Firefox Log Folder Paths

pid:4092, tid:2168, tick:0x33D6F82, lvl:LOG, func:EssentialInit, log:"Start of d
iagnostic log for process with command line: \"C:\Users\i92segoa\Desktop\Firefox

SEO\firefox.exe\" , current pid: 0xFFC"
pid:4092, tid:2168, tick:0x33D6F82, lvl:LOG, func:EssentialInit, log:"Done Setti
ng some windows apis. Time consumed so far: 0 ms."
pid:4092, tid:2168, tick:0x33D6F82, lvl:LOG, func:_DetermineOS, log:"OS Informat
ion - Version 10.0.10586, SP: 0.0, Suite: 0x300, Platform: 0x2, ProductType: 0x1
, Text: ."
pid:4092, tid:2168, tick:0x33D6F82, lvl:LOG, func:EssentialInit, log:"Got OS inf
o. Time consumed so far: 0 ms."
pid:4092, tid:2168, tick:0x33D6F82, lvl:LOG, func:EssentialInit, log:"Virtual En
vironment is 32bit"
pid:4092, tid:2168, tick:0x33D6F82, lvl:LOG, func:EssentialInit, log:"Got parent
info. Time consumed so far: 0 ms."
pid:4092, tid:2168, tick:0x33D6F82, lvl:LOG, func:Init, log:"@APPDIR@ = C:\Users
\i92segoa\Desktop\Firefox SEO"
pid:4092, tid:2168, tick:0x33D6F82, lvl:LOG, func:EssentialInit, log:"Initialize
d folder mapper. Time consumed so far: 0 ms."
pid:4092, tid:2168, tick:0x33D6F82, lvl:LOG, func:_LoadBootstrapSettings, log:"L
oading bootstrap settings."
pid:4092, tid:2168, tick:0x33D6F82, lvl:LOG, func:_LoadBootstrapSettings, log:"D
one loading bootstrap settings."
pid:4092, tid:2168, tick:0x33D6F82, lvl:LOG, func:EssentialInit, log:"Applicatio
n executing with VM version: 11.8.723"
pid:4092, tid:2168, tick:0x33D6F82, lvl:LOG, func:_LoadApplicationSvmSettings, l
og:"Loading embedded app settings."
pid:4092, tid:2168, tick:0x33D6F82, lvl:LOG, func:FinalInit, log:"@WINDIR@ = C:\
WINDOWS"
pid:4092, tid:2168, tick:0x33D6F82, lvl:LOG, func:FinalInit, log:"@SYSDRIVE@ = C
:"
pid:4092, tid:2168, tick:0x33D6F82, lvl:LOG, func:FinalInit, log:"@PROGRAMFILES@
= C:\Program Files"
pid:4092, tid:2168, tick:0x33D6F82, lvl:LOG, func:FinalInit, log:"@PROGRAMFILESC
OMMON@ = C:\Program Files\Common Files"
pid:4092, tid:2168, tick:0x33D6F82, lvl:LOG, func:FinalInit, log:"@PROGRAMFILESX
86@ = C:\Program Files (x86)"
pid:4092, tid:2168, tick:0x33D6F82, lvl:LOG, func:FinalInit, log:"@PROGRAMFILESC
OMMONX86@ = C:\Program Files (x86)\Common Files"
pid:4092, tid:2168, tick:0x33D6F82, lvl:LOG, func:FinalInit, log:"@SYSTEM@ = C:\
WINDOWS\system32"
pid:4092, tid:2168, tick:0x33D6F82, lvl:LOG, func:FinalInit, log:"@SYSWOW64@ = C
:\WINDOWS\SysWOW64"
pid:4092, tid:2168, tick:0x33D6F82, lvl:LOG, func:FinalInit, log:"@SYSNATIVE@ =
C:\WINDOWS\Sysnative"
pid:4092, tid:2168, tick:0x33D6F82, lvl:LOG, func:FinalInit, log:"@PROFILE@ = C:
\Users\i92segoa"
pid:4092, tid:2168, tick:0x33D6F82, lvl:LOG, func:FinalInit, log:"@PROFILECOMMON
@ = C:\ProgramData"
pid:4092, tid:2168, tick:0x33D6F82, lvl:LOG, func:FinalInit, log:"@APPDATA@ = C:
\Users\i92segoa\AppData\Roaming"
pid:4092, tid:2168, tick:0x33D6F82, lvl:LOG, func:FinalInit, log:"@APPDATALOCAL@
= C:\Users\i92segoa\AppData\Local"
pid:4092, tid:2168, tick:0x33D6F82, lvl:LOG, func:FinalInit, log:"@APPDATALOCALL
OW@ = C:\Users\i92segoa\AppData\LocalLow"
pid:4092, tid:2168, tick:0x33D6F82, lvl:LOG, func:FinalInit, log:"@STARTMENU@ =
C:\Users\i92segoa\AppData\Roaming\Microsoft\Windows\Start Menu"
pid:4092, tid:2168, tick:0x33D6F82, lvl:LOG, func:FinalInit, log:"@PROGRAMS@ = C
:\Users\i92segoa\AppData\Roaming\Microsoft\Windows\Start Menu\Programs"
pid:4092, tid:2168, tick:0x33D6F82, lvl:LOG, func:FinalInit, log:"@STARTUP@ = C:
\Users\i92segoa\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
pid:4092, tid:2168, tick:0x33D6F82, lvl:LOG, func:FinalInit, log:"@TEMPLATES@ =

C:\Users\i92segoa\AppData\Roaming\Microsoft\Windows\Templates"
pid:4092, tid:2168, tick:0x33D6F82, lvl:LOG, func:FinalInit, log:"@FAVORITES@ =
C:\Users\i92segoa\Favorites"
pid:4092, tid:2168, tick:0x33D6F82, lvl:LOG, func:FinalInit, log:"@DESKTOP@ = C:
\Users\i92segoa\Desktop"
pid:4092, tid:2168, tick:0x33D6F82, lvl:LOG, func:FinalInit, log:"@DOCUMENTS@ =
C:\Users\i92segoa\Documents"
pid:4092, tid:2168, tick:0x33D6F82, lvl:LOG, func:FinalInit, log:"@MUSIC@ = C:\U
sers\i92segoa\Music"
pid:4092, tid:2168, tick:0x33D6F82, lvl:LOG, func:FinalInit, log:"@PICTURES@ = C
:\Users\i92segoa\Pictures"
pid:4092, tid:2168, tick:0x33D6F82, lvl:LOG, func:FinalInit, log:"@VIDEOS@ = C:\
Users\i92segoa\Videos"
pid:4092, tid:2168, tick:0x33D6F82, lvl:LOG, func:FinalInit, log:"@APPDATACOMMON
@ = C:\ProgramData"
pid:4092, tid:2168, tick:0x33D6F82, lvl:LOG, func:FinalInit, log:"@STARTMENUCOMM
ON@ = C:\ProgramData\Microsoft\Windows\Start Menu"
pid:4092, tid:2168, tick:0x33D6F82, lvl:LOG, func:FinalInit, log:"@PROGRAMSCOMMO
N@ = C:\ProgramData\Microsoft\Windows\Start Menu\Programs"
pid:4092, tid:2168, tick:0x33D6F82, lvl:LOG, func:FinalInit, log:"@STARTUPCOMMON
@ = C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"
pid:4092, tid:2168, tick:0x33D6F82, lvl:LOG, func:FinalInit, log:"@DESKTOPCOMMON
@ = C:\Users\Public\Desktop"
pid:4092, tid:2168, tick:0x33D6F82, lvl:LOG, func:FinalInit, log:"@TEMPLATESCOMM
ON@ = C:\ProgramData\Microsoft\Windows\Templates"
pid:4092, tid:2168, tick:0x33D6F82, lvl:LOG, func:FinalInit, log:"@FAVORITESCOMM
ON@ = C:\Users\i92segoa\Favorites"
pid:4092, tid:2168, tick:0x33D6F82, lvl:LOG, func:FinalInit, log:"@DOCUMENTSCOMM
ON@ = C:\Users\Public\Documents"
pid:4092, tid:2168, tick:0x33D6F82, lvl:LOG, func:FinalInit, log:"@MUSICCOMMON@
= C:\Users\Public\Music"
pid:4092, tid:2168, tick:0x33D6F82, lvl:LOG, func:FinalInit, log:"@PICTURESCOMMO
N@ = C:\Users\Public\Pictures"
pid:4092, tid:2168, tick:0x33D6F82, lvl:LOG, func:FinalInit, log:"Got raw folder
s. Time consumed so far: 0 ms."
pid:4092, tid:2168, tick:0x33D6F82, lvl:LOG, func:_AddAliasMapping, log:"Adding
alias mapping from \??\C: to \Device\HarddiskVolume2"
alias mapping from \??\C:\WINDOWS\system32 to \Device\HarddiskVolume2\Windows\Sy
sWOW64"
alias mapping from \??\C:\WINDOWS\Sysnative to \Device\HarddiskVolume2\Windows\S
ystem32"
alias mapping from \REGISTRY\USER\S-1-5-18 to \REGISTRY\USER\.DEFAULT"
alias mapping from \REGISTRY\USER\S-1-5-21-2360094602-2602383397-2463990887-1001
_Classes\CLSID to \REGISTRY\USER\S-1-5-21-2360094602-2602383397-2463990887-1001\
SOFTWARE\CLASSES\Wow6432Node\CLSID"
\SOFTWARE\CLASSES\CLSID to \REGISTRY\USER\S-1-5-21-2360094602-2602383397-2463990
887-1001\SOFTWARE\CLASSES\Wow6432Node\CLSID"
\SOFTWARE\Wow6432Node\CLASSES\CLSID to \REGISTRY\USER\S-1-5-21-2360094602-260238
3397-2463990887-1001\SOFTWARE\CLASSES\Wow6432Node\CLSID"
_Classes\DirectShow to \REGISTRY\USER\S-1-5-21-2360094602-2602383397-24639908871001\SOFTWARE\CLASSES\Wow6432Node\DirectShow"
\SOFTWARE\CLASSES\DirectShow to \REGISTRY\USER\S-1-5-21-2360094602-2602383397-24
63990887-1001\SOFTWARE\CLASSES\Wow6432Node\DirectShow"
\SOFTWARE\Wow6432Node\CLASSES\DirectShow to \REGISTRY\USER\S-1-5-21-2360094602-2
602383397-2463990887-1001\SOFTWARE\CLASSES\Wow6432Node\DirectShow"
_Classes\Interface to \REGISTRY\USER\S-1-5-21-2360094602-2602383397-2463990887-1
001\SOFTWARE\CLASSES\Wow6432Node\Interface"
\SOFTWARE\CLASSES\Interface to \REGISTRY\USER\S-1-5-21-2360094602-2602383397-246
3990887-1001\SOFTWARE\CLASSES\Wow6432Node\Interface"
\SOFTWARE\Wow6432Node\CLASSES\Interface to \REGISTRY\USER\S-1-5-21-2360094602-26
02383397-2463990887-1001\SOFTWARE\CLASSES\Wow6432Node\Interface"
_Classes\Media Type to \REGISTRY\USER\S-1-5-21-2360094602-2602383397-24639908871001\SOFTWARE\CLASSES\Wow6432Node\Media Type"
\SOFTWARE\CLASSES\Media Type to \REGISTRY\USER\S-1-5-21-2360094602-2602383397-24
63990887-1001\SOFTWARE\CLASSES\Wow6432Node\Media Type"
\SOFTWARE\Wow6432Node\CLASSES\Media Type to \REGISTRY\USER\S-1-5-21-2360094602-2
602383397-2463990887-1001\SOFTWARE\CLASSES\Wow6432Node\Media Type"
_Classes\MediaFoundation to \REGISTRY\USER\S-1-5-21-2360094602-2602383397-246399
0887-1001\SOFTWARE\CLASSES\Wow6432Node\MediaFoundation"
\SOFTWARE\CLASSES\MediaFoundation to \REGISTRY\USER\S-1-5-21-2360094602-26023833
97-2463990887-1001\SOFTWARE\CLASSES\Wow6432Node\MediaFoundation"
\SOFTWARE\Wow6432Node\CLASSES\MediaFoundation to \REGISTRY\USER\S-1-5-21-2360094
602-2602383397-2463990887-1001\SOFTWARE\CLASSES\Wow6432Node\MediaFoundation"
alias mapping from \REGISTRY\MACHINE\SOFTWARE\RegisteredApplications to \REGISTR
Y\MACHINE\SOFTWARE\RegisteredApplications"
alias mapping from \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\RegisteredApplications
to \REGISTRY\MACHINE\SOFTWARE\RegisteredApplications"
alias mapping from \REGISTRY\MACHINE\SOFTWARE\Policies to \REGISTRY\MACHINE\SOFT
WARE\Policies"
alias mapping from \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Policies to \REGISTRY\
MACHINE\SOFTWARE\Policies"
alias mapping from \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersio
n\Time Zones to \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\T

ime Zones"
alias mapping from \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\C
urrentVersion\Time Zones to \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\Curr
entVersion\Time Zones"
n\ProfileList to \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
ProfileList"
urrentVersion\ProfileList to \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\Cur
rentVersion\ProfileList"
n\Print to \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Print"
urrentVersion\Print to \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVe
rsion\Print"
n\Ports to \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Ports"
urrentVersion\Ports to \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVe
rsion\Ports"
n\Perflib to \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perf
lib"
urrentVersion\Perflib to \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\Current
Version\Perflib"
n\NetworkCards to \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion
\NetworkCards"
urrentVersion\NetworkCards to \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\Cu
rrentVersion\NetworkCards"
n\FontSubstitutes to \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVers
ion\FontSubstitutes"
urrentVersion\FontSubstitutes to \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT
\CurrentVersion\FontSubstitutes"
n\Fonts to \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Fonts"
urrentVersion\Fonts to \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVe
rsion\Fonts"

n\FontMapper to \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\F
ontMapper"
urrentVersion\FontMapper to \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\Curr
entVersion\FontMapper"
n\FontDpi to \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Font
Dpi"
urrentVersion\FontDpi to \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\Current
Version\FontDpi"
alias mapping from \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\T
elephony\Locations to \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersio
n\Telephony\Locations"
alias mapping from \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Curr
entVersion\Telephony\Locations to \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\C
urrentVersion\Telephony\Locations"
alias mapping from \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\S
etup to \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup"
entVersion\Setup to \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\
Setup"
alias mapping from \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\P
olicies to \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies"
entVersion\Policies to \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersi
on\Policies"
alias mapping from \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\G
roup Policy to \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Group
Policy"
entVersion\Group Policy to \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentV
ersion\Group Policy"
alias mapping from \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\C
ontrol Panel\Cursors\Schemes to \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\Cur
rentVersion\Control Panel\Cursors\Schemes"
entVersion\Control Panel\Cursors\Schemes to \REGISTRY\MACHINE\SOFTWARE\Microsoft
\Windows\CurrentVersion\Control Panel\Cursors\Schemes"
alias mapping from \REGISTRY\MACHINE\SOFTWARE\Microsoft\Transaction Server to \R
EGISTRY\MACHINE\SOFTWARE\Microsoft\Transaction Server"
alias mapping from \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Transaction
Server to \REGISTRY\MACHINE\SOFTWARE\Microsoft\Transaction Server"
alias mapping from \REGISTRY\MACHINE\SOFTWARE\Microsoft\TermServLicensing to \RE

GISTRY\MACHINE\SOFTWARE\Microsoft\TermServLicensing"
alias mapping from \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\TermServLice
nsing to \REGISTRY\MACHINE\SOFTWARE\Microsoft\TermServLicensing"
alias mapping from \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates to \R
EGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates"
alias mapping from \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\SystemCertif
icates to \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates"
alias mapping from \REGISTRY\MACHINE\SOFTWARE\Microsoft\SOFTWARE\Microsoft\Share
d Tools\MSInfo to \REGISTRY\MACHINE\SOFTWARE\Microsoft\SOFTWARE\Microsoft\Shared
Tools\MSInfo"
alias mapping from \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\SOFTWARE\Mic
rosoft\Shared Tools\MSInfo to \REGISTRY\MACHINE\SOFTWARE\Microsoft\SOFTWARE\Micr
osoft\Shared Tools\MSInfo"
alias mapping from \REGISTRY\MACHINE\SOFTWARE\Microsoft\RPC to \REGISTRY\MACHINE
\SOFTWARE\Microsoft\RPC"
alias mapping from \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\RPC to \REGI
STRY\MACHINE\SOFTWARE\Microsoft\RPC"
alias mapping from \REGISTRY\MACHINE\SOFTWARE\Microsoft\RAS to \REGISTRY\MACHINE
\SOFTWARE\Microsoft\RAS"
alias mapping from \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\RAS to \REGI
STRY\MACHINE\SOFTWARE\Microsoft\RAS"
alias mapping from \REGISTRY\MACHINE\SOFTWARE\Microsoft\OLE to \REGISTRY\MACHINE
\SOFTWARE\Microsoft\OLE"
alias mapping from \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\OLE to \REGI
STRY\MACHINE\SOFTWARE\Microsoft\OLE"
alias mapping from \REGISTRY\MACHINE\SOFTWARE\Microsoft\Non-Driver Signing to \R
EGISTRY\MACHINE\SOFTWARE\Microsoft\Non-Driver Signing"
alias mapping from \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Non-Driver S
igning to \REGISTRY\MACHINE\SOFTWARE\Microsoft\Non-Driver Signing"
alias mapping from \REGISTRY\MACHINE\SOFTWARE\Microsoft\MSMQ to \REGISTRY\MACHIN
E\SOFTWARE\Microsoft\MSMQ"
alias mapping from \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\MSMQ to \REG
ISTRY\MACHINE\SOFTWARE\Microsoft\MSMQ"
alias mapping from \REGISTRY\MACHINE\SOFTWARE\Microsoft\EventSystem to \REGISTRY
\MACHINE\SOFTWARE\Microsoft\EventSystem"
alias mapping from \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\EventSystem
to \REGISTRY\MACHINE\SOFTWARE\Microsoft\EventSystem"
alias mapping from \REGISTRY\MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates t
o \REGISTRY\MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates"
alias mapping from \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\EnterpriseCe
rtificates to \REGISTRY\MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates"
alias mapping from \REGISTRY\MACHINE\SOFTWARE\Microsoft\Driver Signing to \REGIS
TRY\MACHINE\SOFTWARE\Microsoft\Driver Signing"
alias mapping from \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Driver Signi
ng to \REGISTRY\MACHINE\SOFTWARE\Microsoft\Driver Signing"
alias mapping from \REGISTRY\MACHINE\SOFTWARE\Microsoft\DFS to \REGISTRY\MACHINE
\SOFTWARE\Microsoft\DFS"
alias mapping from \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\DFS to \REGI
STRY\MACHINE\SOFTWARE\Microsoft\DFS"
alias mapping from \REGISTRY\MACHINE\SOFTWARE\Microsoft\CTF\TIP to \REGISTRY\MAC
HINE\SOFTWARE\Microsoft\CTF\TIP"
alias mapping from \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\CTF\TIP to \
REGISTRY\MACHINE\SOFTWARE\Microsoft\CTF\TIP"
alias mapping from \REGISTRY\MACHINE\SOFTWARE\Microsoft\CTF\SystemShared to \REG
ISTRY\MACHINE\SOFTWARE\Microsoft\CTF\SystemShared"
alias mapping from \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\CTF\SystemSh
ared to \REGISTRY\MACHINE\SOFTWARE\Microsoft\CTF\SystemShared"
alias mapping from \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\Services to
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\Services"
alias mapping from \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography
\Services to \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\Services"
alias mapping from \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\Calais\Read
ers to \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\Calais\Readers"
\Calais\Readers to \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\Calais\Read
ers"
alias mapping from \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\Calais\Curr
ent to \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\Calais\Current"
\Calais\Current to \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\Calais\Curr
ent"
alias mapping from \REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3 to \REGISTRY\MACHIN
E\SOFTWARE\Microsoft\COM3"
alias mapping from \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\COM3 to \REG
ISTRY\MACHINE\SOFTWARE\Microsoft\COM3"
alias mapping from \REGISTRY\MACHINE\SOFTWARE\Classes\MediaFoundation to \REGIST
RY\MACHINE\SOFTWARE\Classes\Wow6432Node\MediaFoundation"
alias mapping from \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Classes\MediaFoundatio
n to \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\MediaFoundation"
alias mapping from \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\MediaFoundatio
n to \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\MediaFoundation"

alias mapping from \REGISTRY\MACHINE\SOFTWARE\Classes\Media Type to \REGISTRY\MA
CHINE\SOFTWARE\Classes\Wow6432Node\Media Type"
alias mapping from \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Classes\Media Type to
\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Media Type"
alias mapping from \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Media Type to
\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Media Type"
alias mapping from \REGISTRY\MACHINE\SOFTWARE\Classes\Interface to \REGISTRY\MAC
HINE\SOFTWARE\Classes\Wow6432Node\Interface"
alias mapping from \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Classes\Interface to \
REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface"
alias mapping from \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface to \
REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface"
alias mapping from \REGISTRY\MACHINE\SOFTWARE\Classes\DirectShow to \REGISTRY\MA
CHINE\SOFTWARE\Classes\Wow6432Node\DirectShow"
alias mapping from \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Classes\DirectShow to
\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\DirectShow"
alias mapping from \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\DirectShow to
\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\DirectShow"
alias mapping from \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID to \REGISTRY\MACHINE
\SOFTWARE\Classes\Wow6432Node\CLSID"
alias mapping from \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID to \REGI
STRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID"
alias mapping from \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID to \REGI
STRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID"
alias mapping from \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node to \REGISTRY\M
ACHINE\SOFTWARE\Classes"
alias mapping from \REGISTRY\MACHINE\SOFTWARE\Classes to \REGISTRY\MACHINE\SOFTW
ARE\Classes"
alias mapping from \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Classes to \REGISTRY\M
ACHINE\SOFTWARE\Classes"
alias mapping from \REGISTRY\MACHINE\SOFTWARE\Wow6432Node to \REGISTRY\MACHINE\S
OFTWARE\Wow6432Node"
alias mapping from \REGISTRY\MACHINE\SOFTWARE to \REGISTRY\MACHINE\SOFTWARE\Wow6
432Node"
_Classes to \REGISTRY\USER\S-1-5-21-2360094602-2602383397-2463990887-1001\SOFTWA
RE\CLASSES"
pid:4092, tid:2168, tick:0x33D6F92, lvl:LOG, func:FinalInit, log:"Got alternativ
e paths. Time consumed so far: 16 ms."
pid:4092, tid:2168, tick:0x33D6F92, lvl:LOG, func:_LoadItem, log:"Skipping confi
g type: 0x2E"
g type: 0x32"
g type: 0x28"
pid:4092, tid:2168, tick:0x33D6F92, lvl:LOG, func:_LoadApplicationSvmSettings, l
og:"Done loading embedded app settings."
pid:4092, tid:2168, tick:0x33D6F92, lvl:LOG, func:_LoadBootstrapSystemLayer, log
:"Loading embedded system layers."
g type: 0x2E"
g type: 0x32"
g type: 0x28"
pid:4092, tid:2168, tick:0x33D6F92, lvl:LOG, func:_LoadLayer, log:"Loading inner
layer: Xenocode"
pid:4092, tid:2168, tick:0x33D6F92, lvl:LOG, func:RecurseDirectoryConfig, log:"A
dding root directory @APPDATA@ (at \Device\HarddiskVolume2\Users\i92segoa\AppDat
a\Roaming) with flags: C."
dding root directory @APPDATACOMMON@ (at \Device\HarddiskVolume2\ProgramData) wi
th flags: C."
dding root directory @APPDATALOCAL@ (at \Device\HarddiskVolume2\Users\i92segoa\A
ppData\Local) with flags: 8C."
dding root directory @APPDATALOCALLOW@ (at \Device\HarddiskVolume2\Users\i92sego
a\AppData\LocalLow) with flags: 8C."
dding root directory @APPDIR@ (at \Device\HarddiskVolume2\Users\i92segoa\Desktop
\Firefox SEO) with flags: 4."
dding root directory @DESKTOP@ (at \Device\HarddiskVolume2\Users\i92segoa\Deskto
p) with flags: C."
dding root directory @DESKTOPCOMMON@ (at \Device\HarddiskVolume2\Users\Public\De
sktop) with flags: C."
dding root directory @DOCUMENTS@ (at \Device\HarddiskVolume2\Users\i92segoa\Docu
ments) with flags: C."
dding root directory @DOCUMENTSCOMMON@ (at \Device\HarddiskVolume2\Users\Public\
Documents) with flags: C."
dding root directory @FAVORITES@ (at \Device\HarddiskVolume2\Users\i92segoa\Favo
rites) with flags: C."
dding root directory @FAVORITESCOMMON@ (at \Device\HarddiskVolume2\Users\i92sego
a\Favorites) with flags: C."
dding root directory @MUSIC@ (at \Device\HarddiskVolume2\Users\i92segoa\Music) w
ith flags: C."
dding root directory @MUSICCOMMON@ (at \Device\HarddiskVolume2\Users\Public\Musi
c) with flags: C."
dding root directory @PICTURES@ (at \Device\HarddiskVolume2\Users\i92segoa\Pictu
res) with flags: C."
dding root directory @PICTURESCOMMON@ (at \Device\HarddiskVolume2\Users\Public\P
ictures) with flags: C."

dding root directory @PROFILE@ (at \Device\HarddiskVolume2\Users\i92segoa) with
flags: C."
dding root directory @PROFILECOMMON@ (at \Device\HarddiskVolume2\ProgramData) wi
th flags: C."
dding root directory @PROGRAMFILES@ (at \Device\HarddiskVolume2\Program Files) w
ith flags: C."
dding root directory @PROGRAMFILESCOMMON@ (at \Device\HarddiskVolume2\Program Fi
les\Common Files) with flags: C."
dding root directory @PROGRAMFILESCOMMONX86@ (at \Device\HarddiskVolume2\Program
Files (x86)\Common Files) with flags: C."
dding root directory @PROGRAMFILESX86@ (at \Device\HarddiskVolume2\Program Files
(x86)) with flags: C."
dding root directory @PROGRAMS@ (at \Device\HarddiskVolume2\Users\i92segoa\AppDa
ta\Roaming\Microsoft\Windows\Start Menu\Programs) with flags: C."
dding root directory @PROGRAMSCOMMON@ (at \Device\HarddiskVolume2\ProgramData\Mi
crosoft\Windows\Start Menu\Programs) with flags: C."
dding root directory @STARTMENU@ (at \Device\HarddiskVolume2\Users\i92segoa\AppD
ata\Roaming\Microsoft\Windows\Start Menu) with flags: C."
dding root directory @STARTMENUCOMMON@ (at \Device\HarddiskVolume2\ProgramData\M
icrosoft\Windows\Start Menu) with flags: C."
dding root directory @STARTUP@ (at \Device\HarddiskVolume2\Users\i92segoa\AppDat
a\Roaming\Microsoft\Windows\Start Menu\Programs\Startup) with flags: C."
dding root directory @STARTUPCOMMON@ (at \Device\HarddiskVolume2\ProgramData\Mic
rosoft\Windows\Start Menu\Programs\Startup) with flags: C."
dding root directory @SYSDRIVE@ (at \Device\HarddiskVolume2) with flags: C."
pid:4092, tid:2168, tick:0x33D6F92, lvl:LOG, func:RecurseDirectoryConfig, log:"S
kipping special directory root @SYSTEM@"
dding root directory @SYSWOW64@ (at \Device\HarddiskVolume2\WINDOWS\SysWOW64) wi
th flags: C."
dding root directory @TEMPLATES@ (at \Device\HarddiskVolume2\Users\i92segoa\AppD
ata\Roaming\Microsoft\Windows\Templates) with flags: C."
dding root directory @TEMPLATESCOMMON@ (at \Device\HarddiskVolume2\ProgramData\M
icrosoft\Windows\Templates) with flags: C."
dding root directory @VIDEOS@ (at \Device\HarddiskVolume2\Users\i92segoa\Videos)
with flags: C."
dding root directory @WINDIR@ (at \Device\HarddiskVolume2\WINDOWS) with flags: C
."
pid:4092, tid:2168, tick:0x33D6F92, lvl:LOG, func:_LoadComplexItemCore, log:"Ski
pping config type: 0x12"
pid:4092, tid:2168, tick:0x33D6F92, lvl:LOG, func:_LoadBootstrapSystemLayer, log
:"Done loading embedded system layerss."

pid:4092, tid:2168, tick:0x33D6F92, lvl:LOG, func:_LoadApplicationSvmNonSystemLa
yers, log:"Loading embedded app xlayer."
g type: 0x2E"
g type: 0x32"
g type: 0x28"
layer: Default"
a\Roaming) with flags: 4."
th flags: C."
ppData\Local) with flags: 84."
a\AppData\LocalLow) with flags: 84."
p) with flags: 4."
ments) with flags: 4."
ith flags: C."
c) with flags: C."
flags: 4."

th flags: C."
ith flags: C."
(x86)) with flags: 4."
th flags: C."
with flags: C."
dding root directory @WINDIR@ (at \Device\HarddiskVolume2\WINDOWS) with flags: 4
."
alias mapping from \??\C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\
Start Menu\Programs\StartUp to \Device\HarddiskVolume2\Users\i92segoa\AppData\Ro
aming\Microsoft\Windows\Start Menu\Programs\Startup"

Start Menu\Programs to \Device\HarddiskVolume2\Users\i92segoa\AppData\Roaming\Mi
crosoft\Windows\Start Menu\Programs"
Start Menu to \Device\HarddiskVolume2\Users\i92segoa\AppData\Roaming\Microsoft\W
indows\Start Menu"
alias mapping from \??\C:\Users\Administrator\Desktop to \Device\HarddiskVolume2
\Users\i92segoa\Desktop"
Templates to \Device\HarddiskVolume2\Users\i92segoa\AppData\Roaming\Microsoft\Wi
ndows\Templates"
alias mapping from \??\C:\Users\Administrator\Favorites to \Device\HarddiskVolum
e2\Users\i92segoa\Favorites"
alias mapping from \??\C:\Users\Administrator\Music to \Device\HarddiskVolume2\U
sers\i92segoa\Music"
alias mapping from \??\C:\Users\Administrator\Pictures to \Device\HarddiskVolume
2\Users\i92segoa\Pictures"
alias mapping from \??\C:\Users\Administrator\Documents to \Device\HarddiskVolum
e2\Users\i92segoa\Documents"
alias mapping from \??\C:\Users\Administrator\AppData\Local to \Device\HarddiskV
olume2\Users\i92segoa\AppData\Local"
alias mapping from \??\C:\Users\Administrator\AppData\Roaming to \Device\Harddis
kVolume2\Users\i92segoa\AppData\Roaming"
alias mapping from \??\C:\Users\Administrator to \Device\HarddiskVolume2\Users\i
92segoa"
alias mapping from \??\C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Star
tUp to \Device\HarddiskVolume2\ProgramData\Microsoft\Windows\Start Menu\Programs
\Startup"
alias mapping from \??\C:\ProgramData\Microsoft\Windows\Start Menu\Programs to \
Device\HarddiskVolume2\ProgramData\Microsoft\Windows\Start Menu\Programs"
alias mapping from \??\C:\ProgramData\Microsoft\Windows\Start Menu to \Device\Ha
rddiskVolume2\ProgramData\Microsoft\Windows\Start Menu"
alias mapping from \??\C:\Users\Public\Desktop to \Device\HarddiskVolume2\Users\
Public\Desktop"
alias mapping from \??\C:\ProgramData\Microsoft\Windows\Templates to \Device\Har
ddiskVolume2\ProgramData\Microsoft\Windows\Templates"
alias mapping from \??\C:\Users\Public\Music to \Device\HarddiskVolume2\Users\Pu
blic\Music"
alias mapping from \??\C:\Users\Public\Pictures to \Device\HarddiskVolume2\Users
\Public\Pictures"
alias mapping from \??\C:\Users\Public\Documents to \Device\HarddiskVolume2\User
s\Public\Documents"

alias mapping from \??\C:\ProgramData to \Device\HarddiskVolume2\ProgramData"
alias mapping from \??\C:\Program Files (x86)\Common Files to \Device\HarddiskVo
lume2\Program Files (x86)\Common Files"
alias mapping from \??\C:\Program Files (x86) to \Device\HarddiskVolume2\Program
Files (x86)"
alias mapping from \??\C:\Windows\SysWOW64 to \Device\HarddiskVolume2\WINDOWS\Sy
sWOW64"
alias mapping from \??\C:\Windows to \Device\HarddiskVolume2\WINDOWS"
layer: Flash||14.0.0.125||1||Default"
a\Roaming) with flags: 4."
th flags: 4."
ppData\Local) with flags: 84."
a\AppData\LocalLow) with flags: 8C."
p) with flags: C."
ments) with flags: C."
ith flags: C."
c) with flags: C."

flags: C."
th flags: C."
ith flags: C."
(x86)) with flags: C."
th flags: 4."
with flags: C."
dding root directory @WINDIR@ (at \Device\HarddiskVolume2\WINDOWS) with flags: 4
."
g type: 0x17"
alias mapping from \??\C:\Program Files\Common Files to \Device\HarddiskVolume2\
Program Files (x86)\Common Files"
alias mapping from \??\C:\Program Files to \Device\HarddiskVolume2\Program Files
(x86)"
pid:4092, tid:2168, tick:0x33D6F92, lvl:LOG, func:_LoadApplicationSvmNonSystemLa
yers, log:"Done loading embedded app xlayer."
dding directory Downloads with flags: 14."
dding directory __Xenocode with flags: 3."
pid:4092, tid:2168, tick:0x33D6F92, lvl:LOG, func:RecurseDirectoryConfig, log:"D
uplicate directory __Xenocode will not be added as it is at lower layer."
uplicate directory __Xenocode will not be added as it is at lower layer."
pid:4092, tid:2168, tick:0x33D6F92, lvl:LOG, func:FormatSandboxPath, log:"Settin
g sandbox path to: \Device\HarddiskVolume2\Users\i92segoa\Desktop\Firefox SEO\da
ta"
dding directory Google with flags: 4."
dding directory Mozilla with flags: 6."
dding directory Adobe with flags: A."
dding directory Macromedia with flags: A."
pid:4092, tid:2168, tick:0x33D6F92, lvl:LOG, func:FormatSandboxPath, log:"Settin
g registry cache path to: \REGISTRY\USER\S-1-5-21-2360094602-2602383397-24639908
87-1001\Software\Spoon\SandboxCache\A527E666CB0D6807"
dding directory XSxS with flags: 2."
uplicate directory XSxS will not be added as it is at lower layer."
dding directory Mozilla Firefox with flags: 2."
pid:4092, tid:2168, tick:0x33D6F92, lvl:LOG, func:EssentialInit, log:"Extracted
configuration. Time consumed so far: 16 ms."
pid:4092, tid:2168, tick:0x33D6F92, lvl:OK, func:NtMapViewOfSection, status:0x0,
address:0x670000, zerobits:0x0, commitsize:0x0, offset:0x210000, viewsize:0x100
00, disposition:0x2, type:0x0, protect:0x2, handle:0x78
pid:4092, tid:2168, tick:0x33D6F92, lvl:OK, func:NtUnmapViewOfSection, status:0x
0, address:0x5B0000
0, address:0x670000
dding directory Macromed with flags: 2."
pid:4092, tid:2168, tick:0x33D6F92, lvl:LOG, func:NtOpenSection, status:0xC00000
34, handle:0x0, access:0xF, path:"\KnownDlls32\Iphlpapi.dll"
pid:4092, tid:2168, tick:0x33D6F92, lvl:LOG, func:RecurseRegistryConfig, log:"Du
plicate regkey Software will not be added as it is at lower layer."
0, address:0x570000

plicate regkey SOFTWARE will not be added as it is at lower layer."
0, address:0x580000
plicate regkey SOFTWARE will not be added as it is at lower layer."
0, address:0x570000
plicate regkey SYSTEM will not be added as it is at lower layer."
0, address:0x580000
0, address:0x570000
plicate regkey CurrentControlSet will not be added as it is at lower layer."
0, address:0x580000
0, address:0x570000
pid:4092, tid:2168, tick:0x33D6F92, lvl:OK, func:NtOpenKey, status:0x0, handle:0
xD8, access:0x1, path:"\Registry\MACHINE\System\CurrentControlSet\Control\Sessio
n Manager"
pid:4092, tid:2168, tick:0x33D6F92, lvl:LOG, func:NtQueryValueKey, status:0xC000
0034, name:"SafeDllSearchMode", class:0x2, length:0x10, resultlength:0x681B54, h
andle:0xD8, path:"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SESSION MANAGER
"
pid:4092, tid:2168, tick:0x33D6F92, lvl:LOG, func:NtQueryAttributesFile, status:
0xC0000034, path:"C:\Users\i92segoa\Desktop\Firefox SEO\Iphlpapi.dll"
pid:4092, tid:2168, tick:0x33D6F92, lvl:OK, func:NtQueryAttributesFile, status:0
x0, attribs:0x20, path:"C:\WINDOWS\SYSTEM32\Iphlpapi.dll"
pid:4092, tid:2168, tick:0x33D6F92, lvl:OK, func:NtOpenFile, status:0x0, handle:
0xDC, access:0x100021, iostatus:0x0, information:0x1, share:0x5, options:0x60, p
ath:"C:\WINDOWS\SYSTEM32\Iphlpapi.dll"
pid:4092, tid:2168, tick:0x33D6F92, lvl:OK, func:NtCreateSection, status:0x0, ha
ndle:0xE0, access:0xF, pageattribs:0x10, sectionattribs:0x1000000, file:0xDC
address:0x736A0000, zerobits:0x0, commitsize:0x0, viewsize:0x2F000, disposition
:0x1, type:0x800000, protect:0x4, handle:0xE0, path:"C:\WINDOWS\SYSTEM32\Iphlpap
i.dll"
pid:4092, tid:2168, tick:0x33D6F92, lvl:OK, func:LdrLoadDll, status:0x0, flags:0
x0, module:"Iphlpapi.dll", handle:0x736A0000
pid:4092, tid:2168, tick:0x33D6F92, lvl:OK, func:LdrGetDllHandle, status:0x0, na

me:"ntdll.dll", module:0x77C10000
me:"kernel32.dll", module:0x74CD0000
pid:4092, tid:2168, tick:0x33D6FA1, lvl:LOG, func:_WrapExistingHandles, log:"Wra
pping existing handles"
pid:4092, tid:2168, tick:0x33D6FA1, lvl:LOG, func:_WrapExistingHandles, log:" W
rapping File handle: 0x14."
rapping Key handle: 0x1C."
pid:4092, tid:2168, tick:0x33D6FA1, lvl:OK, func:NtMapViewOfSection, status:0x0,
pid:4092, tid:2168, tick:0x33D6FA1, lvl:OK, func:NtUnmapViewOfSection, status:0x
0, address:0x580000
pid:4092, tid:2168, tick:0x33D6FA1, lvl:LOG, func:RecurseRegistryConfig, log:"Du
plicate regkey Classes will not be added as it is at lower layer."
0, address:0x570000
plicate regkey CLASSES will not be added as it is at lower layer."
0, address:0x580000
0, address:0x570000
plicate regkey Wow6432Node will not be added as it is at lower layer."
0, address:0x580000
0, address:0x570000
plicate regkey Microsoft will not be added as it is at lower layer."
0, address:0x580000
0, address:0x570000
plicate regkey Windows will not be added as it is at lower layer."
rapping Key handle: 0x6C."
rapping Key handle: 0x70."
rapping Key handle: 0x74."
rapping Key handle: 0xA4."
rapping Key handle: 0xD8."
rapping File handle: 0xDC."
rapping File handle: 0xF0."
0, address:0x580000
0, address:0x570000
0, address:0x580000
0, address:0x570000

0, address:0x580000
0, address:0x570000
plicate regkey Software will not be added as it is at lower layer."
pid:4092, tid:2168, tick:0x33D6FA1, lvl:OK, func:NtCreateKey, status:0x0, handle
:0x160, access:0xF013F, title:0x0, options:0x0, path:"\REGISTRY\USER\S-1-5-21-23
60094602-2602383397-2463990887-1001\Environment"
pid:4092, tid:2168, tick:0x33D6FA1, lvl:OK, func:NtSetValueKey, status:0x0, name
:"path", index:0x0, type:0x2, size:0x64C, handle:0x160, path:"\REGISTRY\USER\S-1
-5-21-2360094602-2602383397-2463990887-1001\Environment"
pid:4092, tid:2168, tick:0x33D6FA1, lvl:OK, func:NtClose, status:0x0, handle:0x1
60
pid:4092, tid:2168, tick:0x33D6FA1, lvl:OK, func:NtOpenFile, status:0x0, handle:
0x1D0, access:0x100020, iostatus:0x0, information:0x0, share:0x3, options:0x21,
path:"C:\Users\i92segoa\Desktop\Firefox SEO\"
pid:4092, tid:2168, tick:0x33D6FA1, lvl:OK, func:NtQueryVolumeInformationFile, s
tatus:0x0, iostatus:0x0, information:0x8, length:0x8, class:0x4, handle:0x1D0, p
ath:"C:\Users\i92segoa\Desktop\Firefox SEO"
pid:4092, tid:2168, tick:0x33D6FA1, lvl:OK, func:NtClose, status:0x0, handle:0x2
8
0, address:0x580000
pid:4092, tid:2168, tick:0x33D6FA1, lvl:OK, func:NtOpenKey, status:0x0, handle:0
x28, access:0x20119, path:"\REGISTRY\MACHINE\System\CurrentControlSet\Services"
pid:4092, tid:2168, tick:0x33D6FA1, lvl:OK, func:NtEnumerateKey, status:0x0, ind
ex:0x0, class:0x0, length:0x400, resultlength:0x30, handle:0x28, path:"\REGISTRY
\MACHINE\System\CurrentControlSet\Services"
ex:0x2, class:0x0, length:0x400, resultlength:0x3E, handle:0x28, path:"\REGISTRY
ex:0x3, class:0x0, length:0x400, resultlength:0x4E, handle:0x28, path:"\REGISTRY

ex:0xA, class:0x0, length:0x400, resultlength:0x20, handle:0x28, path:"\REGISTRY
ex:0xB, class:0x0, length:0x400, resultlength:0x24, handle:0x28, path:"\REGISTRY
ex:0xC, class:0x0, length:0x400, resultlength:0x28, handle:0x28, path:"\REGISTRY
ex:0xD, class:0x0, length:0x400, resultlength:0x26, handle:0x28, path:"\REGISTRY
ex:0xE, class:0x0, length:0x400, resultlength:0x28, handle:0x28, path:"\REGISTRY
ex:0xF, class:0x0, length:0x400, resultlength:0x36, handle:0x28, path:"\REGISTRY
ex:0x10, class:0x0, length:0x400, resultlength:0x32, handle:0x28, path:"\REGISTR
Y\MACHINE\System\CurrentControlSet\Services"
ex:0x13, class:0x0, length:0x400, resultlength:0x1E, handle:0x28, path:"\REGISTR
ex:0x1A, class:0x0, length:0x400, resultlength:0x26, handle:0x28, path:"\REGISTR
ex:0x1B, class:0x0, length:0x400, resultlength:0x24, handle:0x28, path:"\REGISTR
ex:0x1C, class:0x0, length:0x400, resultlength:0x26, handle:0x28, path:"\REGISTR

ex:0x1D, class:0x0, length:0x400, resultlength:0x2C, handle:0x28, path:"\REGISTR
ex:0x1E, class:0x0, length:0x400, resultlength:0x2E, handle:0x28, path:"\REGISTR
ex:0x1F, class:0x0, length:0x400, resultlength:0x22, handle:0x28, path:"\REGISTR
ex:0x2D, class:0x0, length:0x400, resultlength:0x30, handle:0x28, path:"\REGISTR

ex:0x39, class:0x0, length:0x400, resultlength:0x2C, handle:0x28, path:"\REGISTR
ex:0x3A, class:0x0, length:0x400, resultlength:0x2A, handle:0x28, path:"\REGISTR
ex:0x3E, class:0x0, length:0x400, resultlength:0x26, handle:0x28, path:"\REGISTR
ex:0x42, class:0x0, length:0x400, resultlength:0x2A, handle:0x28, path:"\REGISTR


ex:0x5A, class:0x0, length:0x400, resultlength:0x3A, handle:0x28, path:"\REGISTR
ex:0x5B, class:0x0, length:0x400, resultlength:0x3A, handle:0x28, path:"\REGISTR
ex:0x5F, class:0x0, length:0x400, resultlength:0x1E, handle:0x28, path:"\REGISTR
ex:0x6C, class:0x0, length:0x400, resultlength:0x2C, handle:0x28, path:"\REGISTR

ex:0x6F, class:0x0, length:0x400, resultlength:0x2A, handle:0x28, path:"\REGISTR
ex:0x7F, class:0x0, length:0x400, resultlength:0x2E, handle:0x28, path:"\REGISTR

ex:0x8A, class:0x0, length:0x400, resultlength:0x1E, handle:0x28, path:"\REGISTR
ex:0x8D, class:0x0, length:0x400, resultlength:0x2E, handle:0x28, path:"\REGISTR
ex:0x8F, class:0x0, length:0x400, resultlength:0x2A, handle:0x28, path:"\REGISTR

ex:0x9A, class:0x0, length:0x400, resultlength:0x2E, handle:0x28, path:"\REGISTR
ex:0x9B, class:0x0, length:0x400, resultlength:0x2C, handle:0x28, path:"\REGISTR
ex:0x9D, class:0x0, length:0x400, resultlength:0x3E, handle:0x28, path:"\REGISTR
ex:0xA0, class:0x0, length:0x400, resultlength:0x30, handle:0x28, path:"\REGISTR

ex:0xAA, class:0x0, length:0x400, resultlength:0x26, handle:0x28, path:"\REGISTR
ex:0xAB, class:0x0, length:0x400, resultlength:0x2A, handle:0x28, path:"\REGISTR
ex:0xAC, class:0x0, length:0x400, resultlength:0x24, handle:0x28, path:"\REGISTR
ex:0xAD, class:0x0, length:0x400, resultlength:0x3A, handle:0x28, path:"\REGISTR
ex:0xAE, class:0x0, length:0x400, resultlength:0x3A, handle:0x28, path:"\REGISTR
ex:0xAF, class:0x0, length:0x400, resultlength:0x24, handle:0x28, path:"\REGISTR
ex:0xB0, class:0x0, length:0x400, resultlength:0x20, handle:0x28, path:"\REGISTR
ex:0xB8, class:0x0, length:0x400, resultlength:0x2E, handle:0x28, path:"\REGISTR
ex:0xBA, class:0x0, length:0x400, resultlength:0x26, handle:0x28, path:"\REGISTR
ex:0xBB, class:0x0, length:0x400, resultlength:0x22, handle:0x28, path:"\REGISTR
ex:0xBC, class:0x0, length:0x400, resultlength:0x24, handle:0x28, path:"\REGISTR

ex:0xBD, class:0x0, length:0x400, resultlength:0x42, handle:0x28, path:"\REGISTR
ex:0xBE, class:0x0, length:0x400, resultlength:0x20, handle:0x28, path:"\REGISTR
ex:0xBF, class:0x0, length:0x400, resultlength:0x42, handle:0x28, path:"\REGISTR
ex:0xC0, class:0x0, length:0x400, resultlength:0x24, handle:0x28, path:"\REGISTR
ex:0xC4, class:0x0, length:0x400, resultlength:0x2A, handle:0x28, path:"\REGISTR
ex:0xCA, class:0x0, length:0x400, resultlength:0x28, handle:0x28, path:"\REGISTR
ex:0xCB, class:0x0, length:0x400, resultlength:0x26, handle:0x28, path:"\REGISTR
ex:0xCC, class:0x0, length:0x400, resultlength:0x22, handle:0x28, path:"\REGISTR
ex:0xCD, class:0x0, length:0x400, resultlength:0x24, handle:0x28, path:"\REGISTR
ex:0xCE, class:0x0, length:0x400, resultlength:0x24, handle:0x28, path:"\REGISTR
ex:0xCF, class:0x0, length:0x400, resultlength:0x28, handle:0x28, path:"\REGISTR
ex:0xD0, class:0x0, length:0x400, resultlength:0x24, handle:0x28, path:"\REGISTR

ex:0xDA, class:0x0, length:0x400, resultlength:0x3A, handle:0x28, path:"\REGISTR
ex:0xDB, class:0x0, length:0x400, resultlength:0x20, handle:0x28, path:"\REGISTR
ex:0xDC, class:0x0, length:0x400, resultlength:0x22, handle:0x28, path:"\REGISTR
ex:0xDD, class:0x0, length:0x400, resultlength:0x34, handle:0x28, path:"\REGISTR
ex:0xDE, class:0x0, length:0x400, resultlength:0x24, handle:0x28, path:"\REGISTR
ex:0xDF, class:0x0, length:0x400, resultlength:0x26, handle:0x28, path:"\REGISTR
ex:0xE0, class:0x0, length:0x400, resultlength:0x26, handle:0x28, path:"\REGISTR
ex:0xE1, class:0x0, length:0x400, resultlength:0x2E, handle:0x28, path:"\REGISTR
ex:0xE4, class:0x0, length:0x400, resultlength:0x2A, handle:0x28, path:"\REGISTR

ex:0xE5, class:0x0, length:0x400, resultlength:0x2A, handle:0x28, path:"\REGISTR
ex:0xE9, class:0x0, length:0x400, resultlength:0x2C, handle:0x28, path:"\REGISTR
ex:0xEA, class:0x0, length:0x400, resultlength:0x32, handle:0x28, path:"\REGISTR
ex:0xEB, class:0x0, length:0x400, resultlength:0x2E, handle:0x28, path:"\REGISTR
ex:0xEC, class:0x0, length:0x400, resultlength:0x40, handle:0x28, path:"\REGISTR
ex:0xED, class:0x0, length:0x400, resultlength:0x26, handle:0x28, path:"\REGISTR
ex:0xEE, class:0x0, length:0x400, resultlength:0x24, handle:0x28, path:"\REGISTR
ex:0xEF, class:0x0, length:0x400, resultlength:0x24, handle:0x28, path:"\REGISTR
ex:0xF0, class:0x0, length:0x400, resultlength:0x38, handle:0x28, path:"\REGISTR

ex:0xF9, class:0x0, length:0x400, resultlength:0x4A, handle:0x28, path:"\REGISTR
ex:0xFA, class:0x0, length:0x400, resultlength:0x44, handle:0x28, path:"\REGISTR
ex:0xFB, class:0x0, length:0x400, resultlength:0x44, handle:0x28, path:"\REGISTR
ex:0xFC, class:0x0, length:0x400, resultlength:0x44, handle:0x28, path:"\REGISTR
ex:0xFD, class:0x0, length:0x400, resultlength:0x44, handle:0x28, path:"\REGISTR
ex:0xFE, class:0x0, length:0x400, resultlength:0x44, handle:0x28, path:"\REGISTR
ex:0xFF, class:0x0, length:0x400, resultlength:0x44, handle:0x28, path:"\REGISTR
ex:0x100, class:0x0, length:0x400, resultlength:0x44, handle:0x28, path:"\REGIST
RY\MACHINE\System\CurrentControlSet\Services"
ex:0x10A, class:0x0, length:0x400, resultlength:0x44, handle:0x28, path:"\REGIST
ex:0x10B, class:0x0, length:0x400, resultlength:0x44, handle:0x28, path:"\REGIST
ex:0x10C, class:0x0, length:0x400, resultlength:0x44, handle:0x28, path:"\REGIST

ex:0x10D, class:0x0, length:0x400, resultlength:0x44, handle:0x28, path:"\REGIST
ex:0x10E, class:0x0, length:0x400, resultlength:0x44, handle:0x28, path:"\REGIST
ex:0x10F, class:0x0, length:0x400, resultlength:0x44, handle:0x28, path:"\REGIST

ex:0x131, class:0x0, length:0x400, resultlength:0x3C, handle:0x28, path:"\REGIST

ex:0x13D, class:0x0, length:0x400, resultlength:0x2E, handle:0x28, path:"\REGIST
ex:0x13E, class:0x0, length:0x400, resultlength:0x2A, handle:0x28, path:"\REGIST
ex:0x13F, class:0x0, length:0x400, resultlength:0x2A, handle:0x28, path:"\REGIST
ex:0x142, class:0x0, length:0x400, resultlength:0x2A, handle:0x28, path:"\REGIST

ex:0x14C, class:0x0, length:0x400, resultlength:0x1E, handle:0x28, path:"\REGIST
ex:0x14F, class:0x0, length:0x400, resultlength:0x2E, handle:0x28, path:"\REGIST

ex:0x15F, class:0x0, length:0x400, resultlength:0x2C, handle:0x28, path:"\REGIST
ex:0x164, class:0x0, length:0x400, resultlength:0x2E, handle:0x28, path:"\REGIST
ex:0x16C, class:0x0, length:0x400, resultlength:0x2A, handle:0x28, path:"\REGIST

ex:0x17D, class:0x0, length:0x400, resultlength:0x2C, handle:0x28, path:"\REGIST

pid:4092, tid:2168, tick:0x33D6FB1, lvl:OK, func:NtEnumerateKey, status:0x0, ind

ex:0x1A0, class:0x0, length:0x400, resultlength:0x3A, handle:0x28, path:"\REGIST
ex:0x1A1, class:0x0, length:0x400, resultlength:0x38, handle:0x28, path:"\REGIST
ex:0x1AA, class:0x0, length:0x400, resultlength:0x38, handle:0x28, path:"\REGIST
ex:0x1AB, class:0x0, length:0x400, resultlength:0x38, handle:0x28, path:"\REGIST
ex:0x1AC, class:0x0, length:0x400, resultlength:0x38, handle:0x28, path:"\REGIST

ex:0x1AD, class:0x0, length:0x400, resultlength:0x38, handle:0x28, path:"\REGIST
ex:0x1AE, class:0x0, length:0x400, resultlength:0x38, handle:0x28, path:"\REGIST
ex:0x1AF, class:0x0, length:0x400, resultlength:0x38, handle:0x28, path:"\REGIST
ex:0x1B0, class:0x0, length:0x400, resultlength:0x38, handle:0x28, path:"\REGIST
ex:0x1B7, class:0x0, length:0x400, resultlength:0x1E, handle:0x28, path:"\REGIST
ex:0x1BA, class:0x0, length:0x400, resultlength:0x26, handle:0x28, path:"\REGIST
ex:0x1BB, class:0x0, length:0x400, resultlength:0x26, handle:0x28, path:"\REGIST
ex:0x1BC, class:0x0, length:0x400, resultlength:0x24, handle:0x28, path:"\REGIST
ex:0x1BD, class:0x0, length:0x400, resultlength:0x1E, handle:0x28, path:"\REGIST
ex:0x1BE, class:0x0, length:0x400, resultlength:0x24, handle:0x28, path:"\REGIST
ex:0x1BF, class:0x0, length:0x400, resultlength:0x24, handle:0x28, path:"\REGIST
ex:0x1C0, class:0x0, length:0x400, resultlength:0x1E, handle:0x28, path:"\REGIST

ex:0x1C1, class:0x0, length:0x400, resultlength:0x1E, handle:0x28, path:"\REGIST
ex:0x1C2, class:0x0, length:0x400, resultlength:0x24, handle:0x28, path:"\REGIST
ex:0x1C3, class:0x0, length:0x400, resultlength:0x2A, handle:0x28, path:"\REGIST
ex:0x1C4, class:0x0, length:0x400, resultlength:0x2A, handle:0x28, path:"\REGIST
ex:0x1CA, class:0x0, length:0x400, resultlength:0x28, handle:0x28, path:"\REGIST
ex:0x1CB, class:0x0, length:0x400, resultlength:0x44, handle:0x28, path:"\REGIST
ex:0x1CC, class:0x0, length:0x400, resultlength:0x52, handle:0x28, path:"\REGIST
ex:0x1CD, class:0x0, length:0x400, resultlength:0x52, handle:0x28, path:"\REGIST
ex:0x1CE, class:0x0, length:0x400, resultlength:0x52, handle:0x28, path:"\REGIST
ex:0x1CF, class:0x0, length:0x400, resultlength:0x52, handle:0x28, path:"\REGIST
ex:0x1D0, class:0x0, length:0x400, resultlength:0x52, handle:0x28, path:"\REGIST

ex:0x1DA, class:0x0, length:0x400, resultlength:0x50, handle:0x28, path:"\REGIST
ex:0x1DB, class:0x0, length:0x400, resultlength:0x50, handle:0x28, path:"\REGIST
ex:0x1DC, class:0x0, length:0x400, resultlength:0x50, handle:0x28, path:"\REGIST
ex:0x1DD, class:0x0, length:0x400, resultlength:0x50, handle:0x28, path:"\REGIST
ex:0x1DE, class:0x0, length:0x400, resultlength:0x50, handle:0x28, path:"\REGIST
ex:0x1DF, class:0x0, length:0x400, resultlength:0x50, handle:0x28, path:"\REGIST
ex:0x1E0, class:0x0, length:0x400, resultlength:0x50, handle:0x28, path:"\REGIST

ex:0x1EA, class:0x0, length:0x400, resultlength:0x50, handle:0x28, path:"\REGIST
ex:0x1EB, class:0x0, length:0x400, resultlength:0x50, handle:0x28, path:"\REGIST
ex:0x1EC, class:0x0, length:0x400, resultlength:0x50, handle:0x28, path:"\REGIST
ex:0x1ED, class:0x0, length:0x400, resultlength:0x50, handle:0x28, path:"\REGIST
ex:0x1EE, class:0x0, length:0x400, resultlength:0x52, handle:0x28, path:"\REGIST
ex:0x1EF, class:0x0, length:0x400, resultlength:0x50, handle:0x28, path:"\REGIST
ex:0x1F0, class:0x0, length:0x400, resultlength:0x50, handle:0x28, path:"\REGIST
ex:0x1FA, class:0x0, length:0x400, resultlength:0x50, handle:0x28, path:"\REGIST
ex:0x1FB, class:0x0, length:0x400, resultlength:0x50, handle:0x28, path:"\REGIST
ex:0x1FC, class:0x0, length:0x400, resultlength:0x50, handle:0x28, path:"\REGIST

ex:0x1FD, class:0x0, length:0x400, resultlength:0x50, handle:0x28, path:"\REGIST
ex:0x1FE, class:0x0, length:0x400, resultlength:0x50, handle:0x28, path:"\REGIST
ex:0x1FF, class:0x0, length:0x400, resultlength:0x50, handle:0x28, path:"\REGIST
ex:0x20A, class:0x0, length:0x400, resultlength:0x2A, handle:0x28, path:"\REGIST



ex:0x23B, class:0x0, length:0x400, resultlength:0x3A, handle:0x28, path:"\REGIST
ex:0x24B, class:0x0, length:0x400, resultlength:0x2E, handle:0x28, path:"\REGIST

ex:0x24D, class:0x0, length:0x400, resultlength:0x2A, handle:0x28, path:"\REGIST

ex:0x26A, class:0x0, length:0x400, resultlength:0x2E, handle:0x28, path:"\REGIST
ex:0x26C, class:0x0, length:0x400, resultlength:0x2C, handle:0x28, path:"\REGIST
ex:0x26E, class:0x0, length:0x400, resultlength:0x3C, handle:0x28, path:"\REGIST
ex:0x26F, class:0x0, length:0x400, resultlength:0x3C, handle:0x28, path:"\REGIST
pid:4092, tid:2168, tick:0x33D6FB1, lvl:OK, func:LdrGetDllHandle, status:0x0, na
me:"kernel32", module:0x74CD0000
pid:4092, tid:2168, tick:0x33D6FB1, lvl:OK, func:NtOpenSection, status:0x0, hand
le:0xE4, access:0xF, path:"\KnownDlls32\psapi.dll"
pid:4092, tid:2168, tick:0x33D6FB1, lvl:OK, func:NtMapViewOfSection, status:0x0,
address:0x74DB0000, zerobits:0x0, commitsize:0x0, viewsize:0x6000, disposition:
0x1, type:0x800000, protect:0x4, handle:0xE4, path:"\KnownDlls32\PSAPI.DLL"
pid:4092, tid:2168, tick:0x33D6FB1, lvl:OK, func:NtClose, status:0x0, handle:0xE

4
pid:4092, tid:2168, tick:0x33D6FB1, lvl:OK, func:LdrLoadDll, status:0x0, flags:0
x0, module:"psapi.dll", handle:0x74DB0000
me:"psapi", module:0x74DB0000
me:"advapi32", module:0x77B40000
le:0xE4, access:0xF, path:"\KnownDlls32\shell32.dll"
address:0x75670000, zerobits:0x0, commitsize:0x0, viewsize:0x13FE000, dispositi
on:0x1, type:0x800000, protect:0x4, handle:0xE4, path:"\KnownDlls32\SHELL32.dll"
le:0x1D4, access:0xF, path:"\KnownDlls32\cfgmgr32.dll"
address:0x75210000, zerobits:0x0, commitsize:0x0, viewsize:0x37000, disposition
:0x1, type:0x800000, protect:0x4, handle:0x1D4, path:"\KnownDlls32\CFGMGR32.dll"
pid:4092, tid:2168, tick:0x33D6FB1, lvl:OK, func:NtClose, status:0x0, handle:0x1

D4
le:0x1D4, access:0xF, path:"\KnownDlls32\windows.storage.dll"
address:0x76B00000, zerobits:0x0, commitsize:0x0, viewsize:0x4FA000, dispositio
n:0x1, type:0x800000, protect:0x4, handle:0x1D4, path:"\KnownDlls32\windows.stor
age.dll"
le:0x1D8, access:0xF, path:"\KnownDlls32\combase.dll"
address:0x74DC0000, zerobits:0x0, commitsize:0x0, viewsize:0x1BD000, dispositio
n:0x1, type:0x800000, protect:0x4, handle:0x1D8, path:"\KnownDlls32\combase.dll"
D8
le:0x1D8, access:0xF, path:"\KnownDlls32\shlwapi.dll"
address:0x77BC0000, zerobits:0x0, commitsize:0x0, viewsize:0x45000, disposition
:0x1, type:0x800000, protect:0x4, handle:0x1D8, path:"\KnownDlls32\SHLWAPI.dll"
le:0x1DC, access:0xF, path:"\KnownDlls32\GDI32.dll"
address:0x779F0000, zerobits:0x0, commitsize:0x0, viewsize:0x14F000, dispositio
n:0x1, type:0x800000, protect:0x4, handle:0x1DC, path:"\KnownDlls32\gdi32.dll"
le:0x1E0, access:0xF, path:"\KnownDlls32\USER32.dll"
address:0x75050000, zerobits:0x0, commitsize:0x0, viewsize:0x147000, dispositio
n:0x1, type:0x800000, protect:0x4, handle:0x1E0, path:"\KnownDlls32\user32.dll"
E0
DC
D8
le:0x1D8, access:0xF, path:"\KnownDlls32\kernel.appcore.dll"
address:0x74B10000, zerobits:0x0, commitsize:0x0, viewsize:0xC000, disposition:
0x1, type:0x800000, protect:0x4, handle:0x1D8, path:"\KnownDlls32\kernel.appcore
.dll"
D8
le:0x1D8, access:0xF, path:"\KnownDlls32\shcore.dll"
address:0x74B20000, zerobits:0x0, commitsize:0x0, viewsize:0x8D000, disposition
:0x1, type:0x800000, protect:0x4, handle:0x1D8, path:"\KnownDlls32\shcore.dll"
D8
le:0x1D8, access:0xF, path:"\KnownDlls32\powrprof.dll"
address:0x74FE0000, zerobits:0x0, commitsize:0x0, viewsize:0x44000, disposition
:0x1, type:0x800000, protect:0x4, handle:0x1D8, path:"\KnownDlls32\powrprof.dll"
D8
le:0x1D8, access:0xF, path:"\KnownDlls32\profapi.dll"

address:0x75430000, zerobits:0x0, commitsize:0x0, viewsize:0xF000, disposition:
0x1, type:0x800000, protect:0x4, handle:0x1D8, path:"\KnownDlls32\profapi.dll"
D8
D4
pid:4092, tid:2168, tick:0x33D6FB1, lvl:OK, func:NtSetInformationProcess, status
:0x0, class:0x23, length:0x1C
pid:4092, tid:2168, tick:0x33D6FB1, lvl:OK, func:NtClose, status:0x0, handle:0xE
4
pid:4092, tid:2168, tick:0x33D6FB1, lvl:OK, func:NtCreateFile, status:0x0, handl
e:0xE4, access:0x80000000, iostatus:0x0, information:0x0, attribs:0x0, share:0x0
, disposition:0x1, options:0x0, path:"\Device\DeviceApi\CMApi"
pid:4092, tid:2168, tick:0x33D6FB1, lvl:OK, func:NtUnmapViewOfSection, status:0x
0, address:0x570000
0, address:0x580000
0, address:0x570000
pid:4092, tid:2168, tick:0x33D6FB1, lvl:OK, func:NtOpenKey, status:0x0, handle:0
x1D4, access:0x2000000, path:"\REGISTRY\MACHINE"
0, address:0x580000
pid:4092, tid:2168, tick:0x33D6FB1, lvl:OK, func:NtOpenKeyEx, status:0x0, handle
:0x1D8, access:0x20019, path:"\REGISTRY\MACHINE\SOFTWARE\Microsoft\OLE"
pid:4092, tid:2168, tick:0x33D6FB1, lvl:LOG, func:NtQueryValueKey, status:0xC000
0034, name:"PageAllocatorUseSystemHeap", class:0x2, length:0x90, resultlength:0x
0, handle:0x1D8, path:"\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\OLE"
D8
0034, name:"PageAllocatorSystemHeapIsPrivate", class:0x2, length:0x90, resultlen
gth:0x0, handle:0x1D8, path:"\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\OLE"
D8
0034, name:"AggressiveMTATesting", class:0x2, length:0x90, resultlength:0x0, han
dle:0x1D8, path:"\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\OLE"
D8
me:"rpcrt4.dll", module:0x77000000
pid:4092, tid:2168, tick:0x33D6FB1, lvl:OK, func:LdrGetProcedureAddressForCaller
, status:0x0, module:0x77000000, name:"I_RpcInitNdrImports", ordinal:0x0, addres
s:0x77036110, image:0x0, caller:0x74E980E2
pid:4092, tid:2168, tick:0x33D6FB1, lvl:LOG, func:NtOpenKeyEx, status:0xC0000034
, handle:0x0, access:0x20019, path:"\REGISTRY\MACHINE\Software\Microsoft\OLE\Tra
cing"
pid:4092, tid:2168, tick:0x33D6FB1, lvl:LOG, func:NtOpenEvent, status:0xC0000034
, handle:0x0, access:0x100000, path:"\Sessions\1\BaseNamedObjects\HookSwitchHook
EnabledEvent"
pid:4092, tid:2168, tick:0x33D6FB1, lvl:OK, func:NtQueryAttributesFile, status:0
x0, attribs:0x20, path:"C:\WINDOWS\system32\IMM32.DLL"
pid:4092, tid:2168, tick:0x33D6FB1, lvl:OK, func:NtOpenFile, status:0x0, handle:
0x208, access:0x100001, iostatus:0x0, information:0x1, share:0x5, options:0x60,
path:"C:\WINDOWS\system32\IMM32.DLL"
pid:4092, tid:2168, tick:0x33D6FB1, lvl:OK, func:NtCreateSection, status:0x0, ha
ndle:0x20C, access:0x4, pageattribs:0x2, sectionattribs:0x8000000, file:0x208
address:0x580000, zerobits:0x0, commitsize:0x0, viewsize:0x2A000, disposition:0
x1, type:0x0, protect:0x2, handle:0x20C, path:"C:\WINDOWS\system32\IMM32.DLL"
0, address:0x580000
0C
08
pid:4092, tid:2168, tick:0x33D6FB1, lvl:LOG, func:LdrGetDllHandle, status:0xC000
0135, name:"C:\WINDOWS\system32\IMM32.DLL"
le:0x208, access:0xF, path:"\KnownDlls32\IMM32.DLL"
address:0x77670000, zerobits:0x0, commitsize:0x0, viewsize:0x2B000, disposition
:0x1, type:0x800000, protect:0x4, handle:0x208, path:"\KnownDlls32\IMM32.dll"
08
pid:4092, tid:2168, tick:0x33D6FB1, lvl:OK, func:NtQueryAttributesFile, status:0
me:"C:\WINDOWS\system32\IMM32.DLL", module:0x77670000
, status:0x0, module:0x77670000, name:"ImmWINNLSEnableIME", ordinal:0x0, address
:0x77688860, image:0x0, caller:0x750628CF
, status:0x0, module:0x77670000, name:"ImmWINNLSGetEnableStatus", ordinal:0x0, a
ddress:0x77688890, image:0x0, caller:0x750628E8
, status:0x0, module:0x77670000, name:"ImmSendIMEMessageExW", ordinal:0x0, addre
ss:0x77688840, image:0x0, caller:0x75062901
, status:0x0, module:0x77670000, name:"ImmSendIMEMessageExA", ordinal:0x0, addre
ss:0x77688820, image:0x0, caller:0x7506291A
, status:0x0, module:0x77670000, name:"ImmIMPGetIMEW", ordinal:0x0, address:0x77
688490, image:0x0, caller:0x75062933
, status:0x0, module:0x77670000, name:"ImmIMPGetIMEA", ordinal:0x0, address:0x77
688420, image:0x0, caller:0x7506294C
, status:0x0, module:0x77670000, name:"ImmIMPQueryIMEW", ordinal:0x0, address:0x

77688570, image:0x0, caller:0x75062965
, status:0x0, module:0x77670000, name:"ImmIMPQueryIMEA", ordinal:0x0, address:0x
776884D0, image:0x0, caller:0x7506297E
, status:0x0, module:0x77670000, name:"ImmIMPSetIMEW", ordinal:0x0, address:0x77
688710, image:0x0, caller:0x75062997
, status:0x0, module:0x77670000, name:"ImmIMPSetIMEA", ordinal:0x0, address:0x77
688690, image:0x0, caller:0x750629B0
, status:0x0, module:0x77670000, name:"ImmAssociateContext", ordinal:0x0, addres
s:0x77672380, image:0x0, caller:0x750629C9
, status:0x0, module:0x77670000, name:"ImmEscapeA", ordinal:0x0, address:0x77681
640, image:0x0, caller:0x750629E2
, status:0x0, module:0x77670000, name:"ImmEscapeW", ordinal:0x0, address:0x77681
900, image:0x0, caller:0x750629FB
, status:0x0, module:0x77670000, name:"ImmGetCompositionStringA", ordinal:0x0, a
ddress:0x7767E280, image:0x0, caller:0x75062A14
, status:0x0, module:0x77670000, name:"ImmGetCompositionStringW", ordinal:0x0, a
ddress:0x7767E320, image:0x0, caller:0x75062A2D
, status:0x0, module:0x77670000, name:"ImmGetCompositionWindow", ordinal:0x0, ad
dress:0x776728A0, image:0x0, caller:0x75062A46
, status:0x0, module:0x77670000, name:"ImmGetContext", ordinal:0x0, address:0x77
672D10, image:0x0, caller:0x75062A5F
, status:0x0, module:0x77670000, name:"ImmGetDefaultIMEWnd", ordinal:0x0, addres
s:0x77675000, image:0x0, caller:0x75062A78
, status:0x0, module:0x77670000, name:"ImmIsIME", ordinal:0x0, address:0x7767505
0, image:0x0, caller:0x75062A91
, status:0x0, module:0x77670000, name:"ImmReleaseContext", ordinal:0x0, address:
0x77675430, image:0x0, caller:0x75062AAA
, status:0x0, module:0x77670000, name:"ImmRegisterClient", ordinal:0x0, address:
0x776760E0, image:0x0, caller:0x75062AC3
, status:0x0, module:0x77670000, name:"ImmGetCompositionFontW", ordinal:0x0, add
ress:0x7767E1D0, image:0x0, caller:0x75062ADC
, status:0x0, module:0x77670000, name:"ImmGetCompositionFontA", ordinal:0x0, add
ress:0x7767E120, image:0x0, caller:0x75062AF5
, status:0x0, module:0x77670000, name:"ImmSetCompositionFontW", ordinal:0x0, add
ress:0x77672210, image:0x0, caller:0x75062B0E
, status:0x0, module:0x77670000, name:"ImmSetCompositionFontA", ordinal:0x0, add
ress:0x7767EF70, image:0x0, caller:0x75062B27
, status:0x0, module:0x77670000, name:"ImmSetCompositionWindow", ordinal:0x0, ad
dress:0x77673780, image:0x0, caller:0x75062B40
, status:0x0, module:0x77670000, name:"ImmNotifyIME", ordinal:0x0, address:0x776

81CB0, image:0x0, caller:0x75062B59
, status:0x0, module:0x77670000, name:"ImmLockIMC", ordinal:0x0, address:0x77672
DE0, image:0x0, caller:0x75062B72
, status:0x0, module:0x77670000, name:"ImmUnlockIMC", ordinal:0x0, address:0x776
73F00, image:0x0, caller:0x75062B8B
, status:0x0, module:0x77670000, name:"ImmLoadIME", ordinal:0x0, address:0x77675
DF0, image:0x0, caller:0x75062BA4
, status:0x0, module:0x77670000, name:"ImmSetOpenStatus", ordinal:0x0, address:0
x7767F660, image:0x0, caller:0x75062BBD
, status:0x0, module:0x77670000, name:"ImmFreeLayout", ordinal:0x0, address:0x77
681B10, image:0x0, caller:0x75062BD6
, status:0x0, module:0x77670000, name:"ImmActivateLayout", ordinal:0x0, address:
0x77681060, image:0x0, caller:0x75062BEF
, status:0x0, module:0x77670000, name:"ImmGetCandidateWindow", ordinal:0x0, addr
ess:0x77672B40, image:0x0, caller:0x75062C08
, status:0x0, module:0x77670000, name:"ImmSetCandidateWindow", ordinal:0x0, addr
ess:0x7767EEE0, image:0x0, caller:0x75062C21
, status:0x0, module:0x77670000, name:"ImmConfigureIMEW", ordinal:0x0, address:0
x77681400, image:0x0, caller:0x75062C3A
, status:0x0, module:0x77670000, name:"ImmGetConversionStatus", ordinal:0x0, add
ress:0x77672750, image:0x0, caller:0x75062C53
, status:0x0, module:0x77670000, name:"ImmSetConversionStatus", ordinal:0x0, add
ress:0x7767F580, image:0x0, caller:0x75062C6C
, status:0x0, module:0x77670000, name:"ImmSetStatusWindowPos", ordinal:0x0, addr
ess:0x7767F700, image:0x0, caller:0x75062C85
, status:0x0, module:0x77670000, name:"ImmGetImeInfoEx", ordinal:0x0, address:0x
77675F00, image:0x0, caller:0x75062C9E
, status:0x0, module:0x77670000, name:"ImmLockImeDpi", ordinal:0x0, address:0x77
673E70, image:0x0, caller:0x75062CB7
, status:0x0, module:0x77670000, name:"ImmUnlockImeDpi", ordinal:0x0, address:0x
77672700, image:0x0, caller:0x75062CD0
, status:0x0, module:0x77670000, name:"ImmGetOpenStatus", ordinal:0x0, address:0
x776727F0, image:0x0, caller:0x75062CE9
, status:0x0, module:0x77670000, name:"ImmSetActiveContext", ordinal:0x0, addres
s:0x776733B0, image:0x0, caller:0x75062D02
, status:0x0, module:0x77670000, name:"ImmTranslateMessage", ordinal:0x0, addres
s:0x77687F00, image:0x0, caller:0x75062D1B
, status:0x0, module:0x77670000, name:"ImmLoadLayout", ordinal:0x0, address:0x77
682160, image:0x0, caller:0x75062D34
, status:0x0, module:0x77670000, name:"ImmProcessKey", ordinal:0x0, address:0x77

6742D0, image:0x0, caller:0x75062D4D
, status:0x0, module:0x77670000, name:"ImmPutImeMenuItemsIntoMappedFile", ordina
l:0x0, address:0x7768D9E0, image:0x0, caller:0x75062D66
, status:0x0, module:0x77670000, name:"ImmGetProperty", ordinal:0x0, address:0x7
7682FE0, image:0x0, caller:0x75062D7F
, status:0x0, module:0x77670000, name:"ImmSetCompositionStringA", ordinal:0x0, a
ddress:0x7767F0A0, image:0x0, caller:0x75062D98
, status:0x0, module:0x77670000, name:"ImmSetCompositionStringW", ordinal:0x0, a
ddress:0x7767F0D0, image:0x0, caller:0x75062DB1
, status:0x0, module:0x77670000, name:"ImmEnumInputContext", ordinal:0x0, addres
s:0x776740B0, image:0x0, caller:0x75062DCA
, status:0x0, module:0x77670000, name:"ImmSystemHandler", ordinal:0x0, address:0
x77683D90, image:0x0, caller:0x75062DE3
, status:0x0, module:0x77670000, name:"CtfImmTIMActivate", ordinal:0x0, address:
0x77675F80, image:0x0, caller:0x75062DFC
, status:0x0, module:0x77670000, name:"CtfImmRestoreToolbarWnd", ordinal:0x0, ad
dress:0x7768E0D0, image:0x0, caller:0x75062E15
, status:0x0, module:0x77670000, name:"CtfImmHideToolbarWnd", ordinal:0x0, addre
ss:0x7768DF60, image:0x0, caller:0x75062E2A
, status:0x0, module:0x77670000, name:"CtfImmDispatchDefImeMessage", ordinal:0x0
, address:0x77675AA0, image:0x0, caller:0x75062E3F
, status:0x0, module:0x77670000, name:"CtfImmNotify", ordinal:0x0, address:0x776
75AE0, image:0x0, caller:0x75062E54
, status:0x0, module:0x77670000, name:"CtfImmSetDefaultRemoteKeyboardLayout", or
dinal:0x0, address:0x7768E140, image:0x0, caller:0x75062E69
, status:0x0, module:0x77670000, name:"CtfImmGetCompatibleKeyboardLayout", ordin
al:0x0, address:0x7768DE00, image:0x0, caller:0x75062E7E
pid:4092, tid:2168, tick:0x33D6FB1, lvl:OK, func:LdrLoadDll, status:0x0, flags:0
x0, module:"C:\WINDOWS\system32\IMM32.DLL", handle:0x77670000
pid:4092, tid:2168, tick:0x33D6FC1, lvl:OK, func:NtQueryAttributesFile, status:0
pid:4092, tid:2168, tick:0x33D6FC1, lvl:OK, func:LdrGetDllHandle, status:0x0, na
me:"C:\WINDOWS\system32\IMM32.DLL", module:0x77670000
pid:4092, tid:2168, tick:0x33D6FC1, lvl:OK, func:NtOpenKey, status:0x0, handle:0
x208, access:0x20019, path:"\Registry\Machine\Software\Microsoft\Windows NT\Curr
entVersion\GRE_Initialize"
pid:4092, tid:2168, tick:0x33D6FC1, lvl:LOG, func:NtQueryValueKey, status:0xC000
0034, name:"DisableMetaFiles", class:0x2, length:0x14, resultlength:0x680000, ha
ndle:0x208, path:"\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION
\GRE_Initialize"
pid:4092, tid:2168, tick:0x33D6FC1, lvl:OK, func:NtClose, status:0x0, handle:0x2
08
x218, access:0x1, path:"\Registry\MACHINE\SYSTEM\CurrentControlSet\Control\Nls\C
ustomLocale"
0034, name:"EMPTY", class:0x2, length:0x78, resultlength:0x768FB0, handle:0x218,

path:"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale"
0034, name:"EMPTY", class:0x2, length:0x78, resultlength:0x768FB0, handle:0x218,
path:"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale"
x21C, access:0x20019, path:"\Registry\Machine\System\CurrentControlSet\Control\N
LS\Language"
pid:4092, tid:2168, tick:0x33D6FC1, lvl:LOG, func:NtQueryValueKey, status:0x8000
0005, name:"InstallLanguageFallback", class:0x2, length:0x10, resultlength:0x1A,
handle:0x21C, path:"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language
"
1C
x21C, access:0x20019, path:"\Registry\Machine\System\CurrentControlSet\Control\M
UI\UILanguages"
pid:4092, tid:2168, tick:0x33D6FC1, lvl:OK, func:NtEnumerateKey, status:0x0, ind
ex:0x0, class:0x0, length:0x200, resultlength:0x1A, handle:0x21C, path:"\REGISTR
Y\MACHINE\SYSTEM\ControlSet001\Control\MUI\UILanguages"
x220, access:0x20019, path:"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\MUI\U
ILanguages\es-ES"
pid:4092, tid:2168, tick:0x33D6FC1, lvl:OK, func:NtQueryValueKey, status:0x0, na
me:"Type", class:0x2, length:0x10, resultlength:0x10, handle:0x220, path:"\REGIS
TRY\MACHINE\SYSTEM\ControlSet001\Control\MUI\UILanguages\es-ES"
me:"DefaultFallback", class:0x2, length:0xB6, resultlength:0x18, handle:0x220, p
ath:"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\MUI\UILanguages\es-ES"
me:"en-US", class:0x1, length:0x200, resultlength:0x24, handle:0x220, path:"\REG
ISTRY\MACHINE\SYSTEM\ControlSet001\Control\MUI\UILanguages\es-ES"
pid:4092, tid:2168, tick:0x33D6FC1, lvl:OK, func:NtEnumerateValueKey, status:0x0
, index:0x0, class:0x1, length:0x200, resultlength:0x44, handle:0x220, path:"\RE
GISTRY\MACHINE\SYSTEM\ControlSet001\Control\MUI\UILanguages\es-ES"
pid:4092, tid:2168, tick:0x33D6FC1, lvl:LOG, func:NtEnumerateValueKey, status:0x
8000001A, index:0x4, class:0x1, length:0x200, resultlength:0x24, handle:0x220, p
ath:"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\MUI\UILanguages\es-ES"
0034, name:"AlternateCodePage", class:0x2, length:0xC, resultlength:0x0, handle:
0x220, path:"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\MUI\UILanguages\es-E
S"
20
pid:4092, tid:2168, tick:0x33D6FC1, lvl:LOG, func:NtEnumerateKey, status:0x80000
01A, index:0x1, class:0x0, length:0x200, resultlength:0x1A, handle:0x21C, path:"
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\MUI\UILanguages"
1C
pid:4092, tid:2168, tick:0x33D6FC1, lvl:LOG, func:NtOpenKey, status:0xC0000034,
handle:0x0, access:0x20019, path:"\Registry\Machine\System\CurrentControlSet\Con
trol\MUI\UILanguages\PendingDelete"
handle:0x0, access:0x20019, path:"\Registry\Machine\Software\Policies\Microsoft\
MUI\Settings"
pid:4092, tid:2168, tick:0x33D6FC1, lvl:OK, func:NtMapViewOfSection, status:0x0,
pid:4092, tid:2168, tick:0x33D6FC1, lvl:OK, func:NtUnmapViewOfSection, status:0x
0, address:0x570000
0, address:0x580000
0, address:0x570000
x220, access:0x2000000, path:"\REGISTRY\USER\S-1-5-21-2360094602-2602383397-2463
990887-1001"
handle:0x0, access:0x20019, path:"\REGISTRY\USER\S-1-5-21-2360094602-26023833972463990887-1001\Control Panel\Desktop\MuiCached\MachineLanguageConfiguration"
x224, access:0x20019, path:"\Registry\Machine\System\CurrentControlSet\Control\M
UI\Settings\LanguageConfiguration"
8000001A, index:0x0, class:0x1, length:0x200, resultlength:0x2000B09, handle:0x2
24, path:"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\MUI\Settings\LanguageCo
nfiguration"
24
20
MUI\Settings"
990887-1001"
0, address:0x580000
0, address:0x570000
0, address:0x580000
pid:4092, tid:2168, tick:0x33D6FC1, lvl:LOG, func:RecurseRegistryConfig, log:"Du
plicate regkey Microsoft will not be added as it is at lower layer."

handle:0x0, access:0x20019, path:"\REGISTRY\USER\S-1-5-21-2360094602-26023833972463990887-1001\Software\Policies\Microsoft\Control Panel\Desktop"
0887-1001\Control Panel\Desktop\LanguageConfiguration"
8000001A, index:0x0, class:0x1, length:0x200, resultlength:0x2000002, handle:0x2
24, path:"\REGISTRY\USER\S-1-5-21-2360094602-2602383397-2463990887-1001\Control
Panel\Desktop\LanguageConfiguration"
24
20
MUI\Settings"
990887-1001"
handle:0x0, access:0x20019, path:"\REGISTRY\USER\S-1-5-21-2360094602-26023833972463990887-1001\Software\Policies\Microsoft\Control Panel\Desktop"
0887-1001\Control Panel\Desktop"
0034, name:"PreferredUILanguages", class:0x2, length:0xC, resultlength:0x0, hand
le:0x224, path:"\REGISTRY\USER\S-1-5-21-2360094602-2602383397-2463990887-1001\Co
ntrol Panel\Desktop"
24
20
MUI\Settings"
990887-1001"
0887-1001\Control Panel\Desktop\MuiCached"
pid:4092, tid:2168, tick:0x33D6FC1, lvl:LOG, func:NtQueryValueKey, status:0x8000
0005, name:"MachinePreferredUILanguages", class:0x2, length:0xC, resultlength:0x
18, handle:0x224, path:"\REGISTRY\USER\S-1-5-21-2360094602-2602383397-2463990887
-1001\Control Panel\Desktop\MuiCached"
me:"MachinePreferredUILanguages", class:0x2, length:0x18, resultlength:0x18, han
dle:0x224, path:"\REGISTRY\USER\S-1-5-21-2360094602-2602383397-2463990887-1001\C
ontrol Panel\Desktop\MuiCached"
24
20
pid:4092, tid:2168, tick:0x33D6FC1, lvl:OK, func:NtCreateSemaphore, status:0x0,
handle:0x264, access:0x100003, initialcount:0x0, maxcount:0x7FFFFFFF

me:"advapi32.dll", module:0x77B40000
pid:4092, tid:2168, tick:0x33D6FC1, lvl:OK, func:LdrGetProcedureAddressForCaller
, status:0x0, module:0x77B40000, name:"EventWrite", ordinal:0x0, address:0x77C6D
C10, image:0x0, caller:0x757C11C3
, status:0x0, module:0x77B40000, name:"EventRegister", ordinal:0x0, address:0x77
C3B590, image:0x0, caller:0x757C11DC
, status:0x0, module:0x77B40000, name:"EventUnregister", ordinal:0x0, address:0x
77C41E30, image:0x0, caller:0x757C11F5
, status:0x0, module:0x77C10000, name:"EtwEventRegister", ordinal:0x0, address:0
x77C3B590, image:0x0, caller:0x7582E069
, status:0x0, module:0x77C10000, name:"EtwEventUnregister", ordinal:0x0, address
:0x77C41E30, image:0x0, caller:0x7582E07C
, status:0x0, module:0x77C10000, name:"EtwEventEnabled", ordinal:0x0, address:0x
77C6FE90, image:0x0, caller:0x7582E08F
, status:0x0, module:0x77C10000, name:"EtwEventWrite", ordinal:0x0, address:0x77
C6DC10, image:0x0, caller:0x7582E0A2
pid:4092, tid:2168, tick:0x33D6FC1, lvl:OK, func:LdrLoadDll, status:0x0, flags:0
x0, module:"shell32.dll", handle:0x75670000
me:"shell32", module:0x75670000
me:"shell32", module:0x75670000
pid:4092, tid:2168, tick:0x33D6FC1, lvl:OK, func:NtOpenSection, status:0x0, hand
le:0x298, access:0xF, path:"\KnownDlls32\ole32.dll"
address:0x75580000, zerobits:0x0, commitsize:0x0, viewsize:0xEB000, disposition
:0x1, type:0x800000, protect:0x4, handle:0x298, path:"\KnownDlls32\ole32.dll"
98
pid:4092, tid:2168, tick:0x33D6FC1, lvl:LOG, func:NtOpenKeyEx, status:0xC0000034
, handle:0x0, access:0x20019, path:"\REGISTRY\MACHINE\Software\Microsoft\OLE\Tra
cing"
x0, attribs:0x20, path:"C:\WINDOWS\system32\oleaut32.dll"
pid:4092, tid:2168, tick:0x33D6FC1, lvl:OK, func:NtOpenFile, status:0x0, handle:
0x2A0, access:0x100001, iostatus:0x0, information:0x1, share:0x5, options:0x60,
path:"C:\WINDOWS\system32\oleaut32.dll"
pid:4092, tid:2168, tick:0x33D6FC1, lvl:OK, func:NtCreateSection, status:0x0, ha
ndle:0x2A4, access:0x4, pageattribs:0x2, sectionattribs:0x8000000, file:0x2A0
address:0xD90000, zerobits:0x0, commitsize:0x0, viewsize:0x93000, disposition:0
x1, type:0x0, protect:0x2, handle:0x2A4, path:"C:\WINDOWS\system32\oleaut32.dll"
0, address:0xD90000
A4
A0
pid:4092, tid:2168, tick:0x33D6FC1, lvl:LOG, func:LdrGetDllHandle, status:0xC000
0135, name:"C:\WINDOWS\system32\oleaut32.dll"
x0, module:"ole32.dll", handle:0x75580000

me:"ole32", module:0x75580000
me:"ole32", module:0x75580000
le:0x2A4, access:0xF, path:"\KnownDlls32\oleaut32.dll"
address:0x754E0000, zerobits:0x0, commitsize:0x0, viewsize:0x95000, disposition
:0x1, type:0x800000, protect:0x4, handle:0x2A4, path:"\KnownDlls32\OLEAUT32.dll"
A4
x0, attribs:0x20, path:"C:\WINDOWS\SYSTEM32\ole32.dll"
me:"ext-ms-win-ole32-oleautomation-l1-1-0.dll", module:0x75580000
pid:4092, tid:2168, tick:0x33D6FC1, lvl:OK, func:LdrResolveDelayLoadedAPI, statu
s:0x0, module:0x754E0000
pid:4092, tid:2168, tick:0x33D6FC1, lvl:LOG, func:NtOpenKeyEx, status:0xC0000034
, handle:0x0, access:0x1, path:"\REGISTRY\MACHINE\SOFTWARE\Microsoft\OLEAUT"
x0, module:"oleaut32.dll", handle:0x754E0000
me:"oleaut32", module:0x754E0000
x0, module:"gdi32.dll", handle:0x779F0000
me:"gdi32", module:0x779F0000
le:0x2A4, access:0xF, path:"\KnownDlls32\ws2_32.dll"
address:0x775F0000, zerobits:0x0, commitsize:0x0, viewsize:0x5F000, disposition
:0x1, type:0x800000, protect:0x4, handle:0x2A4, path:"\KnownDlls32\WS2_32.dll"
A4
x0, module:"ws2_32.dll", handle:0x775F0000
me:"ws2_32", module:0x775F0000
x0, module:"rpcrt4.dll", handle:0x77000000

me:"rpcrt4", module:0x77000000
x0, module:"user32.dll", handle:0x75050000
me:"user32", module:0x75050000
address:0x5A0000, zerobits:0x0, commitsize:0x0, offset:0x220000, viewsize:0x100
0, address:0x570000
0, address:0x5A0000
plicate regkey CurrentVersion will not be added as it is at lower layer."
0, address:0x570000
0, address:0x5A0000
handle:0x0, access:0x8, path:"\Registry\Machine\Software\Microsoft\Windows\Curre
ntVersion\SideBySide\AssemblyStorageRoots"
address:0x5A0000, zerobits:0x0, commitsize:0x0, offset:0x1E0000, viewsize:0x100
0, address:0x570000
pid:4092, tid:2168, tick:0x33D6FC1, lvl:LOG, func:RecurseDirectoryConfig, log:"A
dding directory browser with flags: 2."
dding directory defaults with flags: 2."
dding directory dictionaries with flags: 2."

dding directory gmp-clearkey with flags: 2."
dding directory uninstall with flags: 2."
0, address:0x5A0000
dding directory webapprt with flags: 2."
0, address:0x570000
pid:4092, tid:2168, tick:0x33D6FC1, lvl:LOG, func:NtQueryAttributesFile, status:
0xC0000034, path:"C:\Program Files (x86)\Mozilla Firefox\firefox.exe.Local\"
0x2B0, access:0x100020, iostatus:0x0, information:0x1, share:0x3, options:0x21,
path:"C:\WINDOWS\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_5
.82.10586.0_none_811bc0006c44242b"
x0, attribs:0x20, path:"C:\WINDOWS\WinSxS\x86_microsoft.windows.common-controls_
6595b64144ccf1df_5.82.10586.0_none_811bc0006c44242b\comctl32.dll"
path:"C:\WINDOWS\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_5
.82.10586.0_none_811bc0006c44242b\comctl32.dll"
ndle:0x2B8, access:0xF, pageattribs:0x10, sectionattribs:0x1000000, file:0x2B4
:0x1, type:0x800000, protect:0x4, handle:0x2B8, path:"C:\WINDOWS\WinSxS\x86_micr
osoft.windows.common-controls_6595b64144ccf1df_5.82.10586.0_none_811bc0006c44242
b\comctl32.dll"
B8
B4
me:"KERNELBASE.DLL", module:0x776F0000
, status:0x0, module:0x776F0000, name:"FlsAlloc", ordinal:0x0, address:0x777B470
0, image:0x0, caller:0x6471F1B5
, status:0x0, module:0x776F0000, name:"FlsGetValue", ordinal:0x0, address:0x7779
F4E0, image:0x0, caller:0x6471F1C6
, status:0x0, module:0x776F0000, name:"FlsSetValue", ordinal:0x0, address:0x777A
DA10, image:0x0, caller:0x6471F1D7
, status:0x0, module:0x776F0000, name:"FlsFree", ordinal:0x0, address:0x777B61A0
, image:0x0, caller:0x6471F1E8
, status:0x0, module:0x776F0000, name:"EncodePointer", ordinal:0x0, address:0x77
C70070, image:0x0, caller:0x6471ED5D

, status:0x0, module:0x776F0000, name:"DecodePointer", ordinal:0x0, address:0x77
C6FE50, image:0x0, caller:0x6471ECCC
C6FE50, image:0x0, caller:0x6471ECCC
C70070, image:0x0, caller:0x6471F0D2
C6FE50, image:0x0, caller:0x6471F0E4
pid:4092, tid:2168, tick:0x33D6FC1, lvl:OK, func:GetCommandLineA, ret:0x68CBA0,
gle:0x0, cmdline:"\"C:\Program Files (x86)\Mozilla Firefox\firefox.exe\""
pid:4092, tid:2168, tick:0x33D6FC1, lvl:LOG, func:LdrGetDllHandle, status:0xC000
0135, name:"LPK.DLL"
me:"KERNEL32", module:0x74CD0000
, status:0x0, module:0x74CD0000, name:"ProcessIdToSessionId", ordinal:0x0, addre
ss:0x74CE8FA0, image:0x0, caller:0x647149F9
x2B8, access:0x20019, path:"\REGISTRY\USER\S-1-5-21-2360094602-2602383397-246399
0887-1001"
B8
x0, module:"imm32.dll", handle:0x77670000
, status:0x0, module:0x77670000, name:"ImmCreateContext", ordinal:0x0, address:0
x7767D5D0, image:0x0, caller:0x64714B09
, status:0x0, module:0x77670000, name:"ImmDestroyContext", ordinal:0x0, address:
0x7767D640, image:0x0, caller:0x64714B22
, status:0x0, module:0x77670000, name:"ImmNotifyIME", ordinal:0x0, address:0x776
81CB0, image:0x0, caller:0x64714B3B
, status:0x0, module:0x77670000, name:"ImmAssociateContext", ordinal:0x0, addres
s:0x77672380, image:0x0, caller:0x64714B54
, status:0x0, module:0x77670000, name:"ImmReleaseContext", ordinal:0x0, address:
0x77675430, image:0x0, caller:0x64714B6D
, status:0x0, module:0x77670000, name:"ImmGetContext", ordinal:0x0, address:0x77

672D10, image:0x0, caller:0x64714B86
, status:0x0, module:0x77670000, name:"ImmGetCompositionStringA", ordinal:0x0, a
ddress:0x7767E280, image:0x0, caller:0x64714B9B
, status:0x0, module:0x77670000, name:"ImmSetCompositionStringA", ordinal:0x0, a
ddress:0x7767F0A0, image:0x0, caller:0x64714BB0
, status:0x0, module:0x77670000, name:"ImmGetCompositionStringW", ordinal:0x0, a
ddress:0x7767E320, image:0x0, caller:0x64714BC5
, status:0x0, module:0x77670000, name:"ImmSetCompositionStringW", ordinal:0x0, a
ddress:0x7767F0D0, image:0x0, caller:0x64714BDA
, status:0x0, module:0x77670000, name:"ImmSetCandidateWindow", ordinal:0x0, addr
ess:0x7767EEE0, image:0x0, caller:0x64714BEF
x0, module:"comctl32.dll", handle:0x64710000
6595b64144ccf1df_5.82.10586.0_none_811bc0006c44242b\comctl32.DLL"
me:"comctl32", module:0x64710000
pid:4092, tid:2168, tick:0x33D6FC1, lvl:LOG, func:NtOpenSection, status:0xC00000
34, handle:0x0, access:0xF, path:"\KnownDlls32\version.dll"
0xC0000034, path:"C:\Users\i92segoa\Desktop\Firefox SEO\version.dll"
x0, attribs:0x20, path:"C:\WINDOWS\SYSTEM32\version.dll"
path:"C:\WINDOWS\SYSTEM32\version.dll"
address:0x743C0000, zerobits:0x0, commitsize:0x0, viewsize:0x8000, disposition:
0x1, type:0x800000, protect:0x4, handle:0x2B8, path:"C:\WINDOWS\SYSTEM32\version
.dll"
B8
B4
x0, module:"version.dll", handle:0x743C0000
me:"version", module:0x743C0000
me:"version", module:0x743C0000
x0, module:"gdi32.dll", handle:0x779F0000

me:"gdi32.dll", module:0x779F0000
me:"gdi32.dll", module:0x779F0000
34, handle:0x0, access:0xF, path:"\KnownDlls32\mswsock.dll"
0xC0000034, path:"C:\Users\i92segoa\Desktop\Firefox SEO\mswsock.dll"
x0, attribs:0x20, path:"C:\WINDOWS\SYSTEM32\mswsock.dll"
path:"C:\WINDOWS\SYSTEM32\mswsock.dll"
address:0x73700000, zerobits:0x0, commitsize:0x0, viewsize:0x4F000, disposition
:0x1, type:0x800000, protect:0x4, handle:0x2B8, path:"C:\WINDOWS\SYSTEM32\mswsoc
k.dll"
B8
B4
x0, module:"mswsock.dll", handle:0x73700000
me:"mswsock.dll", module:0x73700000
34, handle:0x0, access:0xF, path:"\KnownDlls32\dnsapi.dll"
0xC0000034, path:"C:\Users\i92segoa\Desktop\Firefox SEO\dnsapi.dll"
x0, attribs:0x20, path:"C:\WINDOWS\SYSTEM32\dnsapi.dll"
0x29C, access:0x100021, iostatus:0x0, information:0x1, share:0x5, options:0x60,
path:"C:\WINDOWS\SYSTEM32\dnsapi.dll"
ndle:0x2B4, access:0xF, pageattribs:0x10, sectionattribs:0x1000000, file:0x29C
:0x1, type:0x800000, protect:0x4, handle:0x2B4, path:"C:\WINDOWS\SYSTEM32\dnsapi
.dll"
le:0x2B8, access:0xF, path:"\KnownDlls32\NSI.dll"
address:0x77520000, zerobits:0x0, commitsize:0x0, viewsize:0x7000, disposition:
0x1, type:0x800000, protect:0x4, handle:0x2B8, path:"\KnownDlls32\NSI.dll"
B8
B4
9C
x0, module:"dnsapi.dll", handle:0x72170000
me:"dnsapi.dll", module:0x72170000

34, handle:0x0, access:0xF, path:"\KnownDlls32\httpapi.dll"
0xC0000034, path:"C:\Users\i92segoa\Desktop\Firefox SEO\httpapi.dll"
x0, attribs:0x20, path:"C:\WINDOWS\SYSTEM32\httpapi.dll"
0x2C4, access:0x100021, iostatus:0x0, information:0x1, share:0x5, options:0x60,
path:"C:\WINDOWS\SYSTEM32\httpapi.dll"
ndle:0x2C8, access:0xF, pageattribs:0x10, sectionattribs:0x1000000, file:0x2C4
address:0x74800000, zerobits:0x0, commitsize:0x0, viewsize:0xB000, disposition:
0x1, type:0x800000, protect:0x4, handle:0x2C8, path:"C:\WINDOWS\SYSTEM32\httpapi
.dll"
C8
C4
x0, module:"httpapi.dll", handle:0x74800000
me:"httpapi.dll", module:0x74800000
le:0x2C4, access:0xF, path:"\KnownDlls32\crypt32.dll"
n:0x1, type:0x800000, protect:0x4, handle:0x2C4, path:"\KnownDlls32\CRYPT32.dll"
le:0x2C8, access:0xF, path:"\KnownDlls32\MSASN1.dll"
address:0x75250000, zerobits:0x0, commitsize:0x0, viewsize:0xE000, disposition:
0x1, type:0x800000, protect:0x4, handle:0x2C8, path:"\KnownDlls32\MSASN1.dll"
C8
C4
x0, module:"crypt32.dll", handle:0x77870000
me:"crypt32.dll", module:0x77870000
me:"crypt32.dll", module:0x77870000
me:"shell32.dll", module:0x75670000
34, handle:0x0, access:0xF, path:"\KnownDlls32\mpr.dll"
0xC0000034, path:"C:\Users\i92segoa\Desktop\Firefox SEO\mpr.dll"
x0, attribs:0x20, path:"C:\WINDOWS\SYSTEM32\mpr.dll"
path:"C:\WINDOWS\SYSTEM32\mpr.dll"
ndle:0x2CC, access:0xF, pageattribs:0x10, sectionattribs:0x1000000, file:0x2C8
address:0x62CE0000, zerobits:0x0, commitsize:0x0, viewsize:0x16000, disposition
:0x1, type:0x800000, protect:0x4, handle:0x2CC, path:"C:\WINDOWS\SYSTEM32\mpr.dl
l"
CC
C8
pid:4092, tid:2168, tick:0x33D6FC1, lvl:OK, func:NtOpenKeyEx, status:0x0, handle
:0x2CC, access:0x20019, path:"\REGISTRY\MACHINE\system\CurrentControlSet\control
\NetworkProvider\HwOrder"
pid:4092, tid:2168, tick:0x33D6FC1, lvl:OK, func:NtNotifyChangeKey, status:0x103
, event:0x2C8, iostatus:0x103, information:0x0, filter:0x4, watch:0x0, length:0x
0, async:0x1, handle:0x2CC, path:"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control
\NetworkProvider\HwOrder"
handle:0x2D0, access:0x100003, initialcount:0x0, maxcount:0x7FFFFFFF
handle:0x2D4, access:0x100003, initialcount:0x0, maxcount:0x7FFFFFFF
x0, module:"mpr.dll", handle:0x62CE0000
me:"mpr.dll", module:0x62CE0000
me:"mpr.dll", module:0x62CE0000
x0, module:"advapi32.dll", handle:0x77B40000
me:"kernelbase.dll", module:0x776F0000
me:"sechost.dll", module:0x776A0000
x0, module:"shlwapi.dll", handle:0x77BC0000
me:"shlwapi.dll", module:0x77BC0000
x0, module:"advapi32.dll", handle:0x77B40000
x0, module:"sechost.dll", handle:0x776A0000
x0, module:"sechost.dll", handle:0x776A0000
pid:4092, tid:2168, tick:0x33D6FC1, lvl:OK,
x0, module:"ole32.dll", handle:0x75580000
me:"ole32.dll", module:0x75580000
func:LdrGetDllHandle, status:0x0, na
func:LdrLoadDll, status:0x0, flags:0
me:"user32.dll", module:0x75050000
pid:4092, tid:2168, tick:0x33D6FD0, lvl:LOG, func:InterceptAPI32, log:"Didn't fi
nd method CreateWindowA."
pid:4092, tid:2168, tick:0x33D6FD0, lvl:OK, func:LdrGetDllHandle, status:0x0, na
pid:4092, tid:2168, tick:0x33D6FD0, lvl:LOG, func:InterceptAPI32, log:"Didn't fi
nd method CreateWindowW."
pid:4092, tid:2168, tick:0x33D6FD0, lvl:OK, func:LdrLoadDll, status:0x0, flags:0
x0, module:"ws2_32.dll", handle:0x775F0000
me:"ws2_32.dll", module:0x775F0000
pid:4092, tid:2168, tick:0x33D6FD0, lvl:OK, func:NtMapViewOfSection, status:0x0,
pid:4092, tid:2168, tick:0x33D6FD0, lvl:OK, func:NtUnmapViewOfSection, status:0x
0, address:0x5A0000
pid:4092, tid:2168, tick:0x33D6FD0, lvl:LOG, func:RecurseDirectoryConfig, log:"A
dding directory x64 with flags: 3."
pid:4092, tid:2168, tick:0x33D6FD0, lvl:LOG, func:RecurseDirectoryConfig, log:"A
dding directory x86 with flags: 3."
0, address:0x570000
0, address:0x5A0000
pid:4092, tid:2168, tick:0x33D6FD0, lvl:OK, func:NtQueryAttributesFile, status:0
x0, attribs:0x82, path:"C:\Users\i92segoa\Desktop\Firefox SEO\__Xenocode\x86\vmx
.dll"
pid:4092, tid:2168, tick:0x33D6FD0, lvl:OK, func:NtOpenFile, status:0x0, handle:
path:"C:\Users\i92segoa\Desktop\Firefox SEO\__Xenocode\x86\vmx.dll"
pid:4092, tid:2168, tick:0x33D6FD0, lvl:OK, func:NtCreateSection, status:0x0, ha
ndle:0x2E0, access:0xF, pageattribs:0x10, sectionattribs:0x1000000, file:0x2D8
pid:4092, tid:2168, tick:0x33D6FD0, lvl:OK, func:NtClose, status:0x0, handle:0x2
E8
pid:4092, tid:2168, tick:0x33D6FD0, lvl:OK, func:NtSetInformationProcess, status
:0x0, class:0x1, length:0x38
EC
n:0x1, type:0x800000, protect:0x4, handle:0x2E0, path:"C:\Users\i92segoa\Desktop
\Firefox SEO\__Xenocode\x86\vmx.dll"
pid:4092, tid:2168, tick:0x33D6FD0, lvl:LOG, func:NtOpenSection, status:0xC00000
34, handle:0x0, access:0xF, path:"\KnownDlls32\WININET.dll"
34, handle:0x0, access:0xF, path:"\KnownDlls32\Secur32.dll"
E0

D8
pid:4092, tid:2168, tick:0x33D6FD0, lvl:LOG, func:NtQueryAttributesFile, status:
0xC0000034, path:"C:\Users\i92segoa\Desktop\Firefox SEO\WININET.dll"
x0, attribs:0x20, path:"C:\WINDOWS\SYSTEM32\WININET.dll"
0x2E4, access:0x100021, iostatus:0x0, information:0x1, share:0x5, options:0x60,
path:"C:\WINDOWS\SYSTEM32\WININET.dll"
ndle:0x2EC, access:0xF, pageattribs:0x10, sectionattribs:0x1000000, file:0x2E4
address:0x701C0000, zerobits:0x0, commitsize:0x0, viewsize:0x277000, dispositio
n:0x1, type:0x800000, protect:0x4, handle:0x2EC, path:"C:\WINDOWS\SYSTEM32\WININ
ET.dll"
EC
E4
0xC0000034, path:"C:\Users\i92segoa\Desktop\Firefox SEO\Secur32.dll"
x0, attribs:0x20, path:"C:\WINDOWS\SYSTEM32\Secur32.dll"
0x2E4, access:0x100021, iostatus:0x0, information:0x1, share:0x5, options:0x60,
path:"C:\WINDOWS\SYSTEM32\Secur32.dll"
ndle:0x2EC, access:0xF, pageattribs:0x10, sectionattribs:0x1000000, file:0x2E4
address:0x732C0000, zerobits:0x0, commitsize:0x0, viewsize:0xA000, disposition:
0x1, type:0x800000, protect:0x4, handle:0x2EC, path:"C:\WINDOWS\SYSTEM32\Secur32
.dll"
EC
E4
pid:4092, tid:2168, tick:0x33D6FD0, lvl:OK, func:LdrResolveDelayLoadedAPI, statu
s:0x0, module:0x701C0000
pid:4092, tid:2168, tick:0x33D6FD0, lvl:OK, func:New_NtQueryInformationToken::<l
ambda_7138ae5cd59c00b0ddad740776ba328b>::operator (), status:0x0, token:0x2EC, c
lass:0x1D, length:0x4, returnlength:0x4
EC
E8
EC
pid:4092, tid:2168, tick:0x33D6FD0, lvl:OK, func:LdrGetProcedureAddressForCaller
, status:0x0, module:0x74CD0000, name:"FlsAlloc", ordinal:0x0, address:0x74CEA98
0, image:0x0, caller:0x1005CEC3
, status:0x0, module:0x74CD0000, name:"FlsFree", ordinal:0x0, address:0x74CF4FF0
, image:0x0, caller:0x1005CED6
, status:0x0, module:0x74CD0000, name:"FlsGetValue", ordinal:0x0, address:0x74CE
7570, image:0x0, caller:0x1005CEE9

, status:0x0, module:0x74CD0000, name:"FlsSetValue", ordinal:0x0, address:0x74CE
9E30, image:0x0, caller:0x1005CEFC
, status:0x0, module:0x74CD0000, name:"InitializeCriticalSectionEx", ordinal:0x0
, address:0x74CF6740, image:0x0, caller:0x1005CF0F
, status:0x0, module:0x74CD0000, name:"CreateSemaphoreExW", ordinal:0x0, address
:0x74CF6700, image:0x0, caller:0x1005CF22
, status:0x0, module:0x74CD0000, name:"SetThreadStackGuarantee", ordinal:0x0, ad
dress:0x74CEB040, image:0x0, caller:0x1005CF35
, status:0x0, module:0x74CD0000, name:"CreateThreadpoolTimer", ordinal:0x0, addr
ess:0x74CEACE0, image:0x0, caller:0x1005CF48
, status:0x0, module:0x74CD0000, name:"SetThreadpoolTimer", ordinal:0x0, address
:0x77C3A8F0, image:0x0, caller:0x1005CF5B
, status:0x0, module:0x74CD0000, name:"WaitForThreadpoolTimerCallbacks", ordinal
:0x0, address:0x77C398B0, image:0x0, caller:0x1005CF6E
, status:0x0, module:0x74CD0000, name:"CloseThreadpoolTimer", ordinal:0x0, addre
ss:0x77C39130, image:0x0, caller:0x1005CF81
, status:0x0, module:0x74CD0000, name:"CreateThreadpoolWait", ordinal:0x0, addre
ss:0x74CEA7B0, image:0x0, caller:0x1005CF94
, status:0x0, module:0x74CD0000, name:"SetThreadpoolWait", ordinal:0x0, address:
0x77C7ACA0, image:0x0, caller:0x1005CFA7
, status:0x0, module:0x74CD0000, name:"CloseThreadpoolWait", ordinal:0x0, addres
s:0x77C37FA0, image:0x0, caller:0x1005CFBA
, status:0x0, module:0x74CD0000, name:"FlushProcessWriteBuffers", ordinal:0x0, a
ddress:0x77C87990, image:0x0, caller:0x1005CFCD
, status:0x0, module:0x74CD0000, name:"FreeLibraryWhenCallbackReturns", ordinal:
0x0, address:0x77C7AC60, image:0x0, caller:0x1005CFE0
, status:0x0, module:0x74CD0000, name:"GetCurrentProcessorNumber", ordinal:0x0,
address:0x77C6D620, image:0x0, caller:0x1005CFF3
, status:0x0, module:0x74CD0000, name:"GetLogicalProcessorInformation", ordinal:
0x0, address:0x74CEAC80, image:0x0, caller:0x1005D006
, status:0x0, module:0x74CD0000, name:"CreateSymbolicLinkW", ordinal:0x0, addres
s:0x74D10830, image:0x0, caller:0x1005D019
, status:0x0, module:0x74CD0000, name:"SetDefaultDllDirectories", ordinal:0x0, a
ddress:0x77826210, image:0x0, caller:0x1005D02C
, status:0x0, module:0x74CD0000, name:"EnumSystemLocalesEx", ordinal:0x0, addres
s:0x74CEFE80, image:0x0, caller:0x1005D03F
, status:0x0, module:0x74CD0000, name:"CompareStringEx", ordinal:0x0, address:0x
74CEFF80, image:0x0, caller:0x1005D052
, status:0x0, module:0x74CD0000, name:"GetDateFormatEx", ordinal:0x0, address:0x
74D10E00, image:0x0, caller:0x1005D065

, status:0x0, module:0x74CD0000, name:"GetLocaleInfoEx", ordinal:0x0, address:0x
74CEA750, image:0x0, caller:0x1005D078
, status:0x0, module:0x74CD0000, name:"GetTimeFormatEx", ordinal:0x0, address:0x
74D11240, image:0x0, caller:0x1005D08B
, status:0x0, module:0x74CD0000, name:"GetUserDefaultLocaleName", ordinal:0x0, a
ddress:0x74CEAD60, image:0x0, caller:0x1005D09E
, status:0x0, module:0x74CD0000, name:"IsValidLocaleName", ordinal:0x0, address:
0x74D11460, image:0x0, caller:0x1005D0B1
, status:0x0, module:0x74CD0000, name:"LCMapStringEx", ordinal:0x0, address:0x74
CE9A10, image:0x0, caller:0x1005D0C4
, status:0x0, module:0x74CD0000, name:"GetCurrentPackageId", ordinal:0x0, addres
s:0x777AE140, image:0x0, caller:0x1005D0D7
pid:4092, tid:2168, tick:0x33D6FD0, lvl:OK, func:GetCommandLineA, ret:0x68CBA0,
s:0x0, module:0x77000000
x0, module:"Kernel32.dll", handle:0x74CD0000
, status:0x0, module:0x74CD0000, name:"GetTickCount64", ordinal:0x0, address:0x7
4CE3630, image:0x0, caller:0x1010934B
x0, module:"C:\Users\i92segoa\Desktop\Firefox SEO\__Xenocode\x86\vmx.dll", handl
e:0x10000000

pid:4092, tid:2168, tick:0x33D6FD0, lvl:LOG, func:LdrGetDllHandle, status:0xC000
0135, name:"sxwmon32.dll"
:0x0, class:0xC, length:0x4
0xC0000034, path:"C:\Users\i92segoa\Desktop\Firefox SEO\data\roaming\modified\@P
ROGRAMFILESX86@\Mozilla Firefox\firefox.exe"
0xC0000034, path:"C:\Users\i92segoa\Desktop\Firefox SEO\data\roaming\modified\@P
ROGRAMFILESX86@\Mozilla Firefox\firefox.exe.DLL"
pid:4092, tid:2168, tick:0x33D6FD0, lvl:OK, func:NtAssociateWaitCompletionPacket
, status:0x0, completionpacket:0x2F0, iocompletion:0x38, handle:0xCC, path:"\Ses
sions\1\BaseNamedObjects\_xvm_evt_notification_0xA527E666CB0D6807"
pid:4092, tid:2168, tick:0x33D6FD0, lvl:LOG, func:ExtraInit, log:"Finished extra
init. Time consumed so far: 78 ms."
pid:4092, tid:2168, tick:0x33D6FD0, lvl:LOG, func:NtCreateFile, status:0xC000003
A, handle:0x0, access:0x80100080, iostatus:0xC0, information:0xA30055F6, attribs
:0x80, share:0x3, disposition:0x1, options:0x60, path:"C:\_spoon\windowclassexce
ption.txt"
0, address:0x570000
0, address:0x5A0000
pid:4092, tid:2168, tick:0x33D6FD0, lvl:LOG, func:NtOpenFile, status:0xC0000034,
handle:0x0, access:0x100001, iostatus:0x1D0FE0, information:0x100, share:0x7, o
ptions:0x4021, path:"C:\_spoon\"
pid:4092, tid:2168, tick:0x33D6FD0, lvl:OK, func:NtOpenKey, status:0x0, handle:0
x2F4, access:0x20019, path:"\Registry\Machine\System\CurrentControlSet\Control\C
omputerName\ActiveComputerName"
pid:4092, tid:2168, tick:0x33D6FD0, lvl:OK, func:NtQueryValueKey, status:0x0, na
me:"ComputerName", class:0x1, length:0x80, resultlength:0x50, handle:0x2F4, path

:"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\ComputerName\ActiveComputerName
"
F4
x2F4, access:0x20019, path:"\Registry\Machine\System\Setup"
me:"OOBEInProgress", class:0x1, length:0x80, resultlength:0x34, handle:0x2F4, pa
th:"\REGISTRY\MACHINE\SYSTEM\Setup"
F4
x2F4, access:0x20019, path:"\Registry\Machine\System\Setup"
me:"SystemSetupInProgress", class:0x1, length:0x80, resultlength:0x44, handle:0x
2F4, path:"\REGISTRY\MACHINE\SYSTEM\Setup"
F4
pid:4092, tid:2168, tick:0x33D6FD0, lvl:LOG, func:GetComputerNameExW, ret:0x1, g
le:0xCB, NameType:0x0, lpBuffer:"DESKTOP-OHU1LUJ", lpnSize:0xF
pid:4092, tid:2168, tick:0x33D6FD0, lvl:LOG, func:VmLog, log:"LICENSE: Checking
license."
pid:4092, tid:2168, tick:0x33D6FD0, lvl:LOG, func:VmLog, log:"LICENSE: Checking
expiration if can expire."
pid:4092, tid:2168, tick:0x33D6FD0, lvl:LOG, func:VmLog, log:"LICENSE: Passed."
s:0x0, module:0x736A0000
pid:4092, tid:2168, tick:0x33D6FD0, lvl:OK, func:NtCreateFile, status:0x0, handl
e:0x2F4, access:0x100080, iostatus:0x0, information:0x0, attribs:0x0, share:0x3,
disposition:0x1, options:0x40, path:"\??\Nsi"
pid:4092, tid:2168, tick:0x33D6FD0, lvl:OK, func:NtDeviceIoControlFile, status:0
x105, event:0x2F8, iostatus:0x105, information:0x70, code:0x12001B, inlen:0x3C,
outlen:0x3C, handle:0x2F4, path:"\??\Nsi"
F8
x0, event:0x2F8, iostatus:0x0, information:0x70, code:0x12001B, inlen:0x3C, outl
en:0x3C, handle:0x2F4, path:"\??\Nsi"
F8
x0, event:0x2F8, iostatus:0x0, information:0x50, code:0x120007, inlen:0x30, outl
en:0x4, handle:0x2F4, path:"\??\Nsi"
F8
pid:4092, tid:2168, tick:0x33D6FD0, lvl:LOG, func:NtDeviceIoControlFile, status:
0xC0000225, event:0x2F8, iostatus:0x0, information:0x19E8DC, code:0x12000F, inle
n:0x38, outlen:0x38, handle:0x2F4, path:"\??\Nsi"
F8
F8
F8
F8
F8
F8
F8
F8
F8
F8
F8
F8
x0, event:0x2F8, iostatus:0x0, information:0x68, code:0x12000F, inlen:0x38, outl
F8
34, handle:0x0, access:0xF, path:"\KnownDlls32\dhcpcsvc.DLL"
0xC0000034, path:"C:\Users\i92segoa\Desktop\Firefox SEO\dhcpcsvc.DLL"
x0, attribs:0x20, path:"C:\WINDOWS\SYSTEM32\dhcpcsvc.DLL"
path:"C:\WINDOWS\SYSTEM32\dhcpcsvc.DLL"

ndle:0x2F8, access:0xF, pageattribs:0x10, sectionattribs:0x1000000, file:0x2C0
address:0x705C0000, zerobits:0x0, commitsize:0x0, viewsize:0x14000, disposition
:0x1, type:0x800000, protect:0x4, handle:0x2F8, path:"C:\WINDOWS\SYSTEM32\dhcpcs
vc.DLL"
F8
C0
pid:4092, tid:2168, tick:0x33D6FD0, lvl:OK, func:NtOpenKeyEx, status:0x0, handle
:0x2F8, access:0x20019, path:"\REGISTRY\MACHINE\System\CurrentControlSet\Service
s\Tcpip\Parameters\Interfaces"
x0, event:0x2FC, iostatus:0x0, information:0x68, code:0x12000F, inlen:0x38, outl
FC
:0x2FC, access:0x1, path:"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Tcpip\
Parameters\Interfaces\{abd919bb-91ac-4c6c-8277-e2111fefc2db}"
me:"EnableDhcp", class:0x2, length:0x90, resultlength:0x10, handle:0x2FC, path:"
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{abd
919bb-91ac-4c6c-8277-e2111fefc2db}"
F8
FC
e:0x2FC, access:0x100001, iostatus:0x0, information:0x0, attribs:0x80, share:0x3
, disposition:0x1, options:0x0, path:"\DEVICE\NETBT_TCPIP_{ABD919BB-91AC-4C6C-82
77-E2111FEFC2DB}"
x0, iostatus:0x0, information:0x0, code:0x21009A, inlen:0x0, outlen:0x3C, handle
:0x2FC, path:"\DEVICE\NETBT_TCPIP_{ABD919BB-91AC-4C6C-8277-E2111FEFC2DB}"
FC
0xC0000225, event:0x2FC, iostatus:0x736A18B0, information:0x0, code:0x12000F, in
len:0x38, outlen:0x38, handle:0x2F4, path:"\??\Nsi"
FC
FC
FC
:0x2FC, access:0x20019, path:"\REGISTRY\MACHINE\System\CurrentControlSet\Service

F8
:0x2F8, access:0x1, path:"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Tcpip\
Parameters\Interfaces\{c81413b6-ce1c-47be-a023-4451f682ef7b}"
me:"EnableDhcp", class:0x2, length:0x90, resultlength:0x10, handle:0x2F8, path:"
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{c81
413b6-ce1c-47be-a023-4451f682ef7b}"
FC
F8
e:0x2F8, access:0x100001, iostatus:0x0, information:0x0, attribs:0x80, share:0x3
, disposition:0x1, options:0x0, path:"\DEVICE\NETBT_TCPIP_{C81413B6-CE1C-47BE-A0
23-4451F682EF7B}"
:0x2F8, path:"\DEVICE\NETBT_TCPIP_{C81413B6-CE1C-47BE-A023-4451F682EF7B}"
F8
F8
:0x2F8, access:0x20019, path:"\REGISTRY\MACHINE\System\CurrentControlSet\Service
FC
:0x2FC, access:0x1, path:"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Tcpip\
Parameters\Interfaces\{1d1269e9-273b-4f67-a226-1f36daec17e1}"
me:"EnableDhcp", class:0x2, length:0x90, resultlength:0x10, handle:0x2FC, path:"
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{1d1
269e9-273b-4f67-a226-1f36daec17e1}"
F8
FC
e:0x2FC, access:0x100001, iostatus:0x0, information:0x0, attribs:0x80, share:0x3
, disposition:0x1, options:0x0, path:"\DEVICE\NETBT_TCPIP_{1D1269E9-273B-4F67-A2
26-1F36DAEC17E1}"
:0x2FC, path:"\DEVICE\NETBT_TCPIP_{1D1269E9-273B-4F67-A226-1F36DAEC17E1}"
FC

FC
FC
FC
FC
FC
FC
FC
FC
FC
FC
FC
FC
pid:4092, tid:2168, tick:0x33D6FE0, lvl:OK, func:NtOpenKeyEx, status:0x0, handle

:0x304, access:0x20019, path:"\REGISTRY\MACHINE\System\CurrentControlSet\Service
pid:4092, tid:2168, tick:0x33D6FE0, lvl:OK, func:NtDeviceIoControlFile, status:0
x0, event:0x308, iostatus:0x0, information:0x68, code:0x12000F, inlen:0x38, outl
pid:4092, tid:2168, tick:0x33D6FE0, lvl:OK, func:NtClose, status:0x0, handle:0x3
08
:0x308, access:0x1, path:"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Tcpip\
Parameters\Interfaces\{326e8084-72c2-41be-908e-dcd81f25f732}"
pid:4092, tid:2168, tick:0x33D6FE0, lvl:OK, func:NtQueryValueKey, status:0x0, na
me:"EnableDhcp", class:0x2, length:0x90, resultlength:0x10, handle:0x308, path:"
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{326
e8084-72c2-41be-908e-dcd81f25f732}"
04
08
pid:4092, tid:2168, tick:0x33D6FE0, lvl:OK, func:LdrLoadDll, status:0x0, flags:0
x0, module:"rpcrt4.dll", handle:0x77000000
:0x308, access:0x20019, path:"\REGISTRY\MACHINE\Software\Microsoft\Rpc"
pid:4092, tid:2168, tick:0x33D6FE0, lvl:LOG, func:NtQueryValueKey, status:0xC000
0034, name:"MaxRpcSize", class:0x2, length:0x90, resultlength:0x201C8, handle:0x
308, path:"\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\Rpc"
08
pid:4092, tid:2168, tick:0x33D6FE0, lvl:OK, func:New_NtQueryInformationToken::<l
ambda_7138ae5cd59c00b0ddad740776ba328b>::operator (), status:0x0, token:0xFFFFFF
FA, class:0x1D, length:0x4, returnlength:0x4
pid:4092, tid:2168, tick:0x33D6FE0, lvl:LOG, func:NtQuerySecurityObject, status:
0xC0000023, class:0x17, length:0x0, requiredlength:0xE8, handle:0x304, path:"\RP
C Control"
pid:4092, tid:2168, tick:0x33D6FE0, lvl:OK, func:NtQuerySecurityObject, status:0
x0, class:0x17, length:0xE8, requiredlength:0xE8, handle:0x304, path:"\RPC Contr
ol"
ambda_7138ae5cd59c00b0ddad740776ba328b>::operator (), status:0x0, token:0x30C, c
lass:0xA, length:0x38, returnlength:0x38
lass:0x4, length:0x48, returnlength:0x20
lass:0x19, length:0x4C, returnlength:0x14, sid:"S-1-16-8192", attributes:0x60
pid:4092, tid:2168, tick:0x33D6FE0, lvl:LOG, func:New_NtQueryInformationToken::<
lambda_7138ae5cd59c00b0ddad740776ba328b>::operator (), status:0xC0000023, token:
0x30C, class:0x5, length:0x0, returnlength:0x20
FC, class:0x29, length:0x48, returnlength:0x4

04
0C
pid:4092, tid:2168, tick:0x33D6FE0, lvl:LOG, func:NtOpenKeyEx, status:0xC0000034
, handle:0x0, access:0x20019, path:"\REGISTRY\MACHINE\Software\Policies\Microsof
t\Windows NT\Rpc"
:0x314, access:0x1, path:"\REGISTRY\MACHINE\Software\Microsoft\Rpc"
0034, name:"IdleTimerWindow", class:0x2, length:0x90, resultlength:0x19DF38, han
dle:0x314, path:"\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\Rpc"
14
pid:4092, tid:2168, tick:0x33D6FE0, lvl:OK, func:NtDuplicateObject, status:0x0,
targethandle:0x318, access:0x0, inherit:0x0, options:0x2, handle:0xFFFFFFFE
pid:4092, tid:2168, tick:0x33D6FE0, lvl:OK, func:NtCreateFile, status:0x0, handl
e:0x320, access:0x100001, iostatus:0x0, information:0x0, attribs:0x80, share:0x3
, disposition:0x1, options:0x0, path:"\DEVICE\NETBT_TCPIP_{326E8084-72C2-41BE-90
8E-DCD81F25F732}"
:0x320, path:"\DEVICE\NETBT_TCPIP_{326E8084-72C2-41BE-908E-DCD81F25F732}"
20

20
24
Parameters\Interfaces\{fe6ca5f4-30ac-4d3c-9c85-547684bf338a}"
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{fe6
ca5f4-30ac-4d3c-9c85-547684bf338a}"
20
24
, disposition:0x1, options:0x0, path:"\DEVICE\NETBT_TCPIP_{FE6CA5F4-30AC-4D3C-9C
85-547684BF338A}"
:0x324, path:"\DEVICE\NETBT_TCPIP_{FE6CA5F4-30AC-4D3C-9C85-547684BF338A}"
24
pid:4092, tid:2168, tick:0x33D6FE0, lvl:LOG, func:NtDeviceIoControlFile, status:
0xC0000225, event:0x324, iostatus:0x736A18B0, information:0x0, code:0x12000F, in
24
24
24
24
24

24
x0, event:0x324, iostatus:0x0, information:0x70, code:0x12001B, inlen:0x3C, outl
24
24
24
24
:0x324, access:0x20019, path:"\REGISTRY\MACHINE\SYSTEM\CurrentControlSet\Service
s\Tcpip\Linkage"
pid:4092, tid:2168, tick:0x33D6FE0, lvl:LOG, func:NtQueryValueKey, status:0x8000
0005, name:"Bind", class:0x2, length:0x90, resultlength:0x2A0, handle:0x324, pat
h:"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Linkage"
me:"Bind", class:0x2, length:0x2A0, resultlength:0x2A0, handle:0x324, path:"\REG
ISTRY\MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Linkage"
24
pid:4092, tid:2168, tick:0x33D6FE0, lvl:LOG, func:NtOpenSection, status:0xC00000
34, handle:0x0, access:0xF, path:"\KnownDlls32\CRYPTSP.dll"
pid:4092, tid:2168, tick:0x33D6FE0, lvl:LOG, func:NtQueryAttributesFile, status:
0xC0000034, path:"C:\Users\i92segoa\Desktop\Firefox SEO\CRYPTSP.dll"
pid:4092, tid:2168, tick:0x33D6FE0, lvl:OK, func:NtQueryAttributesFile, status:0
x0, attribs:0x20, path:"C:\WINDOWS\SYSTEM32\CRYPTSP.dll"
pid:4092, tid:2168, tick:0x33D6FE0, lvl:OK, func:NtOpenFile, status:0x0, handle:
path:"C:\WINDOWS\SYSTEM32\CRYPTSP.dll"
pid:4092, tid:2168, tick:0x33D6FE0, lvl:OK, func:NtCreateSection, status:0x0, ha
ndle:0x320, access:0xF, pageattribs:0x10, sectionattribs:0x1000000, file:0x324
pid:4092, tid:2168, tick:0x33D6FE0, lvl:OK, func:NtMapViewOfSection, status:0x0,
:0x1, type:0x800000, protect:0x4, handle:0x320, path:"C:\WINDOWS\SYSTEM32\CRYPTS
P.dll"

20
24
pid:4092, tid:2168, tick:0x33D6FE0, lvl:OK, func:LdrResolveDelayLoadedAPI, statu
s:0x0, module:0x77B40000
:0x320, access:0x20019, path:"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\
Defaults\Provider\Microsoft Base Cryptographic Provider v1.0"
TRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Defaults\Provider\Micros
oft Base Cryptographic Provider v1.0"
me:"Image Path", class:0x2, length:0x90, resultlength:0x4E, handle:0x320, path:"
\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Defaults\Provider\
Microsoft Base Cryptographic Provider v1.0"
34, handle:0x0, access:0xF, path:"\KnownDlls32\rsaenh.dll"
x0, attribs:0x20, path:"C:\WINDOWS\system32\rsaenh.dll"
path:"C:\WINDOWS\system32\rsaenh.dll"
ndle:0x32C, access:0xF, pageattribs:0x10, sectionattribs:0x1000000, file:0x328
address:0x705E0000, zerobits:0x0, commitsize:0x0, viewsize:0x2F000, disposition
:0x1, type:0x800000, protect:0x4, handle:0x32C, path:"C:\WINDOWS\system32\rsaenh
.dll"
34, handle:0x0, access:0xF, path:"\KnownDlls32\bcrypt.dll"
2C
28
0xC0000034, path:"C:\Users\i92segoa\Desktop\Firefox SEO\bcrypt.dll"
x0, attribs:0x20, path:"C:\WINDOWS\SYSTEM32\bcrypt.dll"
path:"C:\WINDOWS\SYSTEM32\bcrypt.dll"
ndle:0x32C, access:0xF, pageattribs:0x10, sectionattribs:0x1000000, file:0x328
address:0x72B20000, zerobits:0x0, commitsize:0x0, viewsize:0x1B000, disposition
:0x1, type:0x800000, protect:0x4, handle:0x32C, path:"C:\WINDOWS\SYSTEM32\bcrypt
.dll"
2C
28
pid:4092, tid:2168, tick:0x33D6FE0, lvl:OK, func:NtCreateSemaphore, status:0x0,
pid:4092, tid:2168, tick:0x33D6FE0, lvl:OK, func:NtCreateSemaphore, status:0x0,
path:"\Device\KsecDD"
x0, iostatus:0x0, information:0x0, code:0x390402, inlen:0x68, outlen:0x8, handle
:0x340, path:"\Device\KsecDD"
x0, module:"C:\WINDOWS\system32\rsaenh.dll", handle:0x705E0000
pid:4092, tid:2168, tick:0x33D6FE0, lvl:OK, func:LdrGetProcedureAddressForCaller
, status:0x0, module:0x705E0000, name:"CPAcquireContext", ordinal:0x0, address:0
x705E4CA0, image:0x0, caller:0x706542D4
, status:0x0, module:0x705E0000, name:"CPReleaseContext", ordinal:0x0, address:0
x705E8930, image:0x0, caller:0x706542D4
, status:0x0, module:0x705E0000, name:"CPGenKey", ordinal:0x0, address:0x705E600
0, image:0x0, caller:0x706542D4
, status:0x0, module:0x705E0000, name:"CPDeriveKey", ordinal:0x0, address:0x705F
ADE0, image:0x0, caller:0x706542D4
, status:0x0, module:0x705E0000, name:"CPDestroyKey", ordinal:0x0, address:0x705
E6D30, image:0x0, caller:0x706542D4
, status:0x0, module:0x705E0000, name:"CPSetKeyParam", ordinal:0x0, address:0x70
5FC7D0, image:0x0, caller:0x706542D4
, status:0x0, module:0x705E0000, name:"CPGetKeyParam", ordinal:0x0, address:0x70
5E8800, image:0x0, caller:0x706542D4
, status:0x0, module:0x705E0000, name:"CPExportKey", ordinal:0x0, address:0x705E
5B80, image:0x0, caller:0x706542D4
, status:0x0, module:0x705E0000, name:"CPImportKey", ordinal:0x0, address:0x705E
, status:0x0, module:0x705E0000, name:"CPEncrypt", ordinal:0x0, address:0x705F98
E0, image:0x0, caller:0x706542D4
, status:0x0, module:0x705E0000, name:"CPDecrypt", ordinal:0x0, address:0x705E95
A0, image:0x0, caller:0x706542D4
, status:0x0, module:0x705E0000, name:"CPCreateHash", ordinal:0x0, address:0x705
, status:0x0, module:0x705E0000, name:"CPHashData", ordinal:0x0, address:0x705E6
, status:0x0, module:0x705E0000, name:"CPHashSessionKey", ordinal:0x0, address:0
x705FA650, image:0x0, caller:0x706542D4
, status:0x0, module:0x705E0000, name:"CPDestroyHash", ordinal:0x0, address:0x70

5E5A30, image:0x0, caller:0x706542D4
, status:0x0, module:0x705E0000, name:"CPSignHash", ordinal:0x0, address:0x705FF
, status:0x0, module:0x705E0000, name:"CPVerifySignature", ordinal:0x0, address:
0x705E6290, image:0x0, caller:0x706542D4
, status:0x0, module:0x705E0000, name:"CPGenRandom", ordinal:0x0, address:0x705E
8C10, image:0x0, caller:0x706542D4
, status:0x0, module:0x705E0000, name:"CPGetUserKey", ordinal:0x0, address:0x705
EB040, image:0x0, caller:0x706542D4
, status:0x0, module:0x705E0000, name:"CPSetProvParam", ordinal:0x0, address:0x7
05FD280, image:0x0, caller:0x706542D4
, status:0x0, module:0x705E0000, name:"CPGetProvParam", ordinal:0x0, address:0x7
05FB820, image:0x0, caller:0x706542D4
, status:0x0, module:0x705E0000, name:"CPSetHashParam", ordinal:0x0, address:0x7
05E6EC0, image:0x0, caller:0x706542D4
, status:0x0, module:0x705E0000, name:"CPGetHashParam", ordinal:0x0, address:0x7
, status:0x0, module:0x705E0000, name:"CPDuplicateKey", ordinal:0x0, address:0x7
05FB620, image:0x0, caller:0x70654303
, status:0x0, module:0x705E0000, name:"CPDuplicateHash", ordinal:0x0, address:0x
705FA4C0, image:0x0, caller:0x70654303
:0x34C, access:0x20119, path:"\REGISTRY\MACHINE\Software\Policies\Microsoft\Cryp
tography"
0034, name:"PrivKeyCacheMaxItems", class:0x2, length:0x90, resultlength:0x11, ha
ndle:0x34C, path:"\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Cryptography"
0034, name:"PrivKeyCachePurgeIntervalSeconds", class:0x2, length:0x90, resultlen
gth:0x20, handle:0x34C, path:"\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Cryp
tography"
0034, name:"PrivateKeyLifetimeSeconds", class:0x2, length:0x90, resultlength:0x2
0, handle:0x34C, path:"\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Cryptograph
y"
4C
4C
:0x34C, access:0x20119, path:"\REGISTRY\MACHINE\Software\Microsoft\Cryptography"
me:"MachineGuid", class:0x2, length:0x90, resultlength:0x56, handle:0x34C, path:
"\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\Cryptography"
4C
, handle:0x0, access:0x20019, path:"\REGISTRY\MACHINE\Software\Microsoft\Cryptog
raphy\Offload"
lass:0x1, length:0x400, returnlength:0x24, sid:"S-1-5-21-2360094602-2602383397-2
463990887-1001", attributes:0x0
4C
raphy\DESHashSessionKeyBackward"
20
x0, iostatus:0x0, information:0xE0, code:0x390402, inlen:0x40, outlen:0x180, han
dle:0x340, path:"\Device\KsecDD"
x0, module:"C:\WINDOWS\system32\bcryptprimitives.dll", handle:0x74AB0000
, status:0x0, module:0x74AB0000, name:"GetHashInterface", ordinal:0x0, address:0
x74AC98C0, image:0x0, caller:0x72B3146B
20
x105, event:0x320, iostatus:0x105, information:0x70, code:0x12001B, inlen:0x3C,
outlen:0x3C, handle:0x2F4, path:"\??\Nsi"
20
pid:4092, tid:9004, tick:0x33D6FE0, lvl:LOG, func:BaseThreadInitThunk, log:"New
thread started (via BaseThreadInitThunk) at address: 0x10039100, parameter: 0x10
14D36C"
20
34, handle:0x0, access:0xF, path:"\KnownDlls32\iertutil.dll"
x0, event:0x320, iostatus:0x0, information:0x50, code:0x120007, inlen:0x30, outl
20
0xC0000225, event:0x320, iostatus:0x0, information:0x19E8D4, code:0x12000F, inle
20

20
20
20
0xC0000034, path:"C:\Users\i92segoa\Desktop\Firefox SEO\iertutil.dll"
20
20
20
20
20
20
x0, attribs:0x20, path:"C:\WINDOWS\SYSTEM32\iertutil.dll"
20
20

20
54
Parameters\Interfaces\{abd919bb-91ac-4c6c-8277-e2111fefc2db}"
path:"C:\WINDOWS\SYSTEM32\iertutil.dll"
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{abd
919bb-91ac-4c6c-8277-e2111fefc2db}"
20
ndle:0x350, access:0xF, pageattribs:0x10, sectionattribs:0x1000000, file:0x34C
54
address:0x72810000, zerobits:0x0, commitsize:0x0, viewsize:0x2CF000, dispositio
n:0x1, type:0x800000, protect:0x4, handle:0x350, path:"C:\WINDOWS\SYSTEM32\iertu
til.dll"
, disposition:0x1, options:0x0, path:"\DEVICE\NETBT_TCPIP_{ABD919BB-91AC-4C6C-82
77-E2111FEFC2DB}"
:0x354, path:"\DEVICE\NETBT_TCPIP_{ABD919BB-91AC-4C6C-8277-E2111FEFC2DB}"
54
54
54
54
50
4C

20
Parameters\Interfaces\{c81413b6-ce1c-47be-a023-4451f682ef7b}"
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{c81
413b6-ce1c-47be-a023-4451f682ef7b}"
54
20
pid:4092, tid:9004, tick:0x33D6FE0, lvl:OK, func:NtSetInformationProcess, status
, disposition:0x1, options:0x0, path:"\DEVICE\NETBT_TCPIP_{C81413B6-CE1C-47BE-A0
23-4451F682EF7B}"
:0x320, path:"\DEVICE\NETBT_TCPIP_{C81413B6-CE1C-47BE-A023-4451F682EF7B}"
20
20
pid:4092, tid:9004, tick:0x33D6FE0, lvl:OK, func:LdrGetDllHandle, status:0x0, na
, status:0x0, module:0x77C10000, name:"RtlGetDeviceFamilyInfoEnum", ordinal:0x0,
address:0x77C7B110, image:0x0, caller:0x72A1504F
54
Parameters\Interfaces\{1d1269e9-273b-4f67-a226-1f36daec17e1}"
ambda_7138ae5cd59c00b0ddad740776ba328b>::operator (), status:0x0, token:0x350, c
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{1d1
269e9-273b-4f67-a226-1f36daec17e1}"

lass:0x3, length:0x1F8, returnlength:0x40
20
50
54
, disposition:0x1, options:0x0, path:"\DEVICE\NETBT_TCPIP_{1D1269E9-273B-4F67-A2
26-1F36DAEC17E1}"
pid:4092, tid:9004, tick:0x33D6FE0, lvl:OK, func:NtOpenEvent, status:0x0, handle
:0x350, access:0x1, path:"\SECURITY\LSA_AUTHENTICATION_INITIALIZED"
:0x354, path:"\DEVICE\NETBT_TCPIP_{1D1269E9-273B-4F67-A226-1F36DAEC17E1}"
50
54
pid:4092, tid:9004, tick:0x33D6FE0, lvl:OK, func:NtDuplicateObject, status:0x0,
targethandle:0x35C, access:0x0, inherit:0x0, options:0x2, handle:0xFFFFFFFE
54
54
54
54
54
54

54
54
54
x0, module:"sspicli.dll", handle:0x74940000
54
54
54
s:0x0, module:0x776F0000
20
FA, class:0x1, length:0x50, returnlength:0x24, sid:"S-1-5-21-2360094602-26023833
97-2463990887-1001", attributes:0x0
Parameters\Interfaces\{326e8084-72c2-41be-908e-dcd81f25f732}"
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{326
e8084-72c2-41be-908e-dcd81f25f732}"
54
20
pid:4092, tid:9004, tick:0x33D6FE0, lvl:OK, func:NtOpenKey, status:0x0, handle:0
990887-1001"

, disposition:0x1, options:0x0, path:"\DEVICE\NETBT_TCPIP_{326E8084-72C2-41BE-90
8E-DCD81F25F732}"
:0x320, path:"\DEVICE\NETBT_TCPIP_{326E8084-72C2-41BE-908E-DCD81F25F732}"
pid:4092, tid:9004, tick:0x33D6FE0, lvl:OK, func:NtUnmapViewOfSection, status:0x
0, address:0x570000
20
20
0, address:0x5A0000
pid:4092, tid:9004, tick:0x33D6FE0, lvl:LOG, func:RecurseRegistryConfig, log:"Du
plicate regkey Windows will not be added as it is at lower layer."
54
0, address:0x570000
Parameters\Interfaces\{fe6ca5f4-30ac-4d3c-9c85-547684bf338a}"
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{fe6
ca5f4-30ac-4d3c-9c85-547684bf338a}"
20
0, address:0x5A0000
54
plicate regkey CurrentVersion will not be added as it is at lower layer."
, disposition:0x1, options:0x0, path:"\DEVICE\NETBT_TCPIP_{FE6CA5F4-30AC-4D3C-9C
85-547684BF338A}"

:0x354, path:"\DEVICE\NETBT_TCPIP_{FE6CA5F4-30AC-4D3C-9C85-547684BF338A}"
0, address:0x570000
54
54
0, address:0x5A0000
54
0, address:0x570000
54
plicate regkey Explorer will not be added as it is at lower layer."
54
plicate regkey Internet Settings will not be added as it is at lower layer."
54
54
54

0, address:0x5A0000
54
0, address:0x570000
54
:0x370, access:0x20019, path:"\REGISTRY\USER\S-1-5-21-2360094602-2602383397-2463
990887-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
0034, name:"SyncMode5", class:0x2, length:0x90, resultlength:0x10, handle:0x370,
path:"\REGISTRY\USER\S-1-5-21-2360094602-2602383397-2463990887-1001\Software\Mi
crosoft\Windows\CurrentVersion\Internet Settings"
54
s\Tcpip\Linkage"
:0x374, access:0x20019, path:"\REGISTRY\MACHINE\Software\Microsoft\Windows\Curre
ntVersion\Internet Settings\5.0\Cache"
0034, name:"SessionStartTimeDefaultDeltaSecs", class:0x2, length:0x90, resultlen
gth:0x10, handle:0x374, path:"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\W
indows\CurrentVersion\Internet Settings\5.0\Cache"
lass:0x19, length:0x64, returnlength:0x14, sid:"S-1-16-8192", attributes:0x60
78

54
lass:0x1, length:0x4C, returnlength:0x24, sid:"S-1-5-21-2360094602-2602383397-24
63990887-1001", attributes:0x0
78
pid:4092, tid:9004, tick:0x33D6FE0, lvl:WRN, func:New_NtQueryInformationToken::<
lambda_7138ae5cd59c00b0ddad740776ba328b>::operator (), status:0xC0000024, class:
0x1, length:0x40, returnlength:0xFFFFFFF8
Defaults\Provider\Microsoft Base Cryptographic Provider v1.0"
pid:4092, tid:9004, tick:0x33D6FE0, lvl:WRN, func:New_NtQueryInformationToken::<
0x1D, length:0x4, returnlength:0x0
oft Base Cryptographic Provider v1.0"

pid:4092, tid:9004, tick:0x33D6FE0, lvl:OK, func:NtOpenSection, status:0x0, hand
le:0x37C, access:0x6, path:"\Sessions\1\BaseNamedObjects\windows_shell_global_co
unters"
address:0x570000, zerobits:0x0, commitsize:0x0, offset:0x0, viewsize:0x1000, di
sposition:0x1, type:0x0, protect:0x4, handle:0x37C, path:"\Sessions\1\BaseNamedO
bjects\windows_shell_global_counters"
address:0x5B0000, zerobits:0x0, commitsize:0x0, offset:0x270000, viewsize:0x100

0, address:0x5A0000
78
ntVersion\Explorer\FolderDescriptions"
:0x378, access:0x20119, path:"\REGISTRY\MACHINE\Software\Microsoft\Cryptography"
me:"MachineGuid", class:0x2, length:0x90, resultlength:0x56, handle:0x378, path:
:0x388, access:0x20019, path:"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\W
indows\CurrentVersion\Explorer\FolderDescriptions\{352481E8-33BE-4251-BA85-6007C
AEDCF9D}"
78
80
me:"Category", class:0x2, length:0x90, resultlength:0x10, handle:0x388, path:"\R
EGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\F
olderDescriptions\{352481E8-33BE-4251-BA85-6007CAEDCF9D}"
raphy\Offload"
me:"Name", class:0x2, length:0x90, resultlength:0x18, handle:0x388, path:"\REGIS
TRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Folde
rDescriptions\{352481E8-33BE-4251-BA85-6007CAEDCF9D}"

463990887-1001", attributes:0x0
me:"ParentFolder", class:0x2, length:0x90, resultlength:0x5A, handle:0x388, path
:"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explor
er\FolderDescriptions\{352481E8-33BE-4251-BA85-6007CAEDCF9D}"
78
0034, name:"Description", class:0x2, length:0x90, resultlength:0x5A, handle:0x38
8, path:"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion
\Explorer\FolderDescriptions\{352481E8-33BE-4251-BA85-6007CAEDCF9D}"
me:"RelativePath", class:0x2, length:0x90, resultlength:0x44, handle:0x388, path
54
0034, name:"ParsingName", class:0x2, length:0x90, resultlength:0x44, handle:0x38
\Explorer\FolderDescriptions\{352481E8-33BE-4251-BA85-6007CAEDCF9D}"
0034, name:"InfoTip", class:0x2, length:0x90, resultlength:0x44, handle:0x388, p
ath:"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Exp
lorer\FolderDescriptions\{352481E8-33BE-4251-BA85-6007CAEDCF9D}"
0034, name:"LocalizedName", class:0x2, length:0x90, resultlength:0x44, handle:0x
388, path:"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersi
on\Explorer\FolderDescriptions\{352481E8-33BE-4251-BA85-6007CAEDCF9D}"
54
0034, name:"Icon", class:0x2, length:0x90, resultlength:0x44, handle:0x388, path
0034, name:"Security", class:0x2, length:0x90, resultlength:0x44, handle:0x388,
path:"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Ex
plorer\FolderDescriptions\{352481E8-33BE-4251-BA85-6007CAEDCF9D}"
pid:4092, tid:4644, tick:0x33D6FE0, lvl:LOG, func:BaseThreadInitThunk, log:"New
thread started (via BaseThreadInitThunk) at address: 0x100390E0, parameter: 0x10
14D398"
0034, name:"StreamResource", class:0x2, length:0x90, resultlength:0x44, handle:0
x388, path:"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVers
ion\Explorer\FolderDescriptions\{352481E8-33BE-4251-BA85-6007CAEDCF9D}"
pid:4092, tid:2168, tick:0x33D6FE0, lvl:LOG, func:ShellExecuteFile, log:"Launchi
ng startup file C:\Program Files (x86)\Mozilla Firefox\firefox.exe, verb open, p
arams , cur-dir C:\Users\i92segoa\Desktop\Firefox SEO\, Wait for Return 2"
0034, name:"StreamResourceType", class:0x2, length:0x90, resultlength:0x44, hand
le:0x388, path:"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\Current
Version\Explorer\FolderDescriptions\{352481E8-33BE-4251-BA85-6007CAEDCF9D}"
s:0x0, module:0x75670000

me:"LocalRedirectOnly", class:0x2, length:0x90, resultlength:0x10, handle:0x388,
path:"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\E
xplorer\FolderDescriptions\{352481E8-33BE-4251-BA85-6007CAEDCF9D}"
0034, name:"Roamable", class:0x2, length:0x90, resultlength:0x10, handle:0x388,
plorer\FolderDescriptions\{352481E8-33BE-4251-BA85-6007CAEDCF9D}"
0034, name:"PreCreate", class:0x2, length:0x90, resultlength:0x10, handle:0x388,
xplorer\FolderDescriptions\{352481E8-33BE-4251-BA85-6007CAEDCF9D}"
0, address:0x5B0000
0034, name:"Stream", class:0x2, length:0x90, resultlength:0x10, handle:0x388, pa
th:"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Expl
orer\FolderDescriptions\{352481E8-33BE-4251-BA85-6007CAEDCF9D}"
0034, name:"PublishExpandedPath", class:0x2, length:0x90, resultlength:0x10, han
dle:0x388, path:"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\Curren
tVersion\Explorer\FolderDescriptions\{352481E8-33BE-4251-BA85-6007CAEDCF9D}"
:0x354, access:0x1, path:"\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVe
rsion\Policies\Explorer"
0034, name:"DefinitionFlags", class:0x2, length:0x90, resultlength:0x10, handle:
0x388, path:"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVer
sion\Explorer\FolderDescriptions\{352481E8-33BE-4251-BA85-6007CAEDCF9D}"
0034, name:"EnableShellExecuteHooks", class:0x2, length:0x90, resultlength:0x0,
handle:0x354, path:"\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\Windows\CurrentVersion\
Policies\Explorer"
54
0034, name:"Attributes", class:0x2, length:0x90, resultlength:0x10, handle:0x388
, path:"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\
Explorer\FolderDescriptions\{352481E8-33BE-4251-BA85-6007CAEDCF9D}"
0034, name:"FolderTypeID", class:0x2, length:0x90, resultlength:0x10, handle:0x3
88, path:"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersio
n\Explorer\FolderDescriptions\{352481E8-33BE-4251-BA85-6007CAEDCF9D}"
, handle:0x0, access:0x1, path:"\REGISTRY\USER\S-1-5-21-2360094602-2602383397-24
63990887-1001\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
0034, name:"InitFolderHandler", class:0x2, length:0x90, resultlength:0x10, handl
e:0x388, path:"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentV
ersion\Explorer\FolderDescriptions\{352481E8-33BE-4251-BA85-6007CAEDCF9D}"
s:0x0, module:0x75670000
, handle:0x0, access:0x20019, path:"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Micro
soft\Windows\CurrentVersion\Explorer\FolderDescriptions\{352481E8-33BE-4251-BA85
-6007CAEDCF9D}\PropertyBag"
88
0, address:0x5A0000
x0, attribs:0x10, path:"C:\Users\i92segoa\Desktop\Firefox SEO\"
0, address:0x5B0000
s:0x0, module:0x75670000
87-1001\Software\Microsoft\Windows\CurrentVersion\Explorer"
0, address:0x5A0000
0, address:0x5B0000
0xC0000034, path:"C:\WINDOWS\system32\rpcss.dll"
pid:4092, tid:2168, tick:0x33D6FE0, lvl:LOG, func:LdrGetDllHandle, status:0xC000
0135, name:"C:\WINDOWS\system32\rpcss.dll"
0, address:0x5A0000
s:0x0, module:0x74DC0000
plicate regkey UserAssist will not be added as it is at lower layer."
87-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1"
63990887-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\K
nownFolders"
80
0, address:0x5B0000

0, address:0x5A0000
34, handle:0x0, access:0xF, path:"\KnownDlls32\uxtheme.dll"
x380, access:0x2000000, path:"\REGISTRY\USER"
:0x320, access:0x20019, path:"\REGISTRY\USER\.DEFAULT"
:0x358, access:0x20019, path:"\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows
\CurrentVersion\Explorer\User Shell Folders"
20
me:"Cache", class:0x2, length:0x90, resultlength:0x7C, handle:0x358, path:"\REGI
STRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell
Folders"
x0, attribs:0x20, path:"C:\WINDOWS\system32\uxtheme.dll"
:0x320, access:0x20019, path:"\REGISTRY\MACHINE\Software\Microsoft\Windows NT\Cu
rrentVersion\ProfileList"
me:"Default", class:0x2, length:0x90, resultlength:0x44, handle:0x320, path:"\RE
GISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\ProfileList"
20
58
path:"C:\WINDOWS\system32\uxtheme.dll"
:0x1, type:0x800000, protect:0x4, handle:0x390, path:"C:\WINDOWS\system32\uxthem
e.dll"
nownFolders"
20
97-2463990887-1001", attributes:0x0
0887-1001"

90
8C
:0x38C, access:0x20019, path:"\REGISTRY\USER\S-1-5-21-2360094602-2602383397-2463
990887-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folder
s"
84
x0, module:"C:\WINDOWS\system32\uxtheme.dll", handle:0x71930000
me:"Cache", class:0x2, length:0x90, resultlength:0x84, handle:0x38C, path:"\REGI
STRY\USER\S-1-5-21-2360094602-2602383397-2463990887-1001\SOFTWARE\Microsoft\Wind
ows\CurrentVersion\Explorer\User Shell Folders"
, status:0x0, module:0x71930000, name:"ThemeInitApiHook", ordinal:0x0, address:0
x71953160, image:0x0, caller:0x7506F4C6
58
8C
pid:4092, tid:9004, tick:0x33D6FE0, lvl:OK, func:NtOpenProcess, status:0x0, hand
le:0x38C, access:0x400, processid:0xFFC, threadid:0x0, path:""
8C
58
0x358, class:0x19, length:0x0, returnlength:0x14
58
pid:4092, tid:9004, tick:0x33D6FE0, lvl:OK, func:NtOpenProcess, status:0x0, hand
le:0x358, access:0x400, processid:0xFFC, threadid:0x0, path:""
58
8C
63990887-1001", attributes:0x0
8C
pid:4092, tid:2168, tick:0x33D6FE0, lvl:OK, func:CreateWindowExW, ret:0x108EA, g
le:0x0, parent:0xFFFFFFFD, class:"", window:"OleMainThreadWndName"
, status:0x0, module:0x75050000, name:"IsImmersiveProcess", ordinal:0x0, address

:0x7506FEA0, image:0x0, caller:0x72A15666
s:0x0, module:0x75670000
s:0x0, module:0x75670000
, handle:0x0, access:0x1, path:"\REGISTRY\MACHINE\Software\Policies\Microsoft\Wi
ndows\Explorer"
0x38C, access:0x100000, iostatus:0x0, information:0x0, share:0x0, options:0x8000
21, path:"C:\WINDOWS"
pid:4092, tid:9004, tick:0x33D6FE0, lvl:OK, func:NtQueryVolumeInformationFile, s
tatus:0x0, iostatus:0x0, information:0x18, length:0x18, class:0x3, handle:0x38C,
path:"C:\WINDOWS"
63990887-1001\Software\Policies\Microsoft\Windows\Explorer"
8C
0, address:0x5B0000
address:0x5B0000, zerobits:0x0, commitsize:0x0, offset:0x1E0000, viewsize:0x100
0, address:0x5A0000
0, address:0x5B0000
990887-1001\Software\Microsoft\Internet Explorer\Main"
0034, name:"FrameTabWindow", class:0x2, length:0x90, resultlength:0x0, handle:0x
358, path:"\REGISTRY\USER\S-1-5-21-2360094602-2602383397-2463990887-1001\Softwar
e\Microsoft\Internet Explorer\Main"
0, address:0x5A0000
:0x398, access:0x20019, path:"\REGISTRY\MACHINE\Software\Microsoft\Internet Expl
orer\Main"
0034, name:"FrameTabWindow", class:0x2, length:0x90, resultlength:0x10, handle:0
x398, path:"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\M
ain"
e:0x39C, access:0x100081, iostatus:0x0, information:0x1, attribs:0x0, share:0x7,
disposition:0x1, options:0x4020, path:"C:\Program Files (x86)\Mozilla Firefox"
0034, name:"FrameMerging", class:0x2, length:0x90, resultlength:0x0, handle:0x35

8, path:"\REGISTRY\USER\S-1-5-21-2360094602-2602383397-2463990887-1001\Software\
Microsoft\Internet Explorer\Main"
pid:4092, tid:2168, tick:0x33D6FE0, lvl:WRN, func:NtQueryInformationFile, status
:0xC000000D, iostatus:0x19EEC8, information:0x0, length:0x74, class:0x37, handle
:0x39C, path:"C:\Program Files (x86)\Mozilla Firefox"
0034, name:"FrameMerging", class:0x2, length:0x90, resultlength:0x0, handle:0x39
8, path:"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main
"
0034, name:"SessionMerging", class:0x2, length:0x90, resultlength:0x0, handle:0x
e\Microsoft\Internet Explorer\Main"
0034, name:"SessionMerging", class:0x2, length:0x90, resultlength:0x0, handle:0x
398, path:"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Ma
in"
0034, name:"AdminTabProcs", class:0x2, length:0x90, resultlength:0x0, handle:0x3
58, path:"\REGISTRY\USER\S-1-5-21-2360094602-2602383397-2463990887-1001\Software
\Microsoft\Internet Explorer\Main"
0034, name:"AdminTabProcs", class:0x2, length:0x90, resultlength:0x0, handle:0x3
98, path:"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Mai
n"
pid:4092, tid:2168, tick:0x33D6FE0, lvl:OK, func:NtQueryDirectoryFile, status:0x
0, iostatus:0x0, information:0x88, length:0x278, class:0x25, single:0x3DB001, ma
sk:"firefox.exe", restart:0x1, handle:0x39C, path:"C:\Program Files (x86)\Mozill
a Firefox"
0x3A4, class:0x19, length:0x0, returnlength:0x14
9C
ambda_7138ae5cd59c00b0ddad740776ba328b>::operator (), status:0x0, token:0x3A4, c
A4
A4
34, handle:0x0, access:0xF, path:"\KnownDlls32\PROPSYS.dll"
t\Internet Explorer\Main"
, handle:0x0, access:0x20019, path:"\REGISTRY\USER\S-1-5-21-2360094602-260238339
7-2463990887-1001\Software\Policies\Microsoft\Internet Explorer\Main"
0xC0000034, path:"C:\Users\i92segoa\Desktop\Firefox SEO\PROPSYS.dll"
0034, name:"TabProcGrowth", class:0x2, length:0x90, resultlength:0x0, handle:0x3

n"
x0, attribs:0x20, path:"C:\WINDOWS\SYSTEM32\PROPSYS.dll"
n"
ndows\Explorer"
pid:4092, tid:2168, tick:0x33D6FF0, lvl:OK, func:NtOpenFile, status:0x0, handle:
path:"C:\WINDOWS\SYSTEM32\PROPSYS.dll"
pid:4092, tid:9004, tick:0x33D6FF0, lvl:LOG, func:NtOpenKeyEx, status:0xC0000034
pid:4092, tid:2168, tick:0x33D6FF0, lvl:OK, func:NtCreateSection, status:0x0, ha
pid:4092, tid:9004, tick:0x33D6FF0, lvl:OK, func:New_NtQueryInformationToken::<l
pid:4092, tid:2168, tick:0x33D6FF0, lvl:OK, func:NtMapViewOfSection, status:0x0,
address:0x717E0000, zerobits:0x0, commitsize:0x0, viewsize:0x14B000, dispositio
n:0x1, type:0x800000, protect:0x4, handle:0x384, path:"C:\WINDOWS\SYSTEM32\PROPS
YS.dll"
pid:4092, tid:9004, tick:0x33D6FF0, lvl:OK, func:NtOpenKeyEx, status:0x0, handle
:0x3A8, access:0x20019, path:"\REGISTRY\MACHINE\Software\Microsoft\Windows\Curre
:0x3AC, access:0x20019, path:"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\W
indows\CurrentVersion\Explorer\FolderDescriptions\{F1B32785-6FBA-4FCF-9D55-7B8E7
F157091}"
pid:4092, tid:2168, tick:0x33D6FF0, lvl:OK, func:NtClose, status:0x0, handle:0x3
84
A8
9C
pid:4092, tid:9004, tick:0x33D6FF0, lvl:OK, func:NtQueryValueKey, status:0x0, na
me:"Category", class:0x2, length:0x90, resultlength:0x10, handle:0x3AC, path:"\R
olderDescriptions\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}"
me:"Name", class:0x2, length:0x90, resultlength:0x28, handle:0x3AC, path:"\REGIS
rDescriptions\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}"
pid:4092, tid:9004, tick:0x33D6FF0, lvl:LOG, func:NtQueryValueKey, status:0xC000
0034, name:"ParentFolder", class:0x2, length:0x90, resultlength:0x10, handle:0x3
AC, path:"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersio
n\Explorer\FolderDescriptions\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}"
0034, name:"Description", class:0x2, length:0x90, resultlength:0x10, handle:0x3A
C, path:"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion
\Explorer\FolderDescriptions\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}"

me:"RelativePath", class:0x2, length:0x90, resultlength:0x28, handle:0x3AC, path
er\FolderDescriptions\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}"
0034, name:"ParsingName", class:0x2, length:0x90, resultlength:0x28, handle:0x3A
pid:4092, tid:2168, tick:0x33D6FF0, lvl:OK, func:LdrResolveDelayLoadedAPI, statu
s:0x0, module:0x75670000
0034, name:"InfoTip", class:0x2, length:0x90, resultlength:0x28, handle:0x3AC, p
lorer\FolderDescriptions\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}"
3AC, path:"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersi
on\Explorer\FolderDescriptions\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}"
0034, name:"Icon", class:0x2, length:0x90, resultlength:0x28, handle:0x3AC, path
er\FolderDescriptions\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}"
s:0x0, module:0x77BC0000
0034, name:"Security", class:0x2, length:0x90, resultlength:0x28, handle:0x3AC,
plorer\FolderDescriptions\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}"
x3AC, path:"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVers
ion\Explorer\FolderDescriptions\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}"
le:0x3AC, path:"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\Current
Version\Explorer\FolderDescriptions\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}"
me:"LocalRedirectOnly", class:0x2, length:0x90, resultlength:0x10, handle:0x3AC,
xplorer\FolderDescriptions\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}"
0034, name:"NoPropertiesMyComputer", class:0x2, length:0x90, resultlength:0x19EF
F0, handle:0x384, path:"\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\Windows\CurrentVers
ion\Policies\Explorer"
84
0034, name:"Roamable", class:0x2, length:0x90, resultlength:0x10, handle:0x3AC,
plorer\FolderDescriptions\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}"
0034, name:"PreCreate", class:0x2, length:0x90, resultlength:0x10, handle:0x3AC,
xplorer\FolderDescriptions\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}"
0034, name:"Stream", class:0x2, length:0x90, resultlength:0x10, handle:0x3AC, pa
orer\FolderDescriptions\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}"
me:"PublishExpandedPath", class:0x2, length:0x90, resultlength:0x10, handle:0x3A
0x3AC, path:"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVer
sion\Explorer\FolderDescriptions\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}"
0034, name:"NoPropertiesRecycleBin", class:0x2, length:0x90, resultlength:0x19EF
F0, handle:0x384, path:"\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\Windows\CurrentVers
ion\Policies\Explorer"
84
0034, name:"Attributes", class:0x2, length:0x90, resultlength:0x10, handle:0x3AC
Explorer\FolderDescriptions\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}"
n\Explorer\FolderDescriptions\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}"
e:0x3AC, path:"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentV
ersion\Explorer\FolderDescriptions\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}"
soft\Windows\CurrentVersion\Explorer\FolderDescriptions\{F1B32785-6FBA-4FCF-9D55
-7B8E7F157091}\PropertyBag"
0034, name:"NoControlPanel", class:0x2, length:0x90, resultlength:0x0, handle:0x
384, path:"\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\Windows\CurrentVersion\Policies\
Explorer"
AC
84
0034, name:"NoSetFolders", class:0x2, length:0x90, resultlength:0x0, handle:0x38
4, path:"\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\Windows\CurrentVersion\Policies\Ex
plorer"
84
:0x3AC, access:0x1, path:"\REGISTRY\USER\S-1-5-21-2360094602-2602383397-24639908
nownFolders"
AC
97-2463990887-1001", attributes:0x0
0034, name:"NoInternetIcon", class:0x2, length:0x90, resultlength:0x19EFF0, hand
le:0x384, path:"\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\Windows\CurrentVersion\Poli
cies\Explorer"
84
pid:4092, tid:9004, tick:0x33D6FF0, lvl:OK, func:NtOpenKey, status:0x0, handle:0
0887-1001"
, handle:0x0, access:0x9, path:"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\Cur
rentVersion\ShellCompatibility\Applications\firefox.exe"
:0x3B8, access:0x20019, path:"\REGISTRY\USER\S-1-5-21-2360094602-2602383397-2463
s"
B4
me:"Local AppData", class:0x2, length:0x90, resultlength:0x44, handle:0x3B8, pat
h:"\REGISTRY\USER\S-1-5-21-2360094602-2602383397-2463990887-1001\SOFTWARE\Micros
oft\Windows\CurrentVersion\Explorer\User Shell Folders"
rsion\Explorer\Desktop\NameSpace"
0034, name:"ValidateRegItems", class:0x2, length:0x90, resultlength:0x19F114, ha
ndle:0x384, path:"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\Curre
ntVersion\Explorer\Desktop\NameSpace"
A4

84
B8
ambda_7138ae5cd59c00b0ddad740776ba328b>::operator (), status:0x0, token:0x3B8, c
rsion\Explorer\Desktop\NameSpace"
me:"MonitorRegistry", class:0x2, length:0x90, resultlength:0x10, handle:0x384, p
lorer\Desktop\NameSpace"
84
:0x3AC, access:0x20019, path:"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\W
indows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA331
7B67173}"
A4
me:"Category", class:0x2, length:0x90, resultlength:0x10, handle:0x3AC, path:"\R
olderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}"
me:"Name", class:0x2, length:0x90, resultlength:0x1C, handle:0x3AC, path:"\REGIS
rDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}"
0034, name:"NoCommonGroups", class:0x2, length:0x90, resultlength:0x19F000, hand
le:0x384, path:"\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\Windows\CurrentVersion\Poli
cies\Explorer"
84
n\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}"
0034, name:"Description", class:0x2, length:0x90, resultlength:0x10, handle:0x3A
\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}"
0034, name:"RelativePath", class:0x2, length:0x90, resultlength:0x10, handle:0x3
0034, name:"ParsingName", class:0x2, length:0x90, resultlength:0x10, handle:0x3A
\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}"
0034, name:"InfoTip", class:0x2, length:0x90, resultlength:0x10, handle:0x3AC, p
lorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}"
3AC, path:"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersi
on\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}"
0034, name:"Icon", class:0x2, length:0x90, resultlength:0x10, handle:0x3AC, path
er\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}"
0034, name:"Security", class:0x2, length:0x90, resultlength:0x10, handle:0x3AC,
plorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}"
97-2463990887-1001", attributes:0x0
x3AC, path:"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVers
ion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}"
le:0x3AC, path:"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\Current
Version\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}"
0034, name:"LocalRedirectOnly", class:0x2, length:0x90, resultlength:0x10, handl
ersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}"
0034, name:"Roamable", class:0x2, length:0x90, resultlength:0x10, handle:0x3AC,
plorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}"
pid:4092, tid:2168, tick:0x33D6FF0, lvl:OK, func:NtUnmapViewOfSection, status:0x
0, address:0x5B0000
0034, name:"PreCreate", class:0x2, length:0x90, resultlength:0x10, handle:0x3AC,
xplorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}"
0034, name:"Stream", class:0x2, length:0x90, resultlength:0x10, handle:0x3AC, pa

orer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}"
0, address:0x5A0000
dle:0x3AC, path:"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\Curren
tVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}"
990887-1001_Classes"
0x3AC, path:"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVer
sion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}"
0034, name:"Attributes", class:0x2, length:0x90, resultlength:0x10, handle:0x3AC
Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}"
0, address:0x5B0000
ersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}"
0, address:0x5A0000
soft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE
-EA3317B67173}\PropertyBag"
AC
ambda_7138ae5cd59c00b0ddad740776ba328b>::operator (), status:0x0, token:0x3AC, c
63990887-1001", attributes:0x0
:0x3A4, access:0x20019, path:"\REGISTRY\MACHINE\Software\Microsoft\Windows NT\Cu
rrentVersion\ProfileList\S-1-5-21-2360094602-2602383397-2463990887-1001"
me:"ProfileImagePath", class:0x2, length:0x90, resultlength:0x30, handle:0x3A4,
path:"\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\ProfileList
\S-1-5-21-2360094602-2602383397-2463990887-1001"
me:"ProfileImagePath", class:0x2, length:0x90, resultlength:0x30, handle:0x3A4,
\S-1-5-21-2360094602-2602383397-2463990887-1001"
A4
AC
B8
pid:4092, tid:9004, tick:0x33D6FF0, lvl:LOG, func:NtCreateFile, status:0xC000003
5, handle:0x0, access:0x100001, iostatus:0xDD, information:0xBD20DC, attribs:0x8
0, share:0x3, disposition:0x2, options:0x204021, path:"C:\Users\i92segoa"
pid:4092, tid:9004, tick:0x33D6FF0, lvl:OK, func:NtQueryAttributesFile, status:0
x0, attribs:0x10, path:"C:\Users\i92segoa"
, handle:0x0, access:0x1, path:"\REGISTRY\MACHINE\Software\Microsoft\Windows\Cur
rentVersion\Explorer\KnownFolderSettings"
rentVersion\Explorer\KnownFolderSettings"
5, handle:0x0, access:0x100001, iostatus:0x0, information:0xFFFFFFFF, attribs:0x
80, share:0x3, disposition:0x2, options:0x204021, path:"C:\Users\i92segoa\AppDat
a\Local"
pid:4092, tid:2168, tick:0x33D6FF0, lvl:OK, func:NtQueryKey, status:0x0, class:0
x3, length:0x180, resultlength:0x92, handle:0x386, path:"\REGISTRY\USER\S-1-5-21
-2360094602-2602383397-2463990887-1001_Classes"
x7, length:0x4, resultlength:0x4, handle:0x386, path:"\REGISTRY\USER\S-1-5-21-23
60094602-2602383397-2463990887-1001_Classes"
63990887-1001_Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder"
x0, attribs:0x10, path:"C:\Users\i92segoa\AppData\Local"
0, address:0x5B0000
0, address:0x5A0000
0, address:0x5B0000
a\Local\Microsoft\Windows\INetCache"
pid:4092, tid:2168, tick:0x33D6FF0, lvl:LOG, func:RecurseRegistryConfig, log:"Du
0, address:0x5A0000
x0, attribs:0x2016, path:"C:\Users\i92segoa\AppData\Local\Microsoft\Windows\INet
Cache"
pid:4092, tid:9004, tick:0x33D6FF0, lvl:OK, func:NtQueryVirtualMemory, status:0x
0, address:0x72AAA000, class:0x0, length:0x1C, resultlength:0x1C
pid:4092, tid:9004, tick:0x33D6FF0, lvl:OK, func:LdrLoadDll, status:0x0, flags:0
x0, module:"OLEAUT32.dll", handle:0x754E0000
0, address:0x5B0000
pid:4092, tid:9004, tick:0x33D6FF0, lvl:OK, func:LdrGetProcedureAddressForCaller
, status:0x0, module:0x754E0000, ordinal:0x2, address:0x754FAB60, image:0x0, cal
ler:0x72A4ABED
, status:0x0, module:0x754E0000, ordinal:0x7, address:0x754F2860, image:0x0, cal
ler:0x72A4ABED
pid:4092, tid:9004, tick:0x33D6FF0, lvl:OK, func:NtSetInformationProcess, status
Cache"
pid:4092, tid:9004, tick:0x33D6FF0, lvl:OK, func:NtSetInformationProcess, status
, status:0x0, module:0x754E0000, ordinal:0x6, address:0x754FAC10, image:0x0, cal
ler:0x72A4ABED
0, address:0x5A0000
63990887-1001", attributes:0x0
B8
0, address:0x5B0000
plicate regkey CLSID will not be added as it is at lower layer."
0, address:0x5A0000
plicate regkey CLSID will not be added as it is at lower layer."
plicate regkey Interface will not be added as it is at lower layer."

0, address:0x5B0000
0, address:0x5A0000
pid:4092, tid:9004, tick:0x33D6FF0, lvl:OK, func:NtCreateFile, status:0x0, handl
e:0x3B8, access:0xC0100080, iostatus:0x0, information:0x1, attribs:0x0, share:0x
3, disposition:0x3, options:0x60, path:"C:\Users\i92segoa\AppData\Local\Microsof
t\Windows\INetCache\counters.dat"
0, address:0x5B0000
ndle:0x3AC, access:0xF0007, size:0x80, pageattribs:0x4, sectionattribs:0x8000000
, file:0x3B8
address:0x5B0000, zerobits:0x0, commitsize:0x0, offset:0x0, viewsize:0x1000, di
sposition:0x1, type:0x0, protect:0x4, handle:0x3AC, path:"C:\Users\i92segoa\AppD
ata\Local\Microsoft\Windows\INetCache\counters.dat"
:0x38C, access:0x1, path:"\Registry\Machine\Software\Classes\CLSID\{20D04FE0-3AE
A-1069-A2D8-08002B30309D}\ShellFolder"
x3, length:0x188, resultlength:0xD2, handle:0x38E, path:"\REGISTRY\MACHINE\SOFTW
ARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder
"
x7, length:0x4, resultlength:0x4, handle:0x38E, path:"\REGISTRY\MACHINE\SOFTWARE
\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder"
97-2463990887-1001", attributes:0x0
397-2463990887-1001_Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B303
09D}\ShellFolder"
0034, name:"Attributes", class:0x2, length:0x90, resultlength:0x19F6A0, handle:0
x38E, path:"\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA1069-A2D8-08002B30309D}\ShellFolder"
"
x0, attribs:0x20, path:"C:\WINDOWS\SYSTEM32\kernelbase.dll"
pid:4092, tid:4644, tick:0x33D6FF0, lvl:OK, func:LdrGetDllHandle, status:0x0, na
me:"api-ms-win-eventing-provider-l1-1-0", module:0x776F0000

97-2463990887-1001", attributes:0x0
, status:0x0, module:0x776F0000, name:"EventSetInformation", ordinal:0x0, addres
s:0x77C39FC0, image:0x0, caller:0x7030A15F
09D}\ShellFolder"
pid:4092, tid:4644, tick:0x33D6FF0, lvl:OK, func:LdrUnloadDll, status:0x0, handl
e:0x776F0000
0034, name:"CallForAttributes", class:0x2, length:0x90, resultlength:0x19F6A0, h
andle:0x38E, path:"\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE
0-3AEA-1069-A2D8-08002B30309D}\ShellFolder"
"
97-2463990887-1001", attributes:0x0
:0x3A8, access:0x20019, path:"\REGISTRY\USER\S-1-5-21-2360094602-2602383397-2463
990887-1001\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
"
0034, name:"MBCSAPIforCrack", class:0x2, length:0x90, resultlength:0x10, handle:
0x3A8, path:"\REGISTRY\USER\S-1-5-21-2360094602-2602383397-2463990887-1001\SOFTW
ARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings"
09D}\ShellFolder"
0034, name:"RestrictedAttributes", class:0x2, length:0x90, resultlength:0x19F6A0
, handle:0x38E, path:"\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D0
4FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder"
:0x3B0, access:0x1, path:"\REGISTRY\MACHINE\Software\Policies\Microsoft\Windows\
CurrentVersion\Internet Settings"
"
0034, name:"Security_HKLM_only", class:0x2, length:0x90, resultlength:0x29CFBC8,
handle:0x3B0, path:"\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows\Curre
ntVersion\Internet Settings"
B0

97-2463990887-1001", attributes:0x0
, handle:0x0, access:0x1, path:"\REGISTRY\MACHINE\Software\Policies\Microsoft\In
ternet Explorer\Main\FeatureControl"
09D}\ShellFolder"
me:"FolderValueFlags", class:0x2, length:0x90, resultlength:0x10, handle:0x38E,
path:"\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A
2D8-08002B30309D}\ShellFolder"
63990887-1001\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl"
8E
:0x3B0, access:0x1, path:"\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer
\Main\FeatureControl"
0, address:0x5A0000
63990887-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{20D04FE0
-3AEA-1069-A2D8-08002B30309D}\ShellFolder"
0, address:0x670000
rentVersion\Explorer\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder"
:0x3BC, access:0x1, path:"\REGISTRY\USER\S-1-5-21-2360094602-2602383397-24639908
87-1001\Software\Microsoft\Internet Explorer\Main\FeatureControl"
63990887-1001\Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum"
63990887-1001\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_H
TTP_USERNAME_PASSWORD_DISABLE"
:0x38C, access:0x1, path:"\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVe
rsion\Policies\NonEnum"
:0x3C0, access:0x1, path:"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Inter
net Explorer\Main\FeatureControl\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE"
0034, name:"{20D04FE0-3AEA-1069-A2D8-08002B30309D}", class:0x2, length:0x90, res
ultlength:0x19EE08, handle:0x38C, path:"\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\Win
dows\CurrentVersion\Policies\NonEnum"
0034, name:"firefox.exe", class:0x2, length:0x90, resultlength:0xAA1199, handle:

0x3C0, path:"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\
Main\FeatureControl\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE"
8C
0034, name:"*", class:0x2, length:0x90, resultlength:0xAA1199, handle:0x3C0, pat
h:"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Featu
reControl\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE"
C0
rsion\Explorer\MyComputer\NameSpace"
t\Internet Explorer\Main\FeatureControl"
0034, name:"ValidateRegItems", class:0x2, length:0x90, resultlength:0x19E524, ha
ndle:0x38C, path:"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\Curre
ntVersion\Explorer\MyComputer\NameSpace"
8C
7-2463990887-1001\Software\Policies\Microsoft\Internet Explorer\Main\FeatureCont
rol"
rsion\Explorer\MyComputer\NameSpace"
:0x3C0, access:0x20019, path:"\REGISTRY\USER\S-1-5-21-2360094602-2602383397-2463
990887-1001\Software\Microsoft\Internet Explorer\Main\FeatureControl"
0034, name:"MonitorRegistry", class:0x2, length:0x90, resultlength:0x19E524, han
dle:0x38C, path:"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\Curren
tVersion\Explorer\MyComputer\NameSpace"
8C
:0x3C8, access:0x20019, path:"\REGISTRY\MACHINE\Software\Microsoft\Internet Expl
orer\Main\FeatureControl"
-2360094602-2602383397-2463990887-1001_Classes"
0034, name:"FEATURE_CLIENTAUTHCERTFILTER", class:0x2, length:0x90, resultlength:
0x0, handle:0x3C0, path:"\REGISTRY\USER\S-1-5-21-2360094602-2602383397-246399088
7-1001\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl"
60094602-2602383397-2463990887-1001_Classes"
C0
0034, name:"FEATURE_CLIENTAUTHCERTFILTER", class:0x2, length:0x90, resultlength:
0x124B600, handle:0x3C8, path:"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\
Internet Explorer\Main\FeatureControl"
C8

63990887-1001_Classes\Drive\shellex\FolderExtensions"
63990887-1001\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\RETRY_HEA
DERONLYPOST_ONCONNECTIONRESET"
:0x38C, access:0x8, path:"\Registry\Machine\Software\Classes\Drive\shellex\Folde
rExtensions"
, handle:0x0, access:0x1, path:"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft
\Internet Explorer\Main\FeatureControl\RETRY_HEADERONLYPOST_ONCONNECTIONRESET"
x3, length:0x188, resultlength:0x86, handle:0x38E, path:"\REGISTRY\MACHINE\SOFTW
ARE\Classes\Drive\SHELLEX\FolderExtensions"
63990887-1001\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_M
IME_HANDLING"
\Classes\Drive\SHELLEX\FolderExtensions"
97-2463990887-1001", attributes:0x0
net Explorer\Main\FeatureControl\FEATURE_MIME_HANDLING"
Main\FeatureControl\FEATURE_MIME_HANDLING"
397-2463990887-1001_Classes\Drive\SHELLEX\FolderExtensions"
reControl\FEATURE_MIME_HANDLING"
C8
pid:4092, tid:2168, tick:0x33D6FF0, lvl:OK, func:NtEnumerateKey, status:0x0, ind
ex:0x0, class:0x1, length:0x120, resultlength:0x64, handle:0x38E, path:"\REGISTR
Y\MACHINE\SOFTWARE\Classes\Drive\SHELLEX\FolderExtensions"
63990887-1001\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_B
YPASS_CACHE_FOR_CREDPOLICY_KB936611"
-2360094602-2602383397-2463990887-1001_Classes"
\Internet Explorer\Main\FeatureControl\FEATURE_BYPASS_CACHE_FOR_CREDPOLICY_KB936
611"
60094602-2602383397-2463990887-1001_Classes"

63990887-1001\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_I
GNORE_MAPPINGS_FOR_CREDPOLICY"
\Internet Explorer\Main\FeatureControl\FEATURE_IGNORE_MAPPINGS_FOR_CREDPOLICY"
63990887-1001_Classes\Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-40
9d6c4515e9}"
NCLUDE_PORT_IN_SPN_KB908209"
\Internet Explorer\Main\FeatureControl\FEATURE_INCLUDE_PORT_IN_SPN_KB908209"
:0x3B4, access:0x1, path:"\Registry\Machine\Software\Classes\Drive\shellex\Folde
rExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9}"
63990887-1001\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_B
UFFERBREAKING_818408"
x3, length:0x188, resultlength:0xD4, handle:0x3B6, path:"\REGISTRY\MACHINE\SOFTW
ARE\Classes\Drive\SHELLEX\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9
}"
\Internet Explorer\Main\FeatureControl\FEATURE_BUFFERBREAKING_818408"
x7, length:0x4, resultlength:0x4, handle:0x3B6, path:"\REGISTRY\MACHINE\SOFTWARE
\Classes\Drive\SHELLEX\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9}"
63990887-1001\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_S
KIP_POST_RETRY_ON_INTERNETWRITEFILE_KB895954"
97-2463990887-1001", attributes:0x0
\Internet Explorer\Main\FeatureControl\FEATURE_SKIP_POST_RETRY_ON_INTERNETWRITEF
ILE_KB895954"
63990887-1001\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_F
IX_CHUNKED_PROXY_SCRIPT_DOWNLOAD_KB843289"
397-2463990887-1001_Classes\Drive\SHELLEX\FolderExtensions\{fbeb8a05-beee-4442-8
04e-409d6c4515e9}"
\Internet Explorer\Main\FeatureControl\FEATURE_FIX_CHUNKED_PROXY_SCRIPT_DOWNLOAD
_KB843289"

63990887-1001\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_U
SE_CNAME_FOR_SPN_KB911149"
me:"DriveMask", class:0x2, length:0x90, resultlength:0x10, handle:0x3B6, path:"\
REGISTRY\MACHINE\SOFTWARE\Classes\Drive\SHELLEX\FolderExtensions\{fbeb8a05-beee4442-804e-409d6c4515e9}"
B6
\Internet Explorer\Main\FeatureControl\FEATURE_USE_CNAME_FOR_SPN_KB911149"
pid:4092, tid:2168, tick:0x33D6FF0, lvl:LOG, func:NtEnumerateKey, status:0x80000
01A, index:0x1, class:0x1, length:0x120, resultlength:0x64, handle:0x38E, path:"
\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\SHELLEX\FolderExtensions"
63990887-1001\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_A
LWAYS_USE_DNS_FOR_SPN_KB3022771"
8E
\Internet Explorer\Main\FeatureControl\FEATURE_ALWAYS_USE_DNS_FOR_SPN_KB3022771"
63990887-1001\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_P
ERMIT_CACHE_FOR_AUTHENTICATED_FTP_KB910274"
\Internet Explorer\Main\FeatureControl\FEATURE_PERMIT_CACHE_FOR_AUTHENTICATED_FT
P_KB910274"
63990887-1001\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_D
ISABLE_UNICODE_HANDLE_CLOSING_CALLBACK"
0034, name:"AllowFileCLSIDJunctions", class:0x2, length:0x90, resultlength:0x19C
DE8, handle:0x38C, path:"\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\Windows\CurrentVer
sion\Policies\Explorer"
net Explorer\Main\FeatureControl\FEATURE_DISABLE_UNICODE_HANDLE_CLOSING_CALLBACK
"
8C
Main\FeatureControl\FEATURE_DISABLE_UNICODE_HANDLE_CLOSING_CALLBACK"
reControl\FEATURE_DISABLE_UNICODE_HANDLE_CLOSING_CALLBACK"

C8
ISALLOW_NULL_IN_RESPONSE_HEADERS"
\Internet Explorer\Main\FeatureControl\FEATURE_DISALLOW_NULL_IN_RESPONSE_HEADERS
"
:0x38C, access:0x20019, path:"\REGISTRY\MACHINE\Software\Microsoft\Windows\Curre
ntVersion\Explorer\KindMap"
IGEST_NO_EXTRAS_IN_URI"
me:".exe", class:0x2, length:0x90, resultlength:0x1C, handle:0x38C, path:"\REGIS
TRY\MACHINE\SOFTWARE\MICROSOFT\Windows\CurrentVersion\Explorer\KindMap"
\Internet Explorer\Main\FeatureControl\FEATURE_DIGEST_NO_EXTRAS_IN_URI"
8C
-2360094602-2602383397-2463990887-1001_Classes"
\Internet Explorer\Main\FeatureControl\FEATURE_ENABLE_PASSPORT_SESSION_STORE_KB9
48608"
60094602-2602383397-2463990887-1001_Classes"
63990887-1001\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_E
XCLUDE_INVALID_CLIENT_CERT_KB929477"
7-2463990887-1001_Classes\.exe"
\Internet Explorer\Main\FeatureControl\FEATURE_EXCLUDE_INVALID_CLIENT_CERT_KB929
477"
SE_UTF8_FOR_BASIC_AUTH_KB967545"
:0x38C, access:0x20019, path:"\Registry\Machine\Software\Classes\.exe"
\Internet Explorer\Main\FeatureControl\FEATURE_USE_UTF8_FOR_BASIC_AUTH_KB967545"
ARE\Classes\.exe"

63990887-1001\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_R
ETURN_FAILED_CONNECT_CONTENT_KB942615"
\Classes\.exe"
\Internet Explorer\Main\FeatureControl\FEATURE_RETURN_FAILED_CONNECT_CONTENT_KB9
42615"
97-2463990887-1001", attributes:0x0
RESERVE_SPACES_IN_FILENAMES_KB952730"
\Internet Explorer\Main\FeatureControl\FEATURE_PRESERVE_SPACES_IN_FILENAMES_KB95
2730"
397-2463990887-1001_Classes\.exe"
0034, name:"FromCacheTimeout", class:0x2, length:0x90, resultlength:0xA8FDBB, ha
ndle:0x370, path:"\REGISTRY\USER\S-1-5-21-2360094602-2602383397-2463990887-1001\
Software\Microsoft\Windows\CurrentVersion\Internet Settings"
me:"Content Type", class:0x2, length:0x90, resultlength:0x3E, handle:0x38E, path
:"\REGISTRY\MACHINE\SOFTWARE\Classes\.exe"
8E
87-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"
me:"SecureProtocols", class:0x2, length:0x90, resultlength:0x10, handle:0x3C0, p
ath:"\REGISTRY\USER\S-1-5-21-2360094602-2602383397-2463990887-1001\SOFTWARE\Micr
osoft\Windows\CurrentVersion\Internet Settings"
C0
:0x3C8, access:0x20019, path:"\REGISTRY\MACHINE\Software\Policies"
x3B4, access:0x20019, path:"\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{1F486A52-3
CB1-48FD-8F50-B8DC300D9F9D}"
0034, name:"AppID", class:0x2, length:0x400, resultlength:0x2D006D, handle:0x3B4
, path:"\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1F486A52-3CB1-48FD
-8F50-B8DC300D9F9D}"
:0x3CC, access:0x20019, path:"\REGISTRY\USER\S-1-5-21-2360094602-2602383397-2463
990887-1001\Software\Policies"
pid:4092, tid:2168, tick:0x33D6FF0, lvl:LOG, func:NtOpenKey, status:0xC0000034,

handle:0x0, access:0x20019, path:"\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node
\CLSID\{1F486A52-3CB1-48FD-8F50-B8DC300D9F9D}\LocalServer32"
B4
pid:4092, tid:2168, tick:0x33D6FF0, lvl:OK, func:LdrGetDllHandle, status:0x0, na
me:"combase.dll", module:0x74DC0000
, status:0x0, module:0x74DC0000, name:"CLSIDFromOle1Class", ordinal:0x0, address
:0x74E92E10, image:0x0, caller:0x74E98AC5
0, address:0x5A0000
lass:0x1A, length:0x4, returnlength:0x4
63990887-1001", attributes:0x0
0, address:0x670000
:0x3D4, access:0x20019, path:"\REGISTRY\USER\S-1-5-21-2360094602-2602383397-2463
990887-1001\Software"
x3C0, access:0x2000000, path:"\Registry\User\S-1-5-21-2360094602-2602383397-2463
990887-1001_Classes"
B4
0, address:0x5A0000
0, address:0x670000
:0x3D8, access:0x20019, path:"\REGISTRY\MACHINE\Software"
pid:4092, tid:2168, tick:0x33D6FF0, lvl:OK, func:NtOpenSection, status:0x0, hand
le:0x3B4, access:0x4, path:"\Sessions\1\BaseNamedObjects\Global\__ComCatalogCach
e__"
, handle:0x0, access:0x1, path:"\REGISTRY\MACHINE\Software\Policies\Microsoft\In
ternet Explorer"
sposition:0x1, type:0x0, protect:0x2, handle:0x3B4, path:"\BaseNamedObjects\__Co
mCatalogCache__"

ambda_7138ae5cd59c00b0ddad740776ba328b>::operator (), status:0x0, token:0x3DC, c
:0x3E0, access:0x1, path:"\REGISTRY\MACHINE\Software\Policies\Microsoft\Windows\
DC
x4, length:0xB0, resultlength:0x28, handle:0x3E0, path:"\REGISTRY\MACHINE\SOFTWA
RE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings"
E0
:0x3DC, access:0x20119, path:"\REGISTRY\MACHINE\Software\Microsoft\COM3"
me:"Com+Enabled", class:0x2, length:0x90, resultlength:0x10, handle:0x3DC, path:
"\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\COM3"
DC
:0x3E4, access:0x1, path:"\REGISTRY\USER\S-1-5-21-2360094602-2602383397-24639908
87-1001\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings"
x4, length:0xB0, resultlength:0x28, handle:0x3E4, path:"\REGISTRY\USER\S-1-5-212360094602-2602383397-2463990887-1001\SOFTWARE\Policies\Microsoft\Windows\Curren
tVersion\Internet Settings"
E4
le:0x3DC, access:0xF, path:"\KnownDlls32\clbcatq.dll"
address:0x76A70000, zerobits:0x0, commitsize:0x0, viewsize:0x84000, disposition
:0x1, type:0x800000, protect:0x4, handle:0x3DC, path:"\KnownDlls32\clbcatq.dll"
me:"CertificateRevocation", class:0x2, length:0x90, resultlength:0x10, handle:0x
3E8, path:"\REGISTRY\USER\S-1-5-21-2360094602-2602383397-2463990887-1001\SOFTWAR
E\Microsoft\Windows\CurrentVersion\Internet Settings"
E8
0034, name:"DisableKeepAlive", class:0x2, length:0x90, resultlength:0x80, handle
:0x370, path:"\REGISTRY\USER\S-1-5-21-2360094602-2602383397-2463990887-1001\Soft
ware\Microsoft\Windows\CurrentVersion\Internet Settings"
DC
0034, name:"IdnEnabled", class:0x2, length:0x90, resultlength:0x29CF4AC, handle:
0x370, path:"\REGISTRY\USER\S-1-5-21-2360094602-2602383397-2463990887-1001\Softw
are\Microsoft\Windows\CurrentVersion\Internet Settings"
0034, name:"PreConnectLimit", class:0x2, length:0x90, resultlength:0x29CF4AC, ha
0034, name:"PreResolveLimit", class:0x2, length:0x90, resultlength:0x29CF4AC, ha
0034, name:"CacheMode", class:0x2, length:0x90, resultlength:0x29CF4AC, handle:0
x370, path:"\REGISTRY\USER\S-1-5-21-2360094602-2602383397-2463990887-1001\Softwa
re\Microsoft\Windows\CurrentVersion\Internet Settings"
pid:4092, tid:2168, tick:0x33D6FF0, lvl:OK, func:NtOpenEvent, status:0x0, handle
:0x3E0, access:0x100001, path:"\KernelObjects\MaximumCommitCondition"
:0x3E4, access:0x20019, path:"\REGISTRY\MACHINE\Software\Policies\Microsoft\Wind
ows\CurrentVersion\Internet Settings"
0034, name:"EnableHttp1_1", class:0x2, length:0x90, resultlength:0x10, handle:0x
3E4, path:"\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\
Internet Settings"
0034, name:"EnableHttp1_1", class:0x2, length:0x90, resultlength:0x10, handle:0x
3A8, path:"\REGISTRY\USER\S-1-5-21-2360094602-2602383397-2463990887-1001\SOFTWAR
E\Policies\Microsoft\Windows\CurrentVersion\Internet Settings"
me:"EnableHttp1_1", class:0x2, length:0x90, resultlength:0x10, handle:0x370, pat
h:"\REGISTRY\USER\S-1-5-21-2360094602-2602383397-2463990887-1001\Software\Micros
oft\Windows\CurrentVersion\Internet Settings"
0034, name:"ProxyHttp1.1", class:0x2, length:0x90, resultlength:0x10, handle:0x3
E4, path:"\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\I
nternet Settings"
, handle:0x0, access:0x20019, path:"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Ole\App
Compat\DisableClsidFreeActivatableClasses"
0034, name:"ProxyHttp1.1", class:0x2, length:0x90, resultlength:0x10, handle:0x3
A8, path:"\REGISTRY\USER\S-1-5-21-2360094602-2602383397-2463990887-1001\SOFTWARE
\Policies\Microsoft\Windows\CurrentVersion\Internet Settings"
me:"ProxyHttp1.1", class:0x2, length:0x90, resultlength:0x10, handle:0x370, path
:"\REGISTRY\USER\S-1-5-21-2360094602-2602383397-2463990887-1001\Software\Microso
ft\Windows\CurrentVersion\Internet Settings"
me:"EnableNegotiate", class:0x2, length:0x90, resultlength:0x10, handle:0x370, p
ath:"\REGISTRY\USER\S-1-5-21-2360094602-2602383397-2463990887-1001\Software\Micr
osoft\Windows\CurrentVersion\Internet Settings"
0034, name:"DisableBasicOverClearChannel", class:0x2, length:0x90, resultlength:
0x10, handle:0x370, path:"\REGISTRY\USER\S-1-5-21-2360094602-2602383397-24639908
le:0x3E8, access:0x4, path:"\Sessions\1\BaseNamedObjects\Global\__ComCatalogCach
e__"
0034, name:"EnableAutoProxyResultCache", class:0x2, length:0x90, resultlength:0x
10, handle:0x3A8, path:"\REGISTRY\USER\S-1-5-21-2360094602-2602383397-2463990887
-1001\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings"
address:0x6D0000, zerobits:0x0, commitsize:0x0, offset:0x0, viewsize:0x1000, di
sposition:0x1, type:0x0, protect:0x2, handle:0x3E8, path:"\BaseNamedObjects\__Co
mCatalogCache__"

0034, name:"DisplayScriptDownloadFailureUI", class:0x2, length:0x90, resultlengt
h:0x10, handle:0x3A8, path:"\REGISTRY\USER\S-1-5-21-2360094602-2602383397-246399
0887-1001\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings"
0034, name:"MBCSServername", class:0x2, length:0x90, resultlength:0x10, handle:0
x3A8, path:"\REGISTRY\USER\S-1-5-21-2360094602-2602383397-2463990887-1001\SOFTWA
RE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings"
0034, name:"UTF8ServerNameRes", class:0x2, length:0x90, resultlength:0x10, handl
e:0x3A8, path:"\REGISTRY\USER\S-1-5-21-2360094602-2602383397-2463990887-1001\SOF
TWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings"
0034, name:"DisableReadRange", class:0x2, length:0x90, resultlength:0x10, handle
:0x370, path:"\REGISTRY\USER\S-1-5-21-2360094602-2602383397-2463990887-1001\Soft
ware\Microsoft\Windows\CurrentVersion\Internet Settings"
0034, name:"SocketSendBufferLength", class:0x2, length:0x90, resultlength:0x29CF
4AC, handle:0x370, path:"\REGISTRY\USER\S-1-5-21-2360094602-2602383397-246399088
0034, name:"SocketReceiveBufferLength", class:0x2, length:0x90, resultlength:0x2
9CF4AC, handle:0x370, path:"\REGISTRY\USER\S-1-5-21-2360094602-2602383397-246399
0034, name:"KeepAliveTimeout", class:0x2, length:0x90, resultlength:0x29CF4AC, h
andle:0x370, path:"\REGISTRY\USER\S-1-5-21-2360094602-2602383397-2463990887-1001
\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
pid:4092, tid:2168, tick:0x33D6FF0, lvl:OK, func:NtCreateFile, status:0x0, handl
e:0x3EC, access:0x80100080, iostatus:0x0, information:0x1, attribs:0x0, share:0x
1, disposition:0x1, options:0x60, path:"C:\WINDOWS\Registration\R00000000000d.cl
b"
0034, name:"MaxHttpRedirects", class:0x2, length:0x90, resultlength:0x29CF4AC, h
pid:4092, tid:2168, tick:0x33D6FF0, lvl:OK, func:NtQueryInformationFile, status:
0x0, iostatus:0x0, information:0x18, length:0x18, class:0x5, handle:0x3EC, path:
"C:\WINDOWS\Registration\R00000000000d.clb"
pid:4092, tid:2168, tick:0x33D6FF0, lvl:OK, func:NtSetInformationFile, status:0x
0, iostatus:0x0, information:0x0, length:0x8, class:0xE, handle:0x3EC, path:"C:\
WINDOWS\Registration\R00000000000d.clb"
0034, name:"MaxConnectionsPerServer", class:0x2, length:0x90, resultlength:0x29C
F4AC, handle:0x370, path:"\REGISTRY\USER\S-1-5-21-2360094602-2602383397-24639908
ndle:0x3F0, access:0xF0005, pageattribs:0x2, sectionattribs:0x8000000, file:0x3E
C
address:0x6E0000, zerobits:0x0, commitsize:0x0, offset:0x0, viewsize:0x6000, di
sposition:0x1, type:0x0, protect:0x2, handle:0x3F0, path:"C:\WINDOWS\Registratio
n\R00000000000d.clb"
:0x3F4, access:0x20019, path:"\REGISTRY\MACHINE\Software\Microsoft\Windows\Curre
0034, name:"MaxConnectionsPerServer", class:0x2, length:0x90, resultlength:0x10,

handle:0x3F4, path:"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\Cu
rrentVersion\Internet Settings"
0034, name:"MaxConnectionsPer1_0Server", class:0x2, length:0x90, resultlength:0x
-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
0034, name:"MaxConnectionsPer1_0Server", class:0x2, length:0x90, resultlength:0x
10, handle:0x3F4, path:"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows
\CurrentVersion\Internet Settings"
0034, name:"MaxConnectionsPerProxy", class:0x2, length:0x90, resultlength:0x10,
handle:0x370, path:"\REGISTRY\USER\S-1-5-21-2360094602-2602383397-2463990887-100
1\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
0034, name:"MaxConnectionsPerProxy", class:0x2, length:0x90, resultlength:0x10,
handle:0x3F4, path:"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\Cur
rentVersion\Internet Settings"
0034, name:"ServerInfoTimeout", class:0x2, length:0x90, resultlength:0x10, handl
e:0x370, path:"\REGISTRY\USER\S-1-5-21-2360094602-2602383397-2463990887-1001\Sof
tware\Microsoft\Windows\CurrentVersion\Internet Settings"
0034, name:"ConnectTimeOut", class:0x2, length:0x90, resultlength:0x10, handle:0
0034, name:"ConnectTimeOut", class:0x2, length:0x90, resultlength:0x10, handle:0
x3F4, path:"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVers
ion\Internet Settings"
0034, name:"ConnectRetries", class:0x2, length:0x90, resultlength:0x10, handle:0
0034, name:"ConnectRetries", class:0x2, length:0x90, resultlength:0x10, handle:0
0034, name:"SendTimeOut", class:0x2, length:0x90, resultlength:0x10, handle:0x37
Microsoft\Windows\CurrentVersion\Internet Settings"
0034, name:"SendTimeOut", class:0x2, length:0x90, resultlength:0x10, handle:0x3F
\Internet Settings"
0034, name:"ReceiveTimeOut", class:0x2, length:0x90, resultlength:0x10, handle:0
0034, name:"ReceiveTimeOut", class:0x2, length:0x90, resultlength:0x10, handle:0
0034, name:"DisableNTLMPreAuth", class:0x2, length:0x90, resultlength:0x7834A0,
0034, name:"CertCacheNoValidate", class:0x2, length:0x90, resultlength:0x7834A0,
ISABLE_NOTIFY_UNVERIFIED_SPN_KB2385266"
\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_NOTIFY_UNVERIFIED_SPN_KB2
385266"
63990887-1001\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_C
OMPAT_USE_CONNECTION_BASED_NEGOTIATE_AUTH_KB2151543"
\Internet Explorer\Main\FeatureControl\FEATURE_COMPAT_USE_CONNECTION_BASED_NEGOT
IATE_AUTH_KB2151543"
0034, name:"HttpDefaultExpiryTimeSecs", class:0x2, length:0x90, resultlength:0x2
9CFC0C, handle:0x370, path:"\REGISTRY\USER\S-1-5-21-2360094602-2602383397-246399
0034, name:"FtpDefaultExpiryTimeSecs", class:0x2, length:0x90, resultlength:0x29
CFC0C, handle:0x370, path:"\REGISTRY\USER\S-1-5-21-2360094602-2602383397-2463990
:0x3FC, access:0x1, path:"\REGISTRY\USER\S-1-5-21-2360094602-2602383397-24639908
me:"DisableCachingOfSSLPages", class:0x2, length:0x90, resultlength:0x10, handle
:0x3FC, path:"\REGISTRY\USER\S-1-5-21-2360094602-2602383397-2463990887-1001\SOFT
WARE\Microsoft\Windows\CurrentVersion\Internet Settings"
FC
0034, name:"LeashLegacyCookies", class:0x2, length:0x90, resultlength:0x80, hand
le:0x370, path:"\REGISTRY\USER\S-1-5-21-2360094602-2602383397-2463990887-1001\So
ftware\Microsoft\Windows\CurrentVersion\Internet Settings"
0034, name:"DialupUseLanSettings", class:0x2, length:0x90, resultlength:0x80, ha
0034, name:"DialupUseLanSettings", class:0x2, length:0x90, resultlength:0x80, ha
ndle:0x3F4, path:"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\Curre
0034, name:"SendExtraCRLF", class:0x2, length:0x90, resultlength:0x80, handle:0x
e\Microsoft\Windows\CurrentVersion\Internet Settings"
0034, name:"BypassHTTPNoCacheCheck", class:0x2, length:0x90, resultlength:0x80,
0034, name:"BypassHTTPNoCacheCheck", class:0x2, length:0x90, resultlength:0x80,
0034, name:"BypassSSLNoCacheCheck", class:0x2, length:0x90, resultlength:0x80, h
0034, name:"BypassSSLNoCacheCheck", class:0x2, length:0x90, resultlength:0x80, h
andle:0x3F4, path:"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\Curr
entVersion\Internet Settings"
0034, name:"EnableHttpTrace", class:0x2, length:0x90, resultlength:0x80, handle:
0x3F4, path:"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVer
sion\Internet Settings"
0034, name:"NoCheckAutodialOverRide", class:0x2, length:0x90, resultlength:0x80,
0034, name:"NoCheckAutodialOverRide", class:0x2, length:0x90, resultlength:0x80,
63990887-1001\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_S
CH_SEND_AUX_RECORD_KB_2618444"
\Internet Explorer\Main\FeatureControl\FEATURE_SCH_SEND_AUX_RECORD_KB_2618444"
0034, name:"DontUseDNSLoadBalancing", class:0x2, length:0x90, resultlength:0xEE,
0034, name:"DontUseDNSLoadBalancing", class:0x2, length:0x90, resultlength:0xEE,
0034, name:"ShareCredsWithWinHttp", class:0x2, length:0x90, resultlength:0xEE, h
andle:0x3F4, path:"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\Curr
entVersion\Internet Settings"
0034, name:"MimeExclusionListForCache", class:0x2, length:0x90, resultlength:0x6
0034, name:"MimeExclusionListForCache", class:0x2, length:0x90, resultlength:0xF
FFFFFB6, handle:0x370, path:"\REGISTRY\USER\S-1-5-21-2360094602-2602383397-24639
0034, name:"HeaderExclusionListForCache", class:0x2, length:0x90, resultlength:0
x728EE23B, handle:0x370, path:"\REGISTRY\USER\S-1-5-21-2360094602-2602383397-246
63990887-1001\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_E
NABLE_TOKEN_BINDING"
\Internet Explorer\Main\FeatureControl\FEATURE_ENABLE_TOKEN_BINDING"
0034, name:"DnsCacheEnabled", class:0x2, length:0x90, resultlength:0x41004D, han
dle:0x370, path:"\REGISTRY\USER\S-1-5-21-2360094602-2602383397-2463990887-1001\S
oftware\Microsoft\Windows\CurrentVersion\Internet Settings"
0034, name:"DnsCacheEntries", class:0x2, length:0x90, resultlength:0x29CF4E8, ha
0034, name:"DnsCacheTimeout", class:0x2, length:0x90, resultlength:0x29CF4E8, ha
0034, name:"WarnOnPost", class:0x2, length:0x90, resultlength:0x29CF49C, handle:
0x370, path:"\REGISTRY\USER\S-1-5-21-2360094602-2602383397-2463990887-1001\Softw
are\Microsoft\Windows\CurrentVersion\Internet Settings"
0034, name:"WarnAlwaysOnPost", class:0x2, length:0x90, resultlength:0x29CF49C, h
x3, length:0x180, resultlength:0x92, handle:0x3C2, path:"\Registry\User\S-1-5-21
-2360094602-2602383397-2463990887-1001_Classes"
me:"WarnOnZoneCrossing", class:0x2, length:0x90, resultlength:0x10, handle:0x370
, path:"\REGISTRY\USER\S-1-5-21-2360094602-2602383397-2463990887-1001\Software\M
icrosoft\Windows\CurrentVersion\Internet Settings"
x7, length:0x4, resultlength:0x4, handle:0x3C2, path:"\Registry\User\S-1-5-21-23
60094602-2602383397-2463990887-1001_Classes"
0034, name:"WarnOnBadCertRecving", class:0x2, length:0x90, resultlength:0x10, ha
0034, name:"WarnOnPostRedirect", class:0x2, length:0x90, resultlength:0x10, hand
, handle:0x0, access:0x20019, path:"\Registry\User\S-1-5-21-2360094602-260238339
7-2463990887-1001_Classes\CLSID\{1F486A52-3CB1-48FD-8F50-B8DC300D9F9D}"
0034, name:"AlwaysDrainOnRedirect", class:0x2, length:0x90, resultlength:0x10, h
0034, name:"WarnOnHTTPSToHTTPRedirect", class:0x2, length:0x90, resultlength:0x1
0, handle:0x370, path:"\REGISTRY\USER\S-1-5-21-2360094602-2602383397-24639908871001\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
:0x3F8, access:0x20019, path:"\Registry\Machine\Software\Classes\CLSID\{1F486A52
-3CB1-48FD-8F50-B8DC300D9F9D}"
0034, name:"TcpAutotuning", class:0x2, length:0x90, resultlength:0x29CF500, hand
le:0x3F4, path:"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\Current
Version\Internet Settings"

x3, length:0x180, resultlength:0xBA, handle:0x3FA, path:"\REGISTRY\MACHINE\SOFTW
ARE\Classes\WOW6432Node\CLSID\{1F486A52-3CB1-48FD-8F50-B8DC300D9F9D}"
x7, length:0x4, resultlength:0x4, handle:0x3FA, path:"\REGISTRY\MACHINE\SOFTWARE
\Classes\WOW6432Node\CLSID\{1F486A52-3CB1-48FD-8F50-B8DC300D9F9D}"
97-2463990887-1001", attributes:0x0
8C
63990887-1001_Classes\WOW6432Node\CLSID\{1F486A52-3CB1-48FD-8F50-B8DC300D9F9D}\T
reatAs"
, handle:0x0, access:0xF003F, path:"\REGISTRY\MACHINE\System\CurrentControlSet\S
ervices\WinSock2\Parameters"
, handle:0x0, access:0x1, path:"\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\C
LSID\{1F486A52-3CB1-48FD-8F50-B8DC300D9F9D}\TreatAs"
:0x38C, access:0x20019, path:"\REGISTRY\MACHINE\System\CurrentControlSet\Service
s\WinSock2\Parameters"
me:"WinSock_Registry_Version", class:0x2, length:0x90, resultlength:0x14, handle
:0x38C, path:"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameter
s"
me:"WinSock_Registry_Version", class:0x2, length:0x90, resultlength:0x14, handle
:0x38C, path:"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameter
s"
:0x3A4, access:0x20019, path:"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Wi
nSock2\Parameters\AppId_Catalog"
97-2463990887-1001", attributes:0x0
pid:4092, tid:4644, tick:0x33D6FF0, lvl:OK, func:GetCommandLineW, ret:0x124EAA0,
, handle:0x0, access:0x20019, path:"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Servi
ces\WinSock2\Parameters\AppId_Catalog\04CC76E4"
A4
397-2463990887-1001_Classes\WOW6432Node\CLSID\{1F486A52-3CB1-48FD-8F50-B8DC300D9
F9D}"
me:"NameSpace_Callout", class:0x2, length:0x90, resultlength:0x52, handle:0x38C,
path:"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters"
me:"NameSpace_Callout", class:0x2, length:0x90, resultlength:0x52, handle:0x38C,
path:"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters"
me:"", class:0x2, length:0x90, resultlength:0x3C, handle:0x3FA, path:"\REGISTRY\
MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1F486A52-3CB1-48FD-8F50-B8DC300D9F9D
}"
:0x3C4, access:0x2000000, path:"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\
WinSock2\Parameters\Protocol_Catalog9"
me:"Serial_Access_Num", class:0x2, length:0x90, resultlength:0x10, handle:0x3C4,
path:"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Proto
col_Catalog9"
pid:4092, tid:4644, tick:0x33D6FF0, lvl:OK, func:NtNotifyChangeKey, status:0x103
, event:0x3A4, iostatus:0x103, information:0x0, filter:0x1, watch:0x0, length:0x
0, async:0x1, handle:0x3C4, path:"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Service
s\WinSock2\Parameters\Protocol_Catalog9"
97-2463990887-1001", attributes:0x0
me:"Serial_Access_Num", class:0x2, length:0x90, resultlength:0x10, handle:0x3C4,
path:"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Proto
col_Catalog9"
ces\WinSock2\Parameters\Protocol_Catalog9\00000009"
F9D}"
me:"Next_Catalog_Entry_ID", class:0x2, length:0x90, resultlength:0x10, handle:0x
3C4, path:"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\P
rotocol_Catalog9"
me:"Num_Catalog_Entries", class:0x2, length:0x90, resultlength:0x10, handle:0x3C
4, path:"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Pro
tocol_Catalog9"
me:"", class:0x2, length:0x90, resultlength:0x3C, handle:0x3FA, path:"\REGISTRY\
}"
:0x3FC, access:0x2000000, path:"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\

WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries"
:0x404, access:0x20019, path:"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Wi
nSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001"
pid:4092, tid:4644, tick:0x33D6FF0, lvl:LOG, func:NtQueryValueKey, status:0x8000
0005, name:"PackedCatalogItem", class:0x2, length:0x90, resultlength:0x384, hand
le:0x404, path:"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Paramet
ers\Protocol_Catalog9\Catalog_Entries\000000000001"
me:"PackedCatalogItem", class:0x2, length:0x384, resultlength:0x384, handle:0x40
tocol_Catalog9\Catalog_Entries\000000000001"
97-2463990887-1001", attributes:0x0
04
le:0x404, path:"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Paramet
7-2463990887-1001_Classes\WOW6432Node\CLSID\{1F486A52-3CB1-48FD-8F50-B8DC300D9F9
D}\InprocServer32"
04
:0x404, access:0x20019, path:"\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLS
ID\{1F486A52-3CB1-48FD-8F50-B8DC300D9F9D}\InprocServer32"
:0x40C, access:0x20019, path:"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Wi
x3, length:0x188, resultlength:0xD8, handle:0x406, path:"\REGISTRY\MACHINE\SOFTW
ARE\Classes\WOW6432Node\CLSID\{1F486A52-3CB1-48FD-8F50-B8DC300D9F9D}\InProcServe
r32"
le:0x40C, path:"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Paramet
x7, length:0x4, resultlength:0x4, handle:0x406, path:"\REGISTRY\MACHINE\SOFTWARE
\Classes\WOW6432Node\CLSID\{1F486A52-3CB1-48FD-8F50-B8DC300D9F9D}\InProcServer32
"

C, path:"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Pro
0C
97-2463990887-1001", attributes:0x0
F9D}\InProcServer32"
0034, name:"InprocServer32", class:0x2, length:0x90, resultlength:0x0, handle:0x
406, path:"\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1F486A52-3CB1-4
8FD-8F50-B8DC300D9F9D}\InProcServer32"
r32"
0C
"
97-2463990887-1001", attributes:0x0
me:"", class:0x2, length:0x90, resultlength:0x50, handle:0x406, path:"\REGISTRY\
}\InProcServer32"
0C
r32"
"
97-2463990887-1001", attributes:0x0
0C
}\InProcServer32"
r32"
"
97-2463990887-1001", attributes:0x0

0C
}\InProcServer32"
0C
r32"
"
97-2463990887-1001", attributes:0x0
0C
me:"ThreadingModel", class:0x2, length:0x90, resultlength:0x16, handle:0x406, pa
th:"\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1F486A52-3CB1-48FD-8F5
0-B8DC300D9F9D}\InProcServer32"

06
0C
97-2463990887-1001", attributes:0x0
0C
63990887-1001_Classes\WOW6432Node\CLSID\{1F486A52-3CB1-48FD-8F50-B8DC300D9F9D}\I
nprocHandler32"
FC
ambda_7138ae5cd59c00b0ddad740776ba328b>::operator (), status:0x0, token:0x3FC, c
FC
LSID\{1F486A52-3CB1-48FD-8F50-B8DC300D9F9D}\InprocHandler32"
:0x40C, access:0x2000000, path:"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\
WinSock2\Parameters\NameSpace_Catalog5"
me:"Serial_Access_Num", class:0x2, length:0x90, resultlength:0x10, handle:0x40C,
path:"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameS
pace_Catalog5"
pid:4092, tid:4644, tick:0x33D6FF0, lvl:OK, func:NtNotifyChangeKey, status:0x103
, event:0x3FC, iostatus:0x103, information:0x0, filter:0x1, watch:0x0, length:0x
0, async:0x1, handle:0x40C, path:"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Service
s\WinSock2\Parameters\NameSpace_Catalog5"
97-2463990887-1001", attributes:0x0
me:"Serial_Access_Num", class:0x2, length:0x90, resultlength:0x10, handle:0x40C,
path:"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameS
pace_Catalog5"
ces\WinSock2\Parameters\NameSpace_Catalog5\00000014"
me:"Num_Catalog_Entries", class:0x2, length:0x90, resultlength:0x10, handle:0x40
C, path:"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Nam
eSpace_Catalog5"
63990887-1001_Classes\WOW6432Node\CLSID\{1F486A52-3CB1-48FD-8F50-B8DC300D9F9D}\I
nprocHandler"
:0x414, access:0x2000000, path:"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\
WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries"
LSID\{1F486A52-3CB1-48FD-8F50-B8DC300D9F9D}\InprocHandler"
nSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001"
FA
me:"LibraryPath", class:0x2, length:0x90, resultlength:0x50, handle:0x418, path:
"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_C
atalog5\Catalog_Entries\000000000001"
me:"DisplayString", class:0x2, length:0x90, resultlength:0x5E, handle:0x418, pat
h:"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace
_Catalog5\Catalog_Entries\000000000001"
:0x3F8, access:0x20019, path:"\REGISTRY\MACHINE\Software\Microsoft\OLE"
0034, name:"MaxSxSHashCount", class:0x2, length:0x90, resultlength:0x0, handle:0
x3F8, path:"\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\OLE"
me:"ProviderId", class:0x2, length:0x90, resultlength:0x1C, handle:0x418, path:"
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Ca
talog5\Catalog_Entries\000000000001"
F8
0034, name:"AddressFamily", class:0x2, length:0x90, resultlength:0x201CC, handle
:0x418, path:"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameter
s\NameSpace_Catalog5\Catalog_Entries\000000000001"
me:"SupportedNameSpace", class:0x2, length:0x90, resultlength:0x10, handle:0x418
, path:"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Name
Space_Catalog5\Catalog_Entries\000000000001"
me:"Enabled", class:0x2, length:0x90, resultlength:0x10, handle:0x418, path:"\RE
GISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catal
og5\Catalog_Entries\000000000001"
me:"Version", class:0x2, length:0x90, resultlength:0x10, handle:0x418, path:"\RE
ambda_7138ae5cd59c00b0ddad740776ba328b>::operator (), status:0x0, token:0x3F8, c
me:"StoresServiceClassInfo", class:0x2, length:0x90, resultlength:0x10, handle:0
x418, path:"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\
NameSpace_Catalog5\Catalog_Entries\000000000001"
lass:0x1A, length:0x4, returnlength:0x4
me:"ProviderInfo", class:0x2, length:0x90, resultlength:0xC, handle:0x418, path:
63990887-1001", attributes:0x0
18
pid:4092, tid:4644, tick:0x33D6FFF, lvl:OK, func:NtQueryValueKey, status:0x0, na
pid:4092, tid:2168, tick:0x33D6FFF, lvl:OK, func:NtOpenKey, status:0x0, handle:0
x420, access:0x2000000, path:"\Registry\User\S-1-5-21-2360094602-2602383397-2463
990887-1001_Classes"
pid:4092, tid:2168, tick:0x33D6FFF, lvl:OK, func:NtClose, status:0x0, handle:0x3
F8
pid:4092, tid:4644, tick:0x33D6FFF, lvl:LOG, func:NtQueryValueKey, status:0xC000
18
pid:4092, tid:4644, tick:0x33D6FFF, lvl:OK, func:NtOpenKeyEx, status:0x0, handle

18

me:"LibraryPath", class:0x2, length:0x90, resultlength:0x4E, handle:0x418, path:
me:"DisplayString", class:0x2, length:0x90, resultlength:0x5C, handle:0x418, pat
18
pid:4092, tid:2168, tick:0x33D6FFF, lvl:OK, func:NtQueryKey, status:0x0, class:0
x3, length:0x180, resultlength:0x92, handle:0x422, path:"\Registry\User\S-1-5-21
-2360094602-2602383397-2463990887-1001_Classes"
x7, length:0x4, resultlength:0x4, handle:0x422, path:"\Registry\User\S-1-5-21-23
60094602-2602383397-2463990887-1001_Classes"
me:"DisplayString", class:0x2, length:0x90, resultlength:0x62, handle:0x418, pat
pid:4092, tid:2168, tick:0x33D6FFF, lvl:LOG, func:NtOpenKeyEx, status:0xC0000034
7-2463990887-1001_Classes\CLSID\{1F486A52-3CB1-48FD-8F50-B8DC300D9F9D}"
:0x3F8, access:0x20019, path:"\Registry\Machine\Software\Classes\CLSID\{1F486A52
-3CB1-48FD-8F50-B8DC300D9F9D}"
pid:4092, tid:2168, tick:0x33D6FFF, lvl:OK, func:New_NtQueryInformationToken::<l
97-2463990887-1001", attributes:0x0

7-2463990887-1001_Classes\WOW6432Node\CLSID\{1F486A52-3CB1-48FD-8F50-B8DC300D9F9
D}\TreatAs"
, handle:0x0, access:0x20019, path:"\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432No
de\CLSID\{1F486A52-3CB1-48FD-8F50-B8DC300D9F9D}\TreatAs"
FA
18
pid:4092, tid:2168, tick:0x33D6FFF, lvl:OK, func:LdrLoadDll, status:0x0, flags:0
x0, module:"C:\WINDOWS\system32\propsys.dll", handle:0x717E0000
pid:4092, tid:2168, tick:0x33D6FFF, lvl:OK, func:LdrGetProcedureAddressForCaller
, status:0x0, module:0x717E0000, name:"DllGetClassObject", ordinal:0x0, address:
0x7182EEC0, image:0x0, caller:0x74E6C7CB
pid:4092, tid:2168, tick:0x33D6FFF, lvl:LOG, func:LdrGetProcedureAddressForCalle
r, status:0xC0000139, module:0x717E0000, name:"DllGetActivationFactory", ordinal
:0x0, image:0x0, caller:0x74E6C7DD
, status:0x0, module:0x717E0000, name:"DllCanUnloadNow", ordinal:0x0, address:0x
718330E0, image:0x0, caller:0x74E6C841
pid:4092, tid:2168, tick:0x33D6FFF, lvl:OK, func:CoCreateInstance, hr:0x0, clsid
:1F486A52-3CB1-48FD-8F50-B8DC300D9F9D, context:0x1, riid:ECF31D61-E474-453C-BEE7
-DE68E441C6D0

pid:4092, tid:2168, tick:0x33D6FFF, lvl:OK, func:LdrResolveDelayLoadedAPI, statu
pid:4092, tid:2168, tick:0x33D6FFF, lvl:LOG, func:NtOpenSection, status:0xC00000
34, handle:0x0, access:0x4, path:"\Sessions\1\BaseNamedObjects\Global\C:*Program
Data*Microsoft*Windows*Caches*cversions.2"
18
34, handle:0x0, access:0x4, path:"\Sessions\1\BaseNamedObjects\Local\C:*ProgramD
ata*Microsoft*Windows*Caches*cversions.2"
14
8C
:0x38C, access:0x1, path:"\REGISTRY\MACHINE\System\CurrentControlSet\Services\Wi
nsock2\Parameters"

Data*Microsoft*Windows*Caches*cversions.2.ro"
0034, name:"Ws2_32NumHandleBuckets", class:0x2, length:0x90, resultlength:0x20,
handle:0x38C, path:"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Par
ameters"
0034, name:"Ws2_32SpinCount", class:0x2, length:0x90, resultlength:0x12, handle:
0x38C, path:"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters
"
8C
pid:4092, tid:2168, tick:0x33D6FFF, lvl:OK, func:NtOpenSection, status:0x0, hand
le:0x3F8, access:0x4, path:"\Sessions\1\BaseNamedObjects\Local\C:*ProgramData*Mi
crosoft*Windows*Caches*cversions.2.ro"
pid:4092, tid:4644, tick:0x33D6FFF, lvl:OK, func:NtDuplicateObject, status:0x0,
pid:4092, tid:4644, tick:0x33D6FFF, lvl:OK, func:WSAStartup, ret:0x0, gle:0x0, V
ersionRequested:0x202, Version:0x202, Description:"WinSock 2.0", SystemStatus:"R
unning", MaxSockets:0x0, MaxUdpDg:0x0
pid:4092, tid:2168, tick:0x33D6FFF, lvl:OK, func:NtMapViewOfSection, status:0x0,
sposition:0x1, type:0x0, protect:0x2, handle:0x3F8, path:"\Sessions\1\BaseNamedO
bjects\C:*ProgramData*Microsoft*Windows*Caches*cversions.2.ro"
34, handle:0x0, access:0xF, path:"\KnownDlls32\ondemandconnroutehelper.dll"
Data*Microsoft*Windows*Caches*{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000
000000000078.db"
le:0x428, access:0x4, path:"\Sessions\1\BaseNamedObjects\Local\C:*ProgramData*Mi
crosoft*Windows*Caches*{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x00000000000
00078.db"
pid:4092, tid:4644, tick:0x33D6FFF, lvl:OK, func:NtQueryAttributesFile, status:0
x0, attribs:0x20, path:"C:\WINDOWS\SYSTEM32\ondemandconnroutehelper.dll"
address:0xEA0000, zerobits:0x0, commitsize:0x0, offset:0x0, viewsize:0x45000, d
isposition:0x1, type:0x0, protect:0x2, handle:0x428, path:"\Sessions\1\BaseNamed
Objects\C:*ProgramData*Microsoft*Windows*Caches*{6AF0698E-D558-4F6E-9B3C-3716689
AF493}.2.ver0x0000000000000078.db"
pid:4092, tid:2168, tick:0x33D6FFF, lvl:OK, func:NtSetInformationProcess, status
x0, attribs:0x20, path:"C:\WINDOWS\SysWOW64\propsys.dll"
pid:4092, tid:4644, tick:0x33D6FFF, lvl:OK, func:NtOpenFile, status:0x0, handle:
path:"C:\WINDOWS\SYSTEM32\ondemandconnroutehelper.dll"
pid:4092, tid:4644, tick:0x33D6FFF, lvl:OK, func:NtCreateSection, status:0x0, ha
pid:4092, tid:2168, tick:0x33D6FFF, lvl:OK, func:NtQueryFullAttributesFile, stat
us:0x0, allocsize:0x14B000, size:0x14AE48, attribs:0x20, path:"C:\WINDOWS\SysWOW
64\propsys.dll"
:0x1, type:0x800000, protect:0x4, handle:0x418, path:"C:\WINDOWS\SYSTEM32\ondema
ndconnroutehelper.dll"

us:0x0, allocsize:0x188000, size:0x187698, attribs:0x20, path:"C:\WINDOWS\system
32\propsys.dll"
18
14
Data*Microsoft*Windows*Caches*cversions.2"
x0, module:"ondemandconnroutehelper.dll", handle:0x72360000
, status:0x0, module:0x72360000, name:"OnDemandRegisterNotification", ordinal:0x
0, address:0x72362B40, image:0x0, caller:0x702FAF19
, status:0x0, module:0x72360000, name:"OnDemandUnRegisterNotification", ordinal:
0x0, address:0x72367530, image:0x0, caller:0x702FAF2C
34, handle:0x0, access:0x4, path:"\Sessions\1\BaseNamedObjects\Local\C:*ProgramD
ata*Microsoft*Windows*Caches*cversions.2"
:0x42C, access:0x1, path:"\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows\
0034, name:"ProxySettingsPerUser", class:0x2, length:0x90, resultlength:0x29CFC5
0, handle:0x42C, path:"\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows\Cur
2C
0034, name:"EnableLegacyAutoProxyFeatures", class:0x2, length:0x90, resultlength
:0x77C8ED50, handle:0x3E4, path:"\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\W
indows\CurrentVersion\Internet Settings"
Data*Microsoft*Windows*Caches*cversions.2.ro"
0034, name:"BadProxyExpiresTime", class:0x2, length:0x90, resultlength:0x77C8ED5
0, handle:0x370, path:"\REGISTRY\USER\S-1-5-21-2360094602-2602383397-24639908871001\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
pid:4092, tid:4644, tick:0x33D6FFF, lvl:OK, func:NtAssociateWaitCompletionPacket
, status:0x0, completionpacket:0x430, iocompletion:0x38, handle:0x42C
le:0x438, access:0x4, path:"\Sessions\1\BaseNamedObjects\Local\C:*ProgramData*Mi
crosoft*Windows*Caches*cversions.2.ro"
sposition:0x1, type:0x0, protect:0x2, handle:0x438, path:"\Sessions\1\BaseNamedO
bjects\C:*ProgramData*Microsoft*Windows*Caches*cversions.2.ro"
34, handle:0x0, access:0xF, path:"\KnownDlls32\winhttp.dll"
Data*Microsoft*Windows*Caches*{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000
000000000003.db"
x0, attribs:0x20, path:"C:\WINDOWS\SYSTEM32\winhttp.dll"
le:0x43C, access:0x4, path:"\Sessions\1\BaseNamedObjects\Local\C:*ProgramData*Mi
crosoft*Windows*Caches*{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x00000000000
00003.db"
path:"C:\WINDOWS\SYSTEM32\winhttp.dll"
address:0x2AD0000, zerobits:0x0, commitsize:0x0, offset:0x0, viewsize:0x8E000,
disposition:0x1, type:0x0, protect:0x2, handle:0x43C, path:"\Sessions\1\BaseName
dObjects\C:*ProgramData*Microsoft*Windows*Caches*{DDF571F2-BE98-426D-8288-1A9A39
C3FDA2}.2.ver0x0000000000000003.db"
address:0x74760000, zerobits:0x0, commitsize:0x0, viewsize:0x9B000, disposition
:0x1, type:0x800000, protect:0x4, handle:0x440, path:"C:\WINDOWS\SYSTEM32\winhtt
p.dll"
x0, attribs:0x20, path:"C:\WINDOWS\SysWOW64\propsys.dll"
40
34
us:0x0, allocsize:0x14B000, size:0x14AE48, attribs:0x20, path:"C:\WINDOWS\SysWOW
64\propsys.dll"
x0, module:"winhttp.dll", handle:0x74760000
, status:0x0, module:0x74760000, name:"WinHttpCreateProxyResolver", ordinal:0x0,
address:0x7478EE00, image:0x0, caller:0x70307CF5
, status:0x0, module:0x74760000, name:"WinHttpGetProxyForUrlEx", ordinal:0x0, ad
dress:0x7478EC70, image:0x0, caller:0x70307D0B
, status:0x0, module:0x74760000, name:"WinHttpGetProxyResult", ordinal:0x0, addr
ess:0x747C0C00, image:0x0, caller:0x70307D22
, status:0x0, module:0x74760000, name:"WinHttpFreeProxyResult", ordinal:0x0, add
ress:0x74791F10, image:0x0, caller:0x70307D39
, status:0x0, module:0x74760000, name:"WinHttpCloseHandle", ordinal:0x0, address
:0x7477B3F0, image:0x0, caller:0x70307D50
, status:0x0, module:0x74760000, name:"WinHttpOpen", ordinal:0x0, address:0x7479
3AA0, image:0x0, caller:0x70307D67
, status:0x0, module:0x74760000, name:"WinHttpSetStatusCallback", ordinal:0x0, a
ddress:0x74777180, image:0x0, caller:0x70307D7E
, status:0x0, module:0x74760000, name:"WinHttpResetAutoProxy", ordinal:0x0, addr
ess:0x74799E70, image:0x0, caller:0x70307D95
us:0x0, allocsize:0x188000, size:0x187698, attribs:0x20, path:"C:\WINDOWS\system
32\propsys.dll"
, status:0x0, module:0x74760000, name:"WinHttpSetOption", ordinal:0x0, address:0
x74778010, image:0x0, caller:0x70307DAC

0034, name:"AutoProxyDetectType", class:0x2, length:0x90, resultlength:0x0, hand
pid:4092, tid:2168, tick:0x33D6FFF, lvl:OK, func:NtQueryVirtualMemory, status:0x
0, address:0x2E1D0F0, class:0x3, length:0x14
0034, name:"DisableBranchCache", class:0x2, length:0x90, resultlength:0x34, hand
le:0x3F4, path:"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\Current
Version\Internet Settings"
x444, access:0x1, path:"\Registry\Machine\Software\Microsoft\Windows\Windows Err
or Reporting\WMR"
pid:4092, tid:8800, tick:0x33D6FFF, lvl:LOG, func:BaseThreadInitThunk, log:"New
thread started (via BaseThreadInitThunk) at address: 0x77C3C6D0, parameter: 0x76
52D8"
, status:0x0, module:0x75050000, name:"IsImmersiveProcess", ordinal:0x0, address
:0x7506FEA0, image:0x0, caller:0x7030B393
me:"Disable", class:0x2, length:0x13, resultlength:0x10, handle:0x444, path:"\RE
GISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\Windows Error Reporting\WM
R"
pid:4092, tid:4644, tick:0x33D6FFF, lvl:OK, func:LdrUnloadDll, status:0x0, handl
e:0x75050000
pid:4092, tid:2168, tick:0x33D6FFF, lvl:LOG, func:New_NtQueryInformationToken::<
0034, name:"UseFirstAvailable", class:0x2, length:0x90, resultlength:0x34, handl
63990887-1001", attributes:0x0
48
0034, name:"CombineFalseStartData", class:0x2, length:0x90, resultlength:0x34, h
0034, name:"DisableFalseStartBlocklist", class:0x2, length:0x90, resultlength:0x
-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
0034, name:"EnableHttp2Upgrade", class:0x2, length:0x90, resultlength:0x34, hand
pid:4092, tid:2168, tick:0x33D6FFF, lvl:LOG, func:NtOpenKey, status:0xC0000034,
handle:0x0, access:0x1, path:"\Registry\User\S-1-5-21-2360094602-2602383397-2463
990887-1001\Software\Microsoft\Windows\Windows Error Reporting\WMR"
44
0034, name:"DuoProtocols", class:0x2, length:0x90, resultlength:0x29CF4AC, handl
0034, name:"EnableSpdyDebugAsserts", class:0x2, length:0x90, resultlength:0x34,
0034, name:"EnableNpn", class:0x2, length:0x90, resultlength:0x29CFC50, handle:0
x404, path:"\REGISTRY\USER\S-1-5-21-2360094602-2602383397-2463990887-1001\SOFTWA
RE\Microsoft\Windows\CurrentVersion\Internet Settings"
04

, status:0x0, module:0x72360000, name:"GetInterfaceContextTableForHostName", ord
inal:0x0, address:0x72363490, image:0x0, caller:0x702FADF3
, status:0x0, module:0x72360000, name:"FreeInterfaceContextTable", ordinal:0x0,
address:0x72363D40, image:0x0, caller:0x702FAE09
t\PeerDist\Service"
0034, name:"DontShowSuperHidden", class:0x2, length:0x90, resultlength:0x19DA14,
handle:0x444, path:"\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\Windows\CurrentVersion
\Policies\Explorer"
, handle:0x0, access:0x20119, path:"\REGISTRY\MACHINE\Software\Microsoft\Windows
NT\CurrentVersion\PeerDist\Service"
x0, module:"C:\WINDOWS\system32\mswsock.dll", handle:0x73700000
44
, status:0x0, module:0x73700000, name:"WSPStartup", ordinal:0x0, address:0x7370D
350, image:0x0, caller:0x775F7454
address:0xEF0000, zerobits:0x0, commitsize:0x0, offset:0x220000, viewsize:0x100
s\Winsock\Parameters"
pid:4092, tid:9004, tick:0x33D6FFF, lvl:OK, func:NtUnmapViewOfSection, status:0x
0, address:0x5A0000
me:"Transports", class:0x2, length:0x90, resultlength:0x42, handle:0x404, path:"
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Winsock\Parameters"
87-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\"
me:"Transports", class:0x2, length:0x90, resultlength:0x42, handle:0x404, path:"
me:"ShellState", class:0x2, length:0x90, resultlength:0x30, handle:0x444, path:"
\REGISTRY\USER\S-1-5-21-2360094602-2602383397-2463990887-1001\Software\Microsoft
\Windows\CurrentVersion\Explorer"
0, address:0xEF0000
04
me:"ShellState", class:0x2, length:0x90, resultlength:0x30, handle:0x444, path:"
\REGISTRY\USER\S-1-5-21-2360094602-2602383397-2463990887-1001\Software\Microsoft
\Windows\CurrentVersion\Explorer"
pid:4092, tid:9004, tick:0x33D6FFF, lvl:LOG, func:RecurseRegistryConfig, log:"Du
plicate regkey Connections will not be added as it is at lower layer."
44
s\Psched\Parameters\Winsock"
pid:4092, tid:8800, tick:0x33D6FFF, lvl:LOG, func:NtQueryValueKey, status:0x8000
0005, name:"Mapping", class:0x2, length:0x90, resultlength:0xA4, handle:0x404, p
ath:"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Psched\Parameters\Winsock"
pid:4092, tid:8800, tick:0x33D6FFF, lvl:LOG, func:NtQueryValueKey, status:0x8000
0005, name:"Mapping", class:0x2, length:0x90, resultlength:0xA4, handle:0x404, p
0034, name:"NoWebView", class:0x2, length:0x90, resultlength:0x19D9A8, handle:0x
444, path:"\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\Windows\CurrentVersion\Policies\
Explorer"
me:"Mapping", class:0x2, length:0xA4, resultlength:0xA4, handle:0x404, path:"\RE
GISTRY\MACHINE\SYSTEM\ControlSet001\Services\Psched\Parameters\Winsock"
44
04
address:0xEF0000, zerobits:0x0, commitsize:0x0, offset:0x220000, viewsize:0x100
0, address:0x5A0000
s\Winsock\Setup Migration\Providers"
0, address:0xEF0000
nsock\Setup Migration\Providers\Psched"
pid:4092, tid:9004, tick:0x33D6FFF, lvl:LOG, func:_FaultInValuesIf, log:"Duplica
te reg value SavedLegacySettings will not be added as it is at lower layer. type
: 0x1"
me:"WinSock 2.0 Provider ID", class:0x2, length:0x90, resultlength:0x1C, handle:

0x440, path:"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Winsock\Setup Migra
tion\Providers\Psched"
40
0034, name:"ClassicShell", class:0x2, length:0x90, resultlength:0x19D9A8, handle
:0x44C, path:"\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\Windows\CurrentVersion\Polici
es\Explorer"
04
4C
pid:4092, tid:9004, tick:0x33D6FFF, lvl:OK, func:NtCreateKey, status:0x0, handle
:0x450, access:0x1, title:0x0, class:"", options:0x0, disposition:0x2, path:"\RE
GISTRY\USER\S-1-5-21-2360094602-2602383397-2463990887-1001\Software\Microsoft\Wi
ndows\CurrentVersion\Internet Settings\Connections"
me:"DefaultConnectionSettings", class:0x2, length:0x90, resultlength:0x44, handl
tware\Microsoft\Windows\CurrentVersion\Internet Settings\Connections"
s\Tcpip\Parameters\Winsock"
me:"Mapping", class:0x2, length:0x90, resultlength:0x74, handle:0x404, path:"\RE
GISTRY\MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Winsock"
50
04
0034, name:"SeparateProcess", class:0x2, length:0x90, resultlength:0x19D9A8, han
dle:0x44C, path:"\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\Windows\CurrentVersion\Pol
icies\Explorer"
4C
s\Tcpip6\Parameters\Winsock"
:0x440, access:0x1, title:0x0, class:"", options:0x0, disposition:0x2, path:"\RE
GISTRY\MACHINE\SYSTEM\ControlSet001\Services\Tcpip6\Parameters\Winsock"

GISTRY\MACHINE\SYSTEM\ControlSet001\Services\Tcpip6\Parameters\Winsock"
04
40
0034, name:"NoNetCrawling", class:0x2, length:0x90, resultlength:0x19D9A8, handl
e:0x44C, path:"\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\Windows\CurrentVersion\Polic
ies\Explorer"
652D8"
4C
nsock\Setup Migration\Providers\Tcpip6"
pid:4092, tid:11200, tick:0x33D6FFF, lvl:OK, func:LdrResolveDelayLoadedAPI, stat
us:0x0, module:0x701C0000
tion\Providers\Tcpip6"
44
pid:4092, tid:11200, tick:0x33D6FFF, lvl:OK, func:NtDeviceIoControlFile, status:
0x0, event:0x45C, iostatus:0x0, information:0x50, code:0x120007, inlen:0x30, out
len:0x4, handle:0x2F4, path:"\??\Nsi"
04
87-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"
pid:4092, tid:11200, tick:0x33D6FFF, lvl:OK, func:NtClose, status:0x0, handle:0x
45C
me:"Hidden", class:0x2, length:0x90, resultlength:0x10, handle:0x460, path:"\REG
ISTRY\USER\S-1-5-21-2360094602-2602383397-2463990887-1001\SOFTWARE\Microsoft\Win
dows\CurrentVersion\Explorer\Advanced"
52D8"
s\Tcpip6\Parameters\Winsock"
me:"ShowCompColor", class:0x2, length:0x90, resultlength:0x10, handle:0x460, pat
oft\Windows\CurrentVersion\Explorer\Advanced"
me:"HideFileExt", class:0x2, length:0x90, resultlength:0x10, handle:0x460, path:
"\REGISTRY\USER\S-1-5-21-2360094602-2602383397-2463990887-1001\SOFTWARE\Microsof
t\Windows\CurrentVersion\Explorer\Advanced"
me:"MinSockaddrLength", class:0x2, length:0x90, resultlength:0x10, handle:0x404,
path:"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Tcpip6\Parameters\Winsock
"
45C
me:"DontPrettyPath", class:0x2, length:0x90, resultlength:0x10, handle:0x460, pa
th:"\REGISTRY\USER\S-1-5-21-2360094602-2602383397-2463990887-1001\SOFTWARE\Micro
soft\Windows\CurrentVersion\Explorer\Advanced"
me:"MaxSockaddrLength", class:0x2, length:0x90, resultlength:0x10, handle:0x404,
path:"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Tcpip6\Parameters\Winsock
"
me:"ShowInfoTip", class:0x2, length:0x90, resultlength:0x10, handle:0x460, path:
t\Windows\CurrentVersion\Explorer\Advanced"
me:"HideIcons", class:0x2, length:0x90, resultlength:0x10, handle:0x460, path:"\
REGISTRY\USER\S-1-5-21-2360094602-2602383397-2463990887-1001\SOFTWARE\Microsoft\
Windows\CurrentVersion\Explorer\Advanced"
45C
me:"UseDelayedAcceptance", class:0x2, length:0x90, resultlength:0x10, handle:0x4
04, path:"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Tcpip6\Parameters\Wins
ock"
me:"MapNetDrvBtn", class:0x2, length:0x90, resultlength:0x10, handle:0x460, path
:"\REGISTRY\USER\S-1-5-21-2360094602-2602383397-2463990887-1001\SOFTWARE\Microso
ft\Windows\CurrentVersion\Explorer\Advanced"
04
me:"WebView", class:0x2, length:0x90, resultlength:0x10, handle:0x460, path:"\RE
GISTRY\USER\S-1-5-21-2360094602-2602383397-2463990887-1001\SOFTWARE\Microsoft\Wi
ndows\CurrentVersion\Explorer\Advanced"

0x0, event:0x45C, iostatus:0x0, information:0x68, code:0x12000F, inlen:0x38, out
me:"Filter", class:0x2, length:0x90, resultlength:0x10, handle:0x460, path:"\REG
dows\CurrentVersion\Explorer\Advanced"
04
45C
me:"ShowSuperHidden", class:0x2, length:0x90, resultlength:0x10, handle:0x460, p
osoft\Windows\CurrentVersion\Explorer\Advanced"
me:"SeparateProcess", class:0x2, length:0x90, resultlength:0x10, handle:0x460, p
pid:4092, tid:11200, tick:0x33D6FFF, lvl:LOG, func:NtDeviceIoControlFile, status
:0xC0000225, event:0x45C, iostatus:0x31DF0BC, information:0x20, code:0x12000F, i
nlen:0x38, outlen:0x38, handle:0x2F4, path:"\??\Nsi"
0034, name:"NoNetCrawling", class:0x2, length:0x90, resultlength:0x10, handle:0x
460, path:"\REGISTRY\USER\S-1-5-21-2360094602-2602383397-2463990887-1001\SOFTWAR
E\Microsoft\Windows\CurrentVersion\Explorer\Advanced"
45C
me:"AutoCheckSelect", class:0x2, length:0x90, resultlength:0x10, handle:0x460, p
pid:4092, tid:8800, tick:0x33D6FFF, lvl:OK, func:NtCreateFile, status:0x0, handl
e:0x404, access:0xC0140000, iostatus:0x0, information:0x0, attribs:0x0, share:0x
3, disposition:0x3, options:0x0, path:"\Device\Afd\Endpoint"
me:"IconsOnly", class:0x2, length:0x90, resultlength:0x10, handle:0x460, path:"\
Windows\CurrentVersion\Explorer\Advanced"
0x0, event:0x45C, iostatus:0x0, information:0x68, code:0x12000F, inlen:0x38, out
me:"ShowTypeOverlay", class:0x2, length:0x90, resultlength:0x10, handle:0x460, p
pid:4092, tid:8800, tick:0x33D6FFF, lvl:OK, func:NtDeviceIoControlFile, status:0
x0, event:0x408, iostatus:0x0, information:0x10, code:0x1207B, inlen:0x10, outle
n:0x10, handle:0x404, path:"\Device\Afd\Endpoint"
45C
me:"ShowStatusBar", class:0x2, length:0x90, resultlength:0x10, handle:0x460, pat
oft\Windows\CurrentVersion\Explorer\Advanced"
x0, event:0x408, iostatus:0x0, information:0x10, code:0x1207B, inlen:0x10, outle
n:0x10, handle:0x404, path:"\Device\Afd\Endpoint"

60
x0, event:0x408, iostatus:0x0, information:0x0, code:0x12047, inlen:0xC4, outlen
:0x1C, handle:0x404, path:"\Device\Afd\Endpoint"
-2360094602-2602383397-2463990887-1001_Classes"
60094602-2602383397-2463990887-1001_Classes"
45C
x0, event:0x408, iostatus:0x0, information:0x0, code:0x120BF, inlen:0x18, outlen
:0x0, handle:0x404, path:"\Device\Afd\Endpoint"
0x0, event:0x460, iostatus:0x0, information:0x50, code:0x120007, inlen:0x30, out
7-2463990887-1001_Classes\.exe"
x0, event:0x408, iostatus:0x0, information:0xB8, code:0x120B3, inlen:0x2, outlen
460
0x0, event:0x460, iostatus:0x0, information:0x50, code:0x120007, inlen:0x30, out
:0x464, access:0x20019, path:"\Registry\Machine\Software\Classes\.exe"
460
x103, event:0x408, iostatus:0x0, information:0x34, code:0x120BF, inlen:0x18, out
len:0xDC, handle:0x404, path:"\Device\Afd\Endpoint"
x3, length:0x188, resultlength:0x52, handle:0x466, path:"\REGISTRY\MACHINE\SOFTW
ARE\Classes\.exe"
04
0x0, event:0x460, iostatus:0x0, information:0x68, code:0x12000F, inlen:0x38, out
\Classes\.exe"
460
97-2463990887-1001", attributes:0x0
pid:4092, tid:11200, tick:0x33D6FFF, lvl:OK, func:NtOpenKeyEx, status:0x0, handl

e:0x460, access:0x20019, path:"\REGISTRY\MACHINE\System\Setup"
397-2463990887-1001_Classes\.exe"
pid:4092, tid:11200, tick:0x33D6FFF, lvl:OK, func:NtQueryValueKey, status:0x0, n
ame:"SystemSetupInProgress", class:0x2, length:0x90, resultlength:0x10, handle:0
x460, path:"\REGISTRY\MACHINE\SYSTEM\Setup"
me:"", class:0x2, length:0x90, resultlength:0x1C, handle:0x466, path:"\REGISTRY\
MACHINE\SOFTWARE\Classes\.exe"
460
34, handle:0x0, access:0xF, path:"\KnownDlls32\WINNSI.DLL"
-2360094602-2602383397-2463990887-1001_Classes"
60094602-2602383397-2463990887-1001_Classes"
7-2463990887-1001_Classes\exefile"
:0x46C, access:0x20019, path:"\Registry\Machine\Software\Classes\exefile"
e:0x468, access:0x1, path:"\REGISTRY\USER\S-1-5-21-2360094602-2602383397-2463990
887-1001\Software\Microsoft\windows\CurrentVersion\Internet Settings"
ARE\Classes\exefile"
ame:"MigrateProxy", class:0x2, length:0x90, resultlength:0x10, handle:0x468, pat
h:"\REGISTRY\USER\S-1-5-21-2360094602-2602383397-2463990887-1001\Software\Micros
oft\windows\CurrentVersion\Internet Settings"
pid:4092, tid:8800, tick:0x33D6FFF, lvl:LOG, func:NtQueryAttributesFile, status:
0xC0000034, path:"C:\Users\i92segoa\Desktop\Firefox SEO\WINNSI.DLL"
\Classes\exefile"
468
97-2463990887-1001", attributes:0x0
63990887-1001_Classes\exefile\CurVer"
, handle:0x0, access:0x1, path:"\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\CurVe
r"
x0, attribs:0x20, path:"C:\WINDOWS\SYSTEM32\WINNSI.DLL"

\Classes\exefile"
ame:"ProxyEnable", class:0x2, length:0x90, resultlength:0x10, handle:0x468, path
97-2463990887-1001", attributes:0x0
00034, name:"ProxyServer", class:0x2, length:0x90, resultlength:0x10, handle:0x4
\Microsoft\Windows\CurrentVersion\Internet Settings"
00034, name:"ProxyOverride", class:0x2, length:0x90, resultlength:0x10, handle:0
00034, name:"AutoConfigURL", class:0x2, length:0x90, resultlength:0x10, handle:0
:0x470, access:0x20019, path:"\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\"
00034, name:"AutoDetect", class:0x2, length:0x90, resultlength:0x10, handle:0x46
Microsoft\Windows\CurrentVersion\Internet Settings"
6E
468
\Classes\exefile"
97-2463990887-1001", attributes:0x0
path:"C:\WINDOWS\SYSTEM32\WINNSI.DLL"
63990887-1001_Classes\exefile\ShellEx\IconHandler"
, handle:0x0, access:0x1, path:"\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\Shell
Ex\IconHandler"
pid:4092, tid:11200, tick:0x33D6FFF, lvl:OK, func:NtCreateKey, status:0x0, handl
e:0x46C, access:0x1, title:0x0, class:"", options:0x0, disposition:0x2, path:"\R
EGISTRY\USER\S-1-5-21-2360094602-2602383397-2463990887-1001\Software\Microsoft\W
indows\CurrentVersion\Internet Settings\Connections"
-2360094602-2602383397-2463990887-1001_Classes"
ame:"SavedLegacySettings", class:0x2, length:0x90, resultlength:0x44, handle:0x4
6C, path:"\REGISTRY\USER\S-1-5-21-2360094602-2602383397-2463990887-1001\Software
\Microsoft\Windows\CurrentVersion\Internet Settings\Connections"
address:0x72470000, zerobits:0x0, commitsize:0x0, viewsize:0x8000, disposition:
0x1, type:0x800000, protect:0x4, handle:0x468, path:"C:\WINDOWS\SYSTEM32\WINNSI.
DLL"
60094602-2602383397-2463990887-1001_Classes"
6C, path:"\REGISTRY\USER\S-1-5-21-2360094602-2602383397-2463990887-1001\Software
46C
7-2463990887-1001_Classes\SystemFileAssociations\.exe"
68
:0x474, access:0x20019, path:"\Registry\Machine\Software\Classes\SystemFileAssoc
iations\.exe"
5C
ARE\Classes\SystemFileAssociations\.exe"
\Classes\SystemFileAssociations\.exe"
97-2463990887-1001", attributes:0x0
63990887-1001_Classes\SystemFileAssociations\.exe\ShellEx\IconHandler"
, handle:0x0, access:0x1, path:"\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAss
ociations\.exe\ShellEx\IconHandler"
e:0x404, access:0x1, title:0x0, class:"", options:0x0, disposition:0x2, path:"\R
x0, event:0x46C, iostatus:0x0, information:0x68, code:0x12000F, inlen:0x38, outl

\Classes\exefile"
ame:"DefaultConnectionSettings", class:0x2, length:0x90, resultlength:0x44, hand
ftware\Microsoft\Windows\CurrentVersion\Internet Settings\Connections"
6C
97-2463990887-1001", attributes:0x0
ame:"DefaultConnectionSettings", class:0x2, length:0x90, resultlength:0x44, hand
ftware\Microsoft\Windows\CurrentVersion\Internet Settings\Connections"
404
397-2463990887-1001_Classes\exefile"
0034, name:"DocObject", class:0x2, length:0x90, resultlength:0x0, handle:0x472,
path:"\REGISTRY\MACHINE\SOFTWARE\Classes\exefile"
\Classes\exefile"
97-2463990887-1001", attributes:0x0
63990887-1001_Classes\exefile\DocObject"
, handle:0x0, access:0x1, path:"\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DocOb
ject"
e:0x404, access:0x20006, title:0x0, class:"", options:0x0, disposition:0x2, path
52D8"

97-2463990887-1001", attributes:0x0
pid:4092, tid:11200, tick:0x33D6FFF, lvl:OK, func:NtSetValueKey, status:0x0, nam
e:"ProxyEnable", index:0x0, type:0x4, size:0x4, handle:0x404, path:"\REGISTRY\US
ER\S-1-5-21-2360094602-2602383397-2463990887-1001\Software\Microsoft\Windows\Cur
pid:4092, tid:11200, tick:0x33D6FFF, lvl:LOG, func:NtDeleteValueKey, status:0xC0
000034, name:"ProxyServer", handle:0x404, path:"\REGISTRY\USER\S-1-5-21-23600946
02-2602383397-2463990887-1001\Software\Microsoft\Windows\CurrentVersion\Internet
Settings"
path:"\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.exe"
000034, name:"ProxyOverride", handle:0x404, path:"\REGISTRY\USER\S-1-5-21-236009
4602-2602383397-2463990887-1001\Software\Microsoft\Windows\CurrentVersion\Intern
et Settings"
pid:4092, tid:556, tick:0x33D6FFF, lvl:LOG, func:BaseThreadInitThunk, log:"New t
hread started (via BaseThreadInitThunk) at address: 0x77C3C6D0, parameter: 0x765
2D8"
000034, name:"AutoConfigURL", handle:0x404, path:"\REGISTRY\USER\S-1-5-21-236009
4602-2602383397-2463990887-1001\Software\Microsoft\Windows\CurrentVersion\Intern
et Settings"
97-2463990887-1001", attributes:0x0
000034, name:"AutoDetect", handle:0x404, path:"\REGISTRY\USER\S-1-5-21-236009460
2-2602383397-2463990887-1001\Software\Microsoft\Windows\CurrentVersion\Internet
Settings"
63990887-1001_Classes\SystemFileAssociations\.exe\DocObject"
404
pid:4092, tid:556, tick:0x33D6FFF, lvl:OK, func:NtDuplicateObject, status:0x0, t
argethandle:0x488, access:0x0, inherit:0x0, options:0x2, handle:0xFFFFFFFE
ociations\.exe\DocObject"
\Classes\exefile"
pid:4092, tid:556, tick:0x33D6FFF, lvl:OK, func:New_NtQueryInformationToken::<la

mbda_7138ae5cd59c00b0ddad740776ba328b>::operator (), status:0x0, token:0xFFFFFFF
A, class:0x1D, length:0x4, returnlength:0x4
97-2463990887-1001", attributes:0x0
397-2463990887-1001_Classes\exefile"
0034, name:"BrowseInPlace", class:0x2, length:0x90, resultlength:0x0, handle:0x4
72, path:"\REGISTRY\MACHINE\SOFTWARE\Classes\exefile"
\Classes\exefile"
97-2463990887-1001", attributes:0x0
63990887-1001_Classes\exefile\BrowseInPlace"
, handle:0x0, access:0x1, path:"\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\Brows
eInPlace"
, status:0x0, completionpacket:0x458, iocompletion:0x38, handle:0x410
6C
97-2463990887-1001", attributes:0x0
6C
pid:4092, tid:11200, tick:0x33D6FFF, lvl:OK, func:NtSetValueKey, status:0x0, nam
e:"SavedLegacySettings", index:0x0, type:0x3, size:0x38, handle:0x498, path:"\RE
76, path:"\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.exe"
498
404
97-2463990887-1001", attributes:0x0
6C
us:0x0, module:0x701C0000
63990887-1001_Classes\SystemFileAssociations\.exe\BrowseInPlace"
s:0x0, module:0x72170000
us:0x0, module:0x72170000
6C
ociations\.exe\BrowseInPlace"
targethandle:0x4A4, access:0x0, inherit:0x0, options:0x2, handle:0xFFFFFFFE
ARE\Classes\.exe"

\Classes\.exe"
97-2463990887-1001", attributes:0x0
397-2463990887-1001_Classes\.exe"
4AC
, status:0x0, completionpacket:0x4B8, iocompletion:0x38, handle:0x4AC
me:"Content Type", class:0x2, length:0x90, resultlength:0x3E, handle:0x466, path
9C
\Classes\exefile"
9C
97-2463990887-1001", attributes:0x0
:0x4BC, access:0xF003F, title:0x0, class:"", options:0x1, disposition:0x2, path:
t\Windows\CurrentVersion\OnDemandInterfaceCache"
63990887-1001_Classes\exefile\Clsid"
s:0x0, module:0x72360000
, handle:0x0, access:0x1, path:"\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\Clsid
"
0xFFFFFFFC, class:0x27, length:0x0, returnlength:0x68

97-2463990887-1001", attributes:0x0
, status:0x0, completionpacket:0x4CC, iocompletion:0x38, handle:0x4C0
0034, name:"ForceAppTestMode", class:0x2, length:0x90, resultlength:0x25B, handl
e:0x4BC, path:"\REGISTRY\USER\S-1-5-21-2360094602-2602383397-2463990887-1001\SOF
TWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache"
63990887-1001_Classes\SystemFileAssociations\.exe\Clsid"
BC
9C
ociations\.exe\Clsid"
x0, event:0x49C, iostatus:0x0, information:0x50, code:0x120007, inlen:0x30, outl
4, handle:0x0, access:0x20019, path:"\REGISTRY\MACHINE\SOFTWARE\Microsoft\WCMSvc
\Selection"
9C
\Classes\exefile"
97-2463990887-1001", attributes:0x0
9C
397-2463990887-1001_Classes\exefile"
0034, name:"IsShortcut", class:0x2, length:0x90, resultlength:0x0, handle:0x472,
path:"\REGISTRY\MACHINE\SOFTWARE\Classes\exefile"
:0x4D4, access:0x1, path:"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVe
rsion\Internet Settings"
9C

0034, name:"ShareCredsWithWinHttp", class:0x2, length:0x90, resultlength:0x1D4,
handle:0x4D4, path:"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\Cur
97-2463990887-1001", attributes:0x0
D4
9C
D4
pid:4092, tid:8800, tick:0x33D6FFF, lvl:LOG, func:NtDeviceIoControlFile, status:
0xC0000225, event:0x49C, iostatus:0x2C9F23C, information:0x20, code:0x12000F, in
path:"\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.exe"
D8
9C
pid:4092, tid:1488, tick:0x33D6FFF, lvl:OK, func:New_CheckTokenMembership::<lamb
da_02604bca4152832ac92161eb66d89101>::operator (), ret:0x1, gle:0x0, SidToCheck:
"S-1-5-18", IsMember:0x0
D8
\Classes\exefile"
9C
D4
97-2463990887-1001", attributes:0x0

D4
397-2463990887-1001_Classes\exefile"
9C
D8
0034, name:"AlwaysShowExt", class:0x2, length:0x90, resultlength:0x0, handle:0x4
x0, event:0x4DC, iostatus:0x0, information:0x50, code:0x120007, inlen:0x30, outl
DC
x0, event:0x4DC, iostatus:0x0, information:0x50, code:0x120007, inlen:0x30, outl
rsion\Internet Settings\WinHttp"
DC
97-2463990887-1001", attributes:0x0
0034, name:"DisableBranchCache", class:0x2, length:0x90, resultlength:0x1D4, han
dle:0x4D8, path:"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\Curren
tVersion\Internet Settings\WinHttp"
D8
x0, event:0x4DC, iostatus:0x0, information:0x68, code:0x12000F, inlen:0x38, outl
DC
rsion\Internet Settings\WinHttp"
\Classes\exefile"
0034, name:"DisableAutoProxyAuth", class:0x2, length:0x90, resultlength:0x1D4, h
andle:0x4D8, path:"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\Curr
entVersion\Internet Settings\WinHttp"
97-2463990887-1001", attributes:0x0
D8
397-2463990887-1001_Classes\exefile"
0034, name:"NeverShowExt", class:0x2, length:0x90, resultlength:0x0, handle:0x47
s:0x0, module:0x74760000
s:0x0, module:0x74760000
97-2463990887-1001", attributes:0x0
unning", MaxSockets:0x7FFF, MaxUdpDg:0xFFBB
, status:0x0, module:0x72360000, name:"GetInterfaceContextTableForHostName", ord
inal:0x0, address:0x72363490, image:0x0, caller:0x747925AB
, status:0x0, module:0x72360000, name:"FreeInterfaceContextTable", ordinal:0x0,
address:0x72363D40, image:0x0, caller:0x747925C1
0034, name:"NeverShowExt", class:0x2, length:0x90, resultlength:0x0, handle:0x47
66
DC

72
76
s:0x0, module:0x74760000
, status:0x0, completionpacket:0x474, iocompletion:0x38, handle:0x4DC
, status:0x0, module:0x74760000, name:"WinHttpCreateProxyResolver", ordinal:0x0,
address:0x7478EE00, image:0x0, caller:0x7478C5F1
, status:0x0, module:0x74760000, name:"WinHttpGetProxyForUrlEx", ordinal:0x0, ad
dress:0x7478EC70, image:0x0, caller:0x7478C607
, status:0x0, module:0x74760000, name:"WinHttpGetProxyResult", ordinal:0x0, addr
ess:0x747C0C00, image:0x0, caller:0x7478C61E
:0x4E0, access:0x20019, path:"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\W
indows\CurrentVersion\Explorer\FolderDescriptions\{B4BFCC3A-DB2C-424C-B029-7FE99
A87C641}"
, status:0x0, module:0x74760000, name:"WinHttpFreeProxyResult", ordinal:0x0, add
ress:0x74791F10, image:0x0, caller:0x7478C635
64
, status:0x0, module:0x74760000, name:"WinHttpCloseHandle", ordinal:0x0, address
:0x7477B3F0, image:0x0, caller:0x7478C64C
, status:0x0, module:0x74760000, name:"WinHttpOpen", ordinal:0x0, address:0x7479
3AA0, image:0x0, caller:0x7478C663
me:"Category", class:0x2, length:0x90, resultlength:0x10, handle:0x4E0, path:"\R
olderDescriptions\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}"
, status:0x0, module:0x74760000, name:"WinHttpSetStatusCallback", ordinal:0x0, a
ddress:0x74777180, image:0x0, caller:0x7478C67A
, status:0x0, module:0x74760000, name:"WinHttpResetAutoProxy", ordinal:0x0, addr
ess:0x74799E70, image:0x0, caller:0x7478C691
me:"Name", class:0x2, length:0x90, resultlength:0x1C, handle:0x4E0, path:"\REGIS
rDescriptions\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}"
, status:0x0, module:0x74760000, name:"WinHttpSetOption", ordinal:0x0, address:0
x74778010, image:0x0, caller:0x7478C6A8
E0, path:"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersio
n\Explorer\FolderDescriptions\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}"
0034, name:"Description", class:0x2, length:0x90, resultlength:0x10, handle:0x4E
\Explorer\FolderDescriptions\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}"
me:"RelativePath", class:0x2, length:0x90, resultlength:0x1C, handle:0x4E0, path
er\FolderDescriptions\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}"
:0x4E4, access:0x2000000, path:"\REGISTRY\MACHINE\SYSTEM\CurrentControlSet\Servi
ces\WinHttpAutoProxySvc\Parameters"
0034, name:"ParsingName", class:0x2, length:0x90, resultlength:0x1C, handle:0x4E
me:"ProxyDllFile", class:0x2, length:0x90, resultlength:0x50, handle:0x4E4, path
:"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinHttpAutoProxySvc\Parameters
"
0034, name:"InfoTip", class:0x2, length:0x90, resultlength:0x1C, handle:0x4E0, p
lorer\FolderDescriptions\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}"
E4
me:"LocalizedName", class:0x2, length:0x90, resultlength:0x60, handle:0x4E0, pat
h:"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explo
rer\FolderDescriptions\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}"
me:"Icon", class:0x2, length:0x90, resultlength:0x5C, handle:0x4E0, path:"\REGIS
rDescriptions\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}"
:0x4E4, access:0x20019, path:"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\Curre
ntVersion\Internet Settings\WinHttp"
0034, name:"Security", class:0x2, length:0x90, resultlength:0x5C, handle:0x4E0,
plorer\FolderDescriptions\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}"
0034, name:"AutoProxyAutoLogonIfChallenged", class:0x2, length:0x90, resultlengt
h:0x0, handle:0x4E4, path:"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Wind
ows\CurrentVersion\Internet Settings\WinHttp"
E4
0034, name:"StreamResource", class:0x2, length:0x90, resultlength:0x5C, handle:0
x4E0, path:"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVers
ion\Explorer\FolderDescriptions\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}"
0034, name:"StreamResourceType", class:0x2, length:0x90, resultlength:0x5C, hand
le:0x4E0, path:"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\Current
Version\Explorer\FolderDescriptions\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}"
:0x4E4, access:0x20019, path:"\REGISTRY\MACHINE\Software\Microsoft\windows\Curre
0034, name:"LocalRedirectOnly", class:0x2, length:0x90, resultlength:0x5C, handl
e:0x4E0, path:"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentV
ersion\Explorer\FolderDescriptions\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}"
0034, name:"WinHttpLowerCaseHost", class:0x2, length:0x90, resultlength:0x20, ha

ndle:0x4E4, path:"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\Curre
me:"Roamable", class:0x2, length:0x90, resultlength:0x10, handle:0x4E0, path:"\R
olderDescriptions\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}"
E4
me:"PreCreate", class:0x2, length:0x90, resultlength:0x10, handle:0x4E0, path:"\
REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\
FolderDescriptions\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}"
0034, name:"Stream", class:0x2, length:0x90, resultlength:0x10, handle:0x4E0, pa
orer\FolderDescriptions\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}"
me:"PublishExpandedPath", class:0x2, length:0x90, resultlength:0x10, handle:0x4E
s:0x0, module:0x74760000
0x4E0, path:"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVer
sion\Explorer\FolderDescriptions\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}"
me:"Attributes", class:0x2, length:0x90, resultlength:0x10, handle:0x4E0, path:"
\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer
\FolderDescriptions\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}"
pid:4092, tid:1488, tick:0x33D6FFF, lvl:OK, func:NtOpenEvent, status:0x0, handle
:0x4EC, access:0x100000, path:"\Sessions\1\BaseNamedObjects\Global\SvcctrlStartE
vent_A3752DX"
pid:4092, tid:8800, tick:0x33D6FFF, lvl:OK, func:NtOpenEvent, status:0x0, handle
:0x4E8, access:0x100000, path:"\Sessions\1\BaseNamedObjects\Global\SvcctrlStartE
vent_A3752DX"
EC
E0, path:"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersio
n\Explorer\FolderDescriptions\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}"
E8
e:0x4E0, path:"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentV
ersion\Explorer\FolderDescriptions\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}"
:0x4F8, access:0x20019, path:"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\W
indows\CurrentVersion\Explorer\FolderDescriptions\{B4BFCC3A-DB2C-424C-B029-7FE99
A87C641}\PropertyBag"
E0
E8

ambda_7138ae5cd59c00b0ddad740776ba328b>::operator (), status:0x0, token:0x4E0, c
pid:4092, tid:8800, tick:0x33D6FFF, lvl:OK, func:OpenSCManagerW, ret:0x7E4BA8, g
le:0x0, desiredAccess:0x1
pid:4092, tid:1488, tick:0x33D6FFF, lvl:OK, func:OpenSCManagerW, ret:0x7E4E00, g
:0x4FC, access:0x1, path:"\REGISTRY\USER\S-1-5-21-2360094602-2602383397-24639908
nownFolders"
FC
97-2463990887-1001", attributes:0x0
0887-1001"
:0x4E8, access:0x1, path:"\REGISTRY\MACHINE\System\CurrentControlSet\Control\SQM
ServiceList"
me:"SQMServiceList", class:0x2, length:0x90, resultlength:0x42, handle:0x4E8, pa
th:"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SQMServiceList"
s"
E8
00
pid:4092, tid:8800, tick:0x33D6FFF, lvl:OK, func:OpenServiceW, ret:0x7E49C8, gle
:0x0, SCManager:0x7E4BA8, serviceName:"WinHttpAutoProxySvc", desiredAccess:0x94
pid:4092, tid:1488, tick:0x33D6FFF, lvl:OK, func:OpenServiceW, ret:0x7E4A68, gle
:0x0, SCManager:0x7E4E00, serviceName:"WinHttpAutoProxySvc", desiredAccess:0x94
me:"Desktop", class:0x2, length:0x90, resultlength:0x38, handle:0x504, path:"\RE
ndows\CurrentVersion\Explorer\User Shell Folders"
E0
pid:4092, tid:8800, tick:0x33D6FFF, lvl:OK, func:CloseServiceHandle, ret:0x1, gl
e:0x0, SCObject:0x7E4BA8
04
e:0x0, SCObject:0x7E4E00
s:0x0, module:0x74760000
s:0x0, module:0x776F0000
, status:0x0, completionpacket:0x500, iocompletion:0x38, handle:0x4FC
pid:4092, tid:2168, tick:0x33D6FFF, lvl:OK, func:CoCreateInstance, hr:0x0, clsid
:1F486A52-3CB1-48FD-8F50-B8DC300D9F9D, context:0x1, riid:ECF31D61-E474-453C-BEE7

-DE68E441C6D0
e:0x74760000
pid:4092, tid:2168, tick:0x33D6FFF, lvl:OK, func:NtClose, status:0x0, handle:0xF
FFFFFFC
s:0x0, module:0x74760000
pid:4092, tid:11200, tick:0x33D6FFF, lvl:OK, func:NtAssociateWaitCompletionPacke
t, status:0x0, completionpacket:0x500, iocompletion:0x38, handle:0x4FC
e:0x74760000
FFFFFFC
pid:4092, tid:1488, tick:0x33D6FFF, lvl:OK, func:QueryServiceStatus, ret:0x1, gl
e:0x0, service:0x7E4A68, serviceType:0x20, currentState:0x4, controlsAccepted:0x
41, win32ExitCode:0x0, serviceSpecificExitCode:0x0, checkPoint:0x0, waitHint:0x0
pid:4092, tid:8800, tick:0x33D6FFF, lvl:OK, func:QueryServiceStatus, ret:0x1, gl
e:0x0, service:0x7E49C8, serviceType:0x20, currentState:0x4, controlsAccepted:0x
41, win32ExitCode:0x0, serviceSpecificExitCode:0x0, checkPoint:0x0, waitHint:0x0
pid:4092, tid:11200, tick:0x33D6FFF, lvl:LOG, func:QueryServiceStatusEx, log:"Ca
ll to New_QueryServiceStatusEx made: Ret: 0x1."
F4
E0
e:0x0, SCObject:0x7E49C8
E8
e:0x0, SCObject:0x7E4A68
34, handle:0x0, access:0x4, path:"\Sessions\1\BaseNamedObjects\Local\C:*Users*i9
2segoa*AppData*Local*Microsoft*Windows*Caches*cversions.1"
04
, status:0x0, completionpacket:0x4E0, iocompletion:0x38, handle:0x4E4
, status:0x0, completionpacket:0x4F4, iocompletion:0x38, handle:0x464
, status:0x0, completionpacket:0x50C, iocompletion:0x38, handle:0x470
, status:0x0, completionpacket:0x510, iocompletion:0x38, handle:0x4D8
, status:0x0, completionpacket:0x514, iocompletion:0x38, handle:0x4D8
le:0x520, access:0x4, path:"\Sessions\1\BaseNamedObjects\Local\C:*Users*i92segoa
*AppData*Local*Microsoft*Windows*Caches*cversions.1.ro"
address:0xEF0000, zerobits:0x0, commitsize:0x0, offset:0x0, viewsize:0x4000, di
sposition:0x1, type:0x0, protect:0x2, handle:0x520, path:"\Sessions\1\BaseNamedO
bjects\C:*Users*i92segoa*AppData*Local*Microsoft*Windows*Caches*cversions.1.ro"
8
0

50C
514
pid:4092, tid:556, tick:0x33D6FFF, lvl:OK, func:NtClose, status:0x0, handle:0x4E
4
e:0x701C0000
C
464
e:0x701C0000
4
470
34, handle:0x0, access:0x4, path:"\Sessions\1\BaseNamedObjects\Local\C:*Users*i9
2segoa*AppData*Local*Microsoft*Windows*Caches*{AFBF9F1A-8EE8-4C77-AF34-C647E37CA
0D9}.1.ver0x0000000000000012.db"
pid:4092, tid:556, tick:0x33D6FFF, lvl:OK, func:NtClose, status:0x0, handle:0x4E
0
4E8
4F4
34, handle:0x0, access:0xF, path:"\KnownDlls32\urlmon.dll"
pid:4092, tid:1488, tick:0x33D6FFF, lvl:LOG, func:NtQueryAttributesFile, status:
0xC0000034, path:"C:\Users\i92segoa\Desktop\Firefox SEO\urlmon.dll"
e:0x524, access:0x80100080, iostatus:0x0, information:0x1, attribs:0x0, share:0x
1, disposition:0x1, options:0x60, path:"C:\Users\i92segoa\AppData\Local\Microsof
t\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000012.
db"
pid:4092, tid:2168, tick:0x33D6FFF, lvl:OK, func:NtQueryInformationFile, status:
0x0, iostatus:0x0, information:0x18, length:0x18, class:0x5, handle:0x524, path:
"C:\Users\i92segoa\AppData\Local\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF
34-C647E37CA0D9}.1.ver0x0000000000000012.db"
x0, attribs:0x20, path:"C:\WINDOWS\SYSTEM32\urlmon.dll"
63990887-1001", attributes:0x0
28
ndle:0x528, access:0xF0005, pageattribs:0x2, sectionattribs:0x8000000, file:0x52
4, path:"\Sessions\1\BaseNamedObjects\Local\C:*Users*i92segoa*AppData*Local*Micr
osoft*Windows*Caches*{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000
012.db"
24, path:"C:\Users\i92segoa\AppData\Local\Microsoft\Windows\Caches\{AFBF9F1A-8EE
8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000012.db"

0x4F4, access:0x100021, iostatus:0x0, information:0x1, share:0x5, options:0x60,
path:"C:\WINDOWS\SYSTEM32\urlmon.dll"
address:0x35A0000, zerobits:0x0, commitsize:0x0, offset:0x0, viewsize:0x1A9000,
disposition:0x1, type:0x0, protect:0x2, handle:0x528, path:"C:\Users\i92segoa\A
ppData\Local\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.v
er0x0000000000000012.db"
ndle:0x4E8, access:0xF, pageattribs:0x10, sectionattribs:0x1000000, file:0x4F4
address:0x73500000, zerobits:0x0, commitsize:0x0, viewsize:0x17D000, dispositio
n:0x1, type:0x800000, protect:0x4, handle:0x4E8, path:"C:\WINDOWS\SYSTEM32\urlmo
n.dll"
28
FFFFFFC
20
pid:4092, tid:2168, tick:0x33D6FFF, lvl:OK, func:NtUnmapViewOfSectionEx, status:
0x0, address:0xEF0000
E8
F4
address:0xEF0000, zerobits:0x0, commitsize:0x0, offset:0x1E0000, viewsize:0x100
0, address:0x5A0000
0, address:0xEF0000
7, disposition:0x1, options:0x64, path:"C:\Users\i92segoa\Desktop\desktop.ini"
"C:\Users\i92segoa\Desktop\desktop.ini"
pid:4092, tid:2168, tick:0x33D6FFF, lvl:OK, func:NtReadFile, status:0x0, iostatu
s:0x0, information:0x11A, length:0x11C, handle:0x518, path:"C:\Users\i92segoa\De
sktop\desktop.ini"
"C:\Users\i92segoa\Desktop\desktop.ini"
18
le:0x518, access:0x6, path:"\Sessions\1\BaseNamedObjects\Global\windows_shell_gl
obal_counters"
address:0xEF0000, zerobits:0x0, commitsize:0x0, offset:0x0, viewsize:0x1000, di
sposition:0x1, type:0x0, protect:0x4, handle:0x518, path:"\BaseNamedObjects\wind
ows_shell_global_counters"
:0x464, access:0x1, path:"\REGISTRY\MACHINE\Software\Policies\Microsoft\Windows\
CurrentVersion\Internet Settings\"
0034, name:"Security_HKLM_only", class:0x2, length:0x90, resultlength:0x1D4, han
dle:0x464, path:"\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVe
64
:0x4E0, access:0x20019, path:"\REGISTRY\MACHINE\Software\Microsoft\Windows\Curre
GNORE_POLICIES_ZONEMAP_IF_ESC_ENABLED_KB918915"
indows\CurrentVersion\Explorer\FolderDescriptions\{1B3EA5DC-B587-4786-B4EF-BD1DC
332AEAE}"
E0
\Internet Explorer\Main\FeatureControl\FEATURE_IGNORE_POLICIES_ZONEMAP_IF_ESC_EN
ABLED_KB918915"
olderDescriptions\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}"
rDescriptions\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}"
er\FolderDescriptions\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}"
t\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\"
\Explorer\FolderDescriptions\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}"
lorer\FolderDescriptions\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}"
7-2463990887-1001\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Se
ttings\ZoneMap\Domains\"
on\Explorer\FolderDescriptions\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}"
plorer\FolderDescriptions\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}"
t\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\"
ion\Explorer\FolderDescriptions\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}"
Version\Explorer\FolderDescriptions\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}"
, handle:0x0, access:0x20019, path:"\REGISTRY\MACHINE\ZoneMap\Ranges\"
ersion\Explorer\FolderDescriptions\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}"
plorer\FolderDescriptions\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}"
me:"PreCreate", class:0x2, length:0x90, resultlength:0x10, handle:0x504, path:"\
FolderDescriptions\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}"
7-2463990887-1001\ZoneMap\Ranges\"
orer\FolderDescriptions\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}"
me:"PublishExpandedPath", class:0x2, length:0x90, resultlength:0x10, handle:0x50
, handle:0x0, access:0x20019, path:"\REGISTRY\MACHINE\ZoneMap\Ranges\"
sion\Explorer\FolderDescriptions\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}"
pid:4092, tid:1488, tick:0x33D6FFF, lvl:OK, func:LdrGetDllHandle, status:0x0, na
Explorer\FolderDescriptions\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}"
, status:0x0, module:0x77C10000, name:"RtlGetDeviceFamilyInfoEnum", ordinal:0x0,
address:0x77C7B110, image:0x0, caller:0x72A1504F
n\Explorer\FolderDescriptions\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}"
ersion\Explorer\FolderDescriptions\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}"
soft\Windows\CurrentVersion\Explorer\FolderDescriptions\{1B3EA5DC-B587-4786-B4EF
-BD1DC332AEAE}\PropertyBag"
63990887-1001\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_Z
ONES_CHECK_ZONEMAP_POLICY_KB941001"
04
\Internet Explorer\Main\FeatureControl\FEATURE_ZONES_CHECK_ZONEMAP_POLICY_KB9410
01"
nownFolders"
E0
ndows\CurrentVersion\Internet Settings\ZoneMap"
97-2463990887-1001", attributes:0x0
63990887-1001\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settin
gs\ZoneMap"
x49C, access:0x20019, path:"\REGISTRY\USER\S-1-5-21-2360094602-2602383397-246399
0887-1001"
s"
:0x520, access:0x2001F, title:0x0, class:"", options:0x0, disposition:0x2, path:
"\REGISTRY\USER\S-1-5-21-2360094602-2602383397-2463990887-1001\Software\Microsof
t\Windows\CurrentVersion\Internet Settings\ZoneMap\"
9C
0034, name:"{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}", class:0x2, length:0x90, res
ultlength:0x0, handle:0x4E4, path:"\REGISTRY\USER\S-1-5-21-2360094602-2602383397
-2463990887-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell F
olders"
ntVersion\Internet Settings\ZoneMap\"
ttings\ZoneMap\"
:0x49C, access:0x20019, path:"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\W
indows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF6
5729F3D}"
E0
me:"Category", class:0x2, length:0x90, resultlength:0x10, handle:0x49C, path:"\R
olderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}"
me:"Name", class:0x2, length:0x90, resultlength:0x1C, handle:0x49C, path:"\REGIS
rDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}"
9C, path:"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersio
n\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}"
0034, name:"Description", class:0x2, length:0x90, resultlength:0x10, handle:0x49
\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}"
me:"RelativePath", class:0x2, length:0x90, resultlength:0x2C, handle:0x49C, path
er\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}"
0034, name:"ParsingName", class:0x2, length:0x90, resultlength:0x2C, handle:0x49
\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}"
0034, name:"InfoTip", class:0x2, length:0x90, resultlength:0x2C, handle:0x49C, p
lorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}"
63990887-1001\Software\Policies\Microsoft\Internet Explorer"
0034, name:"LocalizedName", class:0x2, length:0x90, resultlength:0x2C, handle:0x
49C, path:"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersi
on\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}"
0034, name:"Icon", class:0x2, length:0x90, resultlength:0x2C, handle:0x49C, path
er\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}"
0034, name:"Security", class:0x2, length:0x90, resultlength:0x2C, handle:0x49C,
plorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}"
990887-1001\Software\Microsoft\Internet Explorer\Security"
x49C, path:"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVers
ion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}"
le:0x49C, path:"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\Current
Version\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}"
0034, name:"DisableSecuritySettingsCheck", class:0x2, length:0x90, resultlength:
7-1001\SOFTWARE\Microsoft\Internet Explorer\Security"
e:0x49C, path:"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentV
ersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}"
24
0034, name:"Roamable", class:0x2, length:0x90, resultlength:0x2C, handle:0x49C,
plorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}"
0034, name:"PreCreate", class:0x2, length:0x90, resultlength:0x2C, handle:0x49C,
xplorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}"
0034, name:"Stream", class:0x2, length:0x90, resultlength:0x2C, handle:0x49C, pa
orer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}"
orer\Security"
pid:4092, tid:2168, tick:0x33D700F, lvl:LOG, func:NtQueryValueKey, status:0xC000
0034, name:"PublishExpandedPath", class:0x2, length:0x90, resultlength:0x2C, han
tVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}"
0x0, handle:0x524, path:"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Intern
et Explorer\Security"
0034, name:"DefinitionFlags", class:0x2, length:0x90, resultlength:0x2C, handle:
0x49C, path:"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVer
sion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}"
pid:4092, tid:1488, tick:0x33D700F, lvl:OK, func:NtClose, status:0x0, handle:0x5
24
0034, name:"Attributes", class:0x2, length:0x90, resultlength:0x2C, handle:0x49C
Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}"
pid:4092, tid:1488, tick:0x33D700F, lvl:OK, func:NtQueryVirtualMemory, status:0x
0, address:0x7361B000, class:0x0, length:0x1C, resultlength:0x1C
0034, name:"FolderTypeID", class:0x2, length:0x90, resultlength:0x2C, handle:0x4
n\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}"
pid:4092, tid:1488, tick:0x33D700F, lvl:OK, func:LdrLoadDll, status:0x0, flags:0
x0, module:"SspiCli.dll", handle:0x74940000
pid:4092, tid:1488, tick:0x33D700F, lvl:OK, func:LdrGetProcedureAddressForCaller
, status:0x0, module:0x74940000, name:"GetUserNameExW", ordinal:0x0, address:0x7
494C5F0, image:0x0, caller:0x735747A8
0034, name:"InitFolderHandler", class:0x2, length:0x90, resultlength:0x2C, handl
ersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}"
pid:4092, tid:2168, tick:0x33D700F, lvl:LOG, func:NtOpenKeyEx, status:0xC0000034
soft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A
-E3EF65729F3D}\PropertyBag"
9C
pid:4092, tid:2168, tick:0x33D700F, lvl:OK, func:NtOpenKeyEx, status:0x0, handle
pid:4092, tid:1488, tick:0x33D700F, lvl:OK, func:NtCreateSection, status:0x40000
000, handle:0x524, access:0xF0007, size:0x1C, pageattribs:0x4, sectionattribs:0x
8000000, path:"\Sessions\1\BaseNamedObjects\Local\UrlZonesSM_i92segoa"
nownFolders"
pid:4092, tid:1488, tick:0x33D700F, lvl:OK, func:NtMapViewOfSection, status:0x0,
address:0x3750000, zerobits:0x0, commitsize:0x0, offset:0x0, viewsize:0x1000, d
isposition:0x1, type:0x0, protect:0x4, handle:0x524, path:"\Sessions\1\BaseNamed
Objects\UrlZonesSM_i92segoa"
9C
:0x52C, access:0x20019, path:"\REGISTRY\MACHINE\System\Setup"
pid:4092, tid:2168, tick:0x33D700F, lvl:OK, func:NtQueryValueKey, status:0x0, na
me:"AppData", class:0x2, length:0x90, resultlength:0x48, handle:0x4E4, path:"\RE
52C, path:"\REGISTRY\MACHINE\SYSTEM\Setup"
2C
990887-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\"
04

E4
990887-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0"
30
30
30
indows\CurrentVersion\Explorer\FolderDescriptions\{F42EE2D3-909F-4907-8871-4C22F
C0BF756}"
E4
34
olderDescriptions\{F42EE2D3-909F-4907-8871-4C22FC0BF756}"
34
me:"Name", class:0x2, length:0x90, resultlength:0x2C, handle:0x530, path:"\REGIS
rDescriptions\{F42EE2D3-909F-4907-8871-4C22FC0BF756}"
2C
n\Explorer\FolderDescriptions\{F42EE2D3-909F-4907-8871-4C22FC0BF756}"
\Explorer\FolderDescriptions\{F42EE2D3-909F-4907-8871-4C22FC0BF756}"
t\Windows\CurrentVersion\Internet Settings\Zones\"
er\FolderDescriptions\{F42EE2D3-909F-4907-8871-4C22FC0BF756}"
pid:4092, tid:2168, tick:0x33D700F, lvl:LOG, func:NtQueryValueKey, status:0x8000
0005, name:"ParsingName", class:0x2, length:0x90, resultlength:0xBC, handle:0x53
\Explorer\FolderDescriptions\{F42EE2D3-909F-4907-8871-4C22FC0BF756}"
ttings\Zones\"
me:"ParsingName", class:0x2, length:0xBC, resultlength:0xBC, handle:0x530, path:
"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explore
r\FolderDescriptions\{F42EE2D3-909F-4907-8871-4C22FC0BF756}"
0034, name:"InfoTip", class:0x2, length:0x90, resultlength:0xBC, handle:0x530, p
lorer\FolderDescriptions\{F42EE2D3-909F-4907-8871-4C22FC0BF756}"
me:"LocalizedName", class:0x2, length:0x90, resultlength:0x60, handle:0x530, pat
rer\FolderDescriptions\{F42EE2D3-909F-4907-8871-4C22FC0BF756}"
ttings\Zones\"
me:"Icon", class:0x2, length:0x90, resultlength:0x5C, handle:0x530, path:"\REGIS
rDescriptions\{F42EE2D3-909F-4907-8871-4C22FC0BF756}"
0034, name:"Security", class:0x2, length:0x90, resultlength:0x5C, handle:0x530,
plorer\FolderDescriptions\{F42EE2D3-909F-4907-8871-4C22FC0BF756}"
ion\Explorer\FolderDescriptions\{F42EE2D3-909F-4907-8871-4C22FC0BF756}"
Version\Explorer\FolderDescriptions\{F42EE2D3-909F-4907-8871-4C22FC0BF756}"
990887-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\"
ersion\Explorer\FolderDescriptions\{F42EE2D3-909F-4907-8871-4C22FC0BF756}"
pid:4092, tid:1488, tick:0x33D700F, lvl:OK, func:NtEnumerateKey, status:0x0, ind
ex:0x0, class:0x0, length:0x120, resultlength:0x12, handle:0x52C, path:"\REGISTR
Y\USER\S-1-5-21-2360094602-2602383397-2463990887-1001\SOFTWARE\Microsoft\Windows
\CurrentVersion\Internet Settings\Zones"
0034, name:"Roamable", class:0x2, length:0x90, resultlength:0x5C, handle:0x530,
plorer\FolderDescriptions\{F42EE2D3-909F-4907-8871-4C22FC0BF756}"
pid:4092, tid:1488, tick:0x33D700F, lvl:OK, func:NtCreateMutant, status:0x400000
00, handle:0x534, access:0x1F0001, owner:0x0, path:"\Sessions\1\BaseNamedObjects
\Local\ZonesCacheCounterMutex"
FolderDescriptions\{F42EE2D3-909F-4907-8871-4C22FC0BF756}"
orer\FolderDescriptions\{F42EE2D3-909F-4907-8871-4C22FC0BF756}"
990887-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0"
tVersion\Explorer\FolderDescriptions\{F42EE2D3-909F-4907-8871-4C22FC0BF756}"
sion\Explorer\FolderDescriptions\{F42EE2D3-909F-4907-8871-4C22FC0BF756}"
t\Windows\CurrentVersion\Internet Settings\Zones\0"
me:"Attributes", class:0x2, length:0x90, resultlength:0x10, handle:0x530, path:"
\FolderDescriptions\{F42EE2D3-909F-4907-8871-4C22FC0BF756}"
n\Explorer\FolderDescriptions\{F42EE2D3-909F-4907-8871-4C22FC0BF756}"
ttings\Zones\0"
ersion\Explorer\FolderDescriptions\{F42EE2D3-909F-4907-8871-4C22FC0BF756}"
:0x4E4, access:0x20019, path:"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\W
indows\CurrentVersion\Explorer\FolderDescriptions\{F42EE2D3-909F-4907-8871-4C22F
C0BF756}\PropertyBag"
30
pid:4092, tid:2168, tick:0x33D700F, lvl:OK, func:New_NtQueryInformationToken::<l
me:"Flags", class:0x2, length:0x90, resultlength:0x10, handle:0x540, path:"\REGI
ows\CurrentVersion\Internet Settings\Zones\0"
40
3C
nownFolders"
38
97-2463990887-1001", attributes:0x0
pid:4092, tid:2168, tick:0x33D700F, lvl:OK, func:NtOpenKey, status:0x0, handle:0
0887-1001"
ttings\Zones\1"
s"
3C
0034, name:"{F42EE2D3-909F-4907-8871-4C22FC0BF756}", class:0x2, length:0x90, res
ultlength:0x0, handle:0x544, path:"\REGISTRY\USER\S-1-5-21-2360094602-2602383397
olders"
63990887-1001", attributes:0x0
:0x53C, access:0x20019, path:"\REGISTRY\MACHINE\Software\Microsoft\Windows NT\Cu
:0x54C, access:0x2001F, path:"\REGISTRY\USER\S-1-5-21-2360094602-2602383397-2463
990887-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\
"
me:"ProfileImagePath", class:0x2, length:0x90, resultlength:0x30, handle:0x53C,
\S-1-5-21-2360094602-2602383397-2463990887-1001"
pid:4092, tid:1488, tick:0x33D700F, lvl:OK, func:NtSetValueKey, status:0x0, name
:"ProxyBypass", index:0x0, type:0x4, size:0x4, handle:0x54C, path:"\REGISTRY\USE
R\S-1-5-21-2360094602-2602383397-2463990887-1001\SOFTWARE\Microsoft\Windows\Curr
entVersion\Internet Settings\ZoneMap"
\S-1-5-21-2360094602-2602383397-2463990887-1001"
3C
:"IntranetName", index:0x0, type:0x4, size:0x4, handle:0x54C, path:"\REGISTRY\US
ER\S-1-5-21-2360094602-2602383397-2463990887-1001\SOFTWARE\Microsoft\Windows\Cur
rentVersion\Internet Settings\ZoneMap"
38
30
:"UNCAsIntranet", index:0x0, type:0x4, size:0x4, handle:0x54C, path:"\REGISTRY\U
SER\S-1-5-21-2360094602-2602383397-2463990887-1001\SOFTWARE\Microsoft\Windows\Cu
rrentVersion\Internet Settings\ZoneMap"
44
:"AutoDetect", index:0x0, type:0x4, size:0x4, handle:0x54C, path:"\REGISTRY\USER
\S-1-5-21-2360094602-2602383397-2463990887-1001\SOFTWARE\Microsoft\Windows\Curre
ntVersion\Internet Settings\ZoneMap"
4C
48
40
address:0x3760000, zerobits:0x0, commitsize:0x0, offset:0x1E0000, viewsize:0x10
pid:4092, tid:2168, tick:0x33D700F, lvl:OK, func:NtUnmapViewOfSection, status:0x
0, address:0x5A0000
pid:4092, tid:2168, tick:0x33D700F, lvl:LOG, func:RecurseDirectoryConfig, log:"A
dding directory Portalbe firefox with flags: 6."

44
ttings\Zones\2"
0, address:0x3760000
0, address:0x5A0000
48
40
pid:4092, tid:2168, tick:0x33D700F, lvl:OK, func:NtCreateFile, status:0x0, handl
7, disposition:0x1, options:0x64, path:"C:\Users\i92segoa\Documents\desktop.ini"
pid:4092, tid:2168, tick:0x33D700F, lvl:OK, func:NtQueryInformationFile, status:
"C:\Users\i92segoa\Documents\desktop.ini"
pid:4092, tid:2168, tick:0x33D700F, lvl:OK, func:NtReadFile, status:0x0, iostatu
s:0x0, information:0x192, length:0x194, handle:0x544, path:"C:\Users\i92segoa\Do
cuments\desktop.ini"
"C:\Users\i92segoa\Documents\desktop.ini"

ttings\Zones\3"
44
indows\CurrentVersion\Explorer\FolderDescriptions\{A0C69A99-21C8-4671-8703-79341
62FCF1D}"
48
44
40
olderDescriptions\{A0C69A99-21C8-4671-8703-7934162FCF1D}"
rDescriptions\{A0C69A99-21C8-4671-8703-7934162FCF1D}"
n\Explorer\FolderDescriptions\{A0C69A99-21C8-4671-8703-7934162FCF1D}"
\Explorer\FolderDescriptions\{A0C69A99-21C8-4671-8703-7934162FCF1D}"
er\FolderDescriptions\{A0C69A99-21C8-4671-8703-7934162FCF1D}"

ttings\Zones\4"
\Explorer\FolderDescriptions\{A0C69A99-21C8-4671-8703-7934162FCF1D}"
r\FolderDescriptions\{A0C69A99-21C8-4671-8703-7934162FCF1D}"
me:"InfoTip", class:0x2, length:0x90, resultlength:0x60, handle:0x530, path:"\RE
GISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Fo
lderDescriptions\{A0C69A99-21C8-4671-8703-7934162FCF1D}"
rer\FolderDescriptions\{A0C69A99-21C8-4671-8703-7934162FCF1D}"
rDescriptions\{A0C69A99-21C8-4671-8703-7934162FCF1D}"
48
plorer\FolderDescriptions\{A0C69A99-21C8-4671-8703-7934162FCF1D}"
40
ion\Explorer\FolderDescriptions\{A0C69A99-21C8-4671-8703-7934162FCF1D}"
pid:4092, tid:1488, tick:0x33D700F, lvl:LOG, func:NtEnumerateKey, status:0x80000
01A, index:0x5, class:0x0, length:0x120, resultlength:0x0, handle:0x52C, path:"\
Windows\CurrentVersion\Internet Settings\Zones"
Version\Explorer\FolderDescriptions\{A0C69A99-21C8-4671-8703-7934162FCF1D}"
2C
ersion\Explorer\FolderDescriptions\{A0C69A99-21C8-4671-8703-7934162FCF1D}"

63990887-1001\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_L
OCALMACHINE_LOCKDOWN"
plorer\FolderDescriptions\{A0C69A99-21C8-4671-8703-7934162FCF1D}"
FolderDescriptions\{A0C69A99-21C8-4671-8703-7934162FCF1D}"
:0x52C, access:0x1, path:"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Inter
net Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN"
orer\FolderDescriptions\{A0C69A99-21C8-4671-8703-7934162FCF1D}"
tVersion\Explorer\FolderDescriptions\{A0C69A99-21C8-4671-8703-7934162FCF1D}"
0x52C, path:"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\
Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN"
sion\Explorer\FolderDescriptions\{A0C69A99-21C8-4671-8703-7934162FCF1D}"
\FolderDescriptions\{A0C69A99-21C8-4671-8703-7934162FCF1D}"
0034, name:"*", class:0x2, length:0x90, resultlength:0xAA1199, handle:0x52C, pat
reControl\FEATURE_LOCALMACHINE_LOCKDOWN"
2C
n\Explorer\FolderDescriptions\{A0C69A99-21C8-4671-8703-7934162FCF1D}"
ersion\Explorer\FolderDescriptions\{A0C69A99-21C8-4671-8703-7934162FCF1D}"
t\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\"
indows\CurrentVersion\Explorer\FolderDescriptions\{A0C69A99-21C8-4671-8703-79341
62FCF1D}\PropertyBag"
ttings\Lockdown_Zones\"
30
ttings\Lockdown_Zones\"
nownFolders"
38
97-2463990887-1001", attributes:0x0
990887-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown
_Zones\"
\CurrentVersion\Internet Settings\Lockdown_Zones"
0887-1001"
pid:4092, tid:1488, tick:0x33D700F, lvl:OK, func:NtCreateMutant, status:0x400000
00, handle:0x540, access:0x1F0001, owner:0x0, path:"\Sessions\1\BaseNamedObjects
\Local\ZonesLockedCacheCounterMutex"
s"
_Zones\0"
3C
t\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0"
0034, name:"{A0C69A99-21C8-4671-8703-7934162FCF1D}", class:0x2, length:0x90, res
olders"

63990887-1001", attributes:0x0
ttings\Lockdown_Zones\0"
\S-1-5-21-2360094602-2602383397-2463990887-1001"
\S-1-5-21-2360094602-2602383397-2463990887-1001"
3C
38
54
30
48
50
_Zones\1"
0, address:0x5A0000
0, address:0x5A0000
:0x558, access:0x2001F, path:"\REGISTRY\USER\S-1-5-21-2360094602-2602383397-2463
990887-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\
"
:"ProxyBypass", index:0x0, type:0x4, size:0x4, handle:0x558, path:"\REGISTRY\USE
entVersion\Internet Settings\ZoneMap"
7, disposition:0x1, options:0x64, path:"C:\Users\i92segoa\Music\desktop.ini"
"C:\Users\i92segoa\Music\desktop.ini"
:"IntranetName", index:0x0, type:0x4, size:0x4, handle:0x558, path:"\REGISTRY\US
rentVersion\Internet Settings\ZoneMap"
s:0x0, information:0x1F8, length:0x1FA, handle:0x550, path:"C:\Users\i92segoa\Mu
sic\desktop.ini"
:"UNCAsIntranet", index:0x0, type:0x4, size:0x4, handle:0x558, path:"\REGISTRY\U
SER\S-1-5-21-2360094602-2602383397-2463990887-1001\SOFTWARE\Microsoft\Windows\Cu
rrentVersion\Internet Settings\ZoneMap"
"C:\Users\i92segoa\Music\desktop.ini"
50
:"AutoDetect", index:0x0, type:0x4, size:0x4, handle:0x558, path:"\REGISTRY\USER
\S-1-5-21-2360094602-2602383397-2463990887-1001\SOFTWARE\Microsoft\Windows\Curre
ntVersion\Internet Settings\ZoneMap"
58
54
48
indows\CurrentVersion\Explorer\FolderDescriptions\{0DDD015D-B06C-45D5-8C4C-F5971
3854639}"
_Zones\2"
50
olderDescriptions\{0DDD015D-B06C-45D5-8C4C-F59713854639}"
me:"Name", class:0x2, length:0x90, resultlength:0x2A, handle:0x530, path:"\REGIS
rDescriptions\{0DDD015D-B06C-45D5-8C4C-F59713854639}"
n\Explorer\FolderDescriptions\{0DDD015D-B06C-45D5-8C4C-F59713854639}"
\Explorer\FolderDescriptions\{0DDD015D-B06C-45D5-8C4C-F59713854639}"
me:"RelativePath", class:0x2, length:0x90, resultlength:0x1E, handle:0x530, path
er\FolderDescriptions\{0DDD015D-B06C-45D5-8C4C-F59713854639}"
\Explorer\FolderDescriptions\{0DDD015D-B06C-45D5-8C4C-F59713854639}"
r\FolderDescriptions\{0DDD015D-B06C-45D5-8C4C-F59713854639}"

lderDescriptions\{0DDD015D-B06C-45D5-8C4C-F59713854639}"
54
rer\FolderDescriptions\{0DDD015D-B06C-45D5-8C4C-F59713854639}"
48
rDescriptions\{0DDD015D-B06C-45D5-8C4C-F59713854639}"
plorer\FolderDescriptions\{0DDD015D-B06C-45D5-8C4C-F59713854639}"
ion\Explorer\FolderDescriptions\{0DDD015D-B06C-45D5-8C4C-F59713854639}"
_Zones\3"
Version\Explorer\FolderDescriptions\{0DDD015D-B06C-45D5-8C4C-F59713854639}"
ersion\Explorer\FolderDescriptions\{0DDD015D-B06C-45D5-8C4C-F59713854639}"
plorer\FolderDescriptions\{0DDD015D-B06C-45D5-8C4C-F59713854639}"
FolderDescriptions\{0DDD015D-B06C-45D5-8C4C-F59713854639}"
orer\FolderDescriptions\{0DDD015D-B06C-45D5-8C4C-F59713854639}"
tVersion\Explorer\FolderDescriptions\{0DDD015D-B06C-45D5-8C4C-F59713854639}"
sion\Explorer\FolderDescriptions\{0DDD015D-B06C-45D5-8C4C-F59713854639}"
\FolderDescriptions\{0DDD015D-B06C-45D5-8C4C-F59713854639}"
n\Explorer\FolderDescriptions\{0DDD015D-B06C-45D5-8C4C-F59713854639}"
54
ersion\Explorer\FolderDescriptions\{0DDD015D-B06C-45D5-8C4C-F59713854639}"
48
indows\CurrentVersion\Explorer\FolderDescriptions\{0DDD015D-B06C-45D5-8C4C-F5971
3854639}\PropertyBag"
30
_Zones\4"

nownFolders"
38
97-2463990887-1001", attributes:0x0
0887-1001"
s"
3C
0034, name:"{0DDD015D-B06C-45D5-8C4C-F59713854639}", class:0x2, length:0x90, res
ultlength:0x0, handle:0x54C, path:"\REGISTRY\USER\S-1-5-21-2360094602-2602383397
olders"
64
63990887-1001", attributes:0x0
48
01A, index:0x5, class:0x0, length:0x120, resultlength:0x0, handle:0x52C, path:"\
Windows\CurrentVersion\Internet Settings\Lockdown_Zones"
2C
\S-1-5-21-2360094602-2602383397-2463990887-1001"
0034, name:"CreateUriCacheSize", class:0x2, length:0x90, resultlength:0x680000,
handle:0x3E4, path:"\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows\Curren
tVersion\Internet Settings"
\S-1-5-21-2360094602-2602383397-2463990887-1001"
3C
handle:0x3A8, path:"\REGISTRY\USER\S-1-5-21-2360094602-2602383397-2463990887-100
1\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings"
38
30
4C
0034, name:"EnablePunycode", class:0x2, length:0x90, resultlength:0x1264920, han
dle:0x3E4, path:"\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVe
dle:0x3A8, path:"\REGISTRY\USER\S-1-5-21-2360094602-2602383397-2463990887-1001\S
OFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings"
0, address:0x5A0000
dle:0x370, path:"\REGISTRY\USER\S-1-5-21-2360094602-2602383397-2463990887-1001\S
oftware\Microsoft\Windows\CurrentVersion\Internet Settings"
me:"EnablePunycode", class:0x2, length:0x90, resultlength:0x10, handle:0x3F4, pa
th:"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Inte
rnet Settings"
63990887-1001\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_A
LLOW_REVERSE_SOLIDUS_IN_USERINFO_KB932562"

\Internet Explorer\Main\FeatureControl\FEATURE_ALLOW_REVERSE_SOLIDUS_IN_USERINFO
_KB932562"
0, address:0x5A0000
SE_IETLDLIST_FOR_DOMAIN_DETERMINATION"
\Internet Explorer\Main\FeatureControl\FEATURE_USE_IETLDLIST_FOR_DOMAIN_DETERMIN
ATION"
e:0x54C, access:0x80100080, iostatus:0x0, information:0x1, attribs:0x0, share:0x
7, disposition:0x1, options:0x64, path:"C:\Users\i92segoa\Pictures\desktop.ini"
0x0, iostatus:0x0, information:0x18, length:0x18, class:0x5, handle:0x54C, path:
"C:\Users\i92segoa\Pictures\desktop.ini"
s:0x0, information:0x1F8, length:0x1FA, handle:0x54C, path:"C:\Users\i92segoa\Pi
ctures\desktop.ini"
48
14
"C:\Users\i92segoa\Pictures\desktop.ini"
orer\Security"
orer\Security"
4C

48
14
indows\CurrentVersion\Explorer\FolderDescriptions\{35286A68-3C57-41A1-BBB1-0EAE7
3D76C95}"
x0, module:"WININET.dll", handle:0x701C0000
x0, module:"WININET.dll", handle:0x701C0000
4C
, status:0x0, module:0x701C0000, name:"InternetInitializeAutoProxyDll", ordinal:
0x0, address:0x702D5790, image:0x0, caller:0x735747A8
pid:4092, tid:8264, tick:0x33D700F, lvl:OK, func:LdrUnloadDll, status:0x0, handl
e:0x701C0000
olderDescriptions\{35286A68-3C57-41A1-BBB1-0EAE73D76C95}"
, status:0x0, module:0x701C0000, name:"InternetInitializeAutoProxyDll", ordinal:
0x0, address:0x702D5790, image:0x0, caller:0x735747A8
, status:0x0, module:0x754E0000, ordinal:0x4, address:0x754FAAD0, image:0x0, cal
ler:0x72A4ABED
rDescriptions\{35286A68-3C57-41A1-BBB1-0EAE73D76C95}"
ler:0x735747A8
n\Explorer\FolderDescriptions\{35286A68-3C57-41A1-BBB1-0EAE73D76C95}"
e:0x754E0000
ler:0x735747A8

\Explorer\FolderDescriptions\{35286A68-3C57-41A1-BBB1-0EAE73D76C95}"
990887-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\
Domains\"
me:"RelativePath", class:0x2, length:0x90, resultlength:0x1A, handle:0x530, path
er\FolderDescriptions\{35286A68-3C57-41A1-BBB1-0EAE73D76C95}"
pid:4092, tid:1488, tick:0x33D700F, lvl:OK, func:NtQueryKey, status:0x0, class:0
x4, length:0xB0, resultlength:0x28, handle:0x548, path:"\REGISTRY\USER\S-1-5-212360094602-2602383397-2463990887-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\
Internet Settings\ZoneMap\Domains"
\Explorer\FolderDescriptions\{35286A68-3C57-41A1-BBB1-0EAE73D76C95}"
48
r\FolderDescriptions\{35286A68-3C57-41A1-BBB1-0EAE73D76C95}"
lderDescriptions\{35286A68-3C57-41A1-BBB1-0EAE73D76C95}"
\CurrentVersion\Internet Settings\ZoneMap\Domains\"
rer\FolderDescriptions\{35286A68-3C57-41A1-BBB1-0EAE73D76C95}"
me:"AutoDetect", class:0x2, length:0x90, resultlength:0x10, handle:0x520, path:"
\REGISTRY\USER\S-1-5-21-2360094602-2602383397-2463990887-1001\SOFTWARE\Microsoft
\Windows\CurrentVersion\Internet Settings\ZoneMap"
rDescriptions\{35286A68-3C57-41A1-BBB1-0EAE73D76C95}"
Domains\"
me:"IntranetName", class:0x2, length:0x90, resultlength:0x10, handle:0x520, path
ft\Windows\CurrentVersion\Internet Settings\ZoneMap"
plorer\FolderDescriptions\{35286A68-3C57-41A1-BBB1-0EAE73D76C95}"
Internet Settings\ZoneMap\Domains"
me:"ProxyBypass", class:0x2, length:0x90, resultlength:0x10, handle:0x520, path:
t\Windows\CurrentVersion\Internet Settings\ZoneMap"
ion\Explorer\FolderDescriptions\{35286A68-3C57-41A1-BBB1-0EAE73D76C95}"
14
, status:0x0, module:0x701C0000, name:"IsHostInProxyBypassList", ordinal:0x0, ad
dress:0x702C22D0, image:0x0, caller:0x735747A8
Version\Explorer\FolderDescriptions\{35286A68-3C57-41A1-BBB1-0EAE73D76C95}"
ersion\Explorer\FolderDescriptions\{35286A68-3C57-41A1-BBB1-0EAE73D76C95}"
\CurrentVersion\Internet Settings\ZoneMap\Domains\"
48
plorer\FolderDescriptions\{35286A68-3C57-41A1-BBB1-0EAE73D76C95}"
me:"AutoDetect", class:0x2, length:0x90, resultlength:0x10, handle:0x520, path:"
\Windows\CurrentVersion\Internet Settings\ZoneMap"
FolderDescriptions\{35286A68-3C57-41A1-BBB1-0EAE73D76C95}"
ProtocolDefaults\"
me:"IntranetName", class:0x2, length:0x90, resultlength:0x10, handle:0x520, path
ft\Windows\CurrentVersion\Internet Settings\ZoneMap"
orer\FolderDescriptions\{35286A68-3C57-41A1-BBB1-0EAE73D76C95}"
Internet Settings\ZoneMap\ProtocolDefaults"
me:"ProxyBypass", class:0x2, length:0x90, resultlength:0x10, handle:0x520, path:
t\Windows\CurrentVersion\Internet Settings\ZoneMap"

tVersion\Explorer\FolderDescriptions\{35286A68-3C57-41A1-BBB1-0EAE73D76C95}"
pid:4092, tid:1488, tick:0x33D700F, lvl:OK, func:NtEnumerateValueKey, status:0x0
, index:0x0, class:0x1, length:0xDC, resultlength:0x1A, handle:0x548, path:"\REG
dows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults"
14
sion\Explorer\FolderDescriptions\{35286A68-3C57-41A1-BBB1-0EAE73D76C95}"
, index:0x1, class:0x1, length:0xDC, resultlength:0x24, handle:0x548, path:"\REG
\FolderDescriptions\{35286A68-3C57-41A1-BBB1-0EAE73D76C95}"
n\Explorer\FolderDescriptions\{35286A68-3C57-41A1-BBB1-0EAE73D76C95}"
ersion\Explorer\FolderDescriptions\{35286A68-3C57-41A1-BBB1-0EAE73D76C95}"
indows\CurrentVersion\Explorer\FolderDescriptions\{35286A68-3C57-41A1-BBB1-0EAE7
3D76C95}\PropertyBag"
30
48
ler:0x735747A8
ler:0x735747A8
nownFolders"
38
97-2463990887-1001", attributes:0x0
0034, name:"1A10", class:0x2, length:0x90, resultlength:0x331F654, handle:0x548,
path:"\REGISTRY\USER\S-1-5-21-2360094602-2602383397-2463990887-1001\SOFTWARE\Mi
crosoft\Windows\CurrentVersion\Internet Settings\Zones\3"
ntVersion\Internet Settings\Zones\3"
0887-1001"
me:"1A10", class:0x2, length:0x90, resultlength:0x10, handle:0x464, path:"\REGIS
TRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Internet Setti
ngs\Zones\3"
48
64
s"
3C
0034, name:"{35286A68-3C57-41A1-BBB1-0EAE73D76C95}", class:0x2, length:0x90, res
olders"
63990887-1001", attributes:0x0

:0x464, access:0xF, path:"\REGISTRY\USER\S-1-5-21-2360094602-2602383397-24639908
87-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache"
\S-1-5-21-2360094602-2602383397-2463990887-1001"
\S-1-5-21-2360094602-2602383397-2463990887-1001"
3C
38
30
2C
pid:4092, tid:1488, tick:0x33D700F, lvl:LOG, func:NtCreateFile, status:0xC000003
5, handle:0x0, access:0x100001, iostatus:0x43005C, information:0x720075, attribs
:0x80, share:0x3, disposition:0x2, options:0x204021, path:"C:\Users\i92segoa"
0, address:0x5A0000
0, address:0x5A0000
pid:4092, tid:1488, tick:0x33D700F, lvl:OK, func:NtQueryAttributesFile, status:0
7, disposition:0x1, options:0x64, path:"C:\Users\i92segoa\Videos\desktop.ini"
"C:\Users\i92segoa\Videos\desktop.ini"
s:0x0, information:0x1F8, length:0x1FA, handle:0x52C, path:"C:\Users\i92segoa\Vi
deos\desktop.ini"
"C:\Users\i92segoa\Videos\desktop.ini"
2C

a\Local"
indows\CurrentVersion\Explorer\FolderDescriptions\{7D83EE9B-2244-4E70-B1F5-53930
42AF1E4}"
2C
olderDescriptions\{7D83EE9B-2244-4E70-B1F5-5393042AF1E4}"
rDescriptions\{7D83EE9B-2244-4E70-B1F5-5393042AF1E4}"
n\Explorer\FolderDescriptions\{7D83EE9B-2244-4E70-B1F5-5393042AF1E4}"
\Explorer\FolderDescriptions\{7D83EE9B-2244-4E70-B1F5-5393042AF1E4}"
er\FolderDescriptions\{7D83EE9B-2244-4E70-B1F5-5393042AF1E4}"
\Explorer\FolderDescriptions\{7D83EE9B-2244-4E70-B1F5-5393042AF1E4}"
r\FolderDescriptions\{7D83EE9B-2244-4E70-B1F5-5393042AF1E4}"
lorer\FolderDescriptions\{7D83EE9B-2244-4E70-B1F5-5393042AF1E4}"
rer\FolderDescriptions\{7D83EE9B-2244-4E70-B1F5-5393042AF1E4}"
rDescriptions\{7D83EE9B-2244-4E70-B1F5-5393042AF1E4}"
a\Local\Microsoft\Windows\INetCache"

plorer\FolderDescriptions\{7D83EE9B-2244-4E70-B1F5-5393042AF1E4}"
ion\Explorer\FolderDescriptions\{7D83EE9B-2244-4E70-B1F5-5393042AF1E4}"
Version\Explorer\FolderDescriptions\{7D83EE9B-2244-4E70-B1F5-5393042AF1E4}"
ersion\Explorer\FolderDescriptions\{7D83EE9B-2244-4E70-B1F5-5393042AF1E4}"
plorer\FolderDescriptions\{7D83EE9B-2244-4E70-B1F5-5393042AF1E4}"
Cache"
pid:4092, tid:1488, tick:0x33D700F, lvl:OK, func:NtSetInformationProcess, status
FolderDescriptions\{7D83EE9B-2244-4E70-B1F5-5393042AF1E4}"
orer\FolderDescriptions\{7D83EE9B-2244-4E70-B1F5-5393042AF1E4}"
tVersion\Explorer\FolderDescriptions\{7D83EE9B-2244-4E70-B1F5-5393042AF1E4}"
sion\Explorer\FolderDescriptions\{7D83EE9B-2244-4E70-B1F5-5393042AF1E4}"
\FolderDescriptions\{7D83EE9B-2244-4E70-B1F5-5393042AF1E4}"
x0, attribs:0x10, path:"C:\Users\i92segoa\AppData\Local\Microsoft\Windows"
n\Explorer\FolderDescriptions\{7D83EE9B-2244-4E70-B1F5-5393042AF1E4}"
ersion\Explorer\FolderDescriptions\{7D83EE9B-2244-4E70-B1F5-5393042AF1E4}"
indows\CurrentVersion\Explorer\FolderDescriptions\{7D83EE9B-2244-4E70-B1F5-53930
42AF1E4}\PropertyBag"

30
Cache\Content.IE5"
nownFolders"
38
97-2463990887-1001", attributes:0x0
Cache\IE"
0887-1001"
87-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Co
ntent"
s"
:"CachePrefix", index:0x0, type:0x1, size:0x2, handle:0x554, path:"\REGISTRY\USE
entVersion\Internet Settings\5.0\Cache\Content"
3C
me:"CacheLimit", class:0x2, length:0x90, resultlength:0x10, handle:0x554, path:"
\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content"
0034, name:"{7D83EE9B-2244-4E70-B1F5-5393042AF1E4}", class:0x2, length:0x90, res
olders"
54
63990887-1001", attributes:0x0

\S-1-5-21-2360094602-2602383397-2463990887-1001"
indows\CurrentVersion\Explorer\FolderDescriptions\{2B0F765D-C0E9-4171-908E-08A61
1B84FF6}"
58
\S-1-5-21-2360094602-2602383397-2463990887-1001"
3C
olderDescriptions\{2B0F765D-C0E9-4171-908E-08A611B84FF6}"
38
30
rDescriptions\{2B0F765D-C0E9-4171-908E-08A611B84FF6}"
48
me:"ParentFolder", class:0x2, length:0x90, resultlength:0x5A, handle:0x55C, path
er\FolderDescriptions\{2B0F765D-C0E9-4171-908E-08A611B84FF6}"
\Explorer\FolderDescriptions\{2B0F765D-C0E9-4171-908E-08A611B84FF6}"
me:"RelativePath", class:0x2, length:0x90, resultlength:0x48, handle:0x55C, path
\Explorer\FolderDescriptions\{2B0F765D-C0E9-4171-908E-08A611B84FF6}"
0, address:0x5A0000
0034, name:"InfoTip", class:0x2, length:0x90, resultlength:0x48, handle:0x55C, p
lorer\FolderDescriptions\{2B0F765D-C0E9-4171-908E-08A611B84FF6}"

on\Explorer\FolderDescriptions\{2B0F765D-C0E9-4171-908E-08A611B84FF6}"
0034, name:"Icon", class:0x2, length:0x90, resultlength:0x48, handle:0x55C, path
0034, name:"Security", class:0x2, length:0x90, resultlength:0x48, handle:0x55C,
plorer\FolderDescriptions\{2B0F765D-C0E9-4171-908E-08A611B84FF6}"
ion\Explorer\FolderDescriptions\{2B0F765D-C0E9-4171-908E-08A611B84FF6}"
Version\Explorer\FolderDescriptions\{2B0F765D-C0E9-4171-908E-08A611B84FF6}"
ersion\Explorer\FolderDescriptions\{2B0F765D-C0E9-4171-908E-08A611B84FF6}"
7, disposition:0x1, options:0x64, path:"C:\Users\i92segoa\Downloads\desktop.ini"
"C:\Users\i92segoa\Downloads\desktop.ini"
0034, name:"Roamable", class:0x2, length:0x90, resultlength:0x48, handle:0x55C,
plorer\FolderDescriptions\{2B0F765D-C0E9-4171-908E-08A611B84FF6}"
s:0x0, information:0x11A, length:0x11C, handle:0x548, path:"C:\Users\i92segoa\Do
wnloads\desktop.ini"
0034, name:"PreCreate", class:0x2, length:0x90, resultlength:0x48, handle:0x55C,
xplorer\FolderDescriptions\{2B0F765D-C0E9-4171-908E-08A611B84FF6}"
"C:\Users\i92segoa\Downloads\desktop.ini"
0034, name:"Stream", class:0x2, length:0x90, resultlength:0x48, handle:0x55C, pa
orer\FolderDescriptions\{2B0F765D-C0E9-4171-908E-08A611B84FF6}"
48
tVersion\Explorer\FolderDescriptions\{2B0F765D-C0E9-4171-908E-08A611B84FF6}"
sion\Explorer\FolderDescriptions\{2B0F765D-C0E9-4171-908E-08A611B84FF6}"
0034, name:"Attributes", class:0x2, length:0x90, resultlength:0x48, handle:0x55C
Explorer\FolderDescriptions\{2B0F765D-C0E9-4171-908E-08A611B84FF6}"
n\Explorer\FolderDescriptions\{2B0F765D-C0E9-4171-908E-08A611B84FF6}"
ersion\Explorer\FolderDescriptions\{2B0F765D-C0E9-4171-908E-08A611B84FF6}"
soft\Windows\CurrentVersion\Explorer\FolderDescriptions\{2B0F765D-C0E9-4171-908E
-08A611B84FF6}\PropertyBag"
5C
nownFolders"
5C
97-2463990887-1001", attributes:0x0
indows\CurrentVersion\Explorer\FolderDescriptions\{A52BBA46-E9E1-435F-B3D9-28DAA
648C0F6}"
48
olderDescriptions\{A52BBA46-E9E1-435F-B3D9-28DAA648C0F6}"
me:"Name", class:0x2, length:0x90, resultlength:0x1E, handle:0x530, path:"\REGIS
rDescriptions\{A52BBA46-E9E1-435F-B3D9-28DAA648C0F6}"
0887-1001"
er\FolderDescriptions\{A52BBA46-E9E1-435F-B3D9-28DAA648C0F6}"
\Explorer\FolderDescriptions\{A52BBA46-E9E1-435F-B3D9-28DAA648C0F6}"
s"
er\FolderDescriptions\{A52BBA46-E9E1-435F-B3D9-28DAA648C0F6}"
58
me:"ParsingName", class:0x2, length:0x90, resultlength:0x6A, handle:0x530, path:
r\FolderDescriptions\{A52BBA46-E9E1-435F-B3D9-28DAA648C0F6}"
0034, name:"InfoTip", class:0x2, length:0x90, resultlength:0x6A, handle:0x530, p
lorer\FolderDescriptions\{A52BBA46-E9E1-435F-B3D9-28DAA648C0F6}"
me:"Cookies", class:0x2, length:0x90, resultlength:0x88, handle:0x564, path:"\RE
me:"LocalizedName", class:0x2, length:0x90, resultlength:0x6E, handle:0x530, pat
rer\FolderDescriptions\{A52BBA46-E9E1-435F-B3D9-28DAA648C0F6}"
me:"Icon", class:0x2, length:0x90, resultlength:0x5E, handle:0x530, path:"\REGIS
rDescriptions\{A52BBA46-E9E1-435F-B3D9-28DAA648C0F6}"
0034, name:"Security", class:0x2, length:0x90, resultlength:0x5E, handle:0x530,
plorer\FolderDescriptions\{A52BBA46-E9E1-435F-B3D9-28DAA648C0F6}"
54
64
0034, name:"StreamResource", class:0x2, length:0x90, resultlength:0x5E, handle:0
ion\Explorer\FolderDescriptions\{A52BBA46-E9E1-435F-B3D9-28DAA648C0F6}"
0034, name:"StreamResourceType", class:0x2, length:0x90, resultlength:0x5E, hand
Version\Explorer\FolderDescriptions\{A52BBA46-E9E1-435F-B3D9-28DAA648C0F6}"
me:"LocalRedirectOnly", class:0x2, length:0x90, resultlength:0x10, handle:0x530,
xplorer\FolderDescriptions\{A52BBA46-E9E1-435F-B3D9-28DAA648C0F6}"
plorer\FolderDescriptions\{A52BBA46-E9E1-435F-B3D9-28DAA648C0F6}"
xplorer\FolderDescriptions\{A52BBA46-E9E1-435F-B3D9-28DAA648C0F6}"
orer\FolderDescriptions\{A52BBA46-E9E1-435F-B3D9-28DAA648C0F6}"

tVersion\Explorer\FolderDescriptions\{A52BBA46-E9E1-435F-B3D9-28DAA648C0F6}"
me:"DefinitionFlags", class:0x2, length:0x90, resultlength:0x10, handle:0x530, p
lorer\FolderDescriptions\{A52BBA46-E9E1-435F-B3D9-28DAA648C0F6}"
\FolderDescriptions\{A52BBA46-E9E1-435F-B3D9-28DAA648C0F6}"
n\Explorer\FolderDescriptions\{A52BBA46-E9E1-435F-B3D9-28DAA648C0F6}"
ersion\Explorer\FolderDescriptions\{A52BBA46-E9E1-435F-B3D9-28DAA648C0F6}"
soft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A52BBA46-E9E1-435F-B3D9
-28DAA648C0F6}\PropertyBag"
30
nownFolders"
48
97-2463990887-1001", attributes:0x0
5, handle:0x0, access:0x100001, iostatus:0x6F006C, information:0x650073, attribs
:0x80, share:0x3, disposition:0x2, options:0x204021, path:"C:\Users\i92segoa"
0887-1001"
s"
38
0034, name:"{A52BBA46-E9E1-435F-B3D9-28DAA648C0F6}", class:0x2, length:0x90, res
olders"

63990887-1001", attributes:0x0
me:"ProfileImagePath", class:0x2, length:0x90, resultlength:0x30, handle:0x538,
\S-1-5-21-2360094602-2602383397-2463990887-1001"
me:"ProfileImagePath", class:0x2, length:0x90, resultlength:0x30, handle:0x538,
\S-1-5-21-2360094602-2602383397-2463990887-1001"
38
48
30
3C
a\Local"
7, disposition:0x1, options:0x64, path:"C:\Users\i92segoa\OneDrive\desktop.ini"
"C:\Users\i92segoa\OneDrive\desktop.ini"
s:0x0, information:0x63, length:0x65, handle:0x53C, path:"C:\Users\i92segoa\OneD
rive\desktop.ini"
"C:\Users\i92segoa\OneDrive\desktop.ini"
3C
a\Local\Microsoft\Windows\INetCookies"
indows\CurrentVersion\Explorer\FolderDescriptions\{0AC0837C-BBF8-452A-850D-79D08
E667CA7}"
3C
olderDescriptions\{0AC0837C-BBF8-452A-850D-79D08E667CA7}"

rDescriptions\{0AC0837C-BBF8-452A-850D-79D08E667CA7}"
n\Explorer\FolderDescriptions\{0AC0837C-BBF8-452A-850D-79D08E667CA7}"
Cookies"
\Explorer\FolderDescriptions\{0AC0837C-BBF8-452A-850D-79D08E667CA7}"
me:"ParsingName", class:0x2, length:0x90, resultlength:0x5E, handle:0x530, path:
r\FolderDescriptions\{0AC0837C-BBF8-452A-850D-79D08E667CA7}"
0034, name:"InfoTip", class:0x2, length:0x90, resultlength:0x5E, handle:0x530, p
lorer\FolderDescriptions\{0AC0837C-BBF8-452A-850D-79D08E667CA7}"
0034, name:"LocalizedName", class:0x2, length:0x90, resultlength:0x5E, handle:0x
on\Explorer\FolderDescriptions\{0AC0837C-BBF8-452A-850D-79D08E667CA7}"
x0, attribs:0x10, path:"C:\Users\i92segoa\AppData\Local\Microsoft\Windows"
0034, name:"Icon", class:0x2, length:0x90, resultlength:0x5E, handle:0x530, path
er\FolderDescriptions\{0AC0837C-BBF8-452A-850D-79D08E667CA7}"
0034, name:"Security", class:0x2, length:0x90, resultlength:0x5E, handle:0x530,
plorer\FolderDescriptions\{0AC0837C-BBF8-452A-850D-79D08E667CA7}"
0034, name:"StreamResource", class:0x2, length:0x90, resultlength:0x5E, handle:0
ion\Explorer\FolderDescriptions\{0AC0837C-BBF8-452A-850D-79D08E667CA7}"
0034, name:"StreamResourceType", class:0x2, length:0x90, resultlength:0x5E, hand
Version\Explorer\FolderDescriptions\{0AC0837C-BBF8-452A-850D-79D08E667CA7}"
0034, name:"LocalRedirectOnly", class:0x2, length:0x90, resultlength:0x5E, handl
ersion\Explorer\FolderDescriptions\{0AC0837C-BBF8-452A-850D-79D08E667CA7}"
Cookies"

0034, name:"Roamable", class:0x2, length:0x90, resultlength:0x5E, handle:0x530,
plorer\FolderDescriptions\{0AC0837C-BBF8-452A-850D-79D08E667CA7}"
0034, name:"PreCreate", class:0x2, length:0x90, resultlength:0x5E, handle:0x530,
xplorer\FolderDescriptions\{0AC0837C-BBF8-452A-850D-79D08E667CA7}"
87-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Co
okies"
0034, name:"Stream", class:0x2, length:0x90, resultlength:0x5E, handle:0x530, pa
orer\FolderDescriptions\{0AC0837C-BBF8-452A-850D-79D08E667CA7}"
0034, name:"PublishExpandedPath", class:0x2, length:0x90, resultlength:0x5E, han
tVersion\Explorer\FolderDescriptions\{0AC0837C-BBF8-452A-850D-79D08E667CA7}"
:"CachePrefix", index:0x0, type:0x1, size:0x10, handle:0x564, path:"\REGISTRY\US
rentVersion\Internet Settings\5.0\Cache\Cookies"
0034, name:"DefinitionFlags", class:0x2, length:0x90, resultlength:0x5E, handle:
sion\Explorer\FolderDescriptions\{0AC0837C-BBF8-452A-850D-79D08E667CA7}"
me:"CacheLimit", class:0x2, length:0x90, resultlength:0x10, handle:0x564, path:"
\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies"
0034, name:"Attributes", class:0x2, length:0x90, resultlength:0x5E, handle:0x530
Explorer\FolderDescriptions\{0AC0837C-BBF8-452A-850D-79D08E667CA7}"
64
0034, name:"FolderTypeID", class:0x2, length:0x90, resultlength:0x5E, handle:0x5
0034, name:"InitFolderHandler", class:0x2, length:0x90, resultlength:0x5E, handl
ersion\Explorer\FolderDescriptions\{0AC0837C-BBF8-452A-850D-79D08E667CA7}"
soft\Windows\CurrentVersion\Explorer\FolderDescriptions\{0AC0837C-BBF8-452A-850D
-79D08E667CA7}\PropertyBag"
30
indows\CurrentVersion\Explorer\FolderDescriptions\{D9DC8A3B-B784-432E-A781-5A113
0A75963}"
54
olderDescriptions\{D9DC8A3B-B784-432E-A781-5A1130A75963}"
rDescriptions\{D9DC8A3B-B784-432E-A781-5A1130A75963}"
er\FolderDescriptions\{D9DC8A3B-B784-432E-A781-5A1130A75963}"
\Explorer\FolderDescriptions\{D9DC8A3B-B784-432E-A781-5A1130A75963}"
\Explorer\FolderDescriptions\{D9DC8A3B-B784-432E-A781-5A1130A75963}"
lorer\FolderDescriptions\{D9DC8A3B-B784-432E-A781-5A1130A75963}"
on\Explorer\FolderDescriptions\{D9DC8A3B-B784-432E-A781-5A1130A75963}"
plorer\FolderDescriptions\{D9DC8A3B-B784-432E-A781-5A1130A75963}"
ion\Explorer\FolderDescriptions\{D9DC8A3B-B784-432E-A781-5A1130A75963}"
Version\Explorer\FolderDescriptions\{D9DC8A3B-B784-432E-A781-5A1130A75963}"
me:"LocalRedirectOnly", class:0x2, length:0x90, resultlength:0x10, handle:0x55C,
xplorer\FolderDescriptions\{D9DC8A3B-B784-432E-A781-5A1130A75963}"
plorer\FolderDescriptions\{D9DC8A3B-B784-432E-A781-5A1130A75963}"

0034, name:"PreCreate", class:0x2, length:0x90, resultlength:0x10, handle:0x55C,
xplorer\FolderDescriptions\{D9DC8A3B-B784-432E-A781-5A1130A75963}"
orer\FolderDescriptions\{D9DC8A3B-B784-432E-A781-5A1130A75963}"
tVersion\Explorer\FolderDescriptions\{D9DC8A3B-B784-432E-A781-5A1130A75963}"
sion\Explorer\FolderDescriptions\{D9DC8A3B-B784-432E-A781-5A1130A75963}"
0034, name:"Attributes", class:0x2, length:0x90, resultlength:0x10, handle:0x55C
Explorer\FolderDescriptions\{D9DC8A3B-B784-432E-A781-5A1130A75963}"
n\Explorer\FolderDescriptions\{D9DC8A3B-B784-432E-A781-5A1130A75963}"
ersion\Explorer\FolderDescriptions\{D9DC8A3B-B784-432E-A781-5A1130A75963}"
soft\Windows\CurrentVersion\Explorer\FolderDescriptions\{D9DC8A3B-B784-432E-A781
-5A1130A75963}\PropertyBag"
5C
nownFolders"
pid:4092, tid:2168, tick:0x33D700F, lvl:OK, func:NtOpenFile, status:0x0, handle:
path:"C:"
5C
pid:4092, tid:2168, tick:0x33D700F, lvl:OK, func:NtDeviceIoControlFile, status:0
x0, iostatus:0x0, information:0x30, code:0x4D0008, inlen:0x0, outlen:0x208, hand
le:0x530, path:"C:"
97-2463990887-1001", attributes:0x0
30
, disposition:0x1, options:0x60, path:"\??\MountPointManager"
0887-1001"
pid:4092, tid:2168, tick:0x33D700F, lvl:LOG, func:NtDeviceIoControlFile, status:
0x80000005, iostatus:0x80000005, information:0x8, code:0x6D0008, inlen:0x46, out
len:0x20, handle:0x530, path:"\??\MountPointManager"
pid:4092, tid:2168, tick:0x33D700F, lvl:OK, func:NtDeviceIoControlFile, status:0
x0, iostatus:0x0, information:0xFA, code:0x6D0008, inlen:0x46, outlen:0xFA, hand
le:0x530, path:"\??\MountPointManager"
s"
30
54
me:"History", class:0x2, length:0x90, resultlength:0x78, handle:0x558, path:"\RE
990887-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\
Volume"
990887-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\
Volume\{3095dd51-a141-42a6-8c53-8590cc53fbc1}\"
30
64
58
0005, name:"Data", class:0x2, length:0x90, resultlength:0x566, handle:0x53C, pat
oft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{3095dd51-a141-42a68c53-8590cc53fbc1}"
me:"Data", class:0x2, length:0x566, resultlength:0x566, handle:0x53C, path:"\REG
dows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{3095dd51-a141-42a6-8c53-85
90cc53fbc1}"
3C
Volume"
pid:4092, tid:2168, tick:0x33D701E, lvl:OK, func:NtClose, status:0x0, handle:0x5
3C
pid:4092, tid:1488, tick:0x33D701E, lvl:LOG, func:NtCreateFile, status:0xC000003
5, handle:0x0, access:0x100001, iostatus:0x331E528, information:0xA9206F, attrib
s:0x80, share:0x3, disposition:0x2, options:0x204021, path:"C:\Users\i92segoa"
pid:4092, tid:2168, tick:0x33D701E, lvl:OK, func:NtQueryValueKey, status:0x0, na
me:"Generation", class:0x2, length:0x90, resultlength:0x10, handle:0x530, path:"
\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{3095dd51-a141-42a6-8c5
3-8590cc53fbc1}"
30
pid:4092, tid:2168, tick:0x33D701E, lvl:OK, func:New_NtQueryInformationToken::<l
30
pid:4092, tid:11200, tick:0x33D701E, lvl:OK, func:LdrResolveDelayLoadedAPI, stat
us:0x0, module:0x76B00000
pid:4092, tid:2168, tick:0x33D701E, lvl:OK, func:NtOpenKeyEx, status:0x0, handle
Volume"
30
me:"Generation", class:0x2, length:0x90, resultlength:0x10, handle:0x53C, path:"
3-8590cc53fbc1}"
3C
pid:4092, tid:1488, tick:0x33D701E, lvl:OK, func:NtQueryAttributesFile, status:0
pid:4092, tid:11200, tick:0x33D701E, lvl:OK, func:NtDeviceIoControlFile, status:
0x0, iostatus:0x0, information:0x14, code:0x470807, inlen:0x24, outlen:0x14, han
dle:0xE4, path:"\Device\DeviceApi\CMApi"
a\Local"
0x0, iostatus:0x0, information:0x652, code:0x470807, inlen:0x24, outlen:0x652, h
andle:0xE4, path:"\Device\DeviceApi\CMApi"
pid:4092, tid:11200, tick:0x33D701E, lvl:OK, func:NtDuplicateObject, status:0x0,
targethandle:0x53C, access:0x0, inherit:0x0, options:0x2, handle:0x51C
pid:4092, tid:556, tick:0x33D701E, lvl:OK, func:NtOpenFile, status:0x0, handle:0
x508, access:0x100080, iostatus:0x0, information:0x0, share:0x3, options:0x60, p
ath:"\??\STORAGE#Volume#{db216a5e-7a80-11e5-8d6c-806e6f6e6963}#0000000012D00000#
{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"
0
pid:4092, tid:556, tick:0x33D701E, lvl:OK, func:NtQueryVolumeInformationFile, st
atus:0x0, iostatus:0x0, information:0x8, length:0x8, class:0x4, handle:0x508, pa
th:"\??\STORAGE#Volume#{db216a5e-7a80-11e5-8d6c-806e6f6e6963}#0000000012D00000#{
53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"
8
{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"
pid:4092, tid:556, tick:0x33D701E, lvl:OK, func:NtDeviceIoControlFile, status:0x
0, iostatus:0x0, information:0x30, code:0x4D0008, inlen:0x0, outlen:0x208, handl
e:0x508, path:"\??\STORAGE#Volume#{db216a5e-7a80-11e5-8d6c-806e6f6e6963}#0000000
012D00000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"
8
a\Local\Microsoft\Windows\History"
pid:4092, tid:556, tick:0x33D701E, lvl:OK, func:NtCreateFile, status:0x0, handle
:0x508, access:0x100080, iostatus:0x0, information:0x0, attribs:0x80, share:0x3,
disposition:0x1, options:0x60, path:"\??\MountPointManager"
pid:4092, tid:556, tick:0x33D701E, lvl:LOG, func:NtDeviceIoControlFile, status:0
x80000005, iostatus:0x80000005, information:0x8, code:0x6D0008, inlen:0x46, outl
en:0x20, handle:0x508, path:"\??\MountPointManager"
0, iostatus:0x0, information:0xC6, code:0x6D0008, inlen:0x46, outlen:0xC6, handl
e:0x508, path:"\??\MountPointManager"
8
x0, attribs:0x14, path:"C:\Users\i92segoa\AppData\Local\Microsoft\Windows\Histor
y"
pid:4092, tid:556, tick:0x33D701E, lvl:OK, func:LdrUnloadDll, status:0x0, handle
:0x76B00000
pid:4092, tid:11200, tick:0x33D701E, lvl:OK, func:NtClose, status:0x0, handle:0x
51C
pid:4092, tid:1488, tick:0x33D701E, lvl:OK, func:NtSetInformationProcess, status
53C
pid:4092, tid:11200, tick:0x33D701E, lvl:OK, func:NtOpenKeyEx, status:0x0, handl
e:0x53C, access:0x20019, path:"\REGISTRY\USER\S-1-5-21-2360094602-2602383397-246
3990887-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC
\Volume"
x0, attribs:0x14, path:"C:\Users\i92segoa\AppData\Local\Microsoft\Windows\Histor
y"
3990887-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC
\Volume\{53fca6f1-4120-49f1-9dc9-20f142cb1ade}\"
53C
pid:4092, tid:11200, tick:0x33D701E, lvl:LOG, func:NtQueryValueKey, status:0x800
00005, name:"Data", class:0x2, length:0x90, resultlength:0x566, handle:0x51C, pa
soft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{53fca6f1-4120-49f1
-9dc9-20f142cb1ade}"
x0, attribs:0x2016, path:"C:\Users\i92segoa\AppData\Local\Microsoft\Windows\Hist
ory\History.IE5"
pid:4092, tid:11200, tick:0x33D701E, lvl:OK, func:NtQueryValueKey, status:0x0, n
ame:"Data", class:0x2, length:0x566, resultlength:0x566, handle:0x51C, path:"\RE
ndows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{53fca6f1-4120-49f1-9dc9-2
0f142cb1ade}"
51C
:0x49C, access:0xF, path:"\REGISTRY\USER\S-1-5-21-2360094602-2602383397-24639908
87-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Hi
story"
pid:4092, tid:1488, tick:0x33D701E, lvl:OK, func:NtSetValueKey, status:0x0, name
:"CachePrefix", index:0x0, type:0x1, size:0x12, handle:0x49C, path:"\REGISTRY\US
rentVersion\Internet Settings\5.0\Cache\History"
me:"CacheLimit", class:0x2, length:0x90, resultlength:0x10, handle:0x49C, path:"
\Windows\CurrentVersion\Internet Settings\5.0\Cache\History"
\Volume"
9C
63990887-1001", attributes:0x0
\Volume\{53fca6f1-4120-49f1-9dc9-20f142cb1ade}\"
pid:4092, tid:1488, tick:0x33D701E, lvl:OK, func:LdrResolveDelayLoadedAPI, statu
51C
9C
63990887-1001", attributes:0x0
pid:4092, tid:2168, tick:0x33D701E, lvl:OK, func:NtQueryKey, status:0x0, class:0
-2360094602-2602383397-2463990887-1001_Classes"
ame:"Generation", class:0x2, length:0x90, resultlength:0x10, handle:0x53C, path:
t\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{53fca6f1-4120-49f1-9d
c9-20f142cb1ade}"
53C
9C

ath:"\??\STORAGE#Volume#{db216a5e-7a80-11e5-8d6c-806e6f6e6963}#0000005D4AE00000#
{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"
0
63990887-1001", attributes:0x0
th:"\??\STORAGE#Volume#{db216a5e-7a80-11e5-8d6c-806e6f6e6963}#0000005D4AE00000#{
53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"
9C
8
63990887-1001", attributes:0x0
9C
ath:"\??\STORAGE#Volume#{db216a5e-7a80-11e5-8d6c-806e6f6e6963}#0000005D4AE00000#
{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"
D4AE00000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"
8
8
:0x76B00000
53C
51C
\Volume"
\Volume\{558339c2-fe4c-4d34-b973-1ff5b9ee3b95}\"
51C
soft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{558339c2-fe4c-4d34
-b973-1ff5b9ee3b95}"
ndows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{558339c2-fe4c-4d34-b973-1
ff5b9ee3b95}"
53C
\Volume"
\Volume\{558339c2-fe4c-4d34-b973-1ff5b9ee3b95}\"
53C
t\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{558339c2-fe4c-4d34-b9
73-1ff5b9ee3b95}"
51C
{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"
0
th:"\??\STORAGE#Volume#{db216a5e-7a80-11e5-8d6c-806e6f6e6963}#0000005D67000000#{
53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"
8
{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"
D67000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"
8
0, iostatus:0x0, information:0xFA, code:0x6D0008, inlen:0x46, outlen:0xFA, handl
8
:0x76B00000
51C
53C
\Volume"
\Volume\{9391e3b4-adf4-4a69-b550-eac380a975b8}\"
53C
soft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{9391e3b4-adf4-4a69
-b550-eac380a975b8}"
ndows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{9391e3b4-adf4-4a69-b550-e
ac380a975b8}"
51C
\Volume"
pid:4092, tid:1488, tick:0x33D701E, lvl:WRN, func:New_NtQueryInformationToken::<
0x1, length:0x40, returnlength:0xFFFFFFF8
pid:4092, tid:1488, tick:0x33D701E, lvl:WRN, func:New_NtQueryInformationToken::<
0x1D, length:0x4, returnlength:0x0
\Volume\{9391e3b4-adf4-4a69-b550-eac380a975b8}\"
51C

60094602-2602383397-2463990887-1001_Classes"
t\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{9391e3b4-adf4-4a69-b5
50-eac380a975b8}"
53C
pid:4092, tid:1488, tick:0x33D701E, lvl:LOG, func:NtOpenKeyEx, status:0xC0000034
nownFolders"
990887-1001_Classes\Directory"
64
x3, length:0x180, resultlength:0xA2, handle:0x53A, path:"\REGISTRY\USER\S-1-5-21
-2360094602-2602383397-2463990887-1001_CLASSES\Directory"
x7, length:0x4, resultlength:0x4, handle:0x53A, path:"\REGISTRY\USER\S-1-5-21-23
60094602-2602383397-2463990887-1001_CLASSES\Directory"
:0x564, access:0x20019, path:"\REGISTRY\USER\.DEFAULT"
63990887-1001_CLASSES\Directory\ShellEx\IconHandler"
:0x504, access:0x20019, path:"\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows
\CurrentVersion\Explorer\User Shell Folders"
ath:"\??\STORAGE#Volume#{db216a5d-7a80-11e5-8d6c-806e6f6e6963}#0000000001100000#
{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"
, handle:0x0, access:0x1, path:"\Registry\Machine\Software\Classes\Directory\She
llEx\IconHandler"
64
0
-2360094602-2602383397-2463990887-1001_Classes"
60094602-2602383397-2463990887-1001_Classes"
me:"Local AppData", class:0x2, length:0x90, resultlength:0x44, handle:0x504, pat
h:"\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Us
er Shell Folders"
th:"\??\STORAGE#Volume#{db216a5d-7a80-11e5-8d6c-806e6f6e6963}#0000000001100000#{
53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"
7-2463990887-1001_Classes\Folder"
8
:0x558, access:0x20019, path:"\Registry\Machine\Software\Classes\Folder"
rrentVersion\ProfileList"
x3, length:0x180, resultlength:0x56, handle:0x55A, path:"\REGISTRY\MACHINE\SOFTW
ARE\Classes\Folder"
x7, length:0x4, resultlength:0x4, handle:0x55A, path:"\REGISTRY\MACHINE\SOFTWARE
\Classes\Folder"
ath:"\??\STORAGE#Volume#{db216a5d-7a80-11e5-8d6c-806e6f6e6963}#0000000001100000#
{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"
97-2463990887-1001", attributes:0x0
e:0x508, path:"\??\STORAGE#Volume#{db216a5d-7a80-11e5-8d6c-806e6f6e6963}#0000000
001100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"
63990887-1001_Classes\Folder\ShellEx\IconHandler"
8
64
, handle:0x0, access:0x1, path:"\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\ShellE
x\IconHandler"
-2360094602-2602383397-2463990887-1001_Classes"
60094602-2602383397-2463990887-1001_Classes"
04
7-2463990887-1001_Classes\AllFilesystemObjects"

:0x55C, access:0x20019, path:"\Registry\Machine\Software\Classes\AllFilesystemOb
jects"
ARE\Classes\AllFilesystemObjects"
\Classes\AllFilesystemObjects"
8
97-2463990887-1001", attributes:0x0
:0x76B00000
53C
63990887-1001_Classes\AllFilesystemObjects\ShellEx\IconHandler"
51C
, handle:0x0, access:0x1, path:"\REGISTRY\MACHINE\SOFTWARE\Classes\AllFilesystem
Objects\ShellEx\IconHandler"
\Volume"
:0x554, access:0x2000000, path:"\Registry\Machine\Software\Classes\Directory"
pid:4092, tid:2168, tick:0x33D701E, lvl:LOG, func:NtQueryValueKey, status:0xC000
0034, name:"DocObject", class:0x2, length:0x90, resultlength:0x0, handle:0x53A,
path:"\REGISTRY\USER\S-1-5-21-2360094602-2602383397-2463990887-1001_CLASSES\Dire
ctory"
\Volume\{3095dd51-a141-42a6-8c53-8590cc53fbc1}\"
path:"\REGISTRY\MACHINE\SOFTWARE\Classes\Directory"
51C
56

soft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{3095dd51-a141-42a6
-8c53-8590cc53fbc1}"
63990887-1001_CLASSES\Directory\DocObject"
ndows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{3095dd51-a141-42a6-8c53-8
590cc53fbc1}"
, handle:0x0, access:0x1, path:"\Registry\Machine\Software\Classes\Directory\Doc
Object"
53C
ARE\Classes\Folder"
\Classes\Folder"
97-2463990887-1001", attributes:0x0
\Volume"
397-2463990887-1001_Classes\Folder"
0034, name:"DocObject", class:0x2, length:0x90, resultlength:0x0, handle:0x55A,
path:"\REGISTRY\MACHINE\SOFTWARE\Classes\Folder"
\Volume\{3095dd51-a141-42a6-8c53-8590cc53fbc1}\"
ARE\Classes\Folder"
53C
\Classes\Folder"
97-2463990887-1001", attributes:0x0

t\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{3095dd51-a141-42a6-8c
53-8590cc53fbc1}"
63990887-1001_Classes\Folder\DocObject"
51C
, handle:0x0, access:0x1, path:"\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\DocObj
ect"
97-2463990887-1001", attributes:0x0
ath:"\??\STORAGE#Volume#{db216a5d-7a80-11e5-8d6c-806e6f6e6963}#0000003A1BD00000#
{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"
0
0034, name:"DocObject", class:0x2, length:0x90, resultlength:0x0, handle:0x55E,
path:"\REGISTRY\MACHINE\SOFTWARE\Classes\AllFilesystemObjects"
th:"\??\STORAGE#Volume#{db216a5d-7a80-11e5-8d6c-806e6f6e6963}#0000003A1BD00000#{
53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"
8
ath:"\??\STORAGE#Volume#{db216a5d-7a80-11e5-8d6c-806e6f6e6963}#0000003A1BD00000#
{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"
97-2463990887-1001", attributes:0x0
e:0x508, path:"\??\STORAGE#Volume#{db216a5d-7a80-11e5-8d6c-806e6f6e6963}#0000003
A1BD00000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"
8
63990887-1001_Classes\AllFilesystemObjects\DocObject"
Objects\DocObject"
8
:0x76B00000
51C
53C
3A, path:"\REGISTRY\USER\S-1-5-21-2360094602-2602383397-2463990887-1001_CLASSES\
Directory"
06, path:"\REGISTRY\MACHINE\SOFTWARE\Classes\Directory"
\Volume"
06
\Volume\{cf83ff88-1dd4-4efd-a654-a8dcebea22af}\"
63990887-1001_CLASSES\Directory\BrowseInPlace"

53C
, handle:0x0, access:0x1, path:"\Registry\Machine\Software\Classes\Directory\Bro
wseInPlace"
soft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{cf83ff88-1dd4-4efd
-a654-a8dcebea22af}"
ARE\Classes\Folder"
\Classes\Folder"
ndows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{cf83ff88-1dd4-4efd-a654-a
8dcebea22af}"
97-2463990887-1001", attributes:0x0
51C
397-2463990887-1001_Classes\Folder"
5A, path:"\REGISTRY\MACHINE\SOFTWARE\Classes\Folder"
ARE\Classes\Folder"
\Volume"
\Classes\Folder"
97-2463990887-1001", attributes:0x0
\Volume\{cf83ff88-1dd4-4efd-a654-a8dcebea22af}\"
63990887-1001_Classes\Folder\BrowseInPlace"
51C
, handle:0x0, access:0x1, path:"\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\Browse
InPlace"

t\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{cf83ff88-1dd4-4efd-a6
54-a8dcebea22af}"
97-2463990887-1001", attributes:0x0
53C
5E, path:"\REGISTRY\MACHINE\SOFTWARE\Classes\AllFilesystemObjects"
ath:"\??\STORAGE#Volume#{db216a5e-7a80-11e5-8d6c-806e6f6e6963}#000000E3E0D00000#
{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"
97-2463990887-1001", attributes:0x0
0
th:"\??\STORAGE#Volume#{db216a5e-7a80-11e5-8d6c-806e6f6e6963}#000000E3E0D00000#{
53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"
8
63990887-1001_Classes\AllFilesystemObjects\BrowseInPlace"
ath:"\??\STORAGE#Volume#{db216a5e-7a80-11e5-8d6c-806e6f6e6963}#000000E3E0D00000#
{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"
e:0x508, path:"\??\STORAGE#Volume#{db216a5e-7a80-11e5-8d6c-806e6f6e6963}#000000E
3E0D00000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"
Objects\BrowseInPlace"

8
63990887-1001_CLASSES\Directory\Clsid"
, handle:0x0, access:0x1, path:"\Registry\Machine\Software\Classes\Directory\Cls
id"
8
ARE\Classes\Folder"
:0x76B00000
\Classes\Folder"
53C
97-2463990887-1001", attributes:0x0
51C
63990887-1001_Classes\Folder\Clsid"
\Volume"
, handle:0x0, access:0x1, path:"\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\Clsid"
\Volume\{24912961-6cfd-4b5f-aacb-0a741b920810}\"

51C
97-2463990887-1001", attributes:0x0
00005, name:"Data", class:0x2, length:0x90, resultlength:0x566, handle:0x560, pa
soft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{24912961-6cfd-4b5f
-aacb-0a741b920810}"
63990887-1001_Classes\AllFilesystemObjects\Clsid"
ame:"Data", class:0x2, length:0x566, resultlength:0x566, handle:0x560, path:"\RE
ndows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{24912961-6cfd-4b5f-aacb-0
a741b920810}"
560
Objects\Clsid"
\Volume"
\Volume\{24912961-6cfd-4b5f-aacb-0a741b920810}\"
560
0034, name:"IsShortcut", class:0x2, length:0x90, resultlength:0x0, handle:0x53A,
path:"\REGISTRY\USER\S-1-5-21-2360094602-2602383397-2463990887-1001_CLASSES\Dir
ectory"
t\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{24912961-6cfd-4b5f-aa
cb-0a741b920810}"
51C
path:"\REGISTRY\MACHINE\SOFTWARE\Classes\Directory"
56
targethandle:0x560, access:0x0, inherit:0x0, options:0x2, handle:0x51C

ARE\Classes\Folder"
\Classes\Folder"
97-2463990887-1001", attributes:0x0
ath:"\??\STORAGE#Volume#{db216a5e-7a80-11e5-8d6c-806e6f6e6963}#0000000040500000#
{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"
397-2463990887-1001_Classes\Folder"
4
0034, name:"IsShortcut", class:0x2, length:0x90, resultlength:0x0, handle:0x55A,
path:"\REGISTRY\MACHINE\SOFTWARE\Classes\Folder"
th:"\??\STORAGE#Volume#{db216a5e-7a80-11e5-8d6c-806e6f6e6963}#0000000040500000#{
53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"
4
97-2463990887-1001", attributes:0x0
ath:"\??\STORAGE#Volume#{db216a5e-7a80-11e5-8d6c-806e6f6e6963}#0000000040500000#
{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"
040500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"
0034, name:"IsShortcut", class:0x2, length:0x90, resultlength:0x0, handle:0x55E,
path:"\REGISTRY\MACHINE\SOFTWARE\Classes\AllFilesystemObjects"
4

3A, path:"\REGISTRY\USER\S-1-5-21-2360094602-2602383397-2463990887-1001_CLASSES\
Directory"
4
me:"AlwaysShowExt", class:0x2, length:0x90, resultlength:0xE, handle:0x556, path
:"\REGISTRY\MACHINE\SOFTWARE\Classes\Directory"
:0x76B00000
56
51C
560
\Volume"
\Volume\{7200359d-96f0-4a96-9857-6e59f29ae985}\"
560
0034, name:"NeverShowExt", class:0x2, length:0x90, resultlength:0xE, handle:0x53
A, path:"\REGISTRY\USER\S-1-5-21-2360094602-2602383397-2463990887-1001_CLASSES\D
irectory"
00005, name:"Data", class:0x2, length:0x90, resultlength:0x566, handle:0x564, pa
soft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{7200359d-96f0-4a96
-9857-6e59f29ae985}"
6, path:"\REGISTRY\MACHINE\SOFTWARE\Classes\Directory"
ame:"Data", class:0x2, length:0x566, resultlength:0x566, handle:0x564, path:"\RE
ndows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{7200359d-96f0-4a96-9857-6
e59f29ae985}"
56
564
ARE\Classes\Folder"
\Volume"
\Classes\Folder"
\Volume\{7200359d-96f0-4a96-9857-6e59f29ae985}\"
97-2463990887-1001", attributes:0x0
564
ame:"Generation", class:0x2, length:0x90, resultlength:0x10, handle:0x560, path:
t\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{7200359d-96f0-4a96-98
57-6e59f29ae985}"
560
397-2463990887-1001_Classes\Folder"
A, path:"\REGISTRY\MACHINE\SOFTWARE\Classes\Folder"
pid:4092, tid:11200, tick:0x33D701E, lvl:OK, func:NtCreateFile, status:0x0, hand
le:0x560, access:0x100080, iostatus:0x0, information:0x0, attribs:0x80, share:0x
3, disposition:0x1, options:0x60, path:"\??\MountPointManager"
0x0, iostatus:0x0, information:0x6, code:0x6D0034, inlen:0x208, outlen:0x8, hand
560
97-2463990887-1001", attributes:0x0

560
E, path:"\REGISTRY\MACHINE\SOFTWARE\Classes\AllFilesystemObjects"
3A
5A
560
5E
560
-2360094602-2602383397-2463990887-1001_Classes"
60094602-2602383397-2463990887-1001_Classes"
pid:4092, tid:11200, tick:0x33D701E, lvl:LOG, func:NtDeviceIoControlFile, status
:0x80000005, iostatus:0x80000005, information:0x4, code:0x6D0034, inlen:0x208, o
utlen:0x8, handle:0x560, path:"\??\MountPointManager"
0x0, iostatus:0x0, information:0xC, code:0x6D0034, inlen:0x208, outlen:0x10, han
dle:0x560, path:"\??\MountPointManager"
7-2463990887-1001_Classes\CLSID\{F324E4F9-8496-40B2-A1FF-9617C1C9AFFE}\Instance"
560
, handle:0x0, access:0x20019, path:"\Registry\Machine\Software\Classes\CLSID\{F3
24E4F9-8496-40B2-A1FF-9617C1C9AFFE}\Instance"
pid:4092, tid:2168, tick:0x33D701E, lvl:OK, func:LdrLoadDll, status:0x0, flags:0

pid:4092, tid:2168, tick:0x33D701E, lvl:OK, func:LdrGetProcedureAddressForCaller
, status:0x0, module:0x75670000, name:"DllGetClassObject", ordinal:0x0, address:
0x757FDCA0, image:0x0, caller:0x76CCD1BF
560
pid:4092, tid:11200, tick:0x33D701E, lvl:OK, func:New_NtQueryInformationToken::<
lambda_7138ae5cd59c00b0ddad740776ba328b>::operator (), status:0x0, token:0x560,
class:0x19, length:0x800, returnlength:0x14, sid:"S-1-16-8192", attributes:0x60
pid:4092, tid:2168, tick:0x33D701E, lvl:LOG, func:NtOpenMutant, status:0xC000003
4, handle:0x0, access:0x100001, path:"\Sessions\1\BaseNamedObjects\Global\SyncRo
otManager"
560
s:0x0, module:0x75670000
560
560
560
pid:4092, tid:2168, tick:0x33D701E, lvl:OK, func:NtCreateMutant, status:0x0, han
dle:0x558, access:0x100001, owner:0x0, path:"\Sessions\1\BaseNamedObjects\Global

\SyncRootManager"
560
ntVersion\Explorer\SyncRootManager"
560
pid:4092, tid:2168, tick:0x33D701E, lvl:OK, func:NtCreateKey, status:0x0, handle
:0x554, access:0x10, title:0x0, class:"", options:0x0, disposition:0x2, path:"\R
EGISTRY\MACHINE\SOFTWARE\MICROSOFT\Windows\CurrentVersion\Explorer\SyncRootManag
er\"
560
pid:4092, tid:2168, tick:0x33D701E, lvl:OK, func:NtNotifyChangeKey, status:0x103
, event:0x56C, iostatus:0x103, information:0x0, filter:0x10000005, watch:0x1, le
ngth:0x0, async:0x1, handle:0x554, path:"\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\Wi
ndows\CurrentVersion\Explorer\SyncRootManager"
pid:4092, tid:2168, tick:0x33D701E, lvl:OK, func:NtAssociateWaitCompletionPacket
s:0x0, module:0x75670000
x4, length:0xB0, resultlength:0x28, handle:0x538, path:"\REGISTRY\MACHINE\SOFTWA
RE\MICROSOFT\Windows\CurrentVersion\Explorer\SyncRootManager"
560
pid:4092, tid:2168, tick:0x33D701E, lvl:OK, func:NtEnumerateKey, status:0x0, ind
Y\MACHINE\SOFTWARE\MICROSOFT\Windows\CurrentVersion\Explorer\SyncRootManager"
:0x574, access:0x20119, path:"\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\Windows\Curre
ntVersion\Explorer\SyncRootManager\Dropbox!S-1-5-21-2360094602-2602383397-246399
0887-1001!personal"
me:"DisplayNameResource", class:0x2, length:0x90, resultlength:0x1C, handle:0x57

4, path:"\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\Windows\CurrentVersion\Explorer\Sy
ncRootManager\Dropbox!S-1-5-21-2360094602-2602383397-2463990887-1001!personal"
560
targethandle:0x4D4, access:0x0, inherit:0x0, options:0x2, handle:0xFFFFFFFE
me:"IconResource", class:0x2, length:0x90, resultlength:0x7C, handle:0x574, path
:"\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\Windows\CurrentVersion\Explorer\SyncRootM
anager\Dropbox!S-1-5-21-2360094602-2602383397-2463990887-1001!personal"
x0, module:"C:\WINDOWS\system32\mswsock.dll", handle:0x73700000
STRY\MACHINE\SOFTWARE\MICROSOFT\Windows\CurrentVersion\Explorer\SyncRootManager\
Dropbox!S-1-5-21-2360094602-2602383397-2463990887-1001!personal"
, status:0x0, module:0x73700000, name:"WSPStartup", ordinal:0x0, address:0x7370D
350, image:0x0, caller:0x775F7454
0034, name:"Handler", class:0x2, length:0x90, resultlength:0x19E8B0, handle:0x57
4, path:"\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\Windows\CurrentVersion\Explorer\Sy
ncRootManager\Dropbox!S-1-5-21-2360094602-2602383397-2463990887-1001!personal"
560
560
:0x578, access:0x20119, path:"\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\Windows\Curre
ntVersion\Explorer\SyncRootManager\Dropbox!S-1-5-21-2360094602-2602383397-246399
0887-1001!personal\UserSyncRoots"
pid:4092, tid:11200, tick:0x33D701E, lvl:OK, func:LdrUnloadDll, status:0x0, hand
le:0x76B00000
:0x50C, access:0x20019, path:"\REGISTRY\MACHINE\SYSTEM\CurrentControlSet\Service
s\Winsock\Parameters"
pid:4092, tid:11200, tick:0x33D701E, lvl:OK, func:LdrUnloadDll, status:0x0, hand
le:0x74B20000
RE\MICROSOFT\Windows\CurrentVersion\Explorer\SyncRootManager\Dropbox!S-1-5-21-23
60094602-2602383397-2463990887-1001!personal\UserSyncRoots"
me:"Transports", class:0x2, length:0x90, resultlength:0x42, handle:0x50C, path:"
pid:4092, tid:2168, tick:0x33D701E, lvl:OK, func:NtEnumerateValueKey, status:0x0
GISTRY\MACHINE\SOFTWARE\MICROSOFT\Windows\CurrentVersion\Explorer\SyncRootManage
r\Dropbox!S-1-5-21-2360094602-2602383397-2463990887-1001!personal\UserSyncRoots"
me:"Transports", class:0x2, length:0x90, resultlength:0x42, handle:0x50C, path:"
78
0C
, handle:0x0, access:0x20119, path:"\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\Windows
\CurrentVersion\Explorer\SyncRootManager\Dropbox!S-1-5-21-2360094602-26023833972463990887-1001!personal\PendingRedirectionSyncRoots"
74
38
s\Psched\Parameters\Winsock"
58
0005, name:"Mapping", class:0x2, length:0x90, resultlength:0xA4, handle:0x50C, p
0005, name:"Mapping", class:0x2, length:0x90, resultlength:0xA4, handle:0x50C, p
me:"Mapping", class:0x2, length:0xA4, resultlength:0xA4, handle:0x50C, path:"\RE
GISTRY\MACHINE\SYSTEM\ControlSet001\Services\Psched\Parameters\Winsock"
0C
ntVersion\Explorer\KindMap"
me:".exe", class:0x2, length:0x90, resultlength:0x1C, handle:0x558, path:"\REGIS
TRY\MACHINE\SOFTWARE\MICROSOFT\Windows\CurrentVersion\Explorer\KindMap"
58
nsock\Setup Migration\Providers\Psched"
-2360094602-2602383397-2463990887-1001_Classes"
tion\Providers\Psched"

60094602-2602383397-2463990887-1001_Classes"
04
0C
7-2463990887-1001_Classes\.exe"
ARE\Classes\.exe"
me:"Mapping", class:0x2, length:0x90, resultlength:0x74, handle:0x50C, path:"\RE
\Classes\.exe"
me:"Mapping", class:0x2, length:0x90, resultlength:0x74, handle:0x50C, path:"\RE
97-2463990887-1001", attributes:0x0
0C
397-2463990887-1001_Classes\.exe"
me:"Content Type", class:0x2, length:0x90, resultlength:0x3E, handle:0x55A, path
5A
nsock\Setup Migration\Providers\Tcpip"
tion\Providers\Tcpip"
s:0x0, module:0x75670000
04
0C
-2360094602-2602383397-2463990887-1001_Classes"

60094602-2602383397-2463990887-1001_Classes"
7-2463990887-1001_Classes\.exe"
me:"MinSockaddrLength", class:0x2, length:0x90, resultlength:0x10, handle:0x50C,
path:"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Winsock"
me:"MaxSockaddrLength", class:0x2, length:0x90, resultlength:0x10, handle:0x50C,
path:"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Winsock"
ARE\Classes\.exe"
me:"UseDelayedAcceptance", class:0x2, length:0x90, resultlength:0x10, handle:0x5
0C, path:"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Winso
ck"
\Classes\.exe"
0C
97-2463990887-1001", attributes:0x0
397-2463990887-1001_Classes\.exe"
pid:4092, tid:8264, tick:0x33D701E, lvl:OK, func:NtCreateFile, status:0x0, handl
e:0x50C, access:0xC0140000, iostatus:0x0, information:0x0, attribs:0x0, share:0x
me:"", class:0x2, length:0x90, resultlength:0x1C, handle:0x55A, path:"\REGISTRY\
pid:4092, tid:8264, tick:0x33D701E, lvl:OK, func:NtDeviceIoControlFile, status:0
x0, event:0x514, iostatus:0x0, information:0x0, code:0x12047, inlen:0xA4, outlen
:0x10, handle:0x50C, path:"\Device\Afd\Endpoint"
-2360094602-2602383397-2463990887-1001_Classes"
0C
60094602-2602383397-2463990887-1001_Classes"
:0x1C, handle:0x50C, path:"\Device\Afd\Endpoint"
0C
:0x538, access:0x20019, path:"\Registry\Machine\Software\Classes\exefile"
x0, module:"C:\WINDOWS\System32\mswsock.dll", handle:0x73700000
, status:0x0, module:0x73700000, name:"NSPStartup", ordinal:0x0, address:0x7370B
530, image:0x0, caller:0x775F615C
\Classes\exefile"
97-2463990887-1001", attributes:0x0
s:0x0, module:0x73700000
r"
:0x504, access:0x20019, title:0x0, class:"Class", options:0x0, disposition:0x2,
path:"\REGISTRY\MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters"
\Classes\exefile"
s\DnsCache\Parameters"
97-2463990887-1001", attributes:0x0
t\Windows NT\DnsClient"
:0x574, access:0x20019, path:"\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\"
me:"Hostname", class:0x2, length:0x90, resultlength:0x2C, handle:0x504, path:"\R
EGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters"
3A

04
\Classes\exefile"
08
97-2463990887-1001", attributes:0x0
397-2463990887-1001_Classes\exefile"
0034, name:"IsShortcut", class:0x2, length:0x90, resultlength:0x124B208, handle:
0x576, path:"\REGISTRY\MACHINE\SOFTWARE\Classes\exefile"
\Classes\exefile"
97-2463990887-1001", attributes:0x0
7-2463990887-1001_Classes\exefile\shell\open"
:0x538, access:0x20019, path:"\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\o
pen"
08
04
x3, length:0x180, resultlength:0x6E, handle:0x53A, path:"\REGISTRY\MACHINE\SOFTW
ARE\Classes\exefile\shell\open"
\Classes\exefile\shell\open"
97-2463990887-1001", attributes:0x0
pen\"
, handle:0x0, access:0x1, path:"\REGISTRY\MACHINE\Software\Policies\Microsoft\Sy
stem\DNSClient"
x3, length:0x180, resultlength:0x6E, handle:0x562, path:"\REGISTRY\MACHINE\SOFTW
me:"Domain", class:0x2, length:0x90, resultlength:0xE, handle:0x504, path:"\REGI
STRY\MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters"
97-2463990887-1001", attributes:0x0
04
08
pen\"
pid:4092, tid:11200, tick:0x33D701E, lvl:OK, func:DnsQueryEx, status:0x57
62
lambda_7138ae5cd59c00b0ddad740776ba328b>::operator (), status:0x0, token:0x53C,
class:0x1D, length:0x4, returnlength:0x4
53C

2, handle:0x0, access:0xF003F, path:"\REGISTRY\MACHINE\System\CurrentControlSet\
Services\WinSock2\Parameters"
ndows\Explorer"
e:0x53C, access:0x20019, path:"\REGISTRY\MACHINE\System\CurrentControlSet\Servic
es\WinSock2\Parameters"
ame:"WinSock_Registry_Version", class:0x2, length:0x90, resultlength:0x14, handl
e:0x53C, path:"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Paramete
rs"
08
ame:"WinSock_Registry_Version", class:0x2, length:0x90, resultlength:0x14, handl
e:0x53C, path:"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Paramete
rs"
04
ame:"AutodialDLL", class:0x2, length:0x90, resultlength:0x4E, handle:0x53C, path
:"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters"
ame:"AutodialDLL", class:0x2, length:0x90, resultlength:0x4E, handle:0x53C, path
:"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters"
53C
indows\CurrentVersion\Explorer\FolderDescriptions\{625B53C3-AB48-4EC1-BA1F-A1EF4
146FC19}"

7C
olderDescriptions\{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}"
rDescriptions\{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}"
, handle:0x0, access:0x1, path:"\REGISTRY\MACHINE\Software\Policies\Microsoft\Sy
stem\DNSClient"
er\FolderDescriptions\{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}"
\Explorer\FolderDescriptions\{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}"
pid:4092, tid:11200, tick:0x33D701E, lvl:LOG, func:NtOpenSection, status:0xC0000
034, handle:0x0, access:0xF, path:"\KnownDlls32\rasadhlp.dll"
04
08
\Explorer\FolderDescriptions\{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}"
lorer\FolderDescriptions\{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}"
rer\FolderDescriptions\{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}"

plorer\FolderDescriptions\{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}"
pid:4092, tid:11200, tick:0x33D701E, lvl:OK, func:NtQueryAttributesFile, status:
0x0, attribs:0x20, path:"C:\Windows\System32\rasadhlp.dll"
ion\Explorer\FolderDescriptions\{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}"
Version\Explorer\FolderDescriptions\{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}"
ersion\Explorer\FolderDescriptions\{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}"
plorer\FolderDescriptions\{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}"
FolderDescriptions\{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}"
orer\FolderDescriptions\{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}"
08
tVersion\Explorer\FolderDescriptions\{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}"
04
sion\Explorer\FolderDescriptions\{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}"
\FolderDescriptions\{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}"
pid:4092, tid:11200, tick:0x33D701E, lvl:OK, func:NtOpenFile, status:0x0, handle
:0x53C, access:0x100021, iostatus:0x0, information:0x1, share:0x5, options:0x60,
path:"C:\Windows\System32\rasadhlp.dll"

n\Explorer\FolderDescriptions\{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}"
pid:4092, tid:11200, tick:0x33D701E, lvl:OK, func:NtCreateSection, status:0x0, h
andle:0x548, access:0xF, pageattribs:0x10, sectionattribs:0x1000000, file:0x53C
ersion\Explorer\FolderDescriptions\{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}"
soft\Windows\CurrentVersion\Explorer\FolderDescriptions\{625B53C3-AB48-4EC1-BA1F
-A1EF4146FC19}\PropertyBag"
pid:4092, tid:11200, tick:0x33D701E, lvl:OK, func:NtMapViewOfSection, status:0x0
, address:0x6EFD0000, zerobits:0x0, commitsize:0x0, viewsize:0x8000, disposition
:0x1, type:0x800000, protect:0x4, handle:0x548, path:"C:\Windows\System32\rasadh
lp.dll"
80
, handle:0x0, access:0x1, path:"\REGISTRY\MACHINE\System\CurrentControlSet\Servi
ces\DNS"
0034, name:"QueryAdapterName", class:0x2, length:0x90, resultlength:0x5, handle:
0x508, path:"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters
"
0034, name:"DisableAdapterDomainName", class:0x2, length:0x90, resultlength:0xE,
handle:0x504, path:"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Param
eters"
0034, name:"UseDomainNameDevolution", class:0x2, length:0x90, resultlength:0x5,
handle:0x508, path:"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Par
ameters"
me:"UseDomainNameDevolution", class:0x2, length:0x90, resultlength:0x10, handle:
0x504, path:"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters"
nownFolders"
548
0034, name:"DomainNameDevolutionLevel", class:0x2, length:0x90, resultlength:0x1
0, handle:0x508, path:"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Dnscache\
Parameters"

80
0034, name:"PrioritizeRecordData", class:0x2, length:0x90, resultlength:0x10, ha
ndle:0x508, path:"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Param
eters"
97-2463990887-1001", attributes:0x0
53C
0034, name:"PrioritizeRecordData", class:0x2, length:0x90, resultlength:0x10, ha
ndle:0x504, path:"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Paramete
rs"
0034, name:"AllowUnqualifiedQuery", class:0x2, length:0x90, resultlength:0x10, h
andle:0x508, path:"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Para
meters"
pid:4092, tid:11200, tick:0x33D701E, lvl:OK, func:LdrLoadDll, status:0x0, flags:
0x0, module:"C:\Windows\System32\rasadhlp.dll", handle:0x6EFD0000
0034, name:"AllowUnqualifiedQuery", class:0x2, length:0x90, resultlength:0x10, h
andle:0x504, path:"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Paramet
ers"
pid:4092, tid:11200, tick:0x33D701E, lvl:OK, func:LdrGetProcedureAddressForCalle
r, status:0x0, module:0x6EFD0000, name:"WSAttemptAutodialAddr", ordinal:0x0, add
ress:0x6EFD26E0, image:0x0, caller:0x775F5F74
0034, name:"AppendToMultiLabelName", class:0x2, length:0x90, resultlength:0x10,
ameters"
r, status:0x0, module:0x6EFD0000, name:"WSAttemptAutodialName", ordinal:0x0, add
ress:0x6EFD1500, image:0x0, caller:0x775F5F8A
0034, name:"ScreenBadTlds", class:0x2, length:0x90, resultlength:0x10, handle:0x
508, path:"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters"
pid:4092, tid:2168, tick:0x33D701E, lvl:OK, func:NtOpenKey, status:0x0, handle:0
0887-1001"
r, status:0x0, module:0x6EFD0000, name:"WSNoteSuccessfulHostentLookup", ordinal:
0x0, address:0x6EFD27C0, image:0x0, caller:0x775F5FA0
0034, name:"ScreenUnreachableServers", class:0x2, length:0x90, resultlength:0x10
, handle:0x508, path:"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Dnscache\P
arameters"
0034, name:"ScreenDefaultServers", class:0x2, length:0x90, resultlength:0x10, ha
eters"
34, handle:0x0, access:0x3, iostatus:0x31DF534, information:0x14, attribs:0x80,
share:0x3, disposition:0x3, options:0x0, path:"\Device\RasAcd"
0034, name:"DynamicServerQueryOrder", class:0x2, length:0x90, resultlength:0x10,
handle:0x508, path:"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Pa
rameters"

s"
0034, name:"FilterClusterIp", class:0x2, length:0x90, resultlength:0x10, handle:
"
7C
0034, name:"WaitForNameErrorOnAll", class:0x2, length:0x90, resultlength:0x10, h
meters"
me:"Start Menu", class:0x2, length:0x90, resultlength:0x82, handle:0x584, path:"
\Windows\CurrentVersion\Explorer\User Shell Folders"
0034, name:"UseEdns", class:0x2, length:0x90, resultlength:0x10, handle:0x508, p
ath:"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters"
0034, name:"DnsSecureNameQueryFallback", class:0x2, length:0x90, resultlength:0x
10, handle:0x508, path:"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Dnscache
\Parameters"
60
84
0034, name:"EnableDAForAllNetworks", class:0x2, length:0x90, resultlength:0x10,
ameters"
0034, name:"DirectAccessQueryOrder", class:0x2, length:0x90, resultlength:0x10,
ameters"
0034, name:"QueryIpMatching", class:0x2, length:0x90, resultlength:0x10, handle:
"
0034, name:"UseHostsFile", class:0x2, length:0x90, resultlength:0x10, handle:0x5
0034, name:"AddrConfigControl", class:0x2, length:0x90, resultlength:0x10, handl
e:0x508, path:"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Paramete
rs"
indows\CurrentVersion\Explorer\FolderDescriptions\{A4115719-D62E-491D-AA7C-E74B8
BE3B067}"

0034, name:"DisableSmartNameResolution", class:0x2, length:0x90, resultlength:0x
\Parameters"
60
0034, name:"PreferLocalOverLowerBindingDNS", class:0x2, length:0x90, resultlengt
h:0x10, handle:0x508, path:"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Dnsc
ache\Parameters"
olderDescriptions\{A4115719-D62E-491D-AA7C-E74B8BE3B067}"
0034, name:"QueryNetBTFQDN", class:0x2, length:0x90, resultlength:0x10, handle:0
x508, path:"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters"
me:"Name", class:0x2, length:0x90, resultlength:0x30, handle:0x57C, path:"\REGIS
rDescriptions\{A4115719-D62E-491D-AA7C-E74B8BE3B067}"
0034, name:"DisableSmartProtocolReordering", class:0x2, length:0x90, resultlengt
ache\Parameters"
er\FolderDescriptions\{A4115719-D62E-491D-AA7C-E74B8BE3B067}"
0034, name:"UdpRecvBufferSize", class:0x2, length:0x90, resultlength:0x10, handl
rs"
\Explorer\FolderDescriptions\{A4115719-D62E-491D-AA7C-E74B8BE3B067}"
0034, name:"DisableParallelAandAAAA", class:0x2, length:0x90, resultlength:0x10,
rameters"
0034, name:"DisableCoalescing", class:0x2, length:0x90, resultlength:0x10, handl
rs"
\Explorer\FolderDescriptions\{A4115719-D62E-491D-AA7C-E74B8BE3B067}"
0034, name:"FilterVPNTrigger", class:0x2, length:0x90, resultlength:0x10, handle
:0x508, path:"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameter
s"
lorer\FolderDescriptions\{A4115719-D62E-491D-AA7C-E74B8BE3B067}"
0034, name:"EnableMultiHomedRouteConflicts", class:0x2, length:0x90, resultlengt
ache\Parameters"
me:"LocalizedName", class:0x2, length:0x90, resultlength:0x60, handle:0x57C, pat
rer\FolderDescriptions\{A4115719-D62E-491D-AA7C-E74B8BE3B067}"
0034, name:"RegistrationEnabled", class:0x2, length:0x90, resultlength:0x10, han
dle:0x508, path:"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parame
ters"
0034, name:"DisableDynamicUpdate", class:0x2, length:0x90, resultlength:0xE, han
dle:0x504, path:"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameter
s"
plorer\FolderDescriptions\{A4115719-D62E-491D-AA7C-E74B8BE3B067}"
0034, name:"RegisterPrimaryName", class:0x2, length:0x90, resultlength:0x10, han
ters"
ion\Explorer\FolderDescriptions\{A4115719-D62E-491D-AA7C-E74B8BE3B067}"
0034, name:"RegisterAdapterName", class:0x2, length:0x90, resultlength:0x10, han
ters"
Version\Explorer\FolderDescriptions\{A4115719-D62E-491D-AA7C-E74B8BE3B067}"
0034, name:"EnableAdapterDomainNameRegistration", class:0x2, length:0x90, result
length:0xE, handle:0x504, path:"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\
Tcpip\Parameters"
ersion\Explorer\FolderDescriptions\{A4115719-D62E-491D-AA7C-E74B8BE3B067}"
0034, name:"RegisterReverseLookup", class:0x2, length:0x90, resultlength:0x10, h
meters"
plorer\FolderDescriptions\{A4115719-D62E-491D-AA7C-E74B8BE3B067}"
0034, name:"DisableReverseAddressRegistrations", class:0x2, length:0x90, resultl
ength:0xE, handle:0x504, path:"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\T
cpip\Parameters"
me:"PreCreate", class:0x2, length:0x90, resultlength:0x10, handle:0x57C, path:"\
FolderDescriptions\{A4115719-D62E-491D-AA7C-E74B8BE3B067}"
0034, name:"RegisterWanAdapters", class:0x2, length:0x90, resultlength:0x10, han
ters"
orer\FolderDescriptions\{A4115719-D62E-491D-AA7C-E74B8BE3B067}"
0034, name:"DisableWanDynamicUpdate", class:0x2, length:0x90, resultlength:0xE,
handle:0x504, path:"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parame
ters"
tVersion\Explorer\FolderDescriptions\{A4115719-D62E-491D-AA7C-E74B8BE3B067}"
0034, name:"RegistrationTtl", class:0x2, length:0x90, resultlength:0x10, handle:
"
sion\Explorer\FolderDescriptions\{A4115719-D62E-491D-AA7C-E74B8BE3B067}"
0034, name:"DefaultRegistrationTTL", class:0x2, length:0x90, resultlength:0xE, h
ers"
me:"Attributes", class:0x2, length:0x90, resultlength:0x10, handle:0x57C, path:"
\FolderDescriptions\{A4115719-D62E-491D-AA7C-E74B8BE3B067}"
0034, name:"RegistrationRefreshInterval", class:0x2, length:0x90, resultlength:0
x10, handle:0x508, path:"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Dnscach
e\Parameters"
n\Explorer\FolderDescriptions\{A4115719-D62E-491D-AA7C-E74B8BE3B067}"
0034, name:"DefaultRegistrationRefreshInterval", class:0x2, length:0x90, resultl
ength:0xE, handle:0x504, path:"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\T
cpip\Parameters"
ersion\Explorer\FolderDescriptions\{A4115719-D62E-491D-AA7C-E74B8BE3B067}"
0034, name:"RegistrationMaxAddressCount", class:0x2, length:0x90, resultlength:0
e\Parameters"
0034, name:"MaxNumberOfAddressesToRegister", class:0x2, length:0x90, resultlengt
h:0xE, handle:0x504, path:"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Tcpip
\Parameters"
soft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A4115719-D62E-491D-AA7C
-E74B8BE3B067}\PropertyBag"
7C
0034, name:"UpdateSecurityLevel", class:0x2, length:0x90, resultlength:0x10, han
ters"
0034, name:"UpdateSecurityLevel", class:0x2, length:0x90, resultlength:0x10, han
dle:0x504, path:"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameter
s"
0034, name:"UpdateTopLevelDomainZones", class:0x2, length:0x90, resultlength:0x1
Parameters"
0034, name:"DowncaseSpnCauseApiOwnerIsTooLazy", class:0x2, length:0x90, resultle
ngth:0x10, handle:0x508, path:"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\D
nscache\Parameters"
nownFolders"
0034, name:"RegistrationOverwrite", class:0x2, length:0x90, resultlength:0x10, h
meters"
7C
0034, name:"MaxCacheSize", class:0x2, length:0x90, resultlength:0x10, handle:0x5
0034, name:"MaxCacheTtl", class:0x2, length:0x90, resultlength:0x10, handle:0x50
ntVersion\Explorer\User Shell Folders"
0034, name:"MaxNegativeCacheTtl", class:0x2, length:0x90, resultlength:0x10, han
ters"
0034, name:"AdapterTimeoutLimit", class:0x2, length:0x90, resultlength:0x10, han
ters"
me:"Common Start Menu", class:0x2, length:0x90, resultlength:0x62, handle:0x57C,
xplorer\User Shell Folders"
0034, name:"ServerPriorityTimeLimit", class:0x2, length:0x90, resultlength:0x10,
rameters"
0034, name:"MaxCachedSockets", class:0x2, length:0x90, resultlength:0x10, handle
s"
84
0034, name:"DisableServerUnreachability", class:0x2, length:0x90, resultlength:0
e\Parameters"
7C
0034, name:"EnableMulticast", class:0x2, length:0x90, resultlength:0x10, handle:
"
0034, name:"MulticastResponderFlags", class:0x2, length:0x90, resultlength:0x10,
rameters"
0034, name:"MulticastSenderFlags", class:0x2, length:0x90, resultlength:0x10, ha
eters"
0034, name:"MulticastSenderMaxTimeout", class:0x2, length:0x90, resultlength:0x1
Parameters"
indows\CurrentVersion\Explorer\FolderDescriptions\{AE50C081-EBD2-438A-8655-8A092
E34987A}"
84
0034, name:"DnsTest", class:0x2, length:0x90, resultlength:0x10, handle:0x508, p
ath:"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters"
olderDescriptions\{AE50C081-EBD2-438A-8655-8A092E34987A}"
0034, name:"UseCompartments", class:0x2, length:0x90, resultlength:0x10, handle:
"
rDescriptions\{AE50C081-EBD2-438A-8655-8A092E34987A}"
0034, name:"CacheAllCompartments", class:0x2, length:0x90, resultlength:0x10, ha
eters"

er\FolderDescriptions\{AE50C081-EBD2-438A-8655-8A092E34987A}"
0034, name:"UseNewRegistration", class:0x2, length:0x90, resultlength:0x10, hand
le:0x508, path:"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Paramet
ers"
\Explorer\FolderDescriptions\{AE50C081-EBD2-438A-8655-8A092E34987A}"
0034, name:"ResolverRegistration", class:0x2, length:0x90, resultlength:0x10, ha
eters"
er\FolderDescriptions\{AE50C081-EBD2-438A-8655-8A092E34987A}"
0034, name:"ResolverRegistrationOnly", class:0x2, length:0x90, resultlength:0x10
, handle:0x508, path:"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Dnscache\P
arameters"
0034, name:"ParsingName", class:0x2, length:0x90, resultlength:0x3E, handle:0x56
\Explorer\FolderDescriptions\{AE50C081-EBD2-438A-8655-8A092E34987A}"
0034, name:"NewDhcpSrvRegistration", class:0x2, length:0x90, resultlength:0x10,
ameters"
lderDescriptions\{AE50C081-EBD2-438A-8655-8A092E34987A}"
0034, name:"DirectAccessPreferLocal", class:0x2, length:0x90, resultlength:0x10,
rameters"
rer\FolderDescriptions\{AE50C081-EBD2-438A-8655-8A092E34987A}"
0034, name:"DisableIdnEncoding", class:0x2, length:0x90, resultlength:0x10, hand
le:0x508, path:"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Paramet
ers"
rDescriptions\{AE50C081-EBD2-438A-8655-8A092E34987A}"
0034, name:"EnableIdnMapping", class:0x2, length:0x90, resultlength:0x10, handle
s"
plorer\FolderDescriptions\{AE50C081-EBD2-438A-8655-8A092E34987A}"

0034, name:"TestMode_AdaptiveTimeoutHistoryLength", class:0x2, length:0x90, resu
ltlength:0x10, handle:0x508, path:"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Servic
es\Dnscache\Parameters"
ion\Explorer\FolderDescriptions\{AE50C081-EBD2-438A-8655-8A092E34987A}"
0034, name:"TestMode_AdaptiveTimeoutRecalculationInterval", class:0x2, length:0x
90, resultlength:0x10, handle:0x508, path:"\REGISTRY\MACHINE\SYSTEM\ControlSet00
1\Services\Dnscache\Parameters"
Version\Explorer\FolderDescriptions\{AE50C081-EBD2-438A-8655-8A092E34987A}"
:0x580, access:0x1, path:"\REGISTRY\MACHINE\System\Setup"
ersion\Explorer\FolderDescriptions\{AE50C081-EBD2-438A-8655-8A092E34987A}"
580, path:"\REGISTRY\MACHINE\SYSTEM\Setup"
plorer\FolderDescriptions\{AE50C081-EBD2-438A-8655-8A092E34987A}"
80
FolderDescriptions\{AE50C081-EBD2-438A-8655-8A092E34987A}"
0034, name:"DnsQueryTimeouts", class:0x2, length:0x90, resultlength:0x1258870, h
meters"
orer\FolderDescriptions\{AE50C081-EBD2-438A-8655-8A092E34987A}"
0034, name:"DnsQueryTimeouts", class:0x2, length:0x90, resultlength:0x1258870, h
ers"
tVersion\Explorer\FolderDescriptions\{AE50C081-EBD2-438A-8655-8A092E34987A}"
0034, name:"DnsQuickQueryTimeouts", class:0x2, length:0x90, resultlength:0x12588
\Parameters"
sion\Explorer\FolderDescriptions\{AE50C081-EBD2-438A-8655-8A092E34987A}"
0034, name:"DnsQuickQueryTimeouts", class:0x2, length:0x90, resultlength:0x12588

70, handle:0x504, path:"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Pa
rameters"
04
\FolderDescriptions\{AE50C081-EBD2-438A-8655-8A092E34987A}"
08
n\Explorer\FolderDescriptions\{AE50C081-EBD2-438A-8655-8A092E34987A}"
s:0x0, module:0x72170000
ersion\Explorer\FolderDescriptions\{AE50C081-EBD2-438A-8655-8A092E34987A}"
soft\Windows\CurrentVersion\Explorer\FolderDescriptions\{AE50C081-EBD2-438A-8655
-8A092E34987A}\PropertyBag"
08
60
nownFolders"
60
pid:4092, tid:8264, tick:0x33D701E, lvl:OK, func:DnsQueryEx, status:0x0
97-2463990887-1001", attributes:0x0
0887-1001"
s"
88
me:"Recent", class:0x2, length:0x90, resultlength:0x7A, handle:0x58C, path:"\REG
dows\CurrentVersion\Explorer\User Shell Folders"
pid:4092, tid:8264, tick:0x33D701E, lvl:LOG, func:NtOpenSection, status:0xC00000
34, handle:0x0, access:0xF, path:"\KnownDlls32\fwpuclnt.dll"

7C
8C
indows\CurrentVersion\Explorer\FolderDescriptions\{F38BF404-1D43-42F2-9305-67DE0
B28FC23}"
7C
x0, attribs:0x20, path:"C:\WINDOWS\System32\fwpuclnt.dll"
olderDescriptions\{F38BF404-1D43-42F2-9305-67DE0B28FC23}"
rDescriptions\{F38BF404-1D43-42F2-9305-67DE0B28FC23}"
n\Explorer\FolderDescriptions\{F38BF404-1D43-42F2-9305-67DE0B28FC23}"
\Explorer\FolderDescriptions\{F38BF404-1D43-42F2-9305-67DE0B28FC23}"
\Explorer\FolderDescriptions\{F38BF404-1D43-42F2-9305-67DE0B28FC23}"
lorer\FolderDescriptions\{F38BF404-1D43-42F2-9305-67DE0B28FC23}"
on\Explorer\FolderDescriptions\{F38BF404-1D43-42F2-9305-67DE0B28FC23}"
pid:4092, tid:8264, tick:0x33D701E, lvl:OK, func:NtOpenFile, status:0x0, handle:
path:"C:\WINDOWS\System32\fwpuclnt.dll"
er\FolderDescriptions\{F38BF404-1D43-42F2-9305-67DE0B28FC23}"
pid:4092, tid:8264, tick:0x33D701E, lvl:OK, func:NtCreateSection, status:0x0, ha

plorer\FolderDescriptions\{F38BF404-1D43-42F2-9305-67DE0B28FC23}"
ion\Explorer\FolderDescriptions\{F38BF404-1D43-42F2-9305-67DE0B28FC23}"
pid:4092, tid:8264, tick:0x33D701E, lvl:OK, func:NtMapViewOfSection, status:0x0,
address:0x6EFE0000, zerobits:0x0, commitsize:0x0, viewsize:0x47000, disposition
:0x1, type:0x800000, protect:0x4, handle:0x548, path:"C:\WINDOWS\System32\fwpucl
nt.dll"
Version\Explorer\FolderDescriptions\{F38BF404-1D43-42F2-9305-67DE0B28FC23}"
ersion\Explorer\FolderDescriptions\{F38BF404-1D43-42F2-9305-67DE0B28FC23}"
plorer\FolderDescriptions\{F38BF404-1D43-42F2-9305-67DE0B28FC23}"
xplorer\FolderDescriptions\{F38BF404-1D43-42F2-9305-67DE0B28FC23}"
orer\FolderDescriptions\{F38BF404-1D43-42F2-9305-67DE0B28FC23}"
48
tVersion\Explorer\FolderDescriptions\{F38BF404-1D43-42F2-9305-67DE0B28FC23}"
sion\Explorer\FolderDescriptions\{F38BF404-1D43-42F2-9305-67DE0B28FC23}"
3C
Explorer\FolderDescriptions\{F38BF404-1D43-42F2-9305-67DE0B28FC23}"
ersion\Explorer\FolderDescriptions\{F38BF404-1D43-42F2-9305-67DE0B28FC23}"
indows\CurrentVersion\Explorer\FolderDescriptions\{F38BF404-1D43-42F2-9305-67DE0
B28FC23}\PropertyBag"

60
x53C, access:0x9, path:"\Registry\Machine\SYSTEM\CurrentControlSet\Control\Sessi
on Manager"
8C
0034, name:"ResourcePolicies", class:0x2, length:0x18, resultlength:0x0, handle:
0x53C, path:"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SESSION MANAGER"
3C
indows\CurrentVersion\Explorer\FolderDescriptions\{1AC14E77-02E7-4E5D-B744-2EB1A
E5198B7}"
pid:4092, tid:8264, tick:0x33D702E, lvl:OK, func:NtCreateSemaphore, status:0x0,
handle:0x508, access:0x1F0003, initialcount:0x0, maxcount:0x1
60
x0, module:"C:\WINDOWS\System32\fwpuclnt.dll", handle:0x6EFE0000
olderDescriptions\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}"
rDescriptions\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}"
, status:0x0, module:0x6EFE0000, name:"NamespaceCallout", ordinal:0x0, address:0
x6EFF2070, image:0x0, caller:0x775F9787
n\Explorer\FolderDescriptions\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}"
E0
\Explorer\FolderDescriptions\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}"
\Explorer\FolderDescriptions\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}"

lorer\FolderDescriptions\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}"
on\Explorer\FolderDescriptions\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}"
er\FolderDescriptions\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}"
plorer\FolderDescriptions\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}"
ion\Explorer\FolderDescriptions\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}"
Version\Explorer\FolderDescriptions\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}"
ersion\Explorer\FolderDescriptions\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}"
plorer\FolderDescriptions\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}"
xplorer\FolderDescriptions\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}"
orer\FolderDescriptions\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}"
tVersion\Explorer\FolderDescriptions\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}"
sion\Explorer\FolderDescriptions\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}"
Explorer\FolderDescriptions\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}"

ersion\Explorer\FolderDescriptions\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}"
indows\CurrentVersion\Explorer\FolderDescriptions\{1AC14E77-02E7-4E5D-B744-2EB1A
E5198B7}\PropertyBag"
30
8C
pid:4092, tid:8264, tick:0x33D702E, lvl:OK, func:NtOpenEvent, status:0x0, handle
:0x53C, access:0x100000, path:"\Sessions\1\BaseNamedObjects\Global\BFE_Notify_Ev
ent_{a3a05c3b-90ae-4c3e-959c-1c8a488d7c6f}"
3C
indows\CurrentVersion\Explorer\FolderDescriptions\{FDD39AD0-238F-46AF-ADB4-6C854
80369C7}"
30
5C
olderDescriptions\{FDD39AD0-238F-46AF-ADB4-6C85480369C7}"
rDescriptions\{FDD39AD0-238F-46AF-ADB4-6C85480369C7}"
n\Explorer\FolderDescriptions\{FDD39AD0-238F-46AF-ADB4-6C85480369C7}"
\Explorer\FolderDescriptions\{FDD39AD0-238F-46AF-ADB4-6C85480369C7}"
er\FolderDescriptions\{FDD39AD0-238F-46AF-ADB4-6C85480369C7}"
\Explorer\FolderDescriptions\{FDD39AD0-238F-46AF-ADB4-6C85480369C7}"
:0x1C, handle:0x55C, path:"\Device\Afd\Endpoint"

r\FolderDescriptions\{FDD39AD0-238F-46AF-ADB4-6C85480369C7}"
lorer\FolderDescriptions\{FDD39AD0-238F-46AF-ADB4-6C85480369C7}"
x103, event:0x514, iostatus:0x0, information:0xC, code:0x120BF, inlen:0x18, outl
en:0xC, handle:0x55C, path:"\Device\Afd\Endpoint"
rer\FolderDescriptions\{FDD39AD0-238F-46AF-ADB4-6C85480369C7}"
5C
rDescriptions\{FDD39AD0-238F-46AF-ADB4-6C85480369C7}"
0C
plorer\FolderDescriptions\{FDD39AD0-238F-46AF-ADB4-6C85480369C7}"
ion\Explorer\FolderDescriptions\{FDD39AD0-238F-46AF-ADB4-6C85480369C7}"
x0, module:"C:\WINDOWS\system32\ws2_32", handle:0x775F0000
Version\Explorer\FolderDescriptions\{FDD39AD0-238F-46AF-ADB4-6C85480369C7}"
, status:0x0, module:0x775F0000, name:"getaddrinfo", ordinal:0x0, address:0x7760
5B80, image:0x0, caller:0x70303743
, status:0x0, module:0x775F0000, name:"getaddrinfo", ordinal:0x0, address:0x7760
5B80, image:0x0, caller:0x70303763
ersion\Explorer\FolderDescriptions\{FDD39AD0-238F-46AF-ADB4-6C85480369C7}"
, status:0x0, module:0x775F0000, name:"getnameinfo", ordinal:0x0, address:0x7760
4C90, image:0x0, caller:0x70303763
, status:0x0, module:0x775F0000, name:"freeaddrinfo", ordinal:0x0, address:0x776
064A0, image:0x0, caller:0x70303763
me:"Roamable", class:0x2, length:0x90, resultlength:0x10, handle:0x588, path:"\R
olderDescriptions\{FDD39AD0-238F-46AF-ADB4-6C85480369C7}"
FolderDescriptions\{FDD39AD0-238F-46AF-ADB4-6C85480369C7}"
orer\FolderDescriptions\{FDD39AD0-238F-46AF-ADB4-6C85480369C7}"
targethandle:0x4E0, access:0x0, inherit:0x0, options:0x2, handle:0xFFFFFFFE
tVersion\Explorer\FolderDescriptions\{FDD39AD0-238F-46AF-ADB4-6C85480369C7}"
sion\Explorer\FolderDescriptions\{FDD39AD0-238F-46AF-ADB4-6C85480369C7}"
\FolderDescriptions\{FDD39AD0-238F-46AF-ADB4-6C85480369C7}"
n\Explorer\FolderDescriptions\{FDD39AD0-238F-46AF-ADB4-6C85480369C7}"
ersion\Explorer\FolderDescriptions\{FDD39AD0-238F-46AF-ADB4-6C85480369C7}"
x0, event:0x50C, iostatus:0x0, information:0x0, code:0x12047, inlen:0xA4, outlen
indows\CurrentVersion\Explorer\FolderDescriptions\{FDD39AD0-238F-46AF-ADB4-6C854
80369C7}\PropertyBag"
88
nownFolders"
x0, attribs:0x20, path:"C:\WINDOWS\System32\mswsock.dll"
88
97-2463990887-1001", attributes:0x0
pid:4092, tid:8264, tick:0x33D702E, lvl:OK, func:NtQueryVirtualMemory, status:0x

0, address:0x2CCD898, class:0x3, length:0x14
pid:4092, tid:8264, tick:0x33D702E, lvl:OK, func:LdrUnloadDll, status:0x0, handl
e:0x73700000
0887-1001"
s"
90
e:0x73700000
me:"Personal", class:0x2, length:0x90, resultlength:0x3C, handle:0x594, path:"\R
EGISTRY\USER\S-1-5-21-2360094602-2602383397-2463990887-1001\SOFTWARE\Microsoft\W
indows\CurrentVersion\Explorer\User Shell Folders"
8C
94
e:0x73700000
indows\CurrentVersion\Explorer\FolderDescriptions\{FD228CB7-AE11-4AE3-864C-16F39
10AB8FE}"
8C
olderDescriptions\{FD228CB7-AE11-4AE3-864C-16F3910AB8FE}"
rDescriptions\{FD228CB7-AE11-4AE3-864C-16F3910AB8FE}"
er\FolderDescriptions\{FD228CB7-AE11-4AE3-864C-16F3910AB8FE}"

\Explorer\FolderDescriptions\{FD228CB7-AE11-4AE3-864C-16F3910AB8FE}"
0034, name:"RelativePath", class:0x2, length:0x90, resultlength:0x5A, handle:0x5
n\Explorer\FolderDescriptions\{FD228CB7-AE11-4AE3-864C-16F3910AB8FE}"
e:0x73700000
0034, name:"ParsingName", class:0x2, length:0x90, resultlength:0x5A, handle:0x58
\Explorer\FolderDescriptions\{FD228CB7-AE11-4AE3-864C-16F3910AB8FE}"
0034, name:"InfoTip", class:0x2, length:0x90, resultlength:0x5A, handle:0x588, p
lorer\FolderDescriptions\{FD228CB7-AE11-4AE3-864C-16F3910AB8FE}"
0034, name:"LocalizedName", class:0x2, length:0x90, resultlength:0x5A, handle:0x
on\Explorer\FolderDescriptions\{FD228CB7-AE11-4AE3-864C-16F3910AB8FE}"
0034, name:"Icon", class:0x2, length:0x90, resultlength:0x5A, handle:0x588, path
er\FolderDescriptions\{FD228CB7-AE11-4AE3-864C-16F3910AB8FE}"
0034, name:"Security", class:0x2, length:0x90, resultlength:0x5A, handle:0x588,
plorer\FolderDescriptions\{FD228CB7-AE11-4AE3-864C-16F3910AB8FE}"
0034, name:"StreamResource", class:0x2, length:0x90, resultlength:0x5A, handle:0
ion\Explorer\FolderDescriptions\{FD228CB7-AE11-4AE3-864C-16F3910AB8FE}"
e:0x73700000
0034, name:"StreamResourceType", class:0x2, length:0x90, resultlength:0x5A, hand
Version\Explorer\FolderDescriptions\{FD228CB7-AE11-4AE3-864C-16F3910AB8FE}"
0034, name:"LocalRedirectOnly", class:0x2, length:0x90, resultlength:0x5A, handl
ersion\Explorer\FolderDescriptions\{FD228CB7-AE11-4AE3-864C-16F3910AB8FE}"
0034, name:"Roamable", class:0x2, length:0x90, resultlength:0x5A, handle:0x588,
plorer\FolderDescriptions\{FD228CB7-AE11-4AE3-864C-16F3910AB8FE}"
0034, name:"PreCreate", class:0x2, length:0x90, resultlength:0x5A, handle:0x588,
xplorer\FolderDescriptions\{FD228CB7-AE11-4AE3-864C-16F3910AB8FE}"
0034, name:"Stream", class:0x2, length:0x90, resultlength:0x5A, handle:0x588, pa
orer\FolderDescriptions\{FD228CB7-AE11-4AE3-864C-16F3910AB8FE}"
0034, name:"PublishExpandedPath", class:0x2, length:0x90, resultlength:0x5A, han
tVersion\Explorer\FolderDescriptions\{FD228CB7-AE11-4AE3-864C-16F3910AB8FE}"
0034, name:"DefinitionFlags", class:0x2, length:0x90, resultlength:0x5A, handle:
sion\Explorer\FolderDescriptions\{FD228CB7-AE11-4AE3-864C-16F3910AB8FE}"
e:0x73700000
0034, name:"Attributes", class:0x2, length:0x90, resultlength:0x5A, handle:0x588
Explorer\FolderDescriptions\{FD228CB7-AE11-4AE3-864C-16F3910AB8FE}"
0034, name:"FolderTypeID", class:0x2, length:0x90, resultlength:0x5A, handle:0x5
n\Explorer\FolderDescriptions\{FD228CB7-AE11-4AE3-864C-16F3910AB8FE}"
0034, name:"InitFolderHandler", class:0x2, length:0x90, resultlength:0x5A, handl
ersion\Explorer\FolderDescriptions\{FD228CB7-AE11-4AE3-864C-16F3910AB8FE}"
indows\CurrentVersion\Explorer\FolderDescriptions\{FD228CB7-AE11-4AE3-864C-16F39
10AB8FE}\PropertyBag"
88
94
x0, attribs:0x20, path:"C:\WINDOWS\System32\wshqos.dll"
pid:4092, tid:2168, tick:0x33D702E, lvl:LOG, func:NtOpenKey, status:0xC0000034,
handle:0x0, access:0x20019, path:"\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{0000
0323-0000-0000-C000-000000000046}"
x594, access:0x20019, path:"\REGISTRY\MACHINE\Software\Microsoft\Rpc\Extensions"
me:"NdrOleExtDLL", class:0x2, length:0x21A, resultlength:0x24, handle:0x594, pat
h:"\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\Rpc\Extensions"
94
pid:4092, tid:2168, tick:0x33D702E, lvl:OK, func:LdrGetDllHandle, status:0x0, na
, status:0x0, module:0x74DC0000, name:"NdrOleInitializeExtension", ordinal:0x0,
address:0x74E96DA0, image:0x0, caller:0x770340A5
5, disposition:0x1, options:0x60, path:"C:\WINDOWS\System32\wshqos.dll"
, status:0x0, module:0x74DC0000, name:"CoGetMarshalSizeMax", ordinal:0x0, addres
s:0x74E45230, image:0x0, caller:0x74E96DFA
, status:0x0, module:0x74DC0000, name:"CoMarshalInterface", ordinal:0x0, address
:0x74E45680, image:0x0, caller:0x74E96E18

, status:0x0, module:0x74DC0000, name:"CoUnmarshalInterface", ordinal:0x0, addre
ss:0x74E406A0, image:0x0, caller:0x74E96E36
ndle:0x584, access:0x5, pageattribs:0x2, sectionattribs:0x11000000, file:0x580
, status:0x0, module:0x74DC0000, name:"StringFromIID", ordinal:0x0, address:0x74
E03710, image:0x0, caller:0x74E96E54
, status:0x0, module:0x74DC0000, name:"CoTaskMemAlloc", ordinal:0x0, address:0x7
4E7FAB0, image:0x0, caller:0x74E96E6E
, status:0x0, module:0x74DC0000, name:"CoTaskMemFree", ordinal:0x0, address:0x74
E7FBF0, image:0x0, caller:0x74E96E88
000003, address:0x5A0000, zerobits:0x0, commitsize:0x0, viewsize:0x8000, disposi
tion:0x1, type:0x800000, protect:0x2, handle:0x584, path:"C:\WINDOWS\System32\ws
hqos.dll"
, status:0x0, module:0x74DC0000, name:"CoCreateInstance", ordinal:0x0, address:0
x74E39C80, image:0x0, caller:0x74E96EA2
, status:0x0, module:0x74DC0000, name:"CoReleaseMarshalData", ordinal:0x0, addre
ss:0x74E10520, image:0x0, caller:0x74E96EBC
84
pid:4092, tid:2168, tick:0x33D702E, lvl:OK, func:CoCreateInstance, hr:0x0, clsid
:00000323-0000-0000-C000-000000000046, context:0x1, riid:00000146-0000-0000-C000
-000000000046
80
FC, class:0x1A, length:0x4, returnlength:0x4
97-2463990887-1001", attributes:0x0
0, address:0x2D799A0, class:0x3, length:0x14
pid:4092, tid:8264, tick:0x33D702E, lvl:OK, func:NtUnmapViewOfSection, status:0x
0, address:0x5A0000
pid:4092, tid:2168, tick:0x33D702E, lvl:LOG, func:Init, log:"Dropping DesiredAcc
ess from 0x20119 to 0x20019 for faulting in key \REGISTRY\USER\S-1-5-21-23600946
02-2602383397-2463990887-1001\Software\Spoon\SandboxCache\A527E666CB0D6807\roami
ng\modified\@HKCU@\"
0887-1001"
990887-1001\Software\Classes\Local Settings"
88
7-2463990887-1001_CLASSES\Local Settings\Software\Microsoft\Ole\FeatureDevelopme
ntProperties"
90
, handle:0x0, access:0x20119, path:"\REGISTRY\MACHINE\Software\Microsoft\Ole\Fea
tureDevelopmentProperties"
x590, access:0x20119, path:"\Registry\Machine\SOFTWARE\Policies\Microsoft\Window
s\Appx"
me:"AllowDevelopmentWithoutDevLicense", class:0x2, length:0x18, resultlength:0x1
0, handle:0x590, path:"\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows\App
x"
90
x590, access:0x20119, path:"\Registry\Machine\SOFTWARE\Microsoft\Windows\Current
Version\AppModelUnlock"
0034, name:"AllowDevelopmentWithoutDevLicense", class:0x2, length:0x18, resultle
ngth:0x0, handle:0x590, path:"\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\Windows\Curre
ntVersion\AppModelUnlock"
hqos.dll"
90
84
80
, status:0x0, module:0x77C10000, name:"NtQuerySystemInformation", ordinal:0x0, a
ddress:0x77C86F30, image:0x0, caller:0x74EA12A1
0, address:0x5A0000

hqos.dll"
84
80
0, address:0x5A0000
hqos.dll"
84
80
0, address:0x5A0000
pid:4092, tid:8264, tick:0x33D702E, lvl:OK, func:NtSetInformationFile, status:0x
0, iostatus:0x0, information:0x0, length:0x4, class:0x29, handle:0x55C, path:"\D
evice\Afd\Endpoint"
0, iostatus:0x0, information:0x0, length:0x4, class:0x29, handle:0x53C, path:"\D
evice\Afd\Endpoint"
0, iostatus:0x0, information:0x0, length:0x8, class:0x1E, handle:0x55C, path:"\D
evice\Afd\Endpoint"
0, iostatus:0x0, information:0x0, length:0x8, class:0x1E, handle:0x53C, path:"\D
evice\Afd\Endpoint"
x103, event:0x50C, iostatus:0x0, information:0x10, code:0x12003, inlen:0x14, out
len:0x10, handle:0x53C, path:"\Device\Afd\Endpoint"
x103, event:0x514, iostatus:0x0, information:0x10, code:0x12003, inlen:0x14, out
len:0x10, handle:0x55C, path:"\Device\Afd\Endpoint"
x0, event:0x50C, iostatus:0x0, information:0x10, code:0x1202F, inlen:0x0, outlen
x0, event:0x50C, iostatus:0x0, information:0x0, code:0x120BF, inlen:0x18, outlen
x0, event:0x514, iostatus:0x0, information:0x10, code:0x1202F, inlen:0x0, outlen

x0, event:0x50C, iostatus:0x0, information:0x0, code:0x1203B, inlen:0x10, outlen
x0, event:0x514, iostatus:0x0, information:0x0, code:0x1203B, inlen:0x10, outlen
x103, iostatus:0x103, information:0x0, code:0x120C7, inlen:0x1A, outlen:0x0, han
dle:0x53C, path:"\Device\Afd\Endpoint"
x103, iostatus:0x103, information:0x0, code:0x120C7, inlen:0x1A, outlen:0x0, han
-2360094602-2602383397-2463990887-1001_Classes"
60094602-2602383397-2463990887-1001_Classes"
7-2463990887-1001_Classes\AppID\firefox.exe"
, handle:0x0, access:0x20019, path:"\Registry\Machine\Software\Classes\AppID\fir
efox.exe"
-2360094602-2602383397-2463990887-1001_Classes"
7-2463990887-1001_Classes\AppID\firefox.exe"
, handle:0x0, access:0x20119, path:"\Registry\Machine\Software\Classes\AppID\fir

efox.exe"
:0x590, access:0x20019, path:"\REGISTRY\MACHINE\Software\Microsoft\OLE\AppCompat
"
0034, name:"RaiseDefaultAuthnLevel", class:0x2, length:0x90, resultlength:0x0, h
andle:0x590, path:"\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\OLE\AppCompat"
90
:0x590, access:0x20019, path:"\REGISTRY\MACHINE\SOFTWARE\Microsoft\OLE"
0034, name:"DefaultAccessPermission", class:0x2, length:0x90, resultlength:0x0,
handle:0x590, path:"\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\OLE"
pid:4092, tid:2168, tick:0x33D702E, lvl:LOG, func:New_NtQueryInformationToken::<
94
90
FC, class:0x1, length:0x4C, returnlength:0x24, sid:"S-1-5-21-2360094602-26023833
97-2463990887-1001", attributes:0x0
60
60
pid:4092, tid:2168, tick:0x33D702E, lvl:LOG, func:NtQueryAttributesFile, status:
0xC0000034, path:"C:\WINDOWS\system32\rpcss.dll"
pid:4092, tid:2168, tick:0x33D702E, lvl:LOG, func:LdrGetDllHandle, status:0xC000
0135, name:"C:\WINDOWS\system32\rpcss.dll"
pid:4092, tid:2168, tick:0x33D702E, lvl:LOG, func:NtOpenEvent, status:0xC0000034
, handle:0x0, access:0x100000, path:"\Sessions\1\BaseNamedObjects\MSFT.VSA.COM.D
ISABLE.4092"
pid:4092, tid:2168, tick:0x33D702E, lvl:LOG, func:NtOpenEvent, status:0xC0000034
, handle:0x0, access:0x100002, path:"\Sessions\1\BaseNamedObjects\MSFT.VSA.IEC.S
TATUS.6c736db0"
-2360094602-2602383397-2463990887-1001_Classes"
60094602-2602383397-2463990887-1001_Classes"

7-2463990887-1001_Classes\Interface\{00000134-0000-0000-C000-000000000046}"
0, address:0x5A0000
:0x588, access:0x20019, path:"\Registry\Machine\Software\Classes\Interface\{0000
0134-0000-0000-C000-000000000046}"
x3, length:0x180, resultlength:0xC2, handle:0x58A, path:"\REGISTRY\MACHINE\SOFTW
ARE\Classes\WOW6432Node\Interface\{00000134-0000-0000-C000-000000000046}"
\Classes\WOW6432Node\Interface\{00000134-0000-0000-C000-000000000046}"
97-2463990887-1001", attributes:0x0
7-2463990887-1001_Classes\WOW6432Node\Interface\{00000134-0000-0000-C000-0000000
00046}\ProxyStubClsid32"
:0x598, access:0x20019, path:"\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Int
erface\{00000134-0000-0000-C000-000000000046}\ProxyStubClsid32"
x3, length:0x188, resultlength:0xE4, handle:0x59A, path:"\REGISTRY\MACHINE\SOFTW
ARE\Classes\WOW6432Node\Interface\{00000134-0000-0000-C000-000000000046}\ProxySt
ubClsid32"
\Classes\WOW6432Node\Interface\{00000134-0000-0000-C000-000000000046}\ProxyStubC
lsid32"
97-2463990887-1001", attributes:0x0
397-2463990887-1001_Classes\WOW6432Node\Interface\{00000134-0000-0000-C000-00000
me:"", class:0x2, length:0x90, resultlength:0x5A, handle:0x59A, path:"\REGISTRY\
MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{00000134-0000-0000-C000-00000000
9A
8A
pid:4092, tid:2168, tick:0x33D702E, lvl:LOG, func:NtQuerySecurityObject, status:

C Control"
pid:4092, tid:2168, tick:0x33D702E, lvl:OK, func:NtQuerySecurityObject, status:0
ol"
88
98
C Control"
ol"

98
88
C Control"
ol"

88
98
C Control"
ol"

98
88
FC, class:0x1D, length:0x4, returnlength:0x4
9C
pid:4092, tid:13216, tick:0x33D702E, lvl:LOG, func:BaseThreadInitThunk, log:"New
thread started (via BaseThreadInitThunk) at address: 0x74E7D370, parameter: 0x7
E4530"
rsion\PropertySystem\SystemPropertyHandlers"
0034, name:".exe", class:0x2, length:0x90, resultlength:0x19E6B4, handle:0x59C,
path:"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Pr
opertySystem\SystemPropertyHandlers"
9C
rsion\PropertySystem\PropertyHandlers\.exe"
me:"", class:0x2, length:0x90, resultlength:0x5A, handle:0x59C, path:"\REGISTRY\
MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\PropertySystem\Pro
pertyHandlers\.exe"
9C
-2360094602-2602383397-2463990887-1001_Classes"
60094602-2602383397-2463990887-1001_Classes"

7-2463990887-1001_Classes\CLSID\{66742402-F9B9-11D1-A202-0000F81FEDEE}\OverrideF
ileSystemProperties"
, handle:0x0, access:0x20019, path:"\Registry\Machine\Software\Classes\CLSID\{66
742402-F9B9-11D1-A202-0000F81FEDEE}\OverrideFileSystemProperties"
-2360094602-2602383397-2463990887-1001_Classes"
60094602-2602383397-2463990887-1001_Classes"
7-2463990887-1001_Classes\CLSID\{66742402-F9B9-11D1-A202-0000F81FEDEE}"
:0x59C, access:0x20019, path:"\Registry\Machine\Software\Classes\CLSID\{66742402
-F9B9-11D1-A202-0000F81FEDEE}"
x3, length:0x188, resultlength:0xBA, handle:0x59E, path:"\REGISTRY\MACHINE\SOFTW
ARE\Classes\WOW6432Node\CLSID\{66742402-F9B9-11D1-A202-0000F81FEDEE}"
\Classes\WOW6432Node\CLSID\{66742402-F9B9-11D1-A202-0000F81FEDEE}"
97-2463990887-1001", attributes:0x0
397-2463990887-1001_Classes\WOW6432Node\CLSID\{66742402-F9B9-11D1-A202-0000F81FE
DEE}"
me:"DisableProcessIsolation", class:0x2, length:0x90, resultlength:0x10, handle:
0x59E, path:"\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66742402-F9B9
-11D1-A202-0000F81FEDEE}"
97-2463990887-1001", attributes:0x0
DEE}"
0034, name:"NoOplock", class:0x2, length:0x90, resultlength:0x10, handle:0x59E,
path:"\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66742402-F9B9-11D1-A
202-0000F81FEDEE}"
-2360094602-2602383397-2463990887-1001_Classes"
60094602-2602383397-2463990887-1001_Classes"
7-2463990887-1001_Classes\ExplorerCLSIDFlags\{66742402-F9B9-11D1-A202-0000F81FED
EE}"
, handle:0x0, access:0x20019, path:"\Registry\Machine\Software\Classes\ExplorerC
LSIDFlags\{66742402-F9B9-11D1-A202-0000F81FEDEE}"
97-2463990887-1001", attributes:0x0
DEE}"
0034, name:"UseInProcHandlerCache", class:0x2, length:0x90, resultlength:0x80000
000, handle:0x59E, path:"\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6
6742402-F9B9-11D1-A202-0000F81FEDEE}"
97-2463990887-1001", attributes:0x0
DEE}"
0034, name:"UseOutOfProcHandlerCache", class:0x2, length:0x90, resultlength:0x80
000000, handle:0x59E, path:"\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID
\{66742402-F9B9-11D1-A202-0000F81FEDEE}"
9E
x59C, access:0x20019, path:"\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{76765B11-3
F95-4AF2-AC9D-EA55D8994F1A}"
0034, name:"AppID", class:0x2, length:0x400, resultlength:0x66742402, handle:0x5
9C, path:"\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{76765B11-3F95-4A
F2-AC9D-EA55D8994F1A}"
\CLSID\{76765B11-3F95-4AF2-AC9D-EA55D8994F1A}\LocalServer32"
9C
-2360094602-2602383397-2463990887-1001_Classes"
60094602-2602383397-2463990887-1001_Classes"
7-2463990887-1001_Classes\CLSID\{76765B11-3F95-4AF2-AC9D-EA55D8994F1A}"
:0x59C, access:0x20019, path:"\Registry\Machine\Software\Classes\CLSID\{76765B11
-3F95-4AF2-AC9D-EA55D8994F1A}"
ARE\Classes\WOW6432Node\CLSID\{76765B11-3F95-4AF2-AC9D-EA55D8994F1A}"
\Classes\WOW6432Node\CLSID\{76765B11-3F95-4AF2-AC9D-EA55D8994F1A}"
97-2463990887-1001", attributes:0x0
63990887-1001_Classes\WOW6432Node\CLSID\{76765B11-3F95-4AF2-AC9D-EA55D8994F1A}\T
reatAs"
LSID\{76765B11-3F95-4AF2-AC9D-EA55D8994F1A}\TreatAs"
97-2463990887-1001", attributes:0x0
397-2463990887-1001_Classes\WOW6432Node\CLSID\{76765B11-3F95-4AF2-AC9D-EA55D8994
F1A}"
me:"", class:0x2, length:0x90, resultlength:0x52, handle:0x59E, path:"\REGISTRY\
MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{76765B11-3F95-4AF2-AC9D-EA55D8994F1A
}"
97-2463990887-1001", attributes:0x0
F1A}"
}"
97-2463990887-1001", attributes:0x0
7-2463990887-1001_Classes\WOW6432Node\CLSID\{76765B11-3F95-4AF2-AC9D-EA55D8994F1
A}\InprocServer32"
:0x5A0, access:0x20019, path:"\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLS
ID\{76765B11-3F95-4AF2-AC9D-EA55D8994F1A}\InprocServer32"
x3, length:0x188, resultlength:0xD8, handle:0x5A2, path:"\REGISTRY\MACHINE\SOFTW
ARE\Classes\WOW6432Node\CLSID\{76765B11-3F95-4AF2-AC9D-EA55D8994F1A}\InProcServe
r32"
x7, length:0x4, resultlength:0x4, handle:0x5A2, path:"\REGISTRY\MACHINE\SOFTWARE
\Classes\WOW6432Node\CLSID\{76765B11-3F95-4AF2-AC9D-EA55D8994F1A}\InProcServer32
"
97-2463990887-1001", attributes:0x0
F1A}\InProcServer32"
5A2, path:"\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{76765B11-3F95-4
AF2-AC9D-EA55D8994F1A}\InProcServer32"
r32"
"
97-2463990887-1001", attributes:0x0
me:"", class:0x2, length:0x90, resultlength:0x50, handle:0x5A2, path:"\REGISTRY\

}\InProcServer32"
r32"
"
97-2463990887-1001", attributes:0x0
}\InProcServer32"
r32"
"
97-2463990887-1001", attributes:0x0
}\InProcServer32"
r32"
"
97-2463990887-1001", attributes:0x0
me:"ThreadingModel", class:0x2, length:0x90, resultlength:0x16, handle:0x5A2, pa

th:"\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{76765B11-3F95-4AF2-AC9
D-EA55D8994F1A}\InProcServer32"
A2
97-2463990887-1001", attributes:0x0
63990887-1001_Classes\WOW6432Node\CLSID\{76765B11-3F95-4AF2-AC9D-EA55D8994F1A}\I
nprocHandler32"
LSID\{76765B11-3F95-4AF2-AC9D-EA55D8994F1A}\InprocHandler32"
97-2463990887-1001", attributes:0x0
63990887-1001_Classes\WOW6432Node\CLSID\{76765B11-3F95-4AF2-AC9D-EA55D8994F1A}\I
nprocHandler"
LSID\{76765B11-3F95-4AF2-AC9D-EA55D8994F1A}\InprocHandler"
9E
-2360094602-2602383397-2463990887-1001_Classes"
60094602-2602383397-2463990887-1001_Classes"
7-2463990887-1001_Classes\CLSID\{76765B11-3F95-4AF2-AC9D-EA55D8994F1A}"
:0x59C, access:0x20019, path:"\Registry\Machine\Software\Classes\CLSID\{76765B11
-3F95-4AF2-AC9D-EA55D8994F1A}"

97-2463990887-1001", attributes:0x0
7-2463990887-1001_Classes\WOW6432Node\CLSID\{76765B11-3F95-4AF2-AC9D-EA55D8994F1
A}\TreatAs"
de\CLSID\{76765B11-3F95-4AF2-AC9D-EA55D8994F1A}\TreatAs"
9E
:76765B11-3F95-4AF2-AC9D-EA55D8994F1A, context:0x1, riid:00000000-0000-0000-C000
-000000000046
ndows\Explorer"
-2360094602-2602383397-2463990887-1001_Classes"
60094602-2602383397-2463990887-1001_Classes"
7-2463990887-1001_Classes\CLSID\{F324E4F9-8496-40B2-A1FF-9617C1C9AFFE}\Instance"
, handle:0x0, access:0x20019, path:"\Registry\Machine\Software\Classes\CLSID\{F3
24E4F9-8496-40B2-A1FF-9617C1C9AFFE}\Instance"
0x757FDCA0, image:0x0, caller:0x76CCD1BF
\Classes\exefile"
97-2463990887-1001", attributes:0x0
397-2463990887-1001_Classes\exefile"
0034, name:"AppUserModelID", class:0x2, length:0x90, resultlength:0x20, handle:0
x576, path:"\REGISTRY\MACHINE\SOFTWARE\Classes\exefile"

\Classes\exefile"
97-2463990887-1001", attributes:0x0
63990887-1001_Classes\exefile\Application"
, handle:0x0, access:0x1, path:"\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\Appli
cation"
97-2463990887-1001", attributes:0x0
63990887-1001_Classes\exefile\shell\open\command"
:0x59C, access:0x1, path:"\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\
command"
x3, length:0x188, resultlength:0x7E, handle:0x59E, path:"\REGISTRY\MACHINE\SOFTW
ARE\Classes\exefile\shell\open\command"
\Classes\exefile\shell\open\command"
97-2463990887-1001", attributes:0x0
397-2463990887-1001_Classes\exefile\shell\open\command"
0034, name:"DelegateExecute", class:0x2, length:0x90, resultlength:0x19F3F8, han
dle:0x59E, path:"\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command"
9E
97-2463990887-1001", attributes:0x0
63990887-1001_Classes\exefile\shell\open\DropTarget"
, handle:0x0, access:0x1, path:"\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell

\open\DropTarget"
x59C, access:0x20019, path:"\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{7B8A2D94-0
AC9-11D1-896C-00C04FB6BFC4}"
0034, name:"AppID", class:0x2, length:0x400, resultlength:0x63002D, handle:0x59C
, path:"\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7B8A2D94-0AC9-11D1
-896C-00C04FB6BFC4}"
\CLSID\{7B8A2D94-0AC9-11D1-896C-00C04FB6BFC4}\LocalServer32"
9C
-2360094602-2602383397-2463990887-1001_Classes"
60094602-2602383397-2463990887-1001_Classes"
7-2463990887-1001_Classes\CLSID\{7B8A2D94-0AC9-11D1-896C-00C04FB6BFC4}"
:0x59C, access:0x20019, path:"\Registry\Machine\Software\Classes\CLSID\{7B8A2D94
-0AC9-11D1-896C-00C04FB6BFC4}"
ARE\Classes\WOW6432Node\CLSID\{7B8A2D94-0AC9-11D1-896C-00C04FB6BFC4}"
\Classes\WOW6432Node\CLSID\{7B8A2D94-0AC9-11D1-896C-00C04FB6BFC4}"
97-2463990887-1001", attributes:0x0
63990887-1001_Classes\WOW6432Node\CLSID\{7B8A2D94-0AC9-11D1-896C-00C04FB6BFC4}\T
reatAs"
LSID\{7B8A2D94-0AC9-11D1-896C-00C04FB6BFC4}\TreatAs"

97-2463990887-1001", attributes:0x0
397-2463990887-1001_Classes\WOW6432Node\CLSID\{7B8A2D94-0AC9-11D1-896C-00C04FB6B
FC4}"
me:"", class:0x2, length:0x90, resultlength:0x2E, handle:0x59E, path:"\REGISTRY\
MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7B8A2D94-0AC9-11D1-896C-00C04FB6BFC4
}"
97-2463990887-1001", attributes:0x0
FC4}"
me:"", class:0x2, length:0x90, resultlength:0x2E, handle:0x59E, path:"\REGISTRY\
}"
97-2463990887-1001", attributes:0x0
7-2463990887-1001_Classes\WOW6432Node\CLSID\{7B8A2D94-0AC9-11D1-896C-00C04FB6BFC
4}\InprocServer32"
:0x5A0, access:0x20019, path:"\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLS
ID\{7B8A2D94-0AC9-11D1-896C-00C04FB6BFC4}\InprocServer32"
ARE\Classes\WOW6432Node\CLSID\{7B8A2D94-0AC9-11D1-896C-00C04FB6BFC4}\InprocServe
r32"
\Classes\WOW6432Node\CLSID\{7B8A2D94-0AC9-11D1-896C-00C04FB6BFC4}\InprocServer32
"
97-2463990887-1001", attributes:0x0
FC4}\InprocServer32"
5A2, path:"\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7B8A2D94-0AC9-1
1D1-896C-00C04FB6BFC4}\InprocServer32"
r32"
"
97-2463990887-1001", attributes:0x0
me:"", class:0x2, length:0x90, resultlength:0x4A, handle:0x5A2, path:"\REGISTRY\
}\InprocServer32"
r32"
"
97-2463990887-1001", attributes:0x0
me:"", class:0x2, length:0x90, resultlength:0x4A, handle:0x5A2, path:"\REGISTRY\
}\InprocServer32"
r32"
"
97-2463990887-1001", attributes:0x0
me:"ThreadingModel", class:0x2, length:0x90, resultlength:0x16, handle:0x5A2, pa
th:"\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7B8A2D94-0AC9-11D1-896
C-00C04FB6BFC4}\InprocServer32"
A2
97-2463990887-1001", attributes:0x0
63990887-1001_Classes\WOW6432Node\CLSID\{7B8A2D94-0AC9-11D1-896C-00C04FB6BFC4}\I
nprocHandler32"
LSID\{7B8A2D94-0AC9-11D1-896C-00C04FB6BFC4}\InprocHandler32"
97-2463990887-1001", attributes:0x0
63990887-1001_Classes\WOW6432Node\CLSID\{7B8A2D94-0AC9-11D1-896C-00C04FB6BFC4}\I
nprocHandler"
LSID\{7B8A2D94-0AC9-11D1-896C-00C04FB6BFC4}\InprocHandler"
9E
-2360094602-2602383397-2463990887-1001_Classes"
60094602-2602383397-2463990887-1001_Classes"
7-2463990887-1001_Classes\CLSID\{7B8A2D94-0AC9-11D1-896C-00C04FB6BFC4}"
:0x59C, access:0x20019, path:"\Registry\Machine\Software\Classes\CLSID\{7B8A2D94
-0AC9-11D1-896C-00C04FB6BFC4}"
97-2463990887-1001", attributes:0x0
7-2463990887-1001_Classes\WOW6432Node\CLSID\{7B8A2D94-0AC9-11D1-896C-00C04FB6BFC
4}\TreatAs"
de\CLSID\{7B8A2D94-0AC9-11D1-896C-00C04FB6BFC4}\TreatAs"
9E
x0, module:"C:\Windows\SysWOW64\urlmon.dll", handle:0x73500000
0x73578D60, image:0x0, caller:0x74E6C7CB
pid:4092, tid:2168, tick:0x33D702E, lvl:LOG, func:LdrGetProcedureAddressForCalle
r, status:0xC0000139, module:0x73500000, name:"DllGetActivationFactory", ordinal
:0x0, image:0x0, caller:0x74E6C7DD
, status:0x0, module:0x73500000, name:"DllCanUnloadNow", ordinal:0x0, address:0x
73579820, image:0x0, caller:0x74E6C841
:7B8A2D94-0AC9-11D1-896C-00C04FB6BFC4, context:0x1, riid:79EAC9EE-BAF9-11CE-8C82
-00AA004BA90B
NITIALIZE_URLACTION_SHELLEXECUTE_TO_ALLOW_KB936610"
\Internet Explorer\Main\FeatureControl\FEATURE_INITIALIZE_URLACTION_SHELLEXECUTE
_TO_ALLOW_KB936610"
0x0, handle:0x59C, path:"\REGISTRY\USER\S-1-5-21-2360094602-2602383397-246399088
9C
:0x59C, access:0x20019, path:"\REGISTRY\MACHINE\Software\Microsoft\Internet Expl
orer\Security"
0x0, handle:0x59C, path:"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Intern
9C
x0, module:"API-MS-WIN-CORE-URL-L1-1-0.DLL", handle:0x776F0000
, status:0x0, module:0x776F0000, name:"PathCreateFromUrlW", ordinal:0x0, address
:0x77797370, image:0x0, caller:0x72A3C190

63990887-1001\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_Z
ONES_DEFAULT_DRIVE_INTRANET_KB941000"
\Internet Explorer\Main\FeatureControl\FEATURE_ZONES_DEFAULT_DRIVE_INTRANET_KB94
1000"
0034, name:"SpecialFoldersCacheSize", class:0x2, length:0x90, resultlength:0xA8,
handle:0x3E4, path:"\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows\Curre
handle:0x3A8, path:"\REGISTRY\USER\S-1-5-21-2360094602-2602383397-2463990887-10
01\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings"
x0, module:"api-ms-win-shell-shellfolders-l1-1-0.dll", handle:0x76B00000
, status:0x0, module:0x76B00000, name:"SHGetFolderPathW", ordinal:0x0, address:0
x76C87230, image:0x0, caller:0x735747A8
x0, attribs:0x80, path:"C:\Program Files (x86)\Mozilla Firefox\firefox.exe"
pid:4092, tid:2168, tick:0x33D702E, lvl:OK, func:NtOpenFile, status:0x0, handle:
0x5A4, access:0x100001, iostatus:0x0, information:0x1, share:0x7, options:0x4021
, path:"C:\Program Files (x86)\Mozilla Firefox\"
pid:4092, tid:2168, tick:0x33D702E, lvl:OK, func:NtQueryDirectoryFile, status:0x
0, iostatus:0x0, information:0x78, length:0x268, class:0x3, single:0x1, mask:"fi
refox.exe", restart:0x0, handle:0x5A4, path:"C:\Program Files (x86)\Mozilla Fire
fox"
A4
x0, attribs:0x10, path:"C:\Program Files (x86)\Mozilla Firefox"
x0, attribs:0x11, path:"C:\Program Files (x86)"
e:0x59C, access:0x120080, iostatus:0x0, information:0x0, attribs:0x0, share:0x3,
disposition:0x1, options:0x60, path:"C:\Program Files (x86)\Mozilla Firefox\fir
efox.exe"
pid:4092, tid:2168, tick:0x33D703E, lvl:WRN, func:NtQuerySecurityObject, status:
0xC000000D, class:0x10, length:0x0, requiredlength:0x0, handle:0x59C, path:"C:\P
rogram Files (x86)\Mozilla Firefox\firefox.exe"
9C
x0, module:"api-ms-win-shlwapi-ie-l1-1-0.dll", handle:0x77BC0000

, status:0x0, module:0x77BC0000, name:"PathFileExistsAndAttributesW", ordinal:0x
0, address:0x77BD5F40, image:0x0, caller:0x735747A8
pid:4092, tid:2168, tick:0x33D703E, lvl:LOG, func:NtQueryAttributesFile, status:
0xC0000034, path:"C:\Program Files (x86)\Mozilla Firefox\firefox.exe:Zone.Identi
fier"
ROTOCOL_LOCKDOWN"
:0x59C, access:0x1, path:"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Inter
net Explorer\Main\FeatureControl\FEATURE_PROTOCOL_LOCKDOWN"
0x59C, path:"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\
Main\FeatureControl\FEATURE_PROTOCOL_LOCKDOWN"
0034, name:"*", class:0x2, length:0x90, resultlength:0xAA1199, handle:0x59C, pat
reControl\FEATURE_PROTOCOL_LOCKDOWN"
9C
0034, name:"1806", class:0x2, length:0x90, resultlength:0xA90BB7, handle:0x59C,
path:"\REGISTRY\USER\S-1-5-21-2360094602-2602383397-2463990887-1001\SOFTWARE\Mic
rosoft\Windows\CurrentVersion\Internet Settings\Zones\0"
ntVersion\Internet Settings\Zones\0"
me:"1806", class:0x2, length:0x90, resultlength:0x10, handle:0x5A0, path:"\REGIS
TRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Internet Setti
ngs\Zones\0"
9C
A0
s:0x0, module:0x75670000
x5A0, access:0x20019, path:"\Registry\Machine\Software\Policies\Microsoft\Window

s\Safer\CodeIdentifiers"
0034, name:"TransparentEnabled", class:0x1, length:0x20C, resultlength:0x0, hand
le:0x5A0, path:"\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\code
identifiers"
A0
97-2463990887-1001", attributes:0x0
:0x5A0, access:0x1, path:"\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\
command"
x3, length:0x188, resultlength:0x7E, handle:0x5A2, path:"\REGISTRY\MACHINE\SOFTW
97-2463990887-1001", attributes:0x0
0034, name:"command", class:0x2, length:0x90, resultlength:0x0, handle:0x5A2, pa
th:"\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command"
A2
97-2463990887-1001", attributes:0x0
:0x5A0, access:0x1, path:"\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\
command"
x3, length:0x188, resultlength:0x7E, handle:0x5A2, path:"\REGISTRY\MACHINE\SOFTW
97-2463990887-1001", attributes:0x0
me:"", class:0x2, length:0x90, resultlength:0x1C, handle:0x5A2, path:"\REGISTRY\
MACHINE\SOFTWARE\Classes\exefile\shell\open\command"
A2
x5A0, access:0x20019, path:"\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{CDC82860-4
68D-4D4E-B7E7-C298FF23AB2C}"
0034, name:"AppID", class:0x2, length:0x400, resultlength:0x1D0000, handle:0x5A0
, path:"\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CDC82860-468D-4D4E
-B7E7-C298FF23AB2C}"
\CLSID\{CDC82860-468D-4D4E-B7E7-C298FF23AB2C}\LocalServer32"
A0
-2360094602-2602383397-2463990887-1001_Classes"
60094602-2602383397-2463990887-1001_Classes"
7-2463990887-1001_Classes\CLSID\{CDC82860-468D-4D4E-B7E7-C298FF23AB2C}"
:0x5A0, access:0x20019, path:"\Registry\Machine\Software\Classes\CLSID\{CDC82860
-468D-4D4E-B7E7-C298FF23AB2C}"
x3, length:0x180, resultlength:0xBA, handle:0x5A2, path:"\REGISTRY\MACHINE\SOFTW
ARE\Classes\WOW6432Node\CLSID\{CDC82860-468D-4D4E-B7E7-C298FF23AB2C}"
\Classes\WOW6432Node\CLSID\{CDC82860-468D-4D4E-B7E7-C298FF23AB2C}"
97-2463990887-1001", attributes:0x0
63990887-1001_Classes\WOW6432Node\CLSID\{CDC82860-468D-4D4E-B7E7-C298FF23AB2C}\T
reatAs"
LSID\{CDC82860-468D-4D4E-B7E7-C298FF23AB2C}\TreatAs"

97-2463990887-1001", attributes:0x0
397-2463990887-1001_Classes\WOW6432Node\CLSID\{CDC82860-468D-4D4E-B7E7-C298FF23A
B2C}"
MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CDC82860-468D-4D4E-B7E7-C298FF23AB2C
}"
97-2463990887-1001", attributes:0x0
B2C}"
}"
97-2463990887-1001", attributes:0x0
7-2463990887-1001_Classes\WOW6432Node\CLSID\{CDC82860-468D-4D4E-B7E7-C298FF23AB2
C}\InprocServer32"
:0x59C, access:0x20019, path:"\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLS
ID\{CDC82860-468D-4D4E-B7E7-C298FF23AB2C}\InprocServer32"
ARE\Classes\WOW6432Node\CLSID\{CDC82860-468D-4D4E-B7E7-C298FF23AB2C}\InProcServe
r32"
\Classes\WOW6432Node\CLSID\{CDC82860-468D-4D4E-B7E7-C298FF23AB2C}\InProcServer32
"
97-2463990887-1001", attributes:0x0
B2C}\InProcServer32"
59E, path:"\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CDC82860-468D-4
D4E-B7E7-C298FF23AB2C}\InProcServer32"
r32"
"
97-2463990887-1001", attributes:0x0
}\InProcServer32"
r32"
"
97-2463990887-1001", attributes:0x0
}\InProcServer32"
r32"
"
97-2463990887-1001", attributes:0x0
}\InProcServer32"
r32"
"
97-2463990887-1001", attributes:0x0
me:"ThreadingModel", class:0x2, length:0x90, resultlength:0x16, handle:0x59E, pa
th:"\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CDC82860-468D-4D4E-B7E
7-C298FF23AB2C}\InProcServer32"
9E
97-2463990887-1001", attributes:0x0
63990887-1001_Classes\WOW6432Node\CLSID\{CDC82860-468D-4D4E-B7E7-C298FF23AB2C}\I
nprocHandler32"
LSID\{CDC82860-468D-4D4E-B7E7-C298FF23AB2C}\InprocHandler32"

97-2463990887-1001", attributes:0x0
63990887-1001_Classes\WOW6432Node\CLSID\{CDC82860-468D-4D4E-B7E7-C298FF23AB2C}\I
nprocHandler"
LSID\{CDC82860-468D-4D4E-B7E7-C298FF23AB2C}\InprocHandler"
A2
-2360094602-2602383397-2463990887-1001_Classes"
60094602-2602383397-2463990887-1001_Classes"
7-2463990887-1001_Classes\CLSID\{CDC82860-468D-4D4E-B7E7-C298FF23AB2C}"
:0x5A0, access:0x20019, path:"\Registry\Machine\Software\Classes\CLSID\{CDC82860
-468D-4D4E-B7E7-C298FF23AB2C}"
97-2463990887-1001", attributes:0x0
7-2463990887-1001_Classes\WOW6432Node\CLSID\{CDC82860-468D-4D4E-B7E7-C298FF23AB2
C}\TreatAs"
de\CLSID\{CDC82860-468D-4D4E-B7E7-C298FF23AB2C}\TreatAs"
A2
x0, module:"C:\WINDOWS\system32\windows.storage.dll", handle:0x76B00000
, status:0x0, module:0x76B00000, name:"DllGetClassObject", ordinal:0x0, address:
0x76CCD4E0, image:0x0, caller:0x74E6C7CB
, status:0x0, module:0x76B00000, name:"DllGetActivationFactory", ordinal:0x0, ad
dress:0x76CEDEA0, image:0x0, caller:0x74E6C7DD
, status:0x0, module:0x76B00000, name:"DllCanUnloadNow", ordinal:0x0, address:0x
76CEAF80, image:0x0, caller:0x74E6C841
:CDC82860-468D-4D4E-B7E7-C298FF23AB2C, context:0x1, riid:5632B1A4-E38A-400A-928A
-D4CD63230295

-2360094602-2602383397-2463990887-1001_Classes"
60094602-2602383397-2463990887-1001_Classes"
7-2463990887-1001_Classes\.exe"
:0x5A0, access:0x20019, path:"\Registry\Machine\Software\Classes\.exe"
x3, length:0x188, resultlength:0x52, handle:0x5A2, path:"\REGISTRY\MACHINE\SOFTW
ARE\Classes\.exe"
\Classes\.exe"
97-2463990887-1001", attributes:0x0
397-2463990887-1001_Classes\.exe"
me:"", class:0x2, length:0x90, resultlength:0x1C, handle:0x5A2, path:"\REGISTRY\
-2360094602-2602383397-2463990887-1001_Classes"
60094602-2602383397-2463990887-1001_Classes"
:0x59C, access:0x20019, path:"\Registry\Machine\Software\Classes\exefile"
\Classes\exefile"
97-2463990887-1001", attributes:0x0
r"

\Classes\exefile"
97-2463990887-1001", attributes:0x0
:0x5A4, access:0x20019, path:"\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\"
9E
x3, length:0x180, resultlength:0x58, handle:0x5A6, path:"\REGISTRY\MACHINE\SOFTW
\Classes\exefile"
97-2463990887-1001", attributes:0x0
63990887-1001_Classes\exefile\Progid"
, handle:0x0, access:0x1, path:"\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\Progi
d"
rentVersion\ShellCompatibility\ProgIDs\exefile"
A2
A6
:0x5A4, access:0x1, path:"\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVe
0034, name:"InheritConsoleHandles", class:0x2, length:0x90, resultlength:0x19F31
8, handle:0x5A4, path:"\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\Windows\CurrentVersi
on\Policies\Explorer"
A4

97-2463990887-1001", attributes:0x0
63990887-1001_Classes\exefile\shell\open\ddeexec"
\open\ddeexec"
0034, name:"RestrictRun", class:0x2, length:0x90, resultlength:0x19F330, handle:
0x5A4, path:"\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\Windows\CurrentVersion\Policie
s\Explorer"
A4
0034, name:"DisallowRun", class:0x2, length:0x90, resultlength:0x19F330, handle:
0x5A4, path:"\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\Windows\CurrentVersion\Policie
s\Explorer"
A4
7-2463990887-1001\Software\Microsoft\Windows\CurrentVersion\App Paths\firefox.ex
e"
ntVersion\App Paths\firefox.exe"
0034, name:"AppendPath", class:0x2, length:0x90, resultlength:0x0, handle:0x5A4,
path:"\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\fir
efox.exe"
me:"PATH", class:0x2, length:0x90, resultlength:0x52, handle:0x5A4, path:"\REGIS
TRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\firefox.exe"
A4

97-2463990887-1001", attributes:0x0
0034, name:"SetWorkingDirectoryFromTarget", class:0x2, length:0x90, resultlength
:0x19F604, handle:0x53A, path:"\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\
open"
97-2463990887-1001", attributes:0x0
0034, name:"NoWorkingDirectory", class:0x2, length:0x90, resultlength:0x19F604,
handle:0x53A, path:"\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open"
Volume"
A4
me:"Generation", class:0x2, length:0x90, resultlength:0x10, handle:0x5A0, path:"
3-8590cc53fbc1}"
A0
pid:4092, tid:2168, tick:0x33D703E, lvl:OK, func:UpdateProcThreadAttribute, ret:
0x1, gle:0x0, Attribute:0x60001
0xFFFFFFFC, class:0x27, length:0x0, returnlength:0x68
e:0x5A0, access:0x80100080, iostatus:0x0, information:0x0, attribs:0x80, share:0
x5, disposition:0x1, options:0x60, path:"C:\Program Files (x86)\Mozilla Firefox\
firefox.exe"
ndle:0x59C, access:0x1, pageattribs:0x2, sectionattribs:0x11000000, file:0x5A0

pid:4092, tid:2168, tick:0x33D703E, lvl:OK, func:NtQuerySection, status:0x0, cla
ss:0x1, length:0x30, handle:0x59C, path:"C:\Program Files (x86)\Mozilla Firefox\
firefox.exe"
9C
97-2463990887-1001", attributes:0x0
-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"
me:"Cache", class:0x1, length:0x208, resultlength:0x98, handle:0x59C, path:"\REG
dows\CurrentVersion\Explorer\Shell Folders"
9C
97-2463990887-1001", attributes:0x0
-1001\Software\Microsoft\Windows NT\CurrentVersion"
x5A4, access:0x101, path:"\REGISTRY\USER\S-1-5-21-2360094602-2602383397-24639908
87-1001\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers"
0034, name:"C:\Program Files (x86)\Mozilla Firefox\firefox.exe", class:0x2, leng
th:0x10, resultlength:0x0, handle:0x5A4, path:"\REGISTRY\USER\S-1-5-21-236009460
2-2602383397-2463990887-1001\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCom
patFlags\Layers"
A4
0, address:0x5A0000
0, address:0x5A0000
0, address:0x5A0000
pid:4092, tid:2168, tick:0x33D703E, lvl:LOG, func:RecurseDirectoryConfig, log:"A
dding directory _CrashReporter@1.0.0.0 with flags: 2."
dding directory _Firefox@1.0.0.0 with flags: 2."
dding directory _MaintenanceService@1.0.0.0 with flags: 2."
dding directory _Mozilla.WebAppRT@1.0.0.0 with flags: 2."
dding directory _Nullsoft.NSIS.exehead@1.0.0.0 with flags: 2."
dding directory _plugin-container@1.0.0.0 with flags: 2."
dding directory _plugin-hang-ui@1.0.0.0 with flags: 2."
dding directory _Updater@1.0.0.0 with flags: 2."
dding directory Manifests with flags: 2."
dding directory X86_7zS.sfx.exe@1.0.0.0 with flags: 2."
0, address:0x5A0000
pid:4092, tid:2168, tick:0x33D703E, lvl:LOG, func:RecurseDirectoryConfig, log:"D
uplicate directory Manifests will not be added as it is at lower layer."
dding directory x86_Adobe.FlashPlayer.Installer@14.0.0.125 with flags: 2."
dding directory x86_Adobe.FlashPlayer.Uninstaller@14.0.0.125 with flags: 2."
dding directory X86_Adobe.SAFlashPlayer@14.0.0.125 with flags: 2."
0, address:0x5A0000
0, address:0x5A0000

0, address:0x5A0000
pid:4092, tid:2168, tick:0x33D704D, lvl:OK, func:NtOpenFile, status:0x0, handle:
0x5AC, access:0x1200A9, iostatus:0x0, information:0x1, share:0x5, options:0x60,
path:"C:\Users\i92segoa\AppData\Local\Temp\SPOON\CACHE\0xA527E666CB0D6807\sxs\ma
nifests\firefox.exe_0x9195B4884EA1918FD0ABEA589A684707.1.manifest"
pid:4092, tid:2168, tick:0x33D704D, lvl:OK, func:NtCreateSection, status:0x0, ha
ndle:0x5B0, access:0x4, pageattribs:0x2, sectionattribs:0x8000000, file:0x5AC
pid:4092, tid:2168, tick:0x33D704D, lvl:OK, func:NtMapViewOfSection, status:0x0,
address:0x5A0000, zerobits:0x0, commitsize:0x0, viewsize:0x1000, disposition:0x
1, type:0x0, protect:0x2, handle:0x5B0
pid:4092, tid:2168, tick:0x33D704D, lvl:LOG, func:NtOpenKey, status:0xC0000034,
handle:0x0, access:0x20019, path:"\Registry\MACHINE\Software\Microsoft\Windows\C
urrentVersion\SideBySide"
pid:4092, tid:2168, tick:0x33D704D, lvl:OK, func:NtQueryInformationFile, status:
0x0, iostatus:0x0, information:0x18, length:0x18, class:0x5, handle:0x5AC, path:
"C:\Users\i92segoa\AppData\Local\Temp\SPOON\CACHE\0xA527E666CB0D6807\sxs\Manifes
ts\firefox.exe_0x9195b4884ea1918fd0abea589a684707.1.manifest"
pid:4092, tid:2168, tick:0x33D704D, lvl:OK, func:NtQueryVolumeInformationFile, s
tatus:0x0, iostatus:0x0, information:0x8, length:0x8, class:0x4, handle:0x5AC, p
ath:"C:\Users\i92segoa\AppData\Local\Temp\SPOON\CACHE\0xA527E666CB0D6807\sxs\Man
ifests\firefox.exe_0x9195b4884ea1918fd0abea589a684707.1.manifest"
pid:4092, tid:2168, tick:0x33D704D, lvl:OK, func:NtQueryInformationFile, status:
0x0, iostatus:0x0, information:0x28, length:0x28, class:0x4, handle:0x5AC, path:
"C:\Users\i92segoa\AppData\Local\Temp\SPOON\CACHE\0xA527E666CB0D6807\sxs\Manifes
ts\firefox.exe_0x9195b4884ea1918fd0abea589a684707.1.manifest"
pid:4092, tid:2168, tick:0x33D704D, lvl:OK, func:NtClose, status:0x0, handle:0x5
AC
B0
pid:4092, tid:2168, tick:0x33D704D, lvl:OK, func:NtUnmapViewOfSection, status:0x
0, address:0x5A0000
pid:4092, tid:2168, tick:0x33D704D, lvl:OK, func:CreateActCtxW, ret:0x804384, gl
e:0x0, flags:0x8, path:"C:\Program Files (x86)\Mozilla Firefox\firefox.exe", res
ourceid:0x1
pid:4092, tid:2168, tick:0x33D704D, lvl:OK, func:QueryActCtxW, ret:0x1, gle:0x0,
flags:0x80000000, actctx:0x804384, class:0x5, size:0xC, requiredsize:0xC
0, address:0x38D0000
A0
A0
pid:4092, tid:2168, tick:0x33D704D, lvl:OK, func:New_CheckTokenMembership::<lamb
da_02604bca4152832ac92161eb66d89101>::operator (), ret:0x1, gle:0x0, TokenHandle
:0x5B0, SidToCheck:"S-1-5-32-544", IsMember:0x0
B0
pid:4092, tid:2168, tick:0x33D704D, lvl:OK, func:New_NtQueryInformationToken::<l
B0
pid:4092, tid:2168, tick:0x33D704D, lvl:OK, func:NtSetInformationProcess, status

pid:4092, tid:2168, tick:0x33D704D, lvl:OK, func:NtQueryAttributesFile, status:0
x0, attribs:0x80, path:"c:\program files (x86)\mozilla firefox\firefox.exe"
pid:4092, tid:2168, tick:0x33D704D, lvl:OK, func:NtCreateFile, status:0x0, handl
e:0x5B0, access:0x80100080, iostatus:0x0, information:0x0, attribs:0x0, share:0x
5, disposition:0x1, options:0x60, path:"c:\program files (x86)\mozilla firefox\f
irefox.exe"
ndle:0x5AC, access:0x5, pageattribs:0x2, sectionattribs:0x11000000, file:0x5B0
B8
BC
pid:4092, tid:2168, tick:0x33D705D, lvl:OK, func:NtMapViewOfSection, status:0x40
000003, address:0x38D0000, zerobits:0x0, commitsize:0x0, viewsize:0x63000, dispo
sition:0x1, type:0x800000, protect:0x2, handle:0x5AC, path:"C:\Program Files (x8
6)\Mozilla Firefox\firefox.exe"
AC
B0
pid:4092, tid:2168, tick:0x33D705D, lvl:OK, func:NtQueryAttributesFile, status:0
x0, attribs:0x10, path:"C:\Users\i92segoa\Desktop\Firefox SEO\"
pid:4092, tid:2168, tick:0x33D705D, lvl:OK, func:NtOpenFile, status:0x0, handle:
0x5A0, access:0x120089, iostatus:0x0, information:0x0, share:0x7, options:0x20,
path:"C:\Program Files (x86)\Mozilla Firefox\firefox.exe"
ndle:0x5BC, access:0x4, pageattribs:0x2, sectionattribs:0x8000000, file:0x5A0
C0
C4
pid:4092, tid:2168, tick:0x33D705D, lvl:OK, func:NtMapViewOfSection, status:0x0,
address:0x39D0000, zerobits:0x0, commitsize:0x0, viewsize:0x60000, disposition:
0x2, type:0x0, protect:0x2, handle:0x5BC, path:"C:\Program Files (x86)\Mozilla F
irefox\firefox.exe"
BC
A0
pid:4092, tid:2168, tick:0x33D706D, lvl:LOG, func:_GetChildProcessCurrentDirecto
ry, log:"Got following current directory from proc: C:\Users\i92segoa\Desktop\Fi
refox SEO\"
A4
pid:4092, tid:2168, tick:0x33D706D, lvl:OK, func:NtCreateUserProcess, status:0x0
, handle:0x5CC, processaccess:0x2000000, threadaccess:0x2000000, path:"\??\C:\Pr
ogram Files (x86)\Mozilla Firefox\firefox.exe"
handle:0x0, access:0x1, path:"\Registry\MACHINE\System\CurrentControlSet\Control

\Session Manager\AppCertDlls"
63990887-1001", attributes:0x0
handle:0x0, access:0x3, path:"\Registry\MACHINE\System\CurrentControlSet\Control
\SafeBoot\Option"
pid:4092, tid:2168, tick:0x33D706D, lvl:OK, func:NtOpenKey, status:0x0, handle:0
x5D8, access:0x1, path:"\Registry\Machine\Software\Policies\Microsoft\Windows\Sa
fer\CodeIdentifiers"
pid:4092, tid:2168, tick:0x33D706D, lvl:LOG, func:NtQueryValueKey, status:0xC000
0034, name:"TransparentEnabled", class:0x2, length:0x50, resultlength:0x77799049
, handle:0x5D8, path:"\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows\safe
r\codeidentifiers"
pid:4092, tid:2168, tick:0x33D706D, lvl:OK, func:NtQueryValueKey, status:0x0, na
me:"AuthenticodeEnabled", class:0x2, length:0x50, resultlength:0x10, handle:0x5D
8, path:"\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentif
iers"
D8
97-2463990887-1001", attributes:0x0
pid:4092, tid:2168, tick:0x33D707C, lvl:LOG, func:NtOpenKey, status:0xC0000034,
handle:0x0, access:0x1, path:"\REGISTRY\USER\S-1-5-21-2360094602-2602383397-2463
990887-1001\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"
pid:4092, tid:2168, tick:0x33D707C, lvl:OK, func:NtClose, status:0x0, handle:0x5
A4
pid:4092, tid:2168, tick:0x33D707C, lvl:OK, func:New_NtQueryInformationToken::<l
97-2463990887-1001", attributes:0x0
pid:4092, tid:2168, tick:0x33D707C, lvl:OK, func:NtOpenKey, status:0x0, handle:0
x5D8, access:0x1, path:"\REGISTRY\USER\S-1-5-21-2360094602-2602383397-2463990887
-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"
pid:4092, tid:2168, tick:0x33D707C, lvl:OK, func:NtQueryValueKey, status:0x0, na
me:"Cache", class:0x1, length:0x208, resultlength:0x98, handle:0x5D8, path:"\REG
dows\CurrentVersion\Explorer\Shell Folders"
D8
pid:4092, tid:2168, tick:0x33D707C, lvl:OK, func:NtOpenKey, status:0x0, handle:0
x5D8, access:0x101, path:"\REGISTRY\USER\S-1-5-21-2360094602-2602383397-24639908
87-1001\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers"
pid:4092, tid:2168, tick:0x33D707C, lvl:LOG, func:NtQueryValueKey, status:0xC000
0034, name:"C:\Program Files (x86)\Mozilla Firefox\firefox.exe", class:0x2, leng
th:0x10, resultlength:0x0, handle:0x5D8, path:"\REGISTRY\USER\S-1-5-21-236009460
2-2602383397-2463990887-1001\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCom
patFlags\Layers"
D8
pid:4092, tid:2168, tick:0x33D707C, lvl:LOG, func:NtOpenKey, status:0xC0000034,
handle:0x0, access:0x20019, path:"\Registry\MACHINE\Software\Microsoft\Windows\C
urrentVersion\SideBySide"
D0
D4
pid:4092, tid:2168, tick:0x33D70DA, lvl:LOG, func:SetLastSeenChildProcThread, lo
g:"Setting last seen child proc thread to 0x5C8."
pid:4092, tid:2168, tick:0x33D70DA, lvl:OK, func:NtClose, status:0x0, handle:0x5
B0
AC
pid:4092, tid:2168, tick:0x33D70DA, lvl:OK, func:CreateProcessInternalW, ret:0x1
, gle:0x0, name:"C:\Program Files (x86)\Mozilla Firefox\firefox.exe", commandlin
e:"\"C:\Program Files (x86)\Mozilla Firefox\firefox.exe\" ", inherit:0x0, flags:
0x4080404, currentdir:"C:\Users\i92segoa\Desktop\Firefox SEO\"
pid:4092, tid:2168, tick:0x33D70DA, lvl:OK, func:NtQueryKey, status:0x0, class:0
-2360094602-2602383397-2463990887-1001_Classes"
60094602-2602383397-2463990887-1001_Classes"
pid:4092, tid:2168, tick:0x33D70DA, lvl:LOG, func:NtOpenKeyEx, status:0xC0000034
7-2463990887-1001_Classes\Applications\firefox.exe"
, handle:0x0, access:0x20019, path:"\Registry\Machine\Software\Classes\Applicati
ons\firefox.exe"
pid:4092, tid:2168, tick:0x33D70DA, lvl:OK, func:LdrResolveDelayLoadedAPI, statu
pid:4092, tid:2168, tick:0x33D70DA, lvl:LOG, func:NtOpenSection, status:0xC00000
34, handle:0x0, access:0xF, path:"\KnownDlls32\pcacli.dll"
pid:4092, tid:2168, tick:0x33D70DA, lvl:LOG, func:NtQueryAttributesFile, status:
0xC0000034, path:"C:\Users\i92segoa\Desktop\Firefox SEO\pcacli.dll"
pid:4092, tid:2168, tick:0x33D70DA, lvl:OK, func:NtQueryAttributesFile, status:0
x0, attribs:0x20, path:"C:\WINDOWS\SYSTEM32\pcacli.dll"
pid:4092, tid:2168, tick:0x33D70DA, lvl:OK, func:NtOpenFile, status:0x0, handle:
0x5AC, access:0x100021, iostatus:0x0, information:0x1, share:0x5, options:0x60,
path:"C:\WINDOWS\SYSTEM32\pcacli.dll"
pid:4092, tid:2168, tick:0x33D70DA, lvl:OK, func:NtCreateSection, status:0x0, ha
ndle:0x5B0, access:0xF, pageattribs:0x10, sectionattribs:0x1000000, file:0x5AC
pid:4092, tid:2168, tick:0x33D70DA, lvl:OK, func:NtMapViewOfSection, status:0x0,
address:0x60AE0000, zerobits:0x0, commitsize:0x0, viewsize:0xC000, disposition:
0x1, type:0x800000, protect:0x4, handle:0x5B0, path:"C:\WINDOWS\SYSTEM32\pcacli.
dll"
B0
AC
pid:4092, tid:2168, tick:0x33D70DA, lvl:OK, func:NtOpenKey, status:0x0, handle:0
x5B0, access:0x1, path:"\Registry\Machine\Software\Microsoft\Windows NT\CurrentV
ersion\AppCompatFlags"
pid:4092, tid:2168, tick:0x33D70DA, lvl:LOG, func:NtQueryValueKey, status:0xC000
0034, name:"LogFlags", class:0x2, length:0x14, resultlength:0x0, handle:0x5B0, p
ath:"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\
AppCompatFlags"
B0
x0, attribs:0x20, path:"C:\WINDOWS\SYSTEM32\kernelbase.dll"
pid:4092, tid:2168, tick:0x33D70DA, lvl:OK, func:LdrGetDllHandle, status:0x0, na
me:"api-ms-win-eventing-provider-l1-1-0", module:0x776F0000
pid:4092, tid:2168, tick:0x33D70DA, lvl:OK, func:LdrGetProcedureAddressForCaller
, status:0x0, module:0x776F0000, name:"EventSetInformation", ordinal:0x0, addres
s:0x77C39FC0, image:0x0, caller:0x60AE409A
pid:4092, tid:2168, tick:0x33D70DA, lvl:OK, func:LdrUnloadDll, status:0x0, handl

e:0x776F0000
pid:4092, tid:2168, tick:0x33D70DA, lvl:OK, func:LdrLoadDll, status:0x0, flags:0
x0, module:"C:\WINDOWS\System32\kernel32.dll", handle:0x74CD0000
, status:0x0, module:0x74CD0000, name:"BaseIsAppcompatInfrastructureDisabled", o
rdinal:0x0, address:0x74CEFEC0, image:0x0, caller:0x60AE3159
63990887-1001\Software\Policies\Microsoft\Windows\AppCompat"
ndows\AppCompat"
34, handle:0x0, access:0xF, path:"\KnownDlls32\sfc_os.dll"
x0, attribs:0x20, path:"C:\WINDOWS\System32\sfc_os.dll"
path:"C:\WINDOWS\System32\sfc_os.dll"
ndle:0x5BC, access:0xF, pageattribs:0x10, sectionattribs:0x1000000, file:0x5D0
address:0x63B00000, zerobits:0x0, commitsize:0x0, viewsize:0xF000, disposition:
0x1, type:0x800000, protect:0x4, handle:0x5BC, path:"C:\WINDOWS\System32\sfc_os.
dll"
BC
D0
pid:4092, tid:2168, tick:0x33D70DA, lvl:OK, func:LdrLoadDll, status:0x0, flags:0
x0, module:"C:\WINDOWS\System32\sfc_os.dll", handle:0x63B00000
, status:0x0, module:0x63B00000, name:"SfcIsFileProtected", ordinal:0x0, address
:0x63B04730, image:0x0, caller:0x60AE3262
0x5D0, access:0x120089, iostatus:0x0, information:0x1, share:0x1, options:0x0, p
ath:"\SystemRoot\WinSxS\FileMaps\_0000000000000000.cdf-ms"
pid:4092, tid:2168, tick:0x33D70DA, lvl:OK, func:NtQueryInformationFile, status:
0x0, iostatus:0x0, information:0x18, length:0x18, class:0x5, handle:0x5D0, path:
"\SystemRoot\WinSxS\FileMaps\_0000000000000000.cdf-ms"
ndle:0x5BC, access:0xF0005, pageattribs:0x2, sectionattribs:0x8000000, file:0x5D
0, path:""
address:0xFFEA0000, zerobits:0x0, commitsize:0x0, viewsize:0x1000, disposition:
0x2, type:0x500000, protect:0x2, handle:0x5BC, path:"\SystemRoot\WinSxS\FileMaps
\_0000000000000000.cdf-ms"
D0, path:"C:\Windows\WinSxS\FileMaps\_0000000000000000.cdf-ms"
BC
pid:4092, tid:2168, tick:0x33D70DA, lvl:OK, func:NtUnmapViewOfSection, status:0x
0, address:0xFFEA0000
pid:4092, tid:2168, tick:0x33D70DA, lvl:OK, func:NtOpenSection, status:0x0, hand
le:0x5BC, access:0xF, path:"\KnownDlls32\SETUPAPI.dll"
address:0x770B0000, zerobits:0x0, commitsize:0x0, viewsize:0x40B000, dispositio
n:0x1, type:0x800000, protect:0x4, handle:0x5BC, path:"\KnownDlls32\Setupapi.dll

"
BC
pid:4092, tid:2168, tick:0x33D70DA, lvl:OK, func:NtOpenKeyEx, status:0x0, handle
:0x5B4, access:0x20019, path:"\REGISTRY\MACHINE\Software\Microsoft\Windows\Curre
ntVersion\Setup"
0034, name:"SourcePath", class:0x2, length:0x10, resultlength:0x0, handle:0x5B4,
path:"\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\Windows\CurrentVersion\Setup"
B4
pid:4092, tid:2168, tick:0x33D70DA, lvl:OK, func:NtCreateMutant, status:0x0, han
dle:0x5A0, access:0x1F0001, owner:0x0
dle:0x5C4, access:0x1F0001, owner:0x0
34, handle:0x0, access:0xF, path:"\KnownDlls32\DEVRTL.dll"
pid:4092, tid:2168, tick:0x33D70DA, lvl:LOG, func:NtQueryAttributesFile, status:
0xC0000034, path:"C:\Users\i92segoa\Desktop\Firefox SEO\DEVRTL.dll"
x0, attribs:0x20, path:"C:\WINDOWS\SYSTEM32\DEVRTL.dll"
path:"C:\WINDOWS\SYSTEM32\DEVRTL.dll"
ndle:0x5D8, access:0xF, pageattribs:0x10, sectionattribs:0x1000000, file:0x5C0
address:0x60AD0000, zerobits:0x0, commitsize:0x0, viewsize:0xF000, disposition:
0x1, type:0x800000, protect:0x4, handle:0x5D8, path:"C:\WINDOWS\SYSTEM32\DEVRTL.
dll"
D8
C0
dle:0x5D8, access:0x1F0001, owner:0x0
pid:4092, tid:2168, tick:0x33D70DA, lvl:OK, func:NtWaitForMultipleObjects, statu
s:0x1, count:0x2, type:0x1, alertable:0x0, objects:0x5C0;0x5D8
, handle:0x0, access:0x20019, path:"\REGISTRY\MACHINE\software\microsoft\windows
\currentversion\setup\PnpLockdownFiles"
0x5DC, access:0x100000, iostatus:0x0, information:0x1, share:0x0, options:0x4021
, path:"C:\"
0x0, iostatus:0x0, information:0x6, length:0x210, class:0x9, handle:0x5DC, path:
"C:"
pid:4092, tid:2168, tick:0x33D70DA, lvl:OK, func:NtQueryVolumeInformationFile, s
tatus:0x0, iostatus:0x0, information:0x14, length:0x21A, class:0x5, handle:0x5DC
, path:"C:"
DC
, path:"C:\"

"C:"
, path:"C:"
DC
, path:"C:\"
"C:"
, path:"C:"
DC
pid:4092, tid:2168, tick:0x33D70DA, lvl:OK, func:New_NtQueryInformationToken::<l
pid:4092, tid:2168, tick:0x33D70DA, lvl:OK, func:New_ResumeThread, ret:0x1, gle:
0x0, thread:0x5C8
97-2463990887-1001", attributes:0x0
0034, name:"DontReturnProcessHandle", class:0x2, length:0x90, resultlength:0x0,
handle:0x53A, path:"\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open"
pid:4092, tid:2168, tick:0x33D70DA, lvl:OK, func:NtDuplicateObject, status:0x0,
targethandle:0x5DC, access:0x0, inherit:0x0, options:0x2, handle:0x5CC
-2360094602-2602383397-2463990887-1001_Classes"
60094602-2602383397-2463990887-1001_Classes"
7-2463990887-1001_Classes\Applications\firefox.exe"
ons\firefox.exe"
\Classes\exefile"

97-2463990887-1001", attributes:0x0
397-2463990887-1001_Classes\exefile"
0034, name:"AppUserModelID", class:0x2, length:0x90, resultlength:0x35002D, hand
le:0x576, path:"\REGISTRY\MACHINE\SOFTWARE\Classes\exefile"
\Classes\exefile"
97-2463990887-1001", attributes:0x0
cation"
97-2463990887-1001", attributes:0x0
0034, name:"FriendlyAppName", class:0x2, length:0x90, resultlength:0x0, handle:0
x53A, path:"\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open"
\Classes\exefile"
97-2463990887-1001", attributes:0x0
cation"
97-2463990887-1001", attributes:0x0
:0x5E4, access:0x1, path:"\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\
command"
x3, length:0x188, resultlength:0x7E, handle:0x5E6, path:"\REGISTRY\MACHINE\SOFTW
x7, length:0x4, resultlength:0x4, handle:0x5E6, path:"\REGISTRY\MACHINE\SOFTWARE
97-2463990887-1001", attributes:0x0
pid:4092, tid:2168, tick:0x33D70DA, lvl:OK, func:NtQueryValueKey, status:0x0, na
me:"", class:0x2, length:0x90, resultlength:0x1C, handle:0x5E6, path:"\REGISTRY\
E6
-2360094602-2602383397-2463990887-1001_Classes"
60094602-2602383397-2463990887-1001_Classes"
7-2463990887-1001_Classes\Applications\%1.exe"
ons\%1.exe"
97-2463990887-1001", attributes:0x0
command"

97-2463990887-1001", attributes:0x0
0034, name:"DelegateExecute", class:0x2, length:0x90, resultlength:0x0, handle:0
x5E6, path:"\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command"
E6
97-2463990887-1001", attributes:0x0
63990887-1001_Classes\exefile\shell\open\DropTarget"
\open\DropTarget"
97-2463990887-1001", attributes:0x0
command"
97-2463990887-1001", attributes:0x0

me:"", class:0x2, length:0x90, resultlength:0x1C, handle:0x5E6, path:"\REGISTRY\
E6
7-2463990887-1001\Software\Microsoft\Windows\CurrentVersion\App Paths\%1.exe"
\CurrentVersion\App Paths\%1.exe"
\Classes\exefile"
97-2463990887-1001", attributes:0x0
63990887-1001_Classes\exefile\Progid"
, handle:0x0, access:0x1, path:"\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\Progi
d"
CC
C8
pid:4092, tid:2168, tick:0x33D70DA, lvl:WRN, func:NtClose, status:0xC0000008
, status:0x0, module:0x77C10000, name:"RtlDllShutdownInProgress", ordinal:0x0, a
ddress:0x77C3C5E0, image:0x0, caller:0x76CDF21F
66
pid:4092, tid:2168, tick:0x33D70DA, lvl:OK, func:NtOpenKey, status:0x0, handle:0
x564, access:0x20019, path:"\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{9AC9FBE1-E
0A2-4AD6-B4EE-E212013EA917}"
0034, name:"AppID", class:0x2, length:0x400, resultlength:0x0, handle:0x564, pat
h:"\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9AC9FBE1-E0A2-4AD6-B4EE
-E212013EA917}"
pid:4092, tid:2168, tick:0x33D70DA, lvl:LOG, func:NtOpenKey, status:0xC0000034,
\CLSID\{9AC9FBE1-E0A2-4AD6-B4EE-E212013EA917}\LocalServer32"
64
-2360094602-2602383397-2463990887-1001_Classes"
60094602-2602383397-2463990887-1001_Classes"
7-2463990887-1001_Classes\CLSID\{9AC9FBE1-E0A2-4AD6-B4EE-E212013EA917}"
:0x564, access:0x20019, path:"\Registry\Machine\Software\Classes\CLSID\{9AC9FBE1
-E0A2-4AD6-B4EE-E212013EA917}"
x3, length:0x180, resultlength:0xBA, handle:0x566, path:"\REGISTRY\MACHINE\SOFTW
ARE\Classes\WOW6432Node\CLSID\{9AC9FBE1-E0A2-4AD6-B4EE-E212013EA917}"
\Classes\WOW6432Node\CLSID\{9AC9FBE1-E0A2-4AD6-B4EE-E212013EA917}"
97-2463990887-1001", attributes:0x0
63990887-1001_Classes\WOW6432Node\CLSID\{9AC9FBE1-E0A2-4AD6-B4EE-E212013EA917}\T
reatAs"
LSID\{9AC9FBE1-E0A2-4AD6-B4EE-E212013EA917}\TreatAs"
97-2463990887-1001", attributes:0x0
397-2463990887-1001_Classes\WOW6432Node\CLSID\{9AC9FBE1-E0A2-4AD6-B4EE-E212013EA
917}"
me:"", class:0x2, length:0x90, resultlength:0x4E, handle:0x566, path:"\REGISTRY\
MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9AC9FBE1-E0A2-4AD6-B4EE-E212013EA917
}"
97-2463990887-1001", attributes:0x0
917}"
me:"", class:0x2, length:0x90, resultlength:0x4E, handle:0x566, path:"\REGISTRY\

}"
97-2463990887-1001", attributes:0x0
7-2463990887-1001_Classes\WOW6432Node\CLSID\{9AC9FBE1-E0A2-4AD6-B4EE-E212013EA91
7}\InprocServer32"
:0x5C8, access:0x20019, path:"\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLS
ID\{9AC9FBE1-E0A2-4AD6-B4EE-E212013EA917}\InprocServer32"
x3, length:0x188, resultlength:0xD8, handle:0x5CA, path:"\REGISTRY\MACHINE\SOFTW
ARE\Classes\WOW6432Node\CLSID\{9AC9FBE1-E0A2-4AD6-B4EE-E212013EA917}\InProcServe
r32"
x7, length:0x4, resultlength:0x4, handle:0x5CA, path:"\REGISTRY\MACHINE\SOFTWARE
\Classes\WOW6432Node\CLSID\{9AC9FBE1-E0A2-4AD6-B4EE-E212013EA917}\InProcServer32
"
97-2463990887-1001", attributes:0x0
917}\InProcServer32"
5CA, path:"\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9AC9FBE1-E0A2-4
AD6-B4EE-E212013EA917}\InProcServer32"
r32"
"
97-2463990887-1001", attributes:0x0
me:"", class:0x2, length:0x90, resultlength:0x60, handle:0x5CA, path:"\REGISTRY\
}\InProcServer32"

r32"
"
97-2463990887-1001", attributes:0x0
}\InProcServer32"
r32"
"
97-2463990887-1001", attributes:0x0
}\InProcServer32"
r32"
"
97-2463990887-1001", attributes:0x0
me:"ThreadingModel", class:0x2, length:0x90, resultlength:0x16, handle:0x5CA, pa
th:"\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9AC9FBE1-E0A2-4AD6-B4E
E-E212013EA917}\InProcServer32"

CA
97-2463990887-1001", attributes:0x0
63990887-1001_Classes\WOW6432Node\CLSID\{9AC9FBE1-E0A2-4AD6-B4EE-E212013EA917}\I
nprocHandler32"
LSID\{9AC9FBE1-E0A2-4AD6-B4EE-E212013EA917}\InprocHandler32"
97-2463990887-1001", attributes:0x0
63990887-1001_Classes\WOW6432Node\CLSID\{9AC9FBE1-E0A2-4AD6-B4EE-E212013EA917}\I
nprocHandler"
LSID\{9AC9FBE1-E0A2-4AD6-B4EE-E212013EA917}\InprocHandler"
66
-2360094602-2602383397-2463990887-1001_Classes"
60094602-2602383397-2463990887-1001_Classes"
7-2463990887-1001_Classes\CLSID\{9AC9FBE1-E0A2-4AD6-B4EE-E212013EA917}"
:0x564, access:0x20019, path:"\Registry\Machine\Software\Classes\CLSID\{9AC9FBE1
-E0A2-4AD6-B4EE-E212013EA917}"
97-2463990887-1001", attributes:0x0

7-2463990887-1001_Classes\WOW6432Node\CLSID\{9AC9FBE1-E0A2-4AD6-B4EE-E212013EA91
7}\TreatAs"
de\CLSID\{9AC9FBE1-E0A2-4AD6-B4EE-E212013EA917}\TreatAs"
66
pid:4092, tid:2168, tick:0x33D70DA, lvl:OK, func:CoCreateInstance, hr:0x0, clsid
:9AC9FBE1-E0A2-4AD6-B4EE-E212013EA917, context:0x403, riid:00000003-0000-0000-C0
00-000000000046
5A
76
3A
pid:4092, tid:2168, tick:0x33D70DA, lvl:OK, func:NtUnmapViewOfSectionEx, status:
0x0, address:0x670000
B4
C2
e:0x717E0000
e:0x76B00000
e:0x73500000
me:"oleaut32.dll", module:0x754E0000
pid:4092, tid:2168, tick:0x33D70DA, lvl:OK, func:ShellExecuteExW, ret:0x1, gle:0
x0, verb:"open", file:"\"C:\Program Files (x86)\Mozilla Firefox\firefox.exe\"",
mask:0x8140
pid:4092, tid:8264, tick:0x33D70EA, lvl:OK, func:NtDeviceIoControlFile, status:0
x0, event:0x514, iostatus:0x0, information:0xA4, code:0x1203F, inlen:0x0, outlen
x0, event:0x514, iostatus:0x0, information:0x10, code:0x1202F, inlen:0x0, outlen
x0, event:0x50C, iostatus:0x0, information:0xA4, code:0x1203F, inlen:0x0, outlen

x0, event:0x50C, iostatus:0x0, information:0x0, code:0x1203B, inlen:0x10, outlen
x0, event:0x50C, iostatus:0x0, information:0x10, code:0x1202F, inlen:0x0, outlen
pid:4092, tid:8264, tick:0x33D70EA, lvl:OK, func:NtOpenKeyEx, status:0x0, handle
:0x5EC, access:0x20019, path:"\REGISTRY\MACHINE\System\CurrentControlSet\Control
\SecurityProviders"
pid:4092, tid:8264, tick:0x33D70EA, lvl:OK, func:NtQueryValueKey, status:0x0, na
me:"SecurityProviders", class:0x2, length:0x90, resultlength:0x24, handle:0x5EC,
path:"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SecurityProviders"
me:"SecurityProviders", class:0x2, length:0x90, resultlength:0x24, handle:0x5EC,
path:"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SecurityProviders"
pid:4092, tid:8264, tick:0x33D70EA, lvl:OK, func:NtClose, status:0x0, handle:0x5
EC
:0x5EC, access:0x20019, path:"\REGISTRY\MACHINE\System\CurrentControlSet\Control
\Lsa\SspiCache"
:0x5F0, access:0x20019, path:"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa
\SspiCache\credssp.dll"
me:"Name", class:0x2, length:0x90, resultlength:0x1C, handle:0x5F0, path:"\REGIS
TRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\credssp.dll"
me:"Name", class:0x2, length:0x90, resultlength:0x1C, handle:0x5F0, path:"\REGIS
me:"Comment", class:0x2, length:0x90, resultlength:0x54, handle:0x5F0, path:"\RE
GISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\credssp.dll"
me:"Comment", class:0x2, length:0x90, resultlength:0x54, handle:0x5F0, path:"\RE
me:"Capabilities", class:0x2, length:0x90, resultlength:0x10, handle:0x5F0, path
:"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\credssp.dll"
me:"RpcId", class:0x2, length:0x90, resultlength:0x10, handle:0x5F0, path:"\REGI
STRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\credssp.dll"
me:"Version", class:0x2, length:0x90, resultlength:0x10, handle:0x5F0, path:"\RE
me:"Type", class:0x2, length:0x90, resultlength:0x10, handle:0x5F0, path:"\REGIS
me:"TokenSize", class:0x2, length:0x90, resultlength:0x10, handle:0x5F0, path:"\
REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\credssp.dll"
EC
F0
:0x5F0, access:0x20019, path:"\REGISTRY\MACHINE\System\CurrentControlSet\Control

\SecurityProviders\SaslProfiles"
pid:4092, tid:8264, tick:0x33D70EA, lvl:OK, func:NtEnumerateValueKey, status:0x0
, index:0x0, class:0x1, length:0x410, resultlength:0x32, handle:0x5F0, path:"\RE
GISTRY\MACHINE\SYSTEM\ControlSet001\Control\SecurityProviders\SaslProfiles"
pid:4092, tid:8264, tick:0x33D70EA, lvl:LOG, func:NtEnumerateValueKey, status:0x
8000001A, index:0x1, class:0x1, length:0x410, resultlength:0x32, handle:0x5F0, p
ath:"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SecurityProviders\SaslProfil
es"
F0
pid:4092, tid:8264, tick:0x33D70EA, lvl:LOG, func:NtOpenSection, status:0xC00000
34, handle:0x0, access:0xF, path:"\KnownDlls32\schannel.dll"
pid:4092, tid:8264, tick:0x33D70EA, lvl:OK, func:NtQueryAttributesFile, status:0
x0, attribs:0x20, path:"C:\WINDOWS\SYSTEM32\schannel.dll"
pid:4092, tid:8264, tick:0x33D70EA, lvl:OK, func:NtOpenFile, status:0x0, handle:
0x5F8, access:0x100021, iostatus:0x0, information:0x1, share:0x5, options:0x60,
path:"C:\WINDOWS\SYSTEM32\schannel.dll"
pid:4092, tid:8264, tick:0x33D70EA, lvl:OK, func:NtCreateSection, status:0x0, ha
ndle:0x5FC, access:0xF, pageattribs:0x10, sectionattribs:0x1000000, file:0x5F8
pid:4092, tid:8264, tick:0x33D70EA, lvl:OK, func:NtMapViewOfSection, status:0x0,
address:0x6D390000, zerobits:0x0, commitsize:0x0, viewsize:0x64000, disposition
:0x1, type:0x800000, protect:0x4, handle:0x5FC, path:"C:\WINDOWS\SYSTEM32\schann
el.dll"
FC
F8
pid:4092, tid:8264, tick:0x33D70EA, lvl:OK, func:NtCreateSemaphore, status:0x0,
handle:0x5F8, access:0x100003, initialcount:0x0, maxcount:0x7FFFFFFF
handle:0x5FC, access:0x100003, initialcount:0x0, maxcount:0x7FFFFFFF
pid:4092, tid:8264, tick:0x33D70EA, lvl:OK, func:LdrGetDllHandle, status:0x0, na
me:"schannel", module:0x6D390000
pid:4092, tid:8264, tick:0x33D70EA, lvl:OK, func:LdrLoadDll, status:0x0, flags:0
x0, module:"C:\WINDOWS\SysWOW64\schannel.dll", handle:0x6D390000
pid:4092, tid:8264, tick:0x33D70EA, lvl:OK, func:LdrGetProcedureAddressForCaller
, status:0x0, module:0x6D390000, name:"SpUserModeInitialize", ordinal:0x0, addre
ss:0x6D3A6B10, image:0x0, caller:0x7494D82A
pid:4092, tid:8264, tick:0x33D70EA, lvl:OK, func:NtCreateKey, status:0x0, handle
:0x608, access:0x20019, title:0x0, class:"", options:0x0, disposition:0x2, path:
"\REGISTRY\MACHINE\System\CurrentControlSet\Control\SecurityProviders\Schannel"
pid:4092, tid:8264, tick:0x33D70EA, lvl:LOG, func:NtQueryValueKey, status:0xC000
0034, name:"UserContextLockCount", class:0x2, length:0x90, resultlength:0x0, han
dle:0x608, path:"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SecurityProvider
s\SCHANNEL"
pid:4092, tid:8264, tick:0x33D70EA, lvl:LOG, func:NtQueryValueKey, status:0xC000
0034, name:"UserContextListCount", class:0x2, length:0x90, resultlength:0x0, han
dle:0x608, path:"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SecurityProvider
s\SCHANNEL"
08
handle:0x60C, access:0x100003, initialcount:0x0, maxcount:0x7FFFFFFF

x0, iostatus:0x0, information:0xC0, code:0x1201F, inlen:0x10, outlen:0x0, handle
:0x55C, path:"\Device\Afd\Endpoint"
x0, iostatus:0x0, information:0xC0, code:0x1201F, inlen:0x10, outlen:0x0, handle
x103, iostatus:0x103, information:0x0, code:0x12017, inlen:0x10, outlen:0x0, han
pid:4092, tid:1488, tick:0x33D71B5, lvl:OK, func:NtDeviceIoControlFile, status:0
x0, iostatus:0x0, information:0x498, code:0x12017, inlen:0x10, outlen:0x0, handl
e:0x53C, path:"\Device\Afd\Endpoint"
pid:4092, tid:1488, tick:0x33D7261, lvl:OK, func:NtAssociateWaitCompletionPacket

pid:4092, tid:1488, tick:0x33D7261, lvl:OK, func:NtDeviceIoControlFile, status:0
pid:4092, tid:1488, tick:0x33D7261, lvl:OK, func:NtClose, status:0x0, handle:0x6
48
pid:4092, tid:1488, tick:0x33D7261, lvl:OK, func:WSAStartup, ret:0x0, gle:0x0, V
pid:4092, tid:1488, tick:0x33D7261, lvl:OK, func:NtCreateFile, status:0x0, handl
e:0x648, access:0xC0140000, iostatus:0x0, information:0x0, attribs:0x0, share:0x
x0, event:0x50C, iostatus:0x0, information:0x0, code:0x12047, inlen:0xC4, outlen
x0, event:0x50C, iostatus:0x0, information:0x0, code:0x12047, inlen:0xC4, outlen
x0, event:0x50C, iostatus:0x0, information:0xB8, code:0x120B3, inlen:0x2, outlen
x103, event:0x50C, iostatus:0x0, information:0x34, code:0x120BF, inlen:0x18, out
len:0xDC, handle:0x648, path:"\Device\Afd\Endpoint"
48
48
pid:4092, tid:8264, tick:0x33D7261, lvl:OK, func:WSAStartup, ret:0x0, gle:0x0, V
pid:4092, tid:8264, tick:0x33D7261, lvl:OK, func:NtCreateFile, status:0x0, handl
e:0x3C0, access:0xC0140000, iostatus:0x0, information:0x0, attribs:0x0, share:0x
:0x1C, handle:0x3C0, path:"\Device\Afd\Endpoint"
:0x0, handle:0x3C0, path:"\Device\Afd\Endpoint"
:0x1C, handle:0x3C0, path:"\Device\Afd\Endpoint"
x0, event:0x514, iostatus:0x0, information:0xB8, code:0x120B3, inlen:0x2, outlen
:0x200, handle:0x3C0, path:"\Device\Afd\Endpoint"
x103, event:0x514, iostatus:0x0, information:0x34, code:0x120BF, inlen:0x18, out
len:0xDC, handle:0x3C0, path:"\Device\Afd\Endpoint"
C0
pid:4092, tid:8264, tick:0x33D7270, lvl:OK, func:NtCreateSemaphore, status:0x0,

handle:0x648, access:0x1F0003, initialcount:0x0, maxcount:0x7FFFFF
handle:0x5A8, access:0x1F0003, initialcount:0x0, maxcount:0x7FFFFF
pid:4092, tid:8264, tick:0x33D7280, lvl:OK, func:LdrLoadDll, status:0x0, flags:0
x0, module:"sspicli.dll", handle:0x74940000
pid:4092, tid:8264, tick:0x33D7280, lvl:OK, func:LdrGetProcedureAddressForCaller
, status:0x0, module:0x74940000, name:"FreeContextBuffer", ordinal:0x0, address:
0x7494B3C0, image:0x0, caller:0x6D3A6B53
pid:4092, tid:8264, tick:0x33D7280, lvl:LOG, func:NtOpenSection, status:0xC00000
34, handle:0x0, access:0xF, path:"\KnownDlls32\mskeyprotect.dll"
pid:4092, tid:8264, tick:0x33D7280, lvl:OK, func:NtQueryAttributesFile, status:0
x0, attribs:0x20, path:"C:\WINDOWS\SYSTEM32\mskeyprotect.dll"
pid:4092, tid:8264, tick:0x33D7280, lvl:OK, func:NtOpenFile, status:0x0, handle:
path:"C:\WINDOWS\SYSTEM32\mskeyprotect.dll"
pid:4092, tid:8264, tick:0x33D7280, lvl:OK, func:NtCreateSection, status:0x0, ha
pid:4092, tid:8264, tick:0x33D7280, lvl:OK, func:NtMapViewOfSection, status:0x0,
address:0x6D380000, zerobits:0x0, commitsize:0x0, viewsize:0x10000, disposition
:0x1, type:0x800000, protect:0x4, handle:0x658, path:"C:\WINDOWS\SYSTEM32\mskeyp
rotect.dll"
34, handle:0x0, access:0xF, path:"\KnownDlls32\ncrypt.dll"
58
54
x0, attribs:0x20, path:"C:\WINDOWS\SYSTEM32\ncrypt.dll"
path:"C:\WINDOWS\SYSTEM32\ncrypt.dll"
address:0x64B60000, zerobits:0x0, commitsize:0x0, viewsize:0x20000, disposition
:0x1, type:0x800000, protect:0x4, handle:0x660, path:"C:\WINDOWS\SYSTEM32\ncrypt
.dll"
34, handle:0x0, access:0xF, path:"\KnownDlls32\NTASN1.dll"
60
5C
x0, attribs:0x20, path:"C:\WINDOWS\SYSTEM32\NTASN1.dll"
path:"C:\WINDOWS\SYSTEM32\NTASN1.dll"
address:0x64B30000, zerobits:0x0, commitsize:0x0, viewsize:0x2C000, disposition
:0x1, type:0x800000, protect:0x4, handle:0x660, path:"C:\WINDOWS\SYSTEM32\NTASN1
.dll"

60
5C
pid:4092, tid:8264, tick:0x33D7280, lvl:OK, func:LdrResolveDelayLoadedAPI, statu
s:0x0, module:0x6D380000
x0, module:"mskeyprotect.dll", handle:0x6D380000
, status:0x0, module:0x6D380000, name:"KeyFileProtectSessionTicket", ordinal:0x0
, address:0x6D386AD0, image:0x0, caller:0x6D3A6B7F
, status:0x0, module:0x6D380000, name:"KeyFileUnprotectSessionTicket", ordinal:0
x0, address:0x6D386EB0, image:0x0, caller:0x6D3A6B95
pid:4092, tid:8264, tick:0x33D7280, lvl:OK, func:NtOpenKeyEx, status:0x0, handle
:0x660, access:0x20019, path:"\REGISTRY\MACHINE\Software\Microsoft\Cryptography\
OID"
pid:4092, tid:8264, tick:0x33D7280, lvl:OK, func:NtEnumerateKey, status:0x0, ind
Y\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID"
:0x664, access:0x20019, path:"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\C
ryptography\OID\EncodingType 0"
pid:4092, tid:8264, tick:0x33D7280, lvl:OK, func:NtOpenKey, status:0x0, handle:0
x668, access:0x20019, path:"\Registry\Machine\System\CurrentControlSet\Control\N
ls\CustomLocale"
pid:4092, tid:8264, tick:0x33D7280, lvl:LOG, func:NtQueryValueKey, status:0xC000
0034, name:"en-US", class:0x1, length:0x214, resultlength:0xA5B5A8CA, handle:0x6
68, path:"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale"
68
pid:4092, tid:8264, tick:0x33D7280, lvl:OK, func:NtOpenKey, status:0x0, handle:0
x668, access:0x20019, path:"\Registry\Machine\System\CurrentControlSet\Control\N
ls\ExtendedLocale"
0034, name:"en-US", class:0x1, length:0x214, resultlength:0xA5B5A8CA, handle:0x6
68, path:"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale"
68
0034, name:"en-US", class:0x2, length:0x5A, resultlength:0x345E2E2, handle:0xA4,
path:"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Sorting\Ids"
0034, name:"en", class:0x2, length:0x5A, resultlength:0x345E2E2, handle:0xA4, pa
th:"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Sorting\Ids"
ryptography\OID\EncodingType 0\CertDllOpenStoreProv"
Y\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CertDll
OpenStoreProv"
:0x66C, access:0x20019, path:"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\C
ryptography\OID\EncodingType 0\CertDllOpenStoreProv\#16"
pid:4092, tid:8264, tick:0x33D7280, lvl:OK, func:NtQueryKey, status:0x0, class:0
x4, length:0xB0, resultlength:0x28, handle:0x66C, path:"\REGISTRY\MACHINE\SOFTWA
RE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CertDllOpenStoreProv\#1
6"
pid:4092, tid:8264, tick:0x33D7280, lvl:OK, func:NtEnumerateValueKey, status:0x0
, index:0x0, class:0x1, length:0xDC, resultlength:0x62, handle:0x66C, path:"\REG

ISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\Cer
tDllOpenStoreProv\#16"
, index:0x1, class:0x1, length:0xDC, resultlength:0x4C, handle:0x66C, path:"\REG
tDllOpenStoreProv\#16"
6C
OpenStoreProv"
ryptography\OID\EncodingType 0\CertDllOpenStoreProv\Ldap"
RE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CertDllOpenStoreProv\Ld
ap"
tDllOpenStoreProv\Ldap"
tDllOpenStoreProv\Ldap"
6C
pid:4092, tid:8264, tick:0x33D7280, lvl:LOG, func:NtEnumerateKey, status:0x80000
01A, index:0x2, class:0x0, length:0x120, resultlength:0x0, handle:0x668, path:"\
REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\
CertDllOpenStoreProv"
68
64
pid:4092, tid:8264, tick:0x33D7280, lvl:LOG, func:NtOpenKeyEx, status:0xC0000034
soft\Cryptography\OID\EncodingType 1\CertDllOpenStoreProv"
64
REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID"
60
OID"

soft\Cryptography\OID\EncodingType 0\CryptDllDecodeObjectEx"
74
ryptography\OID\EncodingType 1\CryptDllDecodeObjectEx"
Y\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDl
lDecodeObjectEx"
:0x5C8, access:0x20019, path:"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\C
ryptography\OID\EncodingType 1\CryptDllDecodeObjectEx\1.2.840.113549.1.9.16.1.1"
x4, length:0xB0, resultlength:0x28, handle:0x5C8, path:"\REGISTRY\MACHINE\SOFTWA
RE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObjectEx\
1.2.840.113549.1.9.16.1.1"
, index:0x0, class:0x1, length:0xDC, resultlength:0x62, handle:0x5C8, path:"\REG
ISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\Cry
ptDllDecodeObjectEx\1.2.840.113549.1.9.16.1.1"
, index:0x1, class:0x1, length:0xDC, resultlength:0x4E, handle:0x5C8, path:"\REG
C8
lDecodeObjectEx"
1.2.840.113549.1.9.16.2.1"
, index:0x1, class:0x1, length:0xDC, resultlength:0x5C, handle:0x5C8, path:"\REG
C8

lDecodeObjectEx"
ryptography\OID\EncodingType 1\CryptDllDecodeObjectEx\1.2.840.113549.1.9.16.2.11
"
1.2.840.113549.1.9.16.2.11"
C8
lDecodeObjectEx"
ryptography\OID\EncodingType 1\CryptDllDecodeObjectEx\1.2.840.113549.1.9.16.2.12
"
1.2.840.113549.1.9.16.2.12"
, index:0x1, class:0x1, length:0xDC, resultlength:0x5E, handle:0x5C8, path:"\REG
C8
lDecodeObjectEx"
1.2.840.113549.1.9.16.2.2"
, index:0x1, class:0x1, length:0xDC, resultlength:0x5A, handle:0x5C8, path:"\REG
C8
lDecodeObjectEx"
1.2.840.113549.1.9.16.2.3"
C8
lDecodeObjectEx"
1.2.840.113549.1.9.16.2.4"
C8
CryptDllDecodeObjectEx"
64
74
38
, handle:0x0, access:0x20019, path:"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows

NT\CurrentVersion\msasn1"
A8
48
34, handle:0x0, access:0xF, path:"\KnownDlls32\DPAPI.DLL"
pid:4092, tid:1488, tick:0x33D7280, lvl:LOG, func:NtQueryAttributesFile, status:
0xC0000034, path:"C:\Users\i92segoa\Desktop\Firefox SEO\DPAPI.DLL"
x0, attribs:0x20, path:"C:\WINDOWS\SYSTEM32\DPAPI.DLL"
path:"C:\WINDOWS\SYSTEM32\DPAPI.DLL"
address:0x701B0000, zerobits:0x0, commitsize:0x0, viewsize:0x8000, disposition:
0x1, type:0x800000, protect:0x4, handle:0x678, path:"C:\WINDOWS\SYSTEM32\DPAPI.D
LL"
78
74
pid:4092, tid:1488, tick:0x33D7280, lvl:OK, func:NtOpenSection, status:0x0, hand
le:0x648, access:0xF, path:"\KnownDlls32\WINTRUST.dll"
:0x1, type:0x800000, protect:0x4, handle:0x648, path:"\KnownDlls32\WINTRUST.dll"
48
pid:4092, tid:1488, tick:0x33D7280, lvl:OK, func:NtCreateMutant, status:0x0, han
dle:0x5CC, access:0x1F0001, owner:0x0
pid:4092, tid:1488, tick:0x33D7280, lvl:OK, func:NtCreateMutant, status:0x0, han
dle:0x5E8, access:0x1F0001, owner:0x0
:0x5A8, access:0x20019, path:"\REGISTRY\MACHINE\Software\Microsoft\Cryptography\
Providers\Trust\Certificate\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}"
pid:4092, tid:1488, tick:0x33D7280, lvl:OK, func:NtQueryValueKey, status:0x0, na
me:"$DLL", class:0x2, length:0x90, resultlength:0x4E, handle:0x5A8, path:"\REGIS
TRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Certific
ate\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}"
Providers\Trust\Certificate\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}"
me:"$Function", class:0x2, length:0x90, resultlength:0x38, handle:0x5A8, path:"\
REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Cer
tificate\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}"
me:"$DLL", class:0x2, length:0x90, resultlength:0x4E, handle:0x674, path:"\REGIS
TRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Certific
ate\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}"
A8
me:"$Function", class:0x2, length:0x90, resultlength:0x38, handle:0x674, path:"\
tificate\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}"
74
Providers\Trust\FinalPolicy\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}"
TRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPol
icy\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}"
Providers\Trust\FinalPolicy\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}"
me:"$Function", class:0x2, length:0x90, resultlength:0x2A, handle:0x5A8, path:"\
REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Fin
alPolicy\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}"
A8
TRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPol
icy\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}"
me:"$Function", class:0x2, length:0x90, resultlength:0x2A, handle:0x674, path:"\
REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Fin
alPolicy\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}"
Providers\Trust\Initialization\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}"
TRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Initiali
zation\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}"
74
me:"$Function", class:0x2, length:0x90, resultlength:0x30, handle:0x5A8, path:"\
REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Ini
tialization\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}"
A8
Providers\Trust\Initialization\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}"
Providers\Trust\Message\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}"
TRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Initiali
zation\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}"

TRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Message\
{573E31F8-AABA-11D0-8CCB-00C04FC295EE}"
REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Ini
tialization\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}"
REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Mes
sage\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}"
74
38
Providers\Trust\Signature\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}"
Providers\Trust\Message\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}"
TRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Signatur
e\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}"
REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Sig
nature\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}"
TRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Message\
74
REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Mes
sage\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}"
38
Providers\Trust\CertCheck\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}"
TRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\CertChec
k\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}"
Providers\Trust\Signature\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}"
me:"$Function", class:0x2, length:0x90, resultlength:0x2E, handle:0x674, path:"\
tCheck\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}"
TRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Signatur
e\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}"
74
REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Sig
nature\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}"
74
raphy\Providers\Trust\DiagnosticPolicy\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}"
Providers\Trust\CertCheck\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}"
Providers\Trust\Cleanup\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}"
TRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\CertChec
k\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}"
TRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\
REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Cle
anup\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}"
74
me:"$Function", class:0x2, length:0x90, resultlength:0x2E, handle:0x660, path:"\
tCheck\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}"
pid:4092, tid:1488, tick:0x33D7280, lvl:OK, func:NtWaitForMultipleObjects, statu
s:0x0, count:0x2, type:0x0, alertable:0x0, objects:0x5CC;0x5E4
60
x0, module:"C:\Windows\SysWOW64\WINTRUST.DLL", handle:0x74960000
raphy\Providers\Trust\DiagnosticPolicy\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}"
Providers\Trust\Cleanup\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}"
, status:0x0, module:0x74960000, name:"HTTPSCertificateTrust", ordinal:0x0, addr
ess:0x7496CC30, image:0x0, caller:0x7496C116

, status:0x0, module:0x74960000, name:"HTTPSFinalProv", ordinal:0x0, address:0x7
4970AD0, image:0x0, caller:0x7496C155
TRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\
, status:0x0, module:0x74960000, name:"SoftpubInitialize", ordinal:0x0, address:
0x7496F0B0, image:0x0, caller:0x7496C194
, status:0x0, module:0x74960000, name:"SoftpubLoadMessage", ordinal:0x0, address
:0x7496E7D0, image:0x0, caller:0x7496C1CB
REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Cle
anup\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}"
, status:0x0, module:0x74960000, name:"SoftpubLoadSignature", ordinal:0x0, addre
ss:0x7496E510, image:0x0, caller:0x7496C1F3
74
, status:0x0, module:0x74960000, name:"SoftpubCheckCert", ordinal:0x0, address:0
x74976500, image:0x0, caller:0x7496C21B
, status:0x0, module:0x74960000, name:"SoftpubCleanup", ordinal:0x0, address:0x7
496F0A0, image:0x0, caller:0x7496C254
s:0x0, count:0x2, type:0x0, alertable:0x0, objects:0x5CC;0x5E4
s:0x0, module:0x74960000
Defaults\Provider\Microsoft Enhanced RSA and AES Cryptographic Provider"
oft Enhanced RSA and AES Cryptographic Provider"
, status:0x0, module:0x74960000, name:"HTTPSCertificateTrust", ordinal:0x0, addr
ess:0x7496CC30, image:0x0, caller:0x7496C116
, status:0x0, module:0x74960000, name:"HTTPSFinalProv", ordinal:0x0, address:0x7
4970AD0, image:0x0, caller:0x7496C155

Microsoft Enhanced RSA and AES Cryptographic Provider"
, status:0x0, module:0x74960000, name:"SoftpubInitialize", ordinal:0x0, address:
0x7496F0B0, image:0x0, caller:0x7496C194
, status:0x0, module:0x74960000, name:"SoftpubLoadMessage", ordinal:0x0, address
:0x7496E7D0, image:0x0, caller:0x7496C1CB
, status:0x0, module:0x74960000, name:"SoftpubLoadSignature", ordinal:0x0, addre
ss:0x7496E510, image:0x0, caller:0x7496C1F3
, status:0x0, module:0x74960000, name:"SoftpubCheckCert", ordinal:0x0, address:0
x74976500, image:0x0, caller:0x7496C21B
, status:0x0, module:0x74960000, name:"SoftpubCleanup", ordinal:0x0, address:0x7
496F0A0, image:0x0, caller:0x7496C254


pid:4092, tid:1488, tick:0x33D7280, lvl:OK, func:New_NtQueryInformationToken::<l
6C

:0x5A8, access:0x20119, path:"\REGISTRY\MACHINE\Software\Microsoft\Cryptography"
me:"MachineGuid", class:0x2, length:0x90, resultlength:0x56, handle:0x5A8, path:
A8
raphy\Offload"
463990887-1001", attributes:0x0
A8

6C
74
:0x66C, access:0x20119, path:"\REGISTRY\MACHINE\Software\Microsoft\Cryptography"
463990887-1001", attributes:0x0
74
63990887-1001"
pid:4092, tid:1488, tick:0x33D7280, lvl:OK, func:NtCreateKey, status:0x0, handle
t\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing"
6C
A8
raphy\Offload"
me:"State", class:0x2, length:0x90, resultlength:0x10, handle:0x668, path:"\REGI
ows\CurrentVersion\WinTrust\Trust Providers\Software Publishing"
463990887-1001", attributes:0x0
68
F4
463990887-1001", attributes:0x0
F4

64
63990887-1001"
463990887-1001", attributes:0x0
64
68
me:"Safety Warning Level", class:0x2, length:0x90, resultlength:0x18, handle:0x6
70, path:"\REGISTRY\USER\S-1-5-21-2360094602-2602383397-2463990887-1001\SOFTWARE
\Microsoft\Internet Explorer\Security"
:0x5F4, access:0x2000000, path:"\REGISTRY\USER\S-1-5-21-2360094602-2602383397-24
63990887-1001"
70
t\SystemCertificates\TrustedPublisher\Safer"
pid:4092, tid:8264, tick:0x33D728F, lvl:OK, func:NtCreateKey, status:0x0, handle
t\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing"
463990887-1001", attributes:0x0
F4
6C
me:"State", class:0x2, length:0x90, resultlength:0x10, handle:0x668, path:"\REGI
ows\CurrentVersion\WinTrust\Trust Providers\Software Publishing"
68
463990887-1001", attributes:0x0
63990887-1001"
68
7-2463990887-1001\Software\Policies\Microsoft\SystemCertificates\TrustedPublishe
r\Safer"
74
, handle:0x0, access:0x20019, path:"\REGISTRY\MACHINE\Software\Microsoft\SystemC
ertificates\TrustedPublisher\Safer"
63990887-1001"
s\crypt32"
0034, name:"DiagLevel", class:0x2, length:0x90, resultlength:0x0, handle:0x574,
path:"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\crypt32"
0034, name:"DiagMatchAnyMask", class:0x2, length:0x90, resultlength:0x0, handle:
0x574, path:"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\crypt32"
74
38
me:"Safety Warning Level", class:0x2, length:0x90, resultlength:0x18, handle:0x6
7C, path:"\REGISTRY\USER\S-1-5-21-2360094602-2602383397-2463990887-1001\SOFTWARE
\Microsoft\Internet Explorer\Security"
s\crypt32"
7C
pid:4092, tid:1488, tick:0x33D728F, lvl:OK, func:NtNotifyChangeKey, status:0x103
, event:0x678, iostatus:0x103, information:0x0, filter:0x10000004, watch:0x0, le
ngth:0x0, async:0x1, handle:0x574, path:"\REGISTRY\MACHINE\SYSTEM\ControlSet001\
Services\crypt32"
t\SystemCertificates\TrustedPublisher\Safer"
pid:4092, tid:1488, tick:0x33D728F, lvl:OK, func:NtAssociateWaitCompletionPacket
463990887-1001", attributes:0x0
88
88
94

63990887-1001"
94
7-2463990887-1001\Software\Policies\Microsoft\SystemCertificates\TrustedPublishe
r\Safer"
9C
ertificates\TrustedPublisher\Safer"
9C
98
OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config"
98
0034, name:"DisableSerialChain", class:0x2, length:0x90, resultlength:0x80000002
, handle:0x6A0, path:"\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\Cryptography\OID\Enco
dingType 0\CertDllCreateCertificateChainEngine\Config"
A0
0034, name:"CryptnetPreFetchTriggerPeriodSeconds", class:0x2, length:0x90, resul
tlength:0x331F4D0, handle:0x6A0, path:"\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\Cryp
tography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config"
0034, name:"MaxUrlRetrievalByteCount", class:0x2, length:0x90, resultlength:0x33
1F4D0, handle:0x6A0, path:"\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\Cryptography\OID
\EncodingType 0\CertDllCreateCertificateChainEngine\Config"
:0x698, access:0x20119, path:"\REGISTRY\MACHINE\Software\Microsoft\SystemCertifi
cates\AuthRoot\AutoUpdate"
0034, name:"DisallowedCertSyncDeltaTime", class:0x2, length:0x90, resultlength:0
x77793E5E, handle:0x698, path:"\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\SystemCertif
icates\AuthRoot\AutoUpdate"
98
ertificates\Root\PhysicalStores"
pid:4092, tid:1488, tick:0x33D728F, lvl:LOG, func:NtCreateKey, status:0xC0000022
, handle:0x0, access:0x3001F, title:0x0, class:"", options:0x0, disposition:0xFF
FF0000, path:"\REGISTRY\MACHINE\Software\Microsoft\SystemCertificates\Root"
:0x6A4, access:0x2000000, title:0x0, class:"", options:0x0, disposition:0x2, pat

h:"\REGISTRY\MACHINE\Software"
0, address:0x5A0000
h:"\REGISTRY\MACHINE\Software\Microsoft"
A4
h:"\REGISTRY\MACHINE\Software\Microsoft\SystemCertificates"
A8
pid:4092, tid:8684, tick:0x33D728F, lvl:LOG, func:BaseThreadInitThunk, log:"New
thread started (via BaseThreadInitThunk) at address: 0x77C3C6D0, parameter: 0x7F
5938"
, handle:0x0, access:0x3001F, title:0x0, class:"", options:0x0, disposition:0x2,
path:"\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\SystemCertificates\Root"
A4
cates\Root"
68
t\SystemCertificates\Root\ProtectedRoots"
, handle:0x0, access:0x3001F, title:0x0, class:"", options:0x0, disposition:0x40
, path:"\REGISTRY\MACHINE\Software\Microsoft\SystemCertificates\Root"
:0x6AC, access:0x2000000, title:0x0, class:"", options:0x0, disposition:0x2, pat
:0x668, access:0x2000000, title:0x0, class:"", options:0x0, disposition:0x2, pat
AC
68
path:"\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\SystemCertificates\Root"
AC
:0x6AC, access:0x20019, path:"\REGISTRY\MACHINE\Software\Microsoft\SystemCertifi

cates\Root"
:0x6A4, access:0x20019, path:"\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\SystemCertifi
cates\ROOT\"
AC
path:"\REGISTRY\MACHINE\Software\Microsoft\SystemCertificates\AuthRoot"
AC
A8
path:"\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\SystemCertificates\AuthRoot"
AC
:0x6AC, access:0x20019, path:"\REGISTRY\MACHINE\Software\Microsoft\SystemCertifi
cates\AuthRoot"
cates\AuthRoot\"
AC
, handle:0x0, access:0x20019, path:"\REGISTRY\MACHINE\Software\Microsoft\Enterpr
iseCertificates\Root\PhysicalStores"
FFFFFE, path:"\REGISTRY\MACHINE\Software\Microsoft\EnterpriseCertificates\Root"
:0x6B0, access:0x2000000, title:0x0, class:"", options:0x0, disposition:0x2, pat
B0
h:"\REGISTRY\MACHINE\Software\Microsoft\EnterpriseCertificates"
AC
path:"\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\EnterpriseCertificates\Root"
B0

:0x6B0, access:0x20019, path:"\REGISTRY\MACHINE\Software\Microsoft\EnterpriseCer
tificates\Root"
B0
path:"\REGISTRY\MACHINE\Software\Microsoft\EnterpriseCertificates\Root"
B0
AC
path:"\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\EnterpriseCertificates\Root"
B0
:0x6B0, access:0x20019, path:"\REGISTRY\MACHINE\Software\Microsoft\EnterpriseCer
tificates\Root"
:0x6AC, access:0x20019, path:"\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\EnterpriseCer
tificates\Root\"
B0
, path:"\REGISTRY\MACHINE\Software\Microsoft\SystemCertificates\SmartCardRoot"
B4
B8
path:"\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\SystemCertificates\SmartCardRoot"
B4
:0x6BC, access:0x20019, path:"\REGISTRY\MACHINE\Software\Microsoft\SystemCertifi
cates\SmartCardRoot"
BC

ertificates\CA\PhysicalStores"
C8ED50, path:"\REGISTRY\MACHINE\Software\Microsoft\SystemCertificates\CA"
B0
B4
path:"\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\SystemCertificates\CA"
B0
cates\CA"
BC
path:"\REGISTRY\MACHINE\Software\Microsoft\SystemCertificates\CA"
:0x6BC, access:0x2000000, title:0x0, class:"", options:0x0, disposition:0x2, pat
:0x6C0, access:0x2000000, title:0x0, class:"", options:0x0, disposition:0x2, pat
BC
C0
path:"\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\SystemCertificates\CA"
BC
cates\CA"
:0x6C0, access:0x20019, path:"\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\SystemCertifi
cates\CA\"
BC
, handle:0x0, access:0x20019, path:"\REGISTRY\MACHINE\Software\Microsoft\Enterpr
iseCertificates\CA\PhysicalStores"
FFFFFE, path:"\REGISTRY\MACHINE\Software\Microsoft\EnterpriseCertificates\CA"
BC
C4
path:"\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\EnterpriseCertificates\CA"
BC
:0x6BC, access:0x20019, path:"\REGISTRY\MACHINE\Software\Microsoft\EnterpriseCer
tificates\CA"
BC
path:"\REGISTRY\MACHINE\Software\Microsoft\EnterpriseCertificates\CA"
BC
C4
path:"\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\EnterpriseCertificates\CA"
BC
:0x6BC, access:0x20019, path:"\REGISTRY\MACHINE\Software\Microsoft\EnterpriseCer
tificates\CA"
:0x6C4, access:0x20019, path:"\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\EnterpriseCer
tificates\CA\"
BC
0034, name:"AutoFlags", class:0x2, length:0x90, resultlength:0x64, handle:0x6A0,
path:"\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\Cryptography\OID\EncodingType 0\Cert
DllCreateCertificateChainEngine\Config"

0034, name:"DisableAutoFlushProcessNameList", class:0x2, length:0x90, resultleng
th:0x2020E48, handle:0x6A0, path:"\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\Cryptogra
phy\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config"
0034, name:"AutoFlushFirstDeltaSeconds", class:0x2, length:0x90, resultlength:0x
0, handle:0x6A0, path:"\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\Cryptography\OID\Enc
odingType 0\CertDllCreateCertificateChainEngine\Config"
0034, name:"AutoFlushNextDeltaSeconds", class:0x2, length:0x90, resultlength:0x0
, handle:0x6A0, path:"\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\Cryptography\OID\Enco
dingType 0\CertDllCreateCertificateChainEngine\Config"
A0
cates\ROOT\Certificates"
0034, name:"104C63D2546B8021DD105E9FBA5A8D78169F6B32", class:0x2, length:0x90, r
esultlength:0x331F37C, handle:0x6A0, path:"\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\
SystemCertificates\ROOT\Certificates"
, handle:0x0, access:0x20019, path:"\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\SystemC
ertificates\ROOT\Certificates\104C63D2546B8021DD105E9FBA5A8D78169F6B32"
A0
cates\AuthRoot\Certificates"
esultlength:0x124B218, handle:0x6A0, path:"\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\
SystemCertificates\AuthRoot\Certificates"
ertificates\AuthRoot\Certificates\104C63D2546B8021DD105E9FBA5A8D78169F6B32"
A0
0000, path:"\REGISTRY\MACHINE\Software\Policies\Microsoft\SystemCertificates\Roo
t"
h:"\REGISTRY\MACHINE\Software\Policies"
A0
h:"\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft"
BC
h:"\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates"
A0

path:"\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\Root"
BC
:0x6BC, access:0x20019, path:"\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\EnterpriseCer
tificates\Root\Certificates"
esultlength:0x0, handle:0x6BC, path:"\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\Enterp
riseCertificates\Root\Certificates"
, handle:0x0, access:0x20019, path:"\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\Enterpr
iseCertificates\Root\Certificates\104C63D2546B8021DD105E9FBA5A8D78169F6B32"
BC
:0x6BC, access:0x20019, path:"\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\SystemCertifi
cates\CA\Certificates"
esultlength:0x124B790, handle:0x6BC, path:"\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\
SystemCertificates\CA\Certificates"
ertificates\CA\Certificates\104C63D2546B8021DD105E9FBA5A8D78169F6B32"
BC
0000, path:"\REGISTRY\MACHINE\Software\Policies\Microsoft\SystemCertificates\CA"
h:"\REGISTRY\MACHINE\Software\Policies"
BC
h:"\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft"
A0
h:"\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates"
BC
path:"\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\CA"
A0
:0x6A0, access:0x20019, path:"\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\EnterpriseCer
tificates\CA\Certificates"
esultlength:0x0, handle:0x6A0, path:"\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\Enterp

riseCertificates\CA\Certificates"
, handle:0x0, access:0x20019, path:"\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\Enterpr
iseCertificates\CA\Certificates\104C63D2546B8021DD105E9FBA5A8D78169F6B32"
A0
cates\ROOT\Certificates"
0034, name:"AFE5D244A8D1194230FF479FE2F897BBCD7A8CB4", class:0x2, length:0x90, r
SystemCertificates\ROOT\Certificates"
ertificates\ROOT\Certificates\AFE5D244A8D1194230FF479FE2F897BBCD7A8CB4"
A0
cates\AuthRoot\Certificates"
0034, name:"AFE5D244A8D1194230FF479FE2F897BBCD7A8CB4", class:0x2, length:0x90, r
SystemCertificates\AuthRoot\Certificates"
:0x6BC, access:0x20019, path:"\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\SystemCertifi
cates\AuthRoot\Certificates\AFE5D244A8D1194230FF479FE2F897BBCD7A8CB4"
0005, name:"Blob", class:0x2, length:0x90, resultlength:0x7BC, handle:0x6BC, pat
h:"\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\SystemCertificates\AuthRoot\Certificates
\AFE5D244A8D1194230FF479FE2F897BBCD7A8CB4"
0005, name:"Blob", class:0x2, length:0x90, resultlength:0x7BC, handle:0x6BC, pat
h:"\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\SystemCertificates\AuthRoot\Certificates
\AFE5D244A8D1194230FF479FE2F897BBCD7A8CB4"
me:"Blob", class:0x2, length:0x7BC, resultlength:0x7BC, handle:0x6BC, path:"\REG
ISTRY\MACHINE\SOFTWARE\MICROSOFT\SystemCertificates\AuthRoot\Certificates\AFE5D2
44A8D1194230FF479FE2F897BBCD7A8CB4"
BC
A0
:0x6A0, access:0x20119, path:"\REGISTRY\MACHINE\Software\Microsoft\SystemCertifi
me:"DisallowedCertLastSyncTime", class:0x2, length:0x90, resultlength:0x14, hand
le:0x6A0, path:"\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\SystemCertificates\AuthRoot
\AutoUpdate"
A0
BC
A0

A0
463990887-1001", attributes:0x0
A0
:0x6BC, access:0x2000000, path:"\REGISTRY\USER\S-1-5-21-2360094602-2602383397-24
63990887-1001"
990887-1001\Software\Microsoft\SystemCertificates\AuthRoot\AutoUpdate"
BC
me:"DisallowedCertLastSyncTime", class:0x2, length:0x90, resultlength:0x14, hand
le:0x6C8, path:"\REGISTRY\USER\S-1-5-21-2360094602-2602383397-2463990887-1001\SO
FTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate"
C8
OID"
soft\Cryptography\OID\EncodingType 0\CertDllVerifyRevocation"
9C
:0x6B8, access:0x20019, path:"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\C
ryptography\OID\EncodingType 1\CertDllVerifyRevocation"
VerifyRevocation"
ryptography\OID\EncodingType 1\CertDllVerifyRevocation\DEFAULT"
RE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CertDllVerifyRevocation
\DEFAULT"
tDllVerifyRevocation\DEFAULT"
64
CertDllVerifyRevocation"
68
B8
98
pid:4092, tid:8264, tick:0x33D728F, lvl:LOG, func:NtOpenSection, status:0xC00000
34, handle:0x0, access:0xF, path:"\KnownDlls32\cryptnet.dll"
x0, attribs:0x20, path:"C:\Windows\SYSTEM32\cryptnet.dll"
path:"C:\Windows\SYSTEM32\cryptnet.dll"
pid:4092, tid:8264, tick:0x33D728F, lvl:OK, func:NtCreateSection, status:0x0, ha
ndle:0x6D8, access:0xF, pageattribs:0x10, sectionattribs:0x1000000, file:0x6D4
address:0x60BF0000, zerobits:0x0, commitsize:0x0, viewsize:0x25000, disposition
:0x1, type:0x800000, protect:0x4, handle:0x6D8, path:"C:\Windows\SYSTEM32\cryptn
et.dll"
D8
D4
x2, module:"C:\Windows\SYSTEM32\cryptnet.dll", handle:0x60BF0000
raphy\TVO"
x0, module:"C:\Windows\SysWOW64\cryptnet.dll", handle:0x60BF0000

x0, module:"C:\Windows\SysWOW64\cryptnet.dll", handle:0x60BF0000
pid:4092, tid:8264, tick:0x33D729F, lvl:LOG, func:LdrGetProcedureAddressForCalle
r, status:0xC0000139, module:0x60BF0000, name:"DllCanUnloadNow", ordinal:0x0, im
age:0x0, caller:0x778A2540
pid:4092, tid:1488, tick:0x33D729F, lvl:LOG, func:LdrGetProcedureAddressForCalle
r, status:0xC0000139, module:0x60BF0000, name:"DllCanUnloadNow", ordinal:0x0, im
age:0x0, caller:0x778A2540
, status:0x0, module:0x60BF0000, name:"CertDllVerifyRevocation", ordinal:0x0, ad
dress:0x60BF9DB0, image:0x0, caller:0x778A3452
e:0x60BF0000
, status:0x0, module:0x60BF0000, name:"CertDllVerifyRevocation", ordinal:0x0, ad
dress:0x60BF9DB0, image:0x0, caller:0x778A3452
OID"
:0x5F4, access:0x20019, path:"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\C
soft\Cryptography\OID\EncodingType 0\TimeValidDllGetObject"
F4
soft\Cryptography\OID\EncodingType 1\TimeValidDllGetObject"
98
64
:0x5F4, access:0x20019, path:"\REGISTRY\MACHINE\Software\Microsoft\Cryptography\
OID"
ex:0x0, class:0x0, length:0x120, resultlength:0x2C, handle:0x5F4, path:"\REGISTR
soft\Cryptography\OID\EncodingType 0\UrlDllGetObjectUrl"
70

soft\Cryptography\OID\EncodingType 1\UrlDllGetObjectUrl"
70
01A, index:0x2, class:0x0, length:0x120, resultlength:0x0, handle:0x5F4, path:"\
F4
0034, name:"CryptnetCachedOcspSwitchToCrlCount", class:0x2, length:0x90, resultl
ength:0x0, handle:0x5F4, path:"\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\Cryptography
\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config"
0034, name:"CryptnetMaxCachedOcspPerCrlCount", class:0x2, length:0x90, resultlen
gth:0x0, handle:0x5F4, path:"\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\Cryptography\O
ID\EncodingType 0\CertDllCreateCertificateChainEngine\Config"
F4
t\SystemCertificates\ChainEngine\Config"
70
F4
pid:4092, tid:1488, tick:0x33D729F, lvl:OK, func:LdrResolveDelayLoadedAPI, statu
s:0x0, module:0x60BF0000
lass:0x1, length:0xC8, returnlength:0x24, sid:"S-1-5-21-2360094602-2602383397-24
63990887-1001", attributes:0x0
pid:4092, tid:1488, tick:0x33D729F, lvl:OK, func:LdrResolveDelayLoadedAPI, statu
s:0x0, module:0x75430000
74
:0x6DC, access:0x20019, path:"\REGISTRY\USER\S-1-5-21-2360094602-2602383397-2463
s"
me:"Local AppData", class:0x2, length:0x90, resultlength:0x44, handle:0x6DC, pat

:0x6E0, access:0x20019, path:"\REGISTRY\MACHINE\Software\Microsoft\Windows NT\Cu
me:"ProfileImagePath", class:0x2, length:0x90, resultlength:0x30, handle:0x6E0,
\S-1-5-21-2360094602-2602383397-2463990887-1001"
me:"ProfileImagePath", class:0x2, length:0x90, resultlength:0x30, handle:0x6E0,
\S-1-5-21-2360094602-2602383397-2463990887-1001"
E0
DC
70
x0, attribs:0x2010, path:"C:\Users\i92segoa\AppData\LocalLow"
0, path:"C:\Users\i92segoa\AppData\LocalLow"
pid:4092, tid:1488, tick:0x33D729F, lvl:OK, func:NtQuerySecurityObject, status:0
x0, class:0x10, length:0x400, requiredlength:0x30, handle:0x6DC, path:"C:\Users\
i92segoa\AppData\LocalLow"
DC
F4
0, address:0x670000
0, address:0x5A0000
dding directory LastPass with flags: 2."
dding directory Microsoft with flags: 4."
F4
0, address:0x670000
0, address:0x5A0000
dding directory CryptnetUrlCache with flags: 4."

F4
dding directory Content with flags: 4."
F4
dding directory MetaData with flags: 4."
F4
0x5F4, access:0x100001, iostatus:0x0, information:0x0, share:0x7, options:0x4021
, path:"C:\Users\i92segoa\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\"
pid:4092, tid:1488, tick:0x33D729F, lvl:OK, func:NtQueryDirectoryFile, status:0x
0, iostatus:0x0, information:0xE0, length:0x268, class:0x3, single:0x1, mask:"50
80DC7A65DB6A5960ECD874088F3328_*", restart:0x0, handle:0x5F4, path:"C:\Users\i92
segoa\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData"
pid:4092, tid:1488, tick:0x33D729F, lvl:OK, func:NtQueryDirectoryFile, status:0x
0, iostatus:0x0, information:0x2A0, length:0x1000, class:0x3, single:0x0, restar
t:0x0, handle:0x5F4, path:"C:\Users\i92segoa\AppData\LocalLow\Microsoft\Cryptnet
UrlCache\MetaData"
pid:4092, tid:1488, tick:0x33D729F, lvl:LOG, func:NtQueryDirectoryFile, status:0
x80000006, iostatus:0x80000006, information:0x0, length:0x1000, class:0x3, singl
e:0x0, restart:0x0, handle:0x5F4, path:"C:\Users\i92segoa\AppData\LocalLow\Micro
soft\CryptnetUrlCache\MetaData"
F4
raphy\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\CrlPreFetch"
OID"
soft\Cryptography\OID\EncodingType 0\CryptDllEncodeObjectEx"
70
:0x6DC, access:0x20019, path:"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\C
ryptography\OID\EncodingType 1\CryptDllEncodeObjectEx"
ex:0x0, class:0x0, length:0x120, resultlength:0x42, handle:0x6DC, path:"\REGISTR
lEncodeObjectEx"
:0x6E0, access:0x20019, path:"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\C
ryptography\OID\EncodingType 1\CryptDllEncodeObjectEx\1.2.840.113549.1.9.16.1.1"
x4, length:0xB0, resultlength:0x28, handle:0x6E0, path:"\REGISTRY\MACHINE\SOFTWA
RE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObjectEx\
1.2.840.113549.1.9.16.1.1"
, index:0x0, class:0x1, length:0xDC, resultlength:0x62, handle:0x6E0, path:"\REG
ptDllEncodeObjectEx\1.2.840.113549.1.9.16.1.1"
, index:0x1, class:0x1, length:0xDC, resultlength:0x4E, handle:0x6E0, path:"\REG
E0
lEncodeObjectEx"
1.2.840.113549.1.9.16.2.1"
9C
lEncodeObjectEx"
ryptography\OID\EncodingType 1\CryptDllEncodeObjectEx\1.2.840.113549.1.9.16.2.11
"
1.2.840.113549.1.9.16.2.11"
9C
lEncodeObjectEx"
ryptography\OID\EncodingType 1\CryptDllEncodeObjectEx\1.2.840.113549.1.9.16.2.12
"
1.2.840.113549.1.9.16.2.12"
, index:0x1, class:0x1, length:0xDC, resultlength:0x5E, handle:0x69C, path:"\REG
9C
lEncodeObjectEx"
1.2.840.113549.1.9.16.2.2"
, index:0x1, class:0x1, length:0xDC, resultlength:0x5A, handle:0x69C, path:"\REG
9C
lEncodeObjectEx"
1.2.840.113549.1.9.16.2.3"

9C
lEncodeObjectEx"
1.2.840.113549.1.9.16.2.4"
9C
01A, index:0x7, class:0x0, length:0x120, resultlength:0x0, handle:0x6DC, path:"\
CryptDllEncodeObjectEx"
DC
70
F4
OID"
:0x6DC, access:0x20019, path:"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\C
ryptography\OID\EncodingType 0\CryptDllFindOIDInfo"
lFindOIDInfo"
ryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.64.1.1!7"
RE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3
.6.1.4.1.311.64.1.1!7"
, index:0x0, class:0x1, length:0xDC, resultlength:0x6E, handle:0x69C, path:"\REG
ptDllFindOIDInfo\1.3.6.1.4.1.311.64.1.1!7"

:0x6CC, access:0x20019, path:"\REGISTRY\MACHINE\Software\Microsoft\Cryptography\
OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.64.1.1!7"
me:"Name", class:0x2, length:0x90, resultlength:0x5A, handle:0x6CC, path:"\REGIS
TRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\Crypt
DllFindOIDInfo\1.3.6.1.4.1.311.64.1.1!7"
x694, access:0x1, path:"\Registry\Machine\SYSTEM\CurrentControlSet\Control\MUI\S
tringCacheSettings"
me:"StringCacheGeneration", class:0x1, length:0x214, resultlength:0x44, handle:0
x694, path:"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\MUI\StringCacheSettin
gs"
94
97-2463990887-1001", attributes:0x0
990887-1001"
x6B0, access:0x2001F, path:"\REGISTRY\USER\S-1-5-21-2360094602-2602383397-246399
0887-1001\Software\Classes\Local Settings\MuiCache\a4\63C768CF"
88
:"LanguageList", index:0x0, type:0x7, size:0x26, handle:0x6B0, path:"\REGISTRY\U
SER\S-1-5-21-2360094602-2602383397-2463990887-1001_CLASSES\Local Settings\MuiCac
he\a4\63C768CF"
x0, attribs:0x20, path:"C:\WINDOWS\system32\dnsapi.dll"
me:"@%SystemRoot%\system32\dnsapi.dll,-103", class:0x1, length:0x214, resultleng
th:0xDA, handle:0x6B0, path:"\REGISTRY\USER\S-1-5-21-2360094602-2602383397-24639
90887-1001_CLASSES\Local Settings\MuiCache\a4\63C768CF"
B0
me:"Name", class:0x2, length:0x90, resultlength:0x5A, handle:0x6CC, path:"\REGIS
DllFindOIDInfo\1.3.6.1.4.1.311.64.1.1!7"
x6B0, access:0x1, path:"\Registry\Machine\SYSTEM\CurrentControlSet\Control\MUI\S
tringCacheSettings"
x6B0, path:"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\MUI\StringCacheSettin
gs"
B0
97-2463990887-1001", attributes:0x0
990887-1001"

x688, access:0x2001F, path:"\REGISTRY\USER\S-1-5-21-2360094602-2602383397-246399
94
:"LanguageList", index:0x0, type:0x7, size:0x26, handle:0x688, path:"\REGISTRY\U
he\a4\63C768CF"
x0, attribs:0x20, path:"C:\WINDOWS\system32\dnsapi.dll"
me:"@%SystemRoot%\system32\dnsapi.dll,-103", class:0x1, length:0x214, resultleng
th:0xDA, handle:0x688, path:"\REGISTRY\USER\S-1-5-21-2360094602-2602383397-24639
90887-1001_CLASSES\Local Settings\MuiCache\a4\63C768CF"
88
CC
9C
ex:0x1, class:0x0, length:0x120, resultlength:0x3C, handle:0x6DC, path:"\REGISTR
lFindOIDInfo"
ryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.80.1!7"
RE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3
.6.1.4.1.311.80.1!7"
, index:0x0, class:0x1, length:0xDC, resultlength:0xA4, handle:0x69C, path:"\REG
ptDllFindOIDInfo\1.3.6.1.4.1.311.80.1!7"
:0x6CC, access:0x20019, path:"\REGISTRY\MACHINE\Software\Microsoft\Cryptography\
OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.80.1!7"
me:"Name", class:0x2, length:0x90, resultlength:0x90, handle:0x6CC, path:"\REGIS
DllFindOIDInfo\1.3.6.1.4.1.311.80.1!7"
tringCacheSettings"
gs"
88
97-2463990887-1001", attributes:0x0
990887-1001"
x694, access:0x2001F, path:"\REGISTRY\USER\S-1-5-21-2360094602-2602383397-246399

B0
:"LanguageList", index:0x0, type:0x7, size:0x26, handle:0x694, path:"\REGISTRY\U
he\a4\63C768CF"
x0, attribs:0x20, path:"C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.ex
e"
me:"@%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe,-124", class:0x
1, length:0x214, resultlength:0xC4, handle:0x694, path:"\REGISTRY\USER\S-1-5-212360094602-2602383397-2463990887-1001_CLASSES\Local Settings\MuiCache\a4\63C768C
F"
94
me:"Name", class:0x2, length:0x90, resultlength:0x90, handle:0x6CC, path:"\REGIS
DllFindOIDInfo\1.3.6.1.4.1.311.80.1!7"
tringCacheSettings"
gs"
94
97-2463990887-1001", attributes:0x0
990887-1001"
x6B0, access:0x2001F, path:"\REGISTRY\USER\S-1-5-21-2360094602-2602383397-246399
88
:"LanguageList", index:0x0, type:0x7, size:0x26, handle:0x6B0, path:"\REGISTRY\U
he\a4\63C768CF"
x0, attribs:0x20, path:"C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.ex
e"
me:"@%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe,-124", class:0x
1, length:0x214, resultlength:0xC4, handle:0x6B0, path:"\REGISTRY\USER\S-1-5-212360094602-2602383397-2463990887-1001_CLASSES\Local Settings\MuiCache\a4\63C768C
F"
B0
CC
9C
01A, index:0x2, class:0x0, length:0x120, resultlength:0x0, handle:0x6DC, path:"\
CryptDllFindOIDInfo"
DC
70
F4
:0x5F4, access:0x20119, path:"\REGISTRY\MACHINE\SYSTEM\CurrentControlSet\Control
\Cryptography\ECCParameters"
REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Cryptography\ECCParameters"
F4
0, address:0x2DBEAA8, class:0x3, length:0x14

pid:4092, tid:1488, tick:0x33D729F, lvl:OK, func:NtQueryVirtualMemory,
status:0x
status:0x
status:0x
status:0x
status:0x
status:0x
status:0x
status:0x
status:0x
status:0x
status:0x
status:0x
status:0x
status:0x
status:0x
status:0x
status:0x
status:0x
status:0x
status:0x
status:0x
status:0x
status:0x
status:0x
status:0x
status:0x
status:0x
status:0x
status:0x
status:0x

status:0x
status:0x
status:0x
status:0x
status:0x
status:0x
status:0x
status:0x
status:0x
status:0x
status:0x
status:0x
status:0x
status:0x
status:0x
status:0x
status:0x
status:0x
status:0x
status:0x
status:0x
status:0x
status:0x
status:0x
status:0x
status:0x
status:0x
status:0x
status:0x
status:0x

status:0x
status:0x
status:0x
status:0x
status:0x
status:0x
status:0x
status:0x
status:0x
status:0x
status:0x
status:0x
status:0x
status:0x
status:0x
status:0x
status:0x
status:0x
status:0x
status:0x
status:0x
status:0x
status:0x
status:0x
status:0x
status:0x
status:0x
status:0x
status:0x
status:0x

status:0x
status:0x
status:0x
status:0x
status:0x
status:0x
status:0x
status:0x
status:0x
status:0x
status:0x
status:0x
status:0x
status:0x
status:0x
status:0x
status:0x
status:0x
status:0x
status:0x
status:0x
status:0x
status:0x
status:0x
status:0x
status:0x
status:0x
status:0x
status:0x
status:0x

status:0x
status:0x
status:0x
status:0x
status:0x
status:0x
status:0x
status:0x
status:0x
status:0x
status:0x
status:0x
status:0x
status:0x
status:0x
status:0x
status:0x
status:0x
status:0x
status:0x
status:0x
status:0x
status:0x
status:0x
status:0x
status:0x
status:0x
status:0x
status:0x
status:0x

status:0x
status:0x
status:0x
status:0x
status:0x
status:0x
status:0x
status:0x
status:0x
status:0x
status:0x
status:0x
status:0x
status:0x
status:0x
status:0x
status:0x
status:0x
status:0x
status:0x
status:0x
status:0x
status:0x
status:0x
status:0x
status:0x
status:0x
status:0x
status:0x
status:0x

:0x5F4, access:0x20019, path:"\REGISTRY\MACHINE\SYSTEM\CurrentControlSet\Service
s\crypt32"
0034, name:"DebugFlags", class:0x2, length:0x90, resultlength:0x1F, handle:0x5F4
, path:"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\crypt32"
F4
OID"
soft\Cryptography\OID\EncodingType 0\SchemeDllRetrieveEncodedObjectW"
70
soft\Cryptography\OID\EncodingType 1\SchemeDllRetrieveEncodedObjectW"
70
F4
70
F4

63990887-1001", attributes:0x0
DC
pid:4092, tid:1488, tick:0x33D72AF, lvl:OK, func:NtOpenKeyEx, status:0x0, handle
:0x6DC, access:0x20019, path:"\REGISTRY\USER\S-1-5-21-2360094602-2602383397-2463
s"
pid:4092, tid:1488, tick:0x33D72AF, lvl:OK, func:NtQueryValueKey, status:0x0, na
\S-1-5-21-2360094602-2602383397-2463990887-1001"
\S-1-5-21-2360094602-2602383397-2463990887-1001"
pid:4092, tid:1488, tick:0x33D72AF, lvl:OK, func:NtClose, status:0x0, handle:0x6
9C
DC
70
pid:4092, tid:1488, tick:0x33D72AF, lvl:OK, func:NtQueryAttributesFile, status:0
pid:4092, tid:1488, tick:0x33D72AF, lvl:OK, func:NtOpenFile, status:0x0, handle:
pid:4092, tid:1488, tick:0x33D72AF, lvl:OK, func:NtQuerySecurityObject, status:0
x0, class:0x10, length:0x400, requiredlength:0x30, handle:0x6DC, path:"C:\Users\
DC
F4
pid:4092, tid:1488, tick:0x33D72AF, lvl:OK, func:NtCreateFile, status:0x0, handl
e:0x670, access:0x80100080, iostatus:0x0, information:0x1, attribs:0x80, share:0
x1, disposition:0x1, options:0x60, path:"C:\Users\i92segoa\AppData\LocalLow\Micr
osoft\CryptnetUrlCache\MetaData\5080DC7A65DB6A5960ECD874088F3328_2908F682DFC81A7
93BD240CF29711C77"
pid:4092, tid:1488, tick:0x33D72AF, lvl:OK, func:NtCreateFile, status:0x0, handl
e:0x5F4, access:0x80100080, iostatus:0x0, information:0x1, attribs:0x80, share:0
osoft\CryptnetUrlCache\Content\5080DC7A65DB6A5960ECD874088F3328_2908F682DFC81A79
3BD240CF29711C77"
pid:4092, tid:1488, tick:0x33D72AF, lvl:OK, func:NtQueryInformationFile, status:
"C:\Users\i92segoa\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\5080DC7A
65DB6A5960ECD874088F3328_2908F682DFC81A793BD240CF29711C77"
pid:4092, tid:1488, tick:0x33D72AF, lvl:OK, func:NtReadFile, status:0x0, iostatu

s:0x0, information:0x4, length:0x4, handle:0x670, path:"C:\Users\i92segoa\AppDat
a\LocalLow\Microsoft\CryptnetUrlCache\MetaData\5080DC7A65DB6A5960ECD874088F3328_
2908F682DFC81A793BD240CF29711C77"
s:0x0, information:0x6C, length:0x6C, handle:0x670, path:"C:\Users\i92segoa\AppD
ata\LocalLow\Microsoft\CryptnetUrlCache\MetaData\5080DC7A65DB6A5960ECD874088F332
8_2908F682DFC81A793BD240CF29711C77"
s:0x0, information:0x124, length:0x124, handle:0x670, path:"C:\Users\i92segoa\Ap
pData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\5080DC7A65DB6A5960ECD874088F3
328_2908F682DFC81A793BD240CF29711C77"
s:0x0, information:0x2D7, length:0x2D7, handle:0x5F4, path:"C:\Users\i92segoa\Ap
pData\LocalLow\Microsoft\CryptnetUrlCache\Content\5080DC7A65DB6A5960ECD874088F33
28_2908F682DFC81A793BD240CF29711C77"
F4
70
pid:4092, tid:1488, tick:0x33D72AF, lvl:OK, func:LdrResolveDelayLoadedAPI, statu
s:0x0, module:0x77870000
pid:4092, tid:1488, tick:0x33D72AF, lvl:OK, func:NtDeviceIoControlFile, status:0
pid:4092, tid:1488, tick:0x33D72AF, lvl:OK, func:LdrGetProcedureAddressForCaller
OID"
pid:4092, tid:1488, tick:0x33D72AF, lvl:OK, func:NtEnumerateKey, status:0x0, ind
pid:4092, tid:1488, tick:0x33D72AF, lvl:LOG, func:NtOpenKeyEx, status:0xC0000034
soft\Cryptography\OID\EncodingType 0\CryptDllVerifyEncodedSignature"
F4
soft\Cryptography\OID\EncodingType 1\CryptDllVerifyEncodedSignature"
F4
pid:4092, tid:1488, tick:0x33D72AF, lvl:LOG, func:NtEnumerateKey, status:0x80000
70
OID"
soft\Cryptography\OID\EncodingType 0\CryptDllImportPublicKeyInfoEx2"
F4
soft\Cryptography\OID\EncodingType 1\CryptDllImportPublicKeyInfoEx2"
F4
pid:4092, tid:1488, tick:0x33D72AF, lvl:LOG, func:NtEnumerateKey, status:0x80000
70
pid:4092, tid:1488, tick:0x33D72AF, lvl:OK, func:NtDeviceIoControlFile, status:0
x0, iostatus:0x0, information:0x118, code:0x390402, inlen:0x38, outlen:0x180, ha
ndle:0x340, path:"\Device\KsecDD"
pid:4092, tid:1488, tick:0x33D72AF, lvl:OK, func:LdrGetProcedureAddressForCaller
, status:0x0, module:0x74AB0000, name:"GetAsymmetricEncryptionInterface", ordina
l:0x0, address:0x74ADC770, image:0x0, caller:0x72B3146B
:0x6E0, access:0x20119, path:"\REGISTRY\MACHINE\Software\Microsoft\Cryptography\
pid:4092, tid:1488, tick:0x33D72AF, lvl:LOG, func:NtQueryValueKey, status:0xC000
0034, name:"CryptnetPreFetchMinMaxAgeSeconds", class:0x2, length:0x90, resultlen
gth:0x0, handle:0x6E0, path:"\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\Cryptography\O
0034, name:"CryptnetPreFetchMaxMaxAgeSeconds", class:0x2, length:0x90, resultlen
E0
pid:4092, tid:8264, tick:0x33D72AF, lvl:OK, func:NtWaitForMultipleObjects, statu
s:0x0, count:0x2, type:0x1, alertable:0x0, objects:0x6D8;0x6D4
D8
D4
:0x6E0, access:0x20119, path:"\REGISTRY\MACHINE\Software\Microsoft\Cryptography\
0034, name:"CryptnetCachedOcspSwitchToCrlCount", class:0x2, length:0x90, resultl
ength:0x0, handle:0x6E0, path:"\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\Cryptography

0034, name:"CryptnetMaxCachedOcspPerCrlCount", class:0x2, length:0x90, resultlen
E0
t\SystemCertificates\ChainEngine\Config"
E4
E0
pid:4092, tid:1488, tick:0x33D72AF, lvl:OK, func:New_NtQueryInformationToken::<l
63990887-1001", attributes:0x0
E8
s"
me:"Local AppData", class:0x2, length:0x90, resultlength:0x44, handle:0x6E8, pat
me:"Local AppData", class:0x2, length:0x90, resultlength:0x44, handle:0x6E8, pat
:0x6EC, access:0x20019, path:"\REGISTRY\MACHINE\Software\Microsoft\Windows NT\Cu
me:"ProfileImagePath", class:0x2, length:0x90, resultlength:0x30, handle:0x6EC,
\S-1-5-21-2360094602-2602383397-2463990887-1001"
me:"ProfileImagePath", class:0x2, length:0x90, resultlength:0x30, handle:0x6EC,
\S-1-5-21-2360094602-2602383397-2463990887-1001"
EC
E8
E4
pid:4092, tid:1488, tick:0x33D72AF, lvl:OK, func:NtQueryAttributesFile, status:0
pid:4092, tid:1488, tick:0x33D72AF, lvl:OK, func:NtOpenFile, status:0x0, handle:
0x6E8, access:0x20000, iostatus:0x0, information:0x1, share:0x7, options:0x20000
pid:4092, tid:1488, tick:0x33D72AF, lvl:OK, func:NtQuerySecurityObject, status:0
x0, class:0x10, length:0x400, requiredlength:0x30, handle:0x6E8, path:"C:\Users\

E8
pid:4092, tid:1488, tick:0x33D72BE, lvl:OK, func:NtClose, status:0x0, handle:0x6
E0
pid:4092, tid:1488, tick:0x33D72BE, lvl:OK, func:NtOpenFile, status:0x0, handle:
0x6E0, access:0x100001, iostatus:0x0, information:0x0, share:0x7, options:0x4021
, path:"C:\Users\i92segoa\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\"
pid:4092, tid:1488, tick:0x33D72BE, lvl:OK, func:NtQueryDirectoryFile, status:0x
0, iostatus:0x0, information:0xE0, length:0x268, class:0x3, single:0x1, mask:"02
4823B39FBEACCDB5C06426A8168E99_*", restart:0x0, handle:0x6E0, path:"C:\Users\i92
segoa\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData"
pid:4092, tid:1488, tick:0x33D72BE, lvl:OK, func:NtQueryDirectoryFile, status:0x
0, iostatus:0x0, information:0xE0, length:0x1000, class:0x3, single:0x0, restart
:0x0, handle:0x6E0, path:"C:\Users\i92segoa\AppData\LocalLow\Microsoft\CryptnetU
rlCache\MetaData"
pid:4092, tid:1488, tick:0x33D72BE, lvl:LOG, func:NtQueryDirectoryFile, status:0
x80000006, iostatus:0x80000006, information:0x0, length:0x1000, class:0x3, singl
e:0x0, restart:0x0, handle:0x6E0, path:"C:\Users\i92segoa\AppData\LocalLow\Micro
soft\CryptnetUrlCache\MetaData"
E0
pid:4092, tid:1488, tick:0x33D72BE, lvl:LOG, func:NtOpenKeyEx, status:0xC0000034
raphy\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\CrlPreFetch"
F4
70
pid:4092, tid:1488, tick:0x33D72BE, lvl:OK, func:New_NtQueryInformationToken::<l
63990887-1001", attributes:0x0
9C
pid:4092, tid:1488, tick:0x33D72BE, lvl:OK, func:NtOpenKeyEx, status:0x0, handle
s"
pid:4092, tid:1488, tick:0x33D72CE, lvl:OK, func:NtQueryValueKey, status:0x0, na
me:"Local AppData", class:0x2, length:0x90, resultlength:0x44, handle:0x69C, pat
me:"Local AppData", class:0x2, length:0x90, resultlength:0x44, handle:0x69C, pat
pid:4092, tid:1488, tick:0x33D72CE, lvl:OK, func:NtOpenKeyEx, status:0x0, handle
:0x6CC, access:0x20019, path:"\REGISTRY\MACHINE\Software\Microsoft\Windows NT\Cu
me:"ProfileImagePath", class:0x2, length:0x90, resultlength:0x30, handle:0x6CC,
\S-1-5-21-2360094602-2602383397-2463990887-1001"
me:"ProfileImagePath", class:0x2, length:0x90, resultlength:0x30, handle:0x6CC,
\S-1-5-21-2360094602-2602383397-2463990887-1001"
pid:4092, tid:1488, tick:0x33D72CE, lvl:OK, func:NtClose, status:0x0, handle:0x6
CC
9C
F4
pid:4092, tid:1488, tick:0x33D72CE, lvl:OK, func:NtQueryAttributesFile, status:0
pid:4092, tid:1488, tick:0x33D72CE, lvl:OK, func:NtOpenFile, status:0x0, handle:
0x69C, access:0x20000, iostatus:0x0, information:0x1, share:0x7, options:0x20000
pid:4092, tid:1488, tick:0x33D72CE, lvl:OK, func:NtQuerySecurityObject, status:0
x0, class:0x10, length:0x400, requiredlength:0x30, handle:0x69C, path:"C:\Users\
9C
70
pid:4092, tid:1488, tick:0x33D72CE, lvl:OK, func:NtCreateFile, status:0x0, handl
e:0x670, access:0x80100080, iostatus:0x0, information:0x1, attribs:0x80, share:0
osoft\CryptnetUrlCache\MetaData\024823B39FBEACCDB5C06426A8168E99_4EB65D2EF896F9A
30A10A7F798B64304"
pid:4092, tid:1488, tick:0x33D72CE, lvl:OK, func:NtCreateFile, status:0x0, handl
e:0x6E0, access:0x80100080, iostatus:0x0, information:0x1, attribs:0x80, share:0
osoft\CryptnetUrlCache\Content\024823B39FBEACCDB5C06426A8168E99_4EB65D2EF896F9A3
0A10A7F798B64304"
pid:4092, tid:1488, tick:0x33D72CE, lvl:OK, func:NtQueryInformationFile, status:
"C:\Users\i92segoa\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\024823B3
9FBEACCDB5C06426A8168E99_4EB65D2EF896F9A30A10A7F798B64304"
pid:4092, tid:1488, tick:0x33D72CE, lvl:OK, func:NtReadFile, status:0x0, iostatu
s:0x0, information:0x4, length:0x4, handle:0x670, path:"C:\Users\i92segoa\AppDat
a\LocalLow\Microsoft\CryptnetUrlCache\MetaData\024823B39FBEACCDB5C06426A8168E99_
4EB65D2EF896F9A30A10A7F798B64304"
s:0x0, information:0x6C, length:0x6C, handle:0x670, path:"C:\Users\i92segoa\AppD
ata\LocalLow\Microsoft\CryptnetUrlCache\MetaData\024823B39FBEACCDB5C06426A8168E9
9_4EB65D2EF896F9A30A10A7F798B64304"
s:0x0, information:0x124, length:0x124, handle:0x670, path:"C:\Users\i92segoa\Ap
pData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\024823B39FBEACCDB5C06426A8168
E99_4EB65D2EF896F9A30A10A7F798B64304"
s:0x0, information:0x1D8, length:0x1D8, handle:0x6E0, path:"C:\Users\i92segoa\Ap
pData\LocalLow\Microsoft\CryptnetUrlCache\Content\024823B39FBEACCDB5C06426A8168E
99_4EB65D2EF896F9A30A10A7F798B64304"
E0
70
pid:4092, tid:1488, tick:0x33D72CE, lvl:OK, func:NtDeviceIoControlFile, status:0
pid:4092, tid:1488, tick:0x33D72CE, lvl:OK, func:LdrGetProcedureAddressForCaller

pid:4092, tid:1488, tick:0x33D72CE, lvl:OK, func:LdrResolveDelayLoadedAPI, statu
s:0x0, module:0x77870000
pid:4092, tid:1488, tick:0x33D72CE, lvl:OK, func:LdrLoadDll, status:0x0, flags:0

pid:4092, tid:1488, tick:0x33D72CE, lvl:OK, func:New_NtQueryInformationToken::<l
E0
:0x6E0, access:0x20119, path:"\REGISTRY\MACHINE\Software\Microsoft\Cryptography"
me:"MachineGuid", class:0x2, length:0x90, resultlength:0x56, handle:0x6E0, path:
E0
pid:4092, tid:1488, tick:0x33D72CE, lvl:LOG, func:NtOpenKeyEx, status:0xC0000034
raphy\Offload"
463990887-1001", attributes:0x0
E0
70
OID"
pid:4092, tid:1488, tick:0x33D72CE, lvl:OK, func:NtEnumerateKey, status:0x0, ind
soft\Cryptography\OID\EncodingType 0\CryptDllImportPublicKeyInfoEx"
E0
soft\Cryptography\OID\EncodingType 1\CryptDllImportPublicKeyInfoEx"
E0
pid:4092, tid:1488, tick:0x33D72CE, lvl:LOG, func:NtEnumerateKey, status:0x80000
70
OID"

soft\Cryptography\OID\EncodingType 0\CryptDllConvertPublicKeyInfo"
E0
soft\Cryptography\OID\EncodingType 1\CryptDllConvertPublicKeyInfo"
E0
70
, status:0x0, module:0x74AB0000, name:"GetAsymmetricEncryptionInterface", ordina
l:0x0, address:0x74ADC770, image:0x0, caller:0x72B3146B
pid:4092, tid:1488, tick:0x33D72CE, lvl:LOG, func:NtQueryValueKey, status:0xC000
0034, name:"CryptnetPreFetchMinMaxAgeSeconds", class:0x2, length:0x90, resultlen
gth:0x0, handle:0x670, path:"\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\Cryptography\O
0034, name:"CryptnetPreFetchMaxMaxAgeSeconds", class:0x2, length:0x90, resultlen
gth:0x0, handle:0x670, path:"\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\Cryptography\O
70
pid:4092, tid:8264, tick:0x33D72CE, lvl:OK, func:NtWaitForMultipleObjects, statu
s:0x0, count:0x2, type:0x1, alertable:0x0, objects:0x6D8;0x6D4
x0, module:"cryptnet.dll", handle:0x60BF0000
D8
, status:0x0, module:0x60BF0000, name:"I_CryptNetGetConnectivity", ordinal:0x0,
address:0x60BF6C60, image:0x0, caller:0x778C5BBB
D4
x2, module:"C:\WINDOWS\SYSTEM32\crypt32.dll", handle:0x77870000
OID"
E0

70
soft\Cryptography\OID\EncodingType 0\CertDllVerifyCertificateChainPolicy"
F4
pid:4092, tid:3336, tick:0x33D72CE, lvl:LOG, func:BaseThreadInitThunk, log:"New
thread started (via BaseThreadInitThunk) at address: 0x778A0640, parameter: 0x83
D720"
70
soft\Cryptography\OID\EncodingType 1\CertDllVerifyCertificateChainPolicy"
F4
pid:4092, tid:1488, tick:0x33D72CE, lvl:OK, func:LdrResolveDelayLoadedAPI, statu
s:0x0, module:0x60BF0000
64
70
pid:4092, tid:8264, tick:0x33D72CE, lvl:OK, func:NtNotifyChangeKey, status:0x103
, event:0x5F4, iostatus:0x103, information:0x0, filter:0x10000004, watch:0x0, le
ngth:0x0, async:0x1, handle:0x664, path:"\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\Cr
yptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config"
pid:4092, tid:8264, tick:0x33D72CE, lvl:OK, func:NtAssociateWaitCompletionPacket
, status:0x0, completionpacket:0x69C, iocompletion:0x660, handle:0x5F4
, status:0x0, completionpacket:0x6BC, iocompletion:0x38, handle:0x6B4
70
t\SystemCertificates\AuthRoot"
70

t\SystemCertificates\Root\ProtectedRoots"
t\SystemCertificates\AuthRoot"
, status:0x0, completionpacket:0x6E0, iocompletion:0x38, handle:0x6B8
:0x6CC, access:0x20119, path:"\REGISTRY\MACHINE\Software\Microsoft\SystemCertifi
70
pid:4092, tid:8264, tick:0x33D72CE, lvl:OK, func:NtNotifyChangeKey, status:0x103
, event:0x6B0, iostatus:0x103, information:0x0, filter:0x10000004, watch:0x0, le
ngth:0x0, async:0x1, handle:0x6CC, path:"\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\Sy
stemCertificates\AuthRoot\AutoUpdate"
70
, status:0x0, completionpacket:0x694, iocompletion:0x660, handle:0x6B0
0034, name:"PinRulesLogDir", class:0x2, length:0x90, resultlength:0x77D194B8, ha
ndle:0x664, path:"\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\Cryptography\OID\Encoding
Type 0\CertDllCreateCertificateChainEngine\Config"
0034, name:"PinRules", class:0x2, length:0x90, resultlength:0x77793613, handle:0
x664, path:"\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\Cryptography\OID\EncodingType 0
\CertDllCreateCertificateChainEngine\Config"
70
me:"PinRulesLastSyncTime", class:0x2, length:0x90, resultlength:0x14, handle:0x6
88, path:"\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\SystemCertificates\AuthRoot\AutoU
pdate"
88
98
88
88
463990887-1001", attributes:0x0
88

63990887-1001"
990887-1001\Software\Microsoft\SystemCertificates\AuthRoot\AutoUpdate"
98
0034, name:"PinRulesLastSyncTime", class:0x2, length:0x90, resultlength:0x124B9D
0, handle:0x6E4, path:"\REGISTRY\USER\S-1-5-21-2360094602-2602383397-24639908871001\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate"
E4
:0x6E4, access:0x20119, path:"\REGISTRY\MACHINE\Software\Microsoft\SystemCertifi
pid:4092, tid:8264, tick:0x33D72CE, lvl:LOG, func:NtQueryValueKey, status:0x8000
0005, name:"PinRulesEncodedCtl", class:0x2, length:0x90, resultlength:0x489C, ha
ndle:0x6E4, path:"\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\SystemCertificates\AuthRo
ot\AutoUpdate"
pid:4092, tid:8264, tick:0x33D72CE, lvl:LOG, func:NtQueryValueKey, status:0x8000
0005, name:"PinRulesEncodedCtl", class:0x2, length:0x90, resultlength:0x489C, ha
ndle:0x6E4, path:"\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\SystemCertificates\AuthRo
ot\AutoUpdate"
me:"PinRulesEncodedCtl", class:0x2, length:0x489C, resultlength:0x489C, handle:0
x6E4, path:"\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\SystemCertificates\AuthRoot\Aut
oUpdate"
E4
pid:4092, tid:8264, tick:0x33D72DE, lvl:OK, func:NtDeviceIoControlFile, status:0
x0, iostatus:0x0, information:0x7E, code:0x1201F, inlen:0x10, outlen:0x0, handle
pid:4092, tid:1488, tick:0x33D72DE, lvl:OK, func:NtClose, status:0x0, handle:0x6
70
pid:4092, tid:1488, tick:0x33D72DE, lvl:LOG, func:NtDeviceIoControlFile, status:
0xC0000225, event:0x670, iostatus:0x390DA34, information:0x20, code:0x12000F, in
70
70
0xC0000225, event:0x670, iostatus:0x390DC8C, information:0xC, code:0x12000F, inl
en:0x38, outlen:0x38, handle:0x2F4, path:"\??\Nsi"
70

70
0xC0000225, event:0x670, iostatus:0x390DEE4, information:0xC, code:0x12000F, inl
70
70
0xC0000225, event:0x670, iostatus:0x390E13C, information:0xC, code:0x12000F, inl
70
0xC0000225, event:0x670, iostatus:0x390E13C, information:0xC, code:0x12000F, inl
70
0xC0000225, event:0x670, iostatus:0x390E394, information:0xC, code:0x12000F, inl
70
0xC0000225, event:0x670, iostatus:0x390E394, information:0xC, code:0x12000F, inl
70
0xC0000225, event:0x670, iostatus:0x390E5EC, information:0xC, code:0x12000F, inl
70
0xC0000225, event:0x670, iostatus:0x390E5EC, information:0xC, code:0x12000F, inl
70
pid:4092, tid:1488, tick:0x33D72DE, lvl:OK, func:LdrResolveDelayLoadedAPI, statu
s:0x0, module:0x77870000
pid:4092, tid:1488, tick:0x33D72DE, lvl:OK, func:NtOpenEvent, status:0x0, handle
:0x670, access:0x100000, path:"\Sessions\1\BaseNamedObjects\Global\SvcctrlStartE
vent_A3752DX"
70
pid:4092, tid:1488, tick:0x33D72DE, lvl:OK, func:OpenSCManagerW, ret:0x83D900, g
pid:4092, tid:1488, tick:0x33D72DE, lvl:OK, func:OpenServiceW, ret:0x83D9C8, gle
:0x0, SCManager:0x83D900, serviceName:"CryptSvc", desiredAccess:0x5
s:0x0, module:0x77870000
pid:4092, tid:1488, tick:0x33D72DE, lvl:OK, func:QueryServiceConfigW, ret:0x1, g
le:0x0, service:0x83D9C8, serviceConfig:0x331F060, bufSize:0x400, bytesNeeded:0x
13A
pid:4092, tid:1488, tick:0x33D72DE, lvl:OK, func:New_NtQueryInformationToken::<l

463990887-1001", attributes:0x0
70
s:0x0, module:0x77870000
pid:4092, tid:1488, tick:0x33D72DE, lvl:OK, func:CloseServiceHandle, ret:0x1, gl
e:0x0, SCObject:0x83D9C8
pid:4092, tid:1488, tick:0x33D72DE, lvl:OK, func:CloseServiceHandle, ret:0x1, gl
e:0x0, SCObject:0x83D900
s:0x0, module:0x77870000
pid:4092, tid:1488, tick:0x33D72DE, lvl:OK, func:New_NtQueryInformationToken::<l
90
x0, iostatus:0x0, information:0x7E, code:0x1201F, inlen:0x10, outlen:0x0, handle
s:0x0, module:0x6D390000
x0, iostatus:0x0, information:0xC0, code:0x390402, inlen:0x70, outlen:0x200, han
34, handle:0x0, access:0xF, path:"\KnownDlls32\ncryptsslp.dll"
x0, attribs:0x20, path:"C:\WINDOWS\system32\ncryptsslp.dll"
0x6EC, access:0x100021, iostatus:0x0, information:0x1, share:0x5, options:0x60,
path:"C:\WINDOWS\system32\ncryptsslp.dll"
ndle:0x6F0, access:0xF, pageattribs:0x10, sectionattribs:0x1000000, file:0x6EC
address:0x6D360000, zerobits:0x0, commitsize:0x0, viewsize:0x1A000, disposition
:0x1, type:0x800000, protect:0x4, handle:0x6F0, path:"C:\WINDOWS\system32\ncrypt
sslp.dll"
F0
EC
handle:0x6FC, access:0x100003, initialcount:0x0, maxcount:0x7FFFFFFF
x0, module:"C:\WINDOWS\system32\ncryptsslp.dll", handle:0x6D360000
, status:0x0, module:0x6D360000, name:"GetSChannelInterface", ordinal:0x0, addre

ss:0x6D367600, image:0x0, caller:0x64B64FFA
x0, iostatus:0x0, information:0xD8, code:0x390402, inlen:0x38, outlen:0x180, han
, status:0x0, module:0x74AB0000, name:"GetCipherInterface", ordinal:0x0, address
:0x74ADC530, image:0x0, caller:0x72B3146B
, status:0x0, module:0x74AB0000, name:"GetCipherInterface", ordinal:0x0, address
:0x74ADC530, image:0x0, caller:0x72B3146B
x0, iostatus:0x0, information:0x221, code:0x1201F, inlen:0x10, outlen:0x0, handl
x0, iostatus:0x0, information:0x221, code:0x1201F, inlen:0x10, outlen:0x0, handl
pid:4092, tid:8264, tick:0x33D73B8, lvl:OK, func:NtAssociateWaitCompletionPacket

pid:4092, tid:8264, tick:0x33D7464, lvl:WRN, func:NtDeviceIoControlFile, status:
0xC00000A3, event:0x514, iostatus:0x103, information:0x2, code:0x12017, inlen:0x
10, outlen:0x0, handle:0x53C, path:"\Device\Afd\Endpoint"
50
48
pid:4092, tid:9004, tick:0x33D7464, lvl:LOG, func:LdrShutdownThread, log:"Thread
terminating..."
5C
50
terminated successfully!"
x0, event:0x6DC, iostatus:0x0, information:0x0, code:0x1202B, inlen:0x10, outlen
5C
pid:4092, tid:4644, tick:0x33D7474, lvl:OK, func:NtDuplicateObject, status:0x0,
54
4C
terminating..."
DC
8C
74
5C
pid:4092, tid:8264, tick:0x33D77A0, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:8264, tick:0x33D7F90, lvl:OK, func:NtAssociateWaitCompletionPacket

pid:4092, tid:8264, tick:0x33D8F3F, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:8264, tick:0x33D8F3F, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:8264, tick:0x33D9EEF, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:8264, tick:0x33D9EEF, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:8264, tick:0x33DA2D7, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:8264, tick:0x33DA2D7, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:8264, tick:0x33DA6BF, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:8264, tick:0x33DA6BF, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:8264, tick:0x33DAAA7, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:8264, tick:0x33DAAA7, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:3336, tick:0x33DAD66, lvl:OK, func:NtWaitForMultipleObjects, statu
s:0x102, count:0x1, type:0x1, alertable:0x0, timeout:0xFFFFFFFFF70F2E80, objects
:0x6D4
pid:4092, tid:8264, tick:0x33DAE8F, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:8264, tick:0x33DAE8F, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:8264, tick:0x33DB277, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:8264, tick:0x33DB65F, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:8264, tick:0x33DBA47, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:8264, tick:0x33DBE2F, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:8264, tick:0x33DBE2F, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:8264, tick:0x33DC217, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:8264, tick:0x33DC5FF, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:8264, tick:0x33DC5FF, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:8264, tick:0x33DC9E7, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:8264, tick:0x33DCDCF, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:8264, tick:0x33DCDCF, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:8264, tick:0x33DD1B7, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:8264, tick:0x33DD1B7, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:8264, tick:0x33DD59F, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:8264, tick:0x33DD59F, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:8264, tick:0x33DD987, lvl:OK, func:NtAssociateWaitCompletionPacket

pid:4092, tid:8264, tick:0x33DDD6F, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:8264, tick:0x33DDD6F, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:8264, tick:0x33DE157, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:8264, tick:0x33DE510, lvl:OK, func:NtClose, status:0x0, handle:0x3
1C
pid:4092, tid:8264, tick:0x33DE53F, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:8264, tick:0x33DE53F, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:3336, tick:0x33DE7FE, lvl:OK, func:NtWaitForMultipleObjects, statu
s:0x102, count:0x1, type:0x1, alertable:0x0, timeout:0xFFFFFFFFF70F2E80, objects
:0x6D4
pid:4092, tid:3336, tick:0x33DE7FE, lvl:OK, func:LdrUnloadDll, status:0x0, handl
e:0x60BF0000
pid:4092, tid:3336, tick:0x33DE7FE, lvl:OK, func:NtClose, status:0x0, handle:0x6
D8
pid:4092, tid:3336, tick:0x33DE7FE, lvl:OK, func:NtClose, status:0x0, handle:0x6
D4
pid:4092, tid:3336, tick:0x33DE7FE, lvl:OK, func:LdrUnloadDll, status:0x0, handl
e:0x77870000
pid:4092, tid:3336, tick:0x33DE7FE, lvl:LOG, func:LdrShutdownThread, log:"Thread
terminating..."
pid:4092, tid:3336, tick:0x33DE7FE, lvl:OK, func:NtWaitForMultipleObjects, statu
pid:4092, tid:3336, tick:0x33DE7FE, lvl:LOG, func:LdrShutdownThread, log:"Thread
pid:4092, tid:8264, tick:0x33DECA1, lvl:OK, func:NtClose, status:0x0, handle:0x5
88
pid:4092, tid:8264, tick:0x33DED0F, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:8264, tick:0x33DED0F, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:8264, tick:0x33DF0F7, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:8264, tick:0x33DF0F7, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:8264, tick:0x33DF4DF, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:8264, tick:0x33DF4DF, lvl:OK, func:NtAssociateWaitCompletionPacket

pid:4092, tid:8264, tick:0x33DF8C7, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:8264, tick:0x33DFCAF, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:8264, tick:0x33DFCAF, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:8264, tick:0x33E0097, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:8264, tick:0x33E048E, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:8264, tick:0x33E0C5E, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:8264, tick:0x33E0C5E, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:8264, tick:0x33E1BFE, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:8264, tick:0x33E1BFE, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:8264, tick:0x33E1FE6, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:8264, tick:0x33E1FE6, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:8264, tick:0x33E23CE, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:8264, tick:0x33E23CE, lvl:OK, func:NtAssociateWaitCompletionPacket

pid:4092, tid:8264, tick:0x33E27B6, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:8264, tick:0x33E2B9E, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:8264, tick:0x33E2F86, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:8264, tick:0x33E4ADE, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:8264, tick:0x33E4ADE, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:8264, tick:0x33E4EC6, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:8264, tick:0x33E4EC6, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:8264, tick:0x33E52AE, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:8264, tick:0x33E52AE, lvl:OK, func:NtAssociateWaitCompletionPacket

pid:4092, tid:8264, tick:0x33E5A40, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:8264, tick:0x33E5A40, lvl:OK, func:NtClose, status:0x0, handle:0x6
70
EC
A8
pid:4092, tid:8264, tick:0x33E5A7E, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:8264, tick:0x33E5E66, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:13216, tick:0x33E67AD, lvl:OK, func:NtWaitForMultipleObjects, stat
us:0x0, count:0x1, type:0x1, alertable:0x0, objects:0x504
pid:4092, tid:13216, tick:0x33E67AD, lvl:OK, func:NtClose, status:0x0, handle:0x
504
pid:4092, tid:8264, tick:0x33E71EE, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:8264, tick:0x33E71EE, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:8264, tick:0x33E75D6, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:8264, tick:0x33E79BE, lvl:OK, func:NtAssociateWaitCompletionPacket

pid:4092, tid:8264, tick:0x33E79BE, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:8264, tick:0x33E7DA6, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:8264, tick:0x33E7DA6, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:8264, tick:0x33E9CF6, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:8264, tick:0x33E9CF6, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:8264, tick:0x33EA0DE, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:8264, tick:0x33EA0DE, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:8264, tick:0x33EA4C6, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:8264, tick:0x33EA4C6, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:8264, tick:0x33EA8AE, lvl:OK, func:NtAssociateWaitCompletionPacket

pid:4092, tid:8264, tick:0x33EA8AE, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:8264, tick:0x33EAC96, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:8264, tick:0x33EB07E, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:8264, tick:0x33EB466, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:8264, tick:0x33EBC36, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:8264, tick:0x33EC01E, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:8264, tick:0x33EC01E, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:8264, tick:0x33EC406, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:8264, tick:0x33EC7EE, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:8264, tick:0x33EC7EE, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:8264, tick:0x33ECBD6, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:8264, tick:0x33ECBD6, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:8264, tick:0x33ECFBE, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:8264, tick:0x33ECFBE, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:8264, tick:0x33ED3A6, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:8264, tick:0x33ED3A6, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:8264, tick:0x33ED78E, lvl:OK, func:NtAssociateWaitCompletionPacket

pid:4092, tid:8264, tick:0x33EDB76, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:8264, tick:0x33EDF5E, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:8264, tick:0x33EDF5E, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:8264, tick:0x33EE346, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:8264, tick:0x33EE72E, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:8264, tick:0x33EE72E, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:8264, tick:0x33EEB16, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:8264, tick:0x33EEB16, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:8264, tick:0x33EEEFE, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:8264, tick:0x33EEEFE, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:8264, tick:0x33EF2E6, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:8264, tick:0x33EF2E6, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:8264, tick:0x33EF6CE, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:8264, tick:0x33EF6CE, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:8264, tick:0x33EFAB6, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:8264, tick:0x33EFAB6, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:8264, tick:0x33EFE9E, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:8264, tick:0x33EFE9E, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:8264, tick:0x33F0286, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:8264, tick:0x33F066E, lvl:OK, func:NtAssociateWaitCompletionPacket

pid:4092, tid:8264, tick:0x33F0A56, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:8264, tick:0x33F0E3E, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:8264, tick:0x33F0E3E, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:8264, tick:0x33F1DAF, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:8264, tick:0x33F1DAF, lvl:OK, func:NtDeviceIoControlFile, status:0
x0, event:0x514, iostatus:0x0, information:0x1, code:0x12017, inlen:0x10, outlen
pid:4092, tid:8264, tick:0x33F1DAF, lvl:OK, func:NtClose, status:0x0, handle:0x5
3C
pid:4092, tid:8264, tick:0x33F1DEE, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:8264, tick:0x33F1DEE, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:8264, tick:0x33F21D6, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:8264, tick:0x33F25BE, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:8264, tick:0x33F25BE, lvl:OK, func:NtAssociateWaitCompletionPacket

pid:4092, tid:8264, tick:0x33F2D8E, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:8264, tick:0x33F44BF, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:8264, tick:0x33F44BF, lvl:OK, func:LdrUnloadDll, status:0x0, handl
e:0x74760000
pid:4092, tid:1488, tick:0x33F44BF, lvl:OK, func:NtClose, status:0x0, handle:0x4
DC
pid:4092, tid:8264, tick:0x33F44BF, lvl:OK, func:NtClose, status:0x0, handle:0x4
D8
pid:4092, tid:8264, tick:0x33F44FE, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:8264, tick:0x33F44FE, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:8264, tick:0x33F48E6, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:8264, tick:0x33F4CDD, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:8264, tick:0x33F4CDD, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:13216, tick:0x33F4F8D, lvl:OK, func:NtWaitForMultipleObjects, stat
us:0x1, count:0x2, type:0x1, alertable:0x1, objects:0x598;0x504
pid:4092, tid:13216, tick:0x33F4F8D, lvl:OK, func:NtClose, status:0x0, handle:0x

504
598
pid:4092, tid:13216, tick:0x33F4F8D, lvl:OK, func:LdrUnloadDll, status:0x0, hand
le:0x74DC0000
pid:4092, tid:13216, tick:0x33F4F8D, lvl:LOG, func:LdrShutdownThread, log:"Threa
d terminating..."
pid:4092, tid:13216, tick:0x33F4F8D, lvl:OK, func:NtWaitForMultipleObjects, stat
us:0x1, count:0x2, type:0x1, alertable:0x0, objects:0x5C0;0x5D8
580
584
pid:4092, tid:13216, tick:0x33F4F8D, lvl:LOG, func:LdrShutdownThread, log:"Threa
d terminated successfully!"
pid:4092, tid:8264, tick:0x33F50C5, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:8264, tick:0x33F54BD, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:8264, tick:0x33F58B5, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:8264, tick:0x33F5CAC, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:8264, tick:0x33F5CAC, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:8264, tick:0x33F647C, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:8264, tick:0x33F6C5C, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:8264, tick:0x33F6C5C, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:8264, tick:0x33F743B, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:8264, tick:0x33F743B, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:8264, tick:0x33F7C1B, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:8264, tick:0x33F7C1B, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:8264, tick:0x33F83EB, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:8264, tick:0x33F83EB, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:8264, tick:0x33F8BCB, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:8264, tick:0x33F8BCB, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:8264, tick:0x33F8FB3, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:8264, tick:0x33F8FB3, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:8264, tick:0x33F93AA, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:8264, tick:0x33F9B8A, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:8264, tick:0x33F9B8A, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:8264, tick:0x33F9F82, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:8264, tick:0x33FA36A, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:8264, tick:0x33FA36A, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:8264, tick:0x33FA752, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:8264, tick:0x33FAB49, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:8264, tick:0x33FAB49, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:8264, tick:0x33FAF41, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:8264, tick:0x33FAF41, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:8264, tick:0x33FB329, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x33FB9EF, lvl:OK, func:LdrUnloadDll, status:0x0, handl
e:0x74760000
pid:4092, tid:1488, tick:0x33FB9EF, lvl:OK, func:NtClose, status:0x0, handle:0x4
74
pid:4092, tid:1488, tick:0x33FBAF9, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x33FBAF9, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x33FBEF0, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x33FBEF0, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x33FC2D8, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x33FCAC8, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x33FCAC8, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x33FCEB0, lvl:OK, func:NtAssociateWaitCompletionPacket

pid:4092, tid:1488, tick:0x33FCEB0, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x33FD2A7, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x33FD2A7, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x33FD68F, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x33FD68F, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x33FDA87, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x33FDA87, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x33FDE6F, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x33FDE6F, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x33FE257, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x33FE64F, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x33FE64F, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x33FEA37, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x33FEA37, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x33FEE1F, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x33FEE1F, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x33FF207, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x33FF5FE, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x33FF5FE, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x33FF9F6, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x33FF9F6, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x33FFDDE, lvl:OK, func:NtAssociateWaitCompletionPacket

pid:4092, tid:1488, tick:0x33FFDDE, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34005BD, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34009B5, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x3400DAD, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x3400DAD, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x3401195, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x340158C, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x3401D6C, lvl:OK, func:NtAssociateWaitCompletionPacket

pid:4092, tid:1488, tick:0x3402F1F, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x3402F1F, lvl:OK, func:LdrUnloadDll, status:0x0, handl
e:0x72360000
pid:4092, tid:1488, tick:0x3402F1F, lvl:OK, func:LdrUnloadDll, status:0x0, handl
e:0x74760000
pid:4092, tid:1488, tick:0x34034FB, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34034FB, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x3403CDB, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x3403CDB, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34044BA, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x3404C9A, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x340546A, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x3406C09, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x3407BB9, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x340A2F7, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x340A6DF, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x340AAD7, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x340AAD7, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x340AEBF, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x340AEBF, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x340B2A7, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x340B69F, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x340BA87, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x340BE7E, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x340C65E, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x340CA56, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x340CB6F, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x340CE3E, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x340CE3E, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x340D61D, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x340DA05, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x340DDFD, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x340DDFD, lvl:OK, func:NtAssociateWaitCompletionPacket

pid:4092, tid:1488, tick:0x340E5DC, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x340E5DC, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x340E9C4, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x340EDBC, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x340EDBC, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x340FD6C, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x340FD6C, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x3410D1B, lvl:OK, func:NtAssociateWaitCompletionPacket

pid:4092, tid:1488, tick:0x341150B, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x3411CEA, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x3411CEA, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34130A1, lvl:OK, func:NtAssociateWaitCompletionPacket

pid:4092, tid:1488, tick:0x3415BE7, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x3415FCF, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x3415FCF, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34167AF, lvl:OK, func:NtAssociateWaitCompletionPacket

pid:4092, tid:1488, tick:0x341776E, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x3418F0D, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34196ED, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x3419AD5, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x3419EBD, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x3419EBD, lvl:OK, func:NtAssociateWaitCompletionPacket

pid:4092, tid:1488, tick:0x341A2B4, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x341A69C, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x341AA84, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x341AE7C, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x341B65B, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x341B65B, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x341BE3B, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x341C61B, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x341CDFA, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x341CDFA, lvl:OK, func:NtAssociateWaitCompletionPacket

pid:4092, tid:1488, tick:0x341D1E2, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x341D5CA, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x341DD9A, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x341E56A, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x341ED3A, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x341ED3A, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x341F50A, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x341F50A, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x341FCDA, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x341FCDA, lvl:OK, func:NtAssociateWaitCompletionPacket

pid:4092, tid:1488, tick:0x34204AA, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x342066F, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34223EA, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x3422BBA, lvl:OK, func:NtAssociateWaitCompletionPacket

pid:4092, tid:1488, tick:0x3422BBA, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x3423B6A, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x3424EF2, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34252DA, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34252DA, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x3425AAA, lvl:OK, func:NtAssociateWaitCompletionPacket

pid:4092, tid:1488, tick:0x3425AAA, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x3426A4A, lvl:OK, func:NtAssociateWaitCompletionPacket

pid:4092, tid:1488, tick:0x342A8DA, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x342A8DA, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x342ACC2, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x342ACC2, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x342B0AA, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x342B0AA, lvl:OK, func:NtAssociateWaitCompletionPacket

pid:4092, tid:1488, tick:0x342BC62, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x342CC02, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x342CFEA, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x342CFEA, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x342D3D2, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x342D7BA, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x342D7BA, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x342DF8A, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x342DF8A, lvl:OK, func:NtAssociateWaitCompletionPacket

pid:4092, tid:1488, tick:0x342EF2A, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x342EF2A, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x342F6FA, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x342F6FA, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x342FAE2, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x342FECA, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x342FECA, lvl:OK, func:NtAssociateWaitCompletionPacket


pid:4092, tid:1488, tick:0x3434CF9, lvl:OK, func:NtAssociateWaitCompletionPacket

pid:4092, tid:1488, tick:0x3437BD9, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x3437FC1, lvl:OK, func:NtAssociateWaitCompletionPacket

pid:4092, tid:1488, tick:0x343A6E1, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x343AAC9, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x343AAC9, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x343AEB1, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x343AEB1, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x343CDF1, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x343CDF1, lvl:OK, func:NtAssociateWaitCompletionPacket

pid:4092, tid:1488, tick:0x343D5C1, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x343ED31, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x343FCD1, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x343FCD1, lvl:OK, func:NtAssociateWaitCompletionPacket




pid:4092, tid:1488, tick:0x344A8D0, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x344ACB8, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x344ACB8, lvl:OK, func:NtAssociateWaitCompletionPacket

pid:4092, tid:1488, tick:0x344CBF8, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x344CBF8, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x344CFE0, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x344CFE0, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x344DF80, lvl:OK, func:NtAssociateWaitCompletionPacket

pid:4092, tid:1488, tick:0x344FED0, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x344FED0, lvl:OK, func:NtAssociateWaitCompletionPacket



pid:4092, tid:1488, tick:0x345A2EF, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x345A2EF, lvl:OK, func:NtAssociateWaitCompletionPacket

pid:4092, tid:1488, tick:0x345AABF, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x345AABF, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x345AEA7, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x345AEA7, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x345BA5F, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x345BA5F, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x345C22F, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x345C9FF, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x345C9FF, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x345CDE7, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x345CDE7, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x345D1CF, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x345D1CF, lvl:OK, func:NtAssociateWaitCompletionPacket

pid:4092, tid:1488, tick:0x345E16F, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x345F8DF, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x345F8DF, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x345FCC7, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x345FCC7, lvl:OK, func:NtAssociateWaitCompletionPacket

pid:4092, tid:1488, tick:0x3461FFF, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x3461FFF, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34627CF, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34627CF, lvl:OK, func:NtAssociateWaitCompletionPacket

pid:4092, tid:1488, tick:0x3464AF7, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x3464EDF, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x3464EDF, lvl:OK, func:NtAssociateWaitCompletionPacket

pid:4092, tid:1488, tick:0x34675EF, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x3467DBF, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x3467DBF, lvl:OK, func:NtAssociateWaitCompletionPacket

pid:4092, tid:1488, tick:0x346A8C7, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x346ACAF, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x346ACAF, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x346BC4F, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x346BC4F, lvl:OK, func:NtAssociateWaitCompletionPacket

pid:4092, tid:1488, tick:0x346CBEF, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x346CBEF, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x346CFD7, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x346CFD7, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x346D3BF, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x346D3BF, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x346EB2F, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x346EB2F, lvl:OK, func:NtAssociateWaitCompletionPacket

pid:4092, tid:1488, tick:0x346F2FF, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x346F2FF, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x346FACF, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x346FACF, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x346FEB7, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x346FEB7, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x3470A6F, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x3471A1E, lvl:OK, func:NtAssociateWaitCompletionPacket

pid:4092, tid:1488, tick:0x34721EE, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34729BE, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34729BE, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34748FE, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34748FE, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x3474CE6, lvl:OK, func:NtAssociateWaitCompletionPacket

pid:4092, tid:1488, tick:0x34750CE, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34777DE, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34777DE, lvl:OK, func:NtAssociateWaitCompletionPacket

pid:4092, tid:1488, tick:0x3477FAE, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x3477FAE, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x3479EEE, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x3479EEE, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x347A6BE, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x347A6BE, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x347AAB6, lvl:OK, func:NtAssociateWaitCompletionPacket

pid:4092, tid:1488, tick:0x347AAB6, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x347AE9E, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x347AE9E, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x347B66E, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x347C9F6, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x347CDDE, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x347CDDE, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x347D5AE, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x347D5AE, lvl:OK, func:NtAssociateWaitCompletionPacket

pid:4092, tid:1488, tick:0x347DD7E, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x347DD7E, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x347F4EE, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x347F4EE, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x347FCBE, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x347FCBE, lvl:OK, func:NtAssociateWaitCompletionPacket

pid:4092, tid:1488, tick:0x3481BFE, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x3481BFE, lvl:OK, func:NtAssociateWaitCompletionPacket

pid:4092, tid:1488, tick:0x3484ADE, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x3484ADE, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x3485A8D, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x348625D, lvl:OK, func:NtAssociateWaitCompletionPacket

pid:4092, tid:1488, tick:0x34871FD, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34879CD, lvl:OK, func:NtAssociateWaitCompletionPacket

pid:4092, tid:1488, tick:0x348A0DD, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x348A0DD, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x348A8AD, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x348A8AD, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x348AC95, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x348B07D, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x348C01D, lvl:OK, func:NtAssociateWaitCompletionPacket

pid:4092, tid:1488, tick:0x348C7ED, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x348C7ED, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x348CBD5, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x348CBD5, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x348CFBD, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x348CFBD, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x348DF5D, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x348E73D, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x348EF0D, lvl:OK, func:NtAssociateWaitCompletionPacket

pid:4092, tid:1488, tick:0x348F6DD, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x348F6DD, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x348FAC5, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x348FAC5, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x348FEAD, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x348FEAD, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x3491DED, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x3491DED, lvl:OK, func:NtAssociateWaitCompletionPacket

pid:4092, tid:1488, tick:0x3494CCD, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x3494CCD, lvl:OK, func:NtAssociateWaitCompletionPacket

pid:4092, tid:1488, tick:0x34973DD, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x3497BAD, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x3497BAD, lvl:OK, func:NtAssociateWaitCompletionPacket

pid:4092, tid:1488, tick:0x3499AFD, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x3499AFD, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x349A2CD, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x349A2CD, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x349AA9D, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x349AA9D, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x349AE85, lvl:OK, func:NtAssociateWaitCompletionPacket

pid:4092, tid:1488, tick:0x349BA3D, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x349BA3D, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x349C9DD, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x349C9DD, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x349CDC5, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x349CDC5, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x349D1AD, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x349D1AD, lvl:OK, func:NtAssociateWaitCompletionPacket

pid:4092, tid:1488, tick:0x349F0ED, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x349F0ED, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x349FCA5, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x349FCA5, lvl:OK, func:NtAssociateWaitCompletionPacket

pid:4092, tid:1488, tick:0x34A1BF4, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34A1BF4, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34A1FDC, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34A1FDC, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34A27AC, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34A27AC, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34A2F7C, lvl:OK, func:NtAssociateWaitCompletionPacket

pid:4092, tid:1488, tick:0x34A46EC, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34A46EC, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34A4AD4, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34A4AD4, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34A4EBC, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34A4EBC, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34A52A4, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34A5E5C, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34A5E5C, lvl:OK, func:NtAssociateWaitCompletionPacket

pid:4092, tid:1488, tick:0x34A6DFC, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34A6DFC, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34A75CC, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34A75CC, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34A7D9C, lvl:OK, func:NtAssociateWaitCompletionPacket

pid:4092, tid:1488, tick:0x34A9CDC, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34A9CDC, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34AA0C4, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34AA0C4, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34AA4BC, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34AA4BC, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34AA8A4, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34AA8A4, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34AAC8C, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34AAC8C, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34AB074, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34AB45C, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34AB45C, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34ABC2C, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34ABC2C, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34AC3FC, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34AC3FC, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34AC7E4, lvl:OK, func:NtAssociateWaitCompletionPacket

pid:4092, tid:1488, tick:0x34AC7E4, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34ACBCC, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34ACBCC, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34ACFB4, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34ACFB4, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34AD39C, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34AD39C, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34ADB6C, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34ADB6C, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34ADF54, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34ADF54, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34AEB0C, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34AEB0C, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34AEEF4, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34AEEF4, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34AF2DC, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34AF2DC, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34AF6C4, lvl:OK, func:NtAssociateWaitCompletionPacket

pid:4092, tid:1488, tick:0x34AF6C4, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34AFAAC, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34AFAAC, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34AFE94, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34AFE94, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34B027C, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34B0A4C, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34B0A4C, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34B0E34, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34B19EC, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34B19EC, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34B1DD4, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34B1DD4, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34B21BC, lvl:OK, func:NtAssociateWaitCompletionPacket

pid:4092, tid:1488, tick:0x34B2D84, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34B44F4, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34B44F4, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34B48DC, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34B48DC, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34B4CC4, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34B4CC4, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34B50AC, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34B50AC, lvl:OK, func:NtAssociateWaitCompletionPacket

pid:4092, tid:1488, tick:0x34B5C64, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34B6FEC, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34B6FEC, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34B7BA4, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34B7BA4, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34B7F8C, lvl:OK, func:NtAssociateWaitCompletionPacket

pid:4092, tid:1488, tick:0x34B8B44, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34B8B44, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34B96FC, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34B9AE4, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34B9AE4, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34B9ECC, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34B9ECC, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34BA2B4, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34BA2B4, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34BA69C, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34BA69C, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34BAA84, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34BAA84, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34BAE6C, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34BAE6C, lvl:OK, func:NtAssociateWaitCompletionPacket

pid:4092, tid:1488, tick:0x34BB64B, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34BB64B, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34BBA33, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34BBA33, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34BBE1B, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34BBE1B, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34BC5EB, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34BC5EB, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34BC9D3, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34BC9D3, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34BCDBB, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34BCDBB, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34BD1A3, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34BD1A3, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34BD58B, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34BD58B, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34BDD5B, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34BDD5B, lvl:OK, func:NtAssociateWaitCompletionPacket

pid:4092, tid:1488, tick:0x34BECFB, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34BECFB, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34BF0E3, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34BF0E3, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34BF4CB, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34BF4CB, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34BF8B3, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34BF8B3, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34BFC9B, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34BFC9B, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34C0C3B, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34C0C3B, lvl:OK, func:NtAssociateWaitCompletionPacket

pid:4092, tid:1488, tick:0x34C1BDB, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34C1BDB, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34C1FC3, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34C1FC3, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34C23AB, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34C2B7B, lvl:OK, func:NtAssociateWaitCompletionPacket

pid:4092, tid:1488, tick:0x34C42EB, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34C46D3, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34C4ABB, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34C4ABB, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34C4EB3, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34C4EB3, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34C5A6B, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34C5E53, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34C5E53, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34C6DF3, lvl:OK, func:NtAssociateWaitCompletionPacket

pid:4092, tid:1488, tick:0x34C6DF3, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34C71DB, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34C71DB, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34C75C3, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34C75C3, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34C9CD3, lvl:OK, func:NtAssociateWaitCompletionPacket

pid:4092, tid:1488, tick:0x34C9CD3, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34CA0BB, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34CA0BB, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34CA4A3, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34CA4A3, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34CA88B, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34CA88B, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34CAC73, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34CAC73, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34CB05B, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34CB05B, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34CB443, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34CB83A, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34CB83A, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34CBC22, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34CBC22, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34CC00A, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34CC00A, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34CC3F2, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34CC3F2, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34CC7DA, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34CC7DA, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34CCBC2, lvl:OK, func:NtAssociateWaitCompletionPacket

pid:4092, tid:1488, tick:0x34CCBC2, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34CCFAA, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34CCFAA, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34CD392, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34CD77A, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34CD77A, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34CDB62, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34CDB62, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34CDF4A, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34CDF4A, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34CE71A, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34CE71A, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34CEB02, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34CEB02, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34CEEEA, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34CEEEA, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34CF2D2, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34CF2D2, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34CF6BA, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34CF6BA, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34CFAA2, lvl:OK, func:NtAssociateWaitCompletionPacket

pid:4092, tid:1488, tick:0x34CFAA2, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34CFE8A, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34CFE8A, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34D065A, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34D0E2A, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34D0E2A, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34D15FA, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34D15FA, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34D1DCA, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34D1DCA, lvl:OK, func:NtAssociateWaitCompletionPacket

pid:4092, tid:1488, tick:0x34D2D6A, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34D44EA, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34D44EA, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34D4CBA, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34D4CBA, lvl:OK, func:NtAssociateWaitCompletionPacket

pid:4092, tid:1488, tick:0x34D5C5A, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34D5C5A, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34D6BFA, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34D6BFA, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34D6FE2, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34D6FE2, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34D7B9A, lvl:OK, func:NtAssociateWaitCompletionPacket

pid:4092, tid:1488, tick:0x34D9ADA, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34D9ADA, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34D9EC2, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34D9EC2, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34DA2AA, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34DA2AA, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34DAA7A, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34DAA7A, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34DAE62, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34DAE62, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34DB24A, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34DB24A, lvl:OK, func:NtAssociateWaitCompletionPacket

pid:4092, tid:1488, tick:0x34DBA1A, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34DBA1A, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34DBE02, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34DBE02, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34DC1FA, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34DC1FA, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34DC9CA, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34DC9CA, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34DCDB2, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34DCDB2, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34DDD52, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34DDD52, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34DE13A, lvl:OK, func:NtAssociateWaitCompletionPacket

pid:4092, tid:1488, tick:0x34DECF2, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34DECF2, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34DF0DA, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34DF0DA, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34DF8AA, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34DF8AA, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34DFC92, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34DFC92, lvl:OK, func:NtAssociateWaitCompletionPacket

pid:4092, tid:1488, tick:0x34E17EA, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34E17EA, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34E1BD2, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34E1BD2, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34E1FBA, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34E1FBA, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34E2F5A, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34E2F5A, lvl:OK, func:NtAssociateWaitCompletionPacket

pid:4092, tid:1488, tick:0x34E4AC1, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34E4AC1, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34E4EA9, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34E4EA9, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34E6DE9, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34E6DE9, lvl:OK, func:NtAssociateWaitCompletionPacket

pid:4092, tid:1488, tick:0x34E9CC9, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34E9CC9, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34EA0B1, lvl:OK, func:NtAssociateWaitCompletionPacket

pid:4092, tid:1488, tick:0x34EA0B1, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34EA499, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34EBFF1, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34EBFF1, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34EC3E9, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34EC3E9, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34EC7D1, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34EC7D1, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34ECBB9, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34ECBB9, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34ECFA1, lvl:OK, func:NtAssociateWaitCompletionPacket

pid:4092, tid:1488, tick:0x34ECFA1, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34EDF41, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34EDF41, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34EEAF9, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34EEAF9, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34EEEE1, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34EEEE1, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34EF2C9, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34EF2C9, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34EF6B1, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34EF6B1, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34EFA99, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34EFA99, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34EFE81, lvl:OK, func:NtAssociateWaitCompletionPacket

pid:4092, tid:1488, tick:0x34EFE81, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34F1DC1, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34F1DC1, lvl:OK, func:NtAssociateWaitCompletionPacket

pid:4092, tid:1488, tick:0x34F4CB1, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34F4CB1, lvl:OK, func:NtAssociateWaitCompletionPacket

pid:4092, tid:1488, tick:0x34F6BF1, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34F6BF1, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34F6FD9, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1488, tick:0x34F6FD9, lvl:OK, func:NtAssociateWaitCompletionPacket

pid:4092, tid:8264, tick:0x34F8D44, lvl:LOG, func:LdrShutdownThread, log:"Thread
terminating..."
pid:4092, tid:11200, tick:0x34F8D44, lvl:LOG, func:LdrShutdownThread, log:"Threa
d terminating..."
terminating..."
terminating..."
pid:4092, tid:11200, tick:0x34F8D44, lvl:OK, func:NtWaitForMultipleObjects, stat
us:0x1, count:0x2, type:0x1, alertable:0x0, objects:0x5C0;0x5D8
pid:4092, tid:11200, tick:0x34F8D44, lvl:OK, func:NtClose, status:0x0, handle:0x
51C
568
4A4
4A0
pid:4092, tid:8800, tick:0x34F8D44, lvl:OK, func:NtWaitForMultipleObjects, statu
pid:4092, tid:11200, tick:0x34F8D44, lvl:LOG, func:LdrShutdownThread, log:"Threa
d terminated successfully!"
pid:4092, tid:8800, tick:0x34F8D44, lvl:OK, func:NtClose, status:0x0, handle:0x4
08
1C
68
5C
pid:4092, tid:8264, tick:0x34F8D44, lvl:OK, func:NtWaitForMultipleObjects, statu
14
D4
80
7C
pid:4092, tid:556, tick:0x34F8D44, lvl:OK, func:NtWaitForMultipleObjects, status
:0x1, count:0x2, type:0x1, alertable:0x0, objects:0x5C0;0x5D8
8
4

pid:4092, tid:12448, tick:0x34F8F19, lvl:LOG, func:BaseThreadInitThunk, log:"New
652D8"
pid:4092, tid:12448, tick:0x34F9301, lvl:OK, func:NtAssociateWaitCompletionPacke
t, status:0x0, completionpacket:0x4C, iocompletion:0x38, handle:0x48
t, status:0x0, completionpacket:0x2F0, iocompletion:0x38, handle:0xCC, path:"\Se
ssions\1\BaseNamedObjects\_xvm_evt_notification_0xA527E666CB0D6807"
pid:4092, tid:12448, tick:0x34F96E9, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x34F9AD1, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x34F9AD1, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x34F9EB9, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x34F9EB9, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x34FA2A1, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x34FA2A1, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x34FA689, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x34FAA71, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x34FAA71, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x34FAE59, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x34FAE59, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x34FB241, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x34FBA11, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x34FBA11, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x34FBDF9, lvl:OK, func:NtAssociateWaitCompletionPacke

pid:4092, tid:12448, tick:0x34FBDF9, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x34FC1E1, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x34FC1E1, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x34FC5C9, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x34FC9B1, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x34FC9B1, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x34FCD99, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x34FCD99, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x34FD181, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x34FDD48, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x34FDD48, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x34FE130, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x34FECE8, lvl:OK, func:NtAssociateWaitCompletionPacke

pid:4092, tid:12448, tick:0x34FECE8, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x34FF0D0, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x34FF4B8, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x34FF4B8, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x34FF8A0, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x34FF8A0, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x34FFC88, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x34FFC88, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x3500070, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x3500C28, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35017E0, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x3501BC8, lvl:OK, func:NtAssociateWaitCompletionPacke

pid:4092, tid:12448, tick:0x3502B68, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x3503EF0, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35042D8, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x3504AA8, lvl:OK, func:NtAssociateWaitCompletionPacke

pid:4092, tid:12448, tick:0x3504EA0, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x3505A58, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x3506DE0, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x3506DE0, lvl:OK, func:NtAssociateWaitCompletionPacke

pid:4092, tid:12448, tick:0x3509CC0, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x350A0A8, lvl:OK, func:NtAssociateWaitCompletionPacke

pid:4092, tid:12448, tick:0x350AC60, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x350BFE8, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x350BFE8, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x350C3D0, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x350C7B8, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x350CBA0, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x350CBA0, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x350CF88, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x350D37F, lvl:OK, func:NtAssociateWaitCompletionPacke

pid:4092, tid:12448, tick:0x350DB4F, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x350DB4F, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x350DF37, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x350E31F, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x350EAEF, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x350EAEF, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x350EED7, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x350EED7, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x350F2BF, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x350F2BF, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x350F6A7, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x350FA8F, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x350FA8F, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x351025F, lvl:OK, func:NtAssociateWaitCompletionPacke

pid:4092, tid:12448, tick:0x3510A2F, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35111FF, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35119CF, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x3511DB7, lvl:OK, func:NtAssociateWaitCompletionPacke

pid:4092, tid:12448, tick:0x35140DF, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35148BF, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35148BF, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x3514CA7, lvl:OK, func:NtAssociateWaitCompletionPacke

pid:4092, tid:12448, tick:0x3516BE7, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x3516FCF, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x3516FCF, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x3517F6F, lvl:OK, func:NtAssociateWaitCompletionPacke

pid:4092, tid:12448, tick:0x3519EAF, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x3519EAF, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x351AE4F, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x351AE4F, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x351B61F, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x351BA07, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x351BDEF, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x351BDEF, lvl:OK, func:NtAssociateWaitCompletionPacke

pid:4092, tid:12448, tick:0x351C5BF, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x351C5BF, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x351C9A7, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x351CD8F, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x351CD8F, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x351DD3F, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x351DD3F, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x351E8F7, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x351ECDF, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x351ECDF, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x351F0C7, lvl:OK, func:NtAssociateWaitCompletionPacke

pid:4092, tid:12448, tick:0x351F4AF, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x351F4AF, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x351FC7F, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x351FC7F, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x3520C1F, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x3520C1F, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35213EF, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35213EF, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x3521BBF, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x3521BBF, lvl:OK, func:NtAssociateWaitCompletionPacke

pid:4092, tid:12448, tick:0x3523AFF, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x3523AFF, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x3523EE7, lvl:OK, func:NtAssociateWaitCompletionPacke

pid:4092, tid:12448, tick:0x3525A4E, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x352621E, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35269EE, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x3526DD6, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35271BE, lvl:OK, func:NtAssociateWaitCompletionPacke

pid:4092, tid:12448, tick:0x35290FE, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35298CE, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35298CE, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x3529CB6, lvl:OK, func:NtAssociateWaitCompletionPacke

pid:4092, tid:12448, tick:0x352B03E, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x352BBF6, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x352BFDE, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x352BFDE, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x352C3C6, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x352C7AE, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x352C7AE, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x352CF7E, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x352CF7E, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x352D74E, lvl:OK, func:NtAssociateWaitCompletionPacke

pid:4092, tid:12448, tick:0x352DF1E, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x352DF1E, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x352E6EE, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x352E6EE, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x352EAE6, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x352EAE6, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x352EECE, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x352EECE, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x352F2B6, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x352F69E, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x352FE6E, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x352FE6E, lvl:OK, func:NtAssociateWaitCompletionPacke

pid:4092, tid:12448, tick:0x3530E0E, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x3530E0E, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35315DE, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x3531DAE, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x3531DAE, lvl:OK, func:NtAssociateWaitCompletionPacke

pid:4092, tid:12448, tick:0x3533CEE, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x3533CEE, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x3534C8E, lvl:OK, func:NtAssociateWaitCompletionPacke

pid:4092, tid:12448, tick:0x3536BDE, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x3536BDE, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x3536FC6, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35373AE, lvl:OK, func:NtAssociateWaitCompletionPacke

pid:4092, tid:12448, tick:0x3539ABE, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x353AA5E, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x353AA5E, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x353AE46, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x353B9FE, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x353B9FE, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x353BDE6, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x353C1CE, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x353C1CE, lvl:OK, func:NtAssociateWaitCompletionPacke

pid:4092, tid:12448, tick:0x353CD86, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x353E11D, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x353E8ED, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x353E8ED, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x353ECD5, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x353F0BD, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x353F0BD, lvl:OK, func:NtAssociateWaitCompletionPacke

pid:4092, tid:12448, tick:0x353F88D, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x354005D, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x3540FFD, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x3540FFD, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35417CD, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x3541BB5, lvl:OK, func:NtAssociateWaitCompletionPacke

pid:4092, tid:12448, tick:0x3543AF5, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x3543EDD, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x3543EDD, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35446AD, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35446AD, lvl:OK, func:NtAssociateWaitCompletionPacke

pid:4092, tid:12448, tick:0x35465FD, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35465FD, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x3546DCD, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x3546DCD, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x3547D6D, lvl:OK, func:NtAssociateWaitCompletionPacke

pid:4092, tid:12448, tick:0x35494DD, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x3549CAD, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x3549CAD, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x354A47D, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x354AC4D, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x354AC4D, lvl:OK, func:NtAssociateWaitCompletionPacke

pid:4092, tid:12448, tick:0x354B41D, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x354B41D, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x354BBED, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x354BBED, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x354BFD5, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x354BFD5, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x354C3BD, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x354C3BD, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x354CB8D, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x354CB8D, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x354D36C, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x354DB3C, lvl:OK, func:NtAssociateWaitCompletionPacke

pid:4092, tid:12448, tick:0x354E30C, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x354EADC, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x354EADC, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x354EEC4, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x354F2AC, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x354F2AC, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x354FA7C, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x354FA7C, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x355024C, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x3550A1C, lvl:OK, func:NtAssociateWaitCompletionPacke

pid:4092, tid:12448, tick:0x35511EC, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35519BC, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x3551DA4, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35538FC, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x3553CE4, lvl:OK, func:NtAssociateWaitCompletionPacke

pid:4092, tid:12448, tick:0x35540CC, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x3556BD4, lvl:OK, func:NtAssociateWaitCompletionPacke

pid:4092, tid:12448, tick:0x3556BD4, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x3556FBC, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x3556FBC, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x3557F5C, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x3558EFC, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x3558EFC, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x3559AB4, lvl:OK, func:NtAssociateWaitCompletionPacke

pid:4092, tid:12448, tick:0x355AE3C, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x355AE3C, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x355B60C, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x355B9F4, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x355BDDC, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x355BDDC, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x355C5AC, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x355C5AC, lvl:OK, func:NtAssociateWaitCompletionPacke

pid:4092, tid:12448, tick:0x355CD7C, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x355CD7C, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x355DD2C, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x355DD2C, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x355E4FC, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x355E4FC, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x355E8E4, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x355ECCC, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x355ECCC, lvl:OK, func:NtAssociateWaitCompletionPacke

pid:4092, tid:12448, tick:0x355FC6C, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x355FC6C, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x3560C0C, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x3560FF4, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35613DC, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35613DC, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x3561BAC, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x3561BAC, lvl:OK, func:NtAssociateWaitCompletionPacke

pid:4092, tid:12448, tick:0x3563AEC, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x3563AEC, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x3563ED4, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x356526B, lvl:OK, func:NtAssociateWaitCompletionPacke

pid:4092, tid:12448, tick:0x3565A3B, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35669DB, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35669DB, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x3566DC3, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35671AB, lvl:OK, func:NtAssociateWaitCompletionPacke

pid:4092, tid:12448, tick:0x35690EB, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35690EB, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35698BB, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35698BB, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x356B02B, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x356B02B, lvl:OK, func:NtAssociateWaitCompletionPacke

pid:4092, tid:12448, tick:0x356B7FB, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x356B7FB, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x356BBE3, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x356BBE3, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x356BFCB, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x356BFCB, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x356C7AB, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x356C7AB, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x356CF7B, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x356CF7B, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x356D74B, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x356DF1B, lvl:OK, func:NtAssociateWaitCompletionPacke

pid:4092, tid:12448, tick:0x356E6EB, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x356EAD3, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x356EAD3, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x356EEBB, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x356EEBB, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x356F68B, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x356FE5B, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x356FE5B, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x3570DFB, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x3570DFB, lvl:OK, func:NtAssociateWaitCompletionPacke

pid:4092, tid:12448, tick:0x35715CB, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35715CB, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x3573CDB, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x3573CDB, lvl:OK, func:NtAssociateWaitCompletionPacke

pid:4092, tid:12448, tick:0x3574C7B, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35763FB, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35763FB, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x3576BCB, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x3576BCB, lvl:OK, func:NtAssociateWaitCompletionPacke

pid:4092, tid:12448, tick:0x35773AA, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35773AA, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x3577B7A, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x357834A, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x3579AD9, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x3579EC1, lvl:OK, func:NtAssociateWaitCompletionPacke

pid:4092, tid:12448, tick:0x357A2B9, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x357C9E8, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x357CDE0, lvl:OK, func:NtAssociateWaitCompletionPacke

pid:4092, tid:12448, tick:0x357CDE0, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x357D1C8, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x357D5B0, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x357F4F0, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x357F8D8, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x357FCC0, lvl:OK, func:NtAssociateWaitCompletionPacke

pid:4092, tid:12448, tick:0x357FCC0, lvl:OK, func:NtAssociateWaitCompletionPacke



pid:4092, tid:12448, tick:0x358A8EE, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x358A8EE, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x358ACD6, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x358ACD6, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x358B0CE, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x358B0CE, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x358B4C5, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x358B8AD, lvl:OK, func:NtAssociateWaitCompletionPacke

pid:4092, tid:12448, tick:0x358B8AD, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x358C08D, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x358D7FD, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x358DBE5, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x358DBE5, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x358DFCD, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x358DFCD, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x358E3B5, lvl:OK, func:NtAssociateWaitCompletionPacke

pid:4092, tid:12448, tick:0x358EB85, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x358EF6D, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x358EF6D, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x358FF0D, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x358FF0D, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35906ED, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35906ED, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x3590EBD, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x3590EBD, lvl:OK, func:NtAssociateWaitCompletionPacke

pid:4092, tid:12448, tick:0x3592DFD, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x3592DFD, lvl:OK, func:NtAssociateWaitCompletionPacke

pid:4092, tid:12448, tick:0x3595CEC, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x3595CEC, lvl:OK, func:NtAssociateWaitCompletionPacke

pid:4092, tid:12448, tick:0x3598BCC, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x3598BCC, lvl:OK, func:NtAssociateWaitCompletionPacke

pid:4092, tid:12448, tick:0x359AB0C, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x359AB0C, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x359AEF4, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x359AEF4, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x359B2DC, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x359B2DC, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x359B6D4, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x359BABC, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x359BABC, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x359BEA4, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x359BEA4, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x359CA6B, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x359CA6B, lvl:OK, func:NtAssociateWaitCompletionPacke

pid:4092, tid:12448, tick:0x359DA0B, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x359DA0B, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x359DDF3, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x359DDF3, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x359E1DB, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x359E5C3, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x359E9AB, lvl:OK, func:NtAssociateWaitCompletionPacke

pid:4092, tid:12448, tick:0x35A08EB, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35A0CE3, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35A0CE3, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35A10CB, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35A10CB, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35A1C83, lvl:OK, func:NtAssociateWaitCompletionPacke

pid:4092, tid:12448, tick:0x35A3BD3, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35A3BD3, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35A3FCA, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35A3FCA, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35A479A, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35A4F6A, lvl:OK, func:NtAssociateWaitCompletionPacke

pid:4092, tid:12448, tick:0x35A62F2, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35A62F2, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35A66EA, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35A66EA, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35A6AD2, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35A6AD2, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35A6EBA, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35A6EBA, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35A7E5A, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35A7E5A, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35A8DFA, lvl:OK, func:NtAssociateWaitCompletionPacke

pid:4092, tid:12448, tick:0x35A8DFA, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35A91E2, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35A95CA, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35A95CA, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35A9D9A, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35A9D9A, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35AA57A, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35AA57A, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35AAD4A, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35AAD4A, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35AB51A, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35AB51A, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35ABCEA, lvl:OK, func:NtAssociateWaitCompletionPacke

pid:4092, tid:12448, tick:0x35ABCEA, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35AC0D2, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35AC0D2, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35AC4BA, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35AC4BA, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35AC8A2, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35AC8A2, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35ACC8A, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35ACC8A, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35AD45A, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35AD45A, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35ADC2A, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35ADC2A, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35AE3FA, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35AE3FA, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35AE7E2, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35AE7E2, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35AEBCA, lvl:OK, func:NtAssociateWaitCompletionPacke

pid:4092, tid:12448, tick:0x35AEBCA, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35AEFC1, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35AEFC1, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35AF3A9, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35AF3A9, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35AFB89, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35AFB89, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35AFF71, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35AFF71, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35B0B29, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35B16E1, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35B1AC9, lvl:OK, func:NtAssociateWaitCompletionPacke

pid:4092, tid:12448, tick:0x35B1AC9, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35B1EB1, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35B1EB1, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35B22A8, lvl:OK, func:NtAssociateWaitCompletionPacke

pid:4092, tid:12448, tick:0x35B4DC0, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35B4DC0, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35B5D6F, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35B74EF, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35B74EF, lvl:OK, func:NtAssociateWaitCompletionPacke

pid:4092, tid:12448, tick:0x35B7CBF, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35B7CBF, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35B8C5F, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35B9FF7, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35B9FF7, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35BA3DF, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35BA3DF, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35BA7C7, lvl:OK, func:NtAssociateWaitCompletionPacke

pid:4092, tid:12448, tick:0x35BA7C7, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35BABAF, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35BABAF, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35BAF97, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35BAF97, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35BB37F, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35BB37F, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35BBB4F, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35BBB4F, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35BC31F, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35BCAEF, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35BCAEF, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35BCEE6, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35BCEE6, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35BD2CE, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35BD2CE, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35BD6B6, lvl:OK, func:NtAssociateWaitCompletionPacke

pid:4092, tid:12448, tick:0x35BD6B6, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35BDA9E, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35BDA9E, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35BE27E, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35BE27E, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35BEA4E, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35BEA4E, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35BEE36, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35BEE36, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35BF21E, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35BF21E, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35BF606, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35BF606, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35BF9EE, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35BF9EE, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35BFDE5, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35BFDE5, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35C01CD, lvl:OK, func:NtAssociateWaitCompletionPacke

pid:4092, tid:12448, tick:0x35C28ED, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35C28ED, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35C2CE5, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35C2CE5, lvl:OK, func:NtAssociateWaitCompletionPacke

pid:4092, tid:12448, tick:0x35C53F5, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35C53F5, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35C57EC, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35C57EC, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35C5BD4, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35C5BD4, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35C5FBC, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35C5FBC, lvl:OK, func:NtAssociateWaitCompletionPacke

pid:4092, tid:12448, tick:0x35C6F5C, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35C6F5C, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35C7EFC, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35C7EFC, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35C86DC, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35C86DC, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35C8AC4, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35C8AC4, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35C8EAC, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35C8EAC, lvl:OK, func:NtAssociateWaitCompletionPacke

pid:4092, tid:12448, tick:0x35C9E4C, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35C9E4C, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35CA61C, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35CA61C, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35CAA04, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35CAA04, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35CADEC, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35CADEC, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35CB1D4, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35CB1D4, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35CB5BC, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35CB5BC, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35CB9A4, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35CB9A4, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35CBD8C, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35CBD8C, lvl:OK, func:NtAssociateWaitCompletionPacke

pid:4092, tid:12448, tick:0x35CC55C, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35CC55C, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35CCD2C, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35CCD2C, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35CD4FC, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35CD4FC, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35CD8E4, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35CD8E4, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35CDCCC, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35CDCCC, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35CE0B4, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35CE0B4, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35CE49C, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35CE49C, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35CEC6C, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35CEC6C, lvl:OK, func:NtAssociateWaitCompletionPacke

pid:4092, tid:12448, tick:0x35CF43C, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35CF43C, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35CFC0C, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35CFC0C, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35CFFF4, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35CFFF4, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35D03DC, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35D0BAC, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35D0BAC, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35D0F94, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35D1B5C, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35D1B5C, lvl:OK, func:NtAssociateWaitCompletionPacke

pid:4092, tid:12448, tick:0x35D2AFC, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35D2AFC, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35D2EE4, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35D2EE4, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35D32CC, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35D32CC, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35D3A9C, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35D3E84, lvl:OK, func:NtAssociateWaitCompletionPacke

pid:4092, tid:12448, tick:0x35D5DC4, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35D5DC4, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35D61AC, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35D61AC, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35D6D64, lvl:OK, func:NtAssociateWaitCompletionPacke

pid:4092, tid:12448, tick:0x35D7DAF, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35D7DAF, lvl:OK, func:NtOpenKeyEx, status:0x0, handl
e:0x484, access:0x20119, path:"\REGISTRY\MACHINE\Software\Microsoft\Cryptography
pid:4092, tid:12448, tick:0x35D7DAF, lvl:LOG, func:NtQueryValueKey, status:0xC00
00034, name:"AutoFlags", class:0x2, length:0x90, resultlength:0x28038272, handle
:0x484, path:"\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\Cryptography\OID\EncodingType
0\CertDllCreateCertificateChainEngine\Config"
pid:4092, tid:12448, tick:0x35D7DBF, lvl:OK, func:LdrGetProcedureAddressForCalle
r, status:0x0, module:0x60BF0000, name:"I_CryptNetAutoFlush", ordinal:0x0, addre
ss:0x60C08DA0, image:0x0, caller:0x77925CA0
pid:4092, tid:12448, tick:0x35D7DBF, lvl:OK, func:NtClose, status:0x0, handle:0x
484
pid:4092, tid:12448, tick:0x35D80EC, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35D80EC, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35D88BC, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35D88BC, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35D8CA4, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35D8CA4, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35DA02C, lvl:OK, func:NtAssociateWaitCompletionPacke

pid:4092, tid:12448, tick:0x35DA02C, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35DA7FC, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35DA7FC, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35DABE4, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35DABE4, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35DAFCC, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35DAFCC, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35DB3B4, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35DB3B4, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35DBB84, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35DBB84, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35DBF6C, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35DBF6C, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35DC73C, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35DC73C, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35DCB33, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35DCB33, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35DCF1B, lvl:OK, func:NtAssociateWaitCompletionPacke

pid:4092, tid:12448, tick:0x35DCF1B, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35DD6EB, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35DD6EB, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35DDAD3, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35DDAD3, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35DDEBB, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35DDEBB, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35DE2A3, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35DE2A3, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35DE68B, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35DE68B, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35DEA73, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35DEA73, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35DEE5B, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35DEE5B, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35DFA13, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35DFA13, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35DFDFB, lvl:OK, func:NtAssociateWaitCompletionPacke

pid:4092, tid:12448, tick:0x35DFDFB, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35E05CB, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35E05CB, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35E0D9B, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35E156B, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35E2CDB, lvl:OK, func:NtAssociateWaitCompletionPacke

pid:4092, tid:12448, tick:0x35E2CDB, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35E3C7B, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35E5BCB, lvl:OK, func:NtAssociateWaitCompletionPacke

pid:4092, tid:12448, tick:0x35E5BCB, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35E5FB3, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35E5FB3, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35E6B6B, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35E7EF3, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35E7EF3, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35E8AAB, lvl:OK, func:NtAssociateWaitCompletionPacke

pid:4092, tid:12448, tick:0x35E8AAB, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35E9A4B, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35E9A4B, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35EA21B, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35EA21B, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35EA9EB, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35EA9EB, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35EADD3, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35EADD3, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35EB1BB, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35EB1BB, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35EB5A3, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35EB5A3, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35EB98B, lvl:OK, func:NtAssociateWaitCompletionPacke

pid:4092, tid:12448, tick:0x35EB98B, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35EBD73, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35EBD73, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35EC15B, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35EC15B, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35EC93A, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35EC93A, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35ED11A, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35ED11A, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35ED8EA, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35ED8EA, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35EDCD2, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35EDCD2, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35EE0CA, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35EE0CA, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35EE4B2, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35EE4B2, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35EE89A, lvl:OK, func:NtAssociateWaitCompletionPacke

pid:4092, tid:12448, tick:0x35EE89A, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35EFC41, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35EFC41, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35F0FF8, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35F0FF8, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35F13EF, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35F13EF, lvl:OK, func:NtAssociateWaitCompletionPacke

pid:4092, tid:12448, tick:0x35F1BBF, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35F1BBF, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35F1FA7, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35F1FA7, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35F2B7F, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35F2B7F, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35F3B2E, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35F3B2E, lvl:OK, func:NtAssociateWaitCompletionPacke

pid:4092, tid:12448, tick:0x35F4ADE, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35F4ADE, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35F4ED6, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35F4ED6, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35F52BE, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35F52BE, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35F5A8E, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35F5A8E, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35F6A4D, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35F6A4D, lvl:OK, func:NtAssociateWaitCompletionPacke

pid:4092, tid:12448, tick:0x35F79FC, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35F79FC, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35F7DF4, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35F7DF4, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35F81DC, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35F81DC, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35F89BC, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35F89BC, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35F8DA4, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35F8DA4, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35FA15B, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35FA15B, lvl:OK, func:NtAssociateWaitCompletionPacke

pid:4092, tid:12448, tick:0x35FA93A, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35FA93A, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35FAD22, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35FAD22, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35FB11A, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35FB11A, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35FB8EA, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35FB8EA, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35FBCE1, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35FBCE1, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35FC8A9, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35FC8A9, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35FCCA1, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35FCCA1, lvl:OK, func:NtAssociateWaitCompletionPacke

pid:4092, tid:12448, tick:0x35FDC50, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35FDC50, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35FEC00, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35FEC00, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35FEFF8, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35FEFF8, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35FF3EF, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35FF3EF, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35FFBBF, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35FFBBF, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35FFFB7, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x35FFFB7, lvl:OK, func:NtAssociateWaitCompletionPacke

pid:4092, tid:12448, tick:0x3602AFD, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x3602AFD, lvl:OK, func:NtAssociateWaitCompletionPacke

pid:4092, tid:12448, tick:0x3603ABC, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x3603ABC, lvl:OK, func:NtAssociateWaitCompletionPacke


pid:4092, tid:12448, tick:0x360A4FF, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x360A4FF, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x360ACCF, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x360ACCF, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x360B4AF, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x360B4AF, lvl:OK, func:NtAssociateWaitCompletionPacke

pid:4092, tid:12448, tick:0x360CC3E, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x360CC3E, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x360DBDE, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x360DBDE, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x360DFC6, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x360DFC6, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x360E3AE, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x360E3AE, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x360EB7E, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x360EB7E, lvl:OK, func:NtAssociateWaitCompletionPacke

pid:4092, tid:12448, tick:0x360FB2E, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x360FB2E, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x3610ACE, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x3610ACE, lvl:OK, func:NtAssociateWaitCompletionPacke



pid:4092, tid:12448, tick:0x3618FAD, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x3618FAD, lvl:OK, func:NtAssociateWaitCompletionPacke

pid:4092, tid:12448, tick:0x361AEED, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x361AEED, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x361B6BD, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x361B6BD, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x361BAA5, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x361BAA5, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x361BE8D, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x361BE8D, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x361CE2D, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x361CE2D, lvl:OK, func:NtAssociateWaitCompletionPacke

pid:4092, tid:1488, tick:0x361DCD3, lvl:LOG, func:LdrShutdownThread, log:"Thread
terminating..."
pid:4092, tid:1488, tick:0x361DCD3, lvl:OK, func:NtWaitForMultipleObjects, statu
pid:4092, tid:1488, tick:0x361DCD3, lvl:OK, func:NtClose, status:0x0, handle:0x5
0C
E0
6C
90
pid:4092, tid:1488, tick:0x361DCD3, lvl:LOG, func:LdrShutdownThread, log:"Thread
pid:4092, tid:12448, tick:0x361DDCD, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:12448, tick:0x361DDCD, lvl:OK, func:NtAssociateWaitCompletionPacke
pid:4092, tid:1184, tick:0x361DDCD, lvl:LOG, func:BaseThreadInitThunk, log:"New
52D8"
pid:4092, tid:1184, tick:0x361ED6D, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1184, tick:0x361ED6D, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1184, tick:0x361FD0D, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1184, tick:0x361FD0D, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1184, tick:0x3620CBD, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1184, tick:0x3620CBD, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1184, tick:0x3622BFD, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1184, tick:0x3622BFD, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1184, tick:0x3625ADD, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1184, tick:0x3625ADD, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1184, tick:0x36262AD, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1184, tick:0x36262AD, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1184, tick:0x362ACF5, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1184, tick:0x362ACF5, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1184, tick:0x362B0DD, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1184, tick:0x362B0DD, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1184, tick:0x362B8AD, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1184, tick:0x362B8AD, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1184, tick:0x362D7ED, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1184, tick:0x362D7ED, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1184, tick:0x362DBD5, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1184, tick:0x362DBD5, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1184, tick:0x362DFBD, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1184, tick:0x362DFBD, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1184, tick:0x362FF0C, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1184, tick:0x36306DC, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1184, tick:0x36306DC, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1184, tick:0x3630EAC, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1184, tick:0x3630EAC, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1184, tick:0x3631E4C, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1184, tick:0x3632DEC, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1184, tick:0x3632DEC, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1184, tick:0x36335BC, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1184, tick:0x36335BC, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1184, tick:0x36354FC, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1184, tick:0x3635CDC, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1184, tick:0x3635CDC, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1184, tick:0x36364AC, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1184, tick:0x36364AC, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1184, tick:0x3636C8C, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1184, tick:0x3638BEB, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1184, tick:0x3638BEB, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1184, tick:0x3638FD3, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1184, tick:0x36393BB, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1184, tick:0x36393BB, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1184, tick:0x363AB4A, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1184, tick:0x363AB4A, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1184, tick:0x363BAFA, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1184, tick:0x363BAFA, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1184, tick:0x363BEE2, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1184, tick:0x363BEE2, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1184, tick:0x363CAB9, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1184, tick:0x363CAB9, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1184, tick:0x363CEA1, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1184, tick:0x363CEA1, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1184, tick:0x363FDB0, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1184, tick:0x363FDB0, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1184, tick:0x3642CBF, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1184, tick:0x3642CBF, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1184, tick:0x3645BBE, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1184, tick:0x3645BBE, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1184, tick:0x3647AFE, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1184, tick:0x3647AFE, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1184, tick:0x3648ABD, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1184, tick:0x3648ABD, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1184, tick:0x364AA1C, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1184, tick:0x364AA1C, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1184, tick:0x364B9CC, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1184, tick:0x364B9CC, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1184, tick:0x364BDB4, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1184, tick:0x364BDB4, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1184, tick:0x364E11B, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1184, tick:0x364E8FA, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1184, tick:0x364E8FA, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1184, tick:0x364ECE2, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1184, tick:0x364ECE2, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1184, tick:0x364F0CA, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1184, tick:0x364F0CA, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1184, tick:0x3651BF1, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1184, tick:0x3655ABF, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1184, tick:0x3655ABF, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1184, tick:0x365B0FD, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1184, tick:0x365B0FD, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1184, tick:0x365B8CD, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1184, tick:0x365B8CD, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1184, tick:0x365BCC5, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1184, tick:0x365BCC5, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1184, tick:0x365C0AD, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1184, tick:0x365C0AD, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1184, tick:0x365DFFD, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1184, tick:0x365DFFD, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1184, tick:0x365E7CD, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1184, tick:0x365E7CD, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1184, tick:0x365EFAC, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1184, tick:0x365EFAC, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1184, tick:0x3660EFC, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1184, tick:0x3660EFC, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1184, tick:0x36616DB, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1184, tick:0x36616DB, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1184, tick:0x3661EBB, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1184, tick:0x3661EBB, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1184, tick:0x36645FA, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1184, tick:0x36645FA, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1184, tick:0x3664DCA, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1184, tick:0x3664DCA, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1184, tick:0x366AFFF, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1184, tick:0x366AFFF, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1184, tick:0x366B7CF, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1184, tick:0x366B7CF, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1184, tick:0x366BBB7, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1184, tick:0x366BBB7, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1184, tick:0x366BFAE, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1184, tick:0x366BFAE, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1184, tick:0x366CF5E, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1184, tick:0x366CF5E, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1184, tick:0x366E6ED, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1184, tick:0x366E6ED, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1184, tick:0x366EAE5, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1184, tick:0x366EAE5, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1184, tick:0x366EEDC, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1184, tick:0x366EEDC, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1184, tick:0x366F6BC, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1184, tick:0x366F6BC, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1184, tick:0x366FAA4, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1184, tick:0x366FAA4, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1184, tick:0x366FE8C, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1184, tick:0x366FE8C, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1184, tick:0x3671DFB, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1184, tick:0x3671DFB, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1184, tick:0x36725CB, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1184, tick:0x36725CB, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1184, tick:0x3672DAA, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1184, tick:0x3672DAA, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1184, tick:0x3674CFA, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1184, tick:0x3674CFA, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1184, tick:0x36754CA, lvl:OK, func:NtAssociateWaitCompletionPacket
pid:4092, tid:1184, tick:0x36754CA, lvl:OK, func:NtAssociateWaitCompletionPacket

Firefox Log Folder Paths

Diunggah oleh

Informasi Dokumen

Deskripsi Asli:

Judul Asli

Hak Cipta

Format Tersedia

Bagikan dokumen Ini

Bagikan atau Tanam Dokumen

Opsi Berbagi

Apakah menurut Anda dokumen ini bermanfaat?

Apakah konten ini tidak pantas?

Hak Cipta:

Format Tersedia

Firefox Log Folder Paths

Diunggah oleh

Hak Cipta:

Format Tersedia

pid:4092, tid:2168, tick:0x33D6F82, lvl:LOG, func:EssentialInit, log:"Start of d

iagnostic log for process with command line: \"C:\Users\i92segoa\Desktop\Firefox

pid:4092, tid:2168, tick:0x33D6F82, lvl:LOG, func:FinalInit, log:"@TEMPLATES@ =

n\Time Zones to \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\T

alias mapping from \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersio

alias mapping from \REGISTRY\MACHINE\SOFTWARE\Microsoft\TermServLicensing to \RE

pid:4092, tid:2168, tick:0x33D6F92, lvl:LOG, func:_AddAliasMapping, log:"Adding

pid:4092, tid:2168, tick:0x33D6F92, lvl:LOG, func:RecurseDirectoryConfig, log:"A

:"Done loading embedded system layerss."

dding root directory @PROFILECOMMON@ (at \Device\HarddiskVolume2\ProgramData) wi

alias mapping from \??\C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\

pid:4092, tid:2168, tick:0x33D6F92, lvl:LOG, func:_AddAliasMapping, log:"Adding

pid:4092, tid:2168, tick:0x33D6F92, lvl:LOG, func:RecurseDirectoryConfig, log:"A

pid:4092, tid:2168, tick:0x33D6F92, lvl:LOG, func:RecurseRegistryConfig, log:"Du

pid:4092, tid:2168, tick:0x33D6F92, lvl:OK, func:LdrGetDllHandle, status:0x0, na

00, disposition:0x2, type:0x0, protect:0x2, handle:0x78

pid:4092, tid:2168, tick:0x33D6FA1, lvl:OK, func:NtEnumerateKey, status:0x0, ind

pid:4092, tid:2168, tick:0x33D6FA1, lvl:OK, func:NtEnumerateKey, status:0x0, ind

pid:4092, tid:2168, tick:0x33D6FA1, lvl:OK, func:NtEnumerateKey, status:0x0, ind

pid:4092, tid:2168, tick:0x33D6FA1, lvl:OK, func:NtEnumerateKey, status:0x0, ind

pid:4092, tid:2168, tick:0x33D6FA1, lvl:OK, func:NtEnumerateKey, status:0x0, ind

pid:4092, tid:2168, tick:0x33D6FA1, lvl:OK, func:NtEnumerateKey, status:0x0, ind

pid:4092, tid:2168, tick:0x33D6FA1, lvl:OK, func:NtEnumerateKey, status:0x0, ind

pid:4092, tid:2168, tick:0x33D6FA1, lvl:OK, func:NtEnumerateKey, status:0x0, ind

pid:4092, tid:2168, tick:0x33D6FA1, lvl:OK, func:NtEnumerateKey, status:0x0, ind

pid:4092, tid:2168, tick:0x33D6FA1, lvl:OK, func:NtEnumerateKey, status:0x0, ind

pid:4092, tid:2168, tick:0x33D6FA1, lvl:OK, func:NtEnumerateKey, status:0x0, ind

pid:4092, tid:2168, tick:0x33D6FA1, lvl:OK, func:NtEnumerateKey, status:0x0, ind

pid:4092, tid:2168, tick:0x33D6FA1, lvl:OK, func:NtEnumerateKey, status:0x0, ind

pid:4092, tid:2168, tick:0x33D6FA1, lvl:OK, func:NtEnumerateKey, status:0x0, ind

pid:4092, tid:2168, tick:0x33D6FA1, lvl:OK, func:NtEnumerateKey, status:0x0, ind

pid:4092, tid:2168, tick:0x33D6FA1, lvl:OK, func:NtEnumerateKey, status:0x0, ind

pid:4092, tid:2168, tick:0x33D6FA1, lvl:OK, func:NtEnumerateKey, status:0x0, ind

pid:4092, tid:2168, tick:0x33D6FA1, lvl:OK, func:NtEnumerateKey, status:0x0, ind

pid:4092, tid:2168, tick:0x33D6FA1, lvl:OK, func:NtEnumerateKey, status:0x0, ind

pid:4092, tid:2168, tick:0x33D6FA1, lvl:OK, func:NtEnumerateKey, status:0x0, ind

pid:4092, tid:2168, tick:0x33D6FB1, lvl:OK, func:NtEnumerateKey, status:0x0, ind

pid:4092, tid:2168, tick:0x33D6FB1, lvl:OK, func:NtEnumerateKey, status:0x0, ind

pid:4092, tid:2168, tick:0x33D6FB1, lvl:OK, func:NtEnumerateKey, status:0x0, ind

pid:4092, tid:2168, tick:0x33D6FB1, lvl:OK, func:NtEnumerateKey, status:0x0, ind

pid:4092, tid:2168, tick:0x33D6FB1, lvl:OK, func:NtEnumerateKey, status:0x0, ind

pid:4092, tid:2168, tick:0x33D6FB1, lvl:OK, func:NtEnumerateKey, status:0x0, ind

pid:4092, tid:2168, tick:0x33D6FB1, lvl:OK, func:NtEnumerateKey, status:0x0, ind

pid:4092, tid:2168, tick:0x33D6FB1, lvl:OK, func:NtEnumerateKey, status:0x0, ind

pid:4092, tid:2168, tick:0x33D6FB1, lvl:OK, func:NtEnumerateKey, status:0x0, ind

pid:4092, tid:2168, tick:0x33D6FB1, lvl:OK, func:NtEnumerateKey, status:0x0, ind

pid:4092, tid:2168, tick:0x33D6FB1, lvl:OK, func:NtEnumerateKey, status:0x0, ind

pid:4092, tid:2168, tick:0x33D6FB1, lvl:OK, func:NtClose, status:0x0, handle:0xE

pid:4092, tid:2168, tick:0x33D6FB1, lvl:OK, func:NtClose, status:0x0, handle:0x1

pid:4092, tid:2168, tick:0x33D6FB1, lvl:OK, func:NtMapViewOfSection, status:0x0,

, status:0x0, module:0x77670000, name:"ImmIMPQueryIMEW", ordinal:0x0, address:0x

, status:0x0, module:0x77670000, name:"ImmNotifyIME", ordinal:0x0, address:0x776

, status:0x0, module:0x77670000, name:"ImmProcessKey", ordinal:0x0, address:0x77

0034, name:"EMPTY", class:0x2, length:0x78, resultlength:0x768FB0, handle:0x218,

plicate regkey Microsoft will not be added as it is at lower layer."

pid:4092, tid:2168, tick:0x33D6FC1, lvl:OK, func:LdrGetDllHandle, status:0x0, na

x0, module:"ole32.dll", handle:0x75580000

x0, module:"rpcrt4.dll", handle:0x77000000

dding directory dictionaries with flags: 2."

C70070, image:0x0, caller:0x6471ED5D

, status:0x0, module:0x77670000, name:"ImmGetContext", ordinal:0x0, address:0x77

x0, module:"gdi32.dll", handle:0x779F0000