3012f472...58b4

Monitored Processes

Process Overview

ID	PID	Monitor Reason	Integrity Level	Image Name	Command Line	Origin ID
#1	0x300	Analysis Target	High (Elevated)	eqbnr.exe	"C:\Users\CIiHmnxMn6Ps\Desktop\eqBNr.exe"	-
#2	0xc80	Child Process	High (Elevated)	cmd.exe	"C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\CIiHmnxMn6Ps\Desktop\eqBNr.exe" /f	#1
#4	0x778	Injection	Medium	sihost.exe	sihost.exe	#1
#5	0x7ac	Injection	Medium	taskhostw.exe	taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}	#1
#6	0x814	Injection	Medium	runtimebroker.exe	C:\Windows\System32\RuntimeBroker.exe -Embedding	#1
#7	0x9a0	Injection	Low	shellexperiencehost.exe	"C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca	#1
#8	0xd08	Child Process	High (Elevated)	reg.exe	REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\CIiHmnxMn6Ps\Desktop\eqBNr.exe" /f	#2
#9	0xb7c	Injection	Low	searchui.exe	"C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca	#1
#10	0xa1c	Injection	Low	backgroundtaskhost.exe	"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppXy7vb4pc2dr3kc93kfc509b1d0arkfb2x.mca	#1
#11	0xc4c	Injection	Medium	svchost.exe	C:\Windows\system32\svchost.exe -k UnistackSvcGroup	#1
#12	0x5dc	Autostart	Medium	eqbnr.exe	"C:\Users\CIiHmnxMn6Ps\Desktop\eqBNr.exe"	-
#13	0x478	Child Process	Medium	cmd.exe	"C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\CIiHmnxMn6Ps\Desktop\eqBNr.exe" /f	#12
#15	0x7cc	Injection	Medium	sihost.exe	sihost.exe	#12
#16	0x7ec	Injection	Medium	taskhostw.exe	taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}	#12
#17	0x560	Child Process	Medium	reg.exe	REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\CIiHmnxMn6Ps\Desktop\eqBNr.exe" /f	#13
#18	0x818	Injection	Medium	runtimebroker.exe	C:\Windows\System32\RuntimeBroker.exe -Embedding	#12
#19	0x97c	Injection	Low	shellexperiencehost.exe	"C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca	#12
#20	0xb0c	Injection	Low	searchui.exe	"C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca	#12

Behavior Information - Grouped by Category

Process #1: eqbnr.exe

270

Information	Value
ID	#1
File Name	c:\users\ciihmnxmn6ps\desktop\eqbnr.exe
Command Line	"C:\Users\CIiHmnxMn6Ps\Desktop\eqBNr.exe"
Initial Working Directory	C:\Users\CIiHmnxMn6Ps\Desktop\
Monitor	Start Time: 00:00:53, Reason: Analysis Target
Unmonitor	End Time: 00:01:28, Reason: Self Terminated
Monitor Duration	00:00:35

OS Process Information

Information	Value
PID	0x300
Parent PID	0x508 (c:\windows\explorer.exe)
Is Created or Modified Executable
Integrity Level	High (Elevated)
Username	LHNIWSJ\CIiHmnxMn6Ps
Enabled Privileges	SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs	0x 630 0x 5C0 0x C3C 0x C44 0x C5C 0x C60 0x C64

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	r	-
private_0x0000006640540000	0x6640540000	0x664055ffff	Private Memory	rw	-
pagefile_0x0000006640540000	0x6640540000	0x664054ffff	Pagefile Backed Memory	rw	-
private_0x0000006640550000	0x6640550000	0x6640556fff	Private Memory	rw	-
pagefile_0x0000006640560000	0x6640560000	0x6640573fff	Pagefile Backed Memory	r	-
private_0x0000006640580000	0x6640580000	0x664067ffff	Private Memory	rw	-
pagefile_0x0000006640680000	0x6640680000	0x6640683fff	Pagefile Backed Memory	r	-
pagefile_0x0000006640690000	0x6640690000	0x6640690fff	Pagefile Backed Memory	r	-
private_0x00000066406a0000	0x66406a0000	0x66406a1fff	Private Memory	rw	-
locale.nls	0x66406b0000	0x664076dfff	Memory Mapped File	r	-
private_0x0000006640770000	0x6640770000	0x6640776fff	Private Memory	rw	-
private_0x0000006640780000	0x6640780000	0x6640780fff	Private Memory	rw	-
private_0x0000006640790000	0x6640790000	0x6640790fff	Private Memory	rw	-
pagefile_0x00000066407a0000	0x66407a0000	0x66407a0fff	Pagefile Backed Memory	rw	-
private_0x00000066407b0000	0x66407b0000	0x66407bffff	Private Memory	rw	-
pagefile_0x00000066407c0000	0x66407c0000	0x66407c0fff	Pagefile Backed Memory	r	-
private_0x00000066407c0000	0x66407c0000	0x66407cffff	Private Memory	rw	-
pagefile_0x00000066407c0000	0x66407c0000	0x66407c7fff	Pagefile Backed Memory	rw	-
pagefile_0x00000066407d0000	0x66407d0000	0x66407d0fff	Pagefile Backed Memory	r	-
private_0x00000066407e0000	0x66407e0000	0x66407effff	Private Memory	rw	-
private_0x00000066407f0000	0x66407f0000	0x66408effff	Private Memory	rw	-
private_0x00000066408f0000	0x66408f0000	0x66409effff	Private Memory	rw	-
pagefile_0x00000066409f0000	0x66409f0000	0x6640b77fff	Pagefile Backed Memory	r	-
pagefile_0x0000006640b80000	0x6640b80000	0x6640d00fff	Pagefile Backed Memory	r	-
pagefile_0x0000006640d10000	0x6640d10000	0x664210ffff	Pagefile Backed Memory	r	-
sortdefault.nls	0x6642110000	0x6642446fff	Memory Mapped File	r	-
rpcss.dll	0x6642450000	0x6642525fff	Memory Mapped File	r	-
oleaut32.dll	0x6642450000	0x664250cfff	Memory Mapped File	r	-
cversions.2.db	0x6642450000	0x6642453fff	Memory Mapped File	r	-
{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x000000000000000f.db	0x6642460000	0x66424a2fff	Memory Mapped File	r	-
cversions.2.db	0x66424b0000	0x66424b3fff	Memory Mapped File	r	-
{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000001.db	0x66424c0000	0x664254afff	Memory Mapped File	r	-
propsys.dll.mui	0x6642550000	0x6642560fff	Memory Mapped File	r	-
cversions.1.db	0x6642570000	0x6642573fff	Memory Mapped File	r	-
pagefile_0x0000006642570000	0x6642570000	0x6642570fff	Pagefile Backed Memory	rw	-
{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x000000000000001c.db	0x6642580000	0x6642592fff	Memory Mapped File	r	-
pagefile_0x00000066425a0000	0x66425a0000	0x66425a0fff	Pagefile Backed Memory	rw	-
private_0x00000066425b0000	0x66425b0000	0x66426affff	Private Memory	rw	-
private_0x00000066426b0000	0x66426b0000	0x66427affff	Private Memory	rw	-
private_0x00000066427b0000	0x66427b0000	0x66428affff	Private Memory	rw	-
private_0x00000066428b0000	0x66428b0000	0x66429affff	Private Memory	rw	-
private_0x00000066429b0000	0x66429b0000	0x6642aaffff	Private Memory	rw	-
private_0x0000006642ab0000	0x6642ab0000	0x6642ac5fff	Private Memory	rw	-
private_0x00007ff7af1ec000	0x7ff7af1ec000	0x7ff7af1edfff	Private Memory	rw	-
private_0x00007ff7af1ee000	0x7ff7af1ee000	0x7ff7af1effff	Private Memory	rw	-
pagefile_0x00007ff7af1f0000	0x7ff7af1f0000	0x7ff7af2effff	Pagefile Backed Memory	r	-
pagefile_0x00007ff7af2f0000	0x7ff7af2f0000	0x7ff7af312fff	Pagefile Backed Memory	r	-
private_0x00007ff7af314000	0x7ff7af314000	0x7ff7af315fff	Private Memory	rw	-
private_0x00007ff7af316000	0x7ff7af316000	0x7ff7af317fff	Private Memory	rw	-
private_0x00007ff7af318000	0x7ff7af318000	0x7ff7af319fff	Private Memory	rw	-
private_0x00007ff7af31a000	0x7ff7af31a000	0x7ff7af31bfff	Private Memory	rw	-
private_0x00007ff7af31c000	0x7ff7af31c000	0x7ff7af31cfff	Private Memory	rw	-
private_0x00007ff7af31e000	0x7ff7af31e000	0x7ff7af31ffff	Private Memory	rw	-
eqbnr.exe	0x7ff7afc80000	0x7ff7afcb4fff	Memory Mapped File	rwx	... Region Actions Download Dump
urlmon.dll	0x7ff8e0a60000	0x7ff8e0bf6fff	Memory Mapped File	rwx	-
iertutil.dll	0x7ff8e3c30000	0x7ff8e3fa5fff	Memory Mapped File	rwx	-
propsys.dll	0x7ff8e79b0000	0x7ff8e7b32fff	Memory Mapped File	rwx	-
apphelp.dll	0x7ff8e9500000	0x7ff8e9577fff	Memory Mapped File	rwx	-
uxtheme.dll	0x7ff8e9680000	0x7ff8e9715fff	Memory Mapped File	rwx	-
rsaenh.dll	0x7ff8ea270000	0x7ff8ea2a2fff	Memory Mapped File	rwx	-
cryptsp.dll	0x7ff8ea620000	0x7ff8ea636fff	Memory Mapped File	rwx	-
cryptbase.dll	0x7ff8ea790000	0x7ff8ea79afff	Memory Mapped File	rwx	-
sspicli.dll	0x7ff8ea9d0000	0x7ff8ea9fbfff	Memory Mapped File	rwx	-
bcrypt.dll	0x7ff8eabd0000	0x7ff8eabf7fff	Memory Mapped File	rwx	-
bcryptprimitives.dll	0x7ff8eac00000	0x7ff8eac6afff	Memory Mapped File	rwx	-
powrprof.dll	0x7ff8eadd0000	0x7ff8eae19fff	Memory Mapped File	rwx	-
kernel.appcore.dll	0x7ff8eae20000	0x7ff8eae2efff	Memory Mapped File	rwx	-
profapi.dll	0x7ff8eae30000	0x7ff8eae42fff	Memory Mapped File	rwx	-
cfgmgr32.dll	0x7ff8eaf60000	0x7ff8eafa3fff	Memory Mapped File	rwx	-
windows.storage.dll	0x7ff8eb180000	0x7ff8eb7a7fff	Memory Mapped File	rwx	-
shcore.dll	0x7ff8eb7b0000	0x7ff8eb862fff	Memory Mapped File	rwx	-
kernelbase.dll	0x7ff8eb870000	0x7ff8eba4cfff	Memory Mapped File	rwx	-
oleaut32.dll	0x7ff8ebb30000	0x7ff8ebbedfff	Memory Mapped File	rwx	-
user32.dll	0x7ff8ebdc0000	0x7ff8ebf0dfff	Memory Mapped File	rwx	-
msctf.dll	0x7ff8ec0c0000	0x7ff8ec21bfff	Memory Mapped File	rwx	-
sechost.dll	0x7ff8ec240000	0x7ff8ec29afff	Memory Mapped File	rwx	-
ole32.dll	0x7ff8ec300000	0x7ff8ec440fff	Memory Mapped File	rwx	-
rpcrt4.dll	0x7ff8ec450000	0x7ff8ec575fff	Memory Mapped File	rwx	-
shell32.dll	0x7ff8ec580000	0x7ff8edaa4fff	Memory Mapped File	rwx	-
clbcatq.dll	0x7ff8edb10000	0x7ff8edbb4fff	Memory Mapped File	rwx	-
gdi32.dll	0x7ff8edbc0000	0x7ff8edd44fff	Memory Mapped File	rwx	-
combase.dll	0x7ff8edd60000	0x7ff8edfdbfff	Memory Mapped File	rwx	-
shlwapi.dll	0x7ff8edfe0000	0x7ff8ee030fff	Memory Mapped File	rwx	-
msvcrt.dll	0x7ff8ee0b0000	0x7ff8ee14cfff	Memory Mapped File	rwx	-
imm32.dll	0x7ff8ee150000	0x7ff8ee185fff	Memory Mapped File	rwx	-
advapi32.dll	0x7ff8ee190000	0x7ff8ee235fff	Memory Mapped File	rwx	-
kernel32.dll	0x7ff8ee2d0000	0x7ff8ee37cfff	Memory Mapped File	rwx	-
ntdll.dll	0x7ff8ee380000	0x7ff8ee541fff	Memory Mapped File	rwx	-

Host Behavior

File (5)

Operation	Filename	Additional Information	Count	Logfile
Create	C:\users\Public\sys	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_HIDDEN	1	Fn
Open	STD_INPUT_HANDLE	-	1	Fn
Open	STD_OUTPUT_HANDLE	-	1	Fn
Open	STD_ERROR_HANDLE	-	1	Fn
Delete	-	-	1	Fn

Process (84)

Operation	Process	Additional Information	Count	Logfile
Create	C:\Windows\System32\cmd.exe	show_window = SW_HIDE	1	Fn
Open	System	desired_access = PROCESS_ALL_ACCESS	1	Fn
Open	c:\windows\system32\smss.exe	desired_access = PROCESS_ALL_ACCESS	1	Fn
Open	c:\windows\system32\csrss.exe	desired_access = PROCESS_ALL_ACCESS	1	Fn
Open	c:\windows\system32\wininit.exe	desired_access = PROCESS_ALL_ACCESS	1	Fn
Open	c:\windows\system32\csrss.exe	desired_access = PROCESS_ALL_ACCESS	1	Fn
Open	c:\windows\system32\winlogon.exe	desired_access = PROCESS_ALL_ACCESS	1	Fn
Open	c:\windows\system32\services.exe	desired_access = PROCESS_ALL_ACCESS	1	Fn
Open	c:\windows\system32\lsass.exe	desired_access = PROCESS_ALL_ACCESS	1	Fn
Open	c:\windows\system32\svchost.exe	desired_access = PROCESS_ALL_ACCESS	1	Fn
Open	c:\windows\system32\svchost.exe	desired_access = PROCESS_ALL_ACCESS	1	Fn
Open	c:\windows\system32\dwm.exe	desired_access = PROCESS_ALL_ACCESS	1	Fn
Open	c:\windows\system32\svchost.exe	desired_access = PROCESS_ALL_ACCESS	1	Fn
Open	c:\windows\system32\svchost.exe	desired_access = PROCESS_ALL_ACCESS	1	Fn
Open	c:\windows\system32\svchost.exe	desired_access = PROCESS_ALL_ACCESS	1	Fn
Open	c:\windows\system32\svchost.exe	desired_access = PROCESS_ALL_ACCESS	1	Fn
Open	c:\windows\system32\svchost.exe	desired_access = PROCESS_ALL_ACCESS	1	Fn
Open	c:\windows\system32\svchost.exe	desired_access = PROCESS_ALL_ACCESS	1	Fn
Open	c:\windows\system32\spoolsv.exe	desired_access = PROCESS_ALL_ACCESS	1	Fn
Open	c:\windows\system32\svchost.exe	desired_access = PROCESS_ALL_ACCESS	1	Fn
Open	c:\windows\system32\svchost.exe	desired_access = PROCESS_ALL_ACCESS	1	Fn
Open	c:\program files\common files\microsoft shared\clicktorun\officeclicktorun.exe	desired_access = PROCESS_ALL_ACCESS	1	Fn
Open	c:\windows\system32\svchost.exe	desired_access = PROCESS_ALL_ACCESS	1	Fn
Open	c:\windows\system32\sihost.exe	desired_access = PROCESS_ALL_ACCESS	1	Fn
Open	c:\windows\system32\taskhostw.exe	desired_access = PROCESS_ALL_ACCESS	1	Fn
Open	c:\windows\explorer.exe	desired_access = PROCESS_ALL_ACCESS	1	Fn
Open	c:\windows\system32\runtimebroker.exe	desired_access = PROCESS_ALL_ACCESS	1	Fn
Open	c:\windows\systemapps\shellexperiencehost_cw5n1h2txyewy\shellexperiencehost.exe	desired_access = PROCESS_ALL_ACCESS	1	Fn
Open	c:\windows\systemapps\microsoft.windows.cortana_cw5n1h2txyewy\searchui.exe	desired_access = PROCESS_ALL_ACCESS	1	Fn
Open	c:\program files\msbuild\uni likely.exe	desired_access = PROCESS_ALL_ACCESS	1	Fn
Open	c:\program files (x86)\internet explorer\turkey occasional lessons.exe	desired_access = PROCESS_ALL_ACCESS	1	Fn
Open	c:\program files\windows mail\drainage.exe	desired_access = PROCESS_ALL_ACCESS	1	Fn
Open	c:\program files\microsoft office\recommendation_shade_reply.exe	desired_access = PROCESS_ALL_ACCESS	1	Fn
Open	c:\program files (x86)\internet explorer\victims-language-conversations.exe	desired_access = PROCESS_ALL_ACCESS	1	Fn
Open	c:\program files\windows portable devices\maui_observation.exe	desired_access = PROCESS_ALL_ACCESS	1	Fn
Open	c:\program files (x86)\windows nt\keyboardsrecallsp.exe	desired_access = PROCESS_ALL_ACCESS	1	Fn
Open	c:\program files\common files\interactions_miles_validity.exe	desired_access = PROCESS_ALL_ACCESS	1	Fn
Open	c:\program files (x86)\google\incoming tracked holds.exe	desired_access = PROCESS_ALL_ACCESS	1	Fn
Open	c:\program files\windows journal\tremendouskurtcreek.exe	desired_access = PROCESS_ALL_ACCESS	1	Fn
Open	c:\program files (x86)\google\output sufficient.exe	desired_access = PROCESS_ALL_ACCESS	1	Fn
Open	c:\program files\windows photo viewer\solomon.exe	desired_access = PROCESS_ALL_ACCESS	1	Fn
Open	c:\program files\windows portable devices\comparing mad.exe	desired_access = PROCESS_ALL_ACCESS	1	Fn
Open	c:\program files (x86)\windows multimedia platform\solo.exe	desired_access = PROCESS_ALL_ACCESS	1	Fn
Open	c:\program files (x86)\internet explorer\layer-resolutions-situations.exe	desired_access = PROCESS_ALL_ACCESS	1	Fn
Open	c:\program files (x86)\msbuild\ultram_counters.exe	desired_access = PROCESS_ALL_ACCESS	1	Fn
Open	c:\program files\internet explorer\water readings.exe	desired_access = PROCESS_ALL_ACCESS	1	Fn
Open	c:\program files\microsoft office 15\colin.exe	desired_access = PROCESS_ALL_ACCESS	1	Fn
Open	c:\windows\system32\backgroundtaskhost.exe	desired_access = PROCESS_ALL_ACCESS	1	Fn
Open	c:\program files (x86)\msbuild\father euro.exe	desired_access = PROCESS_ALL_ACCESS	1	Fn
Open	c:\program files (x86)\microsoft.net\cohen.exe	desired_access = PROCESS_ALL_ACCESS	1	Fn
Open	c:\windows\system32\audiodg.exe	desired_access = PROCESS_ALL_ACCESS	1	Fn
Open	c:\windows\system32\dllhost.exe	desired_access = PROCESS_ALL_ACCESS	1	Fn
Open	c:\windows\system32\svchost.exe	desired_access = PROCESS_ALL_ACCESS	1	Fn
Open	c:\windows\system32\rundll32.exe	desired_access = PROCESS_ALL_ACCESS	1	Fn
Open	c:\windows\system32\cmd.exe	desired_access = PROCESS_ALL_ACCESS	1	Fn
Open	c:\windows\system32\sihost.exe	desired_access = PROCESS_ALL_ACCESS	1	Fn
Open	c:\windows\system32\taskhostw.exe	desired_access = PROCESS_ALL_ACCESS	1	Fn
Open	c:\windows\system32\runtimebroker.exe	desired_access = PROCESS_ALL_ACCESS	1	Fn
Open	c:\windows\systemapps\shellexperiencehost_cw5n1h2txyewy\shellexperiencehost.exe	desired_access = PROCESS_ALL_ACCESS	1	Fn
Open	c:\windows\systemapps\microsoft.windows.cortana_cw5n1h2txyewy\searchui.exe	desired_access = PROCESS_ALL_ACCESS	1	Fn
Open	c:\program files\msbuild\uni likely.exe	desired_access = PROCESS_ALL_ACCESS	1	Fn
Open	c:\program files (x86)\internet explorer\turkey occasional lessons.exe	desired_access = PROCESS_ALL_ACCESS	1	Fn
Open	c:\program files\windows mail\drainage.exe	desired_access = PROCESS_ALL_ACCESS	1	Fn
Open	c:\program files\microsoft office\recommendation_shade_reply.exe	desired_access = PROCESS_ALL_ACCESS	1	Fn
Open	c:\program files (x86)\internet explorer\victims-language-conversations.exe	desired_access = PROCESS_ALL_ACCESS	1	Fn
Open	c:\program files\windows portable devices\maui_observation.exe	desired_access = PROCESS_ALL_ACCESS	1	Fn
Open	c:\program files (x86)\windows nt\keyboardsrecallsp.exe	desired_access = PROCESS_ALL_ACCESS	1	Fn
Open	c:\program files\common files\interactions_miles_validity.exe	desired_access = PROCESS_ALL_ACCESS	1	Fn
Open	c:\program files (x86)\google\incoming tracked holds.exe	desired_access = PROCESS_ALL_ACCESS	1	Fn
Open	c:\program files\windows journal\tremendouskurtcreek.exe	desired_access = PROCESS_ALL_ACCESS	1	Fn
Open	c:\program files (x86)\google\output sufficient.exe	desired_access = PROCESS_ALL_ACCESS	1	Fn
Open	c:\program files\windows photo viewer\solomon.exe	desired_access = PROCESS_ALL_ACCESS	1	Fn
Open	c:\program files\windows portable devices\comparing mad.exe	desired_access = PROCESS_ALL_ACCESS	1	Fn
Open	c:\program files (x86)\windows multimedia platform\solo.exe	desired_access = PROCESS_ALL_ACCESS	1	Fn
Open	c:\program files (x86)\internet explorer\layer-resolutions-situations.exe	desired_access = PROCESS_ALL_ACCESS	1	Fn
Open	c:\program files (x86)\msbuild\ultram_counters.exe	desired_access = PROCESS_ALL_ACCESS	1	Fn
Open	c:\program files\internet explorer\water readings.exe	desired_access = PROCESS_ALL_ACCESS	1	Fn
Open	c:\program files\microsoft office 15\colin.exe	desired_access = PROCESS_ALL_ACCESS	1	Fn
Open	c:\windows\system32\backgroundtaskhost.exe	desired_access = PROCESS_ALL_ACCESS	1	Fn
Open	c:\program files (x86)\msbuild\father euro.exe	desired_access = PROCESS_ALL_ACCESS	1	Fn
Open	c:\program files (x86)\microsoft.net\cohen.exe	desired_access = PROCESS_ALL_ACCESS	1	Fn
Open	c:\windows\system32\dllhost.exe	desired_access = PROCESS_ALL_ACCESS	1	Fn
Open	c:\windows\system32\svchost.exe	desired_access = PROCESS_ALL_ACCESS	1	Fn
Open	c:\windows\system32\cmd.exe	desired_access = PROCESS_ALL_ACCESS	1	Fn

Thread (7)

Operation	Process	Additional Information	Count	Logfile
Create	c:\windows\system32\sihost.exe	proc_address = 0x7ff7afc819a0, proc_parameter = 140701782769664, flags = THREAD_RUNS_IMMEDIATELY	1	Fn
Create	c:\windows\system32\taskhostw.exe	proc_address = 0x7ff7afc819a0, proc_parameter = 140701782769664, flags = THREAD_RUNS_IMMEDIATELY	1	Fn
Create	c:\windows\system32\runtimebroker.exe	proc_address = 0x7ff7afc819a0, proc_parameter = 140701782769664, flags = THREAD_RUNS_IMMEDIATELY	1	Fn
Create	c:\windows\systemapps\shellexperiencehost_cw5n1h2txyewy\shellexperiencehost.exe	proc_address = 0x7ff7afc819a0, proc_parameter = 140701782769664, flags = THREAD_RUNS_IMMEDIATELY	1	Fn
Create	c:\windows\systemapps\microsoft.windows.cortana_cw5n1h2txyewy\searchui.exe	proc_address = 0x7ff7afc819a0, proc_parameter = 140701782769664, flags = THREAD_RUNS_IMMEDIATELY	1	Fn
Create	c:\windows\system32\backgroundtaskhost.exe	proc_address = 0x7ff7afc819a0, proc_parameter = 140701782769664, flags = THREAD_RUNS_IMMEDIATELY	1	Fn
Create	c:\windows\system32\svchost.exe	proc_address = 0x7ff7afc819a0, proc_parameter = 140701782769664, flags = THREAD_RUNS_IMMEDIATELY	1	Fn

Memory (34)

Operation	Process	Additional Information	Count	Logfile
Allocate	c:\windows\system32\sihost.exe	address = 0x7ff7afc80000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 217088	1	Fn
Allocate	c:\windows\system32\taskhostw.exe	address = 0x7ff7afc80000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 217088	1	Fn
Allocate	c:\windows\system32\runtimebroker.exe	address = 0x7ff7afc80000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 217088	1	Fn
Allocate	c:\windows\systemapps\shellexperiencehost_cw5n1h2txyewy\shellexperiencehost.exe	address = 0x7ff7afc80000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 217088	1	Fn
Allocate	c:\windows\systemapps\microsoft.windows.cortana_cw5n1h2txyewy\searchui.exe	address = 0x7ff7afc80000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 217088	1	Fn
Allocate	c:\program files\msbuild\uni likely.exe	address = 0x0, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 217088	1	Fn
Allocate	c:\program files (x86)\internet explorer\turkey occasional lessons.exe	address = 0x0, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 217088	1	Fn
Allocate	c:\program files\windows mail\drainage.exe	address = 0x0, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 217088	1	Fn
Allocate	c:\program files\microsoft office\recommendation_shade_reply.exe	address = 0x0, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 217088	1	Fn
Allocate	c:\program files (x86)\internet explorer\victims-language-conversations.exe	address = 0x0, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 217088	1	Fn
Allocate	c:\program files\windows portable devices\maui_observation.exe	address = 0x0, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 217088	1	Fn
Allocate	c:\program files (x86)\windows nt\keyboardsrecallsp.exe	address = 0x0, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 217088	1	Fn
Allocate	c:\program files\common files\interactions_miles_validity.exe	address = 0x0, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 217088	1	Fn
Allocate	c:\program files (x86)\google\incoming tracked holds.exe	address = 0x0, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 217088	1	Fn
Allocate	c:\program files\windows journal\tremendouskurtcreek.exe	address = 0x0, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 217088	1	Fn
Allocate	c:\program files (x86)\google\output sufficient.exe	address = 0x0, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 217088	1	Fn
Allocate	c:\program files\windows photo viewer\solomon.exe	address = 0x0, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 217088	1	Fn
Allocate	c:\program files\windows portable devices\comparing mad.exe	address = 0x0, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 217088	1	Fn
Allocate	c:\program files (x86)\windows multimedia platform\solo.exe	address = 0x0, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 217088	1	Fn
Allocate	c:\program files (x86)\internet explorer\layer-resolutions-situations.exe	address = 0x0, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 217088	1	Fn
Allocate	c:\program files (x86)\msbuild\ultram_counters.exe	address = 0x0, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 217088	1	Fn
Allocate	c:\program files\internet explorer\water readings.exe	address = 0x0, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 217088	1	Fn
Allocate	c:\program files\microsoft office 15\colin.exe	address = 0x0, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 217088	1	Fn
Allocate	c:\windows\system32\backgroundtaskhost.exe	address = 0x7ff7afc80000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 217088	1	Fn
Allocate	c:\program files (x86)\msbuild\father euro.exe	address = 0x0, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 217088	1	Fn
Allocate	c:\program files (x86)\microsoft.net\cohen.exe	address = 0x0, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 217088	1	Fn
Allocate	c:\windows\system32\svchost.exe	address = 0x7ff7afc80000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 217088	1	Fn
Write	c:\windows\system32\sihost.exe	address = 0x7ff7afc80000, size = 217088	1	Fn Data
Write	c:\windows\system32\taskhostw.exe	address = 0x7ff7afc80000, size = 217088	1	Fn Data
Write	c:\windows\system32\runtimebroker.exe	address = 0x7ff7afc80000, size = 217088	1	Fn Data
Write	c:\windows\systemapps\shellexperiencehost_cw5n1h2txyewy\shellexperiencehost.exe	address = 0x7ff7afc80000, size = 217088	1	Fn Data
Write	c:\windows\systemapps\microsoft.windows.cortana_cw5n1h2txyewy\searchui.exe	address = 0x7ff7afc80000, size = 217088	1	Fn Data
Write	c:\windows\system32\backgroundtaskhost.exe	address = 0x7ff7afc80000, size = 217088	1	Fn Data
Write	c:\windows\system32\svchost.exe	address = 0x7ff7afc80000, size = 217088	1	Fn Data

Module (55)

Operation	Module	Additional Information	Count	Logfile
Load	api-ms-win-core-synch-l1-2-0	base_address = 0x7ff8eb870000	2	Fn
Load	api-ms-win-core-fibers-l1-1-1	base_address = 0x7ff8eb870000	2	Fn
Load	advapi32	base_address = 0x7ff8ee190000	1	Fn
Load	api-ms-win-core-localization-l1-2-1	base_address = 0x7ff8eb870000	1	Fn
Load	kernel32.dll	base_address = 0x7ff8ee2d0000	1	Fn
Load	api-ms-win-appmodel-runtime-l1-1-1	base_address = 0x7ff8eae20000	1	Fn
Get Handle	c:\users\ciihmnxmn6ps\desktop\eqbnr.exe	base_address = 0x7ff7afc80000	29	Fn
Get Handle	mscoree.dll	-	1	Fn
Get Filename	-	process_name = c:\users\ciihmnxmn6ps\desktop\eqbnr.exe, file_name_orig = C:\Users\CIiHmnxMn6Ps\Desktop\eqBNr.exe, size = 260	3	Fn
Get Filename	-	process_name = c:\users\ciihmnxmn6ps\desktop\eqbnr.exe, file_name_orig = C:\Users\CIiHmnxMn6Ps\Desktop\eqBNr.exe, size = 320	1	Fn
Get Filename	-	process_name = c:\users\ciihmnxmn6ps\desktop\eqbnr.exe, file_name_orig = C:\Users\CIiHmnxMn6Ps\Desktop\eqBNr.exe, size = 100	1	Fn
Get Address	c:\windows\system32\kernelbase.dll	function = InitializeCriticalSectionEx, address_out = 0x7ff8eb8c3900	2	Fn
Get Address	c:\windows\system32\kernelbase.dll	function = FlsAlloc, address_out = 0x7ff8eb8d4580	2	Fn
Get Address	c:\windows\system32\kernelbase.dll	function = FlsSetValue, address_out = 0x7ff8eb8c2900	2	Fn
Get Address	c:\windows\system32\advapi32.dll	function = EventRegister, address_out = 0x7ff8ee3b8ff0	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = EventSetInformation, address_out = 0x7ff8ee38e180	1	Fn
Get Address	c:\windows\system32\kernelbase.dll	function = FlsGetValue, address_out = 0x7ff8eb8b8e40	1	Fn
Get Address	c:\windows\system32\kernelbase.dll	function = LCMapStringEx, address_out = 0x7ff8eb88a930	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = IsWow64Process, address_out = 0x7ff8ee2ee960	1	Fn
Get Address	c:\windows\system32\kernel.appcore.dll	function = GetCurrentPackageId, address_out = 0x7ff8eae22310	1	Fn

User (1)

Operation	Additional Information	Success	Count	Logfile
Lookup Privilege	privilege = SeDebugPrivilege, luid = 20		1	Fn

System (34)

Operation	Additional Information	Count	Logfile
Sleep	duration = 5000 milliseconds (5.000 seconds)	2	Fn
Sleep	duration = 300 milliseconds (0.300 seconds)	29	Fn
Get Info	type = Operating System	1	Fn
Get Info	type = Windows Directory, result_out = C:\Windows	2	Fn

Environment (1)

Operation	Additional Information	Success	Count	Logfile
Get Environment String	-		1	Fn Data

Process #2: cmd.exe

Information	Value
ID	#2
File Name	c:\windows\system32\cmd.exe
Command Line	"C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\CIiHmnxMn6Ps\Desktop\eqBNr.exe" /f
Initial Working Directory	C:\Users\CIiHmnxMn6Ps\Desktop\
Monitor	Start Time: 00:01:09, Reason: Child Process
Unmonitor	End Time: 00:01:14, Reason: Self Terminated
Monitor Duration	00:00:05

OS Process Information

Information	Value
PID	0xc80
Parent PID	0x300 (c:\users\ciihmnxmn6ps\desktop\eqbnr.exe)
Is Created or Modified Executable
Integrity Level	High (Elevated)
Username	LHNIWSJ\CIiHmnxMn6Ps
Enabled Privileges	SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs	0x C84 0x D00

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	r	-
private_0x00000096f3030000	0x96f3030000	0x96f304ffff	Private Memory	rw	-
pagefile_0x00000096f3030000	0x96f3030000	0x96f303ffff	Pagefile Backed Memory	rw	-
private_0x00000096f3040000	0x96f3040000	0x96f3046fff	Private Memory	rw	-
pagefile_0x00000096f3050000	0x96f3050000	0x96f3063fff	Pagefile Backed Memory	r	-
private_0x00000096f3070000	0x96f3070000	0x96f316ffff	Private Memory	rw	-
pagefile_0x00000096f3170000	0x96f3170000	0x96f3173fff	Pagefile Backed Memory	r	-
pagefile_0x00000096f3180000	0x96f3180000	0x96f3180fff	Pagefile Backed Memory	r	-
private_0x00000096f3190000	0x96f3190000	0x96f3191fff	Private Memory	rw	-
private_0x00000096f31a0000	0x96f31a0000	0x96f31a6fff	Private Memory	rw	-
private_0x00000096f3220000	0x96f3220000	0x96f331ffff	Private Memory	rw	-
locale.nls	0x96f3320000	0x96f33ddfff	Memory Mapped File	r	-
private_0x00000096f33e0000	0x96f33e0000	0x96f34dffff	Private Memory	rw	-
private_0x00000096f3630000	0x96f3630000	0x96f363ffff	Private Memory	rw	-
sortdefault.nls	0x96f3640000	0x96f3976fff	Memory Mapped File	r	-
pagefile_0x00007df5ff490000	0x7df5ff490000	0x7ff5ff48ffff	Pagefile Backed Memory	-	-
pagefile_0x00007ff786100000	0x7ff786100000	0x7ff7861fffff	Pagefile Backed Memory	r	-
pagefile_0x00007ff786200000	0x7ff786200000	0x7ff786222fff	Pagefile Backed Memory	r	-
private_0x00007ff78622a000	0x7ff78622a000	0x7ff78622afff	Private Memory	rw	-
private_0x00007ff78622c000	0x7ff78622c000	0x7ff78622dfff	Private Memory	rw	-
private_0x00007ff78622e000	0x7ff78622e000	0x7ff78622ffff	Private Memory	rw	-
cmd.exe	0x7ff7863d0000	0x7ff786428fff	Memory Mapped File	rwx	-
kernelbase.dll	0x7ff8eb870000	0x7ff8eba4cfff	Memory Mapped File	rwx	-
msvcrt.dll	0x7ff8ee0b0000	0x7ff8ee14cfff	Memory Mapped File	rwx	-
kernel32.dll	0x7ff8ee2d0000	0x7ff8ee37cfff	Memory Mapped File	rwx	-
ntdll.dll	0x7ff8ee380000	0x7ff8ee541fff	Memory Mapped File	rwx	-

Host Behavior

File (10)

Operation	Filename	Additional Information	Count	Logfile
Get Info	C:\Users\CIiHmnxMn6Ps\Desktop	type = file_attributes	2	Fn
Open	STD_OUTPUT_HANDLE	-	5	Fn
Open	STD_INPUT_HANDLE	-	3	Fn

Registry (17)

Operation	Key	Additional Information	Count	Logfile
Open Key	HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System	-	1	Fn
Open Key	HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	-	1	Fn
Open Key	HKEY_CURRENT_USER\Software\Microsoft\Command Processor	-	1	Fn
Read Value	HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	value_name = DisableUNCCheck, data = 1, type = REG_NONE	1	Fn
Read Value	HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Read Value	HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	value_name = DelayedExpansion, data = 1, type = REG_NONE	1	Fn
Read Value	HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Read Value	HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Read Value	HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Read Value	HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	value_name = AutoRun, data = 64, type = REG_NONE	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Command Processor	value_name = DisableUNCCheck, data = 64, type = REG_NONE	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Command Processor	value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Command Processor	value_name = DelayedExpansion, data = 1, type = REG_NONE	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Command Processor	value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Command Processor	value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Command Processor	value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Command Processor	value_name = AutoRun, data = 9, type = REG_NONE	1	Fn

Process (1)

Operation	Process	Additional Information	Success	Count	Logfile
Create	C:\Windows\system32\reg.exe	os_pid = 0xd08, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL		1	Fn

Module (8)

Operation	Module	Additional Information	Count	Logfile
Get Handle	c:\windows\system32\cmd.exe	base_address = 0x7ff7863d0000	1	Fn
Get Handle	c:\windows\system32\kernel32.dll	base_address = 0x7ff8ee2d0000	2	Fn
Get Filename	-	process_name = c:\windows\system32\cmd.exe, file_name_orig = C:\Windows\System32\cmd.exe, size = 260	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = SetThreadUILanguage, address_out = 0x7ff8ee2ed550	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = CopyFileExW, address_out = 0x7ff8ee2f25e0	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = IsDebuggerPresent, address_out = 0x7ff8ee2f1f90	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = SetConsoleInputExeNameW, address_out = 0x7ff8eb8c3a10	1	Fn

Environment (19)

Operation	Additional Information	Count	Logfile
Get Environment String	-	7	Fn Data
Get Environment String	name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\	2	Fn
Get Environment String	name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC	2	Fn
Get Environment String	name = PROMPT	1	Fn
Get Environment String	name = COMSPEC, result_out = C:\Windows\system32\cmd.exe	1	Fn
Get Environment String	name = KEYS	1	Fn
Set Environment String	name = PROMPT, value = $P$G	1	Fn
Set Environment String	name = =C:, value = C:\Users\CIiHmnxMn6Ps\Desktop	1	Fn
Set Environment String	name = COPYCMD	1	Fn
Set Environment String	name = =ExitCode, value = 00000000	1	Fn
Set Environment String	name = =ExitCodeAscii	1	Fn

Process #4: sihost.exe

15696

Information	Value
ID	#4
File Name	c:\windows\system32\sihost.exe
Command Line	sihost.exe
Initial Working Directory	C:\Windows\system32\
Monitor	Start Time: 00:01:10, Reason: Injection
Unmonitor	End Time: 00:01:42, Reason: Self Terminated
Monitor Duration	00:00:32

OS Process Information

Information	Value
PID	0x778
Parent PID	0x330 (c:\windows\system32\svchost.exe)
Is Created or Modified Executable
Integrity Level	Medium
Username	LHNIWSJ\CIiHmnxMn6Ps
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x BA8 0x 8A8 0x 850 0x 2BC 0x 44C 0x 410 0x 7FC 0x 7F0 0x 7EC 0x 7E4 0x 79C 0x 798 0x 794 0x 77C 0x CB8 0x CD0 0x D48 0x D4C 0x EE8

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	r	-
pagefile_0x000000d7077e0000	0xd7077e0000	0xd7077effff	Pagefile Backed Memory	rw	-
private_0x000000d7077f0000	0xd7077f0000	0xd7077f6fff	Private Memory	rw	-
pagefile_0x000000d707800000	0xd707800000	0xd707813fff	Pagefile Backed Memory	r	-
private_0x000000d707820000	0xd707820000	0xd70789ffff	Private Memory	rw	-
pagefile_0x000000d7078a0000	0xd7078a0000	0xd7078a3fff	Pagefile Backed Memory	r	-
private_0x000000d7078b0000	0xd7078b0000	0xd7078b1fff	Private Memory	rw	-
private_0x000000d7078c0000	0xd7078c0000	0xd7078c6fff	Private Memory	rw	-
private_0x000000d7078d0000	0xd7078d0000	0xd7078d0fff	Private Memory	rw	-
private_0x000000d7078e0000	0xd7078e0000	0xd7078e0fff	Private Memory	rw	-
pagefile_0x000000d7078f0000	0xd7078f0000	0xd7078f0fff	Pagefile Backed Memory	r	-
pagefile_0x000000d707900000	0xd707900000	0xd707900fff	Pagefile Backed Memory	r	-
private_0x000000d707910000	0xd707910000	0xd707a0ffff	Private Memory	rw	-
locale.nls	0xd707a10000	0xd707acdfff	Memory Mapped File	r	-
private_0x000000d707ad0000	0xd707ad0000	0xd707b4ffff	Private Memory	rw	-
pagefile_0x000000d707b50000	0xd707b50000	0xd707b79fff	Pagefile Backed Memory	rw	-
private_0x000000d707b80000	0xd707b80000	0xd707b80fff	Private Memory	rw	-
private_0x000000d707b90000	0xd707b90000	0xd707b92fff	Private Memory	rw	-
private_0x000000d707ba0000	0xd707ba0000	0xd707baffff	Private Memory	rw	-
pagefile_0x000000d707bb0000	0xd707bb0000	0xd707d37fff	Pagefile Backed Memory	r	-
pagefile_0x000000d707d40000	0xd707d40000	0xd707ec0fff	Pagefile Backed Memory	r	-
pagefile_0x000000d707ed0000	0xd707ed0000	0xd7092cffff	Pagefile Backed Memory	r	-
private_0x000000d7092d0000	0xd7092d0000	0xd7093cffff	Private Memory	rw	-
sortdefault.nls	0xd7093d0000	0xd709706fff	Memory Mapped File	r	-
private_0x000000d709710000	0xd709710000	0xd70978ffff	Private Memory	rw	-
private_0x000000d709790000	0xd709790000	0xd70980ffff	Private Memory	rw	-
private_0x000000d709810000	0xd709810000	0xd70988ffff	Private Memory	rw	-
private_0x000000d709890000	0xd709890000	0xd70990ffff	Private Memory	rw	-
private_0x000000d709910000	0xd709910000	0xd70998ffff	Private Memory	rw	-
private_0x000000d709990000	0xd709990000	0xd709a0ffff	Private Memory	rw	-
private_0x000000d709a70000	0xd709a70000	0xd709a7ffff	Private Memory	rw	-
private_0x000000d709a80000	0xd709a80000	0xd709b7ffff	Private Memory	rw	-
private_0x000000d709b80000	0xd709b80000	0xd70a37ffff	Private Memory	-	-
private_0x000000d70a380000	0xd70a380000	0xd70a3fffff	Private Memory	rw	-
private_0x000000d70a400000	0xd70a400000	0xd70a47ffff	Private Memory	rw	-
private_0x000000d70a480000	0xd70a480000	0xd70a4fffff	Private Memory	rw	-
private_0x000000d70a500000	0xd70a500000	0xd70a57ffff	Private Memory	rw	-
kernelbase.dll.mui	0xd70a580000	0xd70a65efff	Memory Mapped File	r	-
private_0x000000d70a660000	0xd70a660000	0xd70a6dffff	Private Memory	rw	-
private_0x000000d70a6e0000	0xd70a6e0000	0xd70a75ffff	Private Memory	rw	-
private_0x000000d70a760000	0xd70a760000	0xd70a7dffff	Private Memory	rw	-
private_0x000000d70a7e0000	0xd70a7e0000	0xd70a85ffff	Private Memory	rw	-
private_0x000000d70a860000	0xd70a860000	0xd70a95ffff	Private Memory	rw	-
private_0x000000d70a960000	0xd70a960000	0xd70a9dffff	Private Memory	rw	-
private_0x000000d70a9e0000	0xd70a9e0000	0xd70aa5ffff	Private Memory	rw	-
private_0x000000d70aa60000	0xd70aa60000	0xd70ab54fff	Private Memory	rw	-
pagefile_0x00007df5ffcf0000	0x7df5ffcf0000	0x7ff5ffceffff	Pagefile Backed Memory	-	-
private_0x00007ff6f2f48000	0x7ff6f2f48000	0x7ff6f2f49fff	Private Memory	rw	-
private_0x00007ff6f2f4a000	0x7ff6f2f4a000	0x7ff6f2f4bfff	Private Memory	rw	-
private_0x00007ff6f2f4c000	0x7ff6f2f4c000	0x7ff6f2f4dfff	Private Memory	rw	-
private_0x00007ff6f2f4e000	0x7ff6f2f4e000	0x7ff6f2f4ffff	Private Memory	rw	-
private_0x00007ff6f2f50000	0x7ff6f2f50000	0x7ff6f2f51fff	Private Memory	rw	-
private_0x00007ff6f2f52000	0x7ff6f2f52000	0x7ff6f2f53fff	Private Memory	rw	-
private_0x00007ff6f2f54000	0x7ff6f2f54000	0x7ff6f2f55fff	Private Memory	rw	-
private_0x00007ff6f2f56000	0x7ff6f2f56000	0x7ff6f2f57fff	Private Memory	rw	-
private_0x00007ff6f2f58000	0x7ff6f2f58000	0x7ff6f2f59fff	Private Memory	rw	-
private_0x00007ff6f2f5a000	0x7ff6f2f5a000	0x7ff6f2f5bfff	Private Memory	rw	-
private_0x00007ff6f2f5c000	0x7ff6f2f5c000	0x7ff6f2f5dfff	Private Memory	rw	-
private_0x00007ff6f2f5e000	0x7ff6f2f5e000	0x7ff6f2f5ffff	Private Memory	rw	-
pagefile_0x00007ff6f2f60000	0x7ff6f2f60000	0x7ff6f305ffff	Pagefile Backed Memory	r	-
pagefile_0x00007ff6f3060000	0x7ff6f3060000	0x7ff6f3082fff	Pagefile Backed Memory	r	-
private_0x00007ff6f3083000	0x7ff6f3083000	0x7ff6f3084fff	Private Memory	rw	-
private_0x00007ff6f3085000	0x7ff6f3085000	0x7ff6f3086fff	Private Memory	rw	-
private_0x00007ff6f3087000	0x7ff6f3087000	0x7ff6f3088fff	Private Memory	rw	-
private_0x00007ff6f3089000	0x7ff6f3089000	0x7ff6f308afff	Private Memory	rw	-
private_0x00007ff6f308b000	0x7ff6f308b000	0x7ff6f308cfff	Private Memory	rw	-
private_0x00007ff6f308d000	0x7ff6f308d000	0x7ff6f308efff	Private Memory	rw	-
private_0x00007ff6f308f000	0x7ff6f308f000	0x7ff6f308ffff	Private Memory	rw	-
sihost.exe	0x7ff6f3d00000	0x7ff6f3d15fff	Memory Mapped File	rwx	-
private_0x00007ff7afc80000	0x7ff7afc80000	0x7ff7afcb4fff	Private Memory	rwx	-
staterepository.core.dll	0x7ff8dc6e0000	0x7ff8dc778fff	Memory Mapped File	rwx	-
windows.staterepository.dll	0x7ff8dc780000	0x7ff8dca11fff	Memory Mapped File	rwx	-
licensemanagerapi.dll	0x7ff8deea0000	0x7ff8deeabfff	Memory Mapped File	rwx	-
twinui.appcore.dll	0x7ff8deeb0000	0x7ff8df0bcfff	Memory Mapped File	rwx	-
execmodelproxy.dll	0x7ff8df190000	0x7ff8df1a4fff	Memory Mapped File	rwx	-
sharehost.dll	0x7ff8df220000	0x7ff8df2c4fff	Memory Mapped File	rwx	-
ondemandbrokerclient.dll	0x7ff8df2d0000	0x7ff8df2e0fff	Memory Mapped File	rwx	-
appcontracts.dll	0x7ff8df2f0000	0x7ff8df39bfff	Memory Mapped File	rwx	-
notificationplatformcomponent.dll	0x7ff8df3a0000	0x7ff8df3acfff	Memory Mapped File	rwx	-
execmodelclient.dll	0x7ff8df3b0000	0x7ff8df3f2fff	Memory Mapped File	rwx	-
wpportinglibrary.dll	0x7ff8df410000	0x7ff8df418fff	Memory Mapped File	rwx	-
modernexecserver.dll	0x7ff8df420000	0x7ff8df4f7fff	Memory Mapped File	rwx	-
appointmentactivation.dll	0x7ff8df500000	0x7ff8df521fff	Memory Mapped File	rwx	-
activationmanager.dll	0x7ff8df530000	0x7ff8df58dfff	Memory Mapped File	rwx	-
edputil.dll	0x7ff8df590000	0x7ff8df5befff	Memory Mapped File	rwx	-
actxprxy.dll	0x7ff8df640000	0x7ff8dfaa9fff	Memory Mapped File	rwx	-
coreuicomponents.dll	0x7ff8dfab0000	0x7ff8dfd10fff	Memory Mapped File	rwx	-
userdatatypehelperutil.dll	0x7ff8e1050000	0x7ff8e1060fff	Memory Mapped File	rwx	-
dsclient.dll	0x7ff8e1650000	0x7ff8e165bfff	Memory Mapped File	rwx	-
clipboardserver.dll	0x7ff8e1660000	0x7ff8e168ffff	Memory Mapped File	rwx	-
windows.shell.servicehostbuilder.dll	0x7ff8e16c0000	0x7ff8e16d1fff	Memory Mapped File	rwx	-
desktopshellext.dll	0x7ff8e16e0000	0x7ff8e16f6fff	Memory Mapped File	rwx	-
iertutil.dll	0x7ff8e3c30000	0x7ff8e3fa5fff	Memory Mapped File	rwx	-
msvcp110_win.dll	0x7ff8e60a0000	0x7ff8e6131fff	Memory Mapped File	rwx	-
policymanager.dll	0x7ff8e6140000	0x7ff8e6178fff	Memory Mapped File	rwx	-
xmllite.dll	0x7ff8e6330000	0x7ff8e6365fff	Memory Mapped File	rwx	-
wintypes.dll	0x7ff8e7430000	0x7ff8e7560fff	Memory Mapped File	rwx	-
usermgrproxy.dll	0x7ff8e7570000	0x7ff8e75adfff	Memory Mapped File	rwx	-
propsys.dll	0x7ff8e79b0000	0x7ff8e7b32fff	Memory Mapped File	rwx	-
mmdevapi.dll	0x7ff8e7b40000	0x7ff8e7bb1fff	Memory Mapped File	rwx	-
usermgrcli.dll	0x7ff8e7d10000	0x7ff8e7d1ffff	Memory Mapped File	rwx	-
winnsi.dll	0x7ff8e8460000	0x7ff8e846afff	Memory Mapped File	rwx	-
iphlpapi.dll	0x7ff8e8480000	0x7ff8e84b7fff	Memory Mapped File	rwx	-
dwmapi.dll	0x7ff8e8fb0000	0x7ff8e8fd1fff	Memory Mapped File	rwx	-
coremessaging.dll	0x7ff8e9060000	0x7ff8e9127fff	Memory Mapped File	rwx	-
uxtheme.dll	0x7ff8e9680000	0x7ff8e9715fff	Memory Mapped File	rwx	-
devobj.dll	0x7ff8e9720000	0x7ff8e9746fff	Memory Mapped File	rwx	-
twinapi.appcore.dll	0x7ff8e9860000	0x7ff8e994dfff	Memory Mapped File	rwx	-
rmclient.dll	0x7ff8e99e0000	0x7ff8e9a07fff	Memory Mapped File	rwx	-
mpr.dll	0x7ff8e9fe0000	0x7ff8e9ffbfff	Memory Mapped File	rwx	-
netutils.dll	0x7ff8ea000000	0x7ff8ea00bfff	Memory Mapped File	rwx	-
ntmarta.dll	0x7ff8ea0f0000	0x7ff8ea121fff	Memory Mapped File	rwx	-
rsaenh.dll	0x7ff8ea270000	0x7ff8ea2a2fff	Memory Mapped File	rwx	-
userenv.dll	0x7ff8ea360000	0x7ff8ea37efff	Memory Mapped File	rwx	-
cryptsp.dll	0x7ff8ea620000	0x7ff8ea636fff	Memory Mapped File	rwx	-
cryptbase.dll	0x7ff8ea790000	0x7ff8ea79afff	Memory Mapped File	rwx	-
sspicli.dll	0x7ff8ea9d0000	0x7ff8ea9fbfff	Memory Mapped File	rwx	-
bcrypt.dll	0x7ff8eabd0000	0x7ff8eabf7fff	Memory Mapped File	rwx	-
bcryptprimitives.dll	0x7ff8eac00000	0x7ff8eac6afff	Memory Mapped File	rwx	-
msasn1.dll	0x7ff8eadb0000	0x7ff8eadc0fff	Memory Mapped File	rwx	-
powrprof.dll	0x7ff8eadd0000	0x7ff8eae19fff	Memory Mapped File	rwx	-
kernel.appcore.dll	0x7ff8eae20000	0x7ff8eae2efff	Memory Mapped File	rwx	-
profapi.dll	0x7ff8eae30000	0x7ff8eae42fff	Memory Mapped File	rwx	-
cfgmgr32.dll	0x7ff8eaf60000	0x7ff8eafa3fff	Memory Mapped File	rwx	-
crypt32.dll	0x7ff8eafb0000	0x7ff8eb170fff	Memory Mapped File	rwx	-
windows.storage.dll	0x7ff8eb180000	0x7ff8eb7a7fff	Memory Mapped File	rwx	-
shcore.dll	0x7ff8eb7b0000	0x7ff8eb862fff	Memory Mapped File	rwx	-
kernelbase.dll	0x7ff8eb870000	0x7ff8eba4cfff	Memory Mapped File	rwx	-
oleaut32.dll	0x7ff8ebb30000	0x7ff8ebbedfff	Memory Mapped File	rwx	-
user32.dll	0x7ff8ebdc0000	0x7ff8ebf0dfff	Memory Mapped File	rwx	-
msctf.dll	0x7ff8ec0c0000	0x7ff8ec21bfff	Memory Mapped File	rwx	-
sechost.dll	0x7ff8ec240000	0x7ff8ec29afff	Memory Mapped File	rwx	-
ole32.dll	0x7ff8ec300000	0x7ff8ec440fff	Memory Mapped File	rwx	-
rpcrt4.dll	0x7ff8ec450000	0x7ff8ec575fff	Memory Mapped File	rwx	-
shell32.dll	0x7ff8ec580000	0x7ff8edaa4fff	Memory Mapped File	rwx	-
clbcatq.dll	0x7ff8edb10000	0x7ff8edbb4fff	Memory Mapped File	rwx	-
gdi32.dll	0x7ff8edbc0000	0x7ff8edd44fff	Memory Mapped File	rwx	-
combase.dll	0x7ff8edd60000	0x7ff8edfdbfff	Memory Mapped File	rwx	-
shlwapi.dll	0x7ff8edfe0000	0x7ff8ee030fff	Memory Mapped File	rwx	-
msvcrt.dll	0x7ff8ee0b0000	0x7ff8ee14cfff	Memory Mapped File	rwx	-
imm32.dll	0x7ff8ee150000	0x7ff8ee185fff	Memory Mapped File	rwx	-
advapi32.dll	0x7ff8ee190000	0x7ff8ee235fff	Memory Mapped File	rwx	-
nsi.dll	0x7ff8ee250000	0x7ff8ee257fff	Memory Mapped File	rwx	-
kernel32.dll	0x7ff8ee2d0000	0x7ff8ee37cfff	Memory Mapped File	rwx	-
ntdll.dll	0x7ff8ee380000	0x7ff8ee541fff	Memory Mapped File	rwx	-

Injection Information

Injection Type	Source Process	Source Os Thread ID	Information	Success	Count	Logfile
Modify Memory	#1: c:\users\ciihmnxmn6ps\desktop\eqbnr.exe	0x630	address = 0x7ff7afc80000, size = 217088		1	Fn Data
Create Remote Thread	#1: c:\users\ciihmnxmn6ps\desktop\eqbnr.exe	0x630	address = 0x7ff7afc819a0		1	Fn

Created Files

Filename	File Size	Hash Values	Actions
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\08e575673cce10c72090304839888e02_427a1946-e0ff-4097-8c9e-ca2c1e22780b	0.33 KB	MD5: 0fb11bbaf1381417d4a3a03ab40a4134 SHA1: 177f8843d0a6551e48a5dbfb65514b3ed60e90c8 SHA256: 45d1ce6c8ba220b7b427dc1323a63a6e46a736de3b070c69e1edecffa46a6108 SSDeep: 6:Jg4YrUkU3XvTIAVUWbJfDHS1TsiTcYPL1nsSpkr3OIOo6UCGzRg:Jg493XvT9ZfDy3TcWLpdpu6UCT	... File Actions Show Properties Download
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\08e575673cce10c72090304839888e02_427a1946-e0ff-4097-8c9e-ca2c1e22780b	0.61 KB	MD5: d32a0dacf2917f71ba3e546ee784f9bc SHA1: dc26270f525e75950b2fb6f3c84ef3740930ad55 SHA256: 6e112bd9698f8de4d2daeb005e2bc61d48ee1c1b0b3e2c50ed5bf863ce9a78e9 SSDeep: 6:ao4zO6zBzIDWcDOnyYTkVDBbha08pfJe2GHy5wZzkaSuExMeCk4t5dBPn305Arnn:5F62CcD+QNp2YgaYxMzvE5ArqIjia/	... File Actions Show Properties Download
C:\ProgramData\Adobe\ARM\Reader_17.012.20098\RyukReadMe.txt	0.79 KB	MD5: e8662acb66fe73bfe17c84b6a59b8ea9 SHA1: 35701496614f055d203711e472cd32d68dff0182 SHA256: d8968c39ec81424c2dbf94586acf9a088fa19b6d3d5be8a9267f767b323d42bf SSDeep: 24:iVezHysv9F2Ob/87gPsoU3gMqvKHHLb1+y3RhXYmQ4C4sn:xzSsv9FjxFiH0iFQ4C4s	... File Actions Show Properties Download
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\08e575673cce10c72090304839888e02_427a1946-e0ff-4097-8c9e-ca2c1e22780b	0.05 KB	MD5: 93a5aadeec082ffc1bca5aa27af70f52 SHA1: 47a92aee3ea4d1c1954ed4da9f86dd79d9277d31 SHA256: a1a21799e98f97f271657ce656076f33dcb020d9370f1f2671d783cafd230294 SSDeep: 3:/lE7L6N:+L6N	... File Actions Show Properties Download
C:\users\Public\UNIQUE_ID_DO_NOT_REMOVE	1.41 KB	MD5: b61da09e1f984bff6f156e6c9ff53496 SHA1: 92a562de6895495acced33f184f8dcb2747b93e0 SHA256: 6b82482cd944dcc65d0aa6bf1cf59acbb1d2bea4da860e8a044278a3909ad38e SSDeep: 24:LFr5CN8s3sMFJLqcyfvjbhYI96MUqNXzqN4uty0jAtlH9QCPxlntDXGRyLTT4k2u:xrW8s31LqbXjmA6dj80jAf9QeftjLLTx	... File Actions Show Properties Download
C:\users\Public\PUBLIC	0.27 KB	MD5: 32810676bb5f052d37abfb65002c2655 SHA1: 0558945868c61634f434b65933d5a331326ca1c1 SHA256: a1946498860473c62b24d15cd8b44abea199bfea4d98139591d26b0c9bb200af SSDeep: 6:mtNCno5xC+mv02EoHBPcK076xWAFuk5ts5cYuc2dDJwaM+o:YpE+mctoXeKWAI9cYuFo	... File Actions Show Properties Download

Modified Files

Filename	File Size	Hash Values	Actions
C:\ProgramData\Oracle\Java\.oracle_jre_usage\17dfc292991c7c24.timestamp	0.33 KB	MD5: a8ec9a3f63baf5c8d13581399b1f5aa6 SHA1: 8600aae9305a82b4d49776fb471e0d0bc873cefb SHA256: 490d1a8356a79d310ac09f25d71c3bebab9d862a46c2b0cb2a81f3efecd685df SSDeep: 6:BkPFHy+nQBfFPTzzJAfeb/aD20GL2uc+uZxsVGyO8:GSTPvz4ebO2lVc/x/yO8	... File Actions Show Properties Download
C:\ProgramData\Microsoft\MF\Pending.GRL	14.89 KB	MD5: 13523d6f8db35a631bab14153930369d SHA1: de3a82af630ed22773c6ff8f76cf66e330d5009c SHA256: bde53bb3e9a12159169044a948fcc725dfb9c8939ad5a81aee3d312689d47061 SSDeep: 384:lPiE7+XljmfsNGHAKnqq2dXcS+HMT5awuZY531qLC:leyfspKGqSk05wGu2	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Local\Adobe\Acrobat\DC\Cache\AcroFnt15.lst	9.61 KB	MD5: b9d189e9f8a8a54bb7e4ec72c6e89a88 SHA1: ad68d60450fbc0fb1bc98df323c2c960feb3a761 SHA256: bddfcd3f654faa1ea4466dde71e49f2c75c94b56a435995cd5dfdcc4cca494ed SSDeep: 192:RhztsaGmMrP4gwUr38VABwwveyVLiYagB4mDjWG2X2wpffGNsKwcCADQ:jztDMUk3wqeg3WXpHSumQ	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Local\Adobe\Acrobat\DC\AdobeCMapFnt17.lst	0.80 KB	MD5: 13ac2c4b0f65a07b6db190e15514e5e9 SHA1: 8bb595a5810612f468dafff089bd88a3dbe7318c SHA256: ce49f582380da9e105dbf178d360eda305a5df21f5d6a6ca4b2ef9e53eaa4e99 SSDeep: 24:wkJ3RYf+5A3sVTkHfcvurTVx8dAidZo9uq6Bi:5RYf+5RJvuHz6i	... File Actions Show Properties Download
C:\ProgramData\Microsoft\MF\Active.GRL	14.89 KB	MD5: 2fa2cf70bfa4de7c25da6154083b7d64 SHA1: 7aaee4f3018a469c44d11a6e9ad49f3c6f057e85 SHA256: 6c2c552f65e69d480c73255370c260647e176bdbd49dc10bf0d6611826fe68db SSDeep: 384:LOtAofV48F5v9hEuQbALoXx43NjWVYJq/MjvuXW:LOtRfV48zvLpUXx4NjzJ8MR	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Local\Adobe\Acrobat\DC\AdobeSysFnt17.lst	147.11 KB	MD5: ad1ac716b66feaad11ffe68ca4d74647 SHA1: 053e9be1ca9b3d3237750760c41e1c0ed0cbc1d6 SHA256: 179d237fc6161b192a5c1de791e1e549e81ce764d6cd9f0e38f5386fd1fa1aa4 SSDeep: 3072:RQz9bQvW1nKLUxX3Sz1uWMuRPvsHqFVjnP+GbgoL3mFeBboetPZ0yYlTY9:RE9bQve3nSzbMmPvsH6VTP+GbgA3nddd	... File Actions Show Properties Download
C:\ProgramData\Microsoft\MF\Pending.GRL	15.17 KB	MD5: 150bd5e3733d5ce57b3bf21c01c7bb6f SHA1: 72b7006416072d411b46297e9251a380f67eb311 SHA256: 9f1b43a357f811f66635f0f7dbe2d6d9ef01fe28b4138fc9da8ed6663ee66cf8 SSDeep: 384:tO8Ft0OWVcCUYOEobee9LaySa8KdmtQ4BgSykHcI:M8v0FcJJ9P9LaySa8K4CXqn	... File Actions Show Properties Download
C:\ProgramData\USOShared\Logs\UpdateUx.001.etl	4.56 KB	MD5: c287d03c8d8c8832d9b58a4db8b8a827 SHA1: 72826a033b5561c998b07a4e5dc47deca98d8bda SHA256: 372a0c92cce989b2f83f3ee863f59ef78f81478db1c15cc40cfea7c40db74566 SSDeep: 96:FDWl6dDqlXvxwjspX2NvmB/Tq8G8JSgeVI0ecaSvY5N5K5sfR8n:la6ohdB/Tq8GyPJca3b6	... File Actions Show Properties Download
C:\ProgramData\Oracle\Java\.oracle_jre_usage\17dfc292991c7c24.timestamp	0.61 KB	MD5: 34e92143fe78c28047cef3d54db00df0 SHA1: a800c4c2bbd73d6910c7e2a77d45aed2fd72c20a SHA256: 8311450449617522b92b053edd9c28d51b67450b26991b8cfbde94a740d31034 SSDeep: 12:slFioG6IN2VeCkGQ3MzvO8hgmaRWrD7GlQBYPqUG4v:sKoGmkSzWVtwjaUYy6v	... File Actions Show Properties Download
C:\ProgramData\USOShared\Logs\UpdateUx.001.etl	4.28 KB	MD5: 7c1b98c2df02fce46c0deb44b693d8e8 SHA1: 5f247fc97701bbe9337485544af07d9026b44d4c SHA256: 163ec889f1df72fe5809402e98cb7f5c5ec8b3393f880bfa188eada50629e2a4 SSDeep: 96:dCmQUPw1+nCU0RdZ0sUlR5FbEivmDbCk6H3b9:gmQIw15UEnBUvJvEbCDH3b9	... File Actions Show Properties Download
C:\ProgramData\Microsoft\MF\Active.GRL	15.17 KB	MD5: aefec3651e447396cb8f9c2813550a36 SHA1: 3a5084d0ccd143c9d88e10dae50e83e394b71a65 SHA256: 1e133bf4690eada0ce8f55d157db039a042a1115015a70e44b0feeb11bcc1cd8 SSDeep: 384:kAkvx4VZdungDFjlQ7+9rHcOY41+bb1HuIWc0jjnG:svx4VDGGVx8Hug92cwjG	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Local\Adobe\Acrobat\DC\Cache\AcroFnt15.lst	9.89 KB	MD5: 179145fdf2d708d335f10fad83c8ce09 SHA1: b69cf08ac6ce153b23fc8b975fcaa177a609350e SHA256: 510b1dc59fb0d3ef51b54cff655e0f27af50cf652ed402b1ff164b800389cee2 SSDeep: 192:FIIH3tlzVwpdNyhcmb9xCsZF9IScix8zVYVf+msgocDG03W9cAgCuVq:FII9b4dYhNbcolTocD73xo	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Local\Adobe\Acrobat\DC\AdobeSysFnt15.lst	88.86 KB	MD5: e07dfdbf56dd843366dcd8e2dbd4b88d SHA1: 065b0859df527b825b1d052b9771609582c6e0e3 SHA256: 5b14d65b05ed16e54be508b8797cdf2ca4b1eb45a44cc45ed55dfdf01d86c644 SSDeep: 1536:EVHbeUW4ld9qEqrcVg4NYoVpVxiVxGnrCfdY/p6pdqpPVY/YpkGu3ZXS4L2hGoxs:oeIcDrcVzOojDnufdY/p0CVoEhSS4ihO	... File Actions Show Properties Download
c:\programdata\adobe\arm\reader_17.012.20098\acrordrdcupd1800920044_incr.msp	10.00 MB	MD5: deeff3532e41e0bc196eaad1d44907d8 SHA1: c5d260dbdbefa7fc4c60e15e1ebfd37e40e7834f SHA256: 39362bb48e26b3d316703a6b3e5b7258ac2036dba179ca27fc7fdb4af3971ff9 SSDeep: 196608:dEt+dAxgq0cW1iDlobVOtm8LvMj2YxWCqoM4ffR/uRVr8E7ejFul:a+djcW6qOYIkqTCqSIGS	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Local\Adobe\Acrobat\DC\AdobeSysFnt15.lst	88.58 KB	MD5: a631917ae6baf6e17dbd8d8f3446a211 SHA1: 1c3319d140625f537be5eb874df7753abf3cf67c SHA256: 8c62a81d84593ecb830dff54fb410e707a5a6afc9140fd1b42a30153f4939497 SSDeep: 1536:4Fi+ZvzvgVCq5/w2e2w6eFLoxUOzCuEBySqXq/XUmYNlgleu5Zl:09zosq5PexFkxXCuUliq8yXl	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Local\Adobe\Acrobat\DC\AdobeSysFnt17.lst	147.39 KB	MD5: d44e76fba566fb06658e62742b772c8e SHA1: d98d18c986e0c24eae492f0911e56598f42a4ed5 SHA256: c2eba90103a67cde5f0e928459990a2b99e5e9b427327622b6f17ffb31e639e0 SSDeep: 3072:bpXwtZr2Yhh+vwF+ONrdufm+m/xkFwu3wcOe6cvGgCoIPMul+r3HARQrjh:bpAt8Y7vFbWfPm/xk7OqwNk9rQWrjh	... File Actions Show Properties Download

Host Behavior

File (3791)

Operation	Filename	Additional Information	Count	Logfile
Create	C:\users\Public\sys	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_HIDDEN	1	Fn
Create	C:\users\Public\sys	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_HIDDEN	1	Fn
Create	C:\users\Public\PUBLIC	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\users\Public\UNIQUE_ID_DO_NOT_REMOVE	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\users\Public\PUBLIC	desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	2	Fn
Create	C:\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	5	Fn
Create	C:\Boot\BCD	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Boot\BCD.LOG	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Boot\BCD.LOG1	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Boot\BCD.LOG2	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Boot\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	41	Fn
Create	C:\Boot\bg-BG\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Boot\BOOTSTAT.DAT	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Boot\cs-CZ\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Boot\da-DK\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Boot\de-DE\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Boot\el-GR\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Boot\en-GB\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Boot\en-US\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Boot\es-ES\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Boot\es-MX\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Boot\et-EE\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Boot\fi-FI\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Boot\Fonts\chs_boot.ttf	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Boot\Fonts\cht_boot.ttf	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Boot\Fonts\jpn_boot.ttf	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Boot\Fonts\kor_boot.ttf	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Boot\Fonts\malgunn_boot.ttf	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Boot\Fonts\malgun_boot.ttf	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Boot\Fonts\meiryon_boot.ttf	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Boot\Fonts\meiryo_boot.ttf	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Boot\Fonts\msjhn_boot.ttf	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Boot\Fonts\msjh_boot.ttf	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Boot\Fonts\msyhn_boot.ttf	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Boot\Fonts\msyh_boot.ttf	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Boot\Fonts\segmono_boot.ttf	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Boot\Fonts\segoen_slboot.ttf	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Boot\Fonts\segoe_slboot.ttf	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Boot\Fonts\wgl4_boot.ttf	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Boot\Fonts\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Boot\fr-CA\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Boot\fr-FR\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Boot\hr-HR\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Boot\hu-HU\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Boot\it-IT\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Boot\ja-JP\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Boot\ko-KR\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Boot\lt-LT\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Boot\lv-LV\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Boot\nb-NO\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Boot\nl-NL\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Boot\pl-PL\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Boot\pt-BR\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Boot\pt-PT\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Boot\qps-ploc\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Boot\Resources\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	2	Fn
Create	C:\Boot\Resources\en-US\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Boot\ro-RO\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Boot\ru-RU\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Boot\sk-SK\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Boot\sl-SI\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Boot\sr-Latn-CS\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Boot\sr-Latn-RS\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Boot\sv-SE\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Boot\tr-TR\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Boot\uk-UA\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Boot\zh-CN\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Boot\zh-HK\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Boot\zh-TW\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\bootmgr	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\BOOTNXT	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\BOOTSECT.BAK	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Config.Msi\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Documents and Settings\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\hiberfil.sys	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\pagefile.sys	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\PerfLogs\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	4	Fn
Create	C:\Program Files\Common Files\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	5	Fn
Create	C:\Program Files\Common Files\DESIGNER\MSADDNDR.OLB	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\DESIGNER\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	13	Fn
Create	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVClient.man	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVClientIsv.man	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RHeartbeatConfig.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ClickToRun\ClientCapabilities.json	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ClickToRun\ClientEventLogMessages.man	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ClickToRun\FrequentOfficeUpdateSchedule.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ClickToRun\i640.hash	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ClickToRun\i641033.hash	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeUpdateSchedule.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ClickToRun\ServiceWatcherSchedule.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ClickToRun\SharedPerformance.man	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ClickToRun\SubsystemController.man	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ClickToRun\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ink\Alphabet.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ink\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	44	Fn
Create	C:\Program Files\Common Files\microsoft shared\ink\ar-SA\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ink\bg-BG\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ink\Content.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ink\da-DK\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ink\de-DE\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ink\el-GR\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ink\en-GB\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ink\en-US\boxed-correct.avi	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ink\en-US\boxed-delete.avi	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ink\en-US\boxed-join.avi	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ink\en-US\boxed-split.avi	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ink\en-US\correct.avi	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ink\en-US\delete.avi	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ink\en-US\join.avi	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ink\en-US\split.avi	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ink\en-US\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ink\es-ES\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ink\es-MX\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ink\et-EE\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ink\fi-FI\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ink\FlickAnimation.avi	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ink\fr-CA\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ink\fr-FR\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	11	Fn
Create	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad\auxbase.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert\insertbase.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\ea.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\keypadbase.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\kor-kor.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\baseAltGr_rtl.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_altgr.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_ca.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_heb.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_jpn.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_kor.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_rtl.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\ja-jp.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\ko-kr.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\zh-changjei.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\zh-dayi.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\zh-phonetic.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui\oskclearuibase.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu\oskmenubase.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav\osknavbase.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad\osknumpadbase.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred\oskpredbase.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\ea-sym.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\ja-jp-sym.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\symbase.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ink\he-IL\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ink\hr-HR\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ink\hu-HU\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ink\hwrcommonlm.dat	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ink\HWRCustomization\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ink\hwrenclm.dat	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ink\hwrlatinlm.dat	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ink\hwrusalm.dat	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ink\hwrusash.dat	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ink\ipsar.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ink\ipscat.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ink\ipschs.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ink\ipscht.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ink\ipscsy.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ink\ipsdan.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ink\ipsdeu.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ink\ipsel.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ink\ipsen.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ink\ipsesp.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ink\ipsfin.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ink\ipsfra.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ink\ipshe.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ink\ipshi.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ink\ipshrv.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ink\ipsid.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ink\ipsita.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ink\ipsjpn.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ink\ipskor.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ink\ipsnld.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ink\ipsnor.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ink\ipsplk.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ink\ipsptb.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ink\ipsptg.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ink\ipsrom.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ink\ipsrus.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ink\ipssrb.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ink\ipssrl.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ink\ipssve.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ink\ipstr.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ink\it-IT\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ink\ja-JP\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ink\ko-KR\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ink\LanguageModel\chstic.dgml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ink\LanguageModel\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ink\lt-LT\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ink\lv-LV\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ink\nb-NO\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ink\nl-NL\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ink\pl-PL\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ink\pt-BR\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ink\pt-PT\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ink\ro-RO\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ink\ru-RU\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ink\sk-SK\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ink\sl-SI\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ink\sr-Latn-CS\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ink\sr-Latn-RS\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ink\sv-SE\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ink\th-TH\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ink\tr-TR\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ink\uk-UA\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ink\zh-CN\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ink\zh-HK\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ink\zh-TW\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\MSInfo\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	2	Fn
Create	C:\Program Files\Common Files\microsoft shared\MSInfo\en-US\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\OFFICE16\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	2	Fn
Create	C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\pkeyconfig-office.xrm-ms	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\Source Engine\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\Stationery\Bears.htm	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\Stationery\Bears.jpg	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\Stationery\Blue_Gradient.jpg	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\Stationery\Cave_Drawings.gif	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\Stationery\Connectivity.gif	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\Stationery\Dotted_Lines.emf	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\Stationery\Garden.htm	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\Stationery\Garden.jpg	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\Stationery\Genko_1.emf	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\Stationery\Genko_2.emf	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\Stationery\Graph.emf	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\Stationery\Green Bubbles.htm	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\Stationery\GreenBubbles.jpg	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\Stationery\grid_(cm).wmf	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\Stationery\grid_(inch).wmf	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\Stationery\Hand Prints.htm	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\Stationery\HandPrints.jpg	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\Stationery\Memo.emf	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\Stationery\Monet.jpg	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\Stationery\Month_Calendar.emf	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\Stationery\Music.emf	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\Stationery\Notebook.jpg	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\Stationery\Orange Circles.htm	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\Stationery\OrangeCircles.jpg	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\Stationery\Peacock.htm	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\Stationery\Peacock.jpg	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\Stationery\Pine_Lumber.jpg	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\Stationery\Pretty_Peacock.jpg	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\Stationery\Psychedelic.jpg	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\Stationery\Roses.htm	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\Stationery\Roses.jpg	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\Stationery\Sand_Paper.jpg	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\Stationery\Seyes.emf	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\Stationery\Shades of Blue.htm	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\Stationery\ShadesOfBlue.jpg	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\Stationery\Shorthand.emf	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\Stationery\Small_News.jpg	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\Stationery\Soft Blue.htm	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\Stationery\SoftBlue.jpg	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\Stationery\Stars.htm	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\Stationery\Stars.jpg	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\Stationery\Stucco.gif	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\Stationery\Tanspecks.jpg	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\Stationery\Tiki.gif	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\Stationery\To_Do_List.emf	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\Stationery\White_Chocolate.jpg	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\Stationery\Wrinkled_Paper.gif	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\Stationery\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\TextConv\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	2	Fn
Create	C:\Program Files\Common Files\microsoft shared\TextConv\en-US\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\Triedit\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	2	Fn
Create	C:\Program Files\Common Files\microsoft shared\Triedit\en-US\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\VC\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\VGX\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\VSTO\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	2	Fn
Create	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	2	Fn
Create	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\1033\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\VSTO\vstoee100.tlb	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\VSTO\vstoee90.tlb	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\Services\verisign.bmp	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\Services\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\System\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	5	Fn
Create	C:\Program Files\Common Files\System\ado\adojavas.inc	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\System\ado\adovbs.inc	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\System\ado\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	2	Fn
Create	C:\Program Files\Common Files\System\ado\en-US\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\System\ado\msado20.tlb	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\System\ado\msado21.tlb	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\System\ado\msado25.tlb	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\System\ado\msado26.tlb	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\System\ado\msado27.tlb	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\System\ado\msado28.tlb	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\System\ado\msado60.tlb	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\System\ado\msadomd28.tlb	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\System\ado\msador28.tlb	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\System\ado\msadox28.tlb	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\System\en-US\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\System\msadc\adcjavas.inc	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\System\msadc\adcvbs.inc	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\System\msadc\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	2	Fn
Create	C:\Program Files\Common Files\System\msadc\en-US\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\System\Ole DB\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	2	Fn
Create	C:\Program Files\Common Files\System\Ole DB\en-US\sqloledb.rll.mui	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\System\Ole DB\en-US\sqlxmlx.rll.mui	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\System\Ole DB\en-US\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\System\Ole DB\oledbjvs.inc	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\System\Ole DB\oledbvbs.inc	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\System\Ole DB\sqloledb.rll	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\System\Ole DB\sqlxmlx.rll	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Internet Explorer\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	4	Fn
Create	C:\Program Files\Internet Explorer\en-US\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Internet Explorer\images\bing.ico	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Internet Explorer\images\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Internet Explorer\SIGNUP\install.ins	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Internet Explorer\SIGNUP\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Java\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	2	Fn
Create	C:\Program Files\Java\jre1.8.0_131\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	3	Fn
Create	C:\Program Files\Java\jre1.8.0_131\bin\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	4	Fn
Create	C:\Program Files\Java\jre1.8.0_131\bin\dtplugin\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Java\jre1.8.0_131\bin\javacpl.cpl	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Java\jre1.8.0_131\bin\plugin2\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Java\jre1.8.0_131\bin\server\classes.jsa	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Java\jre1.8.0_131\bin\server\Xusage.txt	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Java\jre1.8.0_131\bin\server\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Java\jre1.8.0_131\COPYRIGHT	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Java\jre1.8.0_131\lib\accessibility.properties	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Java\jre1.8.0_131\lib\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	11	Fn
Create	C:\Program Files\Java\jre1.8.0_131\lib\amd64\jvm.cfg	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Java\jre1.8.0_131\lib\amd64\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Java\jre1.8.0_131\lib\applet\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Java\jre1.8.0_131\lib\calendars.properties	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Java\jre1.8.0_131\lib\charsets.jar	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Java\jre1.8.0_131\lib\classlist	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Java\jre1.8.0_131\lib\cmm\CIEXYZ.pf	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Java\jre1.8.0_131\lib\cmm\GRAY.pf	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Java\jre1.8.0_131\lib\cmm\LINEAR_RGB.pf	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Java\jre1.8.0_131\lib\cmm\PYCC.pf	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Java\jre1.8.0_131\lib\cmm\sRGB.pf	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Java\jre1.8.0_131\lib\cmm\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Java\jre1.8.0_131\lib\content-types.properties	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Java\jre1.8.0_131\lib\currency.data	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Java\jre1.8.0_131\lib\deploy\ffjcext.zip	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Java\jre1.8.0_131\lib\deploy\messages.properties	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Java\jre1.8.0_131\lib\deploy\messages_de.properties	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Java\jre1.8.0_131\lib\deploy\messages_es.properties	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Java\jre1.8.0_131\lib\deploy\messages_fr.properties	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Java\jre1.8.0_131\lib\deploy\messages_it.properties	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Java\jre1.8.0_131\lib\deploy\messages_ja.properties	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Java\jre1.8.0_131\lib\deploy\messages_ko.properties	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Java\jre1.8.0_131\lib\deploy\messages_pt_BR.properties	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Java\jre1.8.0_131\lib\deploy\messages_sv.properties	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Java\jre1.8.0_131\lib\deploy\messages_zh_CN.properties	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Java\jre1.8.0_131\lib\deploy\messages_zh_HK.properties	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Java\jre1.8.0_131\lib\deploy\messages_zh_TW.properties	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Java\jre1.8.0_131\lib\deploy\splash.gif	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Java\jre1.8.0_131\lib\deploy\splash@2x.gif	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Java\jre1.8.0_131\lib\deploy\splash_11-lic.gif	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Java\jre1.8.0_131\lib\deploy\splash_11@2x-lic.gif	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Java\jre1.8.0_131\lib\deploy\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Java\jre1.8.0_131\lib\deploy.jar	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Java\jre1.8.0_131\lib\ext\access-bridge-64.jar	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Java\jre1.8.0_131\lib\ext\cldrdata.jar	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Java\jre1.8.0_131\lib\ext\dnsns.jar	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Java\jre1.8.0_131\lib\ext\jaccess.jar	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Java\jre1.8.0_131\lib\ext\jfxrt.jar	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Java\jre1.8.0_131\lib\ext\localedata.jar	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Java\jre1.8.0_131\lib\ext\meta-index	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Java\jre1.8.0_131\lib\ext\nashorn.jar	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Java\jre1.8.0_131\lib\ext\sunec.jar	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Java\jre1.8.0_131\lib\ext\sunjce_provider.jar	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Java\jre1.8.0_131\lib\ext\sunmscapi.jar	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Java\jre1.8.0_131\lib\ext\sunpkcs11.jar	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Java\jre1.8.0_131\lib\ext\zipfs.jar	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Java\jre1.8.0_131\lib\ext\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Java\jre1.8.0_131\lib\flavormap.properties	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Java\jre1.8.0_131\lib\fontconfig.bfc	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Java\jre1.8.0_131\lib\fontconfig.properties.src	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Java\jre1.8.0_131\lib\fonts\LucidaBrightDemiBold.ttf	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Java\jre1.8.0_131\lib\fonts\LucidaBrightDemiItalic.ttf	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Java\jre1.8.0_131\lib\fonts\LucidaBrightItalic.ttf	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Java\jre1.8.0_131\lib\fonts\LucidaBrightRegular.ttf	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Java\jre1.8.0_131\lib\fonts\LucidaSansDemiBold.ttf	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Java\jre1.8.0_131\lib\fonts\LucidaSansRegular.ttf	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Java\jre1.8.0_131\lib\fonts\LucidaTypewriterBold.ttf	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Java\jre1.8.0_131\lib\fonts\LucidaTypewriterRegular.ttf	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Java\jre1.8.0_131\lib\fonts\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Java\jre1.8.0_131\lib\hijrah-config-umalqura.properties	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Java\jre1.8.0_131\lib\images\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	2	Fn
Create	C:\Program Files\Java\jre1.8.0_131\lib\images\cursors\cursors.properties	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Java\jre1.8.0_131\lib\images\cursors\invalid32x32.gif	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Java\jre1.8.0_131\lib\images\cursors\win32_CopyDrop32x32.gif	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Java\jre1.8.0_131\lib\images\cursors\win32_CopyNoDrop32x32.gif	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Java\jre1.8.0_131\lib\images\cursors\win32_LinkDrop32x32.gif	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Java\jre1.8.0_131\lib\images\cursors\win32_LinkNoDrop32x32.gif	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Java\jre1.8.0_131\lib\images\cursors\win32_MoveDrop32x32.gif	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Java\jre1.8.0_131\lib\images\cursors\win32_MoveNoDrop32x32.gif	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Java\jre1.8.0_131\lib\images\cursors\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Java\jre1.8.0_131\lib\javafx.properties	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Java\jre1.8.0_131\lib\javaws.jar	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Java\jre1.8.0_131\lib\jce.jar	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Java\jre1.8.0_131\lib\jfr\default.jfc	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Java\jre1.8.0_131\lib\jfr\profile.jfc	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Java\jre1.8.0_131\lib\jfr\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Java\jre1.8.0_131\lib\jfr.jar	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Java\jre1.8.0_131\lib\jfxswt.jar	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Java\jre1.8.0_131\lib\jsse.jar	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Java\jre1.8.0_131\lib\jvm.hprof.txt	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Java\jre1.8.0_131\lib\logging.properties	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Java\jre1.8.0_131\lib\management\jmxremote.access	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Java\jre1.8.0_131\lib\management\jmxremote.password.template	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Java\jre1.8.0_131\lib\management\management.properties	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Java\jre1.8.0_131\lib\management\snmp.acl.template	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Java\jre1.8.0_131\lib\management\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Java\jre1.8.0_131\lib\management-agent.jar	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Java\jre1.8.0_131\lib\meta-index	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Java\jre1.8.0_131\lib\net.properties	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Java\jre1.8.0_131\lib\plugin.jar	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Java\jre1.8.0_131\lib\psfont.properties.ja	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Java\jre1.8.0_131\lib\psfontj2d.properties	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Java\jre1.8.0_131\lib\resources.jar	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Java\jre1.8.0_131\lib\rt.jar	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Java\jre1.8.0_131\lib\security\blacklist	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Java\jre1.8.0_131\lib\security\blacklisted.certs	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Java\jre1.8.0_131\lib\security\cacerts	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Java\jre1.8.0_131\lib\security\java.policy	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Java\jre1.8.0_131\lib\security\java.security	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Java\jre1.8.0_131\lib\security\javaws.policy	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Java\jre1.8.0_131\lib\security\local_policy.jar	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Java\jre1.8.0_131\lib\security\trusted.libraries	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Java\jre1.8.0_131\lib\security\US_export_policy.jar	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Java\jre1.8.0_131\lib\security\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Java\jre1.8.0_131\lib\sound.properties	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Java\jre1.8.0_131\lib\tzdb.dat	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Java\jre1.8.0_131\lib\tzmappings	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Java\jre1.8.0_131\LICENSE	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Java\jre1.8.0_131\README.txt	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Java\jre1.8.0_131\release	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Java\jre1.8.0_131\THIRDPARTYLICENSEREADME-JAVAFX.txt	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Java\jre1.8.0_131\THIRDPARTYLICENSEREADME.txt	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Java\jre1.8.0_131\Welcome.html	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\AppXManifest.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\FileSystemMetadata.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	3	Fn
Create	C:\Program Files\Microsoft Office\Office16\OSPP.HTM	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\Office16\OSPP.VBS	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\Office16\SLERROR.XML	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\Office16\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-0015-0000-1000-0000000FF1CE.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-0015-0409-1000-0000000FF1CE.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-0016-0000-1000-0000000FF1CE.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-0016-0409-1000-0000000FF1CE.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-0018-0000-1000-0000000FF1CE.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-0018-0409-1000-0000000FF1CE.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-0019-0000-1000-0000000FF1CE.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-0019-0409-1000-0000000FF1CE.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-001A-0000-1000-0000000FF1CE.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-001A-0409-1000-0000000FF1CE.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-001B-0000-1000-0000000FF1CE.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-001B-0409-1000-0000000FF1CE.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-001F-0409-1000-0000000FF1CE.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-001F-040C-1000-0000000FF1CE.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-001F-0C0A-1000-0000000FF1CE.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-0027-0000-1000-0000000FF1CE.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-002C-0409-1000-0000000FF1CE.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-0054-0409-1000-0000000FF1CE.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-0057-0000-1000-0000000FF1CE.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-006E-0409-1000-0000000FF1CE.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-0090-0000-1000-0000000FF1CE.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-0090-0409-1000-0000000FF1CE.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-00A1-0000-1000-0000000FF1CE.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-00A1-0409-1000-0000000FF1CE.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-00B4-0409-1000-0000000FF1CE.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-00BA-0000-1000-0000000FF1CE.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-00BA-0409-1000-0000000FF1CE.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-00C1-0000-1000-0000000FF1CE.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-00C1-0409-1000-0000000FF1CE.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-00E1-0000-1000-0000000FF1CE.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-00E1-0409-1000-0000000FF1CE.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-00E2-0000-1000-0000000FF1CE.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-00E2-0409-1000-0000000FF1CE.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-0115-0409-1000-0000000FF1CE.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-0117-0409-1000-0000000FF1CE.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-012A-0000-1000-0000000FF1CE.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-012B-0409-1000-0000000FF1CE.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-3101-0000-1000-0000000FF1CE.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.common.16.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\PackageManifests\AppXManifestLoc.16.en-us.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\PackageManifests\AuthoredExtensions.16.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\PackageManifests\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	8	Fn
Create	C:\Program Files\Microsoft Office\root\client\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	3	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\AG00004_.GIF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\AG00011_.GIF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\AG00021_.GIF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\AG00037_.GIF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\AG00038_.GIF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\AG00040_.GIF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\AG00052_.GIF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\AG00057_.GIF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\AG00090_.GIF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\AG00092_.GIF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\AG00103_.GIF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\AG00120_.GIF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\AG00126_.GIF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\AG00129_.GIF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\AG00130_.GIF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\AG00135_.GIF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\AG00139_.GIF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\AG00142_.GIF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\AG00154_.GIF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\AG00157_.GIF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\AG00158_.GIF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\AG00160_.GIF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\AG00161_.GIF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\AG00163_.GIF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\AG00164_.GIF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\AG00165_.GIF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\AG00167_.GIF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\AG00169_.GIF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\AG00170_.GIF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\AG00171_.GIF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\AG00172_.GIF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\AG00174_.GIF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\AG00175_.GIF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\AG00176_.GIF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\AN00010_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\AN00015_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\AN00790_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\AN00853_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\AN00914_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\AN00932_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\AN00965_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\AN01039_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\AN01044_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\AN01060_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\AN01084_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\AN01173_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\AN01174_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\AN01184_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\AN01216_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\AN01218_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\AN01251_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\AN01545_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\AN02122_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\AN02559_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\AN02724_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\AN03500_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\AN04108_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\AN04117_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\AN04134_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\AN04174_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\AN04191_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\AN04195_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\AN04196_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\AN04206_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\AN04225_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\AN04235_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\AN04267_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\AN04269_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\AN04323_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\AN04326_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\AN04332_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\AN04355_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\AN04369_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\AN04384_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\AN04385_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\BABY_01.MID	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\BD00116_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\BD00141_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\BD00146_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\BD00155_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\BD00160_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\BD00173_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\BD05119_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\BD06102_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\BD06200_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\BD07761_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\BD07804_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\BD07831_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\BD08758_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\BD08773_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\BD08808_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\BD08868_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\BD09031_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\BD09194_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\BD09662_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\BD09664_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\BD10890_.GIF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\BD10972_.GIF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\BD19563_.GIF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\BD19582_.GIF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\BD19695_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\BD19827_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\BD19828_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\BD19986_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\BD19988_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\BD20013_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\BL00008_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\BL00012_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\BL00045_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\BL00098_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\BL00105_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\BL00122_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\BL00130_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\BL00148_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\BL00152_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\BL00194_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\BL00195_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\BL00234_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\BL00242_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\BL00247_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\BL00248_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\BL00252_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\BL00254_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\BL00261_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\BL00262_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\BL00265_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\BL00267_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\BL00269_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\BL00270_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\BL00273_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\BL00274_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\BL00296_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\BL00390_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\BL00392_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\BL00524_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\BL00525_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\BL00526_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\BL00648_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\BL00921_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\BL00923_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\BL00932_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\BL00985_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\BOAT.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\BOATINST.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\BS00076_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\BS00078_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\BS00092_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\BS00100_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\BS00135_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\BS00136_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\BS00145_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\BS00174_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\BS00184_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\BS00186_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\BS00200_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\BS00224_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\BS00438_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\BS00439_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\BS00440_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\BS00441_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\BS00442_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\BS00443_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\BS00444_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\BS00445_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\BS00453_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\BS01080_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\BS01603_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\BS01634_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\BS01635_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\BS01636_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\BS01637_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\BS01638_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\BS01639_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\CARBN_01.MID	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\CG1606.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\CLASSIC1.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\CLASSIC2.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\CLIP.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\CMNTY_01.MID	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\CRANE.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\CRANINST.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\CUP.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\CUPINST.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\DD00117_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\DD00121_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\DD00234_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\DD00255_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\DD00256_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\DD00261_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\DD00297_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\DD00372_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\DD00405_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\DD00407_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\DD00413_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\DD00414_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\DD00419_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\DD00437_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\DD00448_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\DD00449_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\DD00687_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\DD00705_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\DD01015_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\DD01039_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\DD01138_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\DD01139_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\DD01140_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\DD01143_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\DD01145_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\DD01146_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\DD01151_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\DD01152_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\DD01157_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\DD01160_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\DD01162_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\DD01163_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\DD01166_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\DD01167_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\DD01168_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\DD01169_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\DD01170_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\DD01171_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\DD01172_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\DD01173_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\DD01176_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\DD01178_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\DD01179_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\DD01180_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\DD01181_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\DD01182_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\DD01183_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\DD01186_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\DD01366_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\DD01434_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\DD01585_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\DD01586_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\DD01628_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\DD01629_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\DD01630_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\DD01631_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\DD01761_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\DD01772_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\DD01793_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\EAST_01.MID	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\ED00010_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\ED00019_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\ED00172_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\ED00184_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\EN00006_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\EN00202_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\Publisher\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	2	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\Publisher\Backgrounds\J0143743.GIF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\Publisher\Backgrounds\J0143744.GIF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\Publisher\Backgrounds\J0143745.GIF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\Publisher\Backgrounds\J0143746.GIF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\Publisher\Backgrounds\J0143748.GIF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\Publisher\Backgrounds\J0143749.GIF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\Publisher\Backgrounds\J0143750.GIF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\Publisher\Backgrounds\J0143752.GIF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\Publisher\Backgrounds\J0143753.GIF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\Publisher\Backgrounds\J0143754.GIF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\Publisher\Backgrounds\J0143758.GIF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\Publisher\Backgrounds\WB00516L.GIF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\Publisher\Backgrounds\WB00531L.GIF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\Publisher\Backgrounds\WB00673L.GIF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\Publisher\Backgrounds\WB00703L.GIF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\Publisher\Backgrounds\WB00760L.GIF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\Publisher\Backgrounds\WB00780L.GIF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\Publisher\Backgrounds\WB01741L.GIF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\Publisher\Backgrounds\WB02039_.GIF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\Publisher\Backgrounds\WB02055_.GIF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\Publisher\Backgrounds\WB02073_.GIF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\Publisher\Backgrounds\WB02074_.GIF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\Publisher\Backgrounds\WB02077_.GIF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\Publisher\Backgrounds\WB02082_.GIF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\Publisher\Backgrounds\WB02085_.GIF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\Publisher\Backgrounds\WB02097_.GIF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\Publisher\Backgrounds\WB02106_.GIF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\Publisher\Backgrounds\WB02116_.GIF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\Publisher\Backgrounds\WB02134_.GIF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\Publisher\Backgrounds\WB02187_.GIF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\Publisher\Backgrounds\WB02198_.GIF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\Publisher\Backgrounds\WB02201_.GIF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\Publisher\Backgrounds\WB02214_.GIF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\Publisher\Backgrounds\WB02218_.GIF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\Publisher\Backgrounds\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Document Themes 16\Facet.thmx	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Document Themes 16\Gallery.thmx	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Document Themes 16\Integral.thmx	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Document Themes 16\Ion Boardroom.thmx	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Document Themes 16\Ion.thmx	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Document Themes 16\Office Theme.thmx	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Document Themes 16\Organic.thmx	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Document Themes 16\Retrospect.thmx	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Document Themes 16\Slice.thmx	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Document Themes 16\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	4	Fn
Create	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Aspect.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Blue Green.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Blue II.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Blue Warm.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Blue.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Grayscale.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Green Yellow.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Green.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Marquee.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Median.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Office 2007 - 2010.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Orange Red.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Orange.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Paper.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Red Orange.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Red Violet.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Red.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Slipstream.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Violet II.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Violet.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Yellow Orange.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Yellow.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Banded Edge.eftx	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Extreme Shadow.eftx	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Frosted Glass.eftx	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Glossy.eftx	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Glow Edge.eftx	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Grunge Texture.eftx	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Inset.eftx	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Milk Glass.eftx	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Office 2007 - 2010.eftx	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Reflection.eftx	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Riblet.eftx	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Smokey Glass.eftx	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Subtle Solids.eftx	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Top Shadow.eftx	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Arial Black-Arial.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Arial-Times New Roman.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Arial.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Calibri Light-Constantia.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Calibri-Cambria.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Calibri.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Cambria.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Candara.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Century Gothic-Palatino Linotype.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Century Gothic.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Century Schoolbook.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Consolas-Verdana.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Constantia-Franklin Gothic Book.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Corbel.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Franklin Gothic.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Garamond-TrebuchetMs.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Garamond.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Georgia.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Gill Sans MT.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Office 2007 - 2010.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Times New Roman-Arial.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\TrebuchetMs.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Tw Cen MT-Rockwell.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Tw Cen MT.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Document Themes 16\Wisp.thmx	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Flattener\CommonSequencingProperties.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Flattener\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\fre\StartMenu_Win10.mp4	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\fre\StartMenu_Win10_RTL.mp4	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\fre\StartMenu_Win7.wmv	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\fre\StartMenu_Win7_RTL.wmv	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\fre\StartMenu_Win8.mp4	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\fre\StartMenu_Win8_RTL.mp4	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\fre\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Integration\C2RInt.16.msi	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Integration\C2RIntLoc.en-us.16.msi	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.Access.Access.x-none.msi.16.x-none.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.accessmui.msi.16.en-us.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.accessmuiset.msi.16.en-us.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.DCF.DCF.x-none.msi.16.x-none.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.dcfmui.msi.16.en-us.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.Excel.Excel.x-none.msi.16.x-none.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.excelmui.msi.16.en-us.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.Groove.Groove.x-none.msi.16.x-none.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.groovemui.msi.16.en-us.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.Lync.Lync.x-none.msi.16.x-none.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.lyncmui.msi.16.en-us.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.office32mui.msi.16.en-us.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.office32ww.msi.16.x-none.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.officemui.msi.16.en-us.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.officemuiset.msi.16.en-us.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.OneNote.OneNote.x-none.msi.16.x-none.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.onenotemui.msi.16.en-us.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.OSM.OSM.x-none.msi.16.x-none.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.osmmui.msi.16.en-us.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.OSMUX.OSMUX.x-none.msi.16.x-none.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.osmuxmui.msi.16.en-us.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.Outlook.Outlook.x-none.msi.16.x-none.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.outlookmui.msi.16.en-us.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.PowerPivot.PowerPivot.x-none.msi.16.x-none.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.PowerPoint.PowerPoint.x-none.msi.16.x-none.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.powerpointmui.msi.16.en-us.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.Project.Project.x-none.msi.16.x-none.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.projectmui.msi.16.en-us.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.Proof.Culture.msi.16.en-us.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.Proof.Culture.msi.16.es-es.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.Proof.Culture.msi.16.fr-fr.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.proofing.msi.16.en-us.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.Publisher.Publisher.x-none.msi.16.x-none.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.publishermui.msi.16.en-us.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.shared.Office.x-none.msi.16.x-none.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.Visio.Visio.x-none.msi.16.x-none.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.visiomui.msi.16.en-us.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.Word.Word.x-none.msi.16.x-none.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.wordmui.msi.16.en-us.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Integration\QFE31927.msp	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Integration\QFE31928.msp	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Integration\SPPRedist.msi	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Integration\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Licenses\c2rpridslicensefiles_auto.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Licenses\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_Grace-ppd.xrm-ms	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_Grace-ul-oob.xrm-ms	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_OEM_Perp-pl.xrm-ms	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_OEM_Perp-ppd.xrm-ms	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_OEM_Perp-ul-oob.xrm-ms	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_OEM_Perp-ul-phn.xrm-ms	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_Retail-pl.xrm-ms	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_Retail-ppd.xrm-ms	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_Retail-ul-oob.xrm-ms	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_Retail-ul-phn.xrm-ms	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_Trial-pl.xrm-ms	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_Trial-ppd.xrm-ms	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_Trial-ul-oob.xrm-ms	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Licenses16\Access2019VL_KMS_Client_AE-ppd.xrm-ms	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Licenses16\Access2019VL_KMS_Client_AE-ul-oob.xrm-ms	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Licenses16\Access2019VL_KMS_Client_AE-ul.xrm-ms	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Licenses16\Access2019VL_MAK_AE-pl.xrm-ms	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Licenses16\Access2019VL_MAK_AE-ppd.xrm-ms	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Licenses16\Access2019VL_MAK_AE-ul-oob.xrm-ms	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Licenses16\Access2019VL_MAK_AE-ul-phn.xrm-ms	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Licenses16\AccessRuntime2019R_PrepidBypass-ppd.xrm-ms	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Licenses16\AccessRuntime2019R_PrepidBypass-ul-oob.xrm-ms	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Licenses16\AccessRuntimeR_PrepidBypass-ppd.xrm-ms	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Licenses16\AccessRuntimeR_PrepidBypass-ul-oob.xrm-ms	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Licenses16\AccessR_Grace-ppd.xrm-ms	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Licenses16\AccessR_Grace-ul-oob.xrm-ms	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Licenses16\AccessR_OEM_Perp-pl.xrm-ms	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Licenses16\AccessR_OEM_Perp-ppd.xrm-ms	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Licenses16\AccessR_OEM_Perp-ul-oob.xrm-ms	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Licenses16\AccessR_OEM_Perp-ul-phn.xrm-ms	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Licenses16\AccessR_Retail-pl.xrm-ms	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Licenses16\AccessR_Retail-ppd.xrm-ms	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Licenses16\AccessR_Retail-ul-oob.xrm-ms	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Licenses16\AccessR_Retail-ul-phn.xrm-ms	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Licenses16\AccessR_Trial-pl.xrm-ms	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Licenses16\AccessR_Trial-ppd.xrm-ms	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Licenses16\AccessR_Trial-ul-oob.xrm-ms	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Licenses16\AccessVL_KMS_Client-ppd.xrm-ms	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Licenses16\AccessVL_KMS_Client-ul-oob.xrm-ms	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Licenses16\AccessVL_KMS_Client-ul.xrm-ms	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Licenses16\AccessVL_MAK-pl.xrm-ms	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Licenses16\AccessVL_MAK-ppd.xrm-ms	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Licenses16\AccessVL_MAK-ul-oob.xrm-ms	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Licenses16\AccessVL_MAK-ul-phn.xrm-ms	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Licenses16\c2rpridslicensefiles_auto.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Licenses16\client-issuance-bridge-office.xrm-ms	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Licenses16\client-issuance-root-bridge-test.xrm-ms	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Licenses16\client-issuance-root.xrm-ms	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Licenses16\client-issuance-stil.xrm-ms	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Licenses16\client-issuance-ul-oob.xrm-ms	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Licenses16\client-issuance-ul.xrm-ms	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Licenses16\ExcelR_Grace-ppd.xrm-ms	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Licenses16\ExcelR_Grace-ul-oob.xrm-ms	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Licenses16\ExcelR_OEM_Perp-pl.xrm-ms	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Licenses16\ExcelR_OEM_Perp-ppd.xrm-ms	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Licenses16\ExcelR_OEM_Perp-ul-oob.xrm-ms	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Licenses16\ExcelR_OEM_Perp-ul-phn.xrm-ms	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Licenses16\ExcelR_Retail-pl.xrm-ms	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Licenses16\ExcelR_Retail-ppd.xrm-ms	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Licenses16\ExcelR_Retail-ul-oob.xrm-ms	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Licenses16\ExcelR_Retail-ul-phn.xrm-ms	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Licenses16\ExcelR_Trial-pl.xrm-ms	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Licenses16\ExcelR_Trial-ppd.xrm-ms	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Licenses16\ExcelR_Trial-ul-oob.xrm-ms	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Licenses16\ExcelVL_KMS_Client-ppd.xrm-ms	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Licenses16\ExcelVL_KMS_Client-ul-oob.xrm-ms	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Licenses16\ExcelVL_KMS_Client-ul.xrm-ms	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Licenses16\ExcelVL_MAK-pl.xrm-ms	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Licenses16\ExcelVL_MAK-ppd.xrm-ms	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Licenses16\ExcelVL_MAK-ul-oob.xrm-ms	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Licenses16\ExcelVL_MAK-ul-phn.xrm-ms	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessDemoR_BypassTrial365-ppd.xrm-ms	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessDemoR_BypassTrial365-ul-oob.xrm-ms	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
For performance reasons, the remaining 98 entries are omitted. The remaining entries can be found in glog.xml.

Module (78)

Operation	Module	Additional Information	Count	Logfile
Load	kernel32.dll	base_address = 0x7ff8ee2d0000	1	Fn
Load	mpr.dll	base_address = 0x7ff8e9fe0000	1	Fn
Load	advapi32.dll	base_address = 0x7ff8ee190000	1	Fn
Load	ole32.dll	base_address = 0x7ff8ec300000	1	Fn
Load	Shell32.dll	base_address = 0x7ff8ec580000	1	Fn
Load	Iphlpapi.dll	base_address = 0x7ff8e8480000	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = LoadLibraryA, address_out = 0x7ff8ee2f2080	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetLastError, address_out = 0x7ff8ee2e6060	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = VirtualFree, address_out = 0x7ff8ee2ebc10	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = CryptExportKey, address_out = 0x7ff8ee1a7b50	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = DeleteFileW, address_out = 0x7ff8ee2f57a0	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetDriveTypeW, address_out = 0x7ff8ee2f58f0	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetCommandLineW, address_out = 0x7ff8ee2f0150	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetStartupInfoW, address_out = 0x7ff8ee2eed80	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = FindNextFileW, address_out = 0x7ff8ee2f5880	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = VirtualAlloc, address_out = 0x7ff8ee2ebaf0	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetUserNameA, address_out = 0x7ff8ee1bec40	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = ExitProcess, address_out = 0x7ff8ee2eef50	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = Wow64RevertWow64FsRedirection, address_out = 0x7ff8ee3136a0	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = CreateProcessA, address_out = 0x7ff8ee2ed5b0	1	Fn
Get Address	c:\windows\system32\iphlpapi.dll	function = GetIpNetTable, address_out = 0x7ff8e849f0b0	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetVersionExW, address_out = 0x7ff8ee2eaa30	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = Wow64DisableWow64FsRedirection, address_out = 0x7ff8ee313690	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetSystemDefaultLangID, address_out = 0x7ff8ee2f2ba0	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetUserNameW, address_out = 0x7ff8ee1ada40	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = ReadFile, address_out = 0x7ff8ee2f5a90	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = RegQueryValueExA, address_out = 0x7ff8ee1a7dd0	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = CloseHandle, address_out = 0x7ff8ee2f5510	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = RegSetValueExW, address_out = 0x7ff8ee1a7850	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = RegCloseKey, address_out = 0x7ff8ee1a72e0	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = CopyFileA, address_out = 0x7ff8ee30e430	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = SetFileAttributesW, address_out = 0x7ff8ee2f5b00	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = WinExec, address_out = 0x7ff8ee311e60	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = CryptDeriveKey, address_out = 0x7ff8ee1c07a0	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = CryptGenKey, address_out = 0x7ff8ee1acab0	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = Sleep, address_out = 0x7ff8ee2e8f00	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetCurrentProcess, address_out = 0x7ff8ee2e6580	1	Fn
Get Address	c:\windows\system32\shell32.dll	function = ShellExecuteW, address_out = 0x7ff8ec6cabc0	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetFileSize, address_out = 0x7ff8ee2f5950	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GlobalAlloc, address_out = 0x7ff8ee2eb810	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = FindClose, address_out = 0x7ff8ee2f57c0	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = WaitForMultipleObjects, address_out = 0x7ff8ee2f56e0	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetModuleFileNameA, address_out = 0x7ff8ee2f0c70	1	Fn
Get Address	c:\windows\system32\shell32.dll	function = ShellExecuteA, address_out = 0x7ff8ec787de0	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetModuleHandleA, address_out = 0x7ff8ee2ee6d0	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetModuleFileNameW, address_out = 0x7ff8ee2eeca0	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = CreateFileA, address_out = 0x7ff8ee2f5760	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetFileSizeEx, address_out = 0x7ff8ee2f5960	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = WriteFile, address_out = 0x7ff8ee2f5b80	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetLogicalDrives, address_out = 0x7ff8ee2e66d0	1	Fn
Get Address	c:\windows\system32\mpr.dll	function = WNetEnumResourceW, address_out = 0x7ff8e9fe27d0	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = RegOpenKeyExW, address_out = 0x7ff8ee1a6cb0	1	Fn
Get Address	c:\windows\system32\mpr.dll	function = WNetCloseEnum, address_out = 0x7ff8e9fe2e20	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetWindowsDirectoryW, address_out = 0x7ff8ee2f2940	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = SetFileAttributesA, address_out = 0x7ff8ee2f5af0	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = RegOpenKeyExA, address_out = 0x7ff8ee1a7d70	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = SetFilePointer, address_out = 0x7ff8ee2f5b20	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetTickCount, address_out = 0x7ff8ee2e60a0	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetFileAttributesW, address_out = 0x7ff8ee2f5930	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = FindFirstFileW, address_out = 0x7ff8ee2f5840	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = CryptAcquireContextW, address_out = 0x7ff8ee1a89e0	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = MoveFileExW, address_out = 0x7ff8ee2f3010	1	Fn
Get Address	c:\windows\system32\mpr.dll	function = WNetOpenEnumW, address_out = 0x7ff8e9fe2f20	1	Fn
Get Address	c:\windows\system32\ole32.dll	function = CoInitialize, address_out = 0x7ff8ec313870	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = CryptDecrypt, address_out = 0x7ff8ee1a9140	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = CryptImportKey, address_out = 0x7ff8ee1a7b40	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = SetFilePointerEx, address_out = 0x7ff8ee2f5b30	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = CopyFileW, address_out = 0x7ff8ee2f5d70	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = FreeLibrary, address_out = 0x7ff8ee2eeb90	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = CreateProcessW, address_out = 0x7ff8ee2edee0	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = CreateDirectoryW, address_out = 0x7ff8ee2f5740	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = CreateThread, address_out = 0x7ff8ee2ebc20	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = CryptDestroyKey, address_out = 0x7ff8ee1a86b0	1	Fn
Get Address	c:\windows\system32\ole32.dll	function = CoCreateInstance, address_out = 0x7ff8edde7000	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = CreateFileW, address_out = 0x7ff8ee2f5770	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetFileAttributesA, address_out = 0x7ff8ee2f5900	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = CryptEncrypt, address_out = 0x7ff8ee1ad7e0	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = RegDeleteValueW, address_out = 0x7ff8ee1a90b0	1	Fn

System (7)

Operation	Additional Information	Count	Logfile
Sleep	duration = 5000 milliseconds (5.000 seconds)	1	Fn
Sleep	duration = 1000 milliseconds (1.000 seconds)	1	Fn
Get Info	type = Operating System	2	Fn
Get Info	type = Windows Directory, result_out = C:\Windows	3	Fn

Process #5: taskhostw.exe

Information	Value
ID	#5
File Name	c:\windows\system32\taskhostw.exe
Command Line	taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
Initial Working Directory	C:\Windows\system32\
Monitor	Start Time: 00:01:11, Reason: Injection
Unmonitor	End Time: 00:01:42, Reason: Self Terminated
Monitor Duration	00:00:31

OS Process Information

Information	Value
PID	0x7ac
Parent PID	0x330 (c:\windows\system32\svchost.exe)
Is Created or Modified Executable
Integrity Level	Medium
Username	LHNIWSJ\CIiHmnxMn6Ps
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x B2C 0x BD0 0x AC4 0x ABC 0x A10 0x 9DC 0x 9C8 0x 9C4 0x 7B8 0x 7B0 0x CC4 0x CE4 0x F20

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	r	-
pagefile_0x00000013be5e0000	0x13be5e0000	0x13be5effff	Pagefile Backed Memory	rw	-
private_0x00000013be5f0000	0x13be5f0000	0x13be5f6fff	Private Memory	rw	-
pagefile_0x00000013be600000	0x13be600000	0x13be613fff	Pagefile Backed Memory	r	-
private_0x00000013be620000	0x13be620000	0x13be69ffff	Private Memory	rw	-
pagefile_0x00000013be6a0000	0x13be6a0000	0x13be6a3fff	Pagefile Backed Memory	r	-
pagefile_0x00000013be6b0000	0x13be6b0000	0x13be6b0fff	Pagefile Backed Memory	r	-
private_0x00000013be6c0000	0x13be6c0000	0x13be6c1fff	Private Memory	rw	-
private_0x00000013be6d0000	0x13be6d0000	0x13be6d6fff	Private Memory	rw	-
taskhostw.exe.mui	0x13be6e0000	0x13be6e0fff	Memory Mapped File	r	-
private_0x00000013be6f0000	0x13be6f0000	0x13be7effff	Private Memory	rw	-
locale.nls	0x13be7f0000	0x13be8adfff	Memory Mapped File	r	-
pagefile_0x00000013be8b0000	0x13be8b0000	0x13be8bffff	Pagefile Backed Memory	rw	-
webcachev01.dat	0x13be8c0000	0x13be8cffff	Memory Mapped File	r	-
webcachev01.dat	0x13be8d0000	0x13be8dffff	Memory Mapped File	r	-
webcachev01.dat	0x13be8e0000	0x13be8effff	Memory Mapped File	r	-
webcachev01.dat	0x13be8f0000	0x13be8fffff	Memory Mapped File	r	-
webcachev01.dat	0x13be900000	0x13be90ffff	Memory Mapped File	r	-
webcachev01.dat	0x13be910000	0x13be91ffff	Memory Mapped File	r	-
webcachev01.dat	0x13be920000	0x13be92ffff	Memory Mapped File	r	-
private_0x00000013be930000	0x13be930000	0x13be9affff	Private Memory	rw	-
private_0x00000013be9b0000	0x13be9b0000	0x13be9b0fff	Private Memory	rw	-
private_0x00000013be9c0000	0x13be9c0000	0x13be9c0fff	Private Memory	rw	-
pagefile_0x00000013be9d0000	0x13be9d0000	0x13be9d3fff	Pagefile Backed Memory	r	-
private_0x00000013be9e0000	0x13be9e0000	0x13be9effff	Private Memory	rw	-
pagefile_0x00000013be9f0000	0x13be9f0000	0x13beaa7fff	Pagefile Backed Memory	r	-
pagefile_0x00000013beab0000	0x13beab0000	0x13beab0fff	Pagefile Backed Memory	r	-
pagefile_0x00000013beac0000	0x13beac0000	0x13beac0fff	Pagefile Backed Memory	r	-
msctfmonitor.dll.mui	0x13bead0000	0x13bead0fff	Memory Mapped File	r	-
pagefile_0x00000013beae0000	0x13beae0000	0x13beae0fff	Pagefile Backed Memory	rw	-
private_0x00000013beaf0000	0x13beaf0000	0x13beafffff	Private Memory	rw	-
pagefile_0x00000013beb00000	0x13beb00000	0x13bec87fff	Pagefile Backed Memory	r	-
pagefile_0x00000013bec90000	0x13bec90000	0x13bee10fff	Pagefile Backed Memory	r	-
pagefile_0x00000013bee20000	0x13bee20000	0x13c021ffff	Pagefile Backed Memory	r	-
private_0x00000013c0220000	0x13c0220000	0x13c029ffff	Private Memory	rw	-
winmm.dll.mui	0x13c02a0000	0x13c02a5fff	Memory Mapped File	r	-
private_0x00000013c02b0000	0x13c02b0000	0x13c02b0fff	Private Memory	rw	-
private_0x00000013c02c0000	0x13c02c0000	0x13c02c0fff	Private Memory	rw	-
private_0x00000013c02d0000	0x13c02d0000	0x13c02d7fff	Private Memory	rw	-
private_0x00000013c02e0000	0x13c02e0000	0x13c02e0fff	Private Memory	rw	-
private_0x00000013c02f0000	0x13c02f0000	0x13c02f0fff	Private Memory	rw	-
private_0x00000013c0300000	0x13c0300000	0x13c0303fff	Private Memory	rw	-
private_0x00000013c0310000	0x13c0310000	0x13c0311fff	Private Memory	rw	-
pagefile_0x00000013c0320000	0x13c0320000	0x13c0320fff	Pagefile Backed Memory	rw	-
pagefile_0x00000013c0330000	0x13c0330000	0x13c033ffff	Pagefile Backed Memory	rw	-
pagefile_0x00000013c0340000	0x13c0340000	0x13c034ffff	Pagefile Backed Memory	rw	-
pagefile_0x00000013c0350000	0x13c0350000	0x13c035ffff	Pagefile Backed Memory	rw	-
pagefile_0x00000013c0360000	0x13c0360000	0x13c036ffff	Pagefile Backed Memory	rw	-
pagefile_0x00000013c0370000	0x13c0370000	0x13c037ffff	Pagefile Backed Memory	rw	-
pagefile_0x00000013c0380000	0x13c0380000	0x13c038ffff	Pagefile Backed Memory	rw	-
private_0x00000013c0390000	0x13c0390000	0x13c0390fff	Private Memory	rw	-
sortdefault.nls	0x13c03a0000	0x13c06d6fff	Memory Mapped File	r	-
private_0x00000013c06e0000	0x13c06e0000	0x13c075ffff	Private Memory	rw	-
private_0x00000013c0760000	0x13c0760000	0x13c07dffff	Private Memory	rw	-
private_0x00000013c07e0000	0x13c07e0000	0x13c085ffff	Private Memory	rw	-
private_0x00000013c0860000	0x13c0860000	0x13c08dffff	Private Memory	rw	-
private_0x00000013c08e0000	0x13c08e0000	0x13c08e6fff	Private Memory	rw	-
private_0x00000013c08f0000	0x13c08f0000	0x13c09effff	Private Memory	rw	-
private_0x00000013c09f0000	0x13c09f0000	0x13c0a6ffff	Private Memory	rw	-
pagefile_0x00000013c0a70000	0x13c0a70000	0x13c0a7ffff	Pagefile Backed Memory	rw	-
pagefile_0x00000013c0a80000	0x13c0a80000	0x13c0a8ffff	Pagefile Backed Memory	rw	-
pagefile_0x00000013c0a90000	0x13c0a90000	0x13c0a9ffff	Pagefile Backed Memory	rw	-
pagefile_0x00000013c0aa0000	0x13c0aa0000	0x13c0aaffff	Pagefile Backed Memory	rw	-
pagefile_0x00000013c0ab0000	0x13c0ab0000	0x13c0abffff	Pagefile Backed Memory	rw	-
pagefile_0x00000013c0ac0000	0x13c0ac0000	0x13c0acffff	Pagefile Backed Memory	rw	-
private_0x00000013c0ad0000	0x13c0ad0000	0x13c1acffff	Private Memory	rw	-
private_0x00000013c1ad0000	0x13c1ad0000	0x13c1b5ffff	Private Memory	rw	-
private_0x00000013c1b60000	0x13c1b60000	0x13c5b5ffff	Private Memory	rw	-
private_0x00000013c5b60000	0x13c5b60000	0x13c9b5ffff	Private Memory	rw	-
private_0x00000013c9b60000	0x13c9b60000	0x13c9b67fff	Private Memory	rw	-
webcachev01.dat	0x13c9b70000	0x13c9b7ffff	Memory Mapped File	r	-
webcachev01.dat	0x13c9b80000	0x13c9b8ffff	Memory Mapped File	r	-
webcachev01.dat	0x13c9b90000	0x13c9b9ffff	Memory Mapped File	r	-
webcachev01.dat	0x13c9ba0000	0x13c9baffff	Memory Mapped File	r	-
webcachev01.dat	0x13c9bb0000	0x13c9bbffff	Memory Mapped File	r	-
webcachev01.dat	0x13c9bc0000	0x13c9bcffff	Memory Mapped File	r	-
webcachev01.dat	0x13c9bd0000	0x13c9bdffff	Memory Mapped File	r	-
webcachev01.dat	0x13c9be0000	0x13c9beffff	Memory Mapped File	r	-
webcachev01.dat	0x13c9bf0000	0x13c9bfffff	Memory Mapped File	r	-
webcachev01.dat	0x13c9c00000	0x13c9c0ffff	Memory Mapped File	r	-
webcachev01.dat	0x13c9c10000	0x13c9c1ffff	Memory Mapped File	r	-
webcachev01.dat	0x13c9c20000	0x13c9c2ffff	Memory Mapped File	r	-
webcachev01.dat	0x13c9c30000	0x13c9c3ffff	Memory Mapped File	r	-
webcachev01.dat	0x13c9c40000	0x13c9c4ffff	Memory Mapped File	r	-
webcachev01.dat	0x13c9c50000	0x13c9c5ffff	Memory Mapped File	r	-
webcachev01.dat	0x13c9c60000	0x13c9c6ffff	Memory Mapped File	r	-
private_0x00000013c9c70000	0x13c9c70000	0x13c9ceffff	Private Memory	rw	-
private_0x00000013c9cf0000	0x13c9cf0000	0x13c9cf7fff	Private Memory	rw	-
webcachev01.dat	0x13c9d00000	0x13c9d0ffff	Memory Mapped File	r	-
webcachev01.dat	0x13c9d10000	0x13c9d1ffff	Memory Mapped File	r	-
webcachev01.dat	0x13c9d20000	0x13c9d2ffff	Memory Mapped File	r	-
webcachev01.dat	0x13c9d30000	0x13c9d3ffff	Memory Mapped File	r	-
webcachev01.dat	0x13c9d40000	0x13c9d4ffff	Memory Mapped File	r	-
webcachev01.dat	0x13c9d50000	0x13c9d5ffff	Memory Mapped File	r	-
private_0x00000013c9d60000	0x13c9d60000	0x13c9d67fff	Private Memory	rw	-
webcachev01.dat	0x13c9d70000	0x13c9d7ffff	Memory Mapped File	r	-
webcachev01.dat	0x13c9d80000	0x13c9d8ffff	Memory Mapped File	r	-
pagefile_0x00000013c9d90000	0x13c9d90000	0x13c9d9ffff	Pagefile Backed Memory	rw	-
webcachev01.dat	0x13c9da0000	0x13c9daffff	Memory Mapped File	r	-
webcachev01.dat	0x13c9db0000	0x13c9dbffff	Memory Mapped File	r	-
webcachev01.dat	0x13c9dc0000	0x13c9dcffff	Memory Mapped File	r	-
webcachev01.dat	0x13c9dd0000	0x13c9ddffff	Memory Mapped File	r	-
webcachev01.dat	0x13c9de0000	0x13c9deffff	Memory Mapped File	r	-
private_0x00000013c9df0000	0x13c9df0000	0x13c9e6ffff	Private Memory	rw	-
webcachev01.dat	0x13c9e70000	0x13c9e7ffff	Memory Mapped File	r	-
pagefile_0x00000013c9e80000	0x13c9e80000	0x13c9e8ffff	Pagefile Backed Memory	rw	-
webcachev01.dat	0x13c9e90000	0x13c9e9ffff	Memory Mapped File	r	-
webcachev01.dat	0x13c9ea0000	0x13c9eaffff	Memory Mapped File	r	-
webcachev01.dat	0x13c9eb0000	0x13c9ebffff	Memory Mapped File	r	-
webcachev01.dat	0x13c9ec0000	0x13c9ecffff	Memory Mapped File	r	-
webcachev01.dat	0x13c9ed0000	0x13c9edffff	Memory Mapped File	r	-
webcachev01.dat	0x13c9ee0000	0x13c9eeffff	Memory Mapped File	r	-
webcachev01.dat	0x13c9ef0000	0x13c9efffff	Memory Mapped File	r	-
webcachev01.dat	0x13c9f00000	0x13c9f0ffff	Memory Mapped File	r	-
webcachev01.dat	0x13c9f20000	0x13c9f2ffff	Memory Mapped File	r	-
webcachev01.dat	0x13c9f30000	0x13c9f3ffff	Memory Mapped File	r	-
webcachev01.dat	0x13c9f40000	0x13c9f4ffff	Memory Mapped File	r	-
webcachev01.dat	0x13c9f50000	0x13c9f5ffff	Memory Mapped File	r	-
webcachev01.dat	0x13c9f60000	0x13c9f6ffff	Memory Mapped File	r	-
private_0x00000013c9f70000	0x13c9f70000	0x13c9f77fff	Private Memory	rw	-
private_0x00000013c9f80000	0x13c9f80000	0x13ca07ffff	Private Memory	rw	-
webcachev01.dat	0x13ca080000	0x13ca08ffff	Memory Mapped File	r	-
webcachev01.dat	0x13ca090000	0x13ca09ffff	Memory Mapped File	r	-
webcachev01.dat	0x13ca0a0000	0x13ca0affff	Memory Mapped File	r	-
webcachev01.dat	0x13ca0b0000	0x13ca0bffff	Memory Mapped File	r	-
webcachev01.dat	0x13ca0c0000	0x13ca0cffff	Memory Mapped File	r	-
webcachev01.dat	0x13ca0d0000	0x13ca0dffff	Memory Mapped File	r	-
webcachev01.dat	0x13ca0e0000	0x13ca0effff	Memory Mapped File	r	-
webcachev01.dat	0x13ca0f0000	0x13ca0fffff	Memory Mapped File	r	-
webcachev01.dat	0x13ca100000	0x13ca10ffff	Memory Mapped File	r	-
webcachev01.dat	0x13ca110000	0x13ca11ffff	Memory Mapped File	r	-
webcachev01.dat	0x13ca120000	0x13ca12ffff	Memory Mapped File	r	-
webcachev01.dat	0x13ca130000	0x13ca13ffff	Memory Mapped File	r	-
webcachev01.dat	0x13ca140000	0x13ca14ffff	Memory Mapped File	r	-
webcachev01.dat	0x13ca150000	0x13ca15ffff	Memory Mapped File	r	-
private_0x00000013ca160000	0x13ca160000	0x13ca167fff	Private Memory	rw	-
webcachev01.dat	0x13ca170000	0x13ca17ffff	Memory Mapped File	r	-
private_0x00000013ca180000	0x13ca180000	0x13ca187fff	Private Memory	rw	-
webcachev01.dat	0x13ca190000	0x13ca19ffff	Memory Mapped File	r	-
webcachev01.dat	0x13ca1a0000	0x13ca1affff	Memory Mapped File	r	-
webcachev01.dat	0x13ca1e0000	0x13ca1effff	Memory Mapped File	r	-
webcachev01.dat	0x13ca1f0000	0x13ca1fffff	Memory Mapped File	r	-
pagefile_0x00007df5ff9d0000	0x7df5ff9d0000	0x7ff5ff9cffff	Pagefile Backed Memory	-	-
private_0x00007ff7afc80000	0x7ff7afc80000	0x7ff7afcb4fff	Private Memory	rwx	-
private_0x00007ff7f6524000	0x7ff7f6524000	0x7ff7f6525fff	Private Memory	rw	-
private_0x00007ff7f6526000	0x7ff7f6526000	0x7ff7f6527fff	Private Memory	rw	-
private_0x00007ff7f6528000	0x7ff7f6528000	0x7ff7f6529fff	Private Memory	rw	-
private_0x00007ff7f652a000	0x7ff7f652a000	0x7ff7f652bfff	Private Memory	rw	-
private_0x00007ff7f652c000	0x7ff7f652c000	0x7ff7f652dfff	Private Memory	rw	-
private_0x00007ff7f652e000	0x7ff7f652e000	0x7ff7f652ffff	Private Memory	rw	-
For performance reasons, the remaining 56 entries are omitted. The remaining entries can be found in flog.txt.

Injection Information

Injection Type	Source Process	Source Os Thread ID	Information	Success	Count	Logfile
Modify Memory	#1: c:\users\ciihmnxmn6ps\desktop\eqbnr.exe	0x630	address = 0x7ff7afc80000, size = 217088		1	Fn Data
Create Remote Thread	#1: c:\users\ciihmnxmn6ps\desktop\eqbnr.exe	0x630	address = 0x7ff7afc819a0		1	Fn

Host Behavior

File (3)

Operation	Filename	Additional Information	Success	Count	Logfile
Create	C:\users\Public\sys	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_HIDDEN		3	Fn

Module (78)

Operation	Module	Additional Information	Count	Logfile
Load	kernel32.dll	base_address = 0x7ff8ee2d0000	1	Fn
Load	mpr.dll	base_address = 0x7ff8e9fe0000	1	Fn
Load	advapi32.dll	base_address = 0x7ff8ee190000	1	Fn
Load	ole32.dll	base_address = 0x7ff8ec300000	1	Fn
Load	Shell32.dll	base_address = 0x7ff8ec580000	1	Fn
Load	Iphlpapi.dll	base_address = 0x7ff8e8480000	1	Fn
Get Address	Unknown module name	function = LoadLibraryA, address_out = 0x7ff8ee2f2080	1	Fn
Get Address	Unknown module name	function = GetLastError, address_out = 0x7ff8ee2e6060	1	Fn
Get Address	Unknown module name	function = VirtualFree, address_out = 0x7ff8ee2ebc10	1	Fn
Get Address	Unknown module name	function = CryptExportKey, address_out = 0x7ff8ee1a7b50	1	Fn
Get Address	Unknown module name	function = DeleteFileW, address_out = 0x7ff8ee2f57a0	1	Fn
Get Address	Unknown module name	function = GetDriveTypeW, address_out = 0x7ff8ee2f58f0	1	Fn
Get Address	Unknown module name	function = GetCommandLineW, address_out = 0x7ff8ee2f0150	1	Fn
Get Address	Unknown module name	function = GetStartupInfoW, address_out = 0x7ff8ee2eed80	1	Fn
Get Address	Unknown module name	function = FindNextFileW, address_out = 0x7ff8ee2f5880	1	Fn
Get Address	Unknown module name	function = VirtualAlloc, address_out = 0x7ff8ee2ebaf0	1	Fn
Get Address	Unknown module name	function = GetUserNameA, address_out = 0x7ff8ee1bec40	1	Fn
Get Address	Unknown module name	function = ExitProcess, address_out = 0x7ff8ee2eef50	1	Fn
Get Address	Unknown module name	function = Wow64RevertWow64FsRedirection, address_out = 0x7ff8ee3136a0	1	Fn
Get Address	Unknown module name	function = CreateProcessA, address_out = 0x7ff8ee2ed5b0	1	Fn
Get Address	Unknown module name	function = GetIpNetTable, address_out = 0x7ff8e849f0b0	1	Fn
Get Address	Unknown module name	function = GetVersionExW, address_out = 0x7ff8ee2eaa30	1	Fn
Get Address	Unknown module name	function = Wow64DisableWow64FsRedirection, address_out = 0x7ff8ee313690	1	Fn
Get Address	Unknown module name	function = GetSystemDefaultLangID, address_out = 0x7ff8ee2f2ba0	1	Fn
Get Address	Unknown module name	function = GetUserNameW, address_out = 0x7ff8ee1ada40	1	Fn
Get Address	Unknown module name	function = ReadFile, address_out = 0x7ff8ee2f5a90	1	Fn
Get Address	Unknown module name	function = RegQueryValueExA, address_out = 0x7ff8ee1a7dd0	1	Fn
Get Address	Unknown module name	function = CloseHandle, address_out = 0x7ff8ee2f5510	1	Fn
Get Address	Unknown module name	function = RegSetValueExW, address_out = 0x7ff8ee1a7850	1	Fn
Get Address	Unknown module name	function = RegCloseKey, address_out = 0x7ff8ee1a72e0	1	Fn
Get Address	Unknown module name	function = CopyFileA, address_out = 0x7ff8ee30e430	1	Fn
Get Address	Unknown module name	function = SetFileAttributesW, address_out = 0x7ff8ee2f5b00	1	Fn
Get Address	Unknown module name	function = WinExec, address_out = 0x7ff8ee311e60	1	Fn
Get Address	Unknown module name	function = CryptDeriveKey, address_out = 0x7ff8ee1c07a0	1	Fn
Get Address	Unknown module name	function = CryptGenKey, address_out = 0x7ff8ee1acab0	1	Fn
Get Address	Unknown module name	function = Sleep, address_out = 0x7ff8ee2e8f00	1	Fn
Get Address	Unknown module name	function = GetCurrentProcess, address_out = 0x7ff8ee2e6580	1	Fn
Get Address	Unknown module name	function = ShellExecuteW, address_out = 0x7ff8ec6cabc0	1	Fn
Get Address	Unknown module name	function = GetFileSize, address_out = 0x7ff8ee2f5950	1	Fn
Get Address	Unknown module name	function = GlobalAlloc, address_out = 0x7ff8ee2eb810	1	Fn
Get Address	Unknown module name	function = FindClose, address_out = 0x7ff8ee2f57c0	1	Fn
Get Address	Unknown module name	function = WaitForMultipleObjects, address_out = 0x7ff8ee2f56e0	1	Fn
Get Address	Unknown module name	function = GetModuleFileNameA, address_out = 0x7ff8ee2f0c70	1	Fn
Get Address	Unknown module name	function = ShellExecuteA, address_out = 0x7ff8ec787de0	1	Fn
Get Address	Unknown module name	function = GetModuleHandleA, address_out = 0x7ff8ee2ee6d0	1	Fn
Get Address	Unknown module name	function = GetModuleFileNameW, address_out = 0x7ff8ee2eeca0	1	Fn
Get Address	Unknown module name	function = CreateFileA, address_out = 0x7ff8ee2f5760	1	Fn
Get Address	Unknown module name	function = GetFileSizeEx, address_out = 0x7ff8ee2f5960	1	Fn
Get Address	Unknown module name	function = WriteFile, address_out = 0x7ff8ee2f5b80	1	Fn
Get Address	Unknown module name	function = GetLogicalDrives, address_out = 0x7ff8ee2e66d0	1	Fn
Get Address	Unknown module name	function = WNetEnumResourceW, address_out = 0x7ff8e9fe27d0	1	Fn
Get Address	Unknown module name	function = RegOpenKeyExW, address_out = 0x7ff8ee1a6cb0	1	Fn
Get Address	Unknown module name	function = WNetCloseEnum, address_out = 0x7ff8e9fe2e20	1	Fn
Get Address	Unknown module name	function = GetWindowsDirectoryW, address_out = 0x7ff8ee2f2940	1	Fn
Get Address	Unknown module name	function = SetFileAttributesA, address_out = 0x7ff8ee2f5af0	1	Fn
Get Address	Unknown module name	function = RegOpenKeyExA, address_out = 0x7ff8ee1a7d70	1	Fn
Get Address	Unknown module name	function = SetFilePointer, address_out = 0x7ff8ee2f5b20	1	Fn
Get Address	Unknown module name	function = GetTickCount, address_out = 0x7ff8ee2e60a0	1	Fn
Get Address	Unknown module name	function = GetFileAttributesW, address_out = 0x7ff8ee2f5930	1	Fn
Get Address	Unknown module name	function = FindFirstFileW, address_out = 0x7ff8ee2f5840	1	Fn
Get Address	Unknown module name	function = CryptAcquireContextW, address_out = 0x7ff8ee1a89e0	1	Fn
Get Address	Unknown module name	function = MoveFileExW, address_out = 0x7ff8ee2f3010	1	Fn
Get Address	Unknown module name	function = WNetOpenEnumW, address_out = 0x7ff8e9fe2f20	1	Fn
Get Address	Unknown module name	function = CoInitialize, address_out = 0x7ff8ec313870	1	Fn
Get Address	Unknown module name	function = CryptDecrypt, address_out = 0x7ff8ee1a9140	1	Fn
Get Address	Unknown module name	function = CryptImportKey, address_out = 0x7ff8ee1a7b40	1	Fn
Get Address	Unknown module name	function = SetFilePointerEx, address_out = 0x7ff8ee2f5b30	1	Fn
Get Address	Unknown module name	function = CopyFileW, address_out = 0x7ff8ee2f5d70	1	Fn
Get Address	Unknown module name	function = FreeLibrary, address_out = 0x7ff8ee2eeb90	1	Fn
Get Address	Unknown module name	function = CreateProcessW, address_out = 0x7ff8ee2edee0	1	Fn
Get Address	Unknown module name	function = CreateDirectoryW, address_out = 0x7ff8ee2f5740	1	Fn
Get Address	Unknown module name	function = CreateThread, address_out = 0x7ff8ee2ebc20	1	Fn
Get Address	Unknown module name	function = CryptDestroyKey, address_out = 0x7ff8ee1a86b0	1	Fn
Get Address	Unknown module name	function = CoCreateInstance, address_out = 0x7ff8edde7000	1	Fn
Get Address	Unknown module name	function = CreateFileW, address_out = 0x7ff8ee2f5770	1	Fn
Get Address	Unknown module name	function = GetFileAttributesA, address_out = 0x7ff8ee2f5900	1	Fn
Get Address	Unknown module name	function = CryptEncrypt, address_out = 0x7ff8ee1ad7e0	1	Fn
Get Address	Unknown module name	function = RegDeleteValueW, address_out = 0x7ff8ee1a90b0	1	Fn

System (8)

Operation	Additional Information	Count	Logfile
Sleep	duration = 5000 milliseconds (5.000 seconds)	1	Fn
Sleep	duration = 9000 milliseconds (9.000 seconds)	3	Fn
Get Info	type = Operating System	1	Fn
Get Info	type = Windows Directory, result_out = C:\Windows	3	Fn

Process #6: runtimebroker.exe

Information	Value
ID	#6
File Name	c:\windows\system32\runtimebroker.exe
Command Line	C:\Windows\System32\RuntimeBroker.exe -Embedding
Initial Working Directory	C:\Windows\system32\
Monitor	Start Time: 00:01:11, Reason: Injection
Unmonitor	End Time: 00:01:42, Reason: Self Terminated
Monitor Duration	00:00:31

OS Process Information

Information	Value
PID	0x814
Parent PID	0x248 (c:\windows\system32\svchost.exe)
Is Created or Modified Executable
Integrity Level	Medium
Username	LHNIWSJ\CIiHmnxMn6Ps
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x C74 0x BC4 0x BBC 0x A08 0x 868 0x 860 0x 85C 0x 824 0x 818 0x CE0

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	r	-
pagefile_0x000000a7239e0000	0xa7239e0000	0xa7239effff	Pagefile Backed Memory	rw	-
private_0x000000a7239f0000	0xa7239f0000	0xa7239f6fff	Private Memory	rw	-
pagefile_0x000000a723a00000	0xa723a00000	0xa723a13fff	Pagefile Backed Memory	r	-
private_0x000000a723a20000	0xa723a20000	0xa723a9ffff	Private Memory	rw	-
pagefile_0x000000a723aa0000	0xa723aa0000	0xa723aa3fff	Pagefile Backed Memory	r	-
pagefile_0x000000a723ab0000	0xa723ab0000	0xa723ab1fff	Pagefile Backed Memory	r	-
private_0x000000a723ac0000	0xa723ac0000	0xa723ac1fff	Private Memory	rw	-
locale.nls	0xa723ad0000	0xa723b8dfff	Memory Mapped File	r	-
private_0x000000a723b90000	0xa723b90000	0xa723c0ffff	Private Memory	rw	-
private_0x000000a723c10000	0xa723c10000	0xa723c10fff	Private Memory	rw	-
private_0x000000a723c20000	0xa723c20000	0xa723c20fff	Private Memory	rw	-
pagefile_0x000000a723c30000	0xa723c30000	0xa723c30fff	Pagefile Backed Memory	r	-
pagefile_0x000000a723c40000	0xa723c40000	0xa723c40fff	Pagefile Backed Memory	r	-
pagefile_0x000000a723c50000	0xa723c50000	0xa723c79fff	Pagefile Backed Memory	rw	-
private_0x000000a723c80000	0xa723c80000	0xa723c86fff	Private Memory	rw	-
pagefile_0x000000a723c90000	0xa723c90000	0xa723c92fff	Pagefile Backed Memory	r	-
pagefile_0x000000a723ca0000	0xa723ca0000	0xa723ca0fff	Pagefile Backed Memory	rw	-
pagefile_0x000000a723cb0000	0xa723cb0000	0xa723cb0fff	Pagefile Backed Memory	rw	-
private_0x000000a723cc0000	0xa723cc0000	0xa723cc6fff	Private Memory	rw	-
private_0x000000a723d00000	0xa723d00000	0xa723dfffff	Private Memory	rw	-
private_0x000000a723e00000	0xa723e00000	0xa723efffff	Private Memory	rw	-
private_0x000000a723f00000	0xa723f00000	0xa723f7ffff	Private Memory	rw	-
pagefile_0x000000a723f80000	0xa723f80000	0xa724107fff	Pagefile Backed Memory	r	-
pagefile_0x000000a724110000	0xa724110000	0xa724290fff	Pagefile Backed Memory	r	-
pagefile_0x000000a7242a0000	0xa7242a0000	0xa72569ffff	Pagefile Backed Memory	r	-
sortdefault.nls	0xa7256a0000	0xa7259d6fff	Memory Mapped File	r	-
private_0x000000a7259e0000	0xa7259e0000	0xa725a5ffff	Private Memory	rw	-
private_0x000000a725a60000	0xa725a60000	0xa725adffff	Private Memory	rw	-
private_0x000000a725ae0000	0xa725ae0000	0xa725b5ffff	Private Memory	rw	-
private_0x000000a725b60000	0xa725b60000	0xa725bdffff	Private Memory	rw	-
private_0x000000a725c00000	0xa725c00000	0xa725cfffff	Private Memory	rw	-
private_0x000000a725d00000	0xa725d00000	0xa725d7ffff	Private Memory	rw	-
private_0x000000a725d80000	0xa725d80000	0xa725e7ffff	Private Memory	rw	-
private_0x000000a725e80000	0xa725e80000	0xa725efffff	Private Memory	rw	-
private_0x000000a725f00000	0xa725f00000	0xa725f7ffff	Private Memory	rw	-
pagefile_0x00007df5ffee0000	0x7df5ffee0000	0x7ff5ffedffff	Pagefile Backed Memory	-	-
ntoskrnl.exe	0x7ff70c8b0000	0x7ff70d101fff	Memory Mapped File	rwx	-
private_0x00007ff78dd78000	0x7ff78dd78000	0x7ff78dd79fff	Private Memory	rw	-
private_0x00007ff78dd7a000	0x7ff78dd7a000	0x7ff78dd7bfff	Private Memory	rw	-
private_0x00007ff78dd7c000	0x7ff78dd7c000	0x7ff78dd7dfff	Private Memory	rw	-
private_0x00007ff78dd7e000	0x7ff78dd7e000	0x7ff78dd7ffff	Private Memory	rw	-
pagefile_0x00007ff78dd80000	0x7ff78dd80000	0x7ff78de7ffff	Pagefile Backed Memory	r	-
pagefile_0x00007ff78de80000	0x7ff78de80000	0x7ff78dea2fff	Pagefile Backed Memory	r	-
private_0x00007ff78dea3000	0x7ff78dea3000	0x7ff78dea4fff	Private Memory	rw	-
private_0x00007ff78dea5000	0x7ff78dea5000	0x7ff78dea6fff	Private Memory	rw	-
private_0x00007ff78dea7000	0x7ff78dea7000	0x7ff78dea8fff	Private Memory	rw	-
private_0x00007ff78dea9000	0x7ff78dea9000	0x7ff78deaafff	Private Memory	rw	-
private_0x00007ff78deab000	0x7ff78deab000	0x7ff78deacfff	Private Memory	rw	-
private_0x00007ff78dead000	0x7ff78dead000	0x7ff78deadfff	Private Memory	rw	-
private_0x00007ff78deae000	0x7ff78deae000	0x7ff78deaffff	Private Memory	rw	-
runtimebroker.exe	0x7ff78e2e0000	0x7ff78e2f5fff	Memory Mapped File	rwx	-
private_0x00007ff7afc80000	0x7ff7afc80000	0x7ff7afcb4fff	Private Memory	rwx	-
windows.internal.shell.broker.dll	0x7ff8db9f0000	0x7ff8dba81fff	Memory Mapped File	rwx	-
tokenbroker.dll	0x7ff8deca0000	0x7ff8ded65fff	Memory Mapped File	rwx	-
execmodelclient.dll	0x7ff8df3b0000	0x7ff8df3f2fff	Memory Mapped File	rwx	-
actxprxy.dll	0x7ff8df640000	0x7ff8dfaa9fff	Memory Mapped File	rwx	-
idstore.dll	0x7ff8e3040000	0x7ff8e3066fff	Memory Mapped File	rwx	-
windows.ui.immersive.dll	0x7ff8e3a70000	0x7ff8e3c26fff	Memory Mapped File	rwx	-
mrmcorer.dll	0x7ff8e5050000	0x7ff8e515efff	Memory Mapped File	rwx	-
samlib.dll	0x7ff8e7400000	0x7ff8e741bfff	Memory Mapped File	rwx	-
wintypes.dll	0x7ff8e7430000	0x7ff8e7560fff	Memory Mapped File	rwx	-
samcli.dll	0x7ff8e76f0000	0x7ff8e7707fff	Memory Mapped File	rwx	-
propsys.dll	0x7ff8e79b0000	0x7ff8e7b32fff	Memory Mapped File	rwx	-
mmdevapi.dll	0x7ff8e7b40000	0x7ff8e7bb1fff	Memory Mapped File	rwx	-
wkscli.dll	0x7ff8e7cd0000	0x7ff8e7ce5fff	Memory Mapped File	rwx	-
winnsi.dll	0x7ff8e8460000	0x7ff8e846afff	Memory Mapped File	rwx	-
iphlpapi.dll	0x7ff8e8480000	0x7ff8e84b7fff	Memory Mapped File	rwx	-
wtsapi32.dll	0x7ff8e8ad0000	0x7ff8e8ae2fff	Memory Mapped File	rwx	-
sppc.dll	0x7ff8e8b60000	0x7ff8e8b84fff	Memory Mapped File	rwx	-
slc.dll	0x7ff8e8b90000	0x7ff8e8bb5fff	Memory Mapped File	rwx	-
coremessaging.dll	0x7ff8e9060000	0x7ff8e9127fff	Memory Mapped File	rwx	-
uxtheme.dll	0x7ff8e9680000	0x7ff8e9715fff	Memory Mapped File	rwx	-
devobj.dll	0x7ff8e9720000	0x7ff8e9746fff	Memory Mapped File	rwx	-
mpr.dll	0x7ff8e9fe0000	0x7ff8e9ffbfff	Memory Mapped File	rwx	-
netutils.dll	0x7ff8ea000000	0x7ff8ea00bfff	Memory Mapped File	rwx	-
rsaenh.dll	0x7ff8ea270000	0x7ff8ea2a2fff	Memory Mapped File	rwx	-
userenv.dll	0x7ff8ea360000	0x7ff8ea37efff	Memory Mapped File	rwx	-
cryptsp.dll	0x7ff8ea620000	0x7ff8ea636fff	Memory Mapped File	rwx	-
cryptbase.dll	0x7ff8ea790000	0x7ff8ea79afff	Memory Mapped File	rwx	-
sspicli.dll	0x7ff8ea9d0000	0x7ff8ea9fbfff	Memory Mapped File	rwx	-
bcrypt.dll	0x7ff8eabd0000	0x7ff8eabf7fff	Memory Mapped File	rwx	-
bcryptprimitives.dll	0x7ff8eac00000	0x7ff8eac6afff	Memory Mapped File	rwx	-
sxs.dll	0x7ff8eac70000	0x7ff8ead07fff	Memory Mapped File	rwx	-
msasn1.dll	0x7ff8eadb0000	0x7ff8eadc0fff	Memory Mapped File	rwx	-
powrprof.dll	0x7ff8eadd0000	0x7ff8eae19fff	Memory Mapped File	rwx	-
kernel.appcore.dll	0x7ff8eae20000	0x7ff8eae2efff	Memory Mapped File	rwx	-
profapi.dll	0x7ff8eae30000	0x7ff8eae42fff	Memory Mapped File	rwx	-
cfgmgr32.dll	0x7ff8eaf60000	0x7ff8eafa3fff	Memory Mapped File	rwx	-
crypt32.dll	0x7ff8eafb0000	0x7ff8eb170fff	Memory Mapped File	rwx	-
windows.storage.dll	0x7ff8eb180000	0x7ff8eb7a7fff	Memory Mapped File	rwx	-
shcore.dll	0x7ff8eb7b0000	0x7ff8eb862fff	Memory Mapped File	rwx	-
kernelbase.dll	0x7ff8eb870000	0x7ff8eba4cfff	Memory Mapped File	rwx	-
oleaut32.dll	0x7ff8ebb30000	0x7ff8ebbedfff	Memory Mapped File	rwx	-
user32.dll	0x7ff8ebdc0000	0x7ff8ebf0dfff	Memory Mapped File	rwx	-
msctf.dll	0x7ff8ec0c0000	0x7ff8ec21bfff	Memory Mapped File	rwx	-
sechost.dll	0x7ff8ec240000	0x7ff8ec29afff	Memory Mapped File	rwx	-
ole32.dll	0x7ff8ec300000	0x7ff8ec440fff	Memory Mapped File	rwx	-
rpcrt4.dll	0x7ff8ec450000	0x7ff8ec575fff	Memory Mapped File	rwx	-
shell32.dll	0x7ff8ec580000	0x7ff8edaa4fff	Memory Mapped File	rwx	-
clbcatq.dll	0x7ff8edb10000	0x7ff8edbb4fff	Memory Mapped File	rwx	-
gdi32.dll	0x7ff8edbc0000	0x7ff8edd44fff	Memory Mapped File	rwx	-
combase.dll	0x7ff8edd60000	0x7ff8edfdbfff	Memory Mapped File	rwx	-
shlwapi.dll	0x7ff8edfe0000	0x7ff8ee030fff	Memory Mapped File	rwx	-
msvcrt.dll	0x7ff8ee0b0000	0x7ff8ee14cfff	Memory Mapped File	rwx	-
imm32.dll	0x7ff8ee150000	0x7ff8ee185fff	Memory Mapped File	rwx	-
advapi32.dll	0x7ff8ee190000	0x7ff8ee235fff	Memory Mapped File	rwx	-
nsi.dll	0x7ff8ee250000	0x7ff8ee257fff	Memory Mapped File	rwx	-
kernel32.dll	0x7ff8ee2d0000	0x7ff8ee37cfff	Memory Mapped File	rwx	-
ntdll.dll	0x7ff8ee380000	0x7ff8ee541fff	Memory Mapped File	rwx	-

Injection Information

Injection Type	Source Process	Source Os Thread ID	Information	Success	Count	Logfile
Modify Memory	#1: c:\users\ciihmnxmn6ps\desktop\eqbnr.exe	0x630	address = 0x7ff7afc80000, size = 217088		1	Fn Data
Create Remote Thread	#1: c:\users\ciihmnxmn6ps\desktop\eqbnr.exe	0x630	address = 0x7ff7afc819a0		1	Fn

Host Behavior

File (3)

Operation	Filename	Additional Information	Success	Count	Logfile
Create	C:\users\Public\sys	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_HIDDEN		3	Fn

Module (78)

Operation	Module	Additional Information	Count	Logfile
Load	kernel32.dll	base_address = 0x7ff8ee2d0000	1	Fn
Load	mpr.dll	base_address = 0x7ff8e9fe0000	1	Fn
Load	advapi32.dll	base_address = 0x7ff8ee190000	1	Fn
Load	ole32.dll	base_address = 0x7ff8ec300000	1	Fn
Load	Shell32.dll	base_address = 0x7ff8ec580000	1	Fn
Load	Iphlpapi.dll	base_address = 0x7ff8e8480000	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = LoadLibraryA, address_out = 0x7ff8ee2f2080	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetLastError, address_out = 0x7ff8ee2e6060	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = VirtualFree, address_out = 0x7ff8ee2ebc10	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = CryptExportKey, address_out = 0x7ff8ee1a7b50	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = DeleteFileW, address_out = 0x7ff8ee2f57a0	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetDriveTypeW, address_out = 0x7ff8ee2f58f0	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetCommandLineW, address_out = 0x7ff8ee2f0150	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetStartupInfoW, address_out = 0x7ff8ee2eed80	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = FindNextFileW, address_out = 0x7ff8ee2f5880	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = VirtualAlloc, address_out = 0x7ff8ee2ebaf0	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetUserNameA, address_out = 0x7ff8ee1bec40	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = ExitProcess, address_out = 0x7ff8ee2eef50	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = Wow64RevertWow64FsRedirection, address_out = 0x7ff8ee3136a0	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = CreateProcessA, address_out = 0x7ff8ee2ed5b0	1	Fn
Get Address	c:\windows\system32\iphlpapi.dll	function = GetIpNetTable, address_out = 0x7ff8e849f0b0	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetVersionExW, address_out = 0x7ff8ee2eaa30	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = Wow64DisableWow64FsRedirection, address_out = 0x7ff8ee313690	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetSystemDefaultLangID, address_out = 0x7ff8ee2f2ba0	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetUserNameW, address_out = 0x7ff8ee1ada40	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = ReadFile, address_out = 0x7ff8ee2f5a90	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = RegQueryValueExA, address_out = 0x7ff8ee1a7dd0	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = CloseHandle, address_out = 0x7ff8ee2f5510	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = RegSetValueExW, address_out = 0x7ff8ee1a7850	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = RegCloseKey, address_out = 0x7ff8ee1a72e0	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = CopyFileA, address_out = 0x7ff8ee30e430	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = SetFileAttributesW, address_out = 0x7ff8ee2f5b00	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = WinExec, address_out = 0x7ff8ee311e60	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = CryptDeriveKey, address_out = 0x7ff8ee1c07a0	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = CryptGenKey, address_out = 0x7ff8ee1acab0	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = Sleep, address_out = 0x7ff8ee2e8f00	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetCurrentProcess, address_out = 0x7ff8ee2e6580	1	Fn
Get Address	c:\windows\system32\shell32.dll	function = ShellExecuteW, address_out = 0x7ff8ec6cabc0	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetFileSize, address_out = 0x7ff8ee2f5950	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GlobalAlloc, address_out = 0x7ff8ee2eb810	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = FindClose, address_out = 0x7ff8ee2f57c0	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = WaitForMultipleObjects, address_out = 0x7ff8ee2f56e0	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetModuleFileNameA, address_out = 0x7ff8ee2f0c70	1	Fn
Get Address	c:\windows\system32\shell32.dll	function = ShellExecuteA, address_out = 0x7ff8ec787de0	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetModuleHandleA, address_out = 0x7ff8ee2ee6d0	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetModuleFileNameW, address_out = 0x7ff8ee2eeca0	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = CreateFileA, address_out = 0x7ff8ee2f5760	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetFileSizeEx, address_out = 0x7ff8ee2f5960	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = WriteFile, address_out = 0x7ff8ee2f5b80	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetLogicalDrives, address_out = 0x7ff8ee2e66d0	1	Fn
Get Address	c:\windows\system32\mpr.dll	function = WNetEnumResourceW, address_out = 0x7ff8e9fe27d0	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = RegOpenKeyExW, address_out = 0x7ff8ee1a6cb0	1	Fn
Get Address	c:\windows\system32\mpr.dll	function = WNetCloseEnum, address_out = 0x7ff8e9fe2e20	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetWindowsDirectoryW, address_out = 0x7ff8ee2f2940	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = SetFileAttributesA, address_out = 0x7ff8ee2f5af0	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = RegOpenKeyExA, address_out = 0x7ff8ee1a7d70	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = SetFilePointer, address_out = 0x7ff8ee2f5b20	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetTickCount, address_out = 0x7ff8ee2e60a0	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetFileAttributesW, address_out = 0x7ff8ee2f5930	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = FindFirstFileW, address_out = 0x7ff8ee2f5840	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = CryptAcquireContextW, address_out = 0x7ff8ee1a89e0	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = MoveFileExW, address_out = 0x7ff8ee2f3010	1	Fn
Get Address	c:\windows\system32\mpr.dll	function = WNetOpenEnumW, address_out = 0x7ff8e9fe2f20	1	Fn
Get Address	c:\windows\system32\ole32.dll	function = CoInitialize, address_out = 0x7ff8ec313870	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = CryptDecrypt, address_out = 0x7ff8ee1a9140	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = CryptImportKey, address_out = 0x7ff8ee1a7b40	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = SetFilePointerEx, address_out = 0x7ff8ee2f5b30	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = CopyFileW, address_out = 0x7ff8ee2f5d70	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = FreeLibrary, address_out = 0x7ff8ee2eeb90	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = CreateProcessW, address_out = 0x7ff8ee2edee0	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = CreateDirectoryW, address_out = 0x7ff8ee2f5740	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = CreateThread, address_out = 0x7ff8ee2ebc20	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = CryptDestroyKey, address_out = 0x7ff8ee1a86b0	1	Fn
Get Address	c:\windows\system32\ole32.dll	function = CoCreateInstance, address_out = 0x7ff8edde7000	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = CreateFileW, address_out = 0x7ff8ee2f5770	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetFileAttributesA, address_out = 0x7ff8ee2f5900	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = CryptEncrypt, address_out = 0x7ff8ee1ad7e0	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = RegDeleteValueW, address_out = 0x7ff8ee1a90b0	1	Fn

System (8)

Operation	Additional Information	Count	Logfile
Sleep	duration = 5000 milliseconds (5.000 seconds)	1	Fn
Sleep	duration = 9000 milliseconds (9.000 seconds)	3	Fn
Get Info	type = Operating System	1	Fn
Get Info	type = Windows Directory, result_out = C:\Windows	3	Fn

Process #7: shellexperiencehost.exe

Information	Value
ID	#7
File Name	c:\windows\systemapps\shellexperiencehost_cw5n1h2txyewy\shellexperiencehost.exe
Command Line	"C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca
Initial Working Directory	C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\
Monitor	Start Time: 00:01:12, Reason: Injection
Unmonitor	End Time: 00:01:36, Reason: Self Terminated
Monitor Duration	00:00:24
Remark	No high level activity detected in monitored regions

OS Process Information

Information	Value
PID	0x9a0
Parent PID	0x248 (c:\windows\system32\svchost.exe)
Is Created or Modified Executable
Integrity Level	Low
Username	LHNIWSJ\CIiHmnxMn6Ps
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x BF0 0x 7CC 0x 7F4 0x AB8 0x AB4 0x AAC 0x AA8 0x AA4 0x AA0 0x A7C 0x A70 0x A68 0x A50 0x A44 0x A38 0x A30 0x A24 0x A20 0x A00 0x 9FC 0x 9F4 0x 9F0 0x 9EC 0x 9E8 0x 9E0 0x 9D0 0x 9CC 0x 9C0 0x 9BC 0x 9B8 0x 9B4 0x 9B0 0x 9A4 0x D04

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	r	-
pagefile_0x0000001a8bef0000	0x1a8bef0000	0x1a8befffff	Pagefile Backed Memory	rw	-
private_0x0000001a8bf00000	0x1a8bf00000	0x1a8bf00fff	Private Memory	rw	-
pagefile_0x0000001a8bf10000	0x1a8bf10000	0x1a8bf23fff	Pagefile Backed Memory	r	-
private_0x0000001a8bf30000	0x1a8bf30000	0x1a8c02ffff	Private Memory	rw	-
pagefile_0x0000001a8c030000	0x1a8c030000	0x1a8c033fff	Pagefile Backed Memory	r	-
private_0x0000001a8c040000	0x1a8c040000	0x1a8c041fff	Private Memory	rw	-
private_0x0000001a8c050000	0x1a8c050000	0x1a8c050fff	Private Memory	rw	-
locale.nls	0x1a8c060000	0x1a8c11dfff	Memory Mapped File	r	-
pagefile_0x0000001a8c120000	0x1a8c120000	0x1a8c149fff	Pagefile Backed Memory	rw	-
pagefile_0x0000001a8c150000	0x1a8c150000	0x1a8c150fff	Pagefile Backed Memory	r	-
private_0x0000001a8c160000	0x1a8c160000	0x1a8c166fff	Private Memory	rw	-
pagefile_0x0000001a8c170000	0x1a8c170000	0x1a8c170fff	Pagefile Backed Memory	rw	-
pagefile_0x0000001a8c180000	0x1a8c180000	0x1a8c180fff	Pagefile Backed Memory	rw	-
pagefile_0x0000001a8c190000	0x1a8c190000	0x1a8c190fff	Pagefile Backed Memory	rw	-
private_0x0000001a8c1a0000	0x1a8c1a0000	0x1a8c1a0fff	Private Memory	rw	-
private_0x0000001a8c1b0000	0x1a8c1b0000	0x1a8c1b0fff	Private Memory	rw	-
2504515037.pri	0x1a8c1c0000	0x1a8c1cbfff	Memory Mapped File	r	-
pagefile_0x0000001a8c1d0000	0x1a8c1d0000	0x1a8c1d0fff	Pagefile Backed Memory	rw	-
resources.en-us.pri	0x1a8c1f0000	0x1a8c1fcfff	Memory Mapped File	r	-
private_0x0000001a8c200000	0x1a8c200000	0x1a8c2fffff	Private Memory	rw	-
private_0x0000001a8c300000	0x1a8c300000	0x1a8c3fffff	Private Memory	rw	-
private_0x0000001a8c400000	0x1a8c400000	0x1a8c4fffff	Private Memory	rw	-
private_0x0000001a8c500000	0x1a8c500000	0x1a8c506fff	Private Memory	rw	-
kernelbase.dll.mui	0x1a8c510000	0x1a8c5eefff	Memory Mapped File	r	-
pagefile_0x0000001a8c5f0000	0x1a8c5f0000	0x1a8c5f1fff	Pagefile Backed Memory	rw	-
private_0x0000001a8c600000	0x1a8c600000	0x1a8c6fffff	Private Memory	rw	-
pagefile_0x0000001a8c700000	0x1a8c700000	0x1a8c887fff	Pagefile Backed Memory	r	-
pagefile_0x0000001a8c890000	0x1a8c890000	0x1a8ca10fff	Pagefile Backed Memory	r	-
pagefile_0x0000001a8ca20000	0x1a8ca20000	0x1a8de1ffff	Pagefile Backed Memory	r	-
windows.ui.xaml.resources.dll	0x1a8de20000	0x1a8df56fff	Memory Mapped File	r	-
sortdefault.nls	0x1a8df60000	0x1a8e296fff	Memory Mapped File	r	-
private_0x0000001a8e2a0000	0x1a8e2a0000	0x1a8e39ffff	Private Memory	rw	-
private_0x0000001a8e3a0000	0x1a8e3a0000	0x1a8e49ffff	Private Memory	rw	-
private_0x0000001a8e4a0000	0x1a8e4a0000	0x1a8e59ffff	Private Memory	rw	-
pagefile_0x0000001a8e5a0000	0x1a8e5a0000	0x1a8e5affff	Pagefile Backed Memory	rw	-
pagefile_0x0000001a8e5b0000	0x1a8e5b0000	0x1a8e5bffff	Pagefile Backed Memory	rw	-
pagefile_0x0000001a8e5c0000	0x1a8e5c0000	0x1a8e5cffff	Pagefile Backed Memory	rw	-
windows.ui.xaml.dll.mui	0x1a8e5d0000	0x1a8e5d9fff	Memory Mapped File	r	-
tilecache_100_0_header.bin	0x1a8e5e0000	0x1a8e5e2fff	Memory Mapped File	rw	-
private_0x0000001a8e5f0000	0x1a8e5f0000	0x1a8e5f0fff	Private Memory	rw	-
private_0x0000001a8e600000	0x1a8e600000	0x1a8e606fff	Private Memory	rw	-
pagefile_0x0000001a8e610000	0x1a8e610000	0x1a8e613fff	Pagefile Backed Memory	rw	-
private_0x0000001a8e620000	0x1a8e620000	0x1a8e620fff	Private Memory	rw	-
private_0x0000001a8e630000	0x1a8e630000	0x1a8e636fff	Private Memory	rw	-
~fontcache-system.dat	0x1a8e640000	0x1a8e6b5fff	Memory Mapped File	r	-
pagefile_0x0000001a8e6c0000	0x1a8e6c0000	0x1a8e6f1fff	Pagefile Backed Memory	rw	-
private_0x0000001a8e700000	0x1a8e700000	0x1a8e7fffff	Private Memory	rw	-
private_0x0000001a8e800000	0x1a8e800000	0x1a8e8fffff	Private Memory	rw	-
private_0x0000001a8e900000	0x1a8e900000	0x1a8f0fffff	Private Memory	-	-
private_0x0000001a8f100000	0x1a8f100000	0x1a8f1fffff	Private Memory	rw	-
resources.pri	0x1a8f200000	0x1a8f2d3fff	Memory Mapped File	r	-
private_0x0000001a8f2e0000	0x1a8f2e0000	0x1a8f3dffff	Private Memory	rw	-
private_0x0000001a8f3e0000	0x1a8f3e0000	0x1a8f4dffff	Private Memory	rw	-
private_0x0000001a8f4e0000	0x1a8f4e0000	0x1a8f4e0fff	Private Memory	rw	-
pagefile_0x0000001a8f4f0000	0x1a8f4f0000	0x1a8f4f3fff	Pagefile Backed Memory	rw	-
private_0x0000001a8f500000	0x1a8f500000	0x1a8f5fffff	Private Memory	rw	-
private_0x0000001a8f600000	0x1a8f600000	0x1a8f6fffff	Private Memory	rw	-
private_0x0000001a8f700000	0x1a8f700000	0x1a8f7fffff	Private Memory	rw	-
private_0x0000001a8f800000	0x1a8f800000	0x1a8f8fffff	Private Memory	rw	-
private_0x0000001a8f900000	0x1a8f900000	0x1a8f9fffff	Private Memory	rw	-
private_0x0000001a8fa00000	0x1a8fa00000	0x1a8fafffff	Private Memory	rw	-
private_0x0000001a8fb00000	0x1a8fb00000	0x1a8fbfffff	Private Memory	rw	-
private_0x0000001a8fc00000	0x1a8fc00000	0x1a8fcfffff	Private Memory	rw	-
private_0x0000001a8fe00000	0x1a8fe00000	0x1a8fefffff	Private Memory	rw	-
private_0x0000001a90000000	0x1a90000000	0x1a900fffff	Private Memory	rw	-
private_0x0000001a90100000	0x1a90100000	0x1a901fffff	Private Memory	rw	-
private_0x0000001a90400000	0x1a90400000	0x1a904fffff	Private Memory	rw	-
private_0x0000001a90500000	0x1a90500000	0x1a905fffff	Private Memory	rw	-
private_0x0000001a90610000	0x1a90610000	0x1a90610fff	Private Memory	rw	-
private_0x0000001a90620000	0x1a90620000	0x1a90620fff	Private Memory	rw	-
private_0x0000001a90630000	0x1a90630000	0x1a90636fff	Private Memory	rw	-
private_0x0000001a90640000	0x1a90640000	0x1a906bffff	Private Memory	rw	-
pagefile_0x0000001a906c0000	0x1a906c0000	0x1a906c3fff	Pagefile Backed Memory	rw	-
private_0x0000001a906d0000	0x1a906d0000	0x1a906d0fff	Private Memory	rw	-
pagefile_0x0000001a906e0000	0x1a906e0000	0x1a906e3fff	Pagefile Backed Memory	rw	-
msxml6r.dll	0x1a906f0000	0x1a906f0fff	Memory Mapped File	r	-
private_0x0000001a90700000	0x1a90700000	0x1a907fffff	Private Memory	rw	-
~fontcache-fontface.dat	0x1a90800000	0x1a917fffff	Memory Mapped File	r	-
~fontcache-s-1-5-21-1462094071-1423818996-289466292-1000.dat	0x1a91800000	0x1a91ffffff	Memory Mapped File	r	-
segoeui.ttf	0x1a92000000	0x1a920defff	Memory Mapped File	r	-
private_0x0000001a92100000	0x1a92100000	0x1a921fffff	Private Memory	rw	-
private_0x0000001a92200000	0x1a92200000	0x1a922fffff	Private Memory	rw	-
private_0x0000001a92300000	0x1a92300000	0x1a923fffff	Private Memory	rw	-
tilecache_100_0_data.bin	0x1a92400000	0x1a924fffff	Memory Mapped File	rw	-
private_0x0000001a927b0000	0x1a927b0000	0x1a927b6fff	Private Memory	rw	-
private_0x0000001a92800000	0x1a92800000	0x1a928fffff	Private Memory	rw	-
private_0x0000001a92900000	0x1a92900000	0x1a929fffff	Private Memory	rw	-
private_0x0000001a92a00000	0x1a92a00000	0x1a92afffff	Private Memory	rw	-
private_0x0000001a92d00000	0x1a92d00000	0x1a92dfffff	Private Memory	rw	-
private_0x0000001a93100000	0x1a93100000	0x1a931fffff	Private Memory	rw	-
pagefile_0x0000001a93200000	0x1a93200000	0x1a934bffff	Pagefile Backed Memory	rw	-
private_0x0000001a934c0000	0x1a934c0000	0x1a935bffff	Private Memory	rw	-
private_0x0000001a936c0000	0x1a936c0000	0x1a937bffff	Private Memory	rw	-
private_0x0000001a938c0000	0x1a938c0000	0x1a939bffff	Private Memory	rw	-
private_0x0000001a93ac0000	0x1a93ac0000	0x1a93bbffff	Private Memory	rw	-
private_0x0000001a93bc0000	0x1a93bc0000	0x1a93cbffff	Private Memory	rw	-
private_0x0000001a93cc0000	0x1a93cc0000	0x1a93dbffff	Private Memory	rw	-
private_0x0000001a93dc0000	0x1a93dc0000	0x1a93ebffff	Private Memory	rw	-
private_0x0000001a93f00000	0x1a93f00000	0x1a93ffffff	Private Memory	rw	-
private_0x0000001a94100000	0x1a94100000	0x1a941fffff	Private Memory	rw	-
private_0x0000001a94200000	0x1a94200000	0x1a942fffff	Private Memory	rw	-
private_0x0000001a94300000	0x1a94300000	0x1a943fffff	Private Memory	rw	-
private_0x0000001a94560000	0x1a94560000	0x1a94566fff	Private Memory	rw	-
private_0x0000001a94600000	0x1a94600000	0x1a946fffff	Private Memory	rw	-
private_0x0000001a94700000	0x1a94700000	0x1a947fffff	Private Memory	rw	-
private_0x0000001a94800000	0x1a94800000	0x1a948fffff	Private Memory	rw	-
private_0x0000001a94900000	0x1a94900000	0x1a949fffff	Private Memory	rw	-
private_0x0000001a94a00000	0x1a94a00000	0x1a94afffff	Private Memory	rw	-
private_0x00007ff60020a000	0x7ff60020a000	0x7ff60020bfff	Private Memory	rw	-
private_0x00007ff60020c000	0x7ff60020c000	0x7ff60020dfff	Private Memory	rw	-
private_0x00007ff600210000	0x7ff600210000	0x7ff600211fff	Private Memory	rw	-
private_0x00007ff600212000	0x7ff600212000	0x7ff600213fff	Private Memory	rw	-
private_0x00007ff600216000	0x7ff600216000	0x7ff600217fff	Private Memory	rw	-
private_0x00007ff600218000	0x7ff600218000	0x7ff600219fff	Private Memory	rw	-
private_0x00007ff60021a000	0x7ff60021a000	0x7ff60021bfff	Private Memory	rw	-
private_0x00007ff60021c000	0x7ff60021c000	0x7ff60021dfff	Private Memory	rw	-
private_0x00007ff600220000	0x7ff600220000	0x7ff600221fff	Private Memory	rw	-
private_0x00007ff600224000	0x7ff600224000	0x7ff600225fff	Private Memory	rw	-
private_0x00007ff600228000	0x7ff600228000	0x7ff600229fff	Private Memory	rw	-
private_0x00007ff600230000	0x7ff600230000	0x7ff600231fff	Private Memory	rw	-
private_0x00007ff600236000	0x7ff600236000	0x7ff600237fff	Private Memory	rw	-
private_0x00007ff60023c000	0x7ff60023c000	0x7ff60023dfff	Private Memory	rw	-
private_0x00007ff60023e000	0x7ff60023e000	0x7ff60023ffff	Private Memory	rw	-
private_0x00007ff600244000	0x7ff600244000	0x7ff600245fff	Private Memory	rw	-
private_0x00007ff600246000	0x7ff600246000	0x7ff600247fff	Private Memory	rw	-
private_0x00007ff60024c000	0x7ff60024c000	0x7ff60024dfff	Private Memory	rw	-
private_0x00007ff60024e000	0x7ff60024e000	0x7ff60024ffff	Private Memory	rw	-
private_0x00007ff600250000	0x7ff600250000	0x7ff600251fff	Private Memory	rw	-
private_0x00007ff600252000	0x7ff600252000	0x7ff600253fff	Private Memory	rw	-
private_0x00007ff600254000	0x7ff600254000	0x7ff600255fff	Private Memory	rw	-
private_0x00007ff600256000	0x7ff600256000	0x7ff600257fff	Private Memory	rw	-
private_0x00007ff600258000	0x7ff600258000	0x7ff600259fff	Private Memory	rw	-
private_0x00007ff60025a000	0x7ff60025a000	0x7ff60025bfff	Private Memory	rw	-
private_0x00007ff60025c000	0x7ff60025c000	0x7ff60025dfff	Private Memory	rw	-
private_0x00007ff60025e000	0x7ff60025e000	0x7ff60025ffff	Private Memory	rw	-
pagefile_0x00007ff600260000	0x7ff600260000	0x7ff60035ffff	Pagefile Backed Memory	r	-
pagefile_0x00007ff600360000	0x7ff600360000	0x7ff600382fff	Pagefile Backed Memory	r	-
private_0x00007ff600383000	0x7ff600383000	0x7ff600384fff	Private Memory	rw	-
private_0x00007ff600385000	0x7ff600385000	0x7ff600386fff	Private Memory	rw	-
private_0x00007ff600387000	0x7ff600387000	0x7ff600388fff	Private Memory	rw	-
private_0x00007ff600389000	0x7ff600389000	0x7ff60038afff	Private Memory	rw	-
private_0x00007ff60038b000	0x7ff60038b000	0x7ff60038cfff	Private Memory	rw	-
private_0x00007ff60038d000	0x7ff60038d000	0x7ff60038efff	Private Memory	rw	-
private_0x00007ff60038f000	0x7ff60038f000	0x7ff60038ffff	Private Memory	rw	-
shellexperiencehost.exe	0x7ff600d40000	0x7ff600f2dfff	Memory Mapped File	rwx	-
private_0x00007ff7afc80000	0x7ff7afc80000	0x7ff7afcb4fff	Private Memory	rwx	-
personax.dll	0x7ff8daa00000	0x7ff8daa2afff	Memory Mapped File	rwx	-
rtmediaframe.dll	0x7ff8db970000	0x7ff8db9e5fff	Memory Mapped File	rwx	-
windows.graphics.dll	0x7ff8dba90000	0x7ff8dbae9fff	Memory Mapped File	rwx	-
For performance reasons, the remaining 71 entries are omitted. The remaining entries can be found in flog.txt.

Injection Information

Injection Type	Source Process	Source Os Thread ID	Information	Success	Count	Logfile
Create Remote Thread	#1: c:\users\ciihmnxmn6ps\desktop\eqbnr.exe	0x630	address = 0x7ff7afc819a0		1	Fn

Process #8: reg.exe

Information	Value
ID	#8
File Name	c:\windows\system32\reg.exe
Command Line	REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\CIiHmnxMn6Ps\Desktop\eqBNr.exe" /f
Initial Working Directory	C:\Users\CIiHmnxMn6Ps\Desktop\
Monitor	Start Time: 00:01:13, Reason: Child Process
Unmonitor	End Time: 00:01:14, Reason: Self Terminated
Monitor Duration	00:00:01

OS Process Information

Information	Value
PID	0xd08
Parent PID	0xc80 (c:\windows\system32\cmd.exe)
Is Created or Modified Executable
Integrity Level	High (Elevated)
Username	LHNIWSJ\CIiHmnxMn6Ps
Enabled Privileges	SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs	0x D0C 0x D2C

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	r	-
private_0x000000d4951d0000	0xd4951d0000	0xd4951effff	Private Memory	rw	-
pagefile_0x000000d4951d0000	0xd4951d0000	0xd4951dffff	Pagefile Backed Memory	rw	-
private_0x000000d4951e0000	0xd4951e0000	0xd4951e6fff	Private Memory	rw	-
pagefile_0x000000d4951f0000	0xd4951f0000	0xd495203fff	Pagefile Backed Memory	r	-
private_0x000000d495210000	0xd495210000	0xd49528ffff	Private Memory	rw	-
pagefile_0x000000d495290000	0xd495290000	0xd495293fff	Pagefile Backed Memory	r	-
pagefile_0x000000d4952a0000	0xd4952a0000	0xd4952a0fff	Pagefile Backed Memory	r	-
private_0x000000d4952b0000	0xd4952b0000	0xd4952b1fff	Private Memory	rw	-
private_0x000000d4952c0000	0xd4952c0000	0xd4952c6fff	Private Memory	rw	-
private_0x000000d495310000	0xd495310000	0xd49540ffff	Private Memory	rw	-
locale.nls	0xd495410000	0xd4954cdfff	Memory Mapped File	r	-
private_0x000000d4954d0000	0xd4954d0000	0xd49554ffff	Private Memory	rw	-
kernelbase.dll.mui	0xd495550000	0xd49562efff	Memory Mapped File	r	-
private_0x000000d4956f0000	0xd4956f0000	0xd4956fffff	Private Memory	rw	-
sortdefault.nls	0xd495700000	0xd495a36fff	Memory Mapped File	r	-
pagefile_0x00007df5ff9d0000	0x7df5ff9d0000	0x7ff5ff9cffff	Pagefile Backed Memory	-	-
pagefile_0x00007ff6efa90000	0x7ff6efa90000	0x7ff6efb8ffff	Pagefile Backed Memory	r	-
pagefile_0x00007ff6efb90000	0x7ff6efb90000	0x7ff6efbb2fff	Pagefile Backed Memory	r	-
private_0x00007ff6efbb3000	0x7ff6efbb3000	0x7ff6efbb3fff	Private Memory	rw	-
private_0x00007ff6efbbc000	0x7ff6efbbc000	0x7ff6efbbdfff	Private Memory	rw	-
private_0x00007ff6efbbe000	0x7ff6efbbe000	0x7ff6efbbffff	Private Memory	rw	-
reg.exe	0x7ff6f06f0000	0x7ff6f0745fff	Memory Mapped File	rwx	-
kernelbase.dll	0x7ff8eb870000	0x7ff8eba4cfff	Memory Mapped File	rwx	-
sechost.dll	0x7ff8ec240000	0x7ff8ec29afff	Memory Mapped File	rwx	-
rpcrt4.dll	0x7ff8ec450000	0x7ff8ec575fff	Memory Mapped File	rwx	-
ws2_32.dll	0x7ff8ee040000	0x7ff8ee0a8fff	Memory Mapped File	rwx	-
msvcrt.dll	0x7ff8ee0b0000	0x7ff8ee14cfff	Memory Mapped File	rwx	-
advapi32.dll	0x7ff8ee190000	0x7ff8ee235fff	Memory Mapped File	rwx	-
nsi.dll	0x7ff8ee250000	0x7ff8ee257fff	Memory Mapped File	rwx	-
kernel32.dll	0x7ff8ee2d0000	0x7ff8ee37cfff	Memory Mapped File	rwx	-
ntdll.dll	0x7ff8ee380000	0x7ff8ee541fff	Memory Mapped File	rwx	-

Host Behavior

File (6)

Operation	Filename	Additional Information	Count	Logfile
Get Info	STD_OUTPUT_HANDLE	type = file_type	2	Fn
Open	STD_OUTPUT_HANDLE	-	3	Fn
Write	STD_OUTPUT_HANDLE	size = 39	1	Fn Data

Registry (4)

Operation	Key	Additional Information	Count	Logfile
Create Key	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	-	1	Fn
Open Key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System	-	1	Fn
Read Value	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	value_name = svchos	1	Fn
Write Value	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	value_name = svchos, data = C:\Users\CIiHmnxMn6Ps\Desktop\eqBNr.exe, size = 80, type = REG_SZ	1	Fn

Module (1)

Operation	Module	Additional Information	Success	Count	Logfile
Get Handle	c:\windows\system32\reg.exe	base_address = 0x7ff6f06f0000		1	Fn

Process #9: searchui.exe

Information	Value
ID	#9
File Name	c:\windows\systemapps\microsoft.windows.cortana_cw5n1h2txyewy\searchui.exe
Command Line	"C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca
Initial Working Directory	C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\
Monitor	Start Time: 00:01:13, Reason: Injection
Unmonitor	End Time: 00:01:43, Reason: Self Terminated
Monitor Duration	00:00:30
Remark	No high level activity detected in monitored regions

OS Process Information

Information	Value
PID	0xb7c
Parent PID	0x248 (c:\windows\system32\svchost.exe)
Is Created or Modified Executable
Integrity Level	Low
Username	LHNIWSJ\CIiHmnxMn6Ps
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x B64 0x AD8 0x B4C 0x B34 0x AE4 0x B28 0x B30 0x B20 0x B3C 0x B38 0x AFC 0x B04 0x AF4 0x B08 0x B0C 0x B00 0x 388 0x BF4 0x BE4 0x BC8 0x BC0 0x BB8 0x BB4 0x BB0 0x BA4 0x BA0 0x B9C 0x B98 0x B94 0x B8C 0x B88 0x B84 0x B80 0x D24

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	r	-
pagefile_0x000000053ee70000	0x53ee70000	0x53ee7ffff	Pagefile Backed Memory	rw	-
pagefile_0x000000053ee80000	0x53ee80000	0x53ee80fff	Pagefile Backed Memory	r	-
pagefile_0x000000053ee90000	0x53ee90000	0x53eea3fff	Pagefile Backed Memory	r	-
private_0x000000053eeb0000	0x53eeb0000	0x53efaffff	Private Memory	rw	-
pagefile_0x000000053efb0000	0x53efb0000	0x53efb3fff	Pagefile Backed Memory	r	-
private_0x000000053efc0000	0x53efc0000	0x53efc1fff	Private Memory	rw	-
private_0x000000053efd0000	0x53efd0000	0x53efd0fff	Private Memory	rw	-
locale.nls	0x53efe0000	0x53f09dfff	Memory Mapped File	r	-
private_0x000000053f0a0000	0x53f0a0000	0x53f0a0fff	Private Memory	rw	-
pagefile_0x000000053f0b0000	0x53f0b0000	0x53f0b0fff	Pagefile Backed Memory	rw	-
private_0x000000053f0c0000	0x53f0c0000	0x53f0c6fff	Private Memory	rw	-
pagefile_0x000000053f0d0000	0x53f0d0000	0x53f0f9fff	Pagefile Backed Memory	rw	-
private_0x000000053f100000	0x53f100000	0x53f1fffff	Private Memory	rw	-
private_0x000000053f200000	0x53f200000	0x53f2fffff	Private Memory	rw	-
pagefile_0x000000053f300000	0x53f300000	0x53f300fff	Pagefile Backed Memory	rw	-
pagefile_0x000000053f310000	0x53f310000	0x53f310fff	Pagefile Backed Memory	rw	-
private_0x000000053f320000	0x53f320000	0x53f320fff	Private Memory	rw	-
private_0x000000053f330000	0x53f330000	0x53f330fff	Private Memory	rw	-
cortana.search.winmd	0x53f340000	0x53f347fff	Memory Mapped File	rwx	-
counters.dat	0x53f350000	0x53f350fff	Memory Mapped File	r	-
private_0x000000053f360000	0x53f360000	0x53f366fff	Private Memory	rw	-
pagefile_0x000000053f370000	0x53f370000	0x53f370fff	Pagefile Backed Memory	rw	-
resources.pri	0x53f390000	0x53f3b0fff	Memory Mapped File	r	-
2495906576.pri	0x53f3c0000	0x53f3d3fff	Memory Mapped File	r	-
app.xbf	0x53f3e0000	0x53f3e0fff	Memory Mapped File	r	-
pagefile_0x000000053f3f0000	0x53f3f0000	0x53f3f0fff	Pagefile Backed Memory	rw	-
private_0x000000053f400000	0x53f400000	0x53f4fffff	Private Memory	rw	-
private_0x000000053f500000	0x53f500000	0x53f5fffff	Private Memory	rw	-
pagefile_0x000000053f600000	0x53f600000	0x53f787fff	Pagefile Backed Memory	r	-
pagefile_0x000000053f790000	0x53f790000	0x53f910fff	Pagefile Backed Memory	r	-
pagefile_0x000000053f920000	0x53f920000	0x540d1ffff	Pagefile Backed Memory	r	-
windows.ui.xaml.resources.dll	0x540d20000	0x540e56fff	Memory Mapped File	r	-
kernelbase.dll.mui	0x540e60000	0x540f3efff	Memory Mapped File	r	-
sortdefault.nls	0x540f40000	0x541276fff	Memory Mapped File	r	-
private_0x0000000541280000	0x541280000	0x54137ffff	Private Memory	rw	-
private_0x0000000541380000	0x541380000	0x54147ffff	Private Memory	rw	-
private_0x0000000541480000	0x541480000	0x54157ffff	Private Memory	rw	-
private_0x0000000541580000	0x541580000	0x54167ffff	Private Memory	rw	-
private_0x0000000541680000	0x541680000	0x54177ffff	Private Memory	rw	-
private_0x0000000541780000	0x541780000	0x54187ffff	Private Memory	rw	-
resources.en-us.pri	0x541880000	0x541895fff	Memory Mapped File	r	-
dictionary.xbf	0x5418a0000	0x5418a3fff	Memory Mapped File	r	-
reactivecat1themeresources.xbf	0x5418b0000	0x5418b4fff	Memory Mapped File	r	-
speechtextinputthemeresources.xbf	0x5418c0000	0x5418c1fff	Memory Mapped File	r	-
private_0x00000005418d0000	0x5418d0000	0x5418d6fff	Private Memory	rw	-
cortanawindow.xbf	0x5418e0000	0x5418e0fff	Memory Mapped File	r	-
chrome.xbf	0x5418f0000	0x5418f7fff	Memory Mapped File	r	-
private_0x0000000541900000	0x541900000	0x5419fffff	Private Memory	rw	-
private_0x0000000541b00000	0x541b00000	0x541bfffff	Private Memory	rw	-
private_0x0000000541c00000	0x541c00000	0x5423fffff	Private Memory	-	-
private_0x0000000542400000	0x542400000	0x5424fffff	Private Memory	rw	-
private_0x0000000542500000	0x542500000	0x5425fffff	Private Memory	rw	-
private_0x0000000542600000	0x542600000	0x5426fffff	Private Memory	rw	-
private_0x0000000542700000	0x542700000	0x5427fffff	Private Memory	rw	-
private_0x0000000542800000	0x542800000	0x5428fffff	Private Memory	rw	-
private_0x0000000542900000	0x542900000	0x5429fffff	Private Memory	rw	-
shell32.dll.mui	0x542b00000	0x542b60fff	Memory Mapped File	r	-
private_0x0000000542b80000	0x542b80000	0x542c7ffff	Private Memory	rw	-
msxml6r.dll	0x542c80000	0x542c80fff	Memory Mapped File	r	-
pagefile_0x0000000542c90000	0x542c90000	0x542d47fff	Pagefile Backed Memory	r	-
pagefile_0x0000000542d50000	0x542d50000	0x542d53fff	Pagefile Backed Memory	r	-
homeburgermenucontrol.xbf	0x542d60000	0x542d60fff	Memory Mapped File	r	-
greetingscontrol.xbf	0x542d70000	0x542d71fff	Memory Mapped File	r	-
hostedwebviewcontrol.xbf	0x542d80000	0x542d80fff	Memory Mapped File	r	-
private_0x0000000542d90000	0x542d90000	0x542d96fff	Private Memory	rw	-
speechtextinputcontrol.xbf	0x542da0000	0x542da1fff	Memory Mapped File	r	-
searchboxcontrol.xbf	0x542db0000	0x542db0fff	Memory Mapped File	r	-
windows.ui.xaml.dll.mui	0x542dc0000	0x542dc9fff	Memory Mapped File	r	-
private_0x0000000542dd0000	0x542dd0000	0x542dd0fff	Private Memory	rw	-
private_0x0000000542de0000	0x542de0000	0x542de0fff	Private Memory	rw	-
pagefile_0x0000000542df0000	0x542df0000	0x542df3fff	Pagefile Backed Memory	rw	-
private_0x0000000542e00000	0x542e00000	0x542efffff	Private Memory	rw	-
private_0x0000000542f00000	0x542f00000	0x542ffffff	Private Memory	rw	-
private_0x0000000543000000	0x543000000	0x5430fffff	Private Memory	rw	-
private_0x0000000543100000	0x543100000	0x5431fffff	Private Memory	rw	-
pagefile_0x0000000543200000	0x543200000	0x543200fff	Pagefile Backed Memory	rw	-
private_0x0000000543210000	0x543210000	0x543216fff	Private Memory	rw	-
~fontcache-system.dat	0x543220000	0x543295fff	Memory Mapped File	r	-
private_0x00000005432a0000	0x5432a0000	0x5432bffff	Private Memory	rw	-
private_0x00000005432c0000	0x5432c0000	0x5432c0fff	Private Memory	rw	-
private_0x00000005432d0000	0x5432d0000	0x5432d0fff	Private Memory	rw	-
pagefile_0x00000005432e0000	0x5432e0000	0x5432e0fff	Pagefile Backed Memory	rw	-
pagefile_0x00000005432f0000	0x5432f0000	0x5432f0fff	Pagefile Backed Memory	rw	-
private_0x0000000543300000	0x543300000	0x5433fffff	Private Memory	rw	-
private_0x0000000543400000	0x543400000	0x5434fffff	Private Memory	rw	-
~fontcache-fontface.dat	0x543500000	0x5444fffff	Memory Mapped File	r	-
segoeui.ttf	0x544500000	0x5445defff	Memory Mapped File	r	-
~fontcache-s-1-5-21-1462094071-1423818996-289466292-1000.dat	0x5445e0000	0x544ddffff	Memory Mapped File	r	-
private_0x0000000544de0000	0x544de0000	0xd44ddffff	Private Memory	rw	-
private_0x0000000d44de0000	0xd44de0000	0xd44de0fff	Private Memory	rw	-
pagefile_0x0000000d44df0000	0xd44df0000	0xd44dfffff	Pagefile Backed Memory	r	-
private_0x0000000d44e00000	0xd44e00000	0xd44efffff	Private Memory	rw	-
private_0x0000000d44f00000	0xd44f00000	0xd44ffffff	Private Memory	rw	-
private_0x0000000d45000000	0xd45000000	0xd4504ffff	Private Memory	rw	-
edgehtml.dll.mui	0xd45050000	0xd450affff	Memory Mapped File	r	-
pagefile_0x0000000d450b0000	0xd450b0000	0xd450bffff	Pagefile Backed Memory	r	-
private_0x0000000d450c0000	0xd450c0000	0xd450c6fff	Private Memory	rw	-
private_0x0000000d450d0000	0xd450d0000	0xd451cffff	Private Memory	rw	-
private_0x0000000d451d0000	0xd451d0000	0xd451effff	Private Memory	rw	-
windows.foundation.winmd	0xd451f0000	0xd451fefff	Memory Mapped File	rwx	-
private_0x0000000d45200000	0xd45200000	0xd452fffff	Private Memory	rw	-
private_0x0000000d45300000	0xd45300000	0xd453fffff	Private Memory	rw	-
private_0x0000000d45400000	0xd45400000	0xd454fffff	Private Memory	rw	-
private_0x0000000d45500000	0xd45500000	0xd455fffff	Private Memory	rw	-
private_0x0000000d45600000	0xd45600000	0xd456fffff	Private Memory	rw	-
private_0x0000000d45700000	0xd45700000	0xd457fffff	Private Memory	rw	-
private_0x0000000d45800000	0xd45800000	0xd458fffff	Private Memory	rw	-
private_0x0000000d45900000	0xd45900000	0xd459fffff	Private Memory	rw	-
private_0x0000000d45a00000	0xd45a00000	0xd45a1ffff	Private Memory	rw	-
private_0x0000000d45a20000	0xd45a20000	0xd45a6ffff	Private Memory	rw	-
private_0x0000000d45a70000	0xd45a70000	0xd45b6ffff	Private Memory	rw	-
private_0x0000000d45b70000	0xd45b70000	0xd45b8ffff	Private Memory	rw	-
private_0x0000000d45b90000	0xd45b90000	0xd45c8ffff	Private Memory	rw	-
private_0x0000000d45c90000	0xd45c90000	0xd45caffff	Private Memory	rw	-
private_0x0000000d45cb0000	0xd45cb0000	0xd45ccffff	Private Memory	rw	-
private_0x0000000d45cd0000	0xd45cd0000	0xd45ceffff	Private Memory	rw	-
cortana.internal.search.winmd	0xd45cf0000	0xd45d00fff	Memory Mapped File	rwx	-
private_0x0000000d45d10000	0xd45d10000	0xd45d2ffff	Private Memory	rw	-
windows.security.winmd	0xd45d30000	0xd45d4dfff	Memory Mapped File	rwx	-
private_0x0000000d45d50000	0xd45d50000	0xd45e4ffff	Private Memory	rw	-
private_0x0000000d45e50000	0xd45e50000	0xd45e6ffff	Private Memory	rw	-
windows.storage.winmd	0xd45e70000	0xd45e8afff	Memory Mapped File	rwx	-
private_0x0000000d45e90000	0xd45e90000	0xd45eaffff	Private Memory	rw	-
chakra.dll.mui	0xd45eb0000	0xd45eb9fff	Memory Mapped File	r	-
private_0x0000000d45ec0000	0xd45ec0000	0xd45edffff	Private Memory	rw	-
private_0x0000000d45ee0000	0xd45ee0000	0xd45efffff	Private Memory	rwx	-
private_0x0000000d45f00000	0xd45f00000	0xd45f1ffff	Private Memory	rw	-
private_0x0000000d45f20000	0xd45f20000	0xd45f3ffff	Private Memory	rwx	-
private_0x0000000d45f40000	0xd45f40000	0xd45f5ffff	Private Memory	rw	-
private_0x0000000d45f60000	0xd45f60000	0xd45f7ffff	Private Memory	rw	-
private_0x0000000d45f80000	0xd45f80000	0xd45f9ffff	Private Memory	rw	-
private_0x0000000d45fa0000	0xd45fa0000	0xd45fbffff	Private Memory	rw	-
private_0x0000000d45fe0000	0xd45fe0000	0xd45ffffff	Private Memory	rw	-
private_0x0000000d46000000	0xd46000000	0xd460fffff	Private Memory	rw	-
private_0x0000000d46100000	0xd46100000	0xd461fffff	Private Memory	rw	-
private_0x0000000d46200000	0xd46200000	0xd4621ffff	Private Memory	rw	-
private_0x0000000d46220000	0xd46220000	0xd4631ffff	Private Memory	rw	-
private_0x0000000d46320000	0xd46320000	0xd4633ffff	Private Memory	rw	-
private_0x0000000d46340000	0xd46340000	0xd4635ffff	Private Memory	rw	-
private_0x0000000d46360000	0xd46360000	0xd4637ffff	Private Memory	rw	-
private_0x0000000d46380000	0xd46380000	0xd4639ffff	Private Memory	rw	-
private_0x0000000d463a0000	0xd463a0000	0xd463bffff	Private Memory	rw	-
private_0x0000000d463c0000	0xd463c0000	0xd463dffff	Private Memory	rw	-
private_0x0000000d463e0000	0xd463e0000	0xd463fffff	Private Memory	rw	-
private_0x0000000d46400000	0xd46400000	0xd4641ffff	Private Memory	rw	-
private_0x0000000d46460000	0xd46460000	0xd4647ffff	Private Memory	rw	-
private_0x0000000d46480000	0xd46480000	0xd4649ffff	Private Memory	rw	-
private_0x0000000d464c0000	0xd464c0000	0xd464dffff	Private Memory	rw	-
private_0x0000000d464e0000	0xd464e0000	0xd464fffff	Private Memory	rw	-
For performance reasons, the remaining 232 entries are omitted. The remaining entries can be found in flog.txt.

Injection Information

Injection Type	Source Process	Source Os Thread ID	Information	Success	Count	Logfile
Modify Memory	#1: c:\users\ciihmnxmn6ps\desktop\eqbnr.exe	0x630	address = 0x7ff7afc80000, size = 217088		1	Fn Data
Create Remote Thread	#1: c:\users\ciihmnxmn6ps\desktop\eqbnr.exe	0x630	address = 0x7ff7afc819a0		1	Fn

Process #10: backgroundtaskhost.exe

Information	Value
ID	#10
File Name	c:\windows\system32\backgroundtaskhost.exe
Command Line	"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppXy7vb4pc2dr3kc93kfc509b1d0arkfb2x.mca
Initial Working Directory	C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\
Monitor	Start Time: 00:01:19, Reason: Injection
Unmonitor	End Time: 00:01:42, Reason: Self Terminated
Monitor Duration	00:00:23
Remark	No high level activity detected in monitored regions

OS Process Information

Information	Value
PID	0xa1c
Parent PID	0x248 (c:\windows\system32\svchost.exe)
Is Created or Modified Executable
Integrity Level	Low
Username	LHNIWSJ\CIiHmnxMn6Ps
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x 2EC 0x DD0

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	r	-
private_0x0000002f11950000	0x2f11950000	0x2f1196ffff	Private Memory	rw	-
pagefile_0x0000002f11970000	0x2f11970000	0x2f11983fff	Pagefile Backed Memory	r	-
private_0x0000002f11990000	0x2f11990000	0x2f11a0ffff	Private Memory	rw	-
pagefile_0x0000002f11a10000	0x2f11a10000	0x2f11a13fff	Pagefile Backed Memory	r	-
private_0x0000002f11a20000	0x2f11a20000	0x2f11a21fff	Private Memory	rw	-
s-1-5-21-1462094071-1423818996-289466292-1000.pckgdep	0x2f11a30000	0x2f11a30fff	Memory Mapped File	r	-
pagefile_0x00007df5ff7e0000	0x7df5ff7e0000	0x7ff5ff7dffff	Pagefile Backed Memory	-	-
pagefile_0x00007ff6551e0000	0x7ff6551e0000	0x7ff655202fff	Pagefile Backed Memory	r	-
private_0x00007ff65520d000	0x7ff65520d000	0x7ff65520efff	Private Memory	rw	-
private_0x00007ff65520f000	0x7ff65520f000	0x7ff65520ffff	Private Memory	rw	-
backgroundtaskhost.exe	0x7ff6560e0000	0x7ff6560e6fff	Memory Mapped File	rwx	-
private_0x00007ff7afc80000	0x7ff7afc80000	0x7ff7afcb4fff	Private Memory	rwx	-
ntdll.dll	0x7ff8ee380000	0x7ff8ee541fff	Memory Mapped File	rwx	-

Injection Information

Injection Type	Source Process	Source Os Thread ID	Information	Success	Count	Logfile
Modify Memory	#1: c:\users\ciihmnxmn6ps\desktop\eqbnr.exe	0x630	address = 0x7ff7afc80000, size = 217088		1	Fn Data
Create Remote Thread	#1: c:\users\ciihmnxmn6ps\desktop\eqbnr.exe	0x630	address = 0x7ff7afc819a0		1	Fn

Process #11: svchost.exe

Information	Value
ID	#11
File Name	c:\windows\system32\svchost.exe
Command Line	C:\Windows\system32\svchost.exe -k UnistackSvcGroup
Initial Working Directory	C:\Windows\system32\
Monitor	Start Time: 00:01:21, Reason: Injection
Unmonitor	End Time: 00:01:36, Reason: Self Terminated
Monitor Duration	00:00:15

OS Process Information

Information	Value
PID	0xc4c
Parent PID	0x1e8 (c:\windows\system32\services.exe)
Is Created or Modified Executable
Integrity Level	Medium
Username	LHNIWSJ\CIiHmnxMn6Ps
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x C7C 0x C70 0x C50 0x DD4 0x DE4

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	r	-
pagefile_0x000000104d970000	0x104d970000	0x104d97ffff	Pagefile Backed Memory	rw	-
svchost.exe.mui	0x104d980000	0x104d980fff	Memory Mapped File	r	-
pagefile_0x000000104d990000	0x104d990000	0x104d9a3fff	Pagefile Backed Memory	r	-
private_0x000000104d9b0000	0x104d9b0000	0x104da2ffff	Private Memory	rw	-
pagefile_0x000000104da30000	0x104da30000	0x104da33fff	Pagefile Backed Memory	r	-
pagefile_0x000000104da40000	0x104da40000	0x104da40fff	Pagefile Backed Memory	r	-
private_0x000000104da50000	0x104da50000	0x104da51fff	Private Memory	rw	-
locale.nls	0x104da60000	0x104db1dfff	Memory Mapped File	r	-
private_0x000000104db20000	0x104db20000	0x104db9ffff	Private Memory	rw	-
private_0x000000104dba0000	0x104dba0000	0x104dba0fff	Private Memory	rw	-
private_0x000000104dbb0000	0x104dbb0000	0x104dbb0fff	Private Memory	rw	-
phoneutilres.dll	0x104dbc0000	0x104dbc0fff	Memory Mapped File	r	-
private_0x000000104dbd0000	0x104dbd0000	0x104dbd0fff	Private Memory	rw	-
pagefile_0x000000104dbe0000	0x104dbe0000	0x104dbe0fff	Pagefile Backed Memory	r	-
pagefile_0x000000104dbf0000	0x104dbf0000	0x104dbf0fff	Pagefile Backed Memory	r	-
private_0x000000104dc10000	0x104dc10000	0x104dc16fff	Private Memory	rw	-
private_0x000000104dc20000	0x104dc20000	0x104dc9ffff	Private Memory	rw	-
private_0x000000104dce0000	0x104dce0000	0x104dce6fff	Private Memory	rw	-
private_0x000000104dd00000	0x104dd00000	0x104ddfffff	Private Memory	rw	-
private_0x000000104de00000	0x104de00000	0x104defffff	Private Memory	rw	-
pagefile_0x000000104df00000	0x104df00000	0x104e087fff	Pagefile Backed Memory	r	-
pagefile_0x000000104e090000	0x104e090000	0x104e210fff	Pagefile Backed Memory	r	-
pagefile_0x000000104e220000	0x104e220000	0x104f61ffff	Pagefile Backed Memory	r	-
private_0x000000104f620000	0x104f620000	0x104f71ffff	Private Memory	rw	-
private_0x000000104f720000	0x104f720000	0x104f81ffff	Private Memory	rw	-
private_0x000000104f820000	0x104f820000	0x104f91ffff	Private Memory	rw	-
pagefile_0x00007df5ffc90000	0x7df5ffc90000	0x7ff5ffc8ffff	Pagefile Backed Memory	-	-
pagefile_0x00007ff673500000	0x7ff673500000	0x7ff6735fffff	Pagefile Backed Memory	r	-
pagefile_0x00007ff673600000	0x7ff673600000	0x7ff673622fff	Pagefile Backed Memory	r	-
private_0x00007ff673625000	0x7ff673625000	0x7ff673626fff	Private Memory	rw	-
private_0x00007ff673627000	0x7ff673627000	0x7ff673628fff	Private Memory	rw	-
private_0x00007ff673629000	0x7ff673629000	0x7ff67362afff	Private Memory	rw	-
private_0x00007ff67362b000	0x7ff67362b000	0x7ff67362bfff	Private Memory	rw	-
private_0x00007ff67362c000	0x7ff67362c000	0x7ff67362dfff	Private Memory	rw	-
private_0x00007ff67362e000	0x7ff67362e000	0x7ff67362ffff	Private Memory	rw	-
svchost.exe	0x7ff673b40000	0x7ff673b4cfff	Memory Mapped File	rwx	-
private_0x00007ff7afc80000	0x7ff7afc80000	0x7ff7afcb4fff	Private Memory	rwx	-
userdatatimeutil.dll	0x7ff8d5010000	0x7ff8d5030fff	Memory Mapped File	rwx	-
userdatalanguageutil.dll	0x7ff8d5520000	0x7ff8d5530fff	Memory Mapped File	rwx	-
phoneutil.dll	0x7ff8d5540000	0x7ff8d5580fff	Memory Mapped File	rwx	-
pimstore.dll	0x7ff8d5590000	0x7ff8d5700fff	Memory Mapped File	rwx	-
syncutil.dll	0x7ff8d5710000	0x7ff8d5756fff	Memory Mapped File	rwx	-
accountaccessor.dll	0x7ff8d5770000	0x7ff8d57a5fff	Memory Mapped File	rwx	-
cemapi.dll	0x7ff8d57b0000	0x7ff8d57effff	Memory Mapped File	rwx	-
synccontroller.dll	0x7ff8d57f0000	0x7ff8d585bfff	Memory Mapped File	rwx	-
aphostservice.dll	0x7ff8d5860000	0x7ff8d58adfff	Memory Mapped File	rwx	-
userdataplatformhelperutil.dll	0x7ff8d5f20000	0x7ff8d5f35fff	Memory Mapped File	rwx	-
networkhelper.dll	0x7ff8d7680000	0x7ff8d7696fff	Memory Mapped File	rwx	-
aphostclient.dll	0x7ff8db590000	0x7ff8db59ffff	Memory Mapped File	rwx	-
vaultcli.dll	0x7ff8dcd60000	0x7ff8dcda7fff	Memory Mapped File	rwx	-
inproclogger.dll	0x7ff8df180000	0x7ff8df18cfff	Memory Mapped File	rwx	-
userdatatypehelperutil.dll	0x7ff8e1050000	0x7ff8e1060fff	Memory Mapped File	rwx	-
dsclient.dll	0x7ff8e1650000	0x7ff8e165bfff	Memory Mapped File	rwx	-
esent.dll	0x7ff8e1940000	0x7ff8e1c21fff	Memory Mapped File	rwx	-
mccspal.dll	0x7ff8e2fe0000	0x7ff8e2feafff	Memory Mapped File	rwx	-
iertutil.dll	0x7ff8e3c30000	0x7ff8e3fa5fff	Memory Mapped File	rwx	-
winhttp.dll	0x7ff8e5dd0000	0x7ff8e5ea5fff	Memory Mapped File	rwx	-
wintypes.dll	0x7ff8e7430000	0x7ff8e7560fff	Memory Mapped File	rwx	-
winnsi.dll	0x7ff8e8460000	0x7ff8e846afff	Memory Mapped File	rwx	-
iphlpapi.dll	0x7ff8e8480000	0x7ff8e84b7fff	Memory Mapped File	rwx	-
nlaapi.dll	0x7ff8e84e0000	0x7ff8e84f7fff	Memory Mapped File	rwx	-
mpr.dll	0x7ff8e9fe0000	0x7ff8e9ffbfff	Memory Mapped File	rwx	-
ntmarta.dll	0x7ff8ea0f0000	0x7ff8ea121fff	Memory Mapped File	rwx	-
ntlmshared.dll	0x7ff8ea550000	0x7ff8ea55afff	Memory Mapped File	rwx	-
msv1_0.dll	0x7ff8ea560000	0x7ff8ea5befff	Memory Mapped File	rwx	-
cryptsp.dll	0x7ff8ea620000	0x7ff8ea636fff	Memory Mapped File	rwx	-
cryptdll.dll	0x7ff8ea770000	0x7ff8ea783fff	Memory Mapped File	rwx	-
cryptbase.dll	0x7ff8ea790000	0x7ff8ea79afff	Memory Mapped File	rwx	-
sspicli.dll	0x7ff8ea9d0000	0x7ff8ea9fbfff	Memory Mapped File	rwx	-
bcrypt.dll	0x7ff8eabd0000	0x7ff8eabf7fff	Memory Mapped File	rwx	-
bcryptprimitives.dll	0x7ff8eac00000	0x7ff8eac6afff	Memory Mapped File	rwx	-
powrprof.dll	0x7ff8eadd0000	0x7ff8eae19fff	Memory Mapped File	rwx	-
kernel.appcore.dll	0x7ff8eae20000	0x7ff8eae2efff	Memory Mapped File	rwx	-
profapi.dll	0x7ff8eae30000	0x7ff8eae42fff	Memory Mapped File	rwx	-
windows.storage.dll	0x7ff8eb180000	0x7ff8eb7a7fff	Memory Mapped File	rwx	-
shcore.dll	0x7ff8eb7b0000	0x7ff8eb862fff	Memory Mapped File	rwx	-
kernelbase.dll	0x7ff8eb870000	0x7ff8eba4cfff	Memory Mapped File	rwx	-
oleaut32.dll	0x7ff8ebb30000	0x7ff8ebbedfff	Memory Mapped File	rwx	-
user32.dll	0x7ff8ebdc0000	0x7ff8ebf0dfff	Memory Mapped File	rwx	-
msctf.dll	0x7ff8ec0c0000	0x7ff8ec21bfff	Memory Mapped File	rwx	-
sechost.dll	0x7ff8ec240000	0x7ff8ec29afff	Memory Mapped File	rwx	-
ole32.dll	0x7ff8ec300000	0x7ff8ec440fff	Memory Mapped File	rwx	-
rpcrt4.dll	0x7ff8ec450000	0x7ff8ec575fff	Memory Mapped File	rwx	-
shell32.dll	0x7ff8ec580000	0x7ff8edaa4fff	Memory Mapped File	rwx	-
clbcatq.dll	0x7ff8edb10000	0x7ff8edbb4fff	Memory Mapped File	rwx	-
gdi32.dll	0x7ff8edbc0000	0x7ff8edd44fff	Memory Mapped File	rwx	-
combase.dll	0x7ff8edd60000	0x7ff8edfdbfff	Memory Mapped File	rwx	-
shlwapi.dll	0x7ff8edfe0000	0x7ff8ee030fff	Memory Mapped File	rwx	-
msvcrt.dll	0x7ff8ee0b0000	0x7ff8ee14cfff	Memory Mapped File	rwx	-
imm32.dll	0x7ff8ee150000	0x7ff8ee185fff	Memory Mapped File	rwx	-
advapi32.dll	0x7ff8ee190000	0x7ff8ee235fff	Memory Mapped File	rwx	-
nsi.dll	0x7ff8ee250000	0x7ff8ee257fff	Memory Mapped File	rwx	-
kernel32.dll	0x7ff8ee2d0000	0x7ff8ee37cfff	Memory Mapped File	rwx	-
ntdll.dll	0x7ff8ee380000	0x7ff8ee541fff	Memory Mapped File	rwx	-

Injection Information

Injection Type	Source Process	Source Os Thread ID	Information	Success	Count	Logfile
Modify Memory	#1: c:\users\ciihmnxmn6ps\desktop\eqbnr.exe	0x630	address = 0x7ff7afc80000, size = 217088		1	Fn Data
Create Remote Thread	#1: c:\users\ciihmnxmn6ps\desktop\eqbnr.exe	0x630	address = 0x7ff7afc819a0		1	Fn

Host Behavior

File (1)

Operation	Filename	Additional Information	Success	Count	Logfile
Create	C:\users\Public\sys	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_HIDDEN		1	Fn

Module (78)

Operation	Module	Additional Information	Count	Logfile
Load	kernel32.dll	base_address = 0x7ff8ee2d0000	1	Fn
Load	mpr.dll	base_address = 0x7ff8e9fe0000	1	Fn
Load	advapi32.dll	base_address = 0x7ff8ee190000	1	Fn
Load	ole32.dll	base_address = 0x7ff8ec300000	1	Fn
Load	Shell32.dll	base_address = 0x7ff8ec580000	1	Fn
Load	Iphlpapi.dll	base_address = 0x7ff8e8480000	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = LoadLibraryA, address_out = 0x7ff8ee2f2080	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetLastError, address_out = 0x7ff8ee2e6060	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = VirtualFree, address_out = 0x7ff8ee2ebc10	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = CryptExportKey, address_out = 0x7ff8ee1a7b50	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = DeleteFileW, address_out = 0x7ff8ee2f57a0	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetDriveTypeW, address_out = 0x7ff8ee2f58f0	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetCommandLineW, address_out = 0x7ff8ee2f0150	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetStartupInfoW, address_out = 0x7ff8ee2eed80	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = FindNextFileW, address_out = 0x7ff8ee2f5880	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = VirtualAlloc, address_out = 0x7ff8ee2ebaf0	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetUserNameA, address_out = 0x7ff8ee1bec40	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = ExitProcess, address_out = 0x7ff8ee2eef50	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = Wow64RevertWow64FsRedirection, address_out = 0x7ff8ee3136a0	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = CreateProcessA, address_out = 0x7ff8ee2ed5b0	1	Fn
Get Address	c:\windows\system32\iphlpapi.dll	function = GetIpNetTable, address_out = 0x7ff8e849f0b0	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetVersionExW, address_out = 0x7ff8ee2eaa30	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = Wow64DisableWow64FsRedirection, address_out = 0x7ff8ee313690	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetSystemDefaultLangID, address_out = 0x7ff8ee2f2ba0	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetUserNameW, address_out = 0x7ff8ee1ada40	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = ReadFile, address_out = 0x7ff8ee2f5a90	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = RegQueryValueExA, address_out = 0x7ff8ee1a7dd0	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = CloseHandle, address_out = 0x7ff8ee2f5510	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = RegSetValueExW, address_out = 0x7ff8ee1a7850	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = RegCloseKey, address_out = 0x7ff8ee1a72e0	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = CopyFileA, address_out = 0x7ff8ee30e430	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = SetFileAttributesW, address_out = 0x7ff8ee2f5b00	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = WinExec, address_out = 0x7ff8ee311e60	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = CryptDeriveKey, address_out = 0x7ff8ee1c07a0	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = CryptGenKey, address_out = 0x7ff8ee1acab0	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = Sleep, address_out = 0x7ff8ee2e8f00	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetCurrentProcess, address_out = 0x7ff8ee2e6580	1	Fn
Get Address	c:\windows\system32\shell32.dll	function = ShellExecuteW, address_out = 0x7ff8ec6cabc0	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetFileSize, address_out = 0x7ff8ee2f5950	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GlobalAlloc, address_out = 0x7ff8ee2eb810	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = FindClose, address_out = 0x7ff8ee2f57c0	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = WaitForMultipleObjects, address_out = 0x7ff8ee2f56e0	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetModuleFileNameA, address_out = 0x7ff8ee2f0c70	1	Fn
Get Address	c:\windows\system32\shell32.dll	function = ShellExecuteA, address_out = 0x7ff8ec787de0	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetModuleHandleA, address_out = 0x7ff8ee2ee6d0	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetModuleFileNameW, address_out = 0x7ff8ee2eeca0	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = CreateFileA, address_out = 0x7ff8ee2f5760	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetFileSizeEx, address_out = 0x7ff8ee2f5960	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = WriteFile, address_out = 0x7ff8ee2f5b80	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetLogicalDrives, address_out = 0x7ff8ee2e66d0	1	Fn
Get Address	c:\windows\system32\mpr.dll	function = WNetEnumResourceW, address_out = 0x7ff8e9fe27d0	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = RegOpenKeyExW, address_out = 0x7ff8ee1a6cb0	1	Fn
Get Address	c:\windows\system32\mpr.dll	function = WNetCloseEnum, address_out = 0x7ff8e9fe2e20	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetWindowsDirectoryW, address_out = 0x7ff8ee2f2940	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = SetFileAttributesA, address_out = 0x7ff8ee2f5af0	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = RegOpenKeyExA, address_out = 0x7ff8ee1a7d70	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = SetFilePointer, address_out = 0x7ff8ee2f5b20	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetTickCount, address_out = 0x7ff8ee2e60a0	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetFileAttributesW, address_out = 0x7ff8ee2f5930	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = FindFirstFileW, address_out = 0x7ff8ee2f5840	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = CryptAcquireContextW, address_out = 0x7ff8ee1a89e0	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = MoveFileExW, address_out = 0x7ff8ee2f3010	1	Fn
Get Address	c:\windows\system32\mpr.dll	function = WNetOpenEnumW, address_out = 0x7ff8e9fe2f20	1	Fn
Get Address	c:\windows\system32\ole32.dll	function = CoInitialize, address_out = 0x7ff8ec313870	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = CryptDecrypt, address_out = 0x7ff8ee1a9140	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = CryptImportKey, address_out = 0x7ff8ee1a7b40	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = SetFilePointerEx, address_out = 0x7ff8ee2f5b30	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = CopyFileW, address_out = 0x7ff8ee2f5d70	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = FreeLibrary, address_out = 0x7ff8ee2eeb90	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = CreateProcessW, address_out = 0x7ff8ee2edee0	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = CreateDirectoryW, address_out = 0x7ff8ee2f5740	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = CreateThread, address_out = 0x7ff8ee2ebc20	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = CryptDestroyKey, address_out = 0x7ff8ee1a86b0	1	Fn
Get Address	c:\windows\system32\ole32.dll	function = CoCreateInstance, address_out = 0x7ff8edde7000	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = CreateFileW, address_out = 0x7ff8ee2f5770	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetFileAttributesA, address_out = 0x7ff8ee2f5900	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = CryptEncrypt, address_out = 0x7ff8ee1ad7e0	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = RegDeleteValueW, address_out = 0x7ff8ee1a90b0	1	Fn

System (3)

Operation	Additional Information	Count	Logfile
Sleep	duration = 5000 milliseconds (5.000 seconds)	1	Fn
Get Info	type = Operating System	1	Fn
Get Info	type = Windows Directory, result_out = C:\Windows	1	Fn

Process #12: eqbnr.exe

112

Information	Value
ID	#12
File Name	c:\users\ciihmnxmn6ps\desktop\eqbnr.exe
Command Line	"C:\Users\CIiHmnxMn6Ps\Desktop\eqBNr.exe"
Initial Working Directory	C:\Windows\system32\
Monitor	Start Time: 00:02:44, Reason: Autostart
Unmonitor	End Time: 00:02:57, Reason: Self Terminated
Monitor Duration	00:00:13

OS Process Information

Information	Value
PID	0x5dc
Parent PID	0x5d4 (c:\windows\explorer.exe)
Is Created or Modified Executable
Integrity Level	Medium
Username	LHNIWSJ\CIiHmnxMn6Ps
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x 868 0x 864 0x BB0 0x 2E8 0x BD0 0x 2E4 0x 760

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	r	-
private_0x0000002eee590000	0x2eee590000	0x2eee5affff	Private Memory	rw	-
pagefile_0x0000002eee590000	0x2eee590000	0x2eee59ffff	Pagefile Backed Memory	rw	-
private_0x0000002eee5a0000	0x2eee5a0000	0x2eee5a6fff	Private Memory	rw	-
pagefile_0x0000002eee5b0000	0x2eee5b0000	0x2eee5c3fff	Pagefile Backed Memory	r	-
private_0x0000002eee5d0000	0x2eee5d0000	0x2eee6cffff	Private Memory	rw	-
pagefile_0x0000002eee6d0000	0x2eee6d0000	0x2eee6d3fff	Pagefile Backed Memory	r	-
pagefile_0x0000002eee6e0000	0x2eee6e0000	0x2eee6e0fff	Pagefile Backed Memory	r	-
private_0x0000002eee6f0000	0x2eee6f0000	0x2eee6f1fff	Private Memory	rw	-
locale.nls	0x2eee700000	0x2eee7bdfff	Memory Mapped File	r	-
private_0x0000002eee7c0000	0x2eee7c0000	0x2eee8bffff	Private Memory	rw	-
private_0x0000002eee8c0000	0x2eee8c0000	0x2eee8c6fff	Private Memory	rw	-
private_0x0000002eee8d0000	0x2eee8d0000	0x2eee8d0fff	Private Memory	rw	-
private_0x0000002eee8e0000	0x2eee8e0000	0x2eee9dffff	Private Memory	rw	-
private_0x0000002eee9e0000	0x2eee9e0000	0x2eee9e0fff	Private Memory	rw	-
pagefile_0x0000002eee9f0000	0x2eee9f0000	0x2eee9f0fff	Pagefile Backed Memory	rw	-
pagefile_0x0000002eeea00000	0x2eeea00000	0x2eeea00fff	Pagefile Backed Memory	r	-
private_0x0000002eeea00000	0x2eeea00000	0x2eeea0ffff	Private Memory	rw	-
pagefile_0x0000002eeea00000	0x2eeea00000	0x2eeea04fff	Pagefile Backed Memory	rw	-
pagefile_0x0000002eeea10000	0x2eeea10000	0x2eeea10fff	Pagefile Backed Memory	r	-
cversions.2.db	0x2eeea20000	0x2eeea23fff	Memory Mapped File	r	-
{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x000000000000000f.db	0x2eeea30000	0x2eeea72fff	Memory Mapped File	r	-
cversions.2.db	0x2eeea80000	0x2eeea83fff	Memory Mapped File	r	-
private_0x0000002eeea90000	0x2eeea90000	0x2eeea9ffff	Private Memory	rw	-
pagefile_0x0000002eeeaa0000	0x2eeeaa0000	0x2eeec27fff	Pagefile Backed Memory	r	-
pagefile_0x0000002eeec30000	0x2eeec30000	0x2eeedb0fff	Pagefile Backed Memory	r	-
pagefile_0x0000002eeedc0000	0x2eeedc0000	0x2ef01bffff	Pagefile Backed Memory	r	-
sortdefault.nls	0x2ef01c0000	0x2ef04f6fff	Memory Mapped File	r	-
rpcss.dll	0x2ef0500000	0x2ef05d5fff	Memory Mapped File	r	-
private_0x0000002ef0500000	0x2ef0500000	0x2ef068ffff	Private Memory	rw	-
oleaut32.dll	0x2ef0500000	0x2ef05bcfff	Memory Mapped File	r	-
{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000001.db	0x2ef0500000	0x2ef058afff	Memory Mapped File	r	-
propsys.dll.mui	0x2ef0590000	0x2ef05a0fff	Memory Mapped File	r	-
cversions.1.db	0x2ef05b0000	0x2ef05b3fff	Memory Mapped File	r	-
pagefile_0x0000002ef05b0000	0x2ef05b0000	0x2ef05b0fff	Pagefile Backed Memory	rw	-
pagefile_0x0000002ef05b0000	0x2ef05b0000	0x2ef05b4fff	Pagefile Backed Memory	rw	-
{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x000000000000001c.db	0x2ef05c0000	0x2ef05d2fff	Memory Mapped File	r	-
pagefile_0x0000002ef05e0000	0x2ef05e0000	0x2ef05e0fff	Pagefile Backed Memory	rw	-
private_0x0000002ef0680000	0x2ef0680000	0x2ef068ffff	Private Memory	rw	-
private_0x0000002ef0690000	0x2ef0690000	0x2ef078ffff	Private Memory	rw	-
private_0x0000002ef0790000	0x2ef0790000	0x2ef088ffff	Private Memory	rw	-
private_0x0000002ef0890000	0x2ef0890000	0x2ef098ffff	Private Memory	rw	-
private_0x0000002ef0990000	0x2ef0990000	0x2ef0a8ffff	Private Memory	rw	-
private_0x0000002ef0a90000	0x2ef0a90000	0x2ef0b8ffff	Private Memory	rw	-
private_0x00007ff74eace000	0x7ff74eace000	0x7ff74eacffff	Private Memory	rw	-
pagefile_0x00007ff74ead0000	0x7ff74ead0000	0x7ff74ebcffff	Pagefile Backed Memory	r	-
pagefile_0x00007ff74ebd0000	0x7ff74ebd0000	0x7ff74ebf2fff	Pagefile Backed Memory	r	-
private_0x00007ff74ebf3000	0x7ff74ebf3000	0x7ff74ebf4fff	Private Memory	rw	-
private_0x00007ff74ebf5000	0x7ff74ebf5000	0x7ff74ebf6fff	Private Memory	rw	-
private_0x00007ff74ebf7000	0x7ff74ebf7000	0x7ff74ebf8fff	Private Memory	rw	-
private_0x00007ff74ebf9000	0x7ff74ebf9000	0x7ff74ebfafff	Private Memory	rw	-
private_0x00007ff74ebfb000	0x7ff74ebfb000	0x7ff74ebfcfff	Private Memory	rw	-
private_0x00007ff74ebfd000	0x7ff74ebfd000	0x7ff74ebfefff	Private Memory	rw	-
private_0x00007ff74ebff000	0x7ff74ebff000	0x7ff74ebfffff	Private Memory	rw	-
eqbnr.exe	0x7ff74ec20000	0x7ff74ec54fff	Memory Mapped File	rwx	... Region Actions Download Dump
urlmon.dll	0x7ffb85bc0000	0x7ffb85d56fff	Memory Mapped File	rwx	-
iertutil.dll	0x7ffb88720000	0x7ffb88a95fff	Memory Mapped File	rwx	-
propsys.dll	0x7ffb8a850000	0x7ffb8a9d2fff	Memory Mapped File	rwx	-
apphelp.dll	0x7ffb8c600000	0x7ffb8c677fff	Memory Mapped File	rwx	-
uxtheme.dll	0x7ffb8c780000	0x7ffb8c815fff	Memory Mapped File	rwx	-
rsaenh.dll	0x7ffb8d3d0000	0x7ffb8d402fff	Memory Mapped File	rwx	-
cryptsp.dll	0x7ffb8d780000	0x7ffb8d796fff	Memory Mapped File	rwx	-
cryptbase.dll	0x7ffb8d8f0000	0x7ffb8d8fafff	Memory Mapped File	rwx	-
sspicli.dll	0x7ffb8dad0000	0x7ffb8dafbfff	Memory Mapped File	rwx	-
bcrypt.dll	0x7ffb8dcd0000	0x7ffb8dcf7fff	Memory Mapped File	rwx	-
bcryptprimitives.dll	0x7ffb8dd00000	0x7ffb8dd6afff	Memory Mapped File	rwx	-
profapi.dll	0x7ffb8deb0000	0x7ffb8dec2fff	Memory Mapped File	rwx	-
powrprof.dll	0x7ffb8def0000	0x7ffb8df39fff	Memory Mapped File	rwx	-
kernel.appcore.dll	0x7ffb8df40000	0x7ffb8df4efff	Memory Mapped File	rwx	-
shcore.dll	0x7ffb8e000000	0x7ffb8e0b2fff	Memory Mapped File	rwx	-
windows.storage.dll	0x7ffb8e120000	0x7ffb8e747fff	Memory Mapped File	rwx	-
kernelbase.dll	0x7ffb8e920000	0x7ffb8eafcfff	Memory Mapped File	rwx	-
cfgmgr32.dll	0x7ffb8eb00000	0x7ffb8eb43fff	Memory Mapped File	rwx	-
msvcrt.dll	0x7ffb8eb50000	0x7ffb8ebecfff	Memory Mapped File	rwx	-
combase.dll	0x7ffb8ebf0000	0x7ffb8ee6bfff	Memory Mapped File	rwx	-
user32.dll	0x7ffb8ee70000	0x7ffb8efbdfff	Memory Mapped File	rwx	-
rpcrt4.dll	0x7ffb8efc0000	0x7ffb8f0e5fff	Memory Mapped File	rwx	-
gdi32.dll	0x7ffb8f100000	0x7ffb8f284fff	Memory Mapped File	rwx	-
shlwapi.dll	0x7ffb8f290000	0x7ffb8f2e0fff	Memory Mapped File	rwx	-
advapi32.dll	0x7ffb8f2f0000	0x7ffb8f395fff	Memory Mapped File	rwx	-
msctf.dll	0x7ffb8f3a0000	0x7ffb8f4fbfff	Memory Mapped File	rwx	-
shell32.dll	0x7ffb8f500000	0x7ffb90a24fff	Memory Mapped File	rwx	-
kernel32.dll	0x7ffb90a40000	0x7ffb90aecfff	Memory Mapped File	rwx	-
sechost.dll	0x7ffb90af0000	0x7ffb90b4afff	Memory Mapped File	rwx	-
oleaut32.dll	0x7ffb90bc0000	0x7ffb90c7dfff	Memory Mapped File	rwx	-
clbcatq.dll	0x7ffb90e60000	0x7ffb90f04fff	Memory Mapped File	rwx	-
imm32.dll	0x7ffb90f70000	0x7ffb90fa5fff	Memory Mapped File	rwx	-
ole32.dll	0x7ffb90fb0000	0x7ffb910f0fff	Memory Mapped File	rwx	-
ntdll.dll	0x7ffb91480000	0x7ffb91641fff	Memory Mapped File	rwx	-

Host Behavior

File (5)

Operation	Filename	Additional Information	Count	Logfile
Create	C:\users\Public\sys	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_HIDDEN	1	Fn
Open	STD_INPUT_HANDLE	-	1	Fn
Open	STD_OUTPUT_HANDLE	-	1	Fn
Open	STD_ERROR_HANDLE	-	1	Fn
Delete	-	-	1	Fn

Process (36)

Operation	Process	Additional Information	Count	Logfile
Create	C:\Windows\System32\cmd.exe	show_window = SW_HIDE	1	Fn
Open	System	desired_access = PROCESS_ALL_ACCESS	1	Fn
Open	c:\windows\system32\smss.exe	desired_access = PROCESS_ALL_ACCESS	1	Fn
Open	c:\windows\system32\csrss.exe	desired_access = PROCESS_ALL_ACCESS	1	Fn
Open	c:\windows\system32\wininit.exe	desired_access = PROCESS_ALL_ACCESS	1	Fn
Open	c:\windows\system32\wininit.exe	desired_access = PROCESS_ALL_ACCESS	1	Fn
Open	c:\windows\system32\winlogon.exe	desired_access = PROCESS_ALL_ACCESS	1	Fn
Open	c:\windows\system32\services.exe	desired_access = PROCESS_ALL_ACCESS	1	Fn
Open	c:\windows\system32\services.exe	desired_access = PROCESS_ALL_ACCESS	1	Fn
Open	c:\windows\system32\svchost.exe	desired_access = PROCESS_ALL_ACCESS	1	Fn
Open	c:\windows\system32\svchost.exe	desired_access = PROCESS_ALL_ACCESS	1	Fn
Open	c:\windows\system32\dwm.exe	desired_access = PROCESS_ALL_ACCESS	1	Fn
Open	c:\windows\system32\svchost.exe	desired_access = PROCESS_ALL_ACCESS	1	Fn
Open	c:\windows\system32\svchost.exe	desired_access = PROCESS_ALL_ACCESS	1	Fn
Open	c:\windows\system32\svchost.exe	desired_access = PROCESS_ALL_ACCESS	1	Fn
Open	c:\windows\system32\svchost.exe	desired_access = PROCESS_ALL_ACCESS	1	Fn
Open	c:\windows\system32\svchost.exe	desired_access = PROCESS_ALL_ACCESS	1	Fn
Open	c:\windows\system32\svchost.exe	desired_access = PROCESS_ALL_ACCESS	1	Fn
Open	c:\windows\system32\spoolsv.exe	desired_access = PROCESS_ALL_ACCESS	1	Fn
Open	c:\windows\system32\svchost.exe	desired_access = PROCESS_ALL_ACCESS	1	Fn
Open	c:\windows\system32\svchost.exe	desired_access = PROCESS_ALL_ACCESS	1	Fn
Open	c:\program files\common files\microsoft shared\clicktorun\officeclicktorun.exe	desired_access = PROCESS_ALL_ACCESS	1	Fn
Open	c:\windows\system32\svchost.exe	desired_access = PROCESS_ALL_ACCESS	1	Fn
Open	c:\windows\system32\sihost.exe	desired_access = PROCESS_ALL_ACCESS	1	Fn
Open	c:\windows\system32\taskhostw.exe	desired_access = PROCESS_ALL_ACCESS	1	Fn
Open	c:\windows\explorer.exe	desired_access = PROCESS_ALL_ACCESS	1	Fn
Open	c:\windows\system32\runtimebroker.exe	desired_access = PROCESS_ALL_ACCESS	1	Fn
Open	c:\windows\systemapps\shellexperiencehost_cw5n1h2txyewy\shellexperiencehost.exe	desired_access = PROCESS_ALL_ACCESS	1	Fn
Open	c:\windows\systemapps\microsoft.windows.cortana_cw5n1h2txyewy\searchui.exe	desired_access = PROCESS_ALL_ACCESS	1	Fn
Open	c:\windows\system32\cmd.exe	desired_access = PROCESS_ALL_ACCESS	1	Fn
Open	c:\windows\system32\sihost.exe	desired_access = PROCESS_ALL_ACCESS	1	Fn
Open	c:\windows\system32\taskhostw.exe	desired_access = PROCESS_ALL_ACCESS	1	Fn
Open	c:\windows\system32\runtimebroker.exe	desired_access = PROCESS_ALL_ACCESS	1	Fn
Open	c:\windows\systemapps\shellexperiencehost_cw5n1h2txyewy\shellexperiencehost.exe	desired_access = PROCESS_ALL_ACCESS	1	Fn
Open	c:\windows\systemapps\microsoft.windows.cortana_cw5n1h2txyewy\searchui.exe	desired_access = PROCESS_ALL_ACCESS	1	Fn
Open	c:\windows\system32\cmd.exe	desired_access = PROCESS_ALL_ACCESS	1	Fn

Thread (5)

Operation	Process	Additional Information	Count	Logfile
Create	c:\windows\system32\sihost.exe	proc_address = 0x7ff74ec219a0, proc_parameter = 140700154986496, flags = THREAD_RUNS_IMMEDIATELY	1	Fn
Create	c:\windows\system32\taskhostw.exe	proc_address = 0x7ff74ec219a0, proc_parameter = 140700154986496, flags = THREAD_RUNS_IMMEDIATELY	1	Fn
Create	c:\windows\system32\runtimebroker.exe	proc_address = 0x7ff74ec219a0, proc_parameter = 140700154986496, flags = THREAD_RUNS_IMMEDIATELY	1	Fn
Create	c:\windows\systemapps\shellexperiencehost_cw5n1h2txyewy\shellexperiencehost.exe	proc_address = 0x7ff74ec219a0, proc_parameter = 140700154986496, flags = THREAD_RUNS_IMMEDIATELY	1	Fn
Create	c:\windows\systemapps\microsoft.windows.cortana_cw5n1h2txyewy\searchui.exe	proc_address = 0x7ff74ec219a0, proc_parameter = 140700154986496, flags = THREAD_RUNS_IMMEDIATELY	1	Fn

Memory (10)

Operation	Process	Additional Information	Count	Logfile
Allocate	c:\windows\system32\sihost.exe	address = 0x7ff74ec20000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 217088	1	Fn
Allocate	c:\windows\system32\taskhostw.exe	address = 0x7ff74ec20000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 217088	1	Fn
Allocate	c:\windows\system32\runtimebroker.exe	address = 0x7ff74ec20000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 217088	1	Fn
Allocate	c:\windows\systemapps\shellexperiencehost_cw5n1h2txyewy\shellexperiencehost.exe	address = 0x7ff74ec20000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 217088	1	Fn
Allocate	c:\windows\systemapps\microsoft.windows.cortana_cw5n1h2txyewy\searchui.exe	address = 0x7ff74ec20000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 217088	1	Fn
Write	c:\windows\system32\sihost.exe	address = 0x7ff74ec20000, size = 217088	1	Fn Data
Write	c:\windows\system32\taskhostw.exe	address = 0x7ff74ec20000, size = 217088	1	Fn Data
Write	c:\windows\system32\runtimebroker.exe	address = 0x7ff74ec20000, size = 217088	1	Fn Data
Write	c:\windows\systemapps\shellexperiencehost_cw5n1h2txyewy\shellexperiencehost.exe	address = 0x7ff74ec20000, size = 217088	1	Fn Data
Write	c:\windows\systemapps\microsoft.windows.cortana_cw5n1h2txyewy\searchui.exe	address = 0x7ff74ec20000, size = 217088	1	Fn Data

Module (33)

Operation	Module	Additional Information	Count	Logfile
Load	api-ms-win-core-synch-l1-2-0	base_address = 0x7ffb8e920000	2	Fn
Load	api-ms-win-core-fibers-l1-1-1	base_address = 0x7ffb8e920000	2	Fn
Load	advapi32	base_address = 0x7ffb8f2f0000	1	Fn
Load	api-ms-win-core-localization-l1-2-1	base_address = 0x7ffb8e920000	1	Fn
Load	kernel32.dll	base_address = 0x7ffb90a40000	1	Fn
Load	api-ms-win-appmodel-runtime-l1-1-1	base_address = 0x7ffb8df40000	1	Fn
Get Handle	c:\users\ciihmnxmn6ps\desktop\eqbnr.exe	base_address = 0x7ff74ec20000	7	Fn
Get Handle	mscoree.dll	-	1	Fn
Get Filename	-	process_name = c:\users\ciihmnxmn6ps\desktop\eqbnr.exe, file_name_orig = C:\Users\CIiHmnxMn6Ps\Desktop\eqBNr.exe, size = 260	3	Fn
Get Filename	-	process_name = c:\users\ciihmnxmn6ps\desktop\eqbnr.exe, file_name_orig = C:\Users\CIiHmnxMn6Ps\Desktop\eqBNr.exe, size = 320	1	Fn
Get Filename	-	process_name = c:\users\ciihmnxmn6ps\desktop\eqbnr.exe, file_name_orig = C:\Users\CIiHmnxMn6Ps\Desktop\eqBNr.exe, size = 100	1	Fn
Get Address	c:\windows\system32\kernelbase.dll	function = InitializeCriticalSectionEx, address_out = 0x7ffb8e973900	2	Fn
Get Address	c:\windows\system32\kernelbase.dll	function = FlsAlloc, address_out = 0x7ffb8e984580	2	Fn
Get Address	c:\windows\system32\kernelbase.dll	function = FlsSetValue, address_out = 0x7ffb8e972900	2	Fn
Get Address	c:\windows\system32\advapi32.dll	function = EventRegister, address_out = 0x7ffb914b8ff0	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = EventSetInformation, address_out = 0x7ffb9148e180	1	Fn
Get Address	c:\windows\system32\kernelbase.dll	function = FlsGetValue, address_out = 0x7ffb8e968e40	1	Fn
Get Address	c:\windows\system32\kernelbase.dll	function = LCMapStringEx, address_out = 0x7ffb8e93a930	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = IsWow64Process, address_out = 0x7ffb90a5e960	1	Fn
Get Address	c:\windows\system32\kernel.appcore.dll	function = GetCurrentPackageId, address_out = 0x7ffb8df42310	1	Fn

User (1)

Operation	Additional Information	Success	Count	Logfile
Lookup Privilege	privilege = SeDebugPrivilege, luid = 20		1	Fn

System (11)

Operation	Additional Information	Count	Logfile
Sleep	duration = 5000 milliseconds (5.000 seconds)	2	Fn
Sleep	duration = 300 milliseconds (0.300 seconds)	6	Fn
Get Info	type = Operating System	1	Fn
Get Info	type = Windows Directory, result_out = C:\Windows	2	Fn

Environment (1)

Operation	Additional Information	Success	Count	Logfile
Get Environment String	-		1	Fn Data

Process #13: cmd.exe

Information	Value
ID	#13
File Name	c:\windows\system32\cmd.exe
Command Line	"C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\CIiHmnxMn6Ps\Desktop\eqBNr.exe" /f
Initial Working Directory	C:\Windows\system32\
Monitor	Start Time: 00:02:49, Reason: Child Process
Unmonitor	End Time: 00:02:51, Reason: Self Terminated
Monitor Duration	00:00:02

OS Process Information

Information	Value
PID	0x478
Parent PID	0x5dc (c:\users\ciihmnxmn6ps\desktop\eqbnr.exe)
Is Created or Modified Executable
Integrity Level	Medium
Username	LHNIWSJ\CIiHmnxMn6Ps
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x 564 0x 768

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	r	-
private_0x000000c3b0cb0000	0xc3b0cb0000	0xc3b0ccffff	Private Memory	rw	-
pagefile_0x000000c3b0cb0000	0xc3b0cb0000	0xc3b0cbffff	Pagefile Backed Memory	rw	-
private_0x000000c3b0cc0000	0xc3b0cc0000	0xc3b0cc6fff	Private Memory	rw	-
pagefile_0x000000c3b0cd0000	0xc3b0cd0000	0xc3b0ce3fff	Pagefile Backed Memory	r	-
private_0x000000c3b0cf0000	0xc3b0cf0000	0xc3b0deffff	Private Memory	rw	-
pagefile_0x000000c3b0df0000	0xc3b0df0000	0xc3b0df3fff	Pagefile Backed Memory	r	-
pagefile_0x000000c3b0e00000	0xc3b0e00000	0xc3b0e00fff	Pagefile Backed Memory	r	-
private_0x000000c3b0e10000	0xc3b0e10000	0xc3b0e11fff	Private Memory	rw	-
locale.nls	0xc3b0e20000	0xc3b0eddfff	Memory Mapped File	r	-
private_0x000000c3b0ee0000	0xc3b0ee0000	0xc3b0fdffff	Private Memory	rw	-
private_0x000000c3b0fe0000	0xc3b0fe0000	0xc3b0fe6fff	Private Memory	rw	-
private_0x000000c3b0ff0000	0xc3b0ff0000	0xc3b10effff	Private Memory	rw	-
private_0x000000c3b1160000	0xc3b1160000	0xc3b116ffff	Private Memory	rw	-
sortdefault.nls	0xc3b1170000	0xc3b14a6fff	Memory Mapped File	r	-
pagefile_0x00007df5ff3b0000	0x7df5ff3b0000	0x7ff5ff3affff	Pagefile Backed Memory	-	-
pagefile_0x00007ff6a4ab0000	0x7ff6a4ab0000	0x7ff6a4baffff	Pagefile Backed Memory	r	-
pagefile_0x00007ff6a4bb0000	0x7ff6a4bb0000	0x7ff6a4bd2fff	Pagefile Backed Memory	r	-
private_0x00007ff6a4bda000	0x7ff6a4bda000	0x7ff6a4bdbfff	Private Memory	rw	-
private_0x00007ff6a4bdc000	0x7ff6a4bdc000	0x7ff6a4bddfff	Private Memory	rw	-
private_0x00007ff6a4bde000	0x7ff6a4bde000	0x7ff6a4bdefff	Private Memory	rw	-
cmd.exe	0x7ff6a4d80000	0x7ff6a4dd8fff	Memory Mapped File	rwx	-
kernelbase.dll	0x7ffb8e920000	0x7ffb8eafcfff	Memory Mapped File	rwx	-
msvcrt.dll	0x7ffb8eb50000	0x7ffb8ebecfff	Memory Mapped File	rwx	-
kernel32.dll	0x7ffb90a40000	0x7ffb90aecfff	Memory Mapped File	rwx	-
ntdll.dll	0x7ffb91480000	0x7ffb91641fff	Memory Mapped File	rwx	-

Host Behavior

File (10)

Operation	Filename	Additional Information	Count	Logfile
Get Info	C:\Windows\system32	type = file_attributes	1	Fn
Get Info	C:\Windows\System32	type = file_attributes	1	Fn
Open	STD_OUTPUT_HANDLE	-	5	Fn
Open	STD_INPUT_HANDLE	-	3	Fn

Registry (17)

Operation	Key	Additional Information	Count	Logfile
Open Key	HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System	-	1	Fn
Open Key	HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	-	1	Fn
Open Key	HKEY_CURRENT_USER\Software\Microsoft\Command Processor	-	1	Fn
Read Value	HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	value_name = DisableUNCCheck, data = 1, type = REG_NONE	1	Fn
Read Value	HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Read Value	HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	value_name = DelayedExpansion, data = 1, type = REG_NONE	1	Fn
Read Value	HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Read Value	HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Read Value	HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Read Value	HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	value_name = AutoRun, data = 64, type = REG_NONE	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Command Processor	value_name = DisableUNCCheck, data = 64, type = REG_NONE	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Command Processor	value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Command Processor	value_name = DelayedExpansion, data = 1, type = REG_NONE	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Command Processor	value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Command Processor	value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Command Processor	value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Command Processor	value_name = AutoRun, data = 9, type = REG_NONE	1	Fn

Process (1)

Operation	Process	Additional Information	Success	Count	Logfile
Create	C:\Windows\system32\reg.exe	os_pid = 0x560, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL		1	Fn

Module (8)

Operation	Module	Additional Information	Count	Logfile
Get Handle	c:\windows\system32\cmd.exe	base_address = 0x7ff6a4d80000	1	Fn
Get Handle	c:\windows\system32\kernel32.dll	base_address = 0x7ffb90a40000	2	Fn
Get Filename	-	process_name = c:\windows\system32\cmd.exe, file_name_orig = C:\Windows\System32\cmd.exe, size = 260	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = SetThreadUILanguage, address_out = 0x7ffb90a5d550	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = CopyFileExW, address_out = 0x7ffb90a625e0	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = IsDebuggerPresent, address_out = 0x7ffb90a61f90	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = SetConsoleInputExeNameW, address_out = 0x7ffb8e973a10	1	Fn

Environment (19)

Operation	Additional Information	Count	Logfile
Get Environment String	-	7	Fn Data
Get Environment String	name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\	2	Fn
Get Environment String	name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC	2	Fn
Get Environment String	name = PROMPT	1	Fn
Get Environment String	name = COMSPEC, result_out = C:\Windows\system32\cmd.exe	1	Fn
Get Environment String	name = KEYS	1	Fn
Set Environment String	name = PROMPT, value = $P$G	1	Fn
Set Environment String	name = =C:, value = C:\Windows\System32	1	Fn
Set Environment String	name = COPYCMD	1	Fn
Set Environment String	name = =ExitCode, value = 00000000	1	Fn
Set Environment String	name = =ExitCodeAscii	1	Fn

Process #15: sihost.exe

37473

Information	Value
ID	#15
File Name	c:\windows\system32\sihost.exe
Command Line	sihost.exe
Initial Working Directory	C:\Windows\system32\
Monitor	Start Time: 00:02:49, Reason: Injection
Unmonitor	End Time: 00:04:54, Reason: Terminated by Timeout
Monitor Duration	00:02:05

OS Process Information

Information	Value
PID	0x7cc
Parent PID	0x328 (c:\windows\system32\svchost.exe)
Is Created or Modified Executable
Integrity Level	Medium
Username	LHNIWSJ\CIiHmnxMn6Ps
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x 934 0x 8B4 0x 69C 0x 5EC 0x 4A4 0x 574 0x 598 0x 4FC 0x 4E8 0x 518 0x 128 0x 3DC 0x 464 0x 7DC 0x 7D0 0x 2D0 0x 984 0x 8FC 0x B10 0x B90

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	r	-
pagefile_0x000000665a970000	0x665a970000	0x665a97ffff	Pagefile Backed Memory	rw	-
private_0x000000665a980000	0x665a980000	0x665a986fff	Private Memory	rw	-
pagefile_0x000000665a990000	0x665a990000	0x665a9a3fff	Pagefile Backed Memory	r	-
private_0x000000665a9b0000	0x665a9b0000	0x665aa2ffff	Private Memory	rw	-
pagefile_0x000000665aa30000	0x665aa30000	0x665aa33fff	Pagefile Backed Memory	r	-
private_0x000000665aa40000	0x665aa40000	0x665aa41fff	Private Memory	rw	-
private_0x000000665aa50000	0x665aa50000	0x665aacffff	Private Memory	rw	-
private_0x000000665aad0000	0x665aad0000	0x665abcffff	Private Memory	rw	-
locale.nls	0x665abd0000	0x665ac8dfff	Memory Mapped File	r	-
private_0x000000665ac90000	0x665ac90000	0x665ac96fff	Private Memory	rw	-
pagefile_0x000000665aca0000	0x665aca0000	0x665ae27fff	Pagefile Backed Memory	r	-
private_0x000000665ae30000	0x665ae30000	0x665ae30fff	Private Memory	rw	-
private_0x000000665ae40000	0x665ae40000	0x665ae40fff	Private Memory	rw	-
pagefile_0x000000665ae50000	0x665ae50000	0x665ae50fff	Pagefile Backed Memory	r	-
pagefile_0x000000665ae60000	0x665ae60000	0x665ae60fff	Pagefile Backed Memory	r	-
private_0x000000665ae70000	0x665ae70000	0x665ae70fff	Private Memory	rw	-
private_0x000000665ae80000	0x665ae80000	0x665ae8ffff	Private Memory	rw	-
pagefile_0x000000665ae90000	0x665ae90000	0x665b010fff	Pagefile Backed Memory	r	-
pagefile_0x000000665b020000	0x665b020000	0x665c41ffff	Pagefile Backed Memory	r	-
private_0x000000665c420000	0x665c420000	0x665c51ffff	Private Memory	rw	-
sortdefault.nls	0x665c520000	0x665c856fff	Memory Mapped File	r	-
private_0x000000665c860000	0x665c860000	0x665c8dffff	Private Memory	rw	-
private_0x000000665c8e0000	0x665c8e0000	0x665c95ffff	Private Memory	rw	-
private_0x000000665c960000	0x665c960000	0x665c9dffff	Private Memory	rw	-
private_0x000000665c9e0000	0x665c9e0000	0x665ca5ffff	Private Memory	rw	-
private_0x000000665ca60000	0x665ca60000	0x665cadffff	Private Memory	rw	-
private_0x000000665cae0000	0x665cae0000	0x665caeffff	Private Memory	rw	-
private_0x000000665caf0000	0x665caf0000	0x665cb6ffff	Private Memory	rw	-
private_0x000000665cb70000	0x665cb70000	0x665cc6ffff	Private Memory	rw	-
private_0x000000665cc70000	0x665cc70000	0x665d46ffff	Private Memory	-	-
private_0x000000665d470000	0x665d470000	0x665d4effff	Private Memory	rw	-
private_0x000000665d4f0000	0x665d4f0000	0x665d56ffff	Private Memory	rw	-
private_0x000000665d570000	0x665d570000	0x665d5effff	Private Memory	rw	-
private_0x000000665d5f0000	0x665d5f0000	0x665d66ffff	Private Memory	rw	-
private_0x000000665d5f0000	0x665d5f0000	0x665d5f2fff	Private Memory	rw	-
private_0x000000665d670000	0x665d670000	0x665d6effff	Private Memory	rw	-
private_0x000000665d6f0000	0x665d6f0000	0x665d76ffff	Private Memory	rw	-
kernelbase.dll.mui	0x665d770000	0x665d84efff	Memory Mapped File	r	-
private_0x000000665d850000	0x665d850000	0x665d8cffff	Private Memory	rw	-
pagefile_0x000000665d8d0000	0x665d8d0000	0x665d8f9fff	Pagefile Backed Memory	rw	-
private_0x000000665d900000	0x665d900000	0x665d9fffff	Private Memory	rw	-
private_0x000000665da00000	0x665da00000	0x665da7ffff	Private Memory	rw	-
private_0x000000665da80000	0x665da80000	0x665da82fff	Private Memory	rw	-
private_0x000000665da80000	0x665da80000	0x665db74fff	Private Memory	rw	-
private_0x000000665da80000	0x665da80000	0x665dafffff	Private Memory	rw	-
private_0x000000665db80000	0x665db80000	0x665dbfffff	Private Memory	rw	-
private_0x000000665dc00000	0x665dc00000	0x665dcf4fff	Private Memory	rw	-
pagefile_0x00007df5ffee0000	0x7df5ffee0000	0x7ff5ffedffff	Pagefile Backed Memory	-	-
private_0x00007ff74ec20000	0x7ff74ec20000	0x7ff74ec54fff	Private Memory	rwx	-
private_0x00007ff7ee80a000	0x7ff7ee80a000	0x7ff7ee80bfff	Private Memory	rw	-
private_0x00007ff7ee80c000	0x7ff7ee80c000	0x7ff7ee80dfff	Private Memory	rw	-
private_0x00007ff7ee80e000	0x7ff7ee80e000	0x7ff7ee80ffff	Private Memory	rw	-
private_0x00007ff7ee810000	0x7ff7ee810000	0x7ff7ee811fff	Private Memory	rw	-
private_0x00007ff7ee812000	0x7ff7ee812000	0x7ff7ee813fff	Private Memory	rw	-
private_0x00007ff7ee814000	0x7ff7ee814000	0x7ff7ee815fff	Private Memory	rw	-
private_0x00007ff7ee816000	0x7ff7ee816000	0x7ff7ee817fff	Private Memory	rw	-
private_0x00007ff7ee818000	0x7ff7ee818000	0x7ff7ee819fff	Private Memory	rw	-
private_0x00007ff7ee81a000	0x7ff7ee81a000	0x7ff7ee81bfff	Private Memory	rw	-
private_0x00007ff7ee81c000	0x7ff7ee81c000	0x7ff7ee81dfff	Private Memory	rw	-
private_0x00007ff7ee81e000	0x7ff7ee81e000	0x7ff7ee81ffff	Private Memory	rw	-
pagefile_0x00007ff7ee820000	0x7ff7ee820000	0x7ff7ee91ffff	Pagefile Backed Memory	r	-
pagefile_0x00007ff7ee920000	0x7ff7ee920000	0x7ff7ee942fff	Pagefile Backed Memory	r	-
private_0x00007ff7ee943000	0x7ff7ee943000	0x7ff7ee944fff	Private Memory	rw	-
private_0x00007ff7ee945000	0x7ff7ee945000	0x7ff7ee946fff	Private Memory	rw	-
private_0x00007ff7ee947000	0x7ff7ee947000	0x7ff7ee947fff	Private Memory	rw	-
private_0x00007ff7ee948000	0x7ff7ee948000	0x7ff7ee949fff	Private Memory	rw	-
private_0x00007ff7ee94a000	0x7ff7ee94a000	0x7ff7ee94bfff	Private Memory	rw	-
private_0x00007ff7ee94c000	0x7ff7ee94c000	0x7ff7ee94dfff	Private Memory	rw	-
private_0x00007ff7ee94e000	0x7ff7ee94e000	0x7ff7ee94ffff	Private Memory	rw	-
sihost.exe	0x7ff7eed30000	0x7ff7eed45fff	Memory Mapped File	rwx	-
dbghelp.dll	0x7ffb7e690000	0x7ffb7e819fff	Memory Mapped File	rwx	-
licensemanagerapi.dll	0x7ffb7f330000	0x7ffb7f33bfff	Memory Mapped File	rwx	-
staterepository.core.dll	0x7ffb7f450000	0x7ffb7f4e8fff	Memory Mapped File	rwx	-
windows.staterepository.dll	0x7ffb7f4f0000	0x7ffb7f781fff	Memory Mapped File	rwx	-
twinui.appcore.dll	0x7ffb80a90000	0x7ffb80c9cfff	Memory Mapped File	rwx	-
execmodelproxy.dll	0x7ffb821b0000	0x7ffb821c4fff	Memory Mapped File	rwx	-
sharehost.dll	0x7ffb821d0000	0x7ffb82274fff	Memory Mapped File	rwx	-
ondemandbrokerclient.dll	0x7ffb82280000	0x7ffb82290fff	Memory Mapped File	rwx	-
appcontracts.dll	0x7ffb822a0000	0x7ffb8234bfff	Memory Mapped File	rwx	-
notificationplatformcomponent.dll	0x7ffb82350000	0x7ffb8235cfff	Memory Mapped File	rwx	-
execmodelclient.dll	0x7ffb82360000	0x7ffb823a2fff	Memory Mapped File	rwx	-
wpportinglibrary.dll	0x7ffb82420000	0x7ffb82428fff	Memory Mapped File	rwx	-
modernexecserver.dll	0x7ffb82430000	0x7ffb82507fff	Memory Mapped File	rwx	-
dsclient.dll	0x7ffb82510000	0x7ffb8251bfff	Memory Mapped File	rwx	-
userdatatypehelperutil.dll	0x7ffb82520000	0x7ffb82530fff	Memory Mapped File	rwx	-
appointmentactivation.dll	0x7ffb82540000	0x7ffb82561fff	Memory Mapped File	rwx	-
activationmanager.dll	0x7ffb82570000	0x7ffb825cdfff	Memory Mapped File	rwx	-
edputil.dll	0x7ffb825d0000	0x7ffb825fefff	Memory Mapped File	rwx	-
clipboardserver.dll	0x7ffb82600000	0x7ffb8262ffff	Memory Mapped File	rwx	-
actxprxy.dll	0x7ffb82650000	0x7ffb82ab9fff	Memory Mapped File	rwx	-
windows.shell.servicehostbuilder.dll	0x7ffb82b70000	0x7ffb82b81fff	Memory Mapped File	rwx	-
desktopshellext.dll	0x7ffb82b90000	0x7ffb82ba6fff	Memory Mapped File	rwx	-
coreuicomponents.dll	0x7ffb82bb0000	0x7ffb82e10fff	Memory Mapped File	rwx	-
msvcp110_win.dll	0x7ffb87810000	0x7ffb878a1fff	Memory Mapped File	rwx	-
policymanager.dll	0x7ffb878b0000	0x7ffb878e8fff	Memory Mapped File	rwx	-
xmllite.dll	0x7ffb87a20000	0x7ffb87a55fff	Memory Mapped File	rwx	-
iertutil.dll	0x7ffb88720000	0x7ffb88a95fff	Memory Mapped File	rwx	-
dbgcore.dll	0x7ffb89cc0000	0x7ffb89ce4fff	Memory Mapped File	rwx	-
faultrep.dll	0x7ffb89cf0000	0x7ffb89d4dfff	Memory Mapped File	rwx	-
propsys.dll	0x7ffb8a850000	0x7ffb8a9d2fff	Memory Mapped File	rwx	-
mmdevapi.dll	0x7ffb8a9e0000	0x7ffb8aa51fff	Memory Mapped File	rwx	-
wintypes.dll	0x7ffb8ab60000	0x7ffb8ac90fff	Memory Mapped File	rwx	-
usermgrproxy.dll	0x7ffb8aca0000	0x7ffb8acddfff	Memory Mapped File	rwx	-
usermgrcli.dll	0x7ffb8afe0000	0x7ffb8afeffff	Memory Mapped File	rwx	-
winnsi.dll	0x7ffb8b560000	0x7ffb8b56afff	Memory Mapped File	rwx	-
iphlpapi.dll	0x7ffb8b580000	0x7ffb8b5b7fff	Memory Mapped File	rwx	-
dwmapi.dll	0x7ffb8bf20000	0x7ffb8bf41fff	Memory Mapped File	rwx	-
coremessaging.dll	0x7ffb8c060000	0x7ffb8c127fff	Memory Mapped File	rwx	-
uxtheme.dll	0x7ffb8c780000	0x7ffb8c815fff	Memory Mapped File	rwx	-
devobj.dll	0x7ffb8c820000	0x7ffb8c846fff	Memory Mapped File	rwx	-
twinapi.appcore.dll	0x7ffb8c870000	0x7ffb8c95dfff	Memory Mapped File	rwx	-
rmclient.dll	0x7ffb8cae0000	0x7ffb8cb07fff	Memory Mapped File	rwx	-
mpr.dll	0x7ffb8d140000	0x7ffb8d15bfff	Memory Mapped File	rwx	-
netutils.dll	0x7ffb8d160000	0x7ffb8d16bfff	Memory Mapped File	rwx	-
ntmarta.dll	0x7ffb8d250000	0x7ffb8d281fff	Memory Mapped File	rwx	-
dpapi.dll	0x7ffb8d330000	0x7ffb8d339fff	Memory Mapped File	rwx	-
rsaenh.dll	0x7ffb8d3d0000	0x7ffb8d402fff	Memory Mapped File	rwx	-
userenv.dll	0x7ffb8d4c0000	0x7ffb8d4defff	Memory Mapped File	rwx	-
cryptsp.dll	0x7ffb8d780000	0x7ffb8d796fff	Memory Mapped File	rwx	-
cryptbase.dll	0x7ffb8d8f0000	0x7ffb8d8fafff	Memory Mapped File	rwx	-
sspicli.dll	0x7ffb8dad0000	0x7ffb8dafbfff	Memory Mapped File	rwx	-
bcrypt.dll	0x7ffb8dcd0000	0x7ffb8dcf7fff	Memory Mapped File	rwx	-
bcryptprimitives.dll	0x7ffb8dd00000	0x7ffb8dd6afff	Memory Mapped File	rwx	-
profapi.dll	0x7ffb8deb0000	0x7ffb8dec2fff	Memory Mapped File	rwx	-
msasn1.dll	0x7ffb8ded0000	0x7ffb8dee0fff	Memory Mapped File	rwx	-
powrprof.dll	0x7ffb8def0000	0x7ffb8df39fff	Memory Mapped File	rwx	-
kernel.appcore.dll	0x7ffb8df40000	0x7ffb8df4efff	Memory Mapped File	rwx	-
shcore.dll	0x7ffb8e000000	0x7ffb8e0b2fff	Memory Mapped File	rwx	-
windows.storage.dll	0x7ffb8e120000	0x7ffb8e747fff	Memory Mapped File	rwx	-
crypt32.dll	0x7ffb8e750000	0x7ffb8e910fff	Memory Mapped File	rwx	-
kernelbase.dll	0x7ffb8e920000	0x7ffb8eafcfff	Memory Mapped File	rwx	-
cfgmgr32.dll	0x7ffb8eb00000	0x7ffb8eb43fff	Memory Mapped File	rwx	-
msvcrt.dll	0x7ffb8eb50000	0x7ffb8ebecfff	Memory Mapped File	rwx	-
combase.dll	0x7ffb8ebf0000	0x7ffb8ee6bfff	Memory Mapped File	rwx	-
user32.dll	0x7ffb8ee70000	0x7ffb8efbdfff	Memory Mapped File	rwx	-
rpcrt4.dll	0x7ffb8efc0000	0x7ffb8f0e5fff	Memory Mapped File	rwx	-
gdi32.dll	0x7ffb8f100000	0x7ffb8f284fff	Memory Mapped File	rwx	-
shlwapi.dll	0x7ffb8f290000	0x7ffb8f2e0fff	Memory Mapped File	rwx	-
advapi32.dll	0x7ffb8f2f0000	0x7ffb8f395fff	Memory Mapped File	rwx	-
msctf.dll	0x7ffb8f3a0000	0x7ffb8f4fbfff	Memory Mapped File	rwx	-
shell32.dll	0x7ffb8f500000	0x7ffb90a24fff	Memory Mapped File	rwx	-
nsi.dll	0x7ffb90a30000	0x7ffb90a37fff	Memory Mapped File	rwx	-
kernel32.dll	0x7ffb90a40000	0x7ffb90aecfff	Memory Mapped File	rwx	-
sechost.dll	0x7ffb90af0000	0x7ffb90b4afff	Memory Mapped File	rwx	-
oleaut32.dll	0x7ffb90bc0000	0x7ffb90c7dfff	Memory Mapped File	rwx	-
clbcatq.dll	0x7ffb90e60000	0x7ffb90f04fff	Memory Mapped File	rwx	-
imm32.dll	0x7ffb90f70000	0x7ffb90fa5fff	Memory Mapped File	rwx	-
ole32.dll	0x7ffb90fb0000	0x7ffb910f0fff	Memory Mapped File	rwx	-
ntdll.dll	0x7ffb91480000	0x7ffb91641fff	Memory Mapped File	rwx	-
For performance reasons, the remaining 25 entries are omitted. The remaining entries can be found in flog.txt.

Injection Information

Injection Type	Source Process	Source Os Thread ID	Information	Success	Count	Logfile
Modify Memory	#12: c:\users\ciihmnxmn6ps\desktop\eqbnr.exe	0x868	address = 0x7ff74ec20000, size = 217088		1	Fn Data
Create Remote Thread	#12: c:\users\ciihmnxmn6ps\desktop\eqbnr.exe	0x868	address = 0x7ff74ec219a0		1	Fn

Created Files

Filename	File Size	Hash Values	YARA Match	Actions
C:\ProgramData\Adobe\ARM\Reader_17.012.20098\RyukReadMe.txt	0.79 KB	MD5: e8662acb66fe73bfe17c84b6a59b8ea9 SHA1: 35701496614f055d203711e472cd32d68dff0182 SHA256: d8968c39ec81424c2dbf94586acf9a088fa19b6d3d5be8a9267f767b323d42bf SSDeep: 24:iVezHysv9F2Ob/87gPsoU3gMqvKHHLb1+y3RhXYmQ4C4sn:xzSsv9FjxFiH0iFQ4C4s		... File Actions Show Properties Download
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\08e575673cce10c72090304839888e02_427a1946-e0ff-4097-8c9e-ca2c1e22780b	0.05 KB	MD5: 93a5aadeec082ffc1bca5aa27af70f52 SHA1: 47a92aee3ea4d1c1954ed4da9f86dd79d9277d31 SHA256: a1a21799e98f97f271657ce656076f33dcb020d9370f1f2671d783cafd230294 SSDeep: 3:/lE7L6N:+L6N		... File Actions Show Properties Download

Modified Files

Filename	File Size	Hash Values	Actions
C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\OneDrive\setup\logs\Install-PerUser_2017-05-24_104601_b30-494.log	454.03 KB	MD5: 1159e6e6d8cf2038179f565dd6027145 SHA1: 2a36e2d557105bd78b3eb6e7f8474c96cb186fa6 SHA256: 8a1fc7e52745dffb4a188a77ea4cf2af86e38af7c424128af3a3eda65a6081c3 SSDeep: 12288:u1JPMBAm/HwU37MsOrm74z+JOvPeN88is5o:uDPiAfm7bO67QsNoB	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\OneDrive\17.3.6998.0830\Error.png	7.88 KB	MD5: 7238eb6a324c5612420bceb587d32337 SHA1: bcd3d71e940409de96cf9b6a5f2825e31c16e3e3 SHA256: a3bd4249d3a19dfe4beb14e91cf7d03685d862ce4bb6c123d2303b13f28a634d SSDeep: 96:6VVflBLd6kFx0XZLgXXnhY6lLxYBRNJ/qDD0773bpdkFSU7ovaesbyuc3ZCfSXix:sbtytYS6XzD07zkc+ssy4f0mbaCsGH	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\OneDrive\17.3.6998.0830\images\folder_image_desktop.svg	2.17 KB	MD5: 667ed7a17e3963f52d204c78f338232d SHA1: bb7ce4f2b8335ab6c6b0f6b763c62256d5a19b23 SHA256: c910dea423477e3a29e54c005d049268c514e4f3b6131d157f8dcd4a38baf073 SSDeep: 48:Ni7gHZUHvAQRK0rNgJMw0s58WT+qYzwfyQZ3pn4NdiG0asG7wff+u1:Y7QZUHvNRKkDkPuzwfyoqVH7w3+6	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\82BD62FD-974C-42F4-866A-5C738238984B	62.97 KB	MD5: a0c25ea9c36e0d4612507adb98038948 SHA1: 6dcf222a7e83b8f7a57ee707c4df905b0f4a8aaa SHA256: a25d0b6a00ce104ad2c96133631f20a990209b60fccba0cabc9094f7555d7ed8 SSDeep: 1536:wTyTw/TNBYIqwsXHXJpsO/cyMGKffnuCkdDCyGOlzbS6P:wuTeBYIqDX37/crGKffnuCkwOlzVP	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\OneNote\16.0\cache\00000005.bin	19.06 KB	MD5: f3312f68e755e031fa64d33a0d90f6de SHA1: 92fcd54d2cf2136b108a32eb532dbbdbb59ac2ec SHA256: 39959fb7cceccd2dd9e25ee13ec0f04b77e8249423411cfa433cc6332be36183 SSDeep: 384:totaLm1JFXQfvt/03sg7Y32NGdSFE//C91LjUo38YSb:totTJqfKcTAFEux3ub	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\OneDrive\17.3.6998.0830\images\checkmark_selected.svg	0.66 KB	MD5: 2d1462bbbf40366794de30d83ebd5277 SHA1: 3d29443dbbaff4643da70d2f6db1524ec416443a SHA256: 8aff4bae6c577cb5641346d9de3c81f7689b0205cc4b7b51c32423a73e97c993 SSDeep: 12:F9qw+4K1eXMnIVEhMnGLMPb4RrhHDpr9zE95i7W36afR/sYpwja4RDbn:+4KscpMSMPURrhHDB9zEYMWYSj3Hn	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Internet Explorer\IECompatData\iecompatdata.xml	3.30 KB	MD5: aaf9a3ee8dbf9efc4cdf531b7cdf3436 SHA1: 363a67461fe1025cdba2bbf1f041689b2888f258 SHA256: 5638d5556bcd94f6011441cb4051c6b33521d74cd78a747e03bd552214ba5201 SSDeep: 48:BVJcpBarDvXKL2TvFlf96NrJPNUuHmizy4k6NITNaow82/PUHRmjMc41nFvRiSS:BABafvq2T9C5K8mizyrC8pYYcmnF0	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\OneDrive\logs\Common\StandaloneUpdater-2017-9-26.2241.1252.1.odl	10.99 KB	MD5: 7f44af3f212b99c015e348b5e6d23feb SHA1: d8eae479d34349fbf69459dd508fa4179194d90d SHA256: b3dd22c8d446c42688cde767e169816dd02ad28bcaf4c3061ab62be752e2d8fd SSDeep: 192:qyr5Fm8zbjDn5kzrJvCDf4gNjJBUV5McoaFdNR42P0+nMTTtBuig9QSKNl1rAUA:q2q8znDn5kzNCDf4y3UV5MVyK2P0+MTy	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\OneDrive\17.3.6998.0830\CollectSyncLogs.bat	6.55 KB	MD5: bca3bbcb329839b287961dd6c0837f09 SHA1: fc5798bfe93e193146924e75937c75f0134059f0 SHA256: 8f3858efbe3c98111d875eee2318704c56982c722752ab29747fb58f2bd7a244 SSDeep: 96:HmSuusuqJdvHvoud0m5mYq6oxxVSKPvu7nyGHbEve+KFwh87XUfZPHSr+SF:BhTqJdZm66XVSI8/Hb5FnXUxfC5F	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\OneDrive\setup\logs\Install-PerUser_2017-07-12_164141_b14-7f0.log	564.99 KB	MD5: 7ad7ba8a257646d6a8b9b24d5b7cba40 SHA1: 66792f50b78bc0fb81e3cf606a6fb0ac53ef6733 SHA256: b7a198ec01b88dadec08786cc9f385adec5cf746b61074e64a86b6989967c6a1 SSDeep: 12288:XQQh89VF1cq36QePmHsV/gkG/TkjgTnwEWJTt3WjQAwyuQpO1tMsNneP:XaRcl3uHsV/g//gkT0XeVcQpO1TNeP	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Internet Explorer\DomainSuggestions\en-US.1	18.03 KB	MD5: ac6eedbf8a230ddd5d94b29106568bec SHA1: 8ab7bb390759c0567e0992628ca85a51662c467e SHA256: f15b59fcb33638f1642c71a9f2e39ec9aba1d2b5063a79a17ca68563dc5e4ccd SSDeep: 384:pcbWk04DPDfMSISEUVRa2DExvWAcuZ3Eg7MTmLmI/v6OLVL9F:ebu4fEneK2gdWAvP7imZnpXF	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\OneDrive\setup\logs\Install_2017-05-24_104600_528-57c.log	92.00 KB	MD5: f29e32e74a63e25fc626ea82c1fbddde SHA1: 00bf3d9883b550f069923a3aca9e8b7078c91208 SHA256: 937d415d12c150d2af939f3220c98ad6ce5c8684c4cf9c8b4db9e8c21716ce18 SSDeep: 1536:DQu6NRv1e3omPS5PtfV3LFd/ggyPj03Xeu9RaAz2VKhr9Pz6GUbqBCVBTQ9umCmu:UnRde3bPSbV7Fd9hezxVKhrd6GSqYTQA	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Visited Links	128.28 KB	MD5: 6b752982bcb20d5d340a8fdb8158b5a2 SHA1: b13a3be2d80707a17940df1b64a2c02be17ffbc7 SHA256: d16f8d5c202651929a5877bc176fd5a37c5decc70c7eb1580213f6dd0eef34b7 SSDeep: 3072:9y9Ij9KvmI7L5lA4XzuU3QREwRmM8h9Bj:uIj9kmI/5lAOuOvYe9F	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\OneDrive\17.3.6998.0830\images\waterGlass.svg	2.06 KB	MD5: 9dd4b1d59e14b8d89003a8dbe373d498 SHA1: 8ad42bd691772f0c260e11b0fdb85aaa210ab290 SHA256: c53bb49aef0ef26f3b886ebef3b158969c40153c790c84d27687e14aa51b1fa6 SSDeep: 48:e8Q88NhYPKjk8863Ek8PFx3G2E7/Bfw93gKybaYG8xE8TkarBA2/xKm893srjH:eP88NhSKoO3p+FxVE+JyagE8FxYsrjH	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\00009376\01_Music_auto_rated_at_5_stars.wpl	1.30 KB	MD5: 78ebcd91c1b886164d714e3359d0af16 SHA1: f8083e698147cf9b1a21d135444ea2422218a80e SHA256: 47b68fe9273167f07dd2e1a60124eb908ad7a7b1fbbd2e73d7a65d6c88e51ba2 SSDeep: 24:yPYyDY0J599Y8NN3abBycmuoQxfkX1LAGY7varp3LSNgf2vjG:yPYyDZ9TNpabUcm7scFa4G6J	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\clienttemplates.content.office.net\8377A58B-6BB9-496C-A6DF-9A7A076B4B41	27.35 KB	MD5: 9f1f01dd760cf51e3896e63fba5da584 SHA1: c3d16b5dab2d73250476dd6612e8f3fd6fff6a18 SHA256: 26d29db9d31c8fa2b7eee61b8e93a914cf9b19f3526c998151f529851f2939e0 SSDeep: 768:S/67ZuiwBK+tYozzLsp61B2NGRBUvej6wEfh3:S/guiws+tYkz54wBwLjh3	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\OneDrive\17.3.6998.0830\images\acmDismissIcon.svg	2.52 KB	MD5: 68c6142dec097d0e32299c5abb96c287 SHA1: a5070d3694d77584cbb4d5ba2116675c9259eec2 SHA256: 56acf4e9d4d3410d74e093b2b052aa1bfe49602bd5d4db37dcc996469131fb16 SSDeep: 48:YmAV/TsrQ64GO3ECvVUo3iSPXejKQ0OBAkizMLD3jWH8QMvPDCRG:BAVSx4Z37/f1Q0OFizcowP2G	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\OneDrive\17.3.6998.0830\adm\OneDrive.adml	19.42 KB	MD5: 2a92984a7463436e75a913d4e27c32d0 SHA1: f1139aca4fedcc71601d678715461117edc570ab SHA256: cf02558364a285c4a9214294e5eebab05ec7bf71f479bda9aa7ea080c84c50c5 SSDeep: 384:iPhIByKpz81HTIJgz1BUyTKHV97yObh9QFW6LC+iFhFD7Phkn3fwKcNCxfbfKVw:v0Kpzfgz1BUL977t90hiFhFHS3fwKuC1	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Local\Comms\UnistoreDB\USStmp.log	3.00 MB	MD5: 6a8b687cb3d3ac213dfb17da11411f30 SHA1: dfb8be92dd3b765f4dea8d0a0f3d767d19f47b07 SHA256: 6d2fde929f720063eae98620a27f29ba1049ac8876eb04ee295776fff37c7969 SSDeep: 98304:s6JY5zWt5703VDZJkmiBD0QD2WC+WqSbJegE:hJY5cWJZmLD0QrWq8Q	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\OneDrive\17.3.5892.0626_1\AutoPlayOptIn.gif	374.52 KB	MD5: 0a05a533674156709802ad5566267a9b SHA1: 49b5b89a884a4d7b0cc5ac34e9ec07ad102dba85 SHA256: e6bee453d33f9020dcd703b81a044ebabd28aa9f518d09db169b58bdff84fc20 SSDeep: 6144:iUdTuRcDuS4GAv735vIUxJEGfnZOEWoYvVdZuL+zGJhrHxFxwWdGS+fe/QODD742:iTRcLITlIUHEmzWyrZtwHfwDDU8BB	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\OneDrive\17.3.6998.0830\adm\OneDrive.admx	9.88 KB	MD5: b770af0c20f3c5eb1202829f89cb9b7b SHA1: e87b4583b48366d0c8b959bcd6eebdbab5f3cef8 SHA256: 48fc823dfc2326ab7db5684a2e219b17a69c61865f2dc3b4cac8d01241906765 SSDeep: 192:mGzb7CO6L8xavs6LDlmq6SJUML5BnE5VNAGiKA1vwbXh2dARthkBU2q8:m0XV6L8xAllP6Q9LwVNAGiKA1vt2RIBL	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\Internet Explorer Suggested Sites~.feed-ms	28.28 KB	MD5: 7ee5a320911ae3a8628b95bf1ed1b811 SHA1: f94cb71465468a712905dcf29049e004591b9134 SHA256: 183f74c721f11ea7e5a4269f012aece9666ead0c1e6bfc36d339d55386bb278c SSDeep: 384:bG4E9tzBlUYueRp6aYnmwNZFMAq299/08uaJVM4GFFgb97ASEcYK+YLSq1N7:UStem3dXW+/s8uYVeFg97ASEhK++N7	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\clienttemplates.content.office.net\F1AC218A-8D02-402C-876E-4B0E2A662BFA	20.97 KB	MD5: 0c6f09614c975e0c7879643e7fe095a8 SHA1: 8520ad617e2e37d3419daa5cf2ad6c5ab7ca3774 SHA256: d9ba8216625d60fe6dce019f2a3742517a2ac115ce6c34639b35465e210b6d51 SSDeep: 384:KbsNhd1lrjWiEqx/TXM1gUiPHnDlcMyCqD8h2hVE4OKNUMEH3lNF:KbsNVlZEqM1gRP5/y5DQgWMNilL	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\clienttemplates.content.office.net\7A123EA5-56EE-4596-A54E-8E612EE6B11E	232.06 KB	MD5: 6c7fd94ad2678d5df5e4bf0b0125e9fd SHA1: e7056b2385b9f57e66238743fba5a60977222d9f SHA256: e9d12eb10c3d52ae12047230ef93c79ab30fc6e1b0c2d2f3e081ce1e3f493479 SSDeep: 6144:/uS6+qPknwmqflogD7bSU7/GURGOS4FO6ABjwZZxLYKk:GSl8kLqfygHexkBt86ABjYqKk	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\clienttemplates.content.office.net\2378B1B3-B054-41CE-B565-01C50DF64F3A	18.85 KB	MD5: dcfed10b670493235eb7c20a6097e739 SHA1: be49705eff5cb3e7ac21b40b522d66bf0657199c SHA256: 12ca30291cec268bee958cfebb73846a5da0cc13d47bf649e344f98050155e8e SSDeep: 384:SphGN0cnhra6niPJjt3wQEj+aO5REI7dfREKHmudXgwH3DtPg:S+N0OxauiPJRUipL5fEQtpPg	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\OneDrive\logs\Personal\TraceCurrent.6998.0830.etl	8.28 KB	MD5: e81fe15abadffd1e607e106ca8d9601f SHA1: 07531411abdc929893590c64ee8985c8b72b0920 SHA256: 27c22e65c08ddd013808ab6fd0bb4ea7ac3220d820a3c137e8f1cf4a2dfab951 SSDeep: 192:CDRMMEnAUnPeedgrPddw3oJtSTgx2FFqFuyAjb2PsF6CBSacQOYgI:CDuxPPeedgrP/w3wggAF8qjbeEBj3	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\clienttemplates.content.office.net\3ECE84BD-CF61-4B84-85B4-BB9C029B1D34	23.60 KB	MD5: 710de3f7dd26d9e5cace4c7fbc325982 SHA1: ab8cc249ee26375d83db633f20c6c06e175f1243 SHA256: 9d987adba3ae63c42e1fd75174276801d889b8ee375c9d3d4e596eb21e9c724e SSDeep: 384:xuUijXb4JMZ32Skfes3MjiR24zB8VdxFuCgQHUE/uhjfFHeK:47/Z3rKesvR24N8A8GxeK	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\OneDrive\logs\Common\standaloneUpdaterTelemetryCache.otc.session	20.28 KB	MD5: d4642e61f9e8df247e06c3b78c2fdad8 SHA1: 25b9bcd32846f3b79113893d8c38020af0644f1b SHA256: 9a2c48595a72b0deb4c2a7da236e39b4ca20351e784f2fe630bdde9e510c68a9 SSDeep: 384:WUkitKbthylEzO3FqVZKTyLMnrNv7X1L3fYN3fGRV76v:S3ClEY0PKGMBv7XR3fYNPUkv	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\OneDrive\17.3.6998.0830\qml\QtQuick\Controls.2\ScrollBar.qml	3.33 KB	MD5: 6f9d195f1a031be2d8325698029bc9f7 SHA1: b9e80c58a203f779679e053c9d3c424b51c5da09 SHA256: 5974459fbabddbd303b4d53386a4e9c5b63e6e8adc65edf921e01576b2fa47a6 SSDeep: 48:U8qWndWMbUV3abQOaVY6/Afk+OCckThIH83m9ES7wVIMqSLOKRrZJmm:U8qFh3yLaVY6/WM+ecesVIMqSLRrZH	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\clienttemplates.content.office.net\CA21D7B1-0D7B-41BF-A409-4B77C898A44F	6.88 KB	MD5: 6bffc8cc9414c798c0a2e4d55118c0eb SHA1: 18a0c5701959570153e453cebc1dc6f2899c4bff SHA256: 5baa02f123fdcb1a62b5d4d36c3842f4ae53d9aa99c3a2b2fa22367eb64dacd9 SSDeep: 96:0pvgbqzE4HLQt0vGsWNeyBylDskKD/gb66ZRHGbAE1R1oqD6f3H+kMCO:0Cbqg4qGDyyAk4/geGm9Bog03+AO	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\OneDrive\17.3.6998.0830\ThirdPartyNotices.txt	48.25 KB	MD5: e070f16a63a7577584a8bd333749183c SHA1: cd420ec5de3cc5a32664ce9fe13613b6a5129bda SHA256: 0bac7484ed5af59adac03ecac84fffd5394e8f6ca68060643fc5aa699ac358d8 SSDeep: 768:Y24vA7Z3WPPwsaJcQFnIIFtPVPruAkbDTe9f5DurHRJABp6xsC7lFq5aYK7evVgx:bjgIcQntPp/k2xDuTRJgJx5nKBsJef	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Local\Comms\UnistoreDB\USSres00002.jrs	3.00 MB	MD5: fe027fbe29a98e3f59d7a0640d198094 SHA1: fd939a406d65550ae7b0ebfe985e10d7f86c8005 SHA256: d849c166a4249562a237e7903a5e7a37ea97a4095b7a11d3719771ba2c67ed86 SSDeep: 98304:GNkWeh00crMx4cKkQs9mJuPWzo8qcsprBmeS:GLX04O4JAhoomKlu	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\OneDrive\17.3.6998.0830\qml\QtQuick.2\qmldir	0.38 KB	MD5: 131573f02cca1b5acdfe7fab2c754b08 SHA1: c5059fe5f5efe841bd3f45584890957e23adfa9a SHA256: f76f4392974ecfff663b271084857850e91e2aa7e4f7da0b4cc5b154a5c15eed SSDeep: 6:z6xs7KOWhQjHuHGh4rdU5gJVyZ1WAP7hf3e/ZRym+t8bhsHy5Fs4Z:1M22GhOUgJiDhfu/Z4m7bhkybs4	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Cache\index	512.64 KB	MD5: dd9ef12d51f77e3816aa04d2eb41a0b9 SHA1: a99bea7b4ac201ba6421c36fe8c7b3d568921605 SHA256: fcb352d4ef0b0216cbb9be6161b604a95a49704b763e7c352b30a261e9f189ee SSDeep: 12288:FLhAsSVA2xrmLr4ivYNT7/O1LIL8IVqS3dSfmwTuKergt2:V3Sm2gEivE/O1EtMAdam9Drg8	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\OneDrive\17.3.6998.0830\qml\QtQuick\Controls\Styles\Flat\qmldir	0.38 KB	MD5: 5c902f51283327365358a8a4862bcb09 SHA1: 4a097e6a001c7a3af361e0214d83aa2576ec4227 SHA256: 20a39bd19d6c907250e4d71c5ff44a53a78bece4f7047a79271c7ed87a9b823c SSDeep: 6:a2u4205+AloJmYTKTMsBYLAwg9pVJSKN+x3zOwmhF6Psxm1vpGX5+:U4IbTlJswG0x3zJmWPsxEAXE	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\clienttemplates.content.office.net\07EC9290-11A1-4B7B-8542-424076F02838	13.35 KB	MD5: d7810b9732fe4714708c5fe5e8a0c495 SHA1: 9b0ef044785f3fd89fa4b511f5c85516686a5ed1 SHA256: 88633a29fffa9bc4c92764aa4d2bc7a37a21cc5732e2ed5c1ca88e8f150628ae SSDeep: 384:KBqH7IuB8WhBG+LopNd3dNmcOOj/lvG6L3:KW3B8WTGYobNOA/lvG6b	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\clienttemplates.content.office.net\CF1CC7BF-A425-4541-8A36-51BFF9F38CBF	2.36 KB	MD5: bfb3aced8eb837e73076b6f0a9c889bc SHA1: 0c3ebccfb05667b5328e9fec7fb52177a14a7c51 SHA256: da794925864f92773a5596a7529ed1d7b601b81a48588801a829d43fe3027bc0 SSDeep: 48:QrXWCo/8je7nsP5vTzV8+SgEroZEfTriC0uWGqRvz17ycPMUUVh3ZSD:QrXlo/8CDspGxeE7rUGMvFycPM3He	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\OneDrive\logs\Common\StandaloneUpdater-2017-7-18.2324.2928.1.odl	11.30 KB	MD5: 1a860915be93684c363d6a7644c7ed1a SHA1: 986fa0d1716042e384449d2e051e190246bc2b24 SHA256: e1dbe14d90dba7263fed463b1c22b59b3d8fd9a7be2c5387c727b6fcdd8ecd23 SSDeep: 192:W5RnGI062yHMFtWGWgBw0cpk7jM9SVtnaNbnkp+A14esn2PNsBki:OG/62sMbWgity7jMYtn4naRsn2VsBki	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\clienttemplates.content.office.net\18E43682-B084-475D-AA0F-B94BD8888B3D	25.36 KB	MD5: 98f24128287146b522d8c85ad08e06f3 SHA1: eb8ace392bea6eaa875434edb92b593c94bfdd7b SHA256: 57a6427fab3c52c13ae319812f9e5432249f74d2021ebee6912ab6080044eebb SSDeep: 384:TP2PrG5sSU8AKINRogsyD7mkzRiniyi9sRTjojLrkO7wTBKY+JiTnr3+qQ:T/j4NExIiTKLgOUTs7Ynq7	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\OneDrive\17.3.6998.0830\ElevatedAppBlue.png	7.49 KB	MD5: 03d7e09f7338567cc7965516485673f4 SHA1: 9a4779c75afc7160870da31058f2b4e87c1d5ce0 SHA256: d41713b1a7a7848108b402212d73f9ba66395cd09b053cc0dec6f174518c3d42 SSDeep: 192:chfjAP5uEIVD0UpvWgmXUJ0tYDqli60gcGRlmlXWouhuen:PrapvWkJ0/s60bGRlMWo2J	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Local\Adobe\Acrobat\DC\Cache\AcroFnt17.lst	9.61 KB	MD5: 49086783dfb9eefea04f17dcb17de893 SHA1: 5eaf45245f486ee58511aa7999ae45795f94712a SHA256: 6ffd20edc8e28df1f7d4a7e6ea12095d437e77bbaff8d343263f1864c208fbd2 SSDeep: 192:GBZCj8S7pTYBfH4KxSk9g2BrbPANoJWqjiAE8QSd8tGpheD07sEuuF:GBZCj18/xv3rbANowqjVE8r+tGpUDcsU	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\clienttemplates.content.office.net\7E661E9F-0FFD-4BF6-A6A9-A33E185C9131	14.13 KB	MD5: 14078ed82b218c02f26daa487e1762f5 SHA1: 3c6d508bbe4a4d46a3d024e76cd571145779d25f SHA256: 6b594b233963f20dc5ecd8b101b584cb1dd5ff61f30aa4281a721c91fed966bd SSDeep: 384:HBQUpv1XimpGXwyAVhNNX4ExyDJnjsfaCHK0kmNhxJiz:hQEv1XtpGXbAVnl4+apofxkAZiz	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\OneDrive\17.3.6998.0830\AppWhite.png	3.25 KB	MD5: 867769c2127ba95346ab3418b6126a8b SHA1: 11d3be7a3564d20d5085f58078ea449114203417 SHA256: e3dac63ab074e56f0efed38462e92f5c85a1660df863b0b20390539b7d571581 SSDeep: 96:K0SPiFWwLTf3CQz8h9smkpRIR0JdcwDPQUVq4:4MhfPc9E7DBnN	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\OneDrive\17.3.6998.0830\images\chevronUp.svg	0.53 KB	MD5: a6fe8051ea2e3ed03e0a08ce9d765a07 SHA1: a087326797e40782469e1673388e5525773cd863 SHA256: 742a44cff122f5cdf3df1f5fab459ed7eee7823d75344dda6b239cb5cd1e05d8 SSDeep: 12:wOpw5n3AJBoRuEkc7LTvzHTff+fdjBaUndTMiRmjDBGQGoduIpHirbMZ0:XpNJeRvj77fivdTM1jUBoLHi3MZ0	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\clienttemplates.content.office.net\797D396D-AC42-4AB5-A395-D4C7890DB4E6	5.08 KB	MD5: 1c81ea75019358c32978c5abf32cded7 SHA1: aa5be05e1869f2bdb6b9ea939fd7fef920c4488c SHA256: baf3a017e8ed1a7388b26da67398f2d704ab5255bbea9bf60d8a8123db3fbf61 SSDeep: 96:9CxDEUfLHQxyKD9Hh69G70wIhuzUjk9B7dCokWpLhYwrx37TqfHMAmNg/deUcvcO:94DEmQgKDhh6U01wyi7d5ppFYwt7TKHi	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\OneDrive\setup\logs\2017-07-21_123817_760-808.log	9.42 KB	MD5: 5ab46f0f36f3329904185d0c3d0472c4 SHA1: 237f7b81f26ec7c54d8c643d7d42df9fe423f81a SHA256: b11985dd26e7ed05e63d31840d97abf01a017cec40c5a07e7d56e6ec5e7f9373 SSDeep: 192:P9JWhdpQ0amBimICfdUYAiXAUVq3OvQYO+Fu4fatyF45wMLc1x8uCg:PW1Q0agimICfCUQCq+VO+FctyF455qxf	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\00009376\05_Pictures_taken_in_the_last_month.wpl	1.05 KB	MD5: 87edf247867c4a94df08e3367a2aef60 SHA1: 2891dbbd141dae5948a4c0ca2e8a0c1d13a56ce6 SHA256: 130576403b0a71a28be9b942fdf59edd48e7279e06772caca72ed9bd57b8e3ba SSDeep: 24:E84PNOCwMAcnCVEdU61mF4owyul0ILRIBCgRKHFD0uAaY:EhPTC+CV7f4o/lILROCgCFYP	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\clienttemplates.content.office.net\D9C1BAAC-9EDD-4EBD-BD8A-5B53E9904C13	42.49 KB	MD5: a924347fbb608866e2a3730b5d0c7c87 SHA1: 4613daa15abff4f797693fdd8a8c628f1e3d7001 SHA256: 1a7fb3f611723a57ea41948a0541cae244946bb7c4dad174661ee555ddd98087 SSDeep: 768:4swj5Mgn7G+Y2dRPzfTZNbH7DoCv6jXynJsh3U9HeXtSWfE+h4ivNH:4swPzYIRrlJ/v8ynKh3S+oYNH	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\clienttemplates.content.office.net\B8FFF45C-0C8F-4785-B42F-24711207C09E	26.88 KB	MD5: 2b38827d59f12dcf45d5872fbc35f889 SHA1: 63c0440c316f1ffa0f09659e959a9e7de9896e79 SHA256: 1ae0efe77de0959ebf5168e7267979a96f91b68f7491dd4ed87fd72ebecc6326 SSDeep: 768:FuWh3OWzl3QtK2kh+T3QM6g9L+wTyhO8kDzjjbjf5FPDlZ:g6zl3+KUkM7LJTiFkDD5FPT	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Local\Comms\UnistoreDB\store.vol	6.00 MB	MD5: 042cd7fad594bce4deb985e5427ee594 SHA1: b23a8d81652c65d54fe146ab6e6397845945b40a SHA256: a61f7f831dba5f8cc25bea7586c1514a3e3ada1e7144de0e552714e6fd5e3835 SSDeep: 24576:2UYQEClK/ORJ/ufiGAXg/h3EFFXFduGpRNgKpxYyDBR6n:r7+OP/uk7DpRp9Un	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\03E95D48-EBA7-4D0E-895B-1582FC40EC0D	64.13 KB	MD5: 709685d2d27403f1a844ef8d118fdebd SHA1: 6552a5945f21b3f2cfa310f7d8104268fe47591d SHA256: 67a36cb1fbfa6da3240d128fae8200edb1a7fb1476c59458b3af3f0b5bbafd0c SSDeep: 1536:ZnqxmerjY7Mt6zgzJ1lpf8fWNxbKUk5+TGge/JE12KcBsOX6XC5xkhonm08aMSCX:Znqg7Czjlp3xWUk410JEQKA+s2eXJMpL	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\00009376\12_All_Video.wpl	1.33 KB	MD5: e33a7f2283b337f7a7d9bd8dba02133e SHA1: 26e0e617ef16c97f939e65688533c40c31451e62 SHA256: bfb70a95a547e830615a6ebefb8b454887b90a86dc2ec6282b1cd840dea99d13 SSDeep: 24:sqsZIX04723CflTXJdwwLL+3q5cFYmu2oGX5rieTp6bFzWf+gyOHGuMKR1VCfBbG:mQ723Q5ixlge16bG+AHmKaq	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\clienttemplates.content.office.net\04A54DF6-2C68-43B6-89EB-3B7958597AC7	4.74 KB	MD5: 17715d29783752bbaeb5e80fea4f87ce SHA1: 382caca2173b1acce7fce2a0b7994ce80c5bf5e4 SHA256: 97b4c9184b1a11e3cc187ec105d0412c654ffb4eba2d199e3f01c69ed562ffe8 SSDeep: 96:2qmqshvPQsvFr8KLlA0OfCZnPGLUvMNKLGPiSFzmt0ZFloZ:27qcvP5uzwP/JLGHXZXoZ	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\OneDrive\logs\Personal\TraceArchive.6917.0607-1.etl	8.28 KB	MD5: de5adcb99c23615af70734c91cc86f07 SHA1: f1502bdd27e198ad14c55e5aaab24ae91630606e SHA256: 754a9100fb02e1040ffd295ccbfb3b9a85a41bc23d3b41d534f0d98feda6beb5 SSDeep: 192:+H2F8bbabo925edZsQx432bQvHzQ/fcQGIQrbOYWmE:+WFebabo925o2QxK2q4fMIQrbOYBE	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\OneDrive\17.3.6998.0830\images\folder_image_documents.svg	20.33 KB	MD5: 3f9269c022d7e8b952a494a9da64d88b SHA1: a84922f027fefa22141a50f851d28179ab1e3214 SHA256: 30cc2a905f6726e83959d7d2a324f8d1e8b94293c959a32733dd7dc95ad02cdf SSDeep: 384:xljXKT2ta5U6ma76HNJmKRoBIdirewENnzGH1mzdQ5N0S8NoW:7DJaOTQwirYBGouN0VNoW	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\clienttemplates.content.office.net\8BE6D37C-5753-4A96-817E-B3C94B03A82D	19.49 KB	MD5: b613db4d1bc6bc82693576550402a819 SHA1: 0918fa9fde9eb961296d48a8657edbabccbef41c SHA256: af03dd8c73b9503f29ebd60fc4cb59eb9bfbe22a6d4c64b352542611553fc107 SSDeep: 384:pCp+qrc8GzVGUVP+1QkR0hE8Okt+ZLIKdvZsayuyHxXzIX4:Apdr/+VxBCQ5hokAZL3ZsQyHBzIX4	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Internet Explorer\MSIMGSIZ.DAT	48.25 KB	MD5: c15d2e1b1f127f709cbfa10a3c0bd9d9 SHA1: e8482618a4d4f8b3a2b9f14e119511269540c87f SHA256: 18e8d5d206324679553c75c41684410605047248802671bdd758e48c0e4beab6 SSDeep: 768:2HRRy6m5Tw/9rcgTWAGMpViW+0ULZN7rV3+62NF9ZwRQeiTfdDTZYXI:2/y66mqgqopVX+7vFuD3wRQBTfdfZUI	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\OneDrive\17.3.6998.0830\qml\QtQuick\Window.2\qmldir	0.39 KB	MD5: a9c34d2fffbca64be6fe5a5c4ac0a33e SHA1: 8748ad4e6c6d42a14e80d67ebbb70e67eef06af1 SHA256: 66491260fb3549341627fd13c4928af60da15b5d6d9112de1c67372da08c91aa SSDeep: 6:SSEyN3c1ZS9U4fDxdY2MDPgD7SiDHAuBPzoeeIOTUhTG/oKJhT0imlDde+0pkQ4L:kt1Z9KHVsPGtDH1qInYhJZtmlDO+Q4L	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\OneDrive\17.3.5892.0626_1\CollectOneDriveLogs.bat	5.99 KB	MD5: 65aa8d01488f8b2a453669ba01353c5f SHA1: fa7a5d53bdbeeb2f5c3e2a26f1477eb347ae0131 SHA256: 42ad53b6ef53ee6cd421f7e6ffbcc344b69987ab9bc4f10c9a3fadf53c83064d SSDeep: 96:y/Q295r1xVDT0VxT0YcMrfBmS0zwXNh162e0eQOXqqSeHx3byENPGlE3qDU/2zdU:y/Q2z17AVmY370zw6KelpSSxx3q4/2z2	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\OneDrive\17.3.6998.0830\AutoPlayOptIn.png	10.27 KB	MD5: 5332c77eb6226b0234e74b8c21663003 SHA1: 2ceff743d1b5b22149e381f69ca8c6a0de188fc4 SHA256: 20b7f4ce358e4fbd2890bc9955be2053df9ab84ecdf778f30bdb1cb64ed057eb SSDeep: 192:k5hGBFBXrzLgzh3GUfgeQKHgE5z6YtPNzlvoVXg1cQscj9Mb:qhCXrfMb/+7UsaMb	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\OneDrive\17.3.6998.0830\qml\QtQuick\Extras\qmldir	0.42 KB	MD5: 61ae13294bdb558d31381fdff835284d SHA1: dc9056cea33cd668a2d412a26fb5cf9d21634089 SHA256: d6a1dc2541a212ba71c9ebaf1a4aca524e55f3d522caeca2dbae5704947dbe8d SSDeep: 12:xAolaj902VFD26HlaQSKRwPq1Cx9drpEUWM:xAouR26FE/xZ	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\clienttemplates.content.office.net\A20B85A3-C624-401C-946D-7F2C8C9E0EB0	120.42 KB	MD5: 71a22907e6e37a268f4f4da080c79fec SHA1: 3f25135496b6b7cfbc1ccf7f870374ae386013b4 SHA256: eff21f7665e36258a49fb839ba2af0eaac61c6eec286b67aa9aa5630c2ff9efc SSDeep: 3072:fWNWp2V0arvVLCFCiE5NvjI4ctT7MQHx3E+aPY1ANQ7H:sWp2yaACF7I4cx7d0+MGD	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\OneDrive\17.3.6998.0830\OneDriveLogo.png	4.83 KB	MD5: a006c2397c360638645fda794bc36769 SHA1: c33a21df7f57fa21856027aef6970d30b3e2f469 SHA256: 6a8d90dd44f4fd41ed1e318d85b355c48656f7eb504ccb7a6cfaa0d58754a881 SSDeep: 96:R20RTbSTLl4Wj9AmUvjylLkh0P+eUuXGEryBswGel99PtSr:RlnSPl4mGhvj+A0GeU8HrLclzk	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\OneDrive\setup\logs\StandaloneUpdate_2017-07-12_164130_2e0-2c8.log	4.49 KB	MD5: 3d45f7a02358cd511252292c5901a3f4 SHA1: 38bf33e9178fdc02a6daec91ca73c1a2adc11953 SHA256: 6346b620f7a4358da2cacaf439e0cfbd76b925bee2c07d08345b1046bd369fe3 SSDeep: 96:AnjtC/QewYF/bMX8P+lCIWaLk5VFY+aD1sooeoW57/TK3V:knCDS8ml2awFYHeooeoSKl	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Office\PowerP16.customUI	3.72 KB	MD5: 317e9b6d01048d1cd84057d797c4582e SHA1: 8c3bc127f100fe4bfee21b34c1336a2d9f3800f4 SHA256: f1bb05a4ff5a48183f257c02fc91515e9128ef50d092cd4f85744992b867778d SSDeep: 48:k8bD0BrBFWDp0cXA42Y+Bn83Jq3Kmp84ix0RhNxYY3IhPza97BXLGx1bVEMJh6bf:kj2HXAv1oq6mhVR0da97ZGv5bJUbQE	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\OneDrive\setup\logs\Install-PerUser_2017-09-26_160326_bb4-8e8.log	590.47 KB	MD5: 8958470ea06d9969141f4b70209c70b1 SHA1: 8c1dc286c793db76de995d385736d06af1806fa2 SHA256: dc3f28995fed3daa0fc52e6b8f5e949f945f02fbcc3a8fbeb14047f35a3d36ca SSDeep: 12288:9zxM5Jrr4lvCsRXL23pB/WqHgHuGDvy6b7E8vc5OYeb/6wXSD:Xerr4NFdQ/Wqcvn3E8v1x6wX8	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\OneDrive\setup\logs\2017-07-21_121120_934-848.log	9.42 KB	MD5: 03a7aea4d3bc417d5c4a773415fb3418 SHA1: 1aa9fdc5bff9a74aa2f78c50e165245a9cd661b7 SHA256: d90f990e2cdd29bad97950f6a88a77ea2ce17a1a6264e68978b533225d57aab4 SSDeep: 192:dPBzeAhlPqiPNwcfMFljD6s8onBrMMcP7IjEfrGZzUR/eXvv5MK7tpiv86yP2:jz3/Pq6dfK8qnFMMK0jEfrGdURWX2KpK	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Local\Adobe\Color\ACECache11.lst	1.41 KB	MD5: 7fd617ecd2cd4bf0979d38f79ec15ccf SHA1: ae0ba39208fdf524f346b73489f0f17c034cfb80 SHA256: 15b86c03e5c4f4c8c58cb05443e1868a28bb158efd31364346c394b429edeb74 SSDeep: 24:uwVl0QngEXd8eoOLwBI8+4Pos9czzGlEBdnZbr4hShoHeYC7j+LvK8:5gmroker+4PZKGWdZfAq0W7j+X	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\OneDrive\17.3.5892.0626_1\AutoPlayOptIn.png	10.27 KB	MD5: f5fca51478551ed131b5f8faffed9f8b SHA1: 36656d1f49d7045d09246c68a1138b892b460a00 SHA256: 42313abd81c24a5d96890f2cfc8a2477d1d49682815058c27dbf82a43fc64d81 SSDeep: 192:h9igQdkCWunzMQIBe67Tlgv6dBwp9b1TKx+v+aWe8jVU/tWOO+XzrE:h9igmznMQIBe6flgv63U9b1T/xnH/EOw	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\OneDrive\logs\Common\telemetryCache.otc	10.00 MB	MD5: e93bf0605841d3c6ae9cbcd4212c9a00 SHA1: 2e19d7aa2b3c0d00500c8dbab3377b80f0ded4e0 SHA256: 80ec885969a1a97d50c40e514bc46fc6326238ad157aaae5351ae76dc3ee42ea SSDeep: 49152:9fjDLzt7gz5+JzqMeYizC3M9oRACGYnnNCjs0VVYS:9fn1c1Q/AiM9uACXnnsooY	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\CLR_v4.0_32\ngen.log	1.00 KB	MD5: 8f72485999e2b519178c2fb528549ff7 SHA1: 3faaf257e968f5e6bf35b14cf537325fc3c02ed7 SHA256: 089fc2c003ea40ff80ae8db47fb01b7486308b20d311c20709c53a56686c09e0 SSDeep: 24:g5TSiH5qr3IulTClNh+Be6TkUwWJ+87ZVDo6lXLrn:gPZo1UekUX+4DV	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\OneDrive\logs\Common\StandaloneUpdater-2017-7-21.155.3700.1.odl	11.30 KB	MD5: 453f929c4f661859d2c5049b0d5fa606 SHA1: 5b9af8e85c879d87634f1a16d847d87d15947d18 SHA256: ad6d4e5aa94dbc89aa06e3a75230aa2a62a57e5b4b3c6ddf8a73320e2586d7d6 SSDeep: 192:QYy0quXj4DlCChqvMFF4JrENNv89wwXomkbMGxlCqcZ3iXdkfQ2t7G/A+ZR:/y0b2sMFFPfv8fomMlRafQr	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\clienttemplates.content.office.net\01A0C0A0-84FB-4EB4-A9A1-4BCABE4EFC24	19.28 KB	MD5: 69f03d6ff663b8a9eb1090ca4d26453d SHA1: 8498f927825f48851d89bb59a5aacc1260f1f2c0 SHA256: 29bbb20755ede247859195a047009fdb696db551024c4c1e1b507b96a6c32250 SSDeep: 384:vv3l6o7lHhaTeAcnTZPTlXYVhKYynhwjxUVPx1Whqhvpu5:HzHhaJ65TiKNGFUVPqhqU	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\clienttemplates.content.office.net\0552393D-14EB-4F89-8C21-8959A49968D2	14.13 KB	MD5: fbc04dbc67a5baa4e59a4fa8dfab1e42 SHA1: 2bb7badef3a67be478a45f27d8d55808b0d1d066 SHA256: 9ffbfe8f3ccceb303984162d6393bb04957753f36007fab8f0e9702e59e098ad SSDeep: 384:U4i49xzo4R2uzuyrUqIefgYdImiCXL+N747+nJS4:U4iUJV2ubrUqIy8miCXLBMJn	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\OneDrive\17.3.6998.0830\qml\QtQuick\Controls\Styles\qmldir	1.81 KB	MD5: fb2f2a969164713389d0264f0972ead8 SHA1: 69bff677d1612c7246cc61ddffe040151b7ae885 SHA256: a48d272383b0b2f9e0734c86436b07a2fa43ecbefeb6970056b3a4ffc243d402 SSDeep: 24:qnE61dJHWpFtGGD5JSbsbTSCaffD47/73wipDQ8QfWv1KZHhtb/CyApzRJRice79:qnF132rXdcbsbeL7/gDOfAKZH3KyAjha	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\OneNote\16.0\cache\00000001.bin	20.28 KB	MD5: 421ed5aef7d156a5def579b0234484d8 SHA1: 6e581a421a59ef05b627cfd7c8512d1bb668bae6 SHA256: c0fb7a41845bc987e2ef285da21683335cdd1c5c62defec13167a0ca376a0937 SSDeep: 384:ILN/h7YncYduxyfbqI+t4Z6c+M9YtTT4Attc:ILf7Y3Qoq7SPqJFs	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\OneDrive\17.3.6998.0830\LoadingPage.html	6.53 KB	MD5: 34c98972504df9402a375c7e0426c54f SHA1: fe12512c6fa0ac1a525d2544ace0280622196d28 SHA256: 067bf972376428576b68ec1dbd49b7499d39e63e89aad12bb14b6160c467c026 SSDeep: 192:cWMYTL//Gf1EWfXLpfdVmV/WLzv0OD9II7f02K5SdtZ:iiL/Fopfd0Vufv0ODRcXSdtZ	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\clienttemplates.content.office.net\4558EE3B-BE9E-4DDA-A9E5-D74AA0D2D069	2.63 KB	MD5: 45211c07d2703dc830e82a839e187e65 SHA1: dbe5673fadb9186a790155ac7af530423b55d0b1 SHA256: c58f547558a46111392bbdb6dba4a986f7e7503ad6292047042f33ffea9cf7f4 SSDeep: 48:Qj7AbrqgW/0cnZFiMjs9xgepdaQK/K8QInO12GPclUep44UpCMbKTP0KBJfD:Qj7A34McZFiMjo+lH/K8HOj8UeuJpCdv	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\OneDrive\17.3.6998.0830\images\stackedIceCubes.svg	4.97 KB	MD5: e5da4d8aba2319f9e3d8b1ff01559135 SHA1: b8b93b1752cdd767cffd8f3b04b5555a5b3d042e SHA256: e260c1b6b5ef851bd95cc32e4cffd9d37dcf299be2fb7eb305f4ea7ca18ec61b SSDeep: 96:ZNGPF/p31uULWCbErcixrhI/4UFDrA9rT1V9rT6NurxJ0hAnGgLzriQmnlKyN6Ll:yPwULhbOcixl+4UFXiP1V9reNuH0hAGA	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\clienttemplates.content.office.net\5B8C44D4-2A63-481E-A1AB-5E6CF4501F02	23.71 KB	MD5: b1145c589a630bd05f1fcb984a8eb486 SHA1: b58272dd7b66b74d460072ec22ed8f231dfa5d3d SHA256: cc77fa6236be3d52596989355521ae3ee77b89f8226a65fb72957539f1fc23ac SSDeep: 384:4udtcUdeQXgLcTphu0ac9oQgPpayYvYwljjSLzb/qZLxyIVvOQ0adzt:4uEHQXgA9huA9o7a3YuvSLwxJmQ0aT	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\OneDrive\17.3.6998.0830\AppErrorBlue.png	7.67 KB	MD5: 92d32d6185b774cde6bf231891405af2 SHA1: ed21b47e7de2467d7c9dd3c0d5fadb262df4941f SHA256: 0f63b45db958b1dfc5129167de532fb6ff7e99c97f6e79396f8da101bae123c7 SSDeep: 192:M+3ZCqEHDjDzsZBuK8QTdKDhgnMblVzVDcog:LpCqEj3AZqQTdKDhHbg	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\CLR_v4.0\ngen.log	1.02 KB	MD5: 84d3805861c30362baec9bcbc17740e8 SHA1: e140c0d2f1d093c2132f49241c2151402f0597ba SHA256: 08e815ead449c035bfc8ec512c725ec9339ae1a6576ccfb48f2b4bbee1b16c70 SSDeep: 24:g9QXS4pLrPS5V7HQbetP/XlMZ1zp5ADYNXgfaZfYw+ZkYYXqe8VH5pjVKe:9ZvS5JHQbetHX+ZFp53NwsfYw7a/H5Vf	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\OneDrive\17.3.6998.0830\images\iceBucket.svg	6.06 KB	MD5: de09d9ab1270a4e2eaf697f8acf1f82a SHA1: 89fbaa96f179769926382e507a2a3ddba3477d31 SHA256: d5e072e279d5d64a6a3f82bc312f01c9cece339e56fb0bc33c3164471cbed7e4 SSDeep: 192:2XZb857deKOkUWDLcH1zlTmdRN08ezSGIg:0dGdek1Dckb0b6g	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\clienttemplates.content.office.net\9403D050-B4D3-428F-920D-D3B5F01FD272	16.61 KB	MD5: 1302dfa18ed7fc8c3572b982e305daa1 SHA1: 140656c089d07edc68b1e9604f5622c246026e10 SHA256: 8584cafc234fc60b031f4ec67ff3a1fd5cfd02b73e8e2323b3ac13d035031ecf SSDeep: 384:hkKK+dLRVO9iivjCDEAieXZvh2OUgtWAuYo57Pln77J0sF:hzK8LRk9iijeDXJIsQvP7t	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\OneDrive\17.3.6998.0830\images\settings.svg	1.63 KB	MD5: 151a6cd9510912c94627020c57a71ea3 SHA1: d062480869c359e3a1faafc0b11879c0a63b316f SHA256: 30d28140970906c029ebbad8c7455d2c038068f6928603470ff6965385b0c281 SSDeep: 48:QT2SlyLzaI2cY6eJvi+7gk8tL2LfYb5vmRL/:QV8r7/eJa+uYYb5+t/	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\OneDrive\17.3.6998.0830\qml\QtQuick\Controls.2\Menu.qml	3.08 KB	MD5: 37e26f644e29e9bfd51ec410b4a1bf2f SHA1: d5a62ffc67849a21732d736a401da3b5468ea3ab SHA256: 1639bbbc7d94582c2f7506dc954beb72ce69c1f053fc421ee5ebc31a7bc0b9c1 SSDeep: 96:N8Aa/2BmubCgHHYZ87D/j0U+qr8t3xtt89DJlk:lS1KCeHYZ8b0vqY3tt8rlk	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\OneDrive\setup\logs\parentTelemetryCache.otc	20.28 KB	MD5: af81c876689d3bab9b4c295afccdacf2 SHA1: c9eec448f6702a30e93556ebbfd10ff4c67ea78f SHA256: 845d0fc4d1a0e1a42d1833f9c3dfc9b46d8cba9dd736613a21ced5c8530c5b24 SSDeep: 384:7+zKEXyDPsuVJ9tODf7mtJdS7XtVBYT8kCY23mXVDCYS/k6MtL1GSy:7O+zJ9tAG3S7dc8w23QCYS/k6yASy	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\clienttemplates.content.office.net\E164F0A7-B014-475B-BC5C-1C1285127D5A	21.42 KB	MD5: e5837c7bc962ab6c46ea940f4b88fd4f SHA1: 14da1510dc2ec5eb6274bc4fe804be39c1ace996 SHA256: e32c1cc7dd3f1e80fac4fc380f5d8fe3fee8298b794ec6bf98b9ecb964359f49 SSDeep: 384:haWcZPmJ7ztMNtpHDWICNE4WFhl7CNITPnYT1VTxxz9rQlD:EWcZP9tpSXe7CoPoPxxz9rQ5	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\OneDrive\17.3.6998.0830\images\onedrivePremium.svg	1.38 KB	MD5: e8457ae66f174b729f277a6879452d2b SHA1: ecd28fbe0db32e0939c339dc164b282e94335037 SHA256: 2551ef472910014c03f6309fdb11b4b0e0c48b502be4fd47e9b1c3589b1fcf1e SSDeep: 24:b4zrKsrKQVduzEKvdRmDpINC8EFazaXkNgF5VyeK4MV1VrnnK8IDScaXwuOqB9Oy:b4z+srTduhmDpIoz0MoRHVK3xaZbs4bz	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\OneDrive\17.3.6998.0830\AppErrorWhite.png	8.38 KB	MD5: 3395faf4aa12bb4abcaf72f0cdf7495c SHA1: 53fb4c8e0c96b3c6dab394fffde7d6ba4ee38a61 SHA256: 80b53c91d183ef74251db153d986446b07c9afb3b58487372ede667c21718344 SSDeep: 192:fdSRGlp+KKlUm7/+Zs/i08Zph5ETnmDThrmx1NPxL:4GL+mMiBph5ESDTNmx3ZL	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\clienttemplates.content.office.net\A6B97942-B79F-460B-AEB5-87B754D40071	52.36 KB	MD5: bdaa8bc27a6abb6f2d4836269e9cbaab SHA1: 0442480f4af04eebb46eee0b54e819630ef1bc10 SHA256: 3547daca63f8d01eb6405d81b4b297d19d251bba3e04b6da84b3ca4fbef8a25a SSDeep: 1536:2TzZI51K7eLqELFHHuHGhvuKmlInf5kWBXo+:uzuHKSme1xAInf5k8Xo+	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\OneDrive\17.3.6998.0830\images\overflowIcon.svg	1.24 KB	MD5: c6e692b178187caa90f459dd5cd9d50c SHA1: b820e7516bd9ae9797d9af544125f901ae738d13 SHA256: 25ee290c5dc329cd2a472f3b600b162ebfe6d5e04141b9f69463c8d55fc34ef8 SSDeep: 24:qTBA0ykY7EBQQSeQ92q6bOm5QioCCQQ2h3XRbxAgHOtWoxq93W:A/YYSp92zbZQvtQQ2hRbygutPxqI	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Feeds\FeedsStore.feedsdb-ms	5.28 KB	MD5: 9009f15668091c9ec84c39618dd277ce SHA1: fbfa0a3b700da0d7cca6fa476b62c0d96b488d35 SHA256: ba656fc1a7b63b6feb677d639bc13945583cce4ab62b413b050583f44c38578d SSDeep: 96:iePVSw3zinyRUmiBdj4u+wNiFjsNMHBmzBnHuf0tN5P:iePVTzudbj4urzhHusLJ	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\00009376\09_Music_played_the_most.wpl	1.28 KB	MD5: 48559444f0fe3dc8c30a6e566bbe3123 SHA1: b587a8e79bf90b9f2529c063017f1ef0c199ea53 SHA256: 8d5d4be639293837147e1195b8735ffdf57e0258a9cb624fb5998b06cd967266 SSDeep: 24:XB41OKYBB1XGwCNsUKvAFxsABVnoWLCjkDUbojrdyHBP96GuPs0hWvTDI:xKcXGdsUKvALsABVoW22UboPUhP9kPsu	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Internet Explorer\brndlog.txt	6.71 KB	MD5: b9a75e9d8d2230eeee43859b2248fc3f SHA1: fef2c918a0fe888a5f2465524b8cf0cf2f74dcec SHA256: 14a9b2ce48e34b09b3f9d0f2dbbee429cb27fd539ec4261e9c0d683432130d9e SSDeep: 192:EXSL9R8MT9b51z45rXf+bixffU6RpTkow8uI:EChJbs54ixH3kYf	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\OneDrive\setup\logs\2017-07-21_133220_864-704.log	9.42 KB	MD5: 1a89a52b1525a6b3edce8fb4b65ea2bd SHA1: d5ef86052532188b1d066166033b455fbb3c5695 SHA256: 074cea3281d06e9e1b7822d09ab3e14420c22048adcdb3729929cfb7a066277d SSDeep: 192:aJbj9OwP9vFsBPlqZa8unpOUTjXLZ0etTDvQeKbEmRLGNk:al9bGSZadpO4jXV7Jv7UtRqe	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\OneDrive\17.3.6998.0830\qml\QtQuick\Layouts\qmldir	0.41 KB	MD5: bbecfe1f4ed357428da09ba89a946897 SHA1: b23a58677d6c6e2e06e3270d2f9a2e6ea690d1de SHA256: de44f7e7eb1a987f961c30de2f657f69f0d2a72161fa23f3ea0bf59b0d5d14c0 SSDeep: 12:8Tic9FO1mV5folqA9HU/IwdBUOytOZgUHt/ORU2v36m6ZkezpdQ1+:8Th/I+o19ITddVEUc3X6dnQY	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Local\Adobe\Acrobat\DC\IconCacheRdr.dat	52.60 KB	MD5: 573a999fbd3ede78668b13699110475b SHA1: 5ffb737c8ee85f573dce2d8bdea9fea33da6f6fa SHA256: ce240a93e988119db51f32e43904ada94f02e954c4b30d8f8efc901f075b6f6d SSDeep: 1536:WLRP3n2x7ydjo5zQLYvK6W+f9G+6v1yHTkswiR/:kExupohQXEatyyiR/	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\clienttemplates.content.office.net\E277E429-138B-4461-B716-C03D493C22D0	19.61 KB	MD5: 8ee5590d0307041a8ea4e7700aeb1e30 SHA1: 4cb21c55462bbdd2595f3150b635f01dac610924 SHA256: 7465442695467fe4deca1fc95ec0b3f5e5e5548551d6a84f25cbaf22379fe0b7 SSDeep: 384:3KgOA8gNMWKuifcuC2K7P6dc/R/bkbzHijWcDGQAeyycjuxOb:FYpf3zKUCRjkHSdDGQAeyl28	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Local\Comms\UnistoreDB\USS.log	3.00 MB	MD5: f04c607727bafec06dc02e00f1ed3c0b SHA1: 73f2a55f862714ad48f0b1330375d22ca599bcc6 SHA256: a85ee9dd036c6b0959bd97e0e5734331b07107b4463a4d8d4d11cb961915358d SSDeep: 49152:IQceXsQlIemvY4wQTlo6/jfz+cXXH6cHEa+fkVDy+RbSoSxJvwxSYp4pus9a8GJJ:IQcRZfRRh/dacHV2ktnZ9xkja8Bzc	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Local\Adobe\Color\Profiles\wscRGB.icc	64.94 KB	MD5: 28509bf443accf047936b49907623d5c SHA1: 24370de0f89e6f5a97352e0fc949023836c06835 SHA256: ee4a4618712038c3c6d61c387a4eb04df474b817e1e4bd56e99058c7996ae967 SSDeep: 1536:6QK7nvzhAqAjuKcMGIKnv1eKbWmLofeTauhUpvu7R4:MLhAlZv/KfnLNwvu+	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\OneDrive\17.3.6998.0830\QuotaError.png	9.35 KB	MD5: 416f6ce39b25a9f411a32c200f1418c0 SHA1: 44179f2b37822a785b1500356b76b38830edc6c8 SHA256: cdd55ebc109058222b74f569930f058a66edc7c57912024a74c387c8182d06cc SSDeep: 192:KpiPwR+rf9f81yetKXHPo+DQGveOuWHSxKhaVyzl999fEWIqjG:KpOwG9fFe8vo+DmfWHUKheyHrfFK	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\OneDrive\17.3.5892.0626\CollectOneDriveLogs.bat	5.99 KB	MD5: dc49cf081310c073f35eb4b17a1cac5c SHA1: 7bd3538642bb8d05ed9f9e392e849d82e1bf4efc SHA256: 185f47e1c21efeaf6815205ecd64282b947e89580c591f2e7abc79a12033b395 SSDeep: 96:08ZLPqVJLLUxTWxkAO/LdOMfNxdBmV1mPVFXxvVROrry6ND7JYABmTPR1RoytPAU:085SVxLYTBAOzdJfN9HPPxvVWNDzSqSh	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\OneDrive\17.3.6998.0830\qml\QtQuick\Layouts\plugins.qmltypes	3.97 KB	MD5: 345f6ed070da33aa82745f9bc82e4c1a SHA1: b5aeba4bb9f9728b5f7e11aeef28bbad8b88ad41 SHA256: 4c2cd853172e2209bde3cba1864b65e94f4d7097f61c176a55100ade718a8c94 SSDeep: 96:qHTlnKSKG2/5mmtfv7qTZLhmJPqaboeVXlJ0xL2tOjQ4lBopXT4YxcVX:qHId5ttfWNUqaboACL1jQ4ANT4Yx0X	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\clienttemplates.content.office.net\A590259A-C20F-4378-9A6C-F9556FC0CBA6	6.72 KB	MD5: 8a7931f0a89d97e535cc35c589999cd8 SHA1: 813f6949ba85152f0a840af16204b4afd0970789 SHA256: c0e9c4c8ca248a6814a343f3043b0497443923f3659b6ef5acd6914689b7de6b SSDeep: 192:6rvCJt3tMR+oZ63KdDA+gb63D91csY/T977:6robMRDM3Kd0TbgaH	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Internet Explorer\Recovery\Last Active\{94C50253-C9AC-11E7-9BDD-C40142ECDE47}.dat	12.78 KB	MD5: a3a4c1d40bbc69fbdf9ef704d7b4f78f SHA1: 98b74bd4c08dcd1d9723721a0d1f08a5291fc442 SHA256: df40f8dd1f46952d98684f9b45e2c3c1e478e3480fb20383613963fe64952129 SSDeep: 384:JQdpaaCvxwv2WuxtpSa9FlgwdXDIE/Hb9GekH:aarvB/tMa9PgOXDtk	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\OneDrive\17.3.6998.0830\QuotaCritical.png	8.88 KB	MD5: abb5acbf817d896670bf6fd6489ebf57 SHA1: 5370394e66a108f63c86dacbe85efa20ebfa473b SHA256: de8e80c3f786c7b4aed50d69ac09872847bbe1dd4bdc6e9e6f8fa9361f84fb6f SSDeep: 192:qvkI1D217xHwWv32w8MDkvc++MLPDN5yFi:q8oDsNwWOwbwvFxbB	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\OneDrive\setup\logs\parentTelemetryCache.otc.session	20.28 KB	MD5: ac02e4de3b656d99805fe94b24d97cb0 SHA1: 993ccf337067cb216c3afea772552f4be00965fa SHA256: 73d2579cd4bc6a30edd20e63cbcd0a9ad92641b0a87fb0cfc06d2c867afd9868 SSDeep: 384:9eurzdHE8W7uX3EcX2qr39ASIJIo12qxdW6oNpwH/orL47BvJlUA8ANj0klgjXFH:/JHAuX0e2eFIJIosiW65/ovqKXIQkGjV	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Local\Comms\UnistoreDB\USSres00001.jrs	3.00 MB	MD5: 8f57d32c598c87367041470c98ee58b6 SHA1: 60e3762904502544a9fef8846111f112514efbe5 SHA256: 640c86ce8dbb937f02e1c2ec0509482471cf0636b70b4ef04218b591ff558049 SSDeep: 98304:BFOEPwrx8NjlXi33CNuII3vmS0FTxq0XXuJ:BFODl8NkyPuuq0XXuJ	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\OneDrive\17.3.6998.0830\QuotaNearing.png	7.61 KB	MD5: bc09af17393f37d2b715879d535d682e SHA1: 84979d9401a8c070a029dcecb65acdb1d73bbe36 SHA256: 124c50b5a3c4ede96bab211a03ec850e5f5ad56ef060f425bf100d459526a803 SSDeep: 192:X4ayT2KENQ+s85K0NvITOK/ikYuzWdxSz4OmVDuGrple/:oaA2K2QVuK3qK/ir3Sk5VDL0/	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Cache\data_2	8.28 KB	MD5: 83178ca6f543cd3f98ffbeb13792eef7 SHA1: 3f37151493352c43181034a137fed34cfd13d378 SHA256: 1b2e9972954c4b8755f14c42b4e52bf0df20fe2562aff59b93e9cf54ef307aa4 SSDeep: 192:OOvM2pdRz+UQ00YJLl+BYb1iu+Ytg/tBkIxFLS:Ooz+UB0sLl+BYBiuM/tBk6o	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\clienttemplates.content.office.net\9854EE7B-727A-4189-BCA8-C1A2F7C3ED6D	8.94 KB	MD5: 26911655e2def713623a8a9ec4f22ba5 SHA1: db26a43994554834e2c9fc67a6a3e3fb4a2b3562 SHA256: 86a134d534c6c56548f08ec7a401edea0ad2d83c0d038ddfafc7a8815dccf035 SSDeep: 192:1iRo+Q5xxCULkN0bSQlfhOIN5x47zdV6QZrokmS8G8AeQ3:l+Q99LkHQxhOIbx47v5Z8kmFAeM	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\clienttemplates.content.office.net\542AE9EC-2AAB-4A8D-86CE-BF36E018A365	5.53 KB	MD5: b686f833f12178e9061bec6b73dbda60 SHA1: 3cfacb45c30648bf12e654ea9ae4c3d86374f306 SHA256: 7a59c717f755789c7765f4b03c32b42c28af1de493dd0cf20d600f6f5357bb7b SSDeep: 96:ufColsJJc+oO65Q4Pyj7aKvxWsIa5GB/HrpWRv8W8vaCicklITArmPD3sx:7zJJH5eo79WBPUkQCicSMQx	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Local\Adobe\Color\Profiles\wsRGB.icc	2.89 KB	MD5: aae4aa3a51ac13f40305e06a76dc51c7 SHA1: eaa624ba568aa3ce8ce7d4aed95b7c80319d949e SHA256: fa661d51f8969a25673b6685019ffb0a10dd946394f424805bfee84ccf235ec9 SSDeep: 48:qsCvwVEhqBoPF4Htfvmo9+Bk+ogdWwNaW/E6tVEdzaF6tLkQsTbCcqVGazlDjjn2:7CORCtAdvmQ+Bk5gUwNaWM6b+mstD2bR	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Internet Explorer\VersionManager\versionlist.xml	14.38 KB	MD5: 9edf2f9a174a8c69ce0433efb8e0b044 SHA1: e01d570ada1c5e16933a7a4e8f6a3f28bb21d1a6 SHA256: 45d9fbbea6965f4251d72aa3e7c76a3fe634c393b78295ac6c0cec1b7e9413a1 SSDeep: 192:a73Cv+LEAkInuc353Y2b5u+EYTP5X6xvlozVRui6b9Aq327aqpmklTuISTUrzUoz:gCIvn53YKxD5IlEGi6wOMlvSTUXUkL	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\OneDrive\17.3.6998.0830\images\folder_image_pictures.svg	12.53 KB	MD5: 155da4480a1e8395691bd4663eab0e21 SHA1: 3e7063853ba6d8fb7f3465e42bcfd258e0dd37c8 SHA256: 092e926e17f1c454765c23e8211c2f90050e8e24f35373d2969134da023db449 SSDeep: 384:TuMcU4A4uRAAB3hZ62vRmpPdtyucRvJEl:FGuRtB3L6250PdHc/M	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\clienttemplates.content.office.net\E00BE78D-CFF7-47B9-8E8C-37ADF516B28A	19.96 KB	MD5: 3d591c4612cc681d5f2a019f5fa66384 SHA1: 27bb159379ad714d13f951888bdbaec1aa8a57cd SHA256: 63889830bb5dc8861b24bc13f030467e244ad56d28fe1a7afaa1326c83fbcca1 SSDeep: 384:n12zypDvrja21HeAcBlhuhsKgNNHuTCTXjRa4+pVaQ5r+oG1mxrPbxvtuVDLc:120K21+AcZuhsKz0TQVdB+oG1m7Ulc	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\clienttemplates.content.office.net\804C4A29-C626-4EB0-9A5A-CEC3A687FD1B	98.71 KB	MD5: c617554bf3c2b388c6c92d334ca932b7 SHA1: 60d69b191886c91a31cfbc8660df929b794f8ad0 SHA256: 63c0cf7077caa15c3460951d349196582016aad2f741d4a8e449898b6a35e2e1 SSDeep: 3072:WZhEpl5eeBooC2FuygC/RKHTZjZu0EcifATZE:gEFKoCbC5K1jZu0ER	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\clienttemplates.content.office.net\C8E2BE08-3214-419E-98CF-7DB7BAFDF7AF	21.10 KB	MD5: 931f330de1eaeee78b34184cfa5a61c5 SHA1: 295f06e1e70b86ec5746530c2568aeaa26466aef SHA256: 67945aa3bdb7478824b37ec917984849c4da2ee0d51c6b6d6e15c940385faad3 SSDeep: 384:EMl/lCYVRU858R61uCzt73urZzAJHJrXDCez0GQSRzxgXA1P9YSwhw8q:rNCYTUg1bt+SHJXpdvgXA1PeDwt	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\OneDrive\17.3.6998.0830\images\loading.svg	0.97 KB	MD5: 41e8e3258611baf58f95bfec5ec91c2b SHA1: 998235fb121b9dd6516d7d1ab158feae27c59ce9 SHA256: 8e0045364412b1e6319f35be37a6373172ab2d333d9d25a9702428ab6572fe22 SSDeep: 24:4bdBxp7FZ7T6+iVsBaIS8D9vNAoimrcxLOhmv+vO+N:EBxxn7XSgav8Dqmrc5O4mvO+N	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Cache\data_0	8.28 KB	MD5: f2dd38dc08f3b52c31b6abf689277cd3 SHA1: d26367fe37ffb761d9e9c1151e2311b4989c8c63 SHA256: 7b6bd50de4656016f3cf6411c7023f5eb692536254a8d8e3ccdad6a117e04e19 SSDeep: 192:a+BXIAPwc4h05osjfbrixGm7iRfaLk3aGjLfNASJVcR89dfjHyX9:lX/4h0NT4Gmi4k3a0LjJWunfj69	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\OneDrive\17.3.6998.0830\images\chevron.svg	0.56 KB	MD5: 1502bd29290aaa2c73495f83a5f8357d SHA1: 13b802c10801f56bb8dd68af43784d8ccf37329f SHA256: a3f7c7c5c3a554705bee39222af461b51ff152dad6c2b6fd4dea41e6771b84ba SSDeep: 12:VoYWGjhMTHaOFopsut91R1hXfdAypD/GiM0:VorGj8FoKurthvfRGiM0	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Internet Explorer\Recovery\Last Active\RecoveryStore.{63E26EB7-6816-11E7-9BD2-C40142ECDE47}.dat	6.78 KB	MD5: c5aa0bf3811016aaeee43a41cf7a109e SHA1: ad7eb10a3797e8390336118c670fe8149771251f SHA256: 78f45b84f6b935a06583393418b6eaf9ab18a726287bd333389d225fe5202c6f SSDeep: 192:bIhcf7y5Wy9p2elDJmyNJ3LE0UpWPsXLz:sKf7y5Wyn2elFmmoJpasn	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\clienttemplates.content.office.net\7CDC9D9C-BADA-4EA1-8A7A-91189CBCBB42	23.91 KB	MD5: d03b04d8d4781fb7998674eb11fb0dd8 SHA1: 50a87e2aaee486037cfa457a89b13bf26627236c SHA256: 2cc83fabb024f3f314a3203e0f4c6f18dfd6335e145ad0fb8359413cb8d696b8 SSDeep: 384:RiAwQBW4iFwFlXu6EGFVZGPQEMF8TBsKm1p/6xDh9BZzUbDVDeF6CeFexn2CY7hl:RiAwQ6uFWGDdqTBs31p/SZwbDVan2t73	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Credentials\DFBE70A7E5CC19A398EBF1B96859CE5D	11.28 KB	MD5: 1f8db3aecb6c36fb815c73cef2af6eaf SHA1: 405049b8569fc4c67624e2ca0117117138a3935c SHA256: 2f189e843cc35bf4e50729e54d32aef2c312e051925b7d2b6e9231f98fac62c3 SSDeep: 192:6NLWJvcxuT9uhXLiaTgbfr1vc4BDzr91gSPjpyRQrQtyUNK9y8Vf:HJkxuJuR7Mfr1vc4BDP91N9RO/s	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\clienttemplates.content.office.net\BCBCE985-2A13-4141-A7A2-2395FC5BAD3E	15.00 KB	MD5: 927236574d556ed9941099ff771ac936 SHA1: 35188c14797f47bdf76f216235e5103edeefb76e SHA256: 30935c5e1e5c0404b39544fd6906434413909b986e526100f4f14403cfa60da4 SSDeep: 384:QmO6Lx7vRIGEbByknm7SSFoW6IxIIYAoZwcfcZ1ACBN0:1Lx7pIGiyknm9oBlI8ZwXBN0	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\OneDrive\17.3.6998.0830\images\folder.svg	0.56 KB	MD5: 90ce3ade122288ec09f22790d372dd77 SHA1: 7275fe56750a37942c692784752c2a6c2dbe2abb SHA256: 0f530c276bb1f0fdd6fb652c525bbd9c96b80dc3c0caee9ed28100eca57ee39e SSDeep: 12:ATsdU7ZZ6EoDGn6zgkITPQnmFFtxye9Ro1hPH03qVgTq9iJ6/:Ml77Svz3IbQnmrux15dVja6/	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\OneDrive\17.3.5892.0626_1\AutoPlayLogo.png	4.83 KB	MD5: 0bf46eaa566336878c7004bc8cbbe9f8 SHA1: 937feacd7e70829ca872af900f99aecc1112e515 SHA256: 014a800174f13d98d694b0eadb4f455eb2cbec89e724ab4688a9731dce95f107 SSDeep: 96:vQ3KBRYA+QVoo7a/5mbvyzLS6h9hwZLDtgR5oa0hJFSBG3LJxr37ug:o6zYPQVpa/cbaq6LqgRaBhSBG1tV	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\clienttemplates.content.office.net\488F2960-8DBA-42A5-A6F9-DF66073E536D	23.99 KB	MD5: 25377706f180366fe79b4e66c05669f9 SHA1: 21b7153328f69dd901537824a34385573526b14a SHA256: 558d3b26f1083aab94cd1f3930298182c7525c01a213a2257f68d0dd0bad960a SSDeep: 384:LtvTKXptJC4S7nhpbQctG3N5gDscGUguAtfD6Sqg9FzFxe+7xQUG9oqZM/vh:LpTKXptlSNpbQmG3fgsMguAtWvg9Fzz5	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\OneDrive\17.3.6998.0830\images\done_graphic.svg	31.89 KB	MD5: 0afcfc4e9577914ba402fff7f357b595 SHA1: f783d9ea66957cbe1d16cccaf41b1378a91467e1 SHA256: 2912b82ecfec4273017bfdda42488c32520864848db2c571716f6680bf6b5b76 SSDeep: 768:AISNPbCImyyfe16/UUb6rnYDp8qpYVq0eBBKjV6:AI2Pbtm21UUYiUp8q6gBeV6	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\clienttemplates.content.office.net\BA1A7D9C-8B77-4E7D-97E6-EFCC062E7F93	168.64 KB	MD5: 1d19bad459e8ec8cdffe6f21fc39071f SHA1: 4f9f800e2a582233feb61bcd70ac11596d97bd42 SHA256: b12126148593ea00ab4405d6bf76e9aa63c7788835883753f5fbba7ecec16db7 SSDeep: 3072:bNcWrO0F64LubuLHbKuHF6iwgb7lQ/2Q+UMvzWQ3+nEZFREYp:xbreFqLHPl1BeLMvzWPEZD/p	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\clienttemplates.content.office.net\2A9BD5FC-A11E-42DF-A867-B07EE85C6137	28.16 KB	MD5: c3733e4e1148d310e557c6e4f2f53e32 SHA1: 19709c087066cf6982d94b69434bbd83b559633b SHA256: 837beb7866d1a10b3f8dfb2bbcd3c8360a0343c61696a233a205a98c123b921d SSDeep: 768:zMaJRT8SUbPQhT+VG99HZGbv2LJ3YBbpCoQUJGEE+:IqRzU8q09950uLJId8oRwI	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\00009376\02_Music_added_in_the_last_month.wpl	1.52 KB	MD5: dfa8286840d37d95d07e2cacdcacbb00 SHA1: 281aad73cd19a3ff530bf4c3c57f9a5908edd8fa SHA256: 7fa3c41a0ff4386205e16ab423f434864895614642f301f8398c6cd0c81a22c4 SSDeep: 48:3QfK+hTMHbbfiyTye6xrmouJAW4koulMvuh:3QtkbTiyTye6xrm5JW3ulKuh	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\00009376\04_Music_played_in_the_last_month.wpl	1.53 KB	MD5: 47e4eb3b0416946083583b7b9da7891c SHA1: 993ba7be130391e97b6aa58a51f05f604c048606 SHA256: a712ad99d651a4ac7913fe7527d461b49efbb6c39319c056566e86c9818b4aec SSDeep: 48:k3WWqgPV1bzEIM/2IjDfLC6vuLU3sVYzzWk:kTTw2Inkg3pzzP	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\OneDrive\17.3.6998.0830\qml\QtQuick\Controls.2\plugins.qmltypes	69.33 KB	MD5: 85d57011b06606d180f18cb698cb4d61 SHA1: ee59b4d44da189071e295bae53fb9a0ec477610c SHA256: 854bc2f684584c1e5ec2a8b68ef09e3fd79efdcda9421f1fbc00b19d6b768c78 SSDeep: 1536:US76jBf4kTTYvvPL5l/vw5Qzz8g/YXcI5zUDtItv1v9+I:U12/v1zWMsUDtItv6I	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\OneDrive\17.3.6998.0830\qml\QtQuick\Controls.2\MenuItem.qml	3.83 KB	MD5: 05405cf1a5b5639da0e23c81f22ec595 SHA1: 0510ce70999e361a01dda3fe8fc56c575b5a7acd SHA256: 1de75d15c25c6ff455101a38a6560ef96b825c05a86c2a6d4c983f0533c164d1 SSDeep: 96:ycWqK5j1AOCKKPommtQg34lMlapeME1LLpO0KBZ:y9ZjR3H4OPb/k00Z	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\OneDrive\17.3.6998.0830\qml\QtQuick\Templates.2\qmldir	0.39 KB	MD5: 8561c7c87b930e940f3b1bc8b09392f4 SHA1: c769deba80744f04e28e154163f4f0d28855a75a SHA256: 44ff2355f7f26076e7c3957a8fdb6099517bbfda21c89540460467e193d26db9 SSDeep: 6:FPlWJlSRf4BD1IOnjhP4wDxENaC4kU5vTFD2SfAK5TiAfNUfJBAFvyBSBb7n:FuSRQB+P6CNaSU5RySfv8y0rmvyMfn	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\OneDrive\17.3.6998.0830\qml\QtQuick\Controls.2\Button.qml	3.78 KB	MD5: b4121977c338bd6afb67a83e8aa0730d SHA1: 605b6a806c8cedec9936e97ffedf5fd9e236f665 SHA256: 253f3ff2bd9e292150837476baac7f6684a01e995dabecf88035bd45cb38a5d6 SSDeep: 96:ZJm+Nvr/C+Vdgk1rBSxufYdGihvRcBJK4n4jJz96Y:ZYGvu+VdNVSxuwpRclAh6Y	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\OneDrive\StandaloneUpdater\Update.xml	0.66 KB	MD5: 3727a6f69bd7947d04d49dc5cb3f92b5 SHA1: 3ea6e4143e6b839f27bcf5996d0d9f58324461d0 SHA256: 6d7fc9a58033daf9f3dec2dca6c82cd2a849b5564181230b5b6575b8400f1093 SSDeep: 12:GuykD4t/ANrPGcdg+WqAA2EgTC8z5X8nHBdgXAE7f18loIlPJ1cTEJQuydX7EUBt:GJ2u07U0HXLUfTIJrcTEiBrEl87	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\OneDrive\setup\logs\StandaloneUpdate_2017-09-27_084159_4e4-594.log	2.24 KB	MD5: cb0740bad354b2df214d15a0aa731200 SHA1: b446ebb31a53fa3fda6fc9c8587a2a9c625c3313 SHA256: 4a1ac2f25b863b677bd6c2f7b21756d68202b8daf81dab5f3c4c47c391af9e0a SSDeep: 48:m3Jg0u7V6zhHTltmXhdXj0CtXkDTZBnrLWvq8ynssNxFuD9:znV6zpTjK0OXqT6TsNc9	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\OneDrive\17.3.6998.0830\images\errorIcon.svg	1.05 KB	MD5: 4324abe2f75a74a4e2cd471749ac2077 SHA1: b2ce2b0ca41a365deda6f0c2ee652bb33c29ecd1 SHA256: b6770f333c2198349687186b28e7b7c3112257656c0d224aa765dbf602c89a44 SSDeep: 24:Lnd2q8gB1IgWf6nnlOh5pEfoqCEm+ILunP5pp:zdH7BFnIvjqCkIap	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Office\Word16.customUI	3.71 KB	MD5: 5986c6ff451ea6787cd1f71443086657 SHA1: a5a52d758699d9b9a437d5fa09218c9df9cf8454 SHA256: 25471aad3e06f4b4b38f5b028fee95e6e0f1b9a610fe7e932b07b9b29b815ff3 SSDeep: 96:ZzYZbUTrjIPPqdOCg2eMN+Wbn4FL8vXmTS2R6+E8AJAt:8UrjJgU5L4FYXmSkAJ4	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\OneDrive\17.3.5892.0626\AutoPlayOptIn.gif	374.52 KB	MD5: 2a8165ad5896780841c1662440b873eb SHA1: 3a7fc4fc91d15793b059899f14b34c6194527559 SHA256: 8d66a5717a8bd3fcc7262d93385c1326d2eebcb10f8bbaff45cedb37590ee366 SSDeep: 6144:dSQTlZtRk6JJ1S5BKBC+1RE7PbRdmQzT5SenlAwvlHOYJ89+ZOEdaycm775B5PSM:dSElZtekGfKBC+1mRUelnv5OYJ8Gd8mn	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\OneDrive\17.3.5892.0626_1\ExclusionList.xml	19.86 KB	MD5: cd6647b63ee3e017515d89e05b80391f SHA1: 8f594a8580beadb98894dcd8b370802a02e634e8 SHA256: afd171846d3199388f77f7c2746cfe0c0a3d394b3b2dff6f4df3f66866d41b5a SSDeep: 384:7XXcyn/9MMiVLIaJb+LsBY+0zR5jsHGarn8HFGOjExpfV/9hX0F:jEMELIaJbW7bz7jMhn8HFhIxY	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\OneDrive\17.3.6998.0830\images\signIn.svg	10.96 KB	MD5: cfb3bfb6e5404a760050559d0b3dbec4 SHA1: f55eb4c1e385860f27229e6b69e2dacc69f753a0 SHA256: c8728df31548bbacca46dba18bb74982e44a99491d98adc82cb9c6d09f48df5a SSDeep: 192:SgrZp1oqifr0K2HkGymz9Bd7svR5hjGt1qCBsKCX1Igflxb6Domi9Gs:hn1oVrLMdwpvCaX6gffb02Is	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\OneDrive\17.3.6998.0830\images\checkmark_in_progress.svg	0.66 KB	MD5: 8b81fb0426f10dcdc5be4cf6e56e6631 SHA1: 074867de7ec2356517c52bda03b507106ba9121b SHA256: c84dd4cc032e527b7a5112f05cfb8b58deefc4153bf8c48e85065dd9f5b759cf SSDeep: 12:QvYpp6+jQ1ozvvwh2tw4aFviMLqhDjNjJBGUoZNzDrI62P4QPHB83DmgEof:eYpU+jPvvRNqbLqJjNWUcK4VDmgBf	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\clienttemplates.content.office.net\AD0C61F1-C301-4A56-8793-549CFDE8A507	20.28 KB	MD5: ac55142ebaf86a9d42cc2f72de69f407 SHA1: 382fd528e904e24f5187b986c003aa6187a02c8b SHA256: cdb7a5aa8e0bfd2fee202a493b35be4638852f52d17134dbfc0a2a832364481c SSDeep: 384:0FVDQDqsiEGeFfgWRpaTbkNHr2f5jXUX9MPKyBqHB8jCAUxEnl:07kJGeNBRpaMHaOyPKlSeRxEnl	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\OneDrive\setup\logs\2017-07-21_133220_ae0-29c.log	8.77 KB	MD5: 038dc72fc8bca31f537a980f7e10f242 SHA1: 3c4c6a1a10228307dba0cd30847ff2edf83e7cde SHA256: 689c8899937e4b5aeead420fc893406e33924ad59433bdebe3b1b8b016c4af33 SSDeep: 192:7Iiwb4UDjePhdin12e1zh365dzS145GdZy:k4UDiPh4pD65tS14b	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\9097A298-E9C2-4AFF-8C46-428E8A30E31C	64.28 KB	MD5: b5fb6a562642e950db15083223822ff6 SHA1: c5ed7099fd849c8d29a0b37a65682f162cd3f940 SHA256: 16768eb13886d8649c5ce1386444c372da907872502c69da151c9191aa71ccf0 SSDeep: 1536:OFXiVJbvZXqJ8xNs3OYFpMdYac6Mw6Ghh985SG+ZyfJAx:EiVnXq6xSovMw6V+yx0	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\OneDrive\17.3.6998.0830\ErrorPage.html	5.22 KB	MD5: 4b07c0ac556d42ec33bbf032f651ec6e SHA1: 4a5e464a9d443d75d419e74be884f4918ec052ed SHA256: f1be71a632cda832e638e1257c010c4d2d768bbd62e3cedab10320957661f761 SSDeep: 96:/7MHyBdrCx3tIG8Ifo0NExRfP5Y4s4NQ9LpofhznVYsjE:zr43tIGHfTORXPwpofhzWsQ	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Cache\data_1	264.28 KB	MD5: 675dedcfe29090e3e91c1f7e9ced8f11 SHA1: 1028d768bdbafaf9a3f701399ba3534c068a615d SHA256: c9ee6f720808cd0ecd52fed4c12541595669e41ae690e5b6c9425f140765767b SSDeep: 6144:RqjNKZtFiiIWJAmuT+Tg0+d0KyITjlAnOkuS0i2v1tDD+CNyeCNA33:sgbF7IWJA1+M0i8ITjqHEi2vL/LNkm3	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\clienttemplates.content.office.net\94D14502-E144-414C-89AE-0998D2709D89	96.28 KB	MD5: 02f730040ed8c3586f14af7606464a1d SHA1: b59a70fedca04a51b7cff0a1011fdb3193c83132 SHA256: 0938f9e516c61e35513a9bd50bfaca72c9f05f3b89ae92b6c74ce2cc40dd5c5a SSDeep: 1536:/C1j2+OXKotQqUW3O69t7NfvFzBUScni4xISVWyz4F4rAkS7hZgMyeLvbJ0RCF0M:qlOXXQI3l9Yi4mn4tS7hZPHbCcy24q	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\OneDrive\17.3.5892.0626\ExclusionList.xml	19.86 KB	MD5: c45ecaf859de943b68f7bda1ea710841 SHA1: a2e6fb428639b7d636bb47b171f21d807d0be8a9 SHA256: ccae162d34244d106cbc542850bd18496f8f6c842052b329dde1ff10262a1356 SSDeep: 384:be1ekCsO9re501fMO1PVvJftLZeCW8Gu8rzyCqEYMWKgeeUWWwpOM:B/9y0h1PtDLH8q5agfUWWwpOM	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\OneDrive\logs\Common\StandaloneUpdater-2017-7-13.2154.3480.1.odl	11.30 KB	MD5: 240f839bc76be9158cd2c60264ce81f7 SHA1: c4ed07497ef8039dff0f607b4e1e59e6d2b424b2 SHA256: 5bd663234d5354b08e663c294b8f68f567e008453a85c8e42933019a0d9edbca SSDeep: 192:4nzfwlem6FtZiG9BtHLl8Gia1ANm7rLHgqHjsjpez9YPZnxOTb4kFPGG9O4XWBnG:Iza9QtT9nHR8Wam7rLTHjsezmhxGtF+8	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\OneDrive\logs\Common\StandaloneUpdater-2017-9-26.63.3668.1.odl	15.50 KB	MD5: 64bcdc8f6db1bac44dec3f5c88c8e4db SHA1: cd554d49f660d4f9f4fe32ec2687d9567caa3ff9 SHA256: 409dac4d8f91d10e8c533630253e2bc89a8b8c74a4b2732608d5e00b9cdb76bc SSDeep: 384:dWWVl/PePLMViSYvSAj36tTkl+ueNdkq2Pk3eySPQD:U4lPeT0iSBAz6Kack3KPG	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\clienttemplates.content.office.net\5EABD895-1369-4673-B65E-C121C8F05C93	17.44 KB	MD5: dc4fe35d6185b1b4baa1344dc4fc546e SHA1: 9f9403645eef17c876b29f209e0d90eef2c2d25e SHA256: 05078bc0ea129c15c5b066bef6d01e7acace59a8a70ec8044d147063ae05660d SSDeep: 384:HzVlCGixCdnlcHgKK899x30jMkoz8OSJd3kqbuvh:H5IxC5lRKK899xEjhqTAL+h	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Local\IconCache.db	122.60 KB	MD5: 0bcfc2cd357923c75ca2b9784e82d0d1 SHA1: 7ed0f21310897aba08ae6c1badef6da6a6a7f9e4 SHA256: ce82a4195c11361c5650a5301e529a0b2043e1013ac5990dd74c580414e717fc SSDeep: 3072:uBd+WSIEwQ6XThDIk+ezB7Ptpxi/Jdwt32XUPw6v/o0sxVoolt:O2aNfdBTt2BkPw63oVP	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\OneDrive\17.3.6998.0830\images\cloud.svg	1.97 KB	MD5: d57cc4358aa3536e9f025a193341a7fa SHA1: 63cc8c67bd7084894c285d16e48dcc3058bc7068 SHA256: a34254b3a41bbfd5fe009598edb42070c71d38fc03cc1c702c6fc90f0c133810 SSDeep: 48:xdO9PrUOFZQVoZKH7o8qO84hq0XLysNFbzlYm6mL:xd+gObyokbiOfoq1YmtL	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\OneDrive\logs\Common\telemetryCache.otc.session	64.89 KB	MD5: be7b89d458557a72adb51911fc32911f SHA1: 742d71dbb5c16d6e3ba5cb1e73d13ce087c193ce SHA256: 7cff5cdf69e42d3c2fc71b4e7bcbc48ac2d74528ca7b61d1fc4af5afbea6d206 SSDeep: 1536:PVQMW7rQgGlr0Rb+KJwLJoOA/7feAoof0ara0RKvzpRP8+jW1n:PVQ7rQllr0RULGrzfekf0KaaWzpRP8+u	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\OneDrive\17.3.5892.0626\AutoPlayLogo.png	4.83 KB	MD5: b92c0977ed9e964272d971910ee50a41 SHA1: 8101f57ca1e85ec33c1b3bc686356f3c5375f4ef SHA256: da658882964cd7f5fb12e388dd82929c2af635a5d3398c2186306dc4d927e5c4 SSDeep: 96:5A+Ly0bM3HInft4ng1NEVqom/1Ffnt/vga+Bxqnw7GDbXaq:5A30aIn68KVqom/ff5g5Bwn3Xd	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\clienttemplates.content.office.net\77FD6918-29A5-4F0B-B1A7-EDEADD0A695F	18.77 KB	MD5: f4c9e31b139996b7eca66acf11a01315 SHA1: 4377c9509158093c811f964ae4c989e12f43e565 SHA256: 82ff96696537b252d40837565065b4a5a67e9fcbe3bfe11ddad43e2ad01a957d SSDeep: 384:XlckJ/KHcOl8xwVMvLqTKhKAAg8aZiO31VYTUemIDOLKwaURIaCC:VcEKHcr84LGKhKXK3kTUeXeRIaCC	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\OneDrive\17.3.6998.0830\Warning.png	2.81 KB	MD5: ee341b043541dfb021d8bd5f11dde7c7 SHA1: 3ae082bc7bd26b14b202460174504a22bf1879eb SHA256: 66b77ebe2617cea2dba4c7710ba3f29e61a4f2f90dd728894674b8e6d3b8368a SSDeep: 48:aFfrAJG6cI3eB7rLIUe9yiEkVLtxSQhioH8sQTvpRGp9vIOQFQs8h5ADQbM7eDjh:qAQIOB7PIUe8iRtxVhidJvmFlZliciCv	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\OneDrive\17.3.6998.0830\qml\QtQuick\Controls.2\ScrollIndicator.qml	3.19 KB	MD5: d06d66ac9f14cf19e6c981be19569719 SHA1: d1dd9f767daa533b7424701a056e056945ac47ea SHA256: 975d0e7ff94dce236def548c08e72c12e078421cae2c16c5f252ff522b803ec6 SSDeep: 96:pqNfyjJ51Tp1DqNUhB+m2nnvYe07rYSe2TNg+:pqct51Tmc+msvYeKze2Zg+	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\OneDrive\17.3.6998.0830\images\partiallyFreezing.svg	4.58 KB	MD5: 1a6f8db89e302e5ef8012265f8ad23c9 SHA1: ee085daa569543c3feed1b0a50b2286fb3f4af8c SHA256: 190596a6a44bb37b3e141203c01e58d2c2332fb164ff729ed49b10e5b090cf8c SSDeep: 96:JNBBDRb3T1oIztTbwv76ibp/+OrfIGBWRSJX5lplXp9cTqsK66l8V7X:P/voutTbUR/rgFR+rplqNGo	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\8BD876A5-9C43-4F45-9565-3FAF3AC71A0B	64.28 KB	MD5: 8eeb913adc8809c94d7fb8843e7b8255 SHA1: ac5e3a9ffc752ba17890b701a9d033cc80b73b23 SHA256: c6e5c30036c95ae910a75be5dc4c0264eb6183912430e9e8346bcf203f8b61ec SSDeep: 1536:kb0PNcyEwVPrPzNpUx06TnRihnJRS+3ZzBvzYSRDw:iylPTzNpUWeRihnlpzBvMSW	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\00009376\03_Music_rated_at_4_or_5_stars.wpl	1.52 KB	MD5: 6c347cb7e958a5638f268143f2990c96 SHA1: c075f9eb44e5b6dee9ddc62255ad0b59f0f7e678 SHA256: 6261e1bd056d03a45ba04fe16d1c0a6086e40877dd4fb92e5ad85a34d149f13f SSDeep: 24:jxeUXAx37glTUBtISY8trNDy5BdXm6WYNe9LMUmwGieDtQuqTwR9:1XILkUbrRTGlmYNeVqwdexqc	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\C246F9AB-D3D8-41D6-AD9F-FDA8F3368F67	71.71 KB	MD5: bcdf11952b70500910fd7ac968fa8b1d SHA1: 5503ab819fdfa362caa778c6954c85b704d6b07c SHA256: bc47e0c0f9f6367d6fc9235b4892863708acb279e374ef9edac85a5176793bdc SSDeep: 1536:7st4rGxtaIBOh/WdPj5uxX4imERsg7Aw7ybgeuglKMi5sc/ttG:Qt4qxtjL9uxI2RJ7A+yBugwWOtG	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\OneDrive\17.3.6998.0830\ElevatedAppWhite.png	5.22 KB	MD5: 6072ec2d014b639c5c185809369ac910 SHA1: 41d01be00b65fc2dc79ddc093c53a1d13eb83384 SHA256: cbdd8746c304042950296b12c7dec5970b157dab4f8c9120ad9511a06f0120c9 SSDeep: 96:Tu6Ao0gVn/s8F10H2gYafm+GNOGEL8RhQSiT3soHLw00cdyOQlaoEewDD3ixn:ayj/2WgV6OHL8nJiT3soHLw0iaozUit	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\OneDrive\logs\Common\StandaloneUpdater-2017-7-12.641.736.1.odl	15.19 KB	MD5: 287cec2cd1797bed0387320bbe9a0512 SHA1: 0584dffdbb281bd120fb8cabc22191d3a3743150 SHA256: 70c4ff86699bd9515a444a76a0a6434676c46143a78bb34893ca1e2397633ff6 SSDeep: 384:qDWeVVwKuOw5s5UUptWUUGkDhE5jitG4w:qDW4VwKz6GkDm5jitG4w	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\OneDrive\logs\Common\standaloneUpdaterTelemetryCache.otc	20.28 KB	MD5: 03b998b172d5725f7c08c74ed68a3937 SHA1: 26eec44d59951d1eab3a69d4c5a8436e74e10293 SHA256: 224c337b05809570badc69f6371059ca0a8235e495b23cbf3c730e0b953274ce SSDeep: 384:c0YP/MSUultaIpy16Yvoz2bdqf+Jj6u9XKSaSSR10Zn35RXoLYl:cr6By20WV6AKSe10Z334L4	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-314712940\msapplication.xml	0.69 KB	MD5: 498b8a0190713dff1f4f9b31339f4670 SHA1: 0b27b1d69a8207a68c297f5184582474f819f0a8 SHA256: 525e2555d48a15ce9f86e1f55eb104704752d5bf85f1d47a6182a8d20e2f02d9 SSDeep: 12:kQnY4zocStfJAD7t/Us1ExqiIeHW5mbNJujfwxUfFzldYojUQSNjBYw7HO:ZnrVStfJOBMOj5mbNiIkCoI7YoO	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\OneDrive\17.3.6998.0830\AutoPlayOptIn.gif	374.52 KB	MD5: a390e48af2ebc028f4b9b5c907d60a87 SHA1: 02d7c5f8278345049b411c039c0cf1451ee535b1 SHA256: a434dc9448f009d82fe1180bebb856e53994617c3845396a059fe1c1a0a392b9 SSDeep: 6144:m8JmKIb0ZWQZA5kmN7QNplEX/Z37EZFN+3NFo3llMixthgHLbhLoY0gITzxXnn39:m8JfIwZnZeJQNY/NEZFU9Fqlwrbh/0jX	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Local\Adobe\Acrobat\DC\SharedDataEvents	6.28 KB	MD5: 2c3b560f5bfa26c9de1899b9ad97b80d SHA1: 92ba23211c223f632d0d85e7960863dea6f35978 SHA256: 02c8439a9bfa3b869ad655a0f6a0acbdd59e5e5bc9d8c0147973d7dd9c1fee4a SSDeep: 192:hII+RPh+q+PCYe35UnvgPhg3yXwJt4ZOE436IUo:huRcq+XTEhgeI4Zu3lUo	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\00009376\08_Video_rated_at_4_or_5_stars.wpl	1.27 KB	MD5: 133761110c3f36a5c5539986f9010c71 SHA1: b22ae89b6943eb293bd7135197642a0638d6cd72 SHA256: e9c7faa66abcdee99cdd040edc60e7491c05cda4a7b43b1fb0f8fba795f7475c SSDeep: 24:4aEjPl3H1BibLZL2aYYmYgUAXJYHV49EHGnSTN/H2CbrELw:4aEjNiXZKaYcglOS9uioH2CbCw	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\clienttemplates.content.office.net\7E7F2D4D-7FEC-45D5-9242-391C5BBDCE7E	12.17 KB	MD5: f9970270d75c13ec5e8db77d64b2decd SHA1: 2d457253176ae2c5360d123ae4eb53785e09d8e2 SHA256: 09950dcc8f337a8232a2648f5152b561edfccd8c34e80e4b13341fc8b9e82aba SSDeep: 384:7rWY1Mc9+++VwqhHVJ0ZEMlvdzASKRQtzz7UsBNI:7rWY6D++BbJpMl7Th7lNI	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\clienttemplates.content.office.net\683C6C51-6FBE-4F12-8495-5B218743CC76	22.97 KB	MD5: fa63d28676774338affb006b3a652451 SHA1: 008a3b6facd8a6bbb474db255345a8c51793a6a3 SHA256: 8f8495e21bf964d57b1ef8000af088e505b0fcee32b5abd553c6450b9a08622a SSDeep: 384:+305+pIS3Zj3VlFpNCP9IPz5VZ3pd0jLxLCTZFwA/6myq0awQnjoN/hcXCRsI3s6:iJj0lIPzzRYjLxLIykwQnjoRACdsJ8fd	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\OneDrive\17.3.6998.0830\images\onDemandSelectiveSync.svg	2.86 KB	MD5: a2b29ec25712b59f4a56e9d32e9149ab SHA1: bfc5087004d59f7645cfee0710c3ced9519e1910 SHA256: 02b645dc802afba2bb3f55e4b6f78c4ec492ddbe664c253f157f6a04d4fc1a19 SSDeep: 48:5KED1C91Jk9UT5EGrJ/pTMJ4QJ9nE8girkk8IWpffPXCKe2u34Qz1S+:r1CjdEy/VMJxE2AdfpP1ru34q	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Cache\data_3	8.28 KB	MD5: 49c376ae18c4d8b77c8d60b8d0126631 SHA1: 32b18e1fb785074cd2d6d3cdcfdddb6568a52418 SHA256: 29c46de875260cf2912378c7cbc62eddfa068dbd5be90d8135f87b2d43e80fbf SSDeep: 192:pAkYsBoeqXJLuSYSmuGbzpA2mWcda22nQ6i0uNk8r:pkbeqXFnYHuG3+5WMa2zcJ+	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\OneDrive\setup\logs\Install_2017-07-12_164138_904-4d0.log	110.42 KB	MD5: 511c827d6b6076f1849630bc2a597747 SHA1: a5c5f0d0bb0c7e74153cd2a22488888ab7c4a0ad SHA256: 58c5659165a949acac8ce9802401c30217325524b3c88f7fdec0874890f33f75 SSDeep: 3072:uoWD8TQ1/1+i40/2eGxRbJEzcbPgDkWc+:uZ8c1/1+i4eGbJEzcbIkE	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\OneDrive\setup\logs\StandaloneUpdate_2017-07-19_092447_b70-3a8.log	2.24 KB	MD5: decee1f919e0eee76180b9db1f7e7e27 SHA1: 20d20ebd8922c5e5ca0f4c058ab482e9353b16ca SHA256: e628d419dd7392c1b82dd93dc513880c9f17364d8cf953558b70591d920e853d SSDeep: 48:x7toqq1CW/ktlZpOwPwNYHUTHC+aBHLCNvuVNMZXTRw:ttk/ktQab0THDa9LkvuVWY	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\OneDrive\setup\logs\StandaloneUpdate_2017-07-14_075507_d98-d94.log	2.24 KB	MD5: 5b54716dbeb4835441b4d3de83895f68 SHA1: 5519c69c2fed9598a6dd111d35587d65c0b001af SHA256: 57cfafb5587f69de875dd03919051017aaacfd6bc6f183c2675c87d38f5d08fb SSDeep: 48:audnO8DSwBRMJRzD/FLZMJxhEMjH2Jh2hR6Gg/NYc1R8XUd45ETy:ak7bB2JtDTYjWuu3Y+8XUS5L	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\OneDrive\17.3.6998.0830\SaveApplicationEventLogs.wsf	1.74 KB	MD5: 625cfa5822cdaa890f6202a15ddd770f SHA1: 6d2cea8fb481baf915a364066ef329cb5dbf1e8b SHA256: 1e86718ba76cb22df1c4a49c87e228523c2ff9ad90185f80a4b8dd3e696f47fe SSDeep: 48:8rpEMcIv+cW1p4NQD4OicQuwMKIVZUXuwWvVPSe:0pEoXW6QDhWuwvqOUpX	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\clienttemplates.content.office.net\8C065BBF-7AD9-42C4-9735-9EEE5F756EA9	16.19 KB	MD5: e94103fc5fbf0a040bf8be38abc3aaee SHA1: 30e355358fba09b07ac7ecc64ccf9e82ae40170a SHA256: 7214e48b3662d2035cc4eabe538fcc7d2bd7f94a8cf0acd4a19e91d8ccd6a0ca SSDeep: 384:0YDl4lA0uqzaAcmibWF+91jcx2tgTCkXqNhSuslllTqyK6oB+:0y7Cb1cbjcx2u4clKyWY	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\clienttemplates.content.office.net\E4FDC49F-730A-46D4-9B3E-AE4CD4D8873A	11.52 KB	MD5: a97e63647f4ad9ce38674997e3372820 SHA1: 44a3e892d366ad19330c317ad51036fceb1d7096 SHA256: c7a7e251b5d3765920f786424d811c782c2a2a0a55a6f9c289fde7985778ba76 SSDeep: 192:PnIw0JVZtGgBNLJ3GzMIudlnxcvV8cEc3Y3I4GQkKIET+ZZYF3pPLZ:wVZAQdGzMI0oeczB49nT+GpPLZ	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Local\Adobe\Acrobat\DC\AdobeCMapFnt15.lst	1.56 KB	MD5: 854063bb259047d4785967fcd314d5b4 SHA1: 9fa8c5a3319655a27487be5ebaaeaf2cecd23568 SHA256: 5a155177ff7e699110a7a2fedcc81008b7e0d2a1137c025eb7b307cc8b66497b SSDeep: 24:mILyVAwtH8iUp4JGfvf9kkuH2e8Bt6W+maIY+WEMlX+vdvFEjSsxs6PLixrscy:mILyGoH8iSmjHNG/HrMx+vAjSsxs6PWq	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\clienttemplates.content.office.net\FA975BDF-A96C-4D1C-A93C-60FD5D97AC90	42.56 KB	MD5: 179fb051a4786e85abce50d024f8a5ba SHA1: f8fab4e1aca0aa6dfae1cf8281f0b776333dc378 SHA256: 1e6222188132af0e9661234731ed761ebcdbb5af7228896414c92f0b9af0a814 SSDeep: 768:sC/lQ8NgidtsZejQEI944WwWSJvNtVGPC3/n+GoxfP1xKqa19JBP11cgyAEIaU0:9NekNcJvNtVGPCv09Za193V0U0	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\clienttemplates.content.office.net\66408A6E-F696-44FA-B896-9073D83C9463	17.86 KB	MD5: 6bc23dac84962dbbb447cfa0b049b683 SHA1: e5b22b70fa1a6651a8d65d2f10201697ea9314fc SHA256: e72ea2783e875a825e5928d0268029158f7d6733ee35e71689630b547695c2f9 SSDeep: 384:oUrgjkFIYcKBEgcGflKAdai8WbYEBPTg+4DusDuuAH63V:nIYVt1d/aTWb9B8zDrDujMV	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\OneDrive\logs\Common\StandaloneUpdater-2017-7-13.114.4068.1.odl	11.30 KB	MD5: ca0372121cbc7ab66517a8578d3bcae8 SHA1: ce664907a3ab60a91ebe2ce68b0ca05984670c3b SHA256: e1bee020fa769402e4c44b65232b2685cc9a8b422ff2e5d205547587d451a774 SSDeep: 192:UkkbJv+mJw2Ohy9uaeVIP5rapR+ELpAc2k3hVORcfPW3a9x:Ukk5rghy9uaeLR+ELnB3ocfuW	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\OneDrive\OneDrivePersonal.cmd	0.35 KB	MD5: 4a4b1d077299179bf400c5033c056d26 SHA1: d1afe9aae1e7e97143dda7296761bb0a3262daab SHA256: 13dc60dfde7489b0cc4d8f0a31b6b21c96367fd10d749a81ede4ff05502109d1 SSDeep: 6:Pa8a0Cef8tmo10vZgROH5/taNWD+lV2qoGrWwtRgg0h0tDF:Pa8aPPtmo1MeA5Fad32qo0Wbg0ox	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\OneDrive\17.3.6998.0830\images\loading_spinner.svg	0.71 KB	MD5: 69b736849616a7e6554172a08b2fa890 SHA1: 6a615d15d4dacd27b86b59432fe6eab370f23fcc SHA256: d9fb03d629bab98d28eaddee7e489b63973d80a627c4a8eafc968beab96f439b SSDeep: 12:XNiDgZzazPQYy/f/A/KV1oxrq2yDK57YAe7NlXDQbpwAsS8RjYrbXgMTWaYSnOUN:d+gZz4tIf/qKoxrq2yWlYAKXKt8qqVSf	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Local\Comms\UnistoreDB\USS.chk	8.28 KB	MD5: 048b7c5fd1820688a291a675c25ca689 SHA1: 88ec62b7cc9a0d1eadfc968ffcbf7388fe5137a5 SHA256: b94983eeb26d15a9b76a373e4ac58707bfd896d9724fa424b55bcadab9339c6e SSDeep: 192:nW1z/6TZv8nfisdVzkK0mCldzezdsEAXC6fPbwoqo5t7mnHFWQF:WWZOgMWKcC2GGt7qMQF	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\00009376\06_Pictures_rated_4_or_5_stars.wpl	1.05 KB	MD5: 7f751fd3ead49c522f112fe8e594c8d8 SHA1: 7f616de401d0b7df7b13016b607e140d84905251 SHA256: f7a35ea57cf97e46734553a018c5f58d65349585f297333df82ddb8f6c9ad0e7 SSDeep: 24:kRoX/MQXmqLQGjtX51K79xyq/E5F4yi+5MbPW9QqMTom6mzyDtZ6Ul:kRK/TXm0jNi7TJE5FiEQ6a6Z68	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\clienttemplates.content.office.net\9B5E72BE-B516-4DBE-8414-EC40CCF98DF5	15.74 KB	MD5: 8248069733323c894b5cfca1c9551e8f SHA1: 6918dfed397841ae2a00ea432dc7123224665048 SHA256: c810be14cb27f8253db69dcca5bb79ae15eeab1ee47a68b4757615cd216cbe8e SSDeep: 384:8jZVzSdYKWdOPmuh6IFDB5iqmuo3mQPo7vdR:8j7zeYKnAIFDriqmD2Hrj	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\OneDrive\logs\Personal\TraceArchive.5892.0626-0.etl	8.28 KB	MD5: f5a870a9c1ad9b74e87f42448c31666d SHA1: 56a77149802099e3a7fdc813769c86c90bb40dc5 SHA256: 81e4d6174ff6c6f16c8287ea2fc159c2715fddef718ebed9614ad7f84ad0fc41 SSDeep: 192:/z5fcOxNeLPgMcd/NTKjslB5muvfnI3E7C2gJVO9zYLDt:/lfhIK5KjKBbvvM2mMER	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\clienttemplates.content.office.net\66172C59-AA66-47DE-BD2B-1B908C570062	33.41 KB	MD5: 4dce188a25d3d6dd3cafe3d583a38bd8 SHA1: c3531ad0193f6b39c610980c278bb0cd74707ecc SHA256: fd8fb446784ac016cf1182b268f4ce01c4fe9c19535b911d570f539357c8e16d SSDeep: 768:Vb7KYQuJ119rKahpTUhyp1yxhcaet+rC+MLsBxgRHWBHlHf+FUf:0YNJX9zhpbp1UpeECBFWllWY	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\clienttemplates.content.office.net\BAB84B72-0292-47C4-A0B3-39B2FB0A440D	76.74 KB	MD5: 8e2ec33a26f3f0ae6935447fa62b80d9 SHA1: b344b9e49f442f8b146861d717b95fdad7afd9a5 SHA256: 8c1d22b261db227931b3f8212900559e614665583f0211b4b884f88f4e1cfc48 SSDeep: 1536:04knWPB8kzcWQxcXY79dsho6Eys6FnqCZE7YgeDWYrcz6phjdd4mr9:0EJ7Dw9dstc6FqdcgeGz+v79	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\OneDrive\setup\logs\2017-07-21_121121_d68-ddc.log	8.78 KB	MD5: 20dad3da4eb08da2186d1e1e68f06a1c SHA1: 3bd71d3ad424fc0c1e86eb03e72775be4621499d SHA256: 7ea56412e285682d76b4217b880b6cb6b62937ea8a5789fea207303a5e86a0e4 SSDeep: 192:9e7h3Z1PrLgDgXXfSrBcauvaxNAqftvgJjmEAfCxhsEqXfrJVllAF:9e7hp1PXg8Kcas8Aqftq0Co9JVlqF	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\OneDrive\17.3.6998.0830\alertIcon.png	0.97 KB	MD5: c91cd8191ce92df9e5835468f305a232 SHA1: 754a7e6832a1f2ef5c99b25fb90db3031e2af598 SHA256: 01da8effc5bc880c59904229f688eaf26bf4a976f38f9bbacaebda092b41ef0c SSDeep: 12:KiXj5pNs6cKYmuX72ail9NyQmbMUi7gN9etAW9JZxyd1JORinc9x5yEu7ygSa5+Q:DNDo71ihIxYow7twf8Rqc9xlONiI2T6L	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\OneDrive\setup\logs\StandaloneUpdate_2017-09-26_160311_e54-e58.log	4.47 KB	MD5: d46abbbdecaa353d82f27e4bb6af7650 SHA1: e1624acefcf879da39c526ef6d2c7b7d45e9a721 SHA256: 561e4c7d70601765546d3b471ffedae667d1d2dcfa1ec006ea1b9935b8c14ee6 SSDeep: 96:LTggFNzlLGnVFwnH1tGS/tzrV3Z8QpnjRlqmBoa0B1MsnEQvYdCgMYgZ5H:nVhGnVFwVHlzrYQtjpR07MUfvYdIYgZl	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\OneDrive\17.3.6998.0830\images\checkmark_hovered.svg	0.66 KB	MD5: 746c4abc61f2106d2a39bd42d8328804 SHA1: 771a111f2bf9090cd2a4f36bf985d5f11d654635 SHA256: 55719d4e5dfbc139e27024a19c2ee24b971ea23774bc16e63b3d0977b814066b SSDeep: 12:cf7RjInRbgPs/6wBm3xmlVWN4MZyDzrX/s4bUgmfeo+ft7Ovo9wVG:O7RjOD9EC4Ibs4xmfWtivo9wVG	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\clienttemplates.content.office.net\41D65FE9-AE28-4485-82A5-B9D59D0A0019	20.19 KB	MD5: 381dc2839ff89c214b9fcb53bd7695d5 SHA1: ef112a9d8962555828d930401d02ef3369711ccd SHA256: c91558c3a1c34d1997ce007b98588869322563a8d3dbf92a0cf94ce1d2c1f42c SSDeep: 384:3kN+eld2MSZmASYLVl5gI1N8nYoHEdKzIiscmAFaVgSkNDsZ27bd:s+e7lSZmDYLVvnNBdKzIiscegRNIwbd	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\OneDrive\setup\logs\2017-07-21_123818_e38-824.log	8.78 KB	MD5: 80bc30123d98c460df685252f99080dd SHA1: 490160bf47837c7dd419f800d15a2050478540f1 SHA256: d550d7aee1bddc346af57c6d8f81d1d6f45810b4a0c426b589da7e61c26bc838 SSDeep: 192:Ht1LvEwhBU7X2zGINlUhGRbp+Vx50U3Z5nk7uRWk0TI4VHu:Ht1LnhyizGIvTIx5b5OpbTIyHu	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\clienttemplates.content.office.net\46DE614E-0C9B-46EB-84F0-89F985E8C156	20.92 KB	MD5: e0a3bb6be1e83fd746bbae6c4de32bd7 SHA1: 14833e69c19c558a5bebd9eb0505ee3c6e5f9a99 SHA256: 4d9903ea53917073c2ae75de0cf52ab0fe408c61b9ded618a3759c1e14728705 SSDeep: 384:Q4hxveKPInhPErtAHNkxQ7LdaTP+8vcTH1TdFqzKq3TWtkJ9RpM:PaRh5hLY+VTdm3DtDRK	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\00009376\07_TV_recorded_in_the_last_week.wpl	1.30 KB	MD5: e4cbab379180b6c21eec3d88cb025998 SHA1: 0c877011409728f4ffa731e3f28e478ea9abe3c6 SHA256: 41c331c2d889ba2f9895a8feddb197eac81abd8da511a31e1c5677c903578a7b SSDeep: 24:24akebNJcCOFYSO30kp3on6Vdzf/dVLP1jACEZBwmfk4IuywzQ:taaCOWSOEkp3o6Xzf/5jACEZCk5zQ	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\OneDrive\17.3.6998.0830\qml\fabricmdl2.ttf	104.36 KB	MD5: 409e4be444d44f2d76c3fad547bd03c5 SHA1: 9909182147a1884abb50d18d73fd5e7d4566e6c9 SHA256: 89192b4bba4bb5c9ae888e68a3af59a8b2b09666effc6fb554497e509322d681 SSDeep: 1536:QIVgoPskQmwJmikoz27T6wsOUKP5TeraHAV9cW3WcWS9wOKTu5brt7GVXERpwPS7:bVgivPybwsfA5uF9YcWuv97fEbSbR	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\OneDrive\17.3.6998.0830\TestSharePage.html	1.41 KB	MD5: 82f0d719872b8a770fa2af0ff3f73f0b SHA1: 1fa2ee08de4b35c10c917ab5410305b97052eb74 SHA256: f18661aae2552cf99964ecdef5481e9acbcd4a20b251c93ddca153ecb6c22221 SSDeep: 24:/kZ8JapM0fQsFVs/XgFPhHo5eZAlMelaNZ251+agKBugzLgwiY0SkVylxuZZIhpA:8ZWYQsFVsfaoQ6lMecM51ngT+0SDlxuL	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\OneDrive\17.3.6998.0830\qml\QtQuick.2\plugins.qmltypes	181.61 KB	MD5: 1ef01c760dddc613e21ee5339d0145b1 SHA1: 063605284af5296b3fe607369f28cbbf6ad825b5 SHA256: 5ed3ab49578f1e16fb8171f3f30b51cd0c11d5104e63e229d10e1cf574ab45d8 SSDeep: 3072:UBoBNkxukBZ/TDNRESXzAEuqgd0a97Pw7Ud1ns5dIgmY36tbIU8WIIx:Uqsuk/rDbXzNRgmuEQdq7lmFbVzx	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\OneNote\16.0\cache\00000004.bin	14.39 KB	MD5: 2369c5e64ab6270aa1c3a6e724c130bf SHA1: a64fc7dafdf3ee9a55a3ce659df74526120e54da SHA256: 2f811c0283bb604e4c4825478176058f65273dea8c10c1752ab0e26b0c5b6e77 SSDeep: 384:3gi7BqWlUMpo7PWUnokX6goUc2w3KUCLvdv7AS+Fws9/:3gSBqH7v7XCpaUCLvdv0d/	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\clienttemplates.content.office.net\D99D1198-2688-447D-9BF2-F9F9C1375AFD	35.83 KB	MD5: 3a3b9d6a20ff3dcbfccd214c9f51b97a SHA1: ceccbedf80292156821779c35b59a1ef7014d454 SHA256: 7801f6e3d4270f7bdbee7c663ac45bab46d193cfd2f7c3dc1c7291f4477ce5d0 SSDeep: 768:b+K3+M8zbaE47LyuNROMcpyMKVxbA3TzI38f0FwkLVDhC:b2yVmo8JwMKVm3TQ8f0FwmVDs	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\OneDrive\setup\logs\StandaloneUpdate_2017-07-21_115555_e74-e78.log	2.24 KB	MD5: 2f830265edc9436aa707b3b8fad09d33 SHA1: cbb646190967a364dc929d24198f4d594d288dc5 SHA256: 0f5a91efb0f8e7f1b88d6cb3e1566822f9aaef8793de8337583f92ebcf6a1775 SSDeep: 48:Ksip9+x7yXmJ6hIr75+wZAB8XAYTXwo4NPX49Oln/eJ:KPkx7omJjrFG8drwooXS62J	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\00009376\11_All_Pictures.wpl	0.85 KB	MD5: a56640e14eb2637516ac70cc912ba7a2 SHA1: 77d1f24da4ada8727ae963775d5b5670686bf9e9 SHA256: 9f70b71adac6b573e25600aa779542f8562db87794f0d79b4ac432608e6efdf0 SSDeep: 12:C5JA9nukXINXa5vJE43Cxzkri+K8qv9VXlamL6I3ZOKKummaUAlKUoUHr6meMatr:CPA9uZaxnWoL6vromW4naUFx867HOJC5	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\clienttemplates.content.office.net\9CDDC916-A2AC-41E6-B1B9-CA1B9971F195	53.72 KB	MD5: dd1349d7f527b77d24bd3d6c0b75fa69 SHA1: 5bd06a04bbd346be6d10e6d616adc3e1b81b8add SHA256: 08c9b04130e32476225f647c5b273340c50cece4b7a9bc953c487f4b9ad71fad SSDeep: 1536:ZhYm0akyJxmDxcJOnDdOp1D2w8pYmzg3CB0mDRU2i:MpyiDxJnDOapjN7DRU2i	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\clienttemplates.content.office.net\8C607B24-1BCC-4C57-8CE9-EC64CDD7114B	12.97 KB	MD5: d31e7397c60c5ec71b562d43959cdfba SHA1: 90db912455ca05b0cd220f4941c0b6b72ea55fcf SHA256: 3e5509c28c07b5055e95a4dba2fcfe9b5422d26e9517f180f222417c0c5e65b0 SSDeep: 384:B1B68PW8Nkm2yK8oYvYJ7l8MNZ2VTyyTwax8:XB6ENkAFdWTNZ2tyq8	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\cdn.odc.officeapps.live.com\29598952-6912-4B4E-8754-D3E714F498C3	0.97 KB	MD5: 41d705e6f135eac71ff4a91a4d92e61d SHA1: 2d089c864be23a2ddd257068daa004c55906cef7 SHA256: c189071408b8a4c85b8e3cbdf0f52e305f7a7cf1184c85e9dc6b06c4c5ebb483 SSDeep: 24:zaLZ9NWlYiCI/SwkWedGCeuV4fTaSG5COl5DLdN8:zaLZWlYiL1kWNTu4GSGgs2	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\clienttemplates.content.office.net\24E98DA1-B779-4FAC-9144-3233D1979336	26.11 KB	MD5: 3f83cb90c875b4f7cded4b6cfb6ae6b7 SHA1: c1084e04dd069cd0650cb01ef45b9bdfb82db1e8 SHA256: 3ef17bbd20ea8dd2265a2e6afda1e2d14ee5a66cca2a1588115899a265581a6e SSDeep: 768:webaCj1ErNAHK9ipBPm371OXfXapDj/5ZAZDtCU:UCJErNAHKMpBuLMXfoDj//Apj	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cookie\Cookies	7.28 KB	MD5: 556cb86324404942841a1a0ff1705fe4 SHA1: c28b319cf4e70f0f75cb78e9a6973fc6d090bc7a SHA256: e49f179ae53a627310d148ef37aac6fe2a6566d5e055e337f7c93c91eb0c21fb SSDeep: 192:PTig1VzyKtro2V/EUhzK+sGz1v4qvCQg1EAP:2eVNtro2V/f4GzxCQVAP	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\OneDrive\17.3.6998.0830\images\overflowIconWhite.svg	1.17 KB	MD5: 7abfd0d77fd24ab4a0cf7f29315f34a7 SHA1: 8b4a5c35e831c552fb731e6eb8a2c3ca0d2ab32e SHA256: 1f46ea3da92d71eee67d21252e1dc77a98807c3e3a8394c595a7340e422e416c SSDeep: 24:0cnanP8QJ3m8cHYpKQZIPTLk5t0bQalL2W1gwzA1/mLH25UvmpAAYRlu+:0caP8sW6p6PKt0ARL/mH25amfYRlu+	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\clienttemplates.content.office.net\A3899EB7-943F-45BF-9B62-7976C872C7D6	58.00 KB	MD5: d1b8545d1ac48fca7b7b03f7ccc6cc67 SHA1: 39a5e6de72eb9638069ace85bd8aaebf0400150d SHA256: f0ba9e4dc6d637f7faeee8d15a98567db61370492c157f3a957e04467a28a49e SSDeep: 1536:Yit1Gw2qOVxLQODFZjgFz5Lbjeqswd3N/LXzfNp:HywVkB5TgFzFSqskN/LDVp	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\OneDrive\17.3.6998.0830\qml\QtQuick\Controls.2\qmldir	0.41 KB	MD5: 606dbea97de7f095eeb1f15db7525b36 SHA1: ba7f18e8915d1543492542aa4c149f19a5f97fd8 SHA256: 9035925e7aa318dca2d400a03dceeb39f73974c0982a818b35df0a8a9addef29 SSDeep: 6:66AP11g74aJdTSaR5SxcoGwMm/hoob86FGpNeXxj/tlOdCUPXhaZBgQERWa/7vW:L+11gDD7R5Sxcs/+oY6gbeXxjea9CW	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\OneDrive\17.3.6998.0830\images\blurrect.png	1.06 KB	MD5: 9e6db4346ee900f3e5d63e313be72a45 SHA1: 8b1af8eee3a3e6ce7ba63df6bc316d36461cce96 SHA256: 5c7c74901c330151e8e9725966f2af0c2a59cd12671eb03bd24d092ed37eb9e1 SSDeep: 24:K9hE7DrPY9C74ySnf/cJAIFwh/rIfZDpSSDEzi7Fcw1QI7F/qK4MR:K9mPYo7nSf/5+MjOZPDj9jg7MR	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\OneDrive\setup\logs\StandaloneUpdate_2017-07-13_111425_fe4-f74.log	2.24 KB	MD5: f236a0bab580007adf1f82987060a0f2 SHA1: 3406013f5e51d52a18119a349df23933e1316055 SHA256: e6e37868fb650ef3e9ab29edf0d78330c972cb1c238b7429c6fa59b7041b1b69 SSDeep: 48:n2Bg9P3ErEOA5/ZOxjj3JAJYPce2E+20VWIGX2m2XgASxqPfsMG4y8Q:2BePeEbcX3GJY5AVnGCgASxoNG4w	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\OneDrive\17.3.6998.0830\AppBlue.png	5.64 KB	MD5: ab669961c58e375170c0e52785b6dbd1 SHA1: 36e3917915e426d7021f3aeec34aa8a1347860f6 SHA256: 06414de98e6fc6804679c741097b8cc9a09a26cda4ca2d9a9f4baa1a5c6aa731 SSDeep: 96:JIHoStBh8j7hptzXX4XQqp9td3TXJmczv7Jf3GW8o93dA3CJYRWEkO:GIStB27ftzXIXQqpJ37Jd7JffHkCJYRj	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Internet Explorer\imagestore\sl72e5n\imagestore.dat	5.80 KB	MD5: 8cab3b923824eb128d8681c21713aa82 SHA1: 2c66ae169045229c5d2b5dd9003e928460c90e46 SHA256: 2402c5285b40e287cfa6f47a7c17cdfa4317a32624793dd8f9b966f9d1108780 SSDeep: 96:1qFRlybhzjEk//XWLw4JAjT492Evp5SvF1AZFhSN0zGjDoKI9wiA6lFdNLgetOyZ:wlq/vWECAjW7vpWFy/zE8xA6D/LtfTQU	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\OneDrive\setup\logs\Install_2017-09-26_160323_3a0-354.log	117.00 KB	MD5: 804213e5f165646cc0692fb6c50014f6 SHA1: 24a2249da1ccbe88213384d80da65d8caa8d42d3 SHA256: 4f3d8c632f9b06a7d128657b0d4210a4c8a8ccf793c2e9594cb52acc8aa05484 SSDeep: 3072:LGzGzNoVZuvUoB8MUI2CLDARXOykqrUYn:LquNoqvCcnARXlrUM	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\FORMS\FRMDATA64.DAT	249.21 KB	MD5: 71767d1ed4a8bd33bef34bce435e9d64 SHA1: 65d8cbf2f635dde1002b6008a211c9fb98b20bb6 SHA256: 1001ab073f9af8cd2bdebed7f72ae5e146285aed6db5759229868374accce877 SSDeep: 6144:AYysOfYcxTI1qZ1NRr5Ctt2u0QoCEVRoPvzPgVL6U18fX:ETI1k6tKCEzoz+L608v	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\OneDrive\17.3.6998.0830\qml\QtQuick\Extras\plugins.qmltypes	29.46 KB	MD5: 0b4813d4abcff0f50769a3d0d1e87a53 SHA1: 04ca18d725329123537df269443ab4c13814d222 SHA256: dd8aad026c3ad470f0435d0344aac1cb5e2de689d65bff537010ee26483982f7 SSDeep: 384:0T0J6vb7/E+LHHc+tQGYr6eQCizHvCEkiq9OJyO2kZhY4rIIgM9SLbpuvM8uHcOI:A0svb/LH8nuEGUx9NwhY4F39SLNWK/Ct	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\clienttemplates.content.office.net\F442332F-BE2E-45C6-B52A-9FA2F82F4F72	20.02 KB	MD5: 45beadb29ac59500f5695be9ae552922 SHA1: 00d09d07aad28a65f828f63171b71a63d5c15cd4 SHA256: 3c0d8a2827e230b12fde711889af829a0c6192442198ab8e5cb8efd458a8f767 SSDeep: 384:7YWhzJrBY69WXRuZxsCorYSjTEmMTX7qYMhIrvAPsd6XAf:vJtY+mQmTY+TFMHmhcEsd/f	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\OneDrive\17.3.6998.0830\qml\QtQuick\Controls.2\ProgressBar.qml	3.00 KB	MD5: 0fe40850c382ea2247f5461de4f78c7e SHA1: ef8091b208156121072dcb7e5cb3bdb573708429 SHA256: c77a42fa9b4365906fc885a7369a14a4ed51692f11185d4670b99db97c100ee1 SSDeep: 48:xUYy2jfM8aMgQkr4moGBik4OCeNiULtG2BsOTuOvocEjmQTzhCiu6wXIwSoda/bJ:xtjkEI4mx3KOvdQTwiu6n1GO	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\OneNote\16.0\cache\00000006.bin	1.85 KB	MD5: dec5a1c8ad95eec95226505ea985e4e4 SHA1: 3db0212a7c3bd6634740c6aaba4113f948d36eaf SHA256: 8ae68d237ecfe71b5447ccb8e26df006066a8f7622ba9def4ef0778ae63a0f41 SSDeep: 48:qTIiV72xB8nVUnhNKvdkHJMw+dcrJ7Mu6Rix5TEaeWqrjGG:q3o8Vg2vda6ndcrJmixFEaexGG	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\OneDrive\setup\logs\userTelemetryCache.otc	20.28 KB	MD5: 55a476ab475f049a4141f9f387864aeb SHA1: b57995e9cedc8853eee217b0e76a748ebb5dd1f9 SHA256: f9e7c8c2b46c253ff2a8a2e73930a349887667a4e7c861345a6ea375b54ed4de SSDeep: 384:z4I+ec8SwjZiOOPeVFY+cdyVYamO5LoJ0ZpE9ItIaM:0QgPeVwdyVY25LkZItM	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\OneDrive\17.3.6998.0830\qml\QtQuick\Window.2\plugins.qmltypes	11.77 KB	MD5: ce924d0e7c6ff76ed9d34d6a5111ce95 SHA1: f2d0e92e66ea6d768067ec2f616a1315f3198f95 SHA256: d9b49ad9ec1de92611f81a050fd9062ed7e3b9a86b27fe61300bf7a5f8f865c6 SSDeep: 192:4IVIezGxUtkUfYqM2GGIfmjSX0FCZ1BYWh4PYg5XmwWrslFad7xH11tg:4Inu/O2P0gPBTeYT7aFaldC	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\OneDrive\17.3.6998.0830\ScreenshotOptIn.gif	238.06 KB	MD5: e1e4f1dc4285540e8e426d4f57162d82 SHA1: 657f7b0e10dc6b61c495bf802360070c976dca54 SHA256: 37dd519f6eae84ec34aefc2b54d63f62ea1c93a403779730585419260c9caeae SSDeep: 6144:z7eIzVLBtETBZBxKLCXj7QAVUCUEP/K7OE7PT0qI7zstigt:zyIzJBAZHZrVGzqQgqNQI	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\clienttemplates.content.office.net\F85AB5DD-848A-4CA1-A9F0-ECCF7052094F	30.14 KB	MD5: 4b1db2833dfc86852e5d6cc871ed6dee SHA1: 699a3ab40c2a46508d63acb0113538c05a88f18e SHA256: a7555af0e38463c3c40e685f67045132318bfbfdd667b601197ea21353f19d83 SSDeep: 768:u7uiJYR+ibjzNlSynHj6lMQFLDbXT9o+WLCRbghHKOLgjRNd+qrvJy+Cye4RLE:0VLiXzLSyHj6WQ9DXtWLkQvwR+yBYUVE	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Local\Adobe\Acrobat\DC\UserCache.bin	62.21 KB	MD5: ebe9bbfd65316722be4a891eeb617039 SHA1: 669a81facaeea61696b2e48c5d3101f04628875e SHA256: 2f59746bb77b803a4d350b4a3264b1b8483fe1e55dc2fc7b3651a3f4811729a6 SSDeep: 1536:qSXYgURMdPL+5TD8TCtJF97isM+i9/Wyx2tdsoBeL8GZkII0Jvz:qSIgCMtL+59LqWygUoeiII0Jvz	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\OneDrive\17.3.6998.0830\qml\QtQuick\Templates.2\plugins.qmltypes	50.31 KB	MD5: 9b5600222343bee95e13319a86c03219 SHA1: 50fc2aeaee585e3fb6a06e7c6acbd5e6d95f05a7 SHA256: eb5deea6ec04ae65570c4ba3455946696cb88009321cf5cd7eb06769cf8f33f0 SSDeep: 1536:eWmrXDOzm+dFf0F1cpp/kRH9LN+6Y66rEJ:FmOSc90F1i/wdNH6rEJ	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\00009376\10_All_Music.wpl	1.31 KB	MD5: 1de2b95160868d499cb3747c89ee5aa2 SHA1: 7c1ba9f720afa0c46089ee591cdef791178518dd SHA256: 1eab56a153a81a440c896ad9c726f2e76759ffa60718198b0e341068bb5ff0df SSDeep: 24:Bv/g/8zJb4xn+SQ4Pha3+DiK0JSVB64wzt4fD6St:2E1b4x+SG3+DiVJQB64ytSB	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\OneDrive\17.3.6998.0830\images\onDemandFiles.svg	7.61 KB	MD5: 7f5c42ec7fde0d7430e38815840a2a50 SHA1: 15d26ac762a14faa74747c6cea7b01a28e1203ad SHA256: 3152c7d5d23a12f755b2e72bf1fa2cffe647eef60fba436e16b9f6bb3b9653eb SSDeep: 192:scuVoM3XyJEztTJG0YPVftGNf8EXXNd1HM6CM5rGdFzUKnmD28VeFfo3Dy:scuVogiJEzRJkzAT1vCQV+madou	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\OneNote\16.0\cache\00000000.bin	12.28 KB	MD5: 6f68e26c4f6f9c3b1c373e2072993aba SHA1: a8a160538a22fd3e9fab6227dd09f925a175c3bc SHA256: e615c9409388795be4cd42701d0c85e71406efc5f12265a26a510eba517e546a SSDeep: 384:zMur/+MXtLseU6sb49ikJMIZoZ9XymPJBV/kj:zb+MfUv2dZoZVjFkj	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Local\Adobe\Acrobat\DC\IconCacheRdr65536.dat	182.85 KB	MD5: f2af6312a5708cb09c83a7b77054321a SHA1: 16f79e151fc59591dc70a5f931e821818dfd7f08 SHA256: c4ce7b73a97bdb4dcb1ffbd72a28e8f65b392c73f6af2fe7d8ca3c0c4c73488a SSDeep: 3072:l6q+my9sUwcrAT15jddU3ujrbzkudmfa6qivvCDAwE3WCuIXaxjmG9FvsmA+jINP:Iq+5jwcrAT1jdU+jrUUsRTv7uCaxjz9O	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\OneDrive\17.3.5892.0626\AutoPlayOptIn.png	10.27 KB	MD5: 40e2424d9174aead4c2a3c72d49eb9b2 SHA1: c969e403d515ab0047bfe7d15ace1c469fddcf1f SHA256: 923a0bcd3acba5b368fa54808a23a05e6fdf7597314030568bfc5752173c666e SSDeep: 192:rB6TOKFHXHKZ/h/D1ctNNU3nMJ2+EicrMpkg+t8X9dDsIVMhsAd+aXv:rE6WHXHgD1U7mnMk+Ex2kBe/DsIVqfdv	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\OneDrive\17.3.6998.0830\images\settingsdisabled.svg	1.63 KB	MD5: 8244f09d3dc38d82f05d661d382bf698 SHA1: 639d4c90f826de0303127e3cba465c65827bd0ce SHA256: 30d0c2a62132e75c645b98ee7d49c7475a8b0ac53f23b9e2aaadd27989e08790 SSDeep: 48:7bfYEbazgfiDwDDQb0A89sCKetAvyL0HQ:7bgE+ai8nQjqs5etWyt	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\OneDrive\setup\logs\userTelemetryCache.otc.session	20.28 KB	MD5: 1323891b56eb672eb1db01df07d09a28 SHA1: c03f2bc59c8a47228eec25ef5d64490f7a625c73 SHA256: 5077f1c80f5376aaa237fc06aca03919736c469509902af29467b9bab1544ce7 SSDeep: 384:+XD5m5YE8PXILH42lq9OJe7bkeT2NyOD9uN/w8hrAjENmiWXSzbK/pftB:+XFma5v5ekHkrNjW/wQAViwssVtB	... File Actions Show Properties Download

Host Behavior

File (7915)

Operation	Filename	Additional Information	Count	Logfile
Create	C:\users\Public\sys	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_HIDDEN	1	Fn
Create	C:\users\Public\PUBLIC	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\users\Public\UNIQUE_ID_DO_NOT_REMOVE	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\users\Public\PUBLIC	desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	2	Fn
Create	C:\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	5	Fn
Create	C:\Boot\BCD	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Boot\BCD.LOG	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Boot\BCD.LOG1	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Boot\BCD.LOG2	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Boot\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	41	Fn
Create	C:\Boot\bg-BG\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Boot\BOOTSTAT.DAT	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Boot\cs-CZ\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Boot\da-DK\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Boot\de-DE\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Boot\el-GR\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Boot\en-GB\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Boot\en-US\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Boot\es-ES\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Boot\es-MX\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Boot\et-EE\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Boot\fi-FI\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Boot\Fonts\chs_boot.ttf	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Boot\Fonts\cht_boot.ttf	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Boot\Fonts\jpn_boot.ttf	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Boot\Fonts\kor_boot.ttf	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Boot\Fonts\malgunn_boot.ttf	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Boot\Fonts\malgun_boot.ttf	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Boot\Fonts\meiryon_boot.ttf	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Boot\Fonts\meiryo_boot.ttf	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Boot\Fonts\msjhn_boot.ttf	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Boot\Fonts\msjh_boot.ttf	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Boot\Fonts\msyhn_boot.ttf	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Boot\Fonts\msyh_boot.ttf	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Boot\Fonts\segmono_boot.ttf	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Boot\Fonts\segoen_slboot.ttf	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Boot\Fonts\segoe_slboot.ttf	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Boot\Fonts\wgl4_boot.ttf	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Boot\Fonts\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Boot\fr-CA\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Boot\fr-FR\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Boot\hr-HR\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Boot\hu-HU\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Boot\it-IT\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Boot\ja-JP\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Boot\ko-KR\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Boot\lt-LT\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Boot\lv-LV\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Boot\nb-NO\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Boot\nl-NL\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Boot\pl-PL\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Boot\pt-BR\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Boot\pt-PT\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Boot\qps-ploc\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Boot\Resources\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	2	Fn
Create	C:\Boot\Resources\en-US\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Boot\ro-RO\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Boot\ru-RU\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Boot\sk-SK\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Boot\sl-SI\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Boot\sr-Latn-CS\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Boot\sr-Latn-RS\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Boot\sv-SE\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Boot\tr-TR\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Boot\uk-UA\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Boot\zh-CN\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Boot\zh-HK\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Boot\zh-TW\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\bootmgr	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\BOOTNXT	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\BOOTSECT.BAK	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Config.Msi\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Documents and Settings\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\hiberfil.sys	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\pagefile.sys	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\PerfLogs\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	4	Fn
Create	C:\Program Files\Common Files\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	5	Fn
Create	C:\Program Files\Common Files\DESIGNER\MSADDNDR.OLB	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\DESIGNER\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	13	Fn
Create	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVClient.man	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVClientIsv.man	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RHeartbeatConfig.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ClickToRun\ClientCapabilities.json	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ClickToRun\ClientEventLogMessages.man	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ClickToRun\FrequentOfficeUpdateSchedule.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ClickToRun\i640.hash	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ClickToRun\i641033.hash	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeUpdateSchedule.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ClickToRun\ServiceWatcherSchedule.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ClickToRun\SharedPerformance.man	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ClickToRun\SubsystemController.man	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ClickToRun\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ink\Alphabet.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ink\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	44	Fn
Create	C:\Program Files\Common Files\microsoft shared\ink\ar-SA\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ink\bg-BG\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ink\Content.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ink\da-DK\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ink\de-DE\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ink\el-GR\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ink\en-GB\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ink\en-US\boxed-correct.avi	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ink\en-US\boxed-delete.avi	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ink\en-US\boxed-join.avi	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ink\en-US\boxed-split.avi	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ink\en-US\correct.avi	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ink\en-US\delete.avi	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ink\en-US\join.avi	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ink\en-US\split.avi	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ink\en-US\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ink\es-ES\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ink\es-MX\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ink\et-EE\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ink\fi-FI\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ink\FlickAnimation.avi	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ink\fr-CA\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ink\fr-FR\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	11	Fn
Create	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad\auxbase.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert\insertbase.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\ea.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\keypadbase.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\kor-kor.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\baseAltGr_rtl.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_altgr.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_ca.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_heb.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_jpn.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_kor.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_rtl.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\ja-jp.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\ko-kr.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\zh-changjei.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\zh-dayi.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\zh-phonetic.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui\oskclearuibase.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu\oskmenubase.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav\osknavbase.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad\osknumpadbase.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred\oskpredbase.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\ea-sym.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\ja-jp-sym.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\symbase.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ink\he-IL\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ink\hr-HR\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ink\hu-HU\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ink\hwrcommonlm.dat	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ink\HWRCustomization\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ink\hwrenclm.dat	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ink\hwrlatinlm.dat	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ink\hwrusalm.dat	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ink\hwrusash.dat	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ink\ipsar.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ink\ipscat.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ink\ipschs.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ink\ipscht.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ink\ipscsy.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ink\ipsdan.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ink\ipsdeu.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ink\ipsel.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ink\ipsen.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ink\ipsesp.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ink\ipsfin.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ink\ipsfra.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ink\ipshe.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ink\ipshi.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ink\ipshrv.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ink\ipsid.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ink\ipsita.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ink\ipsjpn.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ink\ipskor.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ink\ipsnld.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ink\ipsnor.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ink\ipsplk.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ink\ipsptb.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ink\ipsptg.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ink\ipsrom.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ink\ipsrus.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ink\ipssrb.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ink\ipssrl.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ink\ipssve.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ink\ipstr.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ink\it-IT\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ink\ja-JP\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ink\ko-KR\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ink\LanguageModel\chstic.dgml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ink\LanguageModel\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ink\lt-LT\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ink\lv-LV\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ink\nb-NO\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ink\nl-NL\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ink\pl-PL\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ink\pt-BR\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ink\pt-PT\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ink\ro-RO\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ink\ru-RU\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ink\sk-SK\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ink\sl-SI\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ink\sr-Latn-CS\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ink\sr-Latn-RS\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ink\sv-SE\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ink\th-TH\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ink\tr-TR\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ink\uk-UA\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ink\zh-CN\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ink\zh-HK\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\ink\zh-TW\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\MSInfo\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	2	Fn
Create	C:\Program Files\Common Files\microsoft shared\MSInfo\en-US\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\OFFICE16\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	2	Fn
Create	C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\pkeyconfig-office.xrm-ms	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\Source Engine\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\Stationery\Bears.htm	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\Stationery\Bears.jpg	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\Stationery\Blue_Gradient.jpg	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\Stationery\Cave_Drawings.gif	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\Stationery\Connectivity.gif	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\Stationery\Dotted_Lines.emf	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\Stationery\Garden.htm	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\Stationery\Garden.jpg	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\Stationery\Genko_1.emf	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\Stationery\Genko_2.emf	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\Stationery\Graph.emf	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\Stationery\Green Bubbles.htm	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\Stationery\GreenBubbles.jpg	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\Stationery\grid_(cm).wmf	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\Stationery\grid_(inch).wmf	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\Stationery\Hand Prints.htm	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\Stationery\HandPrints.jpg	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\Stationery\Memo.emf	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\Stationery\Monet.jpg	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\Stationery\Month_Calendar.emf	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\Stationery\Music.emf	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\Stationery\Notebook.jpg	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\Stationery\Orange Circles.htm	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\Stationery\OrangeCircles.jpg	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\Stationery\Peacock.htm	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\Stationery\Peacock.jpg	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\Stationery\Pine_Lumber.jpg	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\Stationery\Pretty_Peacock.jpg	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\Stationery\Psychedelic.jpg	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\Stationery\Roses.htm	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\Stationery\Roses.jpg	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\Stationery\Sand_Paper.jpg	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\Stationery\Seyes.emf	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\Stationery\Shades of Blue.htm	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\Stationery\ShadesOfBlue.jpg	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\Stationery\Shorthand.emf	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\Stationery\Small_News.jpg	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\Stationery\Soft Blue.htm	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\Stationery\SoftBlue.jpg	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\Stationery\Stars.htm	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\Stationery\Stars.jpg	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\Stationery\Stucco.gif	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\Stationery\Tanspecks.jpg	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\Stationery\Tiki.gif	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\Stationery\To_Do_List.emf	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\Stationery\White_Chocolate.jpg	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\Stationery\Wrinkled_Paper.gif	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\Stationery\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\TextConv\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	2	Fn
Create	C:\Program Files\Common Files\microsoft shared\TextConv\en-US\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\Triedit\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	2	Fn
Create	C:\Program Files\Common Files\microsoft shared\Triedit\en-US\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\VC\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\VGX\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\VSTO\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	2	Fn
Create	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	2	Fn
Create	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\1033\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\VSTO\vstoee100.tlb	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\microsoft shared\VSTO\vstoee90.tlb	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\Services\verisign.bmp	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\Services\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\System\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	5	Fn
Create	C:\Program Files\Common Files\System\ado\adojavas.inc	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\System\ado\adovbs.inc	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\System\ado\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	2	Fn
Create	C:\Program Files\Common Files\System\ado\en-US\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\System\ado\msado20.tlb	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\System\ado\msado21.tlb	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\System\ado\msado25.tlb	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\System\ado\msado26.tlb	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\System\ado\msado27.tlb	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\System\ado\msado28.tlb	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\System\ado\msado60.tlb	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\System\ado\msadomd28.tlb	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\System\ado\msador28.tlb	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\System\ado\msadox28.tlb	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\System\en-US\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\System\msadc\adcjavas.inc	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\System\msadc\adcvbs.inc	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\System\msadc\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	2	Fn
Create	C:\Program Files\Common Files\System\msadc\en-US\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\System\Ole DB\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	2	Fn
Create	C:\Program Files\Common Files\System\Ole DB\en-US\sqloledb.rll.mui	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\System\Ole DB\en-US\sqlxmlx.rll.mui	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\System\Ole DB\en-US\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\System\Ole DB\oledbjvs.inc	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\System\Ole DB\oledbvbs.inc	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\System\Ole DB\sqloledb.rll	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Common Files\System\Ole DB\sqlxmlx.rll	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Internet Explorer\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	4	Fn
Create	C:\Program Files\Internet Explorer\en-US\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Internet Explorer\images\bing.ico	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Internet Explorer\images\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Internet Explorer\SIGNUP\install.ins	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Internet Explorer\SIGNUP\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Java\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	2	Fn
Create	C:\Program Files\Java\jre1.8.0_131\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	3	Fn
Create	C:\Program Files\Java\jre1.8.0_131\bin\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	4	Fn
Create	C:\Program Files\Java\jre1.8.0_131\bin\dtplugin\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Java\jre1.8.0_131\bin\javacpl.cpl	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Java\jre1.8.0_131\bin\plugin2\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Java\jre1.8.0_131\bin\server\classes.jsa	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Java\jre1.8.0_131\bin\server\Xusage.txt	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Java\jre1.8.0_131\bin\server\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Java\jre1.8.0_131\COPYRIGHT	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Java\jre1.8.0_131\lib\accessibility.properties	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Java\jre1.8.0_131\lib\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	11	Fn
Create	C:\Program Files\Java\jre1.8.0_131\lib\amd64\jvm.cfg	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Java\jre1.8.0_131\lib\amd64\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Java\jre1.8.0_131\lib\applet\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Java\jre1.8.0_131\lib\calendars.properties	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Java\jre1.8.0_131\lib\charsets.jar	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Java\jre1.8.0_131\lib\classlist	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Java\jre1.8.0_131\lib\cmm\CIEXYZ.pf	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Java\jre1.8.0_131\lib\cmm\GRAY.pf	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Java\jre1.8.0_131\lib\cmm\LINEAR_RGB.pf	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Java\jre1.8.0_131\lib\cmm\PYCC.pf	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Java\jre1.8.0_131\lib\cmm\sRGB.pf	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Java\jre1.8.0_131\lib\cmm\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Java\jre1.8.0_131\lib\content-types.properties	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Java\jre1.8.0_131\lib\currency.data	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Java\jre1.8.0_131\lib\deploy\ffjcext.zip	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Java\jre1.8.0_131\lib\deploy\messages.properties	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Java\jre1.8.0_131\lib\deploy\messages_de.properties	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Java\jre1.8.0_131\lib\deploy\messages_es.properties	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Java\jre1.8.0_131\lib\deploy\messages_fr.properties	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Java\jre1.8.0_131\lib\deploy\messages_it.properties	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Java\jre1.8.0_131\lib\deploy\messages_ja.properties	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Java\jre1.8.0_131\lib\deploy\messages_ko.properties	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Java\jre1.8.0_131\lib\deploy\messages_pt_BR.properties	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Java\jre1.8.0_131\lib\deploy\messages_sv.properties	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Java\jre1.8.0_131\lib\deploy\messages_zh_CN.properties	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Java\jre1.8.0_131\lib\deploy\messages_zh_HK.properties	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Java\jre1.8.0_131\lib\deploy\messages_zh_TW.properties	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Java\jre1.8.0_131\lib\deploy\splash.gif	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Java\jre1.8.0_131\lib\deploy\splash@2x.gif	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Java\jre1.8.0_131\lib\deploy\splash_11-lic.gif	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Java\jre1.8.0_131\lib\deploy\splash_11@2x-lic.gif	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Java\jre1.8.0_131\lib\deploy\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Java\jre1.8.0_131\lib\deploy.jar	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Java\jre1.8.0_131\lib\ext\access-bridge-64.jar	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Java\jre1.8.0_131\lib\ext\cldrdata.jar	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Java\jre1.8.0_131\lib\ext\dnsns.jar	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Java\jre1.8.0_131\lib\ext\jaccess.jar	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Java\jre1.8.0_131\lib\ext\jfxrt.jar	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Java\jre1.8.0_131\lib\ext\localedata.jar	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Java\jre1.8.0_131\lib\ext\meta-index	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Java\jre1.8.0_131\lib\ext\nashorn.jar	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Java\jre1.8.0_131\lib\ext\sunec.jar	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Java\jre1.8.0_131\lib\ext\sunjce_provider.jar	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Java\jre1.8.0_131\lib\ext\sunmscapi.jar	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Java\jre1.8.0_131\lib\ext\sunpkcs11.jar	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Java\jre1.8.0_131\lib\ext\zipfs.jar	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Java\jre1.8.0_131\lib\ext\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Java\jre1.8.0_131\lib\flavormap.properties	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Java\jre1.8.0_131\lib\fontconfig.bfc	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Java\jre1.8.0_131\lib\fontconfig.properties.src	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Java\jre1.8.0_131\lib\fonts\LucidaBrightDemiBold.ttf	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Java\jre1.8.0_131\lib\fonts\LucidaBrightDemiItalic.ttf	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Java\jre1.8.0_131\lib\fonts\LucidaBrightItalic.ttf	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Java\jre1.8.0_131\lib\fonts\LucidaBrightRegular.ttf	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Java\jre1.8.0_131\lib\fonts\LucidaSansDemiBold.ttf	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Java\jre1.8.0_131\lib\fonts\LucidaSansRegular.ttf	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Java\jre1.8.0_131\lib\fonts\LucidaTypewriterBold.ttf	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Java\jre1.8.0_131\lib\fonts\LucidaTypewriterRegular.ttf	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Java\jre1.8.0_131\lib\fonts\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Java\jre1.8.0_131\lib\hijrah-config-umalqura.properties	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Java\jre1.8.0_131\lib\images\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	2	Fn
Create	C:\Program Files\Java\jre1.8.0_131\lib\images\cursors\cursors.properties	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Java\jre1.8.0_131\lib\images\cursors\invalid32x32.gif	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Java\jre1.8.0_131\lib\images\cursors\win32_CopyDrop32x32.gif	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Java\jre1.8.0_131\lib\images\cursors\win32_CopyNoDrop32x32.gif	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Java\jre1.8.0_131\lib\images\cursors\win32_LinkDrop32x32.gif	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Java\jre1.8.0_131\lib\images\cursors\win32_LinkNoDrop32x32.gif	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Java\jre1.8.0_131\lib\images\cursors\win32_MoveDrop32x32.gif	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Java\jre1.8.0_131\lib\images\cursors\win32_MoveNoDrop32x32.gif	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Java\jre1.8.0_131\lib\images\cursors\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Java\jre1.8.0_131\lib\javafx.properties	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Java\jre1.8.0_131\lib\javaws.jar	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Java\jre1.8.0_131\lib\jce.jar	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Java\jre1.8.0_131\lib\jfr\default.jfc	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Java\jre1.8.0_131\lib\jfr\profile.jfc	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Java\jre1.8.0_131\lib\jfr\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Java\jre1.8.0_131\lib\jfr.jar	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Java\jre1.8.0_131\lib\jfxswt.jar	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Java\jre1.8.0_131\lib\jsse.jar	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Java\jre1.8.0_131\lib\jvm.hprof.txt	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Java\jre1.8.0_131\lib\logging.properties	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Java\jre1.8.0_131\lib\management\jmxremote.access	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Java\jre1.8.0_131\lib\management\jmxremote.password.template	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Java\jre1.8.0_131\lib\management\management.properties	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Java\jre1.8.0_131\lib\management\snmp.acl.template	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Java\jre1.8.0_131\lib\management\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Java\jre1.8.0_131\lib\management-agent.jar	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Java\jre1.8.0_131\lib\meta-index	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Java\jre1.8.0_131\lib\net.properties	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Java\jre1.8.0_131\lib\plugin.jar	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Java\jre1.8.0_131\lib\psfont.properties.ja	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Java\jre1.8.0_131\lib\psfontj2d.properties	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Java\jre1.8.0_131\lib\resources.jar	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Java\jre1.8.0_131\lib\rt.jar	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Java\jre1.8.0_131\lib\security\blacklist	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Java\jre1.8.0_131\lib\security\blacklisted.certs	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Java\jre1.8.0_131\lib\security\cacerts	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Java\jre1.8.0_131\lib\security\java.policy	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Java\jre1.8.0_131\lib\security\java.security	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Java\jre1.8.0_131\lib\security\javaws.policy	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Java\jre1.8.0_131\lib\security\local_policy.jar	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Java\jre1.8.0_131\lib\security\trusted.libraries	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Java\jre1.8.0_131\lib\security\US_export_policy.jar	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Java\jre1.8.0_131\lib\security\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Java\jre1.8.0_131\lib\sound.properties	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Java\jre1.8.0_131\lib\tzdb.dat	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Java\jre1.8.0_131\lib\tzmappings	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Java\jre1.8.0_131\LICENSE	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Java\jre1.8.0_131\README.txt	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Java\jre1.8.0_131\release	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Java\jre1.8.0_131\THIRDPARTYLICENSEREADME-JAVAFX.txt	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Java\jre1.8.0_131\THIRDPARTYLICENSEREADME.txt	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Java\jre1.8.0_131\Welcome.html	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\AppXManifest.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\FileSystemMetadata.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	3	Fn
Create	C:\Program Files\Microsoft Office\Office16\OSPP.HTM	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\Office16\OSPP.VBS	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\Office16\SLERROR.XML	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\Office16\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-0015-0000-1000-0000000FF1CE.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-0015-0409-1000-0000000FF1CE.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-0016-0000-1000-0000000FF1CE.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-0016-0409-1000-0000000FF1CE.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-0018-0000-1000-0000000FF1CE.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-0018-0409-1000-0000000FF1CE.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-0019-0000-1000-0000000FF1CE.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-0019-0409-1000-0000000FF1CE.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-001A-0000-1000-0000000FF1CE.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-001A-0409-1000-0000000FF1CE.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-001B-0000-1000-0000000FF1CE.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-001B-0409-1000-0000000FF1CE.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-001F-0409-1000-0000000FF1CE.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-001F-040C-1000-0000000FF1CE.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-001F-0C0A-1000-0000000FF1CE.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-0027-0000-1000-0000000FF1CE.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-002C-0409-1000-0000000FF1CE.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-0054-0409-1000-0000000FF1CE.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-0057-0000-1000-0000000FF1CE.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-006E-0409-1000-0000000FF1CE.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-0090-0000-1000-0000000FF1CE.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-0090-0409-1000-0000000FF1CE.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-00A1-0000-1000-0000000FF1CE.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-00A1-0409-1000-0000000FF1CE.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-00B4-0409-1000-0000000FF1CE.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-00BA-0000-1000-0000000FF1CE.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-00BA-0409-1000-0000000FF1CE.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-00C1-0000-1000-0000000FF1CE.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-00C1-0409-1000-0000000FF1CE.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-00E1-0000-1000-0000000FF1CE.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-00E1-0409-1000-0000000FF1CE.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-00E2-0000-1000-0000000FF1CE.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-00E2-0409-1000-0000000FF1CE.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-0115-0409-1000-0000000FF1CE.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-0117-0409-1000-0000000FF1CE.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-012A-0000-1000-0000000FF1CE.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-012B-0409-1000-0000000FF1CE.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-3101-0000-1000-0000000FF1CE.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.common.16.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\PackageManifests\AppXManifestLoc.16.en-us.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\PackageManifests\AuthoredExtensions.16.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\PackageManifests\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	8	Fn
Create	C:\Program Files\Microsoft Office\root\client\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	3	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\AG00004_.GIF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\AG00011_.GIF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\AG00021_.GIF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\AG00037_.GIF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\AG00038_.GIF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\AG00040_.GIF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\AG00052_.GIF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\AG00057_.GIF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\AG00090_.GIF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\AG00092_.GIF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\AG00103_.GIF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\AG00120_.GIF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\AG00126_.GIF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\AG00129_.GIF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\AG00130_.GIF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\AG00135_.GIF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\AG00139_.GIF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\AG00142_.GIF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\AG00154_.GIF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\AG00157_.GIF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\AG00158_.GIF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\AG00160_.GIF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\AG00161_.GIF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\AG00163_.GIF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\AG00164_.GIF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\AG00165_.GIF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\AG00167_.GIF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\AG00169_.GIF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\AG00170_.GIF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\AG00171_.GIF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\AG00172_.GIF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\AG00174_.GIF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\AG00175_.GIF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\AG00176_.GIF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\AN00010_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\AN00015_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\AN00790_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\AN00853_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\AN00914_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\AN00932_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\AN00965_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\AN01039_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\AN01044_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\AN01060_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\AN01084_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\AN01173_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\AN01174_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\AN01184_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\AN01216_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\AN01218_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\AN01251_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\AN01545_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\AN02122_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\AN02559_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\AN02724_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\AN03500_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\AN04108_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\AN04117_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\AN04134_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\AN04174_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\AN04191_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\AN04195_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\AN04196_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\AN04206_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\AN04225_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\AN04235_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\AN04267_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\AN04269_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\AN04323_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\AN04326_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\AN04332_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\AN04355_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\AN04369_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\AN04384_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\AN04385_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\BABY_01.MID	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\BD00116_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\BD00141_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\BD00146_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\BD00155_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\BD00160_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\BD00173_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\BD05119_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\BD06102_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\BD06200_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\BD07761_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\BD07804_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\BD07831_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\BD08758_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\BD08773_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\BD08808_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\BD08868_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\BD09031_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\BD09194_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\BD09662_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\BD09664_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\BD10890_.GIF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\BD10972_.GIF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\BD19563_.GIF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\BD19582_.GIF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\BD19695_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\BD19827_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\BD19828_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\BD19986_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\BD19988_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\BD20013_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\BL00008_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\BL00012_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\BL00045_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\BL00098_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\BL00105_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\BL00122_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\BL00130_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\BL00148_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\BL00152_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\BL00194_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\BL00195_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\BL00234_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\BL00242_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\BL00247_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\BL00248_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\BL00252_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\BL00254_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\BL00261_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\BL00262_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\BL00265_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\BL00267_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\BL00269_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\BL00270_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\BL00273_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\BL00274_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\BL00296_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\BL00390_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\BL00392_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\BL00524_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\BL00525_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\BL00526_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\BL00648_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\BL00921_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\BL00923_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\BL00932_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\BL00985_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\BOAT.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\BOATINST.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\BS00076_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\BS00078_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\BS00092_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\BS00100_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\BS00135_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\BS00136_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\BS00145_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\BS00174_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\BS00184_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\BS00186_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\BS00200_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\BS00224_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\BS00438_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\BS00439_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\BS00440_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\BS00441_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\BS00442_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\BS00443_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\BS00444_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\BS00445_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\BS00453_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\BS01080_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\BS01603_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\BS01634_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\BS01635_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\BS01636_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\BS01637_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\BS01638_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\BS01639_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\CARBN_01.MID	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\CG1606.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\CLASSIC1.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\CLASSIC2.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\CLIP.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\CMNTY_01.MID	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\CRANE.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\CRANINST.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\CUP.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\CUPINST.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\DD00117_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\DD00121_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\DD00234_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\DD00255_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\DD00256_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\DD00261_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\DD00297_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\DD00372_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\DD00405_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\DD00407_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\DD00413_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\DD00414_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\DD00419_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\DD00437_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\DD00448_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\DD00449_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\DD00687_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\DD00705_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\DD01015_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\DD01039_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\DD01138_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\DD01139_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\DD01140_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\DD01143_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\DD01145_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\DD01146_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\DD01151_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\DD01152_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\DD01157_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\DD01160_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\DD01162_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\DD01163_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\DD01166_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\DD01167_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\DD01168_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\DD01169_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\DD01170_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\DD01171_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\DD01172_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\DD01173_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\DD01176_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\DD01178_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\DD01179_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\DD01180_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\DD01181_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\DD01182_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\DD01183_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\DD01186_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\DD01366_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\DD01434_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\DD01585_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\DD01586_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\DD01628_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\DD01629_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\DD01630_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\DD01631_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\DD01761_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\DD01772_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\DD01793_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\EAST_01.MID	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\ED00010_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\ED00019_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\ED00172_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\ED00184_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\EN00006_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\EN00202_.WMF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\Publisher\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	2	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\Publisher\Backgrounds\J0143743.GIF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\Publisher\Backgrounds\J0143744.GIF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\Publisher\Backgrounds\J0143745.GIF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\Publisher\Backgrounds\J0143746.GIF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\Publisher\Backgrounds\J0143748.GIF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\Publisher\Backgrounds\J0143749.GIF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\Publisher\Backgrounds\J0143750.GIF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\Publisher\Backgrounds\J0143752.GIF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\Publisher\Backgrounds\J0143753.GIF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\Publisher\Backgrounds\J0143754.GIF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\Publisher\Backgrounds\J0143758.GIF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\Publisher\Backgrounds\WB00516L.GIF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\Publisher\Backgrounds\WB00531L.GIF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\Publisher\Backgrounds\WB00673L.GIF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\Publisher\Backgrounds\WB00703L.GIF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\Publisher\Backgrounds\WB00760L.GIF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\Publisher\Backgrounds\WB00780L.GIF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\Publisher\Backgrounds\WB01741L.GIF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\Publisher\Backgrounds\WB02039_.GIF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\Publisher\Backgrounds\WB02055_.GIF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\Publisher\Backgrounds\WB02073_.GIF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\Publisher\Backgrounds\WB02074_.GIF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\Publisher\Backgrounds\WB02077_.GIF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\Publisher\Backgrounds\WB02082_.GIF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\Publisher\Backgrounds\WB02085_.GIF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\Publisher\Backgrounds\WB02097_.GIF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\Publisher\Backgrounds\WB02106_.GIF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\Publisher\Backgrounds\WB02116_.GIF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\Publisher\Backgrounds\WB02134_.GIF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\Publisher\Backgrounds\WB02187_.GIF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\Publisher\Backgrounds\WB02198_.GIF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\Publisher\Backgrounds\WB02201_.GIF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\Publisher\Backgrounds\WB02214_.GIF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\Publisher\Backgrounds\WB02218_.GIF	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\CLIPART\Publisher\Backgrounds\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Document Themes 16\Facet.thmx	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Document Themes 16\Gallery.thmx	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Document Themes 16\Integral.thmx	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Document Themes 16\Ion Boardroom.thmx	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Document Themes 16\Ion.thmx	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Document Themes 16\Office Theme.thmx	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Document Themes 16\Organic.thmx	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Document Themes 16\Retrospect.thmx	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Document Themes 16\Slice.thmx	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Document Themes 16\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	4	Fn
Create	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Aspect.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Blue Green.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Blue II.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Blue Warm.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Blue.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Grayscale.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Green Yellow.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Green.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Marquee.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Median.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Office 2007 - 2010.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Orange Red.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Orange.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Paper.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Red Orange.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Red Violet.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Red.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Slipstream.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Violet II.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Violet.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Yellow Orange.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Yellow.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Banded Edge.eftx	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Extreme Shadow.eftx	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Frosted Glass.eftx	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Glossy.eftx	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Glow Edge.eftx	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Grunge Texture.eftx	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Inset.eftx	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Milk Glass.eftx	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Office 2007 - 2010.eftx	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Reflection.eftx	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Riblet.eftx	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Smokey Glass.eftx	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Subtle Solids.eftx	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Top Shadow.eftx	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Arial Black-Arial.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Arial-Times New Roman.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Arial.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Calibri Light-Constantia.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Calibri-Cambria.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Calibri.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Cambria.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Candara.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Century Gothic-Palatino Linotype.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Century Gothic.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Century Schoolbook.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Consolas-Verdana.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Constantia-Franklin Gothic Book.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Corbel.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Franklin Gothic.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Garamond-TrebuchetMs.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Garamond.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Georgia.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Gill Sans MT.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Office 2007 - 2010.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Times New Roman-Arial.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\TrebuchetMs.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Tw Cen MT-Rockwell.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Tw Cen MT.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Document Themes 16\Wisp.thmx	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Flattener\CommonSequencingProperties.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Flattener\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\fre\StartMenu_Win10.mp4	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\fre\StartMenu_Win10_RTL.mp4	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\fre\StartMenu_Win7.wmv	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\fre\StartMenu_Win7_RTL.wmv	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\fre\StartMenu_Win8.mp4	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\fre\StartMenu_Win8_RTL.mp4	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\fre\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Integration\C2RInt.16.msi	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Integration\C2RIntLoc.en-us.16.msi	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.Access.Access.x-none.msi.16.x-none.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.accessmui.msi.16.en-us.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.accessmuiset.msi.16.en-us.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.DCF.DCF.x-none.msi.16.x-none.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.dcfmui.msi.16.en-us.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.Excel.Excel.x-none.msi.16.x-none.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.excelmui.msi.16.en-us.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.Groove.Groove.x-none.msi.16.x-none.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.groovemui.msi.16.en-us.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.Lync.Lync.x-none.msi.16.x-none.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.lyncmui.msi.16.en-us.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.office32mui.msi.16.en-us.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.office32ww.msi.16.x-none.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.officemui.msi.16.en-us.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.officemuiset.msi.16.en-us.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.OneNote.OneNote.x-none.msi.16.x-none.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.onenotemui.msi.16.en-us.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.OSM.OSM.x-none.msi.16.x-none.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.osmmui.msi.16.en-us.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.OSMUX.OSMUX.x-none.msi.16.x-none.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.osmuxmui.msi.16.en-us.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.Outlook.Outlook.x-none.msi.16.x-none.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.outlookmui.msi.16.en-us.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.PowerPivot.PowerPivot.x-none.msi.16.x-none.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.PowerPoint.PowerPoint.x-none.msi.16.x-none.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.powerpointmui.msi.16.en-us.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.Project.Project.x-none.msi.16.x-none.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.projectmui.msi.16.en-us.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.Proof.Culture.msi.16.en-us.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.Proof.Culture.msi.16.es-es.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.Proof.Culture.msi.16.fr-fr.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.proofing.msi.16.en-us.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.Publisher.Publisher.x-none.msi.16.x-none.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.publishermui.msi.16.en-us.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.shared.Office.x-none.msi.16.x-none.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.Visio.Visio.x-none.msi.16.x-none.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.visiomui.msi.16.en-us.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.Word.Word.x-none.msi.16.x-none.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.wordmui.msi.16.en-us.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Integration\QFE31927.msp	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Integration\QFE31928.msp	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Integration\SPPRedist.msi	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Integration\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Licenses\c2rpridslicensefiles_auto.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Licenses\RyukReadMe.txt	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_Grace-ppd.xrm-ms	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_Grace-ul-oob.xrm-ms	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_OEM_Perp-pl.xrm-ms	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_OEM_Perp-ppd.xrm-ms	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_OEM_Perp-ul-oob.xrm-ms	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_OEM_Perp-ul-phn.xrm-ms	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_Retail-pl.xrm-ms	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_Retail-ppd.xrm-ms	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_Retail-ul-oob.xrm-ms	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_Retail-ul-phn.xrm-ms	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_Trial-pl.xrm-ms	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_Trial-ppd.xrm-ms	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_Trial-ul-oob.xrm-ms	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Licenses16\Access2019VL_KMS_Client_AE-ppd.xrm-ms	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Licenses16\Access2019VL_KMS_Client_AE-ul-oob.xrm-ms	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Licenses16\Access2019VL_KMS_Client_AE-ul.xrm-ms	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Licenses16\Access2019VL_MAK_AE-pl.xrm-ms	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Licenses16\Access2019VL_MAK_AE-ppd.xrm-ms	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Licenses16\Access2019VL_MAK_AE-ul-oob.xrm-ms	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Licenses16\Access2019VL_MAK_AE-ul-phn.xrm-ms	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Licenses16\AccessRuntime2019R_PrepidBypass-ppd.xrm-ms	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Licenses16\AccessRuntime2019R_PrepidBypass-ul-oob.xrm-ms	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Licenses16\AccessRuntimeR_PrepidBypass-ppd.xrm-ms	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Licenses16\AccessRuntimeR_PrepidBypass-ul-oob.xrm-ms	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Licenses16\AccessR_Grace-ppd.xrm-ms	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Licenses16\AccessR_Grace-ul-oob.xrm-ms	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Licenses16\AccessR_OEM_Perp-pl.xrm-ms	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Licenses16\AccessR_OEM_Perp-ppd.xrm-ms	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Licenses16\AccessR_OEM_Perp-ul-oob.xrm-ms	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Licenses16\AccessR_OEM_Perp-ul-phn.xrm-ms	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Licenses16\AccessR_Retail-pl.xrm-ms	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Licenses16\AccessR_Retail-ppd.xrm-ms	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Licenses16\AccessR_Retail-ul-oob.xrm-ms	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Licenses16\AccessR_Retail-ul-phn.xrm-ms	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Licenses16\AccessR_Trial-pl.xrm-ms	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Licenses16\AccessR_Trial-ppd.xrm-ms	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Licenses16\AccessR_Trial-ul-oob.xrm-ms	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Licenses16\AccessVL_KMS_Client-ppd.xrm-ms	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Licenses16\AccessVL_KMS_Client-ul-oob.xrm-ms	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Licenses16\AccessVL_KMS_Client-ul.xrm-ms	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Licenses16\AccessVL_MAK-pl.xrm-ms	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Licenses16\AccessVL_MAK-ppd.xrm-ms	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Licenses16\AccessVL_MAK-ul-oob.xrm-ms	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Licenses16\AccessVL_MAK-ul-phn.xrm-ms	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Licenses16\c2rpridslicensefiles_auto.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Licenses16\client-issuance-bridge-office.xrm-ms	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Licenses16\client-issuance-root-bridge-test.xrm-ms	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Licenses16\client-issuance-root.xrm-ms	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Licenses16\client-issuance-stil.xrm-ms	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Licenses16\client-issuance-ul-oob.xrm-ms	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Licenses16\client-issuance-ul.xrm-ms	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Licenses16\ExcelR_Grace-ppd.xrm-ms	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Licenses16\ExcelR_Grace-ul-oob.xrm-ms	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Licenses16\ExcelR_OEM_Perp-pl.xrm-ms	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Licenses16\ExcelR_OEM_Perp-ppd.xrm-ms	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Licenses16\ExcelR_OEM_Perp-ul-oob.xrm-ms	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Licenses16\ExcelR_OEM_Perp-ul-phn.xrm-ms	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Licenses16\ExcelR_Retail-pl.xrm-ms	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Licenses16\ExcelR_Retail-ppd.xrm-ms	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Licenses16\ExcelR_Retail-ul-oob.xrm-ms	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Licenses16\ExcelR_Retail-ul-phn.xrm-ms	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Licenses16\ExcelR_Trial-pl.xrm-ms	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Licenses16\ExcelR_Trial-ppd.xrm-ms	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Licenses16\ExcelR_Trial-ul-oob.xrm-ms	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Licenses16\ExcelVL_KMS_Client-ppd.xrm-ms	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Licenses16\ExcelVL_KMS_Client-ul-oob.xrm-ms	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Licenses16\ExcelVL_KMS_Client-ul.xrm-ms	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Licenses16\ExcelVL_MAK-pl.xrm-ms	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Licenses16\ExcelVL_MAK-ppd.xrm-ms	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Licenses16\ExcelVL_MAK-ul-oob.xrm-ms	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Licenses16\ExcelVL_MAK-ul-phn.xrm-ms	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessDemoR_BypassTrial365-ppd.xrm-ms	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessDemoR_BypassTrial365-ul-oob.xrm-ms	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessPipcDemoR_BypassTrial365-ppd.xrm-ms	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Get Info	C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cookies\1ZJA02JO.txt	type = size, size_out = 111	2	Fn
Get Info	C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cookies\268TPJIA.txt	type = size, size_out = 620	2	Fn
Get Info	C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cookies\6KWA3R8C.txt	type = size, size_out = 77	2	Fn
Get Info	C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cookies\85DGK2J5.txt	type = size, size_out = 213	2	Fn
Get Info	C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cookies\container.dat	type = size, size_out = 0	2	Fn
Get Info	C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cookies\FPNDV7T3.txt	type = size, size_out = 416	2	Fn
Get Info	C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cookies\J9KFLZDX.txt	type = size, size_out = 385	2	Fn
Get Info	C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cookies\JN00AKV9.txt	type = size, size_out = 88	2	Fn
Get Info	C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cookies\OR8K8VRM.txt	type = size, size_out = 260	2	Fn
Get Info	C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cookies\TK0LXHBL.txt	type = size, size_out = 211	2	Fn
Get Info	C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cookies\VC62GJSF.txt	type = size, size_out = 182	2	Fn
Get Info	C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cookies\VSMDVD55.txt	type = size, size_out = 92	2	Fn
Get Info	C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!002\MicrosoftEdge\Cookies\51TU1403.txt	type = size, size_out = 127	2	Fn
Get Info	C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!002\MicrosoftEdge\Cookies\5GJKP08H.txt	type = size, size_out = 447	2	Fn
Get Info	C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!002\MicrosoftEdge\Cookies\6NQ9V8CD.txt	type = size, size_out = 395	2	Fn
Get Info	C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!002\MicrosoftEdge\Cookies\container.dat	type = size, size_out = 0	2	Fn
Get Info	C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!002\MicrosoftEdge\Cookies\JZ1UUUP9.txt	type = size, size_out = 419	2	Fn
Get Info	C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!002\MicrosoftEdge\Cookies\KW0ULAFV.txt	type = size, size_out = 358	2	Fn
Get Info	C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!002\MicrosoftEdge\Cookies\SW6Z4AI1.txt	type = size, size_out = 209	2	Fn
Get Info	C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!002\MicrosoftEdge\Cookies\TU6XBKFE.txt	type = size, size_out = 200	2	Fn
Get Info	C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!002\MicrosoftEdge\Cookies\U9PT9V3Q.txt	type = size, size_out = 561	2	Fn
Get Info	C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cookies\1143SFPT.txt	type = size, size_out = 111	2	Fn
Get Info	C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cookies\1HP9XSYA.txt	type = size, size_out = 149	2	Fn
Get Info	C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cookies\205ESPV2.txt	type = size, size_out = 159	2	Fn
Get Info	C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cookies\container.dat	type = size, size_out = 0	2	Fn
Get Info	C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cookies\Y51OCFZ0.txt	type = size, size_out = 121	2	Fn
Read	C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cookies\1ZJA02JO.txt	size = 111, size_out = 111	1	Fn Data
Read	C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cookies\268TPJIA.txt	size = 25, size_out = 25	1	Fn Data
Read	C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cookies\268TPJIA.txt	size = 620, size_out = 620	1	Fn Data
Read	C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cookies\6KWA3R8C.txt	size = 77, size_out = 77	1	Fn Data
Read	C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cookies\85DGK2J5.txt	size = 213, size_out = 213	1	Fn Data
Read	C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cookies\FPNDV7T3.txt	size = 25, size_out = 25	1	Fn Data
Read	C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cookies\FPNDV7T3.txt	size = 416, size_out = 416	1	Fn Data
Read	C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cookies\J9KFLZDX.txt	size = 25, size_out = 25	1	Fn Data
Read	C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cookies\J9KFLZDX.txt	size = 385, size_out = 385	1	Fn Data
Read	C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cookies\JN00AKV9.txt	size = 88, size_out = 88	1	Fn Data
Read	C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cookies\OR8K8VRM.txt	size = 260, size_out = 260	1	Fn Data
Read	C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cookies\TK0LXHBL.txt	size = 211, size_out = 211	1	Fn Data
Read	C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cookies\VC62GJSF.txt	size = 182, size_out = 182	1	Fn Data
Read	C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cookies\VSMDVD55.txt	size = 92, size_out = 92	1	Fn Data
Read	C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!002\MicrosoftEdge\Cookies\51TU1403.txt	size = 127, size_out = 127	1	Fn Data
Read	C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!002\MicrosoftEdge\Cookies\5GJKP08H.txt	size = 25, size_out = 25	1	Fn Data
Read	C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!002\MicrosoftEdge\Cookies\5GJKP08H.txt	size = 447, size_out = 447	1	Fn Data
Read	C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!002\MicrosoftEdge\Cookies\6NQ9V8CD.txt	size = 25, size_out = 25	1	Fn Data
Read	C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!002\MicrosoftEdge\Cookies\6NQ9V8CD.txt	size = 395, size_out = 395	1	Fn Data
Read	C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!002\MicrosoftEdge\Cookies\JZ1UUUP9.txt	size = 25, size_out = 25	1	Fn Data
Read	C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!002\MicrosoftEdge\Cookies\JZ1UUUP9.txt	size = 419, size_out = 419	1	Fn Data
Read	C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!002\MicrosoftEdge\Cookies\KW0ULAFV.txt	size = 25, size_out = 25	1	Fn Data
Read	C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!002\MicrosoftEdge\Cookies\KW0ULAFV.txt	size = 358, size_out = 358	1	Fn Data
Read	C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!002\MicrosoftEdge\Cookies\SW6Z4AI1.txt	size = 209, size_out = 209	1	Fn Data
Read	C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!002\MicrosoftEdge\Cookies\TU6XBKFE.txt	size = 200, size_out = 200	1	Fn Data
Read	C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!002\MicrosoftEdge\Cookies\U9PT9V3Q.txt	size = 25, size_out = 25	1	Fn Data
Read	C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!002\MicrosoftEdge\Cookies\U9PT9V3Q.txt	size = 561, size_out = 561	1	Fn Data
Read	C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cookies\1143SFPT.txt	size = 111, size_out = 111	1	Fn Data
Read	C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cookies\1HP9XSYA.txt	size = 149, size_out = 149	1	Fn Data
Read	C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cookies\205ESPV2.txt	size = 159, size_out = 159	1	Fn Data
Read	C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cookies\Y51OCFZ0.txt	size = 121, size_out = 121	1	Fn Data
For performance reasons, the remaining 3000 entries are omitted. The remaining entries can be found in glog.xml.

Process (1)

Operation	Process	Additional Information	Success	Count	Logfile
Create	C:\users\Public\window.bat	show_window = SW_HIDE		1	Fn

Module (78)

Operation	Module	Additional Information	Count	Logfile
Load	kernel32.dll	base_address = 0x7ffb90a40000	1	Fn
Load	mpr.dll	base_address = 0x7ffb8d140000	1	Fn
Load	advapi32.dll	base_address = 0x7ffb8f2f0000	1	Fn
Load	ole32.dll	base_address = 0x7ffb90fb0000	1	Fn
Load	Shell32.dll	base_address = 0x7ffb8f500000	1	Fn
Load	Iphlpapi.dll	base_address = 0x7ffb8b580000	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = LoadLibraryA, address_out = 0x7ffb90a62080	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetLastError, address_out = 0x7ffb90a56060	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = VirtualFree, address_out = 0x7ffb90a5bc10	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = CryptExportKey, address_out = 0x7ffb8f307b50	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = DeleteFileW, address_out = 0x7ffb90a657a0	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetDriveTypeW, address_out = 0x7ffb90a658f0	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetCommandLineW, address_out = 0x7ffb90a60150	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetStartupInfoW, address_out = 0x7ffb90a5ed80	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = FindNextFileW, address_out = 0x7ffb90a65880	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = VirtualAlloc, address_out = 0x7ffb90a5baf0	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetUserNameA, address_out = 0x7ffb8f31ec40	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = ExitProcess, address_out = 0x7ffb90a5ef50	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = Wow64RevertWow64FsRedirection, address_out = 0x7ffb90a836a0	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = CreateProcessA, address_out = 0x7ffb90a5d5b0	1	Fn
Get Address	c:\windows\system32\iphlpapi.dll	function = GetIpNetTable, address_out = 0x7ffb8b59f0b0	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetVersionExW, address_out = 0x7ffb90a5aa30	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = Wow64DisableWow64FsRedirection, address_out = 0x7ffb90a83690	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetSystemDefaultLangID, address_out = 0x7ffb90a62ba0	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetUserNameW, address_out = 0x7ffb8f30da40	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = ReadFile, address_out = 0x7ffb90a65a90	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = RegQueryValueExA, address_out = 0x7ffb8f307dd0	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = CloseHandle, address_out = 0x7ffb90a65510	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = RegSetValueExW, address_out = 0x7ffb8f307850	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = RegCloseKey, address_out = 0x7ffb8f3072e0	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = CopyFileA, address_out = 0x7ffb90a7e430	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = SetFileAttributesW, address_out = 0x7ffb90a65b00	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = WinExec, address_out = 0x7ffb90a81e60	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = CryptDeriveKey, address_out = 0x7ffb8f3207a0	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = CryptGenKey, address_out = 0x7ffb8f30cab0	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = Sleep, address_out = 0x7ffb90a58f00	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetCurrentProcess, address_out = 0x7ffb90a56580	1	Fn
Get Address	c:\windows\system32\shell32.dll	function = ShellExecuteW, address_out = 0x7ffb8f64abc0	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetFileSize, address_out = 0x7ffb90a65950	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GlobalAlloc, address_out = 0x7ffb90a5b810	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = FindClose, address_out = 0x7ffb90a657c0	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = WaitForMultipleObjects, address_out = 0x7ffb90a656e0	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetModuleFileNameA, address_out = 0x7ffb90a60c70	1	Fn
Get Address	c:\windows\system32\shell32.dll	function = ShellExecuteA, address_out = 0x7ffb8f707de0	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetModuleHandleA, address_out = 0x7ffb90a5e6d0	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetModuleFileNameW, address_out = 0x7ffb90a5eca0	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = CreateFileA, address_out = 0x7ffb90a65760	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetFileSizeEx, address_out = 0x7ffb90a65960	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = WriteFile, address_out = 0x7ffb90a65b80	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetLogicalDrives, address_out = 0x7ffb90a566d0	1	Fn
Get Address	c:\windows\system32\mpr.dll	function = WNetEnumResourceW, address_out = 0x7ffb8d1427d0	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = RegOpenKeyExW, address_out = 0x7ffb8f306cb0	1	Fn
Get Address	c:\windows\system32\mpr.dll	function = WNetCloseEnum, address_out = 0x7ffb8d142e20	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetWindowsDirectoryW, address_out = 0x7ffb90a62940	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = SetFileAttributesA, address_out = 0x7ffb90a65af0	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = RegOpenKeyExA, address_out = 0x7ffb8f307d70	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = SetFilePointer, address_out = 0x7ffb90a65b20	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetTickCount, address_out = 0x7ffb90a560a0	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetFileAttributesW, address_out = 0x7ffb90a65930	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = FindFirstFileW, address_out = 0x7ffb90a65840	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = CryptAcquireContextW, address_out = 0x7ffb8f3089e0	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = MoveFileExW, address_out = 0x7ffb90a63010	1	Fn
Get Address	c:\windows\system32\mpr.dll	function = WNetOpenEnumW, address_out = 0x7ffb8d142f20	1	Fn
Get Address	c:\windows\system32\ole32.dll	function = CoInitialize, address_out = 0x7ffb90fc3870	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = CryptDecrypt, address_out = 0x7ffb8f309140	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = CryptImportKey, address_out = 0x7ffb8f307b40	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = SetFilePointerEx, address_out = 0x7ffb90a65b30	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = CopyFileW, address_out = 0x7ffb90a65d70	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = FreeLibrary, address_out = 0x7ffb90a5eb90	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = CreateProcessW, address_out = 0x7ffb90a5dee0	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = CreateDirectoryW, address_out = 0x7ffb90a65740	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = CreateThread, address_out = 0x7ffb90a5bc20	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = CryptDestroyKey, address_out = 0x7ffb8f3086b0	1	Fn
Get Address	c:\windows\system32\ole32.dll	function = CoCreateInstance, address_out = 0x7ffb8ec77000	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = CreateFileW, address_out = 0x7ffb90a65770	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetFileAttributesA, address_out = 0x7ffb90a65900	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = CryptEncrypt, address_out = 0x7ffb8f30d7e0	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = RegDeleteValueW, address_out = 0x7ffb8f3090b0	1	Fn

System (9)

Operation	Additional Information	Count	Logfile
Sleep	duration = 5000 milliseconds (5.000 seconds)	1	Fn
Sleep	duration = 1000 milliseconds (1.000 seconds)	1	Fn
Get Info	type = Operating System	2	Fn
Get Info	type = Windows Directory, result_out = C:\Windows	5	Fn

Process #16: taskhostw.exe

122

Information	Value
ID	#16
File Name	c:\windows\system32\taskhostw.exe
Command Line	taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
Initial Working Directory	C:\Windows\system32\
Monitor	Start Time: 00:02:50, Reason: Injection
Unmonitor	End Time: 00:04:54, Reason: Terminated by Timeout
Monitor Duration	00:02:04

OS Process Information

Information	Value
PID	0x7ec
Parent PID	0x328 (c:\windows\system32\svchost.exe)
Is Created or Modified Executable
Integrity Level	Medium
Username	LHNIWSJ\CIiHmnxMn6Ps
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x BC8 0x B4C 0x AC4 0x 9D4 0x 9BC 0x 9B8 0x 9B4 0x 9B0 0x 420 0x 410 0x 7F0 0x 2EC 0x B2C

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	r	-
pagefile_0x00000084e6a50000	0x84e6a50000	0x84e6a5ffff	Pagefile Backed Memory	rw	-
private_0x00000084e6a60000	0x84e6a60000	0x84e6a66fff	Private Memory	rw	-
pagefile_0x00000084e6a70000	0x84e6a70000	0x84e6a83fff	Pagefile Backed Memory	r	-
private_0x00000084e6a90000	0x84e6a90000	0x84e6b0ffff	Private Memory	rw	-
pagefile_0x00000084e6b10000	0x84e6b10000	0x84e6b13fff	Pagefile Backed Memory	r	-
pagefile_0x00000084e6b20000	0x84e6b20000	0x84e6b20fff	Pagefile Backed Memory	r	-
private_0x00000084e6b30000	0x84e6b30000	0x84e6b31fff	Private Memory	rw	-
private_0x00000084e6b40000	0x84e6b40000	0x84e6bbffff	Private Memory	rw	-
private_0x00000084e6bc0000	0x84e6bc0000	0x84e6bc6fff	Private Memory	rw	-
taskhostw.exe.mui	0x84e6bd0000	0x84e6bd0fff	Memory Mapped File	r	-
private_0x00000084e6be0000	0x84e6be0000	0x84e6cdffff	Private Memory	rw	-
locale.nls	0x84e6ce0000	0x84e6d9dfff	Memory Mapped File	r	-
private_0x00000084e6da0000	0x84e6da0000	0x84e6e1ffff	Private Memory	rw	-
private_0x00000084e6e20000	0x84e6e20000	0x84e6e20fff	Private Memory	rw	-
private_0x00000084e6e30000	0x84e6e30000	0x84e6e30fff	Private Memory	rw	-
private_0x00000084e6e40000	0x84e6e40000	0x84e6e4ffff	Private Memory	rw	-
pagefile_0x00000084e6e50000	0x84e6e50000	0x84e6fd7fff	Pagefile Backed Memory	r	-
pagefile_0x00000084e6fe0000	0x84e6fe0000	0x84e7160fff	Pagefile Backed Memory	r	-
pagefile_0x00000084e7170000	0x84e7170000	0x84e856ffff	Pagefile Backed Memory	r	-
pagefile_0x00000084e8570000	0x84e8570000	0x84e8627fff	Pagefile Backed Memory	r	-
pagefile_0x00000084e8630000	0x84e8630000	0x84e8633fff	Pagefile Backed Memory	r	-
private_0x00000084e8640000	0x84e8640000	0x84e8640fff	Private Memory	rw	-
winmm.dll.mui	0x84e8650000	0x84e8655fff	Memory Mapped File	r	-
private_0x00000084e8660000	0x84e8660000	0x84e86dffff	Private Memory	rw	-
private_0x00000084e86e0000	0x84e86e0000	0x84e86e0fff	Private Memory	rw	-
private_0x00000084e86f0000	0x84e86f0000	0x84e86f7fff	Private Memory	rw	-
private_0x00000084e8700000	0x84e8700000	0x84e8700fff	Private Memory	rw	-
private_0x00000084e8710000	0x84e8710000	0x84e8710fff	Private Memory	rw	-
private_0x00000084e8720000	0x84e8720000	0x84e8723fff	Private Memory	rw	-
private_0x00000084e8730000	0x84e8730000	0x84e8731fff	Private Memory	rw	-
pagefile_0x00000084e8740000	0x84e8740000	0x84e8740fff	Pagefile Backed Memory	r	-
private_0x00000084e8750000	0x84e8750000	0x84e875ffff	Private Memory	rw	-
private_0x00000084e8760000	0x84e8760000	0x84e87dffff	Private Memory	rw	-
pagefile_0x00000084e87e0000	0x84e87e0000	0x84e87e0fff	Pagefile Backed Memory	r	-
sortdefault.nls	0x84e87f0000	0x84e8b26fff	Memory Mapped File	r	-
private_0x00000084e8b30000	0x84e8b30000	0x84e8baffff	Private Memory	rw	-
private_0x00000084e8bb0000	0x84e8bb0000	0x84e8c2ffff	Private Memory	rw	-
private_0x00000084e8c30000	0x84e8c30000	0x84e8caffff	Private Memory	rw	-
msctfmonitor.dll.mui	0x84e8cb0000	0x84e8cb0fff	Memory Mapped File	r	-
private_0x00000084e8cc0000	0x84e8cc0000	0x84e8d3ffff	Private Memory	rw	-
private_0x00000084e8d40000	0x84e8d40000	0x84e8e3ffff	Private Memory	rw	-
pagefile_0x00000084e8e40000	0x84e8e40000	0x84e8e40fff	Pagefile Backed Memory	rw	-
pagefile_0x00000084e8e50000	0x84e8e50000	0x84e8e50fff	Pagefile Backed Memory	rw	-
private_0x00000084e8e60000	0x84e8e60000	0x84e8e66fff	Private Memory	rw	-
pagefile_0x00000084e8e70000	0x84e8e70000	0x84e8e7ffff	Pagefile Backed Memory	rw	-
pagefile_0x00000084e8e80000	0x84e8e80000	0x84e8e8ffff	Pagefile Backed Memory	rw	-
pagefile_0x00000084e8e90000	0x84e8e90000	0x84e8e9ffff	Pagefile Backed Memory	rw	-
pagefile_0x00000084e8ea0000	0x84e8ea0000	0x84e8eaffff	Pagefile Backed Memory	rw	-
pagefile_0x00000084e8eb0000	0x84e8eb0000	0x84e8ebffff	Pagefile Backed Memory	rw	-
pagefile_0x00000084e8ec0000	0x84e8ec0000	0x84e8ecffff	Pagefile Backed Memory	rw	-
pagefile_0x00000084e8ed0000	0x84e8ed0000	0x84e8edffff	Pagefile Backed Memory	rw	-
pagefile_0x00000084e8ee0000	0x84e8ee0000	0x84e8eeffff	Pagefile Backed Memory	rw	-
pagefile_0x00000084e8ef0000	0x84e8ef0000	0x84e8efffff	Pagefile Backed Memory	rw	-
pagefile_0x00000084e8f00000	0x84e8f00000	0x84e8f0ffff	Pagefile Backed Memory	rw	-
pagefile_0x00000084e8f10000	0x84e8f10000	0x84e8f1ffff	Pagefile Backed Memory	rw	-
pagefile_0x00000084e8f20000	0x84e8f20000	0x84e8f2ffff	Pagefile Backed Memory	rw	-
private_0x00000084e8f30000	0x84e8f30000	0x84e9f2ffff	Private Memory	rw	-
private_0x00000084e9f30000	0x84e9f30000	0x84e9f30fff	Private Memory	rw	-
private_0x00000084e9f40000	0x84e9f40000	0x84e9fcffff	Private Memory	rw	-
private_0x00000084e9fd0000	0x84e9fd0000	0x84edfcffff	Private Memory	rw	-
private_0x00000084edfd0000	0x84edfd0000	0x84f1fcffff	Private Memory	rw	-
private_0x00000084f1fd0000	0x84f1fd0000	0x84f1fd7fff	Private Memory	rw	-
webcachev01.dat	0x84f1fe0000	0x84f1feffff	Memory Mapped File	r	-
webcachev01.dat	0x84f1ff0000	0x84f1ffffff	Memory Mapped File	r	-
webcachev01.dat	0x84f2000000	0x84f200ffff	Memory Mapped File	r	-
webcachev01.dat	0x84f2010000	0x84f201ffff	Memory Mapped File	r	-
webcachev01.dat	0x84f2020000	0x84f202ffff	Memory Mapped File	r	-
webcachev01.dat	0x84f2030000	0x84f203ffff	Memory Mapped File	r	-
webcachev01.dat	0x84f2040000	0x84f204ffff	Memory Mapped File	r	-
webcachev01.dat	0x84f2050000	0x84f205ffff	Memory Mapped File	r	-
webcachev01.dat	0x84f2060000	0x84f206ffff	Memory Mapped File	r	-
webcachev01.dat	0x84f2070000	0x84f207ffff	Memory Mapped File	r	-
webcachev01.dat	0x84f2080000	0x84f208ffff	Memory Mapped File	r	-
webcachev01.dat	0x84f2090000	0x84f209ffff	Memory Mapped File	r	-
webcachev01.dat	0x84f20a0000	0x84f20affff	Memory Mapped File	r	-
webcachev01.dat	0x84f20b0000	0x84f20bffff	Memory Mapped File	r	-
webcachev01.dat	0x84f20c0000	0x84f20cffff	Memory Mapped File	r	-
webcachev01.dat	0x84f20d0000	0x84f20dffff	Memory Mapped File	r	-
private_0x00000084f20e0000	0x84f20e0000	0x84f215ffff	Private Memory	rw	-
private_0x00000084f2160000	0x84f2160000	0x84f2167fff	Private Memory	rw	-
webcachev01.dat	0x84f2170000	0x84f217ffff	Memory Mapped File	r	-
webcachev01.dat	0x84f2180000	0x84f218ffff	Memory Mapped File	r	-
webcachev01.dat	0x84f2190000	0x84f219ffff	Memory Mapped File	r	-
webcachev01.dat	0x84f21a0000	0x84f21affff	Memory Mapped File	r	-
webcachev01.dat	0x84f21b0000	0x84f21bffff	Memory Mapped File	r	-
webcachev01.dat	0x84f21c0000	0x84f21cffff	Memory Mapped File	r	-
private_0x00000084f21d0000	0x84f21d0000	0x84f21d7fff	Private Memory	rw	-
webcachev01.dat	0x84f21e0000	0x84f21effff	Memory Mapped File	r	-
webcachev01.dat	0x84f21f0000	0x84f21fffff	Memory Mapped File	r	-
pagefile_0x00000084f2200000	0x84f2200000	0x84f220ffff	Pagefile Backed Memory	rw	-
webcachev01.dat	0x84f2210000	0x84f221ffff	Memory Mapped File	r	-
webcachev01.dat	0x84f2220000	0x84f222ffff	Memory Mapped File	r	-
webcachev01.dat	0x84f2230000	0x84f223ffff	Memory Mapped File	r	-
webcachev01.dat	0x84f2240000	0x84f224ffff	Memory Mapped File	r	-
webcachev01.dat	0x84f2250000	0x84f225ffff	Memory Mapped File	r	-
webcachev01.dat	0x84f2260000	0x84f226ffff	Memory Mapped File	r	-
pagefile_0x00000084f2270000	0x84f2270000	0x84f227ffff	Pagefile Backed Memory	rw	-
webcachev01.dat	0x84f2280000	0x84f228ffff	Memory Mapped File	r	-
webcachev01.dat	0x84f2290000	0x84f229ffff	Memory Mapped File	r	-
webcachev01.dat	0x84f22a0000	0x84f22affff	Memory Mapped File	r	-
private_0x00000084f22b0000	0x84f22b0000	0x84f232ffff	Private Memory	rw	-
webcachev01.dat	0x84f2340000	0x84f234ffff	Memory Mapped File	r	-
webcachev01.dat	0x84f2350000	0x84f235ffff	Memory Mapped File	r	-
pagefile_0x00007df5ff990000	0x7df5ff990000	0x7ff5ff98ffff	Pagefile Backed Memory	-	-
private_0x00007ff74ec20000	0x7ff74ec20000	0x7ff74ec54fff	Private Memory	rwx	-
private_0x00007ff7cbcb6000	0x7ff7cbcb6000	0x7ff7cbcb7fff	Private Memory	rw	-
private_0x00007ff7cbcb8000	0x7ff7cbcb8000	0x7ff7cbcb9fff	Private Memory	rw	-
private_0x00007ff7cbcba000	0x7ff7cbcba000	0x7ff7cbcbbfff	Private Memory	rw	-
private_0x00007ff7cbcbc000	0x7ff7cbcbc000	0x7ff7cbcbdfff	Private Memory	rw	-
private_0x00007ff7cbcbe000	0x7ff7cbcbe000	0x7ff7cbcbffff	Private Memory	rw	-
pagefile_0x00007ff7cbcc0000	0x7ff7cbcc0000	0x7ff7cbdbffff	Pagefile Backed Memory	r	-
pagefile_0x00007ff7cbdc0000	0x7ff7cbdc0000	0x7ff7cbde2fff	Pagefile Backed Memory	r	-
private_0x00007ff7cbde3000	0x7ff7cbde3000	0x7ff7cbde4fff	Private Memory	rw	-
private_0x00007ff7cbde5000	0x7ff7cbde5000	0x7ff7cbde6fff	Private Memory	rw	-
private_0x00007ff7cbde7000	0x7ff7cbde7000	0x7ff7cbde8fff	Private Memory	rw	-
private_0x00007ff7cbde9000	0x7ff7cbde9000	0x7ff7cbdeafff	Private Memory	rw	-
private_0x00007ff7cbdeb000	0x7ff7cbdeb000	0x7ff7cbdecfff	Private Memory	rw	-
private_0x00007ff7cbded000	0x7ff7cbded000	0x7ff7cbdedfff	Private Memory	rw	-
private_0x00007ff7cbdee000	0x7ff7cbdee000	0x7ff7cbdeffff	Private Memory	rw	-
taskhostw.exe	0x7ff7cc850000	0x7ff7cc868fff	Memory Mapped File	rwx	-
winmmbase.dll	0x7ffb7dfb0000	0x7ffb7dfdbfff	Memory Mapped File	rwx	-
winmm.dll	0x7ffb7dfe0000	0x7ffb7e002fff	Memory Mapped File	rwx	-
profext.dll	0x7ffb7fb20000	0x7ffb7fb34fff	Memory Mapped File	rwx	-
msutb.dll	0x7ffb82ac0000	0x7ffb82b38fff	Memory Mapped File	rwx	-
msctfmonitor.dll	0x7ffb82b40000	0x7ffb82b4bfff	Memory Mapped File	rwx	-
playsndsrv.dll	0x7ffb82b50000	0x7ffb82b6afff	Memory Mapped File	rwx	-
wininet.dll	0x7ffb856f0000	0x7ffb85996fff	Memory Mapped File	rwx	-
esent.dll	0x7ffb85df0000	0x7ffb860d1fff	Memory Mapped File	rwx	-
iertutil.dll	0x7ffb88720000	0x7ffb88a95fff	Memory Mapped File	rwx	-
dwmapi.dll	0x7ffb8bf20000	0x7ffb8bf41fff	Memory Mapped File	rwx	-
wtsapi32.dll	0x7ffb8bf70000	0x7ffb8bf82fff	Memory Mapped File	rwx	-
uxtheme.dll	0x7ffb8c780000	0x7ffb8c815fff	Memory Mapped File	rwx	-
devobj.dll	0x7ffb8c820000	0x7ffb8c846fff	Memory Mapped File	rwx	-
winsta.dll	0x7ffb8d050000	0x7ffb8d0a7fff	Memory Mapped File	rwx	-
ntmarta.dll	0x7ffb8d250000	0x7ffb8d281fff	Memory Mapped File	rwx	-
userenv.dll	0x7ffb8d4c0000	0x7ffb8d4defff	Memory Mapped File	rwx	-
bcryptprimitives.dll	0x7ffb8dd00000	0x7ffb8dd6afff	Memory Mapped File	rwx	-
profapi.dll	0x7ffb8deb0000	0x7ffb8dec2fff	Memory Mapped File	rwx	-
powrprof.dll	0x7ffb8def0000	0x7ffb8df39fff	Memory Mapped File	rwx	-
kernel.appcore.dll	0x7ffb8df40000	0x7ffb8df4efff	Memory Mapped File	rwx	-
shcore.dll	0x7ffb8e000000	0x7ffb8e0b2fff	Memory Mapped File	rwx	-
windows.storage.dll	0x7ffb8e120000	0x7ffb8e747fff	Memory Mapped File	rwx	-
kernelbase.dll	0x7ffb8e920000	0x7ffb8eafcfff	Memory Mapped File	rwx	-
cfgmgr32.dll	0x7ffb8eb00000	0x7ffb8eb43fff	Memory Mapped File	rwx	-
msvcrt.dll	0x7ffb8eb50000	0x7ffb8ebecfff	Memory Mapped File	rwx	-
combase.dll	0x7ffb8ebf0000	0x7ffb8ee6bfff	Memory Mapped File	rwx	-
user32.dll	0x7ffb8ee70000	0x7ffb8efbdfff	Memory Mapped File	rwx	-
rpcrt4.dll	0x7ffb8efc0000	0x7ffb8f0e5fff	Memory Mapped File	rwx	-
gdi32.dll	0x7ffb8f100000	0x7ffb8f284fff	Memory Mapped File	rwx	-
For performance reasons, the remaining 17 entries are omitted. The remaining entries can be found in flog.txt.

Injection Information

Injection Type	Source Process	Source Os Thread ID	Information	Success	Count	Logfile
Modify Memory	#12: c:\users\ciihmnxmn6ps\desktop\eqbnr.exe	0x868	address = 0x7ff74ec20000, size = 217088		1	Fn Data
Create Remote Thread	#12: c:\users\ciihmnxmn6ps\desktop\eqbnr.exe	0x868	address = 0x7ff74ec219a0		1	Fn

Host Behavior

File (14)

Operation	Filename	Additional Information	Success	Count	Logfile
Create	C:\users\Public\sys	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_HIDDEN		14	Fn

Module (78)

Operation	Module	Additional Information	Count	Logfile
Load	kernel32.dll	base_address = 0x7ffb90a40000	1	Fn
Load	mpr.dll	base_address = 0x7ffb8d140000	1	Fn
Load	advapi32.dll	base_address = 0x7ffb8f2f0000	1	Fn
Load	ole32.dll	base_address = 0x7ffb90fb0000	1	Fn
Load	Shell32.dll	base_address = 0x7ffb8f500000	1	Fn
Load	Iphlpapi.dll	base_address = 0x7ffb8b580000	1	Fn
Get Address	Unknown module name	function = LoadLibraryA, address_out = 0x7ffb90a62080	1	Fn
Get Address	Unknown module name	function = GetLastError, address_out = 0x7ffb90a56060	1	Fn
Get Address	Unknown module name	function = VirtualFree, address_out = 0x7ffb90a5bc10	1	Fn
Get Address	Unknown module name	function = CryptExportKey, address_out = 0x7ffb8f307b50	1	Fn
Get Address	Unknown module name	function = DeleteFileW, address_out = 0x7ffb90a657a0	1	Fn
Get Address	Unknown module name	function = GetDriveTypeW, address_out = 0x7ffb90a658f0	1	Fn
Get Address	Unknown module name	function = GetCommandLineW, address_out = 0x7ffb90a60150	1	Fn
Get Address	Unknown module name	function = GetStartupInfoW, address_out = 0x7ffb90a5ed80	1	Fn
Get Address	Unknown module name	function = FindNextFileW, address_out = 0x7ffb90a65880	1	Fn
Get Address	Unknown module name	function = VirtualAlloc, address_out = 0x7ffb90a5baf0	1	Fn
Get Address	Unknown module name	function = GetUserNameA, address_out = 0x7ffb8f31ec40	1	Fn
Get Address	Unknown module name	function = ExitProcess, address_out = 0x7ffb90a5ef50	1	Fn
Get Address	Unknown module name	function = Wow64RevertWow64FsRedirection, address_out = 0x7ffb90a836a0	1	Fn
Get Address	Unknown module name	function = CreateProcessA, address_out = 0x7ffb90a5d5b0	1	Fn
Get Address	Unknown module name	function = GetIpNetTable, address_out = 0x7ffb8b59f0b0	1	Fn
Get Address	Unknown module name	function = GetVersionExW, address_out = 0x7ffb90a5aa30	1	Fn
Get Address	Unknown module name	function = Wow64DisableWow64FsRedirection, address_out = 0x7ffb90a83690	1	Fn
Get Address	Unknown module name	function = GetSystemDefaultLangID, address_out = 0x7ffb90a62ba0	1	Fn
Get Address	Unknown module name	function = GetUserNameW, address_out = 0x7ffb8f30da40	1	Fn
Get Address	Unknown module name	function = ReadFile, address_out = 0x7ffb90a65a90	1	Fn
Get Address	Unknown module name	function = RegQueryValueExA, address_out = 0x7ffb8f307dd0	1	Fn
Get Address	Unknown module name	function = CloseHandle, address_out = 0x7ffb90a65510	1	Fn
Get Address	Unknown module name	function = RegSetValueExW, address_out = 0x7ffb8f307850	1	Fn
Get Address	Unknown module name	function = RegCloseKey, address_out = 0x7ffb8f3072e0	1	Fn
Get Address	Unknown module name	function = CopyFileA, address_out = 0x7ffb90a7e430	1	Fn
Get Address	Unknown module name	function = SetFileAttributesW, address_out = 0x7ffb90a65b00	1	Fn
Get Address	Unknown module name	function = WinExec, address_out = 0x7ffb90a81e60	1	Fn
Get Address	Unknown module name	function = CryptDeriveKey, address_out = 0x7ffb8f3207a0	1	Fn
Get Address	Unknown module name	function = CryptGenKey, address_out = 0x7ffb8f30cab0	1	Fn
Get Address	Unknown module name	function = Sleep, address_out = 0x7ffb90a58f00	1	Fn
Get Address	Unknown module name	function = GetCurrentProcess, address_out = 0x7ffb90a56580	1	Fn
Get Address	Unknown module name	function = ShellExecuteW, address_out = 0x7ffb8f64abc0	1	Fn
Get Address	Unknown module name	function = GetFileSize, address_out = 0x7ffb90a65950	1	Fn
Get Address	Unknown module name	function = GlobalAlloc, address_out = 0x7ffb90a5b810	1	Fn
Get Address	Unknown module name	function = FindClose, address_out = 0x7ffb90a657c0	1	Fn
Get Address	Unknown module name	function = WaitForMultipleObjects, address_out = 0x7ffb90a656e0	1	Fn
Get Address	Unknown module name	function = GetModuleFileNameA, address_out = 0x7ffb90a60c70	1	Fn
Get Address	Unknown module name	function = ShellExecuteA, address_out = 0x7ffb8f707de0	1	Fn
Get Address	Unknown module name	function = GetModuleHandleA, address_out = 0x7ffb90a5e6d0	1	Fn
Get Address	Unknown module name	function = GetModuleFileNameW, address_out = 0x7ffb90a5eca0	1	Fn
Get Address	Unknown module name	function = CreateFileA, address_out = 0x7ffb90a65760	1	Fn
Get Address	Unknown module name	function = GetFileSizeEx, address_out = 0x7ffb90a65960	1	Fn
Get Address	Unknown module name	function = WriteFile, address_out = 0x7ffb90a65b80	1	Fn
Get Address	Unknown module name	function = GetLogicalDrives, address_out = 0x7ffb90a566d0	1	Fn
Get Address	Unknown module name	function = WNetEnumResourceW, address_out = 0x7ffb8d1427d0	1	Fn
Get Address	Unknown module name	function = RegOpenKeyExW, address_out = 0x7ffb8f306cb0	1	Fn
Get Address	Unknown module name	function = WNetCloseEnum, address_out = 0x7ffb8d142e20	1	Fn
Get Address	Unknown module name	function = GetWindowsDirectoryW, address_out = 0x7ffb90a62940	1	Fn
Get Address	Unknown module name	function = SetFileAttributesA, address_out = 0x7ffb90a65af0	1	Fn
Get Address	Unknown module name	function = RegOpenKeyExA, address_out = 0x7ffb8f307d70	1	Fn
Get Address	Unknown module name	function = SetFilePointer, address_out = 0x7ffb90a65b20	1	Fn
Get Address	Unknown module name	function = GetTickCount, address_out = 0x7ffb90a560a0	1	Fn
Get Address	Unknown module name	function = GetFileAttributesW, address_out = 0x7ffb90a65930	1	Fn
Get Address	Unknown module name	function = FindFirstFileW, address_out = 0x7ffb90a65840	1	Fn
Get Address	Unknown module name	function = CryptAcquireContextW, address_out = 0x7ffb8f3089e0	1	Fn
Get Address	Unknown module name	function = MoveFileExW, address_out = 0x7ffb90a63010	1	Fn
Get Address	Unknown module name	function = WNetOpenEnumW, address_out = 0x7ffb8d142f20	1	Fn
Get Address	Unknown module name	function = CoInitialize, address_out = 0x7ffb90fc3870	1	Fn
Get Address	Unknown module name	function = CryptDecrypt, address_out = 0x7ffb8f309140	1	Fn
Get Address	Unknown module name	function = CryptImportKey, address_out = 0x7ffb8f307b40	1	Fn
Get Address	Unknown module name	function = SetFilePointerEx, address_out = 0x7ffb90a65b30	1	Fn
Get Address	Unknown module name	function = CopyFileW, address_out = 0x7ffb90a65d70	1	Fn
Get Address	Unknown module name	function = FreeLibrary, address_out = 0x7ffb90a5eb90	1	Fn
Get Address	Unknown module name	function = CreateProcessW, address_out = 0x7ffb90a5dee0	1	Fn
Get Address	Unknown module name	function = CreateDirectoryW, address_out = 0x7ffb90a65740	1	Fn
Get Address	Unknown module name	function = CreateThread, address_out = 0x7ffb90a5bc20	1	Fn
Get Address	Unknown module name	function = CryptDestroyKey, address_out = 0x7ffb8f3086b0	1	Fn
Get Address	Unknown module name	function = CoCreateInstance, address_out = 0x7ffb8ec77000	1	Fn
Get Address	Unknown module name	function = CreateFileW, address_out = 0x7ffb90a65770	1	Fn
Get Address	Unknown module name	function = GetFileAttributesA, address_out = 0x7ffb90a65900	1	Fn
Get Address	Unknown module name	function = CryptEncrypt, address_out = 0x7ffb8f30d7e0	1	Fn
Get Address	Unknown module name	function = RegDeleteValueW, address_out = 0x7ffb8f3090b0	1	Fn

System (30)

Operation	Additional Information	Count	Logfile
Sleep	duration = 5000 milliseconds (5.000 seconds)	1	Fn
Sleep	duration = 9000 milliseconds (9.000 seconds)	14	Fn
Get Info	type = Operating System	1	Fn
Get Info	type = Windows Directory, result_out = C:\Windows	14	Fn

Process #17: reg.exe

Information	Value
ID	#17
File Name	c:\windows\system32\reg.exe
Command Line	REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\CIiHmnxMn6Ps\Desktop\eqBNr.exe" /f
Initial Working Directory	C:\Windows\system32\
Monitor	Start Time: 00:02:50, Reason: Child Process
Unmonitor	End Time: 00:02:51, Reason: Self Terminated
Monitor Duration	00:00:01

OS Process Information

Information	Value
PID	0x560
Parent PID	0x478 (c:\windows\system32\cmd.exe)
Is Created or Modified Executable
Integrity Level	Medium
Username	LHNIWSJ\CIiHmnxMn6Ps
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x 588 0x 2E0

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	r	-
private_0x000000549e5e0000	0x549e5e0000	0x549e5fffff	Private Memory	rw	-
pagefile_0x000000549e5e0000	0x549e5e0000	0x549e5effff	Pagefile Backed Memory	rw	-
private_0x000000549e5f0000	0x549e5f0000	0x549e5f6fff	Private Memory	rw	-
pagefile_0x000000549e600000	0x549e600000	0x549e613fff	Pagefile Backed Memory	r	-
private_0x000000549e620000	0x549e620000	0x549e69ffff	Private Memory	rw	-
pagefile_0x000000549e6a0000	0x549e6a0000	0x549e6a3fff	Pagefile Backed Memory	r	-
pagefile_0x000000549e6b0000	0x549e6b0000	0x549e6b0fff	Pagefile Backed Memory	r	-
private_0x000000549e6c0000	0x549e6c0000	0x549e6c1fff	Private Memory	rw	-
private_0x000000549e6d0000	0x549e6d0000	0x549e74ffff	Private Memory	rw	-
private_0x000000549e750000	0x549e750000	0x549e756fff	Private Memory	rw	-
reg.exe.mui	0x549e760000	0x549e769fff	Memory Mapped File	r	-
private_0x000000549e780000	0x549e780000	0x549e87ffff	Private Memory	rw	-
locale.nls	0x549e880000	0x549e93dfff	Memory Mapped File	r	-
private_0x000000549ea10000	0x549ea10000	0x549ea1ffff	Private Memory	rw	-
sortdefault.nls	0x549ea20000	0x549ed56fff	Memory Mapped File	r	-
kernelbase.dll.mui	0x549ed60000	0x549ee3efff	Memory Mapped File	r	-
pagefile_0x00007df5ff0f0000	0x7df5ff0f0000	0x7ff5ff0effff	Pagefile Backed Memory	-	-
pagefile_0x00007ff6d22d0000	0x7ff6d22d0000	0x7ff6d23cffff	Pagefile Backed Memory	r	-
pagefile_0x00007ff6d23d0000	0x7ff6d23d0000	0x7ff6d23f2fff	Pagefile Backed Memory	r	-
private_0x00007ff6d23fa000	0x7ff6d23fa000	0x7ff6d23fafff	Private Memory	rw	-
private_0x00007ff6d23fc000	0x7ff6d23fc000	0x7ff6d23fdfff	Private Memory	rw	-
private_0x00007ff6d23fe000	0x7ff6d23fe000	0x7ff6d23fffff	Private Memory	rw	-
reg.exe	0x7ff6d3310000	0x7ff6d3365fff	Memory Mapped File	rwx	-
kernelbase.dll	0x7ffb8e920000	0x7ffb8eafcfff	Memory Mapped File	rwx	-
msvcrt.dll	0x7ffb8eb50000	0x7ffb8ebecfff	Memory Mapped File	rwx	-
rpcrt4.dll	0x7ffb8efc0000	0x7ffb8f0e5fff	Memory Mapped File	rwx	-
advapi32.dll	0x7ffb8f2f0000	0x7ffb8f395fff	Memory Mapped File	rwx	-
nsi.dll	0x7ffb90a30000	0x7ffb90a37fff	Memory Mapped File	rwx	-
kernel32.dll	0x7ffb90a40000	0x7ffb90aecfff	Memory Mapped File	rwx	-
sechost.dll	0x7ffb90af0000	0x7ffb90b4afff	Memory Mapped File	rwx	-
ws2_32.dll	0x7ffb90b50000	0x7ffb90bb8fff	Memory Mapped File	rwx	-
ntdll.dll	0x7ffb91480000	0x7ffb91641fff	Memory Mapped File	rwx	-

Host Behavior

File (6)

Operation	Filename	Additional Information	Count	Logfile
Get Info	STD_OUTPUT_HANDLE	type = file_type	2	Fn
Open	STD_OUTPUT_HANDLE	-	3	Fn
Write	STD_OUTPUT_HANDLE	size = 39	1	Fn Data

Registry (4)

Operation	Key	Additional Information	Count	Logfile
Create Key	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	-	1	Fn
Open Key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System	-	1	Fn
Read Value	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	value_name = svchos	1	Fn
Write Value	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	value_name = svchos, data = C:\Users\CIiHmnxMn6Ps\Desktop\eqBNr.exe, size = 80, type = REG_SZ	1	Fn

Module (1)

Operation	Module	Additional Information	Success	Count	Logfile
Get Handle	c:\windows\system32\reg.exe	base_address = 0x7ff6d3310000		1	Fn

Process #18: runtimebroker.exe

119

Information	Value
ID	#18
File Name	c:\windows\system32\runtimebroker.exe
Command Line	C:\Windows\System32\RuntimeBroker.exe -Embedding
Initial Working Directory	C:\Windows\system32\
Monitor	Start Time: 00:02:50, Reason: Injection
Unmonitor	End Time: 00:04:54, Reason: Terminated by Timeout
Monitor Duration	00:02:04

OS Process Information

Information	Value
PID	0x818
Parent PID	0x23c (c:\windows\system32\svchost.exe)
Is Created or Modified Executable
Integrity Level	Medium
Username	LHNIWSJ\CIiHmnxMn6Ps
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x B58 0x 9F8 0x 870 0x 858 0x 854 0x 824 0x 820 0x 81C 0x 764 0x 938 0x 8B0

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	r	-
pagefile_0x0000007f3a550000	0x7f3a550000	0x7f3a55ffff	Pagefile Backed Memory	rw	-
private_0x0000007f3a560000	0x7f3a560000	0x7f3a560fff	Private Memory	rw	-
pagefile_0x0000007f3a570000	0x7f3a570000	0x7f3a583fff	Pagefile Backed Memory	r	-
private_0x0000007f3a590000	0x7f3a590000	0x7f3a60ffff	Private Memory	rw	-
pagefile_0x0000007f3a610000	0x7f3a610000	0x7f3a613fff	Pagefile Backed Memory	r	-
pagefile_0x0000007f3a620000	0x7f3a620000	0x7f3a621fff	Pagefile Backed Memory	r	-
private_0x0000007f3a630000	0x7f3a630000	0x7f3a631fff	Private Memory	rw	-
locale.nls	0x7f3a640000	0x7f3a6fdfff	Memory Mapped File	r	-
private_0x0000007f3a700000	0x7f3a700000	0x7f3a700fff	Private Memory	rw	-
pagefile_0x0000007f3a710000	0x7f3a710000	0x7f3a710fff	Pagefile Backed Memory	r	-
pagefile_0x0000007f3a720000	0x7f3a720000	0x7f3a720fff	Pagefile Backed Memory	r	-
pagefile_0x0000007f3a730000	0x7f3a730000	0x7f3a732fff	Pagefile Backed Memory	r	-
pagefile_0x0000007f3a740000	0x7f3a740000	0x7f3a740fff	Pagefile Backed Memory	rw	-
private_0x0000007f3a750000	0x7f3a750000	0x7f3a756fff	Private Memory	rw	-
private_0x0000007f3a760000	0x7f3a760000	0x7f3a7dffff	Private Memory	rw	-
pagefile_0x0000007f3a7e0000	0x7f3a7e0000	0x7f3a7e0fff	Pagefile Backed Memory	rw	-
private_0x0000007f3a800000	0x7f3a800000	0x7f3a8fffff	Private Memory	rw	-
private_0x0000007f3a900000	0x7f3a900000	0x7f3a97ffff	Private Memory	rw	-
private_0x0000007f3a980000	0x7f3a980000	0x7f3a9fffff	Private Memory	rw	-
private_0x0000007f3aa00000	0x7f3aa00000	0x7f3aa7ffff	Private Memory	rw	-
pagefile_0x0000007f3aa80000	0x7f3aa80000	0x7f3aaa9fff	Pagefile Backed Memory	rw	-
private_0x0000007f3aaf0000	0x7f3aaf0000	0x7f3aaf6fff	Private Memory	rw	-
private_0x0000007f3ab00000	0x7f3ab00000	0x7f3abfffff	Private Memory	rw	-
pagefile_0x0000007f3ac00000	0x7f3ac00000	0x7f3ad87fff	Pagefile Backed Memory	r	-
pagefile_0x0000007f3ad90000	0x7f3ad90000	0x7f3af10fff	Pagefile Backed Memory	r	-
pagefile_0x0000007f3af20000	0x7f3af20000	0x7f3c31ffff	Pagefile Backed Memory	r	-
sortdefault.nls	0x7f3c320000	0x7f3c656fff	Memory Mapped File	r	-
private_0x0000007f3c660000	0x7f3c660000	0x7f3c6dffff	Private Memory	rw	-
private_0x0000007f3c740000	0x7f3c740000	0x7f3c746fff	Private Memory	rw	-
private_0x0000007f3c750000	0x7f3c750000	0x7f3c7cffff	Private Memory	rw	-
private_0x0000007f3c800000	0x7f3c800000	0x7f3c8fffff	Private Memory	rw	-
private_0x0000007f3c900000	0x7f3c900000	0x7f3c9fffff	Private Memory	rw	-
private_0x0000007f3ca00000	0x7f3ca00000	0x7f3ca7ffff	Private Memory	rw	-
private_0x0000007f3ca80000	0x7f3ca80000	0x7f3cafffff	Private Memory	rw	-
pagefile_0x00007df5ffb90000	0x7df5ffb90000	0x7ff5ffb8ffff	Pagefile Backed Memory	-	-
private_0x00007ff67d588000	0x7ff67d588000	0x7ff67d589fff	Private Memory	rw	-
private_0x00007ff67d58a000	0x7ff67d58a000	0x7ff67d58bfff	Private Memory	rw	-
private_0x00007ff67d58c000	0x7ff67d58c000	0x7ff67d58dfff	Private Memory	rw	-
private_0x00007ff67d58e000	0x7ff67d58e000	0x7ff67d58ffff	Private Memory	rw	-
pagefile_0x00007ff67d590000	0x7ff67d590000	0x7ff67d68ffff	Pagefile Backed Memory	r	-
pagefile_0x00007ff67d690000	0x7ff67d690000	0x7ff67d6b2fff	Pagefile Backed Memory	r	-
private_0x00007ff67d6b4000	0x7ff67d6b4000	0x7ff67d6b4fff	Private Memory	rw	-
private_0x00007ff67d6b6000	0x7ff67d6b6000	0x7ff67d6b7fff	Private Memory	rw	-
private_0x00007ff67d6b8000	0x7ff67d6b8000	0x7ff67d6b9fff	Private Memory	rw	-
private_0x00007ff67d6ba000	0x7ff67d6ba000	0x7ff67d6bbfff	Private Memory	rw	-
private_0x00007ff67d6bc000	0x7ff67d6bc000	0x7ff67d6bdfff	Private Memory	rw	-
private_0x00007ff67d6be000	0x7ff67d6be000	0x7ff67d6bffff	Private Memory	rw	-
runtimebroker.exe	0x7ff67d8d0000	0x7ff67d8e5fff	Memory Mapped File	rwx	-
ntoskrnl.exe	0x7ff69dc40000	0x7ff69e491fff	Memory Mapped File	rwx	-
private_0x00007ff74ec20000	0x7ff74ec20000	0x7ff74ec54fff	Private Memory	rwx	-
windows.security.authentication.onlineid.dll	0x7ffb7d370000	0x7ffb7d422fff	Memory Mapped File	rwx	-
authbroker.dll	0x7ffb7e100000	0x7ffb7e125fff	Memory Mapped File	rwx	-
windows.internal.shell.broker.dll	0x7ffb7e190000	0x7ffb7e221fff	Memory Mapped File	rwx	-
msauserext.dll	0x7ffb7e380000	0x7ffb7e399fff	Memory Mapped File	rwx	-
wwapi.dll	0x7ffb7fbb0000	0x7ffb7fbc5fff	Memory Mapped File	rwx	-
windows.networking.connectivity.dll	0x7ffb7fbd0000	0x7ffb7fc7bfff	Memory Mapped File	rwx	-
tokenbroker.dll	0x7ffb81f00000	0x7ffb81fc5fff	Memory Mapped File	rwx	-
execmodelproxy.dll	0x7ffb821b0000	0x7ffb821c4fff	Memory Mapped File	rwx	-
execmodelclient.dll	0x7ffb82360000	0x7ffb823a2fff	Memory Mapped File	rwx	-
actxprxy.dll	0x7ffb82650000	0x7ffb82ab9fff	Memory Mapped File	rwx	-
idstore.dll	0x7ffb83230000	0x7ffb83256fff	Memory Mapped File	rwx	-
npmproxy.dll	0x7ffb84470000	0x7ffb8447dfff	Memory Mapped File	rwx	-
wininet.dll	0x7ffb856f0000	0x7ffb85996fff	Memory Mapped File	rwx	-
wlanapi.dll	0x7ffb85b60000	0x7ffb85bbefff	Memory Mapped File	rwx	-
windows.ui.immersive.dll	0x7ffb88560000	0x7ffb88716fff	Memory Mapped File	rwx	-
mrmcorer.dll	0x7ffb89b40000	0x7ffb89c4efff	Memory Mapped File	rwx	-
samlib.dll	0x7ffb8a510000	0x7ffb8a52bfff	Memory Mapped File	rwx	-
propsys.dll	0x7ffb8a850000	0x7ffb8a9d2fff	Memory Mapped File	rwx	-
mmdevapi.dll	0x7ffb8a9e0000	0x7ffb8aa51fff	Memory Mapped File	rwx	-
wintypes.dll	0x7ffb8ab60000	0x7ffb8ac90fff	Memory Mapped File	rwx	-
samcli.dll	0x7ffb8add0000	0x7ffb8ade7fff	Memory Mapped File	rwx	-
wkscli.dll	0x7ffb8af20000	0x7ffb8af35fff	Memory Mapped File	rwx	-
winnsi.dll	0x7ffb8b560000	0x7ffb8b56afff	Memory Mapped File	rwx	-
iphlpapi.dll	0x7ffb8b580000	0x7ffb8b5b7fff	Memory Mapped File	rwx	-
wtsapi32.dll	0x7ffb8bf70000	0x7ffb8bf82fff	Memory Mapped File	rwx	-
coremessaging.dll	0x7ffb8c060000	0x7ffb8c127fff	Memory Mapped File	rwx	-
sppc.dll	0x7ffb8c500000	0x7ffb8c524fff	Memory Mapped File	rwx	-
slc.dll	0x7ffb8c530000	0x7ffb8c555fff	Memory Mapped File	rwx	-
uxtheme.dll	0x7ffb8c780000	0x7ffb8c815fff	Memory Mapped File	rwx	-
devobj.dll	0x7ffb8c820000	0x7ffb8c846fff	Memory Mapped File	rwx	-
twinapi.appcore.dll	0x7ffb8c870000	0x7ffb8c95dfff	Memory Mapped File	rwx	-
mpr.dll	0x7ffb8d140000	0x7ffb8d15bfff	Memory Mapped File	rwx	-
netutils.dll	0x7ffb8d160000	0x7ffb8d16bfff	Memory Mapped File	rwx	-
rsaenh.dll	0x7ffb8d3d0000	0x7ffb8d402fff	Memory Mapped File	rwx	-
userenv.dll	0x7ffb8d4c0000	0x7ffb8d4defff	Memory Mapped File	rwx	-
cryptsp.dll	0x7ffb8d780000	0x7ffb8d796fff	Memory Mapped File	rwx	-
cryptbase.dll	0x7ffb8d8f0000	0x7ffb8d8fafff	Memory Mapped File	rwx	-
sspicli.dll	0x7ffb8dad0000	0x7ffb8dafbfff	Memory Mapped File	rwx	-
bcrypt.dll	0x7ffb8dcd0000	0x7ffb8dcf7fff	Memory Mapped File	rwx	-
bcryptprimitives.dll	0x7ffb8dd00000	0x7ffb8dd6afff	Memory Mapped File	rwx	-
profapi.dll	0x7ffb8deb0000	0x7ffb8dec2fff	Memory Mapped File	rwx	-
msasn1.dll	0x7ffb8ded0000	0x7ffb8dee0fff	Memory Mapped File	rwx	-
powrprof.dll	0x7ffb8def0000	0x7ffb8df39fff	Memory Mapped File	rwx	-
kernel.appcore.dll	0x7ffb8df40000	0x7ffb8df4efff	Memory Mapped File	rwx	-
shcore.dll	0x7ffb8e000000	0x7ffb8e0b2fff	Memory Mapped File	rwx	-
windows.storage.dll	0x7ffb8e120000	0x7ffb8e747fff	Memory Mapped File	rwx	-
crypt32.dll	0x7ffb8e750000	0x7ffb8e910fff	Memory Mapped File	rwx	-
kernelbase.dll	0x7ffb8e920000	0x7ffb8eafcfff	Memory Mapped File	rwx	-
cfgmgr32.dll	0x7ffb8eb00000	0x7ffb8eb43fff	Memory Mapped File	rwx	-
msvcrt.dll	0x7ffb8eb50000	0x7ffb8ebecfff	Memory Mapped File	rwx	-
combase.dll	0x7ffb8ebf0000	0x7ffb8ee6bfff	Memory Mapped File	rwx	-
user32.dll	0x7ffb8ee70000	0x7ffb8efbdfff	Memory Mapped File	rwx	-
rpcrt4.dll	0x7ffb8efc0000	0x7ffb8f0e5fff	Memory Mapped File	rwx	-
gdi32.dll	0x7ffb8f100000	0x7ffb8f284fff	Memory Mapped File	rwx	-
shlwapi.dll	0x7ffb8f290000	0x7ffb8f2e0fff	Memory Mapped File	rwx	-
advapi32.dll	0x7ffb8f2f0000	0x7ffb8f395fff	Memory Mapped File	rwx	-
msctf.dll	0x7ffb8f3a0000	0x7ffb8f4fbfff	Memory Mapped File	rwx	-
shell32.dll	0x7ffb8f500000	0x7ffb90a24fff	Memory Mapped File	rwx	-
nsi.dll	0x7ffb90a30000	0x7ffb90a37fff	Memory Mapped File	rwx	-
kernel32.dll	0x7ffb90a40000	0x7ffb90aecfff	Memory Mapped File	rwx	-
sechost.dll	0x7ffb90af0000	0x7ffb90b4afff	Memory Mapped File	rwx	-
oleaut32.dll	0x7ffb90bc0000	0x7ffb90c7dfff	Memory Mapped File	rwx	-
clbcatq.dll	0x7ffb90e60000	0x7ffb90f04fff	Memory Mapped File	rwx	-
imm32.dll	0x7ffb90f70000	0x7ffb90fa5fff	Memory Mapped File	rwx	-
ole32.dll	0x7ffb90fb0000	0x7ffb910f0fff	Memory Mapped File	rwx	-
ntdll.dll	0x7ffb91480000	0x7ffb91641fff	Memory Mapped File	rwx	-

Injection Information

Injection Type	Source Process	Source Os Thread ID	Information	Success	Count	Logfile
Modify Memory	#12: c:\users\ciihmnxmn6ps\desktop\eqbnr.exe	0x868	address = 0x7ff74ec20000, size = 217088		1	Fn Data
Create Remote Thread	#12: c:\users\ciihmnxmn6ps\desktop\eqbnr.exe	0x868	address = 0x7ff74ec219a0		1	Fn

Host Behavior

File (13)

Operation	Filename	Additional Information	Success	Count	Logfile
Create	C:\users\Public\sys	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_HIDDEN		13	Fn

Module (78)

Operation	Module	Additional Information	Count	Logfile
Load	kernel32.dll	base_address = 0x7ffb90a40000	1	Fn
Load	mpr.dll	base_address = 0x7ffb8d140000	1	Fn
Load	advapi32.dll	base_address = 0x7ffb8f2f0000	1	Fn
Load	ole32.dll	base_address = 0x7ffb90fb0000	1	Fn
Load	Shell32.dll	base_address = 0x7ffb8f500000	1	Fn
Load	Iphlpapi.dll	base_address = 0x7ffb8b580000	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = LoadLibraryA, address_out = 0x7ffb90a62080	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetLastError, address_out = 0x7ffb90a56060	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = VirtualFree, address_out = 0x7ffb90a5bc10	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = CryptExportKey, address_out = 0x7ffb8f307b50	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = DeleteFileW, address_out = 0x7ffb90a657a0	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetDriveTypeW, address_out = 0x7ffb90a658f0	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetCommandLineW, address_out = 0x7ffb90a60150	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetStartupInfoW, address_out = 0x7ffb90a5ed80	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = FindNextFileW, address_out = 0x7ffb90a65880	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = VirtualAlloc, address_out = 0x7ffb90a5baf0	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetUserNameA, address_out = 0x7ffb8f31ec40	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = ExitProcess, address_out = 0x7ffb90a5ef50	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = Wow64RevertWow64FsRedirection, address_out = 0x7ffb90a836a0	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = CreateProcessA, address_out = 0x7ffb90a5d5b0	1	Fn
Get Address	c:\windows\system32\iphlpapi.dll	function = GetIpNetTable, address_out = 0x7ffb8b59f0b0	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetVersionExW, address_out = 0x7ffb90a5aa30	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = Wow64DisableWow64FsRedirection, address_out = 0x7ffb90a83690	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetSystemDefaultLangID, address_out = 0x7ffb90a62ba0	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetUserNameW, address_out = 0x7ffb8f30da40	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = ReadFile, address_out = 0x7ffb90a65a90	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = RegQueryValueExA, address_out = 0x7ffb8f307dd0	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = CloseHandle, address_out = 0x7ffb90a65510	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = RegSetValueExW, address_out = 0x7ffb8f307850	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = RegCloseKey, address_out = 0x7ffb8f3072e0	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = CopyFileA, address_out = 0x7ffb90a7e430	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = SetFileAttributesW, address_out = 0x7ffb90a65b00	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = WinExec, address_out = 0x7ffb90a81e60	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = CryptDeriveKey, address_out = 0x7ffb8f3207a0	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = CryptGenKey, address_out = 0x7ffb8f30cab0	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = Sleep, address_out = 0x7ffb90a58f00	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetCurrentProcess, address_out = 0x7ffb90a56580	1	Fn
Get Address	c:\windows\system32\shell32.dll	function = ShellExecuteW, address_out = 0x7ffb8f64abc0	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetFileSize, address_out = 0x7ffb90a65950	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GlobalAlloc, address_out = 0x7ffb90a5b810	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = FindClose, address_out = 0x7ffb90a657c0	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = WaitForMultipleObjects, address_out = 0x7ffb90a656e0	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetModuleFileNameA, address_out = 0x7ffb90a60c70	1	Fn
Get Address	c:\windows\system32\shell32.dll	function = ShellExecuteA, address_out = 0x7ffb8f707de0	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetModuleHandleA, address_out = 0x7ffb90a5e6d0	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetModuleFileNameW, address_out = 0x7ffb90a5eca0	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = CreateFileA, address_out = 0x7ffb90a65760	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetFileSizeEx, address_out = 0x7ffb90a65960	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = WriteFile, address_out = 0x7ffb90a65b80	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetLogicalDrives, address_out = 0x7ffb90a566d0	1	Fn
Get Address	c:\windows\system32\mpr.dll	function = WNetEnumResourceW, address_out = 0x7ffb8d1427d0	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = RegOpenKeyExW, address_out = 0x7ffb8f306cb0	1	Fn
Get Address	c:\windows\system32\mpr.dll	function = WNetCloseEnum, address_out = 0x7ffb8d142e20	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetWindowsDirectoryW, address_out = 0x7ffb90a62940	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = SetFileAttributesA, address_out = 0x7ffb90a65af0	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = RegOpenKeyExA, address_out = 0x7ffb8f307d70	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = SetFilePointer, address_out = 0x7ffb90a65b20	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetTickCount, address_out = 0x7ffb90a560a0	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetFileAttributesW, address_out = 0x7ffb90a65930	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = FindFirstFileW, address_out = 0x7ffb90a65840	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = CryptAcquireContextW, address_out = 0x7ffb8f3089e0	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = MoveFileExW, address_out = 0x7ffb90a63010	1	Fn
Get Address	c:\windows\system32\mpr.dll	function = WNetOpenEnumW, address_out = 0x7ffb8d142f20	1	Fn
Get Address	c:\windows\system32\ole32.dll	function = CoInitialize, address_out = 0x7ffb90fc3870	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = CryptDecrypt, address_out = 0x7ffb8f309140	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = CryptImportKey, address_out = 0x7ffb8f307b40	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = SetFilePointerEx, address_out = 0x7ffb90a65b30	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = CopyFileW, address_out = 0x7ffb90a65d70	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = FreeLibrary, address_out = 0x7ffb90a5eb90	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = CreateProcessW, address_out = 0x7ffb90a5dee0	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = CreateDirectoryW, address_out = 0x7ffb90a65740	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = CreateThread, address_out = 0x7ffb90a5bc20	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = CryptDestroyKey, address_out = 0x7ffb8f3086b0	1	Fn
Get Address	c:\windows\system32\ole32.dll	function = CoCreateInstance, address_out = 0x7ffb8ec77000	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = CreateFileW, address_out = 0x7ffb90a65770	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetFileAttributesA, address_out = 0x7ffb90a65900	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = CryptEncrypt, address_out = 0x7ffb8f30d7e0	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = RegDeleteValueW, address_out = 0x7ffb8f3090b0	1	Fn

System (28)

Operation	Additional Information	Count	Logfile
Sleep	duration = 5000 milliseconds (5.000 seconds)	1	Fn
Sleep	duration = 9000 milliseconds (9.000 seconds)	13	Fn
Get Info	type = Operating System	1	Fn
Get Info	type = Windows Directory, result_out = C:\Windows	13	Fn

Process #19: shellexperiencehost.exe

Information	Value
ID	#19
File Name	c:\windows\systemapps\shellexperiencehost_cw5n1h2txyewy\shellexperiencehost.exe
Command Line	"C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca
Initial Working Directory	C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\
Monitor	Start Time: 00:02:50, Reason: Injection
Unmonitor	End Time: 00:04:54, Reason: Terminated by Timeout
Monitor Duration	00:02:04
Remark	No high level activity detected in monitored regions

OS Process Information

Information	Value
PID	0x97c
Parent PID	0x23c (c:\windows\system32\svchost.exe)
Is Created or Modified Executable
Integrity Level	Low
Username	LHNIWSJ\CIiHmnxMn6Ps
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x 744 0x AD0 0x AB8 0x AAC 0x AA8 0x AA4 0x AA0 0x A90 0x A88 0x A84 0x A78 0x A74 0x A64 0x A54 0x A50 0x A4C 0x A48 0x A44 0x A40 0x A28 0x A20 0x A1C 0x A14 0x A10 0x A0C 0x A08 0x A04 0x 9FC 0x 9F4 0x 9F0 0x 9EC 0x 9E4 0x 9E0 0x 9DC 0x 9D8 0x 9A8 0x 9A4 0x 9A0 0x 99C 0x 998 0x 994 0x 990 0x 988 0x 984 0x 980 0x 2CC

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	r	-
pagefile_0x000000d138de0000	0xd138de0000	0xd138deffff	Pagefile Backed Memory	rw	-
private_0x000000d138df0000	0xd138df0000	0xd138df0fff	Private Memory	rw	-
pagefile_0x000000d138e00000	0xd138e00000	0xd138e13fff	Pagefile Backed Memory	r	-
private_0x000000d138e20000	0xd138e20000	0xd138f1ffff	Private Memory	rw	-
pagefile_0x000000d138f20000	0xd138f20000	0xd138f23fff	Pagefile Backed Memory	r	-
private_0x000000d138f30000	0xd138f30000	0xd138f31fff	Private Memory	rw	-
private_0x000000d138f40000	0xd138f40000	0xd138f40fff	Private Memory	rw	-
locale.nls	0xd138f50000	0xd13900dfff	Memory Mapped File	r	-
pagefile_0x000000d139010000	0xd139010000	0xd139039fff	Pagefile Backed Memory	rw	-
pagefile_0x000000d139040000	0xd139040000	0xd139040fff	Pagefile Backed Memory	r	-
pagefile_0x000000d139050000	0xd139050000	0xd139050fff	Pagefile Backed Memory	rw	-
pagefile_0x000000d139060000	0xd139060000	0xd139060fff	Pagefile Backed Memory	rw	-
pagefile_0x000000d139070000	0xd139070000	0xd139070fff	Pagefile Backed Memory	rw	-
private_0x000000d139080000	0xd139080000	0xd139080fff	Private Memory	rw	-
private_0x000000d139090000	0xd139090000	0xd139090fff	Private Memory	rw	-
pagefile_0x000000d1390a0000	0xd1390a0000	0xd1390a0fff	Pagefile Backed Memory	rw	-
2504515037.pri	0xd1390b0000	0xd1390bbfff	Memory Mapped File	r	-
msxml6r.dll	0xd1390c0000	0xd1390c0fff	Memory Mapped File	r	-
private_0x000000d1390d0000	0xd1390d0000	0xd1390d6fff	Private Memory	rw	-
resources.en-us.pri	0xd1390e0000	0xd1390ecfff	Memory Mapped File	r	-
pagefile_0x000000d1390f0000	0xd1390f0000	0xd1390f1fff	Pagefile Backed Memory	rw	-
private_0x000000d139100000	0xd139100000	0xd1391fffff	Private Memory	rw	-
private_0x000000d139200000	0xd139200000	0xd1392fffff	Private Memory	rw	-
private_0x000000d139300000	0xd139300000	0xd1393fffff	Private Memory	rw	-
pagefile_0x000000d139400000	0xd139400000	0xd13940ffff	Pagefile Backed Memory	rw	-
pagefile_0x000000d139410000	0xd139410000	0xd13941ffff	Pagefile Backed Memory	rw	-
pagefile_0x000000d139420000	0xd139420000	0xd13942ffff	Pagefile Backed Memory	rw	-
windows.ui.xaml.dll.mui	0xd139430000	0xd139439fff	Memory Mapped File	r	-
tilecache_100_0_header.bin	0xd139440000	0xd139442fff	Memory Mapped File	rw	-
private_0x000000d139450000	0xd139450000	0xd139456fff	Private Memory	rw	-
~fontcache-system.dat	0xd139460000	0xd1394d5fff	Memory Mapped File	r	-
private_0x000000d1394e0000	0xd1394e0000	0xd1394e0fff	Private Memory	rw	-
pagefile_0x000000d1394f0000	0xd1394f0000	0xd1394f3fff	Pagefile Backed Memory	rw	-
private_0x000000d139500000	0xd139500000	0xd1395fffff	Private Memory	rw	-
pagefile_0x000000d139600000	0xd139600000	0xd139787fff	Pagefile Backed Memory	r	-
pagefile_0x000000d139790000	0xd139790000	0xd139910fff	Pagefile Backed Memory	r	-
pagefile_0x000000d139920000	0xd139920000	0xd13ad1ffff	Pagefile Backed Memory	r	-
windows.ui.xaml.resources.dll	0xd13ad20000	0xd13ae56fff	Memory Mapped File	r	-
kernelbase.dll.mui	0xd13ae60000	0xd13af3efff	Memory Mapped File	r	-
sortdefault.nls	0xd13af40000	0xd13b276fff	Memory Mapped File	r	-
private_0x000000d13b280000	0xd13b280000	0xd13b37ffff	Private Memory	rw	-
private_0x000000d13b380000	0xd13b380000	0xd13b47ffff	Private Memory	rw	-
private_0x000000d13b480000	0xd13b480000	0xd13b57ffff	Private Memory	rw	-
private_0x000000d13b580000	0xd13b580000	0xd13b67ffff	Private Memory	rw	-
private_0x000000d13b680000	0xd13b680000	0xd13b680fff	Private Memory	rw	-
pagefile_0x000000d13b690000	0xd13b690000	0xd13b693fff	Pagefile Backed Memory	rw	-
private_0x000000d13b6a0000	0xd13b6a0000	0xd13b6a6fff	Private Memory	rw	-
segmdl2.ttf	0xd13b6b0000	0xd13b6d3fff	Memory Mapped File	r	-
private_0x000000d13b6e0000	0xd13b6e0000	0xd13b6e0fff	Private Memory	rw	-
pagefile_0x000000d13b6f0000	0xd13b6f0000	0xd13b6f3fff	Pagefile Backed Memory	rw	-
private_0x000000d13b700000	0xd13b700000	0xd13b7fffff	Private Memory	rw	-
private_0x000000d13b800000	0xd13b800000	0xd13bffffff	Private Memory	-	-
private_0x000000d13c000000	0xd13c000000	0xd13c0fffff	Private Memory	rw	-
resources.pri	0xd13c100000	0xd13c1d3fff	Memory Mapped File	r	-
private_0x000000d13c1e0000	0xd13c1e0000	0xd13c2dffff	Private Memory	rw	-
private_0x000000d13c2e0000	0xd13c2e0000	0xd13c3dffff	Private Memory	rw	-
private_0x000000d13c3e0000	0xd13c3e0000	0xd13c3e0fff	Private Memory	rw	-
pagefile_0x000000d13c3f0000	0xd13c3f0000	0xd13c3f3fff	Pagefile Backed Memory	rw	-
private_0x000000d13c400000	0xd13c400000	0xd13c4fffff	Private Memory	rw	-
private_0x000000d13c500000	0xd13c500000	0xd13c5fffff	Private Memory	rw	-
private_0x000000d13c600000	0xd13c600000	0xd13c6fffff	Private Memory	rw	-
private_0x000000d13c700000	0xd13c700000	0xd13c7fffff	Private Memory	rw	-
private_0x000000d13c800000	0xd13c800000	0xd13c8fffff	Private Memory	rw	-
private_0x000000d13c900000	0xd13c900000	0xd13c9fffff	Private Memory	rw	-
private_0x000000d13ca00000	0xd13ca00000	0xd13cafffff	Private Memory	rw	-
private_0x000000d13cb00000	0xd13cb00000	0xd13cbfffff	Private Memory	rw	-
private_0x000000d13cd00000	0xd13cd00000	0xd13cdfffff	Private Memory	rw	-
private_0x000000d13cf00000	0xd13cf00000	0xd13cffffff	Private Memory	rw	-
private_0x000000d13d000000	0xd13d000000	0xd13d0fffff	Private Memory	rw	-
private_0x000000d13d300000	0xd13d300000	0xd13d3fffff	Private Memory	rw	-
private_0x000000d13d400000	0xd13d400000	0xd13d406fff	Private Memory	rw	-
segoeui.ttf	0xd13d410000	0xd13d4eefff	Memory Mapped File	r	-
private_0x000000d13d4f0000	0xd13d4f0000	0xd13d4f6fff	Private Memory	rw	-
private_0x000000d13d500000	0xd13d500000	0xd13d5fffff	Private Memory	rw	-
private_0x000000d13d600000	0xd13d600000	0xd13d6fffff	Private Memory	rw	-
~fontcache-fontface.dat	0xd13d700000	0xd13e6fffff	Memory Mapped File	r	-
~fontcache-s-1-5-21-1462094071-1423818996-289466292-1000.dat	0xd13e700000	0xd13eefffff	Memory Mapped File	r	-
private_0x000000d13ef00000	0xd13ef00000	0xd13f2fffff	Private Memory	rw	-
private_0x000000d13f300000	0xd13f300000	0xd13f3fffff	Private Memory	rw	-
private_0x000000d13f400000	0xd13f400000	0xd13f4fffff	Private Memory	rw	-
private_0x000000d13f500000	0xd13f500000	0xd13f5fffff	Private Memory	rw	-
tilecache_100_0_data.bin	0xd13f600000	0xd13f6fffff	Memory Mapped File	rw	-
pagefile_0x000000d13f700000	0xd13f700000	0xd13f9bffff	Pagefile Backed Memory	rw	-
private_0x000000d13f9c0000	0xd13f9c0000	0xd13fabffff	Private Memory	rw	-
private_0x000000d13fac0000	0xd13fac0000	0xd13fbbffff	Private Memory	rw	-
pagefile_0x000000d13fbc0000	0xd13fbc0000	0xd13fbf1fff	Pagefile Backed Memory	rw	-
private_0x000000d13fc00000	0xd13fc00000	0xd13fcfffff	Private Memory	rw	-
private_0x000000d13ff00000	0xd13ff00000	0xd13fffffff	Private Memory	rw	-
private_0x000000d140000000	0xd140000000	0xd14007ffff	Private Memory	rw	-
private_0x000000d140300000	0xd140300000	0xd1403fffff	Private Memory	rw	-
private_0x000000d140e00000	0xd140e00000	0xd140efffff	Private Memory	rw	-
private_0x000000d141000000	0xd141000000	0xd1410fffff	Private Memory	rw	-
private_0x000000d141170000	0xd141170000	0xd141176fff	Private Memory	rw	-
private_0x000000d141200000	0xd141200000	0xd1412fffff	Private Memory	rw	-
private_0x000000d141300000	0xd141300000	0xd1413fffff	Private Memory	rw	-
private_0x000000d141400000	0xd141400000	0xd1414fffff	Private Memory	rw	-
private_0x000000d141500000	0xd141500000	0xd1415fffff	Private Memory	rw	-
private_0x00007ff735544000	0x7ff735544000	0x7ff735545fff	Private Memory	rw	-
private_0x00007ff735546000	0x7ff735546000	0x7ff735547fff	Private Memory	rw	-
private_0x00007ff73554a000	0x7ff73554a000	0x7ff73554bfff	Private Memory	rw	-
private_0x00007ff735568000	0x7ff735568000	0x7ff735569fff	Private Memory	rw	-
private_0x00007ff73556a000	0x7ff73556a000	0x7ff73556bfff	Private Memory	rw	-
private_0x00007ff73556c000	0x7ff73556c000	0x7ff73556dfff	Private Memory	rw	-
private_0x00007ff73556e000	0x7ff73556e000	0x7ff73556ffff	Private Memory	rw	-
private_0x00007ff735574000	0x7ff735574000	0x7ff735575fff	Private Memory	rw	-
private_0x00007ff735576000	0x7ff735576000	0x7ff735577fff	Private Memory	rw	-
private_0x00007ff73557c000	0x7ff73557c000	0x7ff73557dfff	Private Memory	rw	-
private_0x00007ff73557e000	0x7ff73557e000	0x7ff73557ffff	Private Memory	rw	-
private_0x00007ff735580000	0x7ff735580000	0x7ff735581fff	Private Memory	rw	-
private_0x00007ff735582000	0x7ff735582000	0x7ff735583fff	Private Memory	rw	-
private_0x00007ff735584000	0x7ff735584000	0x7ff735585fff	Private Memory	rw	-
private_0x00007ff735586000	0x7ff735586000	0x7ff735587fff	Private Memory	rw	-
private_0x00007ff735588000	0x7ff735588000	0x7ff735589fff	Private Memory	rw	-
private_0x00007ff73558a000	0x7ff73558a000	0x7ff73558bfff	Private Memory	rw	-
private_0x00007ff73558c000	0x7ff73558c000	0x7ff73558dfff	Private Memory	rw	-
private_0x00007ff73558e000	0x7ff73558e000	0x7ff73558ffff	Private Memory	rw	-
pagefile_0x00007ff735590000	0x7ff735590000	0x7ff73568ffff	Pagefile Backed Memory	r	-
pagefile_0x00007ff735690000	0x7ff735690000	0x7ff7356b2fff	Pagefile Backed Memory	r	-
private_0x00007ff7356b3000	0x7ff7356b3000	0x7ff7356b4fff	Private Memory	rw	-
private_0x00007ff7356b5000	0x7ff7356b5000	0x7ff7356b5fff	Private Memory	rw	-
private_0x00007ff7356b6000	0x7ff7356b6000	0x7ff7356b7fff	Private Memory	rw	-
private_0x00007ff7356b8000	0x7ff7356b8000	0x7ff7356b9fff	Private Memory	rw	-
private_0x00007ff7356ba000	0x7ff7356ba000	0x7ff7356bbfff	Private Memory	rw	-
private_0x00007ff7356bc000	0x7ff7356bc000	0x7ff7356bdfff	Private Memory	rw	-
private_0x00007ff7356be000	0x7ff7356be000	0x7ff7356bffff	Private Memory	rw	-
shellexperiencehost.exe	0x7ff735ff0000	0x7ff7361ddfff	Memory Mapped File	rwx	-
private_0x00007ff74ec20000	0x7ff74ec20000	0x7ff74ec54fff	Private Memory	rwx	-
rtmediaframe.dll	0x7ffb7e010000	0x7ffb7e085fff	Memory Mapped File	rwx	-
windows.graphics.dll	0x7ffb7e230000	0x7ffb7e289fff	Memory Mapped File	rwx	-
windows.storage.applicationdata.dll	0x7ffb7e290000	0x7ffb7e2e2fff	Memory Mapped File	rwx	-
fontgroupsoverride.dll	0x7ffb7e2f0000	0x7ffb7e2f9fff	Memory Mapped File	rwx	-
windows.globalization.fontgroups.dll	0x7ffb7e300000	0x7ffb7e317fff	Memory Mapped File	rwx	-
notificationobjfactory.dll	0x7ffb7e320000	0x7ffb7e36dfff	Memory Mapped File	rwx	-
quickactionsdatamodel.dll	0x7ffb7e820000	0x7ffb7e84dfff	Memory Mapped File	rwx	-
windows.ui.actioncenter.dll	0x7ffb7e850000	0x7ffb7ea8cfff	Memory Mapped File	rwx	-
quickactions.dll	0x7ffb7ea90000	0x7ffb7eafcfff	Memory Mapped File	rwx	-
startui.dll	0x7ffb7eb00000	0x7ffb7f2a6fff	Memory Mapped File	rwx	-
staterepository.core.dll	0x7ffb7f450000	0x7ffb7f4e8fff	Memory Mapped File	rwx	-
windows.staterepository.dll	0x7ffb7f4f0000	0x7ffb7f781fff	Memory Mapped File	rwx	-
personax.dll	0x7ffb7fac0000	0x7ffb7faeafff	Memory Mapped File	rwx	-
veeventdispatcher.dll	0x7ffb7fe70000	0x7ffb7feb8fff	Memory Mapped File	rwx	-
dataexchange.dll	0x7ffb81dd0000	0x7ffb81e15fff	Memory Mapped File	rwx	-
actxprxy.dll	0x7ffb82650000	0x7ffb82ab9fff	Memory Mapped File	rwx	-
windows.shell.servicehostbuilder.dll	0x7ffb82b70000	0x7ffb82b81fff	Memory Mapped File	rwx	-
coreuicomponents.dll	0x7ffb82bb0000	0x7ffb82e10fff	Memory Mapped File	rwx	-
threadpoolwinrt.dll	0x7ffb83850000	0x7ffb83864fff	Memory Mapped File	rwx	-
msxml6.dll	0x7ffb84be0000	0x7ffb84e56fff	Memory Mapped File	rwx	-
urlmon.dll	0x7ffb85bc0000	0x7ffb85d56fff	Memory Mapped File	rwx	-
directmanipulation.dll	0x7ffb86cd0000	0x7ffb86d58fff	Memory Mapped File	rwx	-
For performance reasons, the remaining 52 entries are omitted. The remaining entries can be found in flog.txt.

Injection Information

Injection Type	Source Process	Source Os Thread ID	Information	Success	Count	Logfile
Modify Memory	#12: c:\users\ciihmnxmn6ps\desktop\eqbnr.exe	0x868	address = 0x7ff74ec20000, size = 217088		1	Fn Data
Create Remote Thread	#12: c:\users\ciihmnxmn6ps\desktop\eqbnr.exe	0x868	address = 0x7ff74ec219a0		1	Fn

Process #20: searchui.exe

Information	Value
ID	#20
File Name	c:\windows\systemapps\microsoft.windows.cortana_cw5n1h2txyewy\searchui.exe
Command Line	"C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca
Initial Working Directory	C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\
Monitor	Start Time: 00:02:51, Reason: Injection
Unmonitor	End Time: 00:03:13, Reason: Self Terminated
Monitor Duration	00:00:22

OS Process Information

Information	Value
PID	0xb0c
Parent PID	0x23c (c:\windows\system32\svchost.exe)
Is Created or Modified Executable
Integrity Level	Low
Username	LHNIWSJ\CIiHmnxMn6Ps
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x 880 0x BC4 0x BC0 0x BBC 0x BB8 0x BA0 0x B9C 0x B98 0x B94 0x B90 0x B8C 0x B88 0x B84 0x B80 0x B7C 0x B70 0x B6C 0x B68 0x B5C 0x B54 0x B50 0x B48 0x B44 0x B40 0x B3C 0x B38 0x B34 0x B30 0x B2C 0x B28 0x B24 0x B20 0x B18 0x B14 0x B10 0x BF8

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	r	-
pagefile_0x000000cf61400000	0xcf61400000	0xcf6140ffff	Pagefile Backed Memory	rw	-
pagefile_0x000000cf61410000	0xcf61410000	0xcf61410fff	Pagefile Backed Memory	r	-
pagefile_0x000000cf61420000	0xcf61420000	0xcf61433fff	Pagefile Backed Memory	r	-
private_0x000000cf61440000	0xcf61440000	0xcf6153ffff	Private Memory	rw	-
pagefile_0x000000cf61540000	0xcf61540000	0xcf61543fff	Pagefile Backed Memory	r	-
private_0x000000cf61550000	0xcf61550000	0xcf61551fff	Private Memory	rw	-
private_0x000000cf61560000	0xcf61560000	0xcf61560fff	Private Memory	rw	-
locale.nls	0xcf61570000	0xcf6162dfff	Memory Mapped File	r	-
private_0x000000cf61630000	0xcf61630000	0xcf61630fff	Private Memory	rw	-
pagefile_0x000000cf61640000	0xcf61640000	0xcf61640fff	Pagefile Backed Memory	rw	-
private_0x000000cf61650000	0xcf61650000	0xcf61656fff	Private Memory	rw	-
pagefile_0x000000cf61660000	0xcf61660000	0xcf61689fff	Pagefile Backed Memory	rw	-
counters.dat	0xcf61690000	0xcf61690fff	Memory Mapped File	r	-
pagefile_0x000000cf616a0000	0xcf616a0000	0xcf616a0fff	Pagefile Backed Memory	rw	-
pagefile_0x000000cf616b0000	0xcf616b0000	0xcf616b0fff	Pagefile Backed Memory	rw	-
resources.pri	0xcf616c0000	0xcf616e0fff	Memory Mapped File	r	-
pagefile_0x000000cf616f0000	0xcf616f0000	0xcf616f0fff	Pagefile Backed Memory	rw	-
private_0x000000cf61700000	0xcf61700000	0xcf617fffff	Private Memory	rw	-
private_0x000000cf61800000	0xcf61800000	0xcf618fffff	Private Memory	rw	-
private_0x000000cf61900000	0xcf61900000	0xcf619fffff	Private Memory	rw	-
shell32.dll.mui	0xcf61a00000	0xcf61a60fff	Memory Mapped File	r	-
2495906576.pri	0xcf61a70000	0xcf61a83fff	Memory Mapped File	r	-
app.xbf	0xcf61a90000	0xcf61a90fff	Memory Mapped File	r	-
pagefile_0x000000cf61aa0000	0xcf61aa0000	0xcf61aa0fff	Pagefile Backed Memory	rw	-
private_0x000000cf61ab0000	0xcf61ab0000	0xcf61ab0fff	Private Memory	rw	-
private_0x000000cf61ac0000	0xcf61ac0000	0xcf61ac0fff	Private Memory	rw	-
private_0x000000cf61ad0000	0xcf61ad0000	0xcf61ad6fff	Private Memory	rw	-
pagefile_0x000000cf61ae0000	0xcf61ae0000	0xcf61ae0fff	Pagefile Backed Memory	rw	-
mswsock.dll.mui	0xcf61af0000	0xcf61af2fff	Memory Mapped File	r	-
private_0x000000cf61b00000	0xcf61b00000	0xcf61bfffff	Private Memory	rw	-
pagefile_0x000000cf61c00000	0xcf61c00000	0xcf61d87fff	Pagefile Backed Memory	r	-
pagefile_0x000000cf61d90000	0xcf61d90000	0xcf61f10fff	Pagefile Backed Memory	r	-
pagefile_0x000000cf61f20000	0xcf61f20000	0xcf6331ffff	Pagefile Backed Memory	r	-
windows.ui.xaml.resources.dll	0xcf63320000	0xcf63456fff	Memory Mapped File	r	-
kernelbase.dll.mui	0xcf63460000	0xcf6353efff	Memory Mapped File	r	-
private_0x000000cf63540000	0xcf63540000	0xcf6363ffff	Private Memory	rw	-
private_0x000000cf63640000	0xcf63640000	0xcf6373ffff	Private Memory	rw	-
sortdefault.nls	0xcf63740000	0xcf63a76fff	Memory Mapped File	r	-
private_0x000000cf63a80000	0xcf63a80000	0xcf63b7ffff	Private Memory	rw	-
private_0x000000cf63b80000	0xcf63b80000	0xcf63c7ffff	Private Memory	rw	-
private_0x000000cf63c80000	0xcf63c80000	0xcf63d7ffff	Private Memory	rw	-
private_0x000000cf63d80000	0xcf63d80000	0xcf63e7ffff	Private Memory	rw	-
private_0x000000cf63e80000	0xcf63e80000	0xcf63e86fff	Private Memory	rw	-
resources.en-us.pri	0xcf63e90000	0xcf63ea5fff	Memory Mapped File	r	-
pagefile_0x000000cf63eb0000	0xcf63eb0000	0xcf63eb1fff	Pagefile Backed Memory	rw	-
crypt32.dll.mui	0xcf63ec0000	0xcf63ec9fff	Memory Mapped File	r	-
dictionary.xbf	0xcf63ed0000	0xcf63ed3fff	Memory Mapped File	r	-
reactivecat1themeresources.xbf	0xcf63ee0000	0xcf63ee4fff	Memory Mapped File	r	-
speechtextinputthemeresources.xbf	0xcf63ef0000	0xcf63ef1fff	Memory Mapped File	r	-
private_0x000000cf63f00000	0xcf63f00000	0xcf63ffffff	Private Memory	rw	-
private_0x000000cf64000000	0xcf64000000	0xcf640fffff	Private Memory	rw	-
private_0x000000cf64100000	0xcf64100000	0xcf641fffff	Private Memory	rw	-
private_0x000000cf64200000	0xcf64200000	0xcf642fffff	Private Memory	rw	-
private_0x000000cf64300000	0xcf64300000	0xcf643fffff	Private Memory	rw	-
private_0x000000cf64400000	0xcf64400000	0xcf644fffff	Private Memory	rw	-
private_0x000000cf64500000	0xcf64500000	0xcf645fffff	Private Memory	rw	-
private_0x000000cf64600000	0xcf64600000	0xcf64dfffff	Private Memory	-	-
private_0x000000cf64e00000	0xcf64e00000	0xcf64efffff	Private Memory	rw	-
private_0x000000cf64f00000	0xcf64f00000	0xcf64ffffff	Private Memory	rw	-
private_0x000000cf65000000	0xcf65000000	0xcf650fffff	Private Memory	rw	-
private_0x000000cf65100000	0xcf65100000	0xcf651fffff	Private Memory	rw	-
private_0x000000cf65200000	0xcf65200000	0xcf652fffff	Private Memory	rw	-
private_0x000000cf65300000	0xcf65300000	0xcf653fffff	Private Memory	rw	-
cortanawindow.xbf	0xcf65400000	0xcf65400fff	Memory Mapped File	r	-
chrome.xbf	0xcf65410000	0xcf65417fff	Memory Mapped File	r	-
pagefile_0x000000cf65420000	0xcf65420000	0xcf65421fff	Pagefile Backed Memory	rw	-
pagefile_0x000000cf65430000	0xcf65430000	0xcf65431fff	Pagefile Backed Memory	rw	-
msxml6r.dll	0xcf65440000	0xcf65440fff	Memory Mapped File	r	-
pagefile_0x000000cf65450000	0xcf65450000	0xcf65507fff	Pagefile Backed Memory	r	-
pagefile_0x000000cf65510000	0xcf65510000	0xcf65513fff	Pagefile Backed Memory	r	-
homeburgermenucontrol.xbf	0xcf65520000	0xcf65520fff	Memory Mapped File	r	-
greetingscontrol.xbf	0xcf65530000	0xcf65531fff	Memory Mapped File	r	-
hostedwebviewcontrol.xbf	0xcf65540000	0xcf65540fff	Memory Mapped File	r	-
speechtextinputcontrol.xbf	0xcf65550000	0xcf65551fff	Memory Mapped File	r	-
searchboxcontrol.xbf	0xcf65560000	0xcf65560fff	Memory Mapped File	r	-
~fontcache-system.dat	0xcf65570000	0xcf655e5fff	Memory Mapped File	r	-
private_0x000000cf655f0000	0xcf655f0000	0xcf655f6fff	Private Memory	rw	-
private_0x000000cf65600000	0xcf65600000	0xcf65606fff	Private Memory	rw	-
segoeui.ttf	0xcf65610000	0xcf656eefff	Memory Mapped File	r	-
windows.ui.xaml.dll.mui	0xcf656f0000	0xcf656f9fff	Memory Mapped File	r	-
private_0x000000cf65700000	0xcf65700000	0xcf657fffff	Private Memory	rw	-
private_0x000000cf65800000	0xcf65800000	0xcf658fffff	Private Memory	rw	-
private_0x000000cf65900000	0xcf65900000	0xcf659fffff	Private Memory	rw	-
private_0x000000cf65a00000	0xcf65a00000	0xcf65afffff	Private Memory	rw	-
~fontcache-fontface.dat	0xcf65b00000	0xcf66afffff	Memory Mapped File	r	-
private_0x000000cf66b00000	0xcf66b00000	0xcf66bfffff	Private Memory	rw	-
~fontcache-s-1-5-21-1462094071-1423818996-289466292-1000.dat	0xcf66c00000	0xcf673fffff	Memory Mapped File	r	-
private_0x000000cf67400000	0xcf67400000	0xcf674fffff	Private Memory	rw	-
private_0x000000cf67500000	0xcf67500000	0xcf675fffff	Private Memory	rw	-
private_0x000000cf67600000	0xcf67600000	0xcf67600fff	Private Memory	rw	-
private_0x000000cf67610000	0xcf67610000	0xcf67610fff	Private Memory	rw	-
pagefile_0x000000cf67620000	0xcf67620000	0xcf67623fff	Pagefile Backed Memory	rw	-
private_0x000000cf67630000	0xcf67630000	0xcf6772ffff	Private Memory	rw	-
private_0x000000cf67730000	0xcf67730000	0xd76772ffff	Private Memory	rw	-
private_0x000000d767730000	0xd767730000	0xd76774ffff	Private Memory	rw	-
private_0x000000d767750000	0xd767750000	0xd76779ffff	Private Memory	rw	-
private_0x000000d7677a0000	0xd7677a0000	0xd7677a0fff	Private Memory	rw	-
private_0x000000d7677b0000	0xd7677b0000	0xd7677b0fff	Private Memory	rw	-
pagefile_0x000000d7677c0000	0xd7677c0000	0xd7677c0fff	Pagefile Backed Memory	rw	-
pagefile_0x000000d7677d0000	0xd7677d0000	0xd7677d0fff	Pagefile Backed Memory	rw	-
private_0x000000d7677e0000	0xd7677e0000	0xd7677e0fff	Private Memory	rw	-
pagefile_0x000000d7677f0000	0xd7677f0000	0xd7677fffff	Pagefile Backed Memory	r	-
private_0x000000d767800000	0xd767800000	0xd7678fffff	Private Memory	rw	-
private_0x000000d767900000	0xd767900000	0xd7679fffff	Private Memory	rw	-
edgehtml.dll.mui	0xd767a00000	0xd767a5ffff	Memory Mapped File	r	-
pagefile_0x000000d767a60000	0xd767a60000	0xd767a6ffff	Pagefile Backed Memory	r	-
private_0x000000d767a70000	0xd767a70000	0xd767a76fff	Private Memory	rw	-
private_0x000000d767a80000	0xd767a80000	0xd767b7ffff	Private Memory	rw	-
private_0x000000d767b80000	0xd767b80000	0xd767c7ffff	Private Memory	rw	-
private_0x000000d767c80000	0xd767c80000	0xd767d7ffff	Private Memory	rw	-
private_0x000000d767d80000	0xd767d80000	0xd767e7ffff	Private Memory	rw	-
private_0x000000d767e80000	0xd767e80000	0xd767f7ffff	Private Memory	rw	-
private_0x000000d767f80000	0xd767f80000	0xd76807ffff	Private Memory	rw	-
private_0x000000d768080000	0xd768080000	0xd76809ffff	Private Memory	rw	-
private_0x000000d7680a0000	0xd7680a0000	0xd7680bffff	Private Memory	rw	-
private_0x000000d7680c0000	0xd7680c0000	0xd7680dffff	Private Memory	rwx	-
private_0x000000d7680e0000	0xd7680e0000	0xd7680fffff	Private Memory	rw	-
private_0x000000d768100000	0xd768100000	0xd7681fffff	Private Memory	rw	-
private_0x000000d768200000	0xd768200000	0xd76824ffff	Private Memory	rw	-
private_0x000000d768250000	0xd768250000	0xd76834ffff	Private Memory	rw	-
private_0x000000d768350000	0xd768350000	0xd76844ffff	Private Memory	rw	-
private_0x000000d768450000	0xd768450000	0xd76846ffff	Private Memory	rw	-
private_0x000000d768470000	0xd768470000	0xd76848ffff	Private Memory	rw	-
cortana.internal.search.winmd	0xd768490000	0xd7684a0fff	Memory Mapped File	rwx	-
cortana.search.winmd	0xd7684b0000	0xd7684b7fff	Memory Mapped File	rwx	-
private_0x000000d7684c0000	0xd7684c0000	0xd7684dffff	Private Memory	rw	-
windows.foundation.winmd	0xd7684e0000	0xd7684eefff	Memory Mapped File	rwx	-
windows.security.winmd	0xd7684f0000	0xd76850dfff	Memory Mapped File	rwx	-
private_0x000000d768510000	0xd768510000	0xd76860ffff	Private Memory	rw	-
private_0x000000d768610000	0xd768610000	0xd76862ffff	Private Memory	rw	-
windows.storage.winmd	0xd768630000	0xd76864afff	Memory Mapped File	rwx	-
private_0x000000d768650000	0xd768650000	0xd76866ffff	Private Memory	rw	-
chakra.dll.mui	0xd768670000	0xd768679fff	Memory Mapped File	r	-
private_0x000000d768680000	0xd768680000	0xd76869ffff	Private Memory	rw	-
private_0x000000d7686c0000	0xd7686c0000	0xd7686dffff	Private Memory	rw	-
private_0x000000d768720000	0xd768720000	0xd76873ffff	Private Memory	rw	-
private_0x000000d768740000	0xd768740000	0xd76875ffff	Private Memory	rw	-
private_0x000000d768760000	0xd768760000	0xd76885ffff	Private Memory	rw	-
private_0x000000d768880000	0xd768880000	0xd76889ffff	Private Memory	rw	-
private_0x000000d7688a0000	0xd7688a0000	0xd7688bffff	Private Memory	rw	-
private_0x000000d7688c0000	0xd7688c0000	0xd7688dffff	Private Memory	rw	-
private_0x000000d7688e0000	0xd7688e0000	0xd7688fffff	Private Memory	rw	-
private_0x000000d768900000	0xd768900000	0xd7689fffff	Private Memory	rw	-
private_0x000000d768a00000	0xd768a00000	0xd768afffff	Private Memory	rw	-
private_0x000000d768b00000	0xd768b00000	0xd768bfffff	Private Memory	rw	-
private_0x000000d768c00000	0xd768c00000	0xd768cfffff	Private Memory	rw	-
private_0x000000d768d00000	0xd768d00000	0xd768d1ffff	Private Memory	rw	-
private_0x000000d768d20000	0xd768d20000	0xd768d3ffff	Private Memory	rw	-
private_0x000000d768d40000	0xd768d40000	0xd768d5ffff	Private Memory	rw	-
For performance reasons, the remaining 255 entries are omitted. The remaining entries can be found in flog.txt.

Injection Information

Injection Type	Source Process	Source Os Thread ID	Information	Success	Count	Logfile
Modify Memory	#12: c:\users\ciihmnxmn6ps\desktop\eqbnr.exe	0x868	address = 0x7ff74ec20000, size = 217088		1	Fn Data
Create Remote Thread	#12: c:\users\ciihmnxmn6ps\desktop\eqbnr.exe	0x868	address = 0x7ff74ec219a0		1	Fn

Host Behavior

File (3)

Operation	Filename	Additional Information	Count	Logfile
Create	C:\users\Public\sys	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_HIDDEN	1	Fn
Create	C:\users\Public\sys	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_HIDDEN	1	Fn
Create	C:\users\Public\PUBLIC	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn

Module (78)

Operation	Module	Additional Information	Count	Logfile
Load	kernel32.dll	base_address = 0x7ffb90a40000	1	Fn
Load	mpr.dll	base_address = 0x7ffb8d140000	1	Fn
Load	advapi32.dll	base_address = 0x7ffb8f2f0000	1	Fn
Load	ole32.dll	base_address = 0x7ffb90fb0000	1	Fn
Load	Shell32.dll	base_address = 0x7ffb8f500000	1	Fn
Load	Iphlpapi.dll	base_address = 0x7ffb8b580000	1	Fn
Get Address	Unknown module name	function = LoadLibraryA, address_out = 0x7ffb90a62080	1	Fn
Get Address	Unknown module name	function = GetLastError, address_out = 0x7ffb90a56060	1	Fn
Get Address	Unknown module name	function = VirtualFree, address_out = 0x7ffb90a5bc10	1	Fn
Get Address	Unknown module name	function = CryptExportKey, address_out = 0x7ffb8f307b50	1	Fn
Get Address	Unknown module name	function = DeleteFileW, address_out = 0x7ffb90a657a0	1	Fn
Get Address	Unknown module name	function = GetDriveTypeW, address_out = 0x7ffb90a658f0	1	Fn
Get Address	Unknown module name	function = GetCommandLineW, address_out = 0x7ffb90a60150	1	Fn
Get Address	Unknown module name	function = GetStartupInfoW, address_out = 0x7ffb90a5ed80	1	Fn
Get Address	Unknown module name	function = FindNextFileW, address_out = 0x7ffb90a65880	1	Fn
Get Address	Unknown module name	function = VirtualAlloc, address_out = 0x7ffb90a5baf0	1	Fn
Get Address	Unknown module name	function = GetUserNameA, address_out = 0x7ffb8f31ec40	1	Fn
Get Address	Unknown module name	function = ExitProcess, address_out = 0x7ffb90a5ef50	1	Fn
Get Address	Unknown module name	function = Wow64RevertWow64FsRedirection, address_out = 0x7ffb90a836a0	1	Fn
Get Address	Unknown module name	function = CreateProcessA, address_out = 0x7ffb90a5d5b0	1	Fn
Get Address	Unknown module name	function = GetIpNetTable, address_out = 0x7ffb8b59f0b0	1	Fn
Get Address	Unknown module name	function = GetVersionExW, address_out = 0x7ffb90a5aa30	1	Fn
Get Address	Unknown module name	function = Wow64DisableWow64FsRedirection, address_out = 0x7ffb90a83690	1	Fn
Get Address	Unknown module name	function = GetSystemDefaultLangID, address_out = 0x7ffb90a62ba0	1	Fn
Get Address	Unknown module name	function = GetUserNameW, address_out = 0x7ffb8f30da40	1	Fn
Get Address	Unknown module name	function = ReadFile, address_out = 0x7ffb90a65a90	1	Fn
Get Address	Unknown module name	function = RegQueryValueExA, address_out = 0x7ffb8f307dd0	1	Fn
Get Address	Unknown module name	function = CloseHandle, address_out = 0x7ffb90a65510	1	Fn
Get Address	Unknown module name	function = RegSetValueExW, address_out = 0x7ffb8f307850	1	Fn
Get Address	Unknown module name	function = RegCloseKey, address_out = 0x7ffb8f3072e0	1	Fn
Get Address	Unknown module name	function = CopyFileA, address_out = 0x7ffb90a7e430	1	Fn
Get Address	Unknown module name	function = SetFileAttributesW, address_out = 0x7ffb90a65b00	1	Fn
Get Address	Unknown module name	function = WinExec, address_out = 0x7ffb90a81e60	1	Fn
Get Address	Unknown module name	function = CryptDeriveKey, address_out = 0x7ffb8f3207a0	1	Fn
Get Address	Unknown module name	function = CryptGenKey, address_out = 0x7ffb8f30cab0	1	Fn
Get Address	Unknown module name	function = Sleep, address_out = 0x7ffb90a58f00	1	Fn
Get Address	Unknown module name	function = GetCurrentProcess, address_out = 0x7ffb90a56580	1	Fn
Get Address	Unknown module name	function = ShellExecuteW, address_out = 0x7ffb8f64abc0	1	Fn
Get Address	Unknown module name	function = GetFileSize, address_out = 0x7ffb90a65950	1	Fn
Get Address	Unknown module name	function = GlobalAlloc, address_out = 0x7ffb90a5b810	1	Fn
Get Address	Unknown module name	function = FindClose, address_out = 0x7ffb90a657c0	1	Fn
Get Address	Unknown module name	function = WaitForMultipleObjects, address_out = 0x7ffb90a656e0	1	Fn
Get Address	Unknown module name	function = GetModuleFileNameA, address_out = 0x7ffb90a60c70	1	Fn
Get Address	Unknown module name	function = ShellExecuteA, address_out = 0x7ffb8f707de0	1	Fn
Get Address	Unknown module name	function = GetModuleHandleA, address_out = 0x7ffb90a5e6d0	1	Fn
Get Address	Unknown module name	function = GetModuleFileNameW, address_out = 0x7ffb90a5eca0	1	Fn
Get Address	Unknown module name	function = CreateFileA, address_out = 0x7ffb90a65760	1	Fn
Get Address	Unknown module name	function = GetFileSizeEx, address_out = 0x7ffb90a65960	1	Fn
Get Address	Unknown module name	function = WriteFile, address_out = 0x7ffb90a65b80	1	Fn
Get Address	Unknown module name	function = GetLogicalDrives, address_out = 0x7ffb90a566d0	1	Fn
Get Address	Unknown module name	function = WNetEnumResourceW, address_out = 0x7ffb8d1427d0	1	Fn
Get Address	Unknown module name	function = RegOpenKeyExW, address_out = 0x7ffb8f306cb0	1	Fn
Get Address	Unknown module name	function = WNetCloseEnum, address_out = 0x7ffb8d142e20	1	Fn
Get Address	Unknown module name	function = GetWindowsDirectoryW, address_out = 0x7ffb90a62940	1	Fn
Get Address	Unknown module name	function = SetFileAttributesA, address_out = 0x7ffb90a65af0	1	Fn
Get Address	Unknown module name	function = RegOpenKeyExA, address_out = 0x7ffb8f307d70	1	Fn
Get Address	Unknown module name	function = SetFilePointer, address_out = 0x7ffb90a65b20	1	Fn
Get Address	Unknown module name	function = GetTickCount, address_out = 0x7ffb90a560a0	1	Fn
Get Address	Unknown module name	function = GetFileAttributesW, address_out = 0x7ffb90a65930	1	Fn
Get Address	Unknown module name	function = FindFirstFileW, address_out = 0x7ffb90a65840	1	Fn
Get Address	Unknown module name	function = CryptAcquireContextW, address_out = 0x7ffb8f3089e0	1	Fn
Get Address	Unknown module name	function = MoveFileExW, address_out = 0x7ffb90a63010	1	Fn
Get Address	Unknown module name	function = WNetOpenEnumW, address_out = 0x7ffb8d142f20	1	Fn
Get Address	Unknown module name	function = CoInitialize, address_out = 0x7ffb90fc3870	1	Fn
Get Address	Unknown module name	function = CryptDecrypt, address_out = 0x7ffb8f309140	1	Fn
Get Address	Unknown module name	function = CryptImportKey, address_out = 0x7ffb8f307b40	1	Fn
Get Address	Unknown module name	function = SetFilePointerEx, address_out = 0x7ffb90a65b30	1	Fn
Get Address	Unknown module name	function = CopyFileW, address_out = 0x7ffb90a65d70	1	Fn
Get Address	Unknown module name	function = FreeLibrary, address_out = 0x7ffb90a5eb90	1	Fn
Get Address	Unknown module name	function = CreateProcessW, address_out = 0x7ffb90a5dee0	1	Fn
Get Address	Unknown module name	function = CreateDirectoryW, address_out = 0x7ffb90a65740	1	Fn
Get Address	Unknown module name	function = CreateThread, address_out = 0x7ffb90a5bc20	1	Fn
Get Address	Unknown module name	function = CryptDestroyKey, address_out = 0x7ffb8f3086b0	1	Fn
Get Address	Unknown module name	function = CoCreateInstance, address_out = 0x7ffb8ec77000	1	Fn
Get Address	Unknown module name	function = CreateFileW, address_out = 0x7ffb90a65770	1	Fn
Get Address	Unknown module name	function = GetFileAttributesA, address_out = 0x7ffb90a65900	1	Fn
Get Address	Unknown module name	function = CryptEncrypt, address_out = 0x7ffb8f30d7e0	1	Fn
Get Address	Unknown module name	function = RegDeleteValueW, address_out = 0x7ffb8f3090b0	1	Fn

System (6)

Operation	Additional Information	Count	Logfile
Sleep	duration = 5000 milliseconds (5.000 seconds)	1	Fn
Get Info	type = Operating System	2	Fn
Get Info	type = Windows Directory, result_out = C:\Windows	3	Fn

Notifications (2/3)

Monitored Processes

Behavior Information - Grouped by Category

Before

After