Bad Rabbit Ransomware | Grouped Behavior

Monitored Processes

Behavior Information - Grouped by Category

Process #1: ifzkkpwij.exe

(Host: 9, Network: 0)

Information	Value
ID	#1
File Name	c:\users\5p5nrgjn0js halpmcxz\desktop\ifzkkpwij.exe
Command Line	"C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ifzkkpwij.exe"
Initial Working Directory	C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor	Start Time: 00:00:11, Reason: Analysis Target
Unmonitor	End Time: 00:01:50, Reason: Terminated by Timeout
Monitor Duration	00:01:39

OS Process Information

Information	Value
PID	0x948
Parent PID	0x55c (c:\windows\explorer.exe)
Is Created or Modified Executable
Integrity Level	High (Elevated)
Username	XDUWTFONO\5p5NrGJn0jS HALPmcxz
Groups	XDUWTFONO\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) BUILTIN\Administrators (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, OWNER) BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Logon Session 00000000:0001076e (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID) LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges	SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs	0x 94C

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000020000	0x00020000	0x0002ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000030000	0x00030000	0x00031fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000030000	0x00030000	0x00030fff	Private Memory	Readable, Writable	Region Actions Download Dump
apisetschema.dll	0x00040000	0x00040fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x0000000000050000	0x00050000	0x00053fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000060000	0x00060000	0x00060fff	Pagefile Backed Memory	Readable	Region Actions
locale.nls	0x00070000	0x000d6fff	Memory Mapped File	Readable	Region Actions
private_0x00000000000e0000	0x000e0000	0x000e0fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000190000	0x00190000	0x001cffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000280000	0x00280000	0x0037ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000490000	0x00490000	0x0050ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000620000	0x00620000	0x0071ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000840000	0x00840000	0x0084ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000850000	0x00850000	0x009d7fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000009e0000	0x009e0000	0x00b60fff	Pagefile Backed Memory	Readable	Region Actions
ifzkkpwij.exe	0x00ff0000	0x01001fff	Memory Mapped File	Readable, Writable, Executable	Region Actions Download Dump
pagefile_0x0000000001010000	0x01010000	0x0240ffff	Pagefile Backed Memory	Readable	Region Actions
wow64cpu.dll	0x744a0000	0x744a7fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64win.dll	0x744b0000	0x7450bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64.dll	0x74510000	0x7454efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptbase.dll	0x74ac0000	0x74acbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sspicli.dll	0x74ad0000	0x74b2ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x74b30000	0x74b8ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x74ca0000	0x74d9ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
lpk.dll	0x74da0000	0x74da9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x74db0000	0x74e7bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x74e80000	0x74e98fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x74ea0000	0x74f3ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shell32.dll	0x74f40000	0x75b89fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x75ee0000	0x75fcffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shlwapi.dll	0x76070000	0x760c6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x763f0000	0x7647ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
usp10.dll	0x76510000	0x765acfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernelbase.dll	0x765b0000	0x765f5fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x76600000	0x7670ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x76a40000	0x76aebfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x0000000076b70000	0x76b70000	0x76c69fff	Private Memory	Readable, Writable, Executable	Region Actions Download Dump
private_0x0000000076c70000	0x76c70000	0x76d8efff	Private Memory	Readable, Writable, Executable	Region Actions Download Dump
ntdll.dll	0x76d90000	0x76f38fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x76f70000	0x770effff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x000000007efb0000	0x7efb0000	0x7efd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007efdb000	0x7efdb000	0x7efddfff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007efde000	0x7efde000	0x7efdefff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007efdf000	0x7efdf000	0x7efdffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007efe0000	0x7efe0000	0x7ffdffff	Private Memory	Readable	Region Actions
pagefile_0x000000007efe0000	0x7efe0000	0x7f0dffff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007f0e0000	0x7f0e0000	0x7ffdffff	Private Memory	Readable	Region Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions Download Dump
private_0x000000007fff0000	0x7fff0000	0x7fffffeffff	Private Memory	Readable	Region Actions

Created Files

Filename	File Size	Hash Values	YARA Match	Actions
c:\windows\infpub.dat	401.13 KB (410760 bytes)	MD5: 1d724f95c61f1055f0d02c2154bbccd3 SHA1: 79116fe99f2b421c52ef64097f0f39b815b20907 SHA256: 579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648		File Actions Show Properties Download
c:\windows\infpub.dat	401.13 KB (410760 bytes)	MD5: c4f26ed277b51ef45fa180be597d96e8 SHA1: e9efc622924fb965d4a14bdb6223834d9a9007e7 SHA256: 14d82a676b63ab046ae94fa5e41f9f69a65dc7946826cb3d74cea6c030c2f958		File Actions Show Properties Download

Host Behavior

File (5)

Operation	Filename	Additional Information	Count	Logfile
Create	C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ifzkkpwij.exe	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Windows\infpub.dat	desired_access = GENERIC_WRITE	1	Fn
Get Info	C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ifzkkpwij.exe	type = size	1	Fn
Read	C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ifzkkpwij.exe	size = 441899, size_out = 441899	1	Fn Data
Write	C:\Windows\infpub.dat	size = 410760	1	Fn Data

Process (1)

Operation	Process	Additional Information	Success	Count	Logfile
Create	C:\Windows\system32\rundll32.exe	os_pid = 0x960, creation_flags = CREATE_NO_WINDOW, show_window = SW_HIDE		1	Fn

Module (2)

Operation	Module	Additional Information	Success	Count	Logfile
Get Handle	c:\users\5p5nrgjn0js halpmcxz\desktop\ifzkkpwij.exe	base_address = 0xff0000		1	Fn
Get Filename	c:\users\5p5nrgjn0js halpmcxz\desktop\ifzkkpwij.exe	process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\ifzkkpwij.exe, file_name_orig = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ifzkkpwij.exe, size = 780		1	Fn

System (1)

Operation	Additional Information	Success	Count	Logfile
Get Info	type = System Directory, result_out = C:\Windows\system32		1	Fn

Process #2: rundll32.exe

(Host: 1167, Network: 25)

Information	Value
ID	#2
File Name	c:\windows\syswow64\rundll32.exe
Command Line	C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
Initial Working Directory	C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor	Start Time: 00:00:14, Reason: Child Process
Unmonitor	End Time: 00:01:50, Reason: Terminated by Timeout
Monitor Duration	00:01:36

OS Process Information

Information	Value
PID	0x960
Parent PID	0x948 (c:\users\5p5nrgjn0js halpmcxz\desktop\ifzkkpwij.exe)
Is Created or Modified Executable
Integrity Level	High (Elevated)
Username	XDUWTFONO\5p5NrGJn0jS HALPmcxz
Groups	XDUWTFONO\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) BUILTIN\Administrators (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, OWNER) BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Logon Session 00000000:0001076e (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID) LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges	SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs	0x 964 0x 968 0x 9AC 0x 9C8 0x 9CC 0x 9D0 0x 9DC 0x A00 0x A04 0x A08 0x A0C 0x A10 0x A14 0x A18

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000020000	0x00020000	0x00026fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000030000	0x00030000	0x00031fff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000030000	0x00030000	0x00031fff	Pagefile Backed Memory	Readable, Writable	Region Actions
apisetschema.dll	0x00040000	0x00040fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x0000000000050000	0x00050000	0x00053fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000060000	0x00060000	0x00060fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000070000	0x00070000	0x00070fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000080000	0x00080000	0x00080fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000090000	0x00090000	0x00090fff	Pagefile Backed Memory	Readable	Region Actions
private_0x00000000000a0000	0x000a0000	0x000affff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x00000000000a0000	0x000a0000	0x000a6fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x00000000000a0000	0x000a0000	0x000affff	Private Memory	Readable, Writable	Region Actions Download Dump
excellr.cab	0x000a0000	0x000affff	Memory Mapped File	Readable, Writable	Region Actions Download Dump
excelmui.xml	0x000a0000	0x000a0fff	Memory Mapped File	Readable, Writable	Region Actions Download Dump
excelmui.xml	0x000a0000	0x000a0fff	Memory Mapped File	Readable, Writable	Region Actions Download Dump
setup.xml	0x000a0000	0x000a0fff	Memory Mapped File	Readable, Writable	Region Actions Download Dump
setup.xml	0x000a0000	0x000a0fff	Memory Mapped File	Readable, Writable	Region Actions Download Dump
powerpointmui.xml	0x000a0000	0x000a0fff	Memory Mapped File	Readable, Writable	Region Actions Download Dump
powerpointmui.xml	0x000a0000	0x000a0fff	Memory Mapped File	Readable, Writable	Region Actions Download Dump
pptlr.cab	0x000a0000	0x000aafff	Memory Mapped File	Readable, Writable	Region Actions Download Dump
setup.xml	0x000a0000	0x000a0fff	Memory Mapped File	Readable, Writable	Region Actions Download Dump
setup.xml	0x000a0000	0x000a0fff	Memory Mapped File	Readable, Writable	Region Actions Download Dump
publishermui.xml	0x000a0000	0x000a0fff	Memory Mapped File	Readable, Writable	Region Actions Download Dump
publishermui.xml	0x000a0000	0x000a0fff	Memory Mapped File	Readable, Writable	Region Actions Download Dump
publr.cab	0x000a0000	0x000affff	Memory Mapped File	Readable, Writable	Region Actions Download Dump
setup.xml	0x000a0000	0x000a0fff	Memory Mapped File	Readable, Writable	Region Actions Download Dump
setup.xml	0x000a0000	0x000a0fff	Memory Mapped File	Readable, Writable	Region Actions Download Dump
outlklr.cab	0x000a0000	0x000a1fff	Memory Mapped File	Readable, Writable	Region Actions Download Dump
outlookmui.xml	0x000a0000	0x000a0fff	Memory Mapped File	Readable, Writable	Region Actions Download Dump
outlookmui.xml	0x000a0000	0x000a0fff	Memory Mapped File	Readable, Writable	Region Actions Download Dump
setup.xml	0x000a0000	0x000a1fff	Memory Mapped File	Readable, Writable	Region Actions Download Dump
setup.xml	0x000a0000	0x000a1fff	Memory Mapped File	Readable, Writable	Region Actions Download Dump
setup.xml	0x000a0000	0x000a0fff	Memory Mapped File	Readable, Writable	Region Actions Download Dump
setup.xml	0x000a0000	0x000a0fff	Memory Mapped File	Readable, Writable	Region Actions Download Dump
wordlr.cab	0x000a0000	0x000a6fff	Memory Mapped File	Readable, Writable	Region Actions Download Dump
wordmui.xml	0x000a0000	0x000a0fff	Memory Mapped File	Readable, Writable	Region Actions Download Dump
wordmui.xml	0x000a0000	0x000a0fff	Memory Mapped File	Readable, Writable	Region Actions Download Dump
proof.cab	0x000a0000	0x000a3fff	Memory Mapped File	Readable, Writable	Region Actions Download Dump
proof.xml	0x000a0000	0x000a0fff	Memory Mapped File	Readable, Writable	Region Actions Download Dump
proof.xml	0x000a0000	0x000a0fff	Memory Mapped File	Readable, Writable	Region Actions Download Dump
proof.cab	0x000a0000	0x000a2fff	Memory Mapped File	Readable, Writable	Region Actions Download Dump
proof.xml	0x000a0000	0x000a0fff	Memory Mapped File	Readable, Writable	Region Actions Download Dump
proof.xml	0x000a0000	0x000a0fff	Memory Mapped File	Readable, Writable	Region Actions Download Dump
proof.cab	0x000a0000	0x000a6fff	Memory Mapped File	Readable, Writable	Region Actions Download Dump
proof.xml	0x000a0000	0x000a0fff	Memory Mapped File	Readable, Writable	Region Actions Download Dump
proof.xml	0x000a0000	0x000a0fff	Memory Mapped File	Readable, Writable	Region Actions Download Dump
proofing.xml	0x000a0000	0x000a0fff	Memory Mapped File	Readable, Writable	Region Actions Download Dump
proofing.xml	0x000a0000	0x000a0fff	Memory Mapped File	Readable, Writable	Region Actions Download Dump
setup.xml	0x000a0000	0x000a1fff	Memory Mapped File	Readable, Writable	Region Actions Download Dump
setup.xml	0x000a0000	0x000a1fff	Memory Mapped File	Readable, Writable	Region Actions Download Dump
office32mui.xml	0x000a0000	0x000a0fff	Memory Mapped File	Readable, Writable	Region Actions Download Dump
office32mui.xml	0x000a0000	0x000a0fff	Memory Mapped File	Readable, Writable	Region Actions Download Dump
owow32lr.cab	0x000a0000	0x000abfff	Memory Mapped File	Readable, Writable	Region Actions Download Dump
setup.xml	0x000a0000	0x000a0fff	Memory Mapped File	Readable, Writable	Region Actions Download Dump
setup.xml	0x000a0000	0x000a0fff	Memory Mapped File	Readable, Writable	Region Actions Download Dump
inflr.cab	0x000a0000	0x000a0fff	Memory Mapped File	Readable, Writable	Region Actions Download Dump
infopathmui.xml	0x000a0000	0x000a0fff	Memory Mapped File	Readable, Writable	Region Actions Download Dump
infopathmui.xml	0x000a0000	0x000a0fff	Memory Mapped File	Readable, Writable	Region Actions Download Dump
setup.xml	0x000a0000	0x000a0fff	Memory Mapped File	Readable, Writable	Region Actions Download Dump
setup.xml	0x000a0000	0x000a0fff	Memory Mapped File	Readable, Writable	Region Actions Download Dump
setup.xml	0x000a0000	0x000a1fff	Memory Mapped File	Readable, Writable	Region Actions Download Dump
setup.xml	0x000a0000	0x000a1fff	Memory Mapped File	Readable, Writable	Region Actions Download Dump
visiolr.cab	0x000a0000	0x000a8fff	Memory Mapped File	Readable, Writable	Region Actions Download Dump
visiomui.xml	0x000a0000	0x000a2fff	Memory Mapped File	Readable, Writable	Region Actions Download Dump
visiomui.xml	0x000a0000	0x000a2fff	Memory Mapped File	Readable, Writable	Region Actions Download Dump
onenotemui.xml	0x000a0000	0x000a0fff	Memory Mapped File	Readable, Writable	Region Actions Download Dump
onenotemui.xml	0x000a0000	0x000a0fff	Memory Mapped File	Readable, Writable	Region Actions Download Dump
onotelr.cab	0x000a0000	0x000a5fff	Memory Mapped File	Readable, Writable	Region Actions Download Dump
setup.xml	0x000a0000	0x000a0fff	Memory Mapped File	Readable, Writable	Region Actions Download Dump
setup.xml	0x000a0000	0x000a0fff	Memory Mapped File	Readable, Writable	Region Actions Download Dump
projectmui.xml	0x000a0000	0x000a0fff	Memory Mapped File	Readable, Writable	Region Actions Download Dump
projectmui.xml	0x000a0000	0x000a0fff	Memory Mapped File	Readable, Writable	Region Actions Download Dump
projlr.cab	0x000a0000	0x000a1fff	Memory Mapped File	Readable, Writable	Region Actions Download Dump
setup.xml	0x000a0000	0x000a0fff	Memory Mapped File	Readable, Writable	Region Actions Download Dump
setup.xml	0x000a0000	0x000a0fff	Memory Mapped File	Readable, Writable	Region Actions Download Dump
groovelr.cab	0x000a0000	0x000a7fff	Memory Mapped File	Readable, Writable	Region Actions Download Dump
groovemui.xml	0x000a0000	0x000a0fff	Memory Mapped File	Readable, Writable	Region Actions Download Dump
groovemui.xml	0x000a0000	0x000a0fff	Memory Mapped File	Readable, Writable	Region Actions Download Dump
setup.xml	0x000a0000	0x000a0fff	Memory Mapped File	Readable, Writable	Region Actions Download Dump
setup.xml	0x000a0000	0x000a0fff	Memory Mapped File	Readable, Writable	Region Actions Download Dump
branding.xml	0x000a0000	0x000a1fff	Memory Mapped File	Readable, Writable	Region Actions Download Dump
officelr.cab	0x000a0000	0x000a9fff	Memory Mapped File	Readable, Writable	Region Actions Download Dump
officemui.xml	0x000a0000	0x000a1fff	Memory Mapped File	Readable, Writable	Region Actions Download Dump
officemui.xml	0x000a0000	0x000a1fff	Memory Mapped File	Readable, Writable	Region Actions Download Dump
officemuiset.xml	0x000a0000	0x000a0fff	Memory Mapped File	Readable, Writable	Region Actions Download Dump
officemuiset.xml	0x000a0000	0x000a0fff	Memory Mapped File	Readable, Writable	Region Actions Download Dump
setup.xml	0x000a0000	0x000a2fff	Memory Mapped File	Readable, Writable	Region Actions Download Dump
setup.xml	0x000a0000	0x000a2fff	Memory Mapped File	Readable, Writable	Region Actions Download Dump
accessmui.xml	0x000a0000	0x000a0fff	Memory Mapped File	Readable, Writable	Region Actions Download Dump
accessmui.xml	0x000a0000	0x000a0fff	Memory Mapped File	Readable, Writable	Region Actions Download Dump
pagefile_0x00000000000b0000	0x000b0000	0x000b6fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x00000000000d0000	0x000d0000	0x0014ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000150000	0x00150000	0x0018ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000190000	0x00190000	0x001cffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000001a0000	0x001a0000	0x001dffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000001f0000	0x001f0000	0x0022ffff	Private Memory	Readable, Writable	Region Actions
rsaenh.dll	0x00230000	0x0026bfff	Memory Mapped File	Readable	Region Actions
rsaenh.dll	0x00230000	0x0026bfff	Memory Mapped File	Readable	Region Actions
private_0x0000000000230000	0x00230000	0x0026ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000290000	0x00290000	0x0038ffff	Private Memory	Readable, Writable	Region Actions
locale.nls	0x00390000	0x003f6fff	Memory Mapped File	Readable	Region Actions
private_0x0000000000400000	0x00400000	0x004fffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000550000	0x00550000	0x0055ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000560000	0x00560000	0x006e7fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000006f0000	0x006f0000	0x00870fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000880000	0x00880000	0x00bc2fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000bd0000	0x00bd0000	0x00caefff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000cb0000	0x00cb0000	0x00ceffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000d00000	0x00d00000	0x00d3ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000d40000	0x00d40000	0x00da7fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000db0000	0x00db0000	0x00e5ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000de0000	0x00de0000	0x00e1ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000e20000	0x00e20000	0x00e5ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000e60000	0x00e60000	0x00e9ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000ea0000	0x00ea0000	0x00edffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000ee0000	0x00ee0000	0x00f1ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000f20000	0x00f20000	0x00f5ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000f70000	0x00f70000	0x00faffff	Private Memory	Readable, Writable	Region Actions
rundll32.exe	0x00fb0000	0x00fbdfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x0000000000fc0000	0x00fc0000	0x023bffff	Pagefile Backed Memory	Readable	Region Actions
private_0x00000000023c0000	0x023c0000	0x0257ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000023c0000	0x023c0000	0x0251ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000023c0000	0x023c0000	0x024bffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000024e0000	0x024e0000	0x0251ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002540000	0x02540000	0x0257ffff	Private Memory	Readable, Writable	Region Actions
sortdefault.nls	0x02580000	0x0284efff	Memory Mapped File	Readable	Region Actions
branding.xml	0x02850000	0x028e1fff	Memory Mapped File	Readable, Writable	Region Actions Download Dump
private_0x0000000002870000	0x02870000	0x028affff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000028b0000	0x028b0000	0x028effff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000002900000	0x02900000	0x0293ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002960000	0x02960000	0x0299ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000029c0000	0x029c0000	0x029fffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002a60000	0x02a60000	0x02a9ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002a80000	0x02a80000	0x02abffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000002ad0000	0x02ad0000	0x02b0ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000002b40000	0x02b40000	0x02b7ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002b90000	0x02b90000	0x02bcffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002bf0000	0x02bf0000	0x02c2ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002c40000	0x02c40000	0x02c7ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000002c80000	0x02c80000	0x03072fff	Pagefile Backed Memory	Readable	Region Actions
publr.cab	0x03240000	0x03bbffff	Memory Mapped File	Readable, Writable	Region Actions Download Dump
owow32lr.cab	0x03240000	0x0350bfff	Memory Mapped File	Readable, Writable	Region Actions Download Dump
projlr.cab	0x03240000	0x03a21fff	Memory Mapped File	Readable, Writable	Region Actions Download Dump
groovelr.cab	0x03240000	0x03627fff	Memory Mapped File	Readable, Writable	Region Actions Download Dump
dwmapi.dll	0x743f0000	0x74402fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
uxtheme.dll	0x74410000	0x7448ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64cpu.dll	0x744a0000	0x744a7fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64win.dll	0x744b0000	0x7450bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64.dll	0x74510000	0x7454efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
mswsock.dll	0x746f0000	0x7472bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rsaenh.dll	0x74760000	0x7479afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptsp.dll	0x747a0000	0x747b5fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
dnsapi.dll	0x747c0000	0x74803fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wshtcpip.dll	0x747c0000	0x747c4fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
dhcpcsvc.dll	0x747d0000	0x747e1fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cscapi.dll	0x74800000	0x7480afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
adsldpc.dll	0x74810000	0x74843fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
dnsapi.dll	0x74830000	0x74873fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
dsauth.dll	0x74850000	0x7485afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
samcli.dll	0x74860000	0x7486efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
dhcpsapi.dll	0x74870000	0x74885fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
adsldpc.dll	0x74880000	0x748b3fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
browcli.dll	0x74890000	0x7489cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wkscli.dll	0x748a0000	0x748aefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
srvcli.dll	0x748b0000	0x748c8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
dsauth.dll	0x748c0000	0x748cafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
netutils.dll	0x748d0000	0x748d8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
samcli.dll	0x748d0000	0x748defff	Memory Mapped File	Readable, Writable, Executable	Region Actions
netapi32.dll	0x748e0000	0x748f0fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
dhcpsapi.dll	0x748e0000	0x748f5fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
mpr.dll	0x74900000	0x74911fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
browcli.dll	0x74900000	0x7490cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wkscli.dll	0x74910000	0x7491efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
winnsi.dll	0x74920000	0x74926fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
srvcli.dll	0x74920000	0x74938fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
iphlpapi.dll	0x74930000	0x7494bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
netutils.dll	0x74940000	0x74948fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
infpub.dat	0x74950000	0x749b7fff	Memory Mapped File	Readable, Writable, Executable	Region Actions Download Dump
netapi32.dll	0x74950000	0x74960fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
mpr.dll	0x74970000	0x74981fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
winnsi.dll	0x74990000	0x74996fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
iphlpapi.dll	0x749a0000	0x749bbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptbase.dll	0x74ac0000	0x74acbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sspicli.dll	0x74ad0000	0x74b2ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x74b30000	0x74b8ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x74ca0000	0x74d9ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
lpk.dll	0x74da0000	0x74da9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x74db0000	0x74e7bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x74e80000	0x74e98fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x74ea0000	0x74f3ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shell32.dll	0x74f40000	0x75b89fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x75ee0000	0x75fcffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
nsi.dll	0x75fd0000	0x75fd5fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
nsi.dll	0x75fd0000	0x75fd5fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shlwapi.dll	0x76070000	0x760c6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
crypt32.dll	0x760d0000	0x761ecfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
crypt32.dll	0x760d0000	0x761ecfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wldap32.dll	0x76280000	0x762c4fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wldap32.dll	0x76280000	0x762c4fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ws2_32.dll	0x762f0000	0x76324fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ws2_32.dll	0x762f0000	0x76324fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x763f0000	0x7647ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
usp10.dll	0x76510000	0x765acfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernelbase.dll	0x765b0000	0x765f5fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x76600000	0x7670ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ole32.dll	0x76710000	0x7686bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ole32.dll	0x76710000	0x7686bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imagehlp.dll	0x76870000	0x76899fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x76a40000	0x76aebfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x0000000076b70000	0x76b70000	0x76c69fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000076c70000	0x76c70000	0x76d8efff	Private Memory	Readable, Writable, Executable	Region Actions
ntdll.dll	0x76d90000	0x76f38fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msasn1.dll	0x76f40000	0x76f4bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msasn1.dll	0x76f40000	0x76f4bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x76f70000	0x770effff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x000000007efa1000	0x7efa1000	0x7efa3fff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efa4000	0x7efa4000	0x7efa6fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007efa7000	0x7efa7000	0x7efa9fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007efaa000	0x7efaa000	0x7efacfff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efad000	0x7efad000	0x7efaffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x000000007efb0000	0x7efb0000	0x7efd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007efd5000	0x7efd5000	0x7efd7fff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efd8000	0x7efd8000	0x7efdafff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efdb000	0x7efdb000	0x7efddfff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efde000	0x7efde000	0x7efdefff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efdf000	0x7efdf000	0x7efdffff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efe0000	0x7efe0000	0x7ffdffff	Private Memory	Readable	Region Actions
pagefile_0x000000007efe0000	0x7efe0000	0x7f0dffff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007f0e0000	0x7f0e0000	0x7ffdffff	Private Memory	Readable	Region Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions
private_0x000000007fff0000	0x7fff0000	0x7fffffeffff	Private Memory	Readable	Region Actions
For performance reasons, the remaining 76 entries are omitted. The remaining entries can be found in flog.txt.

Created Files

Filename	File Size	Hash Values	Actions
c:\windows\cscc.dat	205.70 KB (210632 bytes)	MD5: edb72f4a46c39452d1a5414f7d26454a SHA1: 08f94684e83a27f2414f439975b7f8a6d61fc056 SHA256: 0b2f863f4119dc88a22cc97c0a136c88a0127cb026751303b045f7322a8972f6	File Actions Show Properties Download
c:\windows\dispci.exe	139.50 KB (142848 bytes)	MD5: b14d8faf7f0cbcfad051cefe5f39645f SHA1: afeee8b4acff87bc469a6f0364a81ae5d60a2add SHA256: 8ebc97e05c8e1073bda2efb6f4d00ad7e789260afa2c276f0c72740b838a0a93	File Actions Show Properties Download
c:\windows\41d0.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\windows\41d0.tmp	60.87 KB (62328 bytes)	MD5: 347ac3b6b791054de3e5720a7144a977 SHA1: 413eba3973a15c1a6429d9f170f3e8287f98c21c SHA256: 301b905eb98d8d6bb559c04bbda26628a942b2c4107c07a02e8f753bdcfe347c	File Actions Show Properties Download
c:\windows\41d0.tmp	60.87 KB (62328 bytes)	MD5: c7ca77d847f1802502ef3b9228d388e4 SHA1: 80ab09116d877b924dfec5b6e8eb6d3dde35869e SHA256: fdef2f6da8c5e8002fa5822e8e4fea278fba66c22df9e13b61c8a95c2f9d585f	File Actions Show Properties Download

Modified Files

Filename	File Size	Hash Values	Actions
c:\msocache\all users\{90140000-0016-0409-1000-0000000ff1ce}-c\excellr.cab	10.00 MB (10485760 bytes)	MD5: 87cf3392dfc386ebd494fa4e72b747fc SHA1: f940f7e3770462a4809bad3e995ae46d522190ef SHA256: fa125a9e042003f5443f6c8ac5eb108cd7a5483eab39e1b3b5c059d60215d9e7	File Actions Show Properties Download
c:\msocache\all users\{90140000-0016-0409-1000-0000000ff1ce}-c\excelmui.xml	1.56 KB (1602 bytes)	MD5: a20a768a81afee200bf6db18a3056541 SHA1: 3592d4d77e481c9b7eaa614deeb36e72a994218e SHA256: 448403a1b7ca253b91174d36a3881cc183d2ffeaaa3eed0496d802539538c114	File Actions Show Properties Download
c:\msocache\all users\{90140000-0016-0409-1000-0000000ff1ce}-c\setup.xml	2.28 KB (2338 bytes)	MD5: a5cfdf621750a94cbc0f0719a533eaf4 SHA1: 6e282e3fb7afc487422d73271a729e7e4718a328 SHA256: dfe114759d655205b57f759e89f6da508d36aa1a4a84cee2fc6d743ef2655d40	File Actions Show Properties Download
c:\msocache\all users\{90140000-0018-0409-1000-0000000ff1ce}-c\powerpointmui.xml	1.46 KB (1490 bytes)	MD5: 380dcda4098e62f1f5664921cf6cdd6c SHA1: 0c64f4559ed2f12cf42ee1ff2dd14d806e16ce87 SHA256: 12744847431c8b2fc23c7e47dc6ec275419958ebdbcb39af589eda58dce9ead3	File Actions Show Properties Download
c:\msocache\all users\{90140000-0018-0409-1000-0000000ff1ce}-c\pptlr.cab	10.00 MB (10485760 bytes)	MD5: 43425a50ee06e30dd272c3ff17bb0427 SHA1: 230a74cfbf7ae520dd726174711e0d3533f60fff SHA256: 752cc8c341f4e4d0a6036607a12df396047a4e9f3a461be21dadea54f5de67a3	File Actions Show Properties Download
c:\msocache\all users\{90140000-0018-0409-1000-0000000ff1ce}-c\setup.xml	1.88 KB (1922 bytes)	MD5: be16f68fd043d935ad963ea4c3d736bc SHA1: 3693091b6827d78dd9414a6f485abb53b8edfbca SHA256: e21fac606118ecf75d5a4d1966574895104dd3024f7122339edbabb634cf5d13	File Actions Show Properties Download
c:\msocache\all users\{90140000-0019-0409-1000-0000000ff1ce}-c\publishermui.xml	1.46 KB (1490 bytes)	MD5: cf6fa18c52894350bea091528fc31218 SHA1: 7057c7772d2b3290ddea402ff765e67901afaa63 SHA256: 8f2a61e71446971c5f5010abf0d324222993e7f79e0b3a3a8d6719eb9f3f2546	File Actions Show Properties Download
c:\msocache\all users\{90140000-0019-0409-1000-0000000ff1ce}-c\publr.cab	9.50 MB (9958434 bytes)	MD5: 85a68488be13ebc093b067ea1475ccf4 SHA1: 3fc88da1570badea2c61a9517e06e1a41e51035b SHA256: 7cda2a6ea0faca19b16802165b3a6add583fe06141ee843e5b8c10f89a9106bb	File Actions Show Properties Download
c:\msocache\all users\{90140000-0019-0409-1000-0000000ff1ce}-c\setup.xml	1.61 KB (1650 bytes)	MD5: 146cee28b00dbf679ed697b6f33d6fc0 SHA1: 4b22431fa5e445f6f630e7f8a6b668125c4d3ec3 SHA256: a32fc1e86edbf4a24426684c8700693b511c649ddd36e25090018e00f37e7300	File Actions Show Properties Download
c:\msocache\all users\{90140000-001a-0409-1000-0000000ff1ce}-c\outlklr.cab	10.00 MB (10485760 bytes)	MD5: ea9b20690debbe698df7bcdee8af861e SHA1: 383953c3903f3def7f4a8dfc961b632bc747f58a SHA256: 7a63a991eeae97834d4ee1911ccded08b7f9f47167bb73717551bedd1f3b3071	File Actions Show Properties Download
c:\msocache\all users\{90140000-001a-0409-1000-0000000ff1ce}-c\outlookmui.xml	3.16 KB (3234 bytes)	MD5: 3db069e923ed265020abbe0aeeb20516 SHA1: dde8ecfc4f9d094feb2e9b831193fcc4cddb98da SHA256: 73c778eb6570c7c49aa0c5fc4b3b246f6bc335819cacd7f68716be0384068d9a	File Actions Show Properties Download
c:\msocache\all users\{90140000-001a-0409-1000-0000000ff1ce}-c\setup.xml	4.14 KB (4242 bytes)	MD5: 4bde0423f361b421519b65c28bde6cc2 SHA1: 4e05353ba59608761c42ab503768718fd4ea9d0e SHA256: 87f2dc684dbabea1b50206f66acef5d1164deb93327b6cb03201e9f0b4e4735a	File Actions Show Properties Download
c:\msocache\all users\{90140000-001b-0409-1000-0000000ff1ce}-c\setup.xml	2.41 KB (2466 bytes)	MD5: 2c56ebeae266b0945b278f8cb01732c8 SHA1: b29ffe456e5fb9ed0f8e90effbf30fc96862b153 SHA256: ffe497bab3fb4bd8401b6ded8d9f23d3bd07ac5d3ee0489ffa4f06254a053264	File Actions Show Properties Download
c:\msocache\all users\{90140000-001b-0409-1000-0000000ff1ce}-c\wordlr.cab	10.00 MB (10485760 bytes)	MD5: 8ab2632c2d433efc3b75df58f9d73dae SHA1: 2d627a56bd4283688e4c69c4b418010b0c7d1820 SHA256: 0a0c05a8af443700679eef4db9d19a12a22e19342bc56351be4738eb7f17f3d9	File Actions Show Properties Download
c:\msocache\all users\{90140000-001b-0409-1000-0000000ff1ce}-c\wordmui.xml	1.80 KB (1842 bytes)	MD5: 5b5f9cedbc03caf54b38039ff2b1487b SHA1: fea2f54353593e4d88887393b651fdbb3ba79324 SHA256: 425d33325b790e9ad234441f1a2adc245d397f19f07bbf53c6b53282c443cb8a	File Actions Show Properties Download
c:\msocache\all users\{90140000-002c-0409-1000-0000000ff1ce}-c\proof.en\proof.cab	10.00 MB (10485760 bytes)	MD5: b7ed442d187f7892bc057b6004e83599 SHA1: cf0239dd6407ffb1bfaff75c154e5b6ff261be74 SHA256: e50f152da6840a55a0f185499b2381bac2668aa38a61d70ac191cc8f456025e0	File Actions Show Properties Download
c:\msocache\all users\{90140000-002c-0409-1000-0000000ff1ce}-c\proof.en\proof.xml	1.36 KB (1394 bytes)	MD5: 15153c4f2a05f30d0283700f557c85d2 SHA1: 49e02205a4b52d394ff129472c75f31f24be11bd SHA256: 5135fa2425ba2cdff867dc297ca432bcaef9bf0c3755c1304e4a661767f36607	File Actions Show Properties Download
c:\msocache\all users\{90140000-002c-0409-1000-0000000ff1ce}-c\proof.es\proof.cab	10.00 MB (10485760 bytes)	MD5: 01522cc818e3cb5c1f88f0af6b71d2a9 SHA1: 89ab8491fb830a0e1f96fa654820c80e3853e31a SHA256: 72245180f2d45a7ff7fad89fda1cd0bf4aea2bc5f1467c58b56ecb83c86c146f	File Actions Show Properties Download
c:\msocache\all users\{90140000-002c-0409-1000-0000000ff1ce}-c\proof.es\proof.xml	1.47 KB (1506 bytes)	MD5: 3b30045ad6c97ff866342decbf09ab28 SHA1: 4bba2d45d8bca9bc168ca55f74d02c80eaaf6828 SHA256: a44f1691b44e6bd338b74ddaad4a6be3ec62789882a1cf42a53d6a97ba611c09	File Actions Show Properties Download
c:\msocache\all users\{90140000-002c-0409-1000-0000000ff1ce}-c\proof.fr\proof.cab	10.00 MB (10485760 bytes)	MD5: 0335234c7c545ba002aeb3df922f7686 SHA1: 04a74035ae437f4fc5aaad4eb15931f65853e82b SHA256: 669e004f14ac15858414dffdc0d4002a2fc54621f1b1ce33ae0c72ff26edd29a	File Actions Show Properties Download
c:\msocache\all users\{90140000-002c-0409-1000-0000000ff1ce}-c\proof.fr\proof.xml	1.47 KB (1506 bytes)	MD5: d4ea0313aa839edf612c9ee1b33b92c5 SHA1: 54de0ac01c3d5567499e29454eedaa473ed79d93 SHA256: 882b5924b55e8ee500f7aff61a11abea43771ea12cc474a714ccfb8255ab2343	File Actions Show Properties Download
c:\msocache\all users\{90140000-002c-0409-1000-0000000ff1ce}-c\proofing.xml	0.83 KB (850 bytes)	MD5: f570a344598fb3126736a6ed636f069d SHA1: 8333909319182a2e880bb757ec6498650fa81889 SHA256: 1fd1b9d62a4c31ce9bbccc238b5c2968b64a6124a8c6fe1934ea7820326e0614	File Actions Show Properties Download
c:\msocache\all users\{90140000-002c-0409-1000-0000000ff1ce}-c\setup.xml	5.78 KB (5922 bytes)	MD5: aad695e82a73aba6565adf1251f3bb6b SHA1: 0d863f3a8d023547553c16663170df3dc63c2a79 SHA256: fa6379ddcc35d29cd142c0a68bc6fb0289ced7fcea8bd8328a544e7d3d5472c4	File Actions Show Properties Download
c:\msocache\all users\{90140000-0043-0409-1000-0000000ff1ce}-c\office32mui.xml	1.39 KB (1426 bytes)	MD5: 5c46b16a535150be984a13005a582bb1 SHA1: ea8a7e2020fe6c3fb672596a0d13c548e6660dae SHA256: f2f29f4820305a8e6f1d233b87212df1f9deb506b6050090b4a5cca29f7872d9	File Actions Show Properties Download
c:\msocache\all users\{90140000-0043-0409-1000-0000000ff1ce}-c\owow32lr.cab	2.79 MB (2928994 bytes)	MD5: 53dff27d197fac5fec615fd204378274 SHA1: 724edbe96e984e05486c8f051f3f3cd7b4f50252 SHA256: 034a8515267cffff2909d9d2c241aa7b63d1f1b9298f5c97b928830fc4003e4c	File Actions Show Properties Download
c:\msocache\all users\{90140000-0043-0409-1000-0000000ff1ce}-c\setup.xml	2.35 KB (2402 bytes)	MD5: 938647548a6e4b74ea13e78465570a88 SHA1: 72117b74130db120ea4631d81f05ba317719856f SHA256: bc8e71a789537b982077972a1d3cf2d5cf548e2c0d584e262198198d53398f23	File Actions Show Properties Download
c:\msocache\all users\{90140000-0044-0409-1000-0000000ff1ce}-c\inflr.cab	10.00 MB (10485760 bytes)	MD5: b1942518b15f0af4b81329b96a4cd97b SHA1: cd1bcdf2dcea0c11a73203fb61387fb5b20a33ec SHA256: eea2e87a37f7f432cb7761a90407d1ec10abb4311e59d8361e55a214cc97e546	File Actions Show Properties Download
c:\msocache\all users\{90140000-0044-0409-1000-0000000ff1ce}-c\infopathmui.xml	1.24 KB (1266 bytes)	MD5: 180f8b1fde6c589a1c9e529a8dedfb42 SHA1: 885f800cd0d0904b4dac55a6c9b840ac34ca1b09 SHA256: 614c51f1e9a2760f1f308724e5520d61749aaf8e3e282244bad26a4031e1aa47	File Actions Show Properties Download
c:\msocache\all users\{90140000-0044-0409-1000-0000000ff1ce}-c\setup.xml	1.85 KB (1890 bytes)	MD5: fe2c346594a0317e1cd552fbb55709fa SHA1: e2afd9514e47e3708d68d5d7e0cb22cf348cde99 SHA256: 18d690cf2acfd0f7b7cfcd994563e5ed40e2e1fae7466a8a6b8a372205c62195	File Actions Show Properties Download
c:\msocache\all users\{90140000-0054-0409-1000-0000000ff1ce}-c\setup.xml	6.14 KB (6290 bytes)	MD5: f11d38f5e08ff6023b55931f8836aee0 SHA1: 728d5d4529be7a2e640df048a134f345c46b20d4 SHA256: 88745aa40fb3f942c8df5b10a58eb80f95f8fdac2afb828962b8de98949dd55c	File Actions Show Properties Download
c:\msocache\all users\{90140000-0054-0409-1000-0000000ff1ce}-c\visiolr.cab	6.43 MB (6737708 bytes)	MD5: 8a0831714fbd219ad2cc0411a7666ae3 SHA1: 3aa7f94dc84e5db74d8a202deb652c5811f18a2d SHA256: c5ba50319cf18e9e9c71ca4c724a6ea66676c9138efe8cd2b2ce59c920c7c8f7	File Actions Show Properties Download

Host Behavior

File (118)

Operation	Filename	Additional Information	Count	Logfile
Create	C:\Windows\infpub.dat	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Windows\infpub.dat	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Windows\infpub.dat	desired_access = GENERIC_WRITE	1	Fn
Create	C:\Windows\cscc.dat	desired_access = GENERIC_WRITE	1	Fn
Create	C:\Windows\dispci.exe	desired_access = GENERIC_WRITE	1	Fn
Create	C:\Windows\41D0.tmp	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_HIDDEN	2	Fn
Create	C:\BOOTSECT.BAK	desired_access = GENERIC_WRITE, GENERIC_READ	1	Fn
Create	C:\MSOCache\All Users\{90140000-0016-0409-1000-0000000FF1CE}-C\ExcelLR.cab	desired_access = GENERIC_WRITE, GENERIC_READ	1	Fn
Create	C:\MSOCache\All Users\{90140000-0016-0409-1000-0000000FF1CE}-C\ExcelMUI.xml	desired_access = GENERIC_WRITE, GENERIC_READ	1	Fn
Create	C:\MSOCache\All Users\{90140000-0016-0409-1000-0000000FF1CE}-C\Setup.xml	desired_access = GENERIC_WRITE, GENERIC_READ	1	Fn
Create	C:\MSOCache\All Users\{90140000-0018-0409-1000-0000000FF1CE}-C\PowerPointMUI.xml	desired_access = GENERIC_WRITE, GENERIC_READ	1	Fn
Create	C:\MSOCache\All Users\{90140000-0018-0409-1000-0000000FF1CE}-C\PptLR.cab	desired_access = GENERIC_WRITE, GENERIC_READ	1	Fn
Create	C:\MSOCache\All Users\{90140000-0018-0409-1000-0000000FF1CE}-C\Setup.xml	desired_access = GENERIC_WRITE, GENERIC_READ	1	Fn
Create	C:\MSOCache\All Users\{90140000-0019-0409-1000-0000000FF1CE}-C\PublisherMUI.xml	desired_access = GENERIC_WRITE, GENERIC_READ	1	Fn
Create	C:\MSOCache\All Users\{90140000-0019-0409-1000-0000000FF1CE}-C\PubLR.cab	desired_access = GENERIC_WRITE, GENERIC_READ	1	Fn
Create	C:\MSOCache\All Users\{90140000-0019-0409-1000-0000000FF1CE}-C\Setup.xml	desired_access = GENERIC_WRITE, GENERIC_READ	1	Fn
Create	C:\MSOCache\All Users\{90140000-001A-0409-1000-0000000FF1CE}-C\OutlkLR.cab	desired_access = GENERIC_WRITE, GENERIC_READ	1	Fn
Create	C:\MSOCache\All Users\{90140000-001A-0409-1000-0000000FF1CE}-C\OutlookMUI.xml	desired_access = GENERIC_WRITE, GENERIC_READ	1	Fn
Create	C:\MSOCache\All Users\{90140000-001A-0409-1000-0000000FF1CE}-C\Setup.xml	desired_access = GENERIC_WRITE, GENERIC_READ	1	Fn
Create	C:\MSOCache\All Users\{90140000-001B-0409-1000-0000000FF1CE}-C\Setup.xml	desired_access = GENERIC_WRITE, GENERIC_READ	1	Fn
Create	C:\MSOCache\All Users\{90140000-001B-0409-1000-0000000FF1CE}-C\WordLR.cab	desired_access = GENERIC_WRITE, GENERIC_READ	1	Fn
Create	C:\MSOCache\All Users\{90140000-001B-0409-1000-0000000FF1CE}-C\WordMUI.xml	desired_access = GENERIC_WRITE, GENERIC_READ	1	Fn
Create	C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.en\Proof.cab	desired_access = GENERIC_WRITE, GENERIC_READ	1	Fn
Create	C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.en\Proof.xml	desired_access = GENERIC_WRITE, GENERIC_READ	1	Fn
Create	C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.es\Proof.cab	desired_access = GENERIC_WRITE, GENERIC_READ	1	Fn
Create	C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.es\Proof.xml	desired_access = GENERIC_WRITE, GENERIC_READ	1	Fn
Create	C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.fr\Proof.cab	desired_access = GENERIC_WRITE, GENERIC_READ	1	Fn
Create	C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.fr\Proof.xml	desired_access = GENERIC_WRITE, GENERIC_READ	1	Fn
Create	C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proofing.xml	desired_access = GENERIC_WRITE, GENERIC_READ	1	Fn
Create	C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Setup.xml	desired_access = GENERIC_WRITE, GENERIC_READ	1	Fn
Create	C:\MSOCache\All Users\{90140000-0043-0409-1000-0000000FF1CE}-C\Office32MUI.xml	desired_access = GENERIC_WRITE, GENERIC_READ	1	Fn
Create	C:\MSOCache\All Users\{90140000-0043-0409-1000-0000000FF1CE}-C\OWOW32LR.cab	desired_access = GENERIC_WRITE, GENERIC_READ	1	Fn
Create	C:\MSOCache\All Users\{90140000-0043-0409-1000-0000000FF1CE}-C\Setup.xml	desired_access = GENERIC_WRITE, GENERIC_READ	1	Fn
Create	C:\MSOCache\All Users\{90140000-0044-0409-1000-0000000FF1CE}-C\InfLR.cab	desired_access = GENERIC_WRITE, GENERIC_READ	1	Fn
Create	C:\MSOCache\All Users\{90140000-0044-0409-1000-0000000FF1CE}-C\InfoPathMUI.xml	desired_access = GENERIC_WRITE, GENERIC_READ	1	Fn
Create	C:\MSOCache\All Users\{90140000-0044-0409-1000-0000000FF1CE}-C\Setup.xml	desired_access = GENERIC_WRITE, GENERIC_READ	1	Fn
Create	C:\MSOCache\All Users\{90140000-0054-0409-1000-0000000FF1CE}-C\Setup.xml	desired_access = GENERIC_WRITE, GENERIC_READ	1	Fn
Create	C:\MSOCache\All Users\{90140000-0054-0409-1000-0000000FF1CE}-C\VisioLR.cab	desired_access = GENERIC_WRITE, GENERIC_READ	1	Fn
Create	C:\MSOCache\All Users\{90140000-0054-0409-1000-0000000FF1CE}-C\VisioMUI.xml	desired_access = GENERIC_WRITE, GENERIC_READ	1	Fn
Create	C:\MSOCache\All Users\{90140000-00A1-0409-1000-0000000FF1CE}-C\OneNoteMUI.xml	desired_access = GENERIC_WRITE, GENERIC_READ	1	Fn
Create	C:\MSOCache\All Users\{90140000-00A1-0409-1000-0000000FF1CE}-C\OnoteLR.cab	desired_access = GENERIC_WRITE, GENERIC_READ	1	Fn
Create	C:\MSOCache\All Users\{90140000-00A1-0409-1000-0000000FF1CE}-C\Setup.xml	desired_access = GENERIC_WRITE, GENERIC_READ	1	Fn
Create	C:\MSOCache\All Users\{90140000-00B4-0409-1000-0000000FF1CE}-C\ProjectMUI.xml	desired_access = GENERIC_WRITE, GENERIC_READ	1	Fn
Create	C:\MSOCache\All Users\{90140000-00B4-0409-1000-0000000FF1CE}-C\ProjLR.cab	desired_access = GENERIC_WRITE, GENERIC_READ	1	Fn
Create	C:\MSOCache\All Users\{90140000-00B4-0409-1000-0000000FF1CE}-C\Setup.xml	desired_access = GENERIC_WRITE, GENERIC_READ	1	Fn
Create	C:\MSOCache\All Users\{90140000-00BA-0409-1000-0000000FF1CE}-C\GrooveLR.cab	desired_access = GENERIC_WRITE, GENERIC_READ	1	Fn
Create	C:\MSOCache\All Users\{90140000-00BA-0409-1000-0000000FF1CE}-C\GrooveMUI.xml	desired_access = GENERIC_WRITE, GENERIC_READ	1	Fn
Create	C:\MSOCache\All Users\{90140000-00BA-0409-1000-0000000FF1CE}-C\Setup.xml	desired_access = GENERIC_WRITE, GENERIC_READ	1	Fn
Create	C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C\branding.xml	desired_access = GENERIC_WRITE, GENERIC_READ	1	Fn
Create	C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C\OfficeLR.cab	desired_access = GENERIC_WRITE, GENERIC_READ	1	Fn
Create	C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C\OfficeMUI.xml	desired_access = GENERIC_WRITE, GENERIC_READ	1	Fn
Create	C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C\OfficeMUISet.xml	desired_access = GENERIC_WRITE, GENERIC_READ	1	Fn
Create	C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C\Setup.xml	desired_access = GENERIC_WRITE, GENERIC_READ	1	Fn
Create	C:\MSOCache\All Users\{90140000-0117-0409-1000-0000000FF1CE}-C\Access.en-us\AccessMUI.xml	desired_access = GENERIC_WRITE, GENERIC_READ	1	Fn
Create	C:\MSOCache\All Users\{90140000-0117-0409-1000-0000000FF1CE}-C\Access.en-us\AccLR.cab	desired_access = GENERIC_WRITE, GENERIC_READ	1	Fn
Create Temp File	C:\Windows\41D0.tmp	path = C:\Windows\	1	Fn
Create Pipe	\device\namedpipe\{2fdfcf81-bd74-41c3-9115-f628925cc568}	open_mode = PIPE_ACCESS_INBOUND, PIPE_ACCESS_OUTBOUND, pipe_mode = PIPE_READMODE_MESSAGE, PIPE_TYPE_MESSAGE, max_instances = 1	2	Fn
Get Info	C:\Windows\infpub.dat	type = size	1	Fn
Get Info	C:\Windows\infpub.dat	type = size	1	Fn
Get Info	C:\MSOCache\All Users\{90140000-0016-0409-1000-0000000FF1CE}-C\ExcelLR.cab	type = size, size_out = 16972987	1	Fn
Get Info	C:\MSOCache\All Users\{90140000-0016-0409-1000-0000000FF1CE}-C\ExcelMUI.xml	type = size, size_out = 1565	1	Fn
Get Info	C:\MSOCache\All Users\{90140000-0016-0409-1000-0000000FF1CE}-C\Setup.xml	type = size, size_out = 2296	1	Fn
Get Info	C:\MSOCache\All Users\{90140000-0018-0409-1000-0000000FF1CE}-C\PowerPointMUI.xml	type = size, size_out = 1450	1	Fn
Get Info	C:\MSOCache\All Users\{90140000-0018-0409-1000-0000000FF1CE}-C\PptLR.cab	type = size, size_out = 70361744	1	Fn
Get Info	C:\MSOCache\All Users\{90140000-0018-0409-1000-0000000FF1CE}-C\Setup.xml	type = size, size_out = 1886	1	Fn
Get Info	C:\MSOCache\All Users\{90140000-0019-0409-1000-0000000FF1CE}-C\PublisherMUI.xml	type = size, size_out = 1450	1	Fn
Get Info	C:\MSOCache\All Users\{90140000-0019-0409-1000-0000000FF1CE}-C\PubLR.cab	type = size, size_out = 9958388	1	Fn
Get Info	C:\MSOCache\All Users\{90140000-0019-0409-1000-0000000FF1CE}-C\Setup.xml	type = size, size_out = 1608	1	Fn
Get Info	C:\MSOCache\All Users\{90140000-001A-0409-1000-0000000FF1CE}-C\OutlkLR.cab	type = size, size_out = 14819276	1	Fn
Get Info	C:\MSOCache\All Users\{90140000-001A-0409-1000-0000000FF1CE}-C\OutlookMUI.xml	type = size, size_out = 3186	1	Fn
Get Info	C:\MSOCache\All Users\{90140000-001A-0409-1000-0000000FF1CE}-C\Setup.xml	type = size, size_out = 4207	1	Fn
Get Info	C:\MSOCache\All Users\{90140000-001B-0409-1000-0000000FF1CE}-C\Setup.xml	type = size, size_out = 2424	1	Fn
Get Info	C:\MSOCache\All Users\{90140000-001B-0409-1000-0000000FF1CE}-C\WordLR.cab	type = size, size_out = 43806141	1	Fn
Get Info	C:\MSOCache\All Users\{90140000-001B-0409-1000-0000000FF1CE}-C\WordMUI.xml	type = size, size_out = 1800	1	Fn
Get Info	C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.en\Proof.cab	type = size, size_out = 11482605	1	Fn
Get Info	C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.en\Proof.xml	type = size, size_out = 1347	1	Fn
Get Info	C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.es\Proof.cab	type = size, size_out = 13642474	1	Fn
Get Info	C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.es\Proof.xml	type = size, size_out = 1457	1	Fn
Get Info	C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.fr\Proof.cab	type = size, size_out = 21064532	1	Fn
Get Info	C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.fr\Proof.xml	type = size, size_out = 1458	1	Fn
Get Info	C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proofing.xml	type = size, size_out = 811	1	Fn
Get Info	C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Setup.xml	type = size, size_out = 5884	1	Fn
Get Info	C:\MSOCache\All Users\{90140000-0043-0409-1000-0000000FF1CE}-C\Office32MUI.xml	type = size, size_out = 1383	1	Fn
Get Info	C:\MSOCache\All Users\{90140000-0043-0409-1000-0000000FF1CE}-C\OWOW32LR.cab	type = size, size_out = 2928955	1	Fn
Get Info	C:\MSOCache\All Users\{90140000-0043-0409-1000-0000000FF1CE}-C\Setup.xml	type = size, size_out = 2362	1	Fn
Get Info	C:\MSOCache\All Users\{90140000-0044-0409-1000-0000000FF1CE}-C\InfLR.cab	type = size, size_out = 18874884	1	Fn
Get Info	C:\MSOCache\All Users\{90140000-0044-0409-1000-0000000FF1CE}-C\InfoPathMUI.xml	type = size, size_out = 1231	1	Fn
Get Info	C:\MSOCache\All Users\{90140000-0044-0409-1000-0000000FF1CE}-C\Setup.xml	type = size, size_out = 1852	1	Fn
Get Info	C:\MSOCache\All Users\{90140000-0054-0409-1000-0000000FF1CE}-C\Setup.xml	type = size, size_out = 6241	1	Fn
Get Info	C:\MSOCache\All Users\{90140000-0054-0409-1000-0000000FF1CE}-C\VisioLR.cab	type = size, size_out = 50823389	1	Fn
Get Info	C:\MSOCache\All Users\{90140000-0054-0409-1000-0000000FF1CE}-C\VisioMUI.xml	type = size, size_out = 9503	1	Fn
Get Info	C:\MSOCache\All Users\{90140000-00A1-0409-1000-0000000FF1CE}-C\OneNoteMUI.xml	type = size, size_out = 1606	1	Fn
Get Info	C:\MSOCache\All Users\{90140000-00A1-0409-1000-0000000FF1CE}-C\OnoteLR.cab	type = size, size_out = 17456632	1	Fn
Get Info	C:\MSOCache\All Users\{90140000-00A1-0409-1000-0000000FF1CE}-C\Setup.xml	type = size, size_out = 1988	1	Fn
Get Info	C:\MSOCache\All Users\{90140000-00B4-0409-1000-0000000FF1CE}-C\ProjectMUI.xml	type = size, size_out = 1452	1	Fn
Get Info	C:\MSOCache\All Users\{90140000-00B4-0409-1000-0000000FF1CE}-C\ProjLR.cab	type = size, size_out = 8265165	1	Fn
Get Info	C:\MSOCache\All Users\{90140000-00B4-0409-1000-0000000FF1CE}-C\Setup.xml	type = size, size_out = 1872	1	Fn
Get Info	C:\MSOCache\All Users\{90140000-00BA-0409-1000-0000000FF1CE}-C\GrooveLR.cab	type = size, size_out = 4095519	1	Fn
Get Info	C:\MSOCache\All Users\{90140000-00BA-0409-1000-0000000FF1CE}-C\GrooveMUI.xml	type = size, size_out = 913	1	Fn
Get Info	C:\MSOCache\All Users\{90140000-00BA-0409-1000-0000000FF1CE}-C\Setup.xml	type = size, size_out = 1452	1	Fn
Get Info	C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C\branding.xml	type = size, size_out = 596341	1	Fn
Get Info	C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C\OfficeLR.cab	type = size, size_out = 14127746	1	Fn
Get Info	C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C\OfficeMUI.xml	type = size, size_out = 5557	1	Fn
Get Info	C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C\OfficeMUISet.xml	type = size, size_out = 819	1	Fn
Get Info	C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C\Setup.xml	type = size, size_out = 9352	1	Fn
Get Info	C:\MSOCache\All Users\{90140000-0117-0409-1000-0000000FF1CE}-C\Access.en-us\AccessMUI.xml	type = size, size_out = 1349	1	Fn
Get Info	C:\MSOCache\All Users\{90140000-0117-0409-1000-0000000FF1CE}-C\Access.en-us\AccLR.cab	type = size, size_out = 28016276	1	Fn
Read	C:\Windows\infpub.dat	size = 410760, size_out = 410760	1	Fn Data
Read	-	size = 82, size_out = 82	1	Fn Data
Write	C:\Windows\infpub.dat	size = 410760	1	Fn Data
Write	C:\Windows\cscc.dat	size = 210632	1	Fn Data
Write	C:\Windows\dispci.exe	size = 142848	1	Fn Data
Write	C:\Windows\41D0.tmp	size = 62328	2	Fn Data
Delete	C:\Windows\infpub.dat	-	1	Fn
Delete	C:\Windows\41D0.tmp	-	1	Fn

Registry (9)

Operation	Key	Additional Information	Count	Logfile
Open Key	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{71A27CDD-812A-11D0-BEC7-08002BE2092F}	-	1	Fn
Open Key	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E965-E325-11CE-BFC1-08002BE10318}	-	1	Fn
Open Key	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CrashControl	-	1	Fn
Read Value	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{71A27CDD-812A-11D0-BEC7-08002BE2092F}	value_name = LowerFilters, data = 1632268, type = REG_MULTI_SZ	1	Fn
Read Value	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E965-E325-11CE-BFC1-08002BE10318}	value_name = UpperFilters, data = 99, type = REG_NONE	1	Fn
Read Value	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CrashControl	value_name = DumpFilters, data = 1632268, type = REG_MULTI_SZ	1	Fn
Write Value	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{71A27CDD-812A-11D0-BEC7-08002BE2092F}	value_name = LowerFilters, data = 1632268, size = 44, type = REG_MULTI_SZ	1	Fn
Write Value	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E965-E325-11CE-BFC1-08002BE10318}	value_name = UpperFilters, data = 1632268, size = 12, type = REG_MULTI_SZ	1	Fn
Write Value	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CrashControl	value_name = DumpFilters, data = 1632268, size = 36, type = REG_MULTI_SZ	1	Fn

Process (6)

Operation	Process	Additional Information	Count	Logfile
Create	C:\Windows\system32\cmd.exe	os_pid = 0x974, creation_flags = CREATE_NO_WINDOW, show_window = SW_HIDE	1	Fn
Create	C:\Windows\system32\cmd.exe	os_pid = 0x998, creation_flags = CREATE_NO_WINDOW, show_window = SW_HIDE	1	Fn
Create	C:\Windows\system32\cmd.exe	os_pid = 0x9b0, creation_flags = CREATE_NO_WINDOW, show_window = SW_HIDE	1	Fn
Create	C:\Windows\41D0.tmp	os_pid = 0x9d4, creation_flags = CREATE_NO_WINDOW, show_window = SW_HIDE	1	Fn
Create	C:\Windows\system32\cmd.exe	os_pid = 0xa38, creation_flags = CREATE_NO_WINDOW, show_window = SW_HIDE	1	Fn
Create	C:\Windows\system32\cmd.exe	os_pid = 0xa84, creation_flags = CREATE_NO_WINDOW, show_window = SW_HIDE	1	Fn

Module (412)

Operation	Module	Additional Information	Count	Logfile
Load	KERNEL32.dll	base_address = 0x76600000	1	Fn
Load	USER32.dll	base_address = 0x74ca0000	1	Fn
Load	ADVAPI32.dll	base_address = 0x74ea0000	1	Fn
Load	SHELL32.dll	base_address = 0x74f40000	1	Fn
Load	ole32.dll	base_address = 0x76710000	1	Fn
Load	CRYPT32.dll	base_address = 0x760d0000	1	Fn
Load	SHLWAPI.dll	base_address = 0x76070000	1	Fn
Load	IPHLPAPI.DLL	base_address = 0x749a0000	1	Fn
Load	WS2_32.dll	base_address = 0x762f0000	1	Fn
Load	MPR.dll	base_address = 0x74970000	1	Fn
Load	NETAPI32.dll	base_address = 0x74950000	1	Fn
Load	DHCPSAPI.DLL	base_address = 0x748e0000	1	Fn
Load	msvcrt.dll	base_address = 0x76a40000	1	Fn
Load	iphlpapi.dll	base_address = 0x749a0000	1	Fn
Get Handle	c:\windows\syswow64\kernel32.dll	base_address = 0x76600000	3	Fn
Get Filename	-	process_name = c:\windows\syswow64\rundll32.exe, file_name_orig = C:\Windows\infpub.dat, size = 780	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = InterlockedExchange, address_out = 0x76611462	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetTempFileNameW, address_out = 0x7663d1b6	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = PeekNamedPipe, address_out = 0x76694821	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CreateProcessW, address_out = 0x7661103d	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = ConnectNamedPipe, address_out = 0x766940fb	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetModuleHandleW, address_out = 0x766134b0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CreateNamedPipeW, address_out = 0x7669414b	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = TerminateThread, address_out = 0x76617a2f	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = DisconnectNamedPipe, address_out = 0x766941df	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = DeleteFileW, address_out = 0x766189b3	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GlobalAlloc, address_out = 0x7661588e	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetComputerNameExW, address_out = 0x7663bb9e	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GlobalFree, address_out = 0x76615558	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = ExitProcess, address_out = 0x76617a10	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetModuleFileNameW, address_out = 0x76614950	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = DisableThreadLibraryCalls, address_out = 0x766148e5	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = ResumeThread, address_out = 0x766143ef	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CreateMutexW, address_out = 0x7661424c	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = FindResourceW, address_out = 0x76615971	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = FindNextFileW, address_out = 0x766154ee	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetComputerNameW, address_out = 0x7661dd0e	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetCurrentThread, address_out = 0x766117ec	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = OpenProcess, address_out = 0x76611986	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = SizeofResource, address_out = 0x76615ac9	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = TerminateProcess, address_out = 0x7662d802	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetLocalTime, address_out = 0x76615aa6	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = Process32FirstW, address_out = 0x76638baf	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = LockResource, address_out = 0x76615959	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = Process32NextW, address_out = 0x7663896c	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CreateToolhelp32Snapshot, address_out = 0x7663735f	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetCurrentProcessId, address_out = 0x766111f8	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = LoadLibraryA, address_out = 0x766149d7	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = VirtualProtect, address_out = 0x7661435f	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetSystemTimeAsFileTime, address_out = 0x76613509	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = WideCharToMultiByte, address_out = 0x7661170d	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetExitCodeProcess, address_out = 0x7662174d	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetModuleHandleA, address_out = 0x76611245	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = InitializeCriticalSection, address_out = 0x76fa2c42	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = HeapReAlloc, address_out = 0x76fb1f6e	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = EnterCriticalSection, address_out = 0x76f922b0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = SetLastError, address_out = 0x766111a9	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = LeaveCriticalSection, address_out = 0x76f92270	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetTickCount, address_out = 0x7661110c	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = MultiByteToWideChar, address_out = 0x7661192e	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetSystemInfo, address_out = 0x766149ca	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CreateEventW, address_out = 0x7661183e	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CreateFileMappingW, address_out = 0x76611909	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = FindClose, address_out = 0x76614442	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetFileSizeEx, address_out = 0x766159e2	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetEnvironmentVariableW, address_out = 0x76611b48	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = FlushFileBuffers, address_out = 0x7661469b	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = FlushViewOfFile, address_out = 0x7663b909	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetLogicalDrives, address_out = 0x76615371	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = SetEvent, address_out = 0x766116c5	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = WaitForSingleObject, address_out = 0x76611136	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = SetFilePointerEx, address_out = 0x7662c807	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = SetEndOfFile, address_out = 0x7662ce2e	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetDriveTypeW, address_out = 0x7661418b	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = UnmapViewOfFile, address_out = 0x76611826	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = MapViewOfFile, address_out = 0x766118f1	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = FindFirstFileW, address_out = 0x76614435	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = LocalFree, address_out = 0x76612d3c	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = LocalAlloc, address_out = 0x7661168c	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetTimeZoneInformation, address_out = 0x7661465a	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetSystemDefaultLCID, address_out = 0x766132a9	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = HeapAlloc, address_out = 0x76f9e026	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = VirtualAlloc, address_out = 0x76611856	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetProcAddress, address_out = 0x76611222	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = ReadFile, address_out = 0x76613ed3	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetVersionExW, address_out = 0x76611ae5	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = LoadLibraryW, address_out = 0x7661492b	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = WriteFile, address_out = 0x76611282	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = VirtualFree, address_out = 0x7661186e	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetCurrentProcess, address_out = 0x76611809	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = FreeLibrary, address_out = 0x766134c8	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetFileSize, address_out = 0x7661196e	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CloseHandle, address_out = 0x76611410	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CreateFileW, address_out = 0x76613f5c	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetVersion, address_out = 0x76614467	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetLastError, address_out = 0x766111c0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = ExpandEnvironmentStringsW, address_out = 0x76614173	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = lstrcatW, address_out = 0x7663828e	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = WaitForMultipleObjects, address_out = 0x76614220	2	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CreateThread, address_out = 0x766134d5	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = Sleep, address_out = 0x766110ff	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetSystemDirectoryW, address_out = 0x76615063	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetProcessHeap, address_out = 0x766114e9	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = HeapFree, address_out = 0x766114c9	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = LoadResource, address_out = 0x7661594c	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = ExitWindowsEx, address_out = 0x74d01497	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = GetSystemMetrics, address_out = 0x74cb7d2f	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = CharUpperW, address_out = 0x74cbf350	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = wsprintfW, address_out = 0x74cde061	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = wsprintfA, address_out = 0x74ccae5f	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = RegFlushKey, address_out = 0x74ec773f	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = CloseServiceHandle, address_out = 0x74eb369c	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = OpenSCManagerW, address_out = 0x74eaca64	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = RegQueryValueExW, address_out = 0x74eb46ad	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = RegOpenKeyW, address_out = 0x74eb2459	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = QueryServiceStatus, address_out = 0x74eb2a86	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = StartServiceW, address_out = 0x74ea7974	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = CreateProcessAsUserW, address_out = 0x74eac592	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = DeleteService, address_out = 0x74ec715c	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = InitiateSystemShutdownExW, address_out = 0x74efdb3a	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = DuplicateTokenEx, address_out = 0x74eaca24	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = SetTokenInformation, address_out = 0x74ea9a92	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = DuplicateToken, address_out = 0x74eac7e6	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = GetTokenInformation, address_out = 0x74eb431c	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = GetSidSubAuthorityCount, address_out = 0x74eb0e0c	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = OpenThreadToken, address_out = 0x74eb432c	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = GetSidSubAuthority, address_out = 0x74eb0e24	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = SetThreadToken, address_out = 0x74eac7ce	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = CredEnumerateW, address_out = 0x74ee7481	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = CredFree, address_out = 0x74eab2ec	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = SetSecurityDescriptorDacl, address_out = 0x74eb415e	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = InitializeSecurityDescriptor, address_out = 0x74eb4620	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = CryptDuplicateKey, address_out = 0x74ee31a8	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = CryptDuplicateHash, address_out = 0x74ee3198	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = CryptEncrypt, address_out = 0x74ec779b	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = CryptGenRandom, address_out = 0x74eadfc8	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = CryptGetKeyParam, address_out = 0x74ec77cb	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = CryptSetKeyParam, address_out = 0x74ec77b3	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = CryptDeriveKey, address_out = 0x74ee3188	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = CryptHashData, address_out = 0x74eadf36	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = CryptDestroyHash, address_out = 0x74eadf66	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = CryptDestroyKey, address_out = 0x74eac51a	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = CryptCreateHash, address_out = 0x74eadf4e	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = CryptImportKey, address_out = 0x74eac532	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = CryptReleaseContext, address_out = 0x74eae124	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = CryptAcquireContextW, address_out = 0x74eadf14	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = CryptGetHashParam, address_out = 0x74eadf7e	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = CryptSetHashParam, address_out = 0x74ee3248	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = AdjustTokenPrivileges, address_out = 0x74eb418e	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = CheckTokenMembership, address_out = 0x74eadf04	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = FreeSid, address_out = 0x74eb412e	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = AllocateAndInitializeSid, address_out = 0x74eb40e6	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = LookupPrivilegeValueW, address_out = 0x74eb41b3	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = OpenProcessToken, address_out = 0x74eb4304	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = RegSetValueExW, address_out = 0x74eb14d6	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = RegCloseKey, address_out = 0x74eb469d	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = RegOpenKeyExW, address_out = 0x74eb468d	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = CreateServiceW, address_out = 0x74ec712c	1	Fn
Get Address	c:\windows\syswow64\shell32.dll	function = CommandLineToArgvW, address_out = 0x74f59ee8	1	Fn
Get Address	c:\windows\syswow64\ole32.dll	function = CoCreateGuid, address_out = 0x767515d5	1	Fn
Get Address	c:\windows\syswow64\ole32.dll	function = CoTaskMemFree, address_out = 0x76766f41	1	Fn
Get Address	c:\windows\syswow64\ole32.dll	function = StringFromCLSID, address_out = 0x7672eb17	1	Fn
Get Address	c:\windows\syswow64\crypt32.dll	function = CryptStringToBinaryW, address_out = 0x76105f65	1	Fn
Get Address	c:\windows\syswow64\crypt32.dll	function = CryptImportPublicKeyInfo, address_out = 0x760e6c0e	1	Fn
Get Address	c:\windows\syswow64\crypt32.dll	function = CryptBinaryToStringW, address_out = 0x7610a546	1	Fn
Get Address	c:\windows\syswow64\crypt32.dll	function = CryptDecodeObjectEx, address_out = 0x760dd718	1	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = PathFindFileNameW, address_out = 0x7608bb71	1	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = StrChrW, address_out = 0x76084640	1	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = StrCmpW, address_out = 0x76088277	1	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = StrCmpIW, address_out = 0x7608a147	1	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = StrToIntW, address_out = 0x760850be	1	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = PathAppendW, address_out = 0x760881ef	1	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = StrStrW, address_out = 0x7607e52d	1	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = PathCombineW, address_out = 0x7608c39c	1	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = StrStrIW, address_out = 0x760846e9	1	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = PathFindExtensionW, address_out = 0x7608a1b9	1	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = StrCatW, address_out = 0x760ae105	1	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = PathFileExistsW, address_out = 0x760845bf	1	Fn
Get Address	c:\windows\infpub.dat	function = GetAdaptersInfo, address_out = 0x749a9263	1	Fn
Get Address	c:\windows\infpub.dat	function = GetIpNetTable, address_out = 0x749ae52a	1	Fn
Get Address	c:\windows\syswow64\ws2_32.dll	function = 18, address_out = 0x762f6989	1	Fn
Get Address	c:\windows\syswow64\ws2_32.dll	function = 10, address_out = 0x762f3084	1	Fn
Get Address	c:\windows\syswow64\ws2_32.dll	function = 52, address_out = 0x76307673	1	Fn
Get Address	c:\windows\syswow64\ws2_32.dll	function = 12, address_out = 0x762fb131	1	Fn
Get Address	c:\windows\syswow64\ws2_32.dll	function = 14, address_out = 0x762f2d57	1	Fn
Get Address	c:\windows\syswow64\ws2_32.dll	function = 115, address_out = 0x762f3ab2	1	Fn
Get Address	c:\windows\syswow64\ws2_32.dll	function = 4, address_out = 0x762f6bdd	1	Fn
Get Address	c:\windows\syswow64\ws2_32.dll	function = 11, address_out = 0x762f311b	1	Fn
Get Address	c:\windows\syswow64\ws2_32.dll	function = 9, address_out = 0x762f2d8b	1	Fn
Get Address	c:\windows\syswow64\ws2_32.dll	function = 23, address_out = 0x762f3eb8	1	Fn
Get Address	c:\windows\syswow64\ws2_32.dll	function = 3, address_out = 0x762f3918	1	Fn
Get Address	c:\windows\syswow64\ws2_32.dll	function = 19, address_out = 0x762f6f01	1	Fn
Get Address	c:\windows\syswow64\ws2_32.dll	function = 16, address_out = 0x762f6b0e	1	Fn
Get Address	c:\windows\syswow64\ws2_32.dll	function = 151, address_out = 0x762f6a8a	1	Fn
Get Address	c:\windows\infpub.dat	function = WNetOpenEnumW, address_out = 0x74972f06	1	Fn
Get Address	c:\windows\infpub.dat	function = WNetEnumResourceW, address_out = 0x74973058	1	Fn
Get Address	c:\windows\infpub.dat	function = WNetCancelConnection2W, address_out = 0x74978cd1	1	Fn
Get Address	c:\windows\infpub.dat	function = WNetAddConnection2W, address_out = 0x74974744	1	Fn
Get Address	c:\windows\infpub.dat	function = WNetCloseEnum, address_out = 0x74972dd6	1	Fn
Get Address	c:\windows\infpub.dat	function = NetApiBufferFree, address_out = 0x749413d2	1	Fn
Get Address	c:\windows\infpub.dat	function = NetWkstaGetInfo, address_out = 0x74955570	1	Fn
Get Address	c:\windows\infpub.dat	function = NetServerEnum, address_out = 0x74902f61	1	Fn
Get Address	c:\windows\infpub.dat	function = NetServerGetInfo, address_out = 0x74923cfa	1	Fn
Get Address	c:\windows\syswow64\netapi32.dll	function = DhcpEnumSubnetClients, address_out = 0x748e77b5	1	Fn
Get Address	c:\windows\syswow64\netapi32.dll	function = DhcpEnumSubnets, address_out = 0x748e6b7c	1	Fn
Get Address	c:\windows\syswow64\netapi32.dll	function = DhcpRpcFreeMemory, address_out = 0x748e79ed	1	Fn
Get Address	c:\windows\syswow64\netapi32.dll	function = DhcpGetSubnetInfo, address_out = 0x748e7003	1	Fn
Get Address	c:\windows\syswow64\msvcrt.dll	function = memcpy, address_out = 0x76a49910	1	Fn
Get Address	c:\windows\syswow64\msvcrt.dll	function = srand, address_out = 0x76a4f757	1	Fn
Get Address	c:\windows\syswow64\msvcrt.dll	function = memset, address_out = 0x76a49790	1	Fn
Get Address	c:\windows\syswow64\msvcrt.dll	function = memmove, address_out = 0x76a49e5a	1	Fn
Get Address	c:\windows\syswow64\msvcrt.dll	function = free, address_out = 0x76a49894	1	Fn
Get Address	c:\windows\syswow64\msvcrt.dll	function = malloc, address_out = 0x76a49cee	1	Fn
Get Address	c:\windows\syswow64\msvcrt.dll	function = sprintf, address_out = 0x76a5d354	1	Fn
Get Address	c:\windows\syswow64\msvcrt.dll	function = rand, address_out = 0x76a4c070	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = IsWow64Process, address_out = 0x7661195e	2	Fn
Get Address	c:\windows\infpub.dat	function = GetExtendedTcpTable, address_out = 0x749b1a8a	1	Fn
Create Mapping	C:\MSOCache\All Users\{90140000-0016-0409-1000-0000000FF1CE}-C\ExcelLR.cab	filename = C:\MSOCache\All Users\{90140000-0016-0409-1000-0000000FF1CE}-C\ExcelLR.cab, protection = PAGE_READWRITE, maximum_size = 16973021	1	Fn
Create Mapping	C:\MSOCache\All Users\{90140000-0016-0409-1000-0000000FF1CE}-C\ExcelMUI.xml	filename = C:\MSOCache\All Users\{90140000-0016-0409-1000-0000000FF1CE}-C\ExcelMUI.xml, protection = PAGE_READWRITE, maximum_size = 1602	1	Fn
Create Mapping	C:\MSOCache\All Users\{90140000-0016-0409-1000-0000000FF1CE}-C\Setup.xml	filename = C:\MSOCache\All Users\{90140000-0016-0409-1000-0000000FF1CE}-C\Setup.xml, protection = PAGE_READWRITE, maximum_size = 2338	1	Fn
Create Mapping	C:\MSOCache\All Users\{90140000-0018-0409-1000-0000000FF1CE}-C\PowerPointMUI.xml	filename = C:\MSOCache\All Users\{90140000-0018-0409-1000-0000000FF1CE}-C\PowerPointMUI.xml, protection = PAGE_READWRITE, maximum_size = 1490	1	Fn
Create Mapping	C:\MSOCache\All Users\{90140000-0018-0409-1000-0000000FF1CE}-C\PptLR.cab	filename = C:\MSOCache\All Users\{90140000-0018-0409-1000-0000000FF1CE}-C\PptLR.cab, protection = PAGE_READWRITE, maximum_size = 70361778	1	Fn
Create Mapping	C:\MSOCache\All Users\{90140000-0018-0409-1000-0000000FF1CE}-C\Setup.xml	filename = C:\MSOCache\All Users\{90140000-0018-0409-1000-0000000FF1CE}-C\Setup.xml, protection = PAGE_READWRITE, maximum_size = 1922	1	Fn
Create Mapping	C:\MSOCache\All Users\{90140000-0019-0409-1000-0000000FF1CE}-C\PublisherMUI.xml	filename = C:\MSOCache\All Users\{90140000-0019-0409-1000-0000000FF1CE}-C\PublisherMUI.xml, protection = PAGE_READWRITE, maximum_size = 1490	1	Fn
Create Mapping	C:\MSOCache\All Users\{90140000-0019-0409-1000-0000000FF1CE}-C\PubLR.cab	filename = C:\MSOCache\All Users\{90140000-0019-0409-1000-0000000FF1CE}-C\PubLR.cab, protection = PAGE_READWRITE, maximum_size = 9958434	1	Fn
Create Mapping	C:\MSOCache\All Users\{90140000-0019-0409-1000-0000000FF1CE}-C\Setup.xml	filename = C:\MSOCache\All Users\{90140000-0019-0409-1000-0000000FF1CE}-C\Setup.xml, protection = PAGE_READWRITE, maximum_size = 1650	1	Fn
Create Mapping	C:\MSOCache\All Users\{90140000-001A-0409-1000-0000000FF1CE}-C\OutlkLR.cab	filename = C:\MSOCache\All Users\{90140000-001A-0409-1000-0000000FF1CE}-C\OutlkLR.cab, protection = PAGE_READWRITE, maximum_size = 14819314	1	Fn
Create Mapping	C:\MSOCache\All Users\{90140000-001A-0409-1000-0000000FF1CE}-C\OutlookMUI.xml	filename = C:\MSOCache\All Users\{90140000-001A-0409-1000-0000000FF1CE}-C\OutlookMUI.xml, protection = PAGE_READWRITE, maximum_size = 3234	1	Fn
Create Mapping	C:\MSOCache\All Users\{90140000-001A-0409-1000-0000000FF1CE}-C\Setup.xml	filename = C:\MSOCache\All Users\{90140000-001A-0409-1000-0000000FF1CE}-C\Setup.xml, protection = PAGE_READWRITE, maximum_size = 4242	1	Fn
Create Mapping	C:\MSOCache\All Users\{90140000-001B-0409-1000-0000000FF1CE}-C\Setup.xml	filename = C:\MSOCache\All Users\{90140000-001B-0409-1000-0000000FF1CE}-C\Setup.xml, protection = PAGE_READWRITE, maximum_size = 2466	1	Fn
Create Mapping	C:\MSOCache\All Users\{90140000-001B-0409-1000-0000000FF1CE}-C\WordLR.cab	filename = C:\MSOCache\All Users\{90140000-001B-0409-1000-0000000FF1CE}-C\WordLR.cab, protection = PAGE_READWRITE, maximum_size = 43806175	1	Fn
Create Mapping	C:\MSOCache\All Users\{90140000-001B-0409-1000-0000000FF1CE}-C\WordMUI.xml	filename = C:\MSOCache\All Users\{90140000-001B-0409-1000-0000000FF1CE}-C\WordMUI.xml, protection = PAGE_READWRITE, maximum_size = 1842	1	Fn
Create Mapping	C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.en\Proof.cab	filename = C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.en\Proof.cab, protection = PAGE_READWRITE, maximum_size = 11482642	1	Fn
Create Mapping	C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.en\Proof.xml	filename = C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.en\Proof.xml, protection = PAGE_READWRITE, maximum_size = 1394	1	Fn
Create Mapping	C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.es\Proof.cab	filename = C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.es\Proof.cab, protection = PAGE_READWRITE, maximum_size = 13642514	1	Fn
Create Mapping	C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.es\Proof.xml	filename = C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.es\Proof.xml, protection = PAGE_READWRITE, maximum_size = 1506	1	Fn
Create Mapping	C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.fr\Proof.cab	filename = C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.fr\Proof.cab, protection = PAGE_READWRITE, maximum_size = 21064566	1	Fn
Create Mapping	C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.fr\Proof.xml	filename = C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.fr\Proof.xml, protection = PAGE_READWRITE, maximum_size = 1506	1	Fn
Create Mapping	C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proofing.xml	filename = C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proofing.xml, protection = PAGE_READWRITE, maximum_size = 850	1	Fn
Create Mapping	C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Setup.xml	filename = C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Setup.xml, protection = PAGE_READWRITE, maximum_size = 5922	1	Fn
Create Mapping	C:\MSOCache\All Users\{90140000-0043-0409-1000-0000000FF1CE}-C\Office32MUI.xml	filename = C:\MSOCache\All Users\{90140000-0043-0409-1000-0000000FF1CE}-C\Office32MUI.xml, protection = PAGE_READWRITE, maximum_size = 1426	1	Fn
Create Mapping	C:\MSOCache\All Users\{90140000-0043-0409-1000-0000000FF1CE}-C\OWOW32LR.cab	filename = C:\MSOCache\All Users\{90140000-0043-0409-1000-0000000FF1CE}-C\OWOW32LR.cab, protection = PAGE_READWRITE, maximum_size = 2928994	1	Fn
Create Mapping	C:\MSOCache\All Users\{90140000-0043-0409-1000-0000000FF1CE}-C\Setup.xml	filename = C:\MSOCache\All Users\{90140000-0043-0409-1000-0000000FF1CE}-C\Setup.xml, protection = PAGE_READWRITE, maximum_size = 2402	1	Fn
Create Mapping	C:\MSOCache\All Users\{90140000-0044-0409-1000-0000000FF1CE}-C\InfLR.cab	filename = C:\MSOCache\All Users\{90140000-0044-0409-1000-0000000FF1CE}-C\InfLR.cab, protection = PAGE_READWRITE, maximum_size = 18874918	1	Fn
Create Mapping	C:\MSOCache\All Users\{90140000-0044-0409-1000-0000000FF1CE}-C\InfoPathMUI.xml	filename = C:\MSOCache\All Users\{90140000-0044-0409-1000-0000000FF1CE}-C\InfoPathMUI.xml, protection = PAGE_READWRITE, maximum_size = 1266	1	Fn
Create Mapping	C:\MSOCache\All Users\{90140000-0044-0409-1000-0000000FF1CE}-C\Setup.xml	filename = C:\MSOCache\All Users\{90140000-0044-0409-1000-0000000FF1CE}-C\Setup.xml, protection = PAGE_READWRITE, maximum_size = 1890	1	Fn
Create Mapping	C:\MSOCache\All Users\{90140000-0054-0409-1000-0000000FF1CE}-C\Setup.xml	filename = C:\MSOCache\All Users\{90140000-0054-0409-1000-0000000FF1CE}-C\Setup.xml, protection = PAGE_READWRITE, maximum_size = 6290	1	Fn
Create Mapping	C:\MSOCache\All Users\{90140000-0054-0409-1000-0000000FF1CE}-C\VisioLR.cab	filename = C:\MSOCache\All Users\{90140000-0054-0409-1000-0000000FF1CE}-C\VisioLR.cab, protection = PAGE_READWRITE, maximum_size = 50823423	1	Fn
Create Mapping	C:\MSOCache\All Users\{90140000-0054-0409-1000-0000000FF1CE}-C\VisioMUI.xml	filename = C:\MSOCache\All Users\{90140000-0054-0409-1000-0000000FF1CE}-C\VisioMUI.xml, protection = PAGE_READWRITE, maximum_size = 9538	1	Fn
Create Mapping	C:\MSOCache\All Users\{90140000-00A1-0409-1000-0000000FF1CE}-C\OneNoteMUI.xml	filename = C:\MSOCache\All Users\{90140000-00A1-0409-1000-0000000FF1CE}-C\OneNoteMUI.xml, protection = PAGE_READWRITE, maximum_size = 1650	1	Fn
Create Mapping	C:\MSOCache\All Users\{90140000-00A1-0409-1000-0000000FF1CE}-C\OnoteLR.cab	filename = C:\MSOCache\All Users\{90140000-00A1-0409-1000-0000000FF1CE}-C\OnoteLR.cab, protection = PAGE_READWRITE, maximum_size = 17456666	1	Fn
Create Mapping	C:\MSOCache\All Users\{90140000-00A1-0409-1000-0000000FF1CE}-C\Setup.xml	filename = C:\MSOCache\All Users\{90140000-00A1-0409-1000-0000000FF1CE}-C\Setup.xml, protection = PAGE_READWRITE, maximum_size = 2034	1	Fn
Create Mapping	C:\MSOCache\All Users\{90140000-00B4-0409-1000-0000000FF1CE}-C\ProjectMUI.xml	filename = C:\MSOCache\All Users\{90140000-00B4-0409-1000-0000000FF1CE}-C\ProjectMUI.xml, protection = PAGE_READWRITE, maximum_size = 1490	1	Fn
Create Mapping	C:\MSOCache\All Users\{90140000-00B4-0409-1000-0000000FF1CE}-C\ProjLR.cab	filename = C:\MSOCache\All Users\{90140000-00B4-0409-1000-0000000FF1CE}-C\ProjLR.cab, protection = PAGE_READWRITE, maximum_size = 8265202	1	Fn
Create Mapping	C:\MSOCache\All Users\{90140000-00B4-0409-1000-0000000FF1CE}-C\Setup.xml	filename = C:\MSOCache\All Users\{90140000-00B4-0409-1000-0000000FF1CE}-C\Setup.xml, protection = PAGE_READWRITE, maximum_size = 1922	1	Fn
Create Mapping	C:\MSOCache\All Users\{90140000-00BA-0409-1000-0000000FF1CE}-C\GrooveLR.cab	filename = C:\MSOCache\All Users\{90140000-00BA-0409-1000-0000000FF1CE}-C\GrooveLR.cab, protection = PAGE_READWRITE, maximum_size = 4095554	1	Fn
Create Mapping	C:\MSOCache\All Users\{90140000-00BA-0409-1000-0000000FF1CE}-C\GrooveMUI.xml	filename = C:\MSOCache\All Users\{90140000-00BA-0409-1000-0000000FF1CE}-C\GrooveMUI.xml, protection = PAGE_READWRITE, maximum_size = 962	1	Fn
Create Mapping	C:\MSOCache\All Users\{90140000-00BA-0409-1000-0000000FF1CE}-C\Setup.xml	filename = C:\MSOCache\All Users\{90140000-00BA-0409-1000-0000000FF1CE}-C\Setup.xml, protection = PAGE_READWRITE, maximum_size = 1490	1	Fn
Create Mapping	C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C\branding.xml	filename = C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C\branding.xml, protection = PAGE_READWRITE, maximum_size = 596386	1	Fn
Create Mapping	C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C\OfficeLR.cab	filename = C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C\OfficeLR.cab, protection = PAGE_READWRITE, maximum_size = 14127794	1	Fn
Create Mapping	C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C\OfficeMUI.xml	filename = C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C\OfficeMUI.xml, protection = PAGE_READWRITE, maximum_size = 5602	1	Fn
Create Mapping	C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C\OfficeMUISet.xml	filename = C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C\OfficeMUISet.xml, protection = PAGE_READWRITE, maximum_size = 866	1	Fn
Create Mapping	C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C\Setup.xml	filename = C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C\Setup.xml, protection = PAGE_READWRITE, maximum_size = 9394	1	Fn
Create Mapping	C:\MSOCache\All Users\{90140000-0117-0409-1000-0000000FF1CE}-C\Access.en-us\AccessMUI.xml	filename = C:\MSOCache\All Users\{90140000-0117-0409-1000-0000000FF1CE}-C\Access.en-us\AccessMUI.xml, protection = PAGE_READWRITE, maximum_size = 1394	1	Fn
Create Mapping	C:\MSOCache\All Users\{90140000-0117-0409-1000-0000000FF1CE}-C\Access.en-us\AccLR.cab	filename = C:\MSOCache\All Users\{90140000-0117-0409-1000-0000000FF1CE}-C\Access.en-us\AccLR.cab, protection = PAGE_READWRITE, maximum_size = 28016310	1	Fn
Map	C:\MSOCache\All Users\{90140000-0016-0409-1000-0000000FF1CE}-C\ExcelLR.cab	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_READ	1	Fn
Map	C:\MSOCache\All Users\{90140000-0016-0409-1000-0000000FF1CE}-C\ExcelLR.cab	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_WRITE, FILE_MAP_READ	1	Fn
Map	C:\MSOCache\All Users\{90140000-0016-0409-1000-0000000FF1CE}-C\ExcelLR.cab	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_WRITE, FILE_MAP_READ	1	Fn
Map	C:\MSOCache\All Users\{90140000-0016-0409-1000-0000000FF1CE}-C\ExcelMUI.xml	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_READ	1	Fn
Map	C:\MSOCache\All Users\{90140000-0016-0409-1000-0000000FF1CE}-C\ExcelMUI.xml	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_WRITE, FILE_MAP_READ	1	Fn
Map	C:\MSOCache\All Users\{90140000-0016-0409-1000-0000000FF1CE}-C\ExcelMUI.xml	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_WRITE, FILE_MAP_READ	1	Fn
Map	C:\MSOCache\All Users\{90140000-0016-0409-1000-0000000FF1CE}-C\Setup.xml	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_READ	1	Fn
Map	C:\MSOCache\All Users\{90140000-0016-0409-1000-0000000FF1CE}-C\Setup.xml	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_WRITE, FILE_MAP_READ	1	Fn
Map	C:\MSOCache\All Users\{90140000-0016-0409-1000-0000000FF1CE}-C\Setup.xml	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_WRITE, FILE_MAP_READ	1	Fn
Map	C:\MSOCache\All Users\{90140000-0018-0409-1000-0000000FF1CE}-C\PowerPointMUI.xml	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_READ	1	Fn
Map	C:\MSOCache\All Users\{90140000-0018-0409-1000-0000000FF1CE}-C\PowerPointMUI.xml	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_WRITE, FILE_MAP_READ	1	Fn
Map	C:\MSOCache\All Users\{90140000-0018-0409-1000-0000000FF1CE}-C\PowerPointMUI.xml	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_WRITE, FILE_MAP_READ	1	Fn
Map	C:\MSOCache\All Users\{90140000-0018-0409-1000-0000000FF1CE}-C\PptLR.cab	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_READ	1	Fn
Map	C:\MSOCache\All Users\{90140000-0018-0409-1000-0000000FF1CE}-C\PptLR.cab	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_WRITE, FILE_MAP_READ	1	Fn
Map	C:\MSOCache\All Users\{90140000-0018-0409-1000-0000000FF1CE}-C\PptLR.cab	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_WRITE, FILE_MAP_READ	1	Fn
Map	C:\MSOCache\All Users\{90140000-0018-0409-1000-0000000FF1CE}-C\Setup.xml	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_READ	1	Fn
Map	C:\MSOCache\All Users\{90140000-0018-0409-1000-0000000FF1CE}-C\Setup.xml	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_WRITE, FILE_MAP_READ	1	Fn
Map	C:\MSOCache\All Users\{90140000-0018-0409-1000-0000000FF1CE}-C\Setup.xml	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_WRITE, FILE_MAP_READ	1	Fn
Map	C:\MSOCache\All Users\{90140000-0019-0409-1000-0000000FF1CE}-C\PublisherMUI.xml	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_READ	1	Fn
Map	C:\MSOCache\All Users\{90140000-0019-0409-1000-0000000FF1CE}-C\PublisherMUI.xml	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_WRITE, FILE_MAP_READ	1	Fn
Map	C:\MSOCache\All Users\{90140000-0019-0409-1000-0000000FF1CE}-C\PublisherMUI.xml	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_WRITE, FILE_MAP_READ	1	Fn
Map	C:\MSOCache\All Users\{90140000-0019-0409-1000-0000000FF1CE}-C\PubLR.cab	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_READ	1	Fn
Map	C:\MSOCache\All Users\{90140000-0019-0409-1000-0000000FF1CE}-C\PubLR.cab	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_WRITE, FILE_MAP_READ	1	Fn
Map	C:\MSOCache\All Users\{90140000-0019-0409-1000-0000000FF1CE}-C\PubLR.cab	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_WRITE, FILE_MAP_READ	1	Fn
Map	C:\MSOCache\All Users\{90140000-0019-0409-1000-0000000FF1CE}-C\Setup.xml	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_READ	1	Fn
Map	C:\MSOCache\All Users\{90140000-0019-0409-1000-0000000FF1CE}-C\Setup.xml	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_WRITE, FILE_MAP_READ	1	Fn
Map	C:\MSOCache\All Users\{90140000-0019-0409-1000-0000000FF1CE}-C\Setup.xml	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_WRITE, FILE_MAP_READ	1	Fn
Map	C:\MSOCache\All Users\{90140000-001A-0409-1000-0000000FF1CE}-C\OutlkLR.cab	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_READ	1	Fn
Map	C:\MSOCache\All Users\{90140000-001A-0409-1000-0000000FF1CE}-C\OutlkLR.cab	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_WRITE, FILE_MAP_READ	1	Fn
Map	C:\MSOCache\All Users\{90140000-001A-0409-1000-0000000FF1CE}-C\OutlkLR.cab	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_WRITE, FILE_MAP_READ	1	Fn
Map	C:\MSOCache\All Users\{90140000-001A-0409-1000-0000000FF1CE}-C\OutlookMUI.xml	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_READ	1	Fn
Map	C:\MSOCache\All Users\{90140000-001A-0409-1000-0000000FF1CE}-C\OutlookMUI.xml	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_WRITE, FILE_MAP_READ	1	Fn
Map	C:\MSOCache\All Users\{90140000-001A-0409-1000-0000000FF1CE}-C\OutlookMUI.xml	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_WRITE, FILE_MAP_READ	1	Fn
Map	C:\MSOCache\All Users\{90140000-001A-0409-1000-0000000FF1CE}-C\Setup.xml	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_READ	1	Fn
Map	C:\MSOCache\All Users\{90140000-001A-0409-1000-0000000FF1CE}-C\Setup.xml	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_WRITE, FILE_MAP_READ	1	Fn
Map	C:\MSOCache\All Users\{90140000-001A-0409-1000-0000000FF1CE}-C\Setup.xml	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_WRITE, FILE_MAP_READ	1	Fn
Map	C:\MSOCache\All Users\{90140000-001B-0409-1000-0000000FF1CE}-C\Setup.xml	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_READ	1	Fn
Map	C:\MSOCache\All Users\{90140000-001B-0409-1000-0000000FF1CE}-C\Setup.xml	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_WRITE, FILE_MAP_READ	1	Fn
Map	C:\MSOCache\All Users\{90140000-001B-0409-1000-0000000FF1CE}-C\Setup.xml	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_WRITE, FILE_MAP_READ	1	Fn
Map	C:\MSOCache\All Users\{90140000-001B-0409-1000-0000000FF1CE}-C\WordLR.cab	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_READ	1	Fn
Map	C:\MSOCache\All Users\{90140000-001B-0409-1000-0000000FF1CE}-C\WordLR.cab	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_WRITE, FILE_MAP_READ	1	Fn
Map	C:\MSOCache\All Users\{90140000-001B-0409-1000-0000000FF1CE}-C\WordLR.cab	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_WRITE, FILE_MAP_READ	1	Fn
Map	C:\MSOCache\All Users\{90140000-001B-0409-1000-0000000FF1CE}-C\WordMUI.xml	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_READ	1	Fn
Map	C:\MSOCache\All Users\{90140000-001B-0409-1000-0000000FF1CE}-C\WordMUI.xml	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_WRITE, FILE_MAP_READ	1	Fn
Map	C:\MSOCache\All Users\{90140000-001B-0409-1000-0000000FF1CE}-C\WordMUI.xml	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_WRITE, FILE_MAP_READ	1	Fn
Map	C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.en\Proof.cab	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_READ	1	Fn
Map	C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.en\Proof.cab	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_WRITE, FILE_MAP_READ	1	Fn
Map	C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.en\Proof.cab	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_WRITE, FILE_MAP_READ	1	Fn
Map	C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.en\Proof.xml	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_READ	1	Fn
Map	C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.en\Proof.xml	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_WRITE, FILE_MAP_READ	1	Fn
Map	C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.en\Proof.xml	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_WRITE, FILE_MAP_READ	1	Fn
Map	C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.es\Proof.cab	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_READ	1	Fn
Map	C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.es\Proof.cab	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_WRITE, FILE_MAP_READ	1	Fn
Map	C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.es\Proof.cab	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_WRITE, FILE_MAP_READ	1	Fn
Map	C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.es\Proof.xml	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_READ	1	Fn
Map	C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.es\Proof.xml	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_WRITE, FILE_MAP_READ	1	Fn
Map	C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.es\Proof.xml	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_WRITE, FILE_MAP_READ	1	Fn
Map	C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.fr\Proof.cab	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_READ	1	Fn
Map	C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.fr\Proof.cab	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_WRITE, FILE_MAP_READ	1	Fn
Map	C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.fr\Proof.cab	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_WRITE, FILE_MAP_READ	1	Fn
Map	C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.fr\Proof.xml	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_READ	1	Fn
Map	C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.fr\Proof.xml	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_WRITE, FILE_MAP_READ	1	Fn
Map	C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.fr\Proof.xml	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_WRITE, FILE_MAP_READ	1	Fn
Map	C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proofing.xml	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_READ	1	Fn
Map	C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proofing.xml	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_WRITE, FILE_MAP_READ	1	Fn
Map	C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proofing.xml	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_WRITE, FILE_MAP_READ	1	Fn
Map	C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Setup.xml	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_READ	1	Fn
Map	C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Setup.xml	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_WRITE, FILE_MAP_READ	1	Fn
Map	C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Setup.xml	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_WRITE, FILE_MAP_READ	1	Fn
Map	C:\MSOCache\All Users\{90140000-0043-0409-1000-0000000FF1CE}-C\Office32MUI.xml	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_READ	1	Fn
Map	C:\MSOCache\All Users\{90140000-0043-0409-1000-0000000FF1CE}-C\Office32MUI.xml	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_WRITE, FILE_MAP_READ	1	Fn
Map	C:\MSOCache\All Users\{90140000-0043-0409-1000-0000000FF1CE}-C\Office32MUI.xml	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_WRITE, FILE_MAP_READ	1	Fn
Map	C:\MSOCache\All Users\{90140000-0043-0409-1000-0000000FF1CE}-C\OWOW32LR.cab	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_READ	1	Fn
Map	C:\MSOCache\All Users\{90140000-0043-0409-1000-0000000FF1CE}-C\OWOW32LR.cab	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_WRITE, FILE_MAP_READ	1	Fn
Map	C:\MSOCache\All Users\{90140000-0043-0409-1000-0000000FF1CE}-C\OWOW32LR.cab	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_WRITE, FILE_MAP_READ	1	Fn
Map	C:\MSOCache\All Users\{90140000-0043-0409-1000-0000000FF1CE}-C\Setup.xml	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_READ	1	Fn
Map	C:\MSOCache\All Users\{90140000-0043-0409-1000-0000000FF1CE}-C\Setup.xml	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_WRITE, FILE_MAP_READ	1	Fn
Map	C:\MSOCache\All Users\{90140000-0043-0409-1000-0000000FF1CE}-C\Setup.xml	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_WRITE, FILE_MAP_READ	1	Fn
Map	C:\MSOCache\All Users\{90140000-0044-0409-1000-0000000FF1CE}-C\InfLR.cab	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_READ	1	Fn
Map	C:\MSOCache\All Users\{90140000-0044-0409-1000-0000000FF1CE}-C\InfLR.cab	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_WRITE, FILE_MAP_READ	1	Fn
Map	C:\MSOCache\All Users\{90140000-0044-0409-1000-0000000FF1CE}-C\InfLR.cab	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_WRITE, FILE_MAP_READ	1	Fn
Map	C:\MSOCache\All Users\{90140000-0044-0409-1000-0000000FF1CE}-C\InfoPathMUI.xml	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_READ	1	Fn
Map	C:\MSOCache\All Users\{90140000-0044-0409-1000-0000000FF1CE}-C\InfoPathMUI.xml	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_WRITE, FILE_MAP_READ	1	Fn
Map	C:\MSOCache\All Users\{90140000-0044-0409-1000-0000000FF1CE}-C\InfoPathMUI.xml	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_WRITE, FILE_MAP_READ	1	Fn
Map	C:\MSOCache\All Users\{90140000-0044-0409-1000-0000000FF1CE}-C\Setup.xml	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_READ	1	Fn
Map	C:\MSOCache\All Users\{90140000-0044-0409-1000-0000000FF1CE}-C\Setup.xml	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_WRITE, FILE_MAP_READ	1	Fn
Map	C:\MSOCache\All Users\{90140000-0044-0409-1000-0000000FF1CE}-C\Setup.xml	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_WRITE, FILE_MAP_READ	1	Fn
Map	C:\MSOCache\All Users\{90140000-0054-0409-1000-0000000FF1CE}-C\Setup.xml	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_READ	1	Fn
Map	C:\MSOCache\All Users\{90140000-0054-0409-1000-0000000FF1CE}-C\Setup.xml	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_WRITE, FILE_MAP_READ	1	Fn
Map	C:\MSOCache\All Users\{90140000-0054-0409-1000-0000000FF1CE}-C\Setup.xml	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_WRITE, FILE_MAP_READ	1	Fn
Map	C:\MSOCache\All Users\{90140000-0054-0409-1000-0000000FF1CE}-C\VisioLR.cab	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_READ	1	Fn
Map	C:\MSOCache\All Users\{90140000-0054-0409-1000-0000000FF1CE}-C\VisioLR.cab	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_WRITE, FILE_MAP_READ	1	Fn
Map	C:\MSOCache\All Users\{90140000-0054-0409-1000-0000000FF1CE}-C\VisioLR.cab	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_WRITE, FILE_MAP_READ	1	Fn
Map	C:\MSOCache\All Users\{90140000-0054-0409-1000-0000000FF1CE}-C\VisioMUI.xml	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_READ	1	Fn
Map	C:\MSOCache\All Users\{90140000-0054-0409-1000-0000000FF1CE}-C\VisioMUI.xml	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_WRITE, FILE_MAP_READ	1	Fn
Map	C:\MSOCache\All Users\{90140000-0054-0409-1000-0000000FF1CE}-C\VisioMUI.xml	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_WRITE, FILE_MAP_READ	1	Fn
Map	C:\MSOCache\All Users\{90140000-00A1-0409-1000-0000000FF1CE}-C\OneNoteMUI.xml	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_READ	1	Fn
Map	C:\MSOCache\All Users\{90140000-00A1-0409-1000-0000000FF1CE}-C\OneNoteMUI.xml	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_WRITE, FILE_MAP_READ	1	Fn
Map	C:\MSOCache\All Users\{90140000-00A1-0409-1000-0000000FF1CE}-C\OneNoteMUI.xml	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_WRITE, FILE_MAP_READ	1	Fn
Map	C:\MSOCache\All Users\{90140000-00A1-0409-1000-0000000FF1CE}-C\OnoteLR.cab	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_READ	1	Fn
Map	C:\MSOCache\All Users\{90140000-00A1-0409-1000-0000000FF1CE}-C\OnoteLR.cab	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_WRITE, FILE_MAP_READ	1	Fn
Map	C:\MSOCache\All Users\{90140000-00A1-0409-1000-0000000FF1CE}-C\OnoteLR.cab	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_WRITE, FILE_MAP_READ	1	Fn
Map	C:\MSOCache\All Users\{90140000-00A1-0409-1000-0000000FF1CE}-C\Setup.xml	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_READ	1	Fn
Map	C:\MSOCache\All Users\{90140000-00A1-0409-1000-0000000FF1CE}-C\Setup.xml	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_WRITE, FILE_MAP_READ	1	Fn
Map	C:\MSOCache\All Users\{90140000-00A1-0409-1000-0000000FF1CE}-C\Setup.xml	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_WRITE, FILE_MAP_READ	1	Fn
Map	C:\MSOCache\All Users\{90140000-00B4-0409-1000-0000000FF1CE}-C\ProjectMUI.xml	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_READ	1	Fn
Map	C:\MSOCache\All Users\{90140000-00B4-0409-1000-0000000FF1CE}-C\ProjectMUI.xml	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_WRITE, FILE_MAP_READ	1	Fn
Map	C:\MSOCache\All Users\{90140000-00B4-0409-1000-0000000FF1CE}-C\ProjectMUI.xml	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_WRITE, FILE_MAP_READ	1	Fn
Map	C:\MSOCache\All Users\{90140000-00B4-0409-1000-0000000FF1CE}-C\ProjLR.cab	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_READ	1	Fn
Map	C:\MSOCache\All Users\{90140000-00B4-0409-1000-0000000FF1CE}-C\ProjLR.cab	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_WRITE, FILE_MAP_READ	1	Fn
Map	C:\MSOCache\All Users\{90140000-00B4-0409-1000-0000000FF1CE}-C\ProjLR.cab	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_WRITE, FILE_MAP_READ	1	Fn
Map	C:\MSOCache\All Users\{90140000-00B4-0409-1000-0000000FF1CE}-C\Setup.xml	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_READ	1	Fn
Map	C:\MSOCache\All Users\{90140000-00B4-0409-1000-0000000FF1CE}-C\Setup.xml	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_WRITE, FILE_MAP_READ	1	Fn
Map	C:\MSOCache\All Users\{90140000-00B4-0409-1000-0000000FF1CE}-C\Setup.xml	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_WRITE, FILE_MAP_READ	1	Fn
Map	C:\MSOCache\All Users\{90140000-00BA-0409-1000-0000000FF1CE}-C\GrooveLR.cab	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_READ	1	Fn
Map	C:\MSOCache\All Users\{90140000-00BA-0409-1000-0000000FF1CE}-C\GrooveLR.cab	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_WRITE, FILE_MAP_READ	1	Fn
Map	C:\MSOCache\All Users\{90140000-00BA-0409-1000-0000000FF1CE}-C\GrooveLR.cab	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_WRITE, FILE_MAP_READ	1	Fn
Map	C:\MSOCache\All Users\{90140000-00BA-0409-1000-0000000FF1CE}-C\GrooveMUI.xml	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_READ	1	Fn
Map	C:\MSOCache\All Users\{90140000-00BA-0409-1000-0000000FF1CE}-C\GrooveMUI.xml	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_WRITE, FILE_MAP_READ	1	Fn
Map	C:\MSOCache\All Users\{90140000-00BA-0409-1000-0000000FF1CE}-C\GrooveMUI.xml	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_WRITE, FILE_MAP_READ	1	Fn
Map	C:\MSOCache\All Users\{90140000-00BA-0409-1000-0000000FF1CE}-C\Setup.xml	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_READ	1	Fn
Map	C:\MSOCache\All Users\{90140000-00BA-0409-1000-0000000FF1CE}-C\Setup.xml	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_WRITE, FILE_MAP_READ	1	Fn
Map	C:\MSOCache\All Users\{90140000-00BA-0409-1000-0000000FF1CE}-C\Setup.xml	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_WRITE, FILE_MAP_READ	1	Fn
Map	C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C\branding.xml	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_READ	1	Fn
Map	C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C\branding.xml	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_WRITE, FILE_MAP_READ	1	Fn
Map	C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C\branding.xml	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_WRITE, FILE_MAP_READ	1	Fn
Map	C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C\OfficeLR.cab	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_READ	1	Fn
Map	C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C\OfficeLR.cab	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_WRITE, FILE_MAP_READ	1	Fn
Map	C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C\OfficeLR.cab	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_WRITE, FILE_MAP_READ	1	Fn
Map	C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C\OfficeMUI.xml	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_READ	1	Fn
Map	C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C\OfficeMUI.xml	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_WRITE, FILE_MAP_READ	1	Fn
Map	C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C\OfficeMUI.xml	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_WRITE, FILE_MAP_READ	1	Fn
Map	C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C\OfficeMUISet.xml	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_READ	1	Fn
Map	C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C\OfficeMUISet.xml	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_WRITE, FILE_MAP_READ	1	Fn
Map	C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C\OfficeMUISet.xml	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_WRITE, FILE_MAP_READ	1	Fn
Map	C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C\Setup.xml	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_READ	1	Fn
Map	C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C\Setup.xml	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_WRITE, FILE_MAP_READ	1	Fn
Map	C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C\Setup.xml	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_WRITE, FILE_MAP_READ	1	Fn
Map	C:\MSOCache\All Users\{90140000-0117-0409-1000-0000000FF1CE}-C\Access.en-us\AccessMUI.xml	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_READ	1	Fn
Map	C:\MSOCache\All Users\{90140000-0117-0409-1000-0000000FF1CE}-C\Access.en-us\AccessMUI.xml	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_WRITE, FILE_MAP_READ	1	Fn
Map	C:\MSOCache\All Users\{90140000-0117-0409-1000-0000000FF1CE}-C\Access.en-us\AccessMUI.xml	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_WRITE, FILE_MAP_READ	1	Fn
Map	C:\MSOCache\All Users\{90140000-0117-0409-1000-0000000FF1CE}-C\Access.en-us\AccLR.cab	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_READ	1	Fn
Map	C:\MSOCache\All Users\{90140000-0117-0409-1000-0000000FF1CE}-C\Access.en-us\AccLR.cab	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_WRITE, FILE_MAP_READ	1	Fn

Service (2)

Operation	Additional Information	Success	Count	Logfile
Create	service_name = cscc		1	Fn
Open Manager	database_name = SERVICES_ACTIVE_DATABASE		1	Fn

System (414)

Operation	Additional Information	Count	Logfile
Get Computer Name	result_out = XDUWTFONO	1	Fn
Get Computer Name	result_out = XDUWTFONO, type = ComputerNamePhysicalNetBIOS	1	Fn
Sleep	duration = 0 milliseconds (0.000 seconds)	269	Fn
Sleep	duration = 2000 milliseconds (2.000 seconds)	1	Fn
Sleep	duration = 500 milliseconds (0.500 seconds)	29	Fn
Sleep	duration = 1000 milliseconds (1.000 seconds)	1	Fn
Sleep	duration = 300000 milliseconds (300.000 seconds)	1	Fn
Sleep	duration = 900000 milliseconds (900.000 seconds)	1	Fn
Sleep	duration = 840000 milliseconds (840.000 seconds)	1	Fn
Sleep	duration = 10000 milliseconds (10.000 seconds)	2	Fn
Sleep	duration = 3000 milliseconds (3.000 seconds)	1	Fn
Sleep	duration = 180000 milliseconds (180.000 seconds)	1	Fn
Get Time	type = Ticks, time = 79919	2	Fn
Get Time	type = Ticks, time = 82337	2	Fn
Get Time	type = Local Time, time = 2017-10-26 02:16:43 (Local Time)	1	Fn
Get Time	type = Ticks, time = 83975	1	Fn
Get Time	type = Ticks, time = 93943	1	Fn
Power Control	type = SHUTDOWN_RESTART, reason = SHTDN_REASON_FLAG_PLANNED	1	Fn
Get Info	type = Operating System	1	Fn
Get Info	type = System Directory, result_out = C:\Windows\system32	1	Fn
Get Info	type = Hardware Information	95	Fn

Mutex (1)

Operation	Additional Information	Success	Count	Logfile
Create	mutex_name = 9A1966663AD6FDE5		1	Fn

Environment (6)

Operation	Additional Information	Success	Count	Logfile
Get Environment String	name = ComSpec, result_out = C:\Windows\system32\cmd.exe		6	Fn

Network Behavior

TCP Sessions (9)

Information	Value
Total Data Sent	0.00 KB (0 bytes)
Total Data Received	0.00 KB (0 bytes)
Contacted Host Count	8
Contacted Hosts	192.168.0.0:445, 192.168.0.0:139, 192.168.0.1:445, 192.168.0.1:139, 192.168.0.2:445, 192.168.0.2:139, 192.168.0.3:445, 192.168.0.3:139

TCP Session #1

Information	Value
Handle	0x1ec
Address Family	AF_INET
Type	SOCK_STREAM
Protocol	IPPROTO_IP
Remote Address	192.168.0.0
Remote Port	445
Local Address	0.0.0.0
Local Port	1728
Data Sent	0.00 KB (0 bytes)
Data Received	0.00 KB (0 bytes)

Operations

Operation	Additional Information	Count	Logfile
Create	protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_STREAM	1	Fn
Connect	remote_address = 192.168.0.0, remote_port = 445	1	Fn
Close	type = SOCK_STREAM	1	Fn

TCP Session #2

Information	Value
Handle	0x1ec
Address Family	AF_INET
Type	SOCK_STREAM
Protocol	IPPROTO_IP
Remote Address	192.168.0.0
Remote Port	139
Local Address	0.0.0.0
Local Port	2752
Data Sent	0.00 KB (0 bytes)
Data Received	0.00 KB (0 bytes)

Operations

Operation	Additional Information	Count	Logfile
Create	protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_STREAM	1	Fn
Connect	remote_address = 192.168.0.0, remote_port = 139	1	Fn
Close	type = SOCK_STREAM	1	Fn

TCP Session #3

Information	Value
Handle	0x1ec
Address Family	AF_INET
Type	SOCK_STREAM
Protocol	IPPROTO_IP
Remote Address	192.168.0.1
Remote Port	445
Local Address	0.0.0.0
Local Port	3008
Data Sent	0.00 KB (0 bytes)
Data Received	0.00 KB (0 bytes)

Operations

Operation	Additional Information	Count	Logfile
Create	protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_STREAM	1	Fn
Connect	remote_address = 192.168.0.1, remote_port = 445	1	Fn
Close	type = SOCK_STREAM	1	Fn

TCP Session #4

Information	Value
Handle	0x1ec
Address Family	AF_INET
Type	SOCK_STREAM
Protocol	IPPROTO_IP
Remote Address	192.168.0.1
Remote Port	139
Local Address	0.0.0.0
Local Port	3264
Data Sent	0.00 KB (0 bytes)
Data Received	0.00 KB (0 bytes)

Operations

Operation	Additional Information	Count	Logfile
Create	protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_STREAM	1	Fn
Connect	remote_address = 192.168.0.1, remote_port = 139	1	Fn
Close	type = SOCK_STREAM	1	Fn

TCP Session #5

Information	Value
Handle	0x1ec
Address Family	AF_INET
Type	SOCK_STREAM
Protocol	IPPROTO_IP
Remote Address	192.168.0.2
Remote Port	445
Local Address	0.0.0.0
Local Port	3520
Data Sent	0.00 KB (0 bytes)
Data Received	0.00 KB (0 bytes)

Operations

Operation	Additional Information	Count	Logfile
Create	protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_STREAM	1	Fn
Connect	remote_address = 192.168.0.2, remote_port = 445	1	Fn
Close	type = SOCK_STREAM	1	Fn

TCP Session #6

Information	Value
Handle	0x1ec
Address Family	AF_INET
Type	SOCK_STREAM
Protocol	IPPROTO_IP
Remote Address	192.168.0.2
Remote Port	139
Local Address	0.0.0.0
Local Port	3776
Data Sent	0.00 KB (0 bytes)
Data Received	0.00 KB (0 bytes)

Operations

Operation	Additional Information	Count	Logfile
Create	protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_STREAM	1	Fn
Connect	remote_address = 192.168.0.2, remote_port = 139	1	Fn
Close	type = SOCK_STREAM	1	Fn

TCP Session #7

Information	Value
Handle	0x27c
Address Family	AF_INET
Type	SOCK_STREAM
Protocol	IPPROTO_TCP
Remote Address	192.168.0.1
Remote Port	445
Local Address	-
Local Port	-
Data Sent	0.00 KB (0 bytes)
Data Received	0.00 KB (0 bytes)

Operations

Operation	Additional Information	Success	Count	Logfile
Create	protocol = IPPROTO_TCP, address_family = AF_INET, type = SOCK_STREAM		1	Fn
Connect	remote_address = 192.168.0.1, remote_port = 445		1	Fn

TCP Session #8

Information	Value
Handle	0x1ec
Address Family	AF_INET
Type	SOCK_STREAM
Protocol	IPPROTO_IP
Remote Address	192.168.0.3
Remote Port	445
Local Address	0.0.0.0
Local Port	4288
Data Sent	0.00 KB (0 bytes)
Data Received	0.00 KB (0 bytes)

Operations

Operation	Additional Information	Count	Logfile
Create	protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_STREAM	1	Fn
Connect	remote_address = 192.168.0.3, remote_port = 445	1	Fn
Close	type = SOCK_STREAM	1	Fn

TCP Session #9

Information	Value
Handle	0x1ec
Address Family	AF_INET
Type	SOCK_STREAM
Protocol	IPPROTO_IP
Remote Address	192.168.0.3
Remote Port	139
Local Address	0.0.0.0
Local Port	4544
Data Sent	0.00 KB (0 bytes)
Data Received	0.00 KB (0 bytes)

Operations

Operation	Additional Information	Success	Count	Logfile
Create	protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_STREAM		1	Fn
Connect	remote_address = 192.168.0.3, remote_port = 139		1	Fn

Process #3: cmd.exe

(Host: 57, Network: 0)

Information	Value
ID	#3
File Name	c:\windows\syswow64\cmd.exe
Command Line	/c schtasks /Delete /F /TN rhaegal
Initial Working Directory	C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor	Start Time: 00:00:15, Reason: Child Process
Unmonitor	End Time: 00:01:50, Reason: Terminated by Timeout
Monitor Duration	00:01:35

OS Process Information

Information	Value
PID	0x974
Parent PID	0x960 (c:\windows\syswow64\rundll32.exe)
Is Created or Modified Executable
Integrity Level	High (Elevated)
Username	XDUWTFONO\5p5NrGJn0jS HALPmcxz
Groups	XDUWTFONO\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) BUILTIN\Administrators (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, OWNER) BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Logon Session 00000000:0001076e (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID) LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges	SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs	0x 978

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000020000	0x00020000	0x0002ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000030000	0x00030000	0x00031fff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000030000	0x00030000	0x00036fff	Pagefile Backed Memory	Readable	Region Actions
apisetschema.dll	0x00040000	0x00040fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x0000000000050000	0x00050000	0x00053fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000060000	0x00060000	0x00060fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000070000	0x00070000	0x00071fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000080000	0x00080000	0x00080fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000090000	0x00090000	0x00090fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000000b0000	0x000b0000	0x001affff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000001b0000	0x001b0000	0x001effff	Private Memory	Readable, Writable	Region Actions Download Dump
locale.nls