10:27:54,7345414 NOTEPAD.EXE 2604 Process Start SUCCESS Parent PID: 9636, Command line: "C:\WINDOWS\system32\NOTEPAD.EXE" C:\Users\Angelo, Current directory: C:\WINDOWS\system32\, Environment: =::=::\ ALLUSERSPROFILE=C:\ProgramData APPDATA=C:\Users\Angelo Braz\AppData\Roaming CommonProgramFiles=C:\Program Files\Common Files CommonProgramFiles(x86)=C:\Program Files (x86)\Common Files CommonProgramW6432=C:\Program Files\Common Files COMPUTERNAME=DESKTOP-T0H8SRB ComSpec=C:\WINDOWS\system32\cmd.exe DriverData=C:\Windows\System32\Drivers\DriverData ESET_OPTIONS= FPS_BROWSER_APP_PROFILE_STRING=Internet Explorer FPS_BROWSER_USER_PROFILE_STRING=Default HOMEDRIVE=C: HOMEPATH=\Users\Angelo Braz LOCALAPPDATA=C:\Users\Angelo Braz\AppData\Local LOGONSERVER=\\DESKTOP-T0H8SRB NUMBER_OF_PROCESSORS=6 OneDrive=C:\Users\Angelo Braz\OneDrive OneDriveConsumer=C:\Users\Angelo Braz\OneDrive OS=Windows_NT Path=C:\Program Files (x86)\NVIDIA Corporation\PhysX\Common;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\WINDOWS\System32\WindowsPowerShell\v1.0\;C:\WINDOWS\System32\OpenSSH\;C:\Program Files (x86)\dotnet\;C:\Users\Angelo Braz\AppData\Local\Microsoft\WindowsApps; PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC PROCESSOR_ARCHITECTURE=AMD64 PROCESSOR_IDENTIFIER=AMD64 Family 16 Model 10 Stepping 0, AuthenticAMD PROCESSOR_LEVEL=16 PROCESSOR_REVISION=0a00 ProgramData=C:\ProgramData ProgramFiles=C:\Program Files ProgramFiles(x86)=C:\Program Files (x86) ProgramW6432=C:\Program Files PSModulePath=C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\ PUBLIC=C:\Users\Public SESSIONNAME=Console SystemDrive=C: SystemRoot=C:\WINDOWS TEMP=C:\Users\ANGELO~1\AppData\Local\Temp TMP=C:\Users\ANGELO~1\AppData\Local\Temp USERDOMAIN=DESKTOP-T0H8SRB USERDOMAIN_ROAMINGPROFILE=DESKTOP-T0H8SRB USERNAME=Angelo USERPROFILE=C:\Users\Angelo Braz VBOX_HWVIRTEX_IGNORE_SVM_IN_USE=1 windir=C:\WINDOWS 10:27:54,7345761 NOTEPAD.EXE 2604 Thread Create SUCCESS Thread ID: 1028 10:27:54,8203633 NOTEPAD.EXE 2604 Load Image C:\Windows\System32\notepad.exe SUCCESS Image Base: 0x7ff6e3d60000, Image Size: 0x38000 10:27:54,8209518 NOTEPAD.EXE 2604 Load Image C:\Windows\System32\ntdll.dll SUCCESS Image Base: 0x7ffb65bf0000, Image Size: 0x1f8000 10:27:54,8213603 NOTEPAD.EXE 2604 CreateFile C:\Windows\Prefetch\NOTEPAD.EXE-D8414F97.pf SUCCESS Desired Access: Generic Read, Disposition: Open, Options: Synchronous IO Non-Alert, Attributes: n/a, ShareMode: None, AllocationSize: n/a, OpenResult: Opened 10:27:54,8215071 NOTEPAD.EXE 2604 QueryStandardInformationFile C:\Windows\Prefetch\NOTEPAD.EXE-D8414F97.pf SUCCESS AllocationSize: 20.480, EndOfFile: 20.117, NumberOfLinks: 1, DeletePending: False, Directory: False 10:27:54,8215720 NOTEPAD.EXE 2604 ReadFile C:\Windows\Prefetch\NOTEPAD.EXE-D8414F97.pf SUCCESS Offset: 0, Length: 20.117, Priority: Normal 10:27:54,8216429 NOTEPAD.EXE 2604 ReadFile C:\Windows\Prefetch\NOTEPAD.EXE-D8414F97.pf SUCCESS Offset: 0, Length: 20.117, I/O Flags: Non-cached, Paging I/O, Priority: Normal 10:27:54,8257222 NOTEPAD.EXE 2604 CloseFile C:\Windows\Prefetch\NOTEPAD.EXE-D8414F97.pf SUCCESS 10:27:54,8569718 NOTEPAD.EXE 2604 RegOpenKey HKLM\System\CurrentControlSet\Control\Session Manager REPARSE Desired Access: Query Value 10:27:54,8570190 NOTEPAD.EXE 2604 RegOpenKey HKLM\System\CurrentControlSet\Control\Session Manager SUCCESS Desired Access: Query Value 10:27:54,8570700 NOTEPAD.EXE 2604 RegQueryValue HKLM\System\CurrentControlSet\Control\Session Manager\RaiseExceptionOnPossibleDeadlock NAME NOT FOUND Length: 80 10:27:54,8571126 NOTEPAD.EXE 2604 RegCloseKey HKLM\System\CurrentControlSet\Control\Session Manager SUCCESS 10:27:54,8571590 NOTEPAD.EXE 2604 RegOpenKey HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Segment Heap REPARSE Desired Access: Query Value 10:27:54,8571972 NOTEPAD.EXE 2604 RegOpenKey HKLM\System\CurrentControlSet\Control\Session Manager\Segment Heap NAME NOT FOUND Desired Access: Query Value 10:27:54,8572718 NOTEPAD.EXE 2604 RegOpenKey HKLM\SYSTEM\CurrentControlSet\Control\Session Manager REPARSE Desired Access: Query Value, Enumerate Sub Keys 10:27:54,8573151 NOTEPAD.EXE 2604 RegOpenKey HKLM\System\CurrentControlSet\Control\Session Manager SUCCESS Desired Access: Query Value, Enumerate Sub Keys 10:27:54,8573639 NOTEPAD.EXE 2604 RegQueryValue HKLM\System\CurrentControlSet\Control\Session Manager\ResourcePolicies NAME NOT FOUND Length: 24 10:27:54,8574045 NOTEPAD.EXE 2604 RegCloseKey HKLM\System\CurrentControlSet\Control\Session Manager SUCCESS 10:27:54,8582890 NOTEPAD.EXE 2604 CreateFile C:\Windows\System32 SUCCESS Desired Access: Execute/Traverse, Synchronize, Disposition: Open, Options: Directory, Synchronous IO Non-Alert, Attributes: n/a, ShareMode: Read, Write, AllocationSize: n/a, OpenResult: Opened 10:27:54,8591206 NOTEPAD.EXE 2604 Load Image C:\Windows\System32\kernel32.dll SUCCESS Image Base: 0x7ffb64450000, Image Size: 0xbf000 10:27:54,8600892 NOTEPAD.EXE 2604 Load Image C:\Windows\System32\KernelBase.dll SUCCESS Image Base: 0x7ffb634e0000, Image Size: 0x2f6000 10:27:54,8622595 NOTEPAD.EXE 2604 RegQueryValue HKLM\System\CurrentControlSet\Control\WMI\Security\3c74afb9-8d82-44e3-b52c-365dbf48382a NAME NOT FOUND Length: 528 10:27:54,8624625 NOTEPAD.EXE 2604 QueryNameInformationFile C:\Windows\System32\KernelBase.dll SUCCESS Name: \Windows\System32\KernelBase.dll 10:27:54,8627866 NOTEPAD.EXE 2604 RegOpenKey HKLM\System\CurrentControlSet\Control\StateSeparation\RedirectionMap\Keys REPARSE Desired Access: Read 10:27:54,8628381 NOTEPAD.EXE 2604 RegOpenKey HKLM\System\CurrentControlSet\Control\StateSeparation\RedirectionMap\Keys NAME NOT FOUND Desired Access: Read 10:27:54,8633787 NOTEPAD.EXE 2604 RegQueryValue HKLM\System\CurrentControlSet\Control\WMI\Security\05f95efe-7f75-49c7-a994-60a55cc09571 NAME NOT FOUND Length: 528 10:27:54,8635435 NOTEPAD.EXE 2604 QueryNameInformationFile C:\Windows\System32\KernelBase.dll SUCCESS Name: \Windows\System32\KernelBase.dll 10:27:54,8638653 NOTEPAD.EXE 2604 RegQueryValue HKLM\System\CurrentControlSet\Control\WMI\Security\e36c4458-ed80-4ad7-a8be-52dda1eb5f1c NAME NOT FOUND Length: 528 10:27:54,8644774 NOTEPAD.EXE 2604 QueryNameInformationFile C:\Windows\System32\kernel32.dll SUCCESS Name: \Windows\System32\kernel32.dll 10:27:54,8646978 NOTEPAD.EXE 2604 RegQueryValue HKLM\System\CurrentControlSet\Control\Notifications\418A073AA3BC8075 BUFFER TOO SMALL Length: 0 10:27:54,8656131 NOTEPAD.EXE 2604 RegQueryValue HKLM\System\CurrentControlSet\Control\Notifications\418A073AA3BC8075 SUCCESS Type: REG_BINARY, Length: 364, Data: 01 00 04 80 00 00 00 00 00 00 00 00 00 00 00 00 10:27:54,8660219 NOTEPAD.EXE 2604 RegOpenKey HKLM\System\CurrentControlSet\Control\SafeBoot\Option REPARSE Desired Access: Query Value, Set Value 10:27:54,8660620 NOTEPAD.EXE 2604 RegOpenKey HKLM\System\CurrentControlSet\Control\SafeBoot\Option NAME NOT FOUND Desired Access: Query Value, Set Value 10:27:54,8661187 NOTEPAD.EXE 2604 RegOpenKey HKLM\System\CurrentControlSet\Control\Srp\GP\DLL REPARSE Desired Access: Read 10:27:54,8663333 NOTEPAD.EXE 2604 RegOpenKey HKLM\System\CurrentControlSet\Control\Srp\GP\DLL NAME NOT FOUND Desired Access: Read 10:27:54,8663844 NOTEPAD.EXE 2604 RegOpenKey HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers SUCCESS Desired Access: Query Value 10:27:54,8664938 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\TransparentEnabled NAME NOT FOUND Length: 80 10:27:54,8665724 NOTEPAD.EXE 2604 RegCloseKey HKLM\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers SUCCESS 10:27:54,8666243 NOTEPAD.EXE 2604 RegOpenKey HKCU\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers NAME NOT FOUND Desired Access: Query Value 10:27:54,8667090 NOTEPAD.EXE 2604 RegOpenKey HKLM\System\CurrentControlSet\Control\FileSystem\ REPARSE Desired Access: Read 10:27:54,8668538 NOTEPAD.EXE 2604 RegOpenKey HKLM\System\CurrentControlSet\Control\FileSystem SUCCESS Desired Access: Read 10:27:54,8669035 NOTEPAD.EXE 2604 RegQueryValue HKLM\System\CurrentControlSet\Control\FileSystem\LongPathsEnabled SUCCESS Type: REG_DWORD, Length: 4, Data: 1 10:27:54,8669761 NOTEPAD.EXE 2604 RegCloseKey HKLM\System\CurrentControlSet\Control\FileSystem SUCCESS 10:27:54,8670648 NOTEPAD.EXE 2604 RegOpenKey HKLM\System\CurrentControlSet\Control\FileSystem\ REPARSE Desired Access: Read 10:27:54,8671073 NOTEPAD.EXE 2604 RegOpenKey HKLM\System\CurrentControlSet\Control\FileSystem SUCCESS Desired Access: Read 10:27:54,8671596 NOTEPAD.EXE 2604 RegQueryValue HKLM\System\CurrentControlSet\Control\FileSystem\LPGO NAME NOT FOUND Length: 20 10:27:54,8672072 NOTEPAD.EXE 2604 RegCloseKey HKLM\System\CurrentControlSet\Control\FileSystem SUCCESS 10:27:54,8688236 NOTEPAD.EXE 2604 Load Image C:\Windows\System32\gdi32.dll SUCCESS Image Base: 0x7ffb65000000, Image Size: 0x2c000 10:27:54,8711766 NOTEPAD.EXE 2604 Load Image C:\Windows\System32\win32u.dll SUCCESS Image Base: 0x7ffb63bf0000, Image Size: 0x22000 10:27:54,8719596 NOTEPAD.EXE 2604 Load Image C:\Windows\System32\gdi32full.dll SUCCESS Image Base: 0x7ffb63ad0000, Image Size: 0x115000 10:27:54,8728587 NOTEPAD.EXE 2604 Load Image C:\Windows\System32\msvcp_win.dll SUCCESS Image Base: 0x7ffb63810000, Image Size: 0x9d000 10:27:54,8736898 NOTEPAD.EXE 2604 Load Image C:\Windows\System32\ucrtbase.dll SUCCESS Image Base: 0x7ffb638b0000, Image Size: 0x100000 10:27:54,8739281 NOTEPAD.EXE 2604 Thread Create SUCCESS Thread ID: 2764 10:27:54,8747202 NOTEPAD.EXE 2604 Load Image C:\Windows\System32\user32.dll SUCCESS Image Base: 0x7ffb64570000, Image Size: 0x19d000 10:27:54,8754901 NOTEPAD.EXE 2604 Thread Create SUCCESS Thread ID: 2760 10:27:54,8760680 NOTEPAD.EXE 2604 Thread Create SUCCESS Thread ID: 9248 10:27:54,8763804 NOTEPAD.EXE 2604 Load Image C:\Windows\System32\combase.dll SUCCESS Image Base: 0x7ffb63f50000, Image Size: 0x354000 10:27:54,8765673 NOTEPAD.EXE 2604 RegOpenKey HKLM\SYSTEM\CurrentControlSet\Control\Session Manager REPARSE Desired Access: Query Value, Enumerate Sub Keys 10:27:54,8766881 NOTEPAD.EXE 2604 RegOpenKey HKLM\System\CurrentControlSet\Control\Session Manager SUCCESS Desired Access: Query Value, Enumerate Sub Keys 10:27:54,8768515 NOTEPAD.EXE 2604 RegQueryValue HKLM\System\CurrentControlSet\Control\Session Manager\ResourcePolicies NAME NOT FOUND Length: 24 10:27:54,8769861 NOTEPAD.EXE 2604 RegCloseKey HKLM\System\CurrentControlSet\Control\Session Manager SUCCESS 10:27:54,8780521 NOTEPAD.EXE 2604 Load Image C:\Windows\System32\rpcrt4.dll SUCCESS Image Base: 0x7ffb64710000, Image Size: 0x126000 10:27:54,8791459 NOTEPAD.EXE 2604 Load Image C:\Windows\System32\SHCore.dll SUCCESS Image Base: 0x7ffb65100000, Image Size: 0xad000 10:27:54,8799893 NOTEPAD.EXE 2604 Load Image C:\Windows\System32\msvcrt.dll SUCCESS Image Base: 0x7ffb65ad0000, Image Size: 0x9e000 10:27:54,8804066 NOTEPAD.EXE 2604 RegOpenKey HKLM\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots NAME NOT FOUND Desired Access: Enumerate Sub Keys 10:27:54,8812515 NOTEPAD.EXE 2604 CreateFile C:\Windows\System32\NOTEPAD.EXE.Local NAME NOT FOUND Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a 10:27:54,8816730 NOTEPAD.EXE 2604 CreateFile C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.1110_none_60b5254171f9507e SUCCESS Desired Access: Execute/Traverse, Synchronize, Disposition: Open, Options: Directory, Synchronous IO Non-Alert, Attributes: n/a, ShareMode: Read, Write, AllocationSize: n/a, OpenResult: Opened 10:27:54,8823607 NOTEPAD.EXE 2604 CreateFile C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.1110_none_60b5254171f9507e\comctl32.dll SUCCESS Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened 10:27:54,8824372 NOTEPAD.EXE 2604 QueryBasicInformationFile C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.1110_none_60b5254171f9507e\comctl32.dll SUCCESS CreationTime: 15/07/2021 14:44:59, LastAccessTime: 09/08/2023 10:27:49, LastWriteTime: 09/07/2021 14:18:06, ChangeTime: 09/08/2023 10:11:08, FileAttributes: A 10:27:54,8824814 NOTEPAD.EXE 2604 CloseFile C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.1110_none_60b5254171f9507e\comctl32.dll SUCCESS 10:27:54,8828335 NOTEPAD.EXE 2604 CreateFile C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.1110_none_60b5254171f9507e\comctl32.dll SUCCESS Desired Access: Read Data/List Directory, Execute/Traverse, Synchronize, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, Delete, AllocationSize: n/a, OpenResult: Opened 10:27:54,8829431 NOTEPAD.EXE 2604 CreateFileMapping C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.1110_none_60b5254171f9507e\comctl32.dll FILE LOCKED WITH ONLY READERS SyncType: SyncTypeCreateSection, PageProtection: PAGE_EXECUTE_WRITECOPY|PAGE_NOCACHE 10:27:54,8830358 NOTEPAD.EXE 2604 CreateFileMapping C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.1110_none_60b5254171f9507e\comctl32.dll SUCCESS SyncType: SyncTypeOther 10:27:54,8836708 NOTEPAD.EXE 2604 Load Image C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.1110_none_60b5254171f9507e\comctl32.dll SUCCESS Image Base: 0x7ffb4fe10000, Image Size: 0x29a000 10:27:54,8839585 NOTEPAD.EXE 2604 CloseFile C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.1110_none_60b5254171f9507e\comctl32.dll SUCCESS 10:27:54,8847081 NOTEPAD.EXE 2604 RegOpenKey HKLM\System\CurrentControlSet\Control\Nls\Sorting\Versions REPARSE Desired Access: Read 10:27:54,8847718 NOTEPAD.EXE 2604 RegOpenKey HKLM\System\CurrentControlSet\Control\Nls\Sorting\Versions SUCCESS Desired Access: Read 10:27:54,8848253 NOTEPAD.EXE 2604 RegQueryValue HKLM\System\CurrentControlSet\Control\Nls\Sorting\Versions\(Default) SUCCESS Type: REG_SZ, Length: 18, Data: 00060305 10:27:54,8848908 NOTEPAD.EXE 2604 RegQueryValue HKLM\System\CurrentControlSet\Control\Nls\Sorting\Versions\000603xx SUCCESS Type: REG_SZ, Length: 26, Data: kernel32.dll 10:27:54,8867711 NOTEPAD.EXE 2604 CreateFile C:\Windows\System32\imm32.dll SUCCESS Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened 10:27:54,8868982 NOTEPAD.EXE 2604 QueryBasicInformationFile C:\Windows\System32\imm32.dll SUCCESS CreationTime: 15/03/2023 09:32:19, LastAccessTime: 09/08/2023 10:27:54, LastWriteTime: 15/03/2023 09:32:19, ChangeTime: 09/08/2023 10:10:42, FileAttributes: A 10:27:54,8869385 NOTEPAD.EXE 2604 CloseFile C:\Windows\System32\imm32.dll SUCCESS 10:27:54,8873109 NOTEPAD.EXE 2604 CreateFile C:\Windows\System32\imm32.dll SUCCESS Desired Access: Read Data/List Directory, Synchronize, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, Delete, AllocationSize: n/a, OpenResult: Opened 10:27:54,8874508 NOTEPAD.EXE 2604 CreateFileMapping C:\Windows\System32\imm32.dll FILE LOCKED WITH ONLY READERS SyncType: SyncTypeCreateSection, PageProtection: PAGE_EXECUTE_WRITECOPY|PAGE_NOCACHE 10:27:54,8874919 NOTEPAD.EXE 2604 QueryStandardInformationFile C:\Windows\System32\imm32.dll SUCCESS AllocationSize: 106.496, EndOfFile: 189.264, NumberOfLinks: 2, DeletePending: False, Directory: False 10:27:54,8875599 NOTEPAD.EXE 2604 CreateFileMapping C:\Windows\System32\imm32.dll SUCCESS SyncType: SyncTypeOther 10:27:54,8876829 NOTEPAD.EXE 2604 CloseFile C:\Windows\System32\imm32.dll SUCCESS 10:27:54,8894818 NOTEPAD.EXE 2604 Load Image C:\Windows\System32\imm32.dll SUCCESS Image Base: 0x7ffb650d0000, Image Size: 0x30000 10:27:54,8899262 NOTEPAD.EXE 2604 RegOpenKey HKLM\System\CurrentControlSet\Control\Error Message Instrument\ REPARSE Desired Access: Read 10:27:54,8899786 NOTEPAD.EXE 2604 RegOpenKey HKLM\System\CurrentControlSet\Control\Error Message Instrument NAME NOT FOUND Desired Access: Read 10:27:54,8900914 NOTEPAD.EXE 2604 RegQueryValue HKLM\System\CurrentControlSet\Control\WMI\Security\f25bcd2e-2690-55dc-3bc4-07b65b1b41c9 NAME NOT FOUND Length: 528 10:27:54,8902823 NOTEPAD.EXE 2604 QueryNameInformationFile C:\Windows\System32\user32.dll SUCCESS Name: \Windows\System32\user32.dll 10:27:54,8904514 NOTEPAD.EXE 2604 RegOpenKey HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options SUCCESS Desired Access: Query Value, Enumerate Sub Keys 10:27:54,8905051 NOTEPAD.EXE 2604 RegOpenKey HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NOTEPAD.EXE NAME NOT FOUND Desired Access: Query Value, Enumerate Sub Keys 10:27:54,8905463 NOTEPAD.EXE 2604 RegOpenKey HKLM\Software\Policies\Microsoft\Windows\Display NAME NOT FOUND Desired Access: Read 10:27:54,8906143 NOTEPAD.EXE 2604 RegOpenKey HKLM\Software\Policies\Microsoft\Windows\Display NAME NOT FOUND Desired Access: Read 10:27:54,8906575 NOTEPAD.EXE 2604 RegOpenKey HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NOTEPAD.EXE NAME NOT FOUND Desired Access: Query Value, Enumerate Sub Keys 10:27:54,8906955 NOTEPAD.EXE 2604 RegOpenKey HKLM\Software\Policies\Microsoft\Windows\Display NAME NOT FOUND Desired Access: Read 10:27:54,8907360 NOTEPAD.EXE 2604 RegOpenKey HKLM\Software\Policies\Microsoft\Windows\Display NAME NOT FOUND Desired Access: Read 10:27:54,8908138 NOTEPAD.EXE 2604 RegOpenKey HKLM\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize SUCCESS Desired Access: Read 10:27:54,8908626 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles NAME NOT FOUND Length: 20 10:27:54,8909037 NOTEPAD.EXE 2604 RegCloseKey HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize SUCCESS 10:27:54,8909388 NOTEPAD.EXE 2604 RegOpenKey HKLM\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize SUCCESS Desired Access: Read 10:27:54,8909772 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableUmpdBufferSizeCheck NAME NOT FOUND Length: 20 10:27:54,8910183 NOTEPAD.EXE 2604 RegCloseKey HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize SUCCESS 10:27:54,8911206 NOTEPAD.EXE 2604 RegOpenKey HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NOTEPAD.EXE NAME NOT FOUND Desired Access: Read 10:27:54,8911968 NOTEPAD.EXE 2604 RegOpenKey HKLM\Software\Policies\Microsoft\Windows\Control Panel\Desktop NAME NOT FOUND Desired Access: Read 10:27:54,8912782 NOTEPAD.EXE 2604 RegOpenKey HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop NAME NOT FOUND Desired Access: Read 10:27:54,8913402 NOTEPAD.EXE 2604 RegOpenKey HKCU\Control Panel\Desktop SUCCESS Desired Access: Read 10:27:54,8914247 NOTEPAD.EXE 2604 RegQueryValue HKCU\Control Panel\Desktop\EnablePerProcessSystemDPI SUCCESS Type: REG_DWORD, Length: 4, Data: 1 10:27:54,8914812 NOTEPAD.EXE 2604 RegCloseKey HKCU\Control Panel\Desktop SUCCESS 10:27:54,8916726 NOTEPAD.EXE 2604 RegOpenKey HKLM\Software\Microsoft\Windows NT\CurrentVersion\Compatibility32 SUCCESS Desired Access: Read 10:27:54,8917331 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Compatibility32\NOTEPAD NAME NOT FOUND Length: 172 10:27:54,8917878 NOTEPAD.EXE 2604 RegCloseKey HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Compatibility32 SUCCESS 10:27:54,8918503 NOTEPAD.EXE 2604 RegOpenKey HKLM\Software\Microsoft\Windows NT\CurrentVersion\IME Compatibility NAME NOT FOUND Desired Access: Read 10:27:54,8925770 NOTEPAD.EXE 2604 RegOpenKey HKCU SUCCESS Desired Access: Maximum Allowed, Granted Access: All Access 10:27:54,8933555 NOTEPAD.EXE 2604 RegOpenKey HKCU\Control Panel\Desktop\MuiCached\MachineLanguageConfiguration NAME NOT FOUND Desired Access: Read 10:27:54,8935461 NOTEPAD.EXE 2604 RegCloseKey HKCU SUCCESS 10:27:54,8941812 NOTEPAD.EXE 2604 RegOpenKey HKLM\Software\Policies\Microsoft\MUI\Settings NAME NOT FOUND Desired Access: Read 10:27:54,8942408 NOTEPAD.EXE 2604 RegOpenKey HKCU SUCCESS Desired Access: Maximum Allowed, Granted Access: All Access 10:27:54,8954706 NOTEPAD.EXE 2604 RegOpenKey HKCU\Software\Policies\Microsoft\Control Panel\Desktop NAME NOT FOUND Desired Access: Read 10:27:54,8955339 NOTEPAD.EXE 2604 RegOpenKey HKCU\Control Panel\Desktop\LanguageConfiguration SUCCESS Desired Access: Read 10:27:54,8957497 NOTEPAD.EXE 2604 RegEnumValue HKCU\Control Panel\Desktop\LanguageConfiguration NO MORE ENTRIES Index: 0, Length: 512 10:27:54,8958111 NOTEPAD.EXE 2604 RegCloseKey HKCU\Control Panel\Desktop\LanguageConfiguration SUCCESS 10:27:54,8958588 NOTEPAD.EXE 2604 RegCloseKey HKCU SUCCESS 10:27:54,8959205 NOTEPAD.EXE 2604 RegOpenKey HKLM\Software\Policies\Microsoft\MUI\Settings NAME NOT FOUND Desired Access: Read 10:27:54,8959834 NOTEPAD.EXE 2604 RegOpenKey HKCU SUCCESS Desired Access: Maximum Allowed, Granted Access: All Access 10:27:54,8960475 NOTEPAD.EXE 2604 RegOpenKey HKCU\Software\Policies\Microsoft\Control Panel\Desktop NAME NOT FOUND Desired Access: Read 10:27:54,8961385 NOTEPAD.EXE 2604 RegOpenKey HKCU\Control Panel\Desktop SUCCESS Desired Access: Read 10:27:54,8962041 NOTEPAD.EXE 2604 RegQueryValue HKCU\Control Panel\Desktop\PreferredUILanguages NAME NOT FOUND Length: 12 10:27:54,8962830 NOTEPAD.EXE 2604 RegCloseKey HKCU\Control Panel\Desktop SUCCESS 10:27:54,8963704 NOTEPAD.EXE 2604 RegCloseKey HKCU SUCCESS 10:27:54,8964355 NOTEPAD.EXE 2604 RegOpenKey HKLM\Software\Policies\Microsoft\MUI\Settings NAME NOT FOUND Desired Access: Read 10:27:54,8965168 NOTEPAD.EXE 2604 RegOpenKey HKCU SUCCESS Desired Access: Maximum Allowed, Granted Access: All Access 10:27:54,8965814 NOTEPAD.EXE 2604 RegOpenKey HKCU\Control Panel\Desktop\MuiCached SUCCESS Desired Access: Read 10:27:54,8966375 NOTEPAD.EXE 2604 RegQueryValue HKCU\Control Panel\Desktop\MuiCached\MachinePreferredUILanguages BUFFER OVERFLOW Length: 12 10:27:54,8968565 NOTEPAD.EXE 2604 RegQueryValue HKCU\Control Panel\Desktop\MuiCached\MachinePreferredUILanguages SUCCESS Type: REG_MULTI_SZ, Length: 12, Data: pt-BR 10:27:54,8972346 NOTEPAD.EXE 2604 RegCloseKey HKCU\Control Panel\Desktop\MuiCached SUCCESS 10:27:54,8974271 NOTEPAD.EXE 2604 RegCloseKey HKCU SUCCESS 10:27:54,8976020 NOTEPAD.EXE 2604 RegOpenKey HKLM\Software\Microsoft\LanguageOverlay\OverlayPackages\pt-BR SUCCESS Desired Access: Read 10:27:54,8976750 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\LanguageOverlay\OverlayPackages\pt-br\Latest SUCCESS Type: REG_SZ, Length: 210, Data: 10:27:54,8977292 NOTEPAD.EXE 2604 RegCloseKey HKLM\SOFTWARE\Microsoft\LanguageOverlay\OverlayPackages\pt-br SUCCESS 10:27:54,8981242 NOTEPAD.EXE 2604 CreateFile C:\Program Files\WindowsApps\Microsoft.LanguageExperiencePackpt-BR_19041.64.213.0_neutral__8wekyb3d8bbwe\Windows\System32\pt-BR\notepad.exe.mui SUCCESS Desired Access: Read Data/List Directory, Synchronize, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, Delete, AllocationSize: n/a, OpenResult: Opened 10:27:54,8982789 NOTEPAD.EXE 2604 CreateFileMapping C:\Program Files\WindowsApps\Microsoft.LanguageExperiencePackpt-BR_19041.64.213.0_neutral__8wekyb3d8bbwe\Windows\System32\pt-BR\notepad.exe.mui FILE LOCKED WITH ONLY READERS SyncType: SyncTypeCreateSection, PageProtection: PAGE_EXECUTE_WRITECOPY 10:27:54,8983413 NOTEPAD.EXE 2604 QueryStandardInformationFile C:\Program Files\WindowsApps\Microsoft.LanguageExperiencePackpt-BR_19041.64.213.0_neutral__8wekyb3d8bbwe\Windows\System32\pt-BR\notepad.exe.mui SUCCESS AllocationSize: 16.384, EndOfFile: 23.432, NumberOfLinks: 1, DeletePending: False, Directory: False 10:27:54,8985770 NOTEPAD.EXE 2604 CreateFileMapping C:\Program Files\WindowsApps\Microsoft.LanguageExperiencePackpt-BR_19041.64.213.0_neutral__8wekyb3d8bbwe\Windows\System32\pt-BR\notepad.exe.mui SUCCESS SyncType: SyncTypeOther 10:27:54,8989500 NOTEPAD.EXE 2604 RegQueryValue HKLM\System\CurrentControlSet\Control\WMI\Security\540dc156-e9d6-42dc-a225-29794149a495 NAME NOT FOUND Length: 528 10:27:54,8991412 NOTEPAD.EXE 2604 QueryNameInformationFile C:\Windows\System32\ntdll.dll SUCCESS Name: \Windows\System32\ntdll.dll 10:27:54,8996227 NOTEPAD.EXE 2604 RegOpenKey HKLM SUCCESS Desired Access: Maximum Allowed, Granted Access: Read 10:27:54,8996781 NOTEPAD.EXE 2604 RegQueryKey HKLM SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:54,8997219 NOTEPAD.EXE 2604 RegOpenKey HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows SUCCESS Desired Access: Read 10:27:54,8997749 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\LoadAppInit_DLLs SUCCESS Type: REG_DWORD, Length: 4, Data: 0 10:27:54,8998327 NOTEPAD.EXE 2604 RegCloseKey HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows SUCCESS 10:27:54,9019762 NOTEPAD.EXE 2604 RegOpenKey HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NOTEPAD.EXE NAME NOT FOUND Desired Access: Query Value, Enumerate Sub Keys 10:27:54,9030500 NOTEPAD.EXE 2604 RegQueryKey HKLM SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:54,9031122 NOTEPAD.EXE 2604 RegOpenKey HKLM\SOFTWARE\Microsoft\OLE SUCCESS Desired Access: Read 10:27:54,9031605 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Ole\PageAllocatorUseSystemHeap NAME NOT FOUND Length: 20 10:27:54,9031971 NOTEPAD.EXE 2604 RegCloseKey HKLM\SOFTWARE\Microsoft\Ole SUCCESS 10:27:54,9032318 NOTEPAD.EXE 2604 RegQueryKey HKLM SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:54,9032661 NOTEPAD.EXE 2604 RegOpenKey HKLM\SOFTWARE\Microsoft\OLE SUCCESS Desired Access: Read 10:27:54,9034442 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Ole\PageAllocatorSystemHeapIsPrivate NAME NOT FOUND Length: 20 10:27:54,9034873 NOTEPAD.EXE 2604 RegCloseKey HKLM\SOFTWARE\Microsoft\Ole SUCCESS 10:27:54,9036356 NOTEPAD.EXE 2604 RegQueryKey HKLM SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:54,9036728 NOTEPAD.EXE 2604 RegOpenKey HKLM\SOFTWARE\Microsoft\OLE SUCCESS Desired Access: Read 10:27:54,9038402 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Ole\AggressiveMTATesting NAME NOT FOUND Length: 16 10:27:54,9038838 NOTEPAD.EXE 2604 RegCloseKey HKLM\SOFTWARE\Microsoft\Ole SUCCESS 10:27:54,9041157 NOTEPAD.EXE 2604 RegQueryValue HKLM\System\CurrentControlSet\Control\Notifications\418A073AA3BC8075 BUFFER TOO SMALL Length: 0 10:27:54,9043273 NOTEPAD.EXE 2604 RegQueryValue HKLM\System\CurrentControlSet\Control\Notifications\418A073AA3BC8075 SUCCESS Type: REG_BINARY, Length: 364, Data: 01 00 04 80 00 00 00 00 00 00 00 00 00 00 00 00 10:27:54,9045321 NOTEPAD.EXE 2604 RegQueryKey HKLM SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:54,9045694 NOTEPAD.EXE 2604 RegOpenKey HKLM SUCCESS Desired Access: Read 10:27:54,9046083 NOTEPAD.EXE 2604 RegSetInfoKey HKLM SUCCESS KeySetInformationClass: KeySetHandleTagsInformation, Length: 0 10:27:54,9046552 NOTEPAD.EXE 2604 RegQueryKey HKLM SUCCESS Query: HandleTags, HandleTags: 0x100 10:27:54,9046927 NOTEPAD.EXE 2604 RegOpenKey HKLM\Software\Microsoft\Ole\FeatureDevelopmentProperties NAME NOT FOUND Desired Access: Read 10:27:54,9047507 NOTEPAD.EXE 2604 RegOpenKey HKLM\SOFTWARE\Microsoft\AppModel\Lookaside\Packages SUCCESS Desired Access: Read 10:27:54,9048367 NOTEPAD.EXE 2604 RegCloseKey HKLM\SOFTWARE\Microsoft\AppModel\Lookaside\Packages SUCCESS 10:27:54,9048840 NOTEPAD.EXE 2604 RegQueryKey HKLM BUFFER TOO SMALL Query: Name, Length: 0 10:27:54,9049193 NOTEPAD.EXE 2604 RegQueryKey HKLM SUCCESS Query: Name 10:27:54,9049755 NOTEPAD.EXE 2604 RegOpenKey HKLM\SOFTWARE\Microsoft\AppModel\Lookaside\machine\Software\Microsoft\Ole\FeatureDevelopmentProperties NAME NOT FOUND Desired Access: Read 10:27:54,9050323 NOTEPAD.EXE 2604 RegQueryKey HKLM SUCCESS Query: HandleTags, HandleTags: 0x100 10:27:54,9050671 NOTEPAD.EXE 2604 RegOpenKey HKLM\Software\Microsoft\Ole\FeatureDevelopmentProperties NAME NOT FOUND Desired Access: Read 10:27:54,9072237 NOTEPAD.EXE 2604 RegQueryKey HKLM BUFFER TOO SMALL Query: Name, Length: 0 10:27:54,9076617 NOTEPAD.EXE 2604 RegQueryKey HKLM SUCCESS Query: Name 10:27:54,9077647 NOTEPAD.EXE 2604 RegOpenKey HKLM\SOFTWARE\Microsoft\AppModel\Lookaside\machine\Software\Microsoft\Ole\FeatureDevelopmentProperties NAME NOT FOUND Desired Access: Read 10:27:54,9078225 NOTEPAD.EXE 2604 RegQueryKey HKLM SUCCESS Query: HandleTags, HandleTags: 0x100 10:27:54,9078589 NOTEPAD.EXE 2604 RegOpenKey HKLM\Software\Microsoft\Ole SUCCESS Desired Access: Read 10:27:54,9079632 NOTEPAD.EXE 2604 RegOpenKey HKCU SUCCESS Desired Access: Read 10:27:54,9080137 NOTEPAD.EXE 2604 RegQueryKey HKCU SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:54,9080474 NOTEPAD.EXE 2604 RegOpenKey HKCU\Software\Classes\Local Settings REPARSE Desired Access: Read 10:27:54,9080871 NOTEPAD.EXE 2604 RegOpenKey HKCU\Software\Classes\Local Settings SUCCESS Desired Access: Read 10:27:54,9081687 NOTEPAD.EXE 2604 RegSetInfoKey HKCU\Software\Classes\Local Settings SUCCESS KeySetInformationClass: KeySetHandleTagsInformation, Length: 0 10:27:54,9082348 NOTEPAD.EXE 2604 RegCloseKey HKCU SUCCESS 10:27:54,9082869 NOTEPAD.EXE 2604 RegQueryKey HKCU\Software\Classes\Local Settings SUCCESS Query: HandleTags, HandleTags: 0x100 10:27:54,9083316 NOTEPAD.EXE 2604 RegOpenKey HKCU\Software\Classes\Local Settings\Software\Microsoft\Ole\FeatureDevelopmentProperties NAME NOT FOUND Desired Access: Read 10:27:54,9087989 NOTEPAD.EXE 2604 RegQueryKey HKCU\Software\Classes\Local Settings BUFFER TOO SMALL Query: Name, Length: 0 10:27:54,9088556 NOTEPAD.EXE 2604 RegQueryKey HKCU\Software\Classes\Local Settings SUCCESS Query: Name 10:27:54,9089433 NOTEPAD.EXE 2604 RegOpenKey HKLM\SOFTWARE\Microsoft\AppModel\Lookaside\user\software\Classes\Local Settings\Software\Microsoft\Ole\FeatureDevelopmentProperties NAME NOT FOUND Desired Access: Read 10:27:54,9089931 NOTEPAD.EXE 2604 RegQueryKey HKCU\Software\Classes\Local Settings SUCCESS Query: HandleTags, HandleTags: 0x100 10:27:54,9090270 NOTEPAD.EXE 2604 RegOpenKey HKCU\Software\Classes\Local Settings\Software\Microsoft\Ole\FeatureDevelopmentProperties NAME NOT FOUND Desired Access: Read 10:27:54,9090613 NOTEPAD.EXE 2604 RegQueryKey HKCU\Software\Classes\Local Settings BUFFER TOO SMALL Query: Name, Length: 0 10:27:54,9091301 NOTEPAD.EXE 2604 RegQueryKey HKCU\Software\Classes\Local Settings SUCCESS Query: Name 10:27:54,9094318 NOTEPAD.EXE 2604 RegOpenKey HKLM\SOFTWARE\Microsoft\AppModel\Lookaside\user\software\Classes\Local Settings\Software\Microsoft\Ole\FeatureDevelopmentProperties NAME NOT FOUND Desired Access: Read 10:27:54,9094925 NOTEPAD.EXE 2604 RegQueryKey HKCU\Software\Classes\Local Settings SUCCESS Query: HandleTags, HandleTags: 0x100 10:27:54,9095290 NOTEPAD.EXE 2604 RegOpenKey HKCU\Software\Classes\Local Settings\Software\Microsoft\Ole NAME NOT FOUND Desired Access: Read 10:27:54,9095656 NOTEPAD.EXE 2604 RegQueryKey HKCU\Software\Classes\Local Settings BUFFER TOO SMALL Query: Name, Length: 0 10:27:54,9096052 NOTEPAD.EXE 2604 RegQueryKey HKCU\Software\Classes\Local Settings SUCCESS Query: Name 10:27:54,9096693 NOTEPAD.EXE 2604 RegOpenKey HKLM\SOFTWARE\Microsoft\AppModel\Lookaside\user\software\Classes\Local Settings\Software\Microsoft\Ole NAME NOT FOUND Desired Access: Read 10:27:54,9097115 NOTEPAD.EXE 2604 RegQueryKey HKCU\Software\Classes\Local Settings SUCCESS Query: HandleTags, HandleTags: 0x100 10:27:54,9097471 NOTEPAD.EXE 2604 RegOpenKey HKCU\Software\Classes\Local Settings\Software\Microsoft SUCCESS Desired Access: Read 10:27:54,9098623 NOTEPAD.EXE 2604 RegQueryKey HKLM SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:54,9099006 NOTEPAD.EXE 2604 RegOpenKey HKLM\Software\Microsoft\OLE\Tracing NAME NOT FOUND Desired Access: Read 10:27:54,9099344 NOTEPAD.EXE 2604 RegQueryKey HKLM BUFFER TOO SMALL Query: Name, Length: 0 10:27:54,9099653 NOTEPAD.EXE 2604 RegQueryKey HKLM SUCCESS Query: Name 10:27:54,9100100 NOTEPAD.EXE 2604 RegOpenKey HKLM\SOFTWARE\Microsoft\AppModel\Lookaside\machine\Software\Microsoft\OLE\Tracing NAME NOT FOUND Desired Access: Read 10:27:54,9101619 NOTEPAD.EXE 2604 RegQueryValue HKLM\System\CurrentControlSet\Control\WMI\Security\1aff6089-e863-4d36-bdfd-3581f07440be NAME NOT FOUND Length: 528 10:27:54,9105388 NOTEPAD.EXE 2604 QueryNameInformationFile C:\Windows\System32\combase.dll SUCCESS Name: \Windows\System32\combase.dll 10:27:54,9107073 NOTEPAD.EXE 2604 RegQueryValue HKLM\System\CurrentControlSet\Control\WMI\Security\f0558438-f56a-5987-47da-040ca75aef05 NAME NOT FOUND Length: 528 10:27:54,9108503 NOTEPAD.EXE 2604 QueryNameInformationFile C:\Windows\System32\combase.dll SUCCESS Name: \Windows\System32\combase.dll 10:27:54,9110997 NOTEPAD.EXE 2604 RegQueryValue HKLM\System\CurrentControlSet\Control\WMI\Security\c7e09e2a-c663-5399-af79-2fccd321d19a NAME NOT FOUND Length: 528 10:27:54,9112266 NOTEPAD.EXE 2604 QueryNameInformationFile C:\Windows\System32\combase.dll SUCCESS Name: \Windows\System32\combase.dll 10:27:54,9113316 NOTEPAD.EXE 2604 RegQueryValue HKLM\System\CurrentControlSet\Control\WMI\Security\703fcc13-b66f-5868-ddd9-e2db7f381ffb NAME NOT FOUND Length: 528 10:27:54,9114511 NOTEPAD.EXE 2604 QueryNameInformationFile C:\Windows\System32\combase.dll SUCCESS Name: \Windows\System32\combase.dll 10:27:54,9117342 NOTEPAD.EXE 2604 RegOpenKey HKLM\SYSTEM\CurrentControlSet\Control\Session Manager REPARSE Desired Access: Query Value, Enumerate Sub Keys 10:27:54,9117839 NOTEPAD.EXE 2604 RegOpenKey HKLM\System\CurrentControlSet\Control\Session Manager SUCCESS Desired Access: Query Value, Enumerate Sub Keys 10:27:54,9118280 NOTEPAD.EXE 2604 RegQueryValue HKLM\System\CurrentControlSet\Control\Session Manager\ResourcePolicies NAME NOT FOUND Length: 24 10:27:54,9118686 NOTEPAD.EXE 2604 RegCloseKey HKLM\System\CurrentControlSet\Control\Session Manager SUCCESS 10:27:54,9127012 NOTEPAD.EXE 2604 CreateFile C:\Windows\WindowsShell.Manifest SUCCESS Desired Access: Generic Read/Execute, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, Delete, AllocationSize: n/a, OpenResult: Opened 10:27:54,9128291 NOTEPAD.EXE 2604 CreateFileMapping C:\Windows\WindowsShell.Manifest FILE LOCKED WITH ONLY READERS SyncType: SyncTypeCreateSection, PageProtection: PAGE_EXECUTE_WRITECOPY|PAGE_NOCACHE 10:27:54,9128740 NOTEPAD.EXE 2604 QueryStandardInformationFile C:\Windows\WindowsShell.Manifest SUCCESS AllocationSize: 4.096, EndOfFile: 670, NumberOfLinks: 3, DeletePending: False, Directory: False 10:27:54,9129411 NOTEPAD.EXE 2604 CreateFileMapping C:\Windows\WindowsShell.Manifest SUCCESS SyncType: SyncTypeOther 10:27:54,9130517 NOTEPAD.EXE 2604 RegOpenKey HKLM\Software\Microsoft\Windows\CurrentVersion\SideBySide SUCCESS Desired Access: Read 10:27:54,9131085 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\PreferExternalManifest NAME NOT FOUND Length: 20 10:27:54,9131528 NOTEPAD.EXE 2604 RegCloseKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide SUCCESS 10:27:54,9151493 NOTEPAD.EXE 2604 QueryStandardInformationFile C:\Windows\WindowsShell.Manifest SUCCESS AllocationSize: 4.096, EndOfFile: 670, NumberOfLinks: 3, DeletePending: False, Directory: False 10:27:54,9162621 NOTEPAD.EXE 2604 CloseFile C:\Windows\WindowsShell.Manifest SUCCESS 10:27:54,9172279 NOTEPAD.EXE 2604 ReadFile C:\Windows\System32\notepad.exe SUCCESS Offset: 192.000, Length: 4.608, I/O Flags: Non-cached, Paging I/O, Synchronous Paging I/O, Priority: Normal 10:27:54,9181052 NOTEPAD.EXE 2604 QueryNameInformationFile C:\Windows\System32\notepad.exe SUCCESS Name: \Windows\System32\notepad.exe 10:27:54,9185080 NOTEPAD.EXE 2604 RegQueryValue HKLM\System\CurrentControlSet\Control\Notifications\418A073AA3BC8075 BUFFER TOO SMALL Length: 0 10:27:54,9190365 NOTEPAD.EXE 2604 RegQueryValue HKLM\System\CurrentControlSet\Control\Notifications\418A073AA3BC8075 SUCCESS Type: REG_BINARY, Length: 364, Data: 01 00 04 80 00 00 00 00 00 00 00 00 00 00 00 00 10:27:54,9202732 NOTEPAD.EXE 2604 Load Image C:\Windows\System32\bcryptprimitives.dll SUCCESS Image Base: 0x7ffb63400000, Image Size: 0x82000 10:27:54,9206781 NOTEPAD.EXE 2604 RegQueryValue HKLM\System\CurrentControlSet\Control\WMI\Security\f3a71a4b-6118-4257-8ccb-39a33ba059d4 NAME NOT FOUND Length: 528 10:27:54,9209297 NOTEPAD.EXE 2604 QueryNameInformationFile C:\Windows\System32\bcryptprimitives.dll SUCCESS Name: \Windows\System32\bcryptprimitives.dll 10:27:54,9212585 NOTEPAD.EXE 2604 RegOpenKey HKLM\System\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy REPARSE Desired Access: Query Value 10:27:54,9213089 NOTEPAD.EXE 2604 RegOpenKey HKLM\System\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy SUCCESS Desired Access: Query Value 10:27:54,9214814 NOTEPAD.EXE 2604 RegQueryValue HKLM\System\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy\STE NAME NOT FOUND Length: 20 10:27:54,9215190 NOTEPAD.EXE 2604 RegCloseKey HKLM\System\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy SUCCESS 10:27:54,9215615 NOTEPAD.EXE 2604 RegOpenKey HKLM\System\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy REPARSE Desired Access: Query Value 10:27:54,9216177 NOTEPAD.EXE 2604 RegOpenKey HKLM\System\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy SUCCESS Desired Access: Query Value 10:27:54,9216571 NOTEPAD.EXE 2604 RegQueryValue HKLM\System\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy\Enabled SUCCESS Type: REG_DWORD, Length: 4, Data: 0 10:27:54,9216962 NOTEPAD.EXE 2604 RegOpenKey HKLM\System\CurrentControlSet\Control\Lsa REPARSE Desired Access: Query Value 10:27:54,9217330 NOTEPAD.EXE 2604 RegOpenKey HKLM\System\CurrentControlSet\Control\Lsa SUCCESS Desired Access: Query Value 10:27:54,9217693 NOTEPAD.EXE 2604 RegQueryValue HKLM\System\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy NAME NOT FOUND Length: 20 10:27:54,9218004 NOTEPAD.EXE 2604 RegQueryValue HKLM\System\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy\MDMEnabled SUCCESS Type: REG_DWORD, Length: 4, Data: 0 10:27:54,9222042 NOTEPAD.EXE 2604 RegCloseKey HKLM\System\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy SUCCESS 10:27:54,9224310 NOTEPAD.EXE 2604 RegCloseKey HKLM\System\CurrentControlSet\Control\Lsa SUCCESS 10:27:54,9225108 NOTEPAD.EXE 2604 RegOpenKey HKLM\SYSTEM\CurrentControlSet\Policies\Microsoft\Cryptography\Configuration REPARSE Desired Access: Query Value 10:27:54,9225771 NOTEPAD.EXE 2604 RegOpenKey HKLM\System\CurrentControlSet\Policies\Microsoft\Cryptography\Configuration NAME NOT FOUND Desired Access: Query Value 10:27:54,9235729 NOTEPAD.EXE 2604 Load Image C:\Windows\System32\advapi32.dll SUCCESS Image Base: 0x7ffb63ea0000, Image Size: 0xaf000 10:27:54,9247775 NOTEPAD.EXE 2604 Load Image C:\Windows\System32\sechost.dll SUCCESS Image Base: 0x7ffb65030000, Image Size: 0x9c000 10:27:54,9257832 NOTEPAD.EXE 2604 RegQueryValue HKLM\System\CurrentControlSet\Control\WMI\Security\ca967c75-04bf-40b5-9a16-98b5f9332a92 NAME NOT FOUND Length: 528 10:27:54,9260920 NOTEPAD.EXE 2604 QueryNameInformationFile C:\Windows\System32\sechost.dll SUCCESS Name: \Windows\System32\sechost.dll 10:27:54,9263434 NOTEPAD.EXE 2604 RegQueryValue HKLM\System\CurrentControlSet\Control\WMI\Security\b6fd710b-f783-4b1c-ab9c-c68099dcc0c7 NAME NOT FOUND Length: 528 10:27:54,9265087 NOTEPAD.EXE 2604 QueryNameInformationFile C:\Windows\System32\sechost.dll SUCCESS Name: \Windows\System32\sechost.dll 10:27:54,9267501 NOTEPAD.EXE 2604 RegQueryValue HKLM\System\CurrentControlSet\Control\WMI\Security\bf30465b-e93c-46fd-9cdf-f41c8904a01f NAME NOT FOUND Length: 528 10:27:54,9268857 NOTEPAD.EXE 2604 QueryNameInformationFile C:\Windows\System32\advapi32.dll SUCCESS Name: \Windows\System32\advapi32.dll 10:27:54,9270045 NOTEPAD.EXE 2604 RegQueryValue HKLM\System\CurrentControlSet\Control\WMI\Security\c1376338-0984-48b8-b933-9c7d779fd84d NAME NOT FOUND Length: 528 10:27:54,9271322 NOTEPAD.EXE 2604 QueryNameInformationFile C:\Windows\System32\advapi32.dll SUCCESS Name: \Windows\System32\advapi32.dll 10:27:54,9274275 NOTEPAD.EXE 2604 RegQueryValue HKLM\System\CurrentControlSet\Control\WMI\Security\e29eb67a-714d-4d58-a598-46dee87e620b NAME NOT FOUND Length: 528 10:27:54,9276131 NOTEPAD.EXE 2604 RegQueryValue HKLM\System\CurrentControlSet\Control\WMI\Security\e29eb67a-714d-4d58-a598-46dee87e620b NAME NOT FOUND Length: 528 10:27:54,9278078 NOTEPAD.EXE 2604 QueryNameInformationFile C:\Windows\System32\notepad.exe SUCCESS Name: \Windows\System32\notepad.exe 10:27:54,9285869 NOTEPAD.EXE 2604 CreateFile C:\Windows\System32\rpcss.dll SUCCESS Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened 10:27:54,9286942 NOTEPAD.EXE 2604 QueryBasicInformationFile C:\Windows\System32\rpcss.dll SUCCESS CreationTime: 09/08/2023 09:58:56, LastAccessTime: 09/08/2023 10:27:54, LastWriteTime: 09/08/2023 09:58:56, ChangeTime: 09/08/2023 10:09:52, FileAttributes: A 10:27:54,9287347 NOTEPAD.EXE 2604 CloseFile C:\Windows\System32\rpcss.dll SUCCESS 10:27:54,9293053 NOTEPAD.EXE 2604 CreateFile C:\Windows\System32\rpcss.dll SUCCESS Desired Access: Read Data/List Directory, Synchronize, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, Delete, AllocationSize: n/a, OpenResult: Opened 10:27:54,9294548 NOTEPAD.EXE 2604 CreateFileMapping C:\Windows\System32\rpcss.dll FILE LOCKED WITH ONLY READERS SyncType: SyncTypeCreateSection, PageProtection: PAGE_EXECUTE_WRITECOPY|PAGE_NOCACHE 10:27:54,9294975 NOTEPAD.EXE 2604 QueryStandardInformationFile C:\Windows\System32\rpcss.dll SUCCESS AllocationSize: 765.952, EndOfFile: 1.324.544, NumberOfLinks: 2, DeletePending: False, Directory: False 10:27:54,9297332 NOTEPAD.EXE 2604 CreateFileMapping C:\Windows\System32\rpcss.dll SUCCESS SyncType: SyncTypeOther 10:27:54,9298579 NOTEPAD.EXE 2604 CloseFile C:\Windows\System32\rpcss.dll SUCCESS 10:27:54,9311772 NOTEPAD.EXE 2604 CreateFile C:\Windows\System32\kernel.appcore.dll SUCCESS Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened 10:27:54,9312597 NOTEPAD.EXE 2604 QueryBasicInformationFile C:\Windows\System32\kernel.appcore.dll SUCCESS CreationTime: 14/10/2020 11:25:18, LastAccessTime: 09/08/2023 10:27:54, LastWriteTime: 14/10/2020 11:25:18, ChangeTime: 09/08/2023 10:10:48, FileAttributes: A 10:27:54,9314648 NOTEPAD.EXE 2604 CloseFile C:\Windows\System32\kernel.appcore.dll SUCCESS 10:27:54,9330589 NOTEPAD.EXE 2604 CreateFile C:\Windows\System32\kernel.appcore.dll SUCCESS Desired Access: Read Data/List Directory, Execute/Traverse, Synchronize, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, Delete, AllocationSize: n/a, OpenResult: Opened 10:27:54,9363304 NOTEPAD.EXE 2604 CreateFileMapping C:\Windows\System32\kernel.appcore.dll FILE LOCKED WITH ONLY READERS SyncType: SyncTypeCreateSection, PageProtection: PAGE_EXECUTE_WRITECOPY|PAGE_NOCACHE 10:27:54,9364452 NOTEPAD.EXE 2604 CreateFileMapping C:\Windows\System32\kernel.appcore.dll SUCCESS SyncType: SyncTypeOther 10:27:54,9372043 NOTEPAD.EXE 2604 Load Image C:\Windows\System32\kernel.appcore.dll SUCCESS Image Base: 0x7ffb61080000, Image Size: 0x12000 10:27:54,9374548 NOTEPAD.EXE 2604 CloseFile C:\Windows\System32\kernel.appcore.dll SUCCESS 10:27:54,9388470 NOTEPAD.EXE 2604 CreateFile C:\Windows\System32\uxtheme.dll SUCCESS Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened 10:27:54,9389730 NOTEPAD.EXE 2604 QueryBasicInformationFile C:\Windows\System32\uxtheme.dll SUCCESS CreationTime: 10/11/2022 18:01:24, LastAccessTime: 09/08/2023 10:27:54, LastWriteTime: 10/11/2022 18:01:24, ChangeTime: 09/08/2023 10:22:52, FileAttributes: A 10:27:54,9390336 NOTEPAD.EXE 2604 CloseFile C:\Windows\System32\uxtheme.dll SUCCESS 10:27:54,9394932 NOTEPAD.EXE 2604 CreateFile C:\Windows\System32\uxtheme.dll SUCCESS Desired Access: Read Data/List Directory, Execute/Traverse, Synchronize, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, Delete, AllocationSize: n/a, OpenResult: Opened 10:27:54,9396655 NOTEPAD.EXE 2604 CreateFileMapping C:\Windows\System32\uxtheme.dll FILE LOCKED WITH ONLY READERS SyncType: SyncTypeCreateSection, PageProtection: PAGE_EXECUTE_WRITECOPY 10:27:54,9398934 NOTEPAD.EXE 2604 CreateFileMapping C:\Windows\System32\uxtheme.dll SUCCESS SyncType: SyncTypeOther 10:27:54,9407214 NOTEPAD.EXE 2604 Load Image C:\Windows\System32\uxtheme.dll SUCCESS Image Base: 0x7ffb60c90000, Image Size: 0x9e000 10:27:54,9418303 NOTEPAD.EXE 2604 CloseFile C:\Windows\System32\uxtheme.dll SUCCESS 10:27:54,9428557 NOTEPAD.EXE 2604 RegOpenKey HKCU SUCCESS Desired Access: Read 10:27:54,9429388 NOTEPAD.EXE 2604 RegQueryKey HKCU SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:54,9429828 NOTEPAD.EXE 2604 RegOpenKey HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\Personalize SUCCESS Desired Access: Query Value 10:27:54,9430357 NOTEPAD.EXE 2604 RegQueryValue HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\Personalize\AppsUseLightTheme SUCCESS Type: REG_DWORD, Length: 4, Data: 1 10:27:54,9430919 NOTEPAD.EXE 2604 RegCloseKey HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\Personalize SUCCESS 10:27:54,9431426 NOTEPAD.EXE 2604 RegCloseKey HKCU SUCCESS 10:27:54,9432454 NOTEPAD.EXE 2604 RegQueryValue HKLM\System\CurrentControlSet\Control\WMI\Security\673cf800-208a-5327-3f4b-2be44a66627a NAME NOT FOUND Length: 528 10:27:54,9434418 NOTEPAD.EXE 2604 QueryNameInformationFile C:\Windows\System32\uxtheme.dll SUCCESS Name: \Windows\System32\uxtheme.dll 10:27:54,9441359 NOTEPAD.EXE 2604 RegOpenKey HKCU\Software\Classes SUCCESS Desired Access: Maximum Allowed, Granted Access: All Access 10:27:54,9442267 NOTEPAD.EXE 2604 RegQueryValue HKLM\System\CurrentControlSet\Control\Notifications\418A073AA3BC8075 BUFFER TOO SMALL Length: 0 10:27:54,9443599 NOTEPAD.EXE 2604 RegQueryValue HKLM\System\CurrentControlSet\Control\Notifications\418A073AA3BC8075 SUCCESS Type: REG_BINARY, Length: 364, Data: 01 00 04 80 00 00 00 00 00 00 00 00 00 00 00 00 10:27:54,9446715 NOTEPAD.EXE 2604 RegQueryKey HKLM SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:54,9447177 NOTEPAD.EXE 2604 RegOpenKey HKLM\Software\Microsoft\COM3 SUCCESS Desired Access: Read 10:27:54,9447610 NOTEPAD.EXE 2604 RegSetInfoKey HKLM\SOFTWARE\Microsoft\COM3 SUCCESS KeySetInformationClass: KeySetHandleTagsInformation, Length: 0 10:27:54,9447878 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\COM3\Com+Enabled SUCCESS Type: REG_DWORD, Length: 4, Data: 1 10:27:54,9448304 NOTEPAD.EXE 2604 RegCloseKey HKLM\SOFTWARE\Microsoft\COM3 SUCCESS 10:27:54,9454821 NOTEPAD.EXE 2604 Load Image C:\Windows\System32\clbcatq.dll SUCCESS Image Base: 0x7ffb63cc0000, Image Size: 0xa9000 10:27:54,9461341 NOTEPAD.EXE 2604 RegOpenKey HKLM\Software\Microsoft\WindowsRuntime SUCCESS Desired Access: Read 10:27:54,9462025 NOTEPAD.EXE 2604 RegOpenKey HKLM\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId SUCCESS Desired Access: Read 10:27:54,9462486 NOTEPAD.EXE 2604 RegOpenKey HKLM\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.ApplicationModel.Resources.Core.ResourceManager SUCCESS Desired Access: Read 10:27:54,9463116 NOTEPAD.EXE 2604 RegQueryKey HKLM\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.ApplicationModel.Resources.Core.ResourceManager SUCCESS Query: Basic, Name: Windows.ApplicationModel.Resources.Core.ResourceManager 10:27:54,9463801 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.ApplicationModel.Resources.Core.ResourceManager\ActivationType SUCCESS Type: REG_DWORD, Length: 4, Data: 0 10:27:54,9464186 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.ApplicationModel.Resources.Core.ResourceManager\Server NAME NOT FOUND Length: 144 10:27:54,9464580 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.ApplicationModel.Resources.Core.ResourceManager\DllPath SUCCESS Type: REG_SZ, Length: 66, Data: C:\Windows\System32\MrmCoreR.dll 10:27:54,9464949 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.ApplicationModel.Resources.Core.ResourceManager\Threading SUCCESS Type: REG_DWORD, Length: 4, Data: 0 10:27:54,9465272 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.ApplicationModel.Resources.Core.ResourceManager\TrustLevel SUCCESS Type: REG_DWORD, Length: 4, Data: 0 10:27:54,9465604 NOTEPAD.EXE 2604 RegQueryKey HKLM\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.ApplicationModel.Resources.Core.ResourceManager SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:54,9465938 NOTEPAD.EXE 2604 RegOpenKey HKLM\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.ApplicationModel.Resources.Core.ResourceManager\CustomAttributes NAME NOT FOUND Desired Access: Read 10:27:54,9466288 NOTEPAD.EXE 2604 RegQueryKey HKLM\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.ApplicationModel.Resources.Core.ResourceManager BUFFER TOO SMALL Query: Name, Length: 0 10:27:54,9466700 NOTEPAD.EXE 2604 RegQueryKey HKLM\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.ApplicationModel.Resources.Core.ResourceManager SUCCESS Query: Name 10:27:54,9467164 NOTEPAD.EXE 2604 RegOpenKey HKLM\SOFTWARE\Microsoft\AppModel\Lookaside\machine\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.ApplicationModel.Resources.Core.ResourceManager\CustomAttributes NAME NOT FOUND Desired Access: Read 10:27:54,9467664 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.ApplicationModel.Resources.Core.ResourceManager\RemoteServer NAME NOT FOUND Length: 144 10:27:54,9468009 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.ApplicationModel.Resources.Core.ResourceManager\ActivateAsUser NAME NOT FOUND Length: 16 10:27:54,9468317 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.ApplicationModel.Resources.Core.ResourceManager\ActivateInSharedBroker NAME NOT FOUND Length: 16 10:27:54,9468730 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.ApplicationModel.Resources.Core.ResourceManager\ActivateInBrokerForMediumILContainer NAME NOT FOUND Length: 16 10:27:54,9469069 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.ApplicationModel.Resources.Core.ResourceManager\Permissions NAME NOT FOUND Length: 140 10:27:54,9469858 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.ApplicationModel.Resources.Core.ResourceManager\ActivateOnHostFlags NAME NOT FOUND Length: 16 10:27:54,9470400 NOTEPAD.EXE 2604 RegQueryKey HKLM SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:54,9470748 NOTEPAD.EXE 2604 RegOpenKey HKLM\SOFTWARE\Microsoft\OLE\Diagnosis NAME NOT FOUND Desired Access: Read 10:27:54,9471159 NOTEPAD.EXE 2604 RegQueryKey HKLM BUFFER TOO SMALL Query: Name, Length: 0 10:27:54,9471468 NOTEPAD.EXE 2604 RegQueryKey HKLM SUCCESS Query: Name 10:27:54,9471882 NOTEPAD.EXE 2604 RegOpenKey HKLM\SOFTWARE\Microsoft\AppModel\Lookaside\machine\SOFTWARE\Microsoft\OLE\Diagnosis NAME NOT FOUND Desired Access: Read 10:27:54,9472444 NOTEPAD.EXE 2604 RegQueryValue HKLM\System\CurrentControlSet\Control\Notifications\418A073AA3BC8075 BUFFER TOO SMALL Length: 0 10:27:54,9473560 NOTEPAD.EXE 2604 RegQueryValue HKLM\System\CurrentControlSet\Control\Notifications\418A073AA3BC8075 SUCCESS Type: REG_BINARY, Length: 364, Data: 01 00 04 80 00 00 00 00 00 00 00 00 00 00 00 00 10:27:54,9475209 NOTEPAD.EXE 2604 RegCloseKey HKLM\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.ApplicationModel.Resources.Core.ResourceManager SUCCESS 10:27:54,9475839 NOTEPAD.EXE 2604 RegOpenKey HKCU SUCCESS Desired Access: Read 10:27:54,9476309 NOTEPAD.EXE 2604 RegQueryKey HKCU SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:54,9476663 NOTEPAD.EXE 2604 RegOpenKey HKCU\Software\Classes REPARSE Desired Access: Notify 10:27:54,9477012 NOTEPAD.EXE 2604 RegOpenKey HKCU\Software\Classes SUCCESS Desired Access: Notify 10:27:54,9477447 NOTEPAD.EXE 2604 RegCloseKey HKCU SUCCESS 10:27:54,9478010 NOTEPAD.EXE 2604 RegQueryKey HKLM SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:54,9478325 NOTEPAD.EXE 2604 RegOpenKey HKLM\Software\Microsoft\OLE SUCCESS Desired Access: Read 10:27:54,9478707 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Ole\MaxSxSHashCount NAME NOT FOUND Length: 16 10:27:54,9479049 NOTEPAD.EXE 2604 RegCloseKey HKLM\SOFTWARE\Microsoft\Ole SUCCESS 10:27:54,9485685 NOTEPAD.EXE 2604 CreateFile C:\Windows\System32\MrmCoreR.dll SUCCESS Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened 10:27:54,9486782 NOTEPAD.EXE 2604 QueryBasicInformationFile C:\Windows\System32\MrmCoreR.dll SUCCESS CreationTime: 10/03/2022 19:53:39, LastAccessTime: 09/08/2023 10:27:53, LastWriteTime: 10/03/2022 19:53:39, ChangeTime: 09/08/2023 10:11:12, FileAttributes: A 10:27:54,9487191 NOTEPAD.EXE 2604 CloseFile C:\Windows\System32\MrmCoreR.dll SUCCESS 10:27:54,9490635 NOTEPAD.EXE 2604 CreateFile C:\Windows\System32\MrmCoreR.dll SUCCESS Desired Access: Read Data/List Directory, Execute/Traverse, Synchronize, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, Delete, AllocationSize: n/a, OpenResult: Opened 10:27:54,9492031 NOTEPAD.EXE 2604 CreateFileMapping C:\Windows\System32\MrmCoreR.dll FILE LOCKED WITH ONLY READERS SyncType: SyncTypeCreateSection, PageProtection: PAGE_EXECUTE_WRITECOPY|PAGE_NOCACHE 10:27:54,9493229 NOTEPAD.EXE 2604 CreateFileMapping C:\Windows\System32\MrmCoreR.dll SUCCESS SyncType: SyncTypeOther 10:27:54,9499764 NOTEPAD.EXE 2604 Load Image C:\Windows\System32\MrmCoreR.dll SUCCESS Image Base: 0x7ffb5a4c0000, Image Size: 0xf4000 10:27:54,9504028 NOTEPAD.EXE 2604 CloseFile C:\Windows\System32\MrmCoreR.dll SUCCESS 10:27:54,9507177 NOTEPAD.EXE 2604 RegQueryValue HKLM\System\CurrentControlSet\Control\WMI\Security\19c13211-dec8-42d5-885a-c4cfa82ea1ed NAME NOT FOUND Length: 528 10:27:54,9508958 NOTEPAD.EXE 2604 QueryNameInformationFile C:\Windows\System32\MrmCoreR.dll SUCCESS Name: \Windows\System32\MrmCoreR.dll 10:27:54,9515130 NOTEPAD.EXE 2604 RegQueryValue HKLM\System\CurrentControlSet\Control\Notifications\418A073AA3BC8075 BUFFER TOO SMALL Length: 0 10:27:54,9516447 NOTEPAD.EXE 2604 RegQueryValue HKLM\System\CurrentControlSet\Control\Notifications\418A073AA3BC8075 SUCCESS Type: REG_BINARY, Length: 364, Data: 01 00 04 80 00 00 00 00 00 00 00 00 00 00 00 00 10:27:54,9520491 NOTEPAD.EXE 2604 RegQueryKey HKLM SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:54,9520968 NOTEPAD.EXE 2604 RegOpenKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Scaling NAME NOT FOUND Desired Access: Query Value 10:27:54,9521572 NOTEPAD.EXE 2604 RegQueryKey HKLM BUFFER TOO SMALL Query: Name, Length: 0 10:27:54,9522069 NOTEPAD.EXE 2604 RegQueryKey HKLM SUCCESS Query: Name 10:27:54,9522738 NOTEPAD.EXE 2604 RegOpenKey HKLM\SOFTWARE\Microsoft\AppModel\Lookaside\machine\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Scaling NAME NOT FOUND Desired Access: Read 10:27:54,9523319 NOTEPAD.EXE 2604 RegQueryKey HKLM SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:54,9523705 NOTEPAD.EXE 2604 RegOpenKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Scaling NAME NOT FOUND Desired Access: Query Value 10:27:54,9524142 NOTEPAD.EXE 2604 RegQueryKey HKLM BUFFER TOO SMALL Query: Name, Length: 0 10:27:54,9524512 NOTEPAD.EXE 2604 RegQueryKey HKLM SUCCESS Query: Name 10:27:54,9524970 NOTEPAD.EXE 2604 RegOpenKey HKLM\SOFTWARE\Microsoft\AppModel\Lookaside\machine\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Scaling NAME NOT FOUND Desired Access: Read 10:27:54,9527555 NOTEPAD.EXE 2604 RegQueryKey HKLM SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:54,9528160 NOTEPAD.EXE 2604 RegOpenKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Scaling NAME NOT FOUND Desired Access: Query Value 10:27:54,9528674 NOTEPAD.EXE 2604 RegQueryKey HKLM BUFFER TOO SMALL Query: Name, Length: 0 10:27:54,9529084 NOTEPAD.EXE 2604 RegQueryKey HKLM SUCCESS Query: Name 10:27:54,9529611 NOTEPAD.EXE 2604 RegOpenKey HKLM\SOFTWARE\Microsoft\AppModel\Lookaside\machine\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Scaling NAME NOT FOUND Desired Access: Read 10:27:54,9531786 NOTEPAD.EXE 2604 RegQueryKey HKLM SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:54,9532503 NOTEPAD.EXE 2604 RegOpenKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Scaling NAME NOT FOUND Desired Access: Query Value 10:27:54,9532984 NOTEPAD.EXE 2604 RegQueryKey HKLM BUFFER TOO SMALL Query: Name, Length: 0 10:27:54,9533749 NOTEPAD.EXE 2604 RegQueryKey HKLM SUCCESS Query: Name 10:27:54,9534452 NOTEPAD.EXE 2604 RegOpenKey HKLM\SOFTWARE\Microsoft\AppModel\Lookaside\machine\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Scaling NAME NOT FOUND Desired Access: Read 10:27:54,9535954 NOTEPAD.EXE 2604 RegQueryKey HKLM SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:54,9536340 NOTEPAD.EXE 2604 RegOpenKey HKLM\Software\Microsoft\Windows\CurrentVersion\Mrt\_Merged NAME NOT FOUND Desired Access: Query Value 10:27:54,9536752 NOTEPAD.EXE 2604 RegQueryKey HKLM BUFFER TOO SMALL Query: Name, Length: 0 10:27:54,9537104 NOTEPAD.EXE 2604 RegQueryKey HKLM SUCCESS Query: Name 10:27:54,9537542 NOTEPAD.EXE 2604 RegOpenKey HKLM\SOFTWARE\Microsoft\AppModel\Lookaside\machine\Software\Microsoft\Windows\CurrentVersion\Mrt\_Merged NAME NOT FOUND Desired Access: Read 10:27:54,9544265 NOTEPAD.EXE 2604 CreateFile C:\Windows\System32\resources.pri NAME NOT FOUND Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a 10:27:54,9550848 NOTEPAD.EXE 2604 CreateFile C:\Windows\System32\resources.pri NAME NOT FOUND Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a 10:27:54,9564587 NOTEPAD.EXE 2604 CreateFile C:\Windows\SystemResources\notepad.exe.mun SUCCESS Desired Access: Read Data/List Directory, Synchronize, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, Delete, AllocationSize: n/a, OpenResult: Opened 10:27:54,9565972 NOTEPAD.EXE 2604 CreateFileMapping C:\Windows\SystemResources\notepad.exe.mun FILE LOCKED WITH ONLY READERS SyncType: SyncTypeCreateSection, PageProtection: PAGE_EXECUTE_WRITECOPY|PAGE_NOCACHE 10:27:54,9566410 NOTEPAD.EXE 2604 QueryStandardInformationFile C:\Windows\SystemResources\notepad.exe.mun SUCCESS AllocationSize: 94.208, EndOfFile: 105.984, NumberOfLinks: 2, DeletePending: False, Directory: False 10:27:54,9567099 NOTEPAD.EXE 2604 CreateFileMapping C:\Windows\SystemResources\notepad.exe.mun SUCCESS SyncType: SyncTypeOther 10:27:54,9586619 NOTEPAD.EXE 2604 RegOpenKey HKLM\System\CurrentControlSet\Control\Nls\CustomLocale REPARSE Desired Access: Read 10:27:54,9588952 NOTEPAD.EXE 2604 RegOpenKey HKLM\System\CurrentControlSet\Control\Nls\CustomLocale SUCCESS Desired Access: Read 10:27:54,9589427 NOTEPAD.EXE 2604 RegQueryValue HKLM\System\CurrentControlSet\Control\Nls\CustomLocale\pt-BR NAME NOT FOUND Length: 532 10:27:54,9589774 NOTEPAD.EXE 2604 RegCloseKey HKLM\System\CurrentControlSet\Control\Nls\CustomLocale SUCCESS 10:27:54,9590173 NOTEPAD.EXE 2604 RegOpenKey HKLM\System\CurrentControlSet\Control\Nls\ExtendedLocale REPARSE Desired Access: Read 10:27:54,9590538 NOTEPAD.EXE 2604 RegOpenKey HKLM\System\CurrentControlSet\Control\Nls\ExtendedLocale SUCCESS Desired Access: Read 10:27:54,9590890 NOTEPAD.EXE 2604 RegQueryValue HKLM\System\CurrentControlSet\Control\Nls\ExtendedLocale\pt-BR NAME NOT FOUND Length: 532 10:27:54,9591191 NOTEPAD.EXE 2604 RegCloseKey HKLM\System\CurrentControlSet\Control\Nls\ExtendedLocale SUCCESS 10:27:54,9591820 NOTEPAD.EXE 2604 RegOpenKey HKCU SUCCESS Desired Access: Maximum Allowed, Granted Access: All Access 10:27:54,9592246 NOTEPAD.EXE 2604 RegQueryKey HKCU SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:54,9592550 NOTEPAD.EXE 2604 RegOpenKey HKCU\Software\Microsoft\Notepad SUCCESS Desired Access: Read 10:27:54,9593307 NOTEPAD.EXE 2604 RegQueryValue HKCU\SOFTWARE\Microsoft\Notepad\lfEscapement SUCCESS Type: REG_DWORD, Length: 4, Data: 0 10:27:54,9593636 NOTEPAD.EXE 2604 RegQueryValue HKCU\SOFTWARE\Microsoft\Notepad\lfOrientation SUCCESS Type: REG_DWORD, Length: 4, Data: 0 10:27:54,9593932 NOTEPAD.EXE 2604 RegQueryValue HKCU\SOFTWARE\Microsoft\Notepad\lfWeight SUCCESS Type: REG_DWORD, Length: 4, Data: 700 10:27:54,9594244 NOTEPAD.EXE 2604 RegQueryValue HKCU\SOFTWARE\Microsoft\Notepad\lfItalic SUCCESS Type: REG_DWORD, Length: 4, Data: 255 10:27:54,9594513 NOTEPAD.EXE 2604 RegQueryValue HKCU\SOFTWARE\Microsoft\Notepad\lfUnderline SUCCESS Type: REG_DWORD, Length: 4, Data: 0 10:27:54,9594804 NOTEPAD.EXE 2604 RegQueryValue HKCU\SOFTWARE\Microsoft\Notepad\lfStrikeOut SUCCESS Type: REG_DWORD, Length: 4, Data: 0 10:27:54,9595068 NOTEPAD.EXE 2604 RegQueryValue HKCU\SOFTWARE\Microsoft\Notepad\lfCharSet SUCCESS Type: REG_DWORD, Length: 4, Data: 0 10:27:54,9595370 NOTEPAD.EXE 2604 RegQueryValue HKCU\SOFTWARE\Microsoft\Notepad\lfOutPrecision SUCCESS Type: REG_DWORD, Length: 4, Data: 3 10:27:54,9595644 NOTEPAD.EXE 2604 RegQueryValue HKCU\SOFTWARE\Microsoft\Notepad\lfClipPrecision SUCCESS Type: REG_DWORD, Length: 4, Data: 2 10:27:54,9595990 NOTEPAD.EXE 2604 RegQueryValue HKCU\SOFTWARE\Microsoft\Notepad\lfQuality SUCCESS Type: REG_DWORD, Length: 4, Data: 1 10:27:54,9596298 NOTEPAD.EXE 2604 RegQueryValue HKCU\SOFTWARE\Microsoft\Notepad\lfPitchAndFamily SUCCESS Type: REG_DWORD, Length: 4, Data: 49 10:27:54,9596603 NOTEPAD.EXE 2604 RegQueryKey HKLM SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:54,9596920 NOTEPAD.EXE 2604 RegOpenKey HKLM\Software\Microsoft\Notepad\DefaultFonts SUCCESS Desired Access: Read 10:27:54,9597426 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Notepad\DefaultFonts\lfFaceName SUCCESS Type: REG_SZ, Length: 18, Data: Consolas 10:27:54,9597714 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Notepad\DefaultFonts\iPointSize SUCCESS Type: REG_DWORD, Length: 4, Data: 110 10:27:54,9598136 NOTEPAD.EXE 2604 RegCloseKey HKLM\SOFTWARE\Microsoft\Notepad\DefaultFonts SUCCESS 10:27:54,9598476 NOTEPAD.EXE 2604 RegQueryValue HKCU\SOFTWARE\Microsoft\Notepad\lfFaceName SUCCESS Type: REG_SZ, Length: 18, Data: Consolas 10:27:54,9598783 NOTEPAD.EXE 2604 RegQueryValue HKCU\SOFTWARE\Microsoft\Notepad\iPointSize SUCCESS Type: REG_DWORD, Length: 4, Data: 110 10:27:54,9599080 NOTEPAD.EXE 2604 RegQueryValue HKCU\SOFTWARE\Microsoft\Notepad\fWrap NAME NOT FOUND Length: 16 10:27:54,9599616 NOTEPAD.EXE 2604 RegQueryValue HKLM\System\CurrentControlSet\Control\Notifications\418A073AA3BC8075 BUFFER TOO SMALL Length: 0 10:27:54,9600737 NOTEPAD.EXE 2604 RegQueryValue HKLM\System\CurrentControlSet\Control\Notifications\418A073AA3BC8075 SUCCESS Type: REG_BINARY, Length: 364, Data: 01 00 04 80 00 00 00 00 00 00 00 00 00 00 00 00 10:27:54,9601761 NOTEPAD.EXE 2604 RegQueryValue HKCU\SOFTWARE\Microsoft\Notepad\iDefaultEncoding NAME NOT FOUND Length: 16 10:27:54,9602123 NOTEPAD.EXE 2604 RegQueryValue HKLM\System\CurrentControlSet\Control\Notifications\418A073AA3BC8075 BUFFER TOO SMALL Length: 0 10:27:54,9603034 NOTEPAD.EXE 2604 RegQueryValue HKLM\System\CurrentControlSet\Control\Notifications\418A073AA3BC8075 SUCCESS Type: REG_BINARY, Length: 364, Data: 01 00 04 80 00 00 00 00 00 00 00 00 00 00 00 00 10:27:54,9604025 NOTEPAD.EXE 2604 RegQueryValue HKCU\SOFTWARE\Microsoft\Notepad\StatusBar NAME NOT FOUND Length: 16 10:27:54,9604341 NOTEPAD.EXE 2604 RegQueryValue HKCU\SOFTWARE\Microsoft\Notepad\fSaveWindowPositions NAME NOT FOUND Length: 16 10:27:54,9604630 NOTEPAD.EXE 2604 RegQueryValue HKCU\SOFTWARE\Microsoft\Notepad\fWindowsOnlyEOL SUCCESS Type: REG_DWORD, Length: 4, Data: 0 10:27:54,9604936 NOTEPAD.EXE 2604 RegQueryValue HKCU\SOFTWARE\Microsoft\Notepad\fPasteOriginalEOL SUCCESS Type: REG_DWORD, Length: 4, Data: 0 10:27:54,9605271 NOTEPAD.EXE 2604 RegQueryValue HKCU\SOFTWARE\Microsoft\Notepad\fReverse SUCCESS Type: REG_DWORD, Length: 4, Data: 0 10:27:54,9605573 NOTEPAD.EXE 2604 RegQueryValue HKCU\SOFTWARE\Microsoft\Notepad\fWrapAround SUCCESS Type: REG_DWORD, Length: 4, Data: 1 10:27:54,9605848 NOTEPAD.EXE 2604 RegQueryValue HKCU\SOFTWARE\Microsoft\Notepad\fMatchCase SUCCESS Type: REG_DWORD, Length: 4, Data: 1 10:27:54,9606172 NOTEPAD.EXE 2604 RegQueryValue HKCU\SOFTWARE\Microsoft\Notepad\searchString SUCCESS Type: REG_SZ, Length: 10, Data: cabo 10:27:54,9607653 NOTEPAD.EXE 2604 RegQueryValue HKCU\SOFTWARE\Microsoft\Notepad\replaceString SUCCESS Type: REG_SZ, Length: 2, Data: 10:27:54,9608316 NOTEPAD.EXE 2604 RegQueryValue HKCU\SOFTWARE\Microsoft\Notepad\szHeader SUCCESS Type: REG_SZ, Length: 2, Data: 10:27:54,9609300 NOTEPAD.EXE 2604 RegQueryValue HKCU\SOFTWARE\Microsoft\Notepad\szTrailer SUCCESS Type: REG_SZ, Length: 2, Data: 10:27:54,9610172 NOTEPAD.EXE 2604 RegQueryValue HKCU\SOFTWARE\Microsoft\Notepad\iMarginTop SUCCESS Type: REG_DWORD, Length: 4, Data: 2500 10:27:54,9610889 NOTEPAD.EXE 2604 RegQueryValue HKCU\SOFTWARE\Microsoft\Notepad\iMarginBottom SUCCESS Type: REG_DWORD, Length: 4, Data: 2500 10:27:54,9611306 NOTEPAD.EXE 2604 RegQueryValue HKCU\SOFTWARE\Microsoft\Notepad\iMarginLeft SUCCESS Type: REG_DWORD, Length: 4, Data: 2000 10:27:54,9611585 NOTEPAD.EXE 2604 RegQueryValue HKCU\SOFTWARE\Microsoft\Notepad\iMarginRight SUCCESS Type: REG_DWORD, Length: 4, Data: 2000 10:27:54,9611854 NOTEPAD.EXE 2604 RegQueryValue HKCU\SOFTWARE\Microsoft\Notepad\iWindowPosY SUCCESS Type: REG_DWORD, Length: 4, Data: 136 10:27:54,9612109 NOTEPAD.EXE 2604 RegQueryValue HKCU\SOFTWARE\Microsoft\Notepad\iWindowPosX SUCCESS Type: REG_DWORD, Length: 4, Data: 4294967289 10:27:54,9613350 NOTEPAD.EXE 2604 RegQueryValue HKCU\SOFTWARE\Microsoft\Notepad\iWindowPosDX SUCCESS Type: REG_DWORD, Length: 4, Data: 1038 10:27:54,9613631 NOTEPAD.EXE 2604 RegQueryValue HKCU\SOFTWARE\Microsoft\Notepad\iWindowPosDY SUCCESS Type: REG_DWORD, Length: 4, Data: 638 10:27:54,9613945 NOTEPAD.EXE 2604 RegQueryValue HKCU\SOFTWARE\Microsoft\Notepad\fMLE_is_broken NAME NOT FOUND Length: 16 10:27:54,9614299 NOTEPAD.EXE 2604 RegCloseKey HKCU\SOFTWARE\Microsoft\Notepad SUCCESS 10:27:54,9621920 NOTEPAD.EXE 2604 Load Image C:\Windows\System32\shell32.dll SUCCESS Image Base: 0x7ffb65380000, Image Size: 0x744000 10:27:54,9634639 NOTEPAD.EXE 2604 RegQueryValue HKLM\System\CurrentControlSet\Control\WMI\Security\30336ed4-e327-447c-9de0-51b652c86108 NAME NOT FOUND Length: 528 10:27:54,9636412 NOTEPAD.EXE 2604 QueryNameInformationFile C:\Windows\System32\shell32.dll SUCCESS Name: \Windows\System32\shell32.dll 10:27:54,9638028 NOTEPAD.EXE 2604 RegQueryValue HKLM\System\CurrentControlSet\Control\WMI\Security\32980f26-c8f5-5767-6b26-635b3fa83c61 NAME NOT FOUND Length: 528 10:27:54,9639315 NOTEPAD.EXE 2604 QueryNameInformationFile C:\Windows\System32\shell32.dll SUCCESS Name: \Windows\System32\shell32.dll 10:27:54,9640210 NOTEPAD.EXE 2604 RegQueryValue HKLM\System\CurrentControlSet\Control\WMI\Security\703fcc13-b66f-5868-ddd9-e2db7f381ffb NAME NOT FOUND Length: 528 10:27:54,9641416 NOTEPAD.EXE 2604 QueryNameInformationFile C:\Windows\System32\shell32.dll SUCCESS Name: \Windows\System32\shell32.dll 10:27:54,9649785 NOTEPAD.EXE 2604 CreateFile C:\Windows\System32\windows.storage.dll SUCCESS Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened 10:27:54,9650588 NOTEPAD.EXE 2604 QueryBasicInformationFile C:\Windows\System32\windows.storage.dll SUCCESS CreationTime: 09/08/2023 09:58:34, LastAccessTime: 09/08/2023 10:27:54, LastWriteTime: 09/08/2023 09:58:36, ChangeTime: 09/08/2023 10:13:13, FileAttributes: A 10:27:54,9650988 NOTEPAD.EXE 2604 CloseFile C:\Windows\System32\windows.storage.dll SUCCESS 10:27:54,9654508 NOTEPAD.EXE 2604 CreateFile C:\Windows\System32\windows.storage.dll SUCCESS Desired Access: Read Data/List Directory, Execute/Traverse, Synchronize, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, Delete, AllocationSize: n/a, OpenResult: Opened 10:27:54,9655643 NOTEPAD.EXE 2604 CreateFileMapping C:\Windows\System32\windows.storage.dll FILE LOCKED WITH ONLY READERS SyncType: SyncTypeCreateSection, PageProtection: PAGE_EXECUTE_WRITECOPY|PAGE_NOCACHE 10:27:54,9656584 NOTEPAD.EXE 2604 CreateFileMapping C:\Windows\System32\windows.storage.dll SUCCESS SyncType: SyncTypeOther 10:27:54,9663711 NOTEPAD.EXE 2604 Load Image C:\Windows\System32\windows.storage.dll SUCCESS Image Base: 0x7ffb61360000, Image Size: 0x793000 10:27:54,9666765 NOTEPAD.EXE 2604 RegQueryValue HKLM\System\CurrentControlSet\Control\Notifications\418A073AA3BC8075 BUFFER TOO SMALL Length: 0 10:27:54,9667226 NOTEPAD.EXE 2604 CloseFile C:\Windows\System32\windows.storage.dll SUCCESS 10:27:54,9667929 NOTEPAD.EXE 2604 RegQueryValue HKLM\System\CurrentControlSet\Control\Notifications\418A073AA3BC8075 SUCCESS Type: REG_BINARY, Length: 364, Data: 01 00 04 80 00 00 00 00 00 00 00 00 00 00 00 00 10:27:54,9669104 NOTEPAD.EXE 2604 RegQueryValue HKLM\System\CurrentControlSet\Control\Notifications\418A073AA3BC8075 BUFFER TOO SMALL Length: 0 10:27:54,9670144 NOTEPAD.EXE 2604 RegQueryValue HKLM\System\CurrentControlSet\Control\Notifications\418A073AA3BC8075 SUCCESS Type: REG_BINARY, Length: 364, Data: 01 00 04 80 00 00 00 00 00 00 00 00 00 00 00 00 10:27:54,9671260 NOTEPAD.EXE 2604 RegOpenKey HKLM\System\CurrentControlSet\Control\Session Manager REPARSE Desired Access: Query Value 10:27:54,9671659 NOTEPAD.EXE 2604 RegOpenKey HKLM\System\CurrentControlSet\Control\Session Manager SUCCESS Desired Access: Query Value 10:27:54,9672033 NOTEPAD.EXE 2604 RegQueryValue HKLM\System\CurrentControlSet\Control\Session Manager\SafeDllSearchMode NAME NOT FOUND Length: 16 10:27:54,9678202 NOTEPAD.EXE 2604 CreateFile C:\Windows\System32\wldp.dll SUCCESS Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened 10:27:54,9679247 NOTEPAD.EXE 2604 QueryBasicInformationFile C:\Windows\System32\wldp.dll SUCCESS CreationTime: 12/04/2023 09:27:52, LastAccessTime: 09/08/2023 10:27:54, LastWriteTime: 12/04/2023 09:27:52, ChangeTime: 09/08/2023 10:11:12, FileAttributes: A 10:27:54,9679603 NOTEPAD.EXE 2604 CloseFile C:\Windows\System32\wldp.dll SUCCESS 10:27:54,9682937 NOTEPAD.EXE 2604 CreateFile C:\Windows\System32\wldp.dll SUCCESS Desired Access: Read Data/List Directory, Execute/Traverse, Synchronize, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, Delete, AllocationSize: n/a, OpenResult: Opened 10:27:54,9684258 NOTEPAD.EXE 2604 CreateFileMapping C:\Windows\System32\wldp.dll FILE LOCKED WITH ONLY READERS SyncType: SyncTypeCreateSection, PageProtection: PAGE_EXECUTE_WRITECOPY|PAGE_NOCACHE 10:27:54,9685449 NOTEPAD.EXE 2604 CreateFileMapping C:\Windows\System32\wldp.dll SUCCESS SyncType: SyncTypeOther 10:27:54,9692234 NOTEPAD.EXE 2604 Load Image C:\Windows\System32\wldp.dll SUCCESS Image Base: 0x7ffb62c10000, Image Size: 0x2e000 10:27:54,9694558 NOTEPAD.EXE 2604 CloseFile C:\Windows\System32\wldp.dll SUCCESS 10:27:54,9699936 NOTEPAD.EXE 2604 RegQueryValue HKLM\System\CurrentControlSet\Control\WMI\Security\9a2edb8f-5883-499f-aced-6e4b69d43ddf NAME NOT FOUND Length: 528 10:27:54,9701538 NOTEPAD.EXE 2604 QueryNameInformationFile C:\Windows\System32\wldp.dll SUCCESS Name: \Windows\System32\wldp.dll 10:27:54,9713325 NOTEPAD.EXE 2604 RegQueryValue HKLM\System\CurrentControlSet\Control\WMI\Security\30336ed4-e327-447c-9de0-51b652c86108 NAME NOT FOUND Length: 528 10:27:54,9715643 NOTEPAD.EXE 2604 QueryNameInformationFile C:\Windows\System32\windows.storage.dll SUCCESS Name: \Windows\System32\windows.storage.dll 10:27:54,9717576 NOTEPAD.EXE 2604 RegQueryValue HKLM\System\CurrentControlSet\Control\WMI\Security\a40b455c-253c-4311-ac6d-6e667edccefc NAME NOT FOUND Length: 528 10:27:54,9718889 NOTEPAD.EXE 2604 QueryNameInformationFile C:\Windows\System32\windows.storage.dll SUCCESS Name: \Windows\System32\windows.storage.dll 10:27:54,9719939 NOTEPAD.EXE 2604 RegQueryValue HKLM\System\CurrentControlSet\Control\WMI\Security\703fcc13-b66f-5868-ddd9-e2db7f381ffb NAME NOT FOUND Length: 528 10:27:54,9721187 NOTEPAD.EXE 2604 QueryNameInformationFile C:\Windows\System32\windows.storage.dll SUCCESS Name: \Windows\System32\windows.storage.dll 10:27:54,9722142 NOTEPAD.EXE 2604 RegQueryValue HKLM\System\CurrentControlSet\Control\WMI\Security\32980f26-c8f5-5767-6b26-635b3fa83c61 NAME NOT FOUND Length: 528 10:27:54,9723352 NOTEPAD.EXE 2604 QueryNameInformationFile C:\Windows\System32\windows.storage.dll SUCCESS Name: \Windows\System32\windows.storage.dll 10:27:54,9726324 NOTEPAD.EXE 2604 RegQueryKey HKLM SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:54,9729152 NOTEPAD.EXE 2604 RegOpenKey HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions SUCCESS Desired Access: Read 10:27:54,9730348 NOTEPAD.EXE 2604 RegQueryKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:54,9730724 NOTEPAD.EXE 2604 RegOpenKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091} SUCCESS Desired Access: Read 10:27:54,9731599 NOTEPAD.EXE 2604 RegCloseKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions SUCCESS 10:27:54,9738066 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\Category SUCCESS Type: REG_DWORD, Length: 4, Data: 4 10:27:54,9739398 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\Name SUCCESS Type: REG_SZ, Length: 28, Data: Local AppData 10:27:54,9739897 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\ParentFolder NAME NOT FOUND Length: 90 10:27:54,9740325 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\Description NAME NOT FOUND Length: 144 10:27:54,9740627 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\RelativePath SUCCESS Type: REG_SZ, Length: 28, Data: AppData\Local 10:27:54,9740959 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\ParsingName NAME NOT FOUND Length: 144 10:27:54,9741258 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\InfoTip NAME NOT FOUND Length: 144 10:27:54,9741540 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\LocalizedName NAME NOT FOUND Length: 144 10:27:54,9741867 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\Icon NAME NOT FOUND Length: 144 10:27:54,9742176 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\Security NAME NOT FOUND Length: 144 10:27:54,9742513 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\StreamResource NAME NOT FOUND Length: 144 10:27:54,9742820 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\StreamResourceType NAME NOT FOUND Length: 144 10:27:54,9743125 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\LocalRedirectOnly SUCCESS Type: REG_DWORD, Length: 4, Data: 1 10:27:54,9743604 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\Roamable NAME NOT FOUND Length: 16 10:27:54,9743922 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\PreCreate NAME NOT FOUND Length: 16 10:27:54,9744291 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\Stream NAME NOT FOUND Length: 16 10:27:54,9744601 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\PublishExpandedPath SUCCESS Type: REG_DWORD, Length: 4, Data: 1 10:27:54,9744873 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\DefinitionFlags NAME NOT FOUND Length: 16 10:27:54,9745146 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\Attributes NAME NOT FOUND Length: 16 10:27:54,9745650 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\FolderTypeID NAME NOT FOUND Length: 90 10:27:54,9746099 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\InitFolderHandler NAME NOT FOUND Length: 90 10:27:54,9753222 NOTEPAD.EXE 2604 Load Image C:\Windows\System32\shlwapi.dll SUCCESS Image Base: 0x7ffb64d90000, Image Size: 0x55000 10:27:54,9762477 NOTEPAD.EXE 2604 RegQueryKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091} SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:54,9765468 NOTEPAD.EXE 2604 RegOpenKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\PropertyBag NAME NOT FOUND Desired Access: Read 10:27:54,9765888 NOTEPAD.EXE 2604 RegQueryKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091} BUFFER TOO SMALL Query: Name, Length: 0 10:27:54,9766342 NOTEPAD.EXE 2604 RegQueryKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091} SUCCESS Query: Name 10:27:54,9766909 NOTEPAD.EXE 2604 RegOpenKey HKLM\SOFTWARE\Microsoft\AppModel\Lookaside\machine\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\PropertyBag NAME NOT FOUND Desired Access: Read 10:27:54,9768279 NOTEPAD.EXE 2604 RegCloseKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091} SUCCESS 10:27:54,9768957 NOTEPAD.EXE 2604 RegQueryKey HKCU SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:54,9769315 NOTEPAD.EXE 2604 RegOpenKey HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer SUCCESS Desired Access: Query Value 10:27:54,9769775 NOTEPAD.EXE 2604 RegQueryKey HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:54,9770082 NOTEPAD.EXE 2604 RegOpenKey HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1 SUCCESS Desired Access: Query Value 10:27:54,9770528 NOTEPAD.EXE 2604 RegQueryKey HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1 SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:54,9770942 NOTEPAD.EXE 2604 RegOpenKey HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\KnownFolders NAME NOT FOUND Desired Access: Query Value 10:27:54,9771279 NOTEPAD.EXE 2604 RegQueryKey HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1 BUFFER TOO SMALL Query: Name, Length: 0 10:27:54,9771685 NOTEPAD.EXE 2604 RegQueryKey HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1 SUCCESS Query: Name 10:27:54,9772341 NOTEPAD.EXE 2604 RegOpenKey HKLM\SOFTWARE\Microsoft\AppModel\Lookaside\user\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\KnownFolders NAME NOT FOUND Desired Access: Read 10:27:54,9772943 NOTEPAD.EXE 2604 RegCloseKey HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1 SUCCESS 10:27:54,9773370 NOTEPAD.EXE 2604 RegOpenKey HKCU SUCCESS Desired Access: Read 10:27:54,9774020 NOTEPAD.EXE 2604 RegQueryKey HKCU SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:54,9774342 NOTEPAD.EXE 2604 RegOpenKey HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders SUCCESS Desired Access: Read 10:27:54,9774796 NOTEPAD.EXE 2604 RegCloseKey HKCU SUCCESS 10:27:54,9775235 NOTEPAD.EXE 2604 RegQueryValue HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Local AppData SUCCESS Type: REG_EXPAND_SZ, Length: 56, Data: %USERPROFILE%\AppData\Local 10:27:54,9775920 NOTEPAD.EXE 2604 RegQueryValue HKLM\System\CurrentControlSet\Control\Nls\Sorting\Versions\000603xx SUCCESS Type: REG_SZ, Length: 26, Data: kernel32.dll 10:27:54,9779714 NOTEPAD.EXE 2604 CreateFile C:\Windows\Globalization\Sorting\SortDefault.nls SUCCESS Desired Access: Generic Read, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: N, ShareMode: Read, AllocationSize: n/a, OpenResult: Opened 10:27:54,9781012 NOTEPAD.EXE 2604 CreateFileMapping C:\Windows\Globalization\Sorting\SortDefault.nls FILE LOCKED WITH ONLY READERS SyncType: SyncTypeCreateSection, PageProtection: PAGE_EXECUTE_WRITECOPY|PAGE_NOCACHE 10:27:54,9781487 NOTEPAD.EXE 2604 QueryStandardInformationFile C:\Windows\Globalization\Sorting\SortDefault.nls SUCCESS AllocationSize: 1.941.504, EndOfFile: 3.371.404, NumberOfLinks: 2, DeletePending: False, Directory: False 10:27:54,9782271 NOTEPAD.EXE 2604 CreateFileMapping C:\Windows\Globalization\Sorting\SortDefault.nls SUCCESS SyncType: SyncTypeOther 10:27:54,9783173 NOTEPAD.EXE 2604 CloseFile C:\Windows\Globalization\Sorting\SortDefault.nls SUCCESS 10:27:54,9787219 NOTEPAD.EXE 2604 RegOpenKey HKLM\System\CurrentControlSet\Control\Nls\Sorting\Ids REPARSE Desired Access: Read 10:27:54,9787790 NOTEPAD.EXE 2604 RegOpenKey HKLM\System\CurrentControlSet\Control\Nls\Sorting\Ids SUCCESS Desired Access: Read 10:27:54,9788424 NOTEPAD.EXE 2604 RegQueryValue HKLM\System\CurrentControlSet\Control\Nls\Sorting\Ids\pt-BR NAME NOT FOUND Length: 90 10:27:54,9791297 NOTEPAD.EXE 2604 RegQueryValue HKLM\System\CurrentControlSet\Control\Nls\Sorting\Ids\pt NAME NOT FOUND Length: 90 10:27:54,9792766 NOTEPAD.EXE 2604 RegCloseKey HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders SUCCESS 10:27:54,9798968 NOTEPAD.EXE 2604 CreateFile C:\Users\Angelo Braz\AppData\Local SUCCESS Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened 10:27:54,9799631 NOTEPAD.EXE 2604 QueryBasicInformationFile C:\Users\Angelo Braz\AppData\Local SUCCESS CreationTime: 17/08/2020 15:16:02, LastAccessTime: 09/08/2023 10:27:54, LastWriteTime: 09/08/2023 08:24:33, ChangeTime: 09/08/2023 08:24:33, FileAttributes: D 10:27:54,9800232 NOTEPAD.EXE 2604 CloseFile C:\Users\Angelo Braz\AppData\Local SUCCESS 10:27:54,9801360 NOTEPAD.EXE 2604 RegQueryKey HKLM SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:54,9801718 NOTEPAD.EXE 2604 RegOpenKey HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\KnownFolderSettings NAME NOT FOUND Desired Access: Query Value 10:27:54,9802103 NOTEPAD.EXE 2604 RegQueryKey HKLM BUFFER TOO SMALL Query: Name, Length: 0 10:27:54,9802406 NOTEPAD.EXE 2604 RegQueryKey HKLM SUCCESS Query: Name 10:27:54,9804354 NOTEPAD.EXE 2604 RegOpenKey HKLM\SOFTWARE\Microsoft\AppModel\Lookaside\machine\Software\Microsoft\Windows\CurrentVersion\Explorer\KnownFolderSettings NAME NOT FOUND Desired Access: Read 10:27:54,9805049 NOTEPAD.EXE 2604 RegQueryKey HKLM SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:54,9805429 NOTEPAD.EXE 2604 RegOpenKey HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\KnownFolderSettings NAME NOT FOUND Desired Access: Query Value 10:27:54,9805844 NOTEPAD.EXE 2604 RegQueryKey HKLM BUFFER TOO SMALL Query: Name, Length: 0 10:27:54,9806165 NOTEPAD.EXE 2604 RegQueryKey HKLM SUCCESS Query: Name 10:27:54,9806626 NOTEPAD.EXE 2604 RegOpenKey HKLM\SOFTWARE\Microsoft\AppModel\Lookaside\machine\Software\Microsoft\Windows\CurrentVersion\Explorer\KnownFolderSettings NAME NOT FOUND Desired Access: Read 10:27:54,9831651 NOTEPAD.EXE 2604 Load Image C:\Windows\System32\msctf.dll SUCCESS Image Base: 0x7ffb64330000, Image Size: 0x114000 10:27:54,9839208 NOTEPAD.EXE 2604 Load Image C:\Windows\System32\oleaut32.dll SUCCESS Image Base: 0x7ffb65250000, Image Size: 0xcd000 10:27:54,9854411 NOTEPAD.EXE 2604 CreateFile C:\Windows\System32\ole32.dll SUCCESS Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened 10:27:54,9855639 NOTEPAD.EXE 2604 QueryBasicInformationFile C:\Windows\System32\ole32.dll SUCCESS CreationTime: 10/05/2023 10:55:01, LastAccessTime: 09/08/2023 10:27:54, LastWriteTime: 10/05/2023 10:55:01, ChangeTime: 09/08/2023 10:10:42, FileAttributes: A 10:27:54,9856182 NOTEPAD.EXE 2604 CloseFile C:\Windows\System32\ole32.dll SUCCESS 10:27:54,9862087 NOTEPAD.EXE 2604 CreateFile C:\Windows\System32\ole32.dll SUCCESS Desired Access: Read Data/List Directory, Synchronize, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, Delete, AllocationSize: n/a, OpenResult: Opened 10:27:54,9863765 NOTEPAD.EXE 2604 CreateFileMapping C:\Windows\System32\ole32.dll FILE LOCKED WITH ONLY READERS SyncType: SyncTypeCreateSection, PageProtection: PAGE_EXECUTE_WRITECOPY 10:27:54,9864302 NOTEPAD.EXE 2604 QueryStandardInformationFile C:\Windows\System32\ole32.dll SUCCESS AllocationSize: 655.360, EndOfFile: 1.214.808, NumberOfLinks: 2, DeletePending: False, Directory: False 10:27:54,9868385 NOTEPAD.EXE 2604 CreateFileMapping C:\Windows\System32\ole32.dll SUCCESS SyncType: SyncTypeOther 10:27:54,9872214 NOTEPAD.EXE 2604 CloseFile C:\Windows\System32\ole32.dll SUCCESS 10:27:54,9875386 NOTEPAD.EXE 2604 RegQueryKey HKLM SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:54,9877987 NOTEPAD.EXE 2604 RegOpenKey HKLM\SOFTWARE\Microsoft\OLEAUT NAME NOT FOUND Desired Access: Query Value 10:27:54,9878598 NOTEPAD.EXE 2604 RegQueryKey HKLM BUFFER TOO SMALL Query: Name, Length: 0 10:27:54,9879116 NOTEPAD.EXE 2604 RegQueryKey HKLM SUCCESS Query: Name 10:27:54,9879750 NOTEPAD.EXE 2604 RegOpenKey HKLM\SOFTWARE\Microsoft\AppModel\Lookaside\machine\SOFTWARE\Microsoft\OLEAUT NAME NOT FOUND Desired Access: Read 10:27:54,9881754 NOTEPAD.EXE 2604 RegQueryValue HKLM\System\CurrentControlSet\Control\WMI\Security\ebadf775-48aa-4bf3-8f8e-ec68d113c98e NAME NOT FOUND Length: 528 10:27:54,9883754 NOTEPAD.EXE 2604 QueryNameInformationFile C:\Windows\System32\msctf.dll SUCCESS Name: \Windows\System32\msctf.dll 10:27:54,9903133 NOTEPAD.EXE 2604 RegQueryValue HKLM\System\CurrentControlSet\Control\Notifications\418A073AA3BC8075 BUFFER TOO SMALL Length: 0 10:27:54,9904597 NOTEPAD.EXE 2604 RegQueryValue HKLM\System\CurrentControlSet\Control\Notifications\418A073AA3BC8075 SUCCESS Type: REG_BINARY, Length: 364, Data: 01 00 04 80 00 00 00 00 00 00 00 00 00 00 00 00 10:27:54,9913313 NOTEPAD.EXE 2604 RegOpenKey HKLM\SYSTEM\CurrentControlSet\Control\Session Manager REPARSE Desired Access: Query Value, Enumerate Sub Keys 10:27:54,9914089 NOTEPAD.EXE 2604 RegOpenKey HKLM\System\CurrentControlSet\Control\Session Manager SUCCESS Desired Access: Query Value, Enumerate Sub Keys 10:27:54,9914737 NOTEPAD.EXE 2604 RegQueryValue HKLM\System\CurrentControlSet\Control\Session Manager\ResourcePolicies NAME NOT FOUND Length: 24 10:27:54,9915446 NOTEPAD.EXE 2604 RegCloseKey HKLM\System\CurrentControlSet\Control\Session Manager SUCCESS 10:27:54,9923054 NOTEPAD.EXE 2604 RegQueryKey HKLM SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:54,9923739 NOTEPAD.EXE 2604 RegOpenKey HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink SUCCESS Desired Access: Query Value, Enumerate Sub Keys 10:27:54,9925236 NOTEPAD.EXE 2604 RegSetInfoKey HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink SUCCESS KeySetInformationClass: KeySetHandleTagsInformation, Length: 0 10:27:54,9925895 NOTEPAD.EXE 2604 RegQueryKey HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink SUCCESS Query: Cached, SubKeys: 0, Values: 67 10:27:54,9927627 NOTEPAD.EXE 2604 RegEnumValue HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink BUFFER OVERFLOW Index: 0, Length: 220 10:27:54,9928297 NOTEPAD.EXE 2604 RegEnumValue HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink SUCCESS Index: 0, Name: Lucida Sans Unicode, Type: REG_MULTI_SZ, Length: 440, Data: MSGOTHIC.TTC,MS UI Gothic, MINGLIU.TTC,PMingLiU, SIMSUN.TTC,SimSun, GULIM.TTC,Gulim, YUGOTHM.TTC,Yu Gothic UI, MSJH.TTC,Microsoft JhengHei UI, MSYH.TTC,Microsoft YaHei UI, MALGUN.TTF,Malgun Gothic, SEGUISYM.TTF,Segoe UI Symbol 10:27:54,9942552 NOTEPAD.EXE 2604 RegEnumValue HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink BUFFER OVERFLOW Index: 1, Length: 220 10:27:54,9943240 NOTEPAD.EXE 2604 RegEnumValue HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink SUCCESS Index: 1, Name: Microsoft Sans Serif, Type: REG_MULTI_SZ, Length: 440, Data: MSGOTHIC.TTC,MS UI Gothic, YUGOTHM.TTC,Yu Gothic UI, MINGLIU.TTC,PMingLiU, SIMSUN.TTC,SimSun, GULIM.TTC,Gulim, MSJH.TTC,Microsoft JhengHei UI, MSYH.TTC,Microsoft YaHei UI, MALGUN.TTF,Malgun Gothic, SEGUISYM.TTF,Segoe UI Symbol 10:27:54,9944400 NOTEPAD.EXE 2604 RegEnumValue HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink BUFFER OVERFLOW Index: 2, Length: 220 10:27:54,9945003 NOTEPAD.EXE 2604 RegEnumValue HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink SUCCESS Index: 2, Name: Tahoma, Type: REG_MULTI_SZ, Length: 440, Data: MSGOTHIC.TTC,MS UI Gothic, MINGLIU.TTC,PMingLiU, SIMSUN.TTC,SimSun, GULIM.TTC,Gulim, YUGOTHM.TTC,Yu Gothic UI, MSJH.TTC,Microsoft JhengHei UI, MSYH.TTC,Microsoft YaHei UI, MALGUN.TTF,Malgun Gothic, SEGUISYM.TTF,Segoe UI Symbol 10:27:54,9946134 NOTEPAD.EXE 2604 RegEnumValue HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink BUFFER OVERFLOW Index: 3, Length: 220 10:27:54,9946769 NOTEPAD.EXE 2604 RegEnumValue HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink SUCCESS Index: 3, Name: Segoe UI, Type: REG_MULTI_SZ, Length: 848, Data: TAHOMA.TTF,Tahoma, MEIRYO.TTC,Meiryo UI,128,96, MEIRYO.TTC,Meiryo UI, MSGOTHIC.TTC,MS UI Gothic, MSJH.TTC,Microsoft JhengHei UI,128,96, MSJH.TTC,Microsoft JhengHei UI, MSYH.TTC,Microsoft YaHei UI,128,96, MSYH.TTC,Microsoft YaHei UI, MALGUN.TTF,Malgun Gothic,128,96, MALGUN.TTF,Malgun Gothic, MINGLIU.TTC,PMingLiU, SIMSUN.TTC,SimSun, GULIM.TTC,Gulim, YUGOTHM.TTC,Yu Gothic UI,128,96, YUGOTHM.TTC,Yu Gothic UI, SEGUISYM.TTF,Segoe UI Symbol 10:27:54,9947883 NOTEPAD.EXE 2604 RegEnumValue HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink BUFFER OVERFLOW Index: 4, Length: 220 10:27:54,9948477 NOTEPAD.EXE 2604 RegEnumValue HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink SUCCESS Index: 4, Name: Segoe UI Bold, Type: REG_MULTI_SZ, Length: 778, Data: MEIRYOB.TTC,Meiryo UI Bold,128,96, MEIRYOB.TTC,Meiryo UI Bold, MSJHBD.TTC,Microsoft JhengHei UI Bold,128,96, MSJHBD.TTC,Microsoft JhengHei UI Bold, MSYHBD.TTC,Microsoft YaHei UI Bold,128,96, MSYHBD.TTC,Microsoft YaHei UI Bold, MALGUNBD.TTF,Malgun Gothic Bold,128,96, MALGUNBD.TTF,Malgun Gothic Bold, YUGOTHB.TTC,Yu Gothic UI Bold,128,96, YUGOTHB.TTC,Yu Gothic UI Bold, SEGUISYM.TTF,Segoe UI Symbol 10:27:54,9950685 NOTEPAD.EXE 2604 RegEnumValue HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink BUFFER OVERFLOW Index: 5, Length: 220 10:27:54,9951463 NOTEPAD.EXE 2604 RegEnumValue HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink SUCCESS Index: 5, Name: Segoe UI Light, Type: REG_MULTI_SZ, Length: 778, Data: MEIRYO.TTC,Meiryo UI,128,96, MEIRYO.TTC,Meiryo UI, MSJHL.TTC,Microsoft JhengHei UI Light,128,96, MSJHL.TTC,Microsoft JhengHei UI Light, MSYHL.TTC,Microsoft YaHei UI Light,128,96, MSYHL.TTC,Microsoft YaHei UI Light, MALGUNSL.TTF,Malgun Gothic Semilight,128,96, MALGUNSL.TTF,Malgun Gothic Semilight, YUGOTHL.TTC,Yu Gothic UI Light,128,96, YUGOTHL.TTC,Yu Gothic UI Light, SEGUISYM.TTF,Segoe UI Symbol 10:27:54,9952615 NOTEPAD.EXE 2604 RegEnumValue HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink BUFFER OVERFLOW Index: 6, Length: 220 10:27:54,9953191 NOTEPAD.EXE 2604 RegEnumValue HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink SUCCESS Index: 6, Name: Segoe UI Semilight, Type: REG_MULTI_SZ, Length: 738, Data: MEIRYO.TTC,Meiryo UI,128,96, MEIRYO.TTC,Meiryo UI, MSJH.TTC,Microsoft JhengHei UI,128,96, MSJH.TTC,Microsoft JhengHei UI, MSYH.TTC,Microsoft YaHei UI,128,96, MSYH.TTC,Microsoft YaHei UI, MALGUNSL.TTF,Malgun Gothic Semilight,128,96, MALGUNSL.TTF,Malgun Gothic Semilight, YUGOTHR.TTC,Yu Gothic UI Semilight,128,96, YUGOTHR.TTC,Yu Gothic UI Semilight, SEGUISYM.TTF,Segoe UI Symbol 10:27:54,9954299 NOTEPAD.EXE 2604 RegEnumValue HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink BUFFER OVERFLOW Index: 7, Length: 220 10:27:54,9954856 NOTEPAD.EXE 2604 RegEnumValue HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink SUCCESS Index: 7, Name: Segoe UI Semibold, Type: REG_MULTI_SZ, Length: 686, Data: MEIRYO.TTC,Meiryo UI,128,96, MEIRYO.TTC,Meiryo UI, MSJH.TTC,Microsoft Jhenghei UI,128,96, MSJH.TTC,Microsoft Jhenghei UI, MSYH.TTC,Microsoft Yahei UI,128,96, MSYH.TTC,Microsoft Yahei UI, MALGUN.TTF,Malgun Gothic,128,96, MALGUN.TTF,Malgun Gothic, YUGOTHB.TTC,Yu Gothic UI Semibold,128,96, YUGOTHB.TTC,Yu Gothic UI Semibold, SEGUISYM.TTF,Segoe UI Symbol 10:27:54,9956050 NOTEPAD.EXE 2604 RegEnumValue HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink BUFFER OVERFLOW Index: 8, Length: 220 10:27:54,9956648 NOTEPAD.EXE 2604 RegEnumValue HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink SUCCESS Index: 8, Name: Ebrima, Type: REG_MULTI_SZ, Length: 748, Data: SEGOEUI.TTF,Segoe UI,110,82, SEGOEUI.TTF,Segoe UI, MEIRYO.TTC,Meiryo UI,120,96, MEIRYO.TTC,Meiryo UI, MSJH.TTC,Microsoft JhengHei UI,120,96, MSJH.TTC,Microsoft JhengHei UI, MSYH.TTC,Microsoft YaHei UI,128,96, MSYH.TTC,Microsoft YaHei UI, MALGUN.TTF,Malgun Gothic,118,96, MALGUN.TTF,Malgun Gothic, YUGOTHM.TTC,Yu Gothic UI,128,96, YUGOTHM.TTC,Yu Gothic UI, SEGUISYM.TTF,Segoe UI Symbol 10:27:54,9957747 NOTEPAD.EXE 2604 RegEnumValue HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink BUFFER OVERFLOW Index: 9, Length: 220 10:27:54,9958282 NOTEPAD.EXE 2604 RegEnumValue HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink SUCCESS Index: 9, Name: Ebrima Bold, Type: REG_MULTI_SZ, Length: 900, Data: SEGOEUIB.TTF,Segoe UI Bold,110,82, SEGOEUIB.TTF,Segoe UI Bold, MEIRYOB.TTC,Meiryo UI Bold,120,96, MEIRYOB.TTC,Meiryo UI Bold, MSJHBD.TTC,Microsoft JhengHei UI Bold,120,96, MSJHBD.TTC,Microsoft JhengHei UI Bold, MSYHBD.TTC,Microsoft YaHei UI Bold,128,96, MSYHBD.TTC,Microsoft YaHei UI Bold, MALGUNBD.TTF,Malgun Gothic Bold,118,96, MALGUNBD.TTF,Malgun Gothic Bold, YUGOTHB.TTC,Yu Gothic UI Bold,128,96, YUGOTHB.TTC,Yu Gothic UI Bold, SEGUISYM.TTF,Segoe UI Symbol 10:27:54,9959450 NOTEPAD.EXE 2604 RegEnumValue HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink BUFFER OVERFLOW Index: 10, Length: 220 10:27:54,9960045 NOTEPAD.EXE 2604 RegEnumValue HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink SUCCESS Index: 10, Name: Gadugi, Type: REG_MULTI_SZ, Length: 748, Data: SEGOEUI.TTF,Segoe UI,110,82, SEGOEUI.TTF,Segoe UI, MEIRYO.TTC,Meiryo UI,120,96, MEIRYO.TTC,Meiryo UI, MSJH.TTC,Microsoft JhengHei UI,120,96, MSJH.TTC,Microsoft JhengHei UI, MSYH.TTC,Microsoft YaHei UI,128,96, MSYH.TTC,Microsoft YaHei UI, MALGUN.TTF,Malgun Gothic,118,96, MALGUN.TTF,Malgun Gothic, YUGOTHM.TTC,Yu Gothic UI,128,96, YUGOTHM.TTC,Yu Gothic UI, SEGUISYM.TTF,Segoe UI Symbol 10:27:54,9961138 NOTEPAD.EXE 2604 RegEnumValue HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink BUFFER OVERFLOW Index: 11, Length: 220 10:27:54,9961687 NOTEPAD.EXE 2604 RegEnumValue HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink SUCCESS Index: 11, Name: Gadugi Bold, Type: REG_MULTI_SZ, Length: 900, Data: SEGOEUIB.TTF,Segoe UI Bold,110,82, SEGOEUIB.TTF,Segoe UI Bold, MEIRYOB.TTC,Meiryo UI Bold,120,96, MEIRYOB.TTC,Meiryo UI Bold, MSJHBD.TTC,Microsoft JhengHei UI Bold,120,96, MSJHBD.TTC,Microsoft JhengHei UI Bold, MSYHBD.TTC,Microsoft YaHei UI Bold,128,96, MSYHBD.TTC,Microsoft YaHei UI Bold, MALGUNBD.TTF,Malgun Gothic Bold,118,96, MALGUNBD.TTF,Malgun Gothic Bold, YUGOTHB.TTC,Yu Gothic UI Bold,128,96, YUGOTHB.TTC,Yu Gothic UI Bold, SEGUISYM.TTF,Segoe UI Symbol 10:27:54,9962845 NOTEPAD.EXE 2604 RegEnumValue HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink BUFFER OVERFLOW Index: 12, Length: 220 10:27:54,9963425 NOTEPAD.EXE 2604 RegEnumValue HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink SUCCESS Index: 12, Name: Khmer UI, Type: REG_MULTI_SZ, Length: 748, Data: SEGOEUI.TTF,Segoe UI,110,82, SEGOEUI.TTF,Segoe UI, MEIRYO.TTC,Meiryo UI,120,96, MEIRYO.TTC,Meiryo UI, MSJH.TTC,Microsoft JhengHei UI,120,96, MSJH.TTC,Microsoft JhengHei UI, MSYH.TTC,Microsoft YaHei UI,128,96, MSYH.TTC,Microsoft YaHei UI, MALGUN.TTF,Malgun Gothic,118,96, MALGUN.TTF,Malgun Gothic, YUGOTHM.TTC,Yu Gothic UI,128,96, YUGOTHM.TTC,Yu Gothic UI, SEGUISYM.TTF,Segoe UI Symbol 10:27:54,9964503 NOTEPAD.EXE 2604 RegEnumValue HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink BUFFER OVERFLOW Index: 13, Length: 220 10:27:54,9965180 NOTEPAD.EXE 2604 RegEnumValue HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink SUCCESS Index: 13, Name: Khmer UI Bold, Type: REG_MULTI_SZ, Length: 900, Data: SEGOEUIB.TTF,Segoe UI Bold,110,82, SEGOEUIB.TTF,Segoe UI Bold, MEIRYOB.TTC,Meiryo UI Bold,120,96, MEIRYOB.TTC,Meiryo UI Bold, MSJHBD.TTC,Microsoft JhengHei UI Bold,120,96, MSJHBD.TTC,Microsoft JhengHei UI Bold, MSYHBD.TTC,Microsoft YaHei UI Bold,128,96, MSYHBD.TTC,Microsoft YaHei UI Bold, MALGUNBD.TTF,Malgun Gothic Bold,118,96, MALGUNBD.TTF,Malgun Gothic Bold, YUGOTHB.TTC,Yu Gothic UI Bold,128,96, YUGOTHB.TTC,Yu Gothic UI Bold, SEGUISYM.TTF,Segoe UI Symbol 10:27:54,9966254 NOTEPAD.EXE 2604 RegEnumValue HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink BUFFER OVERFLOW Index: 14, Length: 220 10:27:54,9966794 NOTEPAD.EXE 2604 RegEnumValue HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink SUCCESS Index: 14, Name: Lao UI, Type: REG_MULTI_SZ, Length: 748, Data: SEGOEUI.TTF,Segoe UI,110,82, SEGOEUI.TTF,Segoe UI, MEIRYO.TTC,Meiryo UI,120,96, MEIRYO.TTC,Meiryo UI, MSJH.TTC,Microsoft JhengHei UI,120,96, MSJH.TTC,Microsoft JhengHei UI, MSYH.TTC,Microsoft YaHei UI,128,96, MSYH.TTC,Microsoft YaHei UI, MALGUN.TTF,Malgun Gothic,118,96, MALGUN.TTF,Malgun Gothic, YUGOTHM.TTC,Yu Gothic UI,128,96, YUGOTHM.TTC,Yu Gothic UI, SEGUISYM.TTF,Segoe UI Symbol 10:27:54,9967839 NOTEPAD.EXE 2604 RegEnumValue HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink BUFFER OVERFLOW Index: 15, Length: 220 10:27:54,9969978 NOTEPAD.EXE 2604 RegEnumValue HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink SUCCESS Index: 15, Name: Lao UI Bold, Type: REG_MULTI_SZ, Length: 900, Data: SEGOEUIB.TTF,Segoe UI Bold,110,82, SEGOEUIB.TTF,Segoe UI Bold, MEIRYOB.TTC,Meiryo UI Bold,120,96, MEIRYOB.TTC,Meiryo UI Bold, MSJHBD.TTC,Microsoft JhengHei UI Bold,120,96, MSJHBD.TTC,Microsoft JhengHei UI Bold, MSYHBD.TTC,Microsoft YaHei UI Bold,128,96, MSYHBD.TTC,Microsoft YaHei UI Bold, MALGUNBD.TTF,Malgun Gothic Bold,118,96, MALGUNBD.TTF,Malgun Gothic Bold, YUGOTHB.TTC,Yu Gothic UI Bold,128,96, YUGOTHB.TTC,Yu Gothic UI Bold, SEGUISYM.TTF,Segoe UI Symbol 10:27:54,9972491 NOTEPAD.EXE 2604 RegEnumValue HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink BUFFER OVERFLOW Index: 16, Length: 220 10:27:54,9975538 NOTEPAD.EXE 2604 RegEnumValue HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink SUCCESS Index: 16, Name: Leelawadee, Type: REG_MULTI_SZ, Length: 748, Data: SEGOEUI.TTF,Segoe UI,110,82, SEGOEUI.TTF,Segoe UI, MEIRYO.TTC,Meiryo UI,120,96, MEIRYO.TTC,Meiryo UI, MSJH.TTC,Microsoft JhengHei UI,120,96, MSJH.TTC,Microsoft JhengHei UI, MSYH.TTC,Microsoft YaHei UI,128,96, MSYH.TTC,Microsoft YaHei UI, MALGUN.TTF,Malgun Gothic,118,96, MALGUN.TTF,Malgun Gothic, YUGOTHM.TTC,Yu Gothic UI,128,96, YUGOTHM.TTC,Yu Gothic UI, SEGUISYM.TTF,Segoe UI Symbol 10:27:54,9977258 NOTEPAD.EXE 2604 RegEnumValue HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink BUFFER OVERFLOW Index: 17, Length: 220 10:27:54,9977882 NOTEPAD.EXE 2604 RegEnumValue HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink SUCCESS Index: 17, Name: Leelawadee Bold, Type: REG_MULTI_SZ, Length: 900, Data: SEGOEUIB.TTF,Segoe UI Bold,110,82, SEGOEUIB.TTF,Segoe UI Bold, MEIRYOB.TTC,Meiryo UI Bold,120,96, MEIRYOB.TTC,Meiryo UI Bold, MSJHBD.TTC,Microsoft JhengHei UI Bold,120,96, MSJHBD.TTC,Microsoft JhengHei UI Bold, MSYHBD.TTC,Microsoft YaHei UI Bold,128,96, MSYHBD.TTC,Microsoft YaHei UI Bold, MALGUNBD.TTF,Malgun Gothic Bold,118,96, MALGUNBD.TTF,Malgun Gothic Bold, YUGOTHB.TTC,Yu Gothic UI Bold,128,96, YUGOTHB.TTC,Yu Gothic UI Bold, SEGUISYM.TTF,Segoe UI Symbol 10:27:54,9979082 NOTEPAD.EXE 2604 RegEnumValue HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink BUFFER OVERFLOW Index: 18, Length: 220 10:27:54,9979647 NOTEPAD.EXE 2604 RegEnumValue HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink SUCCESS Index: 18, Name: Leelawadee UI, Type: REG_MULTI_SZ, Length: 748, Data: SEGOEUI.TTF,Segoe UI,110,82, SEGOEUI.TTF,Segoe UI, MEIRYO.TTC,Meiryo UI,120,96, MEIRYO.TTC,Meiryo UI, MSJH.TTC,Microsoft JhengHei UI,120,96, MSJH.TTC,Microsoft JhengHei UI, MSYH.TTC,Microsoft YaHei UI,128,96, MSYH.TTC,Microsoft YaHei UI, MALGUN.TTF,Malgun Gothic,118,96, MALGUN.TTF,Malgun Gothic, YUGOTHM.TTC,Yu Gothic UI,128,96, YUGOTHM.TTC,Yu Gothic UI, SEGUISYM.TTF,Segoe UI Symbol 10:27:54,9980764 NOTEPAD.EXE 2604 RegEnumValue HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink BUFFER OVERFLOW Index: 19, Length: 220 10:27:54,9981309 NOTEPAD.EXE 2604 RegEnumValue HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink SUCCESS Index: 19, Name: Leelawadee UI Bold, Type: REG_MULTI_SZ, Length: 900, Data: SEGOEUIB.TTF,Segoe UI Bold,110,82, SEGOEUIB.TTF,Segoe UI Bold, MEIRYOB.TTC,Meiryo UI Bold,120,96, MEIRYOB.TTC,Meiryo UI Bold, MSJHBD.TTC,Microsoft JhengHei UI Bold,120,96, MSJHBD.TTC,Microsoft JhengHei UI Bold, MSYHBD.TTC,Microsoft YaHei UI Bold,128,96, MSYHBD.TTC,Microsoft YaHei UI Bold, MALGUNBD.TTF,Malgun Gothic Bold,118,96, MALGUNBD.TTF,Malgun Gothic Bold, YUGOTHB.TTC,Yu Gothic UI Bold,128,96, YUGOTHB.TTC,Yu Gothic UI Bold, SEGUISYM.TTF,Segoe UI Symbol 10:27:54,9982363 NOTEPAD.EXE 2604 RegEnumValue HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink BUFFER OVERFLOW Index: 20, Length: 220 10:27:54,9982902 NOTEPAD.EXE 2604 RegEnumValue HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink SUCCESS Index: 20, Name: Nirmala UI, Type: REG_MULTI_SZ, Length: 748, Data: SEGOEUI.TTF,Segoe UI,110,82, SEGOEUI.TTF,Segoe UI, MEIRYO.TTC,Meiryo UI,120,96, MEIRYO.TTC,Meiryo UI, MSJH.TTC,Microsoft JhengHei UI,120,96, MSJH.TTC,Microsoft JhengHei UI, MSYH.TTC,Microsoft YaHei UI,128,96, MSYH.TTC,Microsoft YaHei UI, MALGUN.TTF,Malgun Gothic,118,96, MALGUN.TTF,Malgun Gothic, YUGOTHM.TTC,Yu Gothic UI,128,96, YUGOTHM.TTC,Yu Gothic UI, SEGUISYM.TTF,Segoe UI Symbol 10:27:54,9983988 NOTEPAD.EXE 2604 RegEnumValue HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink BUFFER OVERFLOW Index: 21, Length: 220 10:27:54,9984532 NOTEPAD.EXE 2604 RegEnumValue HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink SUCCESS Index: 21, Name: Nirmala UI Bold, Type: REG_MULTI_SZ, Length: 900, Data: SEGOEUIB.TTF,Segoe UI Bold,110,82, SEGOEUIB.TTF,Segoe UI Bold, MEIRYOB.TTC,Meiryo UI Bold,120,96, MEIRYOB.TTC,Meiryo UI Bold, MSJHBD.TTC,Microsoft JhengHei UI Bold,120,96, MSJHBD.TTC,Microsoft JhengHei UI Bold, MSYHBD.TTC,Microsoft YaHei UI Bold,128,96, MSYHBD.TTC,Microsoft YaHei UI Bold, MALGUNBD.TTF,Malgun Gothic Bold,118,96, MALGUNBD.TTF,Malgun Gothic Bold, YUGOTHB.TTC,Yu Gothic UI Bold,128,96, YUGOTHB.TTC,Yu Gothic UI Bold, SEGUISYM.TTF,Segoe UI Symbol 10:27:54,9986411 NOTEPAD.EXE 2604 RegEnumValue HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink BUFFER OVERFLOW Index: 22, Length: 220 10:27:54,9987854 NOTEPAD.EXE 2604 RegEnumValue HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink SUCCESS Index: 22, Name: Nirmala UI Semilight, Type: REG_MULTI_SZ, Length: 738, Data: MEIRYO.TTC,Meiryo UI,128,96, MEIRYO.TTC,Meiryo UI, MSJH.TTC,Microsoft JhengHei UI,128,96, MSJH.TTC,Microsoft JhengHei UI, MSYH.TTC,Microsoft YaHei UI,128,96, MSYH.TTC,Microsoft YaHei UI, MALGUNSL.TTF,Malgun Gothic Semilight,128,96, MALGUNSL.TTF,Malgun Gothic Semilight, YUGOTHR.TTC,Yu Gothic UI Semilight,128,96, YUGOTHR.TTC,Yu Gothic UI Semilight, SEGUISYM.TTF,Segoe UI Symbol 10:27:54,9989473 NOTEPAD.EXE 2604 RegEnumValue HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink BUFFER OVERFLOW Index: 23, Length: 220 10:27:54,9990142 NOTEPAD.EXE 2604 RegEnumValue HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink SUCCESS Index: 23, Name: MingLiU, Type: REG_MULTI_SZ, Length: 546, Data: MICROSS.TTF,Microsoft Sans Serif,40,48, MICROSS.TTF,Microsoft Sans Serif, SIMSUN.TTC,SimSun, MSMINCHO.TTC,MS Mincho, BATANG.TTC,BatangChe, MSJH.TTC,Microsoft JhengHei UI, MSYH.TTC,Microsoft YaHei UI, YUGOTHM.TTC,Yu Gothic UI, MALGUN.TTF,Malgun Gothic, SEGUISYM.TTF,Segoe UI Symbol 10:27:54,9991557 NOTEPAD.EXE 2604 RegEnumValue HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink BUFFER OVERFLOW Index: 24, Length: 220 10:27:54,9992262 NOTEPAD.EXE 2604 RegEnumValue HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink SUCCESS Index: 24, Name: PMingLiU, Type: REG_MULTI_SZ, Length: 542, Data: MICROSS.TTF,Microsoft Sans Serif,40,48, MICROSS.TTF,Microsoft Sans Serif, SIMSUN.TTC,SimSun, MSMINCHO.TTC,MS PMincho, BATANG.TTC,Batang, MSJH.TTC,Microsoft JhengHei UI, MSYH.TTC,Microsoft YaHei UI, YUGOTHM.TTC,Yu Gothic UI, MALGUN.TTF,Malgun Gothic, SEGUISYM.TTF,Segoe UI Symbol 10:27:54,9993569 NOTEPAD.EXE 2604 RegEnumValue HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink BUFFER OVERFLOW Index: 25, Length: 220 10:27:54,9994117 NOTEPAD.EXE 2604 RegEnumValue HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink SUCCESS Index: 25, Name: MingLiU_HKSCS, Type: REG_MULTI_SZ, Length: 586, Data: MICROSS.TTF,Microsoft Sans Serif,40,48, MICROSS.TTF,Microsoft Sans Serif, MINGLIU.TTC,MingLiU, SIMSUN.TTC,SimSun, MSMINCHO.TTC,MS Mincho, BATANG.TTC,BatangChe, MSJH.TTC,Microsoft JhengHei UI, MSYH.TTC,Microsoft YaHei UI, YUGOTHM.TTC,Yu Gothic UI, MALGUN.TTF,Malgun Gothic, SEGUISYM.TTF,Segoe UI Symbol 10:27:54,9995288 NOTEPAD.EXE 2604 RegEnumValue HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink BUFFER OVERFLOW Index: 26, Length: 220 10:27:54,9995850 NOTEPAD.EXE 2604 RegEnumValue HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink SUCCESS Index: 26, Name: MingLiU-ExtB, Type: REG_MULTI_SZ, Length: 586, Data: MICROSS.TTF,Microsoft Sans Serif,40,48, MICROSS.TTF,Microsoft Sans Serif, MINGLIU.TTC,MingLiU, SIMSUN.TTC,SimSun, MSMINCHO.TTC,MS Mincho, BATANG.TTC,BatangChe, MSJH.TTC,Microsoft JhengHei UI, MSYH.TTC,Microsoft YaHei UI, YUGOTHM.TTC,Yu Gothic UI, MALGUN.TTF,Malgun Gothic, SEGUISYM.TTF,Segoe UI Symbol 10:27:54,9996975 NOTEPAD.EXE 2604 RegEnumValue HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink BUFFER OVERFLOW Index: 27, Length: 220 10:27:54,9997619 NOTEPAD.EXE 2604 RegEnumValue HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink SUCCESS Index: 27, Name: PMingLiU-ExtB, Type: REG_MULTI_SZ, Length: 584, Data: MICROSS.TTF,Microsoft Sans Serif,40,48, MICROSS.TTF,Microsoft Sans Serif, MINGLIU.TTC,PMingLiU, SIMSUN.TTC,SimSun, MSMINCHO.TTC,MS PMincho, BATANG.TTC,Batang, MSJH.TTC,Microsoft JhengHei UI, MSYH.TTC,Microsoft YaHei UI, YUGOTHM.TTC,Yu Gothic UI, MALGUN.TTF,Malgun Gothic, SEGUISYM.TTF,Segoe UI Symbol 10:27:54,9998727 NOTEPAD.EXE 2604 RegEnumValue HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink BUFFER OVERFLOW Index: 28, Length: 220 10:27:54,9999863 NOTEPAD.EXE 2604 RegEnumValue HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink SUCCESS Index: 28, Name: MingLiU_HKSCS-ExtB, Type: REG_MULTI_SZ, Length: 638, Data: MICROSS.TTF,Microsoft Sans Serif,40,48, MICROSS.TTF,Microsoft Sans Serif, MINGLIU.TTC,MingLiU_HKSCS, MINGLIU.TTC,MingLiU, SIMSUN.TTC,SimSun, MSMINCHO.TTC,MS Mincho, BATANG.TTC,BatangChe, MSJH.TTC,Microsoft JhengHei UI, MSYH.TTC,Microsoft YaHei UI, YUGOTHM.TTC,Yu Gothic UI, MALGUN.TTF,Malgun Gothic, SEGUISYM.TTF,Segoe UI Symbol 10:27:55,0000940 NOTEPAD.EXE 2604 RegEnumValue HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink BUFFER OVERFLOW Index: 29, Length: 220 10:27:55,0001505 NOTEPAD.EXE 2604 RegEnumValue HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink SUCCESS Index: 29, Name: Microsoft JhengHei, Type: REG_MULTI_SZ, Length: 626, Data: SEGOEUI.TTF,Segoe UI,114,78, SEGOEUI.TTF,Segoe UI, MINGLIU.TTC,MingLiU, MSYH.TTC,Microsoft YaHei,128,96, MSYH.TTC,Microsoft YaHei, MEIRYO.TTC,Meiryo,128,85, MEIRYO.TTC,Meiryo, MALGUN.TTF,Malgun Gothic,128,96, MALGUN.TTF,Malgun Gothic, YUGOTHM.TTC,Yu Gothic UI,128,96, YUGOTHM.TTC,Yu Gothic UI, SEGUISYM.TTF,Segoe UI Symbol 10:27:55,0002607 NOTEPAD.EXE 2604 RegEnumValue HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink BUFFER OVERFLOW Index: 30, Length: 220 10:27:55,0003180 NOTEPAD.EXE 2604 RegEnumValue HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink SUCCESS Index: 30, Name: Microsoft JhengHei Bold, Type: REG_MULTI_SZ, Length: 750, Data: SEGOEUIB.TTF,Segoe UI Bold,114,78, SEGOEUIB.TTF,Segoe UI Bold, MINGLIU.TTC,MingLiU, MSYHBD.TTC,Microsoft YaHei Bold,128,96, MSYHBD.TTC,Microsoft YaHei Bold, MEIRYOB.TTC,Meiryo Bold,128,85, MEIRYOB.TTC,Meiryo Bold, MALGUNBD.TTF,Malgun Gothic Bold,128,96, MALGUNBD.TTF,Malgun Gothic Bold, YUGOTHB.TTC,Yu Gothic UI Bold,128,96, YUGOTHB.TTC,Yu Gothic UI Bold, SEGUISYM.TTF,Segoe UI Symbol 10:27:55,0004230 NOTEPAD.EXE 2604 RegEnumValue HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink BUFFER OVERFLOW Index: 31, Length: 220 10:27:55,0004792 NOTEPAD.EXE 2604 RegEnumValue HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink SUCCESS Index: 31, Name: Microsoft JhengHei UI, Type: REG_MULTI_SZ, Length: 524, Data: SEGOEUI.TTF,Segoe UI,114,78, SEGOEUI.TTF,Segoe UI, MINGLIU.TTC,MingLiU, MSYH.TTC,Microsoft YaHei UI, MEIRYO.TTC,Meiryo UI, MALGUN.TTF,Malgun Gothic,128,96, MALGUN.TTF,Malgun Gothic, YUGOTHM.TTC,Yu Gothic UI,128,96, YUGOTHM.TTC,Yu Gothic UI, SEGUISYM.TTF,Segoe UI Symbol 10:27:55,0005872 NOTEPAD.EXE 2604 RegEnumValue HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink BUFFER OVERFLOW Index: 32, Length: 220 10:27:55,0006458 NOTEPAD.EXE 2604 RegEnumValue HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink SUCCESS Index: 32, Name: Microsoft JhengHei UI Bold, Type: REG_MULTI_SZ, Length: 622, Data: SEGOEUIB.TTF,Segoe UI Bold,114,78, SEGOEUIB.TTF,Segoe UI Bold, MINGLIU.TTC,MingLiU, MSYHBD.TTC,Microsoft YaHei UI Bold, MEIRYOB.TTC,Meiryo UI Bold, MALGUNBD.TTF,Malgun Gothic Bold,128,96, MALGUNBD.TTF,Malgun Gothic Bold, YUGOTHB.TTC,Yu Gothic UI Bold,128,96, YUGOTHB.TTC,Yu Gothic UI Bold, SEGUISYM.TTF,Segoe UI Symbol 10:27:55,0007596 NOTEPAD.EXE 2604 RegEnumValue HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink BUFFER OVERFLOW Index: 33, Length: 220 10:27:55,0008209 NOTEPAD.EXE 2604 RegEnumValue HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink SUCCESS Index: 33, Name: Microsoft JhengHei UI Light, Type: REG_MULTI_SZ, Length: 638, Data: SEGOEUIL.TTF,Segoe UI Light,114,78, SEGOEUIL.TTF,Segoe UI Light, MINGLIU.TTC,MingLiU, MSYHL.TTC,Microsoft YaHei UI Light, MEIRYO.TTC,Meiryo UI, MALGUNSL.TTF,Malgun Gothic Semilight,128,96, MALGUNSL.TTF,Malgun Gothic Semilight, YUGOTHL.TTC,Yu Gothic UI Light,128,96, YUGOTHL.TTC,Yu Gothic UI Light, SEGUISYM.TTF,Segoe UI Symbol 10:27:55,0009526 NOTEPAD.EXE 2604 RegEnumValue HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink BUFFER OVERFLOW Index: 34, Length: 220 10:27:55,0010061 NOTEPAD.EXE 2604 RegEnumValue HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink SUCCESS Index: 34, Name: SimSun, Type: REG_MULTI_SZ, Length: 552, Data: MICROSS.TTF,Microsoft Sans Serif,108,122, MICROSS.TTF,Microsoft Sans Serif, MINGLIU.TTC,PMingLiU, MSMINCHO.TTC,MS PMincho, BATANG.TTC,Batang, MSYH.TTC,Microsoft YaHei UI, MSJH.TTC,Microsoft JhengHei UI, YUGOTHM.TTC,Yu Gothic UI, MALGUN.TTF,Malgun Gothic, SEGUISYM.TTF,Segoe UI Symbol 10:27:55,0011154 NOTEPAD.EXE 2604 RegEnumValue HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink BUFFER OVERFLOW Index: 35, Length: 220 10:27:55,0011688 NOTEPAD.EXE 2604 RegEnumValue HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink SUCCESS Index: 35, Name: SimSun-ExtB, Type: REG_MULTI_SZ, Length: 588, Data: MICROSS.TTF,Microsoft Sans Serif,108,122, MICROSS.TTF,Microsoft Sans Serif, SIMSUN.TTC,SimSun, MINGLIU.TTC,PMingLiU, MSMINCHO.TTC,MS PMincho, BATANG.TTC,Batang, MSYH.TTC,Microsoft YaHei UI, MSJH.TTC,Microsoft JhengHei UI, YUGOTHM.TTC,Yu Gothic UI, MALGUN.TTF,Malgun Gothic, SEGUISYM.TTF,Segoe UI Symbol 10:27:55,0012738 NOTEPAD.EXE 2604 RegEnumValue HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink BUFFER OVERFLOW Index: 36, Length: 220 10:27:55,0013276 NOTEPAD.EXE 2604 RegEnumValue HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink SUCCESS Index: 36, Name: NSimSun, Type: REG_MULTI_SZ, Length: 408, Data: MINGLIU.TTC,PMingLiU, MSMINCHO.TTC,MS Mincho, BATANG.TTC,BatangChe, MSYH.TTC,Microsoft YaHei UI, MSJH.TTC,Microsoft JhengHei UI, YUGOTHM.TTC,Yu Gothic UI, MALGUN.TTF,Malgun Gothic, SEGUISYM.TTF,Segoe UI Symbol 10:27:55,0014372 NOTEPAD.EXE 2604 RegEnumValue HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink BUFFER OVERFLOW Index: 37, Length: 220 10:27:55,0014908 NOTEPAD.EXE 2604 RegEnumValue HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink SUCCESS Index: 37, Name: Microsoft YaHei, Type: REG_MULTI_SZ, Length: 634, Data: SEGOEUI.TTF,Segoe UI,120,80, SEGOEUI.TTF,Segoe UI, SIMSUN.TTC,SimSun, MSJH.TTC,Microsoft JhengHei,128,96, MSJH.TTC,Microsoft JhengHei, MEIRYO.TTC,Meiryo,128,85, MEIRYO.TTC,Meiryo, MALGUN.TTF,Malgun Gothic,128,96, MALGUN.TTF,Malgun Gothic, YUGOTHM.TTC,Yu Gothic UI,128,96, YUGOTHM.TTC,Yu Gothic UI, SEGUISYM.TTF,Segoe UI Symbol 10:27:55,0016051 NOTEPAD.EXE 2604 RegEnumValue HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink BUFFER OVERFLOW Index: 38, Length: 220 10:27:55,0016679 NOTEPAD.EXE 2604 RegEnumValue HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink SUCCESS Index: 38, Name: Microsoft YaHei Bold, Type: REG_MULTI_SZ, Length: 758, Data: SEGOEUIB.TTF,Segoe UI Bold,120,80, SEGOEUIB.TTF,Segoe UI Bold, SIMSUN.TTC,SimSun, MSJHBD.TTC,Microsoft Jhenghei Bold,128,96, MSJHBD.TTC,Microsoft Jhenghei Bold, MEIRYOB.TTC,Meiryo Bold,128,85, MEIRYOB.TTC,Meiryo Bold, MALGUNBD.TTF,Malgun Gothic Bold,128,96, MALGUNBD.TTF,Malgun Gothic Bold, YUGOTHB.TTC,Yu Gothic UI Bold,128,96, YUGOTHB.TTC,Yu Gothic UI Bold, SEGUISYM.TTF,Segoe UI Symbol 10:27:55,0017827 NOTEPAD.EXE 2604 RegEnumValue HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink BUFFER OVERFLOW Index: 39, Length: 220 10:27:55,0018434 NOTEPAD.EXE 2604 RegEnumValue HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink SUCCESS Index: 39, Name: Microsoft YaHei UI, Type: REG_MULTI_SZ, Length: 526, Data: SEGOEUI.TTF,Segoe UI,120,80, SEGOEUI.TTF,Segoe UI, SIMSUN.TTC,SimSun, MSJH.TTC,Microsoft Jhenghei UI, MEIRYO.TTC,Meiryo UI, MALGUN.TTF,Malgun Gothic,128,96, MALGUN.TTF,Malgun Gothic, YUGOTHM.TTC,Yu Gothic UI,128,96, YUGOTHM.TTC,Yu Gothic UI, SEGUISYM.TTF,Segoe UI Symbol 10:27:55,0019532 NOTEPAD.EXE 2604 RegEnumValue HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink BUFFER OVERFLOW Index: 40, Length: 220 10:27:55,0020116 NOTEPAD.EXE 2604 RegEnumValue HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink SUCCESS Index: 40, Name: Microsoft YaHei UI Bold, Type: REG_MULTI_SZ, Length: 624, Data: SEGOEUIB.TTF,Segoe UI Bold,120,80, SEGOEUIB.TTF,Segoe UI Bold, SIMSUN.TTC,SimSun, MSJHBD.TTC,Microsoft Jhenghei UI Bold, MEIRYOB.TTC,Meiryo UI Bold, MALGUNBD.TTF,Malgun Gothic Bold,128,96, MALGUNBD.TTF,Malgun Gothic Bold, YUGOTHB.TTC,Yu Gothic UI Bold,128,96, YUGOTHB.TTC,Yu Gothic UI Bold, SEGUISYM.TTF,Segoe UI Symbol 10:27:55,0021167 NOTEPAD.EXE 2604 RegEnumValue HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink BUFFER OVERFLOW Index: 41, Length: 220 10:27:55,0024211 NOTEPAD.EXE 2604 RegEnumValue HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink SUCCESS Index: 41, Name: Microsoft YaHei UI Light, Type: REG_MULTI_SZ, Length: 640, Data: SEGOEUIL.TTF,Segoe UI Light,120,80, SEGOEUIL.TTF,Segoe UI Light, SIMSUN.TTC,SimSun, MSJHL.TTC,Microsoft Jhenghei UI Light, MEIRYO.TTC,Meiryo UI, MALGUNSL.TTF,Malgun Gothic Semilight,128,96, MALGUNSL.TTF,Malgun Gothic Semilight, YUGOTHL.TTC,Yu Gothic UI Light,128,96, YUGOTHL.TTC,Yu Gothic UI Light, SEGUISYM.TTF,Segoe UI Symbol 10:27:55,0025993 NOTEPAD.EXE 2604 RegEnumValue HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink BUFFER OVERFLOW Index: 42, Length: 220 10:27:55,0026844 NOTEPAD.EXE 2604 RegEnumValue HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink SUCCESS Index: 42, Name: Yu Gothic UI, Type: REG_MULTI_SZ, Length: 258, Data: SEGOEUI.TTF,Segoe UI, MSJH.TTC,Microsoft JhengHei, MSYH.TTC,Microsoft YaHei, MALGUN.TTF,Malgun Gothic, SEGUISYM.TTF,Segoe UI Symbol 10:27:55,0028391 NOTEPAD.EXE 2604 RegEnumValue HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink BUFFER OVERFLOW Index: 43, Length: 220 10:27:55,0029288 NOTEPAD.EXE 2604 RegEnumValue HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink SUCCESS Index: 43, Name: Yu Gothic UI Bold, Type: REG_MULTI_SZ, Length: 318, Data: SEGOEUIB.TTF,Segoe UI Bold, MSJHBD.TTC,Microsoft Jhenghei UI Bold, MSYHBD.TTC,Microsoft YaHei Bold, MALGUNBD.TTF,Malgun Gothic Bold, SEGUISYM.TTF,Segoe UI Symbol 10:27:55,0030431 NOTEPAD.EXE 2604 RegEnumValue HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink BUFFER OVERFLOW Index: 44, Length: 220 10:27:55,0034808 NOTEPAD.EXE 2604 RegEnumValue HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink SUCCESS Index: 44, Name: Yu Gothic UI Light, Type: REG_MULTI_SZ, Length: 330, Data: SEGOEUIL.TTF,Segoe UI Light, MSJHL.TTC,Microsoft Jhenghei UI Light, MSYHL.TTC,Microsoft YaHei Light, MALGUNSL.TTF,Malgun Gothic Semilight, SEGUISYM.TTF,Segoe UI Symbol 10:27:55,0039294 NOTEPAD.EXE 2604 RegEnumValue HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink BUFFER OVERFLOW Index: 45, Length: 220 10:27:55,0040174 NOTEPAD.EXE 2604 RegEnumValue HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink SUCCESS Index: 45, Name: Yu Gothic UI Semilight, Type: REG_MULTI_SZ, Length: 312, Data: SEGOEUISL.TTF,Segoe UI Semilight, MSJH.TTC,Microsoft Jhenghei UI, MSYH.TTC,Microsoft YaHei, MALGUNSL.TTF,Malgun Gothic Semilight, SEGUISYM.TTF,Segoe UI Symbol 10:27:55,0041622 NOTEPAD.EXE 2604 RegEnumValue HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink BUFFER OVERFLOW Index: 46, Length: 220 10:27:55,0042217 NOTEPAD.EXE 2604 RegEnumValue HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink SUCCESS Index: 46, Name: Yu Gothic UI Semibold, Type: REG_MULTI_SZ, Length: 282, Data: SEGUISB.TTF,Segoe UI Semibold, MSJH.TTC,Microsoft Jhenghei UI, MSYH.TTC,Microsoft YaHei, MALGUN.TTF,Malgun Gothic, SEGUISYM.TTF,Segoe UI Symbol 10:27:55,0043372 NOTEPAD.EXE 2604 RegEnumValue HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink BUFFER OVERFLOW Index: 47, Length: 220 10:27:55,0043944 NOTEPAD.EXE 2604 RegEnumValue HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink SUCCESS Index: 47, Name: Meiryo, Type: REG_MULTI_SZ, Length: 678, Data: SEGOEUI.TTF,Segoe UI,133,83, SEGOEUI.TTF,Segoe UI, YUGOTHM.TTC,Yu Gothic UI,128,96, YUGOTHM.TTC,Yu Gothic UI, MSGOTHIC.TTC,MS UI Gothic, MSJH.TTC,Microsoft Jhenghei,128,96, MSJH.TTC,Microsoft JhengHei, MSYH.TTC,Microsoft YaHei,128,96, MSYH.TTC,Microsoft YaHei, MALGUN.TTF,Malgun Gothic,128,96, MALGUN.TTF,Malgun Gothic, SEGUISYM.TTF,Segoe UI Symbol 10:27:55,0045034 NOTEPAD.EXE 2604 RegEnumValue HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink BUFFER OVERFLOW Index: 48, Length: 220 10:27:55,0045845 NOTEPAD.EXE 2604 RegEnumValue HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink SUCCESS Index: 48, Name: Meiryo Bold, Type: REG_MULTI_SZ, Length: 806, Data: SEGOEUIB.TTF,Segoe UI Bold,133,83, SEGOEUIB.TTF,Segoe UI Bold, YUGOTHB.TTC,Yu Gothic UI Bold,128,96, YUGOTHB.TTC,Yu Gothic UI Bold, MSGOTHIC.TTC,MS UI Gothic, MSJHBD.TTC,Microsoft Jhenghei Bold,128,96, MSJHBD.TTC,Microsoft Jhenghei Bold, MSYHBD.TTC,Microsoft YaHei Bold,128,96, MSYHBD.TTC,Microsoft YaHei Bold, MALGUNBD.TTF,Malgun Gothic Bold,128,96, MALGUNBD.TTF,Malgun Gothic Bold, SEGUISYM.TTF,Segoe UI Symbol 10:27:55,0046942 NOTEPAD.EXE 2604 RegEnumValue HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink BUFFER OVERFLOW Index: 49, Length: 220 10:27:55,0048208 NOTEPAD.EXE 2604 RegEnumValue HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink SUCCESS Index: 49, Name: Meiryo UI, Type: REG_MULTI_SZ, Length: 702, Data: SEGOEUI.TTF,Segoe UI,133,83, SEGOEUI.TTF,Segoe UI, YUGOTHM.TTC,Yu Gothic UI,128,96, YUGOTHM.TTC,Yu Gothic UI, MSGOTHIC.TTC,MS UI Gothic, MSJH.TTC,Microsoft Jhenghei UI,128,96, MSJH.TTC,Microsoft Jhenghei UI, MSYH.TTC,Microsoft YaHei UI,128,96, MSYH.TTC,Microsoft YaHei UI, MALGUN.TTF,Malgun Gothic,128,96, MALGUN.TTF,Malgun Gothic, SEGUISYM.TTF,Segoe UI Symbol 10:27:55,0050603 NOTEPAD.EXE 2604 RegEnumValue HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink BUFFER OVERFLOW Index: 50, Length: 220 10:27:55,0052729 NOTEPAD.EXE 2604 RegEnumValue HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink SUCCESS Index: 50, Name: Meiryo UI Bold, Type: REG_MULTI_SZ, Length: 830, Data: SEGOEUIB.TTF,Segoe UI Bold,133,83, SEGOEUIB.TTF,Segoe UI Bold, YUGOTHB.TTC,Yu Gothic UI Bold,128,96, YUGOTHB.TTC,Yu Gothic UI Bold, MSGOTHIC.TTC,MS UI Gothic, MSJHBD.TTC,Microsoft Jhenghei UI Bold,128,96, MSJHBD.TTC,Microsoft Jhenghei UI Bold, MSYHBD.TTC,Microsoft YaHei UI Bold,128,96, MSYHBD.TTC,Microsoft YaHei UI Bold, MALGUNBD.TTF,Malgun Gothic Bold,128,96, MALGUNBD.TTF,Malgun Gothic Bold, SEGUISYM.TTF,Segoe UI Symbol 10:27:55,0054120 NOTEPAD.EXE 2604 RegEnumValue HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink BUFFER OVERFLOW Index: 51, Length: 220 10:27:55,0054806 NOTEPAD.EXE 2604 RegEnumValue HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink SUCCESS Index: 51, Name: MS Gothic, Type: REG_MULTI_SZ, Length: 392, Data: MINGLIU.TTC,MingLiU, SIMSUN.TTC,SimSun, GULIM.TTC,GulimChe, YUGOTHM.TTC,Yu Gothic UI, MSJH.TTC,Microsoft JhengHei UI, MSYH.TTC,Microsoft YaHei UI, MALGUN.TTF,Malgun Gothic, SEGUISYM.TTF,Segoe UI Symbol 10:27:55,0056299 NOTEPAD.EXE 2604 RegEnumValue HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink BUFFER OVERFLOW Index: 52, Length: 220 10:27:55,0056901 NOTEPAD.EXE 2604 RegEnumValue HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink SUCCESS Index: 52, Name: MS PGothic, Type: REG_MULTI_SZ, Length: 388, Data: MINGLIU.TTC,PMingLiU, SIMSUN.TTC,SimSun, GULIM.TTC,Gulim, YUGOTHM.TTC,Yu Gothic UI, MSJH.TTC,Microsoft JhengHei UI, MSYH.TTC,Microsoft YaHei UI, MALGUN.TTF,Malgun Gothic, SEGUISYM.TTF,Segoe UI Symbol 10:27:55,0058990 NOTEPAD.EXE 2604 RegEnumValue HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink BUFFER OVERFLOW Index: 53, Length: 220 10:27:55,0059639 NOTEPAD.EXE 2604 RegEnumValue HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink SUCCESS Index: 53, Name: MS UI Gothic, Type: REG_MULTI_SZ, Length: 536, Data: MICROSS.TTF,Microsoft Sans Serif,128,142, MICROSS.TTF,Microsoft Sans Serif, MINGLIU.TTC,PMingLiU, SIMSUN.TTC,SimSun, GULIM.TTC,Gulim, YUGOTHM.TTC,Yu Gothic UI, MSJH.TTC,Microsoft JhengHei UI, MSYH.TTC,Microsoft YaHei UI, MALGUN.TTF,Malgun Gothic, SEGUISYM.TTF,Segoe UI Symbol 10:27:55,0060788 NOTEPAD.EXE 2604 RegEnumValue HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink BUFFER OVERFLOW Index: 54, Length: 220 10:27:55,0061334 NOTEPAD.EXE 2604 RegEnumValue HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink SUCCESS Index: 54, Name: MS Mincho, Type: REG_MULTI_SZ, Length: 390, Data: MINGLIU.TTC,MingLiU, SIMSUN.TTC,SimSun, BATANG.TTC,Batang, YUGOTHM.TTC,Yu Gothic UI, MSJH.TTC,Microsoft JhengHei UI, MSYH.TTC,Microsoft YaHei UI, MALGUN.TTF,Malgun Gothic, SEGUISYM.TTF,Segoe UI Symbol 10:27:55,0062496 NOTEPAD.EXE 2604 RegEnumValue HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink BUFFER OVERFLOW Index: 55, Length: 220 10:27:55,0063093 NOTEPAD.EXE 2604 RegEnumValue HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink SUCCESS Index: 55, Name: MS PMincho, Type: REG_MULTI_SZ, Length: 392, Data: MINGLIU.TTC,PMingLiU, SIMSUN.TTC,SimSun, BATANG.TTC,Batang, YUGOTHM.TTC,Yu Gothic UI, MSJH.TTC,Microsoft JhengHei UI, MSYH.TTC,Microsoft YaHei UI, MALGUN.TTF,Malgun Gothic, SEGUISYM.TTF,Segoe UI Symbol 10:27:55,0064159 NOTEPAD.EXE 2604 RegEnumValue HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink BUFFER OVERFLOW Index: 56, Length: 220 10:27:55,0064711 NOTEPAD.EXE 2604 RegEnumValue HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink SUCCESS Index: 56, Name: Batang, Type: REG_MULTI_SZ, Length: 404, Data: MSMINCHO.TTC,MS PMincho, MINGLIU.TTC,PMingLiU, SIMSUN.TTC,SimSun, MALGUN.TTF,Malgun Gothic, YUGOTHM.TTC,Yu Gothic UI, MSJH.TTC,Microsoft JhengHei UI, MSYH.TTC,Microsoft YaHei UI, SEGUISYM.TTF,Segoe UI Symbol 10:27:55,0066518 NOTEPAD.EXE 2604 RegEnumValue HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink BUFFER OVERFLOW Index: 57, Length: 220 10:27:55,0067228 NOTEPAD.EXE 2604 RegEnumValue HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink SUCCESS Index: 57, Name: BatangChe, Type: REG_MULTI_SZ, Length: 400, Data: MSMINCHO.TTC,MS Mincho, MINGLIU.TTC,MingLiU, SIMSUN.TTC,SimSun, MALGUN.TTF,Malgun Gothic, YUGOTHM.TTC,Yu Gothic UI, MSJH.TTC,Microsoft JhengHei UI, MSYH.TTC,Microsoft YaHei UI, SEGUISYM.TTF,Segoe UI Symbol 10:27:55,0068566 NOTEPAD.EXE 2604 RegEnumValue HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink BUFFER OVERFLOW Index: 58, Length: 220 10:27:55,0069127 NOTEPAD.EXE 2604 RegEnumValue HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink SUCCESS Index: 58, Name: Dotum, Type: REG_MULTI_SZ, Length: 408, Data: MSGOTHIC.TTC,MS UI Gothic, MINGLIU.TTC,PMingLiU, SIMSUN.TTC,SimSun, MALGUN.TTF,Malgun Gothic, YUGOTHM.TTC,Yu Gothic UI, MSJH.TTC,Microsoft JhengHei UI, MSYH.TTC,Microsoft YaHei UI, SEGUISYM.TTF,Segoe UI Symbol 10:27:55,0070823 NOTEPAD.EXE 2604 RegEnumValue HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink BUFFER OVERFLOW Index: 59, Length: 220 10:27:55,0071402 NOTEPAD.EXE 2604 RegEnumValue HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink SUCCESS Index: 59, Name: DotumChe, Type: REG_MULTI_SZ, Length: 400, Data: MSGOTHIC.TTC,MS Gothic, MINGLIU.TTC,MingLiU, SIMSUN.TTC,SimSun, MALGUN.TTF,Malgun Gothic, YUGOTHM.TTC,Yu Gothic UI, MSJH.TTC,Microsoft JhengHei UI, MSYH.TTC,Microsoft YaHei UI, SEGUISYM.TTF,Segoe UI Symbol 10:27:55,0072568 NOTEPAD.EXE 2604 RegEnumValue HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink BUFFER OVERFLOW Index: 60, Length: 220 10:27:55,0073136 NOTEPAD.EXE 2604 RegEnumValue HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink SUCCESS Index: 60, Name: Gulim, Type: REG_MULTI_SZ, Length: 556, Data: MICROSS.TTF,Microsoft Sans Serif,128,140, MICROSS.TTF,Microsoft Sans Serif, MSGOTHIC.TTC,MS UI Gothic, MINGLIU.TTC,PMingLiU, SIMSUN.TTC,SimSun, MALGUN.TTF,Malgun Gothic, YUGOTHM.TTC,Yu Gothic UI, MSJH.TTC,Microsoft JhengHei UI, MSYH.TTC,Microsoft YaHei UI, SEGUISYM.TTF,Segoe UI Symbol 10:27:55,0074251 NOTEPAD.EXE 2604 RegEnumValue HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink BUFFER OVERFLOW Index: 61, Length: 220 10:27:55,0074806 NOTEPAD.EXE 2604 RegEnumValue HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink SUCCESS Index: 61, Name: GulimChe, Type: REG_MULTI_SZ, Length: 400, Data: MSGOTHIC.TTC,MS Gothic, MINGLIU.TTC,MingLiU, SIMSUN.TTC,SimSun, MALGUN.TTF,Malgun Gothic, YUGOTHM.TTC,Yu Gothic UI, MSJH.TTC,Microsoft JhengHei UI, MSYH.TTC,Microsoft YaHei UI, SEGUISYM.TTF,Segoe UI Symbol 10:27:55,0076020 NOTEPAD.EXE 2604 RegEnumValue HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink BUFFER OVERFLOW Index: 62, Length: 220 10:27:55,0076572 NOTEPAD.EXE 2604 RegEnumValue HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink SUCCESS Index: 62, Name: Gungsuh, Type: REG_MULTI_SZ, Length: 404, Data: MSMINCHO.TTC,MS PMincho, MINGLIU.TTC,PMingLiU, SIMSUN.TTC,SimSun, MALGUN.TTF,Malgun Gothic, YUGOTHM.TTC,Yu Gothic UI, MSJH.TTC,Microsoft JhengHei UI, MSYH.TTC,Microsoft YaHei UI, SEGUISYM.TTF,Segoe UI Symbol 10:27:55,0077617 NOTEPAD.EXE 2604 RegEnumValue HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink BUFFER OVERFLOW Index: 63, Length: 220 10:27:55,0078168 NOTEPAD.EXE 2604 RegEnumValue HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink SUCCESS Index: 63, Name: GungsuhChe, Type: REG_MULTI_SZ, Length: 400, Data: MSMINCHO.TTC,MS Mincho, MINGLIU.TTC,MingLiU, SIMSUN.TTC,SimSun, MALGUN.TTF,Malgun Gothic, YUGOTHM.TTC,Yu Gothic UI, MSJH.TTC,Microsoft JhengHei UI, MSYH.TTC,Microsoft YaHei UI, SEGUISYM.TTF,Segoe UI Symbol 10:27:55,0079301 NOTEPAD.EXE 2604 RegEnumValue HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink BUFFER OVERFLOW Index: 64, Length: 220 10:27:55,0079880 NOTEPAD.EXE 2604 RegEnumValue HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink SUCCESS Index: 64, Name: Malgun Gothic, Type: REG_MULTI_SZ, Length: 666, Data: SEGOEUI.TTF,Segoe UI,130,81, SEGOEUI.TTF,Segoe UI, GULIM.TTC,Gulim, MEIRYO.TTC,Meiryo UI,128,96, MEIRYO.TTC,Meiryo UI, MSJH.TTC,Microsoft Jhenghei UI,128,96, MSJH.TTC,Microsoft Jhenghei UI, MSYH.TTC,Microsoft YaHei UI,128,96, MSYH.TTC,Microsoft YaHei UI, YUGOTHM.TTC,Yu Gothic UI,128,96, YUGOTHM.TTC,Yu Gothic UI, SEGUISYM.TTF,Segoe UI Symbol 10:27:55,0080974 NOTEPAD.EXE 2604 RegEnumValue HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink BUFFER OVERFLOW Index: 65, Length: 220 10:27:55,0081536 NOTEPAD.EXE 2604 RegEnumValue HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink SUCCESS Index: 65, Name: Malgun Gothic Bold, Type: REG_MULTI_SZ, Length: 790, Data: SEGOEUIB.TTF,Segoe UI Bold,130,81, SEGOEUIB.TTF,Segoe UI Bold, GULIM.TTC,Gulim, MEIRYOB.TTC,Meiryo UI Bold,128,96, MEIRYOB.TTC,Meiryo UI Bold, MSJHBD.TTC,Microsoft Jhenghei UI Bold,128,96, MSJHBD.TTC,Microsoft Jhenghei UI Bold, MSYHBD.TTC,Microsoft YaHei UI Bold,128,96, MSYHBD.TTC,Microsoft YaHei UI Bold, YUGOTHB.TTC,Yu Gothic UI Bold,128,96, YUGOTHB.TTC,Yu Gothic UI Bold, SEGUISYM.TTF,Segoe UI Symbol 10:27:55,0083354 NOTEPAD.EXE 2604 RegEnumValue HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink BUFFER OVERFLOW Index: 66, Length: 220 10:27:55,0084036 NOTEPAD.EXE 2604 RegEnumValue HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink SUCCESS Index: 66, Name: Malgun Gothic Semilight, Type: REG_MULTI_SZ, Length: 754, Data: SEGOEUISL.TTF,Segoe UI Semilight,130,81, SEGOEUISL.TTF,Segoe UI Semilight, GULIM.TTC,Gulim, MEIRYO.TTC,Meiryo UI,128,96, MEIRYO.TTC,Meiryo UI, MSJH.TTC,Microsoft Jhenghei UI,128,96, MSJH.TTC,Microsoft Jhenghei UI, MSYH.TTC,Microsoft YaHei UI,128,96, MSYH.TTC,Microsoft YaHei UI, YUGOTHR.TTC,Yu Gothic UI Semilight,128,96, YUGOTHR.TTC,Yu Gothic UI Semilight, SEGUISYM.TTF,Segoe UI Symbol 10:27:55,0085398 NOTEPAD.EXE 2604 RegEnumValue HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink NO MORE ENTRIES Index: 67, Length: 220 10:27:55,0086060 NOTEPAD.EXE 2604 RegCloseKey HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink SUCCESS 10:27:55,0091400 NOTEPAD.EXE 2604 RegQueryKey HKLM SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,0092252 NOTEPAD.EXE 2604 RegOpenKey HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0 SUCCESS Desired Access: Query Value 10:27:55,0093215 NOTEPAD.EXE 2604 RegSetInfoKey HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0 SUCCESS KeySetInformationClass: KeySetHandleTagsInformation, Length: 0 10:27:55,0093759 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\Disable NAME NOT FOUND Length: 16 10:27:55,0094414 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\DataFilePath SUCCESS Type: REG_SZ, Length: 66, Data: C:\Windows\Fonts\staticcache.dat 10:27:55,0095048 NOTEPAD.EXE 2604 RegCloseKey HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0 SUCCESS 10:27:55,0098757 NOTEPAD.EXE 2604 CreateFile C:\Windows\Fonts\StaticCache.dat SUCCESS Desired Access: Generic Read, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, Delete, AllocationSize: n/a, OpenResult: Opened 10:27:55,0100194 NOTEPAD.EXE 2604 QueryStandardInformationFile C:\Windows\Fonts\StaticCache.dat SUCCESS AllocationSize: 8.699.904, EndOfFile: 19.267.584, NumberOfLinks: 2, DeletePending: False, Directory: False 10:27:55,0101048 NOTEPAD.EXE 2604 ReadFile C:\Windows\Fonts\StaticCache.dat SUCCESS Offset: 0, Length: 60, Priority: Normal 10:27:55,0101984 NOTEPAD.EXE 2604 CreateFileMapping C:\Windows\Fonts\StaticCache.dat FILE LOCKED WITH ONLY READERS SyncType: SyncTypeCreateSection, PageProtection: PAGE_EXECUTE_WRITECOPY 10:27:55,0103517 NOTEPAD.EXE 2604 QueryStandardInformationFile C:\Windows\Fonts\StaticCache.dat SUCCESS AllocationSize: 8.699.904, EndOfFile: 19.267.584, NumberOfLinks: 2, DeletePending: False, Directory: False 10:27:55,0104876 NOTEPAD.EXE 2604 CreateFileMapping C:\Windows\Fonts\StaticCache.dat SUCCESS SyncType: SyncTypeOther 10:27:55,0133645 NOTEPAD.EXE 2604 CreateFile C:\Windows\System32\TextShaping.dll SUCCESS Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened 10:27:55,0134793 NOTEPAD.EXE 2604 QueryBasicInformationFile C:\Windows\System32\TextShaping.dll SUCCESS CreationTime: 16/10/2021 10:33:50, LastAccessTime: 09/08/2023 10:27:53, LastWriteTime: 16/10/2021 10:33:50, ChangeTime: 09/08/2023 10:02:42, FileAttributes: A 10:27:55,0135711 NOTEPAD.EXE 2604 CloseFile C:\Windows\System32\TextShaping.dll SUCCESS 10:27:55,0140590 NOTEPAD.EXE 2604 CreateFile C:\Windows\System32\TextShaping.dll SUCCESS Desired Access: Read Data/List Directory, Execute/Traverse, Synchronize, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, Delete, AllocationSize: n/a, OpenResult: Opened 10:27:55,0142016 NOTEPAD.EXE 2604 CreateFileMapping C:\Windows\System32\TextShaping.dll FILE LOCKED WITH ONLY READERS SyncType: SyncTypeCreateSection, PageProtection: PAGE_EXECUTE_WRITECOPY 10:27:55,0143410 NOTEPAD.EXE 2604 CreateFileMapping C:\Windows\System32\TextShaping.dll SUCCESS SyncType: SyncTypeOther 10:27:55,0150936 NOTEPAD.EXE 2604 Load Image C:\Windows\System32\TextShaping.dll SUCCESS Image Base: 0x7ffb57be0000, Image Size: 0xac000 10:27:55,0153220 NOTEPAD.EXE 2604 CloseFile C:\Windows\System32\TextShaping.dll SUCCESS 10:27:55,0169382 NOTEPAD.EXE 2604 RegQueryKey HKLM SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,0170022 NOTEPAD.EXE 2604 RegOpenKey HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback SUCCESS Desired Access: Query Value 10:27:55,0171072 NOTEPAD.EXE 2604 RegSetInfoKey HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback SUCCESS KeySetInformationClass: KeySetHandleTagsInformation, Length: 0 10:27:55,0171709 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane1 NAME NOT FOUND Length: 53 10:27:55,0172335 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane2 SUCCESS Type: REG_SZ, Length: 24, Data: SimSun-ExtB 10:27:55,0172981 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane2 SUCCESS Type: REG_SZ, Length: 24, Data: SimSun-ExtB 10:27:55,0173682 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane3 NAME NOT FOUND Length: 53 10:27:55,0174269 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane4 NAME NOT FOUND Length: 53 10:27:55,0174829 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane5 NAME NOT FOUND Length: 53 10:27:55,0175417 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane6 NAME NOT FOUND Length: 53 10:27:55,0175970 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane7 NAME NOT FOUND Length: 53 10:27:55,0176554 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane8 NAME NOT FOUND Length: 53 10:27:55,0177265 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane9 NAME NOT FOUND Length: 53 10:27:55,0179897 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane10 NAME NOT FOUND Length: 53 10:27:55,0181003 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane11 NAME NOT FOUND Length: 53 10:27:55,0181722 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane12 NAME NOT FOUND Length: 53 10:27:55,0182648 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane13 NAME NOT FOUND Length: 53 10:27:55,0183263 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane14 NAME NOT FOUND Length: 53 10:27:55,0183845 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane15 NAME NOT FOUND Length: 53 10:27:55,0184524 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane16 NAME NOT FOUND Length: 53 10:27:55,0185203 NOTEPAD.EXE 2604 RegCloseKey HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback SUCCESS 10:27:55,0185895 NOTEPAD.EXE 2604 RegQueryKey HKLM SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,0186484 NOTEPAD.EXE 2604 RegOpenKey HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback SUCCESS Desired Access: Query Value, Enumerate Sub Keys 10:27:55,0187170 NOTEPAD.EXE 2604 RegSetInfoKey HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback SUCCESS KeySetInformationClass: KeySetHandleTagsInformation, Length: 0 10:27:55,0187866 NOTEPAD.EXE 2604 RegQueryKey HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback SUCCESS Query: Cached, SubKeys: 4, Values: 1 10:27:55,0188493 NOTEPAD.EXE 2604 RegEnumKey HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback SUCCESS Index: 0, Name: MingLiU 10:27:55,0189169 NOTEPAD.EXE 2604 RegEnumKey HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback SUCCESS Index: 1, Name: MingLiU_HKSCS 10:27:55,0189699 NOTEPAD.EXE 2604 RegEnumKey HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback SUCCESS Index: 2, Name: PMingLiU 10:27:55,0190210 NOTEPAD.EXE 2604 RegEnumKey HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback SUCCESS Index: 3, Name: SimSun 10:27:55,0193238 NOTEPAD.EXE 2604 RegQueryKey HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback SUCCESS Query: HandleTags, HandleTags: 0x100 10:27:55,0193878 NOTEPAD.EXE 2604 RegOpenKey HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Segoe UI NAME NOT FOUND Desired Access: Query Value 10:27:55,0194458 NOTEPAD.EXE 2604 RegQueryKey HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback BUFFER TOO SMALL Query: Name, Length: 0 10:27:55,0195021 NOTEPAD.EXE 2604 RegQueryKey HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback SUCCESS Query: Name 10:27:55,0195677 NOTEPAD.EXE 2604 RegOpenKey HKLM\SOFTWARE\Microsoft\AppModel\Lookaside\machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Segoe UI NAME NOT FOUND Desired Access: Read 10:27:55,0196336 NOTEPAD.EXE 2604 RegCloseKey HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback SUCCESS 10:27:55,0208561 NOTEPAD.EXE 2604 RegOpenKey HKLM\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Security.EnterpriseData.ProtectionPolicyManager SUCCESS Desired Access: Read 10:27:55,0209227 NOTEPAD.EXE 2604 RegQueryKey HKLM\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Security.EnterpriseData.ProtectionPolicyManager SUCCESS Query: Basic, Name: Windows.Security.EnterpriseData.ProtectionPolicyManager 10:27:55,0209732 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Security.EnterpriseData.ProtectionPolicyManager\ActivationType SUCCESS Type: REG_DWORD, Length: 4, Data: 0 10:27:55,0210180 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Security.EnterpriseData.ProtectionPolicyManager\Server NAME NOT FOUND Length: 144 10:27:55,0210576 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Security.EnterpriseData.ProtectionPolicyManager\DllPath SUCCESS Type: REG_EXPAND_SZ, Length: 84, Data: %SystemRoot%\system32\windows.storage.dll 10:27:55,0211135 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Security.EnterpriseData.ProtectionPolicyManager\Threading SUCCESS Type: REG_DWORD, Length: 4, Data: 0 10:27:55,0212393 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Security.EnterpriseData.ProtectionPolicyManager\TrustLevel SUCCESS Type: REG_DWORD, Length: 4, Data: 0 10:27:55,0212841 NOTEPAD.EXE 2604 RegQueryKey HKLM\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Security.EnterpriseData.ProtectionPolicyManager SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,0213239 NOTEPAD.EXE 2604 RegOpenKey HKLM\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Security.EnterpriseData.ProtectionPolicyManager\CustomAttributes NAME NOT FOUND Desired Access: Read 10:27:55,0213612 NOTEPAD.EXE 2604 RegQueryKey HKLM\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Security.EnterpriseData.ProtectionPolicyManager BUFFER TOO SMALL Query: Name, Length: 0 10:27:55,0214458 NOTEPAD.EXE 2604 RegQueryKey HKLM\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Security.EnterpriseData.ProtectionPolicyManager SUCCESS Query: Name 10:27:55,0215066 NOTEPAD.EXE 2604 RegOpenKey HKLM\SOFTWARE\Microsoft\AppModel\Lookaside\machine\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Security.EnterpriseData.ProtectionPolicyManager\CustomAttributes NAME NOT FOUND Desired Access: Read 10:27:55,0215889 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Security.EnterpriseData.ProtectionPolicyManager\RemoteServer NAME NOT FOUND Length: 144 10:27:55,0217631 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Security.EnterpriseData.ProtectionPolicyManager\ActivateAsUser NAME NOT FOUND Length: 16 10:27:55,0218886 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Security.EnterpriseData.ProtectionPolicyManager\ActivateInSharedBroker NAME NOT FOUND Length: 16 10:27:55,0219266 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Security.EnterpriseData.ProtectionPolicyManager\ActivateInBrokerForMediumILContainer NAME NOT FOUND Length: 16 10:27:55,0219959 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Security.EnterpriseData.ProtectionPolicyManager\Permissions NAME NOT FOUND Length: 140 10:27:55,0220278 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Security.EnterpriseData.ProtectionPolicyManager\ActivateOnHostFlags NAME NOT FOUND Length: 16 10:27:55,0220814 NOTEPAD.EXE 2604 RegCloseKey HKLM\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Security.EnterpriseData.ProtectionPolicyManager SUCCESS 10:27:55,0223928 NOTEPAD.EXE 2604 RegOpenKey HKLM\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Security.EnterpriseData.ProtectionPolicyManagerPrivatePT SUCCESS Desired Access: Read 10:27:55,0224479 NOTEPAD.EXE 2604 RegQueryKey HKLM\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Security.EnterpriseData.ProtectionPolicyManagerPrivatePT SUCCESS Query: Basic, Name: Windows.Security.EnterpriseData.ProtectionPolicyManagerPrivatePT 10:27:55,0225009 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Security.EnterpriseData.ProtectionPolicyManagerPrivatePT\ActivationType SUCCESS Type: REG_DWORD, Length: 4, Data: 0 10:27:55,0225380 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Security.EnterpriseData.ProtectionPolicyManagerPrivatePT\Server NAME NOT FOUND Length: 144 10:27:55,0226136 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Security.EnterpriseData.ProtectionPolicyManagerPrivatePT\DllPath SUCCESS Type: REG_SZ, Length: 62, Data: C:\Windows\System32\efswrt.dll 10:27:55,0226540 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Security.EnterpriseData.ProtectionPolicyManagerPrivatePT\Threading SUCCESS Type: REG_DWORD, Length: 4, Data: 0 10:27:55,0226959 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Security.EnterpriseData.ProtectionPolicyManagerPrivatePT\TrustLevel SUCCESS Type: REG_DWORD, Length: 4, Data: 1 10:27:55,0227329 NOTEPAD.EXE 2604 RegQueryKey HKLM\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Security.EnterpriseData.ProtectionPolicyManagerPrivatePT SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,0227679 NOTEPAD.EXE 2604 RegOpenKey HKLM\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Security.EnterpriseData.ProtectionPolicyManagerPrivatePT\CustomAttributes NAME NOT FOUND Desired Access: Read 10:27:55,0228032 NOTEPAD.EXE 2604 RegQueryKey HKLM\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Security.EnterpriseData.ProtectionPolicyManagerPrivatePT BUFFER TOO SMALL Query: Name, Length: 0 10:27:55,0228414 NOTEPAD.EXE 2604 RegQueryKey HKLM\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Security.EnterpriseData.ProtectionPolicyManagerPrivatePT SUCCESS Query: Name 10:27:55,0228881 NOTEPAD.EXE 2604 RegOpenKey HKLM\SOFTWARE\Microsoft\AppModel\Lookaside\machine\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Security.EnterpriseData.ProtectionPolicyManagerPrivatePT\CustomAttributes NAME NOT FOUND Desired Access: Read 10:27:55,0229370 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Security.EnterpriseData.ProtectionPolicyManagerPrivatePT\RemoteServer NAME NOT FOUND Length: 144 10:27:55,0229694 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Security.EnterpriseData.ProtectionPolicyManagerPrivatePT\ActivateAsUser NAME NOT FOUND Length: 16 10:27:55,0230387 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Security.EnterpriseData.ProtectionPolicyManagerPrivatePT\ActivateInSharedBroker NAME NOT FOUND Length: 16 10:27:55,0230798 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Security.EnterpriseData.ProtectionPolicyManagerPrivatePT\ActivateInBrokerForMediumILContainer NAME NOT FOUND Length: 16 10:27:55,0231211 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Security.EnterpriseData.ProtectionPolicyManagerPrivatePT\Permissions NAME NOT FOUND Length: 140 10:27:55,0231525 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Security.EnterpriseData.ProtectionPolicyManagerPrivatePT\ActivateOnHostFlags NAME NOT FOUND Length: 16 10:27:55,0232003 NOTEPAD.EXE 2604 RegCloseKey HKLM\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Security.EnterpriseData.ProtectionPolicyManagerPrivatePT SUCCESS 10:27:55,0241694 NOTEPAD.EXE 2604 CreateFile C:\Windows\System32\efswrt.dll SUCCESS Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened 10:27:55,0242889 NOTEPAD.EXE 2604 QueryBasicInformationFile C:\Windows\System32\efswrt.dll SUCCESS CreationTime: 10/08/2022 12:10:56, LastAccessTime: 09/08/2023 10:22:32, LastWriteTime: 10/08/2022 12:10:56, ChangeTime: 09/08/2023 10:13:14, FileAttributes: A 10:27:55,0243303 NOTEPAD.EXE 2604 CloseFile C:\Windows\System32\efswrt.dll SUCCESS 10:27:55,0246989 NOTEPAD.EXE 2604 CreateFile C:\Windows\System32\efswrt.dll SUCCESS Desired Access: Read Data/List Directory, Execute/Traverse, Synchronize, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, Delete, AllocationSize: n/a, OpenResult: Opened 10:27:55,0248372 NOTEPAD.EXE 2604 CreateFileMapping C:\Windows\System32\efswrt.dll FILE LOCKED WITH ONLY READERS SyncType: SyncTypeCreateSection, PageProtection: PAGE_EXECUTE_WRITECOPY|PAGE_NOCACHE 10:27:55,0251735 NOTEPAD.EXE 2604 CreateFileMapping C:\Windows\System32\efswrt.dll SUCCESS SyncType: SyncTypeOther 10:27:55,0258386 NOTEPAD.EXE 2604 Load Image C:\Windows\System32\efswrt.dll SUCCESS Image Base: 0x7ffb43140000, Image Size: 0xdd000 10:27:55,0261783 NOTEPAD.EXE 2604 CloseFile C:\Windows\System32\efswrt.dll SUCCESS 10:27:55,0269948 NOTEPAD.EXE 2604 CreateFile C:\Windows\System32\mpr.dll SUCCESS Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened 10:27:55,0270089 NOTEPAD.EXE 2604 CreateFile C:\Windows\System32\WinTypes.dll SUCCESS Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened 10:27:55,0271206 NOTEPAD.EXE 2604 QueryBasicInformationFile C:\Windows\System32\mpr.dll SUCCESS CreationTime: 13/07/2022 21:22:30, LastAccessTime: 09/08/2023 10:27:54, LastWriteTime: 13/07/2022 21:22:30, ChangeTime: 09/08/2023 10:13:14, FileAttributes: A 10:27:55,0271314 NOTEPAD.EXE 2604 QueryBasicInformationFile C:\Windows\System32\WinTypes.dll SUCCESS CreationTime: 12/04/2023 09:27:52, LastAccessTime: 09/08/2023 10:27:54, LastWriteTime: 12/04/2023 09:27:52, ChangeTime: 09/08/2023 10:13:14, FileAttributes: A 10:27:55,0271903 NOTEPAD.EXE 2604 CloseFile C:\Windows\System32\mpr.dll SUCCESS 10:27:55,0271927 NOTEPAD.EXE 2604 CloseFile C:\Windows\System32\WinTypes.dll SUCCESS 10:27:55,0276895 NOTEPAD.EXE 2604 CreateFile C:\Windows\System32\WinTypes.dll SUCCESS Desired Access: Read Data/List Directory, Execute/Traverse, Synchronize, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, Delete, AllocationSize: n/a, OpenResult: Opened 10:27:55,0277028 NOTEPAD.EXE 2604 CreateFile C:\Windows\System32\mpr.dll SUCCESS Desired Access: Read Data/List Directory, Execute/Traverse, Synchronize, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, Delete, AllocationSize: n/a, OpenResult: Opened 10:27:55,0278313 NOTEPAD.EXE 2604 CreateFileMapping C:\Windows\System32\WinTypes.dll FILE LOCKED WITH ONLY READERS SyncType: SyncTypeCreateSection, PageProtection: PAGE_EXECUTE_WRITECOPY|PAGE_NOCACHE 10:27:55,0278532 NOTEPAD.EXE 2604 CreateFileMapping C:\Windows\System32\mpr.dll FILE LOCKED WITH ONLY READERS SyncType: SyncTypeCreateSection, PageProtection: PAGE_EXECUTE_WRITECOPY|PAGE_NOCACHE 10:27:55,0279243 NOTEPAD.EXE 2604 CreateFileMapping C:\Windows\System32\WinTypes.dll SUCCESS SyncType: SyncTypeOther 10:27:55,0279382 NOTEPAD.EXE 2604 CreateFileMapping C:\Windows\System32\mpr.dll SUCCESS SyncType: SyncTypeOther 10:27:55,0286866 NOTEPAD.EXE 2604 Load Image C:\Windows\System32\WinTypes.dll SUCCESS Image Base: 0x7ffb5fda0000, Image Size: 0x154000 10:27:55,0287796 NOTEPAD.EXE 2604 Load Image C:\Windows\System32\mpr.dll SUCCESS Image Base: 0x7ffb5c420000, Image Size: 0x1d000 10:27:55,0289643 NOTEPAD.EXE 2604 CloseFile C:\Windows\System32\WinTypes.dll SUCCESS 10:27:55,0289978 NOTEPAD.EXE 2604 CloseFile C:\Windows\System32\mpr.dll SUCCESS 10:27:55,0293276 NOTEPAD.EXE 2604 RegQueryKey HKLM SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,0293727 NOTEPAD.EXE 2604 RegOpenKey HKLM\system\CurrentControlSet\control\NetworkProvider\HwOrder REPARSE Desired Access: Read 10:27:55,0294236 NOTEPAD.EXE 2604 RegOpenKey HKLM\System\CurrentControlSet\control\NetworkProvider\HwOrder SUCCESS Desired Access: Read 10:27:55,0294841 NOTEPAD.EXE 2604 RegQueryKey HKLM SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,0295218 NOTEPAD.EXE 2604 RegOpenKey HKLM\system\CurrentControlSet\control\NetworkProvider\ProviderOrder REPARSE Desired Access: Read 10:27:55,0295657 NOTEPAD.EXE 2604 RegOpenKey HKLM\System\CurrentControlSet\control\NetworkProvider\ProviderOrder SUCCESS Desired Access: Read 10:27:55,0297282 NOTEPAD.EXE 2604 RegQueryValue HKLM\System\CurrentControlSet\Control\WMI\Security\5eb60b36-6206-5538-e60a-0a7af8a1e59d NAME NOT FOUND Length: 528 10:27:55,0299204 NOTEPAD.EXE 2604 QueryNameInformationFile C:\Windows\System32\mpr.dll SUCCESS Name: \Windows\System32\mpr.dll 10:27:55,0301628 NOTEPAD.EXE 2604 RegQueryValue HKLM\System\CurrentControlSet\Control\WMI\Security\4e7add1a-6945-435a-82b6-612688ba9f57 NAME NOT FOUND Length: 528 10:27:55,0302961 NOTEPAD.EXE 2604 QueryNameInformationFile C:\Windows\System32\WinTypes.dll SUCCESS Name: \Windows\System32\WinTypes.dll 10:27:55,0305464 NOTEPAD.EXE 2604 ReadFile C:\Windows\System32\efswrt.dll SUCCESS Offset: 844.800, Length: 14.336, I/O Flags: Non-cached, Paging I/O, Synchronous Paging I/O, Priority: Normal 10:27:55,0309737 NOTEPAD.EXE 2604 ReadFile C:\Windows\System32\efswrt.dll SUCCESS Offset: 836.608, Length: 8.192, I/O Flags: Non-cached, Paging I/O, Synchronous Paging I/O, Priority: Normal 10:27:55,0312981 NOTEPAD.EXE 2604 ReadFile C:\Windows\System32\efswrt.dll SUCCESS Offset: 766.976, Length: 16.384, I/O Flags: Non-cached, Paging I/O, Synchronous Paging I/O, Priority: Normal 10:27:55,0316769 NOTEPAD.EXE 2604 RegQueryValue HKLM\System\CurrentControlSet\Control\WMI\Security\c755ef4d-de1c-4e7d-a10d-b8d1e26f5035 NAME NOT FOUND Length: 528 10:27:55,0319240 NOTEPAD.EXE 2604 RegQueryValue HKLM\System\CurrentControlSet\Control\WMI\Security\318bbc33-cdfd-42c0-b5e5-57ed92e8935f NAME NOT FOUND Length: 528 10:27:55,0320827 NOTEPAD.EXE 2604 RegQueryValue HKLM\System\CurrentControlSet\Control\WMI\Security\318bbc33-cdfd-42c0-b5e5-57ed92e8935f NAME NOT FOUND Length: 528 10:27:55,0322144 NOTEPAD.EXE 2604 QueryNameInformationFile C:\Windows\System32\efswrt.dll SUCCESS Name: \Windows\System32\efswrt.dll 10:27:55,0323518 NOTEPAD.EXE 2604 RegQueryValue HKLM\System\CurrentControlSet\Control\WMI\Security\703fcc13-b66f-5868-ddd9-e2db7f381ffb NAME NOT FOUND Length: 528 10:27:55,0324754 NOTEPAD.EXE 2604 QueryNameInformationFile C:\Windows\System32\efswrt.dll SUCCESS Name: \Windows\System32\efswrt.dll 10:27:55,0325794 NOTEPAD.EXE 2604 RegQueryValue HKLM\System\CurrentControlSet\Control\WMI\Security\3d1d28b1-73f5-5937-3446-0de4df173ff5 NAME NOT FOUND Length: 528 10:27:55,0327159 NOTEPAD.EXE 2604 QueryNameInformationFile C:\Windows\System32\efswrt.dll SUCCESS Name: \Windows\System32\efswrt.dll 10:27:55,0329486 NOTEPAD.EXE 2604 ReadFile C:\Windows\System32\efswrt.dll SUCCESS Offset: 783.360, Length: 16.384, I/O Flags: Non-cached, Paging I/O, Synchronous Paging I/O, Priority: Normal 10:27:55,0332793 NOTEPAD.EXE 2604 RegOpenKey HKLM\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.ApplicationModel.Core.CoreApplication SUCCESS Desired Access: Read 10:27:55,0333354 NOTEPAD.EXE 2604 RegQueryKey HKLM\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.ApplicationModel.Core.CoreApplication SUCCESS Query: Basic, Name: Windows.ApplicationModel.Core.CoreApplication 10:27:55,0333907 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.ApplicationModel.Core.CoreApplication\ActivationType SUCCESS Type: REG_DWORD, Length: 4, Data: 0 10:27:55,0335346 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.ApplicationModel.Core.CoreApplication\Server NAME NOT FOUND Length: 144 10:27:55,0336022 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.ApplicationModel.Core.CoreApplication\DllPath SUCCESS Type: REG_SZ, Length: 80, Data: C:\Windows\System32\twinapi.appcore.dll 10:27:55,0336548 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.ApplicationModel.Core.CoreApplication\Threading SUCCESS Type: REG_DWORD, Length: 4, Data: 0 10:27:55,0336907 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.ApplicationModel.Core.CoreApplication\TrustLevel SUCCESS Type: REG_DWORD, Length: 4, Data: 0 10:27:55,0337284 NOTEPAD.EXE 2604 RegQueryKey HKLM\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.ApplicationModel.Core.CoreApplication SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,0337737 NOTEPAD.EXE 2604 RegOpenKey HKLM\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.ApplicationModel.Core.CoreApplication\CustomAttributes NAME NOT FOUND Desired Access: Read 10:27:55,0338119 NOTEPAD.EXE 2604 RegQueryKey HKLM\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.ApplicationModel.Core.CoreApplication BUFFER TOO SMALL Query: Name, Length: 0 10:27:55,0338514 NOTEPAD.EXE 2604 RegQueryKey HKLM\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.ApplicationModel.Core.CoreApplication SUCCESS Query: Name 10:27:55,0339099 NOTEPAD.EXE 2604 RegOpenKey HKLM\SOFTWARE\Microsoft\AppModel\Lookaside\machine\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.ApplicationModel.Core.CoreApplication\CustomAttributes NAME NOT FOUND Desired Access: Read 10:27:55,0339627 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.ApplicationModel.Core.CoreApplication\RemoteServer NAME NOT FOUND Length: 144 10:27:55,0339991 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.ApplicationModel.Core.CoreApplication\ActivateAsUser NAME NOT FOUND Length: 16 10:27:55,0340504 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.ApplicationModel.Core.CoreApplication\ActivateInSharedBroker NAME NOT FOUND Length: 16 10:27:55,0340827 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.ApplicationModel.Core.CoreApplication\ActivateInBrokerForMediumILContainer NAME NOT FOUND Length: 16 10:27:55,0341222 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.ApplicationModel.Core.CoreApplication\Permissions NAME NOT FOUND Length: 140 10:27:55,0341536 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.ApplicationModel.Core.CoreApplication\ActivateOnHostFlags NAME NOT FOUND Length: 16 10:27:55,0342065 NOTEPAD.EXE 2604 RegCloseKey HKLM\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.ApplicationModel.Core.CoreApplication SUCCESS 10:27:55,0348753 NOTEPAD.EXE 2604 CreateFile C:\Windows\System32\twinapi.appcore.dll SUCCESS Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened 10:27:55,0349633 NOTEPAD.EXE 2604 QueryBasicInformationFile C:\Windows\System32\twinapi.appcore.dll SUCCESS CreationTime: 27/05/2023 17:50:51, LastAccessTime: 09/08/2023 10:27:54, LastWriteTime: 27/05/2023 17:50:51, ChangeTime: 09/08/2023 10:11:03, FileAttributes: A 10:27:55,0350051 NOTEPAD.EXE 2604 CloseFile C:\Windows\System32\twinapi.appcore.dll SUCCESS 10:27:55,0353640 NOTEPAD.EXE 2604 CreateFile C:\Windows\System32\twinapi.appcore.dll SUCCESS Desired Access: Read Data/List Directory, Execute/Traverse, Synchronize, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, Delete, AllocationSize: n/a, OpenResult: Opened 10:27:55,0354870 NOTEPAD.EXE 2604 CreateFileMapping C:\Windows\System32\twinapi.appcore.dll FILE LOCKED WITH ONLY READERS SyncType: SyncTypeCreateSection, PageProtection: PAGE_EXECUTE_WRITECOPY|PAGE_NOCACHE 10:27:55,0355865 NOTEPAD.EXE 2604 CreateFileMapping C:\Windows\System32\twinapi.appcore.dll SUCCESS SyncType: SyncTypeOther 10:27:55,0363358 NOTEPAD.EXE 2604 Load Image C:\Windows\System32\twinapi.appcore.dll SUCCESS Image Base: 0x7ffb5e4c0000, Image Size: 0x207000 10:27:55,0368304 NOTEPAD.EXE 2604 CloseFile C:\Windows\System32\twinapi.appcore.dll SUCCESS 10:27:55,0372016 NOTEPAD.EXE 2604 RegQueryValue HKLM\System\CurrentControlSet\Control\WMI\Security\bc71577f-76e9-583a-ecd6-62d0250d900f NAME NOT FOUND Length: 528 10:27:55,0373661 NOTEPAD.EXE 2604 QueryNameInformationFile C:\Windows\System32\twinapi.appcore.dll SUCCESS Name: \Windows\System32\twinapi.appcore.dll 10:27:55,0374702 NOTEPAD.EXE 2604 RegQueryValue HKLM\System\CurrentControlSet\Control\WMI\Security\072665fb-8953-5a85-931d-d06aeab3d109 NAME NOT FOUND Length: 528 10:27:55,0375986 NOTEPAD.EXE 2604 QueryNameInformationFile C:\Windows\System32\twinapi.appcore.dll SUCCESS Name: \Windows\System32\twinapi.appcore.dll 10:27:55,0378426 NOTEPAD.EXE 2604 RegQueryValue HKLM\System\CurrentControlSet\Control\WMI\Security\a9da4dcc-e78e-5ce7-4078-411a9928f082 NAME NOT FOUND Length: 528 10:27:55,0379692 NOTEPAD.EXE 2604 QueryNameInformationFile C:\Windows\System32\twinapi.appcore.dll SUCCESS Name: \Windows\System32\twinapi.appcore.dll 10:27:55,0381470 NOTEPAD.EXE 2604 Thread Create SUCCESS Thread ID: 2936 10:27:55,0383656 NOTEPAD.EXE 2604 RegOpenKey HKLM\Software\Microsoft\Rpc\Extensions SUCCESS Desired Access: Read 10:27:55,0384172 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Rpc\Extensions\NdrOleExtDLL SUCCESS Type: REG_EXPAND_SZ, Length: 24, Data: combase.dll 10:27:55,0384582 NOTEPAD.EXE 2604 RegCloseKey HKLM\SOFTWARE\Microsoft\Rpc\Extensions SUCCESS 10:27:55,0385523 NOTEPAD.EXE 2604 RegQueryKey HKLM SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,0386006 NOTEPAD.EXE 2604 RegOpenKey HKLM\Software\Microsoft\Rpc SUCCESS Desired Access: Read 10:27:55,0386453 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Rpc\MaxRpcSize NAME NOT FOUND Length: 16 10:27:55,0386850 NOTEPAD.EXE 2604 RegCloseKey HKLM\SOFTWARE\Microsoft\Rpc SUCCESS 10:27:55,0387817 NOTEPAD.EXE 2604 RegOpenKey HKLM\System\CurrentControlSet\Services\CCG REPARSE Desired Access: Read 10:27:55,0388247 NOTEPAD.EXE 2604 RegOpenKey HKLM\System\CurrentControlSet\Services\CCG NAME NOT FOUND Desired Access: Read 10:27:55,0388693 NOTEPAD.EXE 2604 RegOpenKey HKLM\System\CurrentControlSet\Services\CCG REPARSE Desired Access: Read 10:27:55,0389204 NOTEPAD.EXE 2604 RegOpenKey HKLM\System\CurrentControlSet\Services\CCG NAME NOT FOUND Desired Access: Read 10:27:55,0389700 NOTEPAD.EXE 2604 RegOpenKey HKLM\System\CurrentControlSet\Control\ComputerName\ActiveComputerName REPARSE Desired Access: Read 10:27:55,0390137 NOTEPAD.EXE 2604 RegOpenKey HKLM\System\CurrentControlSet\Control\ComputerName\ActiveComputerName SUCCESS Desired Access: Read 10:27:55,0390564 NOTEPAD.EXE 2604 RegQueryValue HKLM\System\CurrentControlSet\Control\ComputerName\ActiveComputerName\ComputerName SUCCESS Type: REG_SZ, Length: 32, Data: DESKTOP-T0H8SRB 10:27:55,0390936 NOTEPAD.EXE 2604 RegCloseKey HKLM\System\CurrentControlSet\Control\ComputerName\ActiveComputerName SUCCESS 10:27:55,0391297 NOTEPAD.EXE 2604 RegOpenKey HKLM\System\Setup SUCCESS Desired Access: Read 10:27:55,0391653 NOTEPAD.EXE 2604 RegQueryValue HKLM\SYSTEM\Setup\OOBEInProgress SUCCESS Type: REG_DWORD, Length: 4, Data: 0 10:27:55,0392026 NOTEPAD.EXE 2604 RegCloseKey HKLM\SYSTEM\Setup SUCCESS 10:27:55,0392535 NOTEPAD.EXE 2604 RegOpenKey HKLM\System\Setup SUCCESS Desired Access: Read 10:27:55,0392870 NOTEPAD.EXE 2604 RegQueryValue HKLM\SYSTEM\Setup\SystemSetupInProgress SUCCESS Type: REG_DWORD, Length: 4, Data: 0 10:27:55,0393199 NOTEPAD.EXE 2604 RegCloseKey HKLM\SYSTEM\Setup SUCCESS 10:27:55,0393543 NOTEPAD.EXE 2604 RegOpenKey HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NOTEPAD.EXE NAME NOT FOUND Desired Access: Query Value, Enumerate Sub Keys 10:27:55,0394815 NOTEPAD.EXE 2604 RegQueryKey HKLM SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,0395164 NOTEPAD.EXE 2604 RegOpenKey HKLM\Software\Policies\Microsoft\Windows NT\Rpc NAME NOT FOUND Desired Access: Read 10:27:55,0395567 NOTEPAD.EXE 2604 RegQueryKey HKLM BUFFER TOO SMALL Query: Name, Length: 0 10:27:55,0395979 NOTEPAD.EXE 2604 RegQueryKey HKLM SUCCESS Query: Name 10:27:55,0396390 NOTEPAD.EXE 2604 RegOpenKey HKLM\SOFTWARE\Microsoft\AppModel\Lookaside\machine\Software\Policies\Microsoft\Windows NT\Rpc NAME NOT FOUND Desired Access: Read 10:27:55,0397508 NOTEPAD.EXE 2604 RegQueryKey HKLM SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,0400841 NOTEPAD.EXE 2604 RegOpenKey HKLM\Software\Microsoft\Rpc SUCCESS Desired Access: Query Value 10:27:55,0401339 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Rpc\IdleTimerWindow NAME NOT FOUND Length: 16 10:27:55,0401768 NOTEPAD.EXE 2604 RegCloseKey HKLM\SOFTWARE\Microsoft\Rpc SUCCESS 10:27:55,0406025 NOTEPAD.EXE 2604 RegOpenKey HKLM\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Foundation.Collections.PropertySet SUCCESS Desired Access: Read 10:27:55,0406522 NOTEPAD.EXE 2604 RegQueryKey HKLM\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Foundation.Collections.PropertySet SUCCESS Query: Basic, Name: Windows.Foundation.Collections.PropertySet 10:27:55,0407034 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Foundation.Collections.PropertySet\ActivationType SUCCESS Type: REG_DWORD, Length: 4, Data: 0 10:27:55,0407636 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Foundation.Collections.PropertySet\Server NAME NOT FOUND Length: 144 10:27:55,0408069 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Foundation.Collections.PropertySet\DllPath SUCCESS Type: REG_SZ, Length: 66, Data: C:\Windows\System32\WinTypes.dll 10:27:55,0408486 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Foundation.Collections.PropertySet\Threading SUCCESS Type: REG_DWORD, Length: 4, Data: 0 10:27:55,0408816 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Foundation.Collections.PropertySet\TrustLevel SUCCESS Type: REG_DWORD, Length: 4, Data: 0 10:27:55,0409234 NOTEPAD.EXE 2604 RegQueryKey HKLM\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Foundation.Collections.PropertySet SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,0409601 NOTEPAD.EXE 2604 RegOpenKey HKLM\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Foundation.Collections.PropertySet\CustomAttributes NAME NOT FOUND Desired Access: Read 10:27:55,0409981 NOTEPAD.EXE 2604 RegQueryKey HKLM\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Foundation.Collections.PropertySet BUFFER TOO SMALL Query: Name, Length: 0 10:27:55,0410638 NOTEPAD.EXE 2604 RegQueryKey HKLM\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Foundation.Collections.PropertySet SUCCESS Query: Name 10:27:55,0411423 NOTEPAD.EXE 2604 RegOpenKey HKLM\SOFTWARE\Microsoft\AppModel\Lookaside\machine\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Foundation.Collections.PropertySet\CustomAttributes NAME NOT FOUND Desired Access: Read 10:27:55,0411997 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Foundation.Collections.PropertySet\RemoteServer NAME NOT FOUND Length: 144 10:27:55,0412438 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Foundation.Collections.PropertySet\ActivateAsUser NAME NOT FOUND Length: 16 10:27:55,0412769 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Foundation.Collections.PropertySet\ActivateInSharedBroker NAME NOT FOUND Length: 16 10:27:55,0413149 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Foundation.Collections.PropertySet\ActivateInBrokerForMediumILContainer NAME NOT FOUND Length: 16 10:27:55,0413552 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Foundation.Collections.PropertySet\Permissions NAME NOT FOUND Length: 140 10:27:55,0413899 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Foundation.Collections.PropertySet\ActivateOnHostFlags NAME NOT FOUND Length: 16 10:27:55,0414569 NOTEPAD.EXE 2604 RegCloseKey HKLM\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Foundation.Collections.PropertySet SUCCESS 10:27:55,0416759 NOTEPAD.EXE 2604 RegQueryKey HKLM SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,0417809 NOTEPAD.EXE 2604 RegOpenKey HKLM\Software\Microsoft\XAML SUCCESS Desired Access: Query Value 10:27:55,0418346 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\XAML\OneCoreTransformsEnabledByDefault NAME NOT FOUND Length: 16 10:27:55,0418689 NOTEPAD.EXE 2604 RegCloseKey HKLM\SOFTWARE\Microsoft\XAML SUCCESS 10:27:55,0428464 NOTEPAD.EXE 2604 RegQueryValue HKLM\System\CurrentControlSet\Control\Notifications\418A073AA3BC8075 BUFFER TOO SMALL Length: 0 10:27:55,0429875 NOTEPAD.EXE 2604 RegQueryValue HKLM\System\CurrentControlSet\Control\Notifications\418A073AA3BC8075 SUCCESS Type: REG_BINARY, Length: 364, Data: 01 00 04 80 00 00 00 00 00 00 00 00 00 00 00 00 10:27:55,0431432 NOTEPAD.EXE 2604 RegOpenKey HKLM\SOFTWARE\Policies\Microsoft\Windows\Appx SUCCESS Desired Access: Read 10:27:55,0432172 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Policies\Microsoft\Windows\Appx\AllowDevelopmentWithoutDevLicense SUCCESS Type: REG_DWORD, Length: 4, Data: 65535 10:27:55,0432617 NOTEPAD.EXE 2604 RegCloseKey HKLM\SOFTWARE\Policies\Microsoft\Windows\Appx SUCCESS 10:27:55,0433081 NOTEPAD.EXE 2604 RegOpenKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModelUnlock SUCCESS Desired Access: Read 10:27:55,0433588 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModelUnlock\AllowDevelopmentWithoutDevLicense SUCCESS Type: REG_DWORD, Length: 4, Data: 0 10:27:55,0433976 NOTEPAD.EXE 2604 RegCloseKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModelUnlock SUCCESS 10:27:55,0440327 NOTEPAD.EXE 2604 RegQueryKey HKLM SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,0440737 NOTEPAD.EXE 2604 RegOpenKey HKLM\Software\Microsoft\OLE\AppCompat SUCCESS Desired Access: Read 10:27:55,0441469 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Ole\AppCompat\RaiseActivationAuthenticationLevel NAME NOT FOUND Length: 16 10:27:55,0441996 NOTEPAD.EXE 2604 RegCloseKey HKLM\SOFTWARE\Microsoft\Ole\AppCompat SUCCESS 10:27:55,0442663 NOTEPAD.EXE 2604 RegOpenKey HKCU\Software\Classes SUCCESS Desired Access: Maximum Allowed, Granted Access: All Access 10:27:55,0443171 NOTEPAD.EXE 2604 RegQueryKey HKCU\Software\Classes SUCCESS Query: Name 10:27:55,0444001 NOTEPAD.EXE 2604 RegQueryKey HKCU\Software\Classes SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,0444357 NOTEPAD.EXE 2604 RegQueryKey HKCU\Software\Classes SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,0444875 NOTEPAD.EXE 2604 RegOpenKey HKCU\Software\Classes\AppID\NOTEPAD.EXE NAME NOT FOUND Desired Access: Read 10:27:55,0445393 NOTEPAD.EXE 2604 RegOpenKey HKCR\AppID\NOTEPAD.EXE NAME NOT FOUND Desired Access: Read 10:27:55,0445852 NOTEPAD.EXE 2604 RegQueryKey HKCU\Software\Classes BUFFER TOO SMALL Query: Name, Length: 0 10:27:55,0446218 NOTEPAD.EXE 2604 RegQueryKey HKCU\Software\Classes SUCCESS Query: Name 10:27:55,0446733 NOTEPAD.EXE 2604 RegOpenKey HKLM\SOFTWARE\Microsoft\AppModel\Lookaside\user\software\Classes\AppID\NOTEPAD.EXE NAME NOT FOUND Desired Access: Read 10:27:55,0447387 NOTEPAD.EXE 2604 RegQueryKey HKCU\Software\Classes SUCCESS Query: Name 10:27:55,0447928 NOTEPAD.EXE 2604 RegQueryKey HKCU\Software\Classes SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,0448361 NOTEPAD.EXE 2604 RegQueryKey HKCU\Software\Classes SUCCESS Query: Name 10:27:55,0448921 NOTEPAD.EXE 2604 RegOpenKey HKCU\Software\Classes\AppID\NOTEPAD.EXE NAME NOT FOUND Desired Access: Read 10:27:55,0449440 NOTEPAD.EXE 2604 RegOpenKey HKCR\AppID\NOTEPAD.EXE NAME NOT FOUND Desired Access: Read 10:27:55,0449878 NOTEPAD.EXE 2604 RegQueryKey HKCU\Software\Classes BUFFER TOO SMALL Query: Name, Length: 0 10:27:55,0450350 NOTEPAD.EXE 2604 RegQueryKey HKCU\Software\Classes SUCCESS Query: Name 10:27:55,0451258 NOTEPAD.EXE 2604 RegOpenKey HKLM\SOFTWARE\Microsoft\AppModel\Lookaside\user\software\Classes\AppID\NOTEPAD.EXE NAME NOT FOUND Desired Access: Read 10:27:55,0451819 NOTEPAD.EXE 2604 RegQueryKey HKLM SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,0452335 NOTEPAD.EXE 2604 RegOpenKey HKLM\Software\Microsoft\OLE\AppCompat SUCCESS Desired Access: Read 10:27:55,0452906 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Ole\AppCompat\RaiseDefaultAuthnLevel NAME NOT FOUND Length: 16 10:27:55,0453333 NOTEPAD.EXE 2604 RegCloseKey HKLM\SOFTWARE\Microsoft\Ole\AppCompat SUCCESS 10:27:55,0453657 NOTEPAD.EXE 2604 RegQueryKey HKLM SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,0454054 NOTEPAD.EXE 2604 RegOpenKey HKLM\SOFTWARE\Microsoft\OLE SUCCESS Desired Access: Read 10:27:55,0454793 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Ole\DefaultAccessPermission NAME NOT FOUND Length: 144 10:27:55,0461842 NOTEPAD.EXE 2604 CreateFile C:\Windows\System32\rpcss.dll SUCCESS Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened 10:27:55,0463065 NOTEPAD.EXE 2604 QueryBasicInformationFile C:\Windows\System32\rpcss.dll SUCCESS CreationTime: 09/08/2023 09:58:56, LastAccessTime: 09/08/2023 10:27:54, LastWriteTime: 09/08/2023 09:58:56, ChangeTime: 09/08/2023 10:09:52, FileAttributes: A 10:27:55,0463509 NOTEPAD.EXE 2604 CloseFile C:\Windows\System32\rpcss.dll SUCCESS 10:27:55,0467947 NOTEPAD.EXE 2604 CreateFile C:\Windows\System32\rpcss.dll SUCCESS Desired Access: Read Data/List Directory, Synchronize, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, Delete, AllocationSize: n/a, OpenResult: Opened 10:27:55,0469490 NOTEPAD.EXE 2604 CreateFileMapping C:\Windows\System32\rpcss.dll FILE LOCKED WITH ONLY READERS SyncType: SyncTypeCreateSection, PageProtection: PAGE_EXECUTE_WRITECOPY|PAGE_NOCACHE 10:27:55,0469936 NOTEPAD.EXE 2604 QueryStandardInformationFile C:\Windows\System32\rpcss.dll SUCCESS AllocationSize: 765.952, EndOfFile: 1.324.544, NumberOfLinks: 2, DeletePending: False, Directory: False 10:27:55,0471250 NOTEPAD.EXE 2604 CreateFileMapping C:\Windows\System32\rpcss.dll SUCCESS SyncType: SyncTypeOther 10:27:55,0472928 NOTEPAD.EXE 2604 CloseFile C:\Windows\System32\rpcss.dll SUCCESS 10:27:55,0481194 NOTEPAD.EXE 2604 RegCloseKey HKLM\SOFTWARE\Microsoft\Ole SUCCESS 10:27:55,0485131 NOTEPAD.EXE 2604 RegOpenKey HKLM\System\CurrentControlSet\Control\Lsa REPARSE Desired Access: Query Value 10:27:55,0485626 NOTEPAD.EXE 2604 RegOpenKey HKLM\System\CurrentControlSet\Control\Lsa SUCCESS Desired Access: Query Value 10:27:55,0486106 NOTEPAD.EXE 2604 RegQueryValue HKLM\System\CurrentControlSet\Control\Lsa\AnonymousAppContainerImpersonationLevelCheck NAME NOT FOUND Length: 80 10:27:55,0486619 NOTEPAD.EXE 2604 RegCloseKey HKLM\System\CurrentControlSet\Control\Lsa SUCCESS 10:27:55,0489261 NOTEPAD.EXE 2604 RegOpenKey HKLM\System\CurrentControlSet\Control\Lsa REPARSE Desired Access: Query Value 10:27:55,0489726 NOTEPAD.EXE 2604 RegOpenKey HKLM\System\CurrentControlSet\Control\Lsa SUCCESS Desired Access: Query Value 10:27:55,0490371 NOTEPAD.EXE 2604 RegQueryValue HKLM\System\CurrentControlSet\Control\Lsa\EveryoneIncludesAnonymous SUCCESS Type: REG_DWORD, Length: 4, Data: 0 10:27:55,0490849 NOTEPAD.EXE 2604 RegCloseKey HKLM\System\CurrentControlSet\Control\Lsa SUCCESS 10:27:55,0497886 NOTEPAD.EXE 2604 RegQueryKey HKCU\Software\Classes SUCCESS Query: Name 10:27:55,0498429 NOTEPAD.EXE 2604 RegQueryKey HKCU\Software\Classes SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,0499000 NOTEPAD.EXE 2604 RegQueryKey HKCU\Software\Classes SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,0499551 NOTEPAD.EXE 2604 RegOpenKey HKCU\Software\Classes\Interface\{00000134-0000-0000-C000-000000000046} NAME NOT FOUND Desired Access: Read 10:27:55,0500172 NOTEPAD.EXE 2604 RegOpenKey HKCR\Interface\{00000134-0000-0000-C000-000000000046} SUCCESS Desired Access: Read 10:27:55,0500761 NOTEPAD.EXE 2604 RegQueryKey HKCR\Interface\{00000134-0000-0000-C000-000000000046} SUCCESS Query: Name 10:27:55,0501877 NOTEPAD.EXE 2604 RegQueryKey HKCR\Interface\{00000134-0000-0000-C000-000000000046} SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,0502432 NOTEPAD.EXE 2604 RegOpenKey HKCU\Software\Classes\Interface\{00000134-0000-0000-C000-000000000046}\ProxyStubClsid32 NAME NOT FOUND Desired Access: Read 10:27:55,0502910 NOTEPAD.EXE 2604 RegQueryKey HKCR\Interface\{00000134-0000-0000-C000-000000000046} SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,0503777 NOTEPAD.EXE 2604 RegOpenKey HKCR\Interface\{00000134-0000-0000-C000-000000000046}\ProxyStubClsid32 SUCCESS Desired Access: Read 10:27:55,0504319 NOTEPAD.EXE 2604 RegQueryKey HKCR\Interface\{00000134-0000-0000-C000-000000000046}\ProxyStubClsid32 SUCCESS Query: Name 10:27:55,0504776 NOTEPAD.EXE 2604 RegQueryKey HKCR\Interface\{00000134-0000-0000-C000-000000000046}\ProxyStubClsid32 SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,0505293 NOTEPAD.EXE 2604 RegOpenKey HKCU\Software\Classes\Interface\{00000134-0000-0000-C000-000000000046}\ProxyStubClsid32 NAME NOT FOUND Desired Access: Maximum Allowed 10:27:55,0505783 NOTEPAD.EXE 2604 RegQueryValue HKCR\Interface\{00000134-0000-0000-C000-000000000046}\ProxyStubClsid32\(Default) SUCCESS Type: REG_SZ, Length: 78, Data: {00000320-0000-0000-C000-000000000046} 10:27:55,0506267 NOTEPAD.EXE 2604 RegCloseKey HKCR\Interface\{00000134-0000-0000-C000-000000000046}\ProxyStubClsid32 SUCCESS 10:27:55,0506640 NOTEPAD.EXE 2604 RegCloseKey HKCR\Interface\{00000134-0000-0000-C000-000000000046} SUCCESS 10:27:55,0509291 NOTEPAD.EXE 2604 Thread Create SUCCESS Thread ID: 2932 10:27:55,0519651 NOTEPAD.EXE 2604 Thread Create SUCCESS Thread ID: 2612 10:27:55,0525568 NOTEPAD.EXE 2604 RegQueryKey HKCU\Software\Classes SUCCESS Query: Name 10:27:55,0526341 NOTEPAD.EXE 2604 RegQueryKey HKCU\Software\Classes SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,0526695 NOTEPAD.EXE 2604 RegQueryKey HKCU\Software\Classes SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,0527160 NOTEPAD.EXE 2604 RegOpenKey HKCU\Software\Classes\Interface\{C50898F6-C536-5F47-8583-8B2C2438A13B} NAME NOT FOUND Desired Access: Read 10:27:55,0528040 NOTEPAD.EXE 2604 RegOpenKey HKCR\Interface\{C50898F6-C536-5F47-8583-8B2C2438A13B} SUCCESS Desired Access: Read 10:27:55,0528649 NOTEPAD.EXE 2604 RegQueryKey HKCR\Interface\{c50898f6-c536-5f47-8583-8b2c2438a13b} SUCCESS Query: Name 10:27:55,0529103 NOTEPAD.EXE 2604 RegQueryKey HKCR\Interface\{c50898f6-c536-5f47-8583-8b2c2438a13b} SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,0529564 NOTEPAD.EXE 2604 RegOpenKey HKCU\Software\Classes\Interface\{c50898f6-c536-5f47-8583-8b2c2438a13b}\ProxyStubClsid32 NAME NOT FOUND Desired Access: Read 10:27:55,0530031 NOTEPAD.EXE 2604 RegQueryKey HKCR\Interface\{c50898f6-c536-5f47-8583-8b2c2438a13b} SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,0530405 NOTEPAD.EXE 2604 RegOpenKey HKCR\Interface\{c50898f6-c536-5f47-8583-8b2c2438a13b}\ProxyStubClsid32 SUCCESS Desired Access: Read 10:27:55,0530828 NOTEPAD.EXE 2604 RegQueryKey HKCR\Interface\{c50898f6-c536-5f47-8583-8b2c2438a13b}\ProxyStubClsid32 SUCCESS Query: Name 10:27:55,0531254 NOTEPAD.EXE 2604 RegQueryKey HKCR\Interface\{c50898f6-c536-5f47-8583-8b2c2438a13b}\ProxyStubClsid32 SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,0531758 NOTEPAD.EXE 2604 RegOpenKey HKCU\Software\Classes\Interface\{c50898f6-c536-5f47-8583-8b2c2438a13b}\ProxyStubClsid32 NAME NOT FOUND Desired Access: Maximum Allowed 10:27:55,0532167 NOTEPAD.EXE 2604 RegQueryValue HKCR\Interface\{c50898f6-c536-5f47-8583-8b2c2438a13b}\ProxyStubClsid32\(Default) SUCCESS Type: REG_SZ, Length: 78, Data: {11659a23-5884-4d1b-9cf6-67d6f4f90b36} 10:27:55,0532618 NOTEPAD.EXE 2604 RegCloseKey HKCR\Interface\{c50898f6-c536-5f47-8583-8b2c2438a13b}\ProxyStubClsid32 SUCCESS 10:27:55,0532967 NOTEPAD.EXE 2604 RegCloseKey HKCR\Interface\{c50898f6-c536-5f47-8583-8b2c2438a13b} SUCCESS 10:27:55,0533640 NOTEPAD.EXE 2604 RegQueryKey HKCU\Software\Classes SUCCESS Query: Name 10:27:55,0534040 NOTEPAD.EXE 2604 RegQueryKey HKCU\Software\Classes SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,0534342 NOTEPAD.EXE 2604 RegQueryKey HKCU\Software\Classes SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,0534700 NOTEPAD.EXE 2604 RegOpenKey HKCU\Software\Classes\CLSID\{11659A23-5884-4D1B-9CF6-67D6F4F90B36} NAME NOT FOUND Desired Access: Read 10:27:55,0535171 NOTEPAD.EXE 2604 RegOpenKey HKCR\CLSID\{11659A23-5884-4D1B-9CF6-67D6F4F90B36} SUCCESS Desired Access: Read 10:27:55,0535658 NOTEPAD.EXE 2604 RegQueryKey HKCR\CLSID\{11659a23-5884-4d1b-9cf6-67d6f4f90b36} SUCCESS Query: Name 10:27:55,0536067 NOTEPAD.EXE 2604 RegQueryKey HKCR\CLSID\{11659a23-5884-4d1b-9cf6-67d6f4f90b36} SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,0536497 NOTEPAD.EXE 2604 RegOpenKey HKCU\Software\Classes\CLSID\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\TreatAs NAME NOT FOUND Desired Access: Query Value 10:27:55,0536891 NOTEPAD.EXE 2604 RegQueryKey HKCR\CLSID\{11659a23-5884-4d1b-9cf6-67d6f4f90b36} SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,0537283 NOTEPAD.EXE 2604 RegOpenKey HKCR\CLSID\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\TreatAs NAME NOT FOUND Desired Access: Query Value 10:27:55,0537664 NOTEPAD.EXE 2604 RegQueryKey HKCR\CLSID\{11659a23-5884-4d1b-9cf6-67d6f4f90b36} BUFFER TOO SMALL Query: Name, Length: 0 10:27:55,0538019 NOTEPAD.EXE 2604 RegQueryKey HKCR\CLSID\{11659a23-5884-4d1b-9cf6-67d6f4f90b36} SUCCESS Query: Name 10:27:55,0538452 NOTEPAD.EXE 2604 RegOpenKey HKLM\SOFTWARE\Microsoft\AppModel\Lookaside\machine\SOFTWARE\Classes\CLSID\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\TreatAs NAME NOT FOUND Desired Access: Read 10:27:55,0538883 NOTEPAD.EXE 2604 RegQueryKey HKCR\CLSID\{11659a23-5884-4d1b-9cf6-67d6f4f90b36} SUCCESS Query: Name 10:27:55,0539417 NOTEPAD.EXE 2604 RegQueryKey HKCR\CLSID\{11659a23-5884-4d1b-9cf6-67d6f4f90b36} SUCCESS Query: Name 10:27:55,0539792 NOTEPAD.EXE 2604 RegQueryKey HKCR\CLSID\{11659a23-5884-4d1b-9cf6-67d6f4f90b36} SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,0540699 NOTEPAD.EXE 2604 RegOpenKey HKCU\Software\Classes\CLSID\{11659a23-5884-4d1b-9cf6-67d6f4f90b36} NAME NOT FOUND Desired Access: Maximum Allowed 10:27:55,0541357 NOTEPAD.EXE 2604 RegQueryValue HKCR\CLSID\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\ActivateOnHostFlags NAME NOT FOUND Length: 16 10:27:55,0541829 NOTEPAD.EXE 2604 RegQueryKey HKCR\CLSID\{11659a23-5884-4d1b-9cf6-67d6f4f90b36} SUCCESS Query: Name 10:27:55,0542559 NOTEPAD.EXE 2604 RegQueryKey HKCR\CLSID\{11659a23-5884-4d1b-9cf6-67d6f4f90b36} SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,0543278 NOTEPAD.EXE 2604 RegOpenKey HKCU\Software\Classes\CLSID\{11659a23-5884-4d1b-9cf6-67d6f4f90b36} NAME NOT FOUND Desired Access: Maximum Allowed 10:27:55,0543732 NOTEPAD.EXE 2604 RegQueryValue HKCR\CLSID\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\(Default) BUFFER OVERFLOW Length: 12 10:27:55,0544122 NOTEPAD.EXE 2604 RegQueryKey HKCR\CLSID\{11659a23-5884-4d1b-9cf6-67d6f4f90b36} SUCCESS Query: Name 10:27:55,0544505 NOTEPAD.EXE 2604 RegQueryKey HKCR\CLSID\{11659a23-5884-4d1b-9cf6-67d6f4f90b36} SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,0544945 NOTEPAD.EXE 2604 RegOpenKey HKCU\Software\Classes\CLSID\{11659a23-5884-4d1b-9cf6-67d6f4f90b36} NAME NOT FOUND Desired Access: Maximum Allowed 10:27:55,0545414 NOTEPAD.EXE 2604 RegQueryValue HKCR\CLSID\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\(Default) SUCCESS Type: REG_SZ, Length: 32, Data: Ptype_PSFactory 10:27:55,0545844 NOTEPAD.EXE 2604 RegQueryKey HKCR\CLSID\{11659a23-5884-4d1b-9cf6-67d6f4f90b36} SUCCESS Query: Name 10:27:55,0546331 NOTEPAD.EXE 2604 RegQueryKey HKCR\CLSID\{11659a23-5884-4d1b-9cf6-67d6f4f90b36} SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,0546816 NOTEPAD.EXE 2604 RegOpenKey HKCU\Software\Classes\CLSID\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\InprocServer32 NAME NOT FOUND Desired Access: Read 10:27:55,0547271 NOTEPAD.EXE 2604 RegQueryKey HKCR\CLSID\{11659a23-5884-4d1b-9cf6-67d6f4f90b36} SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,0547665 NOTEPAD.EXE 2604 RegOpenKey HKCR\CLSID\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\InprocServer32 SUCCESS Desired Access: Read 10:27:55,0548122 NOTEPAD.EXE 2604 RegQueryKey HKCR\CLSID\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\InProcServer32 SUCCESS Query: Name 10:27:55,0548591 NOTEPAD.EXE 2604 RegQueryKey HKCR\CLSID\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\InProcServer32 SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,0549065 NOTEPAD.EXE 2604 RegOpenKey HKCU\Software\Classes\CLSID\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\InProcServer32 NAME NOT FOUND Desired Access: Maximum Allowed 10:27:55,0549482 NOTEPAD.EXE 2604 RegQueryValue HKCR\CLSID\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\InProcServer32\InprocServer32 NAME NOT FOUND Length: 12 10:27:55,0549841 NOTEPAD.EXE 2604 RegQueryKey HKCR\CLSID\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\InProcServer32 SUCCESS Query: Name 10:27:55,0550260 NOTEPAD.EXE 2604 RegQueryKey HKCR\CLSID\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\InProcServer32 SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,0550693 NOTEPAD.EXE 2604 RegOpenKey HKCU\Software\Classes\CLSID\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\InProcServer32 NAME NOT FOUND Desired Access: Maximum Allowed 10:27:55,0551185 NOTEPAD.EXE 2604 RegQueryValue HKCR\CLSID\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\InProcServer32\(Default) BUFFER OVERFLOW Length: 12 10:27:55,0551553 NOTEPAD.EXE 2604 RegQueryKey HKCR\CLSID\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\InProcServer32 SUCCESS Query: Name 10:27:55,0551943 NOTEPAD.EXE 2604 RegQueryKey HKCR\CLSID\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\InProcServer32 SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,0552373 NOTEPAD.EXE 2604 RegOpenKey HKCU\Software\Classes\CLSID\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\InProcServer32 NAME NOT FOUND Desired Access: Maximum Allowed 10:27:55,0552832 NOTEPAD.EXE 2604 RegQueryValue HKCR\CLSID\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\InProcServer32\(Default) SUCCESS Type: REG_SZ, Length: 66, Data: C:\Windows\System32\WinTypes.dll 10:27:55,0553253 NOTEPAD.EXE 2604 RegQueryKey HKCR\CLSID\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\InProcServer32 SUCCESS Query: Name 10:27:55,0553649 NOTEPAD.EXE 2604 RegQueryKey HKCR\CLSID\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\InProcServer32 SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,0554093 NOTEPAD.EXE 2604 RegOpenKey HKCU\Software\Classes\CLSID\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\InProcServer32 NAME NOT FOUND Desired Access: Maximum Allowed 10:27:55,0554549 NOTEPAD.EXE 2604 RegQueryValue HKCR\CLSID\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\InProcServer32\ThreadingModel SUCCESS Type: REG_SZ, Length: 10, Data: Both 10:27:55,0555001 NOTEPAD.EXE 2604 RegCloseKey HKCR\CLSID\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\InProcServer32 SUCCESS 10:27:55,0555352 NOTEPAD.EXE 2604 RegQueryKey HKCR\CLSID\{11659a23-5884-4d1b-9cf6-67d6f4f90b36} SUCCESS Query: Name 10:27:55,0555750 NOTEPAD.EXE 2604 RegQueryKey HKCR\CLSID\{11659a23-5884-4d1b-9cf6-67d6f4f90b36} SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,0556205 NOTEPAD.EXE 2604 RegOpenKey HKCU\Software\Classes\CLSID\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\InprocHandler32 NAME NOT FOUND Desired Access: Query Value 10:27:55,0556631 NOTEPAD.EXE 2604 RegQueryKey HKCR\CLSID\{11659a23-5884-4d1b-9cf6-67d6f4f90b36} SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,0557027 NOTEPAD.EXE 2604 RegOpenKey HKCR\CLSID\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\InprocHandler32 NAME NOT FOUND Desired Access: Query Value 10:27:55,0557414 NOTEPAD.EXE 2604 RegQueryKey HKCR\CLSID\{11659a23-5884-4d1b-9cf6-67d6f4f90b36} BUFFER TOO SMALL Query: Name, Length: 0 10:27:55,0557775 NOTEPAD.EXE 2604 RegQueryKey HKCR\CLSID\{11659a23-5884-4d1b-9cf6-67d6f4f90b36} SUCCESS Query: Name 10:27:55,0558271 NOTEPAD.EXE 2604 RegOpenKey HKLM\SOFTWARE\Microsoft\AppModel\Lookaside\machine\SOFTWARE\Classes\CLSID\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\InprocHandler32 NAME NOT FOUND Desired Access: Read 10:27:55,0558757 NOTEPAD.EXE 2604 RegQueryKey HKCR\CLSID\{11659a23-5884-4d1b-9cf6-67d6f4f90b36} SUCCESS Query: Name 10:27:55,0559210 NOTEPAD.EXE 2604 RegQueryKey HKCR\CLSID\{11659a23-5884-4d1b-9cf6-67d6f4f90b36} SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,0559676 NOTEPAD.EXE 2604 RegOpenKey HKCU\Software\Classes\CLSID\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\InprocHandler NAME NOT FOUND Desired Access: Query Value 10:27:55,0560119 NOTEPAD.EXE 2604 RegQueryKey HKCR\CLSID\{11659a23-5884-4d1b-9cf6-67d6f4f90b36} SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,0560495 NOTEPAD.EXE 2604 RegOpenKey HKCR\CLSID\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\InprocHandler NAME NOT FOUND Desired Access: Query Value 10:27:55,0560917 NOTEPAD.EXE 2604 RegQueryKey HKCR\CLSID\{11659a23-5884-4d1b-9cf6-67d6f4f90b36} BUFFER TOO SMALL Query: Name, Length: 0 10:27:55,0561296 NOTEPAD.EXE 2604 RegQueryKey HKCR\CLSID\{11659a23-5884-4d1b-9cf6-67d6f4f90b36} SUCCESS Query: Name 10:27:55,0561770 NOTEPAD.EXE 2604 RegOpenKey HKLM\SOFTWARE\Microsoft\AppModel\Lookaside\machine\SOFTWARE\Classes\CLSID\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\InprocHandler NAME NOT FOUND Desired Access: Read 10:27:55,0562332 NOTEPAD.EXE 2604 RegCloseKey HKCR\CLSID\{11659a23-5884-4d1b-9cf6-67d6f4f90b36} SUCCESS 10:27:55,0567179 NOTEPAD.EXE 2604 CreateFile C:\Windows\Registration\R000000000015.clb SUCCESS Desired Access: Generic Read, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, AllocationSize: n/a, OpenResult: Opened 10:27:55,0568627 NOTEPAD.EXE 2604 QueryStandardInformationFile C:\Windows\Registration\R000000000015.clb SUCCESS AllocationSize: 24.576, EndOfFile: 23.360, NumberOfLinks: 1, DeletePending: False, Directory: False 10:27:55,0569203 NOTEPAD.EXE 2604 CreateFileMapping C:\Windows\Registration\R000000000015.clb FILE LOCKED WITH ONLY READERS SyncType: SyncTypeCreateSection, PageProtection: PAGE_EXECUTE_WRITECOPY|PAGE_NOCACHE 10:27:55,0569667 NOTEPAD.EXE 2604 QueryStandardInformationFile C:\Windows\Registration\R000000000015.clb SUCCESS AllocationSize: 24.576, EndOfFile: 23.360, NumberOfLinks: 1, DeletePending: False, Directory: False 10:27:55,0570598 NOTEPAD.EXE 2604 CreateFileMapping C:\Windows\Registration\R000000000015.clb SUCCESS SyncType: SyncTypeOther 10:27:55,0573251 NOTEPAD.EXE 2604 RegQueryKey HKCU\Software\Classes SUCCESS Query: Name 10:27:55,0573730 NOTEPAD.EXE 2604 RegQueryKey HKCU\Software\Classes SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,0574065 NOTEPAD.EXE 2604 RegQueryKey HKCU\Software\Classes SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,0574474 NOTEPAD.EXE 2604 RegOpenKey HKCU\Software\Classes\CLSID\{11659A23-5884-4D1B-9CF6-67D6F4F90B36} NAME NOT FOUND Desired Access: Read 10:27:55,0574984 NOTEPAD.EXE 2604 RegOpenKey HKCR\CLSID\{11659A23-5884-4D1B-9CF6-67D6F4F90B36} SUCCESS Desired Access: Read 10:27:55,0575533 NOTEPAD.EXE 2604 RegQueryKey HKCR\CLSID\{11659a23-5884-4d1b-9cf6-67d6f4f90b36} SUCCESS Query: Name 10:27:55,0575956 NOTEPAD.EXE 2604 RegQueryKey HKCR\CLSID\{11659a23-5884-4d1b-9cf6-67d6f4f90b36} SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,0576459 NOTEPAD.EXE 2604 RegOpenKey HKCU\Software\Classes\CLSID\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\TreatAs NAME NOT FOUND Desired Access: Query Value 10:27:55,0576898 NOTEPAD.EXE 2604 RegQueryKey HKCR\CLSID\{11659a23-5884-4d1b-9cf6-67d6f4f90b36} SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,0577279 NOTEPAD.EXE 2604 RegOpenKey HKCR\CLSID\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\TreatAs NAME NOT FOUND Desired Access: Query Value 10:27:55,0577740 NOTEPAD.EXE 2604 RegQueryKey HKCR\CLSID\{11659a23-5884-4d1b-9cf6-67d6f4f90b36} BUFFER TOO SMALL Query: Name, Length: 0 10:27:55,0578125 NOTEPAD.EXE 2604 RegQueryKey HKCR\CLSID\{11659a23-5884-4d1b-9cf6-67d6f4f90b36} SUCCESS Query: Name 10:27:55,0578763 NOTEPAD.EXE 2604 RegOpenKey HKLM\SOFTWARE\Microsoft\AppModel\Lookaside\machine\SOFTWARE\Classes\CLSID\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\TreatAs NAME NOT FOUND Desired Access: Read 10:27:55,0579222 NOTEPAD.EXE 2604 RegQueryKey HKCR\CLSID\{11659a23-5884-4d1b-9cf6-67d6f4f90b36} SUCCESS Query: Name 10:27:55,0579682 NOTEPAD.EXE 2604 RegQueryKey HKCR\CLSID\{11659a23-5884-4d1b-9cf6-67d6f4f90b36} SUCCESS Query: Name 10:27:55,0580076 NOTEPAD.EXE 2604 RegQueryKey HKCR\CLSID\{11659a23-5884-4d1b-9cf6-67d6f4f90b36} SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,0580543 NOTEPAD.EXE 2604 RegOpenKey HKCU\Software\Classes\CLSID\{11659a23-5884-4d1b-9cf6-67d6f4f90b36} NAME NOT FOUND Desired Access: Maximum Allowed 10:27:55,0580972 NOTEPAD.EXE 2604 RegQueryValue HKCR\CLSID\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\ActivateOnHostFlags NAME NOT FOUND Length: 16 10:27:55,0581359 NOTEPAD.EXE 2604 RegQueryKey HKCR\CLSID\{11659a23-5884-4d1b-9cf6-67d6f4f90b36} SUCCESS Query: Name 10:27:55,0581768 NOTEPAD.EXE 2604 RegQueryKey HKCR\CLSID\{11659a23-5884-4d1b-9cf6-67d6f4f90b36} SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,0582261 NOTEPAD.EXE 2604 RegOpenKey HKCU\Software\Classes\CLSID\{11659a23-5884-4d1b-9cf6-67d6f4f90b36} NAME NOT FOUND Desired Access: Maximum Allowed 10:27:55,0582676 NOTEPAD.EXE 2604 RegQueryValue HKCR\CLSID\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\(Default) BUFFER OVERFLOW Length: 12 10:27:55,0583150 NOTEPAD.EXE 2604 RegQueryKey HKCR\CLSID\{11659a23-5884-4d1b-9cf6-67d6f4f90b36} SUCCESS Query: Name 10:27:55,0583564 NOTEPAD.EXE 2604 RegQueryKey HKCR\CLSID\{11659a23-5884-4d1b-9cf6-67d6f4f90b36} SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,0584023 NOTEPAD.EXE 2604 RegOpenKey HKCU\Software\Classes\CLSID\{11659a23-5884-4d1b-9cf6-67d6f4f90b36} NAME NOT FOUND Desired Access: Maximum Allowed 10:27:55,0584424 NOTEPAD.EXE 2604 RegQueryValue HKCR\CLSID\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\(Default) SUCCESS Type: REG_SZ, Length: 32, Data: Ptype_PSFactory 10:27:55,0584801 NOTEPAD.EXE 2604 RegQueryKey HKCR\CLSID\{11659a23-5884-4d1b-9cf6-67d6f4f90b36} SUCCESS Query: Name 10:27:55,0585180 NOTEPAD.EXE 2604 RegQueryKey HKCR\CLSID\{11659a23-5884-4d1b-9cf6-67d6f4f90b36} SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,0585611 NOTEPAD.EXE 2604 RegOpenKey HKCU\Software\Classes\CLSID\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\InprocServer32 NAME NOT FOUND Desired Access: Read 10:27:55,0585999 NOTEPAD.EXE 2604 RegQueryKey HKCR\CLSID\{11659a23-5884-4d1b-9cf6-67d6f4f90b36} SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,0586347 NOTEPAD.EXE 2604 RegOpenKey HKCR\CLSID\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\InprocServer32 SUCCESS Desired Access: Read 10:27:55,0586760 NOTEPAD.EXE 2604 RegQueryKey HKCR\CLSID\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\InProcServer32 SUCCESS Query: Name 10:27:55,0587170 NOTEPAD.EXE 2604 RegQueryKey HKCR\CLSID\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\InProcServer32 SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,0587594 NOTEPAD.EXE 2604 RegOpenKey HKCU\Software\Classes\CLSID\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\InProcServer32 NAME NOT FOUND Desired Access: Maximum Allowed 10:27:55,0587996 NOTEPAD.EXE 2604 RegQueryValue HKCR\CLSID\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\InProcServer32\InprocServer32 NAME NOT FOUND Length: 12 10:27:55,0588334 NOTEPAD.EXE 2604 RegQueryKey HKCR\CLSID\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\InProcServer32 SUCCESS Query: Name 10:27:55,0588713 NOTEPAD.EXE 2604 RegQueryKey HKCR\CLSID\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\InProcServer32 SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,0589144 NOTEPAD.EXE 2604 RegOpenKey HKCU\Software\Classes\CLSID\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\InProcServer32 NAME NOT FOUND Desired Access: Maximum Allowed 10:27:55,0589559 NOTEPAD.EXE 2604 RegQueryValue HKCR\CLSID\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\InProcServer32\(Default) BUFFER OVERFLOW Length: 12 10:27:55,0589908 NOTEPAD.EXE 2604 RegQueryKey HKCR\CLSID\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\InProcServer32 SUCCESS Query: Name 10:27:55,0590298 NOTEPAD.EXE 2604 RegQueryKey HKCR\CLSID\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\InProcServer32 SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,0590727 NOTEPAD.EXE 2604 RegOpenKey HKCU\Software\Classes\CLSID\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\InProcServer32 NAME NOT FOUND Desired Access: Maximum Allowed 10:27:55,0591144 NOTEPAD.EXE 2604 RegQueryValue HKCR\CLSID\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\InProcServer32\(Default) SUCCESS Type: REG_SZ, Length: 66, Data: C:\Windows\System32\WinTypes.dll 10:27:55,0591521 NOTEPAD.EXE 2604 RegQueryKey HKCR\CLSID\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\InProcServer32 SUCCESS Query: Name 10:27:55,0591910 NOTEPAD.EXE 2604 RegQueryKey HKCR\CLSID\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\InProcServer32 SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,0592347 NOTEPAD.EXE 2604 RegOpenKey HKCU\Software\Classes\CLSID\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\InProcServer32 NAME NOT FOUND Desired Access: Maximum Allowed 10:27:55,0592833 NOTEPAD.EXE 2604 RegQueryValue HKCR\CLSID\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\InProcServer32\ThreadingModel SUCCESS Type: REG_SZ, Length: 10, Data: Both 10:27:55,0593280 NOTEPAD.EXE 2604 RegCloseKey HKCR\CLSID\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\InProcServer32 SUCCESS 10:27:55,0593655 NOTEPAD.EXE 2604 RegQueryKey HKCR\CLSID\{11659a23-5884-4d1b-9cf6-67d6f4f90b36} SUCCESS Query: Name 10:27:55,0594238 NOTEPAD.EXE 2604 RegQueryKey HKCR\CLSID\{11659a23-5884-4d1b-9cf6-67d6f4f90b36} SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,0594783 NOTEPAD.EXE 2604 RegOpenKey HKCU\Software\Classes\CLSID\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\InprocHandler32 NAME NOT FOUND Desired Access: Query Value 10:27:55,0595237 NOTEPAD.EXE 2604 RegQueryKey HKCR\CLSID\{11659a23-5884-4d1b-9cf6-67d6f4f90b36} SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,0595696 NOTEPAD.EXE 2604 RegOpenKey HKCR\CLSID\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\InprocHandler32 NAME NOT FOUND Desired Access: Query Value 10:27:55,0596070 NOTEPAD.EXE 2604 RegQueryKey HKCR\CLSID\{11659a23-5884-4d1b-9cf6-67d6f4f90b36} BUFFER TOO SMALL Query: Name, Length: 0 10:27:55,0596439 NOTEPAD.EXE 2604 RegQueryKey HKCR\CLSID\{11659a23-5884-4d1b-9cf6-67d6f4f90b36} SUCCESS Query: Name 10:27:55,0596913 NOTEPAD.EXE 2604 RegOpenKey HKLM\SOFTWARE\Microsoft\AppModel\Lookaside\machine\SOFTWARE\Classes\CLSID\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\InprocHandler32 NAME NOT FOUND Desired Access: Read 10:27:55,0597337 NOTEPAD.EXE 2604 RegQueryKey HKCR\CLSID\{11659a23-5884-4d1b-9cf6-67d6f4f90b36} SUCCESS Query: Name 10:27:55,0597729 NOTEPAD.EXE 2604 RegQueryKey HKCR\CLSID\{11659a23-5884-4d1b-9cf6-67d6f4f90b36} SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,0598175 NOTEPAD.EXE 2604 RegOpenKey HKCU\Software\Classes\CLSID\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\InprocHandler NAME NOT FOUND Desired Access: Query Value 10:27:55,0598568 NOTEPAD.EXE 2604 RegQueryKey HKCR\CLSID\{11659a23-5884-4d1b-9cf6-67d6f4f90b36} SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,0598920 NOTEPAD.EXE 2604 RegOpenKey HKCR\CLSID\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\InprocHandler NAME NOT FOUND Desired Access: Query Value 10:27:55,0599284 NOTEPAD.EXE 2604 RegQueryKey HKCR\CLSID\{11659a23-5884-4d1b-9cf6-67d6f4f90b36} BUFFER TOO SMALL Query: Name, Length: 0 10:27:55,0599642 NOTEPAD.EXE 2604 RegQueryKey HKCR\CLSID\{11659a23-5884-4d1b-9cf6-67d6f4f90b36} SUCCESS Query: Name 10:27:55,0600099 NOTEPAD.EXE 2604 RegOpenKey HKLM\SOFTWARE\Microsoft\AppModel\Lookaside\machine\SOFTWARE\Classes\CLSID\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\InprocHandler NAME NOT FOUND Desired Access: Read 10:27:55,0600610 NOTEPAD.EXE 2604 RegQueryKey HKCR\CLSID\{11659a23-5884-4d1b-9cf6-67d6f4f90b36} SUCCESS Query: Name 10:27:55,0600992 NOTEPAD.EXE 2604 RegQueryKey HKCR\CLSID\{11659a23-5884-4d1b-9cf6-67d6f4f90b36} SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,0601431 NOTEPAD.EXE 2604 RegOpenKey HKCU\Software\Classes\CLSID\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\LocalServer32 NAME NOT FOUND Desired Access: Read 10:27:55,0601837 NOTEPAD.EXE 2604 RegQueryKey HKCR\CLSID\{11659a23-5884-4d1b-9cf6-67d6f4f90b36} SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,0602193 NOTEPAD.EXE 2604 RegOpenKey HKCR\CLSID\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\LocalServer32 NAME NOT FOUND Desired Access: Read 10:27:55,0602630 NOTEPAD.EXE 2604 RegQueryKey HKCR\CLSID\{11659a23-5884-4d1b-9cf6-67d6f4f90b36} BUFFER TOO SMALL Query: Name, Length: 0 10:27:55,0603043 NOTEPAD.EXE 2604 RegQueryKey HKCR\CLSID\{11659a23-5884-4d1b-9cf6-67d6f4f90b36} SUCCESS Query: Name 10:27:55,0603536 NOTEPAD.EXE 2604 RegOpenKey HKLM\SOFTWARE\Microsoft\AppModel\Lookaside\machine\SOFTWARE\Classes\CLSID\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\LocalServer32 NAME NOT FOUND Desired Access: Read 10:27:55,0603982 NOTEPAD.EXE 2604 RegQueryKey HKCR\CLSID\{11659a23-5884-4d1b-9cf6-67d6f4f90b36} SUCCESS Query: Name 10:27:55,0604374 NOTEPAD.EXE 2604 RegQueryKey HKCR\CLSID\{11659a23-5884-4d1b-9cf6-67d6f4f90b36} SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,0604834 NOTEPAD.EXE 2604 RegOpenKey HKCU\Software\Classes\CLSID\{11659a23-5884-4d1b-9cf6-67d6f4f90b36} NAME NOT FOUND Desired Access: Maximum Allowed 10:27:55,0605469 NOTEPAD.EXE 2604 RegQueryValue HKCR\CLSID\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\AppID NAME NOT FOUND Length: 112 10:27:55,0605843 NOTEPAD.EXE 2604 RegQueryKey HKCR\CLSID\{11659a23-5884-4d1b-9cf6-67d6f4f90b36} SUCCESS Query: Name 10:27:55,0606265 NOTEPAD.EXE 2604 RegQueryKey HKCR\CLSID\{11659a23-5884-4d1b-9cf6-67d6f4f90b36} SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,0606784 NOTEPAD.EXE 2604 RegOpenKey HKCU\Software\Classes\CLSID\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\LocalServer NAME NOT FOUND Desired Access: Query Value 10:27:55,0607216 NOTEPAD.EXE 2604 RegQueryKey HKCR\CLSID\{11659a23-5884-4d1b-9cf6-67d6f4f90b36} SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,0607600 NOTEPAD.EXE 2604 RegOpenKey HKCR\CLSID\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\LocalServer NAME NOT FOUND Desired Access: Query Value 10:27:55,0608012 NOTEPAD.EXE 2604 RegQueryKey HKCR\CLSID\{11659a23-5884-4d1b-9cf6-67d6f4f90b36} BUFFER TOO SMALL Query: Name, Length: 0 10:27:55,0608402 NOTEPAD.EXE 2604 RegQueryKey HKCR\CLSID\{11659a23-5884-4d1b-9cf6-67d6f4f90b36} SUCCESS Query: Name 10:27:55,0608916 NOTEPAD.EXE 2604 RegOpenKey HKLM\SOFTWARE\Microsoft\AppModel\Lookaside\machine\SOFTWARE\Classes\CLSID\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\LocalServer NAME NOT FOUND Desired Access: Read 10:27:55,0609373 NOTEPAD.EXE 2604 RegQueryKey HKCU\Software\Classes SUCCESS Query: Name 10:27:55,0609798 NOTEPAD.EXE 2604 RegQueryKey HKCU\Software\Classes SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,0610131 NOTEPAD.EXE 2604 RegQueryKey HKCU\Software\Classes SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,0610516 NOTEPAD.EXE 2604 RegOpenKey HKCU\Software\Classes\CLSID\{11659A23-5884-4D1B-9CF6-67D6F4F90B36} NAME NOT FOUND Desired Access: Read 10:27:55,0610988 NOTEPAD.EXE 2604 RegOpenKey HKCR\CLSID\{11659A23-5884-4D1B-9CF6-67D6F4F90B36} SUCCESS Desired Access: Read 10:27:55,0611482 NOTEPAD.EXE 2604 RegQueryKey HKCR\CLSID\{11659a23-5884-4d1b-9cf6-67d6f4f90b36} SUCCESS Query: Name 10:27:55,0611899 NOTEPAD.EXE 2604 RegQueryKey HKCR\CLSID\{11659a23-5884-4d1b-9cf6-67d6f4f90b36} SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,0612350 NOTEPAD.EXE 2604 RegOpenKey HKCU\Software\Classes\CLSID\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\Elevation NAME NOT FOUND Desired Access: Read 10:27:55,0612767 NOTEPAD.EXE 2604 RegQueryKey HKCR\CLSID\{11659a23-5884-4d1b-9cf6-67d6f4f90b36} SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,0613147 NOTEPAD.EXE 2604 RegOpenKey HKCR\CLSID\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\Elevation NAME NOT FOUND Desired Access: Read 10:27:55,0613667 NOTEPAD.EXE 2604 RegQueryKey HKCR\CLSID\{11659a23-5884-4d1b-9cf6-67d6f4f90b36} BUFFER TOO SMALL Query: Name, Length: 0 10:27:55,0614111 NOTEPAD.EXE 2604 RegQueryKey HKCR\CLSID\{11659a23-5884-4d1b-9cf6-67d6f4f90b36} SUCCESS Query: Name 10:27:55,0614586 NOTEPAD.EXE 2604 RegOpenKey HKLM\SOFTWARE\Microsoft\AppModel\Lookaside\machine\SOFTWARE\Classes\CLSID\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\Elevation NAME NOT FOUND Desired Access: Read 10:27:55,0615107 NOTEPAD.EXE 2604 RegCloseKey HKCR\CLSID\{11659a23-5884-4d1b-9cf6-67d6f4f90b36} SUCCESS 10:27:55,0615485 NOTEPAD.EXE 2604 RegCloseKey HKCR\CLSID\{11659a23-5884-4d1b-9cf6-67d6f4f90b36} SUCCESS 10:27:55,0615903 NOTEPAD.EXE 2604 RegQueryKey HKCU\Software\Classes SUCCESS Query: Name 10:27:55,0616303 NOTEPAD.EXE 2604 RegQueryKey HKCU\Software\Classes SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,0616619 NOTEPAD.EXE 2604 RegQueryKey HKCU\Software\Classes SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,0616980 NOTEPAD.EXE 2604 RegOpenKey HKCU\Software\Classes\CLSID\{11659A23-5884-4D1B-9CF6-67D6F4F90B36} NAME NOT FOUND Desired Access: Read 10:27:55,0617422 NOTEPAD.EXE 2604 RegOpenKey HKCR\CLSID\{11659A23-5884-4D1B-9CF6-67D6F4F90B36} SUCCESS Desired Access: Read 10:27:55,0617885 NOTEPAD.EXE 2604 RegQueryKey HKCR\CLSID\{11659a23-5884-4d1b-9cf6-67d6f4f90b36} SUCCESS Query: Name 10:27:55,0618275 NOTEPAD.EXE 2604 RegQueryKey HKCR\CLSID\{11659a23-5884-4d1b-9cf6-67d6f4f90b36} SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,0618712 NOTEPAD.EXE 2604 RegOpenKey HKCU\Software\Classes\CLSID\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\TreatAs NAME NOT FOUND Desired Access: Read 10:27:55,0619134 NOTEPAD.EXE 2604 RegQueryKey HKCR\CLSID\{11659a23-5884-4d1b-9cf6-67d6f4f90b36} SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,0619492 NOTEPAD.EXE 2604 RegOpenKey HKCR\CLSID\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\TreatAs NAME NOT FOUND Desired Access: Read 10:27:55,0619888 NOTEPAD.EXE 2604 RegQueryKey HKCR\CLSID\{11659a23-5884-4d1b-9cf6-67d6f4f90b36} BUFFER TOO SMALL Query: Name, Length: 0 10:27:55,0620257 NOTEPAD.EXE 2604 RegQueryKey HKCR\CLSID\{11659a23-5884-4d1b-9cf6-67d6f4f90b36} SUCCESS Query: Name 10:27:55,0620867 NOTEPAD.EXE 2604 RegOpenKey HKLM\SOFTWARE\Microsoft\AppModel\Lookaside\machine\SOFTWARE\Classes\CLSID\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\TreatAs NAME NOT FOUND Desired Access: Read 10:27:55,0621348 NOTEPAD.EXE 2604 RegCloseKey HKCR\CLSID\{11659a23-5884-4d1b-9cf6-67d6f4f90b36} SUCCESS 10:27:55,0657841 NOTEPAD.EXE 2604 RegOpenKey HKLM\Software\Microsoft\Windows\CurrentVersion\SideBySide SUCCESS Desired Access: Read 10:27:55,0658523 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\PreferExternalManifest NAME NOT FOUND Length: 20 10:27:55,0659015 NOTEPAD.EXE 2604 RegCloseKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide SUCCESS 10:27:55,0662820 NOTEPAD.EXE 2604 CreateFile C:\Windows\System32\uxtheme.dll.Config NAME NOT FOUND Desired Access: Generic Read/Execute, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, Delete, AllocationSize: n/a 10:27:55,0666815 NOTEPAD.EXE 2604 CreateFile C:\Windows\System32\uxtheme.dll SUCCESS Desired Access: Generic Read, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, Delete, AllocationSize: n/a, OpenResult: Opened 10:27:55,1156706 NOTEPAD.EXE 2604 CloseFile C:\Windows\System32\uxtheme.dll SUCCESS 10:27:55,1158549 NOTEPAD.EXE 2604 RegOpenKey HKLM\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots NAME NOT FOUND Desired Access: Enumerate Sub Keys 10:27:55,1168294 NOTEPAD.EXE 2604 CreateFile C:\Windows\System32\NOTEPAD.EXE.Local NAME NOT FOUND Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a 10:27:55,1172523 NOTEPAD.EXE 2604 CreateFile C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.1110_none_60b5254171f9507e SUCCESS Desired Access: Execute/Traverse, Synchronize, Disposition: Open, Options: Directory, Synchronous IO Non-Alert, Attributes: n/a, ShareMode: Read, Write, AllocationSize: n/a, OpenResult: Opened 10:27:55,1174174 NOTEPAD.EXE 2604 CloseFile C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.1110_none_60b5254171f9507e SUCCESS 10:27:55,1180617 NOTEPAD.EXE 2604 RegQueryValue HKLM\System\CurrentControlSet\Control\Notifications\418A073AA3BC8075 BUFFER TOO SMALL Length: 0 10:27:55,1182149 NOTEPAD.EXE 2604 RegQueryValue HKLM\System\CurrentControlSet\Control\Notifications\418A073AA3BC8075 SUCCESS Type: REG_BINARY, Length: 364, Data: 01 00 04 80 00 00 00 00 00 00 00 00 00 00 00 00 10:27:55,1186346 NOTEPAD.EXE 2604 RegQueryKey HKLM SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,1186988 NOTEPAD.EXE 2604 RegOpenKey HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer SUCCESS Desired Access: Query Value 10:27:55,1187712 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\TurnOffSPIAnimations NAME NOT FOUND Length: 16 10:27:55,1188334 NOTEPAD.EXE 2604 RegCloseKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer SUCCESS 10:27:55,1190539 NOTEPAD.EXE 2604 RegQueryKey HKCU SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,1191234 NOTEPAD.EXE 2604 RegOpenKey HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer NAME NOT FOUND Desired Access: Query Value 10:27:55,1191875 NOTEPAD.EXE 2604 RegQueryKey HKCU BUFFER TOO SMALL Query: Name, Length: 0 10:27:55,1193055 NOTEPAD.EXE 2604 RegQueryKey HKCU SUCCESS Query: Name 10:27:55,1194210 NOTEPAD.EXE 2604 RegOpenKey HKLM\SOFTWARE\Microsoft\AppModel\Lookaside\user\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer NAME NOT FOUND Desired Access: Read 10:27:55,1215327 NOTEPAD.EXE 2604 RegQueryValue HKLM\System\CurrentControlSet\Control\Notifications\418A073AA3BC8075 BUFFER TOO SMALL Length: 0 10:27:55,1216474 NOTEPAD.EXE 2604 RegQueryValue HKLM\System\CurrentControlSet\Control\Notifications\418A073AA3BC8075 SUCCESS Type: REG_BINARY, Length: 364, Data: 01 00 04 80 00 00 00 00 00 00 00 00 00 00 00 00 10:27:55,1220139 NOTEPAD.EXE 2604 RegQueryValue HKLM\System\CurrentControlSet\Control\Notifications\418A073AA3BC8075 BUFFER TOO SMALL Length: 0 10:27:55,1221267 NOTEPAD.EXE 2604 RegQueryValue HKLM\System\CurrentControlSet\Control\Notifications\418A073AA3BC8075 SUCCESS Type: REG_BINARY, Length: 364, Data: 01 00 04 80 00 00 00 00 00 00 00 00 00 00 00 00 10:27:55,1222374 NOTEPAD.EXE 2604 RegQueryValue HKLM\System\CurrentControlSet\Control\Notifications\418A073AA3BC8075 BUFFER TOO SMALL Length: 0 10:27:55,1223393 NOTEPAD.EXE 2604 RegQueryValue HKLM\System\CurrentControlSet\Control\Notifications\418A073AA3BC8075 SUCCESS Type: REG_BINARY, Length: 364, Data: 01 00 04 80 00 00 00 00 00 00 00 00 00 00 00 00 10:27:55,1225125 NOTEPAD.EXE 2604 RegQueryKey HKCU\Software\Classes SUCCESS Query: Name 10:27:55,1225559 NOTEPAD.EXE 2604 RegQueryKey HKCU\Software\Classes SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,1225839 NOTEPAD.EXE 2604 RegQueryKey HKCU\Software\Classes SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,1226296 NOTEPAD.EXE 2604 RegOpenKey HKCU\Software\Classes\CLSID\{B5F8350B-0548-48B1-A6EE-88BD00B4A5E7} NAME NOT FOUND Desired Access: Read 10:27:55,1226984 NOTEPAD.EXE 2604 RegOpenKey HKCR\CLSID\{B5F8350B-0548-48B1-A6EE-88BD00B4A5E7} SUCCESS Desired Access: Read 10:27:55,1227649 NOTEPAD.EXE 2604 RegQueryKey HKCR\CLSID\{b5f8350b-0548-48b1-a6ee-88bd00b4a5e7} SUCCESS Query: Name 10:27:55,1228022 NOTEPAD.EXE 2604 RegQueryKey HKCR\CLSID\{b5f8350b-0548-48b1-a6ee-88bd00b4a5e7} SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,1228454 NOTEPAD.EXE 2604 RegOpenKey HKCU\Software\Classes\CLSID\{b5f8350b-0548-48b1-a6ee-88bd00b4a5e7}\TreatAs NAME NOT FOUND Desired Access: Query Value 10:27:55,1228960 NOTEPAD.EXE 2604 RegQueryKey HKCR\CLSID\{b5f8350b-0548-48b1-a6ee-88bd00b4a5e7} SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,1229334 NOTEPAD.EXE 2604 RegOpenKey HKCR\CLSID\{b5f8350b-0548-48b1-a6ee-88bd00b4a5e7}\TreatAs NAME NOT FOUND Desired Access: Query Value 10:27:55,1229714 NOTEPAD.EXE 2604 RegQueryKey HKCR\CLSID\{b5f8350b-0548-48b1-a6ee-88bd00b4a5e7} BUFFER TOO SMALL Query: Name, Length: 0 10:27:55,1230075 NOTEPAD.EXE 2604 RegQueryKey HKCR\CLSID\{b5f8350b-0548-48b1-a6ee-88bd00b4a5e7} SUCCESS Query: Name 10:27:55,1230566 NOTEPAD.EXE 2604 RegOpenKey HKLM\SOFTWARE\Microsoft\AppModel\Lookaside\machine\SOFTWARE\Classes\CLSID\{b5f8350b-0548-48b1-a6ee-88bd00b4a5e7}\TreatAs NAME NOT FOUND Desired Access: Read 10:27:55,1231026 NOTEPAD.EXE 2604 RegQueryKey HKCR\CLSID\{b5f8350b-0548-48b1-a6ee-88bd00b4a5e7} SUCCESS Query: Name 10:27:55,1231500 NOTEPAD.EXE 2604 RegQueryKey HKCR\CLSID\{b5f8350b-0548-48b1-a6ee-88bd00b4a5e7} SUCCESS Query: Name 10:27:55,1231865 NOTEPAD.EXE 2604 RegQueryKey HKCR\CLSID\{b5f8350b-0548-48b1-a6ee-88bd00b4a5e7} SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,1232339 NOTEPAD.EXE 2604 RegOpenKey HKCU\Software\Classes\CLSID\{b5f8350b-0548-48b1-a6ee-88bd00b4a5e7} NAME NOT FOUND Desired Access: Maximum Allowed 10:27:55,1232738 NOTEPAD.EXE 2604 RegQueryValue HKCR\CLSID\{b5f8350b-0548-48b1-a6ee-88bd00b4a5e7}\ActivateOnHostFlags NAME NOT FOUND Length: 16 10:27:55,1233085 NOTEPAD.EXE 2604 RegQueryKey HKCR\CLSID\{b5f8350b-0548-48b1-a6ee-88bd00b4a5e7} SUCCESS Query: Name 10:27:55,1233440 NOTEPAD.EXE 2604 RegQueryKey HKCR\CLSID\{b5f8350b-0548-48b1-a6ee-88bd00b4a5e7} SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,1233845 NOTEPAD.EXE 2604 RegOpenKey HKCU\Software\Classes\CLSID\{b5f8350b-0548-48b1-a6ee-88bd00b4a5e7} NAME NOT FOUND Desired Access: Maximum Allowed 10:27:55,1234262 NOTEPAD.EXE 2604 RegQueryValue HKCR\CLSID\{b5f8350b-0548-48b1-a6ee-88bd00b4a5e7}\(Default) BUFFER OVERFLOW Length: 12 10:27:55,1234628 NOTEPAD.EXE 2604 RegQueryKey HKCR\CLSID\{b5f8350b-0548-48b1-a6ee-88bd00b4a5e7} SUCCESS Query: Name 10:27:55,1234968 NOTEPAD.EXE 2604 RegQueryKey HKCR\CLSID\{b5f8350b-0548-48b1-a6ee-88bd00b4a5e7} SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,1235400 NOTEPAD.EXE 2604 RegOpenKey HKCU\Software\Classes\CLSID\{b5f8350b-0548-48b1-a6ee-88bd00b4a5e7} NAME NOT FOUND Desired Access: Maximum Allowed 10:27:55,1235754 NOTEPAD.EXE 2604 RegQueryValue HKCR\CLSID\{b5f8350b-0548-48b1-a6ee-88bd00b4a5e7}\(Default) SUCCESS Type: REG_SZ, Length: 42, Data: MSAA AccPropServices 10:27:55,1236201 NOTEPAD.EXE 2604 RegQueryKey HKCR\CLSID\{b5f8350b-0548-48b1-a6ee-88bd00b4a5e7} SUCCESS Query: Name 10:27:55,1236572 NOTEPAD.EXE 2604 RegQueryKey HKCR\CLSID\{b5f8350b-0548-48b1-a6ee-88bd00b4a5e7} SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,1237069 NOTEPAD.EXE 2604 RegOpenKey HKCU\Software\Classes\CLSID\{b5f8350b-0548-48b1-a6ee-88bd00b4a5e7}\InprocServer32 NAME NOT FOUND Desired Access: Read 10:27:55,1237510 NOTEPAD.EXE 2604 RegQueryKey HKCR\CLSID\{b5f8350b-0548-48b1-a6ee-88bd00b4a5e7} SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,1237992 NOTEPAD.EXE 2604 RegOpenKey HKCR\CLSID\{b5f8350b-0548-48b1-a6ee-88bd00b4a5e7}\InprocServer32 SUCCESS Desired Access: Read 10:27:55,1238492 NOTEPAD.EXE 2604 RegQueryKey HKCR\CLSID\{b5f8350b-0548-48b1-a6ee-88bd00b4a5e7}\InprocServer32 SUCCESS Query: Name 10:27:55,1238877 NOTEPAD.EXE 2604 RegQueryKey HKCR\CLSID\{b5f8350b-0548-48b1-a6ee-88bd00b4a5e7}\InprocServer32 SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,1239285 NOTEPAD.EXE 2604 RegOpenKey HKCU\Software\Classes\CLSID\{b5f8350b-0548-48b1-a6ee-88bd00b4a5e7}\InprocServer32 NAME NOT FOUND Desired Access: Maximum Allowed 10:27:55,1239756 NOTEPAD.EXE 2604 RegQueryValue HKCR\CLSID\{b5f8350b-0548-48b1-a6ee-88bd00b4a5e7}\InprocServer32\InprocServer32 NAME NOT FOUND Length: 12 10:27:55,1240146 NOTEPAD.EXE 2604 RegQueryKey HKCR\CLSID\{b5f8350b-0548-48b1-a6ee-88bd00b4a5e7}\InprocServer32 SUCCESS Query: Name 10:27:55,1240528 NOTEPAD.EXE 2604 RegQueryKey HKCR\CLSID\{b5f8350b-0548-48b1-a6ee-88bd00b4a5e7}\InprocServer32 SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,1240932 NOTEPAD.EXE 2604 RegOpenKey HKCU\Software\Classes\CLSID\{b5f8350b-0548-48b1-a6ee-88bd00b4a5e7}\InprocServer32 NAME NOT FOUND Desired Access: Maximum Allowed 10:27:55,1241327 NOTEPAD.EXE 2604 RegQueryValue HKCR\CLSID\{b5f8350b-0548-48b1-a6ee-88bd00b4a5e7}\InprocServer32\(Default) BUFFER OVERFLOW Length: 12 10:27:55,1241669 NOTEPAD.EXE 2604 RegQueryKey HKCR\CLSID\{b5f8350b-0548-48b1-a6ee-88bd00b4a5e7}\InprocServer32 SUCCESS Query: Name 10:27:55,1242156 NOTEPAD.EXE 2604 RegQueryKey HKCR\CLSID\{b5f8350b-0548-48b1-a6ee-88bd00b4a5e7}\InprocServer32 SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,1242594 NOTEPAD.EXE 2604 RegOpenKey HKCU\Software\Classes\CLSID\{b5f8350b-0548-48b1-a6ee-88bd00b4a5e7}\InprocServer32 NAME NOT FOUND Desired Access: Maximum Allowed 10:27:55,1243054 NOTEPAD.EXE 2604 RegQueryValue HKCR\CLSID\{b5f8350b-0548-48b1-a6ee-88bd00b4a5e7}\InprocServer32\(Default) SUCCESS Type: REG_SZ, Length: 62, Data: C:\Windows\System32\oleacc.dll 10:27:55,1243406 NOTEPAD.EXE 2604 RegQueryKey HKCR\CLSID\{b5f8350b-0548-48b1-a6ee-88bd00b4a5e7}\InprocServer32 SUCCESS Query: Name 10:27:55,1243763 NOTEPAD.EXE 2604 RegQueryKey HKCR\CLSID\{b5f8350b-0548-48b1-a6ee-88bd00b4a5e7}\InprocServer32 SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,1244167 NOTEPAD.EXE 2604 RegOpenKey HKCU\Software\Classes\CLSID\{b5f8350b-0548-48b1-a6ee-88bd00b4a5e7}\InprocServer32 NAME NOT FOUND Desired Access: Maximum Allowed 10:27:55,1244588 NOTEPAD.EXE 2604 RegQueryValue HKCR\CLSID\{b5f8350b-0548-48b1-a6ee-88bd00b4a5e7}\InprocServer32\ThreadingModel SUCCESS Type: REG_SZ, Length: 20, Data: Apartment 10:27:55,1245180 NOTEPAD.EXE 2604 RegCloseKey HKCR\CLSID\{b5f8350b-0548-48b1-a6ee-88bd00b4a5e7}\InprocServer32 SUCCESS 10:27:55,1245541 NOTEPAD.EXE 2604 RegQueryKey HKCR\CLSID\{b5f8350b-0548-48b1-a6ee-88bd00b4a5e7} SUCCESS Query: Name 10:27:55,1245973 NOTEPAD.EXE 2604 RegQueryKey HKCR\CLSID\{b5f8350b-0548-48b1-a6ee-88bd00b4a5e7} SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,1246406 NOTEPAD.EXE 2604 RegOpenKey HKCU\Software\Classes\CLSID\{b5f8350b-0548-48b1-a6ee-88bd00b4a5e7}\InprocHandler32 NAME NOT FOUND Desired Access: Query Value 10:27:55,1246785 NOTEPAD.EXE 2604 RegQueryKey HKCR\CLSID\{b5f8350b-0548-48b1-a6ee-88bd00b4a5e7} SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,1247191 NOTEPAD.EXE 2604 RegOpenKey HKCR\CLSID\{b5f8350b-0548-48b1-a6ee-88bd00b4a5e7}\InprocHandler32 NAME NOT FOUND Desired Access: Query Value 10:27:55,1247557 NOTEPAD.EXE 2604 RegQueryKey HKCR\CLSID\{b5f8350b-0548-48b1-a6ee-88bd00b4a5e7} BUFFER TOO SMALL Query: Name, Length: 0 10:27:55,1248959 NOTEPAD.EXE 2604 RegQueryKey HKCR\CLSID\{b5f8350b-0548-48b1-a6ee-88bd00b4a5e7} SUCCESS Query: Name 10:27:55,1249426 NOTEPAD.EXE 2604 RegOpenKey HKLM\SOFTWARE\Microsoft\AppModel\Lookaside\machine\SOFTWARE\Classes\CLSID\{b5f8350b-0548-48b1-a6ee-88bd00b4a5e7}\InprocHandler32 NAME NOT FOUND Desired Access: Read 10:27:55,1249878 NOTEPAD.EXE 2604 RegQueryKey HKCR\CLSID\{b5f8350b-0548-48b1-a6ee-88bd00b4a5e7} SUCCESS Query: Name 10:27:55,1250312 NOTEPAD.EXE 2604 RegQueryKey HKCR\CLSID\{b5f8350b-0548-48b1-a6ee-88bd00b4a5e7} SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,1250842 NOTEPAD.EXE 2604 RegOpenKey HKCU\Software\Classes\CLSID\{b5f8350b-0548-48b1-a6ee-88bd00b4a5e7}\InprocHandler NAME NOT FOUND Desired Access: Query Value 10:27:55,1251272 NOTEPAD.EXE 2604 RegQueryKey HKCR\CLSID\{b5f8350b-0548-48b1-a6ee-88bd00b4a5e7} SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,1251658 NOTEPAD.EXE 2604 RegOpenKey HKCR\CLSID\{b5f8350b-0548-48b1-a6ee-88bd00b4a5e7}\InprocHandler NAME NOT FOUND Desired Access: Query Value 10:27:55,1252099 NOTEPAD.EXE 2604 RegQueryKey HKCR\CLSID\{b5f8350b-0548-48b1-a6ee-88bd00b4a5e7} BUFFER TOO SMALL Query: Name, Length: 0 10:27:55,1252505 NOTEPAD.EXE 2604 RegQueryKey HKCR\CLSID\{b5f8350b-0548-48b1-a6ee-88bd00b4a5e7} SUCCESS Query: Name 10:27:55,1253061 NOTEPAD.EXE 2604 RegOpenKey HKLM\SOFTWARE\Microsoft\AppModel\Lookaside\machine\SOFTWARE\Classes\CLSID\{b5f8350b-0548-48b1-a6ee-88bd00b4a5e7}\InprocHandler NAME NOT FOUND Desired Access: Read 10:27:55,1253552 NOTEPAD.EXE 2604 RegCloseKey HKCR\CLSID\{b5f8350b-0548-48b1-a6ee-88bd00b4a5e7} SUCCESS 10:27:55,1254870 NOTEPAD.EXE 2604 RegQueryKey HKCU\Software\Classes SUCCESS Query: Name 10:27:55,1255351 NOTEPAD.EXE 2604 RegQueryKey HKCU\Software\Classes SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,1255712 NOTEPAD.EXE 2604 RegQueryKey HKCU\Software\Classes SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,1256155 NOTEPAD.EXE 2604 RegOpenKey HKCU\Software\Classes\CLSID\{B5F8350B-0548-48B1-A6EE-88BD00B4A5E7} NAME NOT FOUND Desired Access: Read 10:27:55,1256727 NOTEPAD.EXE 2604 RegOpenKey HKCR\CLSID\{B5F8350B-0548-48B1-A6EE-88BD00B4A5E7} SUCCESS Desired Access: Read 10:27:55,1257252 NOTEPAD.EXE 2604 RegQueryKey HKCR\CLSID\{b5f8350b-0548-48b1-a6ee-88bd00b4a5e7} SUCCESS Query: Name 10:27:55,1257705 NOTEPAD.EXE 2604 RegQueryKey HKCR\CLSID\{b5f8350b-0548-48b1-a6ee-88bd00b4a5e7} SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,1258174 NOTEPAD.EXE 2604 RegOpenKey HKCU\Software\Classes\CLSID\{b5f8350b-0548-48b1-a6ee-88bd00b4a5e7}\TreatAs NAME NOT FOUND Desired Access: Query Value 10:27:55,1258630 NOTEPAD.EXE 2604 RegQueryKey HKCR\CLSID\{b5f8350b-0548-48b1-a6ee-88bd00b4a5e7} SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,1259075 NOTEPAD.EXE 2604 RegOpenKey HKCR\CLSID\{b5f8350b-0548-48b1-a6ee-88bd00b4a5e7}\TreatAs NAME NOT FOUND Desired Access: Query Value 10:27:55,1259563 NOTEPAD.EXE 2604 RegQueryKey HKCR\CLSID\{b5f8350b-0548-48b1-a6ee-88bd00b4a5e7} BUFFER TOO SMALL Query: Name, Length: 0 10:27:55,1259997 NOTEPAD.EXE 2604 RegQueryKey HKCR\CLSID\{b5f8350b-0548-48b1-a6ee-88bd00b4a5e7} SUCCESS Query: Name 10:27:55,1260504 NOTEPAD.EXE 2604 RegOpenKey HKLM\SOFTWARE\Microsoft\AppModel\Lookaside\machine\SOFTWARE\Classes\CLSID\{b5f8350b-0548-48b1-a6ee-88bd00b4a5e7}\TreatAs NAME NOT FOUND Desired Access: Read 10:27:55,1260976 NOTEPAD.EXE 2604 RegQueryKey HKCR\CLSID\{b5f8350b-0548-48b1-a6ee-88bd00b4a5e7} SUCCESS Query: Name 10:27:55,1261488 NOTEPAD.EXE 2604 RegQueryKey HKCR\CLSID\{b5f8350b-0548-48b1-a6ee-88bd00b4a5e7} SUCCESS Query: Name 10:27:55,1261982 NOTEPAD.EXE 2604 RegQueryKey HKCR\CLSID\{b5f8350b-0548-48b1-a6ee-88bd00b4a5e7} SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,1262460 NOTEPAD.EXE 2604 RegOpenKey HKCU\Software\Classes\CLSID\{b5f8350b-0548-48b1-a6ee-88bd00b4a5e7} NAME NOT FOUND Desired Access: Maximum Allowed 10:27:55,1263175 NOTEPAD.EXE 2604 RegQueryValue HKCR\CLSID\{b5f8350b-0548-48b1-a6ee-88bd00b4a5e7}\ActivateOnHostFlags NAME NOT FOUND Length: 16 10:27:55,1263612 NOTEPAD.EXE 2604 RegQueryKey HKCR\CLSID\{b5f8350b-0548-48b1-a6ee-88bd00b4a5e7} SUCCESS Query: Name 10:27:55,1264068 NOTEPAD.EXE 2604 RegQueryKey HKCR\CLSID\{b5f8350b-0548-48b1-a6ee-88bd00b4a5e7} SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,1264773 NOTEPAD.EXE 2604 RegOpenKey HKCU\Software\Classes\CLSID\{b5f8350b-0548-48b1-a6ee-88bd00b4a5e7} NAME NOT FOUND Desired Access: Maximum Allowed 10:27:55,1265329 NOTEPAD.EXE 2604 RegQueryValue HKCR\CLSID\{b5f8350b-0548-48b1-a6ee-88bd00b4a5e7}\(Default) BUFFER OVERFLOW Length: 12 10:27:55,1265894 NOTEPAD.EXE 2604 RegQueryKey HKCR\CLSID\{b5f8350b-0548-48b1-a6ee-88bd00b4a5e7} SUCCESS Query: Name 10:27:55,1266412 NOTEPAD.EXE 2604 RegQueryKey HKCR\CLSID\{b5f8350b-0548-48b1-a6ee-88bd00b4a5e7} SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,1266912 NOTEPAD.EXE 2604 RegOpenKey HKCU\Software\Classes\CLSID\{b5f8350b-0548-48b1-a6ee-88bd00b4a5e7} NAME NOT FOUND Desired Access: Maximum Allowed 10:27:55,1267366 NOTEPAD.EXE 2604 RegQueryValue HKCR\CLSID\{b5f8350b-0548-48b1-a6ee-88bd00b4a5e7}\(Default) SUCCESS Type: REG_SZ, Length: 42, Data: MSAA AccPropServices 10:27:55,1267951 NOTEPAD.EXE 2604 RegQueryKey HKCR\CLSID\{b5f8350b-0548-48b1-a6ee-88bd00b4a5e7} SUCCESS Query: Name 10:27:55,1268435 NOTEPAD.EXE 2604 RegQueryKey HKCR\CLSID\{b5f8350b-0548-48b1-a6ee-88bd00b4a5e7} SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,1269010 NOTEPAD.EXE 2604 RegOpenKey HKCU\Software\Classes\CLSID\{b5f8350b-0548-48b1-a6ee-88bd00b4a5e7}\InprocServer32 NAME NOT FOUND Desired Access: Read 10:27:55,1269549 NOTEPAD.EXE 2604 RegQueryKey HKCR\CLSID\{b5f8350b-0548-48b1-a6ee-88bd00b4a5e7} SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,1270063 NOTEPAD.EXE 2604 RegOpenKey HKCR\CLSID\{b5f8350b-0548-48b1-a6ee-88bd00b4a5e7}\InprocServer32 SUCCESS Desired Access: Read 10:27:55,1270756 NOTEPAD.EXE 2604 RegQueryKey HKCR\CLSID\{b5f8350b-0548-48b1-a6ee-88bd00b4a5e7}\InprocServer32 SUCCESS Query: Name 10:27:55,1271247 NOTEPAD.EXE 2604 RegQueryKey HKCR\CLSID\{b5f8350b-0548-48b1-a6ee-88bd00b4a5e7}\InprocServer32 SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,1271819 NOTEPAD.EXE 2604 RegOpenKey HKCU\Software\Classes\CLSID\{b5f8350b-0548-48b1-a6ee-88bd00b4a5e7}\InprocServer32 NAME NOT FOUND Desired Access: Maximum Allowed 10:27:55,1274008 NOTEPAD.EXE 2604 RegQueryValue HKCR\CLSID\{b5f8350b-0548-48b1-a6ee-88bd00b4a5e7}\InprocServer32\InprocServer32 NAME NOT FOUND Length: 12 10:27:55,1274533 NOTEPAD.EXE 2604 RegQueryKey HKCR\CLSID\{b5f8350b-0548-48b1-a6ee-88bd00b4a5e7}\InprocServer32 SUCCESS Query: Name 10:27:55,1275104 NOTEPAD.EXE 2604 RegQueryKey HKCR\CLSID\{b5f8350b-0548-48b1-a6ee-88bd00b4a5e7}\InprocServer32 SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,1275670 NOTEPAD.EXE 2604 RegOpenKey HKCU\Software\Classes\CLSID\{b5f8350b-0548-48b1-a6ee-88bd00b4a5e7}\InprocServer32 NAME NOT FOUND Desired Access: Maximum Allowed 10:27:55,1276161 NOTEPAD.EXE 2604 RegQueryValue HKCR\CLSID\{b5f8350b-0548-48b1-a6ee-88bd00b4a5e7}\InprocServer32\(Default) BUFFER OVERFLOW Length: 12 10:27:55,1276825 NOTEPAD.EXE 2604 RegQueryKey HKCR\CLSID\{b5f8350b-0548-48b1-a6ee-88bd00b4a5e7}\InprocServer32 SUCCESS Query: Name 10:27:55,1277669 NOTEPAD.EXE 2604 RegQueryKey HKCR\CLSID\{b5f8350b-0548-48b1-a6ee-88bd00b4a5e7}\InprocServer32 SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,1278171 NOTEPAD.EXE 2604 RegOpenKey HKCU\Software\Classes\CLSID\{b5f8350b-0548-48b1-a6ee-88bd00b4a5e7}\InprocServer32 NAME NOT FOUND Desired Access: Maximum Allowed 10:27:55,1278652 NOTEPAD.EXE 2604 RegQueryValue HKCR\CLSID\{b5f8350b-0548-48b1-a6ee-88bd00b4a5e7}\InprocServer32\(Default) SUCCESS Type: REG_SZ, Length: 62, Data: C:\Windows\System32\oleacc.dll 10:27:55,1279093 NOTEPAD.EXE 2604 RegQueryKey HKCR\CLSID\{b5f8350b-0548-48b1-a6ee-88bd00b4a5e7}\InprocServer32 SUCCESS Query: Name 10:27:55,1279545 NOTEPAD.EXE 2604 RegQueryKey HKCR\CLSID\{b5f8350b-0548-48b1-a6ee-88bd00b4a5e7}\InprocServer32 SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,1280101 NOTEPAD.EXE 2604 RegOpenKey HKCU\Software\Classes\CLSID\{b5f8350b-0548-48b1-a6ee-88bd00b4a5e7}\InprocServer32 NAME NOT FOUND Desired Access: Maximum Allowed 10:27:55,1280570 NOTEPAD.EXE 2604 RegQueryValue HKCR\CLSID\{b5f8350b-0548-48b1-a6ee-88bd00b4a5e7}\InprocServer32\ThreadingModel SUCCESS Type: REG_SZ, Length: 20, Data: Apartment 10:27:55,1281086 NOTEPAD.EXE 2604 RegCloseKey HKCR\CLSID\{b5f8350b-0548-48b1-a6ee-88bd00b4a5e7}\InprocServer32 SUCCESS 10:27:55,1281983 NOTEPAD.EXE 2604 RegQueryKey HKCR\CLSID\{b5f8350b-0548-48b1-a6ee-88bd00b4a5e7} SUCCESS Query: Name 10:27:55,1282506 NOTEPAD.EXE 2604 RegQueryKey HKCR\CLSID\{b5f8350b-0548-48b1-a6ee-88bd00b4a5e7} SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,1283019 NOTEPAD.EXE 2604 RegOpenKey HKCU\Software\Classes\CLSID\{b5f8350b-0548-48b1-a6ee-88bd00b4a5e7}\InprocHandler32 NAME NOT FOUND Desired Access: Query Value 10:27:55,1290950 NOTEPAD.EXE 2604 RegQueryKey HKCR\CLSID\{b5f8350b-0548-48b1-a6ee-88bd00b4a5e7} SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,1291355 NOTEPAD.EXE 2604 RegOpenKey HKCR\CLSID\{b5f8350b-0548-48b1-a6ee-88bd00b4a5e7}\InprocHandler32 NAME NOT FOUND Desired Access: Query Value 10:27:55,1291809 NOTEPAD.EXE 2604 RegQueryKey HKCR\CLSID\{b5f8350b-0548-48b1-a6ee-88bd00b4a5e7} BUFFER TOO SMALL Query: Name, Length: 0 10:27:55,1292245 NOTEPAD.EXE 2604 RegQueryKey HKCR\CLSID\{b5f8350b-0548-48b1-a6ee-88bd00b4a5e7} SUCCESS Query: Name 10:27:55,1292777 NOTEPAD.EXE 2604 RegOpenKey HKLM\SOFTWARE\Microsoft\AppModel\Lookaside\machine\SOFTWARE\Classes\CLSID\{b5f8350b-0548-48b1-a6ee-88bd00b4a5e7}\InprocHandler32 NAME NOT FOUND Desired Access: Read 10:27:55,1293283 NOTEPAD.EXE 2604 RegQueryKey HKCR\CLSID\{b5f8350b-0548-48b1-a6ee-88bd00b4a5e7} SUCCESS Query: Name 10:27:55,1293717 NOTEPAD.EXE 2604 RegQueryKey HKCR\CLSID\{b5f8350b-0548-48b1-a6ee-88bd00b4a5e7} SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,1294444 NOTEPAD.EXE 2604 RegOpenKey HKCU\Software\Classes\CLSID\{b5f8350b-0548-48b1-a6ee-88bd00b4a5e7}\InprocHandler NAME NOT FOUND Desired Access: Query Value 10:27:55,1295025 NOTEPAD.EXE 2604 RegQueryKey HKCR\CLSID\{b5f8350b-0548-48b1-a6ee-88bd00b4a5e7} SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,1295476 NOTEPAD.EXE 2604 RegOpenKey HKCR\CLSID\{b5f8350b-0548-48b1-a6ee-88bd00b4a5e7}\InprocHandler NAME NOT FOUND Desired Access: Query Value 10:27:55,1295968 NOTEPAD.EXE 2604 RegQueryKey HKCR\CLSID\{b5f8350b-0548-48b1-a6ee-88bd00b4a5e7} BUFFER TOO SMALL Query: Name, Length: 0 10:27:55,1299562 NOTEPAD.EXE 2604 RegQueryKey HKCR\CLSID\{b5f8350b-0548-48b1-a6ee-88bd00b4a5e7} SUCCESS Query: Name 10:27:55,1300264 NOTEPAD.EXE 2604 RegOpenKey HKLM\SOFTWARE\Microsoft\AppModel\Lookaside\machine\SOFTWARE\Classes\CLSID\{b5f8350b-0548-48b1-a6ee-88bd00b4a5e7}\InprocHandler NAME NOT FOUND Desired Access: Read 10:27:55,1300845 NOTEPAD.EXE 2604 RegQueryKey HKCR\CLSID\{b5f8350b-0548-48b1-a6ee-88bd00b4a5e7} SUCCESS Query: Name 10:27:55,1307594 NOTEPAD.EXE 2604 RegQueryKey HKCR\CLSID\{b5f8350b-0548-48b1-a6ee-88bd00b4a5e7} SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,1308184 NOTEPAD.EXE 2604 RegOpenKey HKCU\Software\Classes\CLSID\{b5f8350b-0548-48b1-a6ee-88bd00b4a5e7}\LocalServer32 NAME NOT FOUND Desired Access: Read 10:27:55,1308844 NOTEPAD.EXE 2604 RegQueryKey HKCR\CLSID\{b5f8350b-0548-48b1-a6ee-88bd00b4a5e7} SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,1317585 NOTEPAD.EXE 2604 RegOpenKey HKCR\CLSID\{b5f8350b-0548-48b1-a6ee-88bd00b4a5e7}\LocalServer32 NAME NOT FOUND Desired Access: Read 10:27:55,1318161 NOTEPAD.EXE 2604 RegQueryKey HKCR\CLSID\{b5f8350b-0548-48b1-a6ee-88bd00b4a5e7} BUFFER TOO SMALL Query: Name, Length: 0 10:27:55,1318660 NOTEPAD.EXE 2604 RegQueryKey HKCR\CLSID\{b5f8350b-0548-48b1-a6ee-88bd00b4a5e7} SUCCESS Query: Name 10:27:55,1320023 NOTEPAD.EXE 2604 RegOpenKey HKLM\SOFTWARE\Microsoft\AppModel\Lookaside\machine\SOFTWARE\Classes\CLSID\{b5f8350b-0548-48b1-a6ee-88bd00b4a5e7}\LocalServer32 NAME NOT FOUND Desired Access: Read 10:27:55,1320888 NOTEPAD.EXE 2604 RegQueryKey HKCR\CLSID\{b5f8350b-0548-48b1-a6ee-88bd00b4a5e7} SUCCESS Query: Name 10:27:55,1321317 NOTEPAD.EXE 2604 RegQueryKey HKCR\CLSID\{b5f8350b-0548-48b1-a6ee-88bd00b4a5e7} SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,1321827 NOTEPAD.EXE 2604 RegOpenKey HKCU\Software\Classes\CLSID\{b5f8350b-0548-48b1-a6ee-88bd00b4a5e7} NAME NOT FOUND Desired Access: Maximum Allowed 10:27:55,1322303 NOTEPAD.EXE 2604 RegQueryValue HKCR\CLSID\{b5f8350b-0548-48b1-a6ee-88bd00b4a5e7}\AppID NAME NOT FOUND Length: 112 10:27:55,1322813 NOTEPAD.EXE 2604 RegQueryKey HKCR\CLSID\{b5f8350b-0548-48b1-a6ee-88bd00b4a5e7} SUCCESS Query: Name 10:27:55,1323853 NOTEPAD.EXE 2604 RegQueryKey HKCR\CLSID\{b5f8350b-0548-48b1-a6ee-88bd00b4a5e7} SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,1324459 NOTEPAD.EXE 2604 RegOpenKey HKCU\Software\Classes\CLSID\{b5f8350b-0548-48b1-a6ee-88bd00b4a5e7}\LocalServer NAME NOT FOUND Desired Access: Query Value 10:27:55,1325837 NOTEPAD.EXE 2604 RegQueryKey HKCR\CLSID\{b5f8350b-0548-48b1-a6ee-88bd00b4a5e7} SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,1327384 NOTEPAD.EXE 2604 RegOpenKey HKCR\CLSID\{b5f8350b-0548-48b1-a6ee-88bd00b4a5e7}\LocalServer NAME NOT FOUND Desired Access: Query Value 10:27:55,1327906 NOTEPAD.EXE 2604 RegQueryKey HKCR\CLSID\{b5f8350b-0548-48b1-a6ee-88bd00b4a5e7} BUFFER TOO SMALL Query: Name, Length: 0 10:27:55,1328366 NOTEPAD.EXE 2604 RegQueryKey HKCR\CLSID\{b5f8350b-0548-48b1-a6ee-88bd00b4a5e7} SUCCESS Query: Name 10:27:55,1328935 NOTEPAD.EXE 2604 RegOpenKey HKLM\SOFTWARE\Microsoft\AppModel\Lookaside\machine\SOFTWARE\Classes\CLSID\{b5f8350b-0548-48b1-a6ee-88bd00b4a5e7}\LocalServer NAME NOT FOUND Desired Access: Read 10:27:55,1329487 NOTEPAD.EXE 2604 RegQueryKey HKCU\Software\Classes SUCCESS Query: Name 10:27:55,1330354 NOTEPAD.EXE 2604 RegQueryKey HKCU\Software\Classes SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,1330708 NOTEPAD.EXE 2604 RegQueryKey HKCU\Software\Classes SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,1331122 NOTEPAD.EXE 2604 RegOpenKey HKCU\Software\Classes\CLSID\{B5F8350B-0548-48B1-A6EE-88BD00B4A5E7} NAME NOT FOUND Desired Access: Read 10:27:55,1331824 NOTEPAD.EXE 2604 RegOpenKey HKCR\CLSID\{B5F8350B-0548-48B1-A6EE-88BD00B4A5E7} SUCCESS Desired Access: Read 10:27:55,1332495 NOTEPAD.EXE 2604 RegQueryKey HKCR\CLSID\{b5f8350b-0548-48b1-a6ee-88bd00b4a5e7} SUCCESS Query: Name 10:27:55,1345327 NOTEPAD.EXE 2604 RegQueryKey HKCR\CLSID\{b5f8350b-0548-48b1-a6ee-88bd00b4a5e7} SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,1345888 NOTEPAD.EXE 2604 RegOpenKey HKCU\Software\Classes\CLSID\{b5f8350b-0548-48b1-a6ee-88bd00b4a5e7}\Elevation NAME NOT FOUND Desired Access: Read 10:27:55,1347497 NOTEPAD.EXE 2604 RegQueryKey HKCR\CLSID\{b5f8350b-0548-48b1-a6ee-88bd00b4a5e7} SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,1347924 NOTEPAD.EXE 2604 RegOpenKey HKCR\CLSID\{b5f8350b-0548-48b1-a6ee-88bd00b4a5e7}\Elevation NAME NOT FOUND Desired Access: Read 10:27:55,1348401 NOTEPAD.EXE 2604 RegQueryKey HKCR\CLSID\{b5f8350b-0548-48b1-a6ee-88bd00b4a5e7} BUFFER TOO SMALL Query: Name, Length: 0 10:27:55,1349053 NOTEPAD.EXE 2604 RegQueryKey HKCR\CLSID\{b5f8350b-0548-48b1-a6ee-88bd00b4a5e7} SUCCESS Query: Name 10:27:55,1353617 NOTEPAD.EXE 2604 RegOpenKey HKLM\SOFTWARE\Microsoft\AppModel\Lookaside\machine\SOFTWARE\Classes\CLSID\{b5f8350b-0548-48b1-a6ee-88bd00b4a5e7}\Elevation NAME NOT FOUND Desired Access: Read 10:27:55,1354277 NOTEPAD.EXE 2604 RegCloseKey HKCR\CLSID\{b5f8350b-0548-48b1-a6ee-88bd00b4a5e7} SUCCESS 10:27:55,1354971 NOTEPAD.EXE 2604 RegCloseKey HKCR\CLSID\{b5f8350b-0548-48b1-a6ee-88bd00b4a5e7} SUCCESS 10:27:55,1355470 NOTEPAD.EXE 2604 RegQueryKey HKCU\Software\Classes SUCCESS Query: Name 10:27:55,1356319 NOTEPAD.EXE 2604 RegQueryKey HKCU\Software\Classes SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,1356768 NOTEPAD.EXE 2604 RegQueryKey HKCU\Software\Classes SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,1357207 NOTEPAD.EXE 2604 RegOpenKey HKCU\Software\Classes\CLSID\{B5F8350B-0548-48B1-A6EE-88BD00B4A5E7} NAME NOT FOUND Desired Access: Read 10:27:55,1357785 NOTEPAD.EXE 2604 RegOpenKey HKCR\CLSID\{B5F8350B-0548-48B1-A6EE-88BD00B4A5E7} SUCCESS Desired Access: Read 10:27:55,1358400 NOTEPAD.EXE 2604 RegQueryKey HKCR\CLSID\{b5f8350b-0548-48b1-a6ee-88bd00b4a5e7} SUCCESS Query: Name 10:27:55,1358948 NOTEPAD.EXE 2604 RegQueryKey HKCR\CLSID\{b5f8350b-0548-48b1-a6ee-88bd00b4a5e7} SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,1359461 NOTEPAD.EXE 2604 RegOpenKey HKCU\Software\Classes\CLSID\{b5f8350b-0548-48b1-a6ee-88bd00b4a5e7}\TreatAs NAME NOT FOUND Desired Access: Read 10:27:55,1359920 NOTEPAD.EXE 2604 RegQueryKey HKCR\CLSID\{b5f8350b-0548-48b1-a6ee-88bd00b4a5e7} SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,1371327 NOTEPAD.EXE 2604 RegOpenKey HKCR\CLSID\{b5f8350b-0548-48b1-a6ee-88bd00b4a5e7}\TreatAs NAME NOT FOUND Desired Access: Read 10:27:55,1371791 NOTEPAD.EXE 2604 RegQueryKey HKCR\CLSID\{b5f8350b-0548-48b1-a6ee-88bd00b4a5e7} BUFFER TOO SMALL Query: Name, Length: 0 10:27:55,1372253 NOTEPAD.EXE 2604 RegQueryKey HKCR\CLSID\{b5f8350b-0548-48b1-a6ee-88bd00b4a5e7} SUCCESS Query: Name 10:27:55,1372793 NOTEPAD.EXE 2604 RegOpenKey HKLM\SOFTWARE\Microsoft\AppModel\Lookaside\machine\SOFTWARE\Classes\CLSID\{b5f8350b-0548-48b1-a6ee-88bd00b4a5e7}\TreatAs NAME NOT FOUND Desired Access: Read 10:27:55,1374185 NOTEPAD.EXE 2604 RegCloseKey HKCR\CLSID\{b5f8350b-0548-48b1-a6ee-88bd00b4a5e7} SUCCESS 10:27:55,1400915 NOTEPAD.EXE 2604 CreateFile C:\Windows\System32\oleacc.dll SUCCESS Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened 10:27:55,1403838 NOTEPAD.EXE 2604 QueryBasicInformationFile C:\Windows\System32\oleacc.dll SUCCESS CreationTime: 15/01/2021 09:55:40, LastAccessTime: 09/08/2023 10:27:49, LastWriteTime: 15/01/2021 09:55:40, ChangeTime: 09/08/2023 10:02:43, FileAttributes: A 10:27:55,1404476 NOTEPAD.EXE 2604 CloseFile C:\Windows\System32\oleacc.dll SUCCESS 10:27:55,1409090 NOTEPAD.EXE 2604 CreateFile C:\Windows\System32\oleacc.dll SUCCESS Desired Access: Read Data/List Directory, Execute/Traverse, Synchronize, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, Delete, AllocationSize: n/a, OpenResult: Opened 10:27:55,1410863 NOTEPAD.EXE 2604 CreateFileMapping C:\Windows\System32\oleacc.dll FILE LOCKED WITH ONLY READERS SyncType: SyncTypeCreateSection, PageProtection: PAGE_EXECUTE_WRITECOPY|PAGE_NOCACHE 10:27:55,1411957 NOTEPAD.EXE 2604 CreateFileMapping C:\Windows\System32\oleacc.dll SUCCESS SyncType: SyncTypeOther 10:27:55,1419082 NOTEPAD.EXE 2604 Load Image C:\Windows\System32\oleacc.dll SUCCESS Image Base: 0x7ffb49d20000, Image Size: 0x66000 10:27:55,1423025 NOTEPAD.EXE 2604 CloseFile C:\Windows\System32\oleacc.dll SUCCESS 10:27:55,1433357 NOTEPAD.EXE 2604 CreateFile C:\Windows\System32\oleaccrc.dll SUCCESS Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened 10:27:55,1435261 NOTEPAD.EXE 2604 QueryBasicInformationFile C:\Windows\System32\oleaccrc.dll SUCCESS CreationTime: 07/12/2019 06:09:05, LastAccessTime: 09/08/2023 10:27:49, LastWriteTime: 07/12/2019 06:09:05, ChangeTime: 09/08/2023 10:02:43, FileAttributes: A 10:27:55,1438601 NOTEPAD.EXE 2604 CloseFile C:\Windows\System32\oleaccrc.dll SUCCESS 10:27:55,1444125 NOTEPAD.EXE 2604 CreateFile C:\Windows\System32\oleaccrc.dll SUCCESS Desired Access: Generic Read, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, Delete, AllocationSize: n/a, OpenResult: Opened 10:27:55,1448032 NOTEPAD.EXE 2604 CreateFileMapping C:\Windows\System32\oleaccrc.dll FILE LOCKED WITH ONLY READERS SyncType: SyncTypeCreateSection, PageProtection: PAGE_EXECUTE_WRITECOPY|PAGE_NOCACHE 10:27:55,1448669 NOTEPAD.EXE 2604 QueryStandardInformationFile C:\Windows\System32\oleaccrc.dll SUCCESS AllocationSize: 4.096, EndOfFile: 4.608, NumberOfLinks: 2, DeletePending: False, Directory: False 10:27:55,1449656 NOTEPAD.EXE 2604 CreateFileMapping C:\Windows\System32\oleaccrc.dll SUCCESS SyncType: SyncTypeOther 10:27:55,1450830 NOTEPAD.EXE 2604 CloseFile C:\Windows\System32\oleaccrc.dll SUCCESS 10:27:55,1457946 NOTEPAD.EXE 2604 RegOpenKey HKCU\Software\Classes SUCCESS Desired Access: Maximum Allowed, Granted Access: All Access 10:27:55,1462273 NOTEPAD.EXE 2604 RegQueryKey HKCU\Software\Classes SUCCESS Query: Name 10:27:55,1462947 NOTEPAD.EXE 2604 RegQueryKey HKCU\Software\Classes SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,1463388 NOTEPAD.EXE 2604 RegQueryKey HKCU\Software\Classes SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,1464006 NOTEPAD.EXE 2604 RegOpenKey HKCU\Software\Classes\Interface\{618736E0-3C3D-11CF-810C-00AA00389B71}\ProxyStubClsid32 NAME NOT FOUND Desired Access: Read 10:27:55,1464741 NOTEPAD.EXE 2604 RegOpenKey HKCR\Interface\{618736E0-3C3D-11CF-810C-00AA00389B71}\ProxyStubClsid32 SUCCESS Desired Access: Read 10:27:55,1465448 NOTEPAD.EXE 2604 RegQueryKey HKCR\Interface\{618736E0-3C3D-11CF-810C-00AA00389B71}\ProxyStubClsid32 SUCCESS Query: Name 10:27:55,1465904 NOTEPAD.EXE 2604 RegQueryKey HKCR\Interface\{618736E0-3C3D-11CF-810C-00AA00389B71}\ProxyStubClsid32 SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,1466417 NOTEPAD.EXE 2604 RegOpenKey HKCU\Software\Classes\Interface\{618736E0-3C3D-11CF-810C-00AA00389B71}\ProxyStubClsid32 NAME NOT FOUND Desired Access: Maximum Allowed 10:27:55,1467640 NOTEPAD.EXE 2604 RegQueryValue HKCR\Interface\{618736E0-3C3D-11CF-810C-00AA00389B71}\ProxyStubClsid32\(Default) SUCCESS Type: REG_SZ, Length: 78, Data: {00020424-0000-0000-C000-000000000046} 10:27:55,1468284 NOTEPAD.EXE 2604 RegCloseKey HKCR\Interface\{618736E0-3C3D-11CF-810C-00AA00389B71}\ProxyStubClsid32 SUCCESS 10:27:55,1472378 NOTEPAD.EXE 2604 RegOpenKey HKLM\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots NAME NOT FOUND Desired Access: Enumerate Sub Keys 10:27:55,1479935 NOTEPAD.EXE 2604 CreateFile C:\Windows\System32\NOTEPAD.EXE.Local NAME NOT FOUND Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a 10:27:55,1483975 NOTEPAD.EXE 2604 CreateFile C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.1110_none_60b5254171f9507e SUCCESS Desired Access: Execute/Traverse, Synchronize, Disposition: Open, Options: Directory, Synchronous IO Non-Alert, Attributes: n/a, ShareMode: Read, Write, AllocationSize: n/a, OpenResult: Opened 10:27:55,1499813 NOTEPAD.EXE 2604 RegQueryValue HKLM\System\CurrentControlSet\Control\Notifications\418A073AA3BC8075 BUFFER TOO SMALL Length: 0 10:27:55,1503374 NOTEPAD.EXE 2604 RegQueryValue HKLM\System\CurrentControlSet\Control\Notifications\418A073AA3BC8075 SUCCESS Type: REG_BINARY, Length: 364, Data: 01 00 04 80 00 00 00 00 00 00 00 00 00 00 00 00 10:27:55,1872751 NOTEPAD.EXE 2604 RegQueryValue HKLM\System\CurrentControlSet\Control\Notifications\418A073AA3BC8075 BUFFER TOO SMALL Length: 0 10:27:55,1874974 NOTEPAD.EXE 2604 RegQueryValue HKLM\System\CurrentControlSet\Control\Notifications\418A073AA3BC8075 SUCCESS Type: REG_BINARY, Length: 364, Data: 01 00 04 80 00 00 00 00 00 00 00 00 00 00 00 00 10:27:55,1903911 NOTEPAD.EXE 2604 RegQueryKey HKLM SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,1906282 NOTEPAD.EXE 2604 RegOpenKey HKLM\SOFTWARE\Microsoft\CTF\Compatibility\NOTEPAD.EXE NAME NOT FOUND Desired Access: Read 10:27:55,1907044 NOTEPAD.EXE 2604 RegQueryKey HKLM BUFFER TOO SMALL Query: Name, Length: 0 10:27:55,1907528 NOTEPAD.EXE 2604 RegQueryKey HKLM SUCCESS Query: Name 10:27:55,1908128 NOTEPAD.EXE 2604 RegOpenKey HKLM\SOFTWARE\Microsoft\AppModel\Lookaside\machine\SOFTWARE\Microsoft\CTF\Compatibility\NOTEPAD.EXE NAME NOT FOUND Desired Access: Read 10:27:55,1914492 NOTEPAD.EXE 2604 RegQueryKey HKLM SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,1915512 NOTEPAD.EXE 2604 RegOpenKey HKLM\SOFTWARE\Microsoft\CTF\Compatibility\NOTEPAD.EXE NAME NOT FOUND Desired Access: Read 10:27:55,1916066 NOTEPAD.EXE 2604 RegQueryKey HKLM BUFFER TOO SMALL Query: Name, Length: 0 10:27:55,1916544 NOTEPAD.EXE 2604 RegQueryKey HKLM SUCCESS Query: Name 10:27:55,1917590 NOTEPAD.EXE 2604 RegOpenKey HKLM\SOFTWARE\Microsoft\AppModel\Lookaside\machine\SOFTWARE\Microsoft\CTF\Compatibility\NOTEPAD.EXE NAME NOT FOUND Desired Access: Read 10:27:55,1922256 NOTEPAD.EXE 2604 RegQueryKey HKLM SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,1922798 NOTEPAD.EXE 2604 RegOpenKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\OOBE SUCCESS Desired Access: Query Value 10:27:55,1923430 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\OOBE\LaunchUserOOBE NAME NOT FOUND Length: 16 10:27:55,1923997 NOTEPAD.EXE 2604 RegCloseKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\OOBE SUCCESS 10:27:55,1927438 NOTEPAD.EXE 2604 RegQueryValue HKLM\System\CurrentControlSet\Control\Notifications\418A073AA3BC8075 BUFFER TOO SMALL Length: 0 10:27:55,1928910 NOTEPAD.EXE 2604 RegQueryValue HKLM\System\CurrentControlSet\Control\Notifications\418A073AA3BC8075 SUCCESS Type: REG_BINARY, Length: 364, Data: 01 00 04 80 00 00 00 00 00 00 00 00 00 00 00 00 10:27:55,1941921 NOTEPAD.EXE 2604 CreateFile C:\Windows\System32\TextInputFramework.dll SUCCESS Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened 10:27:55,1943100 NOTEPAD.EXE 2604 QueryBasicInformationFile C:\Windows\System32\TextInputFramework.dll SUCCESS CreationTime: 09/08/2023 09:58:33, LastAccessTime: 09/08/2023 10:27:52, LastWriteTime: 09/08/2023 09:58:34, ChangeTime: 09/08/2023 10:09:53, FileAttributes: A 10:27:55,1943669 NOTEPAD.EXE 2604 CloseFile C:\Windows\System32\TextInputFramework.dll SUCCESS 10:27:55,1948728 NOTEPAD.EXE 2604 CreateFile C:\Windows\System32\TextInputFramework.dll SUCCESS Desired Access: Read Data/List Directory, Execute/Traverse, Synchronize, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, Delete, AllocationSize: n/a, OpenResult: Opened 10:27:55,1950281 NOTEPAD.EXE 2604 CreateFileMapping C:\Windows\System32\TextInputFramework.dll FILE LOCKED WITH ONLY READERS SyncType: SyncTypeCreateSection, PageProtection: PAGE_EXECUTE_WRITECOPY 10:27:55,1951913 NOTEPAD.EXE 2604 CreateFileMapping C:\Windows\System32\TextInputFramework.dll SUCCESS SyncType: SyncTypeOther 10:27:55,1959941 NOTEPAD.EXE 2604 Load Image C:\Windows\System32\TextInputFramework.dll SUCCESS Image Base: 0x7ffb5c140000, Image Size: 0xfa000 10:27:55,1964793 NOTEPAD.EXE 2604 CloseFile C:\Windows\System32\TextInputFramework.dll SUCCESS 10:27:55,1971017 NOTEPAD.EXE 2604 CreateFile C:\Windows\System32\CoreUIComponents.dll SUCCESS Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened 10:27:55,1971200 NOTEPAD.EXE 2604 CreateFile C:\Windows\System32\CoreMessaging.dll SUCCESS Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened 10:27:55,1971809 NOTEPAD.EXE 2604 QueryBasicInformationFile C:\Windows\System32\CoreUIComponents.dll SUCCESS CreationTime: 14/10/2020 11:25:10, LastAccessTime: 09/08/2023 10:27:52, LastWriteTime: 14/10/2020 11:25:10, ChangeTime: 09/08/2023 10:02:40, FileAttributes: A 10:27:55,1972036 NOTEPAD.EXE 2604 QueryBasicInformationFile C:\Windows\System32\CoreMessaging.dll SUCCESS CreationTime: 09/08/2023 09:58:56, LastAccessTime: 09/08/2023 10:27:54, LastWriteTime: 09/08/2023 09:58:56, ChangeTime: 09/08/2023 10:10:01, FileAttributes: A 10:27:55,1972174 NOTEPAD.EXE 2604 CloseFile C:\Windows\System32\CoreUIComponents.dll SUCCESS 10:27:55,1972407 NOTEPAD.EXE 2604 CloseFile C:\Windows\System32\CoreMessaging.dll SUCCESS 10:27:55,1976669 NOTEPAD.EXE 2604 CreateFile C:\Windows\System32\CoreUIComponents.dll SUCCESS Desired Access: Read Data/List Directory, Execute/Traverse, Synchronize, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, Delete, AllocationSize: n/a, OpenResult: Opened 10:27:55,1976791 NOTEPAD.EXE 2604 CreateFile C:\Windows\System32\CoreMessaging.dll SUCCESS Desired Access: Read Data/List Directory, Execute/Traverse, Synchronize, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, Delete, AllocationSize: n/a, OpenResult: Opened 10:27:55,1977811 NOTEPAD.EXE 2604 CreateFileMapping C:\Windows\System32\CoreUIComponents.dll FILE LOCKED WITH ONLY READERS SyncType: SyncTypeCreateSection, PageProtection: PAGE_EXECUTE_WRITECOPY|PAGE_NOCACHE 10:27:55,1977962 NOTEPAD.EXE 2604 CreateFileMapping C:\Windows\System32\CoreMessaging.dll FILE LOCKED WITH ONLY READERS SyncType: SyncTypeCreateSection, PageProtection: PAGE_EXECUTE_WRITECOPY|PAGE_NOCACHE 10:27:55,1978857 NOTEPAD.EXE 2604 CreateFileMapping C:\Windows\System32\CoreMessaging.dll SUCCESS SyncType: SyncTypeOther 10:27:55,1978867 NOTEPAD.EXE 2604 CreateFileMapping C:\Windows\System32\CoreUIComponents.dll SUCCESS SyncType: SyncTypeOther 10:27:55,1987498 NOTEPAD.EXE 2604 Load Image C:\Windows\System32\CoreMessaging.dll SUCCESS Image Base: 0x7ffb60950000, Image Size: 0xf2000 10:27:55,1988036 NOTEPAD.EXE 2604 Load Image C:\Windows\System32\CoreUIComponents.dll SUCCESS Image Base: 0x7ffb605f0000, Image Size: 0x35e000 10:27:55,1991456 NOTEPAD.EXE 2604 CloseFile C:\Windows\System32\CoreUIComponents.dll SUCCESS 10:27:55,1997378 NOTEPAD.EXE 2604 Load Image C:\Windows\System32\ws2_32.dll SUCCESS Image Base: 0x7ffb63c30000, Image Size: 0x6b000 10:27:55,2000252 NOTEPAD.EXE 2604 CloseFile C:\Windows\System32\CoreMessaging.dll SUCCESS 10:27:55,2004290 NOTEPAD.EXE 2604 CreateFile C:\Windows\System32\ntmarta.dll SUCCESS Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened 10:27:55,2005352 NOTEPAD.EXE 2604 QueryBasicInformationFile C:\Windows\System32\ntmarta.dll SUCCESS CreationTime: 14/10/2020 11:25:32, LastAccessTime: 09/08/2023 10:27:54, LastWriteTime: 14/10/2020 11:25:32, ChangeTime: 09/08/2023 10:10:47, FileAttributes: A 10:27:55,2005712 NOTEPAD.EXE 2604 CloseFile C:\Windows\System32\ntmarta.dll SUCCESS 10:27:55,2009113 NOTEPAD.EXE 2604 CreateFile C:\Windows\System32\ntmarta.dll SUCCESS Desired Access: Read Data/List Directory, Execute/Traverse, Synchronize, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, Delete, AllocationSize: n/a, OpenResult: Opened 10:27:55,2010440 NOTEPAD.EXE 2604 CreateFileMapping C:\Windows\System32\ntmarta.dll FILE LOCKED WITH ONLY READERS SyncType: SyncTypeCreateSection, PageProtection: PAGE_EXECUTE_WRITECOPY|PAGE_NOCACHE 10:27:55,2011314 NOTEPAD.EXE 2604 CreateFileMapping C:\Windows\System32\ntmarta.dll SUCCESS SyncType: SyncTypeOther 10:27:55,2018330 NOTEPAD.EXE 2604 Load Image C:\Windows\System32\ntmarta.dll SUCCESS Image Base: 0x7ffb623c0000, Image Size: 0x33000 10:27:55,2020497 NOTEPAD.EXE 2604 CloseFile C:\Windows\System32\ntmarta.dll SUCCESS 10:27:55,2024917 NOTEPAD.EXE 2604 RegQueryValue HKLM\System\CurrentControlSet\Control\WMI\Security\d0f1a5c6-fc43-48ae-99bf-efb1c38be9d1 NAME NOT FOUND Length: 528 10:27:55,2026860 NOTEPAD.EXE 2604 QueryNameInformationFile C:\Windows\System32\ws2_32.dll SUCCESS Name: \Windows\System32\ws2_32.dll 10:27:55,2030857 NOTEPAD.EXE 2604 RegQueryValue HKLM\System\CurrentControlSet\Control\WMI\Security\3720dda7-caea-4af3-a138-375aafc3f1d6 NAME NOT FOUND Length: 528 10:27:55,2032369 NOTEPAD.EXE 2604 QueryNameInformationFile C:\Windows\System32\CoreUIComponents.dll SUCCESS Name: \Windows\System32\CoreUIComponents.dll 10:27:55,2034998 NOTEPAD.EXE 2604 RegQueryValue HKLM\System\CurrentControlSet\Control\WMI\Security\ebadf775-48aa-4bf3-8f8e-ec68d113c98e NAME NOT FOUND Length: 528 10:27:55,2036500 NOTEPAD.EXE 2604 QueryNameInformationFile C:\Windows\System32\TextInputFramework.dll SUCCESS Name: \Windows\System32\TextInputFramework.dll 10:27:55,2037820 NOTEPAD.EXE 2604 RegQueryValue HKLM\System\CurrentControlSet\Control\WMI\Security\3f30522e-d47a-407c-9067-2e928d00d54e NAME NOT FOUND Length: 528 10:27:55,2039428 NOTEPAD.EXE 2604 QueryNameInformationFile C:\Windows\System32\TextInputFramework.dll SUCCESS Name: \Windows\System32\TextInputFramework.dll 10:27:55,2041850 NOTEPAD.EXE 2604 RegQueryKey HKLM SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,2042401 NOTEPAD.EXE 2604 RegOpenKey HKLM\SOFTWARE\Microsoft\CTF\Compatibility\AppCompatClassName NAME NOT FOUND Desired Access: Read 10:27:55,2045242 NOTEPAD.EXE 2604 RegQueryKey HKLM BUFFER TOO SMALL Query: Name, Length: 0 10:27:55,2047734 NOTEPAD.EXE 2604 RegQueryKey HKLM SUCCESS Query: Name 10:27:55,2048455 NOTEPAD.EXE 2604 RegOpenKey HKLM\SOFTWARE\Microsoft\AppModel\Lookaside\machine\SOFTWARE\Microsoft\CTF\Compatibility\AppCompatClassName NAME NOT FOUND Desired Access: Read 10:27:55,2050049 NOTEPAD.EXE 2604 RegQueryValue HKLM\System\CurrentControlSet\Control\Notifications\418A073AA3BC8075 BUFFER TOO SMALL Length: 0 10:27:55,2051619 NOTEPAD.EXE 2604 RegQueryValue HKLM\System\CurrentControlSet\Control\Notifications\418A073AA3BC8075 SUCCESS Type: REG_BINARY, Length: 364, Data: 01 00 04 80 00 00 00 00 00 00 00 00 00 00 00 00 10:27:55,2058429 NOTEPAD.EXE 2604 RegQueryKey HKLM SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,2058991 NOTEPAD.EXE 2604 RegOpenKey HKLM\SOFTWARE\Microsoft\CTF\ SUCCESS Desired Access: Read 10:27:55,2059593 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\CTF\EnableAnchorContext NAME NOT FOUND Length: 16 10:27:55,2060193 NOTEPAD.EXE 2604 RegCloseKey HKLM\SOFTWARE\Microsoft\CTF SUCCESS 10:27:55,2074384 NOTEPAD.EXE 2604 RegQueryValue HKLM\System\CurrentControlSet\Control\Notifications\418A073AA3BC8075 BUFFER TOO SMALL Length: 0 10:27:55,2084865 NOTEPAD.EXE 2604 RegQueryValue HKLM\System\CurrentControlSet\Control\Notifications\418A073AA3BC8075 SUCCESS Type: REG_BINARY, Length: 364, Data: 01 00 04 80 00 00 00 00 00 00 00 00 00 00 00 00 10:27:55,2112883 NOTEPAD.EXE 2604 RegQueryValue HKLM\System\CurrentControlSet\Control\Notifications\418A073AA3BC8075 BUFFER TOO SMALL Length: 0 10:27:55,2116870 NOTEPAD.EXE 2604 RegQueryValue HKLM\System\CurrentControlSet\Control\Notifications\418A073AA3BC8075 SUCCESS Type: REG_BINARY, Length: 364, Data: 01 00 04 80 00 00 00 00 00 00 00 00 00 00 00 00 10:27:55,2122053 NOTEPAD.EXE 2604 RegQueryKey HKLM SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,2124155 NOTEPAD.EXE 2604 RegOpenKey HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows SUCCESS Desired Access: Read 10:27:55,2127888 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\IsVailContainer NAME NOT FOUND Length: 16 10:27:55,2129820 NOTEPAD.EXE 2604 RegCloseKey HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows SUCCESS 10:27:55,2131396 NOTEPAD.EXE 2604 RegQueryKey HKLM SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,2134284 NOTEPAD.EXE 2604 RegOpenKey HKLM\Software\Microsoft\Input SUCCESS Desired Access: Read 10:27:55,2135740 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Input\ResyncResetTime NAME NOT FOUND Length: 16 10:27:55,2137363 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Input\MaxResyncAttempts NAME NOT FOUND Length: 16 10:27:55,2138714 NOTEPAD.EXE 2604 RegCloseKey HKLM\SOFTWARE\Microsoft\Input SUCCESS 10:27:55,2143088 NOTEPAD.EXE 2604 RegQueryValue HKLM\System\CurrentControlSet\Control\Notifications\418A073AA3BC8075 BUFFER TOO SMALL Length: 0 10:27:55,2145759 NOTEPAD.EXE 2604 RegQueryValue HKLM\System\CurrentControlSet\Control\Notifications\418A073AA3BC8075 SUCCESS Type: REG_BINARY, Length: 364, Data: 01 00 04 80 00 00 00 00 00 00 00 00 00 00 00 00 10:27:55,2151048 NOTEPAD.EXE 2604 RegQueryValue HKLM\System\CurrentControlSet\Control\Notifications\418A073AA3BC8075 BUFFER TOO SMALL Length: 0 10:27:55,2153069 NOTEPAD.EXE 2604 RegQueryValue HKLM\System\CurrentControlSet\Control\Notifications\418A073AA3BC8075 SUCCESS Type: REG_BINARY, Length: 364, Data: 01 00 04 80 00 00 00 00 00 00 00 00 00 00 00 00 10:27:55,2157599 NOTEPAD.EXE 2604 RegQueryValue HKLM\System\CurrentControlSet\Control\Notifications\418A073AA3BC8075 BUFFER TOO SMALL Length: 0 10:27:55,2159771 NOTEPAD.EXE 2604 RegQueryValue HKLM\System\CurrentControlSet\Control\Notifications\418A073AA3BC8075 SUCCESS Type: REG_BINARY, Length: 364, Data: 01 00 04 80 00 00 00 00 00 00 00 00 00 00 00 00 10:27:55,2170752 NOTEPAD.EXE 2604 CreateFile C:\Windows\SystemResources\USER32.dll.mun NAME NOT FOUND Desired Access: Read Data/List Directory, Synchronize, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, Delete, AllocationSize: n/a 10:27:55,2199597 NOTEPAD.EXE 2604 RegOpenKey HKCU SUCCESS Desired Access: Read 10:27:55,2200876 NOTEPAD.EXE 2604 RegQueryKey HKCU SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,2201800 NOTEPAD.EXE 2604 RegOpenKey HKCU\Software\Microsoft\CTF\DirectSwitchHotkeys SUCCESS Desired Access: Read 10:27:55,2202720 NOTEPAD.EXE 2604 RegCloseKey HKCU SUCCESS 10:27:55,2203323 NOTEPAD.EXE 2604 RegEnumKey HKCU\SOFTWARE\Microsoft\CTF\DirectSwitchHotkeys NO MORE ENTRIES Index: 0, Length: 288 10:27:55,2203937 NOTEPAD.EXE 2604 RegCloseKey HKCU\SOFTWARE\Microsoft\CTF\DirectSwitchHotkeys SUCCESS 10:27:55,2267274 NOTEPAD.EXE 2604 RegQueryValue HKLM\System\CurrentControlSet\Control\Notifications\418A073AA3BC8075 BUFFER TOO SMALL Length: 0 10:27:55,2268486 NOTEPAD.EXE 2604 RegQueryValue HKLM\System\CurrentControlSet\Control\Notifications\418A073AA3BC8075 SUCCESS Type: REG_BINARY, Length: 364, Data: 01 00 04 80 00 00 00 00 00 00 00 00 00 00 00 00 10:27:55,2273946 NOTEPAD.EXE 2604 CreateFile C:\Users SUCCESS Desired Access: Read Data/List Directory, Synchronize, Disposition: Open, Options: Directory, Synchronous IO Non-Alert, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened 10:27:55,2275351 NOTEPAD.EXE 2604 QueryDirectory C:\Users\Angelo SUCCESS FileInformationClass: FileBothDirectoryInformation, Filter: Angelo, 2: Angelo 10:27:55,2276277 NOTEPAD.EXE 2604 CloseFile C:\Users SUCCESS 10:27:55,2281701 NOTEPAD.EXE 2604 CreateFile C:\Users\Angelo SUCCESS Desired Access: Generic Read, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: N, ShareMode: Read, Write, AllocationSize: n/a, OpenResult: Opened 10:27:55,2284437 NOTEPAD.EXE 2604 ReadFile C:\Windows\System32\notepad.exe SUCCESS Offset: 58.368, Length: 4.096, I/O Flags: Non-cached, Paging I/O, Synchronous Paging I/O, Priority: Normal 10:27:55,2312555 NOTEPAD.EXE 2604 ReadFile C:\Windows\System32\notepad.exe SUCCESS Offset: 58.368, Length: 32.768, I/O Flags: Non-cached, Paging I/O, Synchronous Paging I/O, Priority: Normal 10:27:55,2368607 NOTEPAD.EXE 2604 QueryInformationVolume C:\Users\Angelo SUCCESS VolumeCreationTime: 30/07/2015 01:37:21, VolumeSerialNumber: 326D-4F07, SupportsObjects: True, VolumeLabel: 10:27:55,2369046 NOTEPAD.EXE 2604 QueryAllInformationFile C:\Users\Angelo BUFFER OVERFLOW CreationTime: 13/10/2018 12:25:41, LastAccessTime: 09/08/2023 10:13:18, LastWriteTime: 13/10/2018 12:25:54, ChangeTime: 17/08/2020 17:33:43, FileAttributes: A, AllocationSize: 4.096, EndOfFile: 660 10:27:55,2375963 NOTEPAD.EXE 2604 CreateFile C:\Windows\System32\urlmon.dll SUCCESS Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened 10:27:55,2377576 NOTEPAD.EXE 2604 QueryBasicInformationFile C:\Windows\System32\urlmon.dll SUCCESS CreationTime: 09/08/2023 09:59:10, LastAccessTime: 09/08/2023 10:27:54, LastWriteTime: 09/08/2023 09:59:10, ChangeTime: 09/08/2023 10:13:12, FileAttributes: A 10:27:55,2378269 NOTEPAD.EXE 2604 CloseFile C:\Windows\System32\urlmon.dll SUCCESS 10:27:55,2384517 NOTEPAD.EXE 2604 CreateFile C:\Windows\System32\urlmon.dll SUCCESS Desired Access: Read Data/List Directory, Execute/Traverse, Synchronize, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, Delete, AllocationSize: n/a, OpenResult: Opened 10:27:55,2387435 NOTEPAD.EXE 2604 CreateFileMapping C:\Windows\System32\urlmon.dll FILE LOCKED WITH ONLY READERS SyncType: SyncTypeCreateSection, PageProtection: PAGE_EXECUTE_WRITECOPY|PAGE_NOCACHE 10:27:55,2388420 NOTEPAD.EXE 2604 CreateFileMapping C:\Windows\System32\urlmon.dll SUCCESS SyncType: SyncTypeOther 10:27:55,2395005 NOTEPAD.EXE 2604 Load Image C:\Windows\System32\urlmon.dll SUCCESS Image Base: 0x7ffb58ed0000, Image Size: 0x1ed000 10:27:55,2399645 NOTEPAD.EXE 2604 CloseFile C:\Windows\System32\urlmon.dll SUCCESS 10:27:55,2409967 NOTEPAD.EXE 2604 CreateFile C:\Windows\System32\srvcli.dll SUCCESS Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened 10:27:55,2410036 NOTEPAD.EXE 2604 CreateFile C:\Windows\System32\iertutil.dll SUCCESS Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened 10:27:55,2411174 NOTEPAD.EXE 2604 QueryBasicInformationFile C:\Windows\System32\srvcli.dll SUCCESS CreationTime: 13/07/2023 09:42:50, LastAccessTime: 09/08/2023 10:27:54, LastWriteTime: 13/07/2023 09:42:50, ChangeTime: 09/08/2023 10:11:01, FileAttributes: A 10:27:55,2411566 NOTEPAD.EXE 2604 CreateFile C:\Windows\System32\netutils.dll SUCCESS Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened 10:27:55,2412015 NOTEPAD.EXE 2604 CloseFile C:\Windows\System32\srvcli.dll SUCCESS 10:27:55,2412604 NOTEPAD.EXE 2604 QueryBasicInformationFile C:\Windows\System32\iertutil.dll SUCCESS CreationTime: 09/08/2023 09:59:10, LastAccessTime: 09/08/2023 10:27:54, LastWriteTime: 09/08/2023 09:59:11, ChangeTime: 09/08/2023 10:13:12, FileAttributes: A 10:27:55,2412956 NOTEPAD.EXE 2604 QueryBasicInformationFile C:\Windows\System32\netutils.dll SUCCESS CreationTime: 14/10/2020 11:25:32, LastAccessTime: 09/08/2023 10:27:54, LastWriteTime: 14/10/2020 11:25:32, ChangeTime: 09/08/2023 10:12:24, FileAttributes: A 10:27:55,2413095 NOTEPAD.EXE 2604 CloseFile C:\Windows\System32\iertutil.dll SUCCESS 10:27:55,2413390 NOTEPAD.EXE 2604 CloseFile C:\Windows\System32\netutils.dll SUCCESS 10:27:55,2417102 NOTEPAD.EXE 2604 CreateFile C:\Windows\System32\srvcli.dll SUCCESS Desired Access: Read Data/List Directory, Execute/Traverse, Synchronize, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, Delete, AllocationSize: n/a, OpenResult: Opened 10:27:55,2417990 NOTEPAD.EXE 2604 CreateFile C:\Windows\System32\netutils.dll SUCCESS Desired Access: Read Data/List Directory, Execute/Traverse, Synchronize, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, Delete, AllocationSize: n/a, OpenResult: Opened 10:27:55,2418466 NOTEPAD.EXE 2604 CreateFile C:\Windows\System32\iertutil.dll SUCCESS Desired Access: Read Data/List Directory, Execute/Traverse, Synchronize, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, Delete, AllocationSize: n/a, OpenResult: Opened 10:27:55,2418590 NOTEPAD.EXE 2604 CreateFileMapping C:\Windows\System32\srvcli.dll FILE LOCKED WITH ONLY READERS SyncType: SyncTypeCreateSection, PageProtection: PAGE_EXECUTE_WRITECOPY|PAGE_NOCACHE 10:27:55,2419471 NOTEPAD.EXE 2604 CreateFileMapping C:\Windows\System32\srvcli.dll SUCCESS SyncType: SyncTypeOther 10:27:55,2419522 NOTEPAD.EXE 2604 CreateFileMapping C:\Windows\System32\netutils.dll FILE LOCKED WITH ONLY READERS SyncType: SyncTypeCreateSection, PageProtection: PAGE_EXECUTE_WRITECOPY|PAGE_NOCACHE 10:27:55,2419998 NOTEPAD.EXE 2604 CreateFileMapping C:\Windows\System32\iertutil.dll FILE LOCKED WITH ONLY READERS SyncType: SyncTypeCreateSection, PageProtection: PAGE_EXECUTE_WRITECOPY|PAGE_NOCACHE 10:27:55,2420412 NOTEPAD.EXE 2604 CreateFileMapping C:\Windows\System32\netutils.dll SUCCESS SyncType: SyncTypeOther 10:27:55,2420875 NOTEPAD.EXE 2604 CreateFileMapping C:\Windows\System32\iertutil.dll SUCCESS SyncType: SyncTypeOther 10:27:55,2428830 NOTEPAD.EXE 2604 Load Image C:\Windows\System32\srvcli.dll SUCCESS Image Base: 0x7ffb58d40000, Image Size: 0x29000 10:27:55,2429789 NOTEPAD.EXE 2604 Load Image C:\Windows\System32\iertutil.dll SUCCESS Image Base: 0x7ffb5ac30000, Image Size: 0x2bc000 10:27:55,2430334 NOTEPAD.EXE 2604 Load Image C:\Windows\System32\netutils.dll SUCCESS Image Base: 0x7ffb62770000, Image Size: 0xc000 10:27:55,2431240 NOTEPAD.EXE 2604 CloseFile C:\Windows\System32\srvcli.dll SUCCESS 10:27:55,2432706 NOTEPAD.EXE 2604 CloseFile C:\Windows\System32\netutils.dll SUCCESS 10:27:55,2433482 NOTEPAD.EXE 2604 CloseFile C:\Windows\System32\iertutil.dll SUCCESS 10:27:55,2440595 NOTEPAD.EXE 2604 RegQueryValue HKLM\System\CurrentControlSet\Control\WMI\Security\0bca4784-8257-51a0-d9ec-24fe1fe4c90d NAME NOT FOUND Length: 528 10:27:55,2442494 NOTEPAD.EXE 2604 QueryNameInformationFile C:\Windows\System32\iertutil.dll SUCCESS Name: \Windows\System32\iertutil.dll 10:27:55,2444251 NOTEPAD.EXE 2604 RegQueryKey HKLM SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,2444657 NOTEPAD.EXE 2604 RegOpenKey HKLM\System\CurrentControlSet\Services\LanmanWorkstation\Parameters REPARSE Desired Access: Query Value 10:27:55,2445127 NOTEPAD.EXE 2604 RegOpenKey HKLM\System\CurrentControlSet\Services\LanmanWorkstation\Parameters SUCCESS Desired Access: Query Value 10:27:55,2446785 NOTEPAD.EXE 2604 RegQueryValue HKLM\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\RpcCacheTimeout NAME NOT FOUND Length: 16 10:27:55,2447203 NOTEPAD.EXE 2604 RegCloseKey HKLM\System\CurrentControlSet\Services\LanmanWorkstation\Parameters SUCCESS 10:27:55,2450570 NOTEPAD.EXE 2604 QueryNameInformationFile C:\Windows\System32\urlmon.dll SUCCESS Name: \Windows\System32\urlmon.dll 10:27:55,2452983 NOTEPAD.EXE 2604 RegQueryValue HKLM\System\CurrentControlSet\Control\WMI\Security\ff32ada1-5a4b-583c-889e-a3c027b201f5 NAME NOT FOUND Length: 528 10:27:55,2454531 NOTEPAD.EXE 2604 QueryNameInformationFile C:\Windows\System32\urlmon.dll SUCCESS Name: \Windows\System32\urlmon.dll 10:27:55,2462330 NOTEPAD.EXE 2604 CreateFile C:\Windows\System32 SUCCESS Desired Access: Synchronize, Disposition: Open, Options: Directory, Synchronous IO Non-Alert, Open For Free Space Query, Attributes: n/a, ShareMode: None, AllocationSize: n/a, OpenResult: Opened 10:27:55,2542510 NOTEPAD.EXE 2604 QuerySizeInformationVolume C:\Windows\System32 SUCCESS TotalAllocationUnits: 29.041.610, AvailableAllocationUnits: 612.262, SectorsPerAllocationUnit: 8, BytesPerSector: 512 10:27:55,2543014 NOTEPAD.EXE 2604 CloseFile C:\Windows\System32 SUCCESS 10:27:55,2547376 NOTEPAD.EXE 2604 CreateFile C:\Windows SUCCESS Desired Access: Synchronize, Disposition: Open, Options: Directory, Synchronous IO Non-Alert, Open For Free Space Query, Attributes: n/a, ShareMode: None, AllocationSize: n/a, OpenResult: Opened 10:27:55,2548461 NOTEPAD.EXE 2604 QuerySizeInformationVolume C:\Windows SUCCESS TotalAllocationUnits: 29.041.610, AvailableAllocationUnits: 612.262, SectorsPerAllocationUnit: 8, BytesPerSector: 512 10:27:55,2548874 NOTEPAD.EXE 2604 CloseFile C:\Windows SUCCESS 10:27:55,2551280 NOTEPAD.EXE 2604 RegQueryKey HKCU SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,2551704 NOTEPAD.EXE 2604 RegOpenKey HKCU\Software\Microsoft\Internet Explorer\Main SUCCESS Desired Access: Read 10:27:55,2552309 NOTEPAD.EXE 2604 RegQueryValue HKCU\SOFTWARE\Microsoft\Internet Explorer\Main\FrameTabWindow NAME NOT FOUND Length: 144 10:27:55,2552869 NOTEPAD.EXE 2604 RegQueryKey HKLM SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,2553218 NOTEPAD.EXE 2604 RegOpenKey HKLM\Software\Microsoft\Internet Explorer\Main SUCCESS Desired Access: Read 10:27:55,2553772 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\FrameTabWindow NAME NOT FOUND Length: 144 10:27:55,2554557 NOTEPAD.EXE 2604 RegQueryValue HKCU\SOFTWARE\Microsoft\Internet Explorer\Main\FrameMerging NAME NOT FOUND Length: 144 10:27:55,2555042 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\FrameMerging NAME NOT FOUND Length: 144 10:27:55,2555732 NOTEPAD.EXE 2604 RegQueryValue HKCU\SOFTWARE\Microsoft\Internet Explorer\Main\SessionMerging NAME NOT FOUND Length: 144 10:27:55,2556617 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\SessionMerging NAME NOT FOUND Length: 144 10:27:55,2557472 NOTEPAD.EXE 2604 RegQueryValue HKCU\SOFTWARE\Microsoft\Internet Explorer\Main\AdminTabProcs NAME NOT FOUND Length: 144 10:27:55,2557976 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\AdminTabProcs NAME NOT FOUND Length: 144 10:27:55,2559048 NOTEPAD.EXE 2604 RegQueryKey HKCU SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,2559399 NOTEPAD.EXE 2604 RegOpenKey HKCU\Software\Microsoft\Internet Explorer\Security SUCCESS Desired Access: Read 10:27:55,2559877 NOTEPAD.EXE 2604 RegQueryValue HKCU\SOFTWARE\Microsoft\Internet Explorer\Security\RunBinaryControlHostProcessInSeparateAppContainer NAME NOT FOUND Length: 144 10:27:55,2560289 NOTEPAD.EXE 2604 RegQueryKey HKLM SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,2560630 NOTEPAD.EXE 2604 RegOpenKey HKLM\Software\Microsoft\Internet Explorer\Security SUCCESS Desired Access: Read 10:27:55,2561077 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Internet Explorer\Security\RunBinaryControlHostProcessInSeparateAppContainer NAME NOT FOUND Length: 144 10:27:55,2561623 NOTEPAD.EXE 2604 RegQueryKey HKLM SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,2562004 NOTEPAD.EXE 2604 RegOpenKey HKLM\Software\Policies\Microsoft\Internet Explorer\Main NAME NOT FOUND Desired Access: Read 10:27:55,2562419 NOTEPAD.EXE 2604 RegQueryKey HKLM BUFFER TOO SMALL Query: Name, Length: 0 10:27:55,2562776 NOTEPAD.EXE 2604 RegQueryKey HKLM SUCCESS Query: Name 10:27:55,2563235 NOTEPAD.EXE 2604 RegOpenKey HKLM\SOFTWARE\Microsoft\AppModel\Lookaside\machine\Software\Policies\Microsoft\Internet Explorer\Main NAME NOT FOUND Desired Access: Read 10:27:55,2563953 NOTEPAD.EXE 2604 RegQueryKey HKCU SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,2564314 NOTEPAD.EXE 2604 RegOpenKey HKCU\Software\Policies\Microsoft\Internet Explorer\Main NAME NOT FOUND Desired Access: Read 10:27:55,2564709 NOTEPAD.EXE 2604 RegQueryKey HKCU BUFFER TOO SMALL Query: Name, Length: 0 10:27:55,2565081 NOTEPAD.EXE 2604 RegQueryKey HKCU SUCCESS Query: Name 10:27:55,2565644 NOTEPAD.EXE 2604 RegOpenKey HKLM\SOFTWARE\Microsoft\AppModel\Lookaside\user\Software\Policies\Microsoft\Internet Explorer\Main NAME NOT FOUND Desired Access: Read 10:27:55,2566111 NOTEPAD.EXE 2604 RegQueryValue HKCU\SOFTWARE\Microsoft\Internet Explorer\Main\TabProcGrowth NAME NOT FOUND Length: 144 10:27:55,2566514 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\TabProcGrowth NAME NOT FOUND Length: 144 10:27:55,2567164 NOTEPAD.EXE 2604 RegQueryValue HKCU\SOFTWARE\Microsoft\Internet Explorer\Main\TabProcGrowth NAME NOT FOUND Length: 16 10:27:55,2567599 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\TabProcGrowth NAME NOT FOUND Length: 16 10:27:55,2568297 NOTEPAD.EXE 2604 RegQueryKey HKLM SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,2568638 NOTEPAD.EXE 2604 RegOpenKey HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings SUCCESS Desired Access: Read 10:27:55,2569100 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\CreateUriCacheSize NAME NOT FOUND Length: 16 10:27:55,2569465 NOTEPAD.EXE 2604 RegQueryKey HKCU SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,2569783 NOTEPAD.EXE 2604 RegOpenKey HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings SUCCESS Desired Access: Read 10:27:55,2570209 NOTEPAD.EXE 2604 RegQueryValue HKCU\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\CreateUriCacheSize NAME NOT FOUND Length: 16 10:27:55,2570559 NOTEPAD.EXE 2604 RegQueryKey HKCU SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,2570893 NOTEPAD.EXE 2604 RegOpenKey HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings SUCCESS Desired Access: Read 10:27:55,2571301 NOTEPAD.EXE 2604 RegQueryValue HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\CreateUriCacheSize NAME NOT FOUND Length: 16 10:27:55,2571704 NOTEPAD.EXE 2604 RegQueryKey HKLM SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,2572029 NOTEPAD.EXE 2604 RegOpenKey HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings SUCCESS Desired Access: Read 10:27:55,2572463 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\CreateUriCacheSize NAME NOT FOUND Length: 16 10:27:55,2573176 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\EnablePunycode NAME NOT FOUND Length: 16 10:27:55,2573538 NOTEPAD.EXE 2604 RegQueryValue HKCU\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\EnablePunycode NAME NOT FOUND Length: 16 10:27:55,2573902 NOTEPAD.EXE 2604 RegQueryValue HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\EnablePunycode NAME NOT FOUND Length: 16 10:27:55,2574308 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\EnablePunycode SUCCESS Type: REG_DWORD, Length: 4, Data: 1 10:27:55,2574961 NOTEPAD.EXE 2604 RegQueryKey HKLM SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,2575505 NOTEPAD.EXE 2604 RegOpenKey HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings SUCCESS Desired Access: Query Value 10:27:55,2575996 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Security_HKLM_only NAME NOT FOUND Length: 16 10:27:55,2576378 NOTEPAD.EXE 2604 RegCloseKey HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings SUCCESS 10:27:55,2576807 NOTEPAD.EXE 2604 RegQueryKey HKLM SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,2577170 NOTEPAD.EXE 2604 RegOpenKey HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl NAME NOT FOUND Desired Access: Query Value 10:27:55,2577642 NOTEPAD.EXE 2604 RegQueryKey HKLM BUFFER TOO SMALL Query: Name, Length: 0 10:27:55,2578029 NOTEPAD.EXE 2604 RegQueryKey HKLM SUCCESS Query: Name 10:27:55,2578647 NOTEPAD.EXE 2604 RegOpenKey HKLM\SOFTWARE\Microsoft\AppModel\Lookaside\machine\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl NAME NOT FOUND Desired Access: Read 10:27:55,2579216 NOTEPAD.EXE 2604 RegQueryKey HKCU SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,2579581 NOTEPAD.EXE 2604 RegOpenKey HKCU\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl NAME NOT FOUND Desired Access: Query Value 10:27:55,2579965 NOTEPAD.EXE 2604 RegQueryKey HKCU BUFFER TOO SMALL Query: Name, Length: 0 10:27:55,2580370 NOTEPAD.EXE 2604 RegQueryKey HKCU SUCCESS Query: Name 10:27:55,2581020 NOTEPAD.EXE 2604 RegOpenKey HKLM\SOFTWARE\Microsoft\AppModel\Lookaside\user\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl NAME NOT FOUND Desired Access: Read 10:27:55,2581496 NOTEPAD.EXE 2604 RegQueryKey HKLM SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,2581851 NOTEPAD.EXE 2604 RegOpenKey HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl SUCCESS Desired Access: Query Value 10:27:55,2582297 NOTEPAD.EXE 2604 RegQueryKey HKCU SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,2582649 NOTEPAD.EXE 2604 RegOpenKey HKCU\Software\Microsoft\Internet Explorer\Main\FeatureControl SUCCESS Desired Access: Query Value 10:27:55,2583398 NOTEPAD.EXE 2604 RegQueryKey HKCU\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,2583754 NOTEPAD.EXE 2604 RegOpenKey HKCU\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ALLOW_REVERSE_SOLIDUS_IN_USERINFO_KB932562 NAME NOT FOUND Desired Access: Query Value 10:27:55,2584130 NOTEPAD.EXE 2604 RegQueryKey HKCU\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl BUFFER TOO SMALL Query: Name, Length: 0 10:27:55,2584527 NOTEPAD.EXE 2604 RegQueryKey HKCU\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl SUCCESS Query: Name 10:27:55,2585164 NOTEPAD.EXE 2604 RegOpenKey HKLM\SOFTWARE\Microsoft\AppModel\Lookaside\user\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ALLOW_REVERSE_SOLIDUS_IN_USERINFO_KB932562 NAME NOT FOUND Desired Access: Read 10:27:55,2585643 NOTEPAD.EXE 2604 RegQueryKey HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,2586006 NOTEPAD.EXE 2604 RegOpenKey HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ALLOW_REVERSE_SOLIDUS_IN_USERINFO_KB932562 NAME NOT FOUND Desired Access: Query Value 10:27:55,2586388 NOTEPAD.EXE 2604 RegQueryKey HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl BUFFER TOO SMALL Query: Name, Length: 0 10:27:55,2587581 NOTEPAD.EXE 2604 RegQueryKey HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl SUCCESS Query: Name 10:27:55,2588103 NOTEPAD.EXE 2604 RegOpenKey HKLM\SOFTWARE\Microsoft\AppModel\Lookaside\machine\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ALLOW_REVERSE_SOLIDUS_IN_USERINFO_KB932562 NAME NOT FOUND Desired Access: Read 10:27:55,2589590 NOTEPAD.EXE 2604 RegQueryKey HKCU\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,2589987 NOTEPAD.EXE 2604 RegOpenKey HKCU\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_USE_IETLDLIST_FOR_DOMAIN_DETERMINATION NAME NOT FOUND Desired Access: Query Value 10:27:55,2590379 NOTEPAD.EXE 2604 RegQueryKey HKCU\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl BUFFER TOO SMALL Query: Name, Length: 0 10:27:55,2590745 NOTEPAD.EXE 2604 RegQueryKey HKCU\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl SUCCESS Query: Name 10:27:55,2591845 NOTEPAD.EXE 2604 RegOpenKey HKLM\SOFTWARE\Microsoft\AppModel\Lookaside\user\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_USE_IETLDLIST_FOR_DOMAIN_DETERMINATION NAME NOT FOUND Desired Access: Read 10:27:55,2592348 NOTEPAD.EXE 2604 RegQueryKey HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,2592746 NOTEPAD.EXE 2604 RegOpenKey HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_USE_IETLDLIST_FOR_DOMAIN_DETERMINATION NAME NOT FOUND Desired Access: Query Value 10:27:55,2593239 NOTEPAD.EXE 2604 RegQueryKey HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl BUFFER TOO SMALL Query: Name, Length: 0 10:27:55,2593674 NOTEPAD.EXE 2604 RegQueryKey HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl SUCCESS Query: Name 10:27:55,2594176 NOTEPAD.EXE 2604 RegOpenKey HKLM\SOFTWARE\Microsoft\AppModel\Lookaside\machine\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_USE_IETLDLIST_FOR_DOMAIN_DETERMINATION NAME NOT FOUND Desired Access: Read 10:27:55,2595101 NOTEPAD.EXE 2604 RegQueryKey HKCU\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,2595439 NOTEPAD.EXE 2604 RegOpenKey HKCU\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_URI_DISABLECACHE NAME NOT FOUND Desired Access: Query Value 10:27:55,2595893 NOTEPAD.EXE 2604 RegQueryKey HKCU\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl BUFFER TOO SMALL Query: Name, Length: 0 10:27:55,2596325 NOTEPAD.EXE 2604 RegQueryKey HKCU\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl SUCCESS Query: Name 10:27:55,2596851 NOTEPAD.EXE 2604 RegOpenKey HKLM\SOFTWARE\Microsoft\AppModel\Lookaside\user\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_URI_DISABLECACHE NAME NOT FOUND Desired Access: Read 10:27:55,2597336 NOTEPAD.EXE 2604 RegQueryKey HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,2597733 NOTEPAD.EXE 2604 RegOpenKey HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_URI_DISABLECACHE NAME NOT FOUND Desired Access: Query Value 10:27:55,2598125 NOTEPAD.EXE 2604 RegQueryKey HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl BUFFER TOO SMALL Query: Name, Length: 0 10:27:55,2598709 NOTEPAD.EXE 2604 RegQueryKey HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl SUCCESS Query: Name 10:27:55,2599165 NOTEPAD.EXE 2604 RegOpenKey HKLM\SOFTWARE\Microsoft\AppModel\Lookaside\machine\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_URI_DISABLECACHE NAME NOT FOUND Desired Access: Read 10:27:55,2601706 NOTEPAD.EXE 2604 CreateFileMapping C:\Users\Angelo FILE LOCKED WITH ONLY READERS SyncType: SyncTypeCreateSection, PageProtection: PAGE_EXECUTE_WRITECOPY|PAGE_NOCACHE 10:27:55,2602371 NOTEPAD.EXE 2604 QueryStandardInformationFile C:\Users\Angelo SUCCESS AllocationSize: 4.096, EndOfFile: 660, NumberOfLinks: 1, DeletePending: False, Directory: False 10:27:55,2603157 NOTEPAD.EXE 2604 CreateFileMapping C:\Users\Angelo SUCCESS SyncType: SyncTypeOther 10:27:55,2604127 NOTEPAD.EXE 2604 CloseFile C:\Users\Angelo SUCCESS 10:27:55,2604869 NOTEPAD.EXE 2604 ReadFile C:\Users\Angelo SUCCESS Offset: 0, Length: 660, I/O Flags: Non-cached, Paging I/O, Synchronous Paging I/O, Priority: Normal 10:27:55,2676487 NOTEPAD.EXE 2604 CreateFile C:\Users SUCCESS Desired Access: Read Data/List Directory, Synchronize, Disposition: Open, Options: Directory, Synchronous IO Non-Alert, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened 10:27:55,2678196 NOTEPAD.EXE 2604 QueryDirectory C:\Users\Angelo SUCCESS FileInformationClass: FileBothDirectoryInformation, Filter: Angelo, 2: Angelo 10:27:55,2685625 NOTEPAD.EXE 2604 Load Image C:\Windows\System32\comdlg32.dll SUCCESS Image Base: 0x7ffb64cb0000, Image Size: 0xda000 10:27:55,2703631 NOTEPAD.EXE 2604 Load Image C:\Windows\System32\ole32.dll SUCCESS Image Base: 0x7ffb63d70000, Image Size: 0x12a000 10:27:55,2711797 NOTEPAD.EXE 2604 RegQueryKey HKLM SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,2712454 NOTEPAD.EXE 2604 RegOpenKey HKLM\Software\Microsoft\OLE\Tracing NAME NOT FOUND Desired Access: Read 10:27:55,2712951 NOTEPAD.EXE 2604 RegQueryKey HKLM BUFFER TOO SMALL Query: Name, Length: 0 10:27:55,2713405 NOTEPAD.EXE 2604 RegQueryKey HKLM SUCCESS Query: Name 10:27:55,2713935 NOTEPAD.EXE 2604 RegOpenKey HKLM\SOFTWARE\Microsoft\AppModel\Lookaside\machine\Software\Microsoft\OLE\Tracing NAME NOT FOUND Desired Access: Read 10:27:55,2716797 NOTEPAD.EXE 2604 RegQueryValue HKLM\System\CurrentControlSet\Control\WMI\Security\1aff6089-e863-4d36-bdfd-3581f07440be NAME NOT FOUND Length: 528 10:27:55,2719145 NOTEPAD.EXE 2604 QueryNameInformationFile C:\Windows\System32\ole32.dll SUCCESS Name: \Windows\System32\ole32.dll 10:27:55,2720796 NOTEPAD.EXE 2604 RegQueryValue HKLM\System\CurrentControlSet\Control\WMI\Security\f0558438-f56a-5987-47da-040ca75aef05 NAME NOT FOUND Length: 528 10:27:55,2722856 NOTEPAD.EXE 2604 QueryNameInformationFile C:\Windows\System32\ole32.dll SUCCESS Name: \Windows\System32\ole32.dll 10:27:55,2726926 NOTEPAD.EXE 2604 RegQueryKey HKLM SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,2727367 NOTEPAD.EXE 2604 RegOpenKey HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer SUCCESS Desired Access: Query Value 10:27:55,2728028 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPropertiesMyComputer NAME NOT FOUND Length: 16 10:27:55,2728538 NOTEPAD.EXE 2604 RegCloseKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer SUCCESS 10:27:55,2729007 NOTEPAD.EXE 2604 RegQueryKey HKCU SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,2729474 NOTEPAD.EXE 2604 RegOpenKey HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer NAME NOT FOUND Desired Access: Query Value 10:27:55,2730057 NOTEPAD.EXE 2604 RegQueryKey HKCU BUFFER TOO SMALL Query: Name, Length: 0 10:27:55,2730701 NOTEPAD.EXE 2604 RegQueryKey HKCU SUCCESS Query: Name 10:27:55,2731615 NOTEPAD.EXE 2604 RegOpenKey HKLM\SOFTWARE\Microsoft\AppModel\Lookaside\user\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer NAME NOT FOUND Desired Access: Read 10:27:55,2732350 NOTEPAD.EXE 2604 RegQueryKey HKLM SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,2732903 NOTEPAD.EXE 2604 RegOpenKey HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer SUCCESS Desired Access: Query Value 10:27:55,2733422 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPropertiesRecycleBin NAME NOT FOUND Length: 16 10:27:55,2733961 NOTEPAD.EXE 2604 RegCloseKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer SUCCESS 10:27:55,2734579 NOTEPAD.EXE 2604 RegQueryKey HKCU SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,2735062 NOTEPAD.EXE 2604 RegOpenKey HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer NAME NOT FOUND Desired Access: Query Value 10:27:55,2735610 NOTEPAD.EXE 2604 RegQueryKey HKCU BUFFER TOO SMALL Query: Name, Length: 0 10:27:55,2736004 NOTEPAD.EXE 2604 RegQueryKey HKCU SUCCESS Query: Name 10:27:55,2736720 NOTEPAD.EXE 2604 RegOpenKey HKLM\SOFTWARE\Microsoft\AppModel\Lookaside\user\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer NAME NOT FOUND Desired Access: Read 10:27:55,2737411 NOTEPAD.EXE 2604 RegQueryKey HKLM SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,2737859 NOTEPAD.EXE 2604 RegOpenKey HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer SUCCESS Desired Access: Query Value 10:27:55,2738658 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel NAME NOT FOUND Length: 16 10:27:55,2739193 NOTEPAD.EXE 2604 RegCloseKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer SUCCESS 10:27:55,2739681 NOTEPAD.EXE 2604 RegQueryKey HKCU SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,2740105 NOTEPAD.EXE 2604 RegOpenKey HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer NAME NOT FOUND Desired Access: Query Value 10:27:55,2740575 NOTEPAD.EXE 2604 RegQueryKey HKCU BUFFER TOO SMALL Query: Name, Length: 0 10:27:55,2741067 NOTEPAD.EXE 2604 RegQueryKey HKCU SUCCESS Query: Name 10:27:55,2741691 NOTEPAD.EXE 2604 RegOpenKey HKLM\SOFTWARE\Microsoft\AppModel\Lookaside\user\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer NAME NOT FOUND Desired Access: Read 10:27:55,2742437 NOTEPAD.EXE 2604 RegQueryKey HKLM SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,2742878 NOTEPAD.EXE 2604 RegOpenKey HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer SUCCESS Desired Access: Query Value 10:27:55,2743419 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetFolders NAME NOT FOUND Length: 16 10:27:55,2743852 NOTEPAD.EXE 2604 RegCloseKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer SUCCESS 10:27:55,2744218 NOTEPAD.EXE 2604 RegQueryKey HKCU SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,2744599 NOTEPAD.EXE 2604 RegOpenKey HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer NAME NOT FOUND Desired Access: Query Value 10:27:55,2745068 NOTEPAD.EXE 2604 RegQueryKey HKCU BUFFER TOO SMALL Query: Name, Length: 0 10:27:55,2745462 NOTEPAD.EXE 2604 RegQueryKey HKCU SUCCESS Query: Name 10:27:55,2745982 NOTEPAD.EXE 2604 RegOpenKey HKLM\SOFTWARE\Microsoft\AppModel\Lookaside\user\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer NAME NOT FOUND Desired Access: Read 10:27:55,2746558 NOTEPAD.EXE 2604 RegQueryKey HKLM SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,2747117 NOTEPAD.EXE 2604 RegOpenKey HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer SUCCESS Desired Access: Query Value 10:27:55,2747698 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoInternetIcon NAME NOT FOUND Length: 16 10:27:55,2748087 NOTEPAD.EXE 2604 RegCloseKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer SUCCESS 10:27:55,2748444 NOTEPAD.EXE 2604 RegQueryKey HKCU SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,2748855 NOTEPAD.EXE 2604 RegOpenKey HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer NAME NOT FOUND Desired Access: Query Value 10:27:55,2749315 NOTEPAD.EXE 2604 RegQueryKey HKCU BUFFER TOO SMALL Query: Name, Length: 0 10:27:55,2749703 NOTEPAD.EXE 2604 RegQueryKey HKCU SUCCESS Query: Name 10:27:55,2750198 NOTEPAD.EXE 2604 RegOpenKey HKLM\SOFTWARE\Microsoft\AppModel\Lookaside\user\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer NAME NOT FOUND Desired Access: Read 10:27:55,2750967 NOTEPAD.EXE 2604 RegQueryKey HKLM SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,2751682 NOTEPAD.EXE 2604 RegOpenKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Applications\NOTEPAD.EXE NAME NOT FOUND Desired Access: Query Value, Enumerate Sub Keys 10:27:55,2752230 NOTEPAD.EXE 2604 RegQueryKey HKLM BUFFER TOO SMALL Query: Name, Length: 0 10:27:55,2752605 NOTEPAD.EXE 2604 RegQueryKey HKLM SUCCESS Query: Name 10:27:55,2753312 NOTEPAD.EXE 2604 RegOpenKey HKLM\SOFTWARE\Microsoft\AppModel\Lookaside\machine\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Applications\NOTEPAD.EXE NAME NOT FOUND Desired Access: Read 10:27:55,2754589 NOTEPAD.EXE 2604 RegQueryKey HKLM SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,2756121 NOTEPAD.EXE 2604 RegOpenKey HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace SUCCESS Desired Access: Query Value 10:27:55,2756638 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\ValidateRegItems NAME NOT FOUND Length: 16 10:27:55,2757091 NOTEPAD.EXE 2604 RegCloseKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace SUCCESS 10:27:55,2757523 NOTEPAD.EXE 2604 RegQueryKey HKLM SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,2757889 NOTEPAD.EXE 2604 RegOpenKey HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace SUCCESS Desired Access: Query Value 10:27:55,2758345 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\MonitorRegistry SUCCESS Type: REG_DWORD, Length: 4, Data: 1 10:27:55,2758767 NOTEPAD.EXE 2604 RegCloseKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace SUCCESS 10:27:55,2760875 NOTEPAD.EXE 2604 QueryNameInformationFile C:\Windows\System32\notepad.exe SUCCESS Name: \Windows\System32\notepad.exe 10:27:55,2762885 NOTEPAD.EXE 2604 RegQueryKey HKLM SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,2763279 NOTEPAD.EXE 2604 RegOpenKey HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer SUCCESS Desired Access: Query Value 10:27:55,2763808 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoCommonGroups NAME NOT FOUND Length: 16 10:27:55,2764250 NOTEPAD.EXE 2604 RegCloseKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer SUCCESS 10:27:55,2764717 NOTEPAD.EXE 2604 RegQueryKey HKCU SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,2765083 NOTEPAD.EXE 2604 RegOpenKey HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer NAME NOT FOUND Desired Access: Query Value 10:27:55,2765570 NOTEPAD.EXE 2604 RegQueryKey HKCU BUFFER TOO SMALL Query: Name, Length: 0 10:27:55,2765968 NOTEPAD.EXE 2604 RegQueryKey HKCU SUCCESS Query: Name 10:27:55,2766564 NOTEPAD.EXE 2604 RegOpenKey HKLM\SOFTWARE\Microsoft\AppModel\Lookaside\user\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer NAME NOT FOUND Desired Access: Read 10:27:55,2769919 NOTEPAD.EXE 2604 RegQueryKey HKCU\Software\Classes SUCCESS Query: Name 10:27:55,2770406 NOTEPAD.EXE 2604 RegQueryKey HKCU\Software\Classes SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,2770741 NOTEPAD.EXE 2604 RegQueryKey HKCU\Software\Classes SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,2771116 NOTEPAD.EXE 2604 RegOpenKey HKCU\Software\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder NAME NOT FOUND Desired Access: Query Value 10:27:55,2771621 NOTEPAD.EXE 2604 RegOpenKey HKCR\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder SUCCESS Desired Access: Query Value 10:27:55,2772991 NOTEPAD.EXE 2604 RegQueryKey HKCR\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder SUCCESS Query: Name 10:27:55,2773578 NOTEPAD.EXE 2604 RegQueryKey HKCR\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,2774271 NOTEPAD.EXE 2604 RegOpenKey HKCU\Software\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder NAME NOT FOUND Desired Access: Maximum Allowed 10:27:55,2774774 NOTEPAD.EXE 2604 RegQueryValue HKCR\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\Attributes NAME NOT FOUND Length: 16 10:27:55,2775162 NOTEPAD.EXE 2604 RegQueryKey HKCR\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder SUCCESS Query: Name 10:27:55,2775584 NOTEPAD.EXE 2604 RegQueryKey HKCR\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,2776063 NOTEPAD.EXE 2604 RegOpenKey HKCU\Software\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder NAME NOT FOUND Desired Access: Maximum Allowed 10:27:55,2776531 NOTEPAD.EXE 2604 RegQueryValue HKCR\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\CallForAttributes NAME NOT FOUND Length: 16 10:27:55,2776912 NOTEPAD.EXE 2604 RegQueryKey HKCR\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder SUCCESS Query: Name 10:27:55,2777357 NOTEPAD.EXE 2604 RegQueryKey HKCR\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,2777822 NOTEPAD.EXE 2604 RegOpenKey HKCU\Software\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder NAME NOT FOUND Desired Access: Maximum Allowed 10:27:55,2778288 NOTEPAD.EXE 2604 RegQueryValue HKCR\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\RestrictedAttributes NAME NOT FOUND Length: 16 10:27:55,2778651 NOTEPAD.EXE 2604 RegQueryKey HKCR\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder SUCCESS Query: Name 10:27:55,2779266 NOTEPAD.EXE 2604 RegQueryKey HKCR\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,2779742 NOTEPAD.EXE 2604 RegOpenKey HKCU\Software\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder NAME NOT FOUND Desired Access: Maximum Allowed 10:27:55,2780235 NOTEPAD.EXE 2604 RegQueryValue HKCR\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\FolderValueFlags SUCCESS Type: REG_DWORD, Length: 4, Data: 1581568 10:27:55,2780886 NOTEPAD.EXE 2604 RegCloseKey HKCR\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder SUCCESS 10:27:55,2781758 NOTEPAD.EXE 2604 RegQueryKey HKCU SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,2782258 NOTEPAD.EXE 2604 RegOpenKey HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder NAME NOT FOUND Desired Access: Query Value 10:27:55,2782823 NOTEPAD.EXE 2604 RegQueryKey HKCU BUFFER TOO SMALL Query: Name, Length: 0 10:27:55,2783325 NOTEPAD.EXE 2604 RegQueryKey HKCU SUCCESS Query: Name 10:27:55,2784059 NOTEPAD.EXE 2604 RegOpenKey HKLM\SOFTWARE\Microsoft\AppModel\Lookaside\user\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder NAME NOT FOUND Desired Access: Read 10:27:55,2784565 NOTEPAD.EXE 2604 RegQueryKey HKLM SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,2784927 NOTEPAD.EXE 2604 RegOpenKey HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder NAME NOT FOUND Desired Access: Query Value 10:27:55,2785349 NOTEPAD.EXE 2604 RegQueryKey HKLM BUFFER TOO SMALL Query: Name, Length: 0 10:27:55,2785739 NOTEPAD.EXE 2604 RegQueryKey HKLM SUCCESS Query: Name 10:27:55,2786246 NOTEPAD.EXE 2604 RegOpenKey HKLM\SOFTWARE\Microsoft\AppModel\Lookaside\machine\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder NAME NOT FOUND Desired Access: Read 10:27:55,2786878 NOTEPAD.EXE 2604 RegQueryKey HKCU SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,2787247 NOTEPAD.EXE 2604 RegOpenKey HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum NAME NOT FOUND Desired Access: Query Value 10:27:55,2787681 NOTEPAD.EXE 2604 RegQueryKey HKCU BUFFER TOO SMALL Query: Name, Length: 0 10:27:55,2788163 NOTEPAD.EXE 2604 RegQueryKey HKCU SUCCESS Query: Name 10:27:55,2788702 NOTEPAD.EXE 2604 RegOpenKey HKLM\SOFTWARE\Microsoft\AppModel\Lookaside\user\Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum NAME NOT FOUND Desired Access: Read 10:27:55,2789171 NOTEPAD.EXE 2604 RegQueryKey HKLM SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,2789618 NOTEPAD.EXE 2604 RegOpenKey HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum SUCCESS Desired Access: Query Value 10:27:55,2790268 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\NonEnum\{20D04FE0-3AEA-1069-A2D8-08002B30309D} NAME NOT FOUND Length: 16 10:27:55,2790725 NOTEPAD.EXE 2604 RegCloseKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\NonEnum SUCCESS 10:27:55,2791809 NOTEPAD.EXE 2604 RegQueryKey HKLM SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,2792209 NOTEPAD.EXE 2604 RegOpenKey HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace SUCCESS Desired Access: Query Value 10:27:55,2792824 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace\ValidateRegItems NAME NOT FOUND Length: 16 10:27:55,2793246 NOTEPAD.EXE 2604 RegCloseKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace SUCCESS 10:27:55,2793723 NOTEPAD.EXE 2604 RegQueryKey HKLM SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,2794207 NOTEPAD.EXE 2604 RegOpenKey HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace SUCCESS Desired Access: Query Value 10:27:55,2794730 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace\MonitorRegistry NAME NOT FOUND Length: 16 10:27:55,2795118 NOTEPAD.EXE 2604 RegCloseKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace SUCCESS 10:27:55,2796210 NOTEPAD.EXE 2604 RegQueryKey HKCU\Software\Classes SUCCESS Query: Name 10:27:55,2796657 NOTEPAD.EXE 2604 RegQueryKey HKCU\Software\Classes SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,2796962 NOTEPAD.EXE 2604 RegQueryKey HKCU\Software\Classes SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,2797429 NOTEPAD.EXE 2604 RegOpenKey HKCU\Software\Classes\Drive\shellex\FolderExtensions NAME NOT FOUND Desired Access: Enumerate Sub Keys 10:27:55,2798017 NOTEPAD.EXE 2604 RegOpenKey HKCR\Drive\shellex\FolderExtensions SUCCESS Desired Access: Enumerate Sub Keys 10:27:55,2798799 NOTEPAD.EXE 2604 RegQueryKey HKCR\Drive\shellex\FolderExtensions SUCCESS Query: Name 10:27:55,2799271 NOTEPAD.EXE 2604 RegQueryKey HKCR\Drive\shellex\FolderExtensions SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,2799717 NOTEPAD.EXE 2604 RegOpenKey HKCU\Software\Classes\Drive\shellex\FolderExtensions NAME NOT FOUND Desired Access: Maximum Allowed 10:27:55,2800205 NOTEPAD.EXE 2604 RegEnumKey HKCR\Drive\shellex\FolderExtensions SUCCESS Index: 0, Name: {fbeb8a05-beee-4442-804e-409d6c4515e9} 10:27:55,2800770 NOTEPAD.EXE 2604 RegQueryKey HKCU\Software\Classes SUCCESS Query: Name 10:27:55,2801178 NOTEPAD.EXE 2604 RegQueryKey HKCU\Software\Classes SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,2801473 NOTEPAD.EXE 2604 RegQueryKey HKCU\Software\Classes SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,2801835 NOTEPAD.EXE 2604 RegOpenKey HKCU\Software\Classes\Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9} NAME NOT FOUND Desired Access: Query Value 10:27:55,2802305 NOTEPAD.EXE 2604 RegOpenKey HKCR\Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9} SUCCESS Desired Access: Query Value 10:27:55,2802860 NOTEPAD.EXE 2604 RegQueryKey HKCR\Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9} SUCCESS Query: Name 10:27:55,2803235 NOTEPAD.EXE 2604 RegQueryKey HKCR\Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9} SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,2803718 NOTEPAD.EXE 2604 RegOpenKey HKCU\Software\Classes\Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9} NAME NOT FOUND Desired Access: Maximum Allowed 10:27:55,2804131 NOTEPAD.EXE 2604 RegQueryValue HKCR\Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9}\DriveMask SUCCESS Type: REG_DWORD, Length: 4, Data: 32 10:27:55,2804524 NOTEPAD.EXE 2604 RegCloseKey HKCR\Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9} SUCCESS 10:27:55,2804963 NOTEPAD.EXE 2604 RegEnumKey HKCR\Drive\shellex\FolderExtensions NO MORE ENTRIES Index: 1, Length: 288 10:27:55,2805675 NOTEPAD.EXE 2604 RegCloseKey HKCR\Drive\shellex\FolderExtensions SUCCESS 10:27:55,2807113 NOTEPAD.EXE 2604 RegQueryKey HKLM SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,2807694 NOTEPAD.EXE 2604 RegOpenKey HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer SUCCESS Desired Access: Query Value 10:27:55,2811605 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\AllowFileCLSIDJunctions NAME NOT FOUND Length: 16 10:27:55,2812185 NOTEPAD.EXE 2604 RegCloseKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer SUCCESS 10:27:55,2812616 NOTEPAD.EXE 2604 RegQueryKey HKCU SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,2813082 NOTEPAD.EXE 2604 RegOpenKey HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer NAME NOT FOUND Desired Access: Query Value 10:27:55,2813578 NOTEPAD.EXE 2604 RegQueryKey HKCU BUFFER TOO SMALL Query: Name, Length: 0 10:27:55,2814130 NOTEPAD.EXE 2604 RegQueryKey HKCU SUCCESS Query: Name 10:27:55,2816069 NOTEPAD.EXE 2604 RegOpenKey HKLM\SOFTWARE\Microsoft\AppModel\Lookaside\user\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer NAME NOT FOUND Desired Access: Read 10:27:55,2827919 NOTEPAD.EXE 2604 CreateFile C:\Windows\System32\propsys.dll SUCCESS Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened 10:27:55,2829195 NOTEPAD.EXE 2604 QueryBasicInformationFile C:\Windows\System32\propsys.dll SUCCESS CreationTime: 10/06/2022 19:49:56, LastAccessTime: 09/08/2023 10:27:54, LastWriteTime: 10/06/2022 19:49:56, ChangeTime: 09/08/2023 10:13:14, FileAttributes: A 10:27:55,2829705 NOTEPAD.EXE 2604 CloseFile C:\Windows\System32\propsys.dll SUCCESS 10:27:55,2835732 NOTEPAD.EXE 2604 CreateFile C:\Windows\System32\propsys.dll SUCCESS Desired Access: Read Data/List Directory, Execute/Traverse, Synchronize, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, Delete, AllocationSize: n/a, OpenResult: Opened 10:27:55,2837627 NOTEPAD.EXE 2604 CreateFileMapping C:\Windows\System32\propsys.dll FILE LOCKED WITH ONLY READERS SyncType: SyncTypeCreateSection, PageProtection: PAGE_EXECUTE_WRITECOPY|PAGE_NOCACHE 10:27:55,2838812 NOTEPAD.EXE 2604 CreateFileMapping C:\Windows\System32\propsys.dll SUCCESS SyncType: SyncTypeOther 10:27:55,2847325 NOTEPAD.EXE 2604 Load Image C:\Windows\System32\propsys.dll SUCCESS Image Base: 0x7ffb5edf0000, Image Size: 0xf6000 10:27:55,2850092 NOTEPAD.EXE 2604 CloseFile C:\Windows\System32\propsys.dll SUCCESS 10:27:55,2854738 NOTEPAD.EXE 2604 RegQueryValue HKLM\System\CurrentControlSet\Control\WMI\Security\32980f26-c8f5-5767-6b26-635b3fa83c61 NAME NOT FOUND Length: 528 10:27:55,2856639 NOTEPAD.EXE 2604 QueryNameInformationFile C:\Windows\System32\propsys.dll SUCCESS Name: \Windows\System32\propsys.dll 10:27:55,2858393 NOTEPAD.EXE 2604 RegQueryValue HKLM\System\CurrentControlSet\Control\WMI\Security\703fcc13-b66f-5868-ddd9-e2db7f381ffb NAME NOT FOUND Length: 528 10:27:55,2859753 NOTEPAD.EXE 2604 QueryNameInformationFile C:\Windows\System32\propsys.dll SUCCESS Name: \Windows\System32\propsys.dll 10:27:55,2861339 NOTEPAD.EXE 2604 RegQueryKey HKLM SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,2861770 NOTEPAD.EXE 2604 RegOpenKey HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\KindMap SUCCESS Desired Access: Read 10:27:55,2863477 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\KindMap\. NAME NOT FOUND Length: 144 10:27:55,2864321 NOTEPAD.EXE 2604 RegCloseKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\KindMap SUCCESS 10:27:55,2865033 NOTEPAD.EXE 2604 RegQueryKey HKCU\Software\Classes SUCCESS Query: Name 10:27:55,2865607 NOTEPAD.EXE 2604 RegQueryKey HKCU\Software\Classes SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,2866081 NOTEPAD.EXE 2604 RegQueryKey HKCU\Software\Classes SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,2866693 NOTEPAD.EXE 2604 RegOpenKey HKCU\Software\Classes\. NAME NOT FOUND Desired Access: Read 10:27:55,2867475 NOTEPAD.EXE 2604 RegOpenKey HKCR\. NAME NOT FOUND Desired Access: Read 10:27:55,2867963 NOTEPAD.EXE 2604 RegQueryKey HKCU\Software\Classes BUFFER TOO SMALL Query: Name, Length: 0 10:27:55,2868486 NOTEPAD.EXE 2604 RegQueryKey HKCU\Software\Classes SUCCESS Query: Name 10:27:55,2869097 NOTEPAD.EXE 2604 RegOpenKey HKLM\SOFTWARE\Microsoft\AppModel\Lookaside\user\software\Classes\. NAME NOT FOUND Desired Access: Read 10:27:55,2871047 NOTEPAD.EXE 2604 RegQueryValue HKLM\System\CurrentControlSet\Control\Notifications\418A073AA3BC8075 BUFFER TOO SMALL Length: 0 10:27:55,2872560 NOTEPAD.EXE 2604 RegQueryValue HKLM\System\CurrentControlSet\Control\Notifications\418A073AA3BC8075 SUCCESS Type: REG_BINARY, Length: 364, Data: 01 00 04 80 00 00 00 00 00 00 00 00 00 00 00 00 10:27:55,2875696 NOTEPAD.EXE 2604 RegQueryValue HKLM\System\CurrentControlSet\Control\Notifications\418A073AA3BC8075 BUFFER TOO SMALL Length: 0 10:27:55,2876778 NOTEPAD.EXE 2604 RegQueryValue HKLM\System\CurrentControlSet\Control\Notifications\418A073AA3BC8075 SUCCESS Type: REG_BINARY, Length: 364, Data: 01 00 04 80 00 00 00 00 00 00 00 00 00 00 00 00 10:27:55,2878131 NOTEPAD.EXE 2604 RegQueryKey HKLM SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,2878587 NOTEPAD.EXE 2604 RegOpenKey HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer SUCCESS Desired Access: Query Value 10:27:55,2879121 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DontShowSuperHidden NAME NOT FOUND Length: 16 10:27:55,2879549 NOTEPAD.EXE 2604 RegCloseKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer SUCCESS 10:27:55,2879917 NOTEPAD.EXE 2604 RegQueryKey HKCU SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,2880282 NOTEPAD.EXE 2604 RegOpenKey HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer NAME NOT FOUND Desired Access: Query Value 10:27:55,2880758 NOTEPAD.EXE 2604 RegQueryKey HKCU BUFFER TOO SMALL Query: Name, Length: 0 10:27:55,2881552 NOTEPAD.EXE 2604 RegQueryKey HKCU SUCCESS Query: Name 10:27:55,2882271 NOTEPAD.EXE 2604 RegOpenKey HKLM\SOFTWARE\Microsoft\AppModel\Lookaside\user\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer NAME NOT FOUND Desired Access: Read 10:27:55,2883038 NOTEPAD.EXE 2604 RegQueryKey HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,2883421 NOTEPAD.EXE 2604 RegOpenKey HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer SUCCESS Desired Access: Query Value 10:27:55,2883889 NOTEPAD.EXE 2604 RegQueryValue HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellState BUFFER OVERFLOW Length: 12 10:27:55,2884375 NOTEPAD.EXE 2604 RegQueryValue HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellState SUCCESS Type: REG_BINARY, Length: 36, Data: 24 00 00 00 3F 28 00 00 00 00 00 00 00 00 00 00 10:27:55,2884922 NOTEPAD.EXE 2604 RegCloseKey HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer SUCCESS 10:27:55,2885400 NOTEPAD.EXE 2604 RegQueryKey HKLM SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,2885805 NOTEPAD.EXE 2604 RegOpenKey HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer SUCCESS Desired Access: Query Value 10:27:55,2886316 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoWebView NAME NOT FOUND Length: 16 10:27:55,2886728 NOTEPAD.EXE 2604 RegCloseKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer SUCCESS 10:27:55,2887149 NOTEPAD.EXE 2604 RegQueryKey HKCU SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,2887537 NOTEPAD.EXE 2604 RegOpenKey HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer NAME NOT FOUND Desired Access: Query Value 10:27:55,2888009 NOTEPAD.EXE 2604 RegQueryKey HKCU BUFFER TOO SMALL Query: Name, Length: 0 10:27:55,2888411 NOTEPAD.EXE 2604 RegQueryKey HKCU SUCCESS Query: Name 10:27:55,2888968 NOTEPAD.EXE 2604 RegOpenKey HKLM\SOFTWARE\Microsoft\AppModel\Lookaside\user\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer NAME NOT FOUND Desired Access: Read 10:27:55,2889642 NOTEPAD.EXE 2604 RegQueryKey HKLM SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,2890343 NOTEPAD.EXE 2604 RegOpenKey HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer SUCCESS Desired Access: Query Value 10:27:55,2890998 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\ClassicShell NAME NOT FOUND Length: 16 10:27:55,2891574 NOTEPAD.EXE 2604 RegCloseKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer SUCCESS 10:27:55,2891982 NOTEPAD.EXE 2604 RegQueryKey HKCU SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,2892413 NOTEPAD.EXE 2604 RegOpenKey HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer NAME NOT FOUND Desired Access: Query Value 10:27:55,2892823 NOTEPAD.EXE 2604 RegQueryKey HKCU BUFFER TOO SMALL Query: Name, Length: 0 10:27:55,2893194 NOTEPAD.EXE 2604 RegQueryKey HKCU SUCCESS Query: Name 10:27:55,2893743 NOTEPAD.EXE 2604 RegOpenKey HKLM\SOFTWARE\Microsoft\AppModel\Lookaside\user\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer NAME NOT FOUND Desired Access: Read 10:27:55,2894276 NOTEPAD.EXE 2604 RegQueryKey HKLM SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,2894713 NOTEPAD.EXE 2604 RegOpenKey HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer SUCCESS Desired Access: Query Value 10:27:55,2895193 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\SeparateProcess NAME NOT FOUND Length: 16 10:27:55,2895612 NOTEPAD.EXE 2604 RegCloseKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer SUCCESS 10:27:55,2896067 NOTEPAD.EXE 2604 RegQueryKey HKCU SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,2896529 NOTEPAD.EXE 2604 RegOpenKey HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer NAME NOT FOUND Desired Access: Query Value 10:27:55,2896956 NOTEPAD.EXE 2604 RegQueryKey HKCU BUFFER TOO SMALL Query: Name, Length: 0 10:27:55,2897332 NOTEPAD.EXE 2604 RegQueryKey HKCU SUCCESS Query: Name 10:27:55,2897849 NOTEPAD.EXE 2604 RegOpenKey HKLM\SOFTWARE\Microsoft\AppModel\Lookaside\user\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer NAME NOT FOUND Desired Access: Read 10:27:55,2898418 NOTEPAD.EXE 2604 RegQueryKey HKLM SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,2898803 NOTEPAD.EXE 2604 RegOpenKey HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer SUCCESS Desired Access: Query Value 10:27:55,2899259 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoNetCrawling NAME NOT FOUND Length: 16 10:27:55,2899713 NOTEPAD.EXE 2604 RegCloseKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer SUCCESS 10:27:55,2900090 NOTEPAD.EXE 2604 RegQueryKey HKCU SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,2900498 NOTEPAD.EXE 2604 RegOpenKey HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer NAME NOT FOUND Desired Access: Query Value 10:27:55,2900986 NOTEPAD.EXE 2604 RegQueryKey HKCU BUFFER TOO SMALL Query: Name, Length: 0 10:27:55,2901363 NOTEPAD.EXE 2604 RegQueryKey HKCU SUCCESS Query: Name 10:27:55,2901961 NOTEPAD.EXE 2604 RegOpenKey HKLM\SOFTWARE\Microsoft\AppModel\Lookaside\user\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer NAME NOT FOUND Desired Access: Read 10:27:55,2902432 NOTEPAD.EXE 2604 RegQueryKey HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,2902804 NOTEPAD.EXE 2604 RegOpenKey HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced SUCCESS Desired Access: Query Value 10:27:55,2903272 NOTEPAD.EXE 2604 RegQueryValue HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden SUCCESS Type: REG_DWORD, Length: 4, Data: 1 10:27:55,2903679 NOTEPAD.EXE 2604 RegQueryValue HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowCompColor SUCCESS Type: REG_DWORD, Length: 4, Data: 1 10:27:55,2904043 NOTEPAD.EXE 2604 RegQueryValue HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt SUCCESS Type: REG_DWORD, Length: 4, Data: 0 10:27:55,2904427 NOTEPAD.EXE 2604 RegQueryValue HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\DontPrettyPath SUCCESS Type: REG_DWORD, Length: 4, Data: 0 10:27:55,2904801 NOTEPAD.EXE 2604 RegQueryValue HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowInfoTip SUCCESS Type: REG_DWORD, Length: 4, Data: 1 10:27:55,2905150 NOTEPAD.EXE 2604 RegQueryValue HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideIcons SUCCESS Type: REG_DWORD, Length: 4, Data: 0 10:27:55,2905482 NOTEPAD.EXE 2604 RegQueryValue HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\MapNetDrvBtn SUCCESS Type: REG_DWORD, Length: 4, Data: 0 10:27:55,2905840 NOTEPAD.EXE 2604 RegQueryValue HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\WebView SUCCESS Type: REG_DWORD, Length: 4, Data: 1 10:27:55,2906189 NOTEPAD.EXE 2604 RegQueryValue HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Filter SUCCESS Type: REG_DWORD, Length: 4, Data: 0 10:27:55,2906562 NOTEPAD.EXE 2604 RegQueryValue HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden SUCCESS Type: REG_DWORD, Length: 4, Data: 0 10:27:55,2907010 NOTEPAD.EXE 2604 RegQueryValue HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\SeparateProcess SUCCESS Type: REG_DWORD, Length: 4, Data: 0 10:27:55,2907648 NOTEPAD.EXE 2604 RegQueryValue HKLM\System\CurrentControlSet\Control\Notifications\418A073AA3BC8075 BUFFER TOO SMALL Length: 0 10:27:55,2908833 NOTEPAD.EXE 2604 RegQueryValue HKLM\System\CurrentControlSet\Control\Notifications\418A073AA3BC8075 SUCCESS Type: REG_BINARY, Length: 364, Data: 01 00 04 80 00 00 00 00 00 00 00 00 00 00 00 00 10:27:55,2909961 NOTEPAD.EXE 2604 RegQueryValue HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\NoNetCrawling NAME NOT FOUND Length: 16 10:27:55,2910371 NOTEPAD.EXE 2604 RegQueryValue HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\AutoCheckSelect SUCCESS Type: REG_DWORD, Length: 4, Data: 0 10:27:55,2910748 NOTEPAD.EXE 2604 RegQueryValue HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\IconsOnly SUCCESS Type: REG_DWORD, Length: 4, Data: 0 10:27:55,2911112 NOTEPAD.EXE 2604 RegQueryValue HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowTypeOverlay SUCCESS Type: REG_DWORD, Length: 4, Data: 1 10:27:55,2911480 NOTEPAD.EXE 2604 RegQueryValue HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowStatusBar SUCCESS Type: REG_DWORD, Length: 4, Data: 1 10:27:55,2911877 NOTEPAD.EXE 2604 RegCloseKey HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced SUCCESS 10:27:55,2912986 NOTEPAD.EXE 2604 RegQueryKey HKCU\Software\Classes SUCCESS Query: Name 10:27:55,2913429 NOTEPAD.EXE 2604 RegQueryKey HKCU\Software\Classes SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,2913887 NOTEPAD.EXE 2604 RegQueryKey HKCU\Software\Classes SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,2914276 NOTEPAD.EXE 2604 RegOpenKey HKCU\Software\Classes\. NAME NOT FOUND Desired Access: Read 10:27:55,2914787 NOTEPAD.EXE 2604 RegOpenKey HKCR\. NAME NOT FOUND Desired Access: Read 10:27:55,2915298 NOTEPAD.EXE 2604 RegQueryKey HKCU\Software\Classes BUFFER TOO SMALL Query: Name, Length: 0 10:27:55,2915728 NOTEPAD.EXE 2604 RegQueryKey HKCU\Software\Classes SUCCESS Query: Name 10:27:55,2916336 NOTEPAD.EXE 2604 RegOpenKey HKLM\SOFTWARE\Microsoft\AppModel\Lookaside\user\software\Classes\. NAME NOT FOUND Desired Access: Read 10:27:55,2917009 NOTEPAD.EXE 2604 RegQueryKey HKCU\Software\Classes SUCCESS Query: Name 10:27:55,2917496 NOTEPAD.EXE 2604 RegQueryKey HKCU\Software\Classes SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,2918065 NOTEPAD.EXE 2604 RegQueryKey HKCU\Software\Classes SUCCESS Query: Name 10:27:55,2918580 NOTEPAD.EXE 2604 RegOpenKey HKCU\Software\Classes\. NAME NOT FOUND Desired Access: Read 10:27:55,2919118 NOTEPAD.EXE 2604 RegOpenKey HKCR\. NAME NOT FOUND Desired Access: Read 10:27:55,2919594 NOTEPAD.EXE 2604 RegQueryKey HKCU\Software\Classes BUFFER TOO SMALL Query: Name, Length: 0 10:27:55,2920036 NOTEPAD.EXE 2604 RegQueryKey HKCU\Software\Classes SUCCESS Query: Name 10:27:55,2920595 NOTEPAD.EXE 2604 RegOpenKey HKLM\SOFTWARE\Microsoft\AppModel\Lookaside\user\software\Classes\. NAME NOT FOUND Desired Access: Read 10:27:55,2921157 NOTEPAD.EXE 2604 RegQueryKey HKCU\Software\Classes SUCCESS Query: Name 10:27:55,2921592 NOTEPAD.EXE 2604 RegQueryKey HKCU\Software\Classes SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,2921943 NOTEPAD.EXE 2604 RegQueryKey HKCU\Software\Classes SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,2922425 NOTEPAD.EXE 2604 RegOpenKey HKCU\Software\Classes\.\OpenWithProgids NAME NOT FOUND Desired Access: Read 10:27:55,2922889 NOTEPAD.EXE 2604 RegOpenKey HKCR\.\OpenWithProgids NAME NOT FOUND Desired Access: Read 10:27:55,2923361 NOTEPAD.EXE 2604 RegQueryKey HKCU\Software\Classes BUFFER TOO SMALL Query: Name, Length: 0 10:27:55,2923797 NOTEPAD.EXE 2604 RegQueryKey HKCU\Software\Classes SUCCESS Query: Name 10:27:55,2924356 NOTEPAD.EXE 2604 RegOpenKey HKLM\SOFTWARE\Microsoft\AppModel\Lookaside\user\software\Classes\.\OpenWithProgids NAME NOT FOUND Desired Access: Read 10:27:55,2924901 NOTEPAD.EXE 2604 RegQueryKey HKCU SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,2925292 NOTEPAD.EXE 2604 RegOpenKey HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.\OpenWithProgids NAME NOT FOUND Desired Access: Read 10:27:55,2925824 NOTEPAD.EXE 2604 RegQueryKey HKCU BUFFER TOO SMALL Query: Name, Length: 0 10:27:55,2926313 NOTEPAD.EXE 2604 RegQueryKey HKCU SUCCESS Query: Name 10:27:55,2926907 NOTEPAD.EXE 2604 RegOpenKey HKLM\SOFTWARE\Microsoft\AppModel\Lookaside\user\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.\OpenWithProgids NAME NOT FOUND Desired Access: Read 10:27:55,2928003 NOTEPAD.EXE 2604 RegQueryKey HKCU SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,2928572 NOTEPAD.EXE 2604 RegOpenKey HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts SUCCESS Desired Access: Read 10:27:55,2929298 NOTEPAD.EXE 2604 RegQueryKey HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,2929926 NOTEPAD.EXE 2604 RegOpenKey HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\. SUCCESS Desired Access: Read 10:27:55,2930637 NOTEPAD.EXE 2604 RegQueryKey HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\. SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,2931026 NOTEPAD.EXE 2604 RegOpenKey HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\. SUCCESS Desired Access: Read 10:27:55,2931623 NOTEPAD.EXE 2604 RegQueryKey HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\. SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,2932177 NOTEPAD.EXE 2604 RegOpenKey HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.\UserChoice NAME NOT FOUND Desired Access: Query Value 10:27:55,2932751 NOTEPAD.EXE 2604 RegQueryKey HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\. BUFFER TOO SMALL Query: Name, Length: 0 10:27:55,2933222 NOTEPAD.EXE 2604 RegQueryKey HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\. SUCCESS Query: Name 10:27:55,2933908 NOTEPAD.EXE 2604 RegOpenKey HKLM\SOFTWARE\Microsoft\AppModel\Lookaside\user\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.\UserChoice NAME NOT FOUND Desired Access: Read 10:27:55,2935010 NOTEPAD.EXE 2604 RegCloseKey HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\. SUCCESS 10:27:55,2935486 NOTEPAD.EXE 2604 RegCloseKey HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\. SUCCESS 10:27:55,2936535 NOTEPAD.EXE 2604 RegQueryKey HKCU\Software\Classes SUCCESS Query: Name 10:27:55,2936965 NOTEPAD.EXE 2604 RegQueryKey HKCU\Software\Classes SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,2937424 NOTEPAD.EXE 2604 RegQueryKey HKCU\Software\Classes SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,2937822 NOTEPAD.EXE 2604 RegOpenKey HKCU\Software\Classes\. NAME NOT FOUND Desired Access: Read 10:27:55,2938328 NOTEPAD.EXE 2604 RegOpenKey HKCR\. NAME NOT FOUND Desired Access: Read 10:27:55,2938812 NOTEPAD.EXE 2604 RegQueryKey HKCU\Software\Classes BUFFER TOO SMALL Query: Name, Length: 0 10:27:55,2939281 NOTEPAD.EXE 2604 RegQueryKey HKCU\Software\Classes SUCCESS Query: Name 10:27:55,2939856 NOTEPAD.EXE 2604 RegOpenKey HKLM\SOFTWARE\Microsoft\AppModel\Lookaside\user\software\Classes\. NAME NOT FOUND Desired Access: Read 10:27:55,2940418 NOTEPAD.EXE 2604 RegQueryKey HKCU\Software\Classes SUCCESS Query: Name 10:27:55,2940838 NOTEPAD.EXE 2604 RegQueryKey HKCU\Software\Classes SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,2941179 NOTEPAD.EXE 2604 RegQueryKey HKCU\Software\Classes SUCCESS Query: Name 10:27:55,2941700 NOTEPAD.EXE 2604 RegOpenKey HKCU\Software\Classes\. NAME NOT FOUND Desired Access: Read 10:27:55,2942228 NOTEPAD.EXE 2604 RegOpenKey HKCR\. NAME NOT FOUND Desired Access: Read 10:27:55,2942697 NOTEPAD.EXE 2604 RegQueryKey HKCU\Software\Classes BUFFER TOO SMALL Query: Name, Length: 0 10:27:55,2943092 NOTEPAD.EXE 2604 RegQueryKey HKCU\Software\Classes SUCCESS Query: Name 10:27:55,2943615 NOTEPAD.EXE 2604 RegOpenKey HKLM\SOFTWARE\Microsoft\AppModel\Lookaside\user\software\Classes\. NAME NOT FOUND Desired Access: Read 10:27:55,2944360 NOTEPAD.EXE 2604 RegQueryKey HKCU\Software\Classes SUCCESS Query: Name 10:27:55,2945048 NOTEPAD.EXE 2604 RegQueryKey HKCU\Software\Classes SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,2945407 NOTEPAD.EXE 2604 RegQueryKey HKCU\Software\Classes SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,2947123 NOTEPAD.EXE 2604 RegOpenKey HKCU\Software\Classes\. NAME NOT FOUND Desired Access: Read 10:27:55,2947876 NOTEPAD.EXE 2604 RegOpenKey HKCR\. NAME NOT FOUND Desired Access: Read 10:27:55,2948413 NOTEPAD.EXE 2604 RegQueryKey HKCU\Software\Classes BUFFER TOO SMALL Query: Name, Length: 0 10:27:55,2948866 NOTEPAD.EXE 2604 RegQueryKey HKCU\Software\Classes SUCCESS Query: Name 10:27:55,2949419 NOTEPAD.EXE 2604 RegOpenKey HKLM\SOFTWARE\Microsoft\AppModel\Lookaside\user\software\Classes\. NAME NOT FOUND Desired Access: Read 10:27:55,2950019 NOTEPAD.EXE 2604 RegQueryKey HKCU\Software\Classes SUCCESS Query: Name 10:27:55,2950429 NOTEPAD.EXE 2604 RegQueryKey HKCU\Software\Classes SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,2950784 NOTEPAD.EXE 2604 RegQueryKey HKCU\Software\Classes SUCCESS Query: Name 10:27:55,2951274 NOTEPAD.EXE 2604 RegOpenKey HKCU\Software\Classes\. NAME NOT FOUND Desired Access: Read 10:27:55,2951824 NOTEPAD.EXE 2604 RegOpenKey HKCR\. NAME NOT FOUND Desired Access: Read 10:27:55,2952313 NOTEPAD.EXE 2604 RegQueryKey HKCU\Software\Classes BUFFER TOO SMALL Query: Name, Length: 0 10:27:55,2952749 NOTEPAD.EXE 2604 RegQueryKey HKCU\Software\Classes SUCCESS Query: Name 10:27:55,2953272 NOTEPAD.EXE 2604 RegOpenKey HKLM\SOFTWARE\Microsoft\AppModel\Lookaside\user\software\Classes\. NAME NOT FOUND Desired Access: Read 10:27:55,2953839 NOTEPAD.EXE 2604 RegQueryKey HKCU\Software\Classes SUCCESS Query: Name 10:27:55,2954385 NOTEPAD.EXE 2604 RegQueryKey HKCU\Software\Classes SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,2955006 NOTEPAD.EXE 2604 RegQueryKey HKCU\Software\Classes SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,2955402 NOTEPAD.EXE 2604 RegOpenKey HKCU\Software\Classes\Unknown NAME NOT FOUND Desired Access: Read 10:27:55,2955924 NOTEPAD.EXE 2604 RegOpenKey HKCR\Unknown SUCCESS Desired Access: Read 10:27:55,2956440 NOTEPAD.EXE 2604 RegQueryKey HKCR\Unknown SUCCESS Query: Name 10:27:55,2956863 NOTEPAD.EXE 2604 RegQueryKey HKCR\Unknown SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,2957371 NOTEPAD.EXE 2604 RegOpenKey HKCU\Software\Classes\Unknown\CurVer NAME NOT FOUND Desired Access: Query Value 10:27:55,2957861 NOTEPAD.EXE 2604 RegQueryKey HKCR\Unknown SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,2958384 NOTEPAD.EXE 2604 RegOpenKey HKCR\Unknown\CurVer NAME NOT FOUND Desired Access: Query Value 10:27:55,2958792 NOTEPAD.EXE 2604 RegQueryKey HKCR\Unknown BUFFER TOO SMALL Query: Name, Length: 0 10:27:55,2959231 NOTEPAD.EXE 2604 RegQueryKey HKCR\Unknown SUCCESS Query: Name 10:27:55,2959812 NOTEPAD.EXE 2604 RegOpenKey HKLM\SOFTWARE\Microsoft\AppModel\Lookaside\machine\SOFTWARE\Classes\Unknown\CurVer NAME NOT FOUND Desired Access: Read 10:27:55,2960382 NOTEPAD.EXE 2604 RegQueryKey HKCR\Unknown SUCCESS Query: Name 10:27:55,2960786 NOTEPAD.EXE 2604 RegQueryKey HKCR\Unknown SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,2961251 NOTEPAD.EXE 2604 RegOpenKey HKCU\Software\Classes\Unknown NAME NOT FOUND Desired Access: Read 10:27:55,2961671 NOTEPAD.EXE 2604 RegQueryKey HKCR\Unknown SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,2962041 NOTEPAD.EXE 2604 RegOpenKey HKCR\Unknown SUCCESS Desired Access: Read 10:27:55,2962579 NOTEPAD.EXE 2604 RegCloseKey HKCR\Unknown SUCCESS 10:27:55,2963124 NOTEPAD.EXE 2604 RegQueryKey HKCR\Unknown SUCCESS Query: Name 10:27:55,2963734 NOTEPAD.EXE 2604 RegQueryKey HKCR\Unknown SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,2964300 NOTEPAD.EXE 2604 RegOpenKey HKCU\Software\Classes\Unknown\ShellEx\IconHandler NAME NOT FOUND Desired Access: Query Value 10:27:55,2964763 NOTEPAD.EXE 2604 RegQueryKey HKCR\Unknown SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,2965230 NOTEPAD.EXE 2604 RegOpenKey HKCR\Unknown\ShellEx\IconHandler NAME NOT FOUND Desired Access: Query Value 10:27:55,2965619 NOTEPAD.EXE 2604 RegQueryKey HKCR\Unknown BUFFER TOO SMALL Query: Name, Length: 0 10:27:55,2966060 NOTEPAD.EXE 2604 RegQueryKey HKCR\Unknown SUCCESS Query: Name 10:27:55,2966688 NOTEPAD.EXE 2604 RegOpenKey HKLM\SOFTWARE\Microsoft\AppModel\Lookaside\machine\SOFTWARE\Classes\Unknown\ShellEx\IconHandler NAME NOT FOUND Desired Access: Read 10:27:55,2967275 NOTEPAD.EXE 2604 RegQueryKey HKCU\Software\Classes SUCCESS Query: Name 10:27:55,2967752 NOTEPAD.EXE 2604 RegQueryKey HKCU\Software\Classes SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,2968106 NOTEPAD.EXE 2604 RegQueryKey HKCU\Software\Classes SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,2968501 NOTEPAD.EXE 2604 RegOpenKey HKCU\Software\Classes\SystemFileAssociations\. NAME NOT FOUND Desired Access: Read 10:27:55,2968997 NOTEPAD.EXE 2604 RegOpenKey HKCR\SystemFileAssociations\. NAME NOT FOUND Desired Access: Read 10:27:55,2969582 NOTEPAD.EXE 2604 RegQueryKey HKCU\Software\Classes BUFFER TOO SMALL Query: Name, Length: 0 10:27:55,2970086 NOTEPAD.EXE 2604 RegQueryKey HKCU\Software\Classes SUCCESS Query: Name 10:27:55,2970642 NOTEPAD.EXE 2604 RegOpenKey HKLM\SOFTWARE\Microsoft\AppModel\Lookaside\user\software\Classes\SystemFileAssociations\. NAME NOT FOUND Desired Access: Read 10:27:55,2971166 NOTEPAD.EXE 2604 RegQueryKey HKCU\Software\Classes SUCCESS Query: Name 10:27:55,2971680 NOTEPAD.EXE 2604 RegQueryKey HKCU\Software\Classes SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,2972027 NOTEPAD.EXE 2604 RegQueryKey HKCU\Software\Classes SUCCESS Query: Name 10:27:55,2972580 NOTEPAD.EXE 2604 RegOpenKey HKCU\Software\Classes\SystemFileAssociations\. NAME NOT FOUND Desired Access: Read 10:27:55,2973111 NOTEPAD.EXE 2604 RegOpenKey HKCR\SystemFileAssociations\. NAME NOT FOUND Desired Access: Read 10:27:55,2973555 NOTEPAD.EXE 2604 RegQueryKey HKCU\Software\Classes BUFFER TOO SMALL Query: Name, Length: 0 10:27:55,2973937 NOTEPAD.EXE 2604 RegQueryKey HKCU\Software\Classes SUCCESS Query: Name 10:27:55,2975074 NOTEPAD.EXE 2604 RegOpenKey HKLM\SOFTWARE\Microsoft\AppModel\Lookaside\user\software\Classes\SystemFileAssociations\. NAME NOT FOUND Desired Access: Read 10:27:55,2975986 NOTEPAD.EXE 2604 RegQueryKey HKCU\Software\Classes SUCCESS Query: Name 10:27:55,2976392 NOTEPAD.EXE 2604 RegQueryKey HKCU\Software\Classes SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,2976730 NOTEPAD.EXE 2604 RegQueryKey HKCU\Software\Classes SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,2977106 NOTEPAD.EXE 2604 RegOpenKey HKCU\Software\Classes\. NAME NOT FOUND Desired Access: Query Value 10:27:55,2977554 NOTEPAD.EXE 2604 RegOpenKey HKCR\. NAME NOT FOUND Desired Access: Query Value 10:27:55,2977988 NOTEPAD.EXE 2604 RegQueryKey HKCU\Software\Classes BUFFER TOO SMALL Query: Name, Length: 0 10:27:55,2978377 NOTEPAD.EXE 2604 RegQueryKey HKCU\Software\Classes SUCCESS Query: Name 10:27:55,2978917 NOTEPAD.EXE 2604 RegOpenKey HKLM\SOFTWARE\Microsoft\AppModel\Lookaside\user\software\Classes\. NAME NOT FOUND Desired Access: Read 10:27:55,2979408 NOTEPAD.EXE 2604 RegQueryKey HKCU\Software\Classes SUCCESS Query: Name 10:27:55,2979852 NOTEPAD.EXE 2604 RegQueryKey HKCU\Software\Classes SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,2980175 NOTEPAD.EXE 2604 RegQueryKey HKCU\Software\Classes SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,2982053 NOTEPAD.EXE 2604 RegOpenKey HKCU\Software\Classes\SystemFileAssociations\. NAME NOT FOUND Desired Access: Query Value 10:27:55,2982575 NOTEPAD.EXE 2604 RegOpenKey HKCR\SystemFileAssociations\. NAME NOT FOUND Desired Access: Query Value 10:27:55,2983087 NOTEPAD.EXE 2604 RegQueryKey HKCU\Software\Classes BUFFER TOO SMALL Query: Name, Length: 0 10:27:55,2983616 NOTEPAD.EXE 2604 RegQueryKey HKCU\Software\Classes SUCCESS Query: Name 10:27:55,2984169 NOTEPAD.EXE 2604 RegOpenKey HKLM\SOFTWARE\Microsoft\AppModel\Lookaside\user\software\Classes\SystemFileAssociations\. NAME NOT FOUND Desired Access: Read 10:27:55,2984718 NOTEPAD.EXE 2604 RegQueryKey HKCR\Unknown SUCCESS Query: Name 10:27:55,2985075 NOTEPAD.EXE 2604 RegQueryKey HKCR\Unknown SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,2985514 NOTEPAD.EXE 2604 RegOpenKey HKCU\Software\Classes\Unknown NAME NOT FOUND Desired Access: Maximum Allowed 10:27:55,2985913 NOTEPAD.EXE 2604 RegQueryValue HKCR\Unknown\DocObject NAME NOT FOUND Length: 12 10:27:55,2986257 NOTEPAD.EXE 2604 RegQueryKey HKCR\Unknown SUCCESS Query: Name 10:27:55,2987774 NOTEPAD.EXE 2604 RegQueryKey HKCR\Unknown SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,2988234 NOTEPAD.EXE 2604 RegOpenKey HKCU\Software\Classes\Unknown\DocObject NAME NOT FOUND Desired Access: Query Value 10:27:55,2988624 NOTEPAD.EXE 2604 RegQueryKey HKCR\Unknown SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,2988972 NOTEPAD.EXE 2604 RegOpenKey HKCR\Unknown\DocObject NAME NOT FOUND Desired Access: Query Value 10:27:55,2989323 NOTEPAD.EXE 2604 RegQueryKey HKCR\Unknown BUFFER TOO SMALL Query: Name, Length: 0 10:27:55,2989712 NOTEPAD.EXE 2604 RegQueryKey HKCR\Unknown SUCCESS Query: Name 10:27:55,2991029 NOTEPAD.EXE 2604 RegOpenKey HKLM\SOFTWARE\Microsoft\AppModel\Lookaside\machine\SOFTWARE\Classes\Unknown\DocObject NAME NOT FOUND Desired Access: Read 10:27:55,2991850 NOTEPAD.EXE 2604 RegQueryKey HKCR\Unknown SUCCESS Query: Name 10:27:55,2992279 NOTEPAD.EXE 2604 RegQueryKey HKCR\Unknown SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,2992887 NOTEPAD.EXE 2604 RegOpenKey HKCU\Software\Classes\Unknown NAME NOT FOUND Desired Access: Maximum Allowed 10:27:55,2993330 NOTEPAD.EXE 2604 RegQueryValue HKCR\Unknown\BrowseInPlace NAME NOT FOUND Length: 12 10:27:55,2994028 NOTEPAD.EXE 2604 RegQueryKey HKCR\Unknown SUCCESS Query: Name 10:27:55,2994394 NOTEPAD.EXE 2604 RegQueryKey HKCR\Unknown SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,2994854 NOTEPAD.EXE 2604 RegOpenKey HKCU\Software\Classes\Unknown\BrowseInPlace NAME NOT FOUND Desired Access: Query Value 10:27:55,2995318 NOTEPAD.EXE 2604 RegQueryKey HKCR\Unknown SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,2995683 NOTEPAD.EXE 2604 RegOpenKey HKCR\Unknown\BrowseInPlace NAME NOT FOUND Desired Access: Query Value 10:27:55,2996047 NOTEPAD.EXE 2604 RegQueryKey HKCR\Unknown BUFFER TOO SMALL Query: Name, Length: 0 10:27:55,2996421 NOTEPAD.EXE 2604 RegQueryKey HKCR\Unknown SUCCESS Query: Name 10:27:55,2996992 NOTEPAD.EXE 2604 RegOpenKey HKLM\SOFTWARE\Microsoft\AppModel\Lookaside\machine\SOFTWARE\Classes\Unknown\BrowseInPlace NAME NOT FOUND Desired Access: Read 10:27:55,2997588 NOTEPAD.EXE 2604 RegQueryKey HKCR\Unknown SUCCESS Query: Name 10:27:55,2998038 NOTEPAD.EXE 2604 RegQueryKey HKCR\Unknown SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,2998507 NOTEPAD.EXE 2604 RegOpenKey HKCU\Software\Classes\Unknown\Clsid NAME NOT FOUND Desired Access: Query Value 10:27:55,2998912 NOTEPAD.EXE 2604 RegQueryKey HKCR\Unknown SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,2999280 NOTEPAD.EXE 2604 RegOpenKey HKCR\Unknown\Clsid NAME NOT FOUND Desired Access: Query Value 10:27:55,2999670 NOTEPAD.EXE 2604 RegQueryKey HKCR\Unknown BUFFER TOO SMALL Query: Name, Length: 0 10:27:55,3000032 NOTEPAD.EXE 2604 RegQueryKey HKCR\Unknown SUCCESS Query: Name 10:27:55,3000487 NOTEPAD.EXE 2604 RegOpenKey HKLM\SOFTWARE\Microsoft\AppModel\Lookaside\machine\SOFTWARE\Classes\Unknown\Clsid NAME NOT FOUND Desired Access: Read 10:27:55,3000947 NOTEPAD.EXE 2604 RegQueryKey HKCR\Unknown SUCCESS Query: Name 10:27:55,3001485 NOTEPAD.EXE 2604 RegQueryKey HKCR\Unknown SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,3002085 NOTEPAD.EXE 2604 RegOpenKey HKCU\Software\Classes\Unknown NAME NOT FOUND Desired Access: Maximum Allowed 10:27:55,3002863 NOTEPAD.EXE 2604 RegQueryValue HKCR\Unknown\IsShortcut NAME NOT FOUND Length: 12 10:27:55,3003354 NOTEPAD.EXE 2604 RegQueryKey HKCR\Unknown SUCCESS Query: Name 10:27:55,3003806 NOTEPAD.EXE 2604 RegQueryKey HKCR\Unknown SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,3004325 NOTEPAD.EXE 2604 RegOpenKey HKCU\Software\Classes\Unknown NAME NOT FOUND Desired Access: Maximum Allowed 10:27:55,3004795 NOTEPAD.EXE 2604 RegQueryValue HKCR\Unknown\AlwaysShowExt BUFFER OVERFLOW Length: 12 10:27:55,3005220 NOTEPAD.EXE 2604 RegQueryKey HKCR\Unknown SUCCESS Query: Name 10:27:55,3005605 NOTEPAD.EXE 2604 RegQueryKey HKCR\Unknown SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,3006084 NOTEPAD.EXE 2604 RegOpenKey HKCU\Software\Classes\Unknown NAME NOT FOUND Desired Access: Maximum Allowed 10:27:55,3006661 NOTEPAD.EXE 2604 RegQueryValue HKCR\Unknown\NeverShowExt NAME NOT FOUND Length: 12 10:27:55,3007182 NOTEPAD.EXE 2604 RegCloseKey HKCR\Unknown SUCCESS 10:27:55,3008478 NOTEPAD.EXE 2604 CloseFile C:\Users SUCCESS 10:27:55,3096046 NOTEPAD.EXE 2604 RegQueryKey HKLM SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,3097659 NOTEPAD.EXE 2604 RegOpenKey HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback SUCCESS Desired Access: Query Value, Enumerate Sub Keys 10:27:55,3098213 NOTEPAD.EXE 2604 RegSetInfoKey HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback SUCCESS KeySetInformationClass: KeySetHandleTagsInformation, Length: 0 10:27:55,3098555 NOTEPAD.EXE 2604 RegQueryKey HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback SUCCESS Query: HandleTags, HandleTags: 0x100 10:27:55,3098949 NOTEPAD.EXE 2604 RegOpenKey HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Consolas NAME NOT FOUND Desired Access: Query Value 10:27:55,3099328 NOTEPAD.EXE 2604 RegQueryKey HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback BUFFER TOO SMALL Query: Name, Length: 0 10:27:55,3100046 NOTEPAD.EXE 2604 RegQueryKey HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback SUCCESS Query: Name 10:27:55,3100753 NOTEPAD.EXE 2604 RegOpenKey HKLM\SOFTWARE\Microsoft\AppModel\Lookaside\machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Consolas NAME NOT FOUND Desired Access: Read 10:27:55,3103822 NOTEPAD.EXE 2604 RegCloseKey HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback SUCCESS 10:27:55,4029597 NOTEPAD.EXE 2604 RegQueryValue HKLM\System\CurrentControlSet\Control\Notifications\418A073AA3BC8075 BUFFER TOO SMALL Length: 0 10:27:55,4031685 NOTEPAD.EXE 2604 RegQueryValue HKLM\System\CurrentControlSet\Control\Notifications\418A073AA3BC8075 SUCCESS Type: REG_BINARY, Length: 364, Data: 01 00 04 80 00 00 00 00 00 00 00 00 00 00 00 00 10:27:55,4296380 NOTEPAD.EXE 2604 RegQueryKey HKCU SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,4298305 NOTEPAD.EXE 2604 RegOpenKey HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced SUCCESS Desired Access: Query Value 10:27:55,4299510 NOTEPAD.EXE 2604 RegQueryValue HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_TrackDocs SUCCESS Type: REG_DWORD, Length: 4, Data: 1 10:27:55,4300790 NOTEPAD.EXE 2604 RegCloseKey HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced SUCCESS 10:27:55,4309130 NOTEPAD.EXE 2604 CreateFile C:\Windows\System32\policymanager.dll SUCCESS Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened 10:27:55,4309998 NOTEPAD.EXE 2604 QueryBasicInformationFile C:\Windows\System32\policymanager.dll SUCCESS CreationTime: 13/07/2023 09:43:09, LastAccessTime: 09/08/2023 10:27:54, LastWriteTime: 13/07/2023 09:43:09, ChangeTime: 09/08/2023 10:11:19, FileAttributes: A 10:27:55,4310462 NOTEPAD.EXE 2604 CloseFile C:\Windows\System32\policymanager.dll SUCCESS 10:27:55,4314547 NOTEPAD.EXE 2604 CreateFile C:\Windows\System32\policymanager.dll SUCCESS Desired Access: Read Data/List Directory, Execute/Traverse, Synchronize, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, Delete, AllocationSize: n/a, OpenResult: Opened 10:27:55,4316494 NOTEPAD.EXE 2604 CreateFileMapping C:\Windows\System32\policymanager.dll FILE LOCKED WITH ONLY READERS SyncType: SyncTypeCreateSection, PageProtection: PAGE_EXECUTE_WRITECOPY|PAGE_NOCACHE 10:27:55,4317936 NOTEPAD.EXE 2604 CreateFileMapping C:\Windows\System32\policymanager.dll SUCCESS SyncType: SyncTypeOther 10:27:55,4325189 NOTEPAD.EXE 2604 Load Image C:\Windows\System32\policymanager.dll SUCCESS Image Base: 0x7ffb5d660000, Image Size: 0xa1000 10:27:55,4328133 NOTEPAD.EXE 2604 CloseFile C:\Windows\System32\policymanager.dll SUCCESS 10:27:55,4334071 NOTEPAD.EXE 2604 CreateFile C:\Windows\System32\msvcp110_win.dll SUCCESS Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened 10:27:55,4334984 NOTEPAD.EXE 2604 QueryBasicInformationFile C:\Windows\System32\msvcp110_win.dll SUCCESS CreationTime: 14/10/2020 11:24:44, LastAccessTime: 09/08/2023 10:27:54, LastWriteTime: 14/10/2020 11:24:44, ChangeTime: 09/08/2023 10:11:19, FileAttributes: A 10:27:55,4335485 NOTEPAD.EXE 2604 CloseFile C:\Windows\System32\msvcp110_win.dll SUCCESS 10:27:55,4340256 NOTEPAD.EXE 2604 CreateFile C:\Windows\System32\msvcp110_win.dll SUCCESS Desired Access: Read Data/List Directory, Execute/Traverse, Synchronize, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, Delete, AllocationSize: n/a, OpenResult: Opened 10:27:55,4341831 NOTEPAD.EXE 2604 CreateFileMapping C:\Windows\System32\msvcp110_win.dll FILE LOCKED WITH ONLY READERS SyncType: SyncTypeCreateSection, PageProtection: PAGE_EXECUTE_WRITECOPY|PAGE_NOCACHE 10:27:55,4343323 NOTEPAD.EXE 2604 CreateFileMapping C:\Windows\System32\msvcp110_win.dll SUCCESS SyncType: SyncTypeOther 10:27:55,4350166 NOTEPAD.EXE 2604 Load Image C:\Windows\System32\msvcp110_win.dll SUCCESS Image Base: 0x7ffb62310000, Image Size: 0x8a000 10:27:55,4352155 NOTEPAD.EXE 2604 CloseFile C:\Windows\System32\msvcp110_win.dll SUCCESS 10:27:55,4358385 NOTEPAD.EXE 2604 RegQueryValue HKLM\System\CurrentControlSet\Control\WMI\Security\ffdb0cfd-833c-4f16-ad3f-ec4be3cc1af5 NAME NOT FOUND Length: 528 10:27:55,4361373 NOTEPAD.EXE 2604 QueryNameInformationFile C:\Windows\System32\policymanager.dll SUCCESS Name: \Windows\System32\policymanager.dll 10:27:55,4363579 NOTEPAD.EXE 2604 RegQueryKey HKLM SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,4365096 NOTEPAD.EXE 2604 RegOpenKey HKLM\Software\Microsoft\PolicyManager\default\Start\HideRecentJumplists SUCCESS Desired Access: Read 10:27:55,4365848 NOTEPAD.EXE 2604 RegSetInfoKey HKLM\SOFTWARE\Microsoft\PolicyManager\default\Start\HideRecentJumplists SUCCESS KeySetInformationClass: KeySetHandleTagsInformation, Length: 0 10:27:55,4366465 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\PolicyManager\default\Start\HideRecentJumplists\PolicyType SUCCESS Type: REG_DWORD, Length: 4, Data: 4 10:27:55,4366995 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\PolicyManager\default\Start\HideRecentJumplists\Behavior SUCCESS Type: REG_DWORD, Length: 4, Data: 139312 10:27:55,4367752 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\PolicyManager\default\Start\HideRecentJumplists\MergeAlgorithm SUCCESS Type: REG_DWORD, Length: 4, Data: 1 10:27:55,4369263 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\PolicyManager\default\Start\HideRecentJumplists\RegKeyPathRedirectMapped NAME NOT FOUND Length: 16 10:27:55,4369641 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\PolicyManager\default\Start\HideRecentJumplists\RegKeyPathRedirect NAME NOT FOUND Length: 12 10:27:55,4370152 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\PolicyManager\default\Start\HideRecentJumplists\grouppolicyname BUFFER OVERFLOW Length: 12 10:27:55,4372090 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\PolicyManager\default\Start\HideRecentJumplists\grouppolicyname SUCCESS Type: REG_SZ, Length: 40, Data: NoRecentDocsHistory 10:27:55,4372647 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\PolicyManager\default\Start\HideRecentJumplists\grouppolicypath BUFFER OVERFLOW Length: 12 10:27:55,4373088 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\PolicyManager\default\Start\HideRecentJumplists\grouppolicypath SUCCESS Type: REG_SZ, Length: 120, Data: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer 10:27:55,4375914 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\PolicyManager\default\Start\HideRecentJumplists\grouppolicyismultisz NAME NOT FOUND Length: 16 10:27:55,4377147 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\PolicyManager\default\Start\HideRecentJumplists\grouppolicymultiszSeparatorChar NAME NOT FOUND Length: 12 10:27:55,4378912 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\PolicyManager\default\Start\HideRecentJumplists\ADMXMetadataUser NAME NOT FOUND Length: 12 10:27:55,4379449 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\PolicyManager\default\Start\HideRecentJumplists\ADMXMetadataDevice NAME NOT FOUND Length: 12 10:27:55,4380246 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\PolicyManager\default\Start\HideRecentJumplists\ADMXMetadataBoth NAME NOT FOUND Length: 12 10:27:55,4381630 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\PolicyManager\default\Start\HideRecentJumplists\30Value NAME NOT FOUND Length: 12 10:27:55,4383167 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\PolicyManager\default\Start\HideRecentJumplists\Value SUCCESS Type: REG_DWORD, Length: 4, Data: 0 10:27:55,4384797 NOTEPAD.EXE 2604 RegCloseKey HKLM\SOFTWARE\Microsoft\PolicyManager\default\Start\HideRecentJumplists SUCCESS 10:27:55,4387861 NOTEPAD.EXE 2604 RegOpenKey HKCU SUCCESS Desired Access: Read 10:27:55,4388373 NOTEPAD.EXE 2604 RegQueryKey HKCU SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,4388722 NOTEPAD.EXE 2604 RegOpenKey HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer NAME NOT FOUND Desired Access: Read 10:27:55,4389176 NOTEPAD.EXE 2604 RegQueryKey HKCU BUFFER TOO SMALL Query: Name, Length: 0 10:27:55,4389879 NOTEPAD.EXE 2604 RegQueryKey HKCU SUCCESS Query: Name 10:27:55,4390557 NOTEPAD.EXE 2604 RegOpenKey HKLM\SOFTWARE\Microsoft\AppModel\Lookaside\user\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer NAME NOT FOUND Desired Access: Read 10:27:55,4391160 NOTEPAD.EXE 2604 RegCloseKey HKCU SUCCESS 10:27:55,4392408 NOTEPAD.EXE 2604 RegQueryKey HKLM SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,4393170 NOTEPAD.EXE 2604 RegOpenKey HKLM\Software\Microsoft\PolicyManager\current\S-1-5-21-467048075-196725563-1868618205-1001\Start NAME NOT FOUND Desired Access: Read 10:27:55,4393690 NOTEPAD.EXE 2604 RegQueryKey HKLM BUFFER TOO SMALL Query: Name, Length: 0 10:27:55,4394302 NOTEPAD.EXE 2604 RegQueryKey HKLM SUCCESS Query: Name 10:27:55,4395657 NOTEPAD.EXE 2604 RegOpenKey HKLM\SOFTWARE\Microsoft\AppModel\Lookaside\machine\Software\Microsoft\PolicyManager\current\S-1-5-21-467048075-196725563-1868618205-1001\Start NAME NOT FOUND Desired Access: Read 10:27:55,4398042 NOTEPAD.EXE 2604 RegQueryKey HKLM SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,4400281 NOTEPAD.EXE 2604 RegOpenKey HKLM\Software\Microsoft\PolicyManager\current\S-1-5-21-467048075-196725563-1868618205-1001\Start NAME NOT FOUND Desired Access: Read 10:27:55,4402464 NOTEPAD.EXE 2604 RegQueryKey HKLM BUFFER TOO SMALL Query: Name, Length: 0 10:27:55,4403348 NOTEPAD.EXE 2604 RegQueryKey HKLM SUCCESS Query: Name 10:27:55,4403958 NOTEPAD.EXE 2604 RegOpenKey HKLM\SOFTWARE\Microsoft\AppModel\Lookaside\machine\Software\Microsoft\PolicyManager\current\S-1-5-21-467048075-196725563-1868618205-1001\Start NAME NOT FOUND Desired Access: Read 10:27:55,4405338 NOTEPAD.EXE 2604 RegOpenKey HKCU SUCCESS Desired Access: Read 10:27:55,4406170 NOTEPAD.EXE 2604 RegQueryKey HKCU SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,4406573 NOTEPAD.EXE 2604 RegOpenKey HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer NAME NOT FOUND Desired Access: Read 10:27:55,4406999 NOTEPAD.EXE 2604 RegQueryKey HKCU BUFFER TOO SMALL Query: Name, Length: 0 10:27:55,4407365 NOTEPAD.EXE 2604 RegQueryKey HKCU SUCCESS Query: Name 10:27:55,4407959 NOTEPAD.EXE 2604 RegOpenKey HKLM\SOFTWARE\Microsoft\AppModel\Lookaside\user\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer NAME NOT FOUND Desired Access: Read 10:27:55,4408469 NOTEPAD.EXE 2604 RegCloseKey HKCU SUCCESS 10:27:55,4409023 NOTEPAD.EXE 2604 RegQueryKey HKLM SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,4409388 NOTEPAD.EXE 2604 RegOpenKey HKLM\Software\Microsoft\PolicyManager\default\Start\HideRecentJumplists SUCCESS Desired Access: Read 10:27:55,4409989 NOTEPAD.EXE 2604 RegSetInfoKey HKLM\SOFTWARE\Microsoft\PolicyManager\default\Start\HideRecentJumplists SUCCESS KeySetInformationClass: KeySetHandleTagsInformation, Length: 0 10:27:55,4410435 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\PolicyManager\default\Start\HideRecentJumplists\PolicyType SUCCESS Type: REG_DWORD, Length: 4, Data: 4 10:27:55,4410794 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\PolicyManager\default\Start\HideRecentJumplists\Behavior SUCCESS Type: REG_DWORD, Length: 4, Data: 139312 10:27:55,4411167 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\PolicyManager\default\Start\HideRecentJumplists\MergeAlgorithm SUCCESS Type: REG_DWORD, Length: 4, Data: 1 10:27:55,4411555 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\PolicyManager\default\Start\HideRecentJumplists\RegKeyPathRedirectMapped NAME NOT FOUND Length: 16 10:27:55,4412348 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\PolicyManager\default\Start\HideRecentJumplists\RegKeyPathRedirect NAME NOT FOUND Length: 12 10:27:55,4412685 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\PolicyManager\default\Start\HideRecentJumplists\grouppolicyname BUFFER OVERFLOW Length: 12 10:27:55,4413160 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\PolicyManager\default\Start\HideRecentJumplists\grouppolicyname SUCCESS Type: REG_SZ, Length: 40, Data: NoRecentDocsHistory 10:27:55,4413611 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\PolicyManager\default\Start\HideRecentJumplists\grouppolicypath BUFFER OVERFLOW Length: 12 10:27:55,4413929 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\PolicyManager\default\Start\HideRecentJumplists\grouppolicypath SUCCESS Type: REG_SZ, Length: 120, Data: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer 10:27:55,4414271 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\PolicyManager\default\Start\HideRecentJumplists\grouppolicyismultisz NAME NOT FOUND Length: 16 10:27:55,4414596 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\PolicyManager\default\Start\HideRecentJumplists\grouppolicymultiszSeparatorChar NAME NOT FOUND Length: 12 10:27:55,4415076 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\PolicyManager\default\Start\HideRecentJumplists\ADMXMetadataUser NAME NOT FOUND Length: 12 10:27:55,4415371 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\PolicyManager\default\Start\HideRecentJumplists\ADMXMetadataDevice NAME NOT FOUND Length: 12 10:27:55,4415754 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\PolicyManager\default\Start\HideRecentJumplists\ADMXMetadataBoth NAME NOT FOUND Length: 12 10:27:55,4416719 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\PolicyManager\default\Start\HideRecentJumplists\30Value NAME NOT FOUND Length: 12 10:27:55,4417073 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\PolicyManager\default\Start\HideRecentJumplists\Value SUCCESS Type: REG_DWORD, Length: 4, Data: 0 10:27:55,4417752 NOTEPAD.EXE 2604 RegCloseKey HKLM\SOFTWARE\Microsoft\PolicyManager\default\Start\HideRecentJumplists SUCCESS 10:27:55,4418694 NOTEPAD.EXE 2604 RegQueryKey HKLM SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,4419066 NOTEPAD.EXE 2604 RegOpenKey HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer SUCCESS Desired Access: Read 10:27:55,4419586 NOTEPAD.EXE 2604 RegSetInfoKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer SUCCESS KeySetInformationClass: KeySetHandleTagsInformation, Length: 0 10:27:55,4419914 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRecentDocsHistory SUCCESS Type: REG_DWORD, Length: 4, Data: 0 10:27:55,4420357 NOTEPAD.EXE 2604 RegCloseKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer SUCCESS 10:27:55,4421067 NOTEPAD.EXE 2604 RegQueryKey HKLM SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,4421505 NOTEPAD.EXE 2604 RegOpenKey HKLM\Software\Microsoft\PolicyManager\current\Device\Start SUCCESS Desired Access: Read 10:27:55,4422191 NOTEPAD.EXE 2604 RegSetInfoKey HKLM\SOFTWARE\Microsoft\PolicyManager\current\device\Start SUCCESS KeySetInformationClass: KeySetHandleTagsInformation, Length: 0 10:27:55,4422790 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\PolicyManager\current\device\Start\HideRecentJumplists_ProviderSet NAME NOT FOUND Length: 16 10:27:55,4423431 NOTEPAD.EXE 2604 RegCloseKey HKLM\SOFTWARE\Microsoft\PolicyManager\current\device\Start SUCCESS 10:27:55,4423999 NOTEPAD.EXE 2604 RegQueryKey HKLM SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,4424364 NOTEPAD.EXE 2604 RegOpenKey HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer SUCCESS Desired Access: Read 10:27:55,4424866 NOTEPAD.EXE 2604 RegSetInfoKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer SUCCESS KeySetInformationClass: KeySetHandleTagsInformation, Length: 0 10:27:55,4425260 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRecentDocsHistory BUFFER OVERFLOW Length: 12 10:27:55,4425709 NOTEPAD.EXE 2604 RegCloseKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer SUCCESS 10:27:55,4429202 NOTEPAD.EXE 2604 RegQueryKey HKCU SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,4429605 NOTEPAD.EXE 2604 RegOpenKey HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume SUCCESS Desired Access: Read 10:27:55,4430098 NOTEPAD.EXE 2604 RegQueryKey HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,4430489 NOTEPAD.EXE 2604 RegOpenKey HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{70b2a5bd-0000-0000-0000-501f00000000}\ SUCCESS Desired Access: Read 10:27:55,4430985 NOTEPAD.EXE 2604 RegCloseKey HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume SUCCESS 10:27:55,4431355 NOTEPAD.EXE 2604 RegQueryValue HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{70b2a5bd-0000-0000-0000-501f00000000}\Data BUFFER OVERFLOW Length: 144 10:27:55,4431772 NOTEPAD.EXE 2604 RegQueryValue HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{70b2a5bd-0000-0000-0000-501f00000000}\Data SUCCESS Type: REG_BINARY, Length: 1.370, Data: D6 0D 00 00 0D F0 AD BA 41 00 00 00 08 00 00 00 10:27:55,4432428 NOTEPAD.EXE 2604 RegCloseKey HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{70b2a5bd-0000-0000-0000-501f00000000} SUCCESS 10:27:55,4432846 NOTEPAD.EXE 2604 RegQueryKey HKCU SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,4433210 NOTEPAD.EXE 2604 RegOpenKey HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume SUCCESS Desired Access: Read 10:27:55,4433663 NOTEPAD.EXE 2604 RegQueryKey HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,4434913 NOTEPAD.EXE 2604 RegOpenKey HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{70b2a5bd-0000-0000-0000-501f00000000}\ SUCCESS Desired Access: Read 10:27:55,4435493 NOTEPAD.EXE 2604 RegCloseKey HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume SUCCESS 10:27:55,4435998 NOTEPAD.EXE 2604 RegQueryValue HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{70b2a5bd-0000-0000-0000-501f00000000}\Generation SUCCESS Type: REG_DWORD, Length: 4, Data: 1 10:27:55,4436474 NOTEPAD.EXE 2604 RegCloseKey HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{70b2a5bd-0000-0000-0000-501f00000000} SUCCESS 10:27:55,4437559 NOTEPAD.EXE 2604 RegQueryKey HKCU SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,4438502 NOTEPAD.EXE 2604 RegOpenKey HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume SUCCESS Desired Access: Read 10:27:55,4439553 NOTEPAD.EXE 2604 RegQueryKey HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,4441421 NOTEPAD.EXE 2604 RegOpenKey HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{70b2a5bd-0000-0000-0000-501f00000000}\ SUCCESS Desired Access: Read 10:27:55,4442061 NOTEPAD.EXE 2604 RegCloseKey HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume SUCCESS 10:27:55,4444842 NOTEPAD.EXE 2604 RegQueryValue HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{70b2a5bd-0000-0000-0000-501f00000000}\Generation SUCCESS Type: REG_DWORD, Length: 4, Data: 1 10:27:55,4445513 NOTEPAD.EXE 2604 RegCloseKey HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{70b2a5bd-0000-0000-0000-501f00000000} SUCCESS 10:27:55,4446623 NOTEPAD.EXE 2604 Load Image C:\Windows\System32\cfgmgr32.dll SUCCESS Image Base: 0x7ffb63490000, Image Size: 0x4e000 10:27:55,4447573 NOTEPAD.EXE 2604 RegQueryKey HKLM SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,4448228 NOTEPAD.EXE 2604 RegOpenKey HKLM\Software\Policies\Microsoft\Windows\Explorer NAME NOT FOUND Desired Access: Query Value 10:27:55,4448717 NOTEPAD.EXE 2604 RegQueryKey HKLM BUFFER TOO SMALL Query: Name, Length: 0 10:27:55,4449115 NOTEPAD.EXE 2604 RegQueryKey HKLM SUCCESS Query: Name 10:27:55,4449923 NOTEPAD.EXE 2604 RegOpenKey HKLM\SOFTWARE\Microsoft\AppModel\Lookaside\machine\Software\Policies\Microsoft\Windows\Explorer NAME NOT FOUND Desired Access: Read 10:27:55,4450634 NOTEPAD.EXE 2604 RegQueryKey HKCU SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,4451475 NOTEPAD.EXE 2604 RegOpenKey HKCU\Software\Policies\Microsoft\Windows\Explorer NAME NOT FOUND Desired Access: Query Value 10:27:55,4452591 NOTEPAD.EXE 2604 RegOpenKey HKLM\System\CurrentControlSet\Control\DeviceClasses\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b} SUCCESS Desired Access: All Access 10:27:55,4453387 NOTEPAD.EXE 2604 RegQueryKey HKCU BUFFER TOO SMALL Query: Name, Length: 0 10:27:55,4454378 NOTEPAD.EXE 2604 RegOpenKey HKLM\System\CurrentControlSet\Control\DeviceClasses\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Properties NAME NOT FOUND Desired Access: Query Value 10:27:55,4454965 NOTEPAD.EXE 2604 RegQueryKey HKCU SUCCESS Query: Name 10:27:55,4457032 NOTEPAD.EXE 2604 RegOpenKey HKLM\SOFTWARE\Microsoft\AppModel\Lookaside\user\Software\Policies\Microsoft\Windows\Explorer NAME NOT FOUND Desired Access: Read 10:27:55,4458125 NOTEPAD.EXE 2604 RegCloseKey HKLM\System\CurrentControlSet\Control\DeviceClasses\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b} SUCCESS 10:27:55,4459021 NOTEPAD.EXE 2604 CreateFile C:\ SUCCESS Desired Access: Read Data/List Directory, Read Attributes, Synchronize, Disposition: Open, Options: Synchronous IO Non-Alert, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened 10:27:55,4459770 NOTEPAD.EXE 2604 RegOpenKey HKLM\System\CurrentControlSet\Control\DeviceClasses\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b} SUCCESS Desired Access: All Access 10:27:55,4460404 NOTEPAD.EXE 2604 QueryRemoteProtocolInformation C:\ INVALID PARAMETER 10:27:55,4461021 NOTEPAD.EXE 2604 RegOpenKey HKLM\System\CurrentControlSet\Control\DeviceClasses\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Properties NAME NOT FOUND Desired Access: Query Value 10:27:55,4461254 NOTEPAD.EXE 2604 QueryDirectory C:\Users SUCCESS FileInformationClass: FileIdBothDirectoryInformation, Filter: Users, 2: Users 10:27:55,4462370 NOTEPAD.EXE 2604 CloseFile C:\ SUCCESS 10:27:55,4463778 NOTEPAD.EXE 2604 RegCloseKey HKLM\System\CurrentControlSet\Control\DeviceClasses\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b} SUCCESS 10:27:55,4465501 NOTEPAD.EXE 2604 RegQueryKey HKCU\Software\Classes SUCCESS Query: Name 10:27:55,4466578 NOTEPAD.EXE 2604 RegQueryKey HKCU\Software\Classes SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,4467074 NOTEPAD.EXE 2604 RegQueryKey HKCU\Software\Classes SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,4467530 NOTEPAD.EXE 2604 RegOpenKey HKCU\Software\Classes\CLSID\{1F486A52-3CB1-48FD-8F50-B8DC300D9F9D} NAME NOT FOUND Desired Access: Read 10:27:55,4467963 NOTEPAD.EXE 2604 RegQueryKey HKCU SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,4468067 NOTEPAD.EXE 2604 RegOpenKey HKCR\CLSID\{1F486A52-3CB1-48FD-8F50-B8DC300D9F9D} SUCCESS Desired Access: Read 10:27:55,4468451 NOTEPAD.EXE 2604 RegOpenKey HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume SUCCESS Desired Access: Read 10:27:55,4468692 NOTEPAD.EXE 2604 RegQueryKey HKCR\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d} SUCCESS Query: Name 10:27:55,4469080 NOTEPAD.EXE 2604 RegQueryKey HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,4469190 NOTEPAD.EXE 2604 RegQueryKey HKCR\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d} SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,4469654 NOTEPAD.EXE 2604 RegOpenKey HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{70b2a5bd-0000-0000-0000-100000000000}\ SUCCESS Desired Access: Read 10:27:55,4470005 NOTEPAD.EXE 2604 RegOpenKey HKCU\Software\Classes\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\TreatAs NAME NOT FOUND Desired Access: Query Value 10:27:55,4470210 NOTEPAD.EXE 2604 RegCloseKey HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume SUCCESS 10:27:55,4470607 NOTEPAD.EXE 2604 RegQueryKey HKCR\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d} SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,4470903 NOTEPAD.EXE 2604 RegQueryValue HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{70b2a5bd-0000-0000-0000-100000000000}\Data BUFFER OVERFLOW Length: 144 10:27:55,4471248 NOTEPAD.EXE 2604 RegOpenKey HKCR\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\TreatAs NAME NOT FOUND Desired Access: Query Value 10:27:55,4471490 NOTEPAD.EXE 2604 RegQueryValue HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{70b2a5bd-0000-0000-0000-100000000000}\Data SUCCESS Type: REG_BINARY, Length: 1.370, Data: D6 0D 00 00 0D F0 AD BA 01 00 00 00 08 00 00 00 10:27:55,4472267 NOTEPAD.EXE 2604 RegQueryKey HKCR\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d} BUFFER TOO SMALL Query: Name, Length: 0 10:27:55,4473259 NOTEPAD.EXE 2604 RegCloseKey HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{70b2a5bd-0000-0000-0000-100000000000} SUCCESS 10:27:55,4474702 NOTEPAD.EXE 2604 RegQueryKey HKCR\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d} SUCCESS Query: Name 10:27:55,4476274 NOTEPAD.EXE 2604 RegOpenKey HKLM\SOFTWARE\Microsoft\AppModel\Lookaside\machine\SOFTWARE\Classes\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\TreatAs NAME NOT FOUND Desired Access: Read 10:27:55,4476292 NOTEPAD.EXE 2604 RegQueryKey HKCU SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,4479008 NOTEPAD.EXE 2604 RegOpenKey HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume SUCCESS Desired Access: Read 10:27:55,4479199 NOTEPAD.EXE 2604 RegQueryKey HKCR\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d} SUCCESS Query: Name 10:27:55,4480458 NOTEPAD.EXE 2604 RegQueryKey HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,4481195 NOTEPAD.EXE 2604 RegQueryKey HKCR\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d} SUCCESS Query: Name 10:27:55,4481914 NOTEPAD.EXE 2604 RegOpenKey HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{70b2a5bd-0000-0000-0000-100000000000}\ SUCCESS Desired Access: Read 10:27:55,4482755 NOTEPAD.EXE 2604 RegQueryKey HKCR\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d} SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,4483122 NOTEPAD.EXE 2604 RegCloseKey HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume SUCCESS 10:27:55,4484119 NOTEPAD.EXE 2604 RegOpenKey HKCU\Software\Classes\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d} NAME NOT FOUND Desired Access: Maximum Allowed 10:27:55,4484168 NOTEPAD.EXE 2604 RegQueryValue HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{70b2a5bd-0000-0000-0000-100000000000}\Generation SUCCESS Type: REG_DWORD, Length: 4, Data: 1 10:27:55,4485346 NOTEPAD.EXE 2604 RegQueryValue HKCR\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\ActivateOnHostFlags NAME NOT FOUND Length: 16 10:27:55,4485418 NOTEPAD.EXE 2604 RegCloseKey HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{70b2a5bd-0000-0000-0000-100000000000} SUCCESS 10:27:55,4486454 NOTEPAD.EXE 2604 RegQueryKey HKCR\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d} SUCCESS Query: Name 10:27:55,4489279 NOTEPAD.EXE 2604 RegQueryKey HKCU SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,4490299 NOTEPAD.EXE 2604 RegQueryKey HKCR\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d} SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,4491104 NOTEPAD.EXE 2604 RegOpenKey HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume SUCCESS Desired Access: Read 10:27:55,4491739 NOTEPAD.EXE 2604 RegOpenKey HKCU\Software\Classes\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d} NAME NOT FOUND Desired Access: Maximum Allowed 10:27:55,4492877 NOTEPAD.EXE 2604 RegQueryKey HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,4493380 NOTEPAD.EXE 2604 RegQueryValue HKCR\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\(Default) BUFFER OVERFLOW Length: 12 10:27:55,4494221 NOTEPAD.EXE 2604 RegOpenKey HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{6bf97209-0000-0000-0000-100000000000}\ SUCCESS Desired Access: Read 10:27:55,4496414 NOTEPAD.EXE 2604 RegQueryKey HKCR\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d} SUCCESS Query: Name 10:27:55,4497358 NOTEPAD.EXE 2604 RegCloseKey HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume SUCCESS 10:27:55,4498484 NOTEPAD.EXE 2604 RegQueryKey HKCR\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d} SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,4498520 NOTEPAD.EXE 2604 RegQueryValue HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{6bf97209-0000-0000-0000-100000000000}\Data BUFFER OVERFLOW Length: 144 10:27:55,4499182 NOTEPAD.EXE 2604 RegQueryValue HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{6bf97209-0000-0000-0000-100000000000}\Data SUCCESS Type: REG_BINARY, Length: 1.370, Data: D6 0D 00 00 0D F0 AD BA 01 00 00 00 08 00 00 00 10:27:55,4499324 NOTEPAD.EXE 2604 RegOpenKey HKCU\Software\Classes\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d} NAME NOT FOUND Desired Access: Maximum Allowed 10:27:55,4499750 NOTEPAD.EXE 2604 RegCloseKey HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{6bf97209-0000-0000-0000-100000000000} SUCCESS 10:27:55,4500012 NOTEPAD.EXE 2604 RegQueryValue HKCR\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\(Default) SUCCESS Type: REG_SZ, Length: 48, Data: Memory Mapped Cache Mgr 10:27:55,4500255 NOTEPAD.EXE 2604 RegQueryKey HKCU SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,4500737 NOTEPAD.EXE 2604 RegQueryKey HKCR\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d} SUCCESS Query: Name 10:27:55,4501032 NOTEPAD.EXE 2604 RegOpenKey HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume SUCCESS Desired Access: Read 10:27:55,4501243 NOTEPAD.EXE 2604 RegQueryKey HKCR\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d} SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,4501464 NOTEPAD.EXE 2604 RegQueryKey HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,4501744 NOTEPAD.EXE 2604 RegOpenKey HKCU\Software\Classes\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InprocServer32 NAME NOT FOUND Desired Access: Read 10:27:55,4501890 NOTEPAD.EXE 2604 RegOpenKey HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{6bf97209-0000-0000-0000-100000000000}\ SUCCESS Desired Access: Read 10:27:55,4502222 NOTEPAD.EXE 2604 RegQueryKey HKCR\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d} SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,4502362 NOTEPAD.EXE 2604 RegCloseKey HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume SUCCESS 10:27:55,4502620 NOTEPAD.EXE 2604 RegOpenKey HKCR\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InprocServer32 SUCCESS Desired Access: Read 10:27:55,4502664 NOTEPAD.EXE 2604 RegQueryValue HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{6bf97209-0000-0000-0000-100000000000}\Generation SUCCESS Type: REG_DWORD, Length: 4, Data: 1 10:27:55,4503949 NOTEPAD.EXE 2604 RegCloseKey HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{6bf97209-0000-0000-0000-100000000000} SUCCESS 10:27:55,4504307 NOTEPAD.EXE 2604 RegQueryKey HKCR\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32 SUCCESS Query: Name 10:27:55,4504873 NOTEPAD.EXE 2604 RegQueryKey HKCR\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32 SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,4505868 NOTEPAD.EXE 2604 RegOpenKey HKCU\Software\Classes\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32 NAME NOT FOUND Desired Access: Maximum Allowed 10:27:55,4506940 NOTEPAD.EXE 2604 RegQueryValue HKCR\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32\InprocServer32 NAME NOT FOUND Length: 12 10:27:55,4507895 NOTEPAD.EXE 2604 RegQueryKey HKCR\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32 SUCCESS Query: Name 10:27:55,4508364 NOTEPAD.EXE 2604 RegQueryKey HKCU SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,4509035 NOTEPAD.EXE 2604 RegQueryKey HKCR\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32 SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,4509449 NOTEPAD.EXE 2604 RegOpenKey HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume SUCCESS Desired Access: Read 10:27:55,4509637 NOTEPAD.EXE 2604 RegOpenKey HKCU\Software\Classes\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32 NAME NOT FOUND Desired Access: Maximum Allowed 10:27:55,4510035 NOTEPAD.EXE 2604 RegQueryKey HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,4510185 NOTEPAD.EXE 2604 RegQueryValue HKCR\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32\(Default) BUFFER OVERFLOW Length: 12 10:27:55,4510522 NOTEPAD.EXE 2604 RegOpenKey HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{70b2a5bd-0000-0000-0000-90d11b000000}\ SUCCESS Desired Access: Read 10:27:55,4510598 NOTEPAD.EXE 2604 RegQueryKey HKCR\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32 SUCCESS Query: Name 10:27:55,4511073 NOTEPAD.EXE 2604 RegQueryKey HKCR\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32 SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,4511233 NOTEPAD.EXE 2604 RegCloseKey HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume SUCCESS 10:27:55,4511714 NOTEPAD.EXE 2604 RegOpenKey HKCU\Software\Classes\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32 NAME NOT FOUND Desired Access: Maximum Allowed 10:27:55,4511793 NOTEPAD.EXE 2604 RegQueryValue HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{70b2a5bd-0000-0000-0000-90d11b000000}\Data BUFFER OVERFLOW Length: 144 10:27:55,4512273 NOTEPAD.EXE 2604 RegQueryValue HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{70b2a5bd-0000-0000-0000-90d11b000000}\Data SUCCESS Type: REG_BINARY, Length: 1.370, Data: D6 0D 00 00 0D F0 AD BA 01 00 00 00 08 00 00 00 10:27:55,4512307 NOTEPAD.EXE 2604 RegQueryValue HKCR\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32\(Default) SUCCESS Type: REG_EXPAND_SZ, Length: 68, Data: %SystemRoot%\system32\propsys.dll 10:27:55,4512809 NOTEPAD.EXE 2604 RegCloseKey HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{70b2a5bd-0000-0000-0000-90d11b000000} SUCCESS 10:27:55,4512918 NOTEPAD.EXE 2604 RegQueryKey HKCR\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32 SUCCESS Query: Name 10:27:55,4513302 NOTEPAD.EXE 2604 RegQueryKey HKCU SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,4513402 NOTEPAD.EXE 2604 RegQueryKey HKCR\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32 SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,4513664 NOTEPAD.EXE 2604 RegOpenKey HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume SUCCESS Desired Access: Read 10:27:55,4513975 NOTEPAD.EXE 2604 RegOpenKey HKCU\Software\Classes\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32 NAME NOT FOUND Desired Access: Maximum Allowed 10:27:55,4514118 NOTEPAD.EXE 2604 RegQueryKey HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,4514457 NOTEPAD.EXE 2604 RegOpenKey HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{70b2a5bd-0000-0000-0000-90d11b000000}\ SUCCESS Desired Access: Read 10:27:55,4514590 NOTEPAD.EXE 2604 RegQueryValue HKCR\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32\(Default) SUCCESS Type: REG_EXPAND_SZ, Length: 68, Data: %SystemRoot%\system32\propsys.dll 10:27:55,4515149 NOTEPAD.EXE 2604 RegCloseKey HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume SUCCESS 10:27:55,4515269 NOTEPAD.EXE 2604 RegQueryKey HKCR\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32 SUCCESS Query: Name 10:27:55,4515459 NOTEPAD.EXE 2604 RegQueryValue HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{70b2a5bd-0000-0000-0000-90d11b000000}\Generation SUCCESS Type: REG_DWORD, Length: 4, Data: 1 10:27:55,4515732 NOTEPAD.EXE 2604 RegQueryKey HKCR\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32 SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,4515814 NOTEPAD.EXE 2604 RegCloseKey HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{70b2a5bd-0000-0000-0000-90d11b000000} SUCCESS 10:27:55,4516530 NOTEPAD.EXE 2604 RegOpenKey HKCU\Software\Classes\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32 NAME NOT FOUND Desired Access: Maximum Allowed 10:27:55,4517052 NOTEPAD.EXE 2604 RegQueryValue HKCR\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32\ThreadingModel SUCCESS Type: REG_SZ, Length: 10, Data: Both 10:27:55,4517544 NOTEPAD.EXE 2604 RegCloseKey HKCR\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32 SUCCESS 10:27:55,4518001 NOTEPAD.EXE 2604 RegQueryKey HKCR\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d} SUCCESS Query: Name 10:27:55,4518557 NOTEPAD.EXE 2604 RegQueryKey HKCR\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d} SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,4519086 NOTEPAD.EXE 2604 RegQueryKey HKCU SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,4519195 NOTEPAD.EXE 2604 RegOpenKey HKCU\Software\Classes\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InprocHandler32 NAME NOT FOUND Desired Access: Query Value 10:27:55,4519539 NOTEPAD.EXE 2604 RegOpenKey HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume SUCCESS Desired Access: Read 10:27:55,4519749 NOTEPAD.EXE 2604 RegQueryKey HKCR\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d} SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,4519989 NOTEPAD.EXE 2604 RegQueryKey HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,4520170 NOTEPAD.EXE 2604 RegOpenKey HKCR\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InprocHandler32 NAME NOT FOUND Desired Access: Query Value 10:27:55,4520454 NOTEPAD.EXE 2604 RegOpenKey HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{70b2a5bd-0000-0000-0000-501f00000000}\ SUCCESS Desired Access: Read 10:27:55,4520651 NOTEPAD.EXE 2604 RegQueryKey HKCR\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d} BUFFER TOO SMALL Query: Name, Length: 0 10:27:55,4521342 NOTEPAD.EXE 2604 RegCloseKey HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume SUCCESS 10:27:55,4521749 NOTEPAD.EXE 2604 RegQueryKey HKCR\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d} SUCCESS Query: Name 10:27:55,4521882 NOTEPAD.EXE 2604 RegQueryValue HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{70b2a5bd-0000-0000-0000-501f00000000}\Data BUFFER OVERFLOW Length: 144 10:27:55,4522369 NOTEPAD.EXE 2604 RegQueryValue HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{70b2a5bd-0000-0000-0000-501f00000000}\Data SUCCESS Type: REG_BINARY, Length: 1.370, Data: D6 0D 00 00 0D F0 AD BA 41 00 00 00 08 00 00 00 10:27:55,4522420 NOTEPAD.EXE 2604 RegOpenKey HKLM\SOFTWARE\Microsoft\AppModel\Lookaside\machine\SOFTWARE\Classes\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InprocHandler32 NAME NOT FOUND Desired Access: Read 10:27:55,4523010 NOTEPAD.EXE 2604 RegQueryKey HKCR\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d} SUCCESS Query: Name 10:27:55,4523090 NOTEPAD.EXE 2604 RegCloseKey HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{70b2a5bd-0000-0000-0000-501f00000000} SUCCESS 10:27:55,4523922 NOTEPAD.EXE 2604 RegQueryKey HKCR\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d} SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,4524082 NOTEPAD.EXE 2604 RegQueryKey HKCU SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,4525176 NOTEPAD.EXE 2604 RegOpenKey HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume SUCCESS Desired Access: Read 10:27:55,4525247 NOTEPAD.EXE 2604 RegOpenKey HKCU\Software\Classes\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InprocHandler NAME NOT FOUND Desired Access: Query Value 10:27:55,4526364 NOTEPAD.EXE 2604 RegQueryKey HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,4526525 NOTEPAD.EXE 2604 RegQueryKey HKCR\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d} SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,4526851 NOTEPAD.EXE 2604 RegOpenKey HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{70b2a5bd-0000-0000-0000-501f00000000}\ SUCCESS Desired Access: Read 10:27:55,4527291 NOTEPAD.EXE 2604 RegOpenKey HKCR\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InprocHandler NAME NOT FOUND Desired Access: Query Value 10:27:55,4527345 NOTEPAD.EXE 2604 RegCloseKey HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume SUCCESS 10:27:55,4528068 NOTEPAD.EXE 2604 RegQueryValue HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{70b2a5bd-0000-0000-0000-501f00000000}\Generation SUCCESS Type: REG_DWORD, Length: 4, Data: 1 10:27:55,4528116 NOTEPAD.EXE 2604 RegQueryKey HKCR\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d} BUFFER TOO SMALL Query: Name, Length: 0 10:27:55,4528509 NOTEPAD.EXE 2604 RegCloseKey HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{70b2a5bd-0000-0000-0000-501f00000000} SUCCESS 10:27:55,4528637 NOTEPAD.EXE 2604 RegQueryKey HKCR\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d} SUCCESS Query: Name 10:27:55,4529376 NOTEPAD.EXE 2604 RegOpenKey HKLM\SOFTWARE\Microsoft\AppModel\Lookaside\machine\SOFTWARE\Classes\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InprocHandler NAME NOT FOUND Desired Access: Read 10:27:55,4529984 NOTEPAD.EXE 2604 RegCloseKey HKCR\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d} SUCCESS 10:27:55,4531252 NOTEPAD.EXE 2604 RegQueryKey HKCU\Software\Classes SUCCESS Query: Name 10:27:55,4531964 NOTEPAD.EXE 2604 RegQueryKey HKCU\Software\Classes SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,4532540 NOTEPAD.EXE 2604 RegQueryKey HKCU\Software\Classes SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,4532998 NOTEPAD.EXE 2604 RegOpenKey HKCU\Software\Classes\CLSID\{1F486A52-3CB1-48FD-8F50-B8DC300D9F9D} NAME NOT FOUND Desired Access: Read 10:27:55,4533543 NOTEPAD.EXE 2604 RegOpenKey HKCR\CLSID\{1F486A52-3CB1-48FD-8F50-B8DC300D9F9D} SUCCESS Desired Access: Read 10:27:55,4534128 NOTEPAD.EXE 2604 RegQueryKey HKCR\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d} SUCCESS Query: Name 10:27:55,4534757 NOTEPAD.EXE 2604 RegQueryKey HKCR\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d} SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,4535390 NOTEPAD.EXE 2604 RegOpenKey HKCU\Software\Classes\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\TreatAs NAME NOT FOUND Desired Access: Query Value 10:27:55,4535893 NOTEPAD.EXE 2604 RegQueryKey HKCR\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d} SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,4536500 NOTEPAD.EXE 2604 RegOpenKey HKCR\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\TreatAs NAME NOT FOUND Desired Access: Query Value 10:27:55,4537137 NOTEPAD.EXE 2604 RegQueryKey HKCR\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d} BUFFER TOO SMALL Query: Name, Length: 0 10:27:55,4537750 NOTEPAD.EXE 2604 RegQueryKey HKCR\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d} SUCCESS Query: Name 10:27:55,4538441 NOTEPAD.EXE 2604 RegOpenKey HKLM\SOFTWARE\Microsoft\AppModel\Lookaside\machine\SOFTWARE\Classes\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\TreatAs NAME NOT FOUND Desired Access: Read 10:27:55,4539009 NOTEPAD.EXE 2604 RegQueryKey HKCR\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d} SUCCESS Query: Name 10:27:55,4540998 NOTEPAD.EXE 2604 RegQueryKey HKCR\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d} SUCCESS Query: Name 10:27:55,4547346 NOTEPAD.EXE 2604 RegQueryKey HKCR\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d} SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,4552582 NOTEPAD.EXE 2604 RegOpenKey HKCU\Software\Classes\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d} NAME NOT FOUND Desired Access: Maximum Allowed 10:27:55,4561448 NOTEPAD.EXE 2604 RegQueryValue HKCR\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\ActivateOnHostFlags NAME NOT FOUND Length: 16 10:27:55,4565919 NOTEPAD.EXE 2604 RegQueryKey HKCR\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d} SUCCESS Query: Name 10:27:55,4567709 NOTEPAD.EXE 2604 RegQueryKey HKCR\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d} SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,4569088 NOTEPAD.EXE 2604 RegOpenKey HKCU\Software\Classes\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d} NAME NOT FOUND Desired Access: Maximum Allowed 10:27:55,4569741 NOTEPAD.EXE 2604 RegQueryValue HKCR\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\(Default) BUFFER OVERFLOW Length: 12 10:27:55,4570391 NOTEPAD.EXE 2604 RegQueryKey HKCR\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d} SUCCESS Query: Name 10:27:55,4571027 NOTEPAD.EXE 2604 RegQueryKey HKCR\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d} SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,4571884 NOTEPAD.EXE 2604 RegOpenKey HKCU\Software\Classes\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d} NAME NOT FOUND Desired Access: Maximum Allowed 10:27:55,4572488 NOTEPAD.EXE 2604 RegQueryValue HKCR\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\(Default) SUCCESS Type: REG_SZ, Length: 48, Data: Memory Mapped Cache Mgr 10:27:55,4573056 NOTEPAD.EXE 2604 RegQueryKey HKCR\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d} SUCCESS Query: Name 10:27:55,4573630 NOTEPAD.EXE 2604 RegQueryKey HKCR\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d} SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,4588852 NOTEPAD.EXE 2604 RegOpenKey HKCU\Software\Classes\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InprocServer32 NAME NOT FOUND Desired Access: Read 10:27:55,4589596 NOTEPAD.EXE 2604 RegQueryKey HKCR\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d} SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,4599099 NOTEPAD.EXE 2604 RegOpenKey HKCR\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InprocServer32 SUCCESS Desired Access: Read 10:27:55,4616981 NOTEPAD.EXE 2604 RegQueryKey HKCR\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32 SUCCESS Query: Name 10:27:55,4618232 NOTEPAD.EXE 2604 RegQueryKey HKCR\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32 SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,4618880 NOTEPAD.EXE 2604 RegOpenKey HKCU\Software\Classes\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32 NAME NOT FOUND Desired Access: Maximum Allowed 10:27:55,4619590 NOTEPAD.EXE 2604 RegQueryValue HKCR\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32\InprocServer32 NAME NOT FOUND Length: 12 10:27:55,4620546 NOTEPAD.EXE 2604 RegQueryKey HKCR\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32 SUCCESS Query: Name 10:27:55,4621235 NOTEPAD.EXE 2604 RegQueryKey HKCR\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32 SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,4621993 NOTEPAD.EXE 2604 RegOpenKey HKCU\Software\Classes\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32 NAME NOT FOUND Desired Access: Maximum Allowed 10:27:55,4622693 NOTEPAD.EXE 2604 RegQueryValue HKCR\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32\(Default) BUFFER OVERFLOW Length: 12 10:27:55,4623188 NOTEPAD.EXE 2604 RegQueryKey HKCR\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32 SUCCESS Query: Name 10:27:55,4623705 NOTEPAD.EXE 2604 RegQueryKey HKCR\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32 SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,4624255 NOTEPAD.EXE 2604 RegOpenKey HKCU\Software\Classes\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32 NAME NOT FOUND Desired Access: Maximum Allowed 10:27:55,4624812 NOTEPAD.EXE 2604 RegQueryValue HKCR\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32\(Default) SUCCESS Type: REG_EXPAND_SZ, Length: 68, Data: %SystemRoot%\system32\propsys.dll 10:27:55,4625344 NOTEPAD.EXE 2604 RegQueryKey HKCR\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32 SUCCESS Query: Name 10:27:55,4626250 NOTEPAD.EXE 2604 RegQueryKey HKCR\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32 SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,4626879 NOTEPAD.EXE 2604 RegOpenKey HKCU\Software\Classes\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32 NAME NOT FOUND Desired Access: Maximum Allowed 10:27:55,4627459 NOTEPAD.EXE 2604 RegQueryValue HKCR\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32\(Default) SUCCESS Type: REG_EXPAND_SZ, Length: 68, Data: %SystemRoot%\system32\propsys.dll 10:27:55,4628105 NOTEPAD.EXE 2604 RegQueryKey HKCR\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32 SUCCESS Query: Name 10:27:55,4628594 NOTEPAD.EXE 2604 RegQueryKey HKCR\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32 SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,4629256 NOTEPAD.EXE 2604 RegOpenKey HKCU\Software\Classes\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32 NAME NOT FOUND Desired Access: Maximum Allowed 10:27:55,4629992 NOTEPAD.EXE 2604 RegQueryValue HKCR\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32\ThreadingModel SUCCESS Type: REG_SZ, Length: 10, Data: Both 10:27:55,4630715 NOTEPAD.EXE 2604 RegCloseKey HKCR\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32 SUCCESS 10:27:55,4632119 NOTEPAD.EXE 2604 RegQueryKey HKCR\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d} SUCCESS Query: Name 10:27:55,4632677 NOTEPAD.EXE 2604 RegQueryKey HKCR\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d} SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,4633415 NOTEPAD.EXE 2604 RegOpenKey HKCU\Software\Classes\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InprocHandler32 NAME NOT FOUND Desired Access: Query Value 10:27:55,4634074 NOTEPAD.EXE 2604 RegQueryKey HKCR\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d} SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,4634686 NOTEPAD.EXE 2604 RegOpenKey HKCR\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InprocHandler32 NAME NOT FOUND Desired Access: Query Value 10:27:55,4635825 NOTEPAD.EXE 2604 RegQueryKey HKCR\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d} BUFFER TOO SMALL Query: Name, Length: 0 10:27:55,4636358 NOTEPAD.EXE 2604 RegQueryKey HKCR\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d} SUCCESS Query: Name 10:27:55,4636990 NOTEPAD.EXE 2604 RegOpenKey HKLM\SOFTWARE\Microsoft\AppModel\Lookaside\machine\SOFTWARE\Classes\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InprocHandler32 NAME NOT FOUND Desired Access: Read 10:27:55,4637663 NOTEPAD.EXE 2604 RegQueryKey HKCR\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d} SUCCESS Query: Name 10:27:55,4638316 NOTEPAD.EXE 2604 RegQueryKey HKCR\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d} SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,4638889 NOTEPAD.EXE 2604 RegOpenKey HKCU\Software\Classes\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InprocHandler NAME NOT FOUND Desired Access: Query Value 10:27:55,4639428 NOTEPAD.EXE 2604 RegQueryKey HKCR\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d} SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,4639893 NOTEPAD.EXE 2604 RegOpenKey HKCR\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InprocHandler NAME NOT FOUND Desired Access: Query Value 10:27:55,4640372 NOTEPAD.EXE 2604 RegQueryKey HKCR\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d} BUFFER TOO SMALL Query: Name, Length: 0 10:27:55,4640848 NOTEPAD.EXE 2604 RegQueryKey HKCR\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d} SUCCESS Query: Name 10:27:55,4641429 NOTEPAD.EXE 2604 RegOpenKey HKLM\SOFTWARE\Microsoft\AppModel\Lookaside\machine\SOFTWARE\Classes\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InprocHandler NAME NOT FOUND Desired Access: Read 10:27:55,4642007 NOTEPAD.EXE 2604 RegQueryKey HKCR\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d} SUCCESS Query: Name 10:27:55,4642549 NOTEPAD.EXE 2604 RegQueryKey HKCR\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d} SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,4643085 NOTEPAD.EXE 2604 RegOpenKey HKCU\Software\Classes\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\LocalServer32 NAME NOT FOUND Desired Access: Read 10:27:55,4643582 NOTEPAD.EXE 2604 RegQueryKey HKCR\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d} SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,4644015 NOTEPAD.EXE 2604 RegOpenKey HKCR\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\LocalServer32 NAME NOT FOUND Desired Access: Read 10:27:55,4644470 NOTEPAD.EXE 2604 RegQueryKey HKCR\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d} BUFFER TOO SMALL Query: Name, Length: 0 10:27:55,4646001 NOTEPAD.EXE 2604 RegQueryKey HKCR\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d} SUCCESS Query: Name 10:27:55,4646612 NOTEPAD.EXE 2604 RegOpenKey HKLM\SOFTWARE\Microsoft\AppModel\Lookaside\machine\SOFTWARE\Classes\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\LocalServer32 NAME NOT FOUND Desired Access: Read 10:27:55,4647165 NOTEPAD.EXE 2604 RegQueryKey HKCR\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d} SUCCESS Query: Name 10:27:55,4647612 NOTEPAD.EXE 2604 RegQueryKey HKCR\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d} SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,4648130 NOTEPAD.EXE 2604 RegOpenKey HKCU\Software\Classes\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d} NAME NOT FOUND Desired Access: Maximum Allowed 10:27:55,4648641 NOTEPAD.EXE 2604 RegQueryValue HKCR\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\AppID NAME NOT FOUND Length: 112 10:27:55,4649081 NOTEPAD.EXE 2604 RegQueryKey HKCR\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d} SUCCESS Query: Name 10:27:55,4649585 NOTEPAD.EXE 2604 RegQueryKey HKCR\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d} SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,4650254 NOTEPAD.EXE 2604 RegOpenKey HKCU\Software\Classes\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\LocalServer NAME NOT FOUND Desired Access: Query Value 10:27:55,4650785 NOTEPAD.EXE 2604 RegQueryKey HKCR\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d} SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,4651254 NOTEPAD.EXE 2604 RegOpenKey HKCR\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\LocalServer NAME NOT FOUND Desired Access: Query Value 10:27:55,4651719 NOTEPAD.EXE 2604 RegQueryKey HKCR\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d} BUFFER TOO SMALL Query: Name, Length: 0 10:27:55,4652172 NOTEPAD.EXE 2604 RegQueryKey HKCR\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d} SUCCESS Query: Name 10:27:55,4652751 NOTEPAD.EXE 2604 RegOpenKey HKLM\SOFTWARE\Microsoft\AppModel\Lookaside\machine\SOFTWARE\Classes\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\LocalServer NAME NOT FOUND Desired Access: Read 10:27:55,4661299 NOTEPAD.EXE 2604 RegQueryKey HKCU\Software\Classes SUCCESS Query: Name 10:27:55,4662051 NOTEPAD.EXE 2604 RegQueryKey HKCU\Software\Classes SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,4667263 NOTEPAD.EXE 2604 RegQueryKey HKCU\Software\Classes SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,4667993 NOTEPAD.EXE 2604 RegOpenKey HKCU\Software\Classes\CLSID\{1F486A52-3CB1-48FD-8F50-B8DC300D9F9D} NAME NOT FOUND Desired Access: Read 10:27:55,4668672 NOTEPAD.EXE 2604 RegOpenKey HKCR\CLSID\{1F486A52-3CB1-48FD-8F50-B8DC300D9F9D} SUCCESS Desired Access: Read 10:27:55,4669542 NOTEPAD.EXE 2604 RegQueryKey HKCR\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d} SUCCESS Query: Name 10:27:55,4670266 NOTEPAD.EXE 2604 RegQueryKey HKCR\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d} SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,4670903 NOTEPAD.EXE 2604 RegOpenKey HKCU\Software\Classes\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\Elevation NAME NOT FOUND Desired Access: Read 10:27:55,4671507 NOTEPAD.EXE 2604 RegQueryKey HKCR\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d} SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,4671986 NOTEPAD.EXE 2604 RegOpenKey HKCR\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\Elevation NAME NOT FOUND Desired Access: Read 10:27:55,4672502 NOTEPAD.EXE 2604 RegQueryKey HKCR\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d} BUFFER TOO SMALL Query: Name, Length: 0 10:27:55,4672995 NOTEPAD.EXE 2604 RegQueryKey HKCR\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d} SUCCESS Query: Name 10:27:55,4673644 NOTEPAD.EXE 2604 RegOpenKey HKLM\SOFTWARE\Microsoft\AppModel\Lookaside\machine\SOFTWARE\Classes\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\Elevation NAME NOT FOUND Desired Access: Read 10:27:55,4674764 NOTEPAD.EXE 2604 RegCloseKey HKCR\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d} SUCCESS 10:27:55,4675278 NOTEPAD.EXE 2604 RegCloseKey HKCR\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d} SUCCESS 10:27:55,4675862 NOTEPAD.EXE 2604 RegQueryKey HKCU\Software\Classes SUCCESS Query: Name 10:27:55,4676924 NOTEPAD.EXE 2604 RegQueryKey HKCU\Software\Classes SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,4677981 NOTEPAD.EXE 2604 RegQueryKey HKCU\Software\Classes SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,4678845 NOTEPAD.EXE 2604 RegOpenKey HKCU\Software\Classes\CLSID\{1F486A52-3CB1-48FD-8F50-B8DC300D9F9D} NAME NOT FOUND Desired Access: Read 10:27:55,4680210 NOTEPAD.EXE 2604 RegOpenKey HKCR\CLSID\{1F486A52-3CB1-48FD-8F50-B8DC300D9F9D} SUCCESS Desired Access: Read 10:27:55,4680830 NOTEPAD.EXE 2604 RegQueryKey HKCR\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d} SUCCESS Query: Name 10:27:55,4681393 NOTEPAD.EXE 2604 RegQueryKey HKCR\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d} SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,4681951 NOTEPAD.EXE 2604 RegOpenKey HKCU\Software\Classes\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\TreatAs NAME NOT FOUND Desired Access: Read 10:27:55,4682481 NOTEPAD.EXE 2604 RegQueryKey HKCR\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d} SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,4683814 NOTEPAD.EXE 2604 RegOpenKey HKCR\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\TreatAs NAME NOT FOUND Desired Access: Read 10:27:55,4684662 NOTEPAD.EXE 2604 RegQueryKey HKCR\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d} BUFFER TOO SMALL Query: Name, Length: 0 10:27:55,4685309 NOTEPAD.EXE 2604 RegQueryKey HKCR\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d} SUCCESS Query: Name 10:27:55,4686070 NOTEPAD.EXE 2604 RegOpenKey HKLM\SOFTWARE\Microsoft\AppModel\Lookaside\machine\SOFTWARE\Classes\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\TreatAs NAME NOT FOUND Desired Access: Read 10:27:55,4686838 NOTEPAD.EXE 2604 RegCloseKey HKCR\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d} SUCCESS 10:27:55,4692716 NOTEPAD.EXE 2604 CreateFile C:\Users\Angelo Braz\AppData\Local\Microsoft\Windows\Caches NAME COLLISION Desired Access: Read Data/List Directory, Synchronize, Disposition: Create, Options: Directory, Synchronous IO Non-Alert, Open Reparse Point, Attributes: N, ShareMode: Read, Write, AllocationSize: 0 10:27:55,4700149 NOTEPAD.EXE 2604 CreateFile C:\Users\Angelo Braz\AppData\Local\Microsoft\Windows\Caches SUCCESS Desired Access: Read Control, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened 10:27:55,4701349 NOTEPAD.EXE 2604 QuerySecurityFile C:\Users\Angelo Braz\AppData\Local\Microsoft\Windows\Caches BUFFER OVERFLOW Information: DACL 10:27:55,4701781 NOTEPAD.EXE 2604 CloseFile C:\Users\Angelo Braz\AppData\Local\Microsoft\Windows\Caches SUCCESS 10:27:55,4707425 NOTEPAD.EXE 2604 CreateFile C:\Users\Angelo Braz\AppData\Local\Microsoft\Windows\Caches SUCCESS Desired Access: Read Control, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened 10:27:55,4711007 NOTEPAD.EXE 2604 QuerySecurityFile C:\Users\Angelo Braz\AppData\Local\Microsoft\Windows\Caches SUCCESS Information: DACL 10:27:55,4711846 NOTEPAD.EXE 2604 CloseFile C:\Users\Angelo Braz\AppData\Local\Microsoft\Windows\Caches SUCCESS 10:27:55,4716876 NOTEPAD.EXE 2604 CreateFile C:\Users\Angelo Braz\AppData\Local\Microsoft\Windows\Caches\cversions.1.db SUCCESS Desired Access: Generic Read, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, Write, AllocationSize: n/a, OpenResult: Opened 10:27:55,4718391 NOTEPAD.EXE 2604 CreateFileMapping C:\Users\Angelo Braz\AppData\Local\Microsoft\Windows\Caches\cversions.1.db FILE LOCKED WITH ONLY READERS SyncType: SyncTypeCreateSection, PageProtection: PAGE_EXECUTE_WRITECOPY|PAGE_NOCACHE 10:27:55,4718810 NOTEPAD.EXE 2604 QueryStandardInformationFile C:\Users\Angelo Braz\AppData\Local\Microsoft\Windows\Caches\cversions.1.db SUCCESS AllocationSize: 16.384, EndOfFile: 16.384, NumberOfLinks: 1, DeletePending: False, Directory: False 10:27:55,4719563 NOTEPAD.EXE 2604 CreateFileMapping C:\Users\Angelo Braz\AppData\Local\Microsoft\Windows\Caches\cversions.1.db SUCCESS SyncType: SyncTypeOther 10:27:55,4720854 NOTEPAD.EXE 2604 CloseFile C:\Users\Angelo Braz\AppData\Local\Microsoft\Windows\Caches\cversions.1.db SUCCESS 10:27:55,4725535 NOTEPAD.EXE 2604 CreateFile C:\Users\Angelo Braz\AppData\Local\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x000000000000025c.db SUCCESS Desired Access: Generic Read, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, AllocationSize: n/a, OpenResult: Opened 10:27:55,4726698 NOTEPAD.EXE 2604 QueryStandardInformationFile C:\Users\Angelo Braz\AppData\Local\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x000000000000025c.db SUCCESS AllocationSize: 167.936, EndOfFile: 165.832, NumberOfLinks: 1, DeletePending: False, Directory: False 10:27:55,4727443 NOTEPAD.EXE 2604 CreateFileMapping C:\Users\Angelo Braz\AppData\Local\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x000000000000025c.db FILE LOCKED WITH ONLY READERS SyncType: SyncTypeCreateSection, PageProtection: PAGE_EXECUTE_WRITECOPY|PAGE_NOCACHE 10:27:55,4727861 NOTEPAD.EXE 2604 QueryStandardInformationFile C:\Users\Angelo Braz\AppData\Local\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x000000000000025c.db SUCCESS AllocationSize: 167.936, EndOfFile: 165.832, NumberOfLinks: 1, DeletePending: False, Directory: False 10:27:55,4728621 NOTEPAD.EXE 2604 CreateFileMapping C:\Users\Angelo Braz\AppData\Local\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x000000000000025c.db SUCCESS SyncType: SyncTypeOther 10:27:55,4729714 NOTEPAD.EXE 2604 CloseFile C:\Users\Angelo Braz\AppData\Local\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x000000000000025c.db SUCCESS 10:27:55,4736653 NOTEPAD.EXE 2604 CreateFile C:\Users\desktop.ini SUCCESS Desired Access: Generic Read, Disposition: Open, Options: Sequential Access, Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened 10:27:55,4738172 NOTEPAD.EXE 2604 QueryStandardInformationFile C:\Users\desktop.ini SUCCESS AllocationSize: 176, EndOfFile: 174, NumberOfLinks: 1, DeletePending: False, Directory: False 10:27:55,4738691 NOTEPAD.EXE 2604 ReadFile C:\Users\desktop.ini SUCCESS Offset: 0, Length: 174, Priority: Normal 10:27:55,4739591 NOTEPAD.EXE 2604 QueryBasicInformationFile C:\Users\desktop.ini SUCCESS CreationTime: 07/12/2019 06:14:54, LastAccessTime: 09/08/2023 10:27:55, LastWriteTime: 07/12/2019 06:12:42, ChangeTime: 17/08/2020 14:41:12, FileAttributes: HSA 10:27:55,4740703 NOTEPAD.EXE 2604 CloseFile C:\Users\desktop.ini SUCCESS 10:27:55,4744016 NOTEPAD.EXE 2604 RegQueryKey HKCU\Software\Classes SUCCESS Query: Name 10:27:55,4744801 NOTEPAD.EXE 2604 RegQueryKey HKCU\Software\Classes SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,4745795 NOTEPAD.EXE 2604 RegQueryKey HKCU\Software\Classes SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,4746531 NOTEPAD.EXE 2604 RegOpenKey HKCU\Software\Classes\Directory SUCCESS Desired Access: Read 10:27:55,4747195 NOTEPAD.EXE 2604 RegQueryKey HKCU\Software\Classes\Directory SUCCESS Query: Name 10:27:55,4748945 NOTEPAD.EXE 2604 RegQueryKey HKCU\Software\Classes\Directory SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,4749405 NOTEPAD.EXE 2604 RegQueryKey HKCU\Software\Classes\Directory SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,4750072 NOTEPAD.EXE 2604 RegOpenKey HKCU\Software\Classes\Directory\ShellEx\IconHandler NAME NOT FOUND Desired Access: Query Value 10:27:55,4750639 NOTEPAD.EXE 2604 RegOpenKey HKCR\Directory\ShellEx\IconHandler NAME NOT FOUND Desired Access: Query Value 10:27:55,4751386 NOTEPAD.EXE 2604 RegQueryKey HKCU\Software\Classes\Directory BUFFER TOO SMALL Query: Name, Length: 0 10:27:55,4752160 NOTEPAD.EXE 2604 RegQueryKey HKCU\Software\Classes\Directory SUCCESS Query: Name 10:27:55,4752844 NOTEPAD.EXE 2604 RegOpenKey HKLM\SOFTWARE\Microsoft\AppModel\Lookaside\user\software\Classes\Directory\ShellEx\IconHandler NAME NOT FOUND Desired Access: Read 10:27:55,4756425 NOTEPAD.EXE 2604 RegQueryKey HKCU\Software\Classes SUCCESS Query: Name 10:27:55,4756919 NOTEPAD.EXE 2604 RegQueryKey HKCU\Software\Classes SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,4757260 NOTEPAD.EXE 2604 RegQueryKey HKCU\Software\Classes SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,4757852 NOTEPAD.EXE 2604 RegOpenKey HKCU\Software\Classes\Folder NAME NOT FOUND Desired Access: Read 10:27:55,4758409 NOTEPAD.EXE 2604 RegOpenKey HKCR\Folder SUCCESS Desired Access: Read 10:27:55,4759662 NOTEPAD.EXE 2604 RegQueryKey HKCR\Folder SUCCESS Query: Name 10:27:55,4762711 NOTEPAD.EXE 2604 RegQueryKey HKCR\Folder SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,4763977 NOTEPAD.EXE 2604 RegOpenKey HKCU\Software\Classes\Folder\ShellEx\IconHandler NAME NOT FOUND Desired Access: Query Value 10:27:55,4764440 NOTEPAD.EXE 2604 RegQueryKey HKCR\Folder SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,4764802 NOTEPAD.EXE 2604 RegOpenKey HKCR\Folder\ShellEx\IconHandler NAME NOT FOUND Desired Access: Query Value 10:27:55,4765339 NOTEPAD.EXE 2604 RegQueryKey HKCR\Folder BUFFER TOO SMALL Query: Name, Length: 0 10:27:55,4765788 NOTEPAD.EXE 2604 RegQueryKey HKCR\Folder SUCCESS Query: Name 10:27:55,4766288 NOTEPAD.EXE 2604 RegOpenKey HKLM\SOFTWARE\Microsoft\AppModel\Lookaside\machine\SOFTWARE\Classes\Folder\ShellEx\IconHandler NAME NOT FOUND Desired Access: Read 10:27:55,4766935 NOTEPAD.EXE 2604 RegQueryKey HKCU\Software\Classes SUCCESS Query: Name 10:27:55,4767409 NOTEPAD.EXE 2604 RegQueryKey HKCU\Software\Classes SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,4767752 NOTEPAD.EXE 2604 RegQueryKey HKCU\Software\Classes SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,4768135 NOTEPAD.EXE 2604 RegOpenKey HKCU\Software\Classes\AllFilesystemObjects NAME NOT FOUND Desired Access: Read 10:27:55,4768641 NOTEPAD.EXE 2604 RegOpenKey HKCR\AllFilesystemObjects SUCCESS Desired Access: Read 10:27:55,4769272 NOTEPAD.EXE 2604 RegQueryKey HKCR\AllFilesystemObjects SUCCESS Query: Name 10:27:55,4770363 NOTEPAD.EXE 2604 RegQueryKey HKCR\AllFilesystemObjects SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,4770795 NOTEPAD.EXE 2604 RegOpenKey HKCU\Software\Classes\AllFilesystemObjects\ShellEx\IconHandler NAME NOT FOUND Desired Access: Query Value 10:27:55,4771354 NOTEPAD.EXE 2604 RegQueryKey HKCR\AllFilesystemObjects SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,4773327 NOTEPAD.EXE 2604 RegOpenKey HKCR\AllFilesystemObjects\ShellEx\IconHandler NAME NOT FOUND Desired Access: Query Value 10:27:55,4773905 NOTEPAD.EXE 2604 RegQueryKey HKCR\AllFilesystemObjects BUFFER TOO SMALL Query: Name, Length: 0 10:27:55,4774385 NOTEPAD.EXE 2604 RegQueryKey HKCR\AllFilesystemObjects SUCCESS Query: Name 10:27:55,4774932 NOTEPAD.EXE 2604 RegOpenKey HKLM\SOFTWARE\Microsoft\AppModel\Lookaside\machine\SOFTWARE\Classes\AllFilesystemObjects\ShellEx\IconHandler NAME NOT FOUND Desired Access: Read 10:27:55,4775747 NOTEPAD.EXE 2604 RegQueryKey HKCU\Software\Classes\Directory SUCCESS Query: Name 10:27:55,4776217 NOTEPAD.EXE 2604 RegQueryKey HKCU\Software\Classes\Directory SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,4776755 NOTEPAD.EXE 2604 RegOpenKey HKCR\Directory SUCCESS Desired Access: Maximum Allowed, Granted Access: Read 10:27:55,4777454 NOTEPAD.EXE 2604 RegQueryValue HKCU\Software\Classes\Directory\DocObject NAME NOT FOUND Length: 12 10:27:55,4777820 NOTEPAD.EXE 2604 RegQueryValue HKCR\Directory\DocObject NAME NOT FOUND Length: 12 10:27:55,4778411 NOTEPAD.EXE 2604 RegCloseKey HKCR\Directory SUCCESS 10:27:55,4778803 NOTEPAD.EXE 2604 RegQueryKey HKCU\Software\Classes\Directory SUCCESS Query: Name 10:27:55,4779239 NOTEPAD.EXE 2604 RegQueryKey HKCU\Software\Classes\Directory SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,4779567 NOTEPAD.EXE 2604 RegQueryKey HKCU\Software\Classes\Directory SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,4779935 NOTEPAD.EXE 2604 RegOpenKey HKCU\Software\Classes\Directory\DocObject NAME NOT FOUND Desired Access: Query Value 10:27:55,4780484 NOTEPAD.EXE 2604 RegOpenKey HKCR\Directory\DocObject NAME NOT FOUND Desired Access: Query Value 10:27:55,4780987 NOTEPAD.EXE 2604 RegQueryKey HKCU\Software\Classes\Directory BUFFER TOO SMALL Query: Name, Length: 0 10:27:55,4781414 NOTEPAD.EXE 2604 RegQueryKey HKCU\Software\Classes\Directory SUCCESS Query: Name 10:27:55,4781949 NOTEPAD.EXE 2604 RegOpenKey HKLM\SOFTWARE\Microsoft\AppModel\Lookaside\user\software\Classes\Directory\DocObject NAME NOT FOUND Desired Access: Read 10:27:55,4782584 NOTEPAD.EXE 2604 RegQueryKey HKCR\Folder SUCCESS Query: Name 10:27:55,4782953 NOTEPAD.EXE 2604 RegQueryKey HKCR\Folder SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,4783471 NOTEPAD.EXE 2604 RegOpenKey HKCU\Software\Classes\Folder NAME NOT FOUND Desired Access: Maximum Allowed 10:27:55,4784001 NOTEPAD.EXE 2604 RegQueryValue HKCR\Folder\DocObject NAME NOT FOUND Length: 12 10:27:55,4784426 NOTEPAD.EXE 2604 RegQueryKey HKCR\Folder SUCCESS Query: Name 10:27:55,4784962 NOTEPAD.EXE 2604 RegQueryKey HKCR\Folder SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,4785485 NOTEPAD.EXE 2604 RegOpenKey HKCU\Software\Classes\Folder\DocObject NAME NOT FOUND Desired Access: Query Value 10:27:55,4785914 NOTEPAD.EXE 2604 RegQueryKey HKCR\Folder SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,4786289 NOTEPAD.EXE 2604 RegOpenKey HKCR\Folder\DocObject NAME NOT FOUND Desired Access: Query Value 10:27:55,4786656 NOTEPAD.EXE 2604 RegQueryKey HKCR\Folder BUFFER TOO SMALL Query: Name, Length: 0 10:27:55,4787044 NOTEPAD.EXE 2604 RegQueryKey HKCR\Folder SUCCESS Query: Name 10:27:55,4787538 NOTEPAD.EXE 2604 RegOpenKey HKLM\SOFTWARE\Microsoft\AppModel\Lookaside\machine\SOFTWARE\Classes\Folder\DocObject NAME NOT FOUND Desired Access: Read 10:27:55,4788088 NOTEPAD.EXE 2604 RegQueryKey HKCR\AllFilesystemObjects SUCCESS Query: Name 10:27:55,4789022 NOTEPAD.EXE 2604 RegQueryKey HKCR\AllFilesystemObjects SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,4789598 NOTEPAD.EXE 2604 RegOpenKey HKCU\Software\Classes\AllFilesystemObjects NAME NOT FOUND Desired Access: Maximum Allowed 10:27:55,4790055 NOTEPAD.EXE 2604 RegQueryValue HKCR\AllFilesystemObjects\DocObject NAME NOT FOUND Length: 12 10:27:55,4790570 NOTEPAD.EXE 2604 RegQueryKey HKCR\AllFilesystemObjects SUCCESS Query: Name 10:27:55,4791139 NOTEPAD.EXE 2604 RegQueryKey HKCR\AllFilesystemObjects SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,4791712 NOTEPAD.EXE 2604 RegOpenKey HKCU\Software\Classes\AllFilesystemObjects\DocObject NAME NOT FOUND Desired Access: Query Value 10:27:55,4792494 NOTEPAD.EXE 2604 RegQueryKey HKCR\AllFilesystemObjects SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,4793046 NOTEPAD.EXE 2604 RegOpenKey HKCR\AllFilesystemObjects\DocObject NAME NOT FOUND Desired Access: Query Value 10:27:55,4793413 NOTEPAD.EXE 2604 RegQueryKey HKCR\AllFilesystemObjects BUFFER TOO SMALL Query: Name, Length: 0 10:27:55,4793800 NOTEPAD.EXE 2604 RegQueryKey HKCR\AllFilesystemObjects SUCCESS Query: Name 10:27:55,4794339 NOTEPAD.EXE 2604 RegOpenKey HKLM\SOFTWARE\Microsoft\AppModel\Lookaside\machine\SOFTWARE\Classes\AllFilesystemObjects\DocObject NAME NOT FOUND Desired Access: Read 10:27:55,4794926 NOTEPAD.EXE 2604 RegQueryKey HKCU\Software\Classes\Directory SUCCESS Query: Name 10:27:55,4795347 NOTEPAD.EXE 2604 RegQueryKey HKCU\Software\Classes\Directory SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,4795706 NOTEPAD.EXE 2604 RegOpenKey HKCR\Directory SUCCESS Desired Access: Maximum Allowed, Granted Access: Read 10:27:55,4796126 NOTEPAD.EXE 2604 RegQueryValue HKCU\Software\Classes\Directory\BrowseInPlace NAME NOT FOUND Length: 12 10:27:55,4796635 NOTEPAD.EXE 2604 RegQueryValue HKCR\Directory\BrowseInPlace NAME NOT FOUND Length: 12 10:27:55,4797020 NOTEPAD.EXE 2604 RegCloseKey HKCR\Directory SUCCESS 10:27:55,4797370 NOTEPAD.EXE 2604 RegQueryKey HKCU\Software\Classes\Directory SUCCESS Query: Name 10:27:55,4797905 NOTEPAD.EXE 2604 RegQueryKey HKCU\Software\Classes\Directory SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,4798312 NOTEPAD.EXE 2604 RegQueryKey HKCU\Software\Classes\Directory SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,4798713 NOTEPAD.EXE 2604 RegOpenKey HKCU\Software\Classes\Directory\BrowseInPlace NAME NOT FOUND Desired Access: Query Value 10:27:55,4800242 NOTEPAD.EXE 2604 RegOpenKey HKCR\Directory\BrowseInPlace NAME NOT FOUND Desired Access: Query Value 10:27:55,4801405 NOTEPAD.EXE 2604 RegQueryKey HKCU\Software\Classes\Directory BUFFER TOO SMALL Query: Name, Length: 0 10:27:55,4802260 NOTEPAD.EXE 2604 RegQueryKey HKCU\Software\Classes\Directory SUCCESS Query: Name 10:27:55,4803238 NOTEPAD.EXE 2604 RegOpenKey HKLM\SOFTWARE\Microsoft\AppModel\Lookaside\user\software\Classes\Directory\BrowseInPlace NAME NOT FOUND Desired Access: Read 10:27:55,4803795 NOTEPAD.EXE 2604 RegQueryKey HKCR\Folder SUCCESS Query: Name 10:27:55,4804244 NOTEPAD.EXE 2604 RegQueryKey HKCR\Folder SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,4804679 NOTEPAD.EXE 2604 RegOpenKey HKCU\Software\Classes\Folder NAME NOT FOUND Desired Access: Maximum Allowed 10:27:55,4805117 NOTEPAD.EXE 2604 RegQueryValue HKCR\Folder\BrowseInPlace NAME NOT FOUND Length: 12 10:27:55,4805488 NOTEPAD.EXE 2604 RegQueryKey HKCR\Folder SUCCESS Query: Name 10:27:55,4805881 NOTEPAD.EXE 2604 RegQueryKey HKCR\Folder SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,4806321 NOTEPAD.EXE 2604 RegOpenKey HKCU\Software\Classes\Folder\BrowseInPlace NAME NOT FOUND Desired Access: Query Value 10:27:55,4806762 NOTEPAD.EXE 2604 RegQueryKey HKCR\Folder SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,4807138 NOTEPAD.EXE 2604 RegOpenKey HKCR\Folder\BrowseInPlace NAME NOT FOUND Desired Access: Query Value 10:27:55,4807542 NOTEPAD.EXE 2604 RegQueryKey HKCR\Folder BUFFER TOO SMALL Query: Name, Length: 0 10:27:55,4807914 NOTEPAD.EXE 2604 RegQueryKey HKCR\Folder SUCCESS Query: Name 10:27:55,4808730 NOTEPAD.EXE 2604 RegOpenKey HKLM\SOFTWARE\Microsoft\AppModel\Lookaside\machine\SOFTWARE\Classes\Folder\BrowseInPlace NAME NOT FOUND Desired Access: Read 10:27:55,4809921 NOTEPAD.EXE 2604 RegQueryKey HKCR\AllFilesystemObjects SUCCESS Query: Name 10:27:55,4810343 NOTEPAD.EXE 2604 RegQueryKey HKCR\AllFilesystemObjects SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,4810782 NOTEPAD.EXE 2604 RegOpenKey HKCU\Software\Classes\AllFilesystemObjects NAME NOT FOUND Desired Access: Maximum Allowed 10:27:55,4811258 NOTEPAD.EXE 2604 RegQueryValue HKCR\AllFilesystemObjects\BrowseInPlace NAME NOT FOUND Length: 12 10:27:55,4811614 NOTEPAD.EXE 2604 RegQueryKey HKCR\AllFilesystemObjects SUCCESS Query: Name 10:27:55,4811988 NOTEPAD.EXE 2604 RegQueryKey HKCR\AllFilesystemObjects SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,4812404 NOTEPAD.EXE 2604 RegOpenKey HKCU\Software\Classes\AllFilesystemObjects\BrowseInPlace NAME NOT FOUND Desired Access: Query Value 10:27:55,4814154 NOTEPAD.EXE 2604 RegQueryKey HKCR\AllFilesystemObjects SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,4814598 NOTEPAD.EXE 2604 RegOpenKey HKCR\AllFilesystemObjects\BrowseInPlace NAME NOT FOUND Desired Access: Query Value 10:27:55,4815297 NOTEPAD.EXE 2604 RegQueryKey HKCR\AllFilesystemObjects BUFFER TOO SMALL Query: Name, Length: 0 10:27:55,4816088 NOTEPAD.EXE 2604 RegQueryKey HKCR\AllFilesystemObjects SUCCESS Query: Name 10:27:55,4816647 NOTEPAD.EXE 2604 RegOpenKey HKLM\SOFTWARE\Microsoft\AppModel\Lookaside\machine\SOFTWARE\Classes\AllFilesystemObjects\BrowseInPlace NAME NOT FOUND Desired Access: Read 10:27:55,4817427 NOTEPAD.EXE 2604 RegQueryKey HKCU\Software\Classes\Directory SUCCESS Query: Name 10:27:55,4817878 NOTEPAD.EXE 2604 RegQueryKey HKCU\Software\Classes\Directory SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,4818201 NOTEPAD.EXE 2604 RegQueryKey HKCU\Software\Classes\Directory SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,4820179 NOTEPAD.EXE 2604 RegOpenKey HKCU\Software\Classes\Directory\Clsid NAME NOT FOUND Desired Access: Query Value 10:27:55,4820745 NOTEPAD.EXE 2604 RegOpenKey HKCR\Directory\Clsid NAME NOT FOUND Desired Access: Query Value 10:27:55,4821188 NOTEPAD.EXE 2604 RegQueryKey HKCU\Software\Classes\Directory BUFFER TOO SMALL Query: Name, Length: 0 10:27:55,4821670 NOTEPAD.EXE 2604 RegQueryKey HKCU\Software\Classes\Directory SUCCESS Query: Name 10:27:55,4822345 NOTEPAD.EXE 2604 RegOpenKey HKLM\SOFTWARE\Microsoft\AppModel\Lookaside\user\software\Classes\Directory\Clsid NAME NOT FOUND Desired Access: Read 10:27:55,4823277 NOTEPAD.EXE 2604 RegQueryKey HKCR\Folder SUCCESS Query: Name 10:27:55,4823826 NOTEPAD.EXE 2604 RegQueryKey HKCR\Folder SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,4824359 NOTEPAD.EXE 2604 RegOpenKey HKCU\Software\Classes\Folder\Clsid NAME NOT FOUND Desired Access: Query Value 10:27:55,4824825 NOTEPAD.EXE 2604 RegQueryKey HKCR\Folder SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,4825263 NOTEPAD.EXE 2604 RegOpenKey HKCR\Folder\Clsid NAME NOT FOUND Desired Access: Query Value 10:27:55,4825791 NOTEPAD.EXE 2604 RegQueryKey HKCR\Folder BUFFER TOO SMALL Query: Name, Length: 0 10:27:55,4826196 NOTEPAD.EXE 2604 RegQueryKey HKCR\Folder SUCCESS Query: Name 10:27:55,4826885 NOTEPAD.EXE 2604 RegOpenKey HKLM\SOFTWARE\Microsoft\AppModel\Lookaside\machine\SOFTWARE\Classes\Folder\Clsid NAME NOT FOUND Desired Access: Read 10:27:55,4827514 NOTEPAD.EXE 2604 RegQueryKey HKCR\AllFilesystemObjects SUCCESS Query: Name 10:27:55,4828072 NOTEPAD.EXE 2604 RegQueryKey HKCR\AllFilesystemObjects SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,4828619 NOTEPAD.EXE 2604 RegOpenKey HKCU\Software\Classes\AllFilesystemObjects\Clsid NAME NOT FOUND Desired Access: Query Value 10:27:55,4829082 NOTEPAD.EXE 2604 RegQueryKey HKCR\AllFilesystemObjects SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,4829660 NOTEPAD.EXE 2604 RegOpenKey HKCR\AllFilesystemObjects\Clsid NAME NOT FOUND Desired Access: Query Value 10:27:55,4830088 NOTEPAD.EXE 2604 RegQueryKey HKCR\AllFilesystemObjects BUFFER TOO SMALL Query: Name, Length: 0 10:27:55,4830450 NOTEPAD.EXE 2604 RegQueryKey HKCR\AllFilesystemObjects SUCCESS Query: Name 10:27:55,4830913 NOTEPAD.EXE 2604 RegOpenKey HKLM\SOFTWARE\Microsoft\AppModel\Lookaside\machine\SOFTWARE\Classes\AllFilesystemObjects\Clsid NAME NOT FOUND Desired Access: Read 10:27:55,4831427 NOTEPAD.EXE 2604 RegQueryKey HKCU\Software\Classes\Directory SUCCESS Query: Name 10:27:55,4831808 NOTEPAD.EXE 2604 RegQueryKey HKCU\Software\Classes\Directory SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,4832158 NOTEPAD.EXE 2604 RegOpenKey HKCR\Directory SUCCESS Desired Access: Maximum Allowed, Granted Access: Read 10:27:55,4832701 NOTEPAD.EXE 2604 RegQueryValue HKCU\Software\Classes\Directory\IsShortcut NAME NOT FOUND Length: 12 10:27:55,4833027 NOTEPAD.EXE 2604 RegQueryValue HKCR\Directory\IsShortcut NAME NOT FOUND Length: 12 10:27:55,4833438 NOTEPAD.EXE 2604 RegCloseKey HKCR\Directory SUCCESS 10:27:55,4833879 NOTEPAD.EXE 2604 RegQueryKey HKCR\Folder SUCCESS Query: Name 10:27:55,4834270 NOTEPAD.EXE 2604 RegQueryKey HKCR\Folder SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,4834683 NOTEPAD.EXE 2604 RegOpenKey HKCU\Software\Classes\Folder NAME NOT FOUND Desired Access: Maximum Allowed 10:27:55,4835103 NOTEPAD.EXE 2604 RegQueryValue HKCR\Folder\IsShortcut NAME NOT FOUND Length: 12 10:27:55,4835531 NOTEPAD.EXE 2604 RegQueryKey HKCR\AllFilesystemObjects SUCCESS Query: Name 10:27:55,4836347 NOTEPAD.EXE 2604 RegQueryKey HKCR\AllFilesystemObjects SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,4836837 NOTEPAD.EXE 2604 RegOpenKey HKCU\Software\Classes\AllFilesystemObjects NAME NOT FOUND Desired Access: Maximum Allowed 10:27:55,4837217 NOTEPAD.EXE 2604 RegQueryValue HKCR\AllFilesystemObjects\IsShortcut NAME NOT FOUND Length: 12 10:27:55,4837604 NOTEPAD.EXE 2604 RegQueryKey HKCU\Software\Classes\Directory SUCCESS Query: Name 10:27:55,4838031 NOTEPAD.EXE 2604 RegQueryKey HKCU\Software\Classes\Directory SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,4838412 NOTEPAD.EXE 2604 RegOpenKey HKCR\Directory SUCCESS Desired Access: Maximum Allowed, Granted Access: Read 10:27:55,4838855 NOTEPAD.EXE 2604 RegQueryValue HKCU\Software\Classes\Directory\AlwaysShowExt NAME NOT FOUND Length: 12 10:27:55,4839168 NOTEPAD.EXE 2604 RegQueryValue HKCR\Directory\AlwaysShowExt BUFFER OVERFLOW Length: 12 10:27:55,4839588 NOTEPAD.EXE 2604 RegCloseKey HKCR\Directory SUCCESS 10:27:55,4839941 NOTEPAD.EXE 2604 RegQueryKey HKCU\Software\Classes\Directory SUCCESS Query: Name 10:27:55,4840307 NOTEPAD.EXE 2604 RegQueryKey HKCU\Software\Classes\Directory SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,4840677 NOTEPAD.EXE 2604 RegOpenKey HKCR\Directory SUCCESS Desired Access: Maximum Allowed, Granted Access: Read 10:27:55,4841070 NOTEPAD.EXE 2604 RegQueryValue HKCU\Software\Classes\Directory\NeverShowExt NAME NOT FOUND Length: 12 10:27:55,4841379 NOTEPAD.EXE 2604 RegQueryValue HKCR\Directory\NeverShowExt NAME NOT FOUND Length: 12 10:27:55,4841745 NOTEPAD.EXE 2604 RegCloseKey HKCR\Directory SUCCESS 10:27:55,4842126 NOTEPAD.EXE 2604 RegQueryKey HKCR\Folder SUCCESS Query: Name 10:27:55,4842496 NOTEPAD.EXE 2604 RegQueryKey HKCR\Folder SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,4842901 NOTEPAD.EXE 2604 RegOpenKey HKCU\Software\Classes\Folder NAME NOT FOUND Desired Access: Maximum Allowed 10:27:55,4843317 NOTEPAD.EXE 2604 RegQueryValue HKCR\Folder\NeverShowExt NAME NOT FOUND Length: 12 10:27:55,4843725 NOTEPAD.EXE 2604 RegQueryKey HKCR\AllFilesystemObjects SUCCESS Query: Name 10:27:55,4844239 NOTEPAD.EXE 2604 RegQueryKey HKCR\AllFilesystemObjects SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,4844657 NOTEPAD.EXE 2604 RegOpenKey HKCU\Software\Classes\AllFilesystemObjects NAME NOT FOUND Desired Access: Maximum Allowed 10:27:55,4845044 NOTEPAD.EXE 2604 RegQueryValue HKCR\AllFilesystemObjects\NeverShowExt NAME NOT FOUND Length: 12 10:27:55,4845602 NOTEPAD.EXE 2604 RegCloseKey HKCU\Software\Classes\Directory SUCCESS 10:27:55,4846059 NOTEPAD.EXE 2604 RegCloseKey HKCR\Folder SUCCESS 10:27:55,4846467 NOTEPAD.EXE 2604 RegCloseKey HKCR\AllFilesystemObjects SUCCESS 10:27:55,4851630 NOTEPAD.EXE 2604 CreateFile C:\Users SUCCESS Desired Access: Read Data/List Directory, Read Attributes, Synchronize, Disposition: Open, Options: Synchronous IO Non-Alert, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened 10:27:55,4852910 NOTEPAD.EXE 2604 QueryRemoteProtocolInformation C:\Users INVALID PARAMETER 10:27:55,4853861 NOTEPAD.EXE 2604 QueryDirectory C:\Users\Angelo SUCCESS FileInformationClass: FileIdBothDirectoryInformation, Filter: Angelo, 2: Angelo 10:27:55,4855170 NOTEPAD.EXE 2604 CloseFile C:\Users SUCCESS 10:27:55,4857346 NOTEPAD.EXE 2604 RegQueryKey HKLM SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,4857780 NOTEPAD.EXE 2604 RegOpenKey HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions SUCCESS Desired Access: Read 10:27:55,4858336 NOTEPAD.EXE 2604 RegQueryKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,4858673 NOTEPAD.EXE 2604 RegOpenKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641} SUCCESS Desired Access: Read 10:27:55,4859217 NOTEPAD.EXE 2604 RegCloseKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions SUCCESS 10:27:55,4859698 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\Category SUCCESS Type: REG_DWORD, Length: 4, Data: 4 10:27:55,4860068 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\Name SUCCESS Type: REG_SZ, Length: 16, Data: Desktop 10:27:55,4860577 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\ParentFolder NAME NOT FOUND Length: 90 10:27:55,4860889 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\Description NAME NOT FOUND Length: 144 10:27:55,4861211 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\RelativePath SUCCESS Type: REG_SZ, Length: 16, Data: Desktop 10:27:55,4861600 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\ParsingName NAME NOT FOUND Length: 144 10:27:55,4861928 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\InfoTip NAME NOT FOUND Length: 144 10:27:55,4862276 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\LocalizedName SUCCESS Type: REG_EXPAND_SZ, Length: 84, Data: @%SystemRoot%\system32\shell32.dll,-21769 10:27:55,4862959 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\Icon SUCCESS Type: REG_EXPAND_SZ, Length: 80, Data: %SystemRoot%\system32\imageres.dll,-183 10:27:55,4863325 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\Security NAME NOT FOUND Length: 144 10:27:55,4863819 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\StreamResource NAME NOT FOUND Length: 144 10:27:55,4864333 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\StreamResourceType NAME NOT FOUND Length: 144 10:27:55,4864725 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\LocalRedirectOnly NAME NOT FOUND Length: 16 10:27:55,4865156 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\Roamable SUCCESS Type: REG_DWORD, Length: 4, Data: 1 10:27:55,4865549 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\PreCreate SUCCESS Type: REG_DWORD, Length: 4, Data: 1 10:27:55,4865967 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\Stream NAME NOT FOUND Length: 16 10:27:55,4866294 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\PublishExpandedPath SUCCESS Type: REG_DWORD, Length: 4, Data: 1 10:27:55,4866595 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\DefinitionFlags NAME NOT FOUND Length: 16 10:27:55,4866938 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\Attributes SUCCESS Type: REG_DWORD, Length: 4, Data: 1 10:27:55,4867259 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\FolderTypeID NAME NOT FOUND Length: 90 10:27:55,4867644 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\InitFolderHandler NAME NOT FOUND Length: 90 10:27:55,4868268 NOTEPAD.EXE 2604 RegQueryKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641} SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,4868750 NOTEPAD.EXE 2604 RegOpenKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\PropertyBag SUCCESS Desired Access: Read 10:27:55,4869335 NOTEPAD.EXE 2604 RegCloseKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641} SUCCESS 10:27:55,4870301 NOTEPAD.EXE 2604 RegQueryKey HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,4870667 NOTEPAD.EXE 2604 RegOpenKey HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1 SUCCESS Desired Access: Query Value 10:27:55,4871118 NOTEPAD.EXE 2604 RegQueryKey HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1 SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,4871481 NOTEPAD.EXE 2604 RegOpenKey HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\KnownFolders NAME NOT FOUND Desired Access: Query Value 10:27:55,4871889 NOTEPAD.EXE 2604 RegQueryKey HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1 BUFFER TOO SMALL Query: Name, Length: 0 10:27:55,4872405 NOTEPAD.EXE 2604 RegQueryKey HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1 SUCCESS Query: Name 10:27:55,4873039 NOTEPAD.EXE 2604 RegOpenKey HKLM\SOFTWARE\Microsoft\AppModel\Lookaside\user\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\KnownFolders NAME NOT FOUND Desired Access: Read 10:27:55,4873561 NOTEPAD.EXE 2604 RegCloseKey HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1 SUCCESS 10:27:55,4874216 NOTEPAD.EXE 2604 RegOpenKey HKCU SUCCESS Desired Access: Read 10:27:55,4874684 NOTEPAD.EXE 2604 RegQueryKey HKCU SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,4875030 NOTEPAD.EXE 2604 RegOpenKey HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders SUCCESS Desired Access: Read 10:27:55,4875490 NOTEPAD.EXE 2604 RegCloseKey HKCU SUCCESS 10:27:55,4875827 NOTEPAD.EXE 2604 RegQueryValue HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Desktop SUCCESS Type: REG_EXPAND_SZ, Length: 40, Data: D:\Área de Trabalho 10:27:55,4876780 NOTEPAD.EXE 2604 RegCloseKey HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders SUCCESS 10:27:55,4878183 NOTEPAD.EXE 2604 RegQueryKey HKCU\Software\Classes SUCCESS Query: Name 10:27:55,4879070 NOTEPAD.EXE 2604 RegQueryKey HKCU\Software\Classes SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,4879461 NOTEPAD.EXE 2604 RegQueryKey HKCU\Software\Classes SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,4880102 NOTEPAD.EXE 2604 RegOpenKey HKCU\Software\Classes\Drive\shellex\FolderExtensions NAME NOT FOUND Desired Access: Enumerate Sub Keys 10:27:55,4880638 NOTEPAD.EXE 2604 RegOpenKey HKCR\Drive\shellex\FolderExtensions SUCCESS Desired Access: Enumerate Sub Keys 10:27:55,4881216 NOTEPAD.EXE 2604 RegQueryKey HKCR\Drive\shellex\FolderExtensions SUCCESS Query: Name 10:27:55,4881664 NOTEPAD.EXE 2604 RegQueryKey HKCR\Drive\shellex\FolderExtensions SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,4882115 NOTEPAD.EXE 2604 RegOpenKey HKCU\Software\Classes\Drive\shellex\FolderExtensions NAME NOT FOUND Desired Access: Maximum Allowed 10:27:55,4882592 NOTEPAD.EXE 2604 RegEnumKey HKCR\Drive\shellex\FolderExtensions SUCCESS Index: 0, Name: {fbeb8a05-beee-4442-804e-409d6c4515e9} 10:27:55,4883045 NOTEPAD.EXE 2604 RegQueryKey HKCU\Software\Classes SUCCESS Query: Name 10:27:55,4883468 NOTEPAD.EXE 2604 RegQueryKey HKCU\Software\Classes SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,4883799 NOTEPAD.EXE 2604 RegQueryKey HKCU\Software\Classes SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,4884273 NOTEPAD.EXE 2604 RegOpenKey HKCU\Software\Classes\Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9} NAME NOT FOUND Desired Access: Query Value 10:27:55,4885507 NOTEPAD.EXE 2604 RegOpenKey HKCR\Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9} SUCCESS Desired Access: Query Value 10:27:55,4886128 NOTEPAD.EXE 2604 RegQueryKey HKCR\Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9} SUCCESS Query: Name 10:27:55,4887038 NOTEPAD.EXE 2604 RegQueryKey HKCR\Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9} SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,4887591 NOTEPAD.EXE 2604 RegOpenKey HKCU\Software\Classes\Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9} NAME NOT FOUND Desired Access: Maximum Allowed 10:27:55,4888057 NOTEPAD.EXE 2604 RegQueryValue HKCR\Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9}\DriveMask SUCCESS Type: REG_DWORD, Length: 4, Data: 32 10:27:55,4888505 NOTEPAD.EXE 2604 RegCloseKey HKCR\Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9} SUCCESS 10:27:55,4888989 NOTEPAD.EXE 2604 RegEnumKey HKCR\Drive\shellex\FolderExtensions NO MORE ENTRIES Index: 1, Length: 288 10:27:55,4889399 NOTEPAD.EXE 2604 RegCloseKey HKCR\Drive\shellex\FolderExtensions SUCCESS 10:27:55,4894078 NOTEPAD.EXE 2604 CreateFile D:\Área de Trabalho\desktop.ini SUCCESS Desired Access: Generic Read, Disposition: Open, Options: Sequential Access, Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened 10:27:55,4896003 NOTEPAD.EXE 2604 QueryStandardInformationFile D:\Área de Trabalho\desktop.ini SUCCESS AllocationSize: 280, EndOfFile: 278, NumberOfLinks: 1, DeletePending: False, Directory: False 10:27:55,4896639 NOTEPAD.EXE 2604 ReadFile D:\Área de Trabalho\desktop.ini SUCCESS Offset: 0, Length: 278, Priority: Normal 10:27:55,4897657 NOTEPAD.EXE 2604 QueryBasicInformationFile D:\Área de Trabalho\desktop.ini SUCCESS CreationTime: 18/06/2014 22:58:49, LastAccessTime: 09/08/2023 10:27:55, LastWriteTime: 17/08/2020 17:46:36, ChangeTime: 30/12/2020 22:34:33, FileAttributes: HSA 10:27:55,4898052 NOTEPAD.EXE 2604 CloseFile D:\Área de Trabalho\desktop.ini SUCCESS 10:27:55,4899725 NOTEPAD.EXE 2604 RegQueryKey HKLM SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,4900130 NOTEPAD.EXE 2604 RegOpenKey HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions SUCCESS Desired Access: Read 10:27:55,4900770 NOTEPAD.EXE 2604 RegQueryKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,4901126 NOTEPAD.EXE 2604 RegOpenKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE} SUCCESS Desired Access: Read 10:27:55,4901681 NOTEPAD.EXE 2604 RegCloseKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions SUCCESS 10:27:55,4902048 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\Category SUCCESS Type: REG_DWORD, Length: 4, Data: 4 10:27:55,4902519 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\Name SUCCESS Type: REG_SZ, Length: 20, Data: Libraries 10:27:55,4903134 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\ParentFolder SUCCESS Type: REG_SZ, Length: 78, Data: {3EB685DB-65F9-4CF6-A03A-E3EF65729F3D} 10:27:55,4903486 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\Description NAME NOT FOUND Length: 144 10:27:55,4903825 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\RelativePath SUCCESS Type: REG_SZ, Length: 56, Data: Microsoft\Windows\Libraries 10:27:55,4904208 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\ParsingName NAME NOT FOUND Length: 144 10:27:55,4904554 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\InfoTip NAME NOT FOUND Length: 144 10:27:55,4904892 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\LocalizedName NAME NOT FOUND Length: 144 10:27:55,4905207 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\Icon NAME NOT FOUND Length: 144 10:27:55,4905967 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\Security NAME NOT FOUND Length: 144 10:27:55,4906322 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\StreamResource NAME NOT FOUND Length: 144 10:27:55,4906671 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\StreamResourceType NAME NOT FOUND Length: 144 10:27:55,4907025 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\LocalRedirectOnly NAME NOT FOUND Length: 16 10:27:55,4907574 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\Roamable NAME NOT FOUND Length: 16 10:27:55,4907893 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\PreCreate SUCCESS Type: REG_DWORD, Length: 4, Data: 1 10:27:55,4908302 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\Stream NAME NOT FOUND Length: 16 10:27:55,4908623 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\PublishExpandedPath SUCCESS Type: REG_DWORD, Length: 4, Data: 1 10:27:55,4909070 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\DefinitionFlags NAME NOT FOUND Length: 16 10:27:55,4909387 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\Attributes NAME NOT FOUND Length: 16 10:27:55,4909928 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\FolderTypeID NAME NOT FOUND Length: 90 10:27:55,4910288 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\InitFolderHandler NAME NOT FOUND Length: 90 10:27:55,4910748 NOTEPAD.EXE 2604 RegQueryKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE} SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,4911110 NOTEPAD.EXE 2604 RegOpenKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\PropertyBag NAME NOT FOUND Desired Access: Read 10:27:55,4911715 NOTEPAD.EXE 2604 RegQueryKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE} BUFFER TOO SMALL Query: Name, Length: 0 10:27:55,4912151 NOTEPAD.EXE 2604 RegQueryKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE} SUCCESS Query: Name 10:27:55,4912749 NOTEPAD.EXE 2604 RegOpenKey HKLM\SOFTWARE\Microsoft\AppModel\Lookaside\machine\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\PropertyBag NAME NOT FOUND Desired Access: Read 10:27:55,4913346 NOTEPAD.EXE 2604 RegCloseKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE} SUCCESS 10:27:55,4914204 NOTEPAD.EXE 2604 RegQueryKey HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,4914561 NOTEPAD.EXE 2604 RegOpenKey HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1 SUCCESS Desired Access: Query Value 10:27:55,4915041 NOTEPAD.EXE 2604 RegQueryKey HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1 SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,4915493 NOTEPAD.EXE 2604 RegOpenKey HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\KnownFolders NAME NOT FOUND Desired Access: Query Value 10:27:55,4915994 NOTEPAD.EXE 2604 RegQueryKey HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1 BUFFER TOO SMALL Query: Name, Length: 0 10:27:55,4916389 NOTEPAD.EXE 2604 RegQueryKey HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1 SUCCESS Query: Name 10:27:55,4916964 NOTEPAD.EXE 2604 RegOpenKey HKLM\SOFTWARE\Microsoft\AppModel\Lookaside\user\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\KnownFolders NAME NOT FOUND Desired Access: Read 10:27:55,4917819 NOTEPAD.EXE 2604 RegCloseKey HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1 SUCCESS 10:27:55,4918639 NOTEPAD.EXE 2604 RegOpenKey HKCU SUCCESS Desired Access: Read 10:27:55,4919104 NOTEPAD.EXE 2604 RegQueryKey HKCU SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,4919428 NOTEPAD.EXE 2604 RegOpenKey HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders SUCCESS Desired Access: Read 10:27:55,4919965 NOTEPAD.EXE 2604 RegCloseKey HKCU SUCCESS 10:27:55,4920338 NOTEPAD.EXE 2604 RegQueryValue HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE} NAME NOT FOUND Length: 142 10:27:55,4921202 NOTEPAD.EXE 2604 RegQueryKey HKLM SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,4921531 NOTEPAD.EXE 2604 RegOpenKey HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions SUCCESS Desired Access: Read 10:27:55,4921935 NOTEPAD.EXE 2604 RegQueryKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,4922572 NOTEPAD.EXE 2604 RegOpenKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D} SUCCESS Desired Access: Read 10:27:55,4922988 NOTEPAD.EXE 2604 RegCloseKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions SUCCESS 10:27:55,4923303 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\Category SUCCESS Type: REG_DWORD, Length: 4, Data: 4 10:27:55,4923629 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\Name SUCCESS Type: REG_SZ, Length: 16, Data: AppData 10:27:55,4923991 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\ParentFolder NAME NOT FOUND Length: 90 10:27:55,4924315 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\Description NAME NOT FOUND Length: 144 10:27:55,4924622 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\RelativePath SUCCESS Type: REG_SZ, Length: 32, Data: AppData\Roaming 10:27:55,4925828 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\ParsingName NAME NOT FOUND Length: 144 10:27:55,4926132 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\InfoTip NAME NOT FOUND Length: 144 10:27:55,4926430 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\LocalizedName NAME NOT FOUND Length: 144 10:27:55,4926739 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\Icon NAME NOT FOUND Length: 144 10:27:55,4927029 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\Security NAME NOT FOUND Length: 144 10:27:55,4927331 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\StreamResource NAME NOT FOUND Length: 144 10:27:55,4927633 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\StreamResourceType NAME NOT FOUND Length: 144 10:27:55,4927978 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\LocalRedirectOnly NAME NOT FOUND Length: 16 10:27:55,4928394 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\Roamable NAME NOT FOUND Length: 16 10:27:55,4928708 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\PreCreate NAME NOT FOUND Length: 16 10:27:55,4929767 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\Stream NAME NOT FOUND Length: 16 10:27:55,4930220 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\PublishExpandedPath NAME NOT FOUND Length: 16 10:27:55,4930575 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\DefinitionFlags NAME NOT FOUND Length: 16 10:27:55,4932523 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\Attributes NAME NOT FOUND Length: 16 10:27:55,4933042 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\FolderTypeID NAME NOT FOUND Length: 90 10:27:55,4933427 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\InitFolderHandler NAME NOT FOUND Length: 90 10:27:55,4933862 NOTEPAD.EXE 2604 RegQueryKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D} SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,4934235 NOTEPAD.EXE 2604 RegOpenKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\PropertyBag NAME NOT FOUND Desired Access: Read 10:27:55,4934627 NOTEPAD.EXE 2604 RegQueryKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D} BUFFER TOO SMALL Query: Name, Length: 0 10:27:55,4935125 NOTEPAD.EXE 2604 RegQueryKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D} SUCCESS Query: Name 10:27:55,4935662 NOTEPAD.EXE 2604 RegOpenKey HKLM\SOFTWARE\Microsoft\AppModel\Lookaside\machine\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\PropertyBag NAME NOT FOUND Desired Access: Read 10:27:55,4936558 NOTEPAD.EXE 2604 RegCloseKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D} SUCCESS 10:27:55,4937025 NOTEPAD.EXE 2604 RegQueryKey HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,4937393 NOTEPAD.EXE 2604 RegOpenKey HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1 SUCCESS Desired Access: Query Value 10:27:55,4937837 NOTEPAD.EXE 2604 RegQueryKey HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1 SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,4938193 NOTEPAD.EXE 2604 RegOpenKey HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\KnownFolders NAME NOT FOUND Desired Access: Query Value 10:27:55,4938548 NOTEPAD.EXE 2604 RegQueryKey HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1 BUFFER TOO SMALL Query: Name, Length: 0 10:27:55,4939047 NOTEPAD.EXE 2604 RegQueryKey HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1 SUCCESS Query: Name 10:27:55,4940495 NOTEPAD.EXE 2604 RegOpenKey HKLM\SOFTWARE\Microsoft\AppModel\Lookaside\user\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\KnownFolders NAME NOT FOUND Desired Access: Read 10:27:55,4941007 NOTEPAD.EXE 2604 RegCloseKey HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1 SUCCESS 10:27:55,4941339 NOTEPAD.EXE 2604 RegQueryValue HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\AppData SUCCESS Type: REG_EXPAND_SZ, Length: 60, Data: %USERPROFILE%\AppData\Roaming 10:27:55,4942408 NOTEPAD.EXE 2604 RegCloseKey HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders SUCCESS 10:27:55,4943295 NOTEPAD.EXE 2604 RegQueryKey HKCU\Software\Classes SUCCESS Query: Name 10:27:55,4944000 NOTEPAD.EXE 2604 RegQueryKey HKCU\Software\Classes SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,4945552 NOTEPAD.EXE 2604 RegQueryKey HKCU\Software\Classes SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,4947092 NOTEPAD.EXE 2604 RegOpenKey HKCU\Software\Classes\Drive\shellex\FolderExtensions NAME NOT FOUND Desired Access: Enumerate Sub Keys 10:27:55,4947694 NOTEPAD.EXE 2604 RegOpenKey HKCR\Drive\shellex\FolderExtensions SUCCESS Desired Access: Enumerate Sub Keys 10:27:55,4948752 NOTEPAD.EXE 2604 RegQueryKey HKCR\Drive\shellex\FolderExtensions SUCCESS Query: Name 10:27:55,4950412 NOTEPAD.EXE 2604 RegQueryKey HKCR\Drive\shellex\FolderExtensions SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,4951188 NOTEPAD.EXE 2604 RegOpenKey HKCU\Software\Classes\Drive\shellex\FolderExtensions NAME NOT FOUND Desired Access: Maximum Allowed 10:27:55,4951718 NOTEPAD.EXE 2604 RegEnumKey HKCR\Drive\shellex\FolderExtensions SUCCESS Index: 0, Name: {fbeb8a05-beee-4442-804e-409d6c4515e9} 10:27:55,4952171 NOTEPAD.EXE 2604 RegQueryKey HKCU\Software\Classes SUCCESS Query: Name 10:27:55,4952611 NOTEPAD.EXE 2604 RegQueryKey HKCU\Software\Classes SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,4952939 NOTEPAD.EXE 2604 RegQueryKey HKCU\Software\Classes SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,4953439 NOTEPAD.EXE 2604 RegOpenKey HKCU\Software\Classes\Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9} NAME NOT FOUND Desired Access: Query Value 10:27:55,4953975 NOTEPAD.EXE 2604 RegOpenKey HKCR\Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9} SUCCESS Desired Access: Query Value 10:27:55,4954552 NOTEPAD.EXE 2604 RegQueryKey HKCR\Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9} SUCCESS Query: Name 10:27:55,4955398 NOTEPAD.EXE 2604 RegQueryKey HKCR\Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9} SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,4955873 NOTEPAD.EXE 2604 RegOpenKey HKCU\Software\Classes\Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9} NAME NOT FOUND Desired Access: Maximum Allowed 10:27:55,4956323 NOTEPAD.EXE 2604 RegQueryValue HKCR\Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9}\DriveMask SUCCESS Type: REG_DWORD, Length: 4, Data: 32 10:27:55,4956764 NOTEPAD.EXE 2604 RegCloseKey HKCR\Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9} SUCCESS 10:27:55,4957186 NOTEPAD.EXE 2604 RegEnumKey HKCR\Drive\shellex\FolderExtensions NO MORE ENTRIES Index: 1, Length: 288 10:27:55,4957592 NOTEPAD.EXE 2604 RegCloseKey HKCR\Drive\shellex\FolderExtensions SUCCESS 10:27:55,4958737 NOTEPAD.EXE 2604 RegQueryKey HKLM SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,4959684 NOTEPAD.EXE 2604 RegOpenKey HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions SUCCESS Desired Access: Read 10:27:55,4960432 NOTEPAD.EXE 2604 RegQueryKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,4960991 NOTEPAD.EXE 2604 RegOpenKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{F42EE2D3-909F-4907-8871-4C22FC0BF756} SUCCESS Desired Access: Read 10:27:55,4961842 NOTEPAD.EXE 2604 RegCloseKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions SUCCESS 10:27:55,4962636 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{f42ee2d3-909f-4907-8871-4c22fc0bf756}\Category SUCCESS Type: REG_DWORD, Length: 4, Data: 4 10:27:55,4964031 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{f42ee2d3-909f-4907-8871-4c22fc0bf756}\Name SUCCESS Type: REG_SZ, Length: 32, Data: Local Documents 10:27:55,4965110 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{f42ee2d3-909f-4907-8871-4c22fc0bf756}\ParentFolder NAME NOT FOUND Length: 90 10:27:55,4966278 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{f42ee2d3-909f-4907-8871-4c22fc0bf756}\Description NAME NOT FOUND Length: 144 10:27:55,4967092 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{f42ee2d3-909f-4907-8871-4c22fc0bf756}\RelativePath SUCCESS Type: REG_SZ, Length: 20, Data: Documents 10:27:55,4968234 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{f42ee2d3-909f-4907-8871-4c22fc0bf756}\ParsingName BUFFER OVERFLOW Length: 144 10:27:55,4969224 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{f42ee2d3-909f-4907-8871-4c22fc0bf756}\ParsingName SUCCESS Type: REG_SZ, Length: 176, Data: shell:::{20D04FE0-3AEA-1069-A2D8-08002B30309D}\::{d3162b92-9365-467a-956b-92703aca08af} 10:27:55,4971556 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{f42ee2d3-909f-4907-8871-4c22fc0bf756}\InfoTip NAME NOT FOUND Length: 144 10:27:55,4973140 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{f42ee2d3-909f-4907-8871-4c22fc0bf756}\LocalizedName SUCCESS Type: REG_EXPAND_SZ, Length: 84, Data: @%SystemRoot%\system32\shell32.dll,-21770 10:27:55,4974017 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{f42ee2d3-909f-4907-8871-4c22fc0bf756}\Icon SUCCESS Type: REG_EXPAND_SZ, Length: 80, Data: %SystemRoot%\system32\imageres.dll,-112 10:27:55,4975455 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{f42ee2d3-909f-4907-8871-4c22fc0bf756}\Security NAME NOT FOUND Length: 144 10:27:55,4976211 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{f42ee2d3-909f-4907-8871-4c22fc0bf756}\StreamResource NAME NOT FOUND Length: 144 10:27:55,4976810 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{f42ee2d3-909f-4907-8871-4c22fc0bf756}\StreamResourceType NAME NOT FOUND Length: 144 10:27:55,4977573 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{f42ee2d3-909f-4907-8871-4c22fc0bf756}\LocalRedirectOnly NAME NOT FOUND Length: 16 10:27:55,4979126 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{f42ee2d3-909f-4907-8871-4c22fc0bf756}\Roamable NAME NOT FOUND Length: 16 10:27:55,4981011 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{f42ee2d3-909f-4907-8871-4c22fc0bf756}\PreCreate SUCCESS Type: REG_DWORD, Length: 4, Data: 1 10:27:55,4981775 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{f42ee2d3-909f-4907-8871-4c22fc0bf756}\Stream NAME NOT FOUND Length: 16 10:27:55,4983028 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{f42ee2d3-909f-4907-8871-4c22fc0bf756}\PublishExpandedPath NAME NOT FOUND Length: 16 10:27:55,4984873 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{f42ee2d3-909f-4907-8871-4c22fc0bf756}\DefinitionFlags NAME NOT FOUND Length: 16 10:27:55,4986663 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{f42ee2d3-909f-4907-8871-4c22fc0bf756}\Attributes SUCCESS Type: REG_DWORD, Length: 4, Data: 1 10:27:55,4988364 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{f42ee2d3-909f-4907-8871-4c22fc0bf756}\FolderTypeID NAME NOT FOUND Length: 90 10:27:55,4990420 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{f42ee2d3-909f-4907-8871-4c22fc0bf756}\InitFolderHandler NAME NOT FOUND Length: 90 10:27:55,4991861 NOTEPAD.EXE 2604 RegQueryKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{f42ee2d3-909f-4907-8871-4c22fc0bf756} SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,4993194 NOTEPAD.EXE 2604 RegOpenKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{f42ee2d3-909f-4907-8871-4c22fc0bf756}\PropertyBag SUCCESS Desired Access: Read 10:27:55,4993823 NOTEPAD.EXE 2604 RegCloseKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{f42ee2d3-909f-4907-8871-4c22fc0bf756} SUCCESS 10:27:55,4994992 NOTEPAD.EXE 2604 RegQueryKey HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,4995371 NOTEPAD.EXE 2604 RegOpenKey HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1 SUCCESS Desired Access: Query Value 10:27:55,4995928 NOTEPAD.EXE 2604 RegQueryKey HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1 SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,4996326 NOTEPAD.EXE 2604 RegOpenKey HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\KnownFolders NAME NOT FOUND Desired Access: Query Value 10:27:55,4996740 NOTEPAD.EXE 2604 RegQueryKey HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1 BUFFER TOO SMALL Query: Name, Length: 0 10:27:55,4997171 NOTEPAD.EXE 2604 RegQueryKey HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1 SUCCESS Query: Name 10:27:55,4997820 NOTEPAD.EXE 2604 RegOpenKey HKLM\SOFTWARE\Microsoft\AppModel\Lookaside\user\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\KnownFolders NAME NOT FOUND Desired Access: Read 10:27:55,4998358 NOTEPAD.EXE 2604 RegCloseKey HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1 SUCCESS 10:27:55,4998807 NOTEPAD.EXE 2604 RegOpenKey HKCU SUCCESS Desired Access: Read 10:27:55,5000181 NOTEPAD.EXE 2604 RegQueryKey HKCU SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,5000597 NOTEPAD.EXE 2604 RegOpenKey HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders SUCCESS Desired Access: Read 10:27:55,5001120 NOTEPAD.EXE 2604 RegCloseKey HKCU SUCCESS 10:27:55,5001555 NOTEPAD.EXE 2604 RegQueryValue HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\{F42EE2D3-909F-4907-8871-4C22FC0BF756} SUCCESS Type: REG_EXPAND_SZ, Length: 26, Data: D:\Documents 10:27:55,5002428 NOTEPAD.EXE 2604 RegCloseKey HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders SUCCESS 10:27:55,5005028 NOTEPAD.EXE 2604 RegQueryKey HKCU\Software\Classes SUCCESS Query: Name 10:27:55,5005532 NOTEPAD.EXE 2604 RegQueryKey HKCU\Software\Classes SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,5005884 NOTEPAD.EXE 2604 RegQueryKey HKCU\Software\Classes SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,5006599 NOTEPAD.EXE 2604 RegOpenKey HKCU\Software\Classes\Drive\shellex\FolderExtensions NAME NOT FOUND Desired Access: Enumerate Sub Keys 10:27:55,5007158 NOTEPAD.EXE 2604 RegOpenKey HKCR\Drive\shellex\FolderExtensions SUCCESS Desired Access: Enumerate Sub Keys 10:27:55,5007915 NOTEPAD.EXE 2604 RegQueryKey HKCR\Drive\shellex\FolderExtensions SUCCESS Query: Name 10:27:55,5008514 NOTEPAD.EXE 2604 RegQueryKey HKCR\Drive\shellex\FolderExtensions SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,5009151 NOTEPAD.EXE 2604 RegOpenKey HKCU\Software\Classes\Drive\shellex\FolderExtensions NAME NOT FOUND Desired Access: Maximum Allowed 10:27:55,5009731 NOTEPAD.EXE 2604 RegEnumKey HKCR\Drive\shellex\FolderExtensions SUCCESS Index: 0, Name: {fbeb8a05-beee-4442-804e-409d6c4515e9} 10:27:55,5011008 NOTEPAD.EXE 2604 RegQueryKey HKCU\Software\Classes SUCCESS Query: Name 10:27:55,5012511 NOTEPAD.EXE 2604 RegQueryKey HKCU\Software\Classes SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,5012857 NOTEPAD.EXE 2604 RegQueryKey HKCU\Software\Classes SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,5013280 NOTEPAD.EXE 2604 RegOpenKey HKCU\Software\Classes\Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9} NAME NOT FOUND Desired Access: Query Value 10:27:55,5014150 NOTEPAD.EXE 2604 RegOpenKey HKCR\Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9} SUCCESS Desired Access: Query Value 10:27:55,5014793 NOTEPAD.EXE 2604 RegQueryKey HKCR\Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9} SUCCESS Query: Name 10:27:55,5015220 NOTEPAD.EXE 2604 RegQueryKey HKCR\Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9} SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,5015705 NOTEPAD.EXE 2604 RegOpenKey HKCU\Software\Classes\Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9} NAME NOT FOUND Desired Access: Maximum Allowed 10:27:55,5016200 NOTEPAD.EXE 2604 RegQueryValue HKCR\Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9}\DriveMask SUCCESS Type: REG_DWORD, Length: 4, Data: 32 10:27:55,5016760 NOTEPAD.EXE 2604 RegCloseKey HKCR\Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9} SUCCESS 10:27:55,5018903 NOTEPAD.EXE 2604 RegEnumKey HKCR\Drive\shellex\FolderExtensions NO MORE ENTRIES Index: 1, Length: 288 10:27:55,5019566 NOTEPAD.EXE 2604 RegCloseKey HKCR\Drive\shellex\FolderExtensions SUCCESS 10:27:55,5022540 NOTEPAD.EXE 2604 CreateFile D:\Documents\desktop.ini SUCCESS Desired Access: Generic Read, Disposition: Open, Options: Sequential Access, Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened 10:27:55,5024016 NOTEPAD.EXE 2604 QueryStandardInformationFile D:\Documents\desktop.ini SUCCESS AllocationSize: 400, EndOfFile: 398, NumberOfLinks: 1, DeletePending: False, Directory: False 10:27:55,5024449 NOTEPAD.EXE 2604 ReadFile D:\Documents\desktop.ini SUCCESS Offset: 0, Length: 398, Priority: Normal 10:27:55,5025533 NOTEPAD.EXE 2604 QueryBasicInformationFile D:\Documents\desktop.ini SUCCESS CreationTime: 18/06/2014 23:01:36, LastAccessTime: 09/08/2023 10:27:55, LastWriteTime: 17/08/2020 17:46:36, ChangeTime: 17/08/2020 17:46:36, FileAttributes: HSA 10:27:55,5025910 NOTEPAD.EXE 2604 CloseFile D:\Documents\desktop.ini SUCCESS 10:27:55,5027151 NOTEPAD.EXE 2604 RegQueryKey HKLM SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,5027841 NOTEPAD.EXE 2604 RegOpenKey HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions SUCCESS Desired Access: Read 10:27:55,5028370 NOTEPAD.EXE 2604 RegQueryKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,5028713 NOTEPAD.EXE 2604 RegOpenKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A0C69A99-21C8-4671-8703-7934162FCF1D} SUCCESS Desired Access: Read 10:27:55,5029139 NOTEPAD.EXE 2604 RegCloseKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions SUCCESS 10:27:55,5029477 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{a0c69a99-21c8-4671-8703-7934162fcf1d}\Category SUCCESS Type: REG_DWORD, Length: 4, Data: 4 10:27:55,5029849 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{a0c69a99-21c8-4671-8703-7934162fcf1d}\Name SUCCESS Type: REG_SZ, Length: 24, Data: Local Music 10:27:55,5030228 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{a0c69a99-21c8-4671-8703-7934162fcf1d}\ParentFolder NAME NOT FOUND Length: 90 10:27:55,5030580 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{a0c69a99-21c8-4671-8703-7934162fcf1d}\Description NAME NOT FOUND Length: 144 10:27:55,5030911 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{a0c69a99-21c8-4671-8703-7934162fcf1d}\RelativePath SUCCESS Type: REG_SZ, Length: 12, Data: Music 10:27:55,5031280 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{a0c69a99-21c8-4671-8703-7934162fcf1d}\ParsingName BUFFER OVERFLOW Length: 144 10:27:55,5031663 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{a0c69a99-21c8-4671-8703-7934162fcf1d}\ParsingName SUCCESS Type: REG_SZ, Length: 176, Data: shell:::{20D04FE0-3AEA-1069-A2D8-08002B30309D}\::{3dfdf296-dbec-4fb4-81d1-6a3438bcf4de} 10:27:55,5032147 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{a0c69a99-21c8-4671-8703-7934162fcf1d}\InfoTip SUCCESS Type: REG_EXPAND_SZ, Length: 84, Data: @%SystemRoot%\system32\shell32.dll,-12689 10:27:55,5032522 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{a0c69a99-21c8-4671-8703-7934162fcf1d}\LocalizedName SUCCESS Type: REG_EXPAND_SZ, Length: 84, Data: @%SystemRoot%\system32\shell32.dll,-21790 10:27:55,5032867 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{a0c69a99-21c8-4671-8703-7934162fcf1d}\Icon SUCCESS Type: REG_EXPAND_SZ, Length: 80, Data: %SystemRoot%\system32\imageres.dll,-108 10:27:55,5034545 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{a0c69a99-21c8-4671-8703-7934162fcf1d}\Security NAME NOT FOUND Length: 144 10:27:55,5034962 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{a0c69a99-21c8-4671-8703-7934162fcf1d}\StreamResource NAME NOT FOUND Length: 144 10:27:55,5035324 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{a0c69a99-21c8-4671-8703-7934162fcf1d}\StreamResourceType NAME NOT FOUND Length: 144 10:27:55,5035657 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{a0c69a99-21c8-4671-8703-7934162fcf1d}\LocalRedirectOnly NAME NOT FOUND Length: 16 10:27:55,5036117 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{a0c69a99-21c8-4671-8703-7934162fcf1d}\Roamable NAME NOT FOUND Length: 16 10:27:55,5036785 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{a0c69a99-21c8-4671-8703-7934162fcf1d}\PreCreate SUCCESS Type: REG_DWORD, Length: 4, Data: 1 10:27:55,5037237 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{a0c69a99-21c8-4671-8703-7934162fcf1d}\Stream NAME NOT FOUND Length: 16 10:27:55,5038267 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{a0c69a99-21c8-4671-8703-7934162fcf1d}\PublishExpandedPath NAME NOT FOUND Length: 16 10:27:55,5038670 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{a0c69a99-21c8-4671-8703-7934162fcf1d}\DefinitionFlags NAME NOT FOUND Length: 16 10:27:55,5039013 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{a0c69a99-21c8-4671-8703-7934162fcf1d}\Attributes SUCCESS Type: REG_DWORD, Length: 4, Data: 1 10:27:55,5039435 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{a0c69a99-21c8-4671-8703-7934162fcf1d}\FolderTypeID NAME NOT FOUND Length: 90 10:27:55,5039759 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{a0c69a99-21c8-4671-8703-7934162fcf1d}\InitFolderHandler NAME NOT FOUND Length: 90 10:27:55,5040357 NOTEPAD.EXE 2604 RegQueryKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{a0c69a99-21c8-4671-8703-7934162fcf1d} SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,5040888 NOTEPAD.EXE 2604 RegOpenKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{a0c69a99-21c8-4671-8703-7934162fcf1d}\PropertyBag SUCCESS Desired Access: Read 10:27:55,5041509 NOTEPAD.EXE 2604 RegCloseKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{a0c69a99-21c8-4671-8703-7934162fcf1d} SUCCESS 10:27:55,5042711 NOTEPAD.EXE 2604 RegQueryKey HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,5043872 NOTEPAD.EXE 2604 RegOpenKey HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1 SUCCESS Desired Access: Query Value 10:27:55,5045350 NOTEPAD.EXE 2604 RegQueryKey HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1 SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,5046821 NOTEPAD.EXE 2604 RegOpenKey HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\KnownFolders NAME NOT FOUND Desired Access: Query Value 10:27:55,5047812 NOTEPAD.EXE 2604 RegQueryKey HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1 BUFFER TOO SMALL Query: Name, Length: 0 10:27:55,5049067 NOTEPAD.EXE 2604 RegQueryKey HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1 SUCCESS Query: Name 10:27:55,5050054 NOTEPAD.EXE 2604 RegOpenKey HKLM\SOFTWARE\Microsoft\AppModel\Lookaside\user\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\KnownFolders NAME NOT FOUND Desired Access: Read 10:27:55,5050637 NOTEPAD.EXE 2604 RegCloseKey HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1 SUCCESS 10:27:55,5051088 NOTEPAD.EXE 2604 RegOpenKey HKCU SUCCESS Desired Access: Read 10:27:55,5051687 NOTEPAD.EXE 2604 RegQueryKey HKCU SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,5052695 NOTEPAD.EXE 2604 RegOpenKey HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders SUCCESS Desired Access: Read 10:27:55,5053498 NOTEPAD.EXE 2604 RegCloseKey HKCU SUCCESS 10:27:55,5054156 NOTEPAD.EXE 2604 RegQueryValue HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\{A0C69A99-21C8-4671-8703-7934162FCF1D} SUCCESS Type: REG_EXPAND_SZ, Length: 18, Data: D:\Music 10:27:55,5055787 NOTEPAD.EXE 2604 RegCloseKey HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders SUCCESS 10:27:55,5059527 NOTEPAD.EXE 2604 CreateFile D:\Music\desktop.ini SUCCESS Desired Access: Generic Read, Disposition: Open, Options: Sequential Access, Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened 10:27:55,5061232 NOTEPAD.EXE 2604 QueryStandardInformationFile D:\Music\desktop.ini SUCCESS AllocationSize: 504, EndOfFile: 500, NumberOfLinks: 1, DeletePending: False, Directory: False 10:27:55,5061940 NOTEPAD.EXE 2604 ReadFile D:\Music\desktop.ini SUCCESS Offset: 0, Length: 500, Priority: Normal 10:27:55,5063256 NOTEPAD.EXE 2604 QueryBasicInformationFile D:\Music\desktop.ini SUCCESS CreationTime: 18/06/2014 23:01:38, LastAccessTime: 09/08/2023 10:27:55, LastWriteTime: 17/08/2020 17:46:36, ChangeTime: 17/08/2020 17:46:36, FileAttributes: HSA 10:27:55,5063653 NOTEPAD.EXE 2604 CloseFile D:\Music\desktop.ini SUCCESS 10:27:55,5065734 NOTEPAD.EXE 2604 RegQueryKey HKLM SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,5066395 NOTEPAD.EXE 2604 RegOpenKey HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions SUCCESS Desired Access: Read 10:27:55,5068267 NOTEPAD.EXE 2604 RegQueryKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,5069209 NOTEPAD.EXE 2604 RegOpenKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{0DDD015D-B06C-45D5-8C4C-F59713854639} SUCCESS Desired Access: Read 10:27:55,5070229 NOTEPAD.EXE 2604 RegCloseKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions SUCCESS 10:27:55,5071221 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{0ddd015d-b06c-45d5-8c4c-f59713854639}\Category SUCCESS Type: REG_DWORD, Length: 4, Data: 4 10:27:55,5074650 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{0ddd015d-b06c-45d5-8c4c-f59713854639}\Name SUCCESS Type: REG_SZ, Length: 30, Data: Local Pictures 10:27:55,5075863 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{0ddd015d-b06c-45d5-8c4c-f59713854639}\ParentFolder NAME NOT FOUND Length: 90 10:27:55,5076888 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{0ddd015d-b06c-45d5-8c4c-f59713854639}\Description NAME NOT FOUND Length: 144 10:27:55,5078637 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{0ddd015d-b06c-45d5-8c4c-f59713854639}\RelativePath SUCCESS Type: REG_SZ, Length: 18, Data: Pictures 10:27:55,5079913 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{0ddd015d-b06c-45d5-8c4c-f59713854639}\ParsingName BUFFER OVERFLOW Length: 144 10:27:55,5081123 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{0ddd015d-b06c-45d5-8c4c-f59713854639}\ParsingName SUCCESS Type: REG_SZ, Length: 176, Data: shell:::{20D04FE0-3AEA-1069-A2D8-08002B30309D}\::{24ad3ad4-a569-4530-98e1-ab02f9417aa8} 10:27:55,5082183 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{0ddd015d-b06c-45d5-8c4c-f59713854639}\InfoTip SUCCESS Type: REG_EXPAND_SZ, Length: 84, Data: @%SystemRoot%\system32\shell32.dll,-12688 10:27:55,5083072 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{0ddd015d-b06c-45d5-8c4c-f59713854639}\LocalizedName SUCCESS Type: REG_EXPAND_SZ, Length: 84, Data: @%SystemRoot%\system32\shell32.dll,-21779 10:27:55,5084212 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{0ddd015d-b06c-45d5-8c4c-f59713854639}\Icon SUCCESS Type: REG_EXPAND_SZ, Length: 80, Data: %SystemRoot%\system32\imageres.dll,-113 10:27:55,5085504 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{0ddd015d-b06c-45d5-8c4c-f59713854639}\Security NAME NOT FOUND Length: 144 10:27:55,5085962 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{0ddd015d-b06c-45d5-8c4c-f59713854639}\StreamResource NAME NOT FOUND Length: 144 10:27:55,5086443 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{0ddd015d-b06c-45d5-8c4c-f59713854639}\StreamResourceType NAME NOT FOUND Length: 144 10:27:55,5086977 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{0ddd015d-b06c-45d5-8c4c-f59713854639}\LocalRedirectOnly NAME NOT FOUND Length: 16 10:27:55,5087478 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{0ddd015d-b06c-45d5-8c4c-f59713854639}\Roamable NAME NOT FOUND Length: 16 10:27:55,5087866 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{0ddd015d-b06c-45d5-8c4c-f59713854639}\PreCreate SUCCESS Type: REG_DWORD, Length: 4, Data: 1 10:27:55,5088239 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{0ddd015d-b06c-45d5-8c4c-f59713854639}\Stream NAME NOT FOUND Length: 16 10:27:55,5089193 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{0ddd015d-b06c-45d5-8c4c-f59713854639}\PublishExpandedPath NAME NOT FOUND Length: 16 10:27:55,5090392 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{0ddd015d-b06c-45d5-8c4c-f59713854639}\DefinitionFlags NAME NOT FOUND Length: 16 10:27:55,5091232 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{0ddd015d-b06c-45d5-8c4c-f59713854639}\Attributes SUCCESS Type: REG_DWORD, Length: 4, Data: 1 10:27:55,5091752 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{0ddd015d-b06c-45d5-8c4c-f59713854639}\FolderTypeID NAME NOT FOUND Length: 90 10:27:55,5092271 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{0ddd015d-b06c-45d5-8c4c-f59713854639}\InitFolderHandler NAME NOT FOUND Length: 90 10:27:55,5092761 NOTEPAD.EXE 2604 RegQueryKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{0ddd015d-b06c-45d5-8c4c-f59713854639} SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,5093219 NOTEPAD.EXE 2604 RegOpenKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{0ddd015d-b06c-45d5-8c4c-f59713854639}\PropertyBag SUCCESS Desired Access: Read 10:27:55,5093858 NOTEPAD.EXE 2604 RegCloseKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{0ddd015d-b06c-45d5-8c4c-f59713854639} SUCCESS 10:27:55,5095316 NOTEPAD.EXE 2604 RegQueryKey HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,5095771 NOTEPAD.EXE 2604 RegOpenKey HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1 SUCCESS Desired Access: Query Value 10:27:55,5096288 NOTEPAD.EXE 2604 RegQueryKey HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1 SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,5096680 NOTEPAD.EXE 2604 RegOpenKey HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\KnownFolders NAME NOT FOUND Desired Access: Query Value 10:27:55,5097060 NOTEPAD.EXE 2604 RegQueryKey HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1 BUFFER TOO SMALL Query: Name, Length: 0 10:27:55,5097620 NOTEPAD.EXE 2604 RegQueryKey HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1 SUCCESS Query: Name 10:27:55,5098648 NOTEPAD.EXE 2604 RegOpenKey HKLM\SOFTWARE\Microsoft\AppModel\Lookaside\user\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\KnownFolders NAME NOT FOUND Desired Access: Read 10:27:55,5099765 NOTEPAD.EXE 2604 RegCloseKey HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1 SUCCESS 10:27:55,5100792 NOTEPAD.EXE 2604 RegOpenKey HKCU SUCCESS Desired Access: Read 10:27:55,5101276 NOTEPAD.EXE 2604 RegQueryKey HKCU SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,5101625 NOTEPAD.EXE 2604 RegOpenKey HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders SUCCESS Desired Access: Read 10:27:55,5102249 NOTEPAD.EXE 2604 RegCloseKey HKCU SUCCESS 10:27:55,5102973 NOTEPAD.EXE 2604 RegQueryValue HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\{0DDD015D-B06C-45D5-8C4C-F59713854639} SUCCESS Type: REG_EXPAND_SZ, Length: 24, Data: D:\Pictures 10:27:55,5103751 NOTEPAD.EXE 2604 RegCloseKey HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders SUCCESS 10:27:55,5106850 NOTEPAD.EXE 2604 CreateFile D:\Pictures\desktop.ini SUCCESS Desired Access: Generic Read, Disposition: Open, Options: Sequential Access, Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened 10:27:55,5108220 NOTEPAD.EXE 2604 QueryStandardInformationFile D:\Pictures\desktop.ini SUCCESS AllocationSize: 504, EndOfFile: 500, NumberOfLinks: 1, DeletePending: False, Directory: False 10:27:55,5108837 NOTEPAD.EXE 2604 ReadFile D:\Pictures\desktop.ini SUCCESS Offset: 0, Length: 500, Priority: Normal 10:27:55,5110154 NOTEPAD.EXE 2604 QueryBasicInformationFile D:\Pictures\desktop.ini SUCCESS CreationTime: 18/06/2014 23:01:37, LastAccessTime: 09/08/2023 10:27:55, LastWriteTime: 17/08/2020 17:46:36, ChangeTime: 17/08/2020 17:46:36, FileAttributes: HSA 10:27:55,5110631 NOTEPAD.EXE 2604 CloseFile D:\Pictures\desktop.ini SUCCESS 10:27:55,5111937 NOTEPAD.EXE 2604 RegQueryKey HKLM SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,5112324 NOTEPAD.EXE 2604 RegOpenKey HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions SUCCESS Desired Access: Read 10:27:55,5112897 NOTEPAD.EXE 2604 RegQueryKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,5113671 NOTEPAD.EXE 2604 RegOpenKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{35286A68-3C57-41A1-BBB1-0EAE73D76C95} SUCCESS Desired Access: Read 10:27:55,5114166 NOTEPAD.EXE 2604 RegCloseKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions SUCCESS 10:27:55,5114598 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{35286a68-3c57-41a1-bbb1-0eae73d76c95}\Category SUCCESS Type: REG_DWORD, Length: 4, Data: 4 10:27:55,5114979 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{35286a68-3c57-41a1-bbb1-0eae73d76c95}\Name SUCCESS Type: REG_SZ, Length: 26, Data: Local Videos 10:27:55,5115639 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{35286a68-3c57-41a1-bbb1-0eae73d76c95}\ParentFolder NAME NOT FOUND Length: 90 10:27:55,5116092 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{35286a68-3c57-41a1-bbb1-0eae73d76c95}\Description NAME NOT FOUND Length: 144 10:27:55,5116476 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{35286a68-3c57-41a1-bbb1-0eae73d76c95}\RelativePath SUCCESS Type: REG_SZ, Length: 14, Data: Videos 10:27:55,5117057 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{35286a68-3c57-41a1-bbb1-0eae73d76c95}\ParsingName BUFFER OVERFLOW Length: 144 10:27:55,5117547 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{35286a68-3c57-41a1-bbb1-0eae73d76c95}\ParsingName SUCCESS Type: REG_SZ, Length: 176, Data: shell:::{20D04FE0-3AEA-1069-A2D8-08002B30309D}\::{f86fa3ab-70d2-4fc7-9c99-fcbf05467f3a} 10:27:55,5117929 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{35286a68-3c57-41a1-bbb1-0eae73d76c95}\InfoTip SUCCESS Type: REG_EXPAND_SZ, Length: 84, Data: @%SystemRoot%\system32\shell32.dll,-12690 10:27:55,5118312 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{35286a68-3c57-41a1-bbb1-0eae73d76c95}\LocalizedName SUCCESS Type: REG_EXPAND_SZ, Length: 84, Data: @%SystemRoot%\system32\shell32.dll,-21791 10:27:55,5118665 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{35286a68-3c57-41a1-bbb1-0eae73d76c95}\Icon SUCCESS Type: REG_EXPAND_SZ, Length: 80, Data: %SystemRoot%\system32\imageres.dll,-189 10:27:55,5119047 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{35286a68-3c57-41a1-bbb1-0eae73d76c95}\Security NAME NOT FOUND Length: 144 10:27:55,5119371 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{35286a68-3c57-41a1-bbb1-0eae73d76c95}\StreamResource NAME NOT FOUND Length: 144 10:27:55,5119717 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{35286a68-3c57-41a1-bbb1-0eae73d76c95}\StreamResourceType NAME NOT FOUND Length: 144 10:27:55,5120196 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{35286a68-3c57-41a1-bbb1-0eae73d76c95}\LocalRedirectOnly NAME NOT FOUND Length: 16 10:27:55,5120699 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{35286a68-3c57-41a1-bbb1-0eae73d76c95}\Roamable NAME NOT FOUND Length: 16 10:27:55,5121098 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{35286a68-3c57-41a1-bbb1-0eae73d76c95}\PreCreate SUCCESS Type: REG_DWORD, Length: 4, Data: 1 10:27:55,5121517 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{35286a68-3c57-41a1-bbb1-0eae73d76c95}\Stream NAME NOT FOUND Length: 16 10:27:55,5121835 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{35286a68-3c57-41a1-bbb1-0eae73d76c95}\PublishExpandedPath NAME NOT FOUND Length: 16 10:27:55,5122153 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{35286a68-3c57-41a1-bbb1-0eae73d76c95}\DefinitionFlags NAME NOT FOUND Length: 16 10:27:55,5122519 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{35286a68-3c57-41a1-bbb1-0eae73d76c95}\Attributes SUCCESS Type: REG_DWORD, Length: 4, Data: 1 10:27:55,5122887 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{35286a68-3c57-41a1-bbb1-0eae73d76c95}\FolderTypeID NAME NOT FOUND Length: 90 10:27:55,5123213 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{35286a68-3c57-41a1-bbb1-0eae73d76c95}\InitFolderHandler NAME NOT FOUND Length: 90 10:27:55,5123636 NOTEPAD.EXE 2604 RegQueryKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{35286a68-3c57-41a1-bbb1-0eae73d76c95} SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,5124002 NOTEPAD.EXE 2604 RegOpenKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{35286a68-3c57-41a1-bbb1-0eae73d76c95}\PropertyBag SUCCESS Desired Access: Read 10:27:55,5124488 NOTEPAD.EXE 2604 RegCloseKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{35286a68-3c57-41a1-bbb1-0eae73d76c95} SUCCESS 10:27:55,5125221 NOTEPAD.EXE 2604 RegQueryKey HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,5125604 NOTEPAD.EXE 2604 RegOpenKey HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1 SUCCESS Desired Access: Query Value 10:27:55,5126276 NOTEPAD.EXE 2604 RegQueryKey HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1 SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,5126797 NOTEPAD.EXE 2604 RegOpenKey HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\KnownFolders NAME NOT FOUND Desired Access: Query Value 10:27:55,5127261 NOTEPAD.EXE 2604 RegQueryKey HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1 BUFFER TOO SMALL Query: Name, Length: 0 10:27:55,5127704 NOTEPAD.EXE 2604 RegQueryKey HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1 SUCCESS Query: Name 10:27:55,5128353 NOTEPAD.EXE 2604 RegOpenKey HKLM\SOFTWARE\Microsoft\AppModel\Lookaside\user\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\KnownFolders NAME NOT FOUND Desired Access: Read 10:27:55,5128898 NOTEPAD.EXE 2604 RegCloseKey HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1 SUCCESS 10:27:55,5129343 NOTEPAD.EXE 2604 RegOpenKey HKCU SUCCESS Desired Access: Read 10:27:55,5129810 NOTEPAD.EXE 2604 RegQueryKey HKCU SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,5130270 NOTEPAD.EXE 2604 RegOpenKey HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders SUCCESS Desired Access: Read 10:27:55,5130764 NOTEPAD.EXE 2604 RegCloseKey HKCU SUCCESS 10:27:55,5131116 NOTEPAD.EXE 2604 RegQueryValue HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\{35286A68-3C57-41A1-BBB1-0EAE73D76C95} NAME NOT FOUND Length: 142 10:27:55,5131768 NOTEPAD.EXE 2604 RegQueryKey HKLM SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,5132149 NOTEPAD.EXE 2604 RegOpenKey HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions SUCCESS Desired Access: Read 10:27:55,5132685 NOTEPAD.EXE 2604 RegQueryKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,5133041 NOTEPAD.EXE 2604 RegOpenKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173} SUCCESS Desired Access: Read 10:27:55,5133600 NOTEPAD.EXE 2604 RegCloseKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions SUCCESS 10:27:55,5134164 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\Category SUCCESS Type: REG_DWORD, Length: 4, Data: 2 10:27:55,5134557 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\Name SUCCESS Type: REG_SZ, Length: 16, Data: Profile 10:27:55,5135251 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\ParentFolder NAME NOT FOUND Length: 90 10:27:55,5135784 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\Description NAME NOT FOUND Length: 144 10:27:55,5136149 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\RelativePath NAME NOT FOUND Length: 144 10:27:55,5136494 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\ParsingName NAME NOT FOUND Length: 144 10:27:55,5136903 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\InfoTip NAME NOT FOUND Length: 144 10:27:55,5137227 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\LocalizedName NAME NOT FOUND Length: 144 10:27:55,5137561 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\Icon NAME NOT FOUND Length: 144 10:27:55,5137896 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\Security NAME NOT FOUND Length: 144 10:27:55,5138226 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\StreamResource NAME NOT FOUND Length: 144 10:27:55,5138684 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\StreamResourceType NAME NOT FOUND Length: 144 10:27:55,5139015 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\LocalRedirectOnly NAME NOT FOUND Length: 16 10:27:55,5139387 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\Roamable NAME NOT FOUND Length: 16 10:27:55,5139694 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\PreCreate NAME NOT FOUND Length: 16 10:27:55,5140026 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\Stream NAME NOT FOUND Length: 16 10:27:55,5140410 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\PublishExpandedPath NAME NOT FOUND Length: 16 10:27:55,5141079 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\DefinitionFlags NAME NOT FOUND Length: 16 10:27:55,5141422 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\Attributes NAME NOT FOUND Length: 16 10:27:55,5141875 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\FolderTypeID NAME NOT FOUND Length: 90 10:27:55,5142206 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\InitFolderHandler NAME NOT FOUND Length: 90 10:27:55,5142600 NOTEPAD.EXE 2604 RegQueryKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173} SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,5142992 NOTEPAD.EXE 2604 RegOpenKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\PropertyBag NAME NOT FOUND Desired Access: Read 10:27:55,5143411 NOTEPAD.EXE 2604 RegQueryKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173} BUFFER TOO SMALL Query: Name, Length: 0 10:27:55,5144612 NOTEPAD.EXE 2604 RegQueryKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173} SUCCESS Query: Name 10:27:55,5145276 NOTEPAD.EXE 2604 RegOpenKey HKLM\SOFTWARE\Microsoft\AppModel\Lookaside\machine\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\PropertyBag NAME NOT FOUND Desired Access: Read 10:27:55,5145847 NOTEPAD.EXE 2604 RegCloseKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173} SUCCESS 10:27:55,5152908 NOTEPAD.EXE 2604 CreateFile C:\Windows\System32\profapi.dll SUCCESS Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened 10:27:55,5154065 NOTEPAD.EXE 2604 QueryBasicInformationFile C:\Windows\System32\profapi.dll SUCCESS CreationTime: 13/07/2023 09:42:58, LastAccessTime: 09/08/2023 10:27:54, LastWriteTime: 13/07/2023 09:42:58, ChangeTime: 09/08/2023 10:10:46, FileAttributes: A 10:27:55,5154593 NOTEPAD.EXE 2604 CloseFile C:\Windows\System32\profapi.dll SUCCESS 10:27:55,5158630 NOTEPAD.EXE 2604 CreateFile C:\Windows\System32\profapi.dll SUCCESS Desired Access: Read Data/List Directory, Execute/Traverse, Synchronize, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, Delete, AllocationSize: n/a, OpenResult: Opened 10:27:55,5160370 NOTEPAD.EXE 2604 CreateFileMapping C:\Windows\System32\profapi.dll FILE LOCKED WITH ONLY READERS SyncType: SyncTypeCreateSection, PageProtection: PAGE_EXECUTE_WRITECOPY|PAGE_NOCACHE 10:27:55,5161678 NOTEPAD.EXE 2604 CreateFileMapping C:\Windows\System32\profapi.dll SUCCESS SyncType: SyncTypeOther 10:27:55,5169079 NOTEPAD.EXE 2604 Load Image C:\Windows\System32\profapi.dll SUCCESS Image Base: 0x7ffb631d0000, Image Size: 0x25000 10:27:55,5171665 NOTEPAD.EXE 2604 CloseFile C:\Windows\System32\profapi.dll SUCCESS 10:27:55,5174503 NOTEPAD.EXE 2604 RegQueryKey HKLM SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,5174969 NOTEPAD.EXE 2604 RegOpenKey HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-467048075-196725563-1868618205-1001 SUCCESS Desired Access: Read 10:27:55,5175660 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-467048075-196725563-1868618205-1001\ProfileImagePath BUFFER OVERFLOW Length: 12 10:27:55,5176063 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-467048075-196725563-1868618205-1001\ProfileImagePath SUCCESS Type: REG_EXPAND_SZ, Length: 42, Data: C:\Users\Angelo Braz 10:27:55,5176520 NOTEPAD.EXE 2604 RegCloseKey HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-467048075-196725563-1868618205-1001 SUCCESS 10:27:55,5177157 NOTEPAD.EXE 2604 RegCloseKey HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders SUCCESS 10:27:55,5178136 NOTEPAD.EXE 2604 RegQueryKey HKCU\Software\Classes SUCCESS Query: Name 10:27:55,5178951 NOTEPAD.EXE 2604 RegQueryKey HKCU\Software\Classes SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,5179316 NOTEPAD.EXE 2604 RegQueryKey HKCU\Software\Classes SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,5179757 NOTEPAD.EXE 2604 RegOpenKey HKCU\Software\Classes\Drive\shellex\FolderExtensions NAME NOT FOUND Desired Access: Enumerate Sub Keys 10:27:55,5180283 NOTEPAD.EXE 2604 RegOpenKey HKCR\Drive\shellex\FolderExtensions SUCCESS Desired Access: Enumerate Sub Keys 10:27:55,5180847 NOTEPAD.EXE 2604 RegQueryKey HKCR\Drive\shellex\FolderExtensions SUCCESS Query: Name 10:27:55,5181292 NOTEPAD.EXE 2604 RegQueryKey HKCR\Drive\shellex\FolderExtensions SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,5181746 NOTEPAD.EXE 2604 RegOpenKey HKCU\Software\Classes\Drive\shellex\FolderExtensions NAME NOT FOUND Desired Access: Maximum Allowed 10:27:55,5182189 NOTEPAD.EXE 2604 RegEnumKey HKCR\Drive\shellex\FolderExtensions SUCCESS Index: 0, Name: {fbeb8a05-beee-4442-804e-409d6c4515e9} 10:27:55,5182643 NOTEPAD.EXE 2604 RegQueryKey HKCU\Software\Classes SUCCESS Query: Name 10:27:55,5183115 NOTEPAD.EXE 2604 RegQueryKey HKCU\Software\Classes SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,5183469 NOTEPAD.EXE 2604 RegQueryKey HKCU\Software\Classes SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,5183839 NOTEPAD.EXE 2604 RegOpenKey HKCU\Software\Classes\Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9} NAME NOT FOUND Desired Access: Query Value 10:27:55,5184334 NOTEPAD.EXE 2604 RegOpenKey HKCR\Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9} SUCCESS Desired Access: Query Value 10:27:55,5184908 NOTEPAD.EXE 2604 RegQueryKey HKCR\Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9} SUCCESS Query: Name 10:27:55,5185398 NOTEPAD.EXE 2604 RegQueryKey HKCR\Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9} SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,5185921 NOTEPAD.EXE 2604 RegOpenKey HKCU\Software\Classes\Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9} NAME NOT FOUND Desired Access: Maximum Allowed 10:27:55,5186425 NOTEPAD.EXE 2604 RegQueryValue HKCR\Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9}\DriveMask SUCCESS Type: REG_DWORD, Length: 4, Data: 32 10:27:55,5186927 NOTEPAD.EXE 2604 RegCloseKey HKCR\Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9} SUCCESS 10:27:55,5187349 NOTEPAD.EXE 2604 RegEnumKey HKCR\Drive\shellex\FolderExtensions NO MORE ENTRIES Index: 1, Length: 288 10:27:55,5187787 NOTEPAD.EXE 2604 RegCloseKey HKCR\Drive\shellex\FolderExtensions SUCCESS 10:27:55,5192330 NOTEPAD.EXE 2604 CreateFile C:\Users\Angelo Braz\Videos\desktop.ini SUCCESS Desired Access: Generic Read, Disposition: Open, Options: Sequential Access, Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened 10:27:55,5194028 NOTEPAD.EXE 2604 QueryStandardInformationFile C:\Users\Angelo Braz\Videos\desktop.ini SUCCESS AllocationSize: 504, EndOfFile: 504, NumberOfLinks: 1, DeletePending: False, Directory: False 10:27:55,5194611 NOTEPAD.EXE 2604 ReadFile C:\Users\Angelo Braz\Videos\desktop.ini SUCCESS Offset: 0, Length: 504, Priority: Normal 10:27:55,5195998 NOTEPAD.EXE 2604 QueryBasicInformationFile C:\Users\Angelo Braz\Videos\desktop.ini SUCCESS CreationTime: 30/07/2015 01:50:05, LastAccessTime: 09/08/2023 10:27:55, LastWriteTime: 17/08/2020 17:46:36, ChangeTime: 17/08/2020 17:46:36, FileAttributes: HSA 10:27:55,5196498 NOTEPAD.EXE 2604 CloseFile C:\Users\Angelo Braz\Videos\desktop.ini SUCCESS 10:27:55,5198035 NOTEPAD.EXE 2604 RegQueryKey HKLM SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,5198434 NOTEPAD.EXE 2604 RegOpenKey HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions SUCCESS Desired Access: Read 10:27:55,5198941 NOTEPAD.EXE 2604 RegQueryKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,5199315 NOTEPAD.EXE 2604 RegOpenKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{7D83EE9B-2244-4E70-B1F5-5393042AF1E4} SUCCESS Desired Access: Read 10:27:55,5199913 NOTEPAD.EXE 2604 RegCloseKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions SUCCESS 10:27:55,5200460 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{7d83ee9b-2244-4e70-b1f5-5393042af1e4}\Category SUCCESS Type: REG_DWORD, Length: 4, Data: 4 10:27:55,5200864 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{7d83ee9b-2244-4e70-b1f5-5393042af1e4}\Name SUCCESS Type: REG_SZ, Length: 32, Data: Local Downloads 10:27:55,5201271 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{7d83ee9b-2244-4e70-b1f5-5393042af1e4}\ParentFolder NAME NOT FOUND Length: 90 10:27:55,5201614 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{7d83ee9b-2244-4e70-b1f5-5393042af1e4}\Description NAME NOT FOUND Length: 144 10:27:55,5201933 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{7d83ee9b-2244-4e70-b1f5-5393042af1e4}\RelativePath SUCCESS Type: REG_SZ, Length: 20, Data: Downloads 10:27:55,5202305 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{7d83ee9b-2244-4e70-b1f5-5393042af1e4}\ParsingName BUFFER OVERFLOW Length: 144 10:27:55,5202625 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{7d83ee9b-2244-4e70-b1f5-5393042af1e4}\ParsingName SUCCESS Type: REG_SZ, Length: 176, Data: shell:::{20D04FE0-3AEA-1069-A2D8-08002B30309D}\::{088e3905-0323-4b02-9826-5d99428e115f} 10:27:55,5203092 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{7d83ee9b-2244-4e70-b1f5-5393042af1e4}\InfoTip NAME NOT FOUND Length: 144 10:27:55,5203441 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{7d83ee9b-2244-4e70-b1f5-5393042af1e4}\LocalizedName SUCCESS Type: REG_EXPAND_SZ, Length: 84, Data: @%SystemRoot%\system32\shell32.dll,-21798 10:27:55,5203822 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{7d83ee9b-2244-4e70-b1f5-5393042af1e4}\Icon SUCCESS Type: REG_EXPAND_SZ, Length: 80, Data: %SystemRoot%\system32\imageres.dll,-184 10:27:55,5204201 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{7d83ee9b-2244-4e70-b1f5-5393042af1e4}\Security NAME NOT FOUND Length: 144 10:27:55,5204621 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{7d83ee9b-2244-4e70-b1f5-5393042af1e4}\StreamResource NAME NOT FOUND Length: 144 10:27:55,5205075 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{7d83ee9b-2244-4e70-b1f5-5393042af1e4}\StreamResourceType NAME NOT FOUND Length: 144 10:27:55,5205430 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{7d83ee9b-2244-4e70-b1f5-5393042af1e4}\LocalRedirectOnly NAME NOT FOUND Length: 16 10:27:55,5205811 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{7d83ee9b-2244-4e70-b1f5-5393042af1e4}\Roamable NAME NOT FOUND Length: 16 10:27:55,5206262 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{7d83ee9b-2244-4e70-b1f5-5393042af1e4}\PreCreate SUCCESS Type: REG_DWORD, Length: 4, Data: 1 10:27:55,5206588 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{7d83ee9b-2244-4e70-b1f5-5393042af1e4}\Stream NAME NOT FOUND Length: 16 10:27:55,5207154 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{7d83ee9b-2244-4e70-b1f5-5393042af1e4}\PublishExpandedPath NAME NOT FOUND Length: 16 10:27:55,5207729 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{7d83ee9b-2244-4e70-b1f5-5393042af1e4}\DefinitionFlags NAME NOT FOUND Length: 16 10:27:55,5208048 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{7d83ee9b-2244-4e70-b1f5-5393042af1e4}\Attributes SUCCESS Type: REG_DWORD, Length: 4, Data: 1 10:27:55,5208410 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{7d83ee9b-2244-4e70-b1f5-5393042af1e4}\FolderTypeID NAME NOT FOUND Length: 90 10:27:55,5208802 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{7d83ee9b-2244-4e70-b1f5-5393042af1e4}\InitFolderHandler NAME NOT FOUND Length: 90 10:27:55,5209519 NOTEPAD.EXE 2604 RegQueryKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{7d83ee9b-2244-4e70-b1f5-5393042af1e4} SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,5210296 NOTEPAD.EXE 2604 RegOpenKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{7d83ee9b-2244-4e70-b1f5-5393042af1e4}\PropertyBag SUCCESS Desired Access: Read 10:27:55,5210920 NOTEPAD.EXE 2604 RegCloseKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{7d83ee9b-2244-4e70-b1f5-5393042af1e4} SUCCESS 10:27:55,5211730 NOTEPAD.EXE 2604 RegQueryKey HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,5212096 NOTEPAD.EXE 2604 RegOpenKey HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1 SUCCESS Desired Access: Query Value 10:27:55,5212540 NOTEPAD.EXE 2604 RegQueryKey HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1 SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,5212882 NOTEPAD.EXE 2604 RegOpenKey HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\KnownFolders NAME NOT FOUND Desired Access: Query Value 10:27:55,5213255 NOTEPAD.EXE 2604 RegQueryKey HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1 BUFFER TOO SMALL Query: Name, Length: 0 10:27:55,5213694 NOTEPAD.EXE 2604 RegQueryKey HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1 SUCCESS Query: Name 10:27:55,5214426 NOTEPAD.EXE 2604 RegOpenKey HKLM\SOFTWARE\Microsoft\AppModel\Lookaside\user\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\KnownFolders NAME NOT FOUND Desired Access: Read 10:27:55,5215173 NOTEPAD.EXE 2604 RegCloseKey HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1 SUCCESS 10:27:55,5215626 NOTEPAD.EXE 2604 RegOpenKey HKCU SUCCESS Desired Access: Read 10:27:55,5216231 NOTEPAD.EXE 2604 RegQueryKey HKCU SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,5216661 NOTEPAD.EXE 2604 RegOpenKey HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders SUCCESS Desired Access: Read 10:27:55,5217136 NOTEPAD.EXE 2604 RegCloseKey HKCU SUCCESS 10:27:55,5217517 NOTEPAD.EXE 2604 RegQueryValue HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\{7D83EE9B-2244-4E70-B1F5-5393042AF1E4} SUCCESS Type: REG_EXPAND_SZ, Length: 26, Data: D:\Downloads 10:27:55,5218286 NOTEPAD.EXE 2604 RegCloseKey HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders SUCCESS 10:27:55,5219129 NOTEPAD.EXE 2604 RegQueryKey HKCU\Software\Classes SUCCESS Query: Name 10:27:55,5219564 NOTEPAD.EXE 2604 RegQueryKey HKCU\Software\Classes SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,5219886 NOTEPAD.EXE 2604 RegQueryKey HKCU\Software\Classes SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,5220357 NOTEPAD.EXE 2604 RegOpenKey HKCU\Software\Classes\Drive\shellex\FolderExtensions NAME NOT FOUND Desired Access: Enumerate Sub Keys 10:27:55,5220887 NOTEPAD.EXE 2604 RegOpenKey HKCR\Drive\shellex\FolderExtensions SUCCESS Desired Access: Enumerate Sub Keys 10:27:55,5221510 NOTEPAD.EXE 2604 RegQueryKey HKCR\Drive\shellex\FolderExtensions SUCCESS Query: Name 10:27:55,5221923 NOTEPAD.EXE 2604 RegQueryKey HKCR\Drive\shellex\FolderExtensions SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,5222402 NOTEPAD.EXE 2604 RegOpenKey HKCU\Software\Classes\Drive\shellex\FolderExtensions NAME NOT FOUND Desired Access: Maximum Allowed 10:27:55,5222882 NOTEPAD.EXE 2604 RegEnumKey HKCR\Drive\shellex\FolderExtensions SUCCESS Index: 0, Name: {fbeb8a05-beee-4442-804e-409d6c4515e9} 10:27:55,5223337 NOTEPAD.EXE 2604 RegQueryKey HKCU\Software\Classes SUCCESS Query: Name 10:27:55,5223826 NOTEPAD.EXE 2604 RegQueryKey HKCU\Software\Classes SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,5224489 NOTEPAD.EXE 2604 RegQueryKey HKCU\Software\Classes SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,5224899 NOTEPAD.EXE 2604 RegOpenKey HKCU\Software\Classes\Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9} NAME NOT FOUND Desired Access: Query Value 10:27:55,5225601 NOTEPAD.EXE 2604 RegOpenKey HKCR\Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9} SUCCESS Desired Access: Query Value 10:27:55,5226146 NOTEPAD.EXE 2604 RegQueryKey HKCR\Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9} SUCCESS Query: Name 10:27:55,5226629 NOTEPAD.EXE 2604 RegQueryKey HKCR\Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9} SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,5227164 NOTEPAD.EXE 2604 RegOpenKey HKCU\Software\Classes\Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9} NAME NOT FOUND Desired Access: Maximum Allowed 10:27:55,5227605 NOTEPAD.EXE 2604 RegQueryValue HKCR\Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9}\DriveMask SUCCESS Type: REG_DWORD, Length: 4, Data: 32 10:27:55,5229739 NOTEPAD.EXE 2604 RegCloseKey HKCR\Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9} SUCCESS 10:27:55,5230628 NOTEPAD.EXE 2604 RegEnumKey HKCR\Drive\shellex\FolderExtensions NO MORE ENTRIES Index: 1, Length: 288 10:27:55,5231188 NOTEPAD.EXE 2604 RegCloseKey HKCR\Drive\shellex\FolderExtensions SUCCESS 10:27:55,5234453 NOTEPAD.EXE 2604 CreateFile D:\Downloads\desktop.ini SUCCESS Desired Access: Generic Read, Disposition: Open, Options: Sequential Access, Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened 10:27:55,5235977 NOTEPAD.EXE 2604 QueryStandardInformationFile D:\Downloads\desktop.ini SUCCESS AllocationSize: 4.096, EndOfFile: 978, NumberOfLinks: 1, DeletePending: False, Directory: False 10:27:55,5236573 NOTEPAD.EXE 2604 ReadFile D:\Downloads\desktop.ini SUCCESS Offset: 0, Length: 978, Priority: Normal 10:27:55,5238547 NOTEPAD.EXE 2604 QueryBasicInformationFile D:\Downloads\desktop.ini SUCCESS CreationTime: 18/06/2014 23:01:37, LastAccessTime: 09/08/2023 10:27:55, LastWriteTime: 17/08/2020 17:46:36, ChangeTime: 17/08/2020 17:46:36, FileAttributes: HSA 10:27:55,5238934 NOTEPAD.EXE 2604 CloseFile D:\Downloads\desktop.ini SUCCESS 10:27:55,5240212 NOTEPAD.EXE 2604 RegQueryKey HKLM SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,5241089 NOTEPAD.EXE 2604 RegOpenKey HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions SUCCESS Desired Access: Read 10:27:55,5242026 NOTEPAD.EXE 2604 RegQueryKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,5242832 NOTEPAD.EXE 2604 RegOpenKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A52BBA46-E9E1-435F-B3D9-28DAA648C0F6} SUCCESS Desired Access: Read 10:27:55,5243494 NOTEPAD.EXE 2604 RegCloseKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions SUCCESS 10:27:55,5244265 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A52BBA46-E9E1-435f-B3D9-28DAA648C0F6}\Category SUCCESS Type: REG_DWORD, Length: 4, Data: 4 10:27:55,5245331 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A52BBA46-E9E1-435f-B3D9-28DAA648C0F6}\Name SUCCESS Type: REG_SZ, Length: 18, Data: OneDrive 10:27:55,5245911 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A52BBA46-E9E1-435f-B3D9-28DAA648C0F6}\ParentFolder SUCCESS Type: REG_SZ, Length: 78, Data: {5E6C858F-0E22-4760-9AFE-EA3317B67173} 10:27:55,5246388 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A52BBA46-E9E1-435f-B3D9-28DAA648C0F6}\Description NAME NOT FOUND Length: 144 10:27:55,5247254 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A52BBA46-E9E1-435f-B3D9-28DAA648C0F6}\RelativePath SUCCESS Type: REG_SZ, Length: 18, Data: OneDrive 10:27:55,5247682 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A52BBA46-E9E1-435f-B3D9-28DAA648C0F6}\ParsingName SUCCESS Type: REG_SZ, Length: 94, Data: shell:::{018D5C66-4533-4307-9B53-224DE2ED1FE6} 10:27:55,5248094 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A52BBA46-E9E1-435f-B3D9-28DAA648C0F6}\InfoTip NAME NOT FOUND Length: 144 10:27:55,5248471 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A52BBA46-E9E1-435f-B3D9-28DAA648C0F6}\LocalizedName SUCCESS Type: REG_EXPAND_SZ, Length: 98, Data: @%SystemRoot%\System32\SettingSyncCore.dll,-1024 10:27:55,5248852 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A52BBA46-E9E1-435f-B3D9-28DAA648C0F6}\Icon SUCCESS Type: REG_EXPAND_SZ, Length: 82, Data: %SystemRoot%\system32\imageres.dll,-1040 10:27:55,5249235 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A52BBA46-E9E1-435f-B3D9-28DAA648C0F6}\Security NAME NOT FOUND Length: 144 10:27:55,5249572 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A52BBA46-E9E1-435f-B3D9-28DAA648C0F6}\StreamResource NAME NOT FOUND Length: 144 10:27:55,5249999 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A52BBA46-E9E1-435f-B3D9-28DAA648C0F6}\StreamResourceType NAME NOT FOUND Length: 144 10:27:55,5250445 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A52BBA46-E9E1-435f-B3D9-28DAA648C0F6}\LocalRedirectOnly SUCCESS Type: REG_DWORD, Length: 4, Data: 1 10:27:55,5250831 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A52BBA46-E9E1-435f-B3D9-28DAA648C0F6}\Roamable NAME NOT FOUND Length: 16 10:27:55,5251195 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A52BBA46-E9E1-435f-B3D9-28DAA648C0F6}\PreCreate NAME NOT FOUND Length: 16 10:27:55,5251511 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A52BBA46-E9E1-435f-B3D9-28DAA648C0F6}\Stream NAME NOT FOUND Length: 16 10:27:55,5251821 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A52BBA46-E9E1-435f-B3D9-28DAA648C0F6}\PublishExpandedPath NAME NOT FOUND Length: 16 10:27:55,5252176 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A52BBA46-E9E1-435f-B3D9-28DAA648C0F6}\DefinitionFlags SUCCESS Type: REG_DWORD, Length: 4, Data: 64 10:27:55,5252607 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A52BBA46-E9E1-435f-B3D9-28DAA648C0F6}\Attributes SUCCESS Type: REG_DWORD, Length: 4, Data: 1 10:27:55,5253216 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A52BBA46-E9E1-435f-B3D9-28DAA648C0F6}\FolderTypeID NAME NOT FOUND Length: 90 10:27:55,5253701 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A52BBA46-E9E1-435f-B3D9-28DAA648C0F6}\InitFolderHandler NAME NOT FOUND Length: 90 10:27:55,5254090 NOTEPAD.EXE 2604 RegQueryKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A52BBA46-E9E1-435f-B3D9-28DAA648C0F6} SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,5254575 NOTEPAD.EXE 2604 RegOpenKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A52BBA46-E9E1-435f-B3D9-28DAA648C0F6}\PropertyBag NAME NOT FOUND Desired Access: Read 10:27:55,5255047 NOTEPAD.EXE 2604 RegQueryKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A52BBA46-E9E1-435f-B3D9-28DAA648C0F6} BUFFER TOO SMALL Query: Name, Length: 0 10:27:55,5255470 NOTEPAD.EXE 2604 RegQueryKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A52BBA46-E9E1-435f-B3D9-28DAA648C0F6} SUCCESS Query: Name 10:27:55,5256038 NOTEPAD.EXE 2604 RegOpenKey HKLM\SOFTWARE\Microsoft\AppModel\Lookaside\machine\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A52BBA46-E9E1-435f-B3D9-28DAA648C0F6}\PropertyBag NAME NOT FOUND Desired Access: Read 10:27:55,5256609 NOTEPAD.EXE 2604 RegCloseKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A52BBA46-E9E1-435f-B3D9-28DAA648C0F6} SUCCESS 10:27:55,5257383 NOTEPAD.EXE 2604 RegQueryKey HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,5257849 NOTEPAD.EXE 2604 RegOpenKey HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1 SUCCESS Desired Access: Query Value 10:27:55,5258332 NOTEPAD.EXE 2604 RegQueryKey HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1 SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,5258667 NOTEPAD.EXE 2604 RegOpenKey HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\KnownFolders NAME NOT FOUND Desired Access: Query Value 10:27:55,5259041 NOTEPAD.EXE 2604 RegQueryKey HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1 BUFFER TOO SMALL Query: Name, Length: 0 10:27:55,5259406 NOTEPAD.EXE 2604 RegQueryKey HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1 SUCCESS Query: Name 10:27:55,5260008 NOTEPAD.EXE 2604 RegOpenKey HKLM\SOFTWARE\Microsoft\AppModel\Lookaside\user\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\KnownFolders NAME NOT FOUND Desired Access: Read 10:27:55,5260558 NOTEPAD.EXE 2604 RegCloseKey HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1 SUCCESS 10:27:55,5261027 NOTEPAD.EXE 2604 RegOpenKey HKCU SUCCESS Desired Access: Read 10:27:55,5261546 NOTEPAD.EXE 2604 RegQueryKey HKCU SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,5261957 NOTEPAD.EXE 2604 RegOpenKey HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders SUCCESS Desired Access: Read 10:27:55,5262442 NOTEPAD.EXE 2604 RegCloseKey HKCU SUCCESS 10:27:55,5263037 NOTEPAD.EXE 2604 RegQueryValue HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\{A52BBA46-E9E1-435F-B3D9-28DAA648C0F6} NAME NOT FOUND Length: 142 10:27:55,5264026 NOTEPAD.EXE 2604 RegQueryKey HKLM SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,5264511 NOTEPAD.EXE 2604 RegOpenKey HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-467048075-196725563-1868618205-1001 SUCCESS Desired Access: Read 10:27:55,5265093 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-467048075-196725563-1868618205-1001\ProfileImagePath BUFFER OVERFLOW Length: 12 10:27:55,5265470 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-467048075-196725563-1868618205-1001\ProfileImagePath SUCCESS Type: REG_EXPAND_SZ, Length: 42, Data: C:\Users\Angelo Braz 10:27:55,5265898 NOTEPAD.EXE 2604 RegCloseKey HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-467048075-196725563-1868618205-1001 SUCCESS 10:27:55,5266402 NOTEPAD.EXE 2604 RegCloseKey HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders SUCCESS 10:27:55,5267436 NOTEPAD.EXE 2604 RegQueryKey HKCU\Software\Classes SUCCESS Query: Name 10:27:55,5267945 NOTEPAD.EXE 2604 RegQueryKey HKCU\Software\Classes SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,5268581 NOTEPAD.EXE 2604 RegQueryKey HKCU\Software\Classes SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,5269166 NOTEPAD.EXE 2604 RegOpenKey HKCU\Software\Classes\Drive\shellex\FolderExtensions NAME NOT FOUND Desired Access: Enumerate Sub Keys 10:27:55,5269772 NOTEPAD.EXE 2604 RegOpenKey HKCR\Drive\shellex\FolderExtensions SUCCESS Desired Access: Enumerate Sub Keys 10:27:55,5270493 NOTEPAD.EXE 2604 RegQueryKey HKCR\Drive\shellex\FolderExtensions SUCCESS Query: Name 10:27:55,5270957 NOTEPAD.EXE 2604 RegQueryKey HKCR\Drive\shellex\FolderExtensions SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,5271627 NOTEPAD.EXE 2604 RegOpenKey HKCU\Software\Classes\Drive\shellex\FolderExtensions NAME NOT FOUND Desired Access: Maximum Allowed 10:27:55,5272143 NOTEPAD.EXE 2604 RegEnumKey HKCR\Drive\shellex\FolderExtensions SUCCESS Index: 0, Name: {fbeb8a05-beee-4442-804e-409d6c4515e9} 10:27:55,5272773 NOTEPAD.EXE 2604 RegQueryKey HKCU\Software\Classes SUCCESS Query: Name 10:27:55,5273363 NOTEPAD.EXE 2604 RegQueryKey HKCU\Software\Classes SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,5273954 NOTEPAD.EXE 2604 RegQueryKey HKCU\Software\Classes SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,5274339 NOTEPAD.EXE 2604 RegOpenKey HKCU\Software\Classes\Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9} NAME NOT FOUND Desired Access: Query Value 10:27:55,5275161 NOTEPAD.EXE 2604 RegOpenKey HKCR\Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9} SUCCESS Desired Access: Query Value 10:27:55,5275749 NOTEPAD.EXE 2604 RegQueryKey HKCR\Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9} SUCCESS Query: Name 10:27:55,5276173 NOTEPAD.EXE 2604 RegQueryKey HKCR\Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9} SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,5276778 NOTEPAD.EXE 2604 RegOpenKey HKCU\Software\Classes\Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9} NAME NOT FOUND Desired Access: Maximum Allowed 10:27:55,5277242 NOTEPAD.EXE 2604 RegQueryValue HKCR\Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9}\DriveMask SUCCESS Type: REG_DWORD, Length: 4, Data: 32 10:27:55,5277711 NOTEPAD.EXE 2604 RegCloseKey HKCR\Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9} SUCCESS 10:27:55,5278117 NOTEPAD.EXE 2604 RegEnumKey HKCR\Drive\shellex\FolderExtensions NO MORE ENTRIES Index: 1, Length: 288 10:27:55,5278605 NOTEPAD.EXE 2604 RegCloseKey HKCR\Drive\shellex\FolderExtensions SUCCESS 10:27:55,5284203 NOTEPAD.EXE 2604 CreateFile C:\Users\Angelo Braz\OneDrive\desktop.ini SUCCESS Desired Access: Generic Read, Disposition: Open, Options: Sequential Access, Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened 10:27:55,5285814 NOTEPAD.EXE 2604 QueryStandardInformationFile C:\Users\Angelo Braz\OneDrive\desktop.ini SUCCESS AllocationSize: 104, EndOfFile: 102, NumberOfLinks: 1, DeletePending: False, Directory: False 10:27:55,5286352 NOTEPAD.EXE 2604 ReadFile C:\Users\Angelo Braz\OneDrive\desktop.ini SUCCESS Offset: 0, Length: 102, Priority: Normal 10:27:55,5287286 NOTEPAD.EXE 2604 QueryBasicInformationFile C:\Users\Angelo Braz\OneDrive\desktop.ini SUCCESS CreationTime: 22/11/2018 12:47:09, LastAccessTime: 09/08/2023 10:27:55, LastWriteTime: 17/08/2020 17:58:48, ChangeTime: 17/08/2020 17:58:53, FileAttributes: HS 0x180000 10:27:55,5287787 NOTEPAD.EXE 2604 CloseFile C:\Users\Angelo Braz\OneDrive\desktop.ini SUCCESS 10:27:55,5289989 NOTEPAD.EXE 2604 RegQueryKey HKLM SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,5290415 NOTEPAD.EXE 2604 RegOpenKey HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-467048075-196725563-1868618205-1001 SUCCESS Desired Access: Read 10:27:55,5292020 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-467048075-196725563-1868618205-1001\ProfileImagePath BUFFER OVERFLOW Length: 12 10:27:55,5292459 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-467048075-196725563-1868618205-1001\ProfileImagePath SUCCESS Type: REG_EXPAND_SZ, Length: 42, Data: C:\Users\Angelo Braz 10:27:55,5292942 NOTEPAD.EXE 2604 RegCloseKey HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-467048075-196725563-1868618205-1001 SUCCESS 10:27:55,5295145 NOTEPAD.EXE 2604 RegQueryKey HKLM SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,5295883 NOTEPAD.EXE 2604 RegOpenKey HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions SUCCESS Desired Access: Read 10:27:55,5296542 NOTEPAD.EXE 2604 RegQueryKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,5297043 NOTEPAD.EXE 2604 RegOpenKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{0AC0837C-BBF8-452A-850D-79D08E667CA7} SUCCESS Desired Access: Read 10:27:55,5298389 NOTEPAD.EXE 2604 RegCloseKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions SUCCESS 10:27:55,5298835 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{0AC0837C-BBF8-452A-850D-79D08E667CA7}\Category SUCCESS Type: REG_DWORD, Length: 4, Data: 1 10:27:55,5299261 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{0AC0837C-BBF8-452A-850D-79D08E667CA7}\Name SUCCESS Type: REG_SZ, Length: 34, Data: MyComputerFolder 10:27:55,5299629 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{0AC0837C-BBF8-452A-850D-79D08E667CA7}\ParentFolder NAME NOT FOUND Length: 90 10:27:55,5299973 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{0AC0837C-BBF8-452A-850D-79D08E667CA7}\Description NAME NOT FOUND Length: 144 10:27:55,5300569 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{0AC0837C-BBF8-452A-850D-79D08E667CA7}\RelativePath NAME NOT FOUND Length: 144 10:27:55,5301017 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{0AC0837C-BBF8-452A-850D-79D08E667CA7}\ParsingName SUCCESS Type: REG_SZ, Length: 82, Data: ::{20D04FE0-3AEA-1069-A2D8-08002B30309D} 10:27:55,5301442 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{0AC0837C-BBF8-452A-850D-79D08E667CA7}\InfoTip NAME NOT FOUND Length: 144 10:27:55,5301807 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{0AC0837C-BBF8-452A-850D-79D08E667CA7}\LocalizedName NAME NOT FOUND Length: 144 10:27:55,5302197 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{0AC0837C-BBF8-452A-850D-79D08E667CA7}\Icon NAME NOT FOUND Length: 144 10:27:55,5302598 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{0AC0837C-BBF8-452A-850D-79D08E667CA7}\Security NAME NOT FOUND Length: 144 10:27:55,5302939 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{0AC0837C-BBF8-452A-850D-79D08E667CA7}\StreamResource NAME NOT FOUND Length: 144 10:27:55,5303247 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{0AC0837C-BBF8-452A-850D-79D08E667CA7}\StreamResourceType NAME NOT FOUND Length: 144 10:27:55,5303572 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{0AC0837C-BBF8-452A-850D-79D08E667CA7}\LocalRedirectOnly NAME NOT FOUND Length: 16 10:27:55,5304150 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{0AC0837C-BBF8-452A-850D-79D08E667CA7}\Roamable NAME NOT FOUND Length: 16 10:27:55,5304536 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{0AC0837C-BBF8-452A-850D-79D08E667CA7}\PreCreate NAME NOT FOUND Length: 16 10:27:55,5305059 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{0AC0837C-BBF8-452A-850D-79D08E667CA7}\Stream NAME NOT FOUND Length: 16 10:27:55,5305488 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{0AC0837C-BBF8-452A-850D-79D08E667CA7}\PublishExpandedPath NAME NOT FOUND Length: 16 10:27:55,5305831 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{0AC0837C-BBF8-452A-850D-79D08E667CA7}\DefinitionFlags NAME NOT FOUND Length: 16 10:27:55,5306169 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{0AC0837C-BBF8-452A-850D-79D08E667CA7}\Attributes NAME NOT FOUND Length: 16 10:27:55,5306554 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{0AC0837C-BBF8-452A-850D-79D08E667CA7}\FolderTypeID NAME NOT FOUND Length: 90 10:27:55,5307054 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{0AC0837C-BBF8-452A-850D-79D08E667CA7}\InitFolderHandler NAME NOT FOUND Length: 90 10:27:55,5307641 NOTEPAD.EXE 2604 RegQueryKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{0AC0837C-BBF8-452A-850D-79D08E667CA7} SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,5308050 NOTEPAD.EXE 2604 RegOpenKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{0AC0837C-BBF8-452A-850D-79D08E667CA7}\PropertyBag NAME NOT FOUND Desired Access: Read 10:27:55,5308458 NOTEPAD.EXE 2604 RegQueryKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{0AC0837C-BBF8-452A-850D-79D08E667CA7} BUFFER TOO SMALL Query: Name, Length: 0 10:27:55,5308886 NOTEPAD.EXE 2604 RegQueryKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{0AC0837C-BBF8-452A-850D-79D08E667CA7} SUCCESS Query: Name 10:27:55,5309620 NOTEPAD.EXE 2604 RegOpenKey HKLM\SOFTWARE\Microsoft\AppModel\Lookaside\machine\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{0AC0837C-BBF8-452A-850D-79D08E667CA7}\PropertyBag NAME NOT FOUND Desired Access: Read 10:27:55,5310211 NOTEPAD.EXE 2604 RegCloseKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{0AC0837C-BBF8-452A-850D-79D08E667CA7} SUCCESS 10:27:55,5312500 NOTEPAD.EXE 2604 RegQueryKey HKCU SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,5313411 NOTEPAD.EXE 2604 RegOpenKey HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume SUCCESS Desired Access: Read 10:27:55,5313971 NOTEPAD.EXE 2604 RegQueryKey HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,5314399 NOTEPAD.EXE 2604 RegOpenKey HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{70b2a5bd-0000-0000-0000-501f00000000}\ SUCCESS Desired Access: Read 10:27:55,5314880 NOTEPAD.EXE 2604 RegCloseKey HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume SUCCESS 10:27:55,5315252 NOTEPAD.EXE 2604 RegQueryValue HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{70b2a5bd-0000-0000-0000-501f00000000}\Generation SUCCESS Type: REG_DWORD, Length: 4, Data: 1 10:27:55,5315775 NOTEPAD.EXE 2604 RegCloseKey HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{70b2a5bd-0000-0000-0000-501f00000000} SUCCESS 10:27:55,5316794 NOTEPAD.EXE 2604 RegQueryKey HKLM SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,5317188 NOTEPAD.EXE 2604 RegOpenKey HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\IdListAliasTranslations NAME NOT FOUND Desired Access: Read 10:27:55,5317618 NOTEPAD.EXE 2604 RegQueryKey HKLM BUFFER TOO SMALL Query: Name, Length: 0 10:27:55,5317980 NOTEPAD.EXE 2604 RegQueryKey HKLM SUCCESS Query: Name 10:27:55,5318470 NOTEPAD.EXE 2604 RegOpenKey HKLM\SOFTWARE\Microsoft\AppModel\Lookaside\machine\Software\Microsoft\Windows\CurrentVersion\Explorer\IdListAliasTranslations NAME NOT FOUND Desired Access: Read 10:27:55,5319057 NOTEPAD.EXE 2604 RegQueryKey HKCU SUCCESS Query: HandleTags, HandleTags: 0x0 10:27:55,5319474 NOTEPAD.EXE 2604 RegOpenKey HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\IdListAliasTranslations NAME NOT FOUND Desired Access: Read 10:27:55,5319871 NOTEPAD.EXE 2604 RegQueryKey HKCU BUFFER TOO SMALL Query: Name, Length: 0 10:27:55,5320309 NOTEPAD.EXE 2604 RegQueryKey HKCU SUCCESS Query: Name 10:27:55,5320885 NOTEPAD.EXE 2604 RegOpenKey HKLM\SOFTWARE\Microsoft\AppModel\Lookaside\user\Software\Microsoft\Windows\CurrentVersion\Explorer\IdListAliasTranslations NAME NOT FOUND Desired Access: Read 10:28:01,8221200 NOTEPAD.EXE 2604 RegQueryValue HKLM\System\CurrentControlSet\Control\Notifications\418A073AA3BC8075 BUFFER TOO SMALL Length: 0 10:28:01,8222864 NOTEPAD.EXE 2604 RegQueryValue HKLM\System\CurrentControlSet\Control\Notifications\418A073AA3BC8075 SUCCESS Type: REG_BINARY, Length: 364, Data: 01 00 04 80 00 00 00 00 00 00 00 00 00 00 00 00 10:28:01,8369579 NOTEPAD.EXE 2604 RegQueryKey HKLM SUCCESS Query: HandleTags, HandleTags: 0x0 10:28:01,8370151 NOTEPAD.EXE 2604 RegOpenKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\OOBE SUCCESS Desired Access: Query Value 10:28:01,8370812 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\OOBE\LaunchUserOOBE NAME NOT FOUND Length: 16 10:28:01,8371723 NOTEPAD.EXE 2604 RegCloseKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\OOBE SUCCESS 10:28:01,8497460 NOTEPAD.EXE 2604 CreateFile C:\Users\Angelo SUCCESS Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened 10:28:01,8498196 NOTEPAD.EXE 2604 QueryNetworkOpenInformationFile C:\Users\Angelo SUCCESS CreationTime: 13/10/2018 12:25:41, LastAccessTime: 09/08/2023 10:27:55, LastWriteTime: 13/10/2018 12:25:54, ChangeTime: 17/08/2020 17:33:43, AllocationSize: 4096, EndOfFile: 660, FileAttributes: A 10:28:01,8498578 NOTEPAD.EXE 2604 CloseFile C:\Users\Angelo SUCCESS 10:28:01,8506740 NOTEPAD.EXE 2604 Thread Exit SUCCESS Thread ID: 2612, User Time: 0.0000000, Kernel Time: 0.0000000 10:28:01,8507671 NOTEPAD.EXE 2604 Thread Exit SUCCESS Thread ID: 2936, User Time: 0.0000000, Kernel Time: 0.0000000 10:28:01,8510644 NOTEPAD.EXE 2604 RegCloseKey HKCU\SOFTWARE\Microsoft\Internet Explorer\Main SUCCESS 10:28:01,8511028 NOTEPAD.EXE 2604 RegCloseKey HKLM\SOFTWARE\Microsoft\Internet Explorer\Main SUCCESS 10:28:01,8511352 NOTEPAD.EXE 2604 RegCloseKey HKCU\SOFTWARE\Microsoft\Internet Explorer\Security SUCCESS 10:28:01,8511656 NOTEPAD.EXE 2604 RegCloseKey HKLM\SOFTWARE\Microsoft\Internet Explorer\Security SUCCESS 10:28:01,8512076 NOTEPAD.EXE 2604 RegCloseKey HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings SUCCESS 10:28:01,8512409 NOTEPAD.EXE 2604 RegCloseKey HKCU\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings SUCCESS 10:28:01,8512526 NOTEPAD.EXE 2604 Thread Exit SUCCESS Thread ID: 9248, User Time: 0.0000000, Kernel Time: 0.0000000 10:28:01,8512732 NOTEPAD.EXE 2604 RegCloseKey HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings SUCCESS 10:28:01,8513421 NOTEPAD.EXE 2604 RegCloseKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings SUCCESS 10:28:01,8513674 NOTEPAD.EXE 2604 Thread Exit SUCCESS Thread ID: 2760, User Time: 0.0000000, Kernel Time: 0.0000000 10:28:01,8514003 NOTEPAD.EXE 2604 RegCloseKey HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl SUCCESS 10:28:01,8514342 NOTEPAD.EXE 2604 RegCloseKey HKCU\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl SUCCESS 10:28:01,8524718 NOTEPAD.EXE 2604 ReadFile C:\Windows\System32\efswrt.dll SUCCESS Offset: 484.352, Length: 4.096, I/O Flags: Non-cached, Paging I/O, Synchronous Paging I/O, Priority: Normal 10:28:01,8530149 NOTEPAD.EXE 2604 ReadFile C:\Windows\System32\efswrt.dll SUCCESS Offset: 484.352, Length: 24.576, I/O Flags: Non-cached, Paging I/O, Synchronous Paging I/O, Priority: Normal 10:28:01,8535779 NOTEPAD.EXE 2604 ReadFile C:\Windows\System32\efswrt.dll SUCCESS Offset: 525.312, Length: 24.576, I/O Flags: Non-cached, Paging I/O, Synchronous Paging I/O, Priority: Normal 10:28:01,8540271 NOTEPAD.EXE 2604 ReadFile C:\Windows\System32\efswrt.dll SUCCESS Offset: 13.312, Length: 4.096, I/O Flags: Non-cached, Paging I/O, Synchronous Paging I/O, Priority: Normal 10:28:01,8545497 NOTEPAD.EXE 2604 ReadFile C:\Windows\System32\efswrt.dll SUCCESS Offset: 13.312, Length: 32.768, I/O Flags: Non-cached, Paging I/O, Synchronous Paging I/O, Priority: Normal 10:28:01,8551681 NOTEPAD.EXE 2604 ReadFile C:\Windows\System32\efswrt.dll SUCCESS Offset: 590.848, Length: 16.384, I/O Flags: Non-cached, Paging I/O, Synchronous Paging I/O, Priority: Normal 10:28:01,8568622 NOTEPAD.EXE 2604 CloseFile C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.1110_none_60b5254171f9507e SUCCESS 10:28:01,8572695 NOTEPAD.EXE 2604 RegCloseKey HKCU\Software\Classes\Local Settings\Software\Microsoft SUCCESS 10:28:01,8573204 NOTEPAD.EXE 2604 RegCloseKey HKCU\Software\Classes\Local Settings SUCCESS 10:28:01,8573650 NOTEPAD.EXE 2604 RegCloseKey HKLM\SOFTWARE\Microsoft\Ole SUCCESS 10:28:01,8574016 NOTEPAD.EXE 2604 RegCloseKey HKLM SUCCESS 10:28:01,8574538 NOTEPAD.EXE 2604 RegCloseKey HKCU\Software\Classes SUCCESS 10:28:01,8575172 NOTEPAD.EXE 2604 RegCloseKey HKLM\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId SUCCESS 10:28:01,8575657 NOTEPAD.EXE 2604 RegCloseKey HKLM\SOFTWARE\Microsoft\WindowsRuntime SUCCESS 10:28:01,8576876 NOTEPAD.EXE 2604 RegOpenKey HKLM\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize SUCCESS Desired Access: Read 10:28:01,8577440 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles NAME NOT FOUND Length: 20 10:28:01,8577809 NOTEPAD.EXE 2604 RegCloseKey HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize SUCCESS 10:28:01,8578148 NOTEPAD.EXE 2604 RegOpenKey HKLM\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize SUCCESS Desired Access: Read 10:28:01,8578550 NOTEPAD.EXE 2604 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableUmpdBufferSizeCheck NAME NOT FOUND Length: 20 10:28:01,8579559 NOTEPAD.EXE 2604 RegCloseKey HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize SUCCESS 10:28:01,8581486 NOTEPAD.EXE 2604 CloseFile C:\Windows\Fonts\StaticCache.dat SUCCESS 10:28:01,8585445 NOTEPAD.EXE 2604 Thread Exit SUCCESS Thread ID: 1028, User Time: 0.0312500, Kernel Time: 0.3906250 10:28:01,8617199 NOTEPAD.EXE 2604 Thread Exit SUCCESS Thread ID: 2932, User Time: 0.0000000, Kernel Time: 0.0000000 10:28:01,8620686 NOTEPAD.EXE 2604 Thread Exit SUCCESS Thread ID: 2764, User Time: 0.0000000, Kernel Time: 0.0000000 10:28:01,8693794 NOTEPAD.EXE 2604 Process Exit SUCCESS Exit Status: 0, User Time: 0.0312500 seconds, Kernel Time: 0.3906250 seconds, Private Bytes: 3.551.232, Peak Private Bytes: 3.678.208, Working Set: 20.283.392, Peak Working Set: 20.541.440 10:28:01,8696232 NOTEPAD.EXE 2604 RegOpenKey HKLM\System\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-21-467048075-196725563-1868618205-1001 SUCCESS Desired Access: All Access 10:28:01,8696757 NOTEPAD.EXE 2604 RegQueryValue HKLM\System\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-21-467048075-196725563-1868618205-1001\\Device\HarddiskVolume2\Windows\System32\notepad.exe SUCCESS Type: REG_BINARY, Length: 24, Data: 27 7C 1F 4E C5 CA D9 01 00 00 00 00 00 00 00 00 10:28:01,8697175 NOTEPAD.EXE 2604 RegSetValue HKLM\System\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-21-467048075-196725563-1868618205-1001\\Device\HarddiskVolume2\Windows\System32\notepad.exe SUCCESS Type: REG_BINARY, Length: 24, Data: 08 43 18 52 C5 CA D9 01 00 00 00 00 00 00 00 00 10:28:01,8698155 NOTEPAD.EXE 2604 RegCloseKey HKLM\System\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-21-467048075-196725563-1868618205-1001 SUCCESS 10:28:01,8699584 NOTEPAD.EXE 2604 CloseFile C:\Windows\System32 SUCCESS 10:28:01,8701607 NOTEPAD.EXE 2604 CloseFile C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.1110_none_60b5254171f9507e SUCCESS 10:28:01,8702765 NOTEPAD.EXE 2604 RegCloseKey HKLM SUCCESS 10:28:01,8703034 NOTEPAD.EXE 2604 RegCloseKey HKLM\System\CurrentControlSet\Control\Nls\Sorting\Versions SUCCESS 10:28:01,8703929 NOTEPAD.EXE 2604 RegCloseKey HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options SUCCESS 10:28:01,8704371 NOTEPAD.EXE 2604 CloseFile C:\Program Files\WindowsApps\Microsoft.LanguageExperiencePackpt-BR_19041.64.213.0_neutral__8wekyb3d8bbwe\Windows\System32\pt-BR\notepad.exe.mui SUCCESS 10:28:01,8706120 NOTEPAD.EXE 2604 RegCloseKey HKCU\Software\Classes SUCCESS 10:28:01,8707342 NOTEPAD.EXE 2604 CloseFile C:\Windows\SystemResources\notepad.exe.mun SUCCESS 10:28:01,8709716 NOTEPAD.EXE 2604 RegCloseKey HKCU SUCCESS 10:28:01,8710406 NOTEPAD.EXE 2604 RegCloseKey HKLM\System\CurrentControlSet\Control\Session Manager SUCCESS 10:28:01,8711047 NOTEPAD.EXE 2604 RegCloseKey HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer SUCCESS 10:28:01,8711325 NOTEPAD.EXE 2604 RegCloseKey HKLM\System\CurrentControlSet\Control\Nls\Sorting\Ids SUCCESS 10:28:01,8711605 NOTEPAD.EXE 2604 RegCloseKey HKLM\System\CurrentControlSet\Control\NetworkProvider\ProviderOrder SUCCESS 10:28:01,8712313 NOTEPAD.EXE 2604 RegCloseKey HKLM\System\CurrentControlSet\Control\NetworkProvider\HwOrder SUCCESS 10:28:01,8712857 NOTEPAD.EXE 2604 RegCloseKey HKCU\Software\Classes SUCCESS 10:28:01,8713309 NOTEPAD.EXE 2604 CloseFile C:\Windows\Registration\R000000000015.clb SUCCESS 10:28:01,8715347 NOTEPAD.EXE 2604 RegCloseKey HKCU\Software\Classes SUCCESS 10:28:01,8716991 NOTEPAD.EXE 2604 RegCloseKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{35286a68-3c57-41a1-bbb1-0eae73d76c95}\PropertyBag SUCCESS 10:28:01,8717520 NOTEPAD.EXE 2604 RegCloseKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{7d83ee9b-2244-4e70-b1f5-5393042af1e4}\PropertyBag SUCCESS 10:28:01,8717915 NOTEPAD.EXE 2604 RegCloseKey HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts SUCCESS 10:28:01,8718153 NOTEPAD.EXE 2604 RegCloseKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{f42ee2d3-909f-4907-8871-4c22fc0bf756}\PropertyBag SUCCESS 10:28:01,8718506 NOTEPAD.EXE 2604 RegCloseKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{a0c69a99-21c8-4671-8703-7934162fcf1d}\PropertyBag SUCCESS 10:28:01,8718734 NOTEPAD.EXE 2604 RegCloseKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\PropertyBag SUCCESS 10:28:01,8719029 NOTEPAD.EXE 2604 RegCloseKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{0ddd015d-b06c-45d5-8c4c-f59713854639}\PropertyBag SUCCESS