+----------------------+----------------------+----------------------+----------------------+----------------------+ | Category | Operation | Information | Success | Count | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MUTEX | CREATE | mutex_name = C000000 | True | 1 | | | | 0844EE6C40648470D345 | | | | | | E7B65, initial_owner | | | | | | = 0 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | SYS | GET_INFO | type = SYSTEM_PROCES | False | 1 | | | | S_INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | SYS | GET_INFO | type = SYSTEM_PROCES | True | 1 | | | | S_INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = Syste | False | 1 | | | | m Idle Process, os_p | | | | | | id = 0x0, desired_ac | | | | | | cess = PROCESS_QUERY | | | | | | _INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = Syste | False | 1 | | | | m, os_pid = 0x4, des | | | | | | ired_access = PROCES | | | | | | S_QUERY_INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\smss. 
| | | | | | exe, os_pid = 0x108, | | | | | | desired_access = PR | | | | | | OCESS_QUERY_INFORMAT | | | | | | ION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\csrss | | | | | | .exe, os_pid = 0x150 | | | | | | , desired_access = P | | | | | | ROCESS_QUERY_INFORMA | | | | | | TION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\winin | | | | | | it.exe, os_pid = 0x1 | | | | | | 8c, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\csrss | | | | | | .exe, os_pid = 0x194 | | | | | | , desired_access = P | | | | | | ROCESS_QUERY_INFORMA | | | | | | TION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\winlo | | | | | | gon.exe, os_pid = 0x | | | | | | 1c4, desired_access | | | | | | = PROCESS_QUERY_INFO | | | | | | RMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\servi | | | | | | ces.exe, os_pid = 0x | | | | | | 1dc, desired_access | | | | | | = PROCESS_QUERY_INFO | | | | | | RMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\lsass | | | | | | .exe, os_pid = 0x1e4 | | | | | | , desired_access = P | | | | | | 
ROCESS_QUERY_INFORMA | | | | | | TION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x2 | | | | | | 3c, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x2 | | | | | | 5c, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\dwm.e | | | | | | xe, os_pid = 0x2e4, | | | | | | desired_access = PRO | | | | | | CESS_QUERY_INFORMATI | | | | | | ON | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x3 | | | | | | 20, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x3 | | | | | | 34, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x3 | | | | | | 54, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | 
+----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x3 | | | | | | 68, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x3 | | | | | | 90, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x2 | | | | | | 74, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\spool | | | | | | sv.exe, os_pid = 0x2 | | | | | | 30, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x4 | | | | | | 1c, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x5 | | | | | | 50, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | 
+----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\system32\sihos | | | | | | t.exe, os_pid = 0x70 | | | | | | 0, desired_access = | | | | | | PROCESS_QUERY_INFORM | | | | | | ATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\system32\taskh | | | | | | ostw.exe, os_pid = 0 | | | | | | x728, desired_access | | | | | | = PROCESS_QUERY_INF | | | | | | ORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\explorer.exe, | | | | | | os_pid = 0x7cc, desi | | | | | | red_access = PROCESS | | | | | | _QUERY_INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\system32\runti | | | | | | mebroker.exe, os_pid | | | | | | = 0x4b0, desired_ac | | | | | | cess = PROCESS_QUERY | | | | | | _INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\systemapps\she | | | | | | llexperiencehost_cw5 | | | | | | n1h2txyewy\shellexpe | | | | | | riencehost.exe, os_p | | | | | | id = 0x910, desired_ | | | | | | access = PROCESS_QUE | | | | | | RY_INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\systemapps\mic | | | | | | rosoft.windows.corta | | | | | | na_cw5n1h2txyewy\sea | | | | | | rchui.exe, os_pid = | | | | | | 0xa10, desired_acces | | | | | | s = 
PROCESS_QUERY_IN | | | | | | FORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x5 | | | | | | 90, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\wbem\ | | | | | | wmiadap.exe, os_pid | | | | | | = 0xb34, desired_acc | | | | | | ess = PROCESS_QUERY_ | | | | | | INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\sppsv | | | | | | c.exe, os_pid = 0x6a | | | | | | c, desired_access = | | | | | | PROCESS_QUERY_INFORM | | | | | | ATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\system32\backg | | | | | | roundtaskhost.exe, o | | | | | | s_pid = 0x414, desir | | | | | | ed_access = PROCESS_ | | | | | | QUERY_INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\system32\backg | | | | | | roundtaskhost.exe, o | | | | | | s_pid = 0xba8, desir | | | | | | ed_access = PROCESS_ | | | | | | QUERY_INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\wbem\ | | | | | | wmiprvse.exe, os_pid | | | | | | = 0xfc, desired_acc | | | | | | ess = PROCESS_QUERY_ | | | | | | INFORMATION | | | 
+----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\audio | | | | | | dg.exe, os_pid = 0x3 | | | | | | f8, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 2 | | | | ndows\syswow64\svcho | | | | | | st.exe, os_pid = 0xc | | | | | | 54, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN_TOKEN | process_name = c:\wi | True | 1 | | | | ndows\syswow64\svcho | | | | | | st.exe, os_pid = 0xc | | | | | | 54, desired_access = | | | | | | PROCESS_VM_OPERATIO | | | | | | N, desired_access = | | | | | | PROCESS_VM_OPERATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | SYS | GET_INFO | type = SYSTEM_PROCES | False | 1 | | | | S_INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | SYS | GET_INFO | type = SYSTEM_PROCES | True | 1 | | | | S_INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = Syste | False | 1 | | | | m Idle Process, os_p | | | | | | id = 0x0, desired_ac | | | | | | cess = PROCESS_QUERY | | | | | | _INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = Syste | False | 1 | | | | m, os_pid = 0x4, des | | | | | | ired_access = PROCES | | | | | | S_QUERY_INFORMATION | | | 
+----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\smss. | | | | | | exe, os_pid = 0x108, | | | | | | desired_access = PR | | | | | | OCESS_QUERY_INFORMAT | | | | | | ION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\csrss | | | | | | .exe, os_pid = 0x150 | | | | | | , desired_access = P | | | | | | ROCESS_QUERY_INFORMA | | | | | | TION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\winin | | | | | | it.exe, os_pid = 0x1 | | | | | | 8c, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\csrss | | | | | | .exe, os_pid = 0x194 | | | | | | , desired_access = P | | | | | | ROCESS_QUERY_INFORMA | | | | | | TION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\winlo | | | | | | gon.exe, os_pid = 0x | | | | | | 1c4, desired_access | | | | | | = PROCESS_QUERY_INFO | | | | | | RMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\servi | | | | | | ces.exe, os_pid = 0x | | | | | | 1dc, desired_access | | | | | | = PROCESS_QUERY_INFO | | | | | | RMATION | | | 
+----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\lsass | | | | | | .exe, os_pid = 0x1e4 | | | | | | , desired_access = P | | | | | | ROCESS_QUERY_INFORMA | | | | | | TION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x2 | | | | | | 3c, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x2 | | | | | | 5c, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\dwm.e | | | | | | xe, os_pid = 0x2e4, | | | | | | desired_access = PRO | | | | | | CESS_QUERY_INFORMATI | | | | | | ON | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x3 | | | | | | 20, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x3 | | | | | | 34, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | 
+----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x3 | | | | | | 54, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x3 | | | | | | 68, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x3 | | | | | | 90, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x2 | | | | | | 74, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\spool | | | | | | sv.exe, os_pid = 0x2 | | | | | | 30, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x4 | | | | | | 1c, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | 
+----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x5 | | | | | | 50, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\system32\sihos | | | | | | t.exe, os_pid = 0x70 | | | | | | 0, desired_access = | | | | | | PROCESS_QUERY_INFORM | | | | | | ATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\system32\taskh | | | | | | ostw.exe, os_pid = 0 | | | | | | x728, desired_access | | | | | | = PROCESS_QUERY_INF | | | | | | ORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\explorer.exe, | | | | | | os_pid = 0x7cc, desi | | | | | | red_access = PROCESS | | | | | | _QUERY_INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\system32\runti | | | | | | mebroker.exe, os_pid | | | | | | = 0x4b0, desired_ac | | | | | | cess = PROCESS_QUERY | | | | | | _INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\systemapps\she | | | | | | llexperiencehost_cw5 | | | | | | n1h2txyewy\shellexpe | | | | | | riencehost.exe, os_p | | | | | | id = 0x910, desired_ | | | | | | access = PROCESS_QUE | | | | | | RY_INFORMATION | | | 
+----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\systemapps\mic | | | | | | rosoft.windows.corta | | | | | | na_cw5n1h2txyewy\sea | | | | | | rchui.exe, os_pid = | | | | | | 0xa10, desired_acces | | | | | | s = PROCESS_QUERY_IN | | | | | | FORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x5 | | | | | | 90, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\wbem\ | | | | | | wmiadap.exe, os_pid | | | | | | = 0xb34, desired_acc | | | | | | ess = PROCESS_QUERY_ | | | | | | INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\sppsv | | | | | | c.exe, os_pid = 0x6a | | | | | | c, desired_access = | | | | | | PROCESS_QUERY_INFORM | | | | | | ATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\system32\backg | | | | | | roundtaskhost.exe, o | | | | | | s_pid = 0x414, desir | | | | | | ed_access = PROCESS_ | | | | | | QUERY_INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\system32\backg | | | | | | roundtaskhost.exe, o | | | | | | s_pid = 0xba8, desir | | | | | | ed_access = PROCESS_ | | | | | | QUERY_INFORMATION | | 
| +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\wbem\ | | | | | | wmiprvse.exe, os_pid | | | | | | = 0xfc, desired_acc | | | | | | ess = PROCESS_QUERY_ | | | | | | INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\audio | | | | | | dg.exe, os_pid = 0x3 | | | | | | f8, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 2 | | | | ndows\syswow64\svcho | | | | | | st.exe, os_pid = 0xc | | | | | | 54, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN_TOKEN | process_name = c:\wi | True | 1 | | | | ndows\syswow64\svcho | | | | | | st.exe, os_pid = 0xc | | | | | | 54, desired_access = | | | | | | PROCESS_VM_OPERATIO | | | | | | N, desired_access = | | | | | | PROCESS_VM_OPERATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | SYS | GET_INFO | type = SYSTEM_PROCES | False | 1 | | | | S_INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | SYS | GET_INFO | type = SYSTEM_PROCES | True | 1 | | | | S_INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = Syste | False | 1 | | | | m Idle Process, os_p | | | | | | id = 0x0, desired_ac | | | | | | cess = PROCESS_QUERY | | | | | | 
_INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = Syste | False | 1 | | | | m, os_pid = 0x4, des | | | | | | ired_access = PROCES | | | | | | S_QUERY_INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\smss. | | | | | | exe, os_pid = 0x108, | | | | | | desired_access = PR | | | | | | OCESS_QUERY_INFORMAT | | | | | | ION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\csrss | | | | | | .exe, os_pid = 0x150 | | | | | | , desired_access = P | | | | | | ROCESS_QUERY_INFORMA | | | | | | TION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\winin | | | | | | it.exe, os_pid = 0x1 | | | | | | 8c, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\csrss | | | | | | .exe, os_pid = 0x194 | | | | | | , desired_access = P | | | | | | ROCESS_QUERY_INFORMA | | | | | | TION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\winlo | | | | | | gon.exe, os_pid = 0x | | | | | | 1c4, desired_access | | | | | | = PROCESS_QUERY_INFO | | | | | | RMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | 
OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\servi | | | | | | ces.exe, os_pid = 0x | | | | | | 1dc, desired_access | | | | | | = PROCESS_QUERY_INFO | | | | | | RMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\lsass | | | | | | .exe, os_pid = 0x1e4 | | | | | | , desired_access = P | | | | | | ROCESS_QUERY_INFORMA | | | | | | TION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x2 | | | | | | 3c, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x2 | | | | | | 5c, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\dwm.e | | | | | | xe, os_pid = 0x2e4, | | | | | | desired_access = PRO | | | | | | CESS_QUERY_INFORMATI | | | | | | ON | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x3 | | | | | | 20, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid 
= 0x3 | | | | | | 34, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x3 | | | | | | 54, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x3 | | | | | | 68, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x3 | | | | | | 90, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x2 | | | | | | 74, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\spool | | | | | | sv.exe, os_pid = 0x2 | | | | | | 30, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x4 | | | | | | 1c, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | 
| | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x5 | | | | | | 50, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\system32\sihos | | | | | | t.exe, os_pid = 0x70 | | | | | | 0, desired_access = | | | | | | PROCESS_QUERY_INFORM | | | | | | ATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\system32\taskh | | | | | | ostw.exe, os_pid = 0 | | | | | | x728, desired_access | | | | | | = PROCESS_QUERY_INF | | | | | | ORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\explorer.exe, | | | | | | os_pid = 0x7cc, desi | | | | | | red_access = PROCESS | | | | | | _QUERY_INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\system32\runti | | | | | | mebroker.exe, os_pid | | | | | | = 0x4b0, desired_ac | | | | | | cess = PROCESS_QUERY | | | | | | _INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\systemapps\she | | | | | | llexperiencehost_cw5 | | | | | | n1h2txyewy\shellexpe | | | | | | riencehost.exe, os_p | | | | | | id = 0x910, desired_ | | | | | | access = PROCESS_QUE | | | | | | RY_INFORMATION | | | 
+----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\systemapps\mic | | | | | | rosoft.windows.corta | | | | | | na_cw5n1h2txyewy\sea | | | | | | rchui.exe, os_pid = | | | | | | 0xa10, desired_acces | | | | | | s = PROCESS_QUERY_IN | | | | | | FORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x5 | | | | | | 90, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\wbem\ | | | | | | wmiadap.exe, os_pid | | | | | | = 0xb34, desired_acc | | | | | | ess = PROCESS_QUERY_ | | | | | | INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\sppsv | | | | | | c.exe, os_pid = 0x6a | | | | | | c, desired_access = | | | | | | PROCESS_QUERY_INFORM | | | | | | ATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\system32\backg | | | | | | roundtaskhost.exe, o | | | | | | s_pid = 0x414, desir | | | | | | ed_access = PROCESS_ | | | | | | QUERY_INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\system32\backg | | | | | | roundtaskhost.exe, o | | | | | | s_pid = 0xba8, desir | | | | | | ed_access = PROCESS_ | | | | | | QUERY_INFORMATION | | 
| +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\wbem\ | | | | | | wmiprvse.exe, os_pid | | | | | | = 0xfc, desired_acc | | | | | | ess = PROCESS_QUERY_ | | | | | | INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\audio | | | | | | dg.exe, os_pid = 0x3 | | | | | | f8, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 2 | | | | ndows\syswow64\svcho | | | | | | st.exe, os_pid = 0xc | | | | | | 54, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN_TOKEN | process_name = c:\wi | True | 1 | | | | ndows\syswow64\svcho | | | | | | st.exe, os_pid = 0xc | | | | | | 54, desired_access = | | | | | | PROCESS_VM_OPERATIO | | | | | | N, desired_access = | | | | | | PROCESS_VM_OPERATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | SYS | GET_INFO | type = SYSTEM_PROCES | False | 1 | | | | S_INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | SYS | GET_INFO | type = SYSTEM_PROCES | True | 1 | | | | S_INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = Syste | False | 1 | | | | m Idle Process, os_p | | | | | | id = 0x0, desired_ac | | | | | | cess = PROCESS_QUERY | | | | | | 
_INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = Syste | False | 1 | | | | m, os_pid = 0x4, des | | | | | | ired_access = PROCES | | | | | | S_QUERY_INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\smss. | | | | | | exe, os_pid = 0x108, | | | | | | desired_access = PR | | | | | | OCESS_QUERY_INFORMAT | | | | | | ION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\csrss | | | | | | .exe, os_pid = 0x150 | | | | | | , desired_access = P | | | | | | ROCESS_QUERY_INFORMA | | | | | | TION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\winin | | | | | | it.exe, os_pid = 0x1 | | | | | | 8c, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\csrss | | | | | | .exe, os_pid = 0x194 | | | | | | , desired_access = P | | | | | | ROCESS_QUERY_INFORMA | | | | | | TION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\winlo | | | | | | gon.exe, os_pid = 0x | | | | | | 1c4, desired_access | | | | | | = PROCESS_QUERY_INFO | | | | | | RMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | 
OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\servi | | | | | | ces.exe, os_pid = 0x | | | | | | 1dc, desired_access | | | | | | = PROCESS_QUERY_INFO | | | | | | RMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\lsass | | | | | | .exe, os_pid = 0x1e4 | | | | | | , desired_access = P | | | | | | ROCESS_QUERY_INFORMA | | | | | | TION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x2 | | | | | | 3c, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x2 | | | | | | 5c, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\dwm.e | | | | | | xe, os_pid = 0x2e4, | | | | | | desired_access = PRO | | | | | | CESS_QUERY_INFORMATI | | | | | | ON | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x3 | | | | | | 20, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid 
= 0x3 | | | | | | 34, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x3 | | | | | | 54, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x3 | | | | | | 68, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x3 | | | | | | 90, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x2 | | | | | | 74, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\spool | | | | | | sv.exe, os_pid = 0x2 | | | | | | 30, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x4 | | | | | | 1c, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | 
| | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x5 | | | | | | 50, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\system32\sihos | | | | | | t.exe, os_pid = 0x70 | | | | | | 0, desired_access = | | | | | | PROCESS_QUERY_INFORM | | | | | | ATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\system32\taskh | | | | | | ostw.exe, os_pid = 0 | | | | | | x728, desired_access | | | | | | = PROCESS_QUERY_INF | | | | | | ORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\explorer.exe, | | | | | | os_pid = 0x7cc, desi | | | | | | red_access = PROCESS | | | | | | _QUERY_INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\system32\runti | | | | | | mebroker.exe, os_pid | | | | | | = 0x4b0, desired_ac | | | | | | cess = PROCESS_QUERY | | | | | | _INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\systemapps\she | | | | | | llexperiencehost_cw5 | | | | | | n1h2txyewy\shellexpe | | | | | | riencehost.exe, os_p | | | | | | id = 0x910, desired_ | | | | | | access = PROCESS_QUE | | | | | | RY_INFORMATION | | | 
+----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\systemapps\mic | | | | | | rosoft.windows.corta | | | | | | na_cw5n1h2txyewy\sea | | | | | | rchui.exe, os_pid = | | | | | | 0xa10, desired_acces | | | | | | s = PROCESS_QUERY_IN | | | | | | FORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x5 | | | | | | 90, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\wbem\ | | | | | | wmiadap.exe, os_pid | | | | | | = 0xb34, desired_acc | | | | | | ess = PROCESS_QUERY_ | | | | | | INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\sppsv | | | | | | c.exe, os_pid = 0x6a | | | | | | c, desired_access = | | | | | | PROCESS_QUERY_INFORM | | | | | | ATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\system32\backg | | | | | | roundtaskhost.exe, o | | | | | | s_pid = 0x414, desir | | | | | | ed_access = PROCESS_ | | | | | | QUERY_INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\system32\backg | | | | | | roundtaskhost.exe, o | | | | | | s_pid = 0xba8, desir | | | | | | ed_access = PROCESS_ | | | | | | QUERY_INFORMATION | | 
| +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\wbem\ | | | | | | wmiprvse.exe, os_pid | | | | | | = 0xfc, desired_acc | | | | | | ess = PROCESS_QUERY_ | | | | | | INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\audio | | | | | | dg.exe, os_pid = 0x3 | | | | | | f8, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 2 | | | | ndows\syswow64\svcho | | | | | | st.exe, os_pid = 0xc | | | | | | 54, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN_TOKEN | process_name = c:\wi | True | 1 | | | | ndows\syswow64\svcho | | | | | | st.exe, os_pid = 0xc | | | | | | 54, desired_access = | | | | | | PROCESS_VM_OPERATIO | | | | | | N, desired_access = | | | | | | PROCESS_VM_OPERATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | SYS | GET_INFO | type = SYSTEM_PROCES | False | 1 | | | | S_INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | SYS | GET_INFO | type = SYSTEM_PROCES | True | 1 | | | | S_INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = Syste | False | 1 | | | | m Idle Process, os_p | | | | | | id = 0x0, desired_ac | | | | | | cess = PROCESS_QUERY | | | | | | 
_INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = Syste | False | 1 | | | | m, os_pid = 0x4, des | | | | | | ired_access = PROCES | | | | | | S_QUERY_INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\smss. | | | | | | exe, os_pid = 0x108, | | | | | | desired_access = PR | | | | | | OCESS_QUERY_INFORMAT | | | | | | ION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\csrss | | | | | | .exe, os_pid = 0x150 | | | | | | , desired_access = P | | | | | | ROCESS_QUERY_INFORMA | | | | | | TION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\winin | | | | | | it.exe, os_pid = 0x1 | | | | | | 8c, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\csrss | | | | | | .exe, os_pid = 0x194 | | | | | | , desired_access = P | | | | | | ROCESS_QUERY_INFORMA | | | | | | TION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\winlo | | | | | | gon.exe, os_pid = 0x | | | | | | 1c4, desired_access | | | | | | = PROCESS_QUERY_INFO | | | | | | RMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | 
OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\servi | | | | | | ces.exe, os_pid = 0x | | | | | | 1dc, desired_access | | | | | | = PROCESS_QUERY_INFO | | | | | | RMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\lsass | | | | | | .exe, os_pid = 0x1e4 | | | | | | , desired_access = P | | | | | | ROCESS_QUERY_INFORMA | | | | | | TION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x2 | | | | | | 3c, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x2 | | | | | | 5c, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\dwm.e | | | | | | xe, os_pid = 0x2e4, | | | | | | desired_access = PRO | | | | | | CESS_QUERY_INFORMATI | | | | | | ON | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x3 | | | | | | 20, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid 
= 0x3 | | | | | | 34, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x3 | | | | | | 54, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x3 | | | | | | 68, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x3 | | | | | | 90, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x2 | | | | | | 74, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\spool | | | | | | sv.exe, os_pid = 0x2 | | | | | | 30, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x4 | | | | | | 1c, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | 
| | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x5 | | | | | | 50, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\system32\sihos | | | | | | t.exe, os_pid = 0x70 | | | | | | 0, desired_access = | | | | | | PROCESS_QUERY_INFORM | | | | | | ATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\system32\taskh | | | | | | ostw.exe, os_pid = 0 | | | | | | x728, desired_access | | | | | | = PROCESS_QUERY_INF | | | | | | ORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\explorer.exe, | | | | | | os_pid = 0x7cc, desi | | | | | | red_access = PROCESS | | | | | | _QUERY_INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\system32\runti | | | | | | mebroker.exe, os_pid | | | | | | = 0x4b0, desired_ac | | | | | | cess = PROCESS_QUERY | | | | | | _INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\systemapps\she | | | | | | llexperiencehost_cw5 | | | | | | n1h2txyewy\shellexpe | | | | | | riencehost.exe, os_p | | | | | | id = 0x910, desired_ | | | | | | access = PROCESS_QUE | | | | | | RY_INFORMATION | | | 
+----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\systemapps\mic | | | | | | rosoft.windows.corta | | | | | | na_cw5n1h2txyewy\sea | | | | | | rchui.exe, os_pid = | | | | | | 0xa10, desired_acces | | | | | | s = PROCESS_QUERY_IN | | | | | | FORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x5 | | | | | | 90, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\wbem\ | | | | | | wmiadap.exe, os_pid | | | | | | = 0xb34, desired_acc | | | | | | ess = PROCESS_QUERY_ | | | | | | INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\sppsv | | | | | | c.exe, os_pid = 0x6a | | | | | | c, desired_access = | | | | | | PROCESS_QUERY_INFORM | | | | | | ATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\system32\backg | | | | | | roundtaskhost.exe, o | | | | | | s_pid = 0x414, desir | | | | | | ed_access = PROCESS_ | | | | | | QUERY_INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\system32\backg | | | | | | roundtaskhost.exe, o | | | | | | s_pid = 0xba8, desir | | | | | | ed_access = PROCESS_ | | | | | | QUERY_INFORMATION | | 
| +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\wbem\ | | | | | | wmiprvse.exe, os_pid | | | | | | = 0xfc, desired_acc | | | | | | ess = PROCESS_QUERY_ | | | | | | INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\audio | | | | | | dg.exe, os_pid = 0x3 | | | | | | f8, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 2 | | | | ndows\syswow64\svcho | | | | | | st.exe, os_pid = 0xc | | | | | | 54, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN_TOKEN | process_name = c:\wi | True | 1 | | | | ndows\syswow64\svcho | | | | | | st.exe, os_pid = 0xc | | | | | | 54, desired_access = | | | | | | PROCESS_VM_OPERATIO | | | | | | N, desired_access = | | | | | | PROCESS_VM_OPERATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | SYS | GET_INFO | type = SYSTEM_PROCES | False | 1 | | | | S_INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | SYS | GET_INFO | type = SYSTEM_PROCES | True | 1 | | | | S_INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = Syste | False | 1 | | | | m Idle Process, os_p | | | | | | id = 0x0, desired_ac | | | | | | cess = PROCESS_QUERY | | | | | | 
_INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = Syste | False | 1 | | | | m, os_pid = 0x4, des | | | | | | ired_access = PROCES | | | | | | S_QUERY_INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\smss. | | | | | | exe, os_pid = 0x108, | | | | | | desired_access = PR | | | | | | OCESS_QUERY_INFORMAT | | | | | | ION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\csrss | | | | | | .exe, os_pid = 0x150 | | | | | | , desired_access = P | | | | | | ROCESS_QUERY_INFORMA | | | | | | TION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\winin | | | | | | it.exe, os_pid = 0x1 | | | | | | 8c, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\csrss | | | | | | .exe, os_pid = 0x194 | | | | | | , desired_access = P | | | | | | ROCESS_QUERY_INFORMA | | | | | | TION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\winlo | | | | | | gon.exe, os_pid = 0x | | | | | | 1c4, desired_access | | | | | | = PROCESS_QUERY_INFO | | | | | | RMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | 
OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\servi | | | | | | ces.exe, os_pid = 0x | | | | | | 1dc, desired_access | | | | | | = PROCESS_QUERY_INFO | | | | | | RMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\lsass | | | | | | .exe, os_pid = 0x1e4 | | | | | | , desired_access = P | | | | | | ROCESS_QUERY_INFORMA | | | | | | TION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x2 | | | | | | 3c, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x2 | | | | | | 5c, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\dwm.e | | | | | | xe, os_pid = 0x2e4, | | | | | | desired_access = PRO | | | | | | CESS_QUERY_INFORMATI | | | | | | ON | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x3 | | | | | | 20, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid 
= 0x3 | | | | | | 34, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x3 | | | | | | 54, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x3 | | | | | | 68, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x3 | | | | | | 90, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x2 | | | | | | 74, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\spool | | | | | | sv.exe, os_pid = 0x2 | | | | | | 30, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x4 | | | | | | 1c, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | 
| | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x5 | | | | | | 50, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\system32\sihos | | | | | | t.exe, os_pid = 0x70 | | | | | | 0, desired_access = | | | | | | PROCESS_QUERY_INFORM | | | | | | ATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\system32\taskh | | | | | | ostw.exe, os_pid = 0 | | | | | | x728, desired_access | | | | | | = PROCESS_QUERY_INF | | | | | | ORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\explorer.exe, | | | | | | os_pid = 0x7cc, desi | | | | | | red_access = PROCESS | | | | | | _QUERY_INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\system32\runti | | | | | | mebroker.exe, os_pid | | | | | | = 0x4b0, desired_ac | | | | | | cess = PROCESS_QUERY | | | | | | _INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\systemapps\she | | | | | | llexperiencehost_cw5 | | | | | | n1h2txyewy\shellexpe | | | | | | riencehost.exe, os_p | | | | | | id = 0x910, desired_ | | | | | | access = PROCESS_QUE | | | | | | RY_INFORMATION | | | 
+----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\systemapps\mic | | | | | | rosoft.windows.corta | | | | | | na_cw5n1h2txyewy\sea | | | | | | rchui.exe, os_pid = | | | | | | 0xa10, desired_acces | | | | | | s = PROCESS_QUERY_IN | | | | | | FORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x5 | | | | | | 90, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\wbem\ | | | | | | wmiadap.exe, os_pid | | | | | | = 0xb34, desired_acc | | | | | | ess = PROCESS_QUERY_ | | | | | | INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\sppsv | | | | | | c.exe, os_pid = 0x6a | | | | | | c, desired_access = | | | | | | PROCESS_QUERY_INFORM | | | | | | ATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\system32\backg | | | | | | roundtaskhost.exe, o | | | | | | s_pid = 0x414, desir | | | | | | ed_access = PROCESS_ | | | | | | QUERY_INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\system32\backg | | | | | | roundtaskhost.exe, o | | | | | | s_pid = 0xba8, desir | | | | | | ed_access = PROCESS_ | | | | | | QUERY_INFORMATION | | 
| +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\wbem\ | | | | | | wmiprvse.exe, os_pid | | | | | | = 0xfc, desired_acc | | | | | | ess = PROCESS_QUERY_ | | | | | | INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\audio | | | | | | dg.exe, os_pid = 0x3 | | | | | | f8, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 2 | | | | ndows\syswow64\svcho | | | | | | st.exe, os_pid = 0xc | | | | | | 54, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN_TOKEN | process_name = c:\wi | True | 1 | | | | ndows\syswow64\svcho | | | | | | st.exe, os_pid = 0xc | | | | | | 54, desired_access = | | | | | | PROCESS_VM_OPERATIO | | | | | | N, desired_access = | | | | | | PROCESS_VM_OPERATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | SYS | GET_INFO | type = SYSTEM_PROCES | False | 1 | | | | S_INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | SYS | GET_INFO | type = SYSTEM_PROCES | True | 1 | | | | S_INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = Syste | False | 1 | | | | m Idle Process, os_p | | | | | | id = 0x0, desired_ac | | | | | | cess = PROCESS_QUERY | | | | | | 
_INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = Syste | False | 1 | | | | m, os_pid = 0x4, des | | | | | | ired_access = PROCES | | | | | | S_QUERY_INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\smss. | | | | | | exe, os_pid = 0x108, | | | | | | desired_access = PR | | | | | | OCESS_QUERY_INFORMAT | | | | | | ION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\csrss | | | | | | .exe, os_pid = 0x150 | | | | | | , desired_access = P | | | | | | ROCESS_QUERY_INFORMA | | | | | | TION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\winin | | | | | | it.exe, os_pid = 0x1 | | | | | | 8c, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\csrss | | | | | | .exe, os_pid = 0x194 | | | | | | , desired_access = P | | | | | | ROCESS_QUERY_INFORMA | | | | | | TION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\winlo | | | | | | gon.exe, os_pid = 0x | | | | | | 1c4, desired_access | | | | | | = PROCESS_QUERY_INFO | | | | | | RMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | 
OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\servi | | | | | | ces.exe, os_pid = 0x | | | | | | 1dc, desired_access | | | | | | = PROCESS_QUERY_INFO | | | | | | RMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\lsass | | | | | | .exe, os_pid = 0x1e4 | | | | | | , desired_access = P | | | | | | ROCESS_QUERY_INFORMA | | | | | | TION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x2 | | | | | | 3c, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x2 | | | | | | 5c, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\dwm.e | | | | | | xe, os_pid = 0x2e4, | | | | | | desired_access = PRO | | | | | | CESS_QUERY_INFORMATI | | | | | | ON | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x3 | | | | | | 20, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid 
= 0x3 | | | | | | 34, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x3 | | | | | | 54, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x3 | | | | | | 68, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x3 | | | | | | 90, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x2 | | | | | | 74, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\spool | | | | | | sv.exe, os_pid = 0x2 | | | | | | 30, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x4 | | | | | | 1c, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | 
| | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x5 | | | | | | 50, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\system32\sihos | | | | | | t.exe, os_pid = 0x70 | | | | | | 0, desired_access = | | | | | | PROCESS_QUERY_INFORM | | | | | | ATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\system32\taskh | | | | | | ostw.exe, os_pid = 0 | | | | | | x728, desired_access | | | | | | = PROCESS_QUERY_INF | | | | | | ORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\explorer.exe, | | | | | | os_pid = 0x7cc, desi | | | | | | red_access = PROCESS | | | | | | _QUERY_INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\system32\runti | | | | | | mebroker.exe, os_pid | | | | | | = 0x4b0, desired_ac | | | | | | cess = PROCESS_QUERY | | | | | | _INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\systemapps\she | | | | | | llexperiencehost_cw5 | | | | | | n1h2txyewy\shellexpe | | | | | | riencehost.exe, os_p | | | | | | id = 0x910, desired_ | | | | | | access = PROCESS_QUE | | | | | | RY_INFORMATION | | | 
+----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\systemapps\mic | | | | | | rosoft.windows.corta | | | | | | na_cw5n1h2txyewy\sea | | | | | | rchui.exe, os_pid = | | | | | | 0xa10, desired_acces | | | | | | s = PROCESS_QUERY_IN | | | | | | FORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x5 | | | | | | 90, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\wbem\ | | | | | | wmiadap.exe, os_pid | | | | | | = 0xb34, desired_acc | | | | | | ess = PROCESS_QUERY_ | | | | | | INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\sppsv | | | | | | c.exe, os_pid = 0x6a | | | | | | c, desired_access = | | | | | | PROCESS_QUERY_INFORM | | | | | | ATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\system32\backg | | | | | | roundtaskhost.exe, o | | | | | | s_pid = 0x414, desir | | | | | | ed_access = PROCESS_ | | | | | | QUERY_INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\system32\backg | | | | | | roundtaskhost.exe, o | | | | | | s_pid = 0xba8, desir | | | | | | ed_access = PROCESS_ | | | | | | QUERY_INFORMATION | | 
| +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\wbem\ | | | | | | wmiprvse.exe, os_pid | | | | | | = 0xfc, desired_acc | | | | | | ess = PROCESS_QUERY_ | | | | | | INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\audio | | | | | | dg.exe, os_pid = 0x3 | | | | | | f8, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 2 | | | | ndows\syswow64\svcho | | | | | | st.exe, os_pid = 0xc | | | | | | 54, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN_TOKEN | process_name = c:\wi | True | 1 | | | | ndows\syswow64\svcho | | | | | | st.exe, os_pid = 0xc | | | | | | 54, desired_access = | | | | | | PROCESS_VM_OPERATIO | | | | | | N, desired_access = | | | | | | PROCESS_VM_OPERATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | SYS | GET_INFO | type = SYSTEM_PROCES | False | 1 | | | | S_INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | SYS | GET_INFO | type = SYSTEM_PROCES | True | 1 | | | | S_INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = Syste | False | 1 | | | | m Idle Process, os_p | | | | | | id = 0x0, desired_ac | | | | | | cess = PROCESS_QUERY | | | | | | 
_INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = Syste | False | 1 | | | | m, os_pid = 0x4, des | | | | | | ired_access = PROCES | | | | | | S_QUERY_INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\smss. | | | | | | exe, os_pid = 0x108, | | | | | | desired_access = PR | | | | | | OCESS_QUERY_INFORMAT | | | | | | ION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\csrss | | | | | | .exe, os_pid = 0x150 | | | | | | , desired_access = P | | | | | | ROCESS_QUERY_INFORMA | | | | | | TION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\winin | | | | | | it.exe, os_pid = 0x1 | | | | | | 8c, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\csrss | | | | | | .exe, os_pid = 0x194 | | | | | | , desired_access = P | | | | | | ROCESS_QUERY_INFORMA | | | | | | TION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\winlo | | | | | | gon.exe, os_pid = 0x | | | | | | 1c4, desired_access | | | | | | = PROCESS_QUERY_INFO | | | | | | RMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | 
OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\servi | | | | | | ces.exe, os_pid = 0x | | | | | | 1dc, desired_access | | | | | | = PROCESS_QUERY_INFO | | | | | | RMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\lsass | | | | | | .exe, os_pid = 0x1e4 | | | | | | , desired_access = P | | | | | | ROCESS_QUERY_INFORMA | | | | | | TION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x2 | | | | | | 3c, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x2 | | | | | | 5c, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\dwm.e | | | | | | xe, os_pid = 0x2e4, | | | | | | desired_access = PRO | | | | | | CESS_QUERY_INFORMATI | | | | | | ON | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x3 | | | | | | 20, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid 
= 0x3 | | | | | | 34, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x3 | | | | | | 54, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x3 | | | | | | 68, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x3 | | | | | | 90, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x2 | | | | | | 74, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\spool | | | | | | sv.exe, os_pid = 0x2 | | | | | | 30, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x4 | | | | | | 1c, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | 
| | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x5 | | | | | | 50, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\system32\sihos | | | | | | t.exe, os_pid = 0x70 | | | | | | 0, desired_access = | | | | | | PROCESS_QUERY_INFORM | | | | | | ATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\system32\taskh | | | | | | ostw.exe, os_pid = 0 | | | | | | x728, desired_access | | | | | | = PROCESS_QUERY_INF | | | | | | ORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\explorer.exe, | | | | | | os_pid = 0x7cc, desi | | | | | | red_access = PROCESS | | | | | | _QUERY_INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\system32\runti | | | | | | mebroker.exe, os_pid | | | | | | = 0x4b0, desired_ac | | | | | | cess = PROCESS_QUERY | | | | | | _INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\systemapps\she | | | | | | llexperiencehost_cw5 | | | | | | n1h2txyewy\shellexpe | | | | | | riencehost.exe, os_p | | | | | | id = 0x910, desired_ | | | | | | access = PROCESS_QUE | | | | | | RY_INFORMATION | | | 
+----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\systemapps\mic | | | | | | rosoft.windows.corta | | | | | | na_cw5n1h2txyewy\sea | | | | | | rchui.exe, os_pid = | | | | | | 0xa10, desired_acces | | | | | | s = PROCESS_QUERY_IN | | | | | | FORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x5 | | | | | | 90, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\wbem\ | | | | | | wmiadap.exe, os_pid | | | | | | = 0xb34, desired_acc | | | | | | ess = PROCESS_QUERY_ | | | | | | INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\sppsv | | | | | | c.exe, os_pid = 0x6a | | | | | | c, desired_access = | | | | | | PROCESS_QUERY_INFORM | | | | | | ATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\system32\backg | | | | | | roundtaskhost.exe, o | | | | | | s_pid = 0x414, desir | | | | | | ed_access = PROCESS_ | | | | | | QUERY_INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\system32\backg | | | | | | roundtaskhost.exe, o | | | | | | s_pid = 0xba8, desir | | | | | | ed_access = PROCESS_ | | | | | | QUERY_INFORMATION | | 
| +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\wbem\ | | | | | | wmiprvse.exe, os_pid | | | | | | = 0xfc, desired_acc | | | | | | ess = PROCESS_QUERY_ | | | | | | INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\audio | | | | | | dg.exe, os_pid = 0x3 | | | | | | f8, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 2 | | | | ndows\syswow64\svcho | | | | | | st.exe, os_pid = 0xc | | | | | | 54, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN_TOKEN | process_name = c:\wi | True | 1 | | | | ndows\syswow64\svcho | | | | | | st.exe, os_pid = 0xc | | | | | | 54, desired_access = | | | | | | PROCESS_VM_OPERATIO | | | | | | N, desired_access = | | | | | | PROCESS_VM_OPERATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | SYS | GET_INFO | type = SYSTEM_PROCES | False | 1 | | | | S_INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | SYS | GET_INFO | type = SYSTEM_PROCES | True | 1 | | | | S_INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = Syste | False | 1 | | | | m Idle Process, os_p | | | | | | id = 0x0, desired_ac | | | | | | cess = PROCESS_QUERY | | | | | | 
_INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = Syste | False | 1 | | | | m, os_pid = 0x4, des | | | | | | ired_access = PROCES | | | | | | S_QUERY_INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\smss. | | | | | | exe, os_pid = 0x108, | | | | | | desired_access = PR | | | | | | OCESS_QUERY_INFORMAT | | | | | | ION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\csrss | | | | | | .exe, os_pid = 0x150 | | | | | | , desired_access = P | | | | | | ROCESS_QUERY_INFORMA | | | | | | TION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\winin | | | | | | it.exe, os_pid = 0x1 | | | | | | 8c, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\csrss | | | | | | .exe, os_pid = 0x194 | | | | | | , desired_access = P | | | | | | ROCESS_QUERY_INFORMA | | | | | | TION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\winlo | | | | | | gon.exe, os_pid = 0x | | | | | | 1c4, desired_access | | | | | | = PROCESS_QUERY_INFO | | | | | | RMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | 
OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\servi | | | | | | ces.exe, os_pid = 0x | | | | | | 1dc, desired_access | | | | | | = PROCESS_QUERY_INFO | | | | | | RMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\lsass | | | | | | .exe, os_pid = 0x1e4 | | | | | | , desired_access = P | | | | | | ROCESS_QUERY_INFORMA | | | | | | TION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x2 | | | | | | 3c, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x2 | | | | | | 5c, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\dwm.e | | | | | | xe, os_pid = 0x2e4, | | | | | | desired_access = PRO | | | | | | CESS_QUERY_INFORMATI | | | | | | ON | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x3 | | | | | | 20, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid 
= 0x3 | | | | | | 34, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x3 | | | | | | 54, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x3 | | | | | | 68, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x3 | | | | | | 90, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x2 | | | | | | 74, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\spool | | | | | | sv.exe, os_pid = 0x2 | | | | | | 30, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x4 | | | | | | 1c, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | 
| | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x5 | | | | | | 50, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\system32\sihos | | | | | | t.exe, os_pid = 0x70 | | | | | | 0, desired_access = | | | | | | PROCESS_QUERY_INFORM | | | | | | ATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\system32\taskh | | | | | | ostw.exe, os_pid = 0 | | | | | | x728, desired_access | | | | | | = PROCESS_QUERY_INF | | | | | | ORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\explorer.exe, | | | | | | os_pid = 0x7cc, desi | | | | | | red_access = PROCESS | | | | | | _QUERY_INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\system32\runti | | | | | | mebroker.exe, os_pid | | | | | | = 0x4b0, desired_ac | | | | | | cess = PROCESS_QUERY | | | | | | _INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\systemapps\she | | | | | | llexperiencehost_cw5 | | | | | | n1h2txyewy\shellexpe | | | | | | riencehost.exe, os_p | | | | | | id = 0x910, desired_ | | | | | | access = PROCESS_QUE | | | | | | RY_INFORMATION | | | 
+----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\systemapps\mic | | | | | | rosoft.windows.corta | | | | | | na_cw5n1h2txyewy\sea | | | | | | rchui.exe, os_pid = | | | | | | 0xa10, desired_acces | | | | | | s = PROCESS_QUERY_IN | | | | | | FORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x5 | | | | | | 90, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\wbem\ | | | | | | wmiadap.exe, os_pid | | | | | | = 0xb34, desired_acc | | | | | | ess = PROCESS_QUERY_ | | | | | | INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\sppsv | | | | | | c.exe, os_pid = 0x6a | | | | | | c, desired_access = | | | | | | PROCESS_QUERY_INFORM | | | | | | ATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\system32\backg | | | | | | roundtaskhost.exe, o | | | | | | s_pid = 0x414, desir | | | | | | ed_access = PROCESS_ | | | | | | QUERY_INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\system32\backg | | | | | | roundtaskhost.exe, o | | | | | | s_pid = 0xba8, desir | | | | | | ed_access = PROCESS_ | | | | | | QUERY_INFORMATION | | 
| +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\wbem\ | | | | | | wmiprvse.exe, os_pid | | | | | | = 0xfc, desired_acc | | | | | | ess = PROCESS_QUERY_ | | | | | | INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\audio | | | | | | dg.exe, os_pid = 0x3 | | | | | | f8, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 2 | | | | ndows\syswow64\svcho | | | | | | st.exe, os_pid = 0xc | | | | | | 54, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN_TOKEN | process_name = c:\wi | True | 1 | | | | ndows\syswow64\svcho | | | | | | st.exe, os_pid = 0xc | | | | | | 54, desired_access = | | | | | | PROCESS_VM_OPERATIO | | | | | | N, desired_access = | | | | | | PROCESS_VM_OPERATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | SYS | GET_INFO | type = SYSTEM_PROCES | False | 1 | | | | S_INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | SYS | GET_INFO | type = SYSTEM_PROCES | True | 1 | | | | S_INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = Syste | False | 1 | | | | m Idle Process, os_p | | | | | | id = 0x0, desired_ac | | | | | | cess = PROCESS_QUERY | | | | | | 
_INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = Syste | False | 1 | | | | m, os_pid = 0x4, des | | | | | | ired_access = PROCES | | | | | | S_QUERY_INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\smss. | | | | | | exe, os_pid = 0x108, | | | | | | desired_access = PR | | | | | | OCESS_QUERY_INFORMAT | | | | | | ION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\csrss | | | | | | .exe, os_pid = 0x150 | | | | | | , desired_access = P | | | | | | ROCESS_QUERY_INFORMA | | | | | | TION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\winin | | | | | | it.exe, os_pid = 0x1 | | | | | | 8c, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\csrss | | | | | | .exe, os_pid = 0x194 | | | | | | , desired_access = P | | | | | | ROCESS_QUERY_INFORMA | | | | | | TION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\winlo | | | | | | gon.exe, os_pid = 0x | | | | | | 1c4, desired_access | | | | | | = PROCESS_QUERY_INFO | | | | | | RMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | 
OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\servi | | | | | | ces.exe, os_pid = 0x | | | | | | 1dc, desired_access | | | | | | = PROCESS_QUERY_INFO | | | | | | RMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\lsass | | | | | | .exe, os_pid = 0x1e4 | | | | | | , desired_access = P | | | | | | ROCESS_QUERY_INFORMA | | | | | | TION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x2 | | | | | | 3c, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x2 | | | | | | 5c, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\dwm.e | | | | | | xe, os_pid = 0x2e4, | | | | | | desired_access = PRO | | | | | | CESS_QUERY_INFORMATI | | | | | | ON | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x3 | | | | | | 20, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid 
= 0x3 | | | | | | 34, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x3 | | | | | | 54, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x3 | | | | | | 68, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x3 | | | | | | 90, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x2 | | | | | | 74, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\spool | | | | | | sv.exe, os_pid = 0x2 | | | | | | 30, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x4 | | | | | | 1c, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | 
| | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x5 | | | | | | 50, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\system32\sihos | | | | | | t.exe, os_pid = 0x70 | | | | | | 0, desired_access = | | | | | | PROCESS_QUERY_INFORM | | | | | | ATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\system32\taskh | | | | | | ostw.exe, os_pid = 0 | | | | | | x728, desired_access | | | | | | = PROCESS_QUERY_INF | | | | | | ORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\explorer.exe, | | | | | | os_pid = 0x7cc, desi | | | | | | red_access = PROCESS | | | | | | _QUERY_INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\system32\runti | | | | | | mebroker.exe, os_pid | | | | | | = 0x4b0, desired_ac | | | | | | cess = PROCESS_QUERY | | | | | | _INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\systemapps\she | | | | | | llexperiencehost_cw5 | | | | | | n1h2txyewy\shellexpe | | | | | | riencehost.exe, os_p | | | | | | id = 0x910, desired_ | | | | | | access = PROCESS_QUE | | | | | | RY_INFORMATION | | | 
+----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\systemapps\mic | | | | | | rosoft.windows.corta | | | | | | na_cw5n1h2txyewy\sea | | | | | | rchui.exe, os_pid = | | | | | | 0xa10, desired_acces | | | | | | s = PROCESS_QUERY_IN | | | | | | FORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x5 | | | | | | 90, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\wbem\ | | | | | | wmiadap.exe, os_pid | | | | | | = 0xb34, desired_acc | | | | | | ess = PROCESS_QUERY_ | | | | | | INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\sppsv | | | | | | c.exe, os_pid = 0x6a | | | | | | c, desired_access = | | | | | | PROCESS_QUERY_INFORM | | | | | | ATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\system32\backg | | | | | | roundtaskhost.exe, o | | | | | | s_pid = 0x414, desir | | | | | | ed_access = PROCESS_ | | | | | | QUERY_INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\system32\backg | | | | | | roundtaskhost.exe, o | | | | | | s_pid = 0xba8, desir | | | | | | ed_access = PROCESS_ | | | | | | QUERY_INFORMATION | | 
| +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\wbem\ | | | | | | wmiprvse.exe, os_pid | | | | | | = 0xfc, desired_acc | | | | | | ess = PROCESS_QUERY_ | | | | | | INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\audio | | | | | | dg.exe, os_pid = 0x3 | | | | | | f8, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 2 | | | | ndows\syswow64\svcho | | | | | | st.exe, os_pid = 0xc | | | | | | 54, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN_TOKEN | process_name = c:\wi | True | 1 | | | | ndows\syswow64\svcho | | | | | | st.exe, os_pid = 0xc | | | | | | 54, desired_access = | | | | | | PROCESS_VM_OPERATIO | | | | | | N, desired_access = | | | | | | PROCESS_VM_OPERATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | SYS | GET_INFO | type = SYSTEM_PROCES | False | 1 | | | | S_INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | SYS | GET_INFO | type = SYSTEM_PROCES | True | 1 | | | | S_INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = Syste | False | 1 | | | | m Idle Process, os_p | | | | | | id = 0x0, desired_ac | | | | | | cess = PROCESS_QUERY | | | | | | 
_INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = Syste | False | 1 | | | | m, os_pid = 0x4, des | | | | | | ired_access = PROCES | | | | | | S_QUERY_INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\smss. | | | | | | exe, os_pid = 0x108, | | | | | | desired_access = PR | | | | | | OCESS_QUERY_INFORMAT | | | | | | ION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\csrss | | | | | | .exe, os_pid = 0x150 | | | | | | , desired_access = P | | | | | | ROCESS_QUERY_INFORMA | | | | | | TION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\winin | | | | | | it.exe, os_pid = 0x1 | | | | | | 8c, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\csrss | | | | | | .exe, os_pid = 0x194 | | | | | | , desired_access = P | | | | | | ROCESS_QUERY_INFORMA | | | | | | TION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\winlo | | | | | | gon.exe, os_pid = 0x | | | | | | 1c4, desired_access | | | | | | = PROCESS_QUERY_INFO | | | | | | RMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | 
OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\servi | | | | | | ces.exe, os_pid = 0x | | | | | | 1dc, desired_access | | | | | | = PROCESS_QUERY_INFO | | | | | | RMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\lsass | | | | | | .exe, os_pid = 0x1e4 | | | | | | , desired_access = P | | | | | | ROCESS_QUERY_INFORMA | | | | | | TION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x2 | | | | | | 3c, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x2 | | | | | | 5c, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\dwm.e | | | | | | xe, os_pid = 0x2e4, | | | | | | desired_access = PRO | | | | | | CESS_QUERY_INFORMATI | | | | | | ON | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x3 | | | | | | 20, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid 
= 0x3 | | | | | | 34, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x3 | | | | | | 54, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x3 | | | | | | 68, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x3 | | | | | | 90, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x2 | | | | | | 74, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\spool | | | | | | sv.exe, os_pid = 0x2 | | | | | | 30, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x4 | | | | | | 1c, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | 
| | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x5 | | | | | | 50, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\system32\sihos | | | | | | t.exe, os_pid = 0x70 | | | | | | 0, desired_access = | | | | | | PROCESS_QUERY_INFORM | | | | | | ATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\system32\taskh | | | | | | ostw.exe, os_pid = 0 | | | | | | x728, desired_access | | | | | | = PROCESS_QUERY_INF | | | | | | ORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\explorer.exe, | | | | | | os_pid = 0x7cc, desi | | | | | | red_access = PROCESS | | | | | | _QUERY_INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\system32\runti | | | | | | mebroker.exe, os_pid | | | | | | = 0x4b0, desired_ac | | | | | | cess = PROCESS_QUERY | | | | | | _INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\systemapps\she | | | | | | llexperiencehost_cw5 | | | | | | n1h2txyewy\shellexpe | | | | | | riencehost.exe, os_p | | | | | | id = 0x910, desired_ | | | | | | access = PROCESS_QUE | | | | | | RY_INFORMATION | | | 
+----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\systemapps\mic | | | | | | rosoft.windows.corta | | | | | | na_cw5n1h2txyewy\sea | | | | | | rchui.exe, os_pid = | | | | | | 0xa10, desired_acces | | | | | | s = PROCESS_QUERY_IN | | | | | | FORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x5 | | | | | | 90, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\wbem\ | | | | | | wmiadap.exe, os_pid | | | | | | = 0xb34, desired_acc | | | | | | ess = PROCESS_QUERY_ | | | | | | INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\sppsv | | | | | | c.exe, os_pid = 0x6a | | | | | | c, desired_access = | | | | | | PROCESS_QUERY_INFORM | | | | | | ATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\system32\backg | | | | | | roundtaskhost.exe, o | | | | | | s_pid = 0x414, desir | | | | | | ed_access = PROCESS_ | | | | | | QUERY_INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\system32\backg | | | | | | roundtaskhost.exe, o | | | | | | s_pid = 0xba8, desir | | | | | | ed_access = PROCESS_ | | | | | | QUERY_INFORMATION | | 
| +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\wbem\ | | | | | | wmiprvse.exe, os_pid | | | | | | = 0xfc, desired_acc | | | | | | ess = PROCESS_QUERY_ | | | | | | INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\audio | | | | | | dg.exe, os_pid = 0x3 | | | | | | f8, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 2 | | | | ndows\syswow64\svcho | | | | | | st.exe, os_pid = 0xc | | | | | | 54, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN_TOKEN | process_name = c:\wi | True | 1 | | | | ndows\syswow64\svcho | | | | | | st.exe, os_pid = 0xc | | | | | | 54, desired_access = | | | | | | PROCESS_VM_OPERATIO | | | | | | N, desired_access = | | | | | | PROCESS_VM_OPERATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | SYS | GET_INFO | type = SYSTEM_PROCES | False | 1 | | | | S_INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | SYS | GET_INFO | type = SYSTEM_PROCES | True | 1 | | | | S_INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = Syste | False | 1 | | | | m Idle Process, os_p | | | | | | id = 0x0, desired_ac | | | | | | cess = PROCESS_QUERY | | | | | | 
_INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = Syste | False | 1 | | | | m, os_pid = 0x4, des | | | | | | ired_access = PROCES | | | | | | S_QUERY_INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\smss. | | | | | | exe, os_pid = 0x108, | | | | | | desired_access = PR | | | | | | OCESS_QUERY_INFORMAT | | | | | | ION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\csrss | | | | | | .exe, os_pid = 0x150 | | | | | | , desired_access = P | | | | | | ROCESS_QUERY_INFORMA | | | | | | TION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\winin | | | | | | it.exe, os_pid = 0x1 | | | | | | 8c, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\csrss | | | | | | .exe, os_pid = 0x194 | | | | | | , desired_access = P | | | | | | ROCESS_QUERY_INFORMA | | | | | | TION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\winlo | | | | | | gon.exe, os_pid = 0x | | | | | | 1c4, desired_access | | | | | | = PROCESS_QUERY_INFO | | | | | | RMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | 
OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\servi | | | | | | ces.exe, os_pid = 0x | | | | | | 1dc, desired_access | | | | | | = PROCESS_QUERY_INFO | | | | | | RMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\lsass | | | | | | .exe, os_pid = 0x1e4 | | | | | | , desired_access = P | | | | | | ROCESS_QUERY_INFORMA | | | | | | TION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x2 | | | | | | 3c, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x2 | | | | | | 5c, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\dwm.e | | | | | | xe, os_pid = 0x2e4, | | | | | | desired_access = PRO | | | | | | CESS_QUERY_INFORMATI | | | | | | ON | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x3 | | | | | | 20, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid 
= 0x3 | | | | | | 34, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x3 | | | | | | 54, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x3 | | | | | | 68, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x3 | | | | | | 90, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x2 | | | | | | 74, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\spool | | | | | | sv.exe, os_pid = 0x2 | | | | | | 30, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x4 | | | | | | 1c, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | 
| | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x5 | | | | | | 50, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\system32\sihos | | | | | | t.exe, os_pid = 0x70 | | | | | | 0, desired_access = | | | | | | PROCESS_QUERY_INFORM | | | | | | ATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\system32\taskh | | | | | | ostw.exe, os_pid = 0 | | | | | | x728, desired_access | | | | | | = PROCESS_QUERY_INF | | | | | | ORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\explorer.exe, | | | | | | os_pid = 0x7cc, desi | | | | | | red_access = PROCESS | | | | | | _QUERY_INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\system32\runti | | | | | | mebroker.exe, os_pid | | | | | | = 0x4b0, desired_ac | | | | | | cess = PROCESS_QUERY | | | | | | _INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\systemapps\she | | | | | | llexperiencehost_cw5 | | | | | | n1h2txyewy\shellexpe | | | | | | riencehost.exe, os_p | | | | | | id = 0x910, desired_ | | | | | | access = PROCESS_QUE | | | | | | RY_INFORMATION | | | 
+----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\systemapps\mic | | | | | | rosoft.windows.corta | | | | | | na_cw5n1h2txyewy\sea | | | | | | rchui.exe, os_pid = | | | | | | 0xa10, desired_acces | | | | | | s = PROCESS_QUERY_IN | | | | | | FORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x5 | | | | | | 90, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\wbem\ | | | | | | wmiadap.exe, os_pid | | | | | | = 0xb34, desired_acc | | | | | | ess = PROCESS_QUERY_ | | | | | | INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\sppsv | | | | | | c.exe, os_pid = 0x6a | | | | | | c, desired_access = | | | | | | PROCESS_QUERY_INFORM | | | | | | ATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\system32\backg | | | | | | roundtaskhost.exe, o | | | | | | s_pid = 0x414, desir | | | | | | ed_access = PROCESS_ | | | | | | QUERY_INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\system32\backg | | | | | | roundtaskhost.exe, o | | | | | | s_pid = 0xba8, desir | | | | | | ed_access = PROCESS_ | | | | | | QUERY_INFORMATION | | 
| +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\wbem\ | | | | | | wmiprvse.exe, os_pid | | | | | | = 0xfc, desired_acc | | | | | | ess = PROCESS_QUERY_ | | | | | | INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\audio | | | | | | dg.exe, os_pid = 0x3 | | | | | | f8, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 2 | | | | ndows\syswow64\svcho | | | | | | st.exe, os_pid = 0xc | | | | | | 54, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN_TOKEN | process_name = c:\wi | True | 1 | | | | ndows\syswow64\svcho | | | | | | st.exe, os_pid = 0xc | | | | | | 54, desired_access = | | | | | | PROCESS_VM_OPERATIO | | | | | | N, desired_access = | | | | | | PROCESS_VM_OPERATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | SYS | GET_INFO | type = SYSTEM_PROCES | False | 1 | | | | S_INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | SYS | GET_INFO | type = SYSTEM_PROCES | True | 1 | | | | S_INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = Syste | False | 1 | | | | m Idle Process, os_p | | | | | | id = 0x0, desired_ac | | | | | | cess = PROCESS_QUERY | | | | | | 
_INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = Syste | False | 1 | | | | m, os_pid = 0x4, des | | | | | | ired_access = PROCES | | | | | | S_QUERY_INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\smss. | | | | | | exe, os_pid = 0x108, | | | | | | desired_access = PR | | | | | | OCESS_QUERY_INFORMAT | | | | | | ION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\csrss | | | | | | .exe, os_pid = 0x150 | | | | | | , desired_access = P | | | | | | ROCESS_QUERY_INFORMA | | | | | | TION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\winin | | | | | | it.exe, os_pid = 0x1 | | | | | | 8c, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\csrss | | | | | | .exe, os_pid = 0x194 | | | | | | , desired_access = P | | | | | | ROCESS_QUERY_INFORMA | | | | | | TION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\winlo | | | | | | gon.exe, os_pid = 0x | | | | | | 1c4, desired_access | | | | | | = PROCESS_QUERY_INFO | | | | | | RMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | 
OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\servi | | | | | | ces.exe, os_pid = 0x | | | | | | 1dc, desired_access | | | | | | = PROCESS_QUERY_INFO | | | | | | RMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\lsass | | | | | | .exe, os_pid = 0x1e4 | | | | | | , desired_access = P | | | | | | ROCESS_QUERY_INFORMA | | | | | | TION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x2 | | | | | | 3c, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x2 | | | | | | 5c, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\dwm.e | | | | | | xe, os_pid = 0x2e4, | | | | | | desired_access = PRO | | | | | | CESS_QUERY_INFORMATI | | | | | | ON | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x3 | | | | | | 20, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid 
= 0x3 | | | | | | 34, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x3 | | | | | | 54, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x3 | | | | | | 68, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x3 | | | | | | 90, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x2 | | | | | | 74, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\spool | | | | | | sv.exe, os_pid = 0x2 | | | | | | 30, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x4 | | | | | | 1c, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | 
| | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x5 | | | | | | 50, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\system32\sihos | | | | | | t.exe, os_pid = 0x70 | | | | | | 0, desired_access = | | | | | | PROCESS_QUERY_INFORM | | | | | | ATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\system32\taskh | | | | | | ostw.exe, os_pid = 0 | | | | | | x728, desired_access | | | | | | = PROCESS_QUERY_INF | | | | | | ORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\explorer.exe, | | | | | | os_pid = 0x7cc, desi | | | | | | red_access = PROCESS | | | | | | _QUERY_INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\system32\runti | | | | | | mebroker.exe, os_pid | | | | | | = 0x4b0, desired_ac | | | | | | cess = PROCESS_QUERY | | | | | | _INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\systemapps\she | | | | | | llexperiencehost_cw5 | | | | | | n1h2txyewy\shellexpe | | | | | | riencehost.exe, os_p | | | | | | id = 0x910, desired_ | | | | | | access = PROCESS_QUE | | | | | | RY_INFORMATION | | | 
+----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\systemapps\mic | | | | | | rosoft.windows.corta | | | | | | na_cw5n1h2txyewy\sea | | | | | | rchui.exe, os_pid = | | | | | | 0xa10, desired_acces | | | | | | s = PROCESS_QUERY_IN | | | | | | FORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x5 | | | | | | 90, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\wbem\ | | | | | | wmiadap.exe, os_pid | | | | | | = 0xb34, desired_acc | | | | | | ess = PROCESS_QUERY_ | | | | | | INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\sppsv | | | | | | c.exe, os_pid = 0x6a | | | | | | c, desired_access = | | | | | | PROCESS_QUERY_INFORM | | | | | | ATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\system32\backg | | | | | | roundtaskhost.exe, o | | | | | | s_pid = 0xba8, desir | | | | | | ed_access = PROCESS_ | | | | | | QUERY_INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\wbem\ | | | | | | wmiprvse.exe, os_pid | | | | | | = 0xfc, desired_acc | | | | | | ess = PROCESS_QUERY_ | | | | | | INFORMATION | | | 
+----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\audio | | | | | | dg.exe, os_pid = 0x3 | | | | | | f8, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 2 | | | | ndows\syswow64\svcho | | | | | | st.exe, os_pid = 0xc | | | | | | 54, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN_TOKEN | process_name = c:\wi | True | 1 | | | | ndows\syswow64\svcho | | | | | | st.exe, os_pid = 0xc | | | | | | 54, desired_access = | | | | | | PROCESS_VM_OPERATIO | | | | | | N, desired_access = | | | | | | PROCESS_VM_OPERATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\system32\backg | | | | | | roundtaskhost.exe, o | | | | | | s_pid = 0xdc0, desir | | | | | | ed_access = PROCESS_ | | | | | | QUERY_INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | SYS | GET_INFO | type = SYSTEM_PROCES | False | 1 | | | | S_INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | SYS | GET_INFO | type = SYSTEM_PROCES | True | 1 | | | | S_INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = Syste | False | 1 | | | | m Idle Process, os_p | | | | | | id = 0x0, desired_ac | | | | | | cess = PROCESS_QUERY | | | | | | 
_INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = Syste | False | 1 | | | | m, os_pid = 0x4, des | | | | | | ired_access = PROCES | | | | | | S_QUERY_INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\smss. | | | | | | exe, os_pid = 0x108, | | | | | | desired_access = PR | | | | | | OCESS_QUERY_INFORMAT | | | | | | ION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\csrss | | | | | | .exe, os_pid = 0x150 | | | | | | , desired_access = P | | | | | | ROCESS_QUERY_INFORMA | | | | | | TION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\winin | | | | | | it.exe, os_pid = 0x1 | | | | | | 8c, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\csrss | | | | | | .exe, os_pid = 0x194 | | | | | | , desired_access = P | | | | | | ROCESS_QUERY_INFORMA | | | | | | TION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\winlo | | | | | | gon.exe, os_pid = 0x | | | | | | 1c4, desired_access | | | | | | = PROCESS_QUERY_INFO | | | | | | RMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | 
OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\servi | | | | | | ces.exe, os_pid = 0x | | | | | | 1dc, desired_access | | | | | | = PROCESS_QUERY_INFO | | | | | | RMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\lsass | | | | | | .exe, os_pid = 0x1e4 | | | | | | , desired_access = P | | | | | | ROCESS_QUERY_INFORMA | | | | | | TION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x2 | | | | | | 3c, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x2 | | | | | | 5c, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\dwm.e | | | | | | xe, os_pid = 0x2e4, | | | | | | desired_access = PRO | | | | | | CESS_QUERY_INFORMATI | | | | | | ON | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x3 | | | | | | 20, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid 
= 0x3 | | | | | | 34, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x3 | | | | | | 54, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x3 | | | | | | 68, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x3 | | | | | | 90, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x2 | | | | | | 74, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\spool | | | | | | sv.exe, os_pid = 0x2 | | | | | | 30, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x4 | | | | | | 1c, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | 
| | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x5 | | | | | | 50, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\system32\sihos | | | | | | t.exe, os_pid = 0x70 | | | | | | 0, desired_access = | | | | | | PROCESS_QUERY_INFORM | | | | | | ATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\system32\taskh | | | | | | ostw.exe, os_pid = 0 | | | | | | x728, desired_access | | | | | | = PROCESS_QUERY_INF | | | | | | ORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\explorer.exe, | | | | | | os_pid = 0x7cc, desi | | | | | | red_access = PROCESS | | | | | | _QUERY_INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\system32\runti | | | | | | mebroker.exe, os_pid | | | | | | = 0x4b0, desired_ac | | | | | | cess = PROCESS_QUERY | | | | | | _INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\systemapps\she | | | | | | llexperiencehost_cw5 | | | | | | n1h2txyewy\shellexpe | | | | | | riencehost.exe, os_p | | | | | | id = 0x910, desired_ | | | | | | access = PROCESS_QUE | | | | | | RY_INFORMATION | | | 
+----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\systemapps\mic | | | | | | rosoft.windows.corta | | | | | | na_cw5n1h2txyewy\sea | | | | | | rchui.exe, os_pid = | | | | | | 0xa10, desired_acces | | | | | | s = PROCESS_QUERY_IN | | | | | | FORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x5 | | | | | | 90, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\wbem\ | | | | | | wmiadap.exe, os_pid | | | | | | = 0xb34, desired_acc | | | | | | ess = PROCESS_QUERY_ | | | | | | INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\sppsv | | | | | | c.exe, os_pid = 0x6a | | | | | | c, desired_access = | | | | | | PROCESS_QUERY_INFORM | | | | | | ATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\system32\backg | | | | | | roundtaskhost.exe, o | | | | | | s_pid = 0xba8, desir | | | | | | ed_access = PROCESS_ | | | | | | QUERY_INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\wbem\ | | | | | | wmiprvse.exe, os_pid | | | | | | = 0xfc, desired_acc | | | | | | ess = PROCESS_QUERY_ | | | | | | INFORMATION | | | 
+----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\audio | | | | | | dg.exe, os_pid = 0x3 | | | | | | f8, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 2 | | | | ndows\syswow64\svcho | | | | | | st.exe, os_pid = 0xc | | | | | | 54, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN_TOKEN | process_name = c:\wi | True | 1 | | | | ndows\syswow64\svcho | | | | | | st.exe, os_pid = 0xc | | | | | | 54, desired_access = | | | | | | PROCESS_VM_OPERATIO | | | | | | N, desired_access = | | | | | | PROCESS_VM_OPERATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\system32\backg | | | | | | roundtaskhost.exe, o | | | | | | s_pid = 0xdc0, desir | | | | | | ed_access = PROCESS_ | | | | | | QUERY_INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | SYS | GET_INFO | type = SYSTEM_PROCES | False | 1 | | | | S_INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | SYS | GET_INFO | type = SYSTEM_PROCES | True | 1 | | | | S_INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = Syste | False | 1 | | | | m Idle Process, os_p | | | | | | id = 0x0, desired_ac | | | | | | cess = PROCESS_QUERY | | | | | | 
_INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = Syste | False | 1 | | | | m, os_pid = 0x4, des | | | | | | ired_access = PROCES | | | | | | S_QUERY_INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\smss. | | | | | | exe, os_pid = 0x108, | | | | | | desired_access = PR | | | | | | OCESS_QUERY_INFORMAT | | | | | | ION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\csrss | | | | | | .exe, os_pid = 0x150 | | | | | | , desired_access = P | | | | | | ROCESS_QUERY_INFORMA | | | | | | TION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\winin | | | | | | it.exe, os_pid = 0x1 | | | | | | 8c, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\csrss | | | | | | .exe, os_pid = 0x194 | | | | | | , desired_access = P | | | | | | ROCESS_QUERY_INFORMA | | | | | | TION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\winlo | | | | | | gon.exe, os_pid = 0x | | | | | | 1c4, desired_access | | | | | | = PROCESS_QUERY_INFO | | | | | | RMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | 
OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\servi | | | | | | ces.exe, os_pid = 0x | | | | | | 1dc, desired_access | | | | | | = PROCESS_QUERY_INFO | | | | | | RMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\lsass | | | | | | .exe, os_pid = 0x1e4 | | | | | | , desired_access = P | | | | | | ROCESS_QUERY_INFORMA | | | | | | TION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x2 | | | | | | 3c, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x2 | | | | | | 5c, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\dwm.e | | | | | | xe, os_pid = 0x2e4, | | | | | | desired_access = PRO | | | | | | CESS_QUERY_INFORMATI | | | | | | ON | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x3 | | | | | | 20, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid 
= 0x3 | | | | | | 34, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x3 | | | | | | 54, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x3 | | | | | | 68, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x3 | | | | | | 90, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x2 | | | | | | 74, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\spool | | | | | | sv.exe, os_pid = 0x2 | | | | | | 30, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x4 | | | | | | 1c, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | 
| | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x5 | | | | | | 50, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\system32\sihos | | | | | | t.exe, os_pid = 0x70 | | | | | | 0, desired_access = | | | | | | PROCESS_QUERY_INFORM | | | | | | ATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\system32\taskh | | | | | | ostw.exe, os_pid = 0 | | | | | | x728, desired_access | | | | | | = PROCESS_QUERY_INF | | | | | | ORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\explorer.exe, | | | | | | os_pid = 0x7cc, desi | | | | | | red_access = PROCESS | | | | | | _QUERY_INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\system32\runti | | | | | | mebroker.exe, os_pid | | | | | | = 0x4b0, desired_ac | | | | | | cess = PROCESS_QUERY | | | | | | _INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\systemapps\she | | | | | | llexperiencehost_cw5 | | | | | | n1h2txyewy\shellexpe | | | | | | riencehost.exe, os_p | | | | | | id = 0x910, desired_ | | | | | | access = PROCESS_QUE | | | | | | RY_INFORMATION | | | 
+----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\systemapps\mic | | | | | | rosoft.windows.corta | | | | | | na_cw5n1h2txyewy\sea | | | | | | rchui.exe, os_pid = | | | | | | 0xa10, desired_acces | | | | | | s = PROCESS_QUERY_IN | | | | | | FORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x5 | | | | | | 90, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\wbem\ | | | | | | wmiadap.exe, os_pid | | | | | | = 0xb34, desired_acc | | | | | | ess = PROCESS_QUERY_ | | | | | | INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\sppsv | | | | | | c.exe, os_pid = 0x6a | | | | | | c, desired_access = | | | | | | PROCESS_QUERY_INFORM | | | | | | ATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\system32\backg | | | | | | roundtaskhost.exe, o | | | | | | s_pid = 0xba8, desir | | | | | | ed_access = PROCESS_ | | | | | | QUERY_INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\wbem\ | | | | | | wmiprvse.exe, os_pid | | | | | | = 0xfc, desired_acc | | | | | | ess = PROCESS_QUERY_ | | | | | | INFORMATION | | | 
+----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\audio | | | | | | dg.exe, os_pid = 0x3 | | | | | | f8, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 2 | | | | ndows\syswow64\svcho | | | | | | st.exe, os_pid = 0xc | | | | | | 54, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN_TOKEN | process_name = c:\wi | True | 1 | | | | ndows\syswow64\svcho | | | | | | st.exe, os_pid = 0xc | | | | | | 54, desired_access = | | | | | | PROCESS_VM_OPERATIO | | | | | | N, desired_access = | | | | | | PROCESS_VM_OPERATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\system32\backg | | | | | | roundtaskhost.exe, o | | | | | | s_pid = 0xdc0, desir | | | | | | ed_access = PROCESS_ | | | | | | QUERY_INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | SYS | GET_INFO | type = SYSTEM_PROCES | False | 1 | | | | S_INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | SYS | GET_INFO | type = SYSTEM_PROCES | True | 1 | | | | S_INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = Syste | False | 1 | | | | m Idle Process, os_p | | | | | | id = 0x0, desired_ac | | | | | | cess = PROCESS_QUERY | | | | | | 
_INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = Syste | False | 1 | | | | m, os_pid = 0x4, des | | | | | | ired_access = PROCES | | | | | | S_QUERY_INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\smss. | | | | | | exe, os_pid = 0x108, | | | | | | desired_access = PR | | | | | | OCESS_QUERY_INFORMAT | | | | | | ION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\csrss | | | | | | .exe, os_pid = 0x150 | | | | | | , desired_access = P | | | | | | ROCESS_QUERY_INFORMA | | | | | | TION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\winin | | | | | | it.exe, os_pid = 0x1 | | | | | | 8c, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\csrss | | | | | | .exe, os_pid = 0x194 | | | | | | , desired_access = P | | | | | | ROCESS_QUERY_INFORMA | | | | | | TION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\winlo | | | | | | gon.exe, os_pid = 0x | | | | | | 1c4, desired_access | | | | | | = PROCESS_QUERY_INFO | | | | | | RMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | 
OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\servi | | | | | | ces.exe, os_pid = 0x | | | | | | 1dc, desired_access | | | | | | = PROCESS_QUERY_INFO | | | | | | RMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\lsass | | | | | | .exe, os_pid = 0x1e4 | | | | | | , desired_access = P | | | | | | ROCESS_QUERY_INFORMA | | | | | | TION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x2 | | | | | | 3c, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x2 | | | | | | 5c, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\dwm.e | | | | | | xe, os_pid = 0x2e4, | | | | | | desired_access = PRO | | | | | | CESS_QUERY_INFORMATI | | | | | | ON | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x3 | | | | | | 20, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid 
= 0x3 | | | | | | 34, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x3 | | | | | | 54, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x3 | | | | | | 68, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x3 | | | | | | 90, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x2 | | | | | | 74, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\spool | | | | | | sv.exe, os_pid = 0x2 | | | | | | 30, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x4 | | | | | | 1c, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | 
| | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x5 | | | | | | 50, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\system32\sihos | | | | | | t.exe, os_pid = 0x70 | | | | | | 0, desired_access = | | | | | | PROCESS_QUERY_INFORM | | | | | | ATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\system32\taskh | | | | | | ostw.exe, os_pid = 0 | | | | | | x728, desired_access | | | | | | = PROCESS_QUERY_INF | | | | | | ORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\explorer.exe, | | | | | | os_pid = 0x7cc, desi | | | | | | red_access = PROCESS | | | | | | _QUERY_INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\system32\runti | | | | | | mebroker.exe, os_pid | | | | | | = 0x4b0, desired_ac | | | | | | cess = PROCESS_QUERY | | | | | | _INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\systemapps\she | | | | | | llexperiencehost_cw5 | | | | | | n1h2txyewy\shellexpe | | | | | | riencehost.exe, os_p | | | | | | id = 0x910, desired_ | | | | | | access = PROCESS_QUE | | | | | | RY_INFORMATION | | | 
+----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\systemapps\mic | | | | | | rosoft.windows.corta | | | | | | na_cw5n1h2txyewy\sea | | | | | | rchui.exe, os_pid = | | | | | | 0xa10, desired_acces | | | | | | s = PROCESS_QUERY_IN | | | | | | FORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x5 | | | | | | 90, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\wbem\ | | | | | | wmiadap.exe, os_pid | | | | | | = 0xb34, desired_acc | | | | | | ess = PROCESS_QUERY_ | | | | | | INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\sppsv | | | | | | c.exe, os_pid = 0x6a | | | | | | c, desired_access = | | | | | | PROCESS_QUERY_INFORM | | | | | | ATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\system32\backg | | | | | | roundtaskhost.exe, o | | | | | | s_pid = 0xba8, desir | | | | | | ed_access = PROCESS_ | | | | | | QUERY_INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\wbem\ | | | | | | wmiprvse.exe, os_pid | | | | | | = 0xfc, desired_acc | | | | | | ess = PROCESS_QUERY_ | | | | | | INFORMATION | | | 
+----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\audio | | | | | | dg.exe, os_pid = 0x3 | | | | | | f8, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 2 | | | | ndows\syswow64\svcho | | | | | | st.exe, os_pid = 0xc | | | | | | 54, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN_TOKEN | process_name = c:\wi | True | 1 | | | | ndows\syswow64\svcho | | | | | | st.exe, os_pid = 0xc | | | | | | 54, desired_access = | | | | | | PROCESS_VM_OPERATIO | | | | | | N, desired_access = | | | | | | PROCESS_VM_OPERATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\system32\backg | | | | | | roundtaskhost.exe, o | | | | | | s_pid = 0xdc0, desir | | | | | | ed_access = PROCESS_ | | | | | | QUERY_INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | SYS | GET_INFO | type = SYSTEM_PROCES | False | 1 | | | | S_INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | SYS | GET_INFO | type = SYSTEM_PROCES | True | 1 | | | | S_INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = Syste | False | 1 | | | | m Idle Process, os_p | | | | | | id = 0x0, desired_ac | | | | | | cess = PROCESS_QUERY | | | | | | 
_INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = Syste | False | 1 | | | | m, os_pid = 0x4, des | | | | | | ired_access = PROCES | | | | | | S_QUERY_INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\smss. | | | | | | exe, os_pid = 0x108, | | | | | | desired_access = PR | | | | | | OCESS_QUERY_INFORMAT | | | | | | ION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\csrss | | | | | | .exe, os_pid = 0x150 | | | | | | , desired_access = P | | | | | | ROCESS_QUERY_INFORMA | | | | | | TION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\winin | | | | | | it.exe, os_pid = 0x1 | | | | | | 8c, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\csrss | | | | | | .exe, os_pid = 0x194 | | | | | | , desired_access = P | | | | | | ROCESS_QUERY_INFORMA | | | | | | TION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\winlo | | | | | | gon.exe, os_pid = 0x | | | | | | 1c4, desired_access | | | | | | = PROCESS_QUERY_INFO | | | | | | RMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | 
OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\servi | | | | | | ces.exe, os_pid = 0x | | | | | | 1dc, desired_access | | | | | | = PROCESS_QUERY_INFO | | | | | | RMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\lsass | | | | | | .exe, os_pid = 0x1e4 | | | | | | , desired_access = P | | | | | | ROCESS_QUERY_INFORMA | | | | | | TION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x2 | | | | | | 3c, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x2 | | | | | | 5c, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\dwm.e | | | | | | xe, os_pid = 0x2e4, | | | | | | desired_access = PRO | | | | | | CESS_QUERY_INFORMATI | | | | | | ON | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x3 | | | | | | 20, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid 
= 0x3 | | | | | | 34, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x3 | | | | | | 54, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x3 | | | | | | 68, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x3 | | | | | | 90, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x2 | | | | | | 74, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\spool | | | | | | sv.exe, os_pid = 0x2 | | | | | | 30, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x4 | | | | | | 1c, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | 
| | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x5 | | | | | | 50, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\system32\sihos | | | | | | t.exe, os_pid = 0x70 | | | | | | 0, desired_access = | | | | | | PROCESS_QUERY_INFORM | | | | | | ATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\system32\taskh | | | | | | ostw.exe, os_pid = 0 | | | | | | x728, desired_access | | | | | | = PROCESS_QUERY_INF | | | | | | ORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\explorer.exe, | | | | | | os_pid = 0x7cc, desi | | | | | | red_access = PROCESS | | | | | | _QUERY_INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\system32\runti | | | | | | mebroker.exe, os_pid | | | | | | = 0x4b0, desired_ac | | | | | | cess = PROCESS_QUERY | | | | | | _INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\systemapps\she | | | | | | llexperiencehost_cw5 | | | | | | n1h2txyewy\shellexpe | | | | | | riencehost.exe, os_p | | | | | | id = 0x910, desired_ | | | | | | access = PROCESS_QUE | | | | | | RY_INFORMATION | | | 
+----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\systemapps\mic | | | | | | rosoft.windows.corta | | | | | | na_cw5n1h2txyewy\sea | | | | | | rchui.exe, os_pid = | | | | | | 0xa10, desired_acces | | | | | | s = PROCESS_QUERY_IN | | | | | | FORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x5 | | | | | | 90, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\wbem\ | | | | | | wmiadap.exe, os_pid | | | | | | = 0xb34, desired_acc | | | | | | ess = PROCESS_QUERY_ | | | | | | INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\sppsv | | | | | | c.exe, os_pid = 0x6a | | | | | | c, desired_access = | | | | | | PROCESS_QUERY_INFORM | | | | | | ATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\system32\backg | | | | | | roundtaskhost.exe, o | | | | | | s_pid = 0xba8, desir | | | | | | ed_access = PROCESS_ | | | | | | QUERY_INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\wbem\ | | | | | | wmiprvse.exe, os_pid | | | | | | = 0xfc, desired_acc | | | | | | ess = PROCESS_QUERY_ | | | | | | INFORMATION | | | 
+----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\audio | | | | | | dg.exe, os_pid = 0x3 | | | | | | f8, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 2 | | | | ndows\syswow64\svcho | | | | | | st.exe, os_pid = 0xc | | | | | | 54, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN_TOKEN | process_name = c:\wi | True | 1 | | | | ndows\syswow64\svcho | | | | | | st.exe, os_pid = 0xc | | | | | | 54, desired_access = | | | | | | PROCESS_VM_OPERATIO | | | | | | N, desired_access = | | | | | | PROCESS_VM_OPERATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\system32\backg | | | | | | roundtaskhost.exe, o | | | | | | s_pid = 0xdc0, desir | | | | | | ed_access = PROCESS_ | | | | | | QUERY_INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | SYS | GET_INFO | type = SYSTEM_PROCES | False | 1 | | | | S_INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | SYS | GET_INFO | type = SYSTEM_PROCES | True | 1 | | | | S_INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = Syste | False | 1 | | | | m Idle Process, os_p | | | | | | id = 0x0, desired_ac | | | | | | cess = PROCESS_QUERY | | | | | | 
_INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = Syste | False | 1 | | | | m, os_pid = 0x4, des | | | | | | ired_access = PROCES | | | | | | S_QUERY_INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\smss. | | | | | | exe, os_pid = 0x108, | | | | | | desired_access = PR | | | | | | OCESS_QUERY_INFORMAT | | | | | | ION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\csrss | | | | | | .exe, os_pid = 0x150 | | | | | | , desired_access = P | | | | | | ROCESS_QUERY_INFORMA | | | | | | TION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\winin | | | | | | it.exe, os_pid = 0x1 | | | | | | 8c, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\csrss | | | | | | .exe, os_pid = 0x194 | | | | | | , desired_access = P | | | | | | ROCESS_QUERY_INFORMA | | | | | | TION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\winlo | | | | | | gon.exe, os_pid = 0x | | | | | | 1c4, desired_access | | | | | | = PROCESS_QUERY_INFO | | | | | | RMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | 
OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\servi | | | | | | ces.exe, os_pid = 0x | | | | | | 1dc, desired_access | | | | | | = PROCESS_QUERY_INFO | | | | | | RMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\lsass | | | | | | .exe, os_pid = 0x1e4 | | | | | | , desired_access = P | | | | | | ROCESS_QUERY_INFORMA | | | | | | TION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x2 | | | | | | 3c, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x2 | | | | | | 5c, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\dwm.e | | | | | | xe, os_pid = 0x2e4, | | | | | | desired_access = PRO | | | | | | CESS_QUERY_INFORMATI | | | | | | ON | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x3 | | | | | | 20, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid 
= 0x3 | | | | | | 34, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x3 | | | | | | 54, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x3 | | | | | | 68, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x3 | | | | | | 90, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x2 | | | | | | 74, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\spool | | | | | | sv.exe, os_pid = 0x2 | | | | | | 30, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x4 | | | | | | 1c, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | 
| | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x5 | | | | | | 50, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\system32\sihos | | | | | | t.exe, os_pid = 0x70 | | | | | | 0, desired_access = | | | | | | PROCESS_QUERY_INFORM | | | | | | ATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\system32\taskh | | | | | | ostw.exe, os_pid = 0 | | | | | | x728, desired_access | | | | | | = PROCESS_QUERY_INF | | | | | | ORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\explorer.exe, | | | | | | os_pid = 0x7cc, desi | | | | | | red_access = PROCESS | | | | | | _QUERY_INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\system32\runti | | | | | | mebroker.exe, os_pid | | | | | | = 0x4b0, desired_ac | | | | | | cess = PROCESS_QUERY | | | | | | _INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\systemapps\she | | | | | | llexperiencehost_cw5 | | | | | | n1h2txyewy\shellexpe | | | | | | riencehost.exe, os_p | | | | | | id = 0x910, desired_ | | | | | | access = PROCESS_QUE | | | | | | RY_INFORMATION | | | 
+----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\systemapps\mic | | | | | | rosoft.windows.corta | | | | | | na_cw5n1h2txyewy\sea | | | | | | rchui.exe, os_pid = | | | | | | 0xa10, desired_acces | | | | | | s = PROCESS_QUERY_IN | | | | | | FORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x5 | | | | | | 90, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\wbem\ | | | | | | wmiadap.exe, os_pid | | | | | | = 0xb34, desired_acc | | | | | | ess = PROCESS_QUERY_ | | | | | | INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\sppsv | | | | | | c.exe, os_pid = 0x6a | | | | | | c, desired_access = | | | | | | PROCESS_QUERY_INFORM | | | | | | ATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\system32\backg | | | | | | roundtaskhost.exe, o | | | | | | s_pid = 0xba8, desir | | | | | | ed_access = PROCESS_ | | | | | | QUERY_INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\wbem\ | | | | | | wmiprvse.exe, os_pid | | | | | | = 0xfc, desired_acc | | | | | | ess = PROCESS_QUERY_ | | | | | | INFORMATION | | | 
+----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\audio | | | | | | dg.exe, os_pid = 0x3 | | | | | | f8, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 2 | | | | ndows\syswow64\svcho | | | | | | st.exe, os_pid = 0xc | | | | | | 54, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN_TOKEN | process_name = c:\wi | True | 1 | | | | ndows\syswow64\svcho | | | | | | st.exe, os_pid = 0xc | | | | | | 54, desired_access = | | | | | | PROCESS_VM_OPERATIO | | | | | | N, desired_access = | | | | | | PROCESS_VM_OPERATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\system32\backg | | | | | | roundtaskhost.exe, o | | | | | | s_pid = 0xdc0, desir | | | | | | ed_access = PROCESS_ | | | | | | QUERY_INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | SYS | GET_INFO | type = SYSTEM_PROCES | False | 1 | | | | S_INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | SYS | GET_INFO | type = SYSTEM_PROCES | True | 1 | | | | S_INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = Syste | False | 1 | | | | m Idle Process, os_p | | | | | | id = 0x0, desired_ac | | | | | | cess = PROCESS_QUERY | | | | | | 
_INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = Syste | False | 1 | | | | m, os_pid = 0x4, des | | | | | | ired_access = PROCES | | | | | | S_QUERY_INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\smss. | | | | | | exe, os_pid = 0x108, | | | | | | desired_access = PR | | | | | | OCESS_QUERY_INFORMAT | | | | | | ION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\csrss | | | | | | .exe, os_pid = 0x150 | | | | | | , desired_access = P | | | | | | ROCESS_QUERY_INFORMA | | | | | | TION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\winin | | | | | | it.exe, os_pid = 0x1 | | | | | | 8c, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\csrss | | | | | | .exe, os_pid = 0x194 | | | | | | , desired_access = P | | | | | | ROCESS_QUERY_INFORMA | | | | | | TION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\winlo | | | | | | gon.exe, os_pid = 0x | | | | | | 1c4, desired_access | | | | | | = PROCESS_QUERY_INFO | | | | | | RMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | 
OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\servi | | | | | | ces.exe, os_pid = 0x | | | | | | 1dc, desired_access | | | | | | = PROCESS_QUERY_INFO | | | | | | RMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\lsass | | | | | | .exe, os_pid = 0x1e4 | | | | | | , desired_access = P | | | | | | ROCESS_QUERY_INFORMA | | | | | | TION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x2 | | | | | | 3c, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x2 | | | | | | 5c, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\dwm.e | | | | | | xe, os_pid = 0x2e4, | | | | | | desired_access = PRO | | | | | | CESS_QUERY_INFORMATI | | | | | | ON | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x3 | | | | | | 20, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid 
= 0x3 | | | | | | 34, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x3 | | | | | | 54, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x3 | | | | | | 68, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x3 | | | | | | 90, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x2 | | | | | | 74, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\spool | | | | | | sv.exe, os_pid = 0x2 | | | | | | 30, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x4 | | | | | | 1c, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | 
| | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x5 | | | | | | 50, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\system32\sihos | | | | | | t.exe, os_pid = 0x70 | | | | | | 0, desired_access = | | | | | | PROCESS_QUERY_INFORM | | | | | | ATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\system32\taskh | | | | | | ostw.exe, os_pid = 0 | | | | | | x728, desired_access | | | | | | = PROCESS_QUERY_INF | | | | | | ORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\explorer.exe, | | | | | | os_pid = 0x7cc, desi | | | | | | red_access = PROCESS | | | | | | _QUERY_INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\system32\runti | | | | | | mebroker.exe, os_pid | | | | | | = 0x4b0, desired_ac | | | | | | cess = PROCESS_QUERY | | | | | | _INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\systemapps\she | | | | | | llexperiencehost_cw5 | | | | | | n1h2txyewy\shellexpe | | | | | | riencehost.exe, os_p | | | | | | id = 0x910, desired_ | | | | | | access = PROCESS_QUE | | | | | | RY_INFORMATION | | | 
+----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\systemapps\mic | | | | | | rosoft.windows.corta | | | | | | na_cw5n1h2txyewy\sea | | | | | | rchui.exe, os_pid = | | | | | | 0xa10, desired_acces | | | | | | s = PROCESS_QUERY_IN | | | | | | FORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x5 | | | | | | 90, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\wbem\ | | | | | | wmiadap.exe, os_pid | | | | | | = 0xb34, desired_acc | | | | | | ess = PROCESS_QUERY_ | | | | | | INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\sppsv | | | | | | c.exe, os_pid = 0x6a | | | | | | c, desired_access = | | | | | | PROCESS_QUERY_INFORM | | | | | | ATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\system32\backg | | | | | | roundtaskhost.exe, o | | | | | | s_pid = 0xba8, desir | | | | | | ed_access = PROCESS_ | | | | | | QUERY_INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\wbem\ | | | | | | wmiprvse.exe, os_pid | | | | | | = 0xfc, desired_acc | | | | | | ess = PROCESS_QUERY_ | | | | | | INFORMATION | | | 
+----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\audio | | | | | | dg.exe, os_pid = 0x3 | | | | | | f8, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 2 | | | | ndows\syswow64\svcho | | | | | | st.exe, os_pid = 0xc | | | | | | 54, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN_TOKEN | process_name = c:\wi | True | 1 | | | | ndows\syswow64\svcho | | | | | | st.exe, os_pid = 0xc | | | | | | 54, desired_access = | | | | | | PROCESS_VM_OPERATIO | | | | | | N, desired_access = | | | | | | PROCESS_VM_OPERATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\system32\backg | | | | | | roundtaskhost.exe, o | | | | | | s_pid = 0xdc0, desir | | | | | | ed_access = PROCESS_ | | | | | | QUERY_INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | SYS | GET_INFO | type = SYSTEM_PROCES | False | 1 | | | | S_INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | SYS | GET_INFO | type = SYSTEM_PROCES | True | 1 | | | | S_INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = Syste | False | 1 | | | | m Idle Process, os_p | | | | | | id = 0x0, desired_ac | | | | | | cess = PROCESS_QUERY | | | | | | 
_INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = Syste | False | 1 | | | | m, os_pid = 0x4, des | | | | | | ired_access = PROCES | | | | | | S_QUERY_INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\smss. | | | | | | exe, os_pid = 0x108, | | | | | | desired_access = PR | | | | | | OCESS_QUERY_INFORMAT | | | | | | ION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\csrss | | | | | | .exe, os_pid = 0x150 | | | | | | , desired_access = P | | | | | | ROCESS_QUERY_INFORMA | | | | | | TION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\winin | | | | | | it.exe, os_pid = 0x1 | | | | | | 8c, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\csrss | | | | | | .exe, os_pid = 0x194 | | | | | | , desired_access = P | | | | | | ROCESS_QUERY_INFORMA | | | | | | TION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\winlo | | | | | | gon.exe, os_pid = 0x | | | | | | 1c4, desired_access | | | | | | = PROCESS_QUERY_INFO | | | | | | RMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | 
OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\servi | | | | | | ces.exe, os_pid = 0x | | | | | | 1dc, desired_access | | | | | | = PROCESS_QUERY_INFO | | | | | | RMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\lsass | | | | | | .exe, os_pid = 0x1e4 | | | | | | , desired_access = P | | | | | | ROCESS_QUERY_INFORMA | | | | | | TION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x2 | | | | | | 3c, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x2 | | | | | | 5c, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\dwm.e | | | | | | xe, os_pid = 0x2e4, | | | | | | desired_access = PRO | | | | | | CESS_QUERY_INFORMATI | | | | | | ON | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x3 | | | | | | 20, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid 
= 0x3 | | | | | | 34, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x3 | | | | | | 54, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x3 | | | | | | 68, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x3 | | | | | | 90, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x2 | | | | | | 74, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\spool | | | | | | sv.exe, os_pid = 0x2 | | | | | | 30, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x4 | | | | | | 1c, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | 
| | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x5 | | | | | | 50, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\system32\sihos | | | | | | t.exe, os_pid = 0x70 | | | | | | 0, desired_access = | | | | | | PROCESS_QUERY_INFORM | | | | | | ATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\system32\taskh | | | | | | ostw.exe, os_pid = 0 | | | | | | x728, desired_access | | | | | | = PROCESS_QUERY_INF | | | | | | ORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\explorer.exe, | | | | | | os_pid = 0x7cc, desi | | | | | | red_access = PROCESS | | | | | | _QUERY_INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\system32\runti | | | | | | mebroker.exe, os_pid | | | | | | = 0x4b0, desired_ac | | | | | | cess = PROCESS_QUERY | | | | | | _INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\systemapps\she | | | | | | llexperiencehost_cw5 | | | | | | n1h2txyewy\shellexpe | | | | | | riencehost.exe, os_p | | | | | | id = 0x910, desired_ | | | | | | access = PROCESS_QUE | | | | | | RY_INFORMATION | | | 
+----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\systemapps\mic | | | | | | rosoft.windows.corta | | | | | | na_cw5n1h2txyewy\sea | | | | | | rchui.exe, os_pid = | | | | | | 0xa10, desired_acces | | | | | | s = PROCESS_QUERY_IN | | | | | | FORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x5 | | | | | | 90, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\wbem\ | | | | | | wmiadap.exe, os_pid | | | | | | = 0xb34, desired_acc | | | | | | ess = PROCESS_QUERY_ | | | | | | INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\sppsv | | | | | | c.exe, os_pid = 0x6a | | | | | | c, desired_access = | | | | | | PROCESS_QUERY_INFORM | | | | | | ATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\system32\backg | | | | | | roundtaskhost.exe, o | | | | | | s_pid = 0xba8, desir | | | | | | ed_access = PROCESS_ | | | | | | QUERY_INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\wbem\ | | | | | | wmiprvse.exe, os_pid | | | | | | = 0xfc, desired_acc | | | | | | ess = PROCESS_QUERY_ | | | | | | INFORMATION | | | 
+----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\audio | | | | | | dg.exe, os_pid = 0x3 | | | | | | f8, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 2 | | | | ndows\syswow64\svcho | | | | | | st.exe, os_pid = 0xc | | | | | | 54, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN_TOKEN | process_name = c:\wi | True | 1 | | | | ndows\syswow64\svcho | | | | | | st.exe, os_pid = 0xc | | | | | | 54, desired_access = | | | | | | PROCESS_VM_OPERATIO | | | | | | N, desired_access = | | | | | | PROCESS_VM_OPERATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\system32\backg | | | | | | roundtaskhost.exe, o | | | | | | s_pid = 0xdc0, desir | | | | | | ed_access = PROCESS_ | | | | | | QUERY_INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | SYS | GET_INFO | type = SYSTEM_PROCES | False | 1 | | | | S_INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | SYS | GET_INFO | type = SYSTEM_PROCES | True | 1 | | | | S_INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = Syste | False | 1 | | | | m Idle Process, os_p | | | | | | id = 0x0, desired_ac | | | | | | cess = PROCESS_QUERY | | | | | | 
_INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = Syste | False | 1 | | | | m, os_pid = 0x4, des | | | | | | ired_access = PROCES | | | | | | S_QUERY_INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\smss. | | | | | | exe, os_pid = 0x108, | | | | | | desired_access = PR | | | | | | OCESS_QUERY_INFORMAT | | | | | | ION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\csrss | | | | | | .exe, os_pid = 0x150 | | | | | | , desired_access = P | | | | | | ROCESS_QUERY_INFORMA | | | | | | TION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\winin | | | | | | it.exe, os_pid = 0x1 | | | | | | 8c, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\csrss | | | | | | .exe, os_pid = 0x194 | | | | | | , desired_access = P | | | | | | ROCESS_QUERY_INFORMA | | | | | | TION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\winlo | | | | | | gon.exe, os_pid = 0x | | | | | | 1c4, desired_access | | | | | | = PROCESS_QUERY_INFO | | | | | | RMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | 
OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\servi | | | | | | ces.exe, os_pid = 0x | | | | | | 1dc, desired_access | | | | | | = PROCESS_QUERY_INFO | | | | | | RMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\lsass | | | | | | .exe, os_pid = 0x1e4 | | | | | | , desired_access = P | | | | | | ROCESS_QUERY_INFORMA | | | | | | TION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x2 | | | | | | 3c, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x2 | | | | | | 5c, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\dwm.e | | | | | | xe, os_pid = 0x2e4, | | | | | | desired_access = PRO | | | | | | CESS_QUERY_INFORMATI | | | | | | ON | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x3 | | | | | | 20, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid 
= 0x3 | | | | | | 34, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x3 | | | | | | 54, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x3 | | | | | | 68, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x3 | | | | | | 90, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x2 | | | | | | 74, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\spool | | | | | | sv.exe, os_pid = 0x2 | | | | | | 30, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x4 | | | | | | 1c, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | 
| | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x5 | | | | | | 50, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\system32\sihos | | | | | | t.exe, os_pid = 0x70 | | | | | | 0, desired_access = | | | | | | PROCESS_QUERY_INFORM | | | | | | ATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\system32\taskh | | | | | | ostw.exe, os_pid = 0 | | | | | | x728, desired_access | | | | | | = PROCESS_QUERY_INF | | | | | | ORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\explorer.exe, | | | | | | os_pid = 0x7cc, desi | | | | | | red_access = PROCESS | | | | | | _QUERY_INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\system32\runti | | | | | | mebroker.exe, os_pid | | | | | | = 0x4b0, desired_ac | | | | | | cess = PROCESS_QUERY | | | | | | _INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\systemapps\she | | | | | | llexperiencehost_cw5 | | | | | | n1h2txyewy\shellexpe | | | | | | riencehost.exe, os_p | | | | | | id = 0x910, desired_ | | | | | | access = PROCESS_QUE | | | | | | RY_INFORMATION | | | 
+----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\systemapps\mic | | | | | | rosoft.windows.corta | | | | | | na_cw5n1h2txyewy\sea | | | | | | rchui.exe, os_pid = | | | | | | 0xa10, desired_acces | | | | | | s = PROCESS_QUERY_IN | | | | | | FORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x5 | | | | | | 90, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\wbem\ | | | | | | wmiadap.exe, os_pid | | | | | | = 0xb34, desired_acc | | | | | | ess = PROCESS_QUERY_ | | | | | | INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\sppsv | | | | | | c.exe, os_pid = 0x6a | | | | | | c, desired_access = | | | | | | PROCESS_QUERY_INFORM | | | | | | ATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\system32\backg | | | | | | roundtaskhost.exe, o | | | | | | s_pid = 0xba8, desir | | | | | | ed_access = PROCESS_ | | | | | | QUERY_INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\wbem\ | | | | | | wmiprvse.exe, os_pid | | | | | | = 0xfc, desired_acc | | | | | | ess = PROCESS_QUERY_ | | | | | | INFORMATION | | | 
+----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\audio | | | | | | dg.exe, os_pid = 0x3 | | | | | | f8, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 2 | | | | ndows\syswow64\svcho | | | | | | st.exe, os_pid = 0xc | | | | | | 54, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN_TOKEN | process_name = c:\wi | True | 1 | | | | ndows\syswow64\svcho | | | | | | st.exe, os_pid = 0xc | | | | | | 54, desired_access = | | | | | | PROCESS_VM_OPERATIO | | | | | | N, desired_access = | | | | | | PROCESS_VM_OPERATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\system32\backg | | | | | | roundtaskhost.exe, o | | | | | | s_pid = 0xdc0, desir | | | | | | ed_access = PROCESS_ | | | | | | QUERY_INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\pr | False | 1 | | | | ogram files\windows | | | | | | defender\mpcmdrun.ex | | | | | | e, os_pid = 0xde0, d | | | | | | esired_access = PROC | | | | | | ESS_QUERY_INFORMATIO | | | | | | N | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | SYS | GET_INFO | type = SYSTEM_PROCES | False | 1 | | | | S_INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | SYS 
| GET_INFO | type = SYSTEM_PROCES | True | 1 | | | | S_INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = Syste | False | 1 | | | | m Idle Process, os_p | | | | | | id = 0x0, desired_ac | | | | | | cess = PROCESS_QUERY | | | | | | _INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = Syste | False | 1 | | | | m, os_pid = 0x4, des | | | | | | ired_access = PROCES | | | | | | S_QUERY_INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\smss. | | | | | | exe, os_pid = 0x108, | | | | | | desired_access = PR | | | | | | OCESS_QUERY_INFORMAT | | | | | | ION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\csrss | | | | | | .exe, os_pid = 0x150 | | | | | | , desired_access = P | | | | | | ROCESS_QUERY_INFORMA | | | | | | TION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\winin | | | | | | it.exe, os_pid = 0x1 | | | | | | 8c, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\csrss | | | | | | .exe, os_pid = 0x194 | | | | | | , desired_access = P | | | | | | ROCESS_QUERY_INFORMA | | | | | | TION | | | 
+----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\winlo | | | | | | gon.exe, os_pid = 0x | | | | | | 1c4, desired_access | | | | | | = PROCESS_QUERY_INFO | | | | | | RMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\servi | | | | | | ces.exe, os_pid = 0x | | | | | | 1dc, desired_access | | | | | | = PROCESS_QUERY_INFO | | | | | | RMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\lsass | | | | | | .exe, os_pid = 0x1e4 | | | | | | , desired_access = P | | | | | | ROCESS_QUERY_INFORMA | | | | | | TION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x2 | | | | | | 3c, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x2 | | | | | | 5c, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\dwm.e | | | | | | xe, os_pid = 0x2e4, | | | | | | desired_access = PRO | | | | | | CESS_QUERY_INFORMATI | | | | | | ON | | | 
+----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x3 | | | | | | 20, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x3 | | | | | | 34, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x3 | | | | | | 54, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x3 | | | | | | 68, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x3 | | | | | | 90, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x2 | | | | | | 74, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | 
+----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\spool | | | | | | sv.exe, os_pid = 0x2 | | | | | | 30, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x4 | | | | | | 1c, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x5 | | | | | | 50, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\system32\sihos | | | | | | t.exe, os_pid = 0x70 | | | | | | 0, desired_access = | | | | | | PROCESS_QUERY_INFORM | | | | | | ATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\system32\taskh | | | | | | ostw.exe, os_pid = 0 | | | | | | x728, desired_access | | | | | | = PROCESS_QUERY_INF | | | | | | ORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\explorer.exe, | | | | | | os_pid = 0x7cc, desi | | | | | | red_access = PROCESS | | | | | | _QUERY_INFORMATION | | | 
+----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\system32\runti | | | | | | mebroker.exe, os_pid | | | | | | = 0x4b0, desired_ac | | | | | | cess = PROCESS_QUERY | | | | | | _INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\systemapps\she | | | | | | llexperiencehost_cw5 | | | | | | n1h2txyewy\shellexpe | | | | | | riencehost.exe, os_p | | | | | | id = 0x910, desired_ | | | | | | access = PROCESS_QUE | | | | | | RY_INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\systemapps\mic | | | | | | rosoft.windows.corta | | | | | | na_cw5n1h2txyewy\sea | | | | | | rchui.exe, os_pid = | | | | | | 0xa10, desired_acces | | | | | | s = PROCESS_QUERY_IN | | | | | | FORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x5 | | | | | | 90, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\wbem\ | | | | | | wmiadap.exe, os_pid | | | | | | = 0xb34, desired_acc | | | | | | ess = PROCESS_QUERY_ | | | | | | INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\sppsv | | | | | | c.exe, os_pid = 0x6a | | | | | | c, desired_access 
= | | | | | | PROCESS_QUERY_INFORM | | | | | | ATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\system32\backg | | | | | | roundtaskhost.exe, o | | | | | | s_pid = 0xba8, desir | | | | | | ed_access = PROCESS_ | | | | | | QUERY_INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\wbem\ | | | | | | wmiprvse.exe, os_pid | | | | | | = 0xfc, desired_acc | | | | | | ess = PROCESS_QUERY_ | | | | | | INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\audio | | | | | | dg.exe, os_pid = 0x3 | | | | | | f8, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 2 | | | | ndows\syswow64\svcho | | | | | | st.exe, os_pid = 0xc | | | | | | 54, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN_TOKEN | process_name = c:\wi | True | 1 | | | | ndows\syswow64\svcho | | | | | | st.exe, os_pid = 0xc | | | | | | 54, desired_access = | | | | | | PROCESS_VM_OPERATIO | | | | | | N, desired_access = | | | | | | PROCESS_VM_OPERATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\system32\backg | | | | | | roundtaskhost.exe, o | | | | | | s_pid = 0xdc0, desir | | | | | | ed_access = 
PROCESS_ | | | | | | QUERY_INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | SYS | GET_INFO | type = SYSTEM_PROCES | False | 1 | | | | S_INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | SYS | GET_INFO | type = SYSTEM_PROCES | True | 1 | | | | S_INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = Syste | False | 1 | | | | m Idle Process, os_p | | | | | | id = 0x0, desired_ac | | | | | | cess = PROCESS_QUERY | | | | | | _INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = Syste | False | 1 | | | | m, os_pid = 0x4, des | | | | | | ired_access = PROCES | | | | | | S_QUERY_INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\smss. 
| | | | | | exe, os_pid = 0x108, | | | | | | desired_access = PR | | | | | | OCESS_QUERY_INFORMAT | | | | | | ION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\csrss | | | | | | .exe, os_pid = 0x150 | | | | | | , desired_access = P | | | | | | ROCESS_QUERY_INFORMA | | | | | | TION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\winin | | | | | | it.exe, os_pid = 0x1 | | | | | | 8c, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\csrss | | | | | | .exe, os_pid = 0x194 | | | | | | , desired_access = P | | | | | | ROCESS_QUERY_INFORMA | | | | | | TION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\winlo | | | | | | gon.exe, os_pid = 0x | | | | | | 1c4, desired_access | | | | | | = PROCESS_QUERY_INFO | | | | | | RMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\servi | | | | | | ces.exe, os_pid = 0x | | | | | | 1dc, desired_access | | | | | | = PROCESS_QUERY_INFO | | | | | | RMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\lsass | | | | | | .exe, os_pid = 0x1e4 | | | | | | , desired_access = P | | | | | | 
ROCESS_QUERY_INFORMA | | | | | | TION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x2 | | | | | | 3c, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x2 | | | | | | 5c, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\dwm.e | | | | | | xe, os_pid = 0x2e4, | | | | | | desired_access = PRO | | | | | | CESS_QUERY_INFORMATI | | | | | | ON | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x3 | | | | | | 20, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x3 | | | | | | 34, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x3 | | | | | | 54, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | 
+----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x3 | | | | | | 68, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x3 | | | | | | 90, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x2 | | | | | | 74, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\spool | | | | | | sv.exe, os_pid = 0x2 | | | | | | 30, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x4 | | | | | | 1c, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x5 | | | | | | 50, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | 
+----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\system32\sihos | | | | | | t.exe, os_pid = 0x70 | | | | | | 0, desired_access = | | | | | | PROCESS_QUERY_INFORM | | | | | | ATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\system32\taskh | | | | | | ostw.exe, os_pid = 0 | | | | | | x728, desired_access | | | | | | = PROCESS_QUERY_INF | | | | | | ORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\explorer.exe, | | | | | | os_pid = 0x7cc, desi | | | | | | red_access = PROCESS | | | | | | _QUERY_INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\system32\runti | | | | | | mebroker.exe, os_pid | | | | | | = 0x4b0, desired_ac | | | | | | cess = PROCESS_QUERY | | | | | | _INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\systemapps\she | | | | | | llexperiencehost_cw5 | | | | | | n1h2txyewy\shellexpe | | | | | | riencehost.exe, os_p | | | | | | id = 0x910, desired_ | | | | | | access = PROCESS_QUE | | | | | | RY_INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\systemapps\mic | | | | | | rosoft.windows.corta | | | | | | na_cw5n1h2txyewy\sea | | | | | | rchui.exe, os_pid = | | | | | | 0xa10, desired_acces | | | | | | s = 
PROCESS_QUERY_IN | | | | | | FORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x5 | | | | | | 90, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\wbem\ | | | | | | wmiadap.exe, os_pid | | | | | | = 0xb34, desired_acc | | | | | | ess = PROCESS_QUERY_ | | | | | | INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\sppsv | | | | | | c.exe, os_pid = 0x6a | | | | | | c, desired_access = | | | | | | PROCESS_QUERY_INFORM | | | | | | ATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\system32\backg | | | | | | roundtaskhost.exe, o | | | | | | s_pid = 0xba8, desir | | | | | | ed_access = PROCESS_ | | | | | | QUERY_INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\wbem\ | | | | | | wmiprvse.exe, os_pid | | | | | | = 0xfc, desired_acc | | | | | | ess = PROCESS_QUERY_ | | | | | | INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\audio | | | | | | dg.exe, os_pid = 0x3 | | | | | | f8, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | 
+----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 2 | | | | ndows\syswow64\svcho | | | | | | st.exe, os_pid = 0xc | | | | | | 54, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN_TOKEN | process_name = c:\wi | True | 1 | | | | ndows\syswow64\svcho | | | | | | st.exe, os_pid = 0xc | | | | | | 54, desired_access = | | | | | | PROCESS_VM_OPERATIO | | | | | | N, desired_access = | | | | | | PROCESS_VM_OPERATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\system32\backg | | | | | | roundtaskhost.exe, o | | | | | | s_pid = 0xdc0, desir | | | | | | ed_access = PROCESS_ | | | | | | QUERY_INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | SYS | GET_INFO | type = SYSTEM_PROCES | False | 1 | | | | S_INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | SYS | GET_INFO | type = SYSTEM_PROCES | True | 1 | | | | S_INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = Syste | False | 1 | | | | m Idle Process, os_p | | | | | | id = 0x0, desired_ac | | | | | | cess = PROCESS_QUERY | | | | | | _INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = Syste | False | 1 | | | | m, os_pid = 0x4, des | | | | | | ired_access = PROCES | | | | | | S_QUERY_INFORMATION | | | 
+----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\smss. | | | | | | exe, os_pid = 0x108, | | | | | | desired_access = PR | | | | | | OCESS_QUERY_INFORMAT | | | | | | ION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\csrss | | | | | | .exe, os_pid = 0x150 | | | | | | , desired_access = P | | | | | | ROCESS_QUERY_INFORMA | | | | | | TION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\winin | | | | | | it.exe, os_pid = 0x1 | | | | | | 8c, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\csrss | | | | | | .exe, os_pid = 0x194 | | | | | | , desired_access = P | | | | | | ROCESS_QUERY_INFORMA | | | | | | TION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\winlo | | | | | | gon.exe, os_pid = 0x | | | | | | 1c4, desired_access | | | | | | = PROCESS_QUERY_INFO | | | | | | RMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\servi | | | | | | ces.exe, os_pid = 0x | | | | | | 1dc, desired_access | | | | | | = PROCESS_QUERY_INFO | | | | | | RMATION | | | 
+----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\lsass | | | | | | .exe, os_pid = 0x1e4 | | | | | | , desired_access = P | | | | | | ROCESS_QUERY_INFORMA | | | | | | TION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x2 | | | | | | 3c, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x2 | | | | | | 5c, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\dwm.e | | | | | | xe, os_pid = 0x2e4, | | | | | | desired_access = PRO | | | | | | CESS_QUERY_INFORMATI | | | | | | ON | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x3 | | | | | | 20, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x3 | | | | | | 34, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | 
+----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x3 | | | | | | 54, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x3 | | | | | | 68, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x3 | | | | | | 90, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x2 | | | | | | 74, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\spool | | | | | | sv.exe, os_pid = 0x2 | | | | | | 30, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x4 | | | | | | 1c, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | 
+----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x5 | | | | | | 50, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\system32\sihos | | | | | | t.exe, os_pid = 0x70 | | | | | | 0, desired_access = | | | | | | PROCESS_QUERY_INFORM | | | | | | ATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\system32\taskh | | | | | | ostw.exe, os_pid = 0 | | | | | | x728, desired_access | | | | | | = PROCESS_QUERY_INF | | | | | | ORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\explorer.exe, | | | | | | os_pid = 0x7cc, desi | | | | | | red_access = PROCESS | | | | | | _QUERY_INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\system32\runti | | | | | | mebroker.exe, os_pid | | | | | | = 0x4b0, desired_ac | | | | | | cess = PROCESS_QUERY | | | | | | _INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\systemapps\she | | | | | | llexperiencehost_cw5 | | | | | | n1h2txyewy\shellexpe | | | | | | riencehost.exe, os_p | | | | | | id = 0x910, desired_ | | | | | | access = PROCESS_QUE | | | | | | RY_INFORMATION | | | 
+----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\systemapps\mic | | | | | | rosoft.windows.corta | | | | | | na_cw5n1h2txyewy\sea | | | | | | rchui.exe, os_pid = | | | | | | 0xa10, desired_acces | | | | | | s = PROCESS_QUERY_IN | | | | | | FORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x5 | | | | | | 90, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\wbem\ | | | | | | wmiadap.exe, os_pid | | | | | | = 0xb34, desired_acc | | | | | | ess = PROCESS_QUERY_ | | | | | | INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\sppsv | | | | | | c.exe, os_pid = 0x6a | | | | | | c, desired_access = | | | | | | PROCESS_QUERY_INFORM | | | | | | ATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\system32\backg | | | | | | roundtaskhost.exe, o | | | | | | s_pid = 0xba8, desir | | | | | | ed_access = PROCESS_ | | | | | | QUERY_INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\wbem\ | | | | | | wmiprvse.exe, os_pid | | | | | | = 0xfc, desired_acc | | | | | | ess = PROCESS_QUERY_ | | | | | | INFORMATION | | | 
+----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\audio | | | | | | dg.exe, os_pid = 0x3 | | | | | | f8, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 2 | | | | ndows\syswow64\svcho | | | | | | st.exe, os_pid = 0xc | | | | | | 54, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN_TOKEN | process_name = c:\wi | True | 1 | | | | ndows\syswow64\svcho | | | | | | st.exe, os_pid = 0xc | | | | | | 54, desired_access = | | | | | | PROCESS_VM_OPERATIO | | | | | | N, desired_access = | | | | | | PROCESS_VM_OPERATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\system32\backg | | | | | | roundtaskhost.exe, o | | | | | | s_pid = 0xdc0, desir | | | | | | ed_access = PROCESS_ | | | | | | QUERY_INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | SYS | GET_INFO | type = SYSTEM_PROCES | False | 1 | | | | S_INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | SYS | GET_INFO | type = SYSTEM_PROCES | True | 1 | | | | S_INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = Syste | False | 1 | | | | m Idle Process, os_p | | | | | | id = 0x0, desired_ac | | | | | | cess = PROCESS_QUERY | | | | | | 
_INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = Syste | False | 1 | | | | m, os_pid = 0x4, des | | | | | | ired_access = PROCES | | | | | | S_QUERY_INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\smss. | | | | | | exe, os_pid = 0x108, | | | | | | desired_access = PR | | | | | | OCESS_QUERY_INFORMAT | | | | | | ION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\csrss | | | | | | .exe, os_pid = 0x150 | | | | | | , desired_access = P | | | | | | ROCESS_QUERY_INFORMA | | | | | | TION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\winin | | | | | | it.exe, os_pid = 0x1 | | | | | | 8c, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\csrss | | | | | | .exe, os_pid = 0x194 | | | | | | , desired_access = P | | | | | | ROCESS_QUERY_INFORMA | | | | | | TION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\winlo | | | | | | gon.exe, os_pid = 0x | | | | | | 1c4, desired_access | | | | | | = PROCESS_QUERY_INFO | | | | | | RMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | 
OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\servi | | | | | | ces.exe, os_pid = 0x | | | | | | 1dc, desired_access | | | | | | = PROCESS_QUERY_INFO | | | | | | RMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\lsass | | | | | | .exe, os_pid = 0x1e4 | | | | | | , desired_access = P | | | | | | ROCESS_QUERY_INFORMA | | | | | | TION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x2 | | | | | | 3c, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x2 | | | | | | 5c, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\dwm.e | | | | | | xe, os_pid = 0x2e4, | | | | | | desired_access = PRO | | | | | | CESS_QUERY_INFORMATI | | | | | | ON | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x3 | | | | | | 20, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid 
= 0x3 | | | | | | 34, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x3 | | | | | | 54, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x3 | | | | | | 68, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x3 | | | | | | 90, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x2 | | | | | | 74, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\spool | | | | | | sv.exe, os_pid = 0x2 | | | | | | 30, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x4 | | | | | | 1c, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | 
| | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x5 | | | | | | 50, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\system32\sihos | | | | | | t.exe, os_pid = 0x70 | | | | | | 0, desired_access = | | | | | | PROCESS_QUERY_INFORM | | | | | | ATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\system32\taskh | | | | | | ostw.exe, os_pid = 0 | | | | | | x728, desired_access | | | | | | = PROCESS_QUERY_INF | | | | | | ORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\explorer.exe, | | | | | | os_pid = 0x7cc, desi | | | | | | red_access = PROCESS | | | | | | _QUERY_INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\system32\runti | | | | | | mebroker.exe, os_pid | | | | | | = 0x4b0, desired_ac | | | | | | cess = PROCESS_QUERY | | | | | | _INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\systemapps\she | | | | | | llexperiencehost_cw5 | | | | | | n1h2txyewy\shellexpe | | | | | | riencehost.exe, os_p | | | | | | id = 0x910, desired_ | | | | | | access = PROCESS_QUE | | | | | | RY_INFORMATION | | | 
+----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\systemapps\mic | | | | | | rosoft.windows.corta | | | | | | na_cw5n1h2txyewy\sea | | | | | | rchui.exe, os_pid = | | | | | | 0xa10, desired_acces | | | | | | s = PROCESS_QUERY_IN | | | | | | FORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x5 | | | | | | 90, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\wbem\ | | | | | | wmiadap.exe, os_pid | | | | | | = 0xb34, desired_acc | | | | | | ess = PROCESS_QUERY_ | | | | | | INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\sppsv | | | | | | c.exe, os_pid = 0x6a | | | | | | c, desired_access = | | | | | | PROCESS_QUERY_INFORM | | | | | | ATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\system32\backg | | | | | | roundtaskhost.exe, o | | | | | | s_pid = 0xba8, desir | | | | | | ed_access = PROCESS_ | | | | | | QUERY_INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\wbem\ | | | | | | wmiprvse.exe, os_pid | | | | | | = 0xfc, desired_acc | | | | | | ess = PROCESS_QUERY_ | | | | | | INFORMATION | | | 
+----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\audio | | | | | | dg.exe, os_pid = 0x3 | | | | | | f8, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 2 | | | | ndows\syswow64\svcho | | | | | | st.exe, os_pid = 0xc | | | | | | 54, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN_TOKEN | process_name = c:\wi | True | 1 | | | | ndows\syswow64\svcho | | | | | | st.exe, os_pid = 0xc | | | | | | 54, desired_access = | | | | | | PROCESS_VM_OPERATIO | | | | | | N, desired_access = | | | | | | PROCESS_VM_OPERATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\system32\backg | | | | | | roundtaskhost.exe, o | | | | | | s_pid = 0xdc0, desir | | | | | | ed_access = PROCESS_ | | | | | | QUERY_INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | SYS | GET_INFO | type = SYSTEM_PROCES | False | 1 | | | | S_INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | SYS | GET_INFO | type = SYSTEM_PROCES | True | 1 | | | | S_INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = Syste | False | 1 | | | | m Idle Process, os_p | | | | | | id = 0x0, desired_ac | | | | | | cess = PROCESS_QUERY | | | | | | 
_INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = Syste | False | 1 | | | | m, os_pid = 0x4, des | | | | | | ired_access = PROCES | | | | | | S_QUERY_INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\smss. | | | | | | exe, os_pid = 0x108, | | | | | | desired_access = PR | | | | | | OCESS_QUERY_INFORMAT | | | | | | ION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\csrss | | | | | | .exe, os_pid = 0x150 | | | | | | , desired_access = P | | | | | | ROCESS_QUERY_INFORMA | | | | | | TION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\winin | | | | | | it.exe, os_pid = 0x1 | | | | | | 8c, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\csrss | | | | | | .exe, os_pid = 0x194 | | | | | | , desired_access = P | | | | | | ROCESS_QUERY_INFORMA | | | | | | TION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\winlo | | | | | | gon.exe, os_pid = 0x | | | | | | 1c4, desired_access | | | | | | = PROCESS_QUERY_INFO | | | | | | RMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | 
OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\servi | | | | | | ces.exe, os_pid = 0x | | | | | | 1dc, desired_access | | | | | | = PROCESS_QUERY_INFO | | | | | | RMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\lsass | | | | | | .exe, os_pid = 0x1e4 | | | | | | , desired_access = P | | | | | | ROCESS_QUERY_INFORMA | | | | | | TION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x2 | | | | | | 3c, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x2 | | | | | | 5c, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\dwm.e | | | | | | xe, os_pid = 0x2e4, | | | | | | desired_access = PRO | | | | | | CESS_QUERY_INFORMATI | | | | | | ON | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x3 | | | | | | 20, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid 
= 0x3 | | | | | | 34, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x3 | | | | | | 54, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x3 | | | | | | 68, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x3 | | | | | | 90, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x2 | | | | | | 74, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\spool | | | | | | sv.exe, os_pid = 0x2 | | | | | | 30, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x4 | | | | | | 1c, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | 
| | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x5 | | | | | | 50, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\system32\sihos | | | | | | t.exe, os_pid = 0x70 | | | | | | 0, desired_access = | | | | | | PROCESS_QUERY_INFORM | | | | | | ATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\system32\taskh | | | | | | ostw.exe, os_pid = 0 | | | | | | x728, desired_access | | | | | | = PROCESS_QUERY_INF | | | | | | ORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\explorer.exe, | | | | | | os_pid = 0x7cc, desi | | | | | | red_access = PROCESS | | | | | | _QUERY_INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\system32\runti | | | | | | mebroker.exe, os_pid | | | | | | = 0x4b0, desired_ac | | | | | | cess = PROCESS_QUERY | | | | | | _INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\systemapps\she | | | | | | llexperiencehost_cw5 | | | | | | n1h2txyewy\shellexpe | | | | | | riencehost.exe, os_p | | | | | | id = 0x910, desired_ | | | | | | access = PROCESS_QUE | | | | | | RY_INFORMATION | | | 
+----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\systemapps\mic | | | | | | rosoft.windows.corta | | | | | | na_cw5n1h2txyewy\sea | | | | | | rchui.exe, os_pid = | | | | | | 0xa10, desired_acces | | | | | | s = PROCESS_QUERY_IN | | | | | | FORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x5 | | | | | | 90, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\wbem\ | | | | | | wmiadap.exe, os_pid | | | | | | = 0xb34, desired_acc | | | | | | ess = PROCESS_QUERY_ | | | | | | INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\sppsv | | | | | | c.exe, os_pid = 0x6a | | | | | | c, desired_access = | | | | | | PROCESS_QUERY_INFORM | | | | | | ATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\system32\backg | | | | | | roundtaskhost.exe, o | | | | | | s_pid = 0xba8, desir | | | | | | ed_access = PROCESS_ | | | | | | QUERY_INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\wbem\ | | | | | | wmiprvse.exe, os_pid | | | | | | = 0xfc, desired_acc | | | | | | ess = PROCESS_QUERY_ | | | | | | INFORMATION | | | 
+----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\audio | | | | | | dg.exe, os_pid = 0x3 | | | | | | f8, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 2 | | | | ndows\syswow64\svcho | | | | | | st.exe, os_pid = 0xc | | | | | | 54, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN_TOKEN | process_name = c:\wi | True | 1 | | | | ndows\syswow64\svcho | | | | | | st.exe, os_pid = 0xc | | | | | | 54, desired_access = | | | | | | PROCESS_VM_OPERATIO | | | | | | N, desired_access = | | | | | | PROCESS_VM_OPERATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\system32\backg | | | | | | roundtaskhost.exe, o | | | | | | s_pid = 0xdc0, desir | | | | | | ed_access = PROCESS_ | | | | | | QUERY_INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | SYS | GET_INFO | type = SYSTEM_PROCES | False | 1 | | | | S_INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | SYS | GET_INFO | type = SYSTEM_PROCES | True | 1 | | | | S_INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = Syste | False | 1 | | | | m Idle Process, os_p | | | | | | id = 0x0, desired_ac | | | | | | cess = PROCESS_QUERY | | | | | | 
_INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = Syste | False | 1 | | | | m, os_pid = 0x4, des | | | | | | ired_access = PROCES | | | | | | S_QUERY_INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\smss. | | | | | | exe, os_pid = 0x108, | | | | | | desired_access = PR | | | | | | OCESS_QUERY_INFORMAT | | | | | | ION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\csrss | | | | | | .exe, os_pid = 0x150 | | | | | | , desired_access = P | | | | | | ROCESS_QUERY_INFORMA | | | | | | TION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\winin | | | | | | it.exe, os_pid = 0x1 | | | | | | 8c, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\csrss | | | | | | .exe, os_pid = 0x194 | | | | | | , desired_access = P | | | | | | ROCESS_QUERY_INFORMA | | | | | | TION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\winlo | | | | | | gon.exe, os_pid = 0x | | | | | | 1c4, desired_access | | | | | | = PROCESS_QUERY_INFO | | | | | | RMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | 
OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\servi | | | | | | ces.exe, os_pid = 0x | | | | | | 1dc, desired_access | | | | | | = PROCESS_QUERY_INFO | | | | | | RMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\lsass | | | | | | .exe, os_pid = 0x1e4 | | | | | | , desired_access = P | | | | | | ROCESS_QUERY_INFORMA | | | | | | TION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x2 | | | | | | 3c, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x2 | | | | | | 5c, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\dwm.e | | | | | | xe, os_pid = 0x2e4, | | | | | | desired_access = PRO | | | | | | CESS_QUERY_INFORMATI | | | | | | ON | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x3 | | | | | | 20, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid 
= 0x3 | | | | | | 34, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x3 | | | | | | 54, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x3 | | | | | | 68, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x3 | | | | | | 90, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x2 | | | | | | 74, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\spool | | | | | | sv.exe, os_pid = 0x2 | | | | | | 30, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x4 | | | | | | 1c, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | 
| | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x5 | | | | | | 50, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\system32\sihos | | | | | | t.exe, os_pid = 0x70 | | | | | | 0, desired_access = | | | | | | PROCESS_QUERY_INFORM | | | | | | ATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\system32\taskh | | | | | | ostw.exe, os_pid = 0 | | | | | | x728, desired_access | | | | | | = PROCESS_QUERY_INF | | | | | | ORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\explorer.exe, | | | | | | os_pid = 0x7cc, desi | | | | | | red_access = PROCESS | | | | | | _QUERY_INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\system32\runti | | | | | | mebroker.exe, os_pid | | | | | | = 0x4b0, desired_ac | | | | | | cess = PROCESS_QUERY | | | | | | _INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\systemapps\she | | | | | | llexperiencehost_cw5 | | | | | | n1h2txyewy\shellexpe | | | | | | riencehost.exe, os_p | | | | | | id = 0x910, desired_ | | | | | | access = PROCESS_QUE | | | | | | RY_INFORMATION | | | 
+----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\systemapps\mic | | | | | | rosoft.windows.corta | | | | | | na_cw5n1h2txyewy\sea | | | | | | rchui.exe, os_pid = | | | | | | 0xa10, desired_acces | | | | | | s = PROCESS_QUERY_IN | | | | | | FORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x5 | | | | | | 90, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\wbem\ | | | | | | wmiadap.exe, os_pid | | | | | | = 0xb34, desired_acc | | | | | | ess = PROCESS_QUERY_ | | | | | | INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\sppsv | | | | | | c.exe, os_pid = 0x6a | | | | | | c, desired_access = | | | | | | PROCESS_QUERY_INFORM | | | | | | ATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\system32\backg | | | | | | roundtaskhost.exe, o | | | | | | s_pid = 0xba8, desir | | | | | | ed_access = PROCESS_ | | | | | | QUERY_INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\wbem\ | | | | | | wmiprvse.exe, os_pid | | | | | | = 0xfc, desired_acc | | | | | | ess = PROCESS_QUERY_ | | | | | | INFORMATION | | | 
+----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\audio | | | | | | dg.exe, os_pid = 0x3 | | | | | | f8, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 2 | | | | ndows\syswow64\svcho | | | | | | st.exe, os_pid = 0xc | | | | | | 54, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN_TOKEN | process_name = c:\wi | True | 1 | | | | ndows\syswow64\svcho | | | | | | st.exe, os_pid = 0xc | | | | | | 54, desired_access = | | | | | | PROCESS_VM_OPERATIO | | | | | | N, desired_access = | | | | | | PROCESS_VM_OPERATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\system32\backg | | | | | | roundtaskhost.exe, o | | | | | | s_pid = 0xdc0, desir | | | | | | ed_access = PROCESS_ | | | | | | QUERY_INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | SYS | GET_INFO | type = SYSTEM_PROCES | False | 1 | | | | S_INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | SYS | GET_INFO | type = SYSTEM_PROCES | True | 1 | | | | S_INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = Syste | False | 1 | | | | m Idle Process, os_p | | | | | | id = 0x0, desired_ac | | | | | | cess = PROCESS_QUERY | | | | | | 
_INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = Syste | False | 1 | | | | m, os_pid = 0x4, des | | | | | | ired_access = PROCES | | | | | | S_QUERY_INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\smss. | | | | | | exe, os_pid = 0x108, | | | | | | desired_access = PR | | | | | | OCESS_QUERY_INFORMAT | | | | | | ION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\csrss | | | | | | .exe, os_pid = 0x150 | | | | | | , desired_access = P | | | | | | ROCESS_QUERY_INFORMA | | | | | | TION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\winin | | | | | | it.exe, os_pid = 0x1 | | | | | | 8c, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\csrss | | | | | | .exe, os_pid = 0x194 | | | | | | , desired_access = P | | | | | | ROCESS_QUERY_INFORMA | | | | | | TION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\winlo | | | | | | gon.exe, os_pid = 0x | | | | | | 1c4, desired_access | | | | | | = PROCESS_QUERY_INFO | | | | | | RMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | 
OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\servi | | | | | | ces.exe, os_pid = 0x | | | | | | 1dc, desired_access | | | | | | = PROCESS_QUERY_INFO | | | | | | RMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\lsass | | | | | | .exe, os_pid = 0x1e4 | | | | | | , desired_access = P | | | | | | ROCESS_QUERY_INFORMA | | | | | | TION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x2 | | | | | | 3c, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x2 | | | | | | 5c, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\dwm.e | | | | | | xe, os_pid = 0x2e4, | | | | | | desired_access = PRO | | | | | | CESS_QUERY_INFORMATI | | | | | | ON | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x3 | | | | | | 20, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid 
= 0x3 | | | | | | 34, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x3 | | | | | | 54, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x3 | | | | | | 68, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x3 | | | | | | 90, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x2 | | | | | | 74, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\spool | | | | | | sv.exe, os_pid = 0x2 | | | | | | 30, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x4 | | | | | | 1c, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | 
| | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x5 | | | | | | 50, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\system32\sihos | | | | | | t.exe, os_pid = 0x70 | | | | | | 0, desired_access = | | | | | | PROCESS_QUERY_INFORM | | | | | | ATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\system32\taskh | | | | | | ostw.exe, os_pid = 0 | | | | | | x728, desired_access | | | | | | = PROCESS_QUERY_INF | | | | | | ORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\explorer.exe, | | | | | | os_pid = 0x7cc, desi | | | | | | red_access = PROCESS | | | | | | _QUERY_INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\system32\runti | | | | | | mebroker.exe, os_pid | | | | | | = 0x4b0, desired_ac | | | | | | cess = PROCESS_QUERY | | | | | | _INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\systemapps\she | | | | | | llexperiencehost_cw5 | | | | | | n1h2txyewy\shellexpe | | | | | | riencehost.exe, os_p | | | | | | id = 0x910, desired_ | | | | | | access = PROCESS_QUE | | | | | | RY_INFORMATION | | | 
+----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\systemapps\mic | | | | | | rosoft.windows.corta | | | | | | na_cw5n1h2txyewy\sea | | | | | | rchui.exe, os_pid = | | | | | | 0xa10, desired_acces | | | | | | s = PROCESS_QUERY_IN | | | | | | FORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x5 | | | | | | 90, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\wbem\ | | | | | | wmiadap.exe, os_pid | | | | | | = 0xb34, desired_acc | | | | | | ess = PROCESS_QUERY_ | | | | | | INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\sppsv | | | | | | c.exe, os_pid = 0x6a | | | | | | c, desired_access = | | | | | | PROCESS_QUERY_INFORM | | | | | | ATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\system32\backg | | | | | | roundtaskhost.exe, o | | | | | | s_pid = 0xba8, desir | | | | | | ed_access = PROCESS_ | | | | | | QUERY_INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\wbem\ | | | | | | wmiprvse.exe, os_pid | | | | | | = 0xfc, desired_acc | | | | | | ess = PROCESS_QUERY_ | | | | | | INFORMATION | | | 
+----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\audio | | | | | | dg.exe, os_pid = 0x3 | | | | | | f8, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 2 | | | | ndows\syswow64\svcho | | | | | | st.exe, os_pid = 0xc | | | | | | 54, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN_TOKEN | process_name = c:\wi | True | 1 | | | | ndows\syswow64\svcho | | | | | | st.exe, os_pid = 0xc | | | | | | 54, desired_access = | | | | | | PROCESS_VM_OPERATIO | | | | | | N, desired_access = | | | | | | PROCESS_VM_OPERATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\system32\backg | | | | | | roundtaskhost.exe, o | | | | | | s_pid = 0xdc0, desir | | | | | | ed_access = PROCESS_ | | | | | | QUERY_INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | SYS | GET_INFO | type = SYSTEM_PROCES | False | 1 | | | | S_INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | SYS | GET_INFO | type = SYSTEM_PROCES | True | 1 | | | | S_INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = Syste | False | 1 | | | | m Idle Process, os_p | | | | | | id = 0x0, desired_ac | | | | | | cess = PROCESS_QUERY | | | | | | 
_INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = Syste | False | 1 | | | | m, os_pid = 0x4, des | | | | | | ired_access = PROCES | | | | | | S_QUERY_INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\smss. | | | | | | exe, os_pid = 0x108, | | | | | | desired_access = PR | | | | | | OCESS_QUERY_INFORMAT | | | | | | ION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\csrss | | | | | | .exe, os_pid = 0x150 | | | | | | , desired_access = P | | | | | | ROCESS_QUERY_INFORMA | | | | | | TION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\winin | | | | | | it.exe, os_pid = 0x1 | | | | | | 8c, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\csrss | | | | | | .exe, os_pid = 0x194 | | | | | | , desired_access = P | | | | | | ROCESS_QUERY_INFORMA | | | | | | TION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\winlo | | | | | | gon.exe, os_pid = 0x | | | | | | 1c4, desired_access | | | | | | = PROCESS_QUERY_INFO | | | | | | RMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | 
OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\servi | | | | | | ces.exe, os_pid = 0x | | | | | | 1dc, desired_access | | | | | | = PROCESS_QUERY_INFO | | | | | | RMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\lsass | | | | | | .exe, os_pid = 0x1e4 | | | | | | , desired_access = P | | | | | | ROCESS_QUERY_INFORMA | | | | | | TION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x2 | | | | | | 3c, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x2 | | | | | | 5c, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\dwm.e | | | | | | xe, os_pid = 0x2e4, | | | | | | desired_access = PRO | | | | | | CESS_QUERY_INFORMATI | | | | | | ON | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x3 | | | | | | 20, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid 
= 0x3 | | | | | | 34, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x3 | | | | | | 54, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x3 | | | | | | 68, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x3 | | | | | | 90, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x2 | | | | | | 74, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\spool | | | | | | sv.exe, os_pid = 0x2 | | | | | | 30, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x4 | | | | | | 1c, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | 
| | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x5 | | | | | | 50, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\system32\sihos | | | | | | t.exe, os_pid = 0x70 | | | | | | 0, desired_access = | | | | | | PROCESS_QUERY_INFORM | | | | | | ATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\system32\taskh | | | | | | ostw.exe, os_pid = 0 | | | | | | x728, desired_access | | | | | | = PROCESS_QUERY_INF | | | | | | ORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\explorer.exe, | | | | | | os_pid = 0x7cc, desi | | | | | | red_access = PROCESS | | | | | | _QUERY_INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\system32\runti | | | | | | mebroker.exe, os_pid | | | | | | = 0x4b0, desired_ac | | | | | | cess = PROCESS_QUERY | | | | | | _INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\systemapps\she | | | | | | llexperiencehost_cw5 | | | | | | n1h2txyewy\shellexpe | | | | | | riencehost.exe, os_p | | | | | | id = 0x910, desired_ | | | | | | access = PROCESS_QUE | | | | | | RY_INFORMATION | | | 
+----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\systemapps\mic | | | | | | rosoft.windows.corta | | | | | | na_cw5n1h2txyewy\sea | | | | | | rchui.exe, os_pid = | | | | | | 0xa10, desired_acces | | | | | | s = PROCESS_QUERY_IN | | | | | | FORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x5 | | | | | | 90, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\wbem\ | | | | | | wmiadap.exe, os_pid | | | | | | = 0xb34, desired_acc | | | | | | ess = PROCESS_QUERY_ | | | | | | INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\sppsv | | | | | | c.exe, os_pid = 0x6a | | | | | | c, desired_access = | | | | | | PROCESS_QUERY_INFORM | | | | | | ATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\system32\backg | | | | | | roundtaskhost.exe, o | | | | | | s_pid = 0xba8, desir | | | | | | ed_access = PROCESS_ | | | | | | QUERY_INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\wbem\ | | | | | | wmiprvse.exe, os_pid | | | | | | = 0xfc, desired_acc | | | | | | ess = PROCESS_QUERY_ | | | | | | INFORMATION | | | 
+----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\audio | | | | | | dg.exe, os_pid = 0x3 | | | | | | f8, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 2 | | | | ndows\syswow64\svcho | | | | | | st.exe, os_pid = 0xc | | | | | | 54, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN_TOKEN | process_name = c:\wi | True | 1 | | | | ndows\syswow64\svcho | | | | | | st.exe, os_pid = 0xc | | | | | | 54, desired_access = | | | | | | PROCESS_VM_OPERATIO | | | | | | N, desired_access = | | | | | | PROCESS_VM_OPERATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\system32\backg | | | | | | roundtaskhost.exe, o | | | | | | s_pid = 0xdc0, desir | | | | | | ed_access = PROCESS_ | | | | | | QUERY_INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | SYS | GET_INFO | type = SYSTEM_PROCES | False | 1 | | | | S_INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | SYS | GET_INFO | type = SYSTEM_PROCES | True | 1 | | | | S_INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = Syste | False | 1 | | | | m Idle Process, os_p | | | | | | id = 0x0, desired_ac | | | | | | cess = PROCESS_QUERY | | | | | | 
_INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = Syste | False | 1 | | | | m, os_pid = 0x4, des | | | | | | ired_access = PROCES | | | | | | S_QUERY_INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\smss. | | | | | | exe, os_pid = 0x108, | | | | | | desired_access = PR | | | | | | OCESS_QUERY_INFORMAT | | | | | | ION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\csrss | | | | | | .exe, os_pid = 0x150 | | | | | | , desired_access = P | | | | | | ROCESS_QUERY_INFORMA | | | | | | TION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\winin | | | | | | it.exe, os_pid = 0x1 | | | | | | 8c, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\csrss | | | | | | .exe, os_pid = 0x194 | | | | | | , desired_access = P | | | | | | ROCESS_QUERY_INFORMA | | | | | | TION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\winlo | | | | | | gon.exe, os_pid = 0x | | | | | | 1c4, desired_access | | | | | | = PROCESS_QUERY_INFO | | | | | | RMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | 
OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\servi | | | | | | ces.exe, os_pid = 0x | | | | | | 1dc, desired_access | | | | | | = PROCESS_QUERY_INFO | | | | | | RMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\lsass | | | | | | .exe, os_pid = 0x1e4 | | | | | | , desired_access = P | | | | | | ROCESS_QUERY_INFORMA | | | | | | TION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x2 | | | | | | 3c, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x2 | | | | | | 5c, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\dwm.e | | | | | | xe, os_pid = 0x2e4, | | | | | | desired_access = PRO | | | | | | CESS_QUERY_INFORMATI | | | | | | ON | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x3 | | | | | | 20, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid 
= 0x3 | | | | | | 34, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x3 | | | | | | 54, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x3 | | | | | | 68, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x3 | | | | | | 90, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x2 | | | | | | 74, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\spool | | | | | | sv.exe, os_pid = 0x2 | | | | | | 30, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x4 | | | | | | 1c, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | 
| | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x5 | | | | | | 50, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\system32\sihos | | | | | | t.exe, os_pid = 0x70 | | | | | | 0, desired_access = | | | | | | PROCESS_QUERY_INFORM | | | | | | ATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\system32\taskh | | | | | | ostw.exe, os_pid = 0 | | | | | | x728, desired_access | | | | | | = PROCESS_QUERY_INF | | | | | | ORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\explorer.exe, | | | | | | os_pid = 0x7cc, desi | | | | | | red_access = PROCESS | | | | | | _QUERY_INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\system32\runti | | | | | | mebroker.exe, os_pid | | | | | | = 0x4b0, desired_ac | | | | | | cess = PROCESS_QUERY | | | | | | _INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\systemapps\she | | | | | | llexperiencehost_cw5 | | | | | | n1h2txyewy\shellexpe | | | | | | riencehost.exe, os_p | | | | | | id = 0x910, desired_ | | | | | | access = PROCESS_QUE | | | | | | RY_INFORMATION | | | 
+----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\systemapps\mic | | | | | | rosoft.windows.corta | | | | | | na_cw5n1h2txyewy\sea | | | | | | rchui.exe, os_pid = | | | | | | 0xa10, desired_acces | | | | | | s = PROCESS_QUERY_IN | | | | | | FORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x5 | | | | | | 90, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\wbem\ | | | | | | wmiadap.exe, os_pid | | | | | | = 0xb34, desired_acc | | | | | | ess = PROCESS_QUERY_ | | | | | | INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\sppsv | | | | | | c.exe, os_pid = 0x6a | | | | | | c, desired_access = | | | | | | PROCESS_QUERY_INFORM | | | | | | ATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\system32\backg | | | | | | roundtaskhost.exe, o | | | | | | s_pid = 0xba8, desir | | | | | | ed_access = PROCESS_ | | | | | | QUERY_INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\wbem\ | | | | | | wmiprvse.exe, os_pid | | | | | | = 0xfc, desired_acc | | | | | | ess = PROCESS_QUERY_ | | | | | | INFORMATION | | | 
+----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\audio | | | | | | dg.exe, os_pid = 0x3 | | | | | | f8, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 2 | | | | ndows\syswow64\svcho | | | | | | st.exe, os_pid = 0xc | | | | | | 54, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN_TOKEN | process_name = c:\wi | True | 1 | | | | ndows\syswow64\svcho | | | | | | st.exe, os_pid = 0xc | | | | | | 54, desired_access = | | | | | | PROCESS_VM_OPERATIO | | | | | | N, desired_access = | | | | | | PROCESS_VM_OPERATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\system32\backg | | | | | | roundtaskhost.exe, o | | | | | | s_pid = 0xdc0, desir | | | | | | ed_access = PROCESS_ | | | | | | QUERY_INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | SYS | GET_INFO | type = SYSTEM_PROCES | False | 1 | | | | S_INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | SYS | GET_INFO | type = SYSTEM_PROCES | True | 1 | | | | S_INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = Syste | False | 1 | | | | m Idle Process, os_p | | | | | | id = 0x0, desired_ac | | | | | | cess = PROCESS_QUERY | | | | | | 
_INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = Syste | False | 1 | | | | m, os_pid = 0x4, des | | | | | | ired_access = PROCES | | | | | | S_QUERY_INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\smss. | | | | | | exe, os_pid = 0x108, | | | | | | desired_access = PR | | | | | | OCESS_QUERY_INFORMAT | | | | | | ION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\csrss | | | | | | .exe, os_pid = 0x150 | | | | | | , desired_access = P | | | | | | ROCESS_QUERY_INFORMA | | | | | | TION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\winin | | | | | | it.exe, os_pid = 0x1 | | | | | | 8c, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\csrss | | | | | | .exe, os_pid = 0x194 | | | | | | , desired_access = P | | | | | | ROCESS_QUERY_INFORMA | | | | | | TION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\winlo | | | | | | gon.exe, os_pid = 0x | | | | | | 1c4, desired_access | | | | | | = PROCESS_QUERY_INFO | | | | | | RMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | 
OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\servi | | | | | | ces.exe, os_pid = 0x | | | | | | 1dc, desired_access | | | | | | = PROCESS_QUERY_INFO | | | | | | RMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\lsass | | | | | | .exe, os_pid = 0x1e4 | | | | | | , desired_access = P | | | | | | ROCESS_QUERY_INFORMA | | | | | | TION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x2 | | | | | | 3c, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x2 | | | | | | 5c, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\dwm.e | | | | | | xe, os_pid = 0x2e4, | | | | | | desired_access = PRO | | | | | | CESS_QUERY_INFORMATI | | | | | | ON | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x3 | | | | | | 20, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid 
= 0x3 | | | | | | 34, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x3 | | | | | | 54, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x3 | | | | | | 68, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x3 | | | | | | 90, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x2 | | | | | | 74, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\spool | | | | | | sv.exe, os_pid = 0x2 | | | | | | 30, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x4 | | | | | | 1c, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | 
| | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x5 | | | | | | 50, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\system32\sihos | | | | | | t.exe, os_pid = 0x70 | | | | | | 0, desired_access = | | | | | | PROCESS_QUERY_INFORM | | | | | | ATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\system32\taskh | | | | | | ostw.exe, os_pid = 0 | | | | | | x728, desired_access | | | | | | = PROCESS_QUERY_INF | | | | | | ORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\explorer.exe, | | | | | | os_pid = 0x7cc, desi | | | | | | red_access = PROCESS | | | | | | _QUERY_INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\system32\runti | | | | | | mebroker.exe, os_pid | | | | | | = 0x4b0, desired_ac | | | | | | cess = PROCESS_QUERY | | | | | | _INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\systemapps\she | | | | | | llexperiencehost_cw5 | | | | | | n1h2txyewy\shellexpe | | | | | | riencehost.exe, os_p | | | | | | id = 0x910, desired_ | | | | | | access = PROCESS_QUE | | | | | | RY_INFORMATION | | | 
+----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\systemapps\mic | | | | | | rosoft.windows.corta | | | | | | na_cw5n1h2txyewy\sea | | | | | | rchui.exe, os_pid = | | | | | | 0xa10, desired_acces | | | | | | s = PROCESS_QUERY_IN | | | | | | FORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x5 | | | | | | 90, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\wbem\ | | | | | | wmiadap.exe, os_pid | | | | | | = 0xb34, desired_acc | | | | | | ess = PROCESS_QUERY_ | | | | | | INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\sppsv | | | | | | c.exe, os_pid = 0x6a | | | | | | c, desired_access = | | | | | | PROCESS_QUERY_INFORM | | | | | | ATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\system32\backg | | | | | | roundtaskhost.exe, o | | | | | | s_pid = 0xba8, desir | | | | | | ed_access = PROCESS_ | | | | | | QUERY_INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\wbem\ | | | | | | wmiprvse.exe, os_pid | | | | | | = 0xfc, desired_acc | | | | | | ess = PROCESS_QUERY_ | | | | | | INFORMATION | | | 
+----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\audio | | | | | | dg.exe, os_pid = 0x3 | | | | | | f8, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 2 | | | | ndows\syswow64\svcho | | | | | | st.exe, os_pid = 0xc | | | | | | 54, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN_TOKEN | process_name = c:\wi | True | 1 | | | | ndows\syswow64\svcho | | | | | | st.exe, os_pid = 0xc | | | | | | 54, desired_access = | | | | | | PROCESS_VM_OPERATIO | | | | | | N, desired_access = | | | | | | PROCESS_VM_OPERATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\system32\backg | | | | | | roundtaskhost.exe, o | | | | | | s_pid = 0xdc0, desir | | | | | | ed_access = PROCESS_ | | | | | | QUERY_INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | SYS | GET_INFO | type = SYSTEM_PROCES | False | 1 | | | | S_INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | SYS | GET_INFO | type = SYSTEM_PROCES | True | 1 | | | | S_INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = Syste | False | 1 | | | | m Idle Process, os_p | | | | | | id = 0x0, desired_ac | | | | | | cess = PROCESS_QUERY | | | | | | 
_INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = Syste | False | 1 | | | | m, os_pid = 0x4, des | | | | | | ired_access = PROCES | | | | | | S_QUERY_INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\smss. | | | | | | exe, os_pid = 0x108, | | | | | | desired_access = PR | | | | | | OCESS_QUERY_INFORMAT | | | | | | ION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\csrss | | | | | | .exe, os_pid = 0x150 | | | | | | , desired_access = P | | | | | | ROCESS_QUERY_INFORMA | | | | | | TION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\winin | | | | | | it.exe, os_pid = 0x1 | | | | | | 8c, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\csrss | | | | | | .exe, os_pid = 0x194 | | | | | | , desired_access = P | | | | | | ROCESS_QUERY_INFORMA | | | | | | TION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\winlo | | | | | | gon.exe, os_pid = 0x | | | | | | 1c4, desired_access | | | | | | = PROCESS_QUERY_INFO | | | | | | RMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | 
OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\servi | | | | | | ces.exe, os_pid = 0x | | | | | | 1dc, desired_access | | | | | | = PROCESS_QUERY_INFO | | | | | | RMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\lsass | | | | | | .exe, os_pid = 0x1e4 | | | | | | , desired_access = P | | | | | | ROCESS_QUERY_INFORMA | | | | | | TION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x2 | | | | | | 3c, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x2 | | | | | | 5c, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\dwm.e | | | | | | xe, os_pid = 0x2e4, | | | | | | desired_access = PRO | | | | | | CESS_QUERY_INFORMATI | | | | | | ON | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x3 | | | | | | 20, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid 
= 0x3 | | | | | | 34, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x3 | | | | | | 54, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x3 | | | | | | 68, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x3 | | | | | | 90, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x2 | | | | | | 74, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\spool | | | | | | sv.exe, os_pid = 0x2 | | | | | | 30, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x4 | | | | | | 1c, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | 
| | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x5 | | | | | | 50, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\system32\sihos | | | | | | t.exe, os_pid = 0x70 | | | | | | 0, desired_access = | | | | | | PROCESS_QUERY_INFORM | | | | | | ATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\system32\taskh | | | | | | ostw.exe, os_pid = 0 | | | | | | x728, desired_access | | | | | | = PROCESS_QUERY_INF | | | | | | ORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\explorer.exe, | | | | | | os_pid = 0x7cc, desi | | | | | | red_access = PROCESS | | | | | | _QUERY_INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\system32\runti | | | | | | mebroker.exe, os_pid | | | | | | = 0x4b0, desired_ac | | | | | | cess = PROCESS_QUERY | | | | | | _INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\systemapps\she | | | | | | llexperiencehost_cw5 | | | | | | n1h2txyewy\shellexpe | | | | | | riencehost.exe, os_p | | | | | | id = 0x910, desired_ | | | | | | access = PROCESS_QUE | | | | | | RY_INFORMATION | | | 
+----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\systemapps\mic | | | | | | rosoft.windows.corta | | | | | | na_cw5n1h2txyewy\sea | | | | | | rchui.exe, os_pid = | | | | | | 0xa10, desired_acces | | | | | | s = PROCESS_QUERY_IN | | | | | | FORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x5 | | | | | | 90, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\wbem\ | | | | | | wmiadap.exe, os_pid | | | | | | = 0xb34, desired_acc | | | | | | ess = PROCESS_QUERY_ | | | | | | INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\sppsv | | | | | | c.exe, os_pid = 0x6a | | | | | | c, desired_access = | | | | | | PROCESS_QUERY_INFORM | | | | | | ATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\system32\backg | | | | | | roundtaskhost.exe, o | | | | | | s_pid = 0xba8, desir | | | | | | ed_access = PROCESS_ | | | | | | QUERY_INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\wbem\ | | | | | | wmiprvse.exe, os_pid | | | | | | = 0xfc, desired_acc | | | | | | ess = PROCESS_QUERY_ | | | | | | INFORMATION | | | 
+----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\audio | | | | | | dg.exe, os_pid = 0x3 | | | | | | f8, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 2 | | | | ndows\syswow64\svcho | | | | | | st.exe, os_pid = 0xc | | | | | | 54, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN_TOKEN | process_name = c:\wi | True | 1 | | | | ndows\syswow64\svcho | | | | | | st.exe, os_pid = 0xc | | | | | | 54, desired_access = | | | | | | PROCESS_VM_OPERATIO | | | | | | N, desired_access = | | | | | | PROCESS_VM_OPERATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\system32\backg | | | | | | roundtaskhost.exe, o | | | | | | s_pid = 0xdc0, desir | | | | | | ed_access = PROCESS_ | | | | | | QUERY_INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | SYS | GET_INFO | type = SYSTEM_PROCES | False | 1 | | | | S_INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | SYS | GET_INFO | type = SYSTEM_PROCES | True | 1 | | | | S_INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = Syste | False | 1 | | | | m Idle Process, os_p | | | | | | id = 0x0, desired_ac | | | | | | cess = PROCESS_QUERY | | | | | | 
_INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = Syste | False | 1 | | | | m, os_pid = 0x4, des | | | | | | ired_access = PROCES | | | | | | S_QUERY_INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\smss. | | | | | | exe, os_pid = 0x108, | | | | | | desired_access = PR | | | | | | OCESS_QUERY_INFORMAT | | | | | | ION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\csrss | | | | | | .exe, os_pid = 0x150 | | | | | | , desired_access = P | | | | | | ROCESS_QUERY_INFORMA | | | | | | TION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\winin | | | | | | it.exe, os_pid = 0x1 | | | | | | 8c, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\csrss | | | | | | .exe, os_pid = 0x194 | | | | | | , desired_access = P | | | | | | ROCESS_QUERY_INFORMA | | | | | | TION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\winlo | | | | | | gon.exe, os_pid = 0x | | | | | | 1c4, desired_access | | | | | | = PROCESS_QUERY_INFO | | | | | | RMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | 
OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\servi | | | | | | ces.exe, os_pid = 0x | | | | | | 1dc, desired_access | | | | | | = PROCESS_QUERY_INFO | | | | | | RMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\lsass | | | | | | .exe, os_pid = 0x1e4 | | | | | | , desired_access = P | | | | | | ROCESS_QUERY_INFORMA | | | | | | TION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x2 | | | | | | 3c, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x2 | | | | | | 5c, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\dwm.e | | | | | | xe, os_pid = 0x2e4, | | | | | | desired_access = PRO | | | | | | CESS_QUERY_INFORMATI | | | | | | ON | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x3 | | | | | | 20, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid 
= 0x3 | | | | | | 34, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x3 | | | | | | 54, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x3 | | | | | | 68, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x3 | | | | | | 90, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x2 | | | | | | 74, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\spool | | | | | | sv.exe, os_pid = 0x2 | | | | | | 30, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x4 | | | | | | 1c, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | 
| | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x5 | | | | | | 50, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\system32\sihos | | | | | | t.exe, os_pid = 0x70 | | | | | | 0, desired_access = | | | | | | PROCESS_QUERY_INFORM | | | | | | ATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\system32\taskh | | | | | | ostw.exe, os_pid = 0 | | | | | | x728, desired_access | | | | | | = PROCESS_QUERY_INF | | | | | | ORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\explorer.exe, | | | | | | os_pid = 0x7cc, desi | | | | | | red_access = PROCESS | | | | | | _QUERY_INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\system32\runti | | | | | | mebroker.exe, os_pid | | | | | | = 0x4b0, desired_ac | | | | | | cess = PROCESS_QUERY | | | | | | _INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\systemapps\she | | | | | | llexperiencehost_cw5 | | | | | | n1h2txyewy\shellexpe | | | | | | riencehost.exe, os_p | | | | | | id = 0x910, desired_ | | | | | | access = PROCESS_QUE | | | | | | RY_INFORMATION | | | 
+----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\systemapps\mic | | | | | | rosoft.windows.corta | | | | | | na_cw5n1h2txyewy\sea | | | | | | rchui.exe, os_pid = | | | | | | 0xa10, desired_acces | | | | | | s = PROCESS_QUERY_IN | | | | | | FORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x5 | | | | | | 90, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\wbem\ | | | | | | wmiadap.exe, os_pid | | | | | | = 0xb34, desired_acc | | | | | | ess = PROCESS_QUERY_ | | | | | | INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\sppsv | | | | | | c.exe, os_pid = 0x6a | | | | | | c, desired_access = | | | | | | PROCESS_QUERY_INFORM | | | | | | ATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\system32\backg | | | | | | roundtaskhost.exe, o | | | | | | s_pid = 0xba8, desir | | | | | | ed_access = PROCESS_ | | | | | | QUERY_INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\wbem\ | | | | | | wmiprvse.exe, os_pid | | | | | | = 0xfc, desired_acc | | | | | | ess = PROCESS_QUERY_ | | | | | | INFORMATION | | | 
+----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\audio | | | | | | dg.exe, os_pid = 0x3 | | | | | | f8, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 2 | | | | ndows\syswow64\svcho | | | | | | st.exe, os_pid = 0xc | | | | | | 54, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN_TOKEN | process_name = c:\wi | True | 1 | | | | ndows\syswow64\svcho | | | | | | st.exe, os_pid = 0xc | | | | | | 54, desired_access = | | | | | | PROCESS_VM_OPERATIO | | | | | | N, desired_access = | | | | | | PROCESS_VM_OPERATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\system32\backg | | | | | | roundtaskhost.exe, o | | | | | | s_pid = 0xdc0, desir | | | | | | ed_access = PROCESS_ | | | | | | QUERY_INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | SYS | GET_INFO | type = SYSTEM_PROCES | False | 1 | | | | S_INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | SYS | GET_INFO | type = SYSTEM_PROCES | True | 1 | | | | S_INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = Syste | False | 1 | | | | m Idle Process, os_p | | | | | | id = 0x0, desired_ac | | | | | | cess = PROCESS_QUERY | | | | | | 
_INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = Syste | False | 1 | | | | m, os_pid = 0x4, des | | | | | | ired_access = PROCES | | | | | | S_QUERY_INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\smss. | | | | | | exe, os_pid = 0x108, | | | | | | desired_access = PR | | | | | | OCESS_QUERY_INFORMAT | | | | | | ION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\csrss | | | | | | .exe, os_pid = 0x150 | | | | | | , desired_access = P | | | | | | ROCESS_QUERY_INFORMA | | | | | | TION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\winin | | | | | | it.exe, os_pid = 0x1 | | | | | | 8c, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\csrss | | | | | | .exe, os_pid = 0x194 | | | | | | , desired_access = P | | | | | | ROCESS_QUERY_INFORMA | | | | | | TION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\winlo | | | | | | gon.exe, os_pid = 0x | | | | | | 1c4, desired_access | | | | | | = PROCESS_QUERY_INFO | | | | | | RMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | 
OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\servi | | | | | | ces.exe, os_pid = 0x | | | | | | 1dc, desired_access | | | | | | = PROCESS_QUERY_INFO | | | | | | RMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\lsass | | | | | | .exe, os_pid = 0x1e4 | | | | | | , desired_access = P | | | | | | ROCESS_QUERY_INFORMA | | | | | | TION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x2 | | | | | | 3c, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x2 | | | | | | 5c, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\dwm.e | | | | | | xe, os_pid = 0x2e4, | | | | | | desired_access = PRO | | | | | | CESS_QUERY_INFORMATI | | | | | | ON | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x3 | | | | | | 20, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid 
= 0x3 | | | | | | 34, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x3 | | | | | | 54, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x3 | | | | | | 68, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x3 | | | | | | 90, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x2 | | | | | | 74, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\spool | | | | | | sv.exe, os_pid = 0x2 | | | | | | 30, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x4 | | | | | | 1c, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | 
| | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x5 | | | | | | 50, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\system32\sihos | | | | | | t.exe, os_pid = 0x70 | | | | | | 0, desired_access = | | | | | | PROCESS_QUERY_INFORM | | | | | | ATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\system32\taskh | | | | | | ostw.exe, os_pid = 0 | | | | | | x728, desired_access | | | | | | = PROCESS_QUERY_INF | | | | | | ORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\explorer.exe, | | | | | | os_pid = 0x7cc, desi | | | | | | red_access = PROCESS | | | | | | _QUERY_INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\system32\runti | | | | | | mebroker.exe, os_pid | | | | | | = 0x4b0, desired_ac | | | | | | cess = PROCESS_QUERY | | | | | | _INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\systemapps\she | | | | | | llexperiencehost_cw5 | | | | | | n1h2txyewy\shellexpe | | | | | | riencehost.exe, os_p | | | | | | id = 0x910, desired_ | | | | | | access = PROCESS_QUE | | | | | | RY_INFORMATION | | | 
+----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\systemapps\mic | | | | | | rosoft.windows.corta | | | | | | na_cw5n1h2txyewy\sea | | | | | | rchui.exe, os_pid = | | | | | | 0xa10, desired_acces | | | | | | s = PROCESS_QUERY_IN | | | | | | FORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x5 | | | | | | 90, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\wbem\ | | | | | | wmiadap.exe, os_pid | | | | | | = 0xb34, desired_acc | | | | | | ess = PROCESS_QUERY_ | | | | | | INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\sppsv | | | | | | c.exe, os_pid = 0x6a | | | | | | c, desired_access = | | | | | | PROCESS_QUERY_INFORM | | | | | | ATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\system32\backg | | | | | | roundtaskhost.exe, o | | | | | | s_pid = 0xba8, desir | | | | | | ed_access = PROCESS_ | | | | | | QUERY_INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\wbem\ | | | | | | wmiprvse.exe, os_pid | | | | | | = 0xfc, desired_acc | | | | | | ess = PROCESS_QUERY_ | | | | | | INFORMATION | | | 
+----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\audio | | | | | | dg.exe, os_pid = 0x3 | | | | | | f8, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 2 | | | | ndows\syswow64\svcho | | | | | | st.exe, os_pid = 0xc | | | | | | 54, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN_TOKEN | process_name = c:\wi | True | 1 | | | | ndows\syswow64\svcho | | | | | | st.exe, os_pid = 0xc | | | | | | 54, desired_access = | | | | | | PROCESS_VM_OPERATIO | | | | | | N, desired_access = | | | | | | PROCESS_VM_OPERATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\system32\backg | | | | | | roundtaskhost.exe, o | | | | | | s_pid = 0xdc0, desir | | | | | | ed_access = PROCESS_ | | | | | | QUERY_INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | SYS | GET_INFO | type = SYSTEM_PROCES | False | 1 | | | | S_INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | SYS | GET_INFO | type = SYSTEM_PROCES | True | 1 | | | | S_INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = Syste | False | 1 | | | | m Idle Process, os_p | | | | | | id = 0x0, desired_ac | | | | | | cess = PROCESS_QUERY | | | | | | 
_INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = Syste | False | 1 | | | | m, os_pid = 0x4, des | | | | | | ired_access = PROCES | | | | | | S_QUERY_INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\smss. | | | | | | exe, os_pid = 0x108, | | | | | | desired_access = PR | | | | | | OCESS_QUERY_INFORMAT | | | | | | ION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\csrss | | | | | | .exe, os_pid = 0x150 | | | | | | , desired_access = P | | | | | | ROCESS_QUERY_INFORMA | | | | | | TION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\winin | | | | | | it.exe, os_pid = 0x1 | | | | | | 8c, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\csrss | | | | | | .exe, os_pid = 0x194 | | | | | | , desired_access = P | | | | | | ROCESS_QUERY_INFORMA | | | | | | TION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\winlo | | | | | | gon.exe, os_pid = 0x | | | | | | 1c4, desired_access | | | | | | = PROCESS_QUERY_INFO | | | | | | RMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | 
OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\servi | | | | | | ces.exe, os_pid = 0x | | | | | | 1dc, desired_access | | | | | | = PROCESS_QUERY_INFO | | | | | | RMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\lsass | | | | | | .exe, os_pid = 0x1e4 | | | | | | , desired_access = P | | | | | | ROCESS_QUERY_INFORMA | | | | | | TION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x2 | | | | | | 3c, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x2 | | | | | | 5c, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\dwm.e | | | | | | xe, os_pid = 0x2e4, | | | | | | desired_access = PRO | | | | | | CESS_QUERY_INFORMATI | | | | | | ON | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x3 | | | | | | 20, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid 
= 0x3 | | | | | | 34, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x3 | | | | | | 54, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x3 | | | | | | 68, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x3 | | | | | | 90, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x2 | | | | | | 74, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\spool | | | | | | sv.exe, os_pid = 0x2 | | | | | | 30, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x4 | | | | | | 1c, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | 
| | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x5 | | | | | | 50, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\system32\sihos | | | | | | t.exe, os_pid = 0x70 | | | | | | 0, desired_access = | | | | | | PROCESS_QUERY_INFORM | | | | | | ATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\system32\taskh | | | | | | ostw.exe, os_pid = 0 | | | | | | x728, desired_access | | | | | | = PROCESS_QUERY_INF | | | | | | ORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\explorer.exe, | | | | | | os_pid = 0x7cc, desi | | | | | | red_access = PROCESS | | | | | | _QUERY_INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\system32\runti | | | | | | mebroker.exe, os_pid | | | | | | = 0x4b0, desired_ac | | | | | | cess = PROCESS_QUERY | | | | | | _INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\systemapps\she | | | | | | llexperiencehost_cw5 | | | | | | n1h2txyewy\shellexpe | | | | | | riencehost.exe, os_p | | | | | | id = 0x910, desired_ | | | | | | access = PROCESS_QUE | | | | | | RY_INFORMATION | | | 
+----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\systemapps\mic | | | | | | rosoft.windows.corta | | | | | | na_cw5n1h2txyewy\sea | | | | | | rchui.exe, os_pid = | | | | | | 0xa10, desired_acces | | | | | | s = PROCESS_QUERY_IN | | | | | | FORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x5 | | | | | | 90, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\wbem\ | | | | | | wmiadap.exe, os_pid | | | | | | = 0xb34, desired_acc | | | | | | ess = PROCESS_QUERY_ | | | | | | INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\sppsv | | | | | | c.exe, os_pid = 0x6a | | | | | | c, desired_access = | | | | | | PROCESS_QUERY_INFORM | | | | | | ATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\system32\backg | | | | | | roundtaskhost.exe, o | | | | | | s_pid = 0xba8, desir | | | | | | ed_access = PROCESS_ | | | | | | QUERY_INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\wbem\ | | | | | | wmiprvse.exe, os_pid | | | | | | = 0xfc, desired_acc | | | | | | ess = PROCESS_QUERY_ | | | | | | INFORMATION | | | 
+----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\audio | | | | | | dg.exe, os_pid = 0x3 | | | | | | f8, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 2 | | | | ndows\syswow64\svcho | | | | | | st.exe, os_pid = 0xc | | | | | | 54, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN_TOKEN | process_name = c:\wi | True | 1 | | | | ndows\syswow64\svcho | | | | | | st.exe, os_pid = 0xc | | | | | | 54, desired_access = | | | | | | PROCESS_VM_OPERATIO | | | | | | N, desired_access = | | | | | | PROCESS_VM_OPERATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\system32\backg | | | | | | roundtaskhost.exe, o | | | | | | s_pid = 0xdc0, desir | | | | | | ed_access = PROCESS_ | | | | | | QUERY_INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | SYS | GET_INFO | type = SYSTEM_PROCES | False | 1 | | | | S_INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | SYS | GET_INFO | type = SYSTEM_PROCES | True | 1 | | | | S_INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = Syste | False | 1 | | | | m Idle Process, os_p | | | | | | id = 0x0, desired_ac | | | | | | cess = PROCESS_QUERY | | | | | | 
_INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = Syste | False | 1 | | | | m, os_pid = 0x4, des | | | | | | ired_access = PROCES | | | | | | S_QUERY_INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\smss. | | | | | | exe, os_pid = 0x108, | | | | | | desired_access = PR | | | | | | OCESS_QUERY_INFORMAT | | | | | | ION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\csrss | | | | | | .exe, os_pid = 0x150 | | | | | | , desired_access = P | | | | | | ROCESS_QUERY_INFORMA | | | | | | TION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\winin | | | | | | it.exe, os_pid = 0x1 | | | | | | 8c, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\csrss | | | | | | .exe, os_pid = 0x194 | | | | | | , desired_access = P | | | | | | ROCESS_QUERY_INFORMA | | | | | | TION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\winlo | | | | | | gon.exe, os_pid = 0x | | | | | | 1c4, desired_access | | | | | | = PROCESS_QUERY_INFO | | | | | | RMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | 
OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\servi | | | | | | ces.exe, os_pid = 0x | | | | | | 1dc, desired_access | | | | | | = PROCESS_QUERY_INFO | | | | | | RMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\lsass | | | | | | .exe, os_pid = 0x1e4 | | | | | | , desired_access = P | | | | | | ROCESS_QUERY_INFORMA | | | | | | TION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x2 | | | | | | 3c, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x2 | | | | | | 5c, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\dwm.e | | | | | | xe, os_pid = 0x2e4, | | | | | | desired_access = PRO | | | | | | CESS_QUERY_INFORMATI | | | | | | ON | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x3 | | | | | | 20, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid 
= 0x3 | | | | | | 34, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x3 | | | | | | 54, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x3 | | | | | | 68, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x3 | | | | | | 90, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x2 | | | | | | 74, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\spool | | | | | | sv.exe, os_pid = 0x2 | | | | | | 30, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x4 | | | | | | 1c, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | 
| | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x5 | | | | | | 50, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\system32\sihos | | | | | | t.exe, os_pid = 0x70 | | | | | | 0, desired_access = | | | | | | PROCESS_QUERY_INFORM | | | | | | ATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\system32\taskh | | | | | | ostw.exe, os_pid = 0 | | | | | | x728, desired_access | | | | | | = PROCESS_QUERY_INF | | | | | | ORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\explorer.exe, | | | | | | os_pid = 0x7cc, desi | | | | | | red_access = PROCESS | | | | | | _QUERY_INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\system32\runti | | | | | | mebroker.exe, os_pid | | | | | | = 0x4b0, desired_ac | | | | | | cess = PROCESS_QUERY | | | | | | _INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\systemapps\she | | | | | | llexperiencehost_cw5 | | | | | | n1h2txyewy\shellexpe | | | | | | riencehost.exe, os_p | | | | | | id = 0x910, desired_ | | | | | | access = PROCESS_QUE | | | | | | RY_INFORMATION | | | 
+----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\systemapps\mic | | | | | | rosoft.windows.corta | | | | | | na_cw5n1h2txyewy\sea | | | | | | rchui.exe, os_pid = | | | | | | 0xa10, desired_acces | | | | | | s = PROCESS_QUERY_IN | | | | | | FORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x5 | | | | | | 90, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\wbem\ | | | | | | wmiadap.exe, os_pid | | | | | | = 0xb34, desired_acc | | | | | | ess = PROCESS_QUERY_ | | | | | | INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\sppsv | | | | | | c.exe, os_pid = 0x6a | | | | | | c, desired_access = | | | | | | PROCESS_QUERY_INFORM | | | | | | ATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\system32\backg | | | | | | roundtaskhost.exe, o | | | | | | s_pid = 0xba8, desir | | | | | | ed_access = PROCESS_ | | | | | | QUERY_INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\wbem\ | | | | | | wmiprvse.exe, os_pid | | | | | | = 0xfc, desired_acc | | | | | | ess = PROCESS_QUERY_ | | | | | | INFORMATION | | | 
+----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\audio | | | | | | dg.exe, os_pid = 0x3 | | | | | | f8, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 2 | | | | ndows\syswow64\svcho | | | | | | st.exe, os_pid = 0xc | | | | | | 54, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN_TOKEN | process_name = c:\wi | True | 1 | | | | ndows\syswow64\svcho | | | | | | st.exe, os_pid = 0xc | | | | | | 54, desired_access = | | | | | | PROCESS_VM_OPERATIO | | | | | | N, desired_access = | | | | | | PROCESS_VM_OPERATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | True | 1 | | | | ndows\system32\backg | | | | | | roundtaskhost.exe, o | | | | | | s_pid = 0xdc0, desir | | | | | | ed_access = PROCESS_ | | | | | | QUERY_INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | SYS | GET_INFO | type = SYSTEM_PROCES | False | 1 | | | | S_INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | SYS | GET_INFO | type = SYSTEM_PROCES | True | 1 | | | | S_INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = Syste | False | 1 | | | | m Idle Process, os_p | | | | | | id = 0x0, desired_ac | | | | | | cess = PROCESS_QUERY | | | | | | 
_INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = Syste | False | 1 | | | | m, os_pid = 0x4, des | | | | | | ired_access = PROCES | | | | | | S_QUERY_INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\smss. | | | | | | exe, os_pid = 0x108, | | | | | | desired_access = PR | | | | | | OCESS_QUERY_INFORMAT | | | | | | ION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\csrss | | | | | | .exe, os_pid = 0x150 | | | | | | , desired_access = P | | | | | | ROCESS_QUERY_INFORMA | | | | | | TION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\winin | | | | | | it.exe, os_pid = 0x1 | | | | | | 8c, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\csrss | | | | | | .exe, os_pid = 0x194 | | | | | | , desired_access = P | | | | | | ROCESS_QUERY_INFORMA | | | | | | TION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\winlo | | | | | | gon.exe, os_pid = 0x | | | | | | 1c4, desired_access | | | | | | = PROCESS_QUERY_INFO | | | | | | RMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | 
OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\servi | | | | | | ces.exe, os_pid = 0x | | | | | | 1dc, desired_access | | | | | | = PROCESS_QUERY_INFO | | | | | | RMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\lsass | | | | | | .exe, os_pid = 0x1e4 | | | | | | , desired_access = P | | | | | | ROCESS_QUERY_INFORMA | | | | | | TION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x2 | | | | | | 3c, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x2 | | | | | | 5c, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\dwm.e | | | | | | xe, os_pid = 0x2e4, | | | | | | desired_access = PRO | | | | | | CESS_QUERY_INFORMATI | | | | | | ON | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid = 0x3 | | | | | | 20, desired_access = | | | | | | PROCESS_QUERY_INFOR | | | | | | MATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | PROC | OPEN | process_name = c:\wi | False | 1 | | | | ndows\system32\svcho | | | | | | st.exe, os_pid 
= 0x3 | | |
| | | 34, desired_access = | | |
| | | PROCESS_QUERY_INFOR | | |
| | | MATION | | |
+----------------------+----------------------+----------------------+----------------------+----------------------+
| PROC | OPEN | process_name = c:\wi | False | 1 |
| | | ndows\system32\svcho | | |
| | | st.exe, os_pid = 0x3 | | |
| | | 54, desired_access = | | |
| | | PROCESS_QUERY_INFOR | | |
| | | MATION | | |
+----------------------+----------------------+----------------------+----------------------+----------------------+
| PROC | OPEN | process_name = c:\wi | False | 1 |
| | | ndows\system32\svcho | | |
| | | st.exe, os_pid = 0x3 | | |
| | | 68, desired_access = | | |
| | | PROCESS_QUERY_INFOR | | |
| | | MATION | | |
+----------------------+----------------------+----------------------+----------------------+----------------------+
| PROC | OPEN | process_name = c:\wi | False | 1 |
| | | ndows\system32\svcho | | |
| | | st.exe, os_pid = 0x3 | | |
| | | 90, desired_access = | | |
| | | PROCESS_QUERY_INFOR | | |
| | | MATION | | |
+----------------------+----------------------+----------------------+----------------------+----------------------+
| PROC | OPEN | process_name = c:\wi | False | 1 |
| | | ndows\system32\svcho | | |
| | | st.exe, os_pid = 0x2 | | |
| | | 74, desired_access = | | |
| | | PROCESS_QUERY_INFOR | | |
| | | MATION | | |
+----------------------+----------------------+----------------------+----------------------+----------------------+
| PROC | OPEN | process_name = c:\wi | False | 1 |
| | | ndows\system32\spool | | |
| | | sv.exe, os_pid = 0x2 | | |
| | | 30, desired_access = | | |
| | | PROCESS_QUERY_INFOR | | |
| | | MATION | | |
+----------------------+----------------------+----------------------+----------------------+----------------------+
| PROC | OPEN | process_name = c:\wi | False | 1 |
| | | ndows\system32\svcho | | |
| | | st.exe, os_pid = 0x4 | | |
| | | 1c, desired_access = | | |
| | | PROCESS_QUERY_INFOR | | |
| | | MATION | | |
+----------------------+----------------------+----------------------+----------------------+----------------------+
| PROC | OPEN | process_name = c:\wi | False | 1 |
| | | ndows\system32\svcho | | |
| | | st.exe, os_pid = 0x5 | | |
| | | 50, desired_access = | | |
| | | PROCESS_QUERY_INFOR | | |
| | | MATION | | |
+----------------------+----------------------+----------------------+----------------------+----------------------+
| PROC | OPEN | process_name = c:\wi | True | 1 |
| | | ndows\system32\sihos | | |
| | | t.exe, os_pid = 0x70 | | |
| | | 0, desired_access = | | |
| | | PROCESS_QUERY_INFORM | | |
| | | ATION | | |
+----------------------+----------------------+----------------------+----------------------+----------------------+
| PROC | OPEN | process_name = c:\wi | True | 1 |
| | | ndows\system32\taskh | | |
| | | ostw.exe, os_pid = 0 | | |
| | | x728, desired_access | | |
| | | = PROCESS_QUERY_INF | | |
| | | ORMATION | | |
+----------------------+----------------------+----------------------+----------------------+----------------------+
| PROC | OPEN | process_name = c:\wi | True | 1 |
| | | ndows\explorer.exe, | | |
| | | os_pid = 0x7cc, desi | | |
| | | red_access = PROCESS | | |
| | | _QUERY_INFORMATION | | |
+----------------------+----------------------+----------------------+----------------------+----------------------+
| PROC | OPEN | process_name = c:\wi | True | 1 |
| | | ndows\system32\runti | | |
| | | mebroker.exe, os_pid | | |
| | | = 0x4b0, desired_ac | | |
| | | cess = PROCESS_QUERY | | |
| | | _INFORMATION | | |
+----------------------+----------------------+----------------------+----------------------+----------------------+
| PROC | OPEN | process_name = c:\wi | True | 1 |
| | | ndows\systemapps\she | | |
| | | llexperiencehost_cw5 | | |
| | | n1h2txyewy\shellexpe | | |
| | | riencehost.exe, os_p | | |
| | | id = 0x910, desired_ | | |
| | | access = PROCESS_QUE | | |
| | | RY_INFORMATION | | |
+----------------------+----------------------+----------------------+----------------------+----------------------+
| PROC | OPEN | process_name = c:\wi | True | 1 |
| | | ndows\systemapps\mic | | |
| | | rosoft.windows.corta | | |
| | | na_cw5n1h2txyewy\sea | | |
| | | rchui.exe, os_pid = | | |
| | | 0xa10, desired_acces | | |
| | | s = PROCESS_QUERY_IN | | |
| | | FORMATION | | |
+----------------------+----------------------+----------------------+----------------------+----------------------+
| PROC | OPEN | process_name = c:\wi | True | 1 |
| | | ndows\system32\svcho | | |
| | | st.exe, os_pid = 0x5 | | |
| | | 90, desired_access = | | |
| | | PROCESS_QUERY_INFOR | | |
| | | MATION | | |
+----------------------+----------------------+----------------------+----------------------+----------------------+
| PROC | OPEN | process_name = c:\wi | False | 1 |
| | | ndows\system32\wbem\ | | |
| | | wmiadap.exe, os_pid | | |
| | | = 0xb34, desired_acc | | |
| | | ess = PROCESS_QUERY_ | | |
| | | INFORMATION | | |
+----------------------+----------------------+----------------------+----------------------+----------------------+
| PROC | OPEN | process_name = c:\wi | False | 1 |
| | | ndows\system32\sppsv | | |
| | | c.exe, os_pid = 0x6a | | |
| | | c, desired_access = | | |
| | | PROCESS_QUERY_INFORM | | |
| | | ATION | | |
+----------------------+----------------------+----------------------+----------------------+----------------------+
| PROC | OPEN | process_name = c:\wi | True | 1 |
| | | ndows\system32\backg | | |
| | | roundtaskhost.exe, o | | |
| | | s_pid = 0xba8, desir | | |
| | | ed_access = PROCESS_ | | |
| | | QUERY_INFORMATION | | |
+----------------------+----------------------+----------------------+----------------------+----------------------+
| PROC | OPEN | process_name = c:\wi | False | 1 |
| | | ndows\system32\wbem\ | | |
| | | wmiprvse.exe, os_pid | | |
| | | = 0xfc, desired_acc | | |
| | | ess = PROCESS_QUERY_ | | |
| | | INFORMATION | | |
+----------------------+----------------------+----------------------+----------------------+----------------------+
| PROC | OPEN | process_name = c:\wi | False | 1 |
| | | ndows\system32\audio | | |
| | | dg.exe, os_pid = 0x3 | | |
| | | f8, desired_access = | | |
| | | PROCESS_QUERY_INFOR | | |
| | | MATION | | |
+----------------------+----------------------+----------------------+----------------------+----------------------+
| PROC | OPEN | process_name = c:\wi | True | 2 |
| | | ndows\syswow64\svcho | | |
| | | st.exe, os_pid = 0xc | | |
| | | 54, desired_access = | | |
| | | PROCESS_QUERY_INFOR | | |
| | | MATION | | |
+----------------------+----------------------+----------------------+----------------------+----------------------+
| PROC | OPEN_TOKEN | process_name = c:\wi | True | 1 |
| | | ndows\syswow64\svcho | | |
| | | st.exe, os_pid = 0xc | | |
| | | 54, desired_access = | | |
| | | PROCESS_VM_OPERATIO | | |
| | | N, desired_access = | | |
| | | PROCESS_VM_OPERATION | | |
+----------------------+----------------------+----------------------+----------------------+----------------------+
| PROC | OPEN | process_name = c:\wi | True | 1 |
| | | ndows\system32\backg | | |
| | | roundtaskhost.exe, o | | |
| | | s_pid = 0xdc0, desir | | |
| | | ed_access = PROCESS_ | | |
| | | QUERY_INFORMATION | | |
+----------------------+----------------------+----------------------+----------------------+----------------------+