: confmsp.dll, 71: conime.exe, 72: corpol.dll, 73: credssp.dll, 74: cryptdlg.dll, 75: cryptext.dll, 76: cscript.exe, 77: d3d8thk.dll, 78: d3d9.dll, 79: d3dim700.dll, 80: danim.dll, 81: dataclen.dll, 82: datime.dll, 83: daxctle.ocx, 84: dbmsrpcn.dll, 85: dbnetlib.dll, 86: dbnmpntw.dll, 87: dhcpmon.dll, 88: Dcache.bin, 89: dciman32.dll, 90: ddeshare.exe, 91: ddraw.dll, 92: ddrawex.dll, 93: devenum.dll, 94: devmgr.dll, 95: dfsshlex.dll, 96: dhcpqec.dll, 97: diantz.exe, 98: digest.dll, 99: dimsntfy.dll, 100: dimsroam.dll, 101: dinput.dll, 102: dinput8.dll, 103: diskcopy.dll, 104: diskpart.exe, 105: dispex.dll, 106: dllhost.exe, 107: dmadmin.exe, 108: dmband.dll, 109: dmcompos.dll, 110: dmdlgs.dll, 111: dmdskmgr.dll, 112: dmime.dll, 113: dmloader.dll, 114: dmremote.exe, 115: dmscript.dll, 116: dmstyle.dll, 117
  49. Procmon002.CSV.txt(7210): "20:39:07.2007253","cmd.exe","2152","QueryDirectory","C:\WINDOWS\system32","SUCCESS","0: nwwks.dll, 1: objsel.dll, 2: occache.dll, 3: ocmanage.dll, 4: odbc16gt.dll, 5: odbc32gt.dll, 6: odbcad32.exe, 7: odbcbcp.dll, 8: odbcconf.exe, 9: odbcconf.dll, 10: odbcconf.rsp, 11: odbccp32.cpl, 12: odbccp32.dll, 13: odbccr32.dll, 14: odbccu32.dll, 15: odbcji32.dll, 16: odbcjt32.dll, 17: odbcp32r.dll, 18: odbctrac.dll, 19: offfilt.dll, 20: oledlg.dll, 21: oleprn.dll, 22: olepro32.dll, 23: onex.dll, 24: syncui.dll, 25: openfiles.exe, 26: opengl32.dll, 27: osk.exe, 28: p2p.dll, 29: p2pgasvc.dll, 30: p2pgraph.dll, 31: p2pnetsh.dll, 32: p2psvc.dll, 33: packager.exe, 34: pdh.dll, 35: perfctrs.dll, 36: perfdisk.dll, 37: perfmon.exe, 38: perfnet.dll, 39: perfos.dll, 40: perfproc.dll, 41: sysdm.cpl, 42: photometadatahandler.dll, 43: photowiz.dll, 44: pid.dll, 45: pid.inf, 46: pidgen.dll, 47: ping.exe, 48: pngfilt.dll, 49: pnrpnsp.dll, 50: polstore.dll, 51: powercfg.cpl, 52: powercfg.exe, 53: progman.exe, 54: proquota.exe, 55: proxycfg.exe, 56: qagent.dll, 57: qagentrt.dll, 58: qasf.dll, 59: qcap.dll, 60: qcliprov.dll, 61: qdv.dll, 62: qdvd.dll, 63: qedit.dll, 64: qedwipes.dll, 65: query.dll, 66: qutil.dll, 67: rasauto.dll, 68: rasdlg.dll, 69: rasmans.dll, 70: rasphone.exe, 71: rasppp.dll, 72: rasqec.dll, 73: rassapi.dll, 74: rastapi.dll, 75: rcbdyctl.dll, 76: rcimlby.exe, 77: rcp.exe, 78: redir.exe, 79: reg.exe, 80: regwizc.dll, 81: remotesp.tsp, 82: resutils.dll, 83: rexec.exe, 84: msftedit.dll, 85: rsh.exe, 86: rshx32.dll, 87: rsmps.dll, 88: rsnotify.exe, 89: rsvpsp.dll, 90: rtcshare.exe, 91: rtipxmib.dll, 92: runonce.exe, 93: savedump.exe, 94: sbe.dll, 95: sbeio.dll, 96: scarddlg.dll, 97: scardsvr.exe, 98: sccbase.dll, 99: sccsccp.dll, 100: scrnsave.scr, 101: scrobj.dll, 102: scrrun.dll, 103: schtasks.exe, 104: sdbinst.exe, 105: sdhcinst.dll, 106: secedit.exe, 107: secupd.dat, 108: secupd.sig, 109: security.dll, 110: sendcmsg.dll, 111: sendmail.dll, 112: sethc.exe, 113: setup.exe, 114: setupn.exe, 115: sfc_os.dll, 116: shdoclc.d
  50. Procmon002.CSV.txt(7211): "20:39:07.2011355","cmd.exe","2152","QueryDirectory","C:\WINDOWS\system32","SUCCESS","0: korwbrkr.dll, 1: korwbrkr.lex, 2: noise.kor, 3: chtbrkr.dll, 4: chsbrkr.dll, 5: c_20127.nls, 6: c_852.nls, 7: c_10010.nls, 8: c_10029.nls, 9: c_10082.nls, 10: kbdycl.dll, 11: KBDAL.DLL, 12: kbdcr.dll, 13: kbdcz.dll, 14: kbdcz1.dll, 15: kbdcz2.dll, 16: kbdhu.dll, 17: kbdhu1.dll, 18: kbdpl1.dll, 19: kbdpl.dll, 20: kbdro.dll, 21: kbdsl.dll, 22: kbdsl1.dll, 23: c_855.nls, 24: c_866.nls, 25: C_28594.NLS, 26: kbdest.dll, 27: kbdlv.dll, 28: kbdlv1.dll, 29: kbdlt.dll, 30: kbdlt1.dll, 31: c_737.nls, 32: c_869.nls, 33: c_875.nls, 34: c_10006.nls, 35: C_28597.NLS, 36: kbdhe.dll, 37: kbdgkl.dll, 38: kbdhe220.dll, 39: kbdhe319.dll, 40: kbdhela2.dll, 41: kbdhela3.dll, 42: kbdhept.dll, 43: c_10007.nls, 44: c_10017.nls, 45: C_28595.NLS, 46: kbdblr.dll, 47: kbdbu.dll, 48: kbdru.dll, 49: kbdru1.dll, 50: kbdycc.dll, 51: kbdur.dll, 52: kbdkaz.dll, 53: kbduzb.dll, 54: kbdaze.dll, 55: kbdtat.dll, 56: PerfStringBackup.INI, 57: usbui.dll, 58: wshirda.dll, 59: irftp.exe, 60: irmon.dll, 61: tp4mon.exe, 62: tp4.dll, 63: tp4.hlp, 64: tp4res.dll, 65: pid.PNF, 66: h323log.txt, 67: cmprops.dll, 68: licwmi.dll, 69: mmfutil.dll, 70: servdeps.dll, 71: clbcatq.dll, 72: comsnap.dll, 73: comuid.dll, 74: comsvcs.dll, 75: catsrv.dll, 76: catsrvut.dll, 77: clbcatex.dll, 78: catsrvps.dll, 79: stclient.dll, 80: comrepl.dll, 81: comaddin.dll, 82: colbact.dll, 83: Com, 84: mtxdm.dll, 85: mtxex.dll, 86: mtxlegih.dll, 87: dcomcnfg.exe, 88: msdtc.exe, 89: msdtclog.dll, 90: xolehlp.dll, 91: msdtctm.dll, 92: msdtcprx.dll, 93: mtxoci.dll, 94: msdtcuiu.dll, 95: MsDtc, 96: cfgbkend.dll, 97: icaapi.dll, 98: qprocess.exe, 99: rdpclip.exe, 100: rdpsnd.dll, 101: rdpwsx.dll, 102: termsrv.dll, 103: rdchost.dll, 104: sessmgr.exe, 105: rdshost.exe, 106: rdsaddin.exe, 107: remotepg.dll, 108: mstsc.exe, 109: mstscax.dll, 110: aaclient.dll, 111: rhttpaa.dll, 112: tsgqec.dll, 113: tscfgwmi.dll, 114: spider.exe, 115: clipbrd.exe, 116: mspaint.exe, 117: hypertrm.dll, 118: mplay32.exe, 119:
  51. 20:39:07.2041618","cmd.exe","2152","QueryDirectory","C:\WINDOWS\system32","NO MORE FILES",""
  52. 20:39:07.2042660","cmd.exe","2152","CloseFile","C:\WINDOWS\system32","SUCCESS",""
  53. 20:39:07.2044255","cmd.exe","2152","CreateFile","C:\WINDOWS\WinSxS","SUCCESS","Desired Access: Read Data/List Directory, Synchronize, Disposition: Open, Options: Directory, Synchronous IO Non-Alert, Open For Backup, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
  54. 20:39:07.2057246","cmd.exe","2152","QueryDirectory","C:\WINDOWS\WinSxS","SUCCESS","0: ., 1: .., 2: Manifests, 3: InstallTemp, 4: x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.2600.5512_x-ww_dfb54e0c, 5: Policies, 6: x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.0.0_x-ww_8d353f13, 7: x86_Microsoft.Windows.Networking.Dxmrtp_6595b64144ccf1df_5.2.2.3_x-ww_468466a7, 8: x86_Microsoft.Windows.Networking.RtcDll_6595b64144ccf1df_5.2.2.3_x-ww_d6bd8b95, 9: x86_Microsoft.Windows.Networking.RtcRes_6595b64144ccf1df_5.2.2.3_ja_25380412, 10: x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83, 11: x86_Microsoft.Tools.VisualCPlusPlus.Runtime-Libraries_6595b64144ccf1df_6.0.0.0_x-ww_ff9986d7, 12: x86_Microsoft.Tools.VisualCPlusPlus.Runtime-Libraries.Resources_6595b64144ccf1df_6.0.0.0_ja-JP_8a84acaa, 13: x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a, 14: x86_Microsoft.Windows.CPlusPlusRuntime_6595b64144ccf1df_7.0.2600.5512_x-ww_3fd60d63, 15: x86_Microsoft.Windows.CPlusPlusRuntime_6595b64144ccf1df_7.0.0.0_x-ww_2726e76a, 16: x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2"
  55. 20:39:07.2058905","cmd.exe","2152","QueryDirectory","C:\WINDOWS\WinSxS","NO MORE FILES",""
  56. 20:39:07.2059967","cmd.exe","2152","CloseFile","C:\WINDOWS\WinSxS","SUCCESS",""
  57. 20:39:07.2083892","cmd.exe","2152","CreateFile","C:\WINDOWS\WinSxS\X86_MICROSOFT.WINDOWS.COMMON-CONTROLS_6595B64144CCF1DF_6.0.2600.5512_X-WW_35D4CE83","SUCCESS","Desired Access: Read Data/List Directory, Synchronize, Disposition: Open, Options: Directory, Synchronous IO Non-Alert, Open For Backup, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
  58. 20:39:07.2085121","cmd.exe","2152","QueryDirectory","C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83","SUCCESS","0: ., 1: .., 2: comctl32.dll"
  59. 20:39:07.2100268","cmd.exe","2152","QueryDirectory","C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83","NO MORE FILES",""
  60. 20:39:07.2101383","cmd.exe","2152","CloseFile","C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83","SUCCESS",""
  61. 20:39:07.2103699","cmd.exe","2152","CreateFile","C:\WINDOWS\system32\ntdll.dll","SUCCESS","Desired Access: Read Data/List Directory, Read Attributes, Disposition: Open, Options: Non-Directory File, Attributes: N, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
  62. 20:39:07.2135750","cmd.exe","2152","CreateFileMapping","C:\WINDOWS\system32\ntdll.dll","SUCCESS","SyncType: SyncTypeCreateSection, PageProtection: PAGE_READWRITE"
  63. 20:39:07.2135904","cmd.exe","2152","QueryStandardInformationFile","C:\WINDOWS\SYSTEM32\NTDLL.DLL","SUCCESS","AllocationSize: 638,976, EndOfFile: 627,712, NumberOfLinks: 1, DeletePending: False, Directory: False"
  64. 20:39:07.2137672","cmd.exe","2152","CreateFileMapping","C:\WINDOWS\system32\ntdll.dll","SUCCESS","SyncType: SyncTypeOther"
  65. 20:39:07.2139969","cmd.exe","2152","CreateFile","C:\WINDOWS\system32\kernel32.dll","SUCCESS","Desired Access: Read Data/List Directory, Read Attributes, Disposition: Open, Options: Non-Directory File, Attributes: N, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
  66. 20:39:07.2141782","cmd.exe","2152","CreateFileMapping","C:\WINDOWS\system32\kernel32.dll","SUCCESS","SyncType: SyncTypeCreateSection, PageProtection: PAGE_READWRITE"
  67. 20:39:07.2141913","cmd.exe","2152","QueryStandardInformationFile","C:\WINDOWS\SYSTEM32\KERNEL32.DLL","SUCCESS","AllocationSize: 1,245,184, EndOfFile: 1,235,968, NumberOfLinks: 1, DeletePending: False, Directory: False"
  68. 20:39:07.2163352","cmd.exe","2152","CreateFileMapping","C:\WINDOWS\system32\kernel32.dll","SUCCESS","SyncType: SyncTypeOther"
  69. 20:39:07.2165793","cmd.exe","2152","CreateFile","C:\WINDOWS\system32\unicode.nls","SUCCESS","Desired Access: Read Data/List Directory, Read Attributes, Disposition: Open, Options: Non-Directory File, Attributes: N, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
  70. 20:39:07.2184388","cmd.exe","2152","CreateFileMapping","C:\WINDOWS\system32\unicode.nls","SUCCESS","SyncType: SyncTypeCreateSection, PageProtection: PAGE_READWRITE"
  71. 20:39:07.2184550","cmd.exe","2152","QueryStandardInformationFile","C:\WINDOWS\SYSTEM32\UNICODE.NLS","SUCCESS","AllocationSize: 98,304, EndOfFile: 89,588, NumberOfLinks: 1, DeletePending: False, Directory: False"
  72. 20:39:07.2184832","cmd.exe","2152","CreateFileMapping","C:\WINDOWS\SYSTEM32\UNICODE.NLS","SUCCESS","SyncType: SyncTypeOther"
  73. 20:39:07.2187600","cmd.exe","2152","CreateFile","C:\WINDOWS\system32\locale.nls","SUCCESS","Desired Access: Read Data/List Directory, Read Attributes, Disposition: Open, Options: Non-Directory File, Attributes: N, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
  74. 20:39:07.2189872","cmd.exe","2152","CreateFileMapping","C:\WINDOWS\system32\locale.nls","SUCCESS","SyncType: SyncTypeCreateSection, PageProtection: PAGE_READWRITE"
  75. 20:39:07.2190031","cmd.exe","2152","QueryStandardInformationFile","C:\WINDOWS\SYSTEM32\LOCALE.NLS","SUCCESS","AllocationSize: 278,528, EndOfFile: 265,948, NumberOfLinks: 1, DeletePending: False, Directory: False"
  76. 20:39:07.2190316","cmd.exe","2152","CreateFileMapping","C:\WINDOWS\SYSTEM32\LOCALE.NLS","SUCCESS","SyncType: SyncTypeOther"
  77. 20:39:07.2193087","cmd.exe","2152","CreateFile","C:\WINDOWS\system32\sorttbls.nls","SUCCESS","Desired Access: Read Data/List Directory, Read Attributes, Disposition: Open, Options: Non-Directory File, Attributes: N, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
  78. 20:39:07.2477327","cmd.exe","2152","CreateFileMapping","C:\WINDOWS\system32\sorttbls.nls","SUCCESS","SyncType: SyncTypeCreateSection, PageProtection: PAGE_READWRITE"
  79. 20:39:07.2477523","cmd.exe","2152","QueryStandardInformationFile","C:\WINDOWS\SYSTEM32\SORTTBLS.NLS","SUCCESS","AllocationSize: 32,768, EndOfFile: 23,044, NumberOfLinks: 1, DeletePending: False, Directory: False"
  80. 20:39:07.2477830","cmd.exe","2152","CreateFileMapping","C:\WINDOWS\SYSTEM32\SORTTBLS.NLS","SUCCESS","SyncType: SyncTypeOther"
  81. 20:39:07.2480652","cmd.exe","2152","CreateFile","C:\WINDOWS\system32\msvcrt.dll","SUCCESS","Desired Access: Read Data/List Directory, Read Attributes, Disposition: Open, Options: Non-Directory File, Attributes: N, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
  82. 20:39:07.2482923","cmd.exe","2152","CreateFileMapping","C:\WINDOWS\system32\msvcrt.dll","SUCCESS","SyncType: SyncTypeCreateSection, PageProtection: PAGE_READWRITE"
  83. 20:39:07.2483088","cmd.exe","2152","QueryStandardInformationFile","C:\WINDOWS\SYSTEM32\MSVCRT.DLL","SUCCESS","AllocationSize: 344,064, EndOfFile: 343,040, NumberOfLinks: 1, DeletePending: False, Directory: False"
  84. 20:39:07.2485297","cmd.exe","2152","CreateFileMapping","C:\WINDOWS\system32\msvcrt.dll","SUCCESS","SyncType: SyncTypeOther"
  85. 20:39:07.2488155","cmd.exe","2152","CreateFile","C:\WINDOWS\system32\cmd.exe","SUCCESS","Desired Access: Read Data/List Directory, Read Attributes, Disposition: Open, Options: Non-Directory File, Attributes: N, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
  86. 20:39:07.2507130","cmd.exe","2152","CreateFileMapping","C:\WINDOWS\system32\cmd.exe","SUCCESS","SyncType: SyncTypeCreateSection, PageProtection: PAGE_READWRITE"
  87. 20:39:07.2507292","cmd.exe","2152","QueryStandardInformationFile","C:\WINDOWS\SYSTEM32\CMD.EXE","SUCCESS","AllocationSize: 491,520, EndOfFile: 486,400, NumberOfLinks: 1, DeletePending: False, Directory: False"
  88. 20:39:07.2507588","cmd.exe","2152","CreateFileMapping","C:\WINDOWS\system32\cmd.exe","SUCCESS","SyncType: SyncTypeOther"
  89. 20:39:07.2510348","cmd.exe","2152","CreateFile","C:\WINDOWS\system32\user32.dll","SUCCESS","Desired Access: Read Data/List Directory, Read Attributes, Disposition: Open, Options: Non-Directory File, Attributes: N, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
  90. 20:39:07.2512594","cmd.exe","2152","CreateFileMapping","C:\WINDOWS\system32\user32.dll","SUCCESS","SyncType: SyncTypeCreateSection, PageProtection: PAGE_READWRITE"
  91. 20:39:07.2512751","cmd.exe","2152","QueryStandardInformationFile","C:\WINDOWS\SYSTEM32\USER32.DLL","SUCCESS","AllocationSize: 589,824, EndOfFile: 576,000, NumberOfLinks: 1, DeletePending: False, Directory: False"
  92. 20:39:07.2514963","cmd.exe","2152","CreateFileMapping","C:\WINDOWS\system32\user32.dll","SUCCESS","SyncType: SyncTypeOther"
  93. 20:39:07.2535066","cmd.exe","2152","CreateFile","C:\WINDOWS\system32\gdi32.dll","SUCCESS","Desired Access: Read Data/List Directory, Read Attributes, Disposition: Open, Options: Non-Directory File, Attributes: N, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
  94. 20:39:07.2537315","cmd.exe","2152","CreateFileMapping","C:\WINDOWS\system32\gdi32.dll","SUCCESS","SyncType: SyncTypeCreateSection, PageProtection: PAGE_READWRITE"
  95. 20:39:07.2537474","cmd.exe","2152","QueryStandardInformationFile","C:\WINDOWS\SYSTEM32\GDI32.DLL","SUCCESS","AllocationSize: 294,912, EndOfFile: 285,184, NumberOfLinks: 1, DeletePending: False, Directory: False"
  96. 20:39:07.2539668","cmd.exe","2152","CreateFileMapping","C:\WINDOWS\system32\gdi32.dll","SUCCESS","SyncType: SyncTypeOther"
  97. 20:39:07.2542998","cmd.exe","2152","CreateFile","C:\WINDOWS\system32\shimeng.dll","SUCCESS","Desired Access: Read Data/List Directory, Read Attributes, Disposition: Open, Options: Non-Directory File, Attributes: N, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
  98. 20:39:07.2560947","cmd.exe","2152","CreateFileMapping","C:\WINDOWS\system32\shimeng.dll","SUCCESS","SyncType: SyncTypeCreateSection, PageProtection: PAGE_READWRITE"
  99. 20:39:07.2561112","cmd.exe","2152","QueryStandardInformationFile","C:\WINDOWS\SYSTEM32\SHIMENG.DLL","SUCCESS","AllocationSize: 65,536, EndOfFile: 65,024, NumberOfLinks: 1, DeletePending: False, Directory: False"
  100. 20:39:07.2561397","cmd.exe","2152","CreateFileMapping","C:\WINDOWS\system32\ShimEng.dll","SUCCESS","SyncType: SyncTypeOther"
  101. 20:39:07.2563824","cmd.exe","2152","CreateFile","C:\WINDOWS\AppPatch\sysmain.sdb","SUCCESS","Desired Access: Read Data/List Directory, Read Attributes, Disposition: Open, Options: Non-Directory File, Attributes: N, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
  102. 20:39:07.2565696","cmd.exe","2152","CreateFileMapping","C:\WINDOWS\AppPatch\sysmain.sdb","SUCCESS","SyncType: SyncTypeCreateSection, PageProtection: PAGE_READWRITE"
  103. 20:39:07.2565852","cmd.exe","2152","QueryStandardInformationFile","C:\WINDOWS\APPPATCH\SYSMAIN.SDB","SUCCESS","AllocationSize: 1,212,416, EndOfFile: 1,202,774, NumberOfLinks: 1, DeletePending: False, Directory: False"
  104. 20:39:07.2566149","cmd.exe","2152","CreateFileMapping","C:\WINDOWS\AppPatch\sysmain.sdb","SUCCESS","SyncType: SyncTypeOther"
  105. 20:39:07.2568506","cmd.exe","2152","CreateFile","C:\WINDOWS\AppPatch\AcGenral.dll","SUCCESS","Desired Access: Read Data/List Directory, Read Attributes, Disposition: Open, Options: Non-Directory File, Attributes: N, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
  106. 20:39:07.2590118","cmd.exe","2152","CreateFileMapping","C:\WINDOWS\AppPatch\AcGenral.dll","SUCCESS","SyncType: SyncTypeCreateSection, PageProtection: PAGE_READWRITE"
  107. 20:39:07.2590283","cmd.exe","2152","QueryStandardInformationFile","C:\WINDOWS\APPPATCH\ACGENRAL.DLL","SUCCESS","AllocationSize: 1,867,776, EndOfFile: 1,852,928, NumberOfLinks: 1, DeletePending: False, Directory: False"
  108. 20:39:07.2590579","cmd.exe","2152","CreateFileMapping","C:\WINDOWS\AppPatch\AcGenral.DLL","SUCCESS","SyncType: SyncTypeOther"
  109. 20:39:07.2593373","cmd.exe","2152","CreateFile","C:\WINDOWS\system32\advapi32.dll","SUCCESS","Desired Access: Read Data/List Directory, Read Attributes, Disposition: Open, Options: Non-Directory File, Attributes: N, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
  110. 20:39:07.2595638","cmd.exe","2152","CreateFileMapping","C:\WINDOWS\system32\advapi32.dll","SUCCESS","SyncType: SyncTypeCreateSection, PageProtection: PAGE_READWRITE"
  111. 20:39:07.2595798","cmd.exe","2152","QueryStandardInformationFile","C:\WINDOWS\SYSTEM32\ADVAPI32.DLL","SUCCESS","AllocationSize: 688,128, EndOfFile: 674,304, NumberOfLinks: 1, DeletePending: False, Directory: False"
  112. 20:39:07.2598019","cmd.exe","2152","CreateFileMapping","C:\WINDOWS\system32\advapi32.dll","SUCCESS","SyncType: SyncTypeOther"
  113. 20:39:07.2600784","cmd.exe","2152","CreateFile","C:\WINDOWS\system32\rpcrt4.dll","SUCCESS","Desired Access: Read Data/List Directory, Read Attributes, Disposition: Open, Options: Non-Directory File, Attributes: N, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
  114. 20:39:07.2622935","cmd.exe","2152","CreateFileMapping","C:\WINDOWS\system32\rpcrt4.dll","SUCCESS","SyncType: SyncTypeCreateSection, PageProtection: PAGE_READWRITE"
  115. 20:39:07.2623103","cmd.exe","2152","QueryStandardInformationFile","C:\WINDOWS\SYSTEM32\RPCRT4.DLL","SUCCESS","AllocationSize: 589,824, EndOfFile: 584,704, NumberOfLinks: 1, DeletePending: False, Directory: False"
  116. 20:39:07.2625315","cmd.exe","2152","CreateFileMapping","C:\WINDOWS\system32\rpcrt4.dll","SUCCESS","SyncType: SyncTypeOther"
  117. 20:39:07.2653587","cmd.exe","2152","CreateFile","C:\WINDOWS\system32\secur32.dll","SUCCESS","Desired Access: Read Data/List Directory, Read Attributes, Disposition: Open, Options: Non-Directory File, Attributes: N, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
  118. 20:39:07.2655895","cmd.exe","2152","CreateFileMapping","C:\WINDOWS\system32\secur32.dll","SUCCESS","SyncType: SyncTypeCreateSection, PageProtection: PAGE_READWRITE"
  119. 20:39:07.2656062","cmd.exe","2152","QueryStandardInformationFile","C:\WINDOWS\SYSTEM32\SECUR32.DLL","SUCCESS","AllocationSize: 65,536, EndOfFile: 56,320, NumberOfLinks: 1, DeletePending: False, Directory: False"
  120. 20:39:07.2658289","cmd.exe","2152","CreateFileMapping","C:\WINDOWS\system32\secur32.dll","SUCCESS","SyncType: SyncTypeOther"
  121. 20:39:07.2661110","cmd.exe","2152","CreateFile","C:\WINDOWS\system32\winmm.dll","SUCCESS","Desired Access: Read Data/List Directory, Read Attributes, Disposition: Open, Options: Non-Directory File, Attributes: N, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
  122. 20:39:07.2679967","cmd.exe","2152","CreateFileMapping","C:\WINDOWS\system32\winmm.dll","SUCCESS","SyncType: SyncTypeCreateSection, PageProtection: PAGE_READWRITE"
  123. 20:39:07.2680141","cmd.exe","2152","QueryStandardInformationFile","C:\WINDOWS\SYSTEM32\WINMM.DLL","SUCCESS","AllocationSize: 180,224, EndOfFile: 167,936, NumberOfLinks: 1, DeletePending: False, Directory: False"
  124. 20:39:07.2680445","cmd.exe","2152","CreateFileMapping","C:\WINDOWS\system32\WINMM.dll","SUCCESS","SyncType: SyncTypeOther"
  125. 20:39:07.2683242","cmd.exe","2152","CreateFile","C:\WINDOWS\system32\ole32.dll","SUCCESS","Desired Access: Read Data/List Directory, Read Attributes, Disposition: Open, Options: Non-Directory File, Attributes: N, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
  126. 20:39:07.2685504","cmd.exe","2152","CreateFileMapping","C:\WINDOWS\system32\ole32.dll","SUCCESS","SyncType: SyncTypeCreateSection, PageProtection: PAGE_READWRITE"
  127. 20:39:07.2685664","cmd.exe","2152","QueryStandardInformationFile","C:\WINDOWS\SYSTEM32\OLE32.DLL","SUCCESS","AllocationSize: 1,294,336, EndOfFile: 1,287,168, NumberOfLinks: 1, DeletePending: False, Directory: False"
  128. 20:39:07.2687871","cmd.exe","2152","CreateFileMapping","C:\WINDOWS\system32\ole32.dll","SUCCESS","SyncType: SyncTypeOther"
  129. 20:39:07.2690684","cmd.exe","2152","CreateFile","C:\WINDOWS\system32\oleaut32.dll","SUCCESS","Desired Access: Read Data/List Directory, Read Attributes, Disposition: Open, Options: Non-Directory File, Attributes: N, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
  130. 20:39:07.2724023","cmd.exe","2152","CreateFileMapping","C:\WINDOWS\system32\oleaut32.dll","SUCCESS","SyncType: SyncTypeCreateSection, PageProtection: PAGE_READWRITE"
  131. 20:39:07.2724194","cmd.exe","2152","QueryStandardInformationFile","C:\WINDOWS\SYSTEM32\OLEAUT32.DLL","SUCCESS","AllocationSize: 557,056, EndOfFile: 551,936, NumberOfLinks: 1, DeletePending: False, Directory: False"
  132. 20:39:07.2726429","cmd.exe","2152","CreateFileMapping","C:\WINDOWS\system32\oleaut32.dll","SUCCESS","SyncType: SyncTypeOther"
  133. 20:39:07.2729270","cmd.exe","2152","CreateFile","C:\WINDOWS\system32\msacm32.dll","SUCCESS","Desired Access: Read Data/List Directory, Read Attributes, Disposition: Open, Options: Non-Directory File, Attributes: N, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
  134. 20:39:07.2731589","cmd.exe","2152","CreateFileMapping","C:\WINDOWS\system32\msacm32.dll","SUCCESS","SyncType: SyncTypeCreateSection, PageProtection: PAGE_READWRITE"
  135. 20:39:07.2731748","cmd.exe","2152","QueryStandardInformationFile","C:\WINDOWS\SYSTEM32\MSACM32.DLL","SUCCESS","AllocationSize: 81,920, EndOfFile: 71,168, NumberOfLinks: 1, DeletePending: False, Directory: False"
  136. 20:39:07.2732044","cmd.exe","2152","CreateFileMapping","C:\WINDOWS\system32\MSACM32.dll","SUCCESS","SyncType: SyncTypeOther"
  137. 20:39:07.2752306","cmd.exe","2152","CreateFile","C:\WINDOWS\system32\version.dll","SUCCESS","Desired Access: Read Data/List Directory, Read Attributes, Disposition: Open, Options: Non-Directory File, Attributes: N, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
  138. 20:39:07.2754561","cmd.exe","2152","CreateFileMapping","C:\WINDOWS\system32\version.dll","SUCCESS","SyncType: SyncTypeCreateSection, PageProtection: PAGE_READWRITE"
  139. 20:39:07.2754723","cmd.exe","2152","QueryStandardInformationFile","C:\WINDOWS\SYSTEM32\VERSION.DLL","SUCCESS","AllocationSize: 32,768, EndOfFile: 18,944, NumberOfLinks: 1, DeletePending: False, Directory: False"
  140. 20:39:07.2756947","cmd.exe","2152","CreateFileMapping","C:\WINDOWS\system32\version.dll","SUCCESS","SyncType: SyncTypeOther"
  141. 20:39:07.2759729","cmd.exe","2152","CreateFile","C:\WINDOWS\system32\shell32.dll","SUCCESS","Desired Access: Read Data/List Directory, Read Attributes, Disposition: Open, Options: Non-Directory File, Attributes: N, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
  142. 20:39:07.2792820","cmd.exe","2152","CreateFileMapping","C:\WINDOWS\system32\shell32.dll","SUCCESS","SyncType: SyncTypeCreateSection, PageProtection: PAGE_READWRITE"
  143. 20:39:07.2793013","cmd.exe","2152","QueryStandardInformationFile","C:\WINDOWS\SYSTEM32\SHELL32.DLL","SUCCESS","AllocationSize: 8,372,224, EndOfFile: 8,367,104, NumberOfLinks: 1, DeletePending: False, Directory: False"
  144. 20:39:07.2793314","cmd.exe","2152","CreateFileMapping","C:\WINDOWS\system32\shell32.dll","SUCCESS","SyncType: SyncTypeOther"
  145. 20:39:07.2796111","cmd.exe","2152","CreateFile","C:\WINDOWS\system32\shlwapi.dll","SUCCESS","Desired Access: Read Data/List Directory, Read Attributes, Disposition: Open, Options: Non-Directory File, Attributes: N, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
  146. 20:39:07.2798385","cmd.exe","2152","CreateFileMapping","C:\WINDOWS\system32\shlwapi.dll","SUCCESS","SyncType: SyncTypeCreateSection, PageProtection: PAGE_READWRITE"
  147. 20:39:07.2798544","cmd.exe","2152","QueryStandardInformationFile","C:\WINDOWS\SYSTEM32\SHLWAPI.DLL","SUCCESS","AllocationSize: 475,136, EndOfFile: 473,600, NumberOfLinks: 1, DeletePending: False, Directory: False"
  148. 20:39:07.2800759","cmd.exe","2152","CreateFileMapping","C:\WINDOWS\system32\shlwapi.dll","SUCCESS","SyncType: SyncTypeOther"
  149. 20:39:07.2803517","cmd.exe","2152","CreateFile","C:\WINDOWS\system32\userenv.dll","SUCCESS","Desired Access: Read Data/List Directory, Read Attributes, Disposition: Open, Options: Non-Directory File, Attributes: N, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
  150. 20:39:07.2831149","cmd.exe","2152","CreateFileMapping","C:\WINDOWS\system32\userenv.dll","SUCCESS","SyncType: SyncTypeCreateSection, PageProtection: PAGE_READWRITE"
  151. 20:39:07.2831316","cmd.exe","2152","QueryStandardInformationFile","C:\WINDOWS\SYSTEM32\USERENV.DLL","SUCCESS","AllocationSize: 720,896, EndOfFile: 713,728, NumberOfLinks: 1, DeletePending: False, Directory: False"
  152. 20:39:07.2831607","cmd.exe","2152","CreateFileMapping","C:\WINDOWS\system32\USERENV.dll","SUCCESS","SyncType: SyncTypeOther"
  153. 20:39:07.2834412","cmd.exe","2152","CreateFile","C:\WINDOWS\system32\uxtheme.dll","SUCCESS","Desired Access: Read Data/List Directory, Read Attributes, Disposition: Open, Options: Non-Directory File, Attributes: N, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
  154. 20:39:07.2836702","cmd.exe","2152","CreateFileMapping","C:\WINDOWS\system32\uxtheme.dll","SUCCESS","SyncType: SyncTypeCreateSection, PageProtection: PAGE_READWRITE"
  155. 20:39:07.2836862","cmd.exe","2152","QueryStandardInformationFile","C:\WINDOWS\SYSTEM32\UXTHEME.DLL","SUCCESS","AllocationSize: 229,376, EndOfFile: 217,600, NumberOfLinks: 1, DeletePending: False, Directory: False"
  156. 20:39:07.2839119","cmd.exe","2152","CreateFileMapping","C:\WINDOWS\system32\uxtheme.dll","SUCCESS","SyncType: SyncTypeOther"
  157. 20:39:07.2858920","cmd.exe","2152","CreateFile","C:\WINDOWS\system32\ctype.nls","SUCCESS","Desired Access: Read Data/List Directory, Read Attributes, Disposition: Open, Options: Non-Directory File, Attributes: N, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
  158. 20:39:07.2860770","cmd.exe","2152","CreateFileMapping","C:\WINDOWS\system32\ctype.nls","SUCCESS","SyncType: SyncTypeCreateSection, PageProtection: PAGE_READWRITE"
  159. 20:39:07.2860932","cmd.exe","2152","QueryStandardInformationFile","C:\WINDOWS\SYSTEM32\CTYPE.NLS","SUCCESS","AllocationSize: 16,384, EndOfFile: 8,386, NumberOfLinks: 1, DeletePending: False, Directory: False"
  160. 20:39:07.2861214","cmd.exe","2152","CreateFileMapping","C:\WINDOWS\SYSTEM32\CTYPE.NLS","SUCCESS","SyncType: SyncTypeOther"
  161. 20:39:07.2863996","cmd.exe","2152","CreateFile","C:\WINDOWS\system32\imm32.dll","SUCCESS","Desired Access: Read Data/List Directory, Read Attributes, Disposition: Open, Options: Non-Directory File, Attributes: N, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
  162. 20:39:07.2866265","cmd.exe","2152","CreateFileMapping","C:\WINDOWS\system32\imm32.dll","SUCCESS","SyncType: SyncTypeCreateSection, PageProtection: PAGE_READWRITE"
  163. 20:39:07.2866421","cmd.exe","2152","QueryStandardInformationFile","C:\WINDOWS\SYSTEM32\IMM32.DLL","SUCCESS","AllocationSize: 114,688, EndOfFile: 110,080, NumberOfLinks: 1, DeletePending: False, Directory: False"
  164. 20:39:07.2866709","cmd.exe","2152","CreateFileMapping","C:\WINDOWS\system32\IMM32.DLL","SUCCESS","SyncType: SyncTypeOther"
  165. 20:39:07.3045693","cmd.exe","2152","CreateFile","C:\WINDOWS\system32\lpk.dll","SUCCESS","Desired Access: Read Data/List Directory, Read Attributes, Disposition: Open, Options: Non-Directory File, Attributes: N, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
  166. 20:39:07.3048349","cmd.exe","2152","CreateFileMapping","C:\WINDOWS\system32\lpk.dll","SUCCESS","SyncType: SyncTypeCreateSection, PageProtection: PAGE_READWRITE"
  167. 20:39:07.3048525","cmd.exe","2152","QueryStandardInformationFile","C:\WINDOWS\SYSTEM32\LPK.DLL","SUCCESS","AllocationSize: 32,768, EndOfFile: 22,016, NumberOfLinks: 1, DeletePending: False, Directory: False"
  168. 20:39:07.3051082","cmd.exe","2152","CreateFileMapping","C:\WINDOWS\system32\lpk.dll","SUCCESS","SyncType: SyncTypeOther"
  169. 20:39:07.3054523","cmd.exe","2152","CreateFile","C:\WINDOWS\system32\usp10.dll","SUCCESS","Desired Access: Read Data/List Directory, Read Attributes, Disposition: Open, Options: Non-Directory File, Attributes: N, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
  170. 20:39:07.3077278","cmd.exe","2152","CreateFileMapping","C:\WINDOWS\system32\usp10.dll","SUCCESS","SyncType: SyncTypeCreateSection, PageProtection: PAGE_READWRITE"
  171. 20:39:07.3077448","cmd.exe","2152","QueryStandardInformationFile","C:\WINDOWS\SYSTEM32\USP10.DLL","SUCCESS","AllocationSize: 409,600, EndOfFile: 406,016, NumberOfLinks: 1, DeletePending: False, Directory: False"
  172. 20:39:07.3080278","cmd.exe","2152","CreateFileMapping","C:\WINDOWS\system32\usp10.dll","SUCCESS","SyncType: SyncTypeOther"
  173. 20:39:07.3082943","cmd.exe","2152","CreateFile","C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll","SUCCESS","Desired Access: Read Data/List Directory, Read Attributes, Disposition: Open, Options: Non-Directory File, Attributes: N, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
  174. 20:39:07.3084991","cmd.exe","2152","CreateFileMapping","C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll","SUCCESS","SyncType: SyncTypeCreateSection, PageProtection: PAGE_READWRITE"
  175. 20:39:07.3085164","cmd.exe","2152","QueryStandardInformationFile","C:\WINDOWS\WINSXS\X86_MICROSOFT.WINDOWS.COMMON-CONTROLS_6595B64144CCF1DF_6.0.2600.5512_X-WW_35D4CE83\COMCTL32.DLL","SUCCESS","AllocationSize: 1,064,960, EndOfFile: 1,054,208, NumberOfLinks: 1, DeletePending: False, Directory: False"
  176. 20:39:07.3085472","cmd.exe","2152","CreateFileMapping","C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll","SUCCESS","SyncType: SyncTypeOther"
  177. 20:39:07.3086880","cmd.exe","2152","CreateFile","C:\WINDOWS\WINDOWSSHELL.MANIFEST","SUCCESS","Desired Access: Read Data/List Directory, Read Attributes, Disposition: Open, Options: Non-Directory File, Attributes: N, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
  178. 20:39:07.3101605","cmd.exe","2152","CreateFileMapping","C:\WINDOWS\WindowsShell.Manifest","SUCCESS","SyncType: SyncTypeCreateSection, PageProtection: PAGE_READWRITE"
  179. 20:39:07.3101775","cmd.exe","2152","QueryStandardInformationFile","C:\WINDOWS\WINDOWSSHELL.MANIFEST","SUCCESS","AllocationSize: 16,384, EndOfFile: 749, NumberOfLinks: 1, DeletePending: False, Directory: False"
  180. 20:39:07.3102071","cmd.exe","2152","CreateFileMapping","C:\WINDOWS\WindowsShell.Manifest","SUCCESS","SyncType: SyncTypeOther"
  181. 20:39:07.3104932","cmd.exe","2152","CreateFile","C:\WINDOWS\system32\comctl32.dll","SUCCESS","Desired Access: Read Data/List Directory, Read Attributes, Disposition: Open, Options: Non-Directory File, Attributes: N, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
  182. 20:39:07.3107189","cmd.exe","2152","CreateFileMapping","C:\WINDOWS\system32\comctl32.dll","SUCCESS","SyncType: SyncTypeCreateSection, PageProtection: PAGE_READWRITE"
  183. 20:39:07.3107349","cmd.exe","2152","QueryStandardInformationFile","C:\WINDOWS\SYSTEM32\COMCTL32.DLL","SUCCESS","AllocationSize: 622,592, EndOfFile: 617,472, NumberOfLinks: 1, DeletePending: False, Directory: False"
  184. 20:39:07.3107636","cmd.exe","2152","CreateFileMapping","C:\WINDOWS\SYSTEM32\COMCTL32.DLL","SUCCESS","SyncType: SyncTypeOther"
  185. 20:39:07.3112145","cmd.exe","2152","CreateFile","C:\Documents and Settings\rik\My Documents\moonsols\win32dd.sys","SUCCESS","Desired Access: Read Data/List Directory, Read Attributes, Disposition: Open, Options: Non-Directory File, Attributes: N, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
  186. 20:39:07.3115950","cmd.exe","2152","CreateFileMapping","C:\Documents and Settings\rik\My Documents\moonsols\win32dd.sys","SUCCESS","SyncType: SyncTypeCreateSection, PageProtection: PAGE_READWRITE"
  187. 20:39:07.3116274","cmd.exe","2152","QueryStandardInformationFile","C:\DOCUMENTS AND SETTINGS\RIK\MY DOCUMENTS\MOONSOLS\WIN32DD.SYS","SUCCESS","AllocationSize: 65,536, EndOfFile: 53,736, NumberOfLinks: 1, DeletePending: False, Directory: False"
  188. 20:39:07.3118358","cmd.exe","2152","CreateFileMapping","C:\Documents and Settings\rik\My Documents\moonsols\win32dd.sys","SUCCESS","SyncType: SyncTypeOther"
  189. 20:39:07.3120817","cmd.exe","2152","CreateFile","C:\WINDOWS\AppPatch\drvmain.sdb","SUCCESS","Desired Access: Read Data/List Directory, Read Attributes, Disposition: Open, Options: Non-Directory File, Attributes: N, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
  190. 20:39:07.3157229","cmd.exe","2152","CreateFileMapping","C:\WINDOWS\AppPatch\drvmain.sdb","SUCCESS","SyncType: SyncTypeCreateSection, PageProtection: PAGE_READWRITE"
  191. 20:39:07.3157548","cmd.exe","2152","QueryStandardInformationFile","C:\WINDOWS\APPPATCH\DRVMAIN.SDB","SUCCESS","AllocationSize: 16,384, EndOfFile: 9,424, NumberOfLinks: 1, DeletePending: False, Directory: False"
  192. 20:39:07.3159528","cmd.exe","2152","CreateFileMapping","C:\WINDOWS\AppPatch\drvmain.sdb","SUCCESS","SyncType: SyncTypeOther"
  193. 20:39:07.3161140","cmd.exe","2152","ReadFile","C:\WINDOWS\SYSTEM32\NTDLL.DLL","SUCCESS","Offset: 0, Length: 4,096, I/O Flags: Non-cached, Paging I/O"
  194. 20:39:07.3161867","cmd.exe","2152","ReadFile","C:\WINDOWS\SYSTEM32\KERNEL32.DLL","SUCCESS","Offset: 0, Length: 4,096, I/O Flags: Non-cached, Paging I/O"
  195. 20:39:07.3162129","cmd.exe","2152","ReadFile","C:\WINDOWS\SYSTEM32\MSVCRT.DLL","SUCCESS","Offset: 0, Length: 4,096, I/O Flags: Non-cached, Paging I/O"
  196. 20:39:07.3162372","cmd.exe","2152","ReadFile","C:\WINDOWS\SYSTEM32\USER32.DLL","SUCCESS","Offset: 0, Length: 4,096, I/O Flags: Non-cached, Paging I/O"
  197. 20:39:07.3162613","cmd.exe","2152","ReadFile","C:\WINDOWS\SYSTEM32\GDI32.DLL","SUCCESS","Offset: 0, Length: 4,096, I/O Flags: Non-cached, Paging I/O"
  198. 20:39:07.3162886","cmd.exe","2152","ReadFile","C:\WINDOWS\APPPATCH\SYSMAIN.SDB","SUCCESS","Offset: 32,768, Length: 32,768, I/O Flags: Non-cached, Paging I/O"
  199. 20:39:07.3163132","cmd.exe","2152","ReadFile","C:\WINDOWS\SYSTEM32\ADVAPI32.DLL","SUCCESS","Offset: 0, Length: 4,096, I/O Flags: Non-cached, Paging I/O"
  200. 20:39:07.3163375","cmd.exe","2152","ReadFile","C:\WINDOWS\SYSTEM32\RPCRT4.DLL","SUCCESS","Offset: 0, Length: 4,096, I/O Flags: Non-cached, Paging I/O"
  201. 20:39:07.3163624","cmd.exe","2152","ReadFile","C:\WINDOWS\SYSTEM32\SECUR32.DLL","SUCCESS","Offset: 0, Length: 4,096, I/O Flags: Non-cached, Paging I/O"
  202. 20:39:07.3163870","cmd.exe","2152","ReadFile","C:\WINDOWS\SYSTEM32\OLE32.DLL","SUCCESS","Offset: 0, Length: 4,096, I/O Flags: Non-cached, Paging I/O"
  203. 20:39:07.3164116","cmd.exe","2152","ReadFile","C:\WINDOWS\SYSTEM32\OLEAUT32.DLL","SUCCESS","Offset: 0, Length: 4,096, I/O Flags: Non-cached, Paging I/O"
  204. 20:39:07.3164367","cmd.exe","2152","ReadFile","C:\WINDOWS\SYSTEM32\VERSION.DLL","SUCCESS","Offset: 0, Length: 4,096, I/O Flags: Non-cached, Paging I/O"
  205. 20:39:07.3164610","cmd.exe","2152","ReadFile","C:\WINDOWS\SYSTEM32\SHLWAPI.DLL","SUCCESS","Offset: 0, Length: 4,096, I/O Flags: Non-cached, Paging I/O"
  206. 20:39:07.3164859","cmd.exe","2152","ReadFile","C:\WINDOWS\SYSTEM32\UXTHEME.DLL","SUCCESS","Offset: 0, Length: 4,096, I/O Flags: Non-cached, Paging I/O"
  207. 20:39:07.3165099","cmd.exe","2152","ReadFile","C:\WINDOWS\SYSTEM32\LPK.DLL","SUCCESS","Offset: 0, Length: 4,096, I/O Flags: Non-cached, Paging I/O"
  208. 20:39:07.3165691","cmd.exe","2152","ReadFile","C:\WINDOWS\SYSTEM32\USP10.DLL","SUCCESS","Offset: 0, Length: 4,096, I/O Flags: Non-cached, Paging I/O"
  209. 20:39:07.3166060","cmd.exe","2152","ReadFile","C:\DOCUMENTS AND SETTINGS\RIK\MY DOCUMENTS\MOONSOLS\WIN32DD.SYS","SUCCESS","Offset: 0, Length: 53,736, I/O Flags: Non-cached, Paging I/O"
  210. 20:39:07.3166342","cmd.exe","2152","ReadFile","C:\WINDOWS\APPPATCH\DRVMAIN.SDB","SUCCESS","Offset: 0, Length: 4,096, I/O Flags: Non-cached, Paging I/O"
  211. 20:39:07.5322530","cmd.exe","2152","CloseFile","C:\WINDOWS\system32\ntdll.dll","SUCCESS",""
  212. 20:39:07.6087303","cmd.exe","2152","CloseFile","C:\WINDOWS\system32\kernel32.dll","SUCCESS",""
  213. 20:39:07.6089197","cmd.exe","2152","CloseFile","C:\WINDOWS\system32\unicode.nls","SUCCESS",""
  214. 20:39:07.6115167","cmd.exe","2152","CloseFile","C:\WINDOWS\system32\locale.nls","SUCCESS",""
  215. 20:39:07.6117089","cmd.exe","2152","CloseFile","C:\WINDOWS\system32\sorttbls.nls","SUCCESS",""
  216. 20:39:07.6123757","cmd.exe","2152","CloseFile","C:\WINDOWS\system32\msvcrt.dll","SUCCESS",""
  217. 20:39:07.6125489","cmd.exe","2152","CloseFile","C:\WINDOWS\system32\cmd.exe","SUCCESS",""
  218. 20:39:07.6134314","cmd.exe","2152","CloseFile","C:\WINDOWS\system32\user32.dll","SUCCESS",""
  219. 20:39:07.6135988","cmd.exe","2152","CloseFile","C:\WINDOWS\system32\gdi32.dll","SUCCESS",""
  220. 20:39:07.6138069","cmd.exe","2152","CloseFile","C:\WINDOWS\system32\shimeng.dll","SUCCESS",""
  221. 20:39:07.6143891","cmd.exe","2152","CloseFile","C:\WINDOWS\AppPatch\sysmain.sdb","SUCCESS",""
  222. 20:39:07.6145467","cmd.exe","2152","CloseFile","C:\WINDOWS\AppPatch\AcGenral.dll","SUCCESS",""
  223. 20:39:07.6150272","cmd.exe","2152","CloseFile","C:\WINDOWS\system32\advapi32.dll","SUCCESS",""
  224. 20:39:07.6151925","cmd.exe","2152","CloseFile","C:\WINDOWS\system32\rpcrt4.dll","SUCCESS",""
  225. 20:39:07.6157309","cmd.exe","2152","CloseFile","C:\WINDOWS\system32\secur32.dll","SUCCESS",""
  226. 20:39:07.6159007","cmd.exe","2152","CloseFile","C:\WINDOWS\system32\winmm.dll","SUCCESS",""
  227. 20:39:07.6160879","cmd.exe","2152","CloseFile","C:\WINDOWS\system32\ole32.dll","SUCCESS",""
  228. 20:39:07.6162544","cmd.exe","2152","CloseFile","C:\WINDOWS\system32\oleaut32.dll","SUCCESS",""
  229. 20:39:07.6164223","cmd.exe","2152","CloseFile","C:\WINDOWS\system32\msacm32.dll","SUCCESS",""
  230. 20:39:07.6166075","cmd.exe","2152","CloseFile","C:\WINDOWS\system32\version.dll","SUCCESS",""
  231. 20:39:07.6167718","cmd.exe","2152","CloseFile","C:\WINDOWS\system32\shell32.dll","SUCCESS",""
  232. 20:39:07.6169567","cmd.exe","2152","CloseFile","C:\WINDOWS\system32\shlwapi.dll","SUCCESS",""
  233. 20:39:07.6171216","cmd.exe","2152","CloseFile","C:\WINDOWS\system32\userenv.dll","SUCCESS",""
  234. 20:39:07.6173104","cmd.exe","2152","CloseFile","C:\WINDOWS\system32\uxtheme.dll","SUCCESS",""
  235. 20:39:07.6174423","cmd.exe","2152","CloseFile","C:\WINDOWS\system32\ctype.nls","SUCCESS",""
  236. 20:39:07.6176300","cmd.exe","2152","CloseFile","C:\WINDOWS\system32\imm32.dll","SUCCESS",""
  237. 20:39:07.6178404","cmd.exe","2152","CloseFile","C:\WINDOWS\system32\lpk.dll","SUCCESS",""
  238. 20:39:07.6180485","cmd.exe","2152","CloseFile","C:\WINDOWS\system32\usp10.dll","SUCCESS",""
  239. 20:39:07.6181946","cmd.exe","2152","CloseFile","C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll","SUCCESS",""
  240. 20:39:07.6182804","cmd.exe","2152","CloseFile","C:\WINDOWS\WindowsShell.Manifest","SUCCESS",""
  241. 20:39:07.6184681","cmd.exe","2152","CloseFile","C:\WINDOWS\system32\comctl32.dll","SUCCESS",""
  242. 20:39:07.6186388","cmd.exe","2152","CloseFile","C:\Documents and Settings\rik\My Documents\moonsols\win32dd.sys","SUCCESS",""
  243. 20:39:07.6187774","cmd.exe","2152","CloseFile","C:\WINDOWS\AppPatch\drvmain.sdb","SUCCESS",""
  244. 20:39:07.6189936","cmd.exe","2152","CreateFile","C:\WINDOWS\system32\ntdll.dll","SUCCESS","Desired Access: Execute/Traverse, Disposition: Open, Options: Non-Directory File, Attributes: N, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
  245. 20:39:07.6191794","cmd.exe","2152","CreateFileMapping","C:\WINDOWS\system32\ntdll.dll","SUCCESS","SyncType: SyncTypeCreateSection, PageProtection: PAGE_EXECUTE"
  246. 20:39:07.6192358","cmd.exe","2152","CreateFileMapping","C:\WINDOWS\System32\ntdll.dll","SUCCESS","SyncType: SyncTypeOther"
  247. 20:39:07.6194557","cmd.exe","2152","CreateFile","C:\WINDOWS\system32\kernel32.dll","SUCCESS","Desired Access: Execute/Traverse, Disposition: Open, Options: Non-Directory File, Attributes: N, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
  248. 20:39:07.6196331","cmd.exe","2152","CreateFileMapping","C:\WINDOWS\system32\kernel32.dll","SUCCESS","SyncType: SyncTypeCreateSection, PageProtection: PAGE_EXECUTE"
  249. 20:39:07.6196859","cmd.exe","2152","CreateFileMapping","C:\WINDOWS\SYSTEM32\KERNEL32.DLL","SUCCESS","SyncType: SyncTypeOther"
  250. 20:39:07.6199040","cmd.exe","2152","CreateFile","C:\WINDOWS\system32\msvcrt.dll","SUCCESS","Desired Access: Execute/Traverse, Disposition: Open, Options: Non-Directory File, Attributes: N, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
  251. 20:39:07.6200784","cmd.exe","2152","CreateFileMapping","C:\WINDOWS\system32\msvcrt.dll","SUCCESS","SyncType: SyncTypeCreateSection, PageProtection: PAGE_EXECUTE"
  252. 20:39:07.6201275","cmd.exe","2152","CreateFileMapping","C:\WINDOWS\SYSTEM32\MSVCRT.DLL","SUCCESS","SyncType: SyncTypeOther"
  253. 20:39:07.6203485","cmd.exe","2152","CreateFile","C:\WINDOWS\system32\cmd.exe","SUCCESS","Desired Access: Execute/Traverse, Disposition: Open, Options: Non-Directory File, Attributes: N, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
  254. 20:39:07.6205298","cmd.exe","2152","CreateFileMapping","C:\WINDOWS\system32\cmd.exe","SUCCESS","SyncType: SyncTypeCreateSection, PageProtection: PAGE_EXECUTE"
  255. 20:39:07.6205823","cmd.exe","2152","CreateFileMapping","C:\WINDOWS\system32\cmd.exe","SUCCESS","SyncType: SyncTypeOther"
  256. 20:39:07.6207969","cmd.exe","2152","CreateFile","C:\WINDOWS\system32\user32.dll","SUCCESS","Desired Access: Execute/Traverse, Disposition: Open, Options: Non-Directory File, Attributes: N, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
  257. 20:39:07.6209718","cmd.exe","2152","CreateFileMapping","C:\WINDOWS\system32\user32.dll","SUCCESS","SyncType: SyncTypeCreateSection, PageProtection: PAGE_EXECUTE"
  258. 20:39:07.6210207","cmd.exe","2152","CreateFileMapping","C:\WINDOWS\SYSTEM32\USER32.DLL","SUCCESS","SyncType: SyncTypeOther"
  259. 20:39:07.6212352","cmd.exe","2152","CreateFile","C:\WINDOWS\system32\gdi32.dll","SUCCESS","Desired Access: Execute/Traverse, Disposition: Open, Options: Non-Directory File, Attributes: N, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
  260. 20:39:07.6214093","cmd.exe","2152","CreateFileMapping","C:\WINDOWS\system32\gdi32.dll","SUCCESS","SyncType: SyncTypeCreateSection, PageProtection: PAGE_EXECUTE"
  261. 20:39:07.6214579","cmd.exe","2152","CreateFileMapping","C:\WINDOWS\SYSTEM32\GDI32.DLL","SUCCESS","SyncType: SyncTypeOther"
  262. 20:39:07.6217146","cmd.exe","2152","CreateFile","C:\WINDOWS\system32\shimeng.dll","SUCCESS","Desired Access: Execute/Traverse, Disposition: Open, Options: Non-Directory File, Attributes: N, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
  263. 20:39:07.6252480","cmd.exe","2152","CreateFileMapping","C:\WINDOWS\system32\shimeng.dll","SUCCESS","SyncType: SyncTypeCreateSection, PageProtection: PAGE_EXECUTE"
  264. 20:39:07.6252980","cmd.exe","2152","CreateFileMapping","C:\WINDOWS\SYSTEM32\SHIMENG.DLL","SUCCESS","SyncType: SyncTypeOther"
  265. 20:39:07.6254894","cmd.exe","2152","CreateFile","C:\WINDOWS\AppPatch\AcGenral.dll","SUCCESS","Desired Access: Execute/Traverse, Disposition: Open, Options: Non-Directory File, Attributes: N, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
  266. 20:39:07.6256347","cmd.exe","2152","CreateFileMapping","C:\WINDOWS\AppPatch\AcGenral.dll","SUCCESS","SyncType: SyncTypeCreateSection, PageProtection: PAGE_EXECUTE"
  267. 20:39:07.6256897","cmd.exe","2152","CreateFileMapping","C:\WINDOWS\APPPATCH\ACGENRAL.DLL","SUCCESS","SyncType: SyncTypeOther"
  268. 20:39:07.6259087","cmd.exe","2152","CreateFile","C:\WINDOWS\system32\advapi32.dll","SUCCESS","Desired Access: Execute/Traverse, Disposition: Open, Options: Non-Directory File, Attributes: N, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
  269. 20:39:07.6260847","cmd.exe","2152","CreateFileMapping","C:\WINDOWS\system32\advapi32.dll","SUCCESS","SyncType: SyncTypeCreateSection, PageProtection: PAGE_EXECUTE"
  270. 20:39:07.6261353","cmd.exe","2152","CreateFileMapping","C:\WINDOWS\SYSTEM32\ADVAPI32.DLL","SUCCESS","SyncType: SyncTypeOther"
  271. 20:39:07.6263551","cmd.exe","2152","CreateFile","C:\WINDOWS\system32\rpcrt4.dll","SUCCESS","Desired Access: Execute/Traverse, Disposition: Open, Options: Non-Directory File, Attributes: N, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
  272. 20:39:07.6265303","cmd.exe","2152","CreateFileMapping","C:\WINDOWS\system32\rpcrt4.dll","SUCCESS","SyncType: SyncTypeCreateSection, PageProtection: PAGE_EXECUTE"
  273. 20:39:07.6265809","cmd.exe","2152","CreateFileMapping","C:\WINDOWS\SYSTEM32\RPCRT4.DLL","SUCCESS","SyncType: SyncTypeOther"
  274. 20:39:07.6267968","cmd.exe","2152","CreateFile","C:\WINDOWS\system32\secur32.dll","SUCCESS","Desired Access: Execute/Traverse, Disposition: Open, Options: Non-Directory File, Attributes: N, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
  275. 20:39:07.6269731","cmd.exe","2152","CreateFileMapping","C:\WINDOWS\system32\secur32.dll","SUCCESS","SyncType: SyncTypeCreateSection, PageProtection: PAGE_EXECUTE"
  276. 20:39:07.6270220","cmd.exe","2152","CreateFileMapping","C:\WINDOWS\SYSTEM32\SECUR32.DLL","SUCCESS","SyncType: SyncTypeOther"
  277. 20:39:07.6272402","cmd.exe","2152","CreateFile","C:\WINDOWS\system32\winmm.dll","SUCCESS","Desired Access: Execute/Traverse, Disposition: Open, Options: Non-Directory File, Attributes: N, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
  278. 20:39:07.6274201","cmd.exe","2152","CreateFileMapping","C:\WINDOWS\system32\winmm.dll","SUCCESS","SyncType: SyncTypeCreateSection, PageProtection: PAGE_EXECUTE"
  279. 20:39:07.6274692","cmd.exe","2152","CreateFileMapping","C:\WINDOWS\SYSTEM32\WINMM.DLL","SUCCESS","SyncType: SyncTypeOther"
  280. 20:39:07.6276852","cmd.exe","2152","CreateFile","C:\WINDOWS\system32\ole32.dll","SUCCESS","Desired Access: Execute/Traverse, Disposition: Open, Options: Non-Directory File, Attributes: N, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
  281. 20:39:07.6282397","cmd.exe","2152","CreateFileMapping","C:\WINDOWS\system32\ole32.dll","SUCCESS","SyncType: SyncTypeCreateSection, PageProtection: PAGE_EXECUTE"
  282. 20:39:07.6282951","cmd.exe","2152","CreateFileMapping","C:\WINDOWS\SYSTEM32\OLE32.DLL","SUCCESS","SyncType: SyncTypeOther"
  283. 20:39:07.6285174","cmd.exe","2152","CreateFile","C:\WINDOWS\system32\oleaut32.dll","SUCCESS","Desired Access: Execute/Traverse, Disposition: Open, Options: Non-Directory File, Attributes: N, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
  284. 20:39:07.6286954","cmd.exe","2152","CreateFileMapping","C:\WINDOWS\system32\oleaut32.dll","SUCCESS","SyncType: SyncTypeCreateSection, PageProtection: PAGE_EXECUTE"
  285. 20:39:07.6287459","cmd.exe","2152","CreateFileMapping","C:\WINDOWS\SYSTEM32\OLEAUT32.DLL","SUCCESS","SyncType: SyncTypeOther"
  286. 20:39:07.6289669","cmd.exe","2152","CreateFile","C:\WINDOWS\system32\msacm32.dll","SUCCESS","Desired Access: Execute/Traverse, Disposition: Open, Options: Non-Directory File, Attributes: N, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
  287. 20:39:07.6291488","cmd.exe","2152","CreateFileMapping","C:\WINDOWS\system32\msacm32.dll","SUCCESS","SyncType: SyncTypeCreateSection, PageProtection: PAGE_EXECUTE"
  288. 20:39:07.6291985","cmd.exe","2152","CreateFileMapping","C:\WINDOWS\SYSTEM32\MSACM32.DLL","SUCCESS","SyncType: SyncTypeOther"
  289. 20:39:07.6294153","cmd.exe","2152","CreateFile","C:\WINDOWS\system32\version.dll","SUCCESS","Desired Access: Execute/Traverse, Disposition: Open, Options: Non-Directory File, Attributes: N, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
  290. 20:39:07.6295902","cmd.exe","2152","CreateFileMapping","C:\WINDOWS\system32\version.dll","SUCCESS","SyncType: SyncTypeCreateSection, PageProtection: PAGE_EXECUTE"
  291. 20:39:07.6296385","cmd.exe","2152","CreateFileMapping","C:\WINDOWS\SYSTEM32\VERSION.DLL","SUCCESS","SyncType: SyncTypeOther"
  292. 20:39:07.6298556","cmd.exe","2152","CreateFile","C:\WINDOWS\system32\shell32.dll","SUCCESS","Desired Access: Execute/Traverse, Disposition: Open, Options: Non-Directory File, Attributes: N, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
  293. 20:39:07.6300310","cmd.exe","2152","CreateFileMapping","C:\WINDOWS\system32\shell32.dll","SUCCESS","SyncType: SyncTypeCreateSection, PageProtection: PAGE_EXECUTE"
  294. 20:39:07.6301215","cmd.exe","2152","CreateFileMapping","C:\WINDOWS\SYSTEM32\SHELL32.DLL","SUCCESS","SyncType: SyncTypeOther"
  295. 20:39:07.6303727","cmd.exe","2152","CreateFile","C:\WINDOWS\system32\shlwapi.dll","SUCCESS","Desired Access: Execute/Traverse, Disposition: Open, Options: Non-Directory File, Attributes: N, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
  296. 20:39:07.6305518","cmd.exe","2152","CreateFileMapping","C:\WINDOWS\system32\shlwapi.dll","SUCCESS","SyncType: SyncTypeCreateSection, PageProtection: PAGE_EXECUTE"
  297. 20:39:07.6306015","cmd.exe","2152","CreateFileMapping","C:\WINDOWS\SYSTEM32\SHLWAPI.DLL","SUCCESS","SyncType: SyncTypeOther"
  298. 20:39:07.6308197","cmd.exe","2152","CreateFile","C:\WINDOWS\system32\userenv.dll","SUCCESS","Desired Access: Execute/Traverse, Disposition: Open, Options: Non-Directory File, Attributes: N, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
  299. 20:39:07.6312499","cmd.exe","2152","CreateFileMapping","C:\WINDOWS\system32\userenv.dll","SUCCESS","SyncType: SyncTypeCreateSection, PageProtection: PAGE_EXECUTE"
  300. 20:39:07.6313033","cmd.exe","2152","CreateFileMapping","C:\WINDOWS\SYSTEM32\USERENV.DLL","SUCCESS","SyncType: SyncTypeOther"
  301. 20:39:07.6315505","cmd.exe","2152","CreateFile","C:\WINDOWS\system32\uxtheme.dll","SUCCESS","Desired Access: Execute/Traverse, Disposition: Open, Options: Non-Directory File, Attributes: N, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
  302. 20:39:07.6317315","cmd.exe","2152","CreateFileMapping","C:\WINDOWS\system32\uxtheme.dll","SUCCESS","SyncType: SyncTypeCreateSection, PageProtection: PAGE_EXECUTE"
  303. 20:39:07.6317807","cmd.exe","2152","CreateFileMapping","C:\WINDOWS\SYSTEM32\UXTHEME.DLL","SUCCESS","SyncType: SyncTypeOther"
  304. 20:39:07.6320006","cmd.exe","2152","CreateFile","C:\WINDOWS\system32\imm32.dll","SUCCESS","Desired Access: Execute/Traverse, Disposition: Open, Options: Non-Directory File, Attributes: N, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
  305. 20:39:07.6411447","cmd.exe","2152","CreateFileMapping","C:\WINDOWS\system32\imm32.dll","SUCCESS","SyncType: SyncTypeCreateSection, PageProtection: PAGE_EXECUTE"
  306. 20:39:07.6411956","cmd.exe","2152","CreateFileMapping","C:\WINDOWS\SYSTEM32\IMM32.DLL","SUCCESS","SyncType: SyncTypeOther"
  307. 20:39:07.6414417","cmd.exe","2152","CreateFile","C:\WINDOWS\system32\lpk.dll","SUCCESS","Desired Access: Execute/Traverse, Disposition: Open, Options: Non-Directory File, Attributes: N, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
  308. 20:39:07.6416431","cmd.exe","2152","CreateFileMapping","C:\WINDOWS\system32\lpk.dll","SUCCESS","SyncType: SyncTypeCreateSection, PageProtection: PAGE_EXECUTE"
  309. 20:39:07.6416920","cmd.exe","2152","CreateFileMapping","C:\WINDOWS\SYSTEM32\LPK.DLL","SUCCESS","SyncType: SyncTypeOther"
  310. 20:39:07.6419538","cmd.exe","2152","CreateFile","C:\WINDOWS\system32\usp10.dll","SUCCESS","Desired Access: Execute/Traverse, Disposition: Open, Options: Non-Directory File, Attributes: N, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
  311. 20:39:07.6421801","cmd.exe","2152","CreateFileMapping","C:\WINDOWS\system32\usp10.dll","SUCCESS","SyncType: SyncTypeCreateSection, PageProtection: PAGE_EXECUTE"
  312. 20:39:07.6422289","cmd.exe","2152","CreateFileMapping","C:\WINDOWS\SYSTEM32\USP10.DLL","SUCCESS","SyncType: SyncTypeOther"
  313. 20:39:07.6424365","cmd.exe","2152","CreateFile","C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll","SUCCESS","Desired Access: Execute/Traverse, Disposition: Open, Options: Non-Directory File, Attributes: N, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
  314. 20:39:07.6425971","cmd.exe","2152","CreateFileMapping","C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll","SUCCESS","SyncType: SyncTypeCreateSection, PageProtection: PAGE_EXECUTE"
  315. 20:39:07.6426550","cmd.exe","2152","CreateFileMapping","C:\WINDOWS\WINSXS\X86_MICROSOFT.WINDOWS.COMMON-CONTROLS_6595B64144CCF1DF_6.0.2600.5512_X-WW_35D4CE83\COMCTL32.DLL","SUCCESS","SyncType: SyncTypeOther"
  316. 20:39:07.6428774","cmd.exe","2152","CreateFile","C:\WINDOWS\system32\comctl32.dll","SUCCESS","Desired Access: Execute/Traverse, Disposition: Open, Options: Non-Directory File, Attributes: N, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
  317. 20:39:07.6430561","cmd.exe","2152","CreateFileMapping","C:\WINDOWS\system32\comctl32.dll","SUCCESS","SyncType: SyncTypeCreateSection, PageProtection: PAGE_EXECUTE"
  318. 20:39:07.6431064","cmd.exe","2152","CreateFileMapping","C:\WINDOWS\SYSTEM32\COMCTL32.DLL","SUCCESS","SyncType: SyncTypeOther"
  319. 20:39:07.6433087","cmd.exe","2152","CreateFile","C:\Documents and Settings\rik\My Documents\moonsols\win32dd.sys","SUCCESS","Desired Access: Execute/Traverse, Disposition: Open, Options: Non-Directory File, Attributes: N, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
  320. 20:39:07.6434637","cmd.exe","2152","CreateFileMapping","C:\Documents and Settings\rik\My Documents\moonsols\win32dd.sys","SUCCESS","SyncType: SyncTypeCreateSection, PageProtection: PAGE_EXECUTE"
  321. 20:39:07.6434780","cmd.exe","2152","QueryStandardInformationFile","C:\DOCUMENTS AND SETTINGS\RIK\MY DOCUMENTS\MOONSOLS\WIN32DD.SYS","SUCCESS","AllocationSize: 65,536, EndOfFile: 53,736, NumberOfLinks: 1, DeletePending: False, Directory: False"
  322. 20:39:07.6434911","cmd.exe","2152","CreateFileMapping","C:\DOCUMENTS AND SETTINGS\RIK\MY DOCUMENTS\MOONSOLS\WIN32DD.SYS","SUCCESS","SyncType: SyncTypeOther"
  323. 20:39:07.6436914","cmd.exe","2152","CreateFileMapping","C:\Documents and Settings\rik\My Documents\moonsols\win32dd.sys","SUCCESS","SyncType: SyncTypeOther"
  324. 20:39:07.6438241","cmd.exe","2152","ReadFile","C:\WINDOWS\SYSTEM32\CMD.EXE","SUCCESS","Offset: 1,024, Length: 98,304, I/O Flags: Non-cached, Paging I/O"
  325. 20:39:07.6438465","cmd.exe","2152","ReadFile","C:\WINDOWS\SYSTEM32\CMD.EXE","SUCCESS","Offset: 130,048, Length: 98,304, I/O Flags: Non-cached, Paging I/O"
  326. 20:39:07.6438644","cmd.exe","2152","ReadFile","C:\WINDOWS\SYSTEM32\CMD.EXE","SUCCESS","Offset: 484,864, Length: 1,536, I/O Flags: Non-cached, Paging I/O"
  327. 20:39:07.6438870","cmd.exe","2152","ReadFile","C:\WINDOWS\SYSTEM32\SHIMENG.DLL","SUCCESS","Offset: 56,832, Length: 1,536, I/O Flags: Non-cached, Paging I/O"
  328. 20:39:07.6439104","cmd.exe","2152","ReadFile","C:\WINDOWS\APPPATCH\ACGENRAL.DLL","SUCCESS","Offset: 205,824, Length: 23,552, I/O Flags: Non-cached, Paging I/O"
  329. 20:39:07.6439342","cmd.exe","2152","ReadFile","C:\WINDOWS\SYSTEM32\MSACM32.DLL","SUCCESS","Offset: 1,024, Length: 4,096, I/O Flags: Non-cached, Paging I/O"
  330. 20:39:07.6439521","cmd.exe","2152","ReadFile","C:\WINDOWS\SYSTEM32\MSACM32.DLL","SUCCESS","Offset: 63,488, Length: 512, I/O Flags: Non-cached, Paging I/O"
  331. 20:39:07.6439739","cmd.exe","2152","ReadFile","C:\WINDOWS\SYSTEM32\UXTHEME.DLL","SUCCESS","Offset: 1,024, Length: 4,096, I/O Flags: Non-cached, Paging I/O"
  332. 20:39:07.6439920","cmd.exe","2152","ReadFile","C:\WINDOWS\SYSTEM32\UXTHEME.DLL","SUCCESS","Offset: 194,048, Length: 4,096, I/O Flags: Non-cached, Paging I/O"
  333. 20:39:07.6440166","cmd.exe","2152","ReadFile","C:\DOCUMENTS AND SETTINGS\RIK\MY DOCUMENTS\MOONSOLS\WIN32DD.SYS","SUCCESS","Offset: 4,096, Length: 41,472, I/O Flags: Non-cached, Paging I/O"
  334. 20:39:07.8100863","cmd.exe","2152","CloseFile","C:\WINDOWS\system32\ntdll.dll","SUCCESS",""
  335. 20:39:07.8413545","cmd.exe","2152","CloseFile","C:\WINDOWS\system32\kernel32.dll","SUCCESS",""
  336. 20:39:07.8415456","cmd.exe","2152","CloseFile","C:\WINDOWS\system32\msvcrt.dll","SUCCESS",""
  337. 20:39:07.8752910","cmd.exe","2152","CloseFile","C:\WINDOWS\system32\cmd.exe","SUCCESS",""
  338. 20:39:07.8754840","cmd.exe","2152","CloseFile","C:\WINDOWS\system32\user32.dll","SUCCESS",""
  339. 20:39:07.9064011","cmd.exe","2152","CloseFile","C:\WINDOWS\system32\gdi32.dll","SUCCESS",""
  340. 20:39:07.9066377","cmd.exe","2152","CloseFile","C:\WINDOWS\system32\shimeng.dll","SUCCESS",""
  341. 20:39:07.9350002","cmd.exe","2152","CloseFile","C:\WINDOWS\AppPatch\AcGenral.dll","SUCCESS",""
  342. 20:39:07.9351924","cmd.exe","2152","CloseFile","C:\WINDOWS\system32\advapi32.dll","SUCCESS",""
  343. 20:39:07.9700564","cmd.exe","2152","CloseFile","C:\WINDOWS\system32\rpcrt4.dll","SUCCESS",""
  344. 20:39:07.9702514","cmd.exe","2152","CloseFile","C:\WINDOWS\system32\secur32.dll","SUCCESS",""
  345. 20:39:07.9975347","cmd.exe","2152","CloseFile","C:\WINDOWS\system32\winmm.dll","SUCCESS",""
  346. 20:39:07.9977225","cmd.exe","2152","CloseFile","C:\WINDOWS\system32\ole32.dll","SUCCESS",""
  347. 20:39:08.0442976","cmd.exe","2152","CloseFile","C:\WINDOWS\system32\oleaut32.dll","SUCCESS",""
  348. 20:39:08.0445021","cmd.exe","2152","CloseFile","C:\WINDOWS\system32\msacm32.dll","SUCCESS",""
  349. 20:39:08.0753488","cmd.exe","2152","CloseFile","C:\WINDOWS\system32\version.dll","SUCCESS",""
  350. 20:39:08.0755399","cmd.exe","2152","CloseFile","C:\WINDOWS\system32\shell32.dll","SUCCESS",""
  351. 20:39:08.1066408","cmd.exe","2152","CloseFile","C:\WINDOWS\system32\shlwapi.dll","SUCCESS",""
  352. 20:39:08.1068360","cmd.exe","2152","CloseFile","C:\WINDOWS\system32\userenv.dll","SUCCESS",""
  353. 20:39:08.1389049","cmd.exe","2152","CloseFile","C:\WINDOWS\system32\uxtheme.dll","SUCCESS",""
  354. 20:39:08.1391030","cmd.exe","2152","CloseFile","C:\WINDOWS\system32\imm32.dll","SUCCESS",""
  355. 20:39:08.2005401","cmd.exe","2152","CloseFile","C:\WINDOWS\system32\lpk.dll","SUCCESS",""
  356. 20:39:08.2007868","cmd.exe","2152","CloseFile","C:\WINDOWS\system32\usp10.dll","SUCCESS",""
  357. 20:39:08.2335471","cmd.exe","2152","CloseFile","C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll","SUCCESS",""
  358. 20:39:08.2337619","cmd.exe","2152","CloseFile","C:\WINDOWS\system32\comctl32.dll","SUCCESS",""
  359. 20:39:08.2355932","cmd.exe","2152","CloseFile","C:\Documents and Settings\rik\My Documents\moonsols\win32dd.sys","SUCCESS",""
  360. 20:39:08.2356449","cmd.exe","2152","CloseFile","C:","SUCCESS",""
  361. 20:39:08.2361589","cmd.exe","2152","CreateFile","C:\Documents and Settings\rik\繝・せ繧ッ繝医ャ繝・,"SUCCESS","Desired Access: Execute/Traverse, Synchronize, Disposition: Open, Options: Directory, Synchronous IO Non-Alert, Attributes: n/a, ShareMode: Read, Write, AllocationSize: n/a, OpenResult: Opened"
  362. 20:39:08.2365603","cmd.exe","2152","FileSystemControl","C:\Documents and Settings\rik\繝・せ繧ッ繝医ャ繝・,"SUCCESS","Control: FSCTL_IS_VOLUME_MOUNTED"
  363. 20:39:08.2368361","cmd.exe","2152","CreateFile","C:\WINDOWS\system32\cmd.exe.Local","NAME NOT FOUND","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a"
  364. 20:39:08.5225185","cmd.exe","2152","CreateFile","C:\WINDOWS\system32\shimeng.dll","SUCCESS","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
  365. 20:39:08.5299362","cmd.exe","2152","QueryBasicInformationFile","C:\WINDOWS\system32\shimeng.dll","SUCCESS","CreationTime: 2008/08/20 12:00:00, LastAccessTime: 2013/01/26 0:00:00, LastWriteTime: 2008/08/20 12:00:00, ChangeTime: 1601/01/01 9:00:00, FileAttributes: A"
  366. 20:39:08.5301446","cmd.exe","2152","CloseFile","C:\WINDOWS\system32\shimeng.dll","SUCCESS",""
  367. 20:39:08.5304326","cmd.exe","2152","CreateFile","C:\WINDOWS\system32\shimeng.dll","SUCCESS","Desired Access: Execute/Traverse, Synchronize, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, Delete, AllocationSize: n/a, OpenResult: Opened"
  368. 20:39:08.5382009","cmd.exe","2152","CreateFileMapping","C:\WINDOWS\system32\shimeng.dll","SUCCESS","SyncType: SyncTypeCreateSection, PageProtection: PAGE_EXECUTE"
  369. 20:39:08.5382607","cmd.exe","2152","CreateFileMapping","C:\WINDOWS\SYSTEM32\SHIMENG.DLL","SUCCESS","SyncType: SyncTypeOther"
  370. 20:39:08.5386068","cmd.exe","2152","CloseFile","C:\WINDOWS\system32\shimeng.dll","SUCCESS",""
  371. 20:39:08.5603208","cmd.exe","2152","CreateFile","C:\WINDOWS\AppPatch\sysmain.sdb","SUCCESS","Desired Access: Generic Read, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: N, ShareMode: Read, AllocationSize: n/a, OpenResult: Opened"
  372. 20:39:08.5604621","cmd.exe","2152","QueryStandardInformationFile","C:\WINDOWS\AppPatch\sysmain.sdb","SUCCESS","AllocationSize: 1,212,416, EndOfFile: 1,202,774, NumberOfLinks: 1, DeletePending: False, Directory: False"
  373. 20:39:08.5605906","cmd.exe","2152","CreateFileMapping","C:\WINDOWS\AppPatch\sysmain.sdb","SUCCESS","SyncType: SyncTypeCreateSection, PageProtection: PAGE_READONLY"
  374. 20:39:08.5606060","cmd.exe","2152","QueryStandardInformationFile","C:\WINDOWS\AppPatch\sysmain.sdb","SUCCESS","AllocationSize: 1,212,416, EndOfFile: 1,202,774, NumberOfLinks: 1, DeletePending: False, Directory: False"
  375. 20:39:08.5606311","cmd.exe","2152","CreateFileMapping","C:\WINDOWS\AppPatch\sysmain.sdb","SUCCESS","SyncType: SyncTypeOther"
  376. 20:39:08.6627863","cmd.exe","2152","QueryStandardInformationFile","C:\WINDOWS\AppPatch\sysmain.sdb","SUCCESS","AllocationSize: 1,212,416, EndOfFile: 1,202,774, NumberOfLinks: 1, DeletePending: False, Directory: False"
  377. 20:39:08.6630229","cmd.exe","2152","CreateFile","C:\WINDOWS\AppPatch\systest.sdb","NAME NOT FOUND","Desired Access: Generic Read, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: N, ShareMode: Read, AllocationSize: n/a"
  378. 20:39:08.6645027","cmd.exe","2152","CreateFile","C:\WINDOWS\AppPatch\AcGenral.dll","SUCCESS","Desired Access: Generic Read, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: N, ShareMode: Read, AllocationSize: n/a, OpenResult: Opened"
  379. 20:39:08.6686016","cmd.exe","2152","CloseFile","C:\WINDOWS\AppPatch\AcGenral.dll","SUCCESS",""
  380. 20:39:08.6702023","cmd.exe","2152","CreateFile","C:\WINDOWS\AppPatch\AcGenral.dll","SUCCESS","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
  381. 20:39:08.6703350","cmd.exe","2152","QueryBasicInformationFile","C:\WINDOWS\AppPatch\AcGenral.dll","SUCCESS","CreationTime: 2008/08/20 12:00:00, LastAccessTime: 2013/01/26 0:00:00, LastWriteTime: 2008/08/20 12:00:00, ChangeTime: 1601/01/01 9:00:00, FileAttributes: A"
  382. 20:39:08.6704566","cmd.exe","2152","CloseFile","C:\WINDOWS\AppPatch\AcGenral.dll","SUCCESS",""
  383. 20:39:08.6713637","cmd.exe","2152","CreateFile","C:\WINDOWS\AppPatch\AcGenral.dll","SUCCESS","Desired Access: Execute/Traverse, Synchronize, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, Delete, AllocationSize: n/a, OpenResult: Opened"
  384. 20:39:08.6714997","cmd.exe","2152","CreateFileMapping","C:\WINDOWS\AppPatch\AcGenral.dll","SUCCESS","SyncType: SyncTypeCreateSection, PageProtection: PAGE_EXECUTE"
  385. 20:39:08.6715145","cmd.exe","2152","QueryStandardInformationFile","C:\WINDOWS\AppPatch\AcGenral.DLL","SUCCESS","AllocationSize: 1,867,776, EndOfFile: 1,852,928, NumberOfLinks: 1, DeletePending: False, Directory: False"
  386. 20:39:08.6715385","cmd.exe","2152","CreateFileMapping","C:\WINDOWS\AppPatch\AcGenral.DLL","SUCCESS","SyncType: SyncTypeOther"
  387. 20:39:08.6716732","cmd.exe","2152","CloseFile","C:\WINDOWS\AppPatch\AcGenral.dll","SUCCESS",""
  388. 20:39:08.6984721","cmd.exe","2152","CreateFile","C:\WINDOWS\AppPatch\AcGenral.dll","SUCCESS","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
  389. 20:39:08.6986018","cmd.exe","2152","QueryBasicInformationFile","C:\WINDOWS\AppPatch\AcGenral.dll","SUCCESS","CreationTime: 2008/08/20 12:00:00, LastAccessTime: 2013/01/26 0:00:00, LastWriteTime: 2008/08/20 12:00:00, ChangeTime: 1601/01/01 9:00:00, FileAttributes: A"
  390. 20:39:08.6987222","cmd.exe","2152","CloseFile","C:\WINDOWS\AppPatch\AcGenral.dll","SUCCESS",""
  391. 20:39:08.7043620","cmd.exe","2152","CreateFile","C:\WINDOWS\AppPatch\AcGenral.dll","SUCCESS","Desired Access: Execute/Traverse, Synchronize, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, Delete, AllocationSize: n/a, OpenResult: Opened"
  392. 20:39:08.7045022","cmd.exe","2152","CreateFileMapping","C:\WINDOWS\AppPatch\AcGenral.dll","SUCCESS","SyncType: SyncTypeCreateSection, PageProtection: PAGE_EXECUTE"
  393. 20:39:08.7045170","cmd.exe","2152","QueryStandardInformationFile","C:\WINDOWS\AppPatch\AcGenral.DLL","SUCCESS","AllocationSize: 1,867,776, EndOfFile: 1,852,928, NumberOfLinks: 1, DeletePending: False, Directory: False"
  394. 20:39:08.7045416","cmd.exe","2152","CreateFileMapping","C:\WINDOWS\AppPatch\AcGenral.DLL","SUCCESS","SyncType: SyncTypeOther"
  395. 20:39:08.7046765","cmd.exe","2152","CloseFile","C:\WINDOWS\AppPatch\AcGenral.dll","SUCCESS",""
  396. 20:39:08.7051246","cmd.exe","2152","CreateFile","C:\WINDOWS\AppPatch\AcGenral.dll","SUCCESS","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
  397. 20:39:08.7052534","cmd.exe","2152","QueryBasicInformationFile","C:\WINDOWS\AppPatch\AcGenral.dll","SUCCESS","CreationTime: 2008/08/20 12:00:00, LastAccessTime: 2013/01/26 0:00:00, LastWriteTime: 2008/08/20 12:00:00, ChangeTime: 1601/01/01 9:00:00, FileAttributes: A"
  398. 20:39:08.7053747","cmd.exe","2152","CloseFile","C:\WINDOWS\AppPatch\AcGenral.dll","SUCCESS",""
  399. 20:39:08.7055688","cmd.exe","2152","CreateFile","C:\WINDOWS\AppPatch\AcGenral.dll","SUCCESS","Desired Access: Execute/Traverse, Synchronize, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, Delete, AllocationSize: n/a, OpenResult: Opened"
  400. 20:39:08.7057015","cmd.exe","2152","CreateFileMapping","C:\WINDOWS\AppPatch\AcGenral.dll","SUCCESS","SyncType: SyncTypeCreateSection, PageProtection: PAGE_EXECUTE"
  401. 20:39:08.7057594","cmd.exe","2152","CreateFileMapping","C:\WINDOWS\APPPATCH\ACGENRAL.DLL","SUCCESS","SyncType: SyncTypeOther"
  402. 20:39:08.7058965","cmd.exe","2152","CloseFile","C:\WINDOWS\AppPatch\AcGenral.dll","SUCCESS",""
  403. 20:39:08.7099225","cmd.exe","2152","CreateFile","C:\WINDOWS\system32\winmm.dll","SUCCESS","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
  404. 20:39:08.7107857","cmd.exe","2152","QueryBasicInformationFile","C:\WINDOWS\system32\winmm.dll","SUCCESS","CreationTime: 2008/08/20 12:00:00, LastAccessTime: 2013/01/26 0:00:00, LastWriteTime: 2008/08/20 12:00:00, ChangeTime: 1601/01/01 9:00:00, FileAttributes: A"
  405. 20:39:08.7109405","cmd.exe","2152","CloseFile","C:\WINDOWS\system32\winmm.dll","SUCCESS",""
  406. 20:39:08.7111656","cmd.exe","2152","CreateFile","C:\WINDOWS\system32\winmm.dll","SUCCESS","Desired Access: Execute/Traverse, Synchronize, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, Delete, AllocationSize: n/a, OpenResult: Opened"
  407. 20:39:08.7117755","cmd.exe","2152","CreateFileMapping","C:\WINDOWS\system32\winmm.dll","SUCCESS","SyncType: SyncTypeCreateSection, PageProtection: PAGE_EXECUTE"
  408. 20:39:08.7118283","cmd.exe","2152","CreateFileMapping","C:\WINDOWS\SYSTEM32\WINMM.DLL","SUCCESS","SyncType: SyncTypeOther"
  409. 20:39:08.7119976","cmd.exe","2152","CloseFile","C:\WINDOWS\system32\winmm.dll","SUCCESS",""
  410. 20:39:08.7142018","cmd.exe","2152","CreateFile","C:\WINDOWS\system32\msacm32.dll","SUCCESS","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
  411. 20:39:08.7143686","cmd.exe","2152","QueryBasicInformationFile","C:\WINDOWS\system32\msacm32.dll","SUCCESS","CreationTime: 2008/08/20 12:00:00, LastAccessTime: 2013/01/26 0:00:00, LastWriteTime: 2008/08/20 12:00:00, ChangeTime: 1601/01/01 9:00:00, FileAttributes: A"
  412. 20:39:08.7145236","cmd.exe","2152","CloseFile","C:\WINDOWS\system32\msacm32.dll","SUCCESS",""
  413. 20:39:08.7154799","cmd.exe","2152","CreateFile","C:\WINDOWS\system32\msacm32.dll","SUCCESS","Desired Access: Execute/Traverse, Synchronize, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, Delete, AllocationSize: n/a, OpenResult: Opened"
  414. 20:39:08.7157056","cmd.exe","2152","CreateFileMapping","C:\WINDOWS\system32\msacm32.dll","SUCCESS","SyncType: SyncTypeCreateSection, PageProtection: PAGE_EXECUTE"
  415. 20:39:08.7157584","cmd.exe","2152","CreateFileMapping","C:\WINDOWS\SYSTEM32\MSACM32.DLL","SUCCESS","SyncType: SyncTypeOther"
  416. 20:39:08.7167622","cmd.exe","2152","CloseFile","C:\WINDOWS\system32\msacm32.dll","SUCCESS",""
  417. 20:39:08.7184738","cmd.exe","2152","CreateFile","C:\WINDOWS\system32\uxtheme.dll","SUCCESS","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
  418. 20:39:08.7186392","cmd.exe","2152","QueryBasicInformationFile","C:\WINDOWS\system32\uxtheme.dll","SUCCESS","CreationTime: 2008/08/20 12:00:00, LastAccessTime: 2013/01/26 0:00:00, LastWriteTime: 2008/08/20 12:00:00, ChangeTime: 1601/01/01 9:00:00, FileAttributes: A"
  419. 20:39:08.7187943","cmd.exe","2152","CloseFile","C:\WINDOWS\system32\uxtheme.dll","SUCCESS",""
  420. 20:39:08.7200017","cmd.exe","2152","CreateFile","C:\WINDOWS\system32\uxtheme.dll","SUCCESS","Desired Access: Execute/Traverse, Synchronize, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, Delete, AllocationSize: n/a, OpenResult: Opened"
  421. 20:39:08.7201696","cmd.exe","2152","CreateFileMapping","C:\WINDOWS\system32\uxtheme.dll","SUCCESS","SyncType: SyncTypeCreateSection, PageProtection: PAGE_EXECUTE"
  422. 20:39:08.7202227","cmd.exe","2152","CreateFileMapping","C:\WINDOWS\SYSTEM32\UXTHEME.DLL","SUCCESS","SyncType: SyncTypeOther"
  423. 20:39:08.7203928","cmd.exe","2152","CloseFile","C:\WINDOWS\system32\uxtheme.dll","SUCCESS",""
  424. 20:39:08.7279343","cmd.exe","2152","CloseFile","C:\WINDOWS\AppPatch\sysmain.sdb","SUCCESS",""
  425. 20:39:08.7604859","cmd.exe","2152","CreateFile","C:\WINDOWS\system32\imm32.dll","SUCCESS","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
  426. 20:39:08.7727349","cmd.exe","2152","QueryBasicInformationFile","C:\WINDOWS\system32\imm32.dll","SUCCESS","CreationTime: 2008/08/20 12:00:00, LastAccessTime: 2013/01/26 0:00:00, LastWriteTime: 2008/08/20 12:00:00, ChangeTime: 1601/01/01 9:00:00, FileAttributes: A"
  427. 20:39:08.7728930","cmd.exe","2152","CloseFile","C:\WINDOWS\system32\imm32.dll","SUCCESS",""
  428. 20:39:08.7731311","cmd.exe","2152","CreateFile","C:\WINDOWS\system32\imm32.dll","SUCCESS","Desired Access: Execute/Traverse, Synchronize, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, Delete, AllocationSize: n/a, OpenResult: Opened"
  429. 20:39:08.7778937","cmd.exe","2152","CreateFileMapping","C:\WINDOWS\system32\imm32.dll","SUCCESS","SyncType: SyncTypeCreateSection, PageProtection: PAGE_EXECUTE"
  430. 20:39:08.7779093","cmd.exe","2152","QueryStandardInformationFile","C:\WINDOWS\system32\IMM32.DLL","SUCCESS","AllocationSize: 114,688, EndOfFile: 110,080, NumberOfLinks: 1, DeletePending: False, Directory: False"
  431. 20:39:08.7779336","cmd.exe","2152","CreateFileMapping","C:\WINDOWS\system32\IMM32.DLL","SUCCESS","SyncType: SyncTypeOther"
  432. 20:39:08.7781012","cmd.exe","2152","CloseFile","C:\WINDOWS\system32\imm32.dll","SUCCESS",""
  433. 20:39:08.7804331","cmd.exe","2152","CreateFile","C:\WINDOWS\system32\imm32.dll","SUCCESS","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
  434. 20:39:08.7805951","cmd.exe","2152","QueryBasicInformationFile","C:\WINDOWS\system32\imm32.dll","SUCCESS","CreationTime: 2008/08/20 12:00:00, LastAccessTime: 2013/01/26 0:00:00, LastWriteTime: 2008/08/20 12:00:00, ChangeTime: 1601/01/01 9:00:00, FileAttributes: A"
  435. 20:39:08.7807488","cmd.exe","2152","CloseFile","C:\WINDOWS\system32\imm32.dll","SUCCESS",""
  436. 20:39:08.8985121","cmd.exe","2152","CreateFile","C:\WINDOWS\system32\imm32.dll","SUCCESS","Desired Access: Execute/Traverse, Synchronize, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, Delete, AllocationSize: n/a, OpenResult: Opened"
  437. 20:39:08.8987277","cmd.exe","2152","CreateFileMapping","C:\WINDOWS\system32\imm32.dll","SUCCESS","SyncType: SyncTypeCreateSection, PageProtection: PAGE_EXECUTE"
  438. 20:39:08.8987451","cmd.exe","2152","QueryStandardInformationFile","C:\WINDOWS\system32\IMM32.DLL","SUCCESS","AllocationSize: 114,688, EndOfFile: 110,080, NumberOfLinks: 1, DeletePending: False, Directory: False"
  439. 20:39:08.8987747","cmd.exe","2152","CreateFileMapping","C:\WINDOWS\system32\IMM32.DLL","SUCCESS","SyncType: SyncTypeOther"
  440. 20:39:08.8989890","cmd.exe","2152","CloseFile","C:\WINDOWS\system32\imm32.dll","SUCCESS",""
  441. 20:39:08.9024701","cmd.exe","2152","CreateFile","C:\WINDOWS\system32\imm32.dll","SUCCESS","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
  442. 20:39:08.9026780","cmd.exe","2152","QueryBasicInformationFile","C:\WINDOWS\system32\imm32.dll","SUCCESS","CreationTime: 2008/08/20 12:00:00, LastAccessTime: 2013/01/26 0:00:00, LastWriteTime: 2008/08/20 12:00:00, ChangeTime: 1601/01/01 9:00:00, FileAttributes: A"
  443. 20:39:08.9028758","cmd.exe","2152","CloseFile","C:\WINDOWS\system32\imm32.dll","SUCCESS",""
  444. 20:39:08.9041843","cmd.exe","2152","CreateFile","C:\WINDOWS\system32\imm32.dll","SUCCESS","Desired Access: Execute/Traverse, Synchronize, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, Delete, AllocationSize: n/a, OpenResult: Opened"
  445. 20:39:08.9043997","cmd.exe","2152","CreateFileMapping","C:\WINDOWS\system32\imm32.dll","SUCCESS","SyncType: SyncTypeCreateSection, PageProtection: PAGE_EXECUTE"
  446. 20:39:08.9044665","cmd.exe","2152","CreateFileMapping","C:\WINDOWS\SYSTEM32\IMM32.DLL","SUCCESS","SyncType: SyncTypeOther"
  447. 20:39:08.9046844","cmd.exe","2152","CloseFile","C:\WINDOWS\system32\imm32.dll","SUCCESS",""
  448. 20:39:08.9061108","cmd.exe","2152","CreateFile","C:\WINDOWS\system32\imm32.dll","SUCCESS","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
  449. 20:39:08.9064466","cmd.exe","2152","QueryBasicInformationFile","C:\WINDOWS\system32\imm32.dll","SUCCESS","CreationTime: 2008/08/20 12:00:00, LastAccessTime: 2013/01/26 0:00:00, LastWriteTime: 2008/08/20 12:00:00, ChangeTime: 1601/01/01 9:00:00, FileAttributes: A"
  450. 20:39:08.9066455","cmd.exe","2152","CloseFile","C:\WINDOWS\system32\imm32.dll","SUCCESS",""
  451. 20:39:08.9082139","cmd.exe","2152","CreateFile","C:\WINDOWS\system32\imm32.dll","SUCCESS","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
  452. 20:39:08.9084214","cmd.exe","2152","QueryBasicInformationFile","C:\WINDOWS\system32\imm32.dll","SUCCESS","CreationTime: 2008/08/20 12:00:00, LastAccessTime: 2013/01/26 0:00:00, LastWriteTime: 2008/08/20 12:00:00, ChangeTime: 1601/01/01 9:00:00, FileAttributes: A"
  453. 20:39:08.9086184","cmd.exe","2152","CloseFile","C:\WINDOWS\system32\imm32.dll","SUCCESS",""
  454. 20:39:08.9105516","cmd.exe","2152","CreateFile","C:\WINDOWS\system32\lpk.dll","SUCCESS","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
  455. 20:39:08.9118328","cmd.exe","2152","QueryBasicInformationFile","C:\WINDOWS\system32\lpk.dll","SUCCESS","CreationTime: 2008/08/20 12:00:00, LastAccessTime: 2013/01/26 0:00:00, LastWriteTime: 2008/08/20 12:00:00, ChangeTime: 1601/01/01 9:00:00, FileAttributes: A"
  456. 20:39:08.9120591","cmd.exe","2152","CloseFile","C:\WINDOWS\system32\lpk.dll","SUCCESS",""
  457. 20:39:08.9123770","cmd.exe","2152","CreateFile","C:\WINDOWS\system32\lpk.dll","SUCCESS","Desired Access: Execute/Traverse, Synchronize, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, Delete, AllocationSize: n/a, OpenResult: Opened"
  458. 20:39:08.9134305","cmd.exe","2152","CreateFileMapping","C:\WINDOWS\system32\lpk.dll","SUCCESS","SyncType: SyncTypeCreateSection, PageProtection: PAGE_EXECUTE"
  459. 20:39:08.9138123","cmd.exe","2152","CreateFileMapping","C:\WINDOWS\SYSTEM32\LPK.DLL","SUCCESS","SyncType: SyncTypeOther"
  460. 20:39:08.9140632","cmd.exe","2152","CloseFile","C:\WINDOWS\system32\lpk.dll","SUCCESS",""
  461. 20:39:08.9159336","cmd.exe","2152","CreateFile","C:\WINDOWS\system32\usp10.dll","SUCCESS","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
  462. 20:39:08.9161987","cmd.exe","2152","QueryBasicInformationFile","C:\WINDOWS\system32\usp10.dll","SUCCESS","CreationTime: 2008/08/20 12:00:00, LastAccessTime: 2013/01/26 0:00:00, LastWriteTime: 2008/08/20 12:00:00, ChangeTime: 1601/01/01 9:00:00, FileAttributes: A"
  463. 20:39:08.9164509","cmd.exe","2152","CloseFile","C:\WINDOWS\system32\usp10.dll","SUCCESS",""
  464. 20:39:08.9176366","cmd.exe","2152","CreateFile","C:\WINDOWS\system32\usp10.dll","SUCCESS","Desired Access: Execute/Traverse, Synchronize, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, Delete, AllocationSize: n/a, OpenResult: Opened"
  465. 20:39:08.9179059","cmd.exe","2152","CreateFileMapping","C:\WINDOWS\system32\usp10.dll","SUCCESS","SyncType: SyncTypeCreateSection, PageProtection: PAGE_EXECUTE"
  466. 20:39:08.9179713","cmd.exe","2152","CreateFileMapping","C:\WINDOWS\SYSTEM32\USP10.DLL","SUCCESS","SyncType: SyncTypeOther"
  467. 20:39:08.9182417","cmd.exe","2152","CloseFile","C:\WINDOWS\system32\usp10.dll","SUCCESS",""
  468. 20:39:08.9555953","cmd.exe","2152","CreateFile","C:\WINDOWS\system32\shell32.dll","SUCCESS","Desired Access: Generic Read/Execute, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, AllocationSize: n/a, OpenResult: Opened"
  469. 20:39:08.9558124","cmd.exe","2152","CreateFileMapping","C:\WINDOWS\system32\shell32.dll","SUCCESS","SyncType: SyncTypeCreateSection, PageProtection: PAGE_READONLY"
  470. 20:39:08.9558314","cmd.exe","2152","QueryStandardInformationFile","C:\WINDOWS\system32\SHELL32.dll","SUCCESS","AllocationSize: 8,372,224, EndOfFile: 8,367,104, NumberOfLinks: 1, DeletePending: False, Directory: False"
  471. 20:39:08.9558618","cmd.exe","2152","CreateFileMapping","C:\WINDOWS\system32\shell32.dll","SUCCESS","SyncType: SyncTypeOther"
  472. 20:39:08.9560649","cmd.exe","2152","CreateFile","C:\WINDOWS\system32\SHELL32.dll.124.Manifest","NAME NOT FOUND","Desired Access: Generic Read/Execute, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, AllocationSize: n/a"
  473. 20:39:08.9564477","cmd.exe","2152","CreateFile","C:\WINDOWS\system32\SHELL32.dll.124.Config","NAME NOT FOUND","Desired Access: Generic Read/Execute, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, AllocationSize: n/a"
  474. 20:39:08.9901327","cmd.exe","2152","CloseFile","C:\WINDOWS\system32\shell32.dll","SUCCESS",""
  475. 20:39:08.9905830","cmd.exe","2152","CreateFile","C:\WINDOWS\system32\cmd.exe.Local","NAME NOT FOUND","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a"
  476. 20:39:09.0383885","cmd.exe","2152","CreateFile","C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83","SUCCESS","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
  477. 20:39:09.0385254","cmd.exe","2152","QueryBasicInformationFile","C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83","SUCCESS","CreationTime: 2012/10/07 18:19:17, LastAccessTime: 2013/01/26 0:00:00, LastWriteTime: 2012/10/07 18:19:18, ChangeTime: 1601/01/01 9:00:00, FileAttributes: D"
  478. 20:39:09.0386447","cmd.exe","2152","CloseFile","C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83","SUCCESS",""
  479. 20:39:09.0404220","cmd.exe","2152","CreateFile","C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83","SUCCESS","Desired Access: Execute/Traverse, Synchronize, Disposition: Open, Options: Directory, Synchronous IO Non-Alert, Attributes: n/a, ShareMode: Read, Write, AllocationSize: n/a, OpenResult: Opened"
  480. 20:39:09.0406950","cmd.exe","2152","CreateFile","C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll","SUCCESS","Desired Access: Execute/Traverse, Synchronize, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, Delete, AllocationSize: n/a, OpenResult: Opened"
  481. 20:39:09.0445765","cmd.exe","2152","CreateFileMapping","C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll","SUCCESS","SyncType: SyncTypeCreateSection, PageProtection: PAGE_EXECUTE"
  482. 20:39:09.0445935","cmd.exe","2152","QueryStandardInformationFile","C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll","SUCCESS","AllocationSize: 1,064,960, EndOfFile: 1,054,208, NumberOfLinks: 1, DeletePending: False, Directory: False"
  483. 20:39:09.0446212","cmd.exe","2152","CreateFileMapping","C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll","SUCCESS","SyncType: SyncTypeOther"
  484. 20:39:09.0447684","cmd.exe","2152","CloseFile","C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll","SUCCESS",""
  485. 20:39:09.0450612","cmd.exe","2152","CreateFile","C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll","SUCCESS","Desired Access: Execute/Traverse, Synchronize, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, Delete, AllocationSize: n/a, OpenResult: Opened"
  486. 20:39:09.0466382","cmd.exe","2152","CreateFileMapping","C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll","SUCCESS","SyncType: SyncTypeCreateSection, PageProtection: PAGE_EXECUTE"
  487. 20:39:09.0467021","cmd.exe","2152","CreateFileMapping","C:\WINDOWS\WINSXS\X86_MICROSOFT.WINDOWS.COMMON-CONTROLS_6595B64144CCF1DF_6.0.2600.5512_X-WW_35D4CE83\COMCTL32.DLL","SUCCESS","SyncType: SyncTypeOther"
  488. 20:39:09.0468527","cmd.exe","2152","CloseFile","C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll","SUCCESS",""
  489. 20:39:09.0482238","cmd.exe","2152","CreateFile","C:\WINDOWS\WindowsShell.Manifest","SUCCESS","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
  490. 20:39:09.0488611","cmd.exe","2152","QueryBasicInformationFile","C:\WINDOWS\WindowsShell.Manifest","SUCCESS","CreationTime: 2012/10/07 18:40:07, LastAccessTime: 2013/01/26 0:00:00, LastWriteTime: 2012/10/07 18:40:08, ChangeTime: 1601/01/01 9:00:00, FileAttributes: RHA"
  491. 20:39:09.0519028","cmd.exe","2152","CloseFile","C:\WINDOWS\WindowsShell.Manifest","SUCCESS",""
  492. 20:39:09.0520338","cmd.exe","2152","CreateFile","C:\WINDOWS\WindowsShell.Manifest","SUCCESS","Desired Access: Execute/Traverse, Synchronize, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, Delete, AllocationSize: n/a, OpenResult: Opened"
  493. 20:39:09.0521014","cmd.exe","2152","CreateFileMapping","C:\WINDOWS\WindowsShell.Manifest","SUCCESS","SyncType: SyncTypeCreateSection, PageProtection: PAGE_EXECUTE"
  494. 20:39:09.0521160","cmd.exe","2152","QueryStandardInformationFile","C:\WINDOWS\WindowsShell.Manifest","SUCCESS","AllocationSize: 16,384, EndOfFile: 749, NumberOfLinks: 1, DeletePending: False, Directory: False"
  495. 20:39:09.0521408","cmd.exe","2152","CreateFileMapping","C:\WINDOWS\WindowsShell.Manifest","SUCCESS","SyncType: SyncTypeOther"
  496. 20:39:09.0536731","cmd.exe","2152","CloseFile","C:\WINDOWS\WindowsShell.Manifest","SUCCESS",""
  497. 20:39:09.0539545","cmd.exe","2152","CreateFile","C:\WINDOWS\WindowsShell.Manifest","SUCCESS","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
  498. 20:39:09.0546291","cmd.exe","2152","QueryBasicInformationFile","C:\WINDOWS\WindowsShell.Manifest","SUCCESS","CreationTime: 2012/10/07 18:40:07, LastAccessTime: 2013/01/26 0:00:00, LastWriteTime: 2012/10/07 18:40:08, ChangeTime: 1601/01/01 9:00:00, FileAttributes: RHA"
  499. 20:39:09.0546830","cmd.exe","2152","CloseFile","C:\WINDOWS\WindowsShell.Manifest","SUCCESS",""
  500. 20:39:09.0548076","cmd.exe","2152","CreateFile","C:\WINDOWS\WindowsShell.Manifest","SUCCESS","Desired Access: Generic Read, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, Delete, AllocationSize: n/a, OpenResult: Opened"
  501. 20:39:09.0555521","cmd.exe","2152","CreateFileMapping","C:\WINDOWS\WindowsShell.Manifest","SUCCESS","SyncType: SyncTypeCreateSection, PageProtection: PAGE_READONLY"
  502. 20:39:09.0555664","cmd.exe","2152","QueryStandardInformationFile","C:\WINDOWS\WindowsShell.Manifest","SUCCESS","AllocationSize: 16,384, EndOfFile: 749, NumberOfLinks: 1, DeletePending: False, Directory: False"
  503. 20:39:09.0555910","cmd.exe","2152","CreateFileMapping","C:\WINDOWS\WindowsShell.Manifest","SUCCESS","SyncType: SyncTypeOther"
  504. 20:39:09.0556577","cmd.exe","2152","CloseFile","C:\WINDOWS\WindowsShell.Manifest","SUCCESS",""
  505. 20:39:09.0557977","cmd.exe","2152","CreateFile","C:\WINDOWS\WindowsShell.Manifest","SUCCESS","Desired Access: Generic Read/Execute, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, AllocationSize: n/a, OpenResult: Opened"
  506. 20:39:09.0563950","cmd.exe","2152","CreateFileMapping","C:\WINDOWS\WindowsShell.Manifest","SUCCESS","SyncType: SyncTypeCreateSection, PageProtection: PAGE_READONLY"
  507. 20:39:09.0564092","cmd.exe","2152","QueryStandardInformationFile","C:\WINDOWS\WindowsShell.Manifest","SUCCESS","AllocationSize: 16,384, EndOfFile: 749, NumberOfLinks: 1, DeletePending: False, Directory: False"
  508. 20:39:09.0564333","cmd.exe","2152","CreateFileMapping","C:\WINDOWS\WindowsShell.Manifest","SUCCESS","SyncType: SyncTypeOther"
  509. 20:39:09.0565109","cmd.exe","2152","QueryStandardInformationFile","C:\WINDOWS\WindowsShell.Manifest","SUCCESS","AllocationSize: 16,384, EndOfFile: 749, NumberOfLinks: 1, DeletePending: False, Directory: False"
  510. 20:39:09.0566062","cmd.exe","2152","CreateFile","C:\WINDOWS\WindowsShell.Config","NAME NOT FOUND","Desired Access: Generic Read/Execute, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, AllocationSize: n/a"
  511. 20:39:09.0743227","cmd.exe","2152","CloseFile","C:\WINDOWS\WindowsShell.Manifest","SUCCESS",""
  512. 20:39:09.0823279","cmd.exe","2152","CreateFile","C:\WINDOWS\system32\comctl32.dll","SUCCESS","Desired Access: Generic Read/Execute, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, AllocationSize: n/a, OpenResult: Opened"
  513. 20:39:09.0825022","cmd.exe","2152","CreateFileMapping","C:\WINDOWS\system32\comctl32.dll","SUCCESS","SyncType: SyncTypeCreateSection, PageProtection: PAGE_READONLY"
  514. 20:39:09.0825181","cmd.exe","2152","QueryStandardInformationFile","C:\WINDOWS\system32\comctl32.dll","SUCCESS","AllocationSize: 622,592, EndOfFile: 617,472, NumberOfLinks: 1, DeletePending: False, Directory: False"
  515. 20:39:09.0825433","cmd.exe","2152","CreateFileMapping","C:\WINDOWS\SYSTEM32\COMCTL32.DLL","SUCCESS","SyncType: SyncTypeOther"
  516. 20:39:09.0827053","cmd.exe","2152","CreateFile","C:\WINDOWS\system32\comctl32.dll.124.Manifest","NAME NOT FOUND","Desired Access: Generic Read/Execute, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, AllocationSize: n/a"
  517. 20:39:09.0831272","cmd.exe","2152","CreateFile","C:\WINDOWS\system32\comctl32.dll.124.Config","NAME NOT FOUND","Desired Access: Generic Read/Execute, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, AllocationSize: n/a"
  518. 20:39:09.0849673","cmd.exe","2152","CloseFile","C:\WINDOWS\system32\comctl32.dll","SUCCESS",""
  519. 20:39:09.0915738","cmd.exe","2152","CreateFile","C:\","SUCCESS","Desired Access: Read Data/List Directory, Synchronize, Disposition: Open, Options: Directory, Synchronous IO Non-Alert, Attributes: n/a, ShareMode: Read, Write, AllocationSize: n/a, OpenResult: Opened"
  520. 20:39:09.0916051","cmd.exe","2152","QueryNameInformationFile","C:\","SUCCESS","Name: \"
  521. 20:39:09.0916380","cmd.exe","2152","QueryInformationVolume","C:\","SUCCESS","VolumeCreationTime: 1601/01/01 9:00:00, VolumeSerialNumber: 9455-E50D, SupportsObjects: False, VolumeLabel: "
  522. 20:39:09.0916643","cmd.exe","2152","CloseFile","C:\","SUCCESS",""
  523. 20:39:09.0976100","cmd.exe","2152","CreateFile","C:\Documents and Settings\rik\Application Data","SUCCESS","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
  524. 20:39:09.1002771","cmd.exe","2152","CreateFile","C:\Documents and Settings\rik\繝・せ繧ッ繝医ャ繝・,"SUCCESS","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
  525. 20:39:09.1005012","cmd.exe","2152","QueryBasicInformationFile","C:\Documents and Settings\rik\Application Data","SUCCESS","CreationTime: 2012/10/07 18:49:52, LastAccessTime: 2012/10/07 0:00:00, LastWriteTime: 2012/10/07 18:19:58, ChangeTime: 1601/01/01 9:00:00, FileAttributes: RHD"
  526. 20:39:09.1005587","cmd.exe","2152","CloseFile","C:\Documents and Settings\rik\Application Data","SUCCESS",""
  527. 20:39:09.1021827","cmd.exe","2152","QueryBasicInformationFile","C:\Documents and Settings\rik\繝・せ繧ッ繝医ャ繝・,"SUCCESS","CreationTime: 2012/10/07 18:49:52, LastAccessTime: 2013/01/26 0:00:00, LastWriteTime: 2012/10/07 18:19:58, ChangeTime: 1601/01/01 9:00:00, FileAttributes: D"
  528. 20:39:09.1022399","cmd.exe","2152","CloseFile","C:\Documents and Settings\rik\繝・せ繧ッ繝医ャ繝・,"SUCCESS",""
  529. 20:39:09.1022919","cmd.exe","2152","CreateFile","C:\","SUCCESS","Desired Access: Read Data/List Directory, Synchronize, Disposition: Open, Options: Directory, Synchronous IO Non-Alert, Attributes: n/a, ShareMode: Read, Write, AllocationSize: n/a, OpenResult: Opened"
  530. 20:39:09.1023184","cmd.exe","2152","QueryDirectory","C:\Documents and Settings","SUCCESS","Filter: Documents and Settings, 1: Documents and Settings"
  531. 20:39:09.1024408","cmd.exe","2152","CreateFile","C:\Documents and Settings\rik\Application Data\D5809E24","NAME COLLISION","Desired Access: Read Data/List Directory, Synchronize, Disposition: Create, Options: Directory, Synchronous IO Non-Alert, Attributes: N, ShareMode: Read, Write, AllocationSize: 0"
  532. 20:39:09.1025953","cmd.exe","2152","CreateFile","C:\Documents and Settings\rik\Application Data\D5809E24","SUCCESS","Desired Access: Write Attributes, Synchronize, Disposition: Open, Options: Synchronous IO Non-Alert, Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
  533. 20:39:09.1027020","cmd.exe","2152","SetBasicInformationFile","C:\Documents and Settings\rik\Application Data\D5809E24","SUCCESS","CreationTime: 1601/01/01 9:00:00, LastAccessTime: 1601/01/01 9:00:00, LastWriteTime: 1601/01/01 9:00:00, ChangeTime: 1601/01/01 9:00:00, FileAttributes: HN"
  534. 20:39:09.1042927","cmd.exe","2152","CloseFile","C:\","SUCCESS",""
  535. 20:39:09.1043852","cmd.exe","2152","CreateFile","C:\Documents and Settings","SUCCESS","Desired Access: Read Data/List Directory, Synchronize, Disposition: Open, Options: Directory, Synchronous IO Non-Alert, Attributes: n/a, ShareMode: Read, Write, AllocationSize: n/a, OpenResult: Opened"
  536. 20:39:09.1044936","cmd.exe","2152","CloseFile","C:\Documents and Settings\rik\Application Data\D5809E24","SUCCESS",""
  537. 20:39:09.1073945","cmd.exe","2152","QueryDirectory","C:\Documents and Settings\rik","SUCCESS","Filter: rik, 1: rik"
  538. 20:39:09.1074392","cmd.exe","2152","CloseFile","C:\Documents and Settings","SUCCESS",""
  539. 20:39:09.1075702","cmd.exe","2152","CreateFile","C:\Documents and Settings\rik","SUCCESS","Desired Access: Read Data/List Directory, Synchronize, Disposition: Open, Options: Directory, Synchronous IO Non-Alert, Attributes: n/a, ShareMode: Read, Write, AllocationSize: n/a, OpenResult: Opened"
  540. 20:39:09.1109561","cmd.exe","2152","QueryDirectory","C:\Documents and Settings\rik\繝・せ繧ッ繝医ャ繝・,"SUCCESS","Filter: 繝・せ繧ッ繝医ャ繝・ 1: 繝・せ繧ッ繝医ャ繝・
  541. 20:39:09.1110438","cmd.exe","2152","CloseFile","C:\Documents and Settings\rik","SUCCESS",""
  542. 20:39:09.1125169","cmd.exe","2152","CreateFile","C:\Documents and Settings\rik\繝・せ繧ッ繝医ャ繝・,"SUCCESS","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
  543. 20:39:09.1125837","cmd.exe","2152","QueryBasicInformationFile","C:\Documents and Settings\rik\繝・せ繧ッ繝医ャ繝・,"SUCCESS","CreationTime: 2012/10/07 18:49:52, LastAccessTime: 2013/01/26 0:00:00, LastWriteTime: 2012/10/07 18:19:58, ChangeTime: 1601/01/01 9:00:00, FileAttributes: D"
  544. 20:39:09.1126410","cmd.exe","2152","CloseFile","C:\Documents and Settings\rik\繝・せ繧ッ繝医ャ繝・,"SUCCESS",""
  545. 20:39:09.1197586","cmd.exe","2152","CreateFile","C:\","SUCCESS","Desired Access: Read Data/List Directory, Synchronize, Disposition: Open, Options: Directory, Synchronous IO Non-Alert, Attributes: n/a, ShareMode: Read, Write, AllocationSize: n/a, OpenResult: Opened"
  546. 20:39:09.1197908","cmd.exe","2152","QueryNameInformationFile","C:\","SUCCESS","Name: \"
  547. 20:39:09.1198198","cmd.exe","2152","QueryInformationVolume","C:\","SUCCESS","VolumeCreationTime: 1601/01/01 9:00:00, VolumeSerialNumber: 9455-E50D, SupportsObjects: False, VolumeLabel: "
  548. 20:39:09.1198472","cmd.exe","2152","CloseFile","C:\","SUCCESS",""
  549. 20:39:09.1201229","cmd.exe","2152","CreateFile","C:\Documents and Settings\rik\Local Settings\Temp","SUCCESS","Desired Access: Read Data/List Directory, Synchronize, Disposition: Open, Options: Directory, Synchronous IO Non-Alert, Attributes: n/a, ShareMode: Read, Write, AllocationSize: n/a, OpenResult: Opened"
  550. 20:39:09.1202296","cmd.exe","2152","QueryDirectory","C:\Documents and Settings\rik\Local Settings\Temp\exp2.tmp.bat","SUCCESS","Filter: exp2.tmp.bat, 1: exp2.tmp.bat"
  551. 20:39:09.1203713","cmd.exe","2152","CloseFile","C:\Documents and Settings\rik\Local Settings\Temp","SUCCESS",""
  552. 20:39:09.1204182","cmd.exe","2152","ReadFile","C:\WINDOWS\system32\cmd.exe","SUCCESS","Offset: 25,600, Length: 8,192, I/O Flags: Non-cached, Paging I/O, Synchronous Paging I/O"
  553. 20:39:09.1577369","cmd.exe","2152","ReadFile","C:\WINDOWS\system32\cmd.exe","SUCCESS","Offset: 41,984, Length: 28,672, I/O Flags: Non-cached, Paging I/O, Synchronous Paging I/O"
  554. 20:39:09.1809804","cmd.exe","2152","CreateFile","C:\Documents and Settings\rik\Local Settings\Temp\exp2.tmp.bat","SUCCESS","Desired Access: Generic Read, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: N, ShareMode: Read, AllocationSize: n/a, OpenResult: Opened"
  555. 20:39:09.1813285","cmd.exe","2152","QueryNameInformationFile","C:\Documents and Settings\rik\Local Settings\Temp\exp2.tmp.bat","SUCCESS","Name: \Documents and Settings\RIK\Local Settings\Temp\exp2.tmp.bat"
  556. 20:39:09.1816095","cmd.exe","2152","CreateFile","C:\Documents and Settings\rik\Local Settings\Temp\exp2.tmp.bat","SUCCESS","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
  557. 20:39:09.1817112","cmd.exe","2152","QueryBasicInformationFile","C:\Documents and Settings\rik\Local Settings\Temp\exp2.tmp.bat","SUCCESS","CreationTime: 2013/01/26 20:39:06, LastAccessTime: 2013/01/26 0:00:00, LastWriteTime: 2013/01/26 20:39:08, ChangeTime: 1601/01/01 9:00:00, FileAttributes: HA"
  558. 20:39:09.1818109","cmd.exe","2152","CloseFile","C:\Documents and Settings\rik\Local Settings\Temp\exp2.tmp.bat","SUCCESS",""
  559. 20:39:09.1819065","cmd.exe","2152","CreateFile","C:\Documents and Settings","SUCCESS","Desired Access: Read Data/List Directory, Synchronize, Disposition: Open, Options: Directory, Synchronous IO Non-Alert, Attributes: n/a, ShareMode: Read, Write, AllocationSize: n/a, OpenResult: Opened"
  560. 20:39:09.1819366","cmd.exe","2152","QueryDirectory","C:\Documents and Settings\RIK","SUCCESS","Filter: RIK, 1: rik"
  561. 20:39:09.1819786","cmd.exe","2152","CloseFile","C:\Documents and Settings","SUCCESS",""
  562. 20:39:09.1821090","cmd.exe","2152","CreateFile","C:\Documents and Settings\rik\Local Settings","SUCCESS","Desired Access: Read Data/List Directory, Synchronize, Disposition: Open, Options: Directory, Synchronous IO Non-Alert, Attributes: n/a, ShareMode: Read, Write, AllocationSize: n/a, OpenResult: Opened"
  563. 20:39:09.1821783","cmd.exe","2152","QueryDirectory","C:\Documents and Settings\rik\Local Settings\Temp","SUCCESS","Filter: Temp, 1: Temp"
  564. 20:39:09.1822554","cmd.exe","2152","CloseFile","C:\Documents and Settings\rik\Local Settings","SUCCESS",""
  565. 20:39:09.1823783","cmd.exe","2152","QueryStandardInformationFile","C:\Documents and Settings\rik\Local Settings\Temp\exp2.tmp.bat","SUCCESS","AllocationSize: 16,384, EndOfFile: 217, NumberOfLinks: 1, DeletePending: False, Directory: False"
  566. 20:39:09.1824744","cmd.exe","2152","CreateFileMapping","C:\Documents and Settings\rik\Local Settings\Temp\exp2.tmp.bat","SUCCESS","SyncType: SyncTypeCreateSection, PageProtection: PAGE_READONLY"
  567. 20:39:09.1824895","cmd.exe","2152","QueryStandardInformationFile","C:\DOCUME~1\rik\LOCALS~1\Temp\exp2.tmp.bat","SUCCESS","AllocationSize: 16,384, EndOfFile: 217, NumberOfLinks: 1, DeletePending: False, Directory: False"
  568. 20:39:09.1825144","cmd.exe","2152","CreateFileMapping","C:\DOCUME~1\rik\LOCALS~1\Temp\exp2.tmp.bat","SUCCESS","SyncType: SyncTypeOther"
  569. 20:39:09.1827856","cmd.exe","2152","CloseFile","C:\Documents and Settings\rik\Local Settings\Temp\exp2.tmp.bat","SUCCESS",""
  570. 20:39:09.2124956","cmd.exe","2152","CreateFile","C:\Documents and Settings\rik\Local Settings\Temp\exp2.tmp.bat","SUCCESS","Desired Access: Generic Read, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: N, ShareMode: Read, Write, AllocationSize: n/a, OpenResult: Opened"
  571. 20:39:09.2125478","cmd.exe","2152","ReadFile","C:\WINDOWS\system32\cmd.exe","SUCCESS","Offset: 154,624, Length: 16,384, I/O Flags: Non-cached, Paging I/O, Synchronous Paging I/O"
  572. 20:39:09.2741045","cmd.exe","2152","ReadFile","C:\Documents and Settings\rik\Local Settings\Temp\exp2.tmp.bat","SUCCESS","Offset: 0, Length: 217"
  573. 20:39:09.2744286","cmd.exe","2152","CloseFile","C:\Documents and Settings\rik\Local Settings\Temp\exp2.tmp.bat","SUCCESS",""
  574. 20:39:09.2752290","cmd.exe","2152","CreateFile","C:\Documents and Settings\rik\Local Settings\Temp\exp2.tmp.bat","SUCCESS","Desired Access: Generic Read, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: N, ShareMode: Read, Write, AllocationSize: n/a, OpenResult: Opened"
  575. 20:39:09.2753505","cmd.exe","2152","ReadFile","C:\Documents and Settings\rik\Local Settings\Temp\exp2.tmp.bat","SUCCESS","Offset: 11, Length: 206"
  576. 20:39:09.2754670","cmd.exe","2152","CloseFile","C:\Documents and Settings\rik\Local Settings\Temp\exp2.tmp.bat","SUCCESS",""
  577. 20:39:09.2761556","cmd.exe","2152","CreateFile","C:\Documents and Settings\rik\Local Settings\Temp\exp2.tmp.bat","SUCCESS","Desired Access: Generic Read, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: N, ShareMode: Read, Write, AllocationSize: n/a, OpenResult: Opened"
  578. 20:39:09.2762713","cmd.exe","2152","ReadFile","C:\Documents and Settings\rik\Local Settings\Temp\exp2.tmp.bat","SUCCESS","Offset: 15, Length: 202"
  579. 20:39:09.2764079","cmd.exe","2152","CloseFile","C:\Documents and Settings\rik\Local Settings\Temp\exp2.tmp.bat","SUCCESS",""
  580. 20:39:09.2764883","cmd.exe","2152","ReadFile","C:\WINDOWS\system32\cmd.exe","SUCCESS","Offset: 78,848, Length: 16,384, I/O Flags: Non-cached, Paging I/O, Synchronous Paging I/O"
  581. 20:39:09.3026344","cmd.exe","2152","CreateFile","C:\","SUCCESS","Desired Access: Read Data/List Directory, Synchronize, Disposition: Open, Options: Directory, Synchronous IO Non-Alert, Attributes: n/a, ShareMode: Read, Write, AllocationSize: n/a, OpenResult: Opened"
  582. 20:39:09.3026626","cmd.exe","2152","QueryNameInformationFile","C:\","SUCCESS","Name: \"
  583. 20:39:09.3036638","cmd.exe","2152","QueryAttributeInformationVolume","C:\","SUCCESS","FileSystemAttributes: Case Preserved, Unicode, MaximumComponentNameLength: 255, FileSystemName: FAT32"
  584. 20:39:09.3036918","cmd.exe","2152","CloseFile","C:\","SUCCESS",""
  585. 20:39:09.3047509","cmd.exe","2152","CreateFile","C:\Documents and Settings\rik\繝・せ繧ッ繝医ャ繝予about1.exe","SUCCESS","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
  586. 20:39:09.3048584","cmd.exe","2152","QueryBasicInformationFile","C:\Documents and Settings\rik\繝・せ繧ッ繝医ャ繝予about1.exe","SUCCESS","CreationTime: 2013/01/26 20:31:08, LastAccessTime: 2013/01/26 0:00:00, LastWriteTime: 2013/01/26 18:42:16, ChangeTime: 1601/01/01 9:00:00, FileAttributes: A"
  587. 20:39:09.3049545","cmd.exe","2152","CloseFile","C:\Documents and Settings\rik\繝・せ繧ッ繝医ャ繝予about1.exe","SUCCESS",""
  588. 20:39:09.3051830","cmd.exe","2152","CreateFile","C:\Documents and Settings\rik\繝・せ繧ッ繝医ャ繝・,"SUCCESS","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
  589. 20:39:09.3052492","cmd.exe","2152","QueryBasicInformationFile","C:\Documents and Settings\rik\繝・せ繧ッ繝医ャ繝・,"SUCCESS","CreationTime: 2012/10/07 18:49:52, LastAccessTime: 2013/01/26 0:00:00, LastWriteTime: 2012/10/07 18:19:58, ChangeTime: 1601/01/01 9:00:00, FileAttributes: D"
  590. 20:39:09.3053062","cmd.exe","2152","CloseFile","C:\Documents and Settings\rik\繝・せ繧ッ繝医ャ繝・,"SUCCESS",""
  591. 20:39:09.3056026","cmd.exe","2152","CreateFile","C:\Documents and Settings\rik\繝・せ繧ッ繝医ャ繝予about1.exe","SUCCESS","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
  592. 20:39:09.3057071","cmd.exe","2152","QueryBasicInformationFile","C:\Documents and Settings\rik\繝・せ繧ッ繝医ャ繝予about1.exe","SUCCESS","CreationTime: 2013/01/26 20:31:08, LastAccessTime: 2013/01/26 0:00:00, LastWriteTime: 2013/01/26 18:42:16, ChangeTime: 1601/01/01 9:00:00, FileAttributes: A"
  593. 20:39:09.3058018","cmd.exe","2152","CloseFile","C:\Documents and Settings\rik\繝・せ繧ッ繝医ャ繝予about1.exe","SUCCESS",""
  594. 20:39:09.3059393","cmd.exe","2152","CreateFile","C:\Documents and Settings\rik\繝・せ繧ッ繝医ャ繝・,"SUCCESS","Desired Access: Read Data/List Directory, Synchronize, Disposition: Open, Options: Directory, Synchronous IO Non-Alert, Attributes: n/a, ShareMode: Read, Write, AllocationSize: n/a, OpenResult: Opened"
  595. 20:39:09.3060100","cmd.exe","2152","QueryDirectory","C:\Documents and Settings\rik\繝・せ繧ッ繝医ャ繝予about1.exe","SUCCESS","Filter: about1.exe, 1: about1.exe"
  596. 20:39:09.3061901","cmd.exe","2152","CreateFile","C:\Documents and Settings\rik\繝・せ繧ッ繝医ャ繝予about1.exe","SUCCESS","Desired Access: Read Attributes, Delete, Disposition: Open, Options: Non-Directory File, Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
  597. 20:39:09.3063011","cmd.exe","2152","QueryAttributeTagFile","C:\Documents and Settings\rik\繝・せ繧ッ繝医ャ繝予about1.exe","INVALID PARAMETER",""
  598. 20:39:09.3064086","cmd.exe","2152","SetDispositionInformationFile","C:\Documents and Settings\rik\繝・せ繧ッ繝医ャ繝予about1.exe","SUCCESS","Delete: True"
  599. 20:39:09.3065651","cmd.exe","2152","CloseFile","C:\Documents and Settings\rik\繝・せ繧ッ繝医ャ繝予about1.exe","SUCCESS",""
  600. 20:39:09.3069277","cmd.exe","2152","QueryDirectory","C:\Documents and Settings\rik\繝・せ繧ッ繝医ャ繝・,"NO MORE FILES",""
  601. 20:39:09.3069972","cmd.exe","2152","CloseFile","C:\Documents and Settings\rik\繝・せ繧ッ繝医ャ繝・,"SUCCESS",""
  602. 20:39:09.3073559","cmd.exe","2152","CreateFile","C:\Documents and Settings\rik\Local Settings\Temp\exp2.tmp.bat","SUCCESS","Desired Access: Generic Read, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: N, ShareMode: Read, Write, AllocationSize: n/a, OpenResult: Opened"
  603. 20:39:09.3074772","cmd.exe","2152","ReadFile","C:\Documents and Settings\rik\Local Settings\Temp\exp2.tmp.bat","SUCCESS","Offset: 85, Length: 132"
  604. 20:39:09.3075540","cmd.exe","2152","ReadFile","C:\WINDOWS\system32\cmd.exe","SUCCESS","Offset: 232,448, Length: 14,848, I/O Flags: Non-cached, Paging I/O, Synchronous Paging I/O"
  605. 20:39:09.3432030","cmd.exe","2152","CloseFile","C:\Documents and Settings\rik\Local Settings\Temp\exp2.tmp.bat","SUCCESS",""
  606. 20:39:09.3433591","cmd.exe","2152","CreateFile","C:\Documents and Settings\rik\繝・せ繧ッ繝医ャ繝・,"SUCCESS","Desired Access: Read Data/List Directory, Synchronize, Disposition: Open, Options: Directory, Synchronous IO Non-Alert, Attributes: n/a, ShareMode: Read, Write, AllocationSize: n/a, OpenResult: Opened"
  607. 20:39:09.3503248","cmd.exe","2152","QueryDirectory","C:\Documents and Settings\rik\繝・せ繧ッ繝医ャ繝予about1.exe","NO SUCH FILE","Filter: about1.exe"
  608. 20:39:09.3504019","cmd.exe","2152","CloseFile","C:\Documents and Settings\rik\繝・せ繧ッ繝医ャ繝・,"SUCCESS",""
  609. 20:39:09.3512235","cmd.exe","2152","CreateFile","C:\Documents and Settings\rik\Local Settings\Temp\exp2.tmp.bat","SUCCESS","Desired Access: Generic Read, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: N, ShareMode: Read, Write, AllocationSize: n/a, OpenResult: Opened"
  610. 20:39:09.3513509","cmd.exe","2152","ReadFile","C:\Documents and Settings\rik\Local Settings\Temp\exp2.tmp.bat","SUCCESS","Offset: 158, Length: 59"
  611. 20:39:09.3514900","cmd.exe","2152","CloseFile","C:\Documents and Settings\rik\Local Settings\Temp\exp2.tmp.bat","SUCCESS",""
  612. 20:39:09.3515923","cmd.exe","2152","CreateFile","C:\","SUCCESS","Desired Access: Read Data/List Directory, Synchronize, Disposition: Open, Options: Directory, Synchronous IO Non-Alert, Attributes: n/a, ShareMode: Read, Write, AllocationSize: n/a, OpenResult: Opened"
  613. 20:39:09.3516205","cmd.exe","2152","QueryNameInformationFile","C:\","SUCCESS","Name: \"
  614. 20:39:09.3516482","cmd.exe","2152","QueryAttributeInformationVolume","C:\","SUCCESS","FileSystemAttributes: Case Preserved, Unicode, MaximumComponentNameLength: 255, FileSystemName: FAT32"
  615. 20:39:09.3516739","cmd.exe","2152","CloseFile","C:\","SUCCESS",""
  616. 20:39:09.3519703","cmd.exe","2152","CreateFile","C:\Documents and Settings\rik\Local Settings\Temp\exp2.tmp.bat","SUCCESS","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
  617. 20:39:09.3520728","cmd.exe","2152","QueryBasicInformationFile","C:\Documents and Settings\rik\Local Settings\Temp\exp2.tmp.bat","SUCCESS","CreationTime: 2013/01/26 20:39:06, LastAccessTime: 2013/01/26 0:00:00, LastWriteTime: 2013/01/26 20:39:08, ChangeTime: 1601/01/01 9:00:00, FileAttributes: HA"
  618. 20:39:09.3521655","cmd.exe","2152","CloseFile","C:\Documents and Settings\rik\Local Settings\Temp\exp2.tmp.bat","SUCCESS",""
  619. 20:39:09.3524594","cmd.exe","2152","CreateFile","C:\Documents and Settings\rik\Local Settings\Temp","SUCCESS","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
  620. 20:39:09.3525575","cmd.exe","2152","QueryBasicInformationFile","C:\Documents and Settings\rik\Local Settings\Temp","SUCCESS","CreationTime: 2012/10/07 18:49:52, LastAccessTime: 2013/01/26 0:00:00, LastWriteTime: 2012/10/07 18:19:58, ChangeTime: 1601/01/01 9:00:00, FileAttributes: D"
  621. 20:39:09.3526480","cmd.exe","2152","CloseFile","C:\Documents and Settings\rik\Local Settings\Temp","SUCCESS",""
  622. 20:39:09.3529330","cmd.exe","2152","CreateFile","C:\Documents and Settings\rik\Local Settings\Temp\exp2.tmp.bat","SUCCESS","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
  623. 20:39:09.3530335","cmd.exe","2152","QueryBasicInformationFile","C:\Documents and Settings\rik\Local Settings\Temp\exp2.tmp.bat","SUCCESS","CreationTime: 2013/01/26 20:39:06, LastAccessTime: 2013/01/26 0:00:00, LastWriteTime: 2013/01/26 20:39:08, ChangeTime: 1601/01/01 9:00:00, FileAttributes: HA"
  624. 20:39:09.3531243","cmd.exe","2152","CloseFile","C:\Documents and Settings\rik\Local Settings\Temp\exp2.tmp.bat","SUCCESS",""
  625. 20:39:09.3532933","cmd.exe","2152","CreateFile","C:\Documents and Settings\rik\Local Settings\Temp","SUCCESS","Desired Access: Read Data/List Directory, Synchronize, Disposition: Open, Options: Directory, Synchronous IO Non-Alert, Attributes: n/a, ShareMode: Read, Write, AllocationSize: n/a, OpenResult: Opened"
  626. 20:39:09.3533973","cmd.exe","2152","QueryDirectory","C:\Documents and Settings\rik\Local Settings\Temp\exp2.tmp.bat","SUCCESS","Filter: exp2.tmp.bat, 1: exp2.tmp.bat"
  627. 20:39:09.3535856","cmd.exe","2152","CreateFile","C:\Documents and Settings\rik\Local Settings\Temp\exp2.tmp.bat","SUCCESS","Desired Access: Read Attributes, Delete, Disposition: Open, Options: Non-Directory File, Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
  628. 20:39:09.3536923","cmd.exe","2152","QueryAttributeTagFile","C:\Documents and Settings\rik\Local Settings\Temp\exp2.tmp.bat","INVALID PARAMETER",""
  629. 20:39:09.3537948","cmd.exe","2152","SetDispositionInformationFile","C:\Documents and Settings\rik\Local Settings\Temp\exp2.tmp.bat","SUCCESS","Delete: True"
  630. 20:39:09.3539085","cmd.exe","2152","CloseFile","C:\Documents and Settings\rik\Local Settings\Temp\exp2.tmp.bat","SUCCESS",""
  631. 20:39:09.3540812","cmd.exe","2152","QueryDirectory","C:\Documents and Settings\rik\Local Settings\Temp","NO MORE FILES",""
  632. 20:39:09.3541826","cmd.exe","2152","CloseFile","C:\Documents and Settings\rik\Local Settings\Temp","SUCCESS",""
  633. 20:39:09.3545094","cmd.exe","2152","CreateFile","C:\Documents and Settings\rik\Local Settings\Temp\exp2.tmp.bat","NAME NOT FOUND","Desired Access: Generic Read, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: N, ShareMode: Read, Write, AllocationSize: n/a"
  634. 20:39:09.3547005","cmd.exe","2152","ReadFile","C:\WINDOWS\system32\cmd.exe","SUCCESS","Offset: 411,136, Length: 16,384, I/O Flags: Non-cached, Paging I/O, Synchronous Paging I/O"
  635. 20:39:09.4029136","cmd.exe","2152","CloseFile","C:\Documents and Settings\rik\繝・せ繧ッ繝医ャ繝・,"SUCCESS",""
  636. 20:39:09.4030681","cmd.exe","2152","CloseFile","C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83","SUCCESS",""
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement