﻿"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:34:10.4539934 a.m.","cmd.exe","4604","CreateFile","\\vboxsvr\DataShared\temp\temp.exe","SUCCESS","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
"10:34:10.4552303 a.m.","cmd.exe","4604","QueryBasicInformationFile","\\vboxsvr\DataShared\temp\temp.exe","SUCCESS","CreationTime: 28/07/2011 5:37:00 p.m., LastAccessTime: 29/07/2011 10:30:45 a.m., LastWriteTime: 22/03/2011 1:05:27 p.m., ChangeTime: 28/07/2011 5:37:00 p.m., FileAttributes: N"
"10:34:10.4553378 a.m.","cmd.exe","4604","CloseFile","\\vboxsvr\DataShared\temp\temp.exe","SUCCESS",""
"10:34:10.4562057 a.m.","cmd.exe","4604","CreateFile","\\vboxsvr\DataShared\temp","SUCCESS","Desired Access: Read Data/List Directory, Synchronize, Disposition: Open, Options: Directory, Synchronous IO Non-Alert, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
"10:34:10.4563838 a.m.","cmd.exe","4604","QueryDirectory","\\vboxsvr\DataShared\temp\temp.exe","SUCCESS","Filter: temp.exe, 1: temp.exe"
"10:34:10.4579744 a.m.","cmd.exe","4604","CreateFile","\\vboxsvr\DataShared\temp\temp.exe","SUCCESS","Desired Access: Generic Read, Disposition: Open, Options: Sequential Access, Synchronous IO Non-Alert, Non-Directory File, Attributes: N, ShareMode: Read, Write, AllocationSize: n/a, OpenResult: Opened"
"10:34:11.1382006 a.m.","cmd.exe","4604","QueryDeviceInformationVolume","\\vboxsvr\DataShared\temp\temp.exe","SUCCESS","DeviceType: Disk, Characteristics: Remote"
"10:34:11.1382713 a.m.","cmd.exe","4604","QueryDeviceInformationVolume","\\vboxsvr\DataShared\temp\temp.exe","SUCCESS","DeviceType: Disk, Characteristics: Remote"
"10:34:11.1383805 a.m.","cmd.exe","4604","ReadFile","\\vboxsvr\DataShared\temp\temp.exe","SUCCESS","Offset: 0, Length: 512, Priority: Normal"
"10:34:11.1461149 a.m.","cmd.exe","4604","CreateFile","\\vboxsvr\DataShared\temp\temp2.exe","NAME NOT FOUND","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a"
"10:34:11.1485478 a.m.","cmd.exe","4604","CreateFile","\\vboxsvr\DataShared\temp\temp2.exe","NAME NOT FOUND","Desired Access: Generic Read, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: N, ShareMode: Read, AllocationSize: n/a"
"10:34:11.1570353 a.m.","cmd.exe","4604","CreateFile","\\vboxsvr\DataShared\temp\temp2.exe","NAME NOT FOUND","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a"
"10:34:11.1588045 a.m.","cmd.exe","4604","CreateFile","\\vboxsvr\DataShared\temp\temp.exe","SUCCESS","Desired Access: Generic Read, Disposition: Open, Options: Sequential Access, Non-Directory File, Open Reparse Point, Attributes: n/a, ShareMode: Read, Delete, AllocationSize: n/a, OpenResult: Opened"
"10:34:11.2129282 a.m.","cmd.exe","4604","QueryAttributeTagFile","\\vboxsvr\DataShared\temp\temp.exe","SUCCESS","Attributes: N, ReparseTag: 0x0"
"10:34:11.2131956 a.m.","cmd.exe","4604","QueryDeviceInformationVolume","\\vboxsvr\DataShared\temp\temp.exe","SUCCESS","DeviceType: Disk, Characteristics: Remote"
"10:34:11.2132329 a.m.","cmd.exe","4604","FileSystemControl","\\vboxsvr\DataShared\temp\temp.exe","SUCCESS","Control: IOCTL_LMR_DISABLE_LOCAL_BUFFERING"
"10:34:11.2133101 a.m.","cmd.exe","4604","FileSystemControl","\\vboxsvr\DataShared\temp\temp.exe","INVALID DEVICE REQUEST","Control: FSCTL_LMR_GET_HINT_SIZE"
"10:34:11.2133426 a.m.","cmd.exe","4604","QueryStandardInformationFile","\\vboxsvr\DataShared\temp\temp.exe","SUCCESS","AllocationSize: 4,313,088, EndOfFile: 4,312,397, NumberOfLinks: 1, DeletePending: False, Directory: False"
"10:34:11.2134488 a.m.","cmd.exe","4604","QueryBasicInformationFile","\\vboxsvr\DataShared\temp\temp.exe","SUCCESS","CreationTime: 28/07/2011 5:37:00 p.m., LastAccessTime: 29/07/2011 10:30:45 a.m., LastWriteTime: 22/03/2011 1:05:27 p.m., ChangeTime: 28/07/2011 5:37:00 p.m., FileAttributes: N"
"10:34:11.2136183 a.m.","cmd.exe","4604","QueryStreamInformationFile","\\vboxsvr\DataShared\temp\temp.exe","NOT IMPLEMENTED",""
"10:34:11.2137939 a.m.","cmd.exe","4604","QueryBasicInformationFile","\\vboxsvr\DataShared\temp\temp.exe","SUCCESS","CreationTime: 28/07/2011 5:37:00 p.m., LastAccessTime: 29/07/2011 10:30:45 a.m., LastWriteTime: 22/03/2011 1:05:27 p.m., ChangeTime: 28/07/2011 5:37:00 p.m., FileAttributes: N"
"10:34:11.2139539 a.m.","cmd.exe","4604","QueryEaInformationFile","\\vboxsvr\DataShared\temp\temp.exe","SUCCESS","EaSize: 0"
"10:34:11.2164158 a.m.","cmd.exe","4604","CreateFile","\\vboxsvr\DataShared\temp\temp2.exe","SUCCESS","Desired Access: Generic Write, Read Data/List Directory, Read Attributes, Delete, Disposition: OverwriteIf, Options: Sequential Access, Non-Directory File, Attributes: N, ShareMode: None, AllocationSize: 4,312,397, OpenResult: Created"
"10:34:11.2183571 a.m.","cmd.exe","4604","QueryDeviceInformationVolume","\\vboxsvr\DataShared\temp\temp2.exe","SUCCESS","DeviceType: Disk, Characteristics: Remote"
"10:34:11.2184009 a.m.","cmd.exe","4604","FileSystemControl","\\vboxsvr\DataShared\temp\temp2.exe","SUCCESS","Control: IOCTL_LMR_DISABLE_LOCAL_BUFFERING"
"10:34:11.2184360 a.m.","cmd.exe","4604","QueryAttributeInformationVolume","\\vboxsvr\DataShared\temp\temp2.exe","SUCCESS","FileSystemAttributes: , MaximumComponentNameLength: 255, FileSystemName: VBoxSharedFolderFS"
"10:34:11.2184560 a.m.","cmd.exe","4604","QueryBasicInformationFile","\\vboxsvr\DataShared\temp\temp2.exe","SUCCESS","CreationTime: 29/07/2011 10:34:11 a.m., LastAccessTime: 29/07/2011 10:34:11 a.m., LastWriteTime: 29/07/2011 10:34:11 a.m., ChangeTime: 29/07/2011 10:34:11 a.m., FileAttributes: N"
"10:34:11.2186086 a.m.","cmd.exe","4604","QueryAttributeInformationVolume","\\vboxsvr\DataShared\temp\temp.exe","SUCCESS","FileSystemAttributes: , MaximumComponentNameLength: 255, FileSystemName: VBoxSharedFolderFS"
"10:34:11.2186320 a.m.","cmd.exe","4604","QueryDeviceInformationVolume","\\vboxsvr\DataShared\temp\temp.exe","SUCCESS","DeviceType: Disk, Characteristics: Remote"
"10:34:11.2186584 a.m.","cmd.exe","4604","QueryDeviceInformationVolume","\\vboxsvr\DataShared\temp\temp2.exe","SUCCESS","DeviceType: Disk, Characteristics: Remote"
"10:34:11.2190971 a.m.","cmd.exe","4604","DeviceIoControl","\\vboxsvr\DataShared\temp\temp.exe","INVALID DEVICE REQUEST","Control: 0x140410 (Device:0x14 Function:260 Method: 0)"
"10:34:11.2191223 a.m.","cmd.exe","4604","SetEndOfFileInformationFile","\\vboxsvr\DataShared\temp\temp2.exe","SUCCESS","EndOfFile: 4,312,397"
"10:34:11.2193876 a.m.","cmd.exe","4604","QueryDeviceInformationVolume","\\vboxsvr\DataShared\temp\temp.exe","SUCCESS","DeviceType: Disk, Characteristics: Remote"
"10:34:11.2194088 a.m.","cmd.exe","4604","QueryDeviceInformationVolume","\\vboxsvr\DataShared\temp\temp2.exe","SUCCESS","DeviceType: Disk, Characteristics: Remote"
"10:34:11.2194284 a.m.","cmd.exe","4604","<Unknown>","\\vboxsvr\DataShared\temp\temp.exe","NOT IMPLEMENTED",""
"10:34:11.2195476 a.m.","cmd.exe","4604","<Unknown>","\\vboxsvr\DataShared\temp\temp2.exe","NOT IMPLEMENTED",""
"10:34:11.2221383 a.m.","cmd.exe","4604","ReadFile","\\vboxsvr\DataShared\temp\temp.exe","INVALID PARAMETER","Offset: 0, Length: 4,294,966,605, Priority: Normal"
"10:34:11.2270184 a.m.","cmd.exe","4604","ReadFile","\\vboxsvr\DataShared\temp\temp.exe","INVALID PARAMETER","Offset: 524,288, Length: 523,597, Priority: Normal"
"10:34:11.2309227 a.m.","cmd.exe","4604","ReadFile","\\vboxsvr\DataShared\temp\temp.exe","SUCCESS","Offset: 1,048,576, Length: 524,288, Priority: Normal"
"10:34:11.2348270 a.m.","cmd.exe","4604","ReadFile","\\vboxsvr\DataShared\temp\temp.exe","SUCCESS","Offset: 1,572,864, Length: 524,288, Priority: Normal"
"10:34:11.2367791 a.m.","cmd.exe","4604","ReadFile","\\vboxsvr\DataShared\temp\temp.exe","SUCCESS","Offset: 2,097,152, Length: 524,288, Priority: Normal"
"10:34:11.2397071 a.m.","cmd.exe","4604","ReadFile","\\vboxsvr\DataShared\temp\temp.exe","SUCCESS","Offset: 2,621,440, Length: 524,288, Priority: Normal"
"10:34:11.2660604 a.m.","cmd.exe","4604","ReadFile","\\vboxsvr\DataShared\temp\temp.exe","SUCCESS","Offset: 3,145,728, Length: 524,288, Priority: Normal"
"10:34:11.2680125 a.m.","cmd.exe","4604","ReadFile","\\vboxsvr\DataShared\temp\temp.exe","SUCCESS","Offset: 3,670,016, Length: 524,288, Priority: Normal"
"10:34:11.2865576 a.m.","cmd.exe","4604","ReadFile","C:\Windows\System32\kernel32.dll","SUCCESS","Offset: 1,111,040, Length: 8,192, I/O Flags: Non-cached, Paging I/O, Synchronous Paging I/O, Priority: Normal"
"10:34:11.2913528 a.m.","cmd.exe","4604","SetDispositionInformationFile","\\vboxsvr\DataShared\temp\temp2.exe","SUCCESS","Delete: True"
"10:34:11.2973835 a.m.","cmd.exe","4604","CloseFile","\\vboxsvr\DataShared\temp\temp.exe","SUCCESS",""
"10:34:11.2975625 a.m.","cmd.exe","4604","CloseFile","\\vboxsvr\DataShared\temp\temp2.exe","SUCCESS",""
"10:34:11.2977546 a.m.","cmd.exe","4604","CloseFile","\\vboxsvr\DataShared\temp\temp.exe","SUCCESS",""
"10:34:11.3003041 a.m.","cmd.exe","4604","QueryDirectory","\\vboxsvr\DataShared\temp","NO MORE FILES",""
"10:34:11.3010224 a.m.","cmd.exe","4604","CloseFile","\\vboxsvr\DataShared\temp","SUCCESS",""
"10:34:12.9424910 a.m.","cmd.exe","4604","CreateFile","C:\my\commands","SUCCESS","Desired Access: Read Data/List Directory, Synchronize, Disposition: Open, Options: Directory, Synchronous IO Non-Alert, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
"10:34:12.9427993 a.m.","cmd.exe","4604","QueryDirectory","C:\my\commands\xcopy.*","NO SUCH FILE","Filter: xcopy.*"
"10:34:12.9432441 a.m.","cmd.exe","4604","CloseFile","C:\my\commands","SUCCESS",""
"10:34:12.9437010 a.m.","cmd.exe","4604","CreateFile","C:\my\commands","SUCCESS","Desired Access: Read Data/List Directory, Synchronize, Disposition: Open, Options: Directory, Synchronous IO Non-Alert, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
"10:34:12.9438011 a.m.","cmd.exe","4604","QueryDirectory","C:\my\commands\xcopy","NO SUCH FILE","Filter: xcopy"
"10:34:12.9438831 a.m.","cmd.exe","4604","CloseFile","C:\my\commands","SUCCESS",""
"10:34:12.9444055 a.m.","cmd.exe","4604","CreateFile","C:\Windows\System32","SUCCESS","Desired Access: Read Data/List Directory, Synchronize, Disposition: Open, Options: Directory, Synchronous IO Non-Alert, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
"10:34:12.9445169 a.m.","cmd.exe","4604","QueryDirectory","C:\Windows\System32\xcopy.*","SUCCESS","Filter: xcopy.*, 1: xcopy.exe"
"10:34:12.9449153 a.m.","cmd.exe","4604","CloseFile","C:\Windows\System32","SUCCESS",""
"10:34:12.9455599 a.m.","cmd.exe","4604","CreateFile","C:\Windows\System32","SUCCESS","Desired Access: Read Data/List Directory, Synchronize, Disposition: Open, Options: Directory, Synchronous IO Non-Alert, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
"10:34:12.9456883 a.m.","cmd.exe","4604","QueryDirectory","C:\Windows\System32\xcopy.COM","NO SUCH FILE","Filter: xcopy.COM"
"10:34:12.9457867 a.m.","cmd.exe","4604","CloseFile","C:\Windows\System32","SUCCESS",""
"10:34:12.9460589 a.m.","cmd.exe","4604","CreateFile","C:\Windows\System32","SUCCESS","Desired Access: Read Data/List Directory, Synchronize, Disposition: Open, Options: Directory, Synchronous IO Non-Alert, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
"10:34:12.9460936 a.m.","cmd.exe","4604","QueryDirectory","C:\Windows\System32\xcopy.EXE","SUCCESS","Filter: xcopy.EXE, 1: xcopy.exe"
"10:34:12.9461825 a.m.","cmd.exe","4604","CloseFile","C:\Windows\System32","SUCCESS",""
"10:34:12.9512932 a.m.","cmd.exe","4604","CreateFile","C:\my\commands","SUCCESS","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
"10:34:12.9515521 a.m.","cmd.exe","4604","QueryBasicInformationFile","C:\my\commands","SUCCESS","CreationTime: 16/06/2011 10:34:09 p.m., LastAccessTime: 29/07/2011 10:32:02 a.m., LastWriteTime: 29/07/2011 10:32:02 a.m., ChangeTime: 29/07/2011 10:32:02 a.m., FileAttributes: D"
"10:34:12.9516960 a.m.","cmd.exe","4604","CloseFile","C:\my\commands","SUCCESS",""
"10:34:12.9522921 a.m.","cmd.exe","4604","CreateFile","C:\Windows\System32\xcopy.exe","SUCCESS","Desired Access: Read Data/List Directory, Execute/Traverse, Read Attributes, Synchronize, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, Delete, AllocationSize: n/a, OpenResult: Opened"
"10:34:12.9529476 a.m.","cmd.exe","4604","CreateFileMapping","C:\Windows\System32\xcopy.exe","FILE LOCKED WITH ONLY READERS","SyncType: SyncTypeCreateSection, PageProtection: "
"10:34:12.9532714 a.m.","cmd.exe","4604","CreateFileMapping","C:\Windows\System32\xcopy.exe","SUCCESS","SyncType: SyncTypeOther"
"10:34:12.9535003 a.m.","cmd.exe","4604","RegOpenKey","HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\xcopy.exe","NAME NOT FOUND","Desired Access: Query Value, Enumerate Sub Keys"
"10:34:12.9537032 a.m.","cmd.exe","4604","QuerySecurityFile","C:\Windows\System32\xcopy.exe","SUCCESS","Information: Label"
"10:34:12.9552873 a.m.","cmd.exe","4604","QueryNameInformationFile","C:\Windows\System32\xcopy.exe","SUCCESS","Name: \Windows\System32\xcopy.exe"
"10:34:12.9588230 a.m.","cmd.exe","4604","Process Create","C:\Windows\system32\xcopy.exe","SUCCESS","PID: 4996, Command line: xcopy  d:\temp\temp.exe d:\temp\temp2.exe"
"10:34:12.9588894 a.m.","xcopy.exe","4996","Process Start","","SUCCESS","Parent PID: 4604"
"10:34:12.9589496 a.m.","xcopy.exe","4996","Thread Create","","SUCCESS","Thread ID: 3328"
"10:34:12.9591209 a.m.","cmd.exe","4604","QuerySecurityFile","C:\Windows\System32\xcopy.exe","SUCCESS","Information: Owner, Group, DACL, SACL, Label"
"10:34:12.9592548 a.m.","cmd.exe","4604","QueryBasicInformationFile","C:\Windows\System32\xcopy.exe","SUCCESS","CreationTime: 14/07/2009 11:25:32 a.m., LastAccessTime: 14/07/2009 11:25:32 a.m., LastWriteTime: 14/07/2009 1:39:58 p.m., ChangeTime: 17/06/2011 5:50:31 p.m., FileAttributes: A"
"10:34:12.9594256 a.m.","cmd.exe","4604","RegOpenKey","HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers","SUCCESS","Desired Access: Query Value"
"10:34:12.9597391 a.m.","cmd.exe","4604","RegQueryValue","HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers\C:\Windows\system32\xcopy.exe","NAME NOT FOUND","Length: 16"
"10:34:12.9598566 a.m.","cmd.exe","4604","RegCloseKey","HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers","SUCCESS",""
"10:34:12.9599788 a.m.","cmd.exe","4604","RegOpenKey","HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\xcopy.exe","NAME NOT FOUND","Desired Access: Query Value"
"10:34:12.9601184 a.m.","cmd.exe","4604","RegOpenKey","HKLM\Software\Microsoft\Windows\CurrentVersion\SideBySide","SUCCESS","Desired Access: Read"
"10:34:12.9602606 a.m.","cmd.exe","4604","RegQueryValue","HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\PreferExternalManifest","NAME NOT FOUND","Length: 20"
"10:34:12.9603243 a.m.","cmd.exe","4604","RegCloseKey","HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide","SUCCESS",""
"10:34:12.9620831 a.m.","cmd.exe","4604","CloseFile","C:\Windows\System32\xcopy.exe","SUCCESS",""
"10:34:13.0434123 a.m.","xcopy.exe","4996","Load Image","C:\Windows\System32\xcopy.exe","SUCCESS","Image Base: 0xff9d0000, Image Size: 0xf000"
"10:34:13.0438762 a.m.","xcopy.exe","4996","Load Image","C:\Windows\System32\ntdll.dll","SUCCESS","Image Base: 0x779a0000, Image Size: 0x1a9000"
"10:34:13.0442677 a.m.","xcopy.exe","4996","CreateFile","C:\Windows\Prefetch\XCOPY.EXE-41E6513F.pf","SUCCESS","Desired Access: Generic Read, Disposition: Open, Options: Synchronous IO Non-Alert, Attributes: n/a, ShareMode: None, AllocationSize: n/a, OpenResult: Opened"
"10:34:13.0443739 a.m.","xcopy.exe","4996","QueryStandardInformationFile","C:\Windows\Prefetch\XCOPY.EXE-41E6513F.pf","SUCCESS","AllocationSize: 12,288, EndOfFile: 11,738, NumberOfLinks: 1, DeletePending: False, Directory: False"
"10:34:13.0444671 a.m.","xcopy.exe","4996","ReadFile","C:\Windows\Prefetch\XCOPY.EXE-41E6513F.pf","SUCCESS","Offset: 0, Length: 11,738, Priority: Normal"
"10:34:13.0447146 a.m.","xcopy.exe","4996","CloseFile","C:\Windows\Prefetch\XCOPY.EXE-41E6513F.pf","SUCCESS",""
"10:34:13.0451503 a.m.","xcopy.exe","4996","CreateFile","C:","SUCCESS","Desired Access: Read Attributes, Write Attributes, Synchronize, Disposition: Open, Options: Synchronous IO Non-Alert, Complete If Oplocked, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
"10:34:13.0452942 a.m.","xcopy.exe","4996","QueryInformationVolume","C:","SUCCESS","VolumeCreationTime: 17/06/2011 5:45:58 p.m., VolumeSerialNumber: 3CD6-DF01, SupportsObjects: True, VolumeLabel: "
"10:34:13.0453874 a.m.","xcopy.exe","4996","FileSystemControl","C:","SUCCESS","Control: FSCTL_FILE_PREFETCH"
"10:34:13.0457074 a.m.","xcopy.exe","4996","CreateFile","C:\Windows","SUCCESS","Desired Access: Read Data/List Directory, Synchronize, Disposition: Open, Options: Directory, Synchronous IO Non-Alert, Complete If Oplocked, Open For Backup, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
"10:34:13.0458227 a.m.","xcopy.exe","4996","SetBasicInformationFile","C:\Windows","SUCCESS","CreationTime: 1/01/1601 11:59:59 a.m., LastAccessTime: 1/01/1601 11:59:59 a.m., LastWriteTime: 1/01/1601 11:59:59 a.m., ChangeTime: 1/01/1601 11:59:59 a.m., FileAttributes: n/a"
"10:34:13.0459606 a.m.","xcopy.exe","4996","QueryFileInternalInformationFile","C:\Windows","SUCCESS","IndexNumber: 0x1000000000270"
"10:34:13.0460538 a.m.","xcopy.exe","4996","FileSystemControl","C:\Windows","END OF FILE","Control: FSCTL_FILE_PREFETCH"
"10:34:13.0462345 a.m.","xcopy.exe","4996","CloseFile","C:\Windows","SUCCESS",""
"10:34:13.0463728 a.m.","xcopy.exe","4996","CreateFile","C:\Windows\Globalization","SUCCESS","Desired Access: Read Data/List Directory, Synchronize, Disposition: Open, Options: Directory, Synchronous IO Non-Alert, Complete If Oplocked, Open For Backup, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
"10:34:13.0464751 a.m.","xcopy.exe","4996","SetBasicInformationFile","C:\Windows\Globalization","SUCCESS","CreationTime: 1/01/1601 11:59:59 a.m., LastAccessTime: 1/01/1601 11:59:59 a.m., LastWriteTime: 1/01/1601 11:59:59 a.m., ChangeTime: 1/01/1601 11:59:59 a.m., FileAttributes: n/a"
"10:34:13.0464981 a.m.","xcopy.exe","4996","QueryFileInternalInformationFile","C:\Windows\Globalization","SUCCESS","IndexNumber: 0x1000000000711"
"10:34:13.0465202 a.m.","xcopy.exe","4996","FileSystemControl","C:\Windows\Globalization","SUCCESS","Control: FSCTL_FILE_PREFETCH"
"10:34:13.0465670 a.m.","xcopy.exe","4996","CloseFile","C:\Windows\Globalization","SUCCESS",""
"10:34:13.0467539 a.m.","xcopy.exe","4996","CreateFile","C:\Windows\Globalization\Sorting","SUCCESS","Desired Access: Read Data/List Directory, Synchronize, Disposition: Open, Options: Directory, Synchronous IO Non-Alert, Complete If Oplocked, Open For Backup, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
"10:34:13.0468090 a.m.","xcopy.exe","4996","SetBasicInformationFile","C:\Windows\Globalization\Sorting","SUCCESS","CreationTime: 1/01/1601 11:59:59 a.m., LastAccessTime: 1/01/1601 11:59:59 a.m., LastWriteTime: 1/01/1601 11:59:59 a.m., ChangeTime: 1/01/1601 11:59:59 a.m., FileAttributes: n/a"
"10:34:13.0468298 a.m.","xcopy.exe","4996","QueryFileInternalInformationFile","C:\Windows\Globalization\Sorting","SUCCESS","IndexNumber: 0x100000000072b"
"10:34:13.0468506 a.m.","xcopy.exe","4996","FileSystemControl","C:\Windows\Globalization\Sorting","SUCCESS","Control: FSCTL_FILE_PREFETCH"
"10:34:13.0468753 a.m.","xcopy.exe","4996","CloseFile","C:\Windows\Globalization\Sorting","SUCCESS",""
"10:34:13.0470175 a.m.","xcopy.exe","4996","CreateFile","C:\Windows\System32","SUCCESS","Desired Access: Read Data/List Directory, Synchronize, Disposition: Open, Options: Directory, Synchronous IO Non-Alert, Complete If Oplocked, Open For Backup, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
"10:34:13.0470548 a.m.","xcopy.exe","4996","SetBasicInformationFile","C:\Windows\System32","SUCCESS","CreationTime: 1/01/1601 11:59:59 a.m., LastAccessTime: 1/01/1601 11:59:59 a.m., LastWriteTime: 1/01/1601 11:59:59 a.m., ChangeTime: 1/01/1601 11:59:59 a.m., FileAttributes: n/a"
"10:34:13.0470751 a.m.","xcopy.exe","4996","QueryFileInternalInformationFile","C:\Windows\System32","SUCCESS","IndexNumber: 0x1000000000909"
"10:34:13.0470964 a.m.","xcopy.exe","4996","FileSystemControl","C:\Windows\System32","END OF FILE","Control: FSCTL_FILE_PREFETCH"
"10:34:13.0473274 a.m.","xcopy.exe","4996","CloseFile","C:\Windows\System32","SUCCESS",""
"10:34:13.0483323 a.m.","xcopy.exe","4996","CreateFile","C:\Windows\System32\ntdll.dll","SUCCESS","Desired Access: Read Data/List Directory, Execute/Traverse, Read Attributes, Disposition: Open, Options: Non-Directory File, Complete If Oplocked, Attributes: N, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
"10:34:13.0486068 a.m.","xcopy.exe","4996","SetBasicInformationFile","C:\Windows\System32\ntdll.dll","SUCCESS","CreationTime: 1/01/1601 11:59:59 a.m., LastAccessTime: 1/01/1601 11:59:59 a.m., LastWriteTime: 1/01/1601 11:59:59 a.m., ChangeTime: 1/01/1601 11:59:59 a.m., FileAttributes: n/a"
"10:34:13.0486961 a.m.","xcopy.exe","4996","QueryAttributeTagFile","C:\Windows\System32\ntdll.dll","SUCCESS","Attributes: A, ReparseTag: 0x0"
"10:34:13.0487758 a.m.","xcopy.exe","4996","QueryFileInternalInformationFile","C:\Windows\System32\ntdll.dll","SUCCESS","IndexNumber: 0x10000000063f4"
"10:34:13.0488534 a.m.","xcopy.exe","4996","CreateFileMapping","C:\Windows\System32\ntdll.dll","FILE LOCKED WITH ONLY READERS","SyncType: SyncTypeCreateSection, PageProtection: "
"10:34:13.0489219 a.m.","xcopy.exe","4996","QueryStandardInformationFile","C:\Windows\System32\ntdll.dll","SUCCESS","AllocationSize: 1,732,608, EndOfFile: 1,731,936, NumberOfLinks: 2, DeletePending: False, Directory: False"
"10:34:13.0490585 a.m.","xcopy.exe","4996","CreateFileMapping","C:\Windows\System32\ntdll.dll","SUCCESS","SyncType: SyncTypeOther"
"10:34:13.0493008 a.m.","xcopy.exe","4996","CreateFile","C:\Windows\System32\kernel32.dll","SUCCESS","Desired Access: Read Data/List Directory, Execute/Traverse, Read Attributes, Disposition: Open, Options: Non-Directory File, Complete If Oplocked, Attributes: N, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
"10:34:13.0494742 a.m.","xcopy.exe","4996","SetBasicInformationFile","C:\Windows\System32\kernel32.dll","SUCCESS","CreationTime: 1/01/1601 11:59:59 a.m., LastAccessTime: 1/01/1601 11:59:59 a.m., LastWriteTime: 1/01/1601 11:59:59 a.m., ChangeTime: 1/01/1601 11:59:59 a.m., FileAttributes: n/a"
"10:34:13.0495124 a.m.","xcopy.exe","4996","QueryAttributeTagFile","C:\Windows\System32\kernel32.dll","SUCCESS","Attributes: A, ReparseTag: 0x0"
"10:34:13.0495328 a.m.","xcopy.exe","4996","QueryFileInternalInformationFile","C:\Windows\System32\kernel32.dll","SUCCESS","IndexNumber: 0x200000001ea11"
"10:34:13.0495527 a.m.","xcopy.exe","4996","CreateFileMapping","C:\Windows\System32\kernel32.dll","FILE LOCKED WITH ONLY READERS","SyncType: SyncTypeCreateSection, PageProtection: "
"10:34:13.0495692 a.m.","xcopy.exe","4996","QueryStandardInformationFile","C:\Windows\System32\kernel32.dll","SUCCESS","AllocationSize: 1,163,264, EndOfFile: 1,162,752, NumberOfLinks: 2, DeletePending: False, Directory: False"
"10:34:13.0496342 a.m.","xcopy.exe","4996","CreateFileMapping","C:\Windows\System32\kernel32.dll","SUCCESS","SyncType: SyncTypeOther"
"10:34:13.0497656 a.m.","xcopy.exe","4996","CreateFile","C:\Windows\System32\apisetschema.dll","SUCCESS","Desired Access: Read Data/List Directory, Execute/Traverse, Read Attributes, Disposition: Open, Options: Non-Directory File, Complete If Oplocked, Attributes: N, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
"10:34:13.0498232 a.m.","xcopy.exe","4996","SetBasicInformationFile","C:\Windows\System32\apisetschema.dll","SUCCESS","CreationTime: 1/01/1601 11:59:59 a.m., LastAccessTime: 1/01/1601 11:59:59 a.m., LastWriteTime: 1/01/1601 11:59:59 a.m., ChangeTime: 1/01/1601 11:59:59 a.m., FileAttributes: n/a"
"10:34:13.0498449 a.m.","xcopy.exe","4996","QueryAttributeTagFile","C:\Windows\System32\apisetschema.dll","SUCCESS","Attributes: A, ReparseTag: 0x0"
"10:34:13.0498631 a.m.","xcopy.exe","4996","QueryFileInternalInformationFile","C:\Windows\System32\apisetschema.dll","SUCCESS","IndexNumber: 0x1000000005ca5"
"10:34:13.0498822 a.m.","xcopy.exe","4996","CreateFileMapping","C:\Windows\System32\apisetschema.dll","FILE LOCKED WITH ONLY READERS","SyncType: SyncTypeCreateSection, PageProtection: "
"10:34:13.0498986 a.m.","xcopy.exe","4996","QueryStandardInformationFile","C:\Windows\System32\apisetschema.dll","SUCCESS","AllocationSize: 8,192, EndOfFile: 6,656, NumberOfLinks: 2, DeletePending: False, Directory: False"
"10:34:13.0499472 a.m.","xcopy.exe","4996","CreateFileMapping","C:\Windows\System32\apisetschema.dll","SUCCESS","SyncType: SyncTypeOther"
"10:34:13.0500894 a.m.","xcopy.exe","4996","CreateFile","C:\Windows\System32\KernelBase.dll","SUCCESS","Desired Access: Read Data/List Directory, Execute/Traverse, Read Attributes, Disposition: Open, Options: Non-Directory File, Complete If Oplocked, Attributes: N, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
"10:34:13.0501479 a.m.","xcopy.exe","4996","SetBasicInformationFile","C:\Windows\System32\KernelBase.dll","SUCCESS","CreationTime: 1/01/1601 11:59:59 a.m., LastAccessTime: 1/01/1601 11:59:59 a.m., LastWriteTime: 1/01/1601 11:59:59 a.m., ChangeTime: 1/01/1601 11:59:59 a.m., FileAttributes: n/a"
"10:34:13.0501830 a.m.","xcopy.exe","4996","QueryAttributeTagFile","C:\Windows\System32\KernelBase.dll","SUCCESS","Attributes: A, ReparseTag: 0x0"
"10:34:13.0502086 a.m.","xcopy.exe","4996","QueryFileInternalInformationFile","C:\Windows\System32\KernelBase.dll","SUCCESS","IndexNumber: 0x200000001eaff"
"10:34:13.0502294 a.m.","xcopy.exe","4996","CreateFileMapping","C:\Windows\System32\KernelBase.dll","FILE LOCKED WITH ONLY READERS","SyncType: SyncTypeCreateSection, PageProtection: "
"10:34:13.0502459 a.m.","xcopy.exe","4996","QueryStandardInformationFile","C:\Windows\System32\KernelBase.dll","SUCCESS","AllocationSize: 421,888, EndOfFile: 421,888, NumberOfLinks: 2, DeletePending: False, Directory: False"
"10:34:13.0505168 a.m.","xcopy.exe","4996","CreateFileMapping","C:\Windows\System32\KernelBase.dll","SUCCESS","SyncType: SyncTypeOther"
"10:34:13.0506543 a.m.","xcopy.exe","4996","CreateFile","C:\Windows\System32\locale.nls","SUCCESS","Desired Access: Read Data/List Directory, Execute/Traverse, Read Attributes, Disposition: Open, Options: Non-Directory File, Complete If Oplocked, Attributes: N, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
"10:34:13.0507869 a.m.","xcopy.exe","4996","SetBasicInformationFile","C:\Windows\System32\locale.nls","SUCCESS","CreationTime: 1/01/1601 11:59:59 a.m., LastAccessTime: 1/01/1601 11:59:59 a.m., LastWriteTime: 1/01/1601 11:59:59 a.m., ChangeTime: 1/01/1601 11:59:59 a.m., FileAttributes: n/a"
"10:34:13.0508090 a.m.","xcopy.exe","4996","QueryAttributeTagFile","C:\Windows\System32\locale.nls","SUCCESS","Attributes: A, ReparseTag: 0x0"
"10:34:13.0508381 a.m.","xcopy.exe","4996","QueryFileInternalInformationFile","C:\Windows\System32\locale.nls","SUCCESS","IndexNumber: 0x1000000006203"
"10:34:13.0508650 a.m.","xcopy.exe","4996","CreateFileMapping","C:\Windows\System32\locale.nls","FILE LOCKED WITH ONLY READERS","SyncType: SyncTypeCreateSection, PageProtection: "
"10:34:13.0508823 a.m.","xcopy.exe","4996","QueryStandardInformationFile","C:\Windows\System32\locale.nls","SUCCESS","AllocationSize: 421,888, EndOfFile: 419,880, NumberOfLinks: 2, DeletePending: False, Directory: False"
"10:34:13.0509382 a.m.","xcopy.exe","4996","CreateFileMapping","C:\Windows\System32\locale.nls","SUCCESS","SyncType: SyncTypeOther"
"10:34:13.0511389 a.m.","xcopy.exe","4996","CreateFile","C:\Windows\System32\xcopy.exe","SUCCESS","Desired Access: Read Data/List Directory, Execute/Traverse, Read Attributes, Disposition: Open, Options: Non-Directory File, Complete If Oplocked, Attributes: N, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
"10:34:13.0512703 a.m.","xcopy.exe","4996","SetBasicInformationFile","C:\Windows\System32\xcopy.exe","SUCCESS","CreationTime: 1/01/1601 11:59:59 a.m., LastAccessTime: 1/01/1601 11:59:59 a.m., LastWriteTime: 1/01/1601 11:59:59 a.m., ChangeTime: 1/01/1601 11:59:59 a.m., FileAttributes: n/a"
"10:34:13.0512924 a.m.","xcopy.exe","4996","QueryAttributeTagFile","C:\Windows\System32\xcopy.exe","SUCCESS","Attributes: A, ReparseTag: 0x0"
"10:34:13.0513111 a.m.","xcopy.exe","4996","QueryFileInternalInformationFile","C:\Windows\System32\xcopy.exe","SUCCESS","IndexNumber: 0x1000000006882"
"10:34:13.0513306 a.m.","xcopy.exe","4996","CreateFileMapping","C:\Windows\System32\xcopy.exe","FILE LOCKED WITH ONLY READERS","SyncType: SyncTypeCreateSection, PageProtection: "
"10:34:13.0513470 a.m.","xcopy.exe","4996","QueryStandardInformationFile","C:\Windows\System32\xcopy.exe","SUCCESS","AllocationSize: 45,056, EndOfFile: 43,008, NumberOfLinks: 2, DeletePending: False, Directory: False"
"10:34:13.0513822 a.m.","xcopy.exe","4996","CreateFileMapping","C:\Windows\System32\xcopy.exe","SUCCESS","SyncType: SyncTypeOther"
"10:34:13.0514550 a.m.","xcopy.exe","4996","CreateFile","C:\Windows\System32\advapi32.dll","SUCCESS","Desired Access: Read Data/List Directory, Execute/Traverse, Read Attributes, Disposition: Open, Options: Non-Directory File, Complete If Oplocked, Attributes: N, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
"10:34:13.0514550 a.m.","xcopy.exe","4996","SetBasicInformationFile","C:\Windows\System32\advapi32.dll","SUCCESS","CreationTime: 1/01/1601 11:59:59 a.m., LastAccessTime: 1/01/1601 11:59:59 a.m., LastWriteTime: 1/01/1601 11:59:59 a.m., ChangeTime: 1/01/1601 11:59:59 a.m., FileAttributes: n/a"
"10:34:13.0514667 a.m.","xcopy.exe","4996","QueryAttributeTagFile","C:\Windows\System32\advapi32.dll","SUCCESS","Attributes: A, ReparseTag: 0x0"
"10:34:13.0514953 a.m.","xcopy.exe","4996","QueryFileInternalInformationFile","C:\Windows\System32\advapi32.dll","SUCCESS","IndexNumber: 0x1000000005c6f"
"10:34:13.0515243 a.m.","xcopy.exe","4996","CreateFileMapping","C:\Windows\System32\advapi32.dll","FILE LOCKED WITH ONLY READERS","SyncType: SyncTypeCreateSection, PageProtection: "
"10:34:13.0515508 a.m.","xcopy.exe","4996","QueryStandardInformationFile","C:\Windows\System32\advapi32.dll","SUCCESS","AllocationSize: 880,640, EndOfFile: 877,056, NumberOfLinks: 2, DeletePending: False, Directory: False"
"10:34:13.0516254 a.m.","xcopy.exe","4996","CreateFileMapping","C:\Windows\System32\advapi32.dll","SUCCESS","SyncType: SyncTypeOther"
"10:34:13.0517866 a.m.","xcopy.exe","4996","CreateFile","C:\Windows\System32\msvcrt.dll","SUCCESS","Desired Access: Read Data/List Directory, Execute/Traverse, Read Attributes, Disposition: Open, Options: Non-Directory File, Complete If Oplocked, Attributes: N, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
"10:34:13.0519505 a.m.","xcopy.exe","4996","SetBasicInformationFile","C:\Windows\System32\msvcrt.dll","SUCCESS","CreationTime: 1/01/1601 11:59:59 a.m., LastAccessTime: 1/01/1601 11:59:59 a.m., LastWriteTime: 1/01/1601 11:59:59 a.m., ChangeTime: 1/01/1601 11:59:59 a.m., FileAttributes: n/a"
"10:34:13.0519795 a.m.","xcopy.exe","4996","QueryAttributeTagFile","C:\Windows\System32\msvcrt.dll","SUCCESS","Attributes: A, ReparseTag: 0x0"
"10:34:13.0519995 a.m.","xcopy.exe","4996","QueryFileInternalInformationFile","C:\Windows\System32\msvcrt.dll","SUCCESS","IndexNumber: 0x1000000006308"
"10:34:13.0520190 a.m.","xcopy.exe","4996","CreateFileMapping","C:\Windows\System32\msvcrt.dll","FILE LOCKED WITH ONLY READERS","SyncType: SyncTypeCreateSection, PageProtection: "
"10:34:13.0520355 a.m.","xcopy.exe","4996","QueryStandardInformationFile","C:\Windows\System32\msvcrt.dll","SUCCESS","AllocationSize: 634,880, EndOfFile: 634,880, NumberOfLinks: 2, DeletePending: False, Directory: False"
"10:34:13.0520819 a.m.","xcopy.exe","4996","CreateFileMapping","C:\Windows\System32\msvcrt.dll","SUCCESS","SyncType: SyncTypeOther"
"10:34:13.0522353 a.m.","xcopy.exe","4996","CreateFile","C:\Windows\System32\sechost.dll","SUCCESS","Desired Access: Read Data/List Directory, Execute/Traverse, Read Attributes, Disposition: Open, Options: Non-Directory File, Complete If Oplocked, Attributes: N, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
"10:34:13.0523116 a.m.","xcopy.exe","4996","SetBasicInformationFile","C:\Windows\System32\sechost.dll","SUCCESS","CreationTime: 1/01/1601 11:59:59 a.m., LastAccessTime: 1/01/1601 11:59:59 a.m., LastWriteTime: 1/01/1601 11:59:59 a.m., ChangeTime: 1/01/1601 11:59:59 a.m., FileAttributes: n/a"
"10:34:13.0523285 a.m.","xcopy.exe","4996","QueryAttributeTagFile","C:\Windows\System32\sechost.dll","SUCCESS","Attributes: A, ReparseTag: 0x0"
"10:34:13.0523571 a.m.","xcopy.exe","4996","QueryFileInternalInformationFile","C:\Windows\System32\sechost.dll","SUCCESS","IndexNumber: 0x1000000006587"
"10:34:13.0523866 a.m.","xcopy.exe","4996","CreateFileMapping","C:\Windows\System32\sechost.dll","FILE LOCKED WITH ONLY READERS","SyncType: SyncTypeCreateSection, PageProtection: "
"10:34:13.0524126 a.m.","xcopy.exe","4996","QueryStandardInformationFile","C:\Windows\System32\sechost.dll","SUCCESS","AllocationSize: 114,688, EndOfFile: 113,664, NumberOfLinks: 2, DeletePending: False, Directory: False"
"10:34:13.0524768 a.m.","xcopy.exe","4996","CreateFileMapping","C:\Windows\System32\sechost.dll","SUCCESS","SyncType: SyncTypeOther"
"10:34:13.0526697 a.m.","xcopy.exe","4996","CreateFile","C:\Windows\System32\rpcrt4.dll","SUCCESS","Desired Access: Read Data/List Directory, Execute/Traverse, Read Attributes, Disposition: Open, Options: Non-Directory File, Complete If Oplocked, Attributes: N, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
"10:34:13.0528145 a.m.","xcopy.exe","4996","SetBasicInformationFile","C:\Windows\System32\rpcrt4.dll","SUCCESS","CreationTime: 1/01/1601 11:59:59 a.m., LastAccessTime: 1/01/1601 11:59:59 a.m., LastWriteTime: 1/01/1601 11:59:59 a.m., ChangeTime: 1/01/1601 11:59:59 a.m., FileAttributes: n/a"
"10:34:13.0528383 a.m.","xcopy.exe","4996","QueryAttributeTagFile","C:\Windows\System32\rpcrt4.dll","SUCCESS","Attributes: A, ReparseTag: 0x0"
"10:34:13.0528635 a.m.","xcopy.exe","4996","QueryFileInternalInformationFile","C:\Windows\System32\rpcrt4.dll","SUCCESS","IndexNumber: 0x100000000653b"
"10:34:13.0528826 a.m.","xcopy.exe","4996","CreateFileMapping","C:\Windows\System32\rpcrt4.dll","FILE LOCKED WITH ONLY READERS","SyncType: SyncTypeCreateSection, PageProtection: "
"10:34:13.0528990 a.m.","xcopy.exe","4996","QueryStandardInformationFile","C:\Windows\System32\rpcrt4.dll","SUCCESS","AllocationSize: 1,220,608, EndOfFile: 1,219,584, NumberOfLinks: 2, DeletePending: False, Directory: False"
"10:34:13.0529558 a.m.","xcopy.exe","4996","CreateFileMapping","C:\Windows\System32\rpcrt4.dll","SUCCESS","SyncType: SyncTypeOther"
"10:34:13.0531310 a.m.","xcopy.exe","4996","CreateFile","C:\Windows\System32\ulib.dll","SUCCESS","Desired Access: Read Data/List Directory, Execute/Traverse, Read Attributes, Disposition: Open, Options: Non-Directory File, Complete If Oplocked, Attributes: N, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
"10:34:13.0532844 a.m.","xcopy.exe","4996","SetBasicInformationFile","C:\Windows\System32\ulib.dll","SUCCESS","CreationTime: 1/01/1601 11:59:59 a.m., LastAccessTime: 1/01/1601 11:59:59 a.m., LastWriteTime: 1/01/1601 11:59:59 a.m., ChangeTime: 1/01/1601 11:59:59 a.m., FileAttributes: n/a"
"10:34:13.0533065 a.m.","xcopy.exe","4996","QueryAttributeTagFile","C:\Windows\System32\ulib.dll","SUCCESS","Attributes: A, ReparseTag: 0x0"
"10:34:13.0533252 a.m.","xcopy.exe","4996","QueryFileInternalInformationFile","C:\Windows\System32\ulib.dll","SUCCESS","IndexNumber: 0x10000000066d4"
"10:34:13.0533443 a.m.","xcopy.exe","4996","CreateFileMapping","C:\Windows\System32\ulib.dll","FILE LOCKED WITH ONLY READERS","SyncType: SyncTypeCreateSection, PageProtection: "
"10:34:13.0533612 a.m.","xcopy.exe","4996","QueryStandardInformationFile","C:\Windows\System32\ulib.dll","SUCCESS","AllocationSize: 147,456, EndOfFile: 146,944, NumberOfLinks: 2, DeletePending: False, Directory: False"
"10:34:13.0534236 a.m.","xcopy.exe","4996","CreateFileMapping","C:\Windows\System32\ulib.dll","SUCCESS","SyncType: SyncTypeOther"
"10:34:13.0535710 a.m.","xcopy.exe","4996","CreateFile","C:\Windows\System32\user32.dll","SUCCESS","Desired Access: Read Data/List Directory, Execute/Traverse, Read Attributes, Disposition: Open, Options: Non-Directory File, Complete If Oplocked, Attributes: N, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
"10:34:13.0536824 a.m.","xcopy.exe","4996","SetBasicInformationFile","C:\Windows\System32\user32.dll","SUCCESS","CreationTime: 1/01/1601 11:59:59 a.m., LastAccessTime: 1/01/1601 11:59:59 a.m., LastWriteTime: 1/01/1601 11:59:59 a.m., ChangeTime: 1/01/1601 11:59:59 a.m., FileAttributes: n/a"
"10:34:13.0537045 a.m.","xcopy.exe","4996","QueryAttributeTagFile","C:\Windows\System32\user32.dll","SUCCESS","Attributes: A, ReparseTag: 0x0"
"10:34:13.0537232 a.m.","xcopy.exe","4996","QueryFileInternalInformationFile","C:\Windows\System32\user32.dll","SUCCESS","IndexNumber: 0x10000000066f2"
"10:34:13.0537422 a.m.","xcopy.exe","4996","CreateFileMapping","C:\Windows\System32\user32.dll","FILE LOCKED WITH ONLY READERS","SyncType: SyncTypeCreateSection, PageProtection: "
"10:34:13.0537669 a.m.","xcopy.exe","4996","QueryStandardInformationFile","C:\Windows\System32\user32.dll","SUCCESS","AllocationSize: 1,011,712, EndOfFile: 1,008,128, NumberOfLinks: 2, DeletePending: False, Directory: False"
"10:34:13.0538229 a.m.","xcopy.exe","4996","CreateFileMapping","C:\Windows\System32\user32.dll","SUCCESS","SyncType: SyncTypeOther"
"10:34:13.0539542 a.m.","xcopy.exe","4996","CreateFile","C:\Windows\System32\gdi32.dll","SUCCESS","Desired Access: Read Data/List Directory, Execute/Traverse, Read Attributes, Disposition: Open, Options: Non-Directory File, Complete If Oplocked, Attributes: N, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
"10:34:13.0540882 a.m.","xcopy.exe","4996","SetBasicInformationFile","C:\Windows\System32\gdi32.dll","SUCCESS","CreationTime: 1/01/1601 11:59:59 a.m., LastAccessTime: 1/01/1601 11:59:59 a.m., LastWriteTime: 1/01/1601 11:59:59 a.m., ChangeTime: 1/01/1601 11:59:59 a.m., FileAttributes: n/a"
"10:34:13.0541103 a.m.","xcopy.exe","4996","QueryAttributeTagFile","C:\Windows\System32\gdi32.dll","SUCCESS","Attributes: A, ReparseTag: 0x0"
"10:34:13.0541285 a.m.","xcopy.exe","4996","QueryFileInternalInformationFile","C:\Windows\System32\gdi32.dll","SUCCESS","IndexNumber: 0x1000000006062"
"10:34:13.0541480 a.m.","xcopy.exe","4996","CreateFileMapping","C:\Windows\System32\gdi32.dll","FILE LOCKED WITH ONLY READERS","SyncType: SyncTypeCreateSection, PageProtection: "
"10:34:13.0541641 a.m.","xcopy.exe","4996","QueryStandardInformationFile","C:\Windows\System32\gdi32.dll","SUCCESS","AllocationSize: 405,504, EndOfFile: 403,968, NumberOfLinks: 2, DeletePending: False, Directory: False"
"10:34:13.0542000 a.m.","xcopy.exe","4996","CreateFileMapping","C:\Windows\System32\gdi32.dll","SUCCESS","SyncType: SyncTypeOther"
"10:34:13.0545919 a.m.","xcopy.exe","4996","CreateFile","C:\Windows\System32\lpk.dll","SUCCESS","Desired Access: Read Data/List Directory, Execute/Traverse, Read Attributes, Disposition: Open, Options: Non-Directory File, Complete If Oplocked, Attributes: N, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
"10:34:13.0547484 a.m.","xcopy.exe","4996","SetBasicInformationFile","C:\Windows\System32\lpk.dll","SUCCESS","CreationTime: 1/01/1601 11:59:59 a.m., LastAccessTime: 1/01/1601 11:59:59 a.m., LastWriteTime: 1/01/1601 11:59:59 a.m., ChangeTime: 1/01/1601 11:59:59 a.m., FileAttributes: n/a"
"10:34:13.0548213 a.m.","xcopy.exe","4996","QueryAttributeTagFile","C:\Windows\System32\lpk.dll","SUCCESS","Attributes: A, ReparseTag: 0x0"
"10:34:13.0548846 a.m.","xcopy.exe","4996","QueryFileInternalInformationFile","C:\Windows\System32\lpk.dll","SUCCESS","IndexNumber: 0x1000000006216"
"10:34:13.0549453 a.m.","xcopy.exe","4996","CreateFileMapping","C:\Windows\System32\lpk.dll","FILE LOCKED WITH ONLY READERS","SyncType: SyncTypeCreateSection, PageProtection: "
"10:34:13.0549990 a.m.","xcopy.exe","4996","QueryStandardInformationFile","C:\Windows\System32\lpk.dll","SUCCESS","AllocationSize: 45,056, EndOfFile: 41,984, NumberOfLinks: 4, DeletePending: False, Directory: False"
"10:34:13.0551178 a.m.","xcopy.exe","4996","CreateFileMapping","C:\Windows\System32\lpk.dll","SUCCESS","SyncType: SyncTypeOther"
"10:34:13.0613007 a.m.","xcopy.exe","4996","CreateFile","C:\Windows\System32\usp10.dll","SUCCESS","Desired Access: Read Data/List Directory, Execute/Traverse, Read Attributes, Disposition: Open, Options: Non-Directory File, Complete If Oplocked, Attributes: N, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
"10:34:13.0614424 a.m.","xcopy.exe","4996","SetBasicInformationFile","C:\Windows\System32\usp10.dll","SUCCESS","CreationTime: 1/01/1601 11:59:59 a.m., LastAccessTime: 1/01/1601 11:59:59 a.m., LastWriteTime: 1/01/1601 11:59:59 a.m., ChangeTime: 1/01/1601 11:59:59 a.m., FileAttributes: n/a"
"10:34:13.0614689 a.m.","xcopy.exe","4996","QueryAttributeTagFile","C:\Windows\System32\usp10.dll","SUCCESS","Attributes: A, ReparseTag: 0x0"
"10:34:13.0614888 a.m.","xcopy.exe","4996","QueryFileInternalInformationFile","C:\Windows\System32\usp10.dll","SUCCESS","IndexNumber: 0x10000000066fb"
"10:34:13.0615100 a.m.","xcopy.exe","4996","CreateFileMapping","C:\Windows\System32\usp10.dll","FILE LOCKED WITH ONLY READERS","SyncType: SyncTypeCreateSection, PageProtection: "
"10:34:13.0615278 a.m.","xcopy.exe","4996","QueryStandardInformationFile","C:\Windows\System32\usp10.dll","SUCCESS","AllocationSize: 802,816, EndOfFile: 800,256, NumberOfLinks: 2, DeletePending: False, Directory: False"
"10:34:13.0615876 a.m.","xcopy.exe","4996","CreateFileMapping","C:\Windows\System32\usp10.dll","SUCCESS","SyncType: SyncTypeOther"
"10:34:13.0618413 a.m.","xcopy.exe","4996","CreateFile","C:\Windows\System32\ifsutil.dll","SUCCESS","Desired Access: Read Data/List Directory, Execute/Traverse, Read Attributes, Disposition: Open, Options: Non-Directory File, Complete If Oplocked, Attributes: N, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
"10:34:13.0620112 a.m.","xcopy.exe","4996","SetBasicInformationFile","C:\Windows\System32\ifsutil.dll","SUCCESS","CreationTime: 1/01/1601 11:59:59 a.m., LastAccessTime: 1/01/1601 11:59:59 a.m., LastWriteTime: 1/01/1601 11:59:59 a.m., ChangeTime: 1/01/1601 11:59:59 a.m., FileAttributes: n/a"
"10:34:13.0620602 a.m.","xcopy.exe","4996","QueryAttributeTagFile","C:\Windows\System32\ifsutil.dll","SUCCESS","Attributes: A, ReparseTag: 0x0"
"10:34:13.0620892 a.m.","xcopy.exe","4996","QueryFileInternalInformationFile","C:\Windows\System32\ifsutil.dll","SUCCESS","IndexNumber: 0x10000000060cb"
"10:34:13.0621187 a.m.","xcopy.exe","4996","CreateFileMapping","C:\Windows\System32\ifsutil.dll","FILE LOCKED WITH ONLY READERS","SyncType: SyncTypeCreateSection, PageProtection: "
"10:34:13.0621452 a.m.","xcopy.exe","4996","QueryStandardInformationFile","C:\Windows\System32\ifsutil.dll","SUCCESS","AllocationSize: 184,320, EndOfFile: 180,736, NumberOfLinks: 2, DeletePending: False, Directory: False"
"10:34:13.0622267 a.m.","xcopy.exe","4996","CreateFileMapping","C:\Windows\System32\ifsutil.dll","SUCCESS","SyncType: SyncTypeOther"
"10:34:13.0623754 a.m.","xcopy.exe","4996","CreateFile","C:\Windows\System32\cfgmgr32.dll","SUCCESS","Desired Access: Read Data/List Directory, Execute/Traverse, Read Attributes, Disposition: Open, Options: Non-Directory File, Complete If Oplocked, Attributes: N, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
"10:34:13.0624759 a.m.","xcopy.exe","4996","SetBasicInformationFile","C:\Windows\System32\cfgmgr32.dll","SUCCESS","CreationTime: 1/01/1601 11:59:59 a.m., LastAccessTime: 1/01/1601 11:59:59 a.m., LastWriteTime: 1/01/1601 11:59:59 a.m., ChangeTime: 1/01/1601 11:59:59 a.m., FileAttributes: n/a"
"10:34:13.0624980 a.m.","xcopy.exe","4996","QueryAttributeTagFile","C:\Windows\System32\cfgmgr32.dll","SUCCESS","Attributes: A, ReparseTag: 0x0"
"10:34:13.0625167 a.m.","xcopy.exe","4996","QueryFileInternalInformationFile","C:\Windows\System32\cfgmgr32.dll","SUCCESS","IndexNumber: 0x1000000005d4f"
"10:34:13.0625358 a.m.","xcopy.exe","4996","CreateFileMapping","C:\Windows\System32\cfgmgr32.dll","FILE LOCKED WITH ONLY READERS","SyncType: SyncTypeCreateSection, PageProtection: "
"10:34:13.0625527 a.m.","xcopy.exe","4996","QueryStandardInformationFile","C:\Windows\System32\cfgmgr32.dll","SUCCESS","AllocationSize: 208,896, EndOfFile: 207,872, NumberOfLinks: 4, DeletePending: False, Directory: False"
"10:34:13.0626177 a.m.","xcopy.exe","4996","CreateFileMapping","C:\Windows\System32\cfgmgr32.dll","SUCCESS","SyncType: SyncTypeOther"
"10:34:13.0628284 a.m.","xcopy.exe","4996","CreateFile","C:\Windows\System32\setupapi.dll","SUCCESS","Desired Access: Read Data/List Directory, Execute/Traverse, Read Attributes, Disposition: Open, Options: Non-Directory File, Complete If Oplocked, Attributes: N, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
"10:34:13.0630577 a.m.","xcopy.exe","4996","SetBasicInformationFile","C:\Windows\System32\setupapi.dll","SUCCESS","CreationTime: 1/01/1601 11:59:59 a.m., LastAccessTime: 1/01/1601 11:59:59 a.m., LastWriteTime: 1/01/1601 11:59:59 a.m., ChangeTime: 1/01/1601 11:59:59 a.m., FileAttributes: n/a"
"10:34:13.0630842 a.m.","xcopy.exe","4996","QueryAttributeTagFile","C:\Windows\System32\setupapi.dll","SUCCESS","Attributes: A, ReparseTag: 0x0"
"10:34:13.0631050 a.m.","xcopy.exe","4996","QueryFileInternalInformationFile","C:\Windows\System32\setupapi.dll","SUCCESS","IndexNumber: 0x10000000065ad"
"10:34:13.0631266 a.m.","xcopy.exe","4996","CreateFileMapping","C:\Windows\System32\setupapi.dll","FILE LOCKED WITH ONLY READERS","SyncType: SyncTypeCreateSection, PageProtection: "
"10:34:13.0631791 a.m.","xcopy.exe","4996","QueryStandardInformationFile","C:\Windows\System32\setupapi.dll","SUCCESS","AllocationSize: 1,900,544, EndOfFile: 1,900,544, NumberOfLinks: 2, DeletePending: False, Directory: False"
"10:34:13.0632220 a.m.","xcopy.exe","4996","CreateFileMapping","C:\Windows\System32\setupapi.dll","SUCCESS","SyncType: SyncTypeOther"
"10:34:13.0633590 a.m.","xcopy.exe","4996","CreateFile","C:\Windows\System32\oleaut32.dll","SUCCESS","Desired Access: Read Data/List Directory, Execute/Traverse, Read Attributes, Disposition: Open, Options: Non-Directory File, Complete If Oplocked, Attributes: N, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
"10:34:13.0635935 a.m.","xcopy.exe","4996","SetBasicInformationFile","C:\Windows\System32\oleaut32.dll","SUCCESS","CreationTime: 1/01/1601 11:59:59 a.m., LastAccessTime: 1/01/1601 11:59:59 a.m., LastWriteTime: 1/01/1601 11:59:59 a.m., ChangeTime: 1/01/1601 11:59:59 a.m., FileAttributes: n/a"
"10:34:13.0636933 a.m.","xcopy.exe","4996","QueryAttributeTagFile","C:\Windows\System32\oleaut32.dll","SUCCESS","Attributes: A, ReparseTag: 0x0"
"10:34:13.0637830 a.m.","xcopy.exe","4996","QueryFileInternalInformationFile","C:\Windows\System32\oleaut32.dll","SUCCESS","IndexNumber: 0x200000000e885"
"10:34:13.0638684 a.m.","xcopy.exe","4996","CreateFileMapping","C:\Windows\System32\oleaut32.dll","FILE LOCKED WITH ONLY READERS","SyncType: SyncTypeCreateSection, PageProtection: "
"10:34:13.0639417 a.m.","xcopy.exe","4996","QueryStandardInformationFile","C:\Windows\System32\oleaut32.dll","SUCCESS","AllocationSize: 864,256, EndOfFile: 861,696, NumberOfLinks: 2, DeletePending: False, Directory: False"
"10:34:13.0643010 a.m.","xcopy.exe","4996","CreateFileMapping","C:\Windows\System32\oleaut32.dll","SUCCESS","SyncType: SyncTypeOther"
"10:34:13.0644302 a.m.","xcopy.exe","4996","CreateFile","C:\Windows\System32\ole32.dll","SUCCESS","Desired Access: Read Data/List Directory, Execute/Traverse, Read Attributes, Disposition: Open, Options: Non-Directory File, Complete If Oplocked, Attributes: N, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
"10:34:13.0645334 a.m.","xcopy.exe","4996","SetBasicInformationFile","C:\Windows\System32\ole32.dll","SUCCESS","CreationTime: 1/01/1601 11:59:59 a.m., LastAccessTime: 1/01/1601 11:59:59 a.m., LastWriteTime: 1/01/1601 11:59:59 a.m., ChangeTime: 1/01/1601 11:59:59 a.m., FileAttributes: n/a"
"10:34:13.0645560 a.m.","xcopy.exe","4996","QueryAttributeTagFile","C:\Windows\System32\ole32.dll","SUCCESS","Attributes: A, ReparseTag: 0x0"
"10:34:13.0645746 a.m.","xcopy.exe","4996","QueryFileInternalInformationFile","C:\Windows\System32\ole32.dll","SUCCESS","IndexNumber: 0x1000000006417"
"10:34:13.0645937 a.m.","xcopy.exe","4996","CreateFileMapping","C:\Windows\System32\ole32.dll","FILE LOCKED WITH ONLY READERS","SyncType: SyncTypeCreateSection, PageProtection: "
"10:34:13.0646101 a.m.","xcopy.exe","4996","QueryStandardInformationFile","C:\Windows\System32\ole32.dll","SUCCESS","AllocationSize: 2,088,960, EndOfFile: 2,086,912, NumberOfLinks: 2, DeletePending: False, Directory: False"
"10:34:13.0646583 a.m.","xcopy.exe","4996","CreateFileMapping","C:\Windows\System32\ole32.dll","SUCCESS","SyncType: SyncTypeOther"
"10:34:13.0647679 a.m.","xcopy.exe","4996","CreateFile","C:\Windows\System32\devobj.dll","SUCCESS","Desired Access: Read Data/List Directory, Execute/Traverse, Read Attributes, Disposition: Open, Options: Non-Directory File, Complete If Oplocked, Attributes: N, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
"10:34:13.0649075 a.m.","xcopy.exe","4996","SetBasicInformationFile","C:\Windows\System32\devobj.dll","SUCCESS","CreationTime: 1/01/1601 11:59:59 a.m., LastAccessTime: 1/01/1601 11:59:59 a.m., LastWriteTime: 1/01/1601 11:59:59 a.m., ChangeTime: 1/01/1601 11:59:59 a.m., FileAttributes: n/a"
"10:34:13.0649310 a.m.","xcopy.exe","4996","QueryAttributeTagFile","C:\Windows\System32\devobj.dll","SUCCESS","Attributes: A, ReparseTag: 0x0"
"10:34:13.0649492 a.m.","xcopy.exe","4996","QueryFileInternalInformationFile","C:\Windows\System32\devobj.dll","SUCCESS","IndexNumber: 0x1000000005f2f"
"10:34:13.0649687 a.m.","xcopy.exe","4996","CreateFileMapping","C:\Windows\System32\devobj.dll","FILE LOCKED WITH ONLY READERS","SyncType: SyncTypeCreateSection, PageProtection: "
"10:34:13.0649851 a.m.","xcopy.exe","4996","QueryStandardInformationFile","C:\Windows\System32\devobj.dll","SUCCESS","AllocationSize: 94,208, EndOfFile: 93,184, NumberOfLinks: 4, DeletePending: False, Directory: False"
"10:34:13.0650337 a.m.","xcopy.exe","4996","CreateFileMapping","C:\Windows\System32\devobj.dll","SUCCESS","SyncType: SyncTypeOther"
"10:34:13.0651200 a.m.","xcopy.exe","4996","CreateFile","C:\Windows\System32\imm32.dll","SUCCESS","Desired Access: Read Data/List Directory, Execute/Traverse, Read Attributes, Disposition: Open, Options: Non-Directory File, Complete If Oplocked, Attributes: N, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
"10:34:13.0651200 a.m.","xcopy.exe","4996","SetBasicInformationFile","C:\Windows\System32\imm32.dll","SUCCESS","CreationTime: 1/01/1601 11:59:59 a.m., LastAccessTime: 1/01/1601 11:59:59 a.m., LastWriteTime: 1/01/1601 11:59:59 a.m., ChangeTime: 1/01/1601 11:59:59 a.m., FileAttributes: n/a"
"10:34:13.0651304 a.m.","xcopy.exe","4996","QueryAttributeTagFile","C:\Windows\System32\imm32.dll","SUCCESS","Attributes: A, ReparseTag: 0x0"
"10:34:13.0651590 a.m.","xcopy.exe","4996","QueryFileInternalInformationFile","C:\Windows\System32\imm32.dll","SUCCESS","IndexNumber: 0x10000000060df"
"10:34:13.0651880 a.m.","xcopy.exe","4996","CreateFileMapping","C:\Windows\System32\imm32.dll","FILE LOCKED WITH ONLY READERS","SyncType: SyncTypeCreateSection, PageProtection: "
"10:34:13.0652145 a.m.","xcopy.exe","4996","QueryStandardInformationFile","C:\Windows\System32\imm32.dll","SUCCESS","AllocationSize: 167,936, EndOfFile: 167,424, NumberOfLinks: 2, DeletePending: False, Directory: False"
"10:34:13.0652695 a.m.","xcopy.exe","4996","CreateFileMapping","C:\Windows\System32\imm32.dll","SUCCESS","SyncType: SyncTypeOther"
"10:34:13.0654191 a.m.","xcopy.exe","4996","CreateFile","C:\Windows\System32\msctf.dll","SUCCESS","Desired Access: Read Data/List Directory, Execute/Traverse, Read Attributes, Disposition: Open, Options: Non-Directory File, Complete If Oplocked, Attributes: N, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
"10:34:13.0655184 a.m.","xcopy.exe","4996","SetBasicInformationFile","C:\Windows\System32\msctf.dll","SUCCESS","CreationTime: 1/01/1601 11:59:59 a.m., LastAccessTime: 1/01/1601 11:59:59 a.m., LastWriteTime: 1/01/1601 11:59:59 a.m., ChangeTime: 1/01/1601 11:59:59 a.m., FileAttributes: n/a"
"10:34:13.0655400 a.m.","xcopy.exe","4996","QueryAttributeTagFile","C:\Windows\System32\msctf.dll","SUCCESS","Attributes: A, ReparseTag: 0x0"
"10:34:13.0655587 a.m.","xcopy.exe","4996","QueryFileInternalInformationFile","C:\Windows\System32\msctf.dll","SUCCESS","IndexNumber: 0x10000000062a3"
"10:34:13.0655778 a.m.","xcopy.exe","4996","CreateFileMapping","C:\Windows\System32\msctf.dll","FILE LOCKED WITH ONLY READERS","SyncType: SyncTypeCreateSection, PageProtection: "
"10:34:13.0655942 a.m.","xcopy.exe","4996","QueryStandardInformationFile","C:\Windows\System32\msctf.dll","SUCCESS","AllocationSize: 1,069,056, EndOfFile: 1,067,008, NumberOfLinks: 2, DeletePending: False, Directory: False"
"10:34:13.0656493 a.m.","xcopy.exe","4996","CreateFileMapping","C:\Windows\System32\msctf.dll","SUCCESS","SyncType: SyncTypeOther"
"10:34:13.0657802 a.m.","xcopy.exe","4996","CreateFile","C:\Windows\Globalization\Sorting\SortDefault.nls","SUCCESS","Desired Access: Read Data/List Directory, Execute/Traverse, Read Attributes, Disposition: Open, Options: Non-Directory File, Complete If Oplocked, Attributes: N, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
"10:34:13.0658318 a.m.","xcopy.exe","4996","SetBasicInformationFile","C:\Windows\Globalization\Sorting\SortDefault.nls","SUCCESS","CreationTime: 1/01/1601 11:59:59 a.m., LastAccessTime: 1/01/1601 11:59:59 a.m., LastWriteTime: 1/01/1601 11:59:59 a.m., ChangeTime: 1/01/1601 11:59:59 a.m., FileAttributes: n/a"
"10:34:13.0658530 a.m.","xcopy.exe","4996","QueryAttributeTagFile","C:\Windows\Globalization\Sorting\SortDefault.nls","SUCCESS","Attributes: A, ReparseTag: 0x0"
"10:34:13.0658713 a.m.","xcopy.exe","4996","QueryFileInternalInformationFile","C:\Windows\Globalization\Sorting\SortDefault.nls","SUCCESS","IndexNumber: 0x10000000046c8"
"10:34:13.0658899 a.m.","xcopy.exe","4996","CreateFileMapping","C:\Windows\Globalization\Sorting\SortDefault.nls","FILE LOCKED WITH ONLY READERS","SyncType: SyncTypeCreateSection, PageProtection: "
"10:34:13.0659059 a.m.","xcopy.exe","4996","QueryStandardInformationFile","C:\Windows\Globalization\Sorting\SortDefault.nls","SUCCESS","AllocationSize: 2,945,024, EndOfFile: 2,944,004, NumberOfLinks: 2, DeletePending: False, Directory: False"
"10:34:13.0659411 a.m.","xcopy.exe","4996","CreateFileMapping","C:\Windows\Globalization\Sorting\SortDefault.nls","SUCCESS","SyncType: SyncTypeOther"
"10:34:13.0662801 a.m.","xcopy.exe","4996","CloseFile","C:\Windows\System32\locale.nls","SUCCESS",""
"10:34:13.0665051 a.m.","xcopy.exe","4996","CloseFile","C:\Windows\Globalization\Sorting\SortDefault.nls","SUCCESS",""
"10:34:13.0666711 a.m.","xcopy.exe","4996","CreateFileMapping","C:\Windows\System32\ntdll.dll","FILE LOCKED WITH ONLY READERS","SyncType: SyncTypeCreateSection, PageProtection: "
"10:34:13.0669529 a.m.","xcopy.exe","4996","CreateFileMapping","C:\Windows\System32\ntdll.dll","SUCCESS","SyncType: SyncTypeOther"
"10:34:13.0669919 a.m.","xcopy.exe","4996","CreateFileMapping","C:\Windows\System32\kernel32.dll","FILE LOCKED WITH ONLY READERS","SyncType: SyncTypeCreateSection, PageProtection: "
"10:34:13.0670877 a.m.","xcopy.exe","4996","CreateFileMapping","C:\Windows\System32\kernel32.dll","SUCCESS","SyncType: SyncTypeOther"
"10:34:13.0671254 a.m.","xcopy.exe","4996","CreateFileMapping","C:\Windows\System32\apisetschema.dll","FILE LOCKED WITH ONLY READERS","SyncType: SyncTypeCreateSection, PageProtection: "
"10:34:13.0672091 a.m.","xcopy.exe","4996","CreateFileMapping","C:\Windows\System32\apisetschema.dll","SUCCESS","SyncType: SyncTypeOther"
"10:34:13.0677900 a.m.","xcopy.exe","4996","CreateFileMapping","C:\Windows\System32\KernelBase.dll","FILE LOCKED WITH ONLY READERS","SyncType: SyncTypeCreateSection, PageProtection: "
"10:34:13.0678772 a.m.","xcopy.exe","4996","CreateFileMapping","C:\Windows\System32\KernelBase.dll","SUCCESS","SyncType: SyncTypeOther"
"10:34:13.0679136 a.m.","xcopy.exe","4996","CreateFileMapping","C:\Windows\System32\xcopy.exe","FILE LOCKED WITH ONLY READERS","SyncType: SyncTypeCreateSection, PageProtection: "
"10:34:13.0679873 a.m.","xcopy.exe","4996","CreateFileMapping","C:\Windows\System32\xcopy.exe","SUCCESS","SyncType: SyncTypeOther"
"10:34:13.0680319 a.m.","xcopy.exe","4996","CreateFileMapping","C:\Windows\System32\advapi32.dll","FILE LOCKED WITH ONLY READERS","SyncType: SyncTypeCreateSection, PageProtection: "
"10:34:13.0681490 a.m.","xcopy.exe","4996","CreateFileMapping","C:\Windows\System32\advapi32.dll","SUCCESS","SyncType: SyncTypeOther"
"10:34:13.0681854 a.m.","xcopy.exe","4996","CreateFileMapping","C:\Windows\System32\msvcrt.dll","FILE LOCKED WITH ONLY READERS","SyncType: SyncTypeCreateSection, PageProtection: "
"10:34:13.0682591 a.m.","xcopy.exe","4996","CreateFileMapping","C:\Windows\System32\msvcrt.dll","SUCCESS","SyncType: SyncTypeOther"
"10:34:13.0683059 a.m.","xcopy.exe","4996","CreateFileMapping","C:\Windows\System32\sechost.dll","FILE LOCKED WITH ONLY READERS","SyncType: SyncTypeCreateSection, PageProtection: "
"10:34:13.0683904 a.m.","xcopy.exe","4996","CreateFileMapping","C:\Windows\System32\sechost.dll","SUCCESS","SyncType: SyncTypeOther"
"10:34:13.0684260 a.m.","xcopy.exe","4996","CreateFileMapping","C:\Windows\System32\rpcrt4.dll","FILE LOCKED WITH ONLY READERS","SyncType: SyncTypeCreateSection, PageProtection: "
"10:34:13.0684295 a.m.","xcopy.exe","4996","CreateFileMapping","C:\Windows\System32\rpcrt4.dll","SUCCESS","SyncType: SyncTypeOther"
"10:34:13.0685192 a.m.","xcopy.exe","4996","CreateFileMapping","C:\Windows\System32\ulib.dll","FILE LOCKED WITH ONLY READERS","SyncType: SyncTypeCreateSection, PageProtection: "
"10:34:13.0688218 a.m.","xcopy.exe","4996","CreateFileMapping","C:\Windows\System32\ulib.dll","SUCCESS","SyncType: SyncTypeOther"
"10:34:13.0688912 a.m.","xcopy.exe","4996","CreateFileMapping","C:\Windows\System32\user32.dll","FILE LOCKED WITH ONLY READERS","SyncType: SyncTypeCreateSection, PageProtection: "
"10:34:13.0689935 a.m.","xcopy.exe","4996","CreateFileMapping","C:\Windows\System32\user32.dll","SUCCESS","SyncType: SyncTypeOther"
"10:34:13.0690477 a.m.","xcopy.exe","4996","CreateFileMapping","C:\Windows\System32\gdi32.dll","FILE LOCKED WITH ONLY READERS","SyncType: SyncTypeCreateSection, PageProtection: "
"10:34:13.0691469 a.m.","xcopy.exe","4996","CreateFileMapping","C:\Windows\System32\gdi32.dll","SUCCESS","SyncType: SyncTypeOther"
"10:34:13.0691860 a.m.","xcopy.exe","4996","CreateFileMapping","C:\Windows\System32\lpk.dll","FILE LOCKED WITH ONLY READERS","SyncType: SyncTypeCreateSection, PageProtection: "
"10:34:13.0692896 a.m.","xcopy.exe","4996","CreateFileMapping","C:\Windows\System32\lpk.dll","SUCCESS","SyncType: SyncTypeOther"
"10:34:13.0693286 a.m.","xcopy.exe","4996","CreateFileMapping","C:\Windows\System32\usp10.dll","FILE LOCKED WITH ONLY READERS","SyncType: SyncTypeCreateSection, PageProtection: "
"10:34:13.0694201 a.m.","xcopy.exe","4996","CreateFileMapping","C:\Windows\System32\usp10.dll","SUCCESS","SyncType: SyncTypeOther"
"10:34:13.0694582 a.m.","xcopy.exe","4996","CreateFileMapping","C:\Windows\System32\ifsutil.dll","FILE LOCKED WITH ONLY READERS","SyncType: SyncTypeCreateSection, PageProtection: "
"10:34:13.0695991 a.m.","xcopy.exe","4996","CreateFileMapping","C:\Windows\System32\ifsutil.dll","SUCCESS","SyncType: SyncTypeOther"
"10:34:13.0696411 a.m.","xcopy.exe","4996","CreateFileMapping","C:\Windows\System32\cfgmgr32.dll","FILE LOCKED WITH ONLY READERS","SyncType: SyncTypeCreateSection, PageProtection: "
"10:34:13.0697335 a.m.","xcopy.exe","4996","CreateFileMapping","C:\Windows\System32\cfgmgr32.dll","SUCCESS","SyncType: SyncTypeOther"
"10:34:13.0697751 a.m.","xcopy.exe","4996","CreateFileMapping","C:\Windows\System32\setupapi.dll","FILE LOCKED WITH ONLY READERS","SyncType: SyncTypeCreateSection, PageProtection: "
"10:34:13.0698674 a.m.","xcopy.exe","4996","CreateFileMapping","C:\Windows\System32\setupapi.dll","SUCCESS","SyncType: SyncTypeOther"
"10:34:13.0699073 a.m.","xcopy.exe","4996","CreateFileMapping","C:\Windows\System32\oleaut32.dll","FILE LOCKED WITH ONLY READERS","SyncType: SyncTypeCreateSection, PageProtection: "
"10:34:13.0700044 a.m.","xcopy.exe","4996","CreateFileMapping","C:\Windows\System32\oleaut32.dll","SUCCESS","SyncType: SyncTypeOther"
"10:34:13.0701713 a.m.","xcopy.exe","4996","CreateFileMapping","C:\Windows\System32\ole32.dll","FILE LOCKED WITH ONLY READERS","SyncType: SyncTypeCreateSection, PageProtection: "
"10:34:13.0702741 a.m.","xcopy.exe","4996","CreateFileMapping","C:\Windows\System32\ole32.dll","SUCCESS","SyncType: SyncTypeOther"
"10:34:13.0703135 a.m.","xcopy.exe","4996","CreateFileMapping","C:\Windows\System32\devobj.dll","FILE LOCKED WITH ONLY READERS","SyncType: SyncTypeCreateSection, PageProtection: "
"10:34:13.0703929 a.m.","xcopy.exe","4996","CreateFileMapping","C:\Windows\System32\devobj.dll","SUCCESS","SyncType: SyncTypeOther"
"10:34:13.0704319 a.m.","xcopy.exe","4996","CreateFileMapping","C:\Windows\System32\imm32.dll","FILE LOCKED WITH ONLY READERS","SyncType: SyncTypeCreateSection, PageProtection: "
"10:34:13.0705264 a.m.","xcopy.exe","4996","CreateFileMapping","C:\Windows\System32\imm32.dll","SUCCESS","SyncType: SyncTypeOther"
"10:34:13.0705650 a.m.","xcopy.exe","4996","CreateFileMapping","C:\Windows\System32\msctf.dll","FILE LOCKED WITH ONLY READERS","SyncType: SyncTypeCreateSection, PageProtection: "
"10:34:13.0706872 a.m.","xcopy.exe","4996","CreateFileMapping","C:\Windows\System32\msctf.dll","SUCCESS","SyncType: SyncTypeOther"
"10:34:13.0709174 a.m.","xcopy.exe","4996","CloseFile","C:\Windows\System32\ntdll.dll","SUCCESS",""
"10:34:13.0712322 a.m.","xcopy.exe","4996","CloseFile","C:\Windows\System32\kernel32.dll","SUCCESS",""
"10:34:13.0714069 a.m.","xcopy.exe","4996","CloseFile","C:\Windows\System32\apisetschema.dll","SUCCESS",""
"10:34:13.0715638 a.m.","xcopy.exe","4996","CloseFile","C:\Windows\System32\KernelBase.dll","SUCCESS",""
"10:34:13.0717064 a.m.","xcopy.exe","4996","CloseFile","C:\Windows\System32\xcopy.exe","SUCCESS",""
"10:34:13.0718374 a.m.","xcopy.exe","4996","CloseFile","C:\Windows\System32\advapi32.dll","SUCCESS",""
"10:34:13.0719050 a.m.","xcopy.exe","4996","CloseFile","C:\Windows\System32\msvcrt.dll","SUCCESS",""
"10:34:13.0719817 a.m.","xcopy.exe","4996","CloseFile","C:\Windows\System32\sechost.dll","SUCCESS",""
"10:34:13.0720463 a.m.","xcopy.exe","4996","CloseFile","C:\Windows\System32\rpcrt4.dll","SUCCESS",""
"10:34:13.0721126 a.m.","xcopy.exe","4996","CloseFile","C:\Windows\System32\ulib.dll","SUCCESS",""
"10:34:13.0721781 a.m.","xcopy.exe","4996","CloseFile","C:\Windows\System32\user32.dll","SUCCESS",""
"10:34:13.0722444 a.m.","xcopy.exe","4996","CloseFile","C:\Windows\System32\gdi32.dll","SUCCESS",""
"10:34:13.0723086 a.m.","xcopy.exe","4996","CloseFile","C:\Windows\System32\lpk.dll","SUCCESS",""
"10:34:13.0724278 a.m.","xcopy.exe","4996","CloseFile","C:\Windows\System32\usp10.dll","SUCCESS",""
"10:34:13.0725197 a.m.","xcopy.exe","4996","CloseFile","C:\Windows\System32\ifsutil.dll","SUCCESS",""
"10:34:13.0725926 a.m.","xcopy.exe","4996","CloseFile","C:\Windows\System32\cfgmgr32.dll","SUCCESS",""
"10:34:13.0726654 a.m.","xcopy.exe","4996","CloseFile","C:\Windows\System32\setupapi.dll","SUCCESS",""
"10:34:13.0727404 a.m.","xcopy.exe","4996","CloseFile","C:\Windows\System32\oleaut32.dll","SUCCESS",""
"10:34:13.0728314 a.m.","xcopy.exe","4996","CloseFile","C:\Windows\System32\ole32.dll","SUCCESS",""
"10:34:13.0729012 a.m.","xcopy.exe","4996","CloseFile","C:\Windows\System32\devobj.dll","SUCCESS",""
"10:34:13.0729701 a.m.","xcopy.exe","4996","CloseFile","C:\Windows\System32\imm32.dll","SUCCESS",""
"10:34:13.0730399 a.m.","xcopy.exe","4996","CloseFile","C:\Windows\System32\msctf.dll","SUCCESS",""
"10:34:13.0731106 a.m.","xcopy.exe","4996","CloseFile","C:","SUCCESS",""
"10:34:13.0742972 a.m.","xcopy.exe","4996","RegOpenKey","HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options","SUCCESS","Desired Access: Query Value, Enumerate Sub Keys"
"10:34:13.0744259 a.m.","xcopy.exe","4996","RegQueryValue","HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DisableUserModeCallbackFilter","NAME NOT FOUND","Length: 1,024"
"10:34:13.0745234 a.m.","xcopy.exe","4996","RegOpenKey","HKLM\System\CurrentControlSet\Control\Session Manager","REPARSE","Desired Access: Read"
"10:34:13.0745612 a.m.","xcopy.exe","4996","RegOpenKey","HKLM\System\CurrentControlSet\Control\Session Manager","SUCCESS","Desired Access: Read"
"10:34:13.0746474 a.m.","xcopy.exe","4996","RegQueryValue","HKLM\System\CurrentControlSet\Control\SESSION MANAGER\CWDIllegalInDLLSearch","NAME NOT FOUND","Length: 1,024"
"10:34:13.0747103 a.m.","xcopy.exe","4996","RegCloseKey","HKLM\System\CurrentControlSet\Control\SESSION MANAGER","SUCCESS",""
"10:34:13.0755973 a.m.","xcopy.exe","4996","CreateFile","C:\my\commands","SUCCESS","Desired Access: Execute/Traverse, Synchronize, Disposition: Open, Options: Directory, Synchronous IO Non-Alert, Attributes: n/a, ShareMode: Read, Write, AllocationSize: n/a, OpenResult: Opened"
"10:34:13.0764838 a.m.","xcopy.exe","4996","Load Image","C:\Windows\System32\kernel32.dll","SUCCESS","Image Base: 0x77570000, Image Size: 0x11f000"
"10:34:13.0786263 a.m.","xcopy.exe","4996","Load Image","C:\Windows\System32\KernelBase.dll","SUCCESS","Image Base: 0x7fefd6d0000, Image Size: 0x6c000"
"10:34:13.0851625 a.m.","xcopy.exe","4996","RegOpenKey","HKLM\System\CurrentControlSet\Control\SafeBoot\Option","REPARSE","Desired Access: Query Value, Set Value"
"10:34:13.0853549 a.m.","xcopy.exe","4996","RegOpenKey","HKLM\System\CurrentControlSet\Control\SafeBoot\Option","NAME NOT FOUND","Desired Access: Query Value, Set Value"
"10:34:13.0854148 a.m.","xcopy.exe","4996","RegOpenKey","HKLM\System\CurrentControlSet\Control\Srp\GP\DLL","REPARSE","Desired Access: Read"
"10:34:13.0854872 a.m.","xcopy.exe","4996","RegOpenKey","HKLM\System\CurrentControlSet\Control\Srp\GP\DLL","NAME NOT FOUND","Desired Access: Read"
"10:34:13.0855448 a.m.","xcopy.exe","4996","RegOpenKey","HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers","SUCCESS","Desired Access: Query Value"
"10:34:13.0857586 a.m.","xcopy.exe","4996","RegQueryValue","HKLM\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\TransparentEnabled","NAME NOT FOUND","Length: 80"
"10:34:13.0857759 a.m.","xcopy.exe","4996","RegCloseKey","HKLM\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers","SUCCESS",""
"10:34:13.0858106 a.m.","xcopy.exe","4996","RegOpenKey","HKCU\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers","NAME NOT FOUND","Desired Access: Query Value"
"10:34:13.0865939 a.m.","xcopy.exe","4996","Load Image","C:\Windows\System32\advapi32.dll","SUCCESS","Image Base: 0x7fefed60000, Image Size: 0xdb000"
"10:34:13.0872780 a.m.","xcopy.exe","4996","Load Image","C:\Windows\System32\msvcrt.dll","SUCCESS","Image Base: 0x7fefdd20000, Image Size: 0x9f000"
"10:34:13.0881802 a.m.","xcopy.exe","4996","CreateFile","C:\Windows\System32\sechost.dll","SUCCESS","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
"10:34:13.0882964 a.m.","xcopy.exe","4996","QueryBasicInformationFile","C:\Windows\System32\sechost.dll","SUCCESS","CreationTime: 14/07/2009 11:20:52 a.m., LastAccessTime: 14/07/2009 11:20:52 a.m., LastWriteTime: 14/07/2009 1:41:53 p.m., ChangeTime: 17/06/2011 5:50:13 p.m., FileAttributes: A"
"10:34:13.0888578 a.m.","xcopy.exe","4996","CloseFile","C:\Windows\System32\sechost.dll","SUCCESS",""
"10:34:13.0891179 a.m.","xcopy.exe","4996","CreateFile","C:\Windows\System32\sechost.dll","SUCCESS","Desired Access: Read Data/List Directory, Execute/Traverse, Synchronize, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, Delete, AllocationSize: n/a, OpenResult: Opened"
"10:34:13.0895319 a.m.","xcopy.exe","4996","CreateFileMapping","C:\Windows\System32\sechost.dll","FILE LOCKED WITH ONLY READERS","SyncType: SyncTypeCreateSection, PageProtection: "
"10:34:13.0896151 a.m.","xcopy.exe","4996","CreateFileMapping","C:\Windows\System32\sechost.dll","SUCCESS","SyncType: SyncTypeOther"
"10:34:13.0900816 a.m.","xcopy.exe","4996","Load Image","C:\Windows\System32\sechost.dll","SUCCESS","Image Base: 0x7fefefa0000, Image Size: 0x1f000"
"10:34:13.0901068 a.m.","xcopy.exe","4996","CloseFile","C:\Windows\System32\sechost.dll","SUCCESS",""
"10:34:13.0908329 a.m.","xcopy.exe","4996","Load Image","C:\Windows\System32\rpcrt4.dll","SUCCESS","Image Base: 0x7fefec30000, Image Size: 0x12d000"
"10:34:13.1449535 a.m.","xcopy.exe","4996","CreateFile","C:\Windows\System32\ulib.dll","SUCCESS","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
"10:34:13.1455180 a.m.","xcopy.exe","4996","QueryBasicInformationFile","C:\Windows\System32\ulib.dll","SUCCESS","CreationTime: 14/07/2009 11:25:05 a.m., LastAccessTime: 14/07/2009 11:25:05 a.m., LastWriteTime: 14/07/2009 1:41:55 p.m., ChangeTime: 17/06/2011 5:50:20 p.m., FileAttributes: A"
"10:34:13.1457222 a.m.","xcopy.exe","4996","CloseFile","C:\Windows\System32\ulib.dll","SUCCESS",""
"10:34:13.1463274 a.m.","xcopy.exe","4996","CreateFile","C:\Windows\System32\ulib.dll","SUCCESS","Desired Access: Read Data/List Directory, Execute/Traverse, Synchronize, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, Delete, AllocationSize: n/a, OpenResult: Opened"
"10:34:13.1469057 a.m.","xcopy.exe","4996","CreateFileMapping","C:\Windows\System32\ulib.dll","FILE LOCKED WITH ONLY READERS","SyncType: SyncTypeCreateSection, PageProtection: "
"10:34:13.1472130 a.m.","xcopy.exe","4996","CreateFileMapping","C:\Windows\System32\ulib.dll","SUCCESS","SyncType: SyncTypeOther"
"10:34:13.1482743 a.m.","xcopy.exe","4996","Load Image","C:\Windows\System32\ulib.dll","SUCCESS","Image Base: 0x7fef2240000, Image Size: 0x28000"
"10:34:13.1483055 a.m.","xcopy.exe","4996","CloseFile","C:\Windows\System32\ulib.dll","SUCCESS",""
"10:34:13.1511282 a.m.","xcopy.exe","4996","Load Image","C:\Windows\System32\user32.dll","SUCCESS","Image Base: 0x778a0000, Image Size: 0xfa000"
"10:34:13.1525193 a.m.","xcopy.exe","4996","Load Image","C:\Windows\System32\gdi32.dll","SUCCESS","Image Base: 0x7fefd8e0000, Image Size: 0x67000"
"10:34:13.1533942 a.m.","xcopy.exe","4996","Load Image","C:\Windows\System32\lpk.dll","SUCCESS","Image Base: 0x7fefd740000, Image Size: 0xe000"
"10:34:13.1559701 a.m.","xcopy.exe","4996","Load Image","C:\Windows\System32\usp10.dll","SUCCESS","Image Base: 0x7fefdc50000, Image Size: 0xc9000"
"10:34:13.1569234 a.m.","xcopy.exe","4996","CreateFile","C:\Windows\System32\ifsutil.dll","SUCCESS","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
"10:34:13.1571302 a.m.","xcopy.exe","4996","QueryBasicInformationFile","C:\Windows\System32\ifsutil.dll","SUCCESS","CreationTime: 21/11/2010 3:23:48 p.m., LastAccessTime: 21/11/2010 3:23:48 p.m., LastWriteTime: 21/11/2010 3:23:48 p.m., ChangeTime: 17/06/2011 5:49:36 p.m., FileAttributes: A"
"10:34:13.1572035 a.m.","xcopy.exe","4996","CloseFile","C:\Windows\System32\ifsutil.dll","SUCCESS",""
"10:34:13.1574198 a.m.","xcopy.exe","4996","CreateFile","C:\Windows\System32\ifsutil.dll","SUCCESS","Desired Access: Read Data/List Directory, Execute/Traverse, Synchronize, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, Delete, AllocationSize: n/a, OpenResult: Opened"
"10:34:13.1578646 a.m.","xcopy.exe","4996","CreateFileMapping","C:\Windows\System32\ifsutil.dll","FILE LOCKED WITH ONLY READERS","SyncType: SyncTypeCreateSection, PageProtection: "
"10:34:13.1580645 a.m.","xcopy.exe","4996","CreateFileMapping","C:\Windows\System32\ifsutil.dll","SUCCESS","SyncType: SyncTypeOther"
"10:34:13.1586176 a.m.","xcopy.exe","4996","Load Image","C:\Windows\System32\ifsutil.dll","SUCCESS","Image Base: 0x7fef2270000, Image Size: 0x30000"
"10:34:13.1586415 a.m.","xcopy.exe","4996","CloseFile","C:\Windows\System32\ifsutil.dll","SUCCESS",""
"10:34:13.1596412 a.m.","xcopy.exe","4996","Load Image","C:\Windows\System32\cfgmgr32.dll","SUCCESS","Image Base: 0x7fefd590000, Image Size: 0x36000"
"10:34:13.1602880 a.m.","xcopy.exe","4996","Load Image","C:\Windows\System32\setupapi.dll","SUCCESS","Image Base: 0x7fefefc0000, Image Size: 0x1d7000"
"10:34:13.1611477 a.m.","xcopy.exe","4996","Load Image","C:\Windows\System32\oleaut32.dll","SUCCESS","Image Base: 0x7fefd950000, Image Size: 0xd7000"
"10:34:13.1616419 a.m.","xcopy.exe","4996","Load Image","C:\Windows\System32\ole32.dll","SUCCESS","Image Base: 0x7fefda40000, Image Size: 0x203000"
"10:34:13.1635455 a.m.","xcopy.exe","4996","Load Image","C:\Windows\System32\devobj.dll","SUCCESS","Image Base: 0x7fefd610000, Image Size: 0x1a000"
"10:34:13.1672893 a.m.","xcopy.exe","4996","RegOpenKey","HKLM\System\CurrentControlSet\Control\Nls\Sorting\Versions","REPARSE","Desired Access: Read"
"10:34:13.1674042 a.m.","xcopy.exe","4996","RegOpenKey","HKLM\System\CurrentControlSet\Control\Nls\Sorting\Versions","SUCCESS","Desired Access: Read"
"10:34:13.1674745 a.m.","xcopy.exe","4996","RegQueryValue","HKLM\System\CurrentControlSet\Control\Nls\Sorting\Versions\(Default)","SUCCESS","Type: REG_SZ, Length: 36, Data: 00060101.00060101"
"10:34:13.1683159 a.m.","xcopy.exe","4996","RegOpenKey","HKLM","SUCCESS","Desired Access: Maximum Allowed, Granted Access: Read"
"10:34:13.1684083 a.m.","xcopy.exe","4996","RegQueryKey","HKLM","SUCCESS","Query: HandleTags, HandleTags: 0x0"
"10:34:13.1684278 a.m.","xcopy.exe","4996","RegOpenKey","HKLM\Software\Microsoft\Windows NT\CurrentVersion\Diagnostics","NAME NOT FOUND","Desired Access: Read"
"10:34:13.1688986 a.m.","xcopy.exe","4996","RegOpenKey","HKLM\System\CurrentControlSet\Control\Session Manager","REPARSE","Desired Access: Query Value"
"10:34:13.1689233 a.m.","xcopy.exe","4996","RegOpenKey","HKLM\System\CurrentControlSet\Control\Session Manager","SUCCESS","Desired Access: Query Value"
"10:34:13.1689567 a.m.","xcopy.exe","4996","RegQueryValue","HKLM\System\CurrentControlSet\Control\SESSION MANAGER\SafeDllSearchMode","NAME NOT FOUND","Length: 16"
"10:34:13.1711563 a.m.","xcopy.exe","4996","CreateFile","C:\Windows\System32\imm32.dll","SUCCESS","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
"10:34:13.1713068 a.m.","xcopy.exe","4996","QueryBasicInformationFile","C:\Windows\System32\imm32.dll","SUCCESS","CreationTime: 14/07/2009 11:38:08 a.m., LastAccessTime: 14/07/2009 11:38:08 a.m., LastWriteTime: 14/07/2009 1:41:09 p.m., ChangeTime: 17/06/2011 5:49:38 p.m., FileAttributes: A"
"10:34:13.1715734 a.m.","xcopy.exe","4996","CloseFile","C:\Windows\System32\imm32.dll","SUCCESS",""
"10:34:13.1719193 a.m.","xcopy.exe","4996","CreateFile","C:\Windows\System32\imm32.dll","SUCCESS","Desired Access: Read Data/List Directory, Synchronize, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, Delete, AllocationSize: n/a, OpenResult: Opened"
"10:34:13.1724773 a.m.","xcopy.exe","4996","CreateFileMapping","C:\Windows\System32\imm32.dll","FILE LOCKED WITH ONLY READERS","SyncType: SyncTypeCreateSection, PageProtection: "
"10:34:13.1724946 a.m.","xcopy.exe","4996","QueryStandardInformationFile","C:\Windows\System32\imm32.dll","SUCCESS","AllocationSize: 167,936, EndOfFile: 167,424, NumberOfLinks: 2, DeletePending: False, Directory: False"
"10:34:13.1725306 a.m.","xcopy.exe","4996","CreateFileMapping","C:\Windows\System32\imm32.dll","SUCCESS","SyncType: SyncTypeOther"
"10:34:13.1727829 a.m.","xcopy.exe","4996","CloseFile","C:\Windows\System32\imm32.dll","SUCCESS",""
"10:34:13.1730057 a.m.","xcopy.exe","4996","CreateFile","C:\Windows\System32\imm32.dll","SUCCESS","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
"10:34:13.1731224 a.m.","xcopy.exe","4996","QueryBasicInformationFile","C:\Windows\System32\imm32.dll","SUCCESS","CreationTime: 14/07/2009 11:38:08 a.m., LastAccessTime: 14/07/2009 11:38:08 a.m., LastWriteTime: 14/07/2009 1:41:09 p.m., ChangeTime: 17/06/2011 5:49:38 p.m., FileAttributes: A"
"10:34:13.1731449 a.m.","xcopy.exe","4996","CloseFile","C:\Windows\System32\imm32.dll","SUCCESS",""
"10:34:13.1732641 a.m.","xcopy.exe","4996","CreateFile","C:\Windows\System32\imm32.dll","SUCCESS","Desired Access: Read Data/List Directory, Synchronize, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, Delete, AllocationSize: n/a, OpenResult: Opened"
"10:34:13.1736729 a.m.","xcopy.exe","4996","CreateFileMapping","C:\Windows\System32\imm32.dll","FILE LOCKED WITH ONLY READERS","SyncType: SyncTypeCreateSection, PageProtection: "
"10:34:13.1736894 a.m.","xcopy.exe","4996","QueryStandardInformationFile","C:\Windows\System32\imm32.dll","SUCCESS","AllocationSize: 167,936, EndOfFile: 167,424, NumberOfLinks: 2, DeletePending: False, Directory: False"
"10:34:13.1737232 a.m.","xcopy.exe","4996","CreateFileMapping","C:\Windows\System32\imm32.dll","SUCCESS","SyncType: SyncTypeOther"
"10:34:13.1740471 a.m.","xcopy.exe","4996","CloseFile","C:\Windows\System32\imm32.dll","SUCCESS",""
"10:34:13.1743002 a.m.","xcopy.exe","4996","CreateFile","C:\Windows\System32\imm32.dll","SUCCESS","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
"10:34:13.1743978 a.m.","xcopy.exe","4996","QueryBasicInformationFile","C:\Windows\System32\imm32.dll","SUCCESS","CreationTime: 14/07/2009 11:38:08 a.m., LastAccessTime: 14/07/2009 11:38:08 a.m., LastWriteTime: 14/07/2009 1:41:09 p.m., ChangeTime: 17/06/2011 5:49:38 p.m., FileAttributes: A"
"10:34:13.1744173 a.m.","xcopy.exe","4996","CloseFile","C:\Windows\System32\imm32.dll","SUCCESS",""
"10:34:13.1745291 a.m.","xcopy.exe","4996","CreateFile","C:\Windows\System32\imm32.dll","SUCCESS","Desired Access: Read Data/List Directory, Execute/Traverse, Synchronize, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, Delete, AllocationSize: n/a, OpenResult: Opened"
"10:34:13.1748387 a.m.","xcopy.exe","4996","CreateFileMapping","C:\Windows\System32\imm32.dll","FILE LOCKED WITH ONLY READERS","SyncType: SyncTypeCreateSection, PageProtection: "
"10:34:13.1749089 a.m.","xcopy.exe","4996","CreateFileMapping","C:\Windows\System32\imm32.dll","SUCCESS","SyncType: SyncTypeOther"
"10:34:13.1761917 a.m.","xcopy.exe","4996","Load Image","C:\Windows\System32\imm32.dll","SUCCESS","Image Base: 0x7fefee40000, Image Size: 0x2e000"
"10:34:13.1762519 a.m.","xcopy.exe","4996","CloseFile","C:\Windows\System32\imm32.dll","SUCCESS",""
"10:34:13.1778997 a.m.","xcopy.exe","4996","Load Image","C:\Windows\System32\msctf.dll","SUCCESS","Image Base: 0x7fefee90000, Image Size: 0x109000"
"10:34:13.1791153 a.m.","xcopy.exe","4996","RegOpenKey","HKLM\System\CurrentControlSet\Control\Error Message Instrument","REPARSE","Desired Access: Read"
"10:34:13.1792003 a.m.","xcopy.exe","4996","RegOpenKey","HKLM\System\CurrentControlSet\Control\Error Message Instrument","NAME NOT FOUND","Desired Access: Read"
"10:34:13.1793616 a.m.","xcopy.exe","4996","RegOpenKey","HKLM\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize","SUCCESS","Desired Access: Read"
"10:34:13.1794487 a.m.","xcopy.exe","4996","RegQueryValue","HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles","NAME NOT FOUND","Length: 20"
"10:34:13.1795272 a.m.","xcopy.exe","4996","RegCloseKey","HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize","SUCCESS",""
"10:34:13.1802234 a.m.","xcopy.exe","4996","RegOpenKey","HKLM\Software\Microsoft\Windows NT\CurrentVersion\Compatibility32","SUCCESS","Desired Access: Read"
"10:34:13.1802915 a.m.","xcopy.exe","4996","RegQueryValue","HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Compatibility32\xcopy","NAME NOT FOUND","Length: 172"
"10:34:13.1803283 a.m.","xcopy.exe","4996","RegCloseKey","HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Compatibility32","SUCCESS",""
"10:34:13.1804410 a.m.","xcopy.exe","4996","RegOpenKey","HKLM\Software\Microsoft\Windows NT\CurrentVersion\IME Compatibility","NAME NOT FOUND","Desired Access: Read"
"10:34:13.1810675 a.m.","xcopy.exe","4996","RegOpenKey","HKCU","SUCCESS","Desired Access: Maximum Allowed, Granted Access: All Access"
"10:34:13.1812708 a.m.","xcopy.exe","4996","RegOpenKey","HKCU\Control Panel\Desktop\MuiCached\MachineLanguageConfiguration","NAME NOT FOUND","Desired Access: Read"
"10:34:13.1814134 a.m.","xcopy.exe","4996","RegCloseKey","HKCU","SUCCESS",""
"10:34:13.1815079 a.m.","xcopy.exe","4996","RegOpenKey","HKLM\Software\Policies\Microsoft\MUI\Settings","NAME NOT FOUND","Desired Access: Read"
"10:34:13.1816232 a.m.","xcopy.exe","4996","RegOpenKey","HKCU","SUCCESS","Desired Access: Maximum Allowed, Granted Access: All Access"
"10:34:13.1817095 a.m.","xcopy.exe","4996","RegOpenKey","HKCU\Software\Policies\Microsoft\Control Panel\Desktop","NAME NOT FOUND","Desired Access: Read"
"10:34:13.1818079 a.m.","xcopy.exe","4996","RegOpenKey","HKCU\Control Panel\Desktop\LanguageConfiguration","SUCCESS","Desired Access: Read"
"10:34:13.1819206 a.m.","xcopy.exe","4996","RegEnumValue","HKCU\Control Panel\Desktop\LanguageConfiguration","NO MORE ENTRIES","Index: 0, Length: 512"
"10:34:13.1819887 a.m.","xcopy.exe","4996","RegCloseKey","HKCU\Control Panel\Desktop\LanguageConfiguration","SUCCESS",""
"10:34:13.1820433 a.m.","xcopy.exe","4996","RegCloseKey","HKCU","SUCCESS",""
"10:34:13.1821049 a.m.","xcopy.exe","4996","RegOpenKey","HKLM\Software\Policies\Microsoft\MUI\Settings","NAME NOT FOUND","Desired Access: Read"
"10:34:13.1821370 a.m.","xcopy.exe","4996","RegOpenKey","HKCU","SUCCESS","Desired Access: Maximum Allowed, Granted Access: All Access"
"10:34:13.1821651 a.m.","xcopy.exe","4996","RegOpenKey","HKCU\Software\Policies\Microsoft\Control Panel\Desktop","NAME NOT FOUND","Desired Access: Read"
"10:34:13.1821899 a.m.","xcopy.exe","4996","RegOpenKey","HKCU\Control Panel\Desktop","SUCCESS","Desired Access: Read"
"10:34:13.1822159 a.m.","xcopy.exe","4996","RegQueryValue","HKCU\Control Panel\Desktop\PreferredUILanguages","NAME NOT FOUND","Length: 12"
"10:34:13.1822675 a.m.","xcopy.exe","4996","RegCloseKey","HKCU\Control Panel\Desktop","SUCCESS",""
"10:34:13.1822887 a.m.","xcopy.exe","4996","RegCloseKey","HKCU","SUCCESS",""
"10:34:13.1823130 a.m.","xcopy.exe","4996","RegOpenKey","HKLM\Software\Policies\Microsoft\MUI\Settings","NAME NOT FOUND","Desired Access: Read"
"10:34:13.1823446 a.m.","xcopy.exe","4996","RegOpenKey","HKCU","SUCCESS","Desired Access: Maximum Allowed, Granted Access: All Access"
"10:34:13.1823719 a.m.","xcopy.exe","4996","RegOpenKey","HKCU\Control Panel\Desktop\MuiCached","SUCCESS","Desired Access: Read"
"10:34:13.1824175 a.m.","xcopy.exe","4996","RegQueryValue","HKCU\Control Panel\Desktop\MuiCached\MachinePreferredUILanguages","BUFFER OVERFLOW","Length: 12"
"10:34:13.1824413 a.m.","xcopy.exe","4996","RegQueryValue","HKCU\Control Panel\Desktop\MuiCached\MachinePreferredUILanguages","SUCCESS","Type: REG_MULTI_SZ, Length: 12, Data: en-US"
"10:34:13.1824677 a.m.","xcopy.exe","4996","RegCloseKey","HKCU\Control Panel\Desktop\MuiCached","SUCCESS",""
"10:34:13.1824890 a.m.","xcopy.exe","4996","RegCloseKey","HKCU","SUCCESS",""
"10:34:13.1831796 a.m.","xcopy.exe","4996","RegQueryKey","HKLM","SUCCESS","Query: HandleTags, HandleTags: 0x0"
"10:34:13.1832043 a.m.","xcopy.exe","4996","RegOpenKey","HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows","SUCCESS","Desired Access: Read"
"10:34:13.1832554 a.m.","xcopy.exe","4996","RegQueryValue","HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\LoadAppInit_DLLs","SUCCESS","Type: REG_DWORD, Length: 4, Data: 0"
"10:34:13.1832901 a.m.","xcopy.exe","4996","RegCloseKey","HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows","SUCCESS",""
"10:34:13.1858267 a.m.","xcopy.exe","4996","ReadFile","C:\Windows\System32\ulib.dll","SUCCESS","Offset: 133,632, Length: 1,024, I/O Flags: Non-cached, Paging I/O, Synchronous Paging I/O, Priority: Normal"
"10:34:13.1999096 a.m.","xcopy.exe","4996","RegOpenKey","HKLM\System\CurrentControlSet\Control\Nls\CustomLocale","REPARSE","Desired Access: Read"
"10:34:13.2003496 a.m.","xcopy.exe","4996","RegOpenKey","HKLM\System\CurrentControlSet\Control\Nls\CustomLocale","SUCCESS","Desired Access: Read"
"10:34:13.2005754 a.m.","xcopy.exe","4996","RegQueryValue","HKLM\System\CurrentControlSet\Control\Nls\CustomLocale\en-NZ","NAME NOT FOUND","Length: 532"
"10:34:13.2008685 a.m.","xcopy.exe","4996","RegCloseKey","HKLM\System\CurrentControlSet\Control\Nls\CustomLocale","SUCCESS",""
"10:34:13.2009569 a.m.","xcopy.exe","4996","RegOpenKey","HKLM\System\CurrentControlSet\Control\Nls\ExtendedLocale","REPARSE","Desired Access: Read"
"10:34:13.2010315 a.m.","xcopy.exe","4996","RegOpenKey","HKLM\System\CurrentControlSet\Control\Nls\ExtendedLocale","SUCCESS","Desired Access: Read"
"10:34:13.2011204 a.m.","xcopy.exe","4996","RegQueryValue","HKLM\System\CurrentControlSet\Control\Nls\ExtendedLocale\en-NZ","NAME NOT FOUND","Length: 532"
"10:34:13.2011819 a.m.","xcopy.exe","4996","RegCloseKey","HKLM\System\CurrentControlSet\Control\Nls\ExtendedLocale","SUCCESS",""
"10:34:13.2015643 a.m.","xcopy.exe","4996","RegOpenKey","HKLM\System\CurrentControlSet\Control\Nls\Locale","REPARSE","Desired Access: Read"
"10:34:13.2017104 a.m.","xcopy.exe","4996","RegOpenKey","HKLM\System\CurrentControlSet\Control\Nls\Locale","SUCCESS","Desired Access: Read"
"10:34:13.2017915 a.m.","xcopy.exe","4996","RegOpenKey","HKLM\System\CurrentControlSet\Control\Nls\Locale\Alternate Sorts","REPARSE","Desired Access: Read"
"10:34:13.2018136 a.m.","xcopy.exe","4996","RegOpenKey","HKLM\System\CurrentControlSet\Control\Nls\Locale\Alternate Sorts","SUCCESS","Desired Access: Read"
"10:34:13.2018682 a.m.","xcopy.exe","4996","RegOpenKey","HKLM\System\CurrentControlSet\Control\Nls\Language Groups","REPARSE","Desired Access: Read"
"10:34:13.2019024 a.m.","xcopy.exe","4996","RegOpenKey","HKLM\System\CurrentControlSet\Control\Nls\Language Groups","SUCCESS","Desired Access: Read"
"10:34:13.2019722 a.m.","xcopy.exe","4996","RegQueryValue","HKLM\System\CurrentControlSet\Control\Nls\Locale\00001409","SUCCESS","Type: REG_SZ, Length: 4, Data: 1"
"10:34:13.2020290 a.m.","xcopy.exe","4996","RegQueryValue","HKLM\System\CurrentControlSet\Control\Nls\Language Groups\1","SUCCESS","Type: REG_SZ, Length: 4, Data: 1"
"10:34:13.2026169 a.m.","xcopy.exe","4996","RegQueryValue","HKLM\System\CurrentControlSet\Control\Nls\Locale\00001409","SUCCESS","Type: REG_SZ, Length: 4, Data: 1"
"10:34:13.2026438 a.m.","xcopy.exe","4996","RegQueryValue","HKLM\System\CurrentControlSet\Control\Nls\Language Groups\1","SUCCESS","Type: REG_SZ, Length: 4, Data: 1"
"10:34:13.2033686 a.m.","xcopy.exe","4996","RegQueryKey","HKLM","SUCCESS","Query: HandleTags, HandleTags: 0x0"
"10:34:13.2034540 a.m.","xcopy.exe","4996","RegOpenKey","HKLM\SOFTWARE\Microsoft\OLE","SUCCESS","Desired Access: Read"
"10:34:13.2042348 a.m.","xcopy.exe","4996","RegQueryValue","HKLM\SOFTWARE\Microsoft\OLE\PageAllocatorUseSystemHeap","NAME NOT FOUND","Length: 144"
"10:34:13.2042959 a.m.","xcopy.exe","4996","RegCloseKey","HKLM\SOFTWARE\Microsoft\OLE","SUCCESS",""
"10:34:13.2043804 a.m.","xcopy.exe","4996","RegQueryKey","HKLM","SUCCESS","Query: HandleTags, HandleTags: 0x0"
"10:34:13.2044342 a.m.","xcopy.exe","4996","RegOpenKey","HKLM\SOFTWARE\Microsoft\OLE","SUCCESS","Desired Access: Read"
"10:34:13.2044880 a.m.","xcopy.exe","4996","RegQueryValue","HKLM\SOFTWARE\Microsoft\OLE\PageAllocatorSystemHeapIsPrivate","NAME NOT FOUND","Length: 144"
"10:34:13.2261566 a.m.","xcopy.exe","4996","RegCloseKey","HKLM\SOFTWARE\Microsoft\OLE","SUCCESS",""
"10:34:13.2267965 a.m.","xcopy.exe","4996","RegQueryKey","HKLM","SUCCESS","Query: HandleTags, HandleTags: 0x0"
"10:34:13.2268307 a.m.","xcopy.exe","4996","RegOpenKey","HKLM\Software\Microsoft\OLE\Tracing","NAME NOT FOUND","Desired Access: Read"
"10:34:13.2288938 a.m.","xcopy.exe","4996","RegQueryKey","HKLM","SUCCESS","Query: HandleTags, HandleTags: 0x0"
"10:34:13.2289498 a.m.","xcopy.exe","4996","RegOpenKey","HKLM\SOFTWARE\Microsoft\OLEAUT","NAME NOT FOUND","Desired Access: Query Value"
"10:34:13.2290026 a.m.","xcopy.exe","4996","RegQueryKey","HKLM","SUCCESS","Query: HandleTags, HandleTags: 0x0"
"10:34:13.2290208 a.m.","xcopy.exe","4996","RegOpenKey","HKLM\SOFTWARE\Microsoft\OLEAUT","NAME NOT FOUND","Desired Access: Query Value"
"10:34:13.2302035 a.m.","xcopy.exe","4996","RegOpenKey","HKLM\Software\Microsoft\Windows\Windows Error Reporting\WMR","SUCCESS","Desired Access: Query Value"
"10:34:13.2303396 a.m.","xcopy.exe","4996","RegQueryValue","HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting\WMR\Disable","SUCCESS","Type: REG_DWORD, Length: 4, Data: 1"
"10:34:13.2303622 a.m.","xcopy.exe","4996","RegCloseKey","HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting\WMR","SUCCESS",""
"10:34:13.2304085 a.m.","xcopy.exe","4996","RegQueryKey","HKLM","SUCCESS","Query: HandleTags, HandleTags: 0x0"
"10:34:13.2304289 a.m.","xcopy.exe","4996","RegOpenKey","HKLM\Software\Microsoft\Windows\CurrentVersion\Setup","SUCCESS","Desired Access: Read"
"10:34:13.2305395 a.m.","xcopy.exe","4996","RegQueryValue","HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\SourcePath","NAME NOT FOUND","Length: 144"
"10:34:13.2415825 a.m.","xcopy.exe","4996","RegCloseKey","HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup","SUCCESS",""
"10:34:13.2634267 a.m.","xcopy.exe","4996","RegQueryKey","HKLM","SUCCESS","Query: HandleTags, HandleTags: 0x0"
"10:34:13.2634996 a.m.","xcopy.exe","4996","RegOpenKey","HKLM\Software\Microsoft\Windows\CurrentVersion","SUCCESS","Desired Access: Read"
"10:34:13.2636587 a.m.","xcopy.exe","4996","RegQueryValue","HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\DevicePath","SUCCESS","Type: REG_EXPAND_SZ, Length: 34, Data: %SystemRoot%\inf"
"10:34:13.2640770 a.m.","xcopy.exe","4996","RegCloseKey","HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion","SUCCESS",""
"10:34:13.2648491 a.m.","xcopy.exe","4996","ReadFile","C:\Windows\System32\ifsutil.dll","SUCCESS","Offset: 173,056, Length: 5,632, I/O Flags: Non-cached, Paging I/O, Synchronous Paging I/O, Priority: Normal"
"10:34:13.2880606 a.m.","xcopy.exe","4996","ReadFile","C:\Windows\System32\ifsutil.dll","SUCCESS","Offset: 144,384, Length: 27,648, I/O Flags: Non-cached, Paging I/O, Synchronous Paging I/O, Priority: Normal"
"10:34:13.3503791 a.m.","xcopy.exe","4996","RegQueryValue","HKLM\System\CurrentControlSet\Control\WMI\Security\6b1db052-734f-4e23-af5e-6cd8ae459f98","NAME NOT FOUND","Length: 524"
"10:34:13.3515050 a.m.","xcopy.exe","4996","QueryNameInformationFile","C:\Windows\System32\xcopy.exe","SUCCESS","Name: \Windows\System32\xcopy.exe"
"10:34:13.3541807 a.m.","xcopy.exe","4996","CreateFile","C:\Windows\Globalization\Sorting\SortDefault.nls","SUCCESS","Desired Access: Generic Read, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Disallow Exclusive, Attributes: N, ShareMode: Read, AllocationSize: n/a, OpenResult: Opened"
"10:34:13.3542544 a.m.","xcopy.exe","4996","CreateFileMapping","C:\Windows\Globalization\Sorting\SortDefault.nls","FILE LOCKED WITH ONLY READERS","SyncType: SyncTypeCreateSection, PageProtection: "
"10:34:13.3543441 a.m.","xcopy.exe","4996","QueryStandardInformationFile","C:\Windows\Globalization\Sorting\SortDefault.nls","SUCCESS","AllocationSize: 2,945,024, EndOfFile: 2,944,004, NumberOfLinks: 2, DeletePending: False, Directory: False"
"10:34:13.3545101 a.m.","xcopy.exe","4996","CreateFileMapping","C:\Windows\Globalization\Sorting\SortDefault.nls","SUCCESS","SyncType: SyncTypeOther"
"10:34:13.3546922 a.m.","xcopy.exe","4996","CloseFile","C:\Windows\Globalization\Sorting\SortDefault.nls","SUCCESS",""
"10:34:13.3585909 a.m.","xcopy.exe","4996","CreateFile","\\vboxsvr\DataShared\","SUCCESS","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
"10:34:13.3592632 a.m.","xcopy.exe","4996","QueryBasicInformationFile","\\vboxsvr\DataShared\","SUCCESS","CreationTime: 21/06/2011 12:00:00 p.m., LastAccessTime: 28/07/2011 12:20:30 p.m., LastWriteTime: 21/06/2011 12:00:00 p.m., ChangeTime: 21/06/2011 12:00:00 p.m., FileAttributes: D"
"10:34:13.3592979 a.m.","xcopy.exe","4996","CloseFile","\\vboxsvr\DataShared\","SUCCESS",""
"10:34:13.3602031 a.m.","xcopy.exe","4996","CreateFile","\\vboxsvr\DataShared\","SUCCESS","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
"10:34:13.3607832 a.m.","xcopy.exe","4996","QueryBasicInformationFile","\\vboxsvr\DataShared\","SUCCESS","CreationTime: 21/06/2011 12:00:00 p.m., LastAccessTime: 28/07/2011 12:20:30 p.m., LastWriteTime: 21/06/2011 12:00:00 p.m., ChangeTime: 21/06/2011 12:00:00 p.m., FileAttributes: D"
"10:34:13.3608048 a.m.","xcopy.exe","4996","CloseFile","\\vboxsvr\DataShared\","SUCCESS",""
"10:34:13.3619216 a.m.","xcopy.exe","4996","CreateFile","\\vboxsvr\DataShared\temp","SUCCESS","Desired Access: Read Data/List Directory, Synchronize, Disposition: Open, Options: Directory, Synchronous IO Non-Alert, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
"10:34:13.3621115 a.m.","xcopy.exe","4996","QueryDirectory","\\vboxsvr\DataShared\temp\temp.exe","SUCCESS","Filter: temp.exe, 1: temp.exe"
"10:34:13.3625272 a.m.","xcopy.exe","4996","CloseFile","\\vboxsvr\DataShared\temp","SUCCESS",""
"10:34:13.3633995 a.m.","xcopy.exe","4996","CreateFile","\\vboxsvr\DataShared\temp","SUCCESS","Desired Access: Read Data/List Directory, Synchronize, Disposition: Open, Options: Directory, Synchronous IO Non-Alert, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
"10:34:13.3635698 a.m.","xcopy.exe","4996","QueryDirectory","\\vboxsvr\DataShared\temp\temp.exe","SUCCESS","Filter: temp.exe, 1: temp.exe"
"10:34:13.3639470 a.m.","xcopy.exe","4996","CloseFile","\\vboxsvr\DataShared\temp","SUCCESS",""
"10:34:13.3644785 a.m.","xcopy.exe","4996","CreateFile","\\vboxsvr\DataShared\","SUCCESS","Desired Access: Read Data/List Directory, Synchronize, Disposition: Open, Options: Directory, Synchronous IO Non-Alert, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
"10:34:13.3646840 a.m.","xcopy.exe","4996","QueryDirectory","\\vboxsvr\DataShared\temp","SUCCESS","Filter: temp, 1: temp"
"10:34:13.3649380 a.m.","xcopy.exe","4996","CloseFile","\\vboxsvr\DataShared\","SUCCESS",""
"10:34:13.3658666 a.m.","xcopy.exe","4996","CreateFile","\\vboxsvr\DataShared\temp","SUCCESS","Desired Access: Read Data/List Directory, Synchronize, Disposition: Open, Options: Directory, Synchronous IO Non-Alert, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
"10:34:13.3661298 a.m.","xcopy.exe","4996","QueryDirectory","\\vboxsvr\DataShared\temp\temp2.exe","NO SUCH FILE","Filter: temp2.exe"
"10:34:13.3684357 a.m.","xcopy.exe","4996","CloseFile","\\vboxsvr\DataShared\temp","SUCCESS",""
"10:34:13.3804520 a.m.","xcopy.exe","4996","CreateFile","\\vboxsvr\DataShared\temp","SUCCESS","Desired Access: Read Data/List Directory, Synchronize, Disposition: Open, Options: Directory, Synchronous IO Non-Alert, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
"10:34:13.3807502 a.m.","xcopy.exe","4996","QueryDirectory","\\vboxsvr\DataShared\temp\temp2.exe","NO SUCH FILE","Filter: temp2.exe"
"10:34:13.3824674 a.m.","xcopy.exe","4996","CloseFile","\\vboxsvr\DataShared\temp","SUCCESS",""
"10:34:13.3843107 a.m.","xcopy.exe","4996","CreateFile","\\vboxsvr\DataShared\temp","SUCCESS","Desired Access: Read Data/List Directory, Synchronize, Disposition: Open, Options: Directory, Synchronous IO Non-Alert, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
"10:34:13.3847356 a.m.","xcopy.exe","4996","QueryDirectory","\\vboxsvr\DataShared\temp\temp2.exe","NO SUCH FILE","Filter: temp2.exe"
"10:34:13.3855783 a.m.","xcopy.exe","4996","CloseFile","\\vboxsvr\DataShared\temp","SUCCESS",""
"10:34:13.3862386 a.m.","xcopy.exe","4996","ReadFile","C:\Windows\System32\ulib.dll","SUCCESS","Offset: 41,984, Length: 4,096, I/O Flags: Non-cached, Paging I/O, Synchronous Paging I/O, Priority: Normal"
"10:34:13.3878907 a.m.","xcopy.exe","4996","ReadFile","C:\Windows\System32\ulib.dll","SUCCESS","Offset: 41,984, Length: 32,768, I/O Flags: Non-cached, Paging I/O, Synchronous Paging I/O, Priority: Normal"
"10:34:16.2707398 a.m.","xcopy.exe","4996","ReadFile","C:\Windows\System32\ulib.dll","SUCCESS","Offset: 82,944, Length: 4,096, I/O Flags: Non-cached, Paging I/O, Synchronous Paging I/O, Priority: Normal"
"10:34:16.2834510 a.m.","xcopy.exe","4996","ReadFile","C:\Windows\System32\ulib.dll","SUCCESS","Offset: 74,752, Length: 26,112, I/O Flags: Non-cached, Paging I/O, Synchronous Paging I/O, Priority: Normal"
"10:34:16.3039079 a.m.","xcopy.exe","4996","CreateFile","\\vboxsvr\DataShared\","SUCCESS","Desired Access: Read Data/List Directory, Synchronize, Disposition: Open, Options: Directory, Synchronous IO Non-Alert, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
"10:34:16.3044221 a.m.","xcopy.exe","4996","QueryDirectory","\\vboxsvr\DataShared\temp","SUCCESS","Filter: temp, 1: temp"
"10:34:16.3050143 a.m.","xcopy.exe","4996","CloseFile","\\vboxsvr\DataShared\","SUCCESS",""
"10:34:16.3062290 a.m.","xcopy.exe","4996","CreateFile","\\vboxsvr\DataShared\temp","SUCCESS","Desired Access: Read Data/List Directory, Synchronize, Disposition: Open, Options: Directory, Synchronous IO Non-Alert, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
"10:34:16.3064969 a.m.","xcopy.exe","4996","QueryDirectory","\\vboxsvr\DataShared\temp\*","SUCCESS","Filter: *, 1: ."
"10:34:16.3072109 a.m.","xcopy.exe","4996","QueryDirectory","\\vboxsvr\DataShared\temp","SUCCESS","0: .., 1: DelicHea_1, 2: ._DelicIta_1, 3: cdarc, 4: Dev_Mar12.sql, 5: Migration3 List with TWINS code.xls, 6: Audio Conference File - May Final.csv, 7: ._DelicRom, 8: xpdf-3.02pl5-win32.zip, 9: DIRDEBIT.CSV, 10: affected.txt, 11: dnn56sql.zip, 12: TZC1103011.csv, 13: DelicRom_1, 14: LIVE_Calendar_p9_Autumn2011.pdf, 15: certreq.txt, 16: SCAN5375_000.pdf, 17: south island new.xls, 18: map_northharbour.png, 19: TWINS_invdiagnos_39B0R4N39.pdf, 20: temp2.txt, 21: vpe.xls, 22: Monthly payers 201011 renewals.csv, 23: kennel.key.pem, 24: TZC1102262.csv"
"10:34:16.3074741 a.m.","xcopy.exe","4996","CloseFile","\\vboxsvr\DataShared\temp","SUCCESS",""
"10:34:16.3085232 a.m.","xcopy.exe","4996","CreateFile","\\vboxsvr\DataShared\temp","SUCCESS","Desired Access: Read Data/List Directory, Synchronize, Disposition: Open, Options: Directory, Synchronous IO Non-Alert, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
"10:34:16.3087538 a.m.","xcopy.exe","4996","QueryDirectory","\\vboxsvr\DataShared\temp\*","SUCCESS","Filter: *, 1: ."
"10:34:16.3091657 a.m.","xcopy.exe","4996","QueryDirectory","\\vboxsvr\DataShared\temp","SUCCESS","0: .., 1: DelicHea_1, 2: ._DelicIta_1, 3: cdarc, 4: Dev_Mar12.sql, 5: Migration3 List with TWINS code.xls, 6: Audio Conference File - May Final.csv, 7: ._DelicRom, 8: xpdf-3.02pl5-win32.zip, 9: DIRDEBIT.CSV, 10: affected.txt, 11: dnn56sql.zip, 12: TZC1103011.csv, 13: DelicRom_1, 14: LIVE_Calendar_p9_Autumn2011.pdf, 15: certreq.txt, 16: SCAN5375_000.pdf, 17: south island new.xls, 18: map_northharbour.png, 19: TWINS_invdiagnos_39B0R4N39.pdf, 20: temp2.txt, 21: vpe.xls, 22: Monthly payers 201011 renewals.csv, 23: kennel.key.pem, 24: TZC1102262.csv"
"10:34:16.3098532 a.m.","xcopy.exe","4996","QueryDirectory","\\vboxsvr\DataShared\temp","SUCCESS","0: AOF_FestivalFlyer-page002.jpg, 1: TWINS Audio Conferencing v01.pdf, 2: spotless_may_buggytwins.pdf, 3: Twins_6.9.10_xCaseReports.pdf, 4: reg_test_w7.CSV, 5: Delicious_76, 6: clsid_5083_w7.reg, 7: twins_error_log_to_20110503.dbf, 8: hotspots.DBF, 9: Junk2.pdf, 10: csl_test_phones.csv, 11: temp.txt, 12: email.pdf, 13: spotless_may_newtwins.pdf, 14: ind2.DBF, 15: holcim channel activity data3a.xls, 16: TWINS Broadband v01.pdf, 17: ._DelicHea_1, 18: AOF_FestivalFlyer-page003.png, 19: callexp_0800a.csv, 20: DelicSmaCap_1, 21: ._Delicious_76, 22: Missing_export_lines.csv~, 23: AOF_FestivalFlyer-page002.rgb"
"10:34:16.3102608 a.m.","xcopy.exe","4996","QueryDirectory","\\vboxsvr\DataShared\temp","SUCCESS","0: DeutzBarPlan_v1_a4.pdf, 1: cov-part2.log, 2: .mtoolsrc, 3: tfrfixed45_20100919030000950.csv, 4: frfox_v1321.csv, 5: vfptemp, 6: MVNO Billing Issues 1bc Register 1.0.xls, 7: zjames_before.csv, 8: aamxcli_20110311.zip, 9: opera_11.01.1190_i386.deb, 10: aamxcli_20110411.zip, 11: SupperRoomPlan_v1a_a4.pdf, 12: ._DelicBolIta, 13: kennel.key_pp.pem, 14: AOF_FestivalFlyer-page003.rgb, 15: ._DelicBol, 16: aamxsql_20110330.zip, 17: typelib_7805_w7.reg, 18: hotspots.BAK, 19: AOF_FestivalFlyer-page003.jpg, 20: agingsum_o.pdf, 21: athologo.png, 22: ._Delicious_76_1, 23: CSL.DNNModules.Etailer.BulkLoad_01.03.00.zip"
"10:34:16.3112544 a.m.","xcopy.exe","4996","QueryDirectory","\\vboxsvr\DataShared\temp","SUCCESS","0: aamxcli_20110330.zip, 1: es2500c, 2: callexp_b.csv, 3: supper_a3.pdf, 4: Woosh_496674_june.csv, 5: WF_WCF_Samples.exe, 6: DelicBolIta, 7: accessable_oco_icons.png, 8: Stanford-coelos_ascendit_hodie.pdf, 9: tw6106..txt, 10: twins_history.html, 11: blakes7_logo_32x32.png, 12: temp.idx, 13: Twins_6.10.x_xCase_20110317.pdf, 14: AOF_FestivalFlyer-page002.png, 15: csl_test_masteritems.csv, 16: Test_Mar14.sql, 17: Stanford-c-a-h-print.pdf, 18: changes_since_6.10.0, 19: twins_history2.html, 20: 94770280 2011-02-28.pdf, 21: tcnz_ebill2cdr_20110407.zip, 22: ncafixed29_20100906000003020.csv, 23: temp.exe"
"10:34:16.3136873 a.m.","xcopy.exe","4996","CreateFile","\\vboxsvr\DataShared\temp","SUCCESS","Desired Access: Read Data/List Directory, Synchronize, Disposition: Open, Options: Directory, Synchronous IO Non-Alert, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
"10:34:16.3138949 a.m.","xcopy.exe","4996","QueryDirectory","\\vboxsvr\DataShared\temp\temp2.exe","NO SUCH FILE","Filter: temp2.exe"
"10:34:16.3151357 a.m.","xcopy.exe","4996","CloseFile","\\vboxsvr\DataShared\temp","SUCCESS",""
"10:34:16.3171108 a.m.","xcopy.exe","4996","RegOpenKey","HKLM\Software\Policies\Microsoft\Windows\System","SUCCESS","Desired Access: Query Value"
"10:34:16.3177988 a.m.","xcopy.exe","4996","RegQueryValue","HKLM\SOFTWARE\Policies\Microsoft\Windows\System\CopyFileBufferedSynchronousIo","NAME NOT FOUND","Length: 20"
"10:34:16.3179050 a.m.","xcopy.exe","4996","RegCloseKey","HKLM\SOFTWARE\Policies\Microsoft\Windows\System","SUCCESS",""
"10:34:16.3194132 a.m.","xcopy.exe","4996","CreateFile","\\vboxsvr\DataShared\temp\temp.exe","SUCCESS","Desired Access: Generic Read, Disposition: Open, Options: Sequential Access, Non-Directory File, Open Reparse Point, Disallow Exclusive, Attributes: n/a, ShareMode: Read, Delete, AllocationSize: n/a, OpenResult: Opened"
"10:34:16.5579849 a.m.","xcopy.exe","4996","QueryAttributeTagFile","\\vboxsvr\DataShared\temp\temp.exe","SUCCESS","Attributes: N, ReparseTag: 0x0"
"10:34:16.5581947 a.m.","xcopy.exe","4996","QueryDeviceInformationVolume","\\vboxsvr\DataShared\temp\temp.exe","SUCCESS","DeviceType: Disk, Characteristics: Remote"
"10:34:16.5582753 a.m.","xcopy.exe","4996","FileSystemControl","\\vboxsvr\DataShared\temp\temp.exe","SUCCESS","Control: IOCTL_LMR_DISABLE_LOCAL_BUFFERING"
"10:34:16.5588836 a.m.","xcopy.exe","4996","FileSystemControl","\\vboxsvr\DataShared\temp\temp.exe","INVALID DEVICE REQUEST","Control: FSCTL_LMR_GET_HINT_SIZE"
"10:34:16.5589195 a.m.","xcopy.exe","4996","QueryStandardInformationFile","\\vboxsvr\DataShared\temp\temp.exe","SUCCESS","AllocationSize: 4,313,088, EndOfFile: 4,312,397, NumberOfLinks: 1, DeletePending: False, Directory: False"
"10:34:16.5591792 a.m.","xcopy.exe","4996","QueryBasicInformationFile","\\vboxsvr\DataShared\temp\temp.exe","SUCCESS","CreationTime: 28/07/2011 5:37:00 p.m., LastAccessTime: 29/07/2011 10:30:45 a.m., LastWriteTime: 22/03/2011 1:05:27 p.m., ChangeTime: 28/07/2011 5:37:00 p.m., FileAttributes: N"
"10:34:16.5594948 a.m.","xcopy.exe","4996","QueryStreamInformationFile","\\vboxsvr\DataShared\temp\temp.exe","NOT IMPLEMENTED",""
"10:34:16.5603944 a.m.","xcopy.exe","4996","QueryBasicInformationFile","\\vboxsvr\DataShared\temp\temp.exe","SUCCESS","CreationTime: 28/07/2011 5:37:00 p.m., LastAccessTime: 29/07/2011 10:30:45 a.m., LastWriteTime: 22/03/2011 1:05:27 p.m., ChangeTime: 28/07/2011 5:37:00 p.m., FileAttributes: N"
"10:34:16.5626860 a.m.","xcopy.exe","4996","QueryEaInformationFile","\\vboxsvr\DataShared\temp\temp.exe","SUCCESS","EaSize: 0"
"10:34:16.5669544 a.m.","xcopy.exe","4996","CreateFile","\\vboxsvr\DataShared\temp\temp2.exe","SUCCESS","Desired Access: Generic Write, Read Data/List Directory, Read Attributes, Delete, Disposition: OverwriteIf, Options: Sequential Access, Non-Directory File, Attributes: N, ShareMode: None, AllocationSize: 4,312,397, OpenResult: Created"
"10:34:16.5699258 a.m.","xcopy.exe","4996","QueryDeviceInformationVolume","\\vboxsvr\DataShared\temp\temp2.exe","SUCCESS","DeviceType: Disk, Characteristics: Remote"
"10:34:16.5700714 a.m.","xcopy.exe","4996","FileSystemControl","\\vboxsvr\DataShared\temp\temp2.exe","SUCCESS","Control: IOCTL_LMR_DISABLE_LOCAL_BUFFERING"
"10:34:16.5701039 a.m.","xcopy.exe","4996","QueryAttributeInformationVolume","\\vboxsvr\DataShared\temp\temp2.exe","SUCCESS","FileSystemAttributes: , MaximumComponentNameLength: 255, FileSystemName: VBoxSharedFolderFS"
"10:34:16.5701252 a.m.","xcopy.exe","4996","QueryBasicInformationFile","\\vboxsvr\DataShared\temp\temp2.exe","SUCCESS","CreationTime: 29/07/2011 10:34:16 a.m., LastAccessTime: 29/07/2011 10:34:16 a.m., LastWriteTime: 29/07/2011 10:34:16 a.m., ChangeTime: 29/07/2011 10:34:16 a.m., FileAttributes: N"
"10:34:16.5705010 a.m.","xcopy.exe","4996","QueryAttributeInformationVolume","\\vboxsvr\DataShared\temp\temp.exe","SUCCESS","FileSystemAttributes: , MaximumComponentNameLength: 255, FileSystemName: VBoxSharedFolderFS"
"10:34:16.5706194 a.m.","xcopy.exe","4996","QueryDeviceInformationVolume","\\vboxsvr\DataShared\temp\temp.exe","SUCCESS","DeviceType: Disk, Characteristics: Remote"
"10:34:16.5706966 a.m.","xcopy.exe","4996","QueryDeviceInformationVolume","\\vboxsvr\DataShared\temp\temp2.exe","SUCCESS","DeviceType: Disk, Characteristics: Remote"
"10:34:16.5709337 a.m.","xcopy.exe","4996","DeviceIoControl","\\vboxsvr\DataShared\temp\temp.exe","INVALID DEVICE REQUEST","Control: 0x140410 (Device:0x14 Function:260 Method: 0)"
"10:34:16.5709731 a.m.","xcopy.exe","4996","SetEndOfFileInformationFile","\\vboxsvr\DataShared\temp\temp2.exe","SUCCESS","EndOfFile: 4,312,397"
"10:34:16.5719186 a.m.","xcopy.exe","4996","QueryDeviceInformationVolume","\\vboxsvr\DataShared\temp\temp.exe","SUCCESS","DeviceType: Disk, Characteristics: Remote"
"10:34:16.5719447 a.m.","xcopy.exe","4996","QueryDeviceInformationVolume","\\vboxsvr\DataShared\temp\temp2.exe","SUCCESS","DeviceType: Disk, Characteristics: Remote"
"10:34:16.5719663 a.m.","xcopy.exe","4996","<Unknown>","\\vboxsvr\DataShared\temp\temp.exe","NOT IMPLEMENTED",""
"10:34:16.5725529 a.m.","xcopy.exe","4996","<Unknown>","\\vboxsvr\DataShared\temp\temp2.exe","NOT IMPLEMENTED",""
"10:34:16.5727085 a.m.","xcopy.exe","4996","RegOpenKey","HKLM\Software\Policies\Microsoft\Windows\System","SUCCESS","Desired Access: Query Value"
"10:34:16.5729205 a.m.","xcopy.exe","4996","RegQueryValue","HKLM\SOFTWARE\Policies\Microsoft\Windows\System\CopyFileChunkSize","NAME NOT FOUND","Length: 20"
"10:34:16.5729365 a.m.","xcopy.exe","4996","RegQueryValue","HKLM\SOFTWARE\Policies\Microsoft\Windows\System\CopyFileOverlappedCount","NAME NOT FOUND","Length: 20"
"10:34:16.5729543 a.m.","xcopy.exe","4996","RegCloseKey","HKLM\SOFTWARE\Policies\Microsoft\Windows\System","SUCCESS",""
"10:34:16.5745072 a.m.","xcopy.exe","4996","ReadFile","\\vboxsvr\DataShared\temp\temp.exe","SUCCESS","Offset: 0, Length: 524,288, Priority: Normal"
"10:34:16.5767394 a.m.","xcopy.exe","4996","ReadFile","\\vboxsvr\DataShared\temp\temp.exe","SUCCESS","Offset: 524,288, Length: 524,288, Priority: Normal"
"10:34:16.5796678 a.m.","xcopy.exe","4996","ReadFile","\\vboxsvr\DataShared\temp\temp.exe","SUCCESS","Offset: 1,048,576, Length: 524,288, Priority: Normal"
"10:34:16.5844214 a.m.","xcopy.exe","4996","ReadFile","\\vboxsvr\DataShared\temp\temp.exe","SUCCESS","Offset: 1,572,864, Length: 524,288, Priority: Normal"
"10:34:16.5904044 a.m.","xcopy.exe","4996","ReadFile","\\vboxsvr\DataShared\temp\temp.exe","SUCCESS","Offset: 2,097,152, Length: 524,288, Priority: Normal"
"10:34:16.5991888 a.m.","xcopy.exe","4996","ReadFile","\\vboxsvr\DataShared\temp\temp.exe","SUCCESS","Offset: 2,621,440, Length: 524,288, Priority: Normal"
"10:34:16.6086677 a.m.","xcopy.exe","4996","ReadFile","\\vboxsvr\DataShared\temp\temp.exe","SUCCESS","Offset: 3,145,728, Length: 524,288, Priority: Normal"
"10:34:16.6126019 a.m.","xcopy.exe","4996","ReadFile","\\vboxsvr\DataShared\temp\temp.exe","SUCCESS","Offset: 3,670,016, Length: 524,288, Priority: Normal"
"10:34:16.6538660 a.m.","xcopy.exe","4996","WriteFile","\\vboxsvr\DataShared\temp\temp2.exe","SUCCESS","Offset: 0, Length: 524,288, Priority: Normal"
"10:34:16.6697129 a.m.","xcopy.exe","4996","WriteFile","\\vboxsvr\DataShared\temp\temp2.exe","SUCCESS","Offset: 524,288, Length: 524,288, Priority: Normal"
"10:34:16.6713937 a.m.","xcopy.exe","4996","WriteFile","\\vboxsvr\DataShared\temp\temp2.exe","SUCCESS","Offset: 1,048,576, Length: 524,288, Priority: Normal"
"10:34:16.6731382 a.m.","xcopy.exe","4996","WriteFile","\\vboxsvr\DataShared\temp\temp2.exe","SUCCESS","Offset: 1,572,864, Length: 524,288, Priority: Normal"
"10:34:16.6749074 a.m.","xcopy.exe","4996","WriteFile","\\vboxsvr\DataShared\temp\temp2.exe","SUCCESS","Offset: 2,097,152, Length: 524,288, Priority: Normal"
"10:34:16.6765838 a.m.","xcopy.exe","4996","WriteFile","\\vboxsvr\DataShared\temp\temp2.exe","SUCCESS","Offset: 2,621,440, Length: 524,288, Priority: Normal"
"10:34:16.6778016 a.m.","xcopy.exe","4996","WriteFile","\\vboxsvr\DataShared\temp\temp2.exe","SUCCESS","Offset: 3,145,728, Length: 524,288, Priority: Normal"
"10:34:16.6807616 a.m.","xcopy.exe","4996","WriteFile","\\vboxsvr\DataShared\temp\temp2.exe","SUCCESS","Offset: 3,670,016, Length: 524,288, Priority: Normal"
"10:34:16.6822391 a.m.","xcopy.exe","4996","ReadFile","\\vboxsvr\DataShared\temp\temp.exe","SUCCESS","Offset: 4,194,304, Length: 118,093, Priority: Normal"
"10:34:16.6826665 a.m.","xcopy.exe","4996","WriteFile","\\vboxsvr\DataShared\temp\temp2.exe","SUCCESS","Offset: 4,194,304, Length: 118,093, Priority: Normal"
"10:34:16.6841049 a.m.","xcopy.exe","4996","SetBasicInformationFile","\\vboxsvr\DataShared\temp\temp2.exe","SUCCESS","CreationTime: 1/01/1601 12:00:00 p.m., LastAccessTime: 1/01/1601 12:00:00 p.m., LastWriteTime: 22/03/2011 1:05:27 p.m., ChangeTime: 28/07/2011 5:37:00 p.m., FileAttributes: n/a"
"10:34:16.6846650 a.m.","xcopy.exe","4996","CloseFile","\\vboxsvr\DataShared\temp\temp.exe","SUCCESS",""
"10:34:16.6851874 a.m.","xcopy.exe","4996","CloseFile","\\vboxsvr\DataShared\temp\temp2.exe","SUCCESS",""
"10:34:16.6873646 a.m.","xcopy.exe","4996","CreateFile","\\vboxsvr\DataShared\temp\temp2.exe","SUCCESS","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
"10:34:16.6886920 a.m.","xcopy.exe","4996","QueryBasicInformationFile","\\vboxsvr\DataShared\temp\temp2.exe","SUCCESS","CreationTime: 29/07/2011 10:34:16 a.m., LastAccessTime: 29/07/2011 10:34:16 a.m., LastWriteTime: 22/03/2011 1:05:27 p.m., ChangeTime: 29/07/2011 10:34:16 a.m., FileAttributes: N"
"10:34:16.6888641 a.m.","xcopy.exe","4996","CloseFile","\\vboxsvr\DataShared\temp\temp2.exe","SUCCESS",""
"10:34:16.6904781 a.m.","xcopy.exe","4996","CreateFile","\\vboxsvr\DataShared\temp\temp2.exe","SUCCESS","Desired Access: Write Attributes, Disposition: Open, Options: , Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
"10:34:16.6917657 a.m.","xcopy.exe","4996","SetBasicInformationFile","\\vboxsvr\DataShared\temp\temp2.exe","SUCCESS","CreationTime: 1/01/1601 12:00:00 p.m., LastAccessTime: 1/01/1601 12:00:00 p.m., LastWriteTime: 1/01/1601 12:00:00 p.m., ChangeTime: 1/01/1601 12:00:00 p.m., FileAttributes: N"
"10:34:16.6919083 a.m.","xcopy.exe","4996","CloseFile","\\vboxsvr\DataShared\temp\temp2.exe","SUCCESS",""
"10:34:16.6933810 a.m.","xcopy.exe","4996","CreateFile","\\vboxsvr\DataShared\temp","SUCCESS","Desired Access: Read Data/List Directory, Synchronize, Disposition: Open, Options: Directory, Synchronous IO Non-Alert, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
"10:34:16.6935440 a.m.","xcopy.exe","4996","QueryDirectory","\\vboxsvr\DataShared\temp\temp2.exe","SUCCESS","Filter: temp2.exe, 1: temp2.exe"
"10:34:16.6939918 a.m.","xcopy.exe","4996","CloseFile","\\vboxsvr\DataShared\temp","SUCCESS",""
"10:34:16.6947604 a.m.","xcopy.exe","4996","CreateFile","\\vboxsvr\DataShared\temp\temp2.exe","SUCCESS","Desired Access: Write Attributes, Disposition: Open, Options: , Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
"10:34:16.6956704 a.m.","xcopy.exe","4996","SetBasicInformationFile","\\vboxsvr\DataShared\temp\temp2.exe","SUCCESS","CreationTime: 1/01/1601 12:00:00 p.m., LastAccessTime: 1/01/1601 12:00:00 p.m., LastWriteTime: 1/01/1601 12:00:00 p.m., ChangeTime: 1/01/1601 12:00:00 p.m., FileAttributes: AN"
"10:34:16.6958082 a.m.","xcopy.exe","4996","CloseFile","\\vboxsvr\DataShared\temp\temp2.exe","SUCCESS",""
"10:34:16.6959630 a.m.","xcopy.exe","4996","QueryDirectory","\\vboxsvr\DataShared\temp","SUCCESS","0: kennel.cert.pem, 1: Acmsgr.xlsx, 2: callexp_nca_b.csv, 3: MessageExchange-Send-Responses.zip, 4: AOF_FestivalFlyer-page001.png, 5: athologo.emf, 6: commsreport.csv, 7: franken_Nov26.sql, 8: Letterhead template.odt, 9: test.xls, 10: dnn56web.zip, 11: kennel.keycert.pem, 12: TWINS TOLL CDR v01.pdf, 13: ._DelicSmaCap_1, 14: twins_error_log_to_20110503.FPT, 15: athologo.eps, 16: carroll_getfirstline.png, 17: 9I0XMWNP.pdf, 18: service_install.zip, 19: franreport.pdf, 20: AOF2011_Registration_Form.pdf, 21: ._DelicRom_1, 22: kennel.certkey.pem, 23: TWINS_invstate2_36D0V21G7.pdf"
"10:34:16.6963527 a.m.","xcopy.exe","4996","QueryDirectory","\\vboxsvr\DataShared\temp","SUCCESS","0: DIRDEBIT3.CSV, 1: test.DBF, 2: DelicSmaCap, 3: callexp_mob.csv, 4: BYRD-JUS.pdf, 5: ff2011-06-21.csv, 6: hotspot.DBF, 7: ._DelicIta, 8: txt, 9: interface_F26_xp.reg, 10: g3977.png, 11: callexp_0800b.csv, 12: twins_error_log.dbf, 13: athologo2.png, 14: dgtime201011.csv, 15: WF_WCF_Samples, 16: Widor_Surrexit_a_mortuis.pdf, 17: Stanford_cover.pdf, 18: Test.pdf, 19: csl_test_phones.ods, 20: IND2.xls, 21: tw_changes_since_6.9.14.csv, 22: AOF_FestivalFlyer-page004.rgb, 23: csl_test_importmap.csv, 24: DIRDEBIT1.CSV"
"10:34:16.6967048 a.m.","xcopy.exe","4996","QueryDirectory","\\vboxsvr\DataShared\temp","SUCCESS","0: DelicIta_1, 1: scorpio_on_black_142x100.jpg, 2: csl_test_customer.csv, 3: tcnz_ebill2cdr_201103230.zip, 4: south island new.DBF, 5: HLStaging_Tables.sql, 6: TZC1102261.csv, 7: Prod_Dec12.sql, 8: Juncke.pdf, 9: Test_Inv94770280.pdf, 10: crmsearch.prg, 11: athologoimage001.gif, 12: hotspot.FPT, 13: twins_inv_441857.pdf, 14: tw69history.txt, 15: map_auckregion.png, 16: temp1, 17: Audio Conference File June2011- Final.csv, 18: AOF_FestivalFlyer-page004.png, 19: hotspots.FPT, 20: ._DelicBol_1, 21: callexp_nca_a.csv, 22: masteritem_report_bands.csv, 23: ._DelicHea"
"10:34:16.6970407 a.m.","xcopy.exe","4996","QueryDirectory","\\vboxsvr\DataShared\temp","SUCCESS","0: Windows_7_Professional_with_Service_Pack_1_64_bit_English_X17-24281.IMG:Zone.Identifier, 1: delicious_76_2, 2: HLStaging_LogProcs.sql, 3: deutz_output.pdf, 4: .~lock.accessabletest.docx#, 5: AOF_FestivalFlyer-page004.jpg, 6: tcnz_ebill2cdr_apr06a.zip, 7: FoxtrotCSL.pem, 8: Xcase_Feb07.sql, 9: MessageExchangeExample_MoH..xml, 10: XCase_Mar10.sql, 11: IND - Channel definition.xls, 12: Widor_Mass_Perusal_Score-booklet.pdf, 13: cov_icomquee.log, 14: XCase_Mar12.sql, 15: Missing_export_lines.csv, 16: DelicBol, 17: kennel.der.crt, 18: Prod_Mar10.sql, 19: aging.dbf, 20: holcim channel activity data3.xls, 21: win7, 22: reg_mon_xp.ods"
"10:34:16.6974088 a.m.","xcopy.exe","4996","QueryDirectory","\\vboxsvr\DataShared\temp","SUCCESS","0: changes_since_6.10.0.csv, 1: csl_test_mapset.csv, 2: Newsletter Number 4 2011.pdf, 3: mvno_data_events_2011_cdr.csv, 4: dirdebit1.pdf, 5: Example.ai, 6: Mig1 and 2 list.xlsx, 7: Dev_Mar10.sql, 8: twins_error_10054.csv, 9: TZC1102252.csv, 10: reg_mon_w7.csv, 11: clsid_5083_xp.reg, 12: accessable_oco_icons.svg, 13: interface_F26_w7.reg, 14: holcim channel activity data3a.csv, 15: twins_inv_442399.pdf, 16: typelib_7805_xp.reg, 17: DelicRom, 18: twins_error_log.FPT, 19: DIRDEBIT2.CSV, 20: DelicBolIta_1, 21: AOF_FestivalFlyer-page001.rgb, 22: tcnz_ebill2cdr_20110405.zip, 23: VersionComparison.pdf"
"10:34:16.6977482 a.m.","xcopy.exe","4996","QueryDirectory","\\vboxsvr\DataShared\temp","SUCCESS","0: gnuwin, 1: cov-part1.log, 2: Test2.pdf, 3: iis_kennel.cer, 4: Delicious_76_1, 5: Dev_Feb07.sql, 6: DelicIta, 7: hotspot.BAK, 8: HLStaging_RequestProcs.sql, 9: blakes7_logo_32x32.ico, 10: TZC1103012.csv, 11: DelicHea, 12: synewopn.dbf, 13: DelicBol_1, 14: aamx_scripts.zip, 15: blakes7_logo_100x100.png, 16: AOF_FestivalFlyer-page001.jpg, 17: ff2011-06-21 - Fixed.csv, 18: Issue Log 20101006.xlsx, 19: newsletterheader_ATHO.jpg, 20: Invoice detail spec 3.0  TG.docx, 21: ._DelicBolIta_1, 22: spotless_may_oldtwins.pdf, 23: Twins_6_10_16_changelog.csv, 24: Elevate.zip"
"10:34:16.6980781 a.m.","xcopy.exe","4996","QueryDirectory","\\vboxsvr\DataShared\temp","SUCCESS","0: athologo-notext.png, 1: Audio Conf June Fixed.csv, 2: ._DelicSmaCap, 3: reg_mon_xp.CSV, 4: soapUI-x64-no-bundle-4_0_0.exe, 5: aamx_sql_20110411.zip, 6: South - Channel definition.xls"
"10:34:16.6983044 a.m.","xcopy.exe","4996","QueryDirectory","\\vboxsvr\DataShared\temp","NO MORE FILES",""
"10:34:16.6985143 a.m.","xcopy.exe","4996","CloseFile","\\vboxsvr\DataShared\temp","SUCCESS",""
"10:34:16.7036259 a.m.","xcopy.exe","4996","RegOpenKey","HKLM\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize","SUCCESS","Desired Access: Read"
"10:34:16.7038444 a.m.","xcopy.exe","4996","RegQueryValue","HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles","NAME NOT FOUND","Length: 20"
"10:34:16.7039892 a.m.","xcopy.exe","4996","RegCloseKey","HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize","SUCCESS",""
"10:34:16.7050470 a.m.","xcopy.exe","4996","Thread Exit","","SUCCESS","Thread ID: 3328, User Time: 0.0000000, Kernel Time: 0.1718750"
"10:34:16.7065539 a.m.","xcopy.exe","4996","QueryNameInformationFile","C:\Windows\System32\kernel32.dll","SUCCESS","Name: \Windows\System32\kernel32.dll"
"10:34:16.7068955 a.m.","xcopy.exe","4996","QueryNameInformationFile","C:\Windows\System32\user32.dll","SUCCESS","Name: \Windows\System32\user32.dll"
"10:34:16.7071036 a.m.","xcopy.exe","4996","QueryNameInformationFile","C:\Windows\System32\ntdll.dll","SUCCESS","Name: \Windows\System32\ntdll.dll"
"10:34:16.7075302 a.m.","xcopy.exe","4996","QueryNameInformationFile","C:\Windows\System32\xcopy.exe","SUCCESS","Name: \Windows\System32\xcopy.exe"
"10:34:16.7077014 a.m.","xcopy.exe","4996","QueryNameInformationFile","C:\Windows\System32\ulib.dll","SUCCESS","Name: \Windows\System32\ulib.dll"
"10:34:16.7077851 a.m.","xcopy.exe","4996","QueryNameInformationFile","C:\Windows\System32\ifsutil.dll","SUCCESS","Name: \Windows\System32\ifsutil.dll"
"10:34:16.7078467 a.m.","xcopy.exe","4996","QueryNameInformationFile","C:\Windows\System32\cfgmgr32.dll","SUCCESS","Name: \Windows\System32\cfgmgr32.dll"
"10:34:16.7079060 a.m.","xcopy.exe","4996","QueryNameInformationFile","C:\Windows\System32\devobj.dll","SUCCESS","Name: \Windows\System32\devobj.dll"
"10:34:16.7079750 a.m.","xcopy.exe","4996","QueryNameInformationFile","C:\Windows\System32\KernelBase.dll","SUCCESS","Name: \Windows\System32\KernelBase.dll"
"10:34:16.7080478 a.m.","xcopy.exe","4996","QueryNameInformationFile","C:\Windows\System32\lpk.dll","SUCCESS","Name: \Windows\System32\lpk.dll"
"10:34:16.7081076 a.m.","xcopy.exe","4996","QueryNameInformationFile","C:\Windows\System32\gdi32.dll","SUCCESS","Name: \Windows\System32\gdi32.dll"
"10:34:16.7081805 a.m.","xcopy.exe","4996","QueryNameInformationFile","C:\Windows\System32\oleaut32.dll","SUCCESS","Name: \Windows\System32\oleaut32.dll"
"10:34:16.7082459 a.m.","xcopy.exe","4996","QueryNameInformationFile","C:\Windows\System32\ole32.dll","SUCCESS","Name: \Windows\System32\ole32.dll"
"10:34:16.7083313 a.m.","xcopy.exe","4996","QueryNameInformationFile","C:\Windows\System32\usp10.dll","SUCCESS","Name: \Windows\System32\usp10.dll"
"10:34:16.7084037 a.m.","xcopy.exe","4996","QueryNameInformationFile","C:\Windows\System32\msvcrt.dll","SUCCESS","Name: \Windows\System32\msvcrt.dll"
"10:34:16.7084770 a.m.","xcopy.exe","4996","QueryNameInformationFile","C:\Windows\System32\rpcrt4.dll","SUCCESS","Name: \Windows\System32\rpcrt4.dll"
"10:34:16.7085550 a.m.","xcopy.exe","4996","QueryNameInformationFile","C:\Windows\System32\advapi32.dll","SUCCESS","Name: \Windows\System32\advapi32.dll"
"10:34:16.7086196 a.m.","xcopy.exe","4996","QueryNameInformationFile","C:\Windows\System32\imm32.dll","SUCCESS","Name: \Windows\System32\imm32.dll"
"10:34:16.7086885 a.m.","xcopy.exe","4996","QueryNameInformationFile","C:\Windows\System32\msctf.dll","SUCCESS","Name: \Windows\System32\msctf.dll"
"10:34:16.7087648 a.m.","xcopy.exe","4996","QueryNameInformationFile","C:\Windows\System32\sechost.dll","SUCCESS","Name: \Windows\System32\sechost.dll"
"10:34:16.7088303 a.m.","xcopy.exe","4996","QueryNameInformationFile","C:\Windows\System32\setupapi.dll","SUCCESS","Name: \Windows\System32\setupapi.dll"
"10:34:16.7088971 a.m.","xcopy.exe","4996","QueryNameInformationFile","C:\Windows\System32\apisetschema.dll","SUCCESS","Name: \Windows\System32\apisetschema.dll"
"10:34:16.7096067 a.m.","xcopy.exe","4996","Process Exit","","SUCCESS","Exit Status: 0, User Time: 0.0000000 seconds, Kernel Time: 0.1875000 seconds, Private Bytes: 851,968, Peak Private Bytes: 5,095,424, Working Set: 3,784,704, Peak Working Set: 7,942,144"
"10:34:16.7102640 a.m.","xcopy.exe","4996","RegCloseKey","HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options","SUCCESS",""
"10:34:16.7103255 a.m.","xcopy.exe","4996","CloseFile","C:\my\commands","SUCCESS",""
"10:34:16.7115212 a.m.","xcopy.exe","4996","RegCloseKey","HKLM\System\CurrentControlSet\Control\Nls\Sorting\Versions","SUCCESS",""
"10:34:16.7115567 a.m.","xcopy.exe","4996","RegCloseKey","HKLM","SUCCESS",""
"10:34:16.7115992 a.m.","xcopy.exe","4996","RegCloseKey","HKLM\System\CurrentControlSet\Control\SESSION MANAGER","SUCCESS",""
"10:34:16.7116621 a.m.","xcopy.exe","4996","RegCloseKey","HKLM\System\CurrentControlSet\Control\Nls\Locale","SUCCESS",""
"10:34:16.7116829 a.m.","xcopy.exe","4996","RegCloseKey","HKLM\System\CurrentControlSet\Control\Nls\Locale\Alternate Sorts","SUCCESS",""
"10:34:16.7117076 a.m.","xcopy.exe","4996","RegCloseKey","HKLM\System\CurrentControlSet\Control\Nls\Language Groups","SUCCESS",""
"10:37:44.3066681 a.m.","cmd.exe","4604","CreateFile","\\vboxsvr\DataShared\temp\temp.txt","SUCCESS","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
"10:37:44.3130773 a.m.","cmd.exe","4604","QueryBasicInformationFile","\\vboxsvr\DataShared\temp\temp.txt","SUCCESS","CreationTime: 28/07/2011 5:34:20 p.m., LastAccessTime: 28/07/2011 5:34:25 p.m., LastWriteTime: 28/07/2011 5:34:20 p.m., ChangeTime: 28/07/2011 5:34:20 p.m., FileAttributes: N"
"10:37:44.3132550 a.m.","cmd.exe","4604","CloseFile","\\vboxsvr\DataShared\temp\temp.txt","SUCCESS",""
"10:37:44.3141021 a.m.","cmd.exe","4604","CreateFile","\\vboxsvr\DataShared\temp","SUCCESS","Desired Access: Read Data/List Directory, Synchronize, Disposition: Open, Options: Directory, Synchronous IO Non-Alert, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
"10:37:44.3142942 a.m.","cmd.exe","4604","QueryDirectory","\\vboxsvr\DataShared\temp\temp.txt","SUCCESS","Filter: temp.txt, 1: temp.txt"
"10:37:44.3155045 a.m.","cmd.exe","4604","CreateFile","\\vboxsvr\DataShared\temp\temp.txt","SUCCESS","Desired Access: Generic Read, Disposition: Open, Options: Sequential Access, Synchronous IO Non-Alert, Non-Directory File, Attributes: N, ShareMode: Read, Write, AllocationSize: n/a, OpenResult: Opened"
"10:37:44.3171545 a.m.","cmd.exe","4604","QueryDeviceInformationVolume","\\vboxsvr\DataShared\temp\temp.txt","SUCCESS","DeviceType: Disk, Characteristics: Remote"
"10:37:44.3172274 a.m.","cmd.exe","4604","QueryDeviceInformationVolume","\\vboxsvr\DataShared\temp\temp.txt","SUCCESS","DeviceType: Disk, Characteristics: Remote"
"10:37:44.3173210 a.m.","cmd.exe","4604","ReadFile","\\vboxsvr\DataShared\temp\temp.txt","SUCCESS","Offset: 0, Length: 512, Priority: Normal"
"10:37:44.3719068 a.m.","cmd.exe","4604","CreateFile","\\vboxsvr\DataShared\temp\temp2.txt","SUCCESS","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
"10:37:44.3731068 a.m.","cmd.exe","4604","QueryBasicInformationFile","\\vboxsvr\DataShared\temp\temp2.txt","SUCCESS","CreationTime: 28/07/2011 5:21:00 p.m., LastAccessTime: 28/07/2011 5:21:08 p.m., LastWriteTime: 28/07/2011 5:21:00 p.m., ChangeTime: 28/07/2011 5:21:00 p.m., FileAttributes: N"
"10:37:44.3732650 a.m.","cmd.exe","4604","CloseFile","\\vboxsvr\DataShared\temp\temp2.txt","SUCCESS",""
"10:37:44.3743224 a.m.","cmd.exe","4604","CreateFile","\\vboxsvr\DataShared\temp\temp2.txt","SUCCESS","Desired Access: Generic Read, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: N, ShareMode: Read, AllocationSize: n/a, OpenResult: Opened"
"10:37:44.3767323 a.m.","cmd.exe","4604","QueryDeviceInformationVolume","\\vboxsvr\DataShared\temp\temp2.txt","SUCCESS","DeviceType: Disk, Characteristics: Remote"
"10:37:44.3767757 a.m.","cmd.exe","4604","CloseFile","\\vboxsvr\DataShared\temp\temp2.txt","SUCCESS",""
"10:37:44.3782548 a.m.","cmd.exe","4604","CreateFile","\\vboxsvr\DataShared\temp\temp2.txt","SUCCESS","Desired Access: Generic Read, Disposition: Open, Options: Sequential Access, Synchronous IO Non-Alert, Non-Directory File, Attributes: N, ShareMode: Read, Write, AllocationSize: n/a, OpenResult: Opened"
"10:37:44.3833365 a.m.","cmd.exe","4604","QueryDeviceInformationVolume","\\vboxsvr\DataShared\temp\temp2.txt","SUCCESS","DeviceType: Disk, Characteristics: Remote"
"10:37:44.3834705 a.m.","cmd.exe","4604","QueryDeviceInformationVolume","\\vboxsvr\DataShared\temp\temp2.txt","SUCCESS","DeviceType: Disk, Characteristics: Remote"
"10:37:44.3835078 a.m.","cmd.exe","4604","CloseFile","\\vboxsvr\DataShared\temp\temp2.txt","SUCCESS",""
"10:37:46.2616887 a.m.","cmd.exe","4604","CreateFile","\\vboxsvr\DataShared\temp\temp2.txt","SUCCESS","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
"10:37:46.2631275 a.m.","cmd.exe","4604","QueryBasicInformationFile","\\vboxsvr\DataShared\temp\temp2.txt","SUCCESS","CreationTime: 28/07/2011 5:21:00 p.m., LastAccessTime: 28/07/2011 5:21:08 p.m., LastWriteTime: 28/07/2011 5:21:00 p.m., ChangeTime: 28/07/2011 5:21:00 p.m., FileAttributes: N"
"10:37:46.2632940 a.m.","cmd.exe","4604","CloseFile","\\vboxsvr\DataShared\temp\temp2.txt","SUCCESS",""
"10:37:46.2644779 a.m.","cmd.exe","4604","CreateFile","\\vboxsvr\DataShared\temp\temp2.txt","SUCCESS","Desired Access: Generic Write, Read Attributes, Disposition: OpenIf, Options: Sequential Access, Synchronous IO Non-Alert, Non-Directory File, Attributes: N, ShareMode: None, AllocationSize: 0, OpenResult: Created"
"10:37:46.2656684 a.m.","cmd.exe","4604","QueryDeviceInformationVolume","\\vboxsvr\DataShared\temp\temp2.txt","SUCCESS","DeviceType: Disk, Characteristics: Remote"
"10:37:46.2657156 a.m.","cmd.exe","4604","QueryDeviceInformationVolume","\\vboxsvr\DataShared\temp\temp2.txt","SUCCESS","DeviceType: Disk, Characteristics: Remote"
"10:37:46.2657464 a.m.","cmd.exe","4604","CloseFile","\\vboxsvr\DataShared\temp\temp2.txt","SUCCESS",""
"10:37:46.2667704 a.m.","cmd.exe","4604","CreateFile","\\vboxsvr\DataShared\temp\temp.txt","SUCCESS","Desired Access: Generic Read, Disposition: Open, Options: Sequential Access, Non-Directory File, Open Reparse Point, Attributes: n/a, ShareMode: Read, Delete, AllocationSize: n/a, OpenResult: Opened"
"10:37:46.2669109 a.m.","cmd.exe","4604","QueryAttributeTagFile","\\vboxsvr\DataShared\temp\temp.txt","SUCCESS","Attributes: N, ReparseTag: 0x0"
"10:37:46.2670535 a.m.","cmd.exe","4604","QueryDeviceInformationVolume","\\vboxsvr\DataShared\temp\temp.txt","SUCCESS","DeviceType: Disk, Characteristics: Remote"
"10:37:46.2671003 a.m.","cmd.exe","4604","FileSystemControl","\\vboxsvr\DataShared\temp\temp.txt","SUCCESS","Control: IOCTL_LMR_DISABLE_LOCAL_BUFFERING"
"10:37:46.2673851 a.m.","cmd.exe","4604","FileSystemControl","\\vboxsvr\DataShared\temp\temp.txt","INVALID DEVICE REQUEST","Control: FSCTL_LMR_GET_HINT_SIZE"
"10:37:46.2674107 a.m.","cmd.exe","4604","QueryStandardInformationFile","\\vboxsvr\DataShared\temp\temp.txt","SUCCESS","AllocationSize: 4,313,088, EndOfFile: 4,312,397, NumberOfLinks: 1, DeletePending: False, Directory: False"
"10:37:46.2674202 a.m.","cmd.exe","4604","QueryBasicInformationFile","\\vboxsvr\DataShared\temp\temp.txt","SUCCESS","CreationTime: 28/07/2011 5:34:20 p.m., LastAccessTime: 28/07/2011 5:34:25 p.m., LastWriteTime: 28/07/2011 5:34:20 p.m., ChangeTime: 28/07/2011 5:34:20 p.m., FileAttributes: N"
"10:37:46.2676864 a.m.","cmd.exe","4604","QueryStreamInformationFile","\\vboxsvr\DataShared\temp\temp.txt","NOT IMPLEMENTED",""
"10:37:46.2678386 a.m.","cmd.exe","4604","QueryBasicInformationFile","\\vboxsvr\DataShared\temp\temp.txt","SUCCESS","CreationTime: 28/07/2011 5:34:20 p.m., LastAccessTime: 28/07/2011 5:34:25 p.m., LastWriteTime: 28/07/2011 5:34:20 p.m., ChangeTime: 28/07/2011 5:34:20 p.m., FileAttributes: N"
"10:37:46.2679838 a.m.","cmd.exe","4604","QueryEaInformationFile","\\vboxsvr\DataShared\temp\temp.txt","SUCCESS","EaSize: 0"
"10:37:46.2688270 a.m.","cmd.exe","4604","CreateFile","\\vboxsvr\DataShared\temp\temp2.txt","SUCCESS","Desired Access: Generic Write, Read Data/List Directory, Read Attributes, Delete, Disposition: OverwriteIf, Options: Sequential Access, Non-Directory File, Attributes: N, ShareMode: None, AllocationSize: 4,312,397, OpenResult: Created"
"10:37:46.2715950 a.m.","cmd.exe","4604","QueryDeviceInformationVolume","\\vboxsvr\DataShared\temp\temp2.txt","SUCCESS","DeviceType: Disk, Characteristics: Remote"
"10:37:46.2716618 a.m.","cmd.exe","4604","FileSystemControl","\\vboxsvr\DataShared\temp\temp2.txt","SUCCESS","Control: IOCTL_LMR_DISABLE_LOCAL_BUFFERING"
"10:37:46.2717069 a.m.","cmd.exe","4604","QueryAttributeInformationVolume","\\vboxsvr\DataShared\temp\temp2.txt","SUCCESS","FileSystemAttributes: , MaximumComponentNameLength: 255, FileSystemName: VBoxSharedFolderFS"
"10:37:46.2717450 a.m.","cmd.exe","4604","QueryBasicInformationFile","\\vboxsvr\DataShared\temp\temp2.txt","SUCCESS","CreationTime: 29/07/2011 10:37:46 a.m., LastAccessTime: 28/07/2011 5:21:08 p.m., LastWriteTime: 29/07/2011 10:37:46 a.m., ChangeTime: 29/07/2011 10:37:46 a.m., FileAttributes: N"
"10:37:46.2718942 a.m.","cmd.exe","4604","QueryAttributeInformationVolume","\\vboxsvr\DataShared\temp\temp.txt","SUCCESS","FileSystemAttributes: , MaximumComponentNameLength: 255, FileSystemName: VBoxSharedFolderFS"
"10:37:46.2719809 a.m.","cmd.exe","4604","QueryDeviceInformationVolume","\\vboxsvr\DataShared\temp\temp.txt","SUCCESS","DeviceType: Disk, Characteristics: Remote"
"10:37:46.2720030 a.m.","cmd.exe","4604","QueryDeviceInformationVolume","\\vboxsvr\DataShared\temp\temp2.txt","SUCCESS","DeviceType: Disk, Characteristics: Remote"
"10:37:46.2723316 a.m.","cmd.exe","4604","DeviceIoControl","\\vboxsvr\DataShared\temp\temp.txt","INVALID DEVICE REQUEST","Control: 0x140410 (Device:0x14 Function:260 Method: 0)"
"10:37:46.2723936 a.m.","cmd.exe","4604","SetEndOfFileInformationFile","\\vboxsvr\DataShared\temp\temp2.txt","SUCCESS","EndOfFile: 4,312,397"
"10:37:46.2731379 a.m.","cmd.exe","4604","QueryDeviceInformationVolume","\\vboxsvr\DataShared\temp\temp.txt","SUCCESS","DeviceType: Disk, Characteristics: Remote"
"10:37:46.2732073 a.m.","cmd.exe","4604","QueryDeviceInformationVolume","\\vboxsvr\DataShared\temp\temp2.txt","SUCCESS","DeviceType: Disk, Characteristics: Remote"
"10:37:46.2732298 a.m.","cmd.exe","4604","<Unknown>","\\vboxsvr\DataShared\temp\temp.txt","NOT IMPLEMENTED",""
"10:37:46.2734293 a.m.","cmd.exe","4604","<Unknown>","\\vboxsvr\DataShared\temp\temp2.txt","NOT IMPLEMENTED",""
"10:37:46.2751317 a.m.","cmd.exe","4604","ReadFile","\\vboxsvr\DataShared\temp\temp.txt","SUCCESS","Offset: 0, Length: 524,288, Priority: Normal"
"10:37:46.2763651 a.m.","cmd.exe","4604","ReadFile","\\vboxsvr\DataShared\temp\temp.txt","SUCCESS","Offset: 524,288, Length: 524,288, Priority: Normal"
"10:37:46.2776223 a.m.","cmd.exe","4604","ReadFile","\\vboxsvr\DataShared\temp\temp.txt","SUCCESS","Offset: 1,048,576, Length: 524,288, Priority: Normal"
"10:37:46.2780354 a.m.","cmd.exe","4604","ReadFile","\\vboxsvr\DataShared\temp\temp.txt","SUCCESS","Offset: 1,572,864, Length: 524,288, Priority: Normal"
"10:37:46.2799490 a.m.","cmd.exe","4604","ReadFile","\\vboxsvr\DataShared\temp\temp.txt","SUCCESS","Offset: 2,097,152, Length: 524,288, Priority: Normal"
"10:37:46.2799876 a.m.","cmd.exe","4604","ReadFile","\\vboxsvr\DataShared\temp\temp.txt","SUCCESS","Offset: 2,621,440, Length: 524,288, Priority: Normal"
"10:37:46.2819397 a.m.","cmd.exe","4604","ReadFile","\\vboxsvr\DataShared\temp\temp.txt","SUCCESS","Offset: 3,145,728, Length: 524,288, Priority: Normal"
"10:37:46.2829160 a.m.","cmd.exe","4604","ReadFile","\\vboxsvr\DataShared\temp\temp.txt","SUCCESS","Offset: 3,670,016, Length: 524,288, Priority: Normal"
"10:37:46.2897530 a.m.","cmd.exe","4604","WriteFile","\\vboxsvr\DataShared\temp\temp2.txt","SUCCESS","Offset: 0, Length: 524,288, Priority: Normal"
"10:37:46.3681941 a.m.","cmd.exe","4604","WriteFile","\\vboxsvr\DataShared\temp\temp2.txt","SUCCESS","Offset: 524,288, Length: 524,288, Priority: Normal"
"10:37:46.3696846 a.m.","cmd.exe","4604","WriteFile","\\vboxsvr\DataShared\temp\temp2.txt","SUCCESS","Offset: 1,048,576, Length: 524,288, Priority: Normal"
"10:37:46.3710874 a.m.","cmd.exe","4604","WriteFile","\\vboxsvr\DataShared\temp\temp2.txt","SUCCESS","Offset: 1,572,864, Length: 524,288, Priority: Normal"
"10:37:46.3725722 a.m.","cmd.exe","4604","WriteFile","\\vboxsvr\DataShared\temp\temp2.txt","SUCCESS","Offset: 2,097,152, Length: 524,288, Priority: Normal"
"10:37:46.3744008 a.m.","cmd.exe","4604","WriteFile","\\vboxsvr\DataShared\temp\temp2.txt","SUCCESS","Offset: 2,621,440, Length: 524,288, Priority: Normal"
"10:37:46.3765242 a.m.","cmd.exe","4604","WriteFile","\\vboxsvr\DataShared\temp\temp2.txt","SUCCESS","Offset: 3,145,728, Length: 524,288, Priority: Normal"
"10:37:46.3812921 a.m.","cmd.exe","4604","WriteFile","\\vboxsvr\DataShared\temp\temp2.txt","SUCCESS","Offset: 3,670,016, Length: 524,288, Priority: Normal"
"10:37:46.3824730 a.m.","cmd.exe","4604","ReadFile","\\vboxsvr\DataShared\temp\temp.txt","SUCCESS","Offset: 4,194,304, Length: 118,093, Priority: Normal"
"10:37:46.3839261 a.m.","cmd.exe","4604","WriteFile","\\vboxsvr\DataShared\temp\temp2.txt","SUCCESS","Offset: 4,194,304, Length: 118,093, Priority: Normal"
"10:37:46.3855358 a.m.","cmd.exe","4604","SetBasicInformationFile","\\vboxsvr\DataShared\temp\temp2.txt","SUCCESS","CreationTime: 1/01/1601 12:00:00 p.m., LastAccessTime: 1/01/1601 12:00:00 p.m., LastWriteTime: 28/07/2011 5:34:20 p.m., ChangeTime: 28/07/2011 5:34:20 p.m., FileAttributes: n/a"
"10:37:46.3857942 a.m.","cmd.exe","4604","CloseFile","\\vboxsvr\DataShared\temp\temp.txt","SUCCESS",""
"10:37:46.3860127 a.m.","cmd.exe","4604","CloseFile","\\vboxsvr\DataShared\temp\temp2.txt","SUCCESS",""
"10:37:46.4644408 a.m.","cmd.exe","4604","CreateFile","\\vboxsvr\DataShared\temp\temp2.txt","SUCCESS","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
"10:37:46.4652735 a.m.","cmd.exe","4604","QueryBasicInformationFile","\\vboxsvr\DataShared\temp\temp2.txt","SUCCESS","CreationTime: 29/07/2011 10:37:46 a.m., LastAccessTime: 28/07/2011 5:21:08 p.m., LastWriteTime: 28/07/2011 5:34:20 p.m., ChangeTime: 29/07/2011 10:37:46 a.m., FileAttributes: N"
"10:37:46.4654266 a.m.","cmd.exe","4604","CloseFile","\\vboxsvr\DataShared\temp\temp2.txt","SUCCESS",""
"10:37:46.4667904 a.m.","cmd.exe","4604","CreateFile","\\vboxsvr\DataShared\temp\temp2.txt","SUCCESS","Desired Access: Write Attributes, Synchronize, Disposition: Open, Options: Synchronous IO Non-Alert, Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
"10:37:46.4676397 a.m.","cmd.exe","4604","SetBasicInformationFile","\\vboxsvr\DataShared\temp\temp2.txt","SUCCESS","CreationTime: 1/01/1601 12:00:00 p.m., LastAccessTime: 1/01/1601 12:00:00 p.m., LastWriteTime: 1/01/1601 12:00:00 p.m., ChangeTime: 1/01/1601 12:00:00 p.m., FileAttributes: N"
"10:37:46.4677672 a.m.","cmd.exe","4604","CloseFile","\\vboxsvr\DataShared\temp\temp2.txt","SUCCESS",""
"10:37:46.4679778 a.m.","cmd.exe","4604","CloseFile","\\vboxsvr\DataShared\temp\temp.txt","SUCCESS",""
"10:37:46.4685206 a.m.","cmd.exe","4604","QueryDirectory","\\vboxsvr\DataShared\temp","NO MORE FILES",""
"10:37:46.4686840 a.m.","cmd.exe","4604","CloseFile","\\vboxsvr\DataShared\temp","SUCCESS",""
