Joebox - Abstract Analysis File 10357

General information
Joebox version:	4.5.0
Start time:	14:58:51
Start date:	08/12/2011
Overall analysis duration:	0h 4m 37s
Target binary file name:
Target script file name:	new_Mal_URL.jbs
Number of analysed new started processes analysed:	5
Number of new started drivers analysed:	2
Number of existing processes analysed:	1
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Errors:

Classification / Thread Score
Persistence, Installation, Boot Survival:
Hidding, Stealthness, Detection and Removal Protection:
Security Solution / Mechanism bypass, termination and removal, Anti Debugging, VM Detection:
Spreading:
Exploiting:
Networking:
Data spying, Sniffing, Keylogging, Ebanking Fraud:

Signature Detections
Executable is probably coded in java
Printf formatting strings found in memory and binary data
SQL strings found in memory and binary data
Urls found in memory or binary data
Downloads files from webservers via HTTP
Found strings which match to known social media urls
Performs DNS lookups

Analysis Overview

Startup

system is xp

iexplore.exe (PID: 3196 MD5: B60DDDD2D63CE41CB8C487FCFBB6419E)

wmplayer.exe (PID: 3432 MD5: 97364267F7EC88285957FE24BD39EB58)

setup_wm.exe (PID: 3636 MD5: 60C6E654F7253FC5277AD413B2536380)

java.exe (PID: 3528 MD5: 68288DA42BC798992A42CD59061B199D)

cleanup

Involved Domains
Name	IP	Name Server	ASN	ASN Description	ANS State	Registrar	e-Mail
ext-marketing.com	74.53.140.71	ns603.websitewelcome.com ns604.websitewelcome.com	unknown	unknown	US	GODADDY.COM, INC.	rheft@intcorpcom.com
firedepartment.mobi	174.121.93.116	ns2.firedepartment.mobi ns1.firedepartment.mobi	unknown	unknown	US	GoDaddy.com, Inc. (146)	scall@srvfire.ca.gov
zespolpickup.pl	188.40.51.83	dns10.linuxpl.com ns10.linuxpl.com	unknown	unknown	DE		domeny@ConsultingService.pl
www.kva-applications.com	193.108.197.2		unknown	unknown	GB	unknown	unknown
southfloridazulunation.com	97.74.215.96	ns31.domaincontrol.com ns32.domaincontrol.com	unknown	unknown	US	GODADDY.COM, INC.	dinah.lopez@yahoo.com
combijump.com	46.45.137.206	0101domain1.venus.orderbox-dns.com 0101domain1.mercury.orderbox-dns.com 0101domain1.earth.orderbox-dns.com 0101domain1.mars.orderbox-dns.com	unknown	unknown	TR	0101 INTERNET, INC.	korpicsscan@skynet.be

Involved IP Addresses
IP	ASN	ASN Description	ANS State
199.7.52.190	unknown	unknown	US
195.186.1.121	unknown	unknown	CH

Global Network Data

All TCP
Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 8, 2011 15:01:24.918251038 CET	1083	80	192.168.0.10	174.121.93.116
Dec 8, 2011 15:01:24.918275118 CET	80	1083	174.121.93.116	192.168.0.10
Dec 8, 2011 15:01:24.918450117 CET	1083	80	192.168.0.10	174.121.93.116
Dec 8, 2011 15:01:24.918730021 CET	1083	80	192.168.0.10	174.121.93.116
Dec 8, 2011 15:01:24.918751955 CET	80	1083	174.121.93.116	192.168.0.10
Dec 8, 2011 15:01:25.686256886 CET	80	1083	174.121.93.116	192.168.0.10
Dec 8, 2011 15:01:25.870501041 CET	1083	80	192.168.0.10	174.121.93.116
Dec 8, 2011 15:01:25.870518923 CET	80	1083	174.121.93.116	192.168.0.10
Dec 8, 2011 15:01:25.894803047 CET	1084	80	192.168.0.10	188.40.51.83
Dec 8, 2011 15:01:25.894821882 CET	80	1084	188.40.51.83	192.168.0.10
Dec 8, 2011 15:01:25.895071030 CET	1084	80	192.168.0.10	188.40.51.83
Dec 8, 2011 15:01:25.897365093 CET	1084	80	192.168.0.10	188.40.51.83
Dec 8, 2011 15:01:25.897377968 CET	80	1084	188.40.51.83	192.168.0.10
Dec 8, 2011 15:01:25.902815104 CET	1085	80	192.168.0.10	97.74.215.96
Dec 8, 2011 15:01:25.902832985 CET	80	1085	97.74.215.96	192.168.0.10
Dec 8, 2011 15:01:25.903080940 CET	1085	80	192.168.0.10	97.74.215.96
Dec 8, 2011 15:01:25.908865929 CET	1086	80	192.168.0.10	193.108.197.2
Dec 8, 2011 15:01:25.908881903 CET	80	1086	193.108.197.2	192.168.0.10
Dec 8, 2011 15:01:25.909133911 CET	1086	80	192.168.0.10	193.108.197.2
Dec 8, 2011 15:01:25.915029049 CET	1087	80	192.168.0.10	74.53.140.71
Dec 8, 2011 15:01:25.915045023 CET	80	1087	74.53.140.71	192.168.0.10
Dec 8, 2011 15:01:25.915298939 CET	1087	80	192.168.0.10	74.53.140.71
Dec 8, 2011 15:01:25.916162014 CET	1085	80	192.168.0.10	97.74.215.96
Dec 8, 2011 15:01:25.916174889 CET	80	1085	97.74.215.96	192.168.0.10
Dec 8, 2011 15:01:25.916815042 CET	1086	80	192.168.0.10	193.108.197.2
Dec 8, 2011 15:01:25.916826963 CET	80	1086	193.108.197.2	192.168.0.10
Dec 8, 2011 15:01:25.917468071 CET	1087	80	192.168.0.10	74.53.140.71
Dec 8, 2011 15:01:25.917480946 CET	80	1087	74.53.140.71	192.168.0.10
Dec 8, 2011 15:01:26.088812113 CET	1083	80	192.168.0.10	174.121.93.116
Dec 8, 2011 15:01:26.347868919 CET	80	1084	188.40.51.83	192.168.0.10
Dec 8, 2011 15:01:26.403050900 CET	80	1086	193.108.197.2	192.168.0.10
Dec 8, 2011 15:01:26.525899887 CET	1086	80	192.168.0.10	193.108.197.2
Dec 8, 2011 15:01:26.526096106 CET	1084	80	192.168.0.10	188.40.51.83
Dec 8, 2011 15:01:26.625473022 CET	80	1085	97.74.215.96	192.168.0.10
Dec 8, 2011 15:01:26.632008076 CET	1087	80	192.168.0.10	74.53.140.71
Dec 8, 2011 15:01:26.638856888 CET	1089	80	192.168.0.10	46.45.137.206
Dec 8, 2011 15:01:26.638873100 CET	80	1089	46.45.137.206	192.168.0.10
Dec 8, 2011 15:01:26.639127016 CET	1089	80	192.168.0.10	46.45.137.206
Dec 8, 2011 15:01:26.639966965 CET	1089	80	192.168.0.10	46.45.137.206
Dec 8, 2011 15:01:26.639980078 CET	80	1089	46.45.137.206	192.168.0.10
Dec 8, 2011 15:01:26.745325089 CET	1085	80	192.168.0.10	97.74.215.96
Dec 8, 2011 15:01:27.353879929 CET	80	1084	188.40.51.83	192.168.0.10
Dec 8, 2011 15:01:27.354450941 CET	1084	80	192.168.0.10	188.40.51.83
Dec 8, 2011 15:01:27.666228056 CET	80	1089	46.45.137.206	192.168.0.10
Dec 8, 2011 15:01:27.799923897 CET	80	1089	46.45.137.206	192.168.0.10
Dec 8, 2011 15:01:27.800503016 CET	1089	80	192.168.0.10	46.45.137.206
Dec 8, 2011 15:01:27.800518990 CET	80	1089	46.45.137.206	192.168.0.10
Dec 8, 2011 15:01:27.800885916 CET	1089	80	192.168.0.10	46.45.137.206
Dec 8, 2011 15:01:27.810556889 CET	80	1089	46.45.137.206	192.168.0.10
Dec 8, 2011 15:01:27.810564041 CET	80	1089	46.45.137.206	192.168.0.10
Dec 8, 2011 15:01:27.811122894 CET	1089	80	192.168.0.10	46.45.137.206
Dec 8, 2011 15:01:27.907574892 CET	80	1089	46.45.137.206	192.168.0.10
Dec 8, 2011 15:01:27.908102036 CET	1089	80	192.168.0.10	46.45.137.206
Dec 8, 2011 15:01:27.908117056 CET	80	1089	46.45.137.206	192.168.0.10
Dec 8, 2011 15:01:27.908483982 CET	1089	80	192.168.0.10	46.45.137.206
Dec 8, 2011 15:01:27.980269909 CET	80	1089	46.45.137.206	192.168.0.10
Dec 8, 2011 15:01:27.998862982 CET	80	1089	46.45.137.206	192.168.0.10
Dec 8, 2011 15:01:27.999423027 CET	1089	80	192.168.0.10	46.45.137.206
Dec 8, 2011 15:01:27.999437094 CET	80	1089	46.45.137.206	192.168.0.10
Dec 8, 2011 15:01:27.999809980 CET	1089	80	192.168.0.10	46.45.137.206
Dec 8, 2011 15:01:28.005398989 CET	80	1089	46.45.137.206	192.168.0.10
Dec 8, 2011 15:01:28.005404949 CET	80	1089	46.45.137.206	192.168.0.10
Dec 8, 2011 15:01:28.005987883 CET	1089	80	192.168.0.10	46.45.137.206
Dec 8, 2011 15:01:28.083009958 CET	80	1089	46.45.137.206	192.168.0.10
Dec 8, 2011 15:01:28.105750084 CET	80	1089	46.45.137.206	192.168.0.10
Dec 8, 2011 15:01:28.106293917 CET	1089	80	192.168.0.10	46.45.137.206
Dec 8, 2011 15:01:28.106311083 CET	80	1089	46.45.137.206	192.168.0.10
Dec 8, 2011 15:01:28.106679916 CET	1089	80	192.168.0.10	46.45.137.206
Dec 8, 2011 15:01:28.113464117 CET	80	1089	46.45.137.206	192.168.0.10
Dec 8, 2011 15:01:28.113471031 CET	80	1089	46.45.137.206	192.168.0.10
Dec 8, 2011 15:01:28.114037991 CET	1089	80	192.168.0.10	46.45.137.206
Dec 8, 2011 15:01:28.142697096 CET	80	1089	46.45.137.206	192.168.0.10
Dec 8, 2011 15:01:28.193803072 CET	80	1089	46.45.137.206	192.168.0.10
Dec 8, 2011 15:01:28.194350958 CET	1089	80	192.168.0.10	46.45.137.206
Dec 8, 2011 15:01:28.194365025 CET	80	1089	46.45.137.206	192.168.0.10
Dec 8, 2011 15:01:28.194709063 CET	1089	80	192.168.0.10	46.45.137.206
Dec 8, 2011 15:01:28.203727007 CET	80	1089	46.45.137.206	192.168.0.10
Dec 8, 2011 15:01:28.203732967 CET	80	1089	46.45.137.206	192.168.0.10
Dec 8, 2011 15:01:28.204313993 CET	1089	80	192.168.0.10	46.45.137.206
Dec 8, 2011 15:01:28.284920931 CET	80	1089	46.45.137.206	192.168.0.10
Dec 8, 2011 15:01:28.286868095 CET	80	1089	46.45.137.206	192.168.0.10
Dec 8, 2011 15:01:28.287409067 CET	1089	80	192.168.0.10	46.45.137.206
Dec 8, 2011 15:01:28.287421942 CET	80	1089	46.45.137.206	192.168.0.10
Dec 8, 2011 15:01:28.288703918 CET	80	1089	46.45.137.206	192.168.0.10
Dec 8, 2011 15:01:28.289259911 CET	1089	80	192.168.0.10	46.45.137.206
Dec 8, 2011 15:01:28.289273024 CET	80	1089	46.45.137.206	192.168.0.10
Dec 8, 2011 15:01:28.289622068 CET	1089	80	192.168.0.10	46.45.137.206
Dec 8, 2011 15:01:28.322789907 CET	80	1089	46.45.137.206	192.168.0.10
Dec 8, 2011 15:01:28.322797060 CET	80	1089	46.45.137.206	192.168.0.10
Dec 8, 2011 15:01:28.322932005 CET	80	1089	46.45.137.206	192.168.0.10
Dec 8, 2011 15:01:28.323328018 CET	1089	80	192.168.0.10	46.45.137.206
Dec 8, 2011 15:01:28.323443890 CET	1089	80	192.168.0.10	46.45.137.206
Dec 8, 2011 15:01:28.323455095 CET	80	1089	46.45.137.206	192.168.0.10
Dec 8, 2011 15:01:28.377697945 CET	80	1089	46.45.137.206	192.168.0.10
Dec 8, 2011 15:01:28.377950907 CET	80	1089	46.45.137.206	192.168.0.10
Dec 8, 2011 15:01:28.378074884 CET	1089	80	192.168.0.10	46.45.137.206
Dec 8, 2011 15:01:28.378089905 CET	80	1089	46.45.137.206	192.168.0.10
Dec 8, 2011 15:01:28.378345966 CET	1089	80	192.168.0.10	46.45.137.206
Dec 8, 2011 15:01:28.390214920 CET	80	1089	46.45.137.206	192.168.0.10
Dec 8, 2011 15:01:28.390738010 CET	1089	80	192.168.0.10	46.45.137.206
Dec 8, 2011 15:01:28.390753031 CET	80	1089	46.45.137.206	192.168.0.10
Dec 8, 2011 15:01:28.404459000 CET	80	1089	46.45.137.206	192.168.0.10
Dec 8, 2011 15:01:28.405016899 CET	1089	80	192.168.0.10	46.45.137.206
Dec 8, 2011 15:01:28.405030012 CET	80	1089	46.45.137.206	192.168.0.10
Dec 8, 2011 15:01:28.405118942 CET	1089	80	192.168.0.10	46.45.137.206
Dec 8, 2011 15:01:28.416800976 CET	80	1089	46.45.137.206	192.168.0.10
Dec 8, 2011 15:01:28.417349100 CET	1089	80	192.168.0.10	46.45.137.206
Dec 8, 2011 15:01:28.417361975 CET	80	1089	46.45.137.206	192.168.0.10
Dec 8, 2011 15:01:28.417706966 CET	1089	80	192.168.0.10	46.45.137.206
Dec 8, 2011 15:01:28.486414909 CET	80	1089	46.45.137.206	192.168.0.10
Dec 8, 2011 15:01:28.492352009 CET	80	1089	46.45.137.206	192.168.0.10
Dec 8, 2011 15:01:28.492955923 CET	1089	80	192.168.0.10	46.45.137.206
Dec 8, 2011 15:01:28.492969990 CET	80	1089	46.45.137.206	192.168.0.10
Dec 8, 2011 15:01:28.493299961 CET	1089	80	192.168.0.10	46.45.137.206
Dec 8, 2011 15:01:28.496278048 CET	80	1089	46.45.137.206	192.168.0.10
Dec 8, 2011 15:01:28.508506060 CET	80	1089	46.45.137.206	192.168.0.10
Dec 8, 2011 15:01:28.509022951 CET	1089	80	192.168.0.10	46.45.137.206
Dec 8, 2011 15:01:28.509036064 CET	80	1089	46.45.137.206	192.168.0.10
Dec 8, 2011 15:01:28.509407997 CET	1089	80	192.168.0.10	46.45.137.206
Dec 8, 2011 15:01:28.523541927 CET	80	1089	46.45.137.206	192.168.0.10
Dec 8, 2011 15:01:28.523547888 CET	80	1089	46.45.137.206	192.168.0.10
Dec 8, 2011 15:01:28.523682117 CET	80	1089	46.45.137.206	192.168.0.10
Dec 8, 2011 15:01:28.524091959 CET	1089	80	192.168.0.10	46.45.137.206
Dec 8, 2011 15:01:28.524207115 CET	1089	80	192.168.0.10	46.45.137.206
Dec 8, 2011 15:01:28.524218082 CET	80	1089	46.45.137.206	192.168.0.10
Dec 8, 2011 15:01:28.583041906 CET	80	1089	46.45.137.206	192.168.0.10
Dec 8, 2011 15:01:28.583560944 CET	1089	80	192.168.0.10	46.45.137.206
Dec 8, 2011 15:01:28.583574057 CET	80	1089	46.45.137.206	192.168.0.10
Dec 8, 2011 15:01:28.583667994 CET	1089	80	192.168.0.10	46.45.137.206
Dec 8, 2011 15:01:28.594997883 CET	80	1089	46.45.137.206	192.168.0.10
Dec 8, 2011 15:01:28.595504999 CET	1089	80	192.168.0.10	46.45.137.206
Dec 8, 2011 15:01:28.595516920 CET	80	1089	46.45.137.206	192.168.0.10
Dec 8, 2011 15:01:28.595902920 CET	1089	80	192.168.0.10	46.45.137.206
Dec 8, 2011 15:01:28.605915070 CET	80	1089	46.45.137.206	192.168.0.10
Dec 8, 2011 15:01:28.606545925 CET	80	1089	46.45.137.206	192.168.0.10
Dec 8, 2011 15:01:28.607001066 CET	1089	80	192.168.0.10	46.45.137.206
Dec 8, 2011 15:01:28.607013941 CET	80	1089	46.45.137.206	192.168.0.10
Dec 8, 2011 15:01:28.607378006 CET	1089	80	192.168.0.10	46.45.137.206
Dec 8, 2011 15:01:28.636941910 CET	80	1089	46.45.137.206	192.168.0.10
Dec 8, 2011 15:01:28.636948109 CET	80	1089	46.45.137.206	192.168.0.10
Dec 8, 2011 15:01:28.637425900 CET	1089	80	192.168.0.10	46.45.137.206
Dec 8, 2011 15:01:28.687275887 CET	80	1089	46.45.137.206	192.168.0.10
Dec 8, 2011 15:01:28.687820911 CET	1089	80	192.168.0.10	46.45.137.206
Dec 8, 2011 15:01:28.687833071 CET	80	1089	46.45.137.206	192.168.0.10
Dec 8, 2011 15:01:28.688206911 CET	1089	80	192.168.0.10	46.45.137.206
Dec 8, 2011 15:01:28.688699961 CET	80	1089	46.45.137.206	192.168.0.10
Dec 8, 2011 15:01:28.699419975 CET	80	1089	46.45.137.206	192.168.0.10
Dec 8, 2011 15:01:28.699754953 CET	80	1089	46.45.137.206	192.168.0.10
Dec 8, 2011 15:01:28.699976921 CET	1089	80	192.168.0.10	46.45.137.206
Dec 8, 2011 15:01:28.699989080 CET	80	1089	46.45.137.206	192.168.0.10
Dec 8, 2011 15:01:28.700233936 CET	1089	80	192.168.0.10	46.45.137.206
Dec 8, 2011 15:01:28.774096012 CET	80	1089	46.45.137.206	192.168.0.10
Dec 8, 2011 15:01:28.774632931 CET	1089	80	192.168.0.10	46.45.137.206
Dec 8, 2011 15:01:28.774646997 CET	80	1089	46.45.137.206	192.168.0.10
Dec 8, 2011 15:01:28.776998043 CET	80	1089	46.45.137.206	192.168.0.10
Dec 8, 2011 15:01:28.777475119 CET	1089	80	192.168.0.10	46.45.137.206
Dec 8, 2011 15:01:28.777487040 CET	80	1089	46.45.137.206	192.168.0.10
Dec 8, 2011 15:01:28.777790070 CET	80	1089	46.45.137.206	192.168.0.10
Dec 8, 2011 15:01:28.778208017 CET	1089	80	192.168.0.10	46.45.137.206
Dec 8, 2011 15:01:28.778219938 CET	80	1089	46.45.137.206	192.168.0.10
Dec 8, 2011 15:01:28.778948069 CET	1089	80	192.168.0.10	46.45.137.206
Dec 8, 2011 15:01:28.778959036 CET	80	1089	46.45.137.206	192.168.0.10
Dec 8, 2011 15:01:28.802903891 CET	80	1089	46.45.137.206	192.168.0.10
Dec 8, 2011 15:01:28.803463936 CET	1089	80	192.168.0.10	46.45.137.206
Dec 8, 2011 15:01:28.803477049 CET	80	1089	46.45.137.206	192.168.0.10
Dec 8, 2011 15:01:28.803819895 CET	1089	80	192.168.0.10	46.45.137.206
Dec 8, 2011 15:01:28.835872889 CET	80	1089	46.45.137.206	192.168.0.10
Dec 8, 2011 15:01:28.835880995 CET	80	1089	46.45.137.206	192.168.0.10
Dec 8, 2011 15:01:28.836472034 CET	1089	80	192.168.0.10	46.45.137.206
Dec 8, 2011 15:01:28.884690046 CET	80	1089	46.45.137.206	192.168.0.10
Dec 8, 2011 15:01:28.885704041 CET	80	1089	46.45.137.206	192.168.0.10
Dec 8, 2011 15:01:28.886127949 CET	1089	80	192.168.0.10	46.45.137.206
Dec 8, 2011 15:01:28.886143923 CET	80	1089	46.45.137.206	192.168.0.10
Dec 8, 2011 15:01:28.886553049 CET	1089	80	192.168.0.10	46.45.137.206
Dec 8, 2011 15:01:28.887011051 CET	80	1089	46.45.137.206	192.168.0.10
Dec 8, 2011 15:01:28.887017965 CET	80	1089	46.45.137.206	192.168.0.10
Dec 8, 2011 15:01:28.887545109 CET	1089	80	192.168.0.10	46.45.137.206
Dec 8, 2011 15:01:28.887640953 CET	1089	80	192.168.0.10	46.45.137.206
Dec 8, 2011 15:01:28.887805939 CET	80	1089	46.45.137.206	192.168.0.10
Dec 8, 2011 15:01:28.902273893 CET	80	1089	46.45.137.206	192.168.0.10
Dec 8, 2011 15:01:28.902548075 CET	80	1089	46.45.137.206	192.168.0.10
Dec 8, 2011 15:01:28.902806997 CET	1089	80	192.168.0.10	46.45.137.206
Dec 8, 2011 15:01:28.902821064 CET	80	1089	46.45.137.206	192.168.0.10
Dec 8, 2011 15:01:28.903064013 CET	1089	80	192.168.0.10	46.45.137.206
Dec 8, 2011 15:01:28.911369085 CET	80	1089	46.45.137.206	192.168.0.10
Dec 8, 2011 15:01:28.911909103 CET	1089	80	192.168.0.10	46.45.137.206
Dec 8, 2011 15:01:28.911921978 CET	80	1089	46.45.137.206	192.168.0.10
Dec 8, 2011 15:01:29.041492939 CET	1089	80	192.168.0.10	46.45.137.206
Dec 8, 2011 15:01:29.041505098 CET	80	1089	46.45.137.206	192.168.0.10
Dec 8, 2011 15:01:29.260193110 CET	1089	80	192.168.0.10	46.45.137.206
Dec 8, 2011 15:01:29.260206938 CET	80	1089	46.45.137.206	192.168.0.10
Dec 8, 2011 15:01:29.482629061 CET	1089	80	192.168.0.10	46.45.137.206
Dec 8, 2011 15:01:29.975316048 CET	1084	80	192.168.0.10	188.40.51.83
Dec 8, 2011 15:01:30.796900034 CET	80	1083	174.121.93.116	192.168.0.10
Dec 8, 2011 15:01:30.797394991 CET	1083	80	192.168.0.10	174.121.93.116
Dec 8, 2011 15:01:32.044327974 CET	1089	80	192.168.0.10	46.45.137.206
Dec 8, 2011 15:01:32.044347048 CET	80	1089	46.45.137.206	192.168.0.10
Dec 8, 2011 15:01:33.018349886 CET	80	1089	46.45.137.206	192.168.0.10
Dec 8, 2011 15:01:33.019032001 CET	1083	80	192.168.0.10	174.121.93.116
Dec 8, 2011 15:01:33.180912971 CET	1089	80	192.168.0.10	46.45.137.206
Dec 8, 2011 15:01:33.196698904 CET	80	1089	46.45.137.206	192.168.0.10
Dec 8, 2011 15:01:33.222733021 CET	80	1089	46.45.137.206	192.168.0.10
Dec 8, 2011 15:01:33.223092079 CET	1089	80	192.168.0.10	46.45.137.206
Dec 8, 2011 15:01:33.223109007 CET	80	1089	46.45.137.206	192.168.0.10
Dec 8, 2011 15:01:33.274785042 CET	80	1089	46.45.137.206	192.168.0.10
Dec 8, 2011 15:01:33.275217056 CET	1089	80	192.168.0.10	46.45.137.206
Dec 8, 2011 15:01:33.275232077 CET	80	1089	46.45.137.206	192.168.0.10
Dec 8, 2011 15:01:33.275511026 CET	1089	80	192.168.0.10	46.45.137.206
Dec 8, 2011 15:01:33.304460049 CET	80	1089	46.45.137.206	192.168.0.10
Dec 8, 2011 15:01:33.351985931 CET	80	1089	46.45.137.206	192.168.0.10
Dec 8, 2011 15:01:33.352401018 CET	1089	80	192.168.0.10	46.45.137.206
Dec 8, 2011 15:01:33.352413893 CET	80	1089	46.45.137.206	192.168.0.10
Dec 8, 2011 15:01:33.381565094 CET	80	1089	46.45.137.206	192.168.0.10
Dec 8, 2011 15:01:33.381908894 CET	80	1089	46.45.137.206	192.168.0.10
Dec 8, 2011 15:01:33.381983042 CET	1089	80	192.168.0.10	46.45.137.206
Dec 8, 2011 15:01:33.381997108 CET	80	1089	46.45.137.206	192.168.0.10
Dec 8, 2011 15:01:33.382278919 CET	1089	80	192.168.0.10	46.45.137.206
Dec 8, 2011 15:01:33.382363081 CET	1089	80	192.168.0.10	46.45.137.206
Dec 8, 2011 15:01:33.413597107 CET	80	1089	46.45.137.206	192.168.0.10
Dec 8, 2011 15:01:33.414021969 CET	1089	80	192.168.0.10	46.45.137.206
Dec 8, 2011 15:01:33.414035082 CET	80	1089	46.45.137.206	192.168.0.10
Dec 8, 2011 15:01:33.414108992 CET	1089	80	192.168.0.10	46.45.137.206
Dec 8, 2011 15:01:33.414668083 CET	80	1089	46.45.137.206	192.168.0.10
Dec 8, 2011 15:01:33.415043116 CET	1089	80	192.168.0.10	46.45.137.206
Dec 8, 2011 15:01:33.415055037 CET	80	1089	46.45.137.206	192.168.0.10
Dec 8, 2011 15:01:33.415292978 CET	1089	80	192.168.0.10	46.45.137.206
Dec 8, 2011 15:01:33.418009996 CET	80	1089	46.45.137.206	192.168.0.10
Dec 8, 2011 15:01:33.418018103 CET	80	1089	46.45.137.206	192.168.0.10
Dec 8, 2011 15:01:33.418453932 CET	1089	80	192.168.0.10	46.45.137.206
Dec 8, 2011 15:01:33.440573931 CET	80	1089	46.45.137.206	192.168.0.10
Dec 8, 2011 15:01:33.441011906 CET	1089	80	192.168.0.10	46.45.137.206
Dec 8, 2011 15:01:33.441026926 CET	80	1089	46.45.137.206	192.168.0.10
Dec 8, 2011 15:01:33.441291094 CET	1089	80	192.168.0.10	46.45.137.206
Dec 8, 2011 15:01:33.443780899 CET	80	1089	46.45.137.206	192.168.0.10
Dec 8, 2011 15:01:33.445343971 CET	80	1089	46.45.137.206	192.168.0.10
Dec 8, 2011 15:01:33.445669889 CET	80	1089	46.45.137.206	192.168.0.10
Dec 8, 2011 15:01:33.445718050 CET	1089	80	192.168.0.10	46.45.137.206
Dec 8, 2011 15:01:33.445730925 CET	80	1089	46.45.137.206	192.168.0.10
Dec 8, 2011 15:01:33.446018934 CET	1089	80	192.168.0.10	46.45.137.206
Dec 8, 2011 15:01:33.446284056 CET	80	1089	46.45.137.206	192.168.0.10
Dec 8, 2011 15:01:33.446655035 CET	1089	80	192.168.0.10	46.45.137.206
Dec 8, 2011 15:01:33.446666956 CET	80	1089	46.45.137.206	192.168.0.10
Dec 8, 2011 15:01:33.446907997 CET	1089	80	192.168.0.10	46.45.137.206
Dec 8, 2011 15:01:33.456933975 CET	80	1089	46.45.137.206	192.168.0.10
Dec 8, 2011 15:01:33.456939936 CET	80	1089	46.45.137.206	192.168.0.10
Dec 8, 2011 15:01:33.457326889 CET	1089	80	192.168.0.10	46.45.137.206
Dec 8, 2011 15:01:33.469271898 CET	80	1089	46.45.137.206	192.168.0.10
Dec 8, 2011 15:01:33.469774961 CET	1089	80	192.168.0.10	46.45.137.206
Dec 8, 2011 15:01:33.469788074 CET	80	1089	46.45.137.206	192.168.0.10
Dec 8, 2011 15:01:33.470052958 CET	1089	80	192.168.0.10	46.45.137.206
Dec 8, 2011 15:01:33.471538067 CET	80	1089	46.45.137.206	192.168.0.10
Dec 8, 2011 15:01:33.484818935 CET	80	1089	46.45.137.206	192.168.0.10
Dec 8, 2011 15:01:33.485420942 CET	1089	80	192.168.0.10	46.45.137.206
Dec 8, 2011 15:01:33.485434055 CET	80	1089	46.45.137.206	192.168.0.10
Dec 8, 2011 15:01:33.485707998 CET	1089	80	192.168.0.10	46.45.137.206
Dec 8, 2011 15:01:33.553664923 CET	80	1089	46.45.137.206	192.168.0.10
Dec 8, 2011 15:01:33.555438042 CET	80	1089	46.45.137.206	192.168.0.10
Dec 8, 2011 15:01:33.555774927 CET	80	1089	46.45.137.206	192.168.0.10
Dec 8, 2011 15:01:33.556385994 CET	1089	80	192.168.0.10	46.45.137.206
Dec 8, 2011 15:01:33.556399107 CET	80	1089	46.45.137.206	192.168.0.10
Dec 8, 2011 15:01:33.556476116 CET	1089	80	192.168.0.10	46.45.137.206
Dec 8, 2011 15:01:33.556750059 CET	1089	80	192.168.0.10	46.45.137.206
Dec 8, 2011 15:01:33.556761980 CET	80	1089	46.45.137.206	192.168.0.10
Dec 8, 2011 15:01:33.557331085 CET	80	1089	46.45.137.206	192.168.0.10
Dec 8, 2011 15:01:33.557698011 CET	1089	80	192.168.0.10	46.45.137.206
Dec 8, 2011 15:01:33.557710886 CET	80	1089	46.45.137.206	192.168.0.10
Dec 8, 2011 15:01:33.557946920 CET	1089	80	192.168.0.10	46.45.137.206
Dec 8, 2011 15:01:33.578855038 CET	80	1089	46.45.137.206	192.168.0.10
Dec 8, 2011 15:01:33.578861952 CET	80	1089	46.45.137.206	192.168.0.10
Dec 8, 2011 15:01:33.579252005 CET	1089	80	192.168.0.10	46.45.137.206
Dec 8, 2011 15:01:33.592572927 CET	80	1089	46.45.137.206	192.168.0.10
Dec 8, 2011 15:01:33.592978954 CET	1089	80	192.168.0.10	46.45.137.206
Dec 8, 2011 15:01:33.592991114 CET	80	1089	46.45.137.206	192.168.0.10
Dec 8, 2011 15:01:33.593000889 CET	80	1089	46.45.137.206	192.168.0.10
Dec 8, 2011 15:01:33.593373060 CET	1089	80	192.168.0.10	46.45.137.206
Dec 8, 2011 15:01:33.727273941 CET	1089	80	192.168.0.10	46.45.137.206
Dec 8, 2011 15:01:33.983057022 CET	80	1089	46.45.137.206	192.168.0.10
Dec 8, 2011 15:01:34.047307968 CET	1089	80	192.168.0.10	46.45.137.206
Dec 8, 2011 15:01:34.047323942 CET	80	1089	46.45.137.206	192.168.0.10
Dec 8, 2011 15:01:34.048300982 CET	1089	80	192.168.0.10	46.45.137.206
Dec 8, 2011 15:01:34.048316956 CET	80	1089	46.45.137.206	192.168.0.10
Dec 8, 2011 15:01:34.048386097 CET	1089	80	192.168.0.10	46.45.137.206
Dec 8, 2011 15:01:34.048401117 CET	80	1089	46.45.137.206	192.168.0.10
Dec 8, 2011 15:01:34.048774958 CET	1089	80	192.168.0.10	46.45.137.206
Dec 8, 2011 15:01:34.048788071 CET	80	1089	46.45.137.206	192.168.0.10
Dec 8, 2011 15:01:34.048861980 CET	1089	80	192.168.0.10	46.45.137.206
Dec 8, 2011 15:01:34.048876047 CET	80	1089	46.45.137.206	192.168.0.10
Dec 8, 2011 15:01:34.048962116 CET	1089	80	192.168.0.10	46.45.137.206
Dec 8, 2011 15:01:34.049321890 CET	1089	80	192.168.0.10	46.45.137.206
Dec 8, 2011 15:01:34.049338102 CET	80	1089	46.45.137.206	192.168.0.10
Dec 8, 2011 15:01:34.049408913 CET	1089	80	192.168.0.10	46.45.137.206
Dec 8, 2011 15:01:34.049504995 CET	1089	80	192.168.0.10	46.45.137.206
Dec 8, 2011 15:01:34.049521923 CET	80	1089	46.45.137.206	192.168.0.10
Dec 8, 2011 15:01:34.049933910 CET	1089	80	192.168.0.10	46.45.137.206
Dec 8, 2011 15:01:34.050019979 CET	1089	80	192.168.0.10	46.45.137.206
Dec 8, 2011 15:01:34.050029993 CET	80	1089	46.45.137.206	192.168.0.10
Dec 8, 2011 15:01:34.050035954 CET	80	1089	46.45.137.206	192.168.0.10
Dec 8, 2011 15:01:34.050112009 CET	1089	80	192.168.0.10	46.45.137.206
Dec 8, 2011 15:01:34.050220013 CET	1089	80	192.168.0.10	46.45.137.206
Dec 8, 2011 15:01:34.050311089 CET	1089	80	192.168.0.10	46.45.137.206
Dec 8, 2011 15:01:34.050435066 CET	1089	80	192.168.0.10	46.45.137.206
Dec 8, 2011 15:01:34.050674915 CET	1089	80	192.168.0.10	46.45.137.206
Dec 8, 2011 15:01:34.165728092 CET	1089	80	192.168.0.10	46.45.137.206
Dec 8, 2011 15:01:41.371627092 CET	80	1086	193.108.197.2	192.168.0.10
Dec 8, 2011 15:01:41.372025013 CET	1086	80	192.168.0.10	193.108.197.2
Dec 8, 2011 15:01:41.413239956 CET	1089	80	192.168.0.10	46.45.137.206
Dec 8, 2011 15:01:41.414885044 CET	1089	80	192.168.0.10	46.45.137.206
Dec 8, 2011 15:01:41.886557102 CET	1089	80	192.168.0.10	46.45.137.206
Dec 8, 2011 15:01:41.886569977 CET	80	1089	46.45.137.206	192.168.0.10
Dec 8, 2011 15:01:42.415654898 CET	80	1089	46.45.137.206	192.168.0.10
Dec 8, 2011 15:01:42.587723017 CET	1089	80	192.168.0.10	46.45.137.206
Dec 8, 2011 15:01:42.587739944 CET	80	1089	46.45.137.206	192.168.0.10
Dec 8, 2011 15:01:42.803864956 CET	1089	80	192.168.0.10	46.45.137.206
Dec 8, 2011 15:01:46.033818007 CET	1086	80	192.168.0.10	193.108.197.2
Dec 8, 2011 15:02:09.926039934 CET	1082	80	192.168.0.10	199.7.52.190
Dec 8, 2011 15:02:27.575208902 CET	1085	80	192.168.0.10	97.74.215.96
Dec 8, 2011 15:02:47.527354002 CET	80	1089	46.45.137.206	192.168.0.10
Dec 8, 2011 15:02:47.527672052 CET	1089	80	192.168.0.10	46.45.137.206
Dec 8, 2011 15:03:07.061162949 CET	1089	80	192.168.0.10	46.45.137.206

All UDP
Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 8, 2011 15:01:24.909394979 CET	52448	53	192.168.0.10	195.186.1.121
Dec 8, 2011 15:01:24.909488916 CET	53	52448	195.186.1.121	192.168.0.10
Dec 8, 2011 15:01:25.892657042 CET	64237	53	192.168.0.10	195.186.1.121
Dec 8, 2011 15:01:25.892730951 CET	53	64237	195.186.1.121	192.168.0.10
Dec 8, 2011 15:01:25.900804996 CET	63186	53	192.168.0.10	195.186.1.121
Dec 8, 2011 15:01:25.900842905 CET	53	63186	195.186.1.121	192.168.0.10
Dec 8, 2011 15:01:25.906234980 CET	53580	53	192.168.0.10	195.186.1.121
Dec 8, 2011 15:01:25.906270027 CET	53	53580	195.186.1.121	192.168.0.10
Dec 8, 2011 15:01:25.912863016 CET	56918	53	192.168.0.10	195.186.1.121
Dec 8, 2011 15:01:25.912898064 CET	53	56918	195.186.1.121	192.168.0.10
Dec 8, 2011 15:01:26.308650017 CET	57122	53	192.168.0.10	195.186.1.121
Dec 8, 2011 15:01:26.526284933 CET	53	57122	195.186.1.121	192.168.0.10
Dec 8, 2011 15:01:26.636559010 CET	64190	53	192.168.0.10	195.186.1.121
Dec 8, 2011 15:01:26.636600018 CET	53	64190	195.186.1.121	192.168.0.10
Dec 8, 2011 15:01:27.592406034 CET	60212	53	192.168.0.10	195.186.1.121
Dec 8, 2011 15:01:27.882874012 CET	53	60212	195.186.1.121	192.168.0.10
Dec 8, 2011 15:01:41.867929935 CET	63187	53	192.168.0.10	195.186.1.121
Dec 8, 2011 15:01:42.271615028 CET	53	63187	195.186.1.121	192.168.0.10

DNS Query
Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Dec 8, 2011 15:01:24.909394979 CET	192.168.0.10	195.186.1.121	0xb841	Standard query (0)	firedepartment.mobi	A (IP address)	IN (0x0001)
Dec 8, 2011 15:01:25.892657042 CET	192.168.0.10	195.186.1.121	0xab77	Standard query (0)	zespolpickup.pl	A (IP address)	IN (0x0001)
Dec 8, 2011 15:01:25.900804996 CET	192.168.0.10	195.186.1.121	0x7b20	Standard query (0)	southfloridazulunation.com	A (IP address)	IN (0x0001)
Dec 8, 2011 15:01:25.906234980 CET	192.168.0.10	195.186.1.121	0x5abc	Standard query (0)	www.kva-applications.com	A (IP address)	IN (0x0001)
Dec 8, 2011 15:01:25.912863016 CET	192.168.0.10	195.186.1.121	0x492b	Standard query (0)	ext-marketing.com	A (IP address)	IN (0x0001)
Dec 8, 2011 15:01:26.636559010 CET	192.168.0.10	195.186.1.121	0x5e73	Standard query (0)	combijump.com	A (IP address)	IN (0x0001)

DNS Answer
Timestamp	Source IP	Dest IP	Trans ID	Replay Code	Name	CName	Address	Type	Class
Dec 8, 2011 15:01:24.909488916 CET	195.186.1.121	192.168.0.10	0xb841	No error (0)	firedepartment.mobi		174.121.93.116	A (IP address)	IN (0x0001)
Dec 8, 2011 15:01:25.892730951 CET	195.186.1.121	192.168.0.10	0xab77	No error (0)	zespolpickup.pl		188.40.51.83	A (IP address)	IN (0x0001)
Dec 8, 2011 15:01:25.900842905 CET	195.186.1.121	192.168.0.10	0x7b20	No error (0)	southfloridazulunation.com		97.74.215.96	A (IP address)	IN (0x0001)
Dec 8, 2011 15:01:25.906270027 CET	195.186.1.121	192.168.0.10	0x5abc	No error (0)	www.kva-applications.com		193.108.197.2	A (IP address)	IN (0x0001)
Dec 8, 2011 15:01:25.912898064 CET	195.186.1.121	192.168.0.10	0x492b	No error (0)	ext-marketing.com		74.53.140.71	A (IP address)	IN (0x0001)
Dec 8, 2011 15:01:26.636600018 CET	195.186.1.121	192.168.0.10	0x5e73	No error (0)	combijump.com		46.45.137.206	A (IP address)	IN (0x0001)

HTTP
Timestamp	Source Port	Dest Port	Source IP	Dest IP	Header
Dec 8, 2011 15:01:24.918730021 CET	1083	80	192.168.0.10	174.121.93.116	GET /f3429b/index.html HTTP/1.1 Accept: image/gif, image/jpeg, image/pjpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, / Accept-Language: en-us User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729) Accept-Encoding: gzip, deflate Host: firedepartment.mobi Connection: Keep-Alive
Dec 8, 2011 15:01:25.686256886 CET	80	1083	174.121.93.116	192.168.0.10	HTTP/1.1 200 OK Date: Thu, 08 Dec 2011 14:10:45 GMT Server: Apache/2.2.16 (Unix) mod_ssl/2.2.16 OpenSSL/0.9.8e-fips-rhel5 DAV/2 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 Last-Modified: Thu, 08 Dec 2011 07:46:58 GMT ETag: "14a3866c-1eb-4b38fdf7c4080" Accept-Ranges: bytes Vary: Accept-Encoding,User-Agent Content-Encoding: gzip Content-Length: 209 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html
Dec 8, 2011 15:01:25.897365093 CET	1084	80	192.168.0.10	188.40.51.83	GET /ajaxam.js HTTP/1.1 Accept: / Referer: http://firedepartment.mobi/f3429b/index.html Accept-Language: en-us User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729) Accept-Encoding: gzip, deflate Host: zespolpickup.pl Connection: Keep-Alive
Dec 8, 2011 15:01:25.916162014 CET	1085	80	192.168.0.10	97.74.215.96	GET /ajaxam.js HTTP/1.1 Accept: / Referer: http://firedepartment.mobi/f3429b/index.html Accept-Language: en-us User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729) Accept-Encoding: gzip, deflate Host: southfloridazulunation.com Connection: Keep-Alive
Dec 8, 2011 15:01:25.916815042 CET	1086	80	192.168.0.10	193.108.197.2	GET /jscounter.js HTTP/1.1 Accept: / Referer: http://firedepartment.mobi/f3429b/index.html Accept-Language: en-us User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729) Accept-Encoding: gzip, deflate Host: www.kva-applications.com Connection: Keep-Alive
Dec 8, 2011 15:01:25.917468071 CET	1087	80	192.168.0.10	74.53.140.71	GET /ajaxam.js HTTP/1.1 Accept: / Referer: http://firedepartment.mobi/f3429b/index.html Accept-Language: en-us User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729) Accept-Encoding: gzip, deflate Host: ext-marketing.com Connection: Keep-Alive
Dec 8, 2011 15:01:26.347868919 CET	80	1084	188.40.51.83	192.168.0.10	HTTP/1.1 404 Not Found Date: Thu, 08 Dec 2011 14:10:43 GMT Server: Power MOD by linuxpl.com Content-Length: 409 Keep-Alive: timeout=1, max=10000 Connection: Keep-Alive Content-Type: text/html; charset=iso-8859-1
Dec 8, 2011 15:01:26.403050900 CET	80	1086	193.108.197.2	192.168.0.10	HTTP/1.1 200 OK Date: Thu, 08 Dec 2011 14:10:46 GMT Server: Apache Last-Modified: Wed, 07 Dec 2011 20:58:15 GMT ETag: "4eabbe-48-cf7e67c0" Accept-Ranges: bytes Content-Length: 72 Keep-Alive: timeout=15 Connection: Keep-Alive Content-Type: application/x-javascript
Dec 8, 2011 15:01:26.625473022 CET	80	1085	97.74.215.96	192.168.0.10	HTTP/1.1 200 OK Content-Type: application/x-javascript Last-Modified: Wed, 07 Dec 2011 20:58:11 GMT Accept-Ranges: bytes ETag: "8574aee22b5cc1:0" Server: Microsoft-IIS/7.0 X-Powered-By: ASP.NET Date: Thu, 08 Dec 2011 14:10:45 GMT Content-Length: 72
Dec 8, 2011 15:01:26.639966965 CET	1089	80	192.168.0.10	46.45.137.206	GET /main.php?page=abfd0d069b45c17e HTTP/1.1 Accept: image/gif, image/jpeg, image/pjpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, / Accept-Language: en-us User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729) Accept-Encoding: gzip, deflate Host: combijump.com Connection: Keep-Alive
Dec 8, 2011 15:01:27.666228056 CET	80	1089	46.45.137.206	192.168.0.10	HTTP/1.1 200 OK Server: nginx/1.0.10 Date: Thu, 08 Dec 2011 14:11:53 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/5.3.8-1~dotdeb.2
Dec 8, 2011 15:01:32.044327974 CET	1089	80	192.168.0.10	46.45.137.206	GET /content/fdp2.php?f=41::4 HTTP/1.1 Accept: image/gif, image/jpeg, image/pjpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, / Referer: http://combijump.com/main.php?page=abfd0d069b45c17e Accept-Language: en-us User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729) Accept-Encoding: gzip, deflate Host: combijump.com Connection: Keep-Alive
Dec 8, 2011 15:01:33.018349886 CET	80	1089	46.45.137.206	192.168.0.10	HTTP/1.1 200 OK Server: nginx/1.0.10 Date: Thu, 08 Dec 2011 14:11:59 GMT Content-Type: application/pdf Connection: keep-alive X-Powered-By: PHP/5.3.8-1~dotdeb.2 Accept-Ranges: bytes Content-Length: 118094 Content-Disposition: inline; filename=58326.pdf
Dec 8, 2011 15:01:41.886557102 CET	1089	80	192.168.0.10	46.45.137.206	GET /content/field.swf HTTP/1.1 Accept: / Accept-Language: en-US Referer: http://combijump.com/main.php?page=abfd0d069b45c17e x-flash-version: 10,2,153,1 Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729) Host: combijump.com Connection: Keep-Alive
Dec 8, 2011 15:01:42.415654898 CET	80	1089	46.45.137.206	192.168.0.10	HTTP/1.1 200 OK Server: nginx/1.0.10 Date: Thu, 08 Dec 2011 14:12:08 GMT Content-Type: application/x-shockwave-flash Connection: keep-alive Content-Length: 1383 Last-Modified: Wed, 07 Dec 2011 08:42:54 GMT Accept-Ranges: bytes

Hooks

Analysis File: iexplore.exe PID: 3196 Parent PID: -1

Sections

General
Start time:	05:52:09
Start date:	08/12/2011
Path:	C:\Program Files\Internet Explorer\iexplore.exe
Commandline:	not known
Imagebase:	0x400000
File size:	638816 bytes
MD5 hash:	B60DDDD2D63CE41CB8C487FCFBB6419E

Chronological sections
Operation	Data	Completion	Time

Analysis File: wmplayer.exe PID: 3432 Parent PID: 3276

Sections

General
Start time:	05:52:18
Start date:	08/12/2011
Path:	C:\Program Files\Windows Media Player\wmplayer.exe
Commandline:	not known
Imagebase:	0x1000000
File size:	73728 bytes
MD5 hash:	97364267F7EC88285957FE24BD39EB58

Section Activities:

Section loaded by Windows
File Path	Access	Type	Base	Size	Mapped to pid	Protection	Completion	Count
\KnownDlls\kernel32.dll	write and read and execute	unknown	7C800000	1007616	own pid	read write	success or wait	1
unknown	query and write and read and execute and extend size	reserve	7C800000	1007616	own pid	read write	success or wait	1
\NLS\NlsSectionUnicode	read	unknown	1C0000	90112	own pid	readonly	success or wait	1
\NLS\NlsSectionLocale	read	unknown	1E0000	266240	own pid	readonly	success or wait	1
\NLS\NlsSectionSortkey	query and read	unknown	230000	266240	own pid	readonly	success or wait	1
\NLS\NlsSectionSortTbls	read	unknown	280000	24576	own pid	readonly	success or wait	1
\NLS\NlsSectionSortkey00000409	read	unknown	280000	24576	own pid	readonly	object name not found	1
\NLS\NlsSectionSortkey00000409	read	unknown	280000	24576	own pid	readonly	object name not found	1
\KnownDlls\ADVAPI32.dll	write and read and execute	unknown	77DD0000	634880	own pid	read write	success or wait	1
\KnownDlls\RPCRT4.dll	write and read and execute	unknown	77E70000	602112	own pid	read write	success or wait	1
\KnownDlls\Secur32.dll	write and read and execute	unknown	77FE0000	69632	own pid	read write	success or wait	1
\KnownDlls\USER32.dll	write and read and execute	unknown	7E410000	593920	own pid	read write	success or wait	1
\KnownDlls\GDI32.dll	write and read and execute	unknown	77F10000	299008	own pid	read write	success or wait	1
\KnownDlls\ShimEng.dll	write and read and execute	unknown	77F10000	299008	own pid	read write	object name not found	1
C:\WINDOWS\system32\shimeng.dll	query and write and read and execute	image	5CB70000	155648	own pid	read write	success or wait	1
C:\WINDOWS\AppPatch\sysmain.sdb	read	commit	290000	1208320	own pid	readonly	success or wait	1
C:\WINDOWS\AppPatch\acgenral.dll	write and read and execute	commit	3D0000	1855488	own pid	execute	success or wait	1
C:\WINDOWS\AppPatch\acgenral.dll	write and read and execute	commit	3D0000	1855488	own pid	execute	success or wait	1
C:\WINDOWS\AppPatch\acgenral.dll	query and write and read and execute	image	6F880000	1875968	own pid	read write	success or wait	1
\KnownDlls\WINMM.dll	write and read and execute	unknown	6F880000	1875968	own pid	read write	object name not found	1
C:\WINDOWS\system32\winmm.dll	query and write and read and execute	image	76B40000	184320	own pid	read write	success or wait	1
\KnownDlls\ole32.dll	write and read and execute	unknown	774E0000	1302528	own pid	read write	success or wait	1
\KnownDlls\msvcrt.dll	write and read and execute	unknown	77C10000	360448	own pid	read write	success or wait	1
\KnownDlls\OLEAUT32.dll	write and read and execute	unknown	77120000	569344	own pid	read write	success or wait	1
\KnownDlls\MSACM32.dll	write and read and execute	unknown	77120000	569344	own pid	read write	object name not found	1
C:\WINDOWS\system32\msacm32.dll	query and write and read and execute	image	77BE0000	86016	own pid	read write	success or wait	1
\KnownDlls\VERSION.dll	write and read and execute	unknown	77C00000	32768	own pid	read write	success or wait	1
\KnownDlls\SHELL32.dll	write and read and execute	unknown	7C9C0000	8482816	own pid	read write	success or wait	1
\KnownDlls\SHLWAPI.dll	write and read and execute	unknown	77F60000	483328	own pid	read write	success or wait	1
\KnownDlls\USERENV.dll	write and read and execute	unknown	769C0000	737280	own pid	read write	success or wait	1
\KnownDlls\UxTheme.dll	write and read and execute	unknown	769C0000	737280	own pid	read write	object name not found	1
C:\WINDOWS\system32\uxtheme.dll	query and write and read and execute	image	5AD70000	229376	own pid	read write	success or wait	1
\NLS\NlsSectionCType	read	unknown	3E0000	12288	own pid	readonly	success or wait	1
C:\WINDOWS\AppPatch\aclayers.dll	write and read and execute	commit	430000	475136	own pid	execute	success or wait	1
C:\WINDOWS\AppPatch\aclayers.dll	write and read and execute	commit	430000	475136	own pid	execute	success or wait	1
C:\WINDOWS\AppPatch\aclayers.dll	query and write and read and execute	image	71590000	495616	own pid	read write	success or wait	1
\KnownDlls\WINSPOOL.DRV	write and read and execute	unknown	71590000	495616	own pid	read write	object name not found	1
C:\WINDOWS\system32\winspool.drv	query and write and read and execute	image	73000000	155648	own pid	read write	success or wait	1
C:\WINDOWS\system32\imm32.dll	write and read and execute	commit	360000	110592	own pid	execute	success or wait	1
C:\WINDOWS\system32\imm32.dll	write and read and execute	commit	360000	110592	own pid	execute	success or wait	1
C:\WINDOWS\system32\imm32.dll	query and write and read and execute	image	76390000	118784	own pid	read write	success or wait	1
C:\WINDOWS\system32\shell32.dll	read	commit	1020000	8462336	own pid	readonly	success or wait	1
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll	write and read and execute	commit	910000	1056768	own pid	execute	success or wait	1
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll	query and write and read and execute	image	773D0000	1060864	own pid	read write	success or wait	1
C:\WINDOWS\WindowsShell.Manifest	write and read and execute	commit	390000	4096	own pid	execute	success or wait	1
C:\WINDOWS\WindowsShell.Manifest	query and read	commit	390000	4096	own pid	readonly	success or wait	1
C:\WINDOWS\WindowsShell.Manifest	read	commit	390000	4096	own pid	readonly	success or wait	1
C:\WINDOWS\system32\rpcss.dll	write and read and execute	commit	910000	401408	own pid	execute	success or wait	1
C:\WINDOWS\system32\msctf.dll	write and read and execute	commit	910000	299008	own pid	execute	success or wait	1
C:\WINDOWS\system32\msctf.dll	query and write and read and execute	image	74720000	311296	own pid	read write	success or wait	1
\BaseNamedObjects\CiceroSharedMemDefaultS-1-5-21-507921405-1960408961-839522115-500	query and write and read	commit	74720000	311296	own pid	read write	object name exists	1
\BaseNamedObjects\CTF.TimListCache.FMPDefaultS-1-5-21-507921405-1960408961-839522115-500SFM.DefaultS-1-5-21-507921405-1960408961-839522115-500	query and write and read and execute and extend size	unknown	910000	262144	own pid	read write	success or wait	1
\KnownDlls\netapi32.dll	write and read and execute	unknown	910000	262144	own pid	read write	object name not found	1
C:\WINDOWS\system32\netapi32.dll	query and write and read and execute	image	5B860000	348160	own pid	read write	success or wait	1
\KnownDlls\appHelp.dll	write and read and execute	unknown	77B40000	139264	own pid	read write	success or wait	1
C:\WINDOWS\AppPatch\sysmain.sdb	read	commit	950000	1208320	own pid	readonly	success or wait	1
\BaseNamedObjects\ShimSharedMemory	write	unknown	A80000	57344	own pid	read write	success or wait	1
\KnownDlls\CLBCATQ.DLL	write and read and execute	unknown	A80000	57344	own pid	read write	object name not found	1
C:\WINDOWS\system32\clbcatq.dll	query and write and read and execute	image	76FD0000	520192	own pid	read write	success or wait	1
\KnownDlls\COMRes.dll	write and read and execute	unknown	76FD0000	520192	own pid	read write	object name not found	1
C:\WINDOWS\system32\comres.dll	query and write and read and execute	image	77050000	806912	own pid	read write	success or wait	1
C:\WINDOWS\system32\ieframe.dll	write and read and execute	commit	1020000	11083776	own pid	execute	success or wait	1
C:\WINDOWS\system32\ieframe.dll	query and write and read and execute	image	3E1C0000	11096064	own pid	read write	success or wait	1
\KnownDlls\iertutil.dll	write and read and execute	unknown	3DFD0000	2002944	own pid	read write	success or wait	1
C:\WINDOWS\system32\en-us\ieframe.dll.mui	query and read	commit	AD0000	1241088	own pid	write copy	success or wait	1
\KnownDlls\urlmon.dll	write and read and execute	unknown	78130000	1257472	own pid	read write	success or wait	1
\BaseNamedObjects\Local\UrlZonesSM_Administrator	query and write and read	commit	78130000	1257472	own pid	read write	object name exists	1
\KnownDlls\SETUPAPI.dll	write and read and execute	unknown	78130000	1257472	own pid	read write	object name not found	1
C:\WINDOWS\system32\setupapi.dll	query and write and read and execute	image	77920000	995328	own pid	read write	success or wait	1
C:\Program Files\Windows Media Player\setup_wm.exe	write and read and execute	commit	C10000	774144	own pid	execute	success or wait	1
C:\Program Files\Windows Media Player\setup_wm.exe	query and read	commit	C10000	774144	own pid	readonly	success or wait	1
C:\Program Files\Windows Media Player\setup_wm.exe	write and read and execute	commit	C10000	774144	own pid	execute	success or wait	1
C:\Program Files\Windows Media Player\setup_wm.exe	query and read	commit	C10000	774144	own pid	readonly	success or wait	1
C:\Program Files\Windows Media Player\setup_wm.exe	query and write and read and execute and extend size	image	C10000	774144	own pid	readonly	success or wait	1
C:\WINDOWS\AppPatch\sysmain.sdb	read	commit	C10000	1208320	own pid	readonly	success or wait	1
C:\WINDOWS\system32\wmploc.dll	write and read and execute	commit	1020000	2940928	own pid	execute	success or wait	1
C:\WINDOWS\system32\wmploc.dll	query and read	commit	1020000	2940928	own pid	readonly	success or wait	1
C:\WINDOWS\system32\wmploc.dll	write and read and execute	commit	1020000	2940928	own pid	execute	success or wait	1
C:\WINDOWS\system32\wmploc.dll	query and read	commit	1020000	2940928	own pid	readonly	success or wait	1
C:\Program Files\Windows Media Player\setup_wm.exe	query and read	commit	C10000	774144	own pid	readonly	success or wait	1

Section loaded by program
File Path	Access	Type	Base	Size	Mapped to pid	Protection	Completion	Count	Source Address

Chronological sections
Operation	Data	Completion	Time
Section loaded	Path: \KnownDlls\kernel32.dll Access: write and read and execute Type: unknown Baseaddress: 7C800000 Size: 1007616 Protection: read write Mapped to pid: own pid	success or wait	2031204479
Section loaded	Path: unknown Access: query and write and read and execute and extend size Type: reserve Baseaddress: 7C800000 Size: 1007616 Protection: read write Mapped to pid: own pid	success or wait	2031298488
Section loaded	Path: \NLS\NlsSectionUnicode Access: read Type: unknown Baseaddress: 1C0000 Size: 90112 Protection: readonly Mapped to pid: own pid	success or wait	2031324794
Section loaded	Path: \NLS\NlsSectionLocale Access: read Type: unknown Baseaddress: 1E0000 Size: 266240 Protection: readonly Mapped to pid: own pid	success or wait	2031342881
Section loaded	Path: \NLS\NlsSectionSortkey Access: query and read Type: unknown Baseaddress: 230000 Size: 266240 Protection: readonly Mapped to pid: own pid	success or wait	2031349172
Section loaded	Path: \NLS\NlsSectionSortTbls Access: read Type: unknown Baseaddress: 280000 Size: 24576 Protection: readonly Mapped to pid: own pid	success or wait	2031360895
Section loaded	Path: \NLS\NlsSectionSortkey00000409 Access: read Type: unknown Baseaddress: 280000 Size: 24576 Protection: readonly Mapped to pid: own pid	object name not found	2031370201
Section loaded	Path: \NLS\NlsSectionSortkey00000409 Access: read Type: unknown Baseaddress: 280000 Size: 24576 Protection: readonly Mapped to pid: own pid	object name not found	2031379094
Section loaded	Path: \KnownDlls\ADVAPI32.dll Access: write and read and execute Type: unknown Baseaddress: 77DD0000 Size: 634880 Protection: read write Mapped to pid: own pid	success or wait	2031395753
Section loaded	Path: \KnownDlls\RPCRT4.dll Access: write and read and execute Type: unknown Baseaddress: 77E70000 Size: 602112 Protection: read write Mapped to pid: own pid	success or wait	2031426098
Section loaded	Path: \KnownDlls\Secur32.dll Access: write and read and execute Type: unknown Baseaddress: 77FE0000 Size: 69632 Protection: read write Mapped to pid: own pid	success or wait	2031494910
Section loaded	Path: \KnownDlls\USER32.dll Access: write and read and execute Type: unknown Baseaddress: 7E410000 Size: 593920 Protection: read write Mapped to pid: own pid	success or wait	2031576259
Section loaded	Path: \KnownDlls\GDI32.dll Access: write and read and execute Type: unknown Baseaddress: 77F10000 Size: 299008 Protection: read write Mapped to pid: own pid	success or wait	2031589024
Section loaded	Path: \KnownDlls\ShimEng.dll Access: write and read and execute Type: unknown Baseaddress: 77F10000 Size: 299008 Protection: read write Mapped to pid: own pid	object name not found	2031725361
Section loaded	Path: C:\WINDOWS\system32\shimeng.dll Access: query and write and read and execute Type: image Baseaddress: 5CB70000 Size: 155648 Protection: read write Mapped to pid: own pid	success or wait	2031727962
Section loaded	Path: C:\WINDOWS\AppPatch\sysmain.sdb Access: read Type: commit Baseaddress: 290000 Size: 1208320 Protection: readonly Mapped to pid: own pid	success or wait	2031845092
Section loaded	Path: C:\WINDOWS\AppPatch\acgenral.dll Access: write and read and execute Type: commit Baseaddress: 3D0000 Size: 1855488 Protection: execute Mapped to pid: own pid	success or wait	2032080387
Section loaded	Path: C:\WINDOWS\AppPatch\acgenral.dll Access: write and read and execute Type: commit Baseaddress: 3D0000 Size: 1855488 Protection: execute Mapped to pid: own pid	success or wait	2032177788
Section loaded	Path: C:\WINDOWS\AppPatch\acgenral.dll Access: query and write and read and execute Type: image Baseaddress: 6F880000 Size: 1875968 Protection: read write Mapped to pid: own pid	success or wait	2032209621
Section loaded	Path: \KnownDlls\WINMM.dll Access: write and read and execute Type: unknown Baseaddress: 6F880000 Size: 1875968 Protection: read write Mapped to pid: own pid	object name not found	2032274988
Section loaded	Path: C:\WINDOWS\system32\winmm.dll Access: query and write and read and execute Type: image Baseaddress: 76B40000 Size: 184320 Protection: read write Mapped to pid: own pid	success or wait	2032314767
Section loaded	Path: \KnownDlls\ole32.dll Access: write and read and execute Type: unknown Baseaddress: 774E0000 Size: 1302528 Protection: read write Mapped to pid: own pid	success or wait	2032439117
Section loaded	Path: \KnownDlls\msvcrt.dll Access: write and read and execute Type: unknown Baseaddress: 77C10000 Size: 360448 Protection: read write Mapped to pid: own pid	success or wait	2032540522
Section loaded	Path: \KnownDlls\OLEAUT32.dll Access: write and read and execute Type: unknown Baseaddress: 77120000 Size: 569344 Protection: read write Mapped to pid: own pid	success or wait	2032626914
Section loaded	Path: \KnownDlls\MSACM32.dll Access: write and read and execute Type: unknown Baseaddress: 77120000 Size: 569344 Protection: read write Mapped to pid: own pid	object name not found	2032838306
Section loaded	Path: C:\WINDOWS\system32\msacm32.dll Access: query and write and read and execute Type: image Baseaddress: 77BE0000 Size: 86016 Protection: read write Mapped to pid: own pid	success or wait	2032839995
Section loaded	Path: \KnownDlls\VERSION.dll Access: write and read and execute Type: unknown Baseaddress: 77C00000 Size: 32768 Protection: read write Mapped to pid: own pid	success or wait	2032845477
Section loaded	Path: \KnownDlls\SHELL32.dll Access: write and read and execute Type: unknown Baseaddress: 7C9C0000 Size: 8482816 Protection: read write Mapped to pid: own pid	success or wait	2032848835
Section loaded	Path: \KnownDlls\SHLWAPI.dll Access: write and read and execute Type: unknown Baseaddress: 77F60000 Size: 483328 Protection: read write Mapped to pid: own pid	success or wait	2033113866
Section loaded	Path: \KnownDlls\USERENV.dll Access: write and read and execute Type: unknown Baseaddress: 769C0000 Size: 737280 Protection: read write Mapped to pid: own pid	success or wait	2033242612
Section loaded	Path: \KnownDlls\UxTheme.dll Access: write and read and execute Type: unknown Baseaddress: 769C0000 Size: 737280 Protection: read write Mapped to pid: own pid	object name not found	2033282772
Section loaded	Path: C:\WINDOWS\system32\uxtheme.dll Access: query and write and read and execute Type: image Baseaddress: 5AD70000 Size: 229376 Protection: read write Mapped to pid: own pid	success or wait	2033284468
Section loaded	Path: \NLS\NlsSectionCType Access: read Type: unknown Baseaddress: 3E0000 Size: 12288 Protection: readonly Mapped to pid: own pid	success or wait	2033533270
Section loaded	Path: C:\WINDOWS\AppPatch\aclayers.dll Access: write and read and execute Type: commit Baseaddress: 430000 Size: 475136 Protection: execute Mapped to pid: own pid	success or wait	2033679902
Section loaded	Path: C:\WINDOWS\AppPatch\aclayers.dll Access: write and read and execute Type: commit Baseaddress: 430000 Size: 475136 Protection: execute Mapped to pid: own pid	success or wait	2034071088
Section loaded	Path: C:\WINDOWS\AppPatch\aclayers.dll Access: query and write and read and execute Type: image Baseaddress: 71590000 Size: 495616 Protection: read write Mapped to pid: own pid	success or wait	2034094222
Section loaded	Path: \KnownDlls\WINSPOOL.DRV Access: write and read and execute Type: unknown Baseaddress: 71590000 Size: 495616 Protection: read write Mapped to pid: own pid	object name not found	2034117276
Section loaded	Path: C:\WINDOWS\system32\winspool.drv Access: query and write and read and execute Type: image Baseaddress: 73000000 Size: 155648 Protection: read write Mapped to pid: own pid	success or wait	2034135064
Section loaded	Path: C:\WINDOWS\system32\imm32.dll Access: write and read and execute Type: commit Baseaddress: 360000 Size: 110592 Protection: execute Mapped to pid: own pid	success or wait	2034335595
Section loaded	Path: C:\WINDOWS\system32\imm32.dll Access: write and read and execute Type: commit Baseaddress: 360000 Size: 110592 Protection: execute Mapped to pid: own pid	success or wait	2034338612
Section loaded	Path: C:\WINDOWS\system32\imm32.dll Access: query and write and read and execute Type: image Baseaddress: 76390000 Size: 118784 Protection: read write Mapped to pid: own pid	success or wait	2034343719
Section loaded	Path: C:\WINDOWS\system32\shell32.dll Access: read Type: commit Baseaddress: 1020000 Size: 8462336 Protection: readonly Mapped to pid: own pid	success or wait	2034674716
Section loaded	Path: C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll Access: write and read and execute Type: commit Baseaddress: 910000 Size: 1056768 Protection: execute Mapped to pid: own pid	success or wait	2034821584
Section loaded	Path: C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll Access: query and write and read and execute Type: image Baseaddress: 773D0000 Size: 1060864 Protection: read write Mapped to pid: own pid	success or wait	2034824239
Section loaded	Path: C:\WINDOWS\WindowsShell.Manifest Access: write and read and execute Type: commit Baseaddress: 390000 Size: 4096 Protection: execute Mapped to pid: own pid	success or wait	2034850515
Section loaded	Path: C:\WINDOWS\WindowsShell.Manifest Access: query and read Type: commit Baseaddress: 390000 Size: 4096 Protection: readonly Mapped to pid: own pid	success or wait	2034856559
Section loaded	Path: C:\WINDOWS\WindowsShell.Manifest Access: read Type: commit Baseaddress: 390000 Size: 4096 Protection: readonly Mapped to pid: own pid	success or wait	2034858884
Section loaded	Path: C:\WINDOWS\system32\rpcss.dll Access: write and read and execute Type: commit Baseaddress: 910000 Size: 401408 Protection: execute Mapped to pid: own pid	success or wait	2034951971
Section loaded	Path: C:\WINDOWS\system32\msctf.dll Access: write and read and execute Type: commit Baseaddress: 910000 Size: 299008 Protection: execute Mapped to pid: own pid	success or wait	2035085804
Section loaded	Path: C:\WINDOWS\system32\msctf.dll Access: query and write and read and execute Type: image Baseaddress: 74720000 Size: 311296 Protection: read write Mapped to pid: own pid	success or wait	2035134877
Section loaded	Path: \BaseNamedObjects\CiceroSharedMemDefaultS-1-5-21-507921405-1960408961-839522115-500 Access: query and write and read Type: commit Baseaddress: 74720000 Size: 311296 Protection: read write Mapped to pid: own pid	object name exists	2035166041
Section loaded	Path: \BaseNamedObjects\CTF.TimListCache.FMPDefaultS-1-5-21-507921405-1960408961-839522115-500SFM.DefaultS-1-5-21-507921405-1960408961-839522115-500 Access: query and write and read and execute and extend size Type: unknown Baseaddress: 910000 Size: 262144 Protection: read write Mapped to pid: own pid	success or wait	2035175412
Section loaded	Path: \KnownDlls\netapi32.dll Access: write and read and execute Type: unknown Baseaddress: 910000 Size: 262144 Protection: read write Mapped to pid: own pid	object name not found	2035181151
Section loaded	Path: C:\WINDOWS\system32\netapi32.dll Access: query and write and read and execute Type: image Baseaddress: 5B860000 Size: 348160 Protection: read write Mapped to pid: own pid	success or wait	2035182964
Section loaded	Path: \KnownDlls\appHelp.dll Access: write and read and execute Type: unknown Baseaddress: 77B40000 Size: 139264 Protection: read write Mapped to pid: own pid	success or wait	2035365149
Section loaded	Path: C:\WINDOWS\AppPatch\sysmain.sdb Access: read Type: commit Baseaddress: 950000 Size: 1208320 Protection: readonly Mapped to pid: own pid	success or wait	2035377525
Section loaded	Path: \BaseNamedObjects\ShimSharedMemory Access: write Type: unknown Baseaddress: A80000 Size: 57344 Protection: read write Mapped to pid: own pid	success or wait	2035387709
Section loaded	Path: \KnownDlls\CLBCATQ.DLL Access: write and read and execute Type: unknown Baseaddress: A80000 Size: 57344 Protection: read write Mapped to pid: own pid	object name not found	2035391107
Section loaded	Path: C:\WINDOWS\system32\clbcatq.dll Access: query and write and read and execute Type: image Baseaddress: 76FD0000 Size: 520192 Protection: read write Mapped to pid: own pid	success or wait	2035393202
Section loaded	Path: \KnownDlls\COMRes.dll Access: write and read and execute Type: unknown Baseaddress: 76FD0000 Size: 520192 Protection: read write Mapped to pid: own pid	object name not found	2035398218
Section loaded	Path: C:\WINDOWS\system32\comres.dll Access: query and write and read and execute Type: image Baseaddress: 77050000 Size: 806912 Protection: read write Mapped to pid: own pid	success or wait	2035400532
Section loaded	Path: C:\WINDOWS\system32\ieframe.dll Access: write and read and execute Type: commit Baseaddress: 1020000 Size: 11083776 Protection: execute Mapped to pid: own pid	success or wait	2035488597
Section loaded	Path: C:\WINDOWS\system32\ieframe.dll Access: query and write and read and execute Type: image Baseaddress: 3E1C0000 Size: 11096064 Protection: read write Mapped to pid: own pid	success or wait	2035492074
Section loaded	Path: \KnownDlls\iertutil.dll Access: write and read and execute Type: unknown Baseaddress: 3DFD0000 Size: 2002944 Protection: read write Mapped to pid: own pid	success or wait	2035509775
Section loaded	Path: C:\WINDOWS\system32\en-us\ieframe.dll.mui Access: query and read Type: commit Baseaddress: AD0000 Size: 1241088 Protection: write copy Mapped to pid: own pid	success or wait	2035688540
Section loaded	Path: \KnownDlls\urlmon.dll Access: write and read and execute Type: unknown Baseaddress: 78130000 Size: 1257472 Protection: read write Mapped to pid: own pid	success or wait	2035719860
Section loaded	Path: \BaseNamedObjects\Local\UrlZonesSM_Administrator Access: query and write and read Type: commit Baseaddress: 78130000 Size: 1257472 Protection: read write Mapped to pid: own pid	object name exists	2035841963
Section loaded	Path: \KnownDlls\SETUPAPI.dll Access: write and read and execute Type: unknown Baseaddress: 78130000 Size: 1257472 Protection: read write Mapped to pid: own pid	object name not found	2035892364
Section loaded	Path: C:\WINDOWS\system32\setupapi.dll Access: query and write and read and execute Type: image Baseaddress: 77920000 Size: 995328 Protection: read write Mapped to pid: own pid	success or wait	2035894028
Section loaded	Path: C:\Program Files\Windows Media Player\setup_wm.exe Access: write and read and execute Type: commit Baseaddress: C10000 Size: 774144 Protection: execute Mapped to pid: own pid	success or wait	2036262722
Section loaded	Path: C:\Program Files\Windows Media Player\setup_wm.exe Access: query and read Type: commit Baseaddress: C10000 Size: 774144 Protection: readonly Mapped to pid: own pid	success or wait	2036310549
Section loaded	Path: C:\Program Files\Windows Media Player\setup_wm.exe Access: write and read and execute Type: commit Baseaddress: C10000 Size: 774144 Protection: execute Mapped to pid: own pid	success or wait	2036373036
Section loaded	Path: C:\Program Files\Windows Media Player\setup_wm.exe Access: query and read Type: commit Baseaddress: C10000 Size: 774144 Protection: readonly Mapped to pid: own pid	success or wait	2036375574
Section loaded	Path: C:\Program Files\Windows Media Player\setup_wm.exe Access: query and write and read and execute and extend size Type: image Baseaddress: C10000 Size: 774144 Protection: readonly Mapped to pid: own pid	success or wait	2036395747
Section loaded	Path: C:\WINDOWS\AppPatch\sysmain.sdb Access: read Type: commit Baseaddress: C10000 Size: 1208320 Protection: readonly Mapped to pid: own pid	success or wait	2036410282
Section loaded	Path: C:\WINDOWS\system32\wmploc.dll Access: write and read and execute Type: commit Baseaddress: 1020000 Size: 2940928 Protection: execute Mapped to pid: own pid	success or wait	2036527346
Section loaded	Path: C:\WINDOWS\system32\wmploc.dll Access: query and read Type: commit Baseaddress: 1020000 Size: 2940928 Protection: readonly Mapped to pid: own pid	success or wait	2036530344
Section loaded	Path: C:\WINDOWS\system32\wmploc.dll Access: write and read and execute Type: commit Baseaddress: 1020000 Size: 2940928 Protection: execute Mapped to pid: own pid	success or wait	2036574718
Section loaded	Path: C:\WINDOWS\system32\wmploc.dll Access: query and read Type: commit Baseaddress: 1020000 Size: 2940928 Protection: readonly Mapped to pid: own pid	success or wait	2036578414
Section loaded	Path: C:\Program Files\Windows Media Player\setup_wm.exe Access: query and read Type: commit Baseaddress: C10000 Size: 774144 Protection: readonly Mapped to pid: own pid	success or wait	2036615232

Analysis File: java.exe PID: 3528 Parent PID: 3276

Sections

General
Start time:	05:52:19
Start date:	08/12/2011
Path:	C:\Program Files\Java\jre6\bin\java.exe
Commandline:	not known
Imagebase:	0x400000
File size:	145184 bytes
MD5 hash:	68288DA42BC798992A42CD59061B199D

Section Activities:

Section loaded by Windows
File Path	Access	Type	Base	Size	Mapped to pid	Protection	Completion	Count
\KnownDlls\kernel32.dll	write and read and execute	unknown	7C800000	1007616	own pid	read write	success or wait	1
unknown	query and write and read and execute and extend size	reserve	7C800000	1007616	own pid	read write	success or wait	1
\NLS\NlsSectionUnicode	read	unknown	1D0000	90112	own pid	readonly	success or wait	1
\NLS\NlsSectionLocale	read	unknown	1F0000	266240	own pid	readonly	success or wait	1
\NLS\NlsSectionSortkey	query and read	unknown	240000	266240	own pid	readonly	success or wait	1
\NLS\NlsSectionSortTbls	read	unknown	290000	24576	own pid	readonly	success or wait	1
\NLS\NlsSectionSortkey00000409	read	unknown	290000	24576	own pid	readonly	object name not found	1
\NLS\NlsSectionSortkey00000409	read	unknown	290000	24576	own pid	readonly	object name not found	1
\KnownDlls\ADVAPI32.dll	write and read and execute	unknown	77DD0000	634880	own pid	read write	success or wait	1
\KnownDlls\RPCRT4.dll	write and read and execute	unknown	77E70000	602112	own pid	read write	success or wait	1
\KnownDlls\Secur32.dll	write and read and execute	unknown	77FE0000	69632	own pid	read write	success or wait	1
\KnownDlls\ShimEng.dll	write and read and execute	unknown	77FE0000	69632	own pid	read write	object name not found	1
C:\WINDOWS\system32\shimeng.dll	query and write and read and execute	image	5CB70000	155648	own pid	read write	success or wait	1
C:\WINDOWS\AppPatch\sysmain.sdb	read	commit	2A0000	1208320	own pid	readonly	success or wait	1
C:\WINDOWS\AppPatch\aclayers.dll	write and read and execute	commit	430000	475136	own pid	execute	success or wait	1
C:\WINDOWS\AppPatch\aclayers.dll	write and read and execute	commit	430000	475136	own pid	execute	success or wait	1
C:\WINDOWS\AppPatch\aclayers.dll	query and write and read and execute	image	71590000	495616	own pid	read write	success or wait	1
\KnownDlls\USER32.dll	write and read and execute	unknown	7E410000	593920	own pid	read write	success or wait	1
\KnownDlls\GDI32.dll	write and read and execute	unknown	77F10000	299008	own pid	read write	success or wait	1
\KnownDlls\SHELL32.dll	write and read and execute	unknown	7C9C0000	8482816	own pid	read write	success or wait	1
\KnownDlls\msvcrt.dll	write and read and execute	unknown	77C10000	360448	own pid	read write	success or wait	1
\KnownDlls\SHLWAPI.dll	write and read and execute	unknown	77F60000	483328	own pid	read write	success or wait	1
\KnownDlls\ole32.dll	write and read and execute	unknown	774E0000	1302528	own pid	read write	success or wait	1
\KnownDlls\USERENV.dll	write and read and execute	unknown	769C0000	737280	own pid	read write	success or wait	1
\KnownDlls\WINSPOOL.DRV	write and read and execute	unknown	769C0000	737280	own pid	read write	object name not found	1
C:\WINDOWS\system32\winspool.drv	query and write and read and execute	image	73000000	155648	own pid	read write	success or wait	1
\NLS\NlsSectionCType	read	unknown	3F0000	12288	own pid	readonly	success or wait	1
C:\WINDOWS\system32\imm32.dll	write and read and execute	commit	370000	110592	own pid	execute	success or wait	1
C:\WINDOWS\system32\imm32.dll	write and read and execute	commit	370000	110592	own pid	execute	success or wait	1
C:\WINDOWS\system32\imm32.dll	query and write and read and execute	image	76390000	118784	own pid	read write	success or wait	1
C:\WINDOWS\system32\shell32.dll	read	commit	880000	8462336	own pid	readonly	success or wait	1
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll	write and read and execute	commit	880000	1056768	own pid	execute	success or wait	1
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll	query and write and read and execute	image	773D0000	1060864	own pid	read write	success or wait	1
C:\WINDOWS\WindowsShell.Manifest	write and read and execute	commit	3A0000	4096	own pid	execute	success or wait	1
C:\WINDOWS\WindowsShell.Manifest	query and read	commit	3A0000	4096	own pid	readonly	success or wait	1
C:\WINDOWS\WindowsShell.Manifest	read	commit	3A0000	4096	own pid	readonly	success or wait	1
C:\Program Files\Java\jre6\bin\msvcr71.dll	write and read and execute	commit	880000	348160	own pid	execute	success or wait	1
C:\Program Files\Java\jre6\bin\msvcr71.dll	query and write and read and execute	image	7C340000	352256	own pid	read write	success or wait	1
C:\Program Files\Java\jre6\bin\client\jvm.dll	write and read and execute	commit	890000	2695168	own pid	execute	success or wait	1
C:\Program Files\Java\jre6\bin\client\jvm.dll	query and write and read and execute	image	6D7F0000	2777088	own pid	read write	success or wait	1
\KnownDlls\WINMM.dll	write and read and execute	unknown	6D7F0000	2777088	own pid	read write	object name not found	1
C:\WINDOWS\system32\winmm.dll	query and write and read and execute	image	76B40000	184320	own pid	read write	success or wait	1
C:\Program Files\Java\jre6\bin\verify.dll	write and read and execute	commit	960000	32768	own pid	execute	success or wait	1
C:\Program Files\Java\jre6\bin\verify.dll	query and write and read and execute	image	6D7A0000	49152	own pid	read write	success or wait	1
C:\Program Files\Java\jre6\bin\java.dll	write and read and execute	commit	960000	126976	own pid	execute	success or wait	1
C:\Program Files\Java\jre6\bin\java.dll	query and write and read and execute	image	6D320000	126976	own pid	read write	success or wait	1
C:\Program Files\Java\jre6\bin\awt.dll	write and read and execute	commit	980000	1208320	own pid	execute	success or wait	1
C:\Program Files\Java\jre6\bin\awt.dll	query and write and read and execute	image	6D000000	1351680	own pid	read write	success or wait	1
C:\Program Files\Java\jre6\bin\hpi.dll	write and read and execute	commit	980000	16384	own pid	execute	success or wait	1
C:\Program Files\Java\jre6\bin\hpi.dll	query and write and read and execute	image	6D280000	32768	own pid	read write	success or wait	1
\KnownDlls\PSAPI.DLL	write and read and execute	unknown	6D280000	32768	own pid	read write	object name not found	1
C:\WINDOWS\system32\psapi.dll	query and write and read and execute	image	76BF0000	45056	own pid	read write	success or wait	1
\KnownDlls\d3d9.dll	write and read and execute	unknown	76BF0000	45056	own pid	read write	object name not found	1
C:\WINDOWS\system32\d3d9.dll	query and write and read and execute	image	4FDD0000	1728512	own pid	read write	success or wait	1
\KnownDlls\d3d8thk.dll	write and read and execute	unknown	4FDD0000	1728512	own pid	read write	object name not found	1
C:\WINDOWS\system32\d3d8thk.dll	query and write and read and execute	image	A80000	24576	own pid	read write	conflicting addresses	1
\KnownDlls\VERSION.dll	write and read and execute	unknown	77C00000	32768	own pid	read write	success or wait	1
\BaseNamedObjects\hsperfdata_Administrator_3528	query and write and read	commit	A90000	65536	own pid	read write	success or wait	1
C:\WINDOWS\system32\VBoxDisp.dll	query and read	commit	AA0000	77824	own pid	readonly	success or wait	1
C:\Program Files\Java\jre6\bin\zip.dll	write and read and execute	commit	AA0000	49152	own pid	execute	success or wait	1
C:\Program Files\Java\jre6\bin\zip.dll	query and write and read and execute	image	6D7E0000	61440	own pid	read write	success or wait	1
C:\WINDOWS\system32\VBoxDisp.dll	query and read	commit	AA0000	77824	own pid	readonly	success or wait	1
C:\WINDOWS\system32\VBoxDisp.dll	query and read	commit	AA0000	77824	own pid	readonly	success or wait	1
C:\WINDOWS\system32\VBoxDisp.dll	query and read	commit	AA0000	77824	own pid	readonly	success or wait	1
C:\Program Files\Java\jre6\bin\client\classes.jsa	query and read	commit	2C990000	5439488	own pid	readonly	success or wait	1
C:\Program Files\Java\jre6\bin\client\classes.jsa	query and read	commit	2D390000	6946816	own pid	write copy	success or wait	1
C:\Program Files\Java\jre6\bin\client\classes.jsa	query and read	commit	2DF90000	851968	own pid	write copy	success or wait	1
C:\WINDOWS\system32\VBoxDisp.dll	query and read	commit	2DF0000	77824	own pid	readonly	success or wait	1
C:\WINDOWS\system32\VBoxDisp.dll	query and read	commit	2DF0000	77824	own pid	readonly	success or wait	1
C:\WINDOWS\system32\VBoxDisp.dll	query and read	commit	2F80000	77824	own pid	readonly	success or wait	1
C:\WINDOWS\system32\VBoxDisp.dll	query and read	commit	2F80000	77824	own pid	readonly	success or wait	1
C:\Program Files\Java\jre6\bin\jp2native.dll	write and read and execute	commit	A80000	8192	own pid	execute	success or wait	1
C:\Program Files\Java\jre6\bin\jp2native.dll	query and write and read and execute	image	6D420000	24576	own pid	read write	success or wait	1
C:\Program Files\Java\jre6\bin\deploy.dll	write and read and execute	commit	2F80000	77824	own pid	execute	success or wait	1
C:\Program Files\Java\jre6\bin\deploy.dll	query and write and read and execute	image	6D1D0000	77824	own pid	read write	success or wait	1
\KnownDlls\CRYPT32.dll	write and read and execute	unknown	6D1D0000	77824	own pid	read write	object name not found	1
C:\WINDOWS\system32\crypt32.dll	query and write and read and execute	image	77A80000	610304	own pid	read write	success or wait	1
\KnownDlls\MSASN1.dll	write and read and execute	unknown	77A80000	610304	own pid	read write	object name not found	1
C:\WINDOWS\system32\msasn1.dll	query and write and read and execute	image	77B20000	73728	own pid	read write	success or wait	1
\KnownDlls\OLEAUT32.dll	write and read and execute	unknown	77120000	569344	own pid	read write	success or wait	1
\KnownDlls\WININET.dll	write and read and execute	unknown	3D930000	942080	own pid	read write	success or wait	1
\KnownDlls\Normaliz.dll	write and read and execute	unknown	A80000	36864	own pid	read write	conflicting addresses	1
\KnownDlls\urlmon.dll	write and read and execute	unknown	78130000	1257472	own pid	read write	success or wait	1
\KnownDlls\iertutil.dll	write and read and execute	unknown	3DFD0000	2002944	own pid	read write	success or wait	1
C:\Program Files\Java\jre6\bin\regutils.dll	write and read and execute	commit	30F0000	278528	own pid	execute	success or wait	1
C:\Program Files\Java\jre6\bin\regutils.dll	query and write and read and execute	image	6D6A0000	286720	own pid	read write	success or wait	1
\KnownDlls\VERSION.dll	write and read and execute	unknown	77C00000	32768	own pid	read write	success or wait	1
\KnownDlls\shfolder.dll	write and read and execute	unknown	77C00000	32768	own pid	read write	object name not found	1
C:\WINDOWS\system32\shfolder.dll	query and write and read and execute	image	76780000	36864	own pid	read write	success or wait	1
C:\Program Files\Java\jre6\bin\net.dll	write and read and execute	commit	3150000	77824	own pid	execute	success or wait	1
C:\Program Files\Java\jre6\bin\net.dll	query and write and read and execute	image	6D600000	77824	own pid	read write	success or wait	1
\KnownDlls\WS2_32.dll	write and read and execute	unknown	6D600000	77824	own pid	read write	object name not found	1
C:\WINDOWS\system32\ws2_32.dll	query and write and read and execute	image	71AB0000	94208	own pid	read write	success or wait	1
\KnownDlls\WS2HELP.dll	write and read and execute	unknown	71AB0000	94208	own pid	read write	object name not found	1
C:\WINDOWS\system32\ws2help.dll	query and write and read and execute	image	71AA0000	32768	own pid	read write	success or wait	1
C:\Program Files\Java\jre6\bin\nio.dll	write and read and execute	commit	3150000	20480	own pid	execute	success or wait	1
C:\Program Files\Java\jre6\bin\nio.dll	query and write and read and execute	image	6D620000	36864	own pid	read write	success or wait	1
C:\WINDOWS\system32\msctf.dll	write and read and execute	commit	34E0000	299008	own pid	execute	success or wait	1
C:\WINDOWS\system32\msctf.dll	query and write and read and execute	image	74720000	311296	own pid	read write	success or wait	1
\BaseNamedObjects\CiceroSharedMemDefaultS-1-5-21-507921405-1960408961-839522115-500	query and write and read	commit	74720000	311296	own pid	read write	object name exists	1
\BaseNamedObjects\CTF.TimListCache.FMPDefaultS-1-5-21-507921405-1960408961-839522115-500SFM.DefaultS-1-5-21-507921405-1960408961-839522115-500	query and write and read and execute and extend size	unknown	34F0000	262144	own pid	read write	success or wait	1
C:\WINDOWS\system32\msctfime.ime	write and read and execute	commit	3530000	180224	own pid	execute	success or wait	1
C:\WINDOWS\system32\msctfime.ime	query and read	commit	3530000	180224	own pid	readonly	success or wait	1
C:\WINDOWS\system32\msctfime.ime	write and read and execute	commit	3530000	180224	own pid	execute	success or wait	1
C:\WINDOWS\system32\msctfime.ime	query and read	commit	3530000	180224	own pid	readonly	success or wait	1
\KnownDlls\apphelp.dll	write and read and execute	unknown	77B40000	139264	own pid	read write	success or wait	1
C:\WINDOWS\AppPatch\sysmain.sdb	read	commit	3530000	1208320	own pid	readonly	success or wait	1
\BaseNamedObjects\ShimSharedMemory	write	unknown	3530000	57344	own pid	read write	success or wait	1
C:\WINDOWS\system32\msctfime.ime	write and read and execute	commit	3540000	180224	own pid	execute	success or wait	1
C:\WINDOWS\system32\msctfime.ime	query and write and read and execute	image	755C0000	188416	own pid	read write	success or wait	1
C:\WINDOWS\AppPatch\sysmain.sdb	read	commit	3540000	1208320	own pid	readonly	success or wait	1
C:\WINDOWS\system32\rpcss.dll	write and read and execute	commit	3540000	401408	own pid	execute	success or wait	1
\BaseNamedObjects\Local\C:_Documents and Settings_Administrator_Local Settings_Temporary Internet Files_Content.IE5_index.dat_98304	write	unknown	3720000	98304	own pid	read write	success or wait	1
\BaseNamedObjects\Local\C:_Documents and Settings_Administrator_Cookies_index.dat_32768	write	unknown	3740000	32768	own pid	read write	success or wait	1
\BaseNamedObjects\Local\C:_Documents and Settings_Administrator_Local Settings_History_History.IE5_index.dat_32768	write	unknown	3750000	32768	own pid	read write	success or wait	1
C:\Program Files\Java\jre6\bin\fontmanager.dll	write and read and execute	commit	3540000	323584	own pid	execute	success or wait	1
C:\Program Files\Java\jre6\bin\fontmanager.dll	query and write and read and execute	image	6D230000	323584	own pid	read write	success or wait	1

Section loaded by program
File Path	Access	Type	Base	Size	Mapped to pid	Protection	Completion	Count	Source Address

Chronological sections
Operation	Data	Completion	Time
Section loaded	Path: \KnownDlls\kernel32.dll Access: write and read and execute Type: unknown Baseaddress: 7C800000 Size: 1007616 Protection: read write Mapped to pid: own pid	success or wait	2034098746
Section loaded	Path: unknown Access: query and write and read and execute and extend size Type: reserve Baseaddress: 7C800000 Size: 1007616 Protection: read write Mapped to pid: own pid	success or wait	2034102881
Section loaded	Path: \NLS\NlsSectionUnicode Access: read Type: unknown Baseaddress: 1D0000 Size: 90112 Protection: readonly Mapped to pid: own pid	success or wait	2034109266
Section loaded	Path: \NLS\NlsSectionLocale Access: read Type: unknown Baseaddress: 1F0000 Size: 266240 Protection: readonly Mapped to pid: own pid	success or wait	2034112909
Section loaded	Path: \NLS\NlsSectionSortkey Access: query and read Type: unknown Baseaddress: 240000 Size: 266240 Protection: readonly Mapped to pid: own pid	success or wait	2034114089
Section loaded	Path: \NLS\NlsSectionSortTbls Access: read Type: unknown Baseaddress: 290000 Size: 24576 Protection: readonly Mapped to pid: own pid	success or wait	2034114960
Section loaded	Path: \NLS\NlsSectionSortkey00000409 Access: read Type: unknown Baseaddress: 290000 Size: 24576 Protection: readonly Mapped to pid: own pid	object name not found	2034118816
Section loaded	Path: \NLS\NlsSectionSortkey00000409 Access: read Type: unknown Baseaddress: 290000 Size: 24576 Protection: readonly Mapped to pid: own pid	object name not found	2034119186
Section loaded	Path: \KnownDlls\ADVAPI32.dll Access: write and read and execute Type: unknown Baseaddress: 77DD0000 Size: 634880 Protection: read write Mapped to pid: own pid	success or wait	2034131755
Section loaded	Path: \KnownDlls\RPCRT4.dll Access: write and read and execute Type: unknown Baseaddress: 77E70000 Size: 602112 Protection: read write Mapped to pid: own pid	success or wait	2034140549
Section loaded	Path: \KnownDlls\Secur32.dll Access: write and read and execute Type: unknown Baseaddress: 77FE0000 Size: 69632 Protection: read write Mapped to pid: own pid	success or wait	2034147009
Section loaded	Path: \KnownDlls\ShimEng.dll Access: write and read and execute Type: unknown Baseaddress: 77FE0000 Size: 69632 Protection: read write Mapped to pid: own pid	object name not found	2034165650
Section loaded	Path: C:\WINDOWS\system32\shimeng.dll Access: query and write and read and execute Type: image Baseaddress: 5CB70000 Size: 155648 Protection: read write Mapped to pid: own pid	success or wait	2034167204
Section loaded	Path: C:\WINDOWS\AppPatch\sysmain.sdb Access: read Type: commit Baseaddress: 2A0000 Size: 1208320 Protection: readonly Mapped to pid: own pid	success or wait	2034175291
Section loaded	Path: C:\WINDOWS\AppPatch\aclayers.dll Access: write and read and execute Type: commit Baseaddress: 430000 Size: 475136 Protection: execute Mapped to pid: own pid	success or wait	2034192975
Section loaded	Path: C:\WINDOWS\AppPatch\aclayers.dll Access: write and read and execute Type: commit Baseaddress: 430000 Size: 475136 Protection: execute Mapped to pid: own pid	success or wait	2034197878
Section loaded	Path: C:\WINDOWS\AppPatch\aclayers.dll Access: query and write and read and execute Type: image Baseaddress: 71590000 Size: 495616 Protection: read write Mapped to pid: own pid	success or wait	2034199951
Section loaded	Path: \KnownDlls\USER32.dll Access: write and read and execute Type: unknown Baseaddress: 7E410000 Size: 593920 Protection: read write Mapped to pid: own pid	success or wait	2034204753
Section loaded	Path: \KnownDlls\GDI32.dll Access: write and read and execute Type: unknown Baseaddress: 77F10000 Size: 299008 Protection: read write Mapped to pid: own pid	success or wait	2034206052
Section loaded	Path: \KnownDlls\SHELL32.dll Access: write and read and execute Type: unknown Baseaddress: 7C9C0000 Size: 8482816 Protection: read write Mapped to pid: own pid	success or wait	2034223239
Section loaded	Path: \KnownDlls\msvcrt.dll Access: write and read and execute Type: unknown Baseaddress: 77C10000 Size: 360448 Protection: read write Mapped to pid: own pid	success or wait	2034229347
Section loaded	Path: \KnownDlls\SHLWAPI.dll Access: write and read and execute Type: unknown Baseaddress: 77F60000 Size: 483328 Protection: read write Mapped to pid: own pid	success or wait	2034239585
Section loaded	Path: \KnownDlls\ole32.dll Access: write and read and execute Type: unknown Baseaddress: 774E0000 Size: 1302528 Protection: read write Mapped to pid: own pid	success or wait	2034280095
Section loaded	Path: \KnownDlls\USERENV.dll Access: write and read and execute Type: unknown Baseaddress: 769C0000 Size: 737280 Protection: read write Mapped to pid: own pid	success or wait	2034293609
Section loaded	Path: \KnownDlls\WINSPOOL.DRV Access: write and read and execute Type: unknown Baseaddress: 769C0000 Size: 737280 Protection: read write Mapped to pid: own pid	object name not found	2034307903
Section loaded	Path: C:\WINDOWS\system32\winspool.drv Access: query and write and read and execute Type: image Baseaddress: 73000000 Size: 155648 Protection: read write Mapped to pid: own pid	success or wait	2034309693
Section loaded	Path: \NLS\NlsSectionCType Access: read Type: unknown Baseaddress: 3F0000 Size: 12288 Protection: readonly Mapped to pid: own pid	success or wait	2034326441
Section loaded	Path: C:\WINDOWS\system32\imm32.dll Access: write and read and execute Type: commit Baseaddress: 370000 Size: 110592 Protection: execute Mapped to pid: own pid	success or wait	2034503713
Section loaded	Path: C:\WINDOWS\system32\imm32.dll Access: write and read and execute Type: commit Baseaddress: 370000 Size: 110592 Protection: execute Mapped to pid: own pid	success or wait	2034506509
Section loaded	Path: C:\WINDOWS\system32\imm32.dll Access: query and write and read and execute Type: image Baseaddress: 76390000 Size: 118784 Protection: read write Mapped to pid: own pid	success or wait	2034511874
Section loaded	Path: C:\WINDOWS\system32\shell32.dll Access: read Type: commit Baseaddress: 880000 Size: 8462336 Protection: readonly Mapped to pid: own pid	success or wait	2034575814
Section loaded	Path: C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll Access: write and read and execute Type: commit Baseaddress: 880000 Size: 1056768 Protection: execute Mapped to pid: own pid	success or wait	2034629208
Section loaded	Path: C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll Access: query and write and read and execute Type: image Baseaddress: 773D0000 Size: 1060864 Protection: read write Mapped to pid: own pid	success or wait	2034638353
Section loaded	Path: C:\WINDOWS\WindowsShell.Manifest Access: write and read and execute Type: commit Baseaddress: 3A0000 Size: 4096 Protection: execute Mapped to pid: own pid	success or wait	2034668727
Section loaded	Path: C:\WINDOWS\WindowsShell.Manifest Access: query and read Type: commit Baseaddress: 3A0000 Size: 4096 Protection: readonly Mapped to pid: own pid	success or wait	2034678685
Section loaded	Path: C:\WINDOWS\WindowsShell.Manifest Access: read Type: commit Baseaddress: 3A0000 Size: 4096 Protection: readonly Mapped to pid: own pid	success or wait	2034681061
Section loaded	Path: C:\Program Files\Java\jre6\bin\msvcr71.dll Access: write and read and execute Type: commit Baseaddress: 880000 Size: 348160 Protection: execute Mapped to pid: own pid	success or wait	2034925024
Section loaded	Path: C:\Program Files\Java\jre6\bin\msvcr71.dll Access: query and write and read and execute Type: image Baseaddress: 7C340000 Size: 352256 Protection: read write Mapped to pid: own pid	success or wait	2034931419
Section loaded	Path: C:\Program Files\Java\jre6\bin\client\jvm.dll Access: write and read and execute Type: commit Baseaddress: 890000 Size: 2695168 Protection: execute Mapped to pid: own pid	success or wait	2035089866
Section loaded	Path: C:\Program Files\Java\jre6\bin\client\jvm.dll Access: query and write and read and execute Type: image Baseaddress: 6D7F0000 Size: 2777088 Protection: read write Mapped to pid: own pid	success or wait	2035092843
Section loaded	Path: \KnownDlls\WINMM.dll Access: write and read and execute Type: unknown Baseaddress: 6D7F0000 Size: 2777088 Protection: read write Mapped to pid: own pid	object name not found	2035096666
Section loaded	Path: C:\WINDOWS\system32\winmm.dll Access: query and write and read and execute Type: image Baseaddress: 76B40000 Size: 184320 Protection: read write Mapped to pid: own pid	success or wait	2035098461
Section loaded	Path: C:\Program Files\Java\jre6\bin\verify.dll Access: write and read and execute Type: commit Baseaddress: 960000 Size: 32768 Protection: execute Mapped to pid: own pid	success or wait	2036328292
Section loaded	Path: C:\Program Files\Java\jre6\bin\verify.dll Access: query and write and read and execute Type: image Baseaddress: 6D7A0000 Size: 49152 Protection: read write Mapped to pid: own pid	success or wait	2036331245
Section loaded	Path: C:\Program Files\Java\jre6\bin\java.dll Access: write and read and execute Type: commit Baseaddress: 960000 Size: 126976 Protection: execute Mapped to pid: own pid	success or wait	2036337240
Section loaded	Path: C:\Program Files\Java\jre6\bin\java.dll Access: query and write and read and execute Type: image Baseaddress: 6D320000 Size: 126976 Protection: read write Mapped to pid: own pid	success or wait	2036339776
Section loaded	Path: C:\Program Files\Java\jre6\bin\awt.dll Access: write and read and execute Type: commit Baseaddress: 980000 Size: 1208320 Protection: execute Mapped to pid: own pid	success or wait	2036352995
Section loaded	Path: C:\Program Files\Java\jre6\bin\awt.dll Access: query and write and read and execute Type: image Baseaddress: 6D000000 Size: 1351680 Protection: read write Mapped to pid: own pid	success or wait	2036355492
Section loaded	Path: C:\Program Files\Java\jre6\bin\hpi.dll Access: write and read and execute Type: commit Baseaddress: 980000 Size: 16384 Protection: execute Mapped to pid: own pid	success or wait	2036433449
Section loaded	Path: C:\Program Files\Java\jre6\bin\hpi.dll Access: query and write and read and execute Type: image Baseaddress: 6D280000 Size: 32768 Protection: read write Mapped to pid: own pid	success or wait	2036435986
Section loaded	Path: \KnownDlls\PSAPI.DLL Access: write and read and execute Type: unknown Baseaddress: 6D280000 Size: 32768 Protection: read write Mapped to pid: own pid	object name not found	2036441286
Section loaded	Path: C:\WINDOWS\system32\psapi.dll Access: query and write and read and execute Type: image Baseaddress: 76BF0000 Size: 45056 Protection: read write Mapped to pid: own pid	success or wait	2036443061
Section loaded	Path: \KnownDlls\d3d9.dll Access: write and read and execute Type: unknown Baseaddress: 76BF0000 Size: 45056 Protection: read write Mapped to pid: own pid	object name not found	2036574325
Section loaded	Path: C:\WINDOWS\system32\d3d9.dll Access: query and write and read and execute Type: image Baseaddress: 4FDD0000 Size: 1728512 Protection: read write Mapped to pid: own pid	success or wait	2036659718
Section loaded	Path: \KnownDlls\d3d8thk.dll Access: write and read and execute Type: unknown Baseaddress: 4FDD0000 Size: 1728512 Protection: read write Mapped to pid: own pid	object name not found	2036725309
Section loaded	Path: C:\WINDOWS\system32\d3d8thk.dll Access: query and write and read and execute Type: image Baseaddress: A80000 Size: 24576 Protection: read write Mapped to pid: own pid	conflicting addresses	2037696892
Section loaded	Path: \KnownDlls\VERSION.dll Access: write and read and execute Type: unknown Baseaddress: 77C00000 Size: 32768 Protection: read write Mapped to pid: own pid	success or wait	2038325210
Section loaded	Path: \BaseNamedObjects\hsperfdata_Administrator_3528 Access: query and write and read Type: commit Baseaddress: A90000 Size: 65536 Protection: read write Mapped to pid: own pid	success or wait	2038537554
Section loaded	Path: C:\WINDOWS\system32\VBoxDisp.dll Access: query and read Type: commit Baseaddress: AA0000 Size: 77824 Protection: readonly Mapped to pid: own pid	success or wait	2038542587
Section loaded	Path: C:\Program Files\Java\jre6\bin\zip.dll Access: write and read and execute Type: commit Baseaddress: AA0000 Size: 49152 Protection: execute Mapped to pid: own pid	success or wait	2038547698
Section loaded	Path: C:\Program Files\Java\jre6\bin\zip.dll Access: query and write and read and execute Type: image Baseaddress: 6D7E0000 Size: 61440 Protection: read write Mapped to pid: own pid	success or wait	2038548636
Section loaded	Path: C:\WINDOWS\system32\VBoxDisp.dll Access: query and read Type: commit Baseaddress: AA0000 Size: 77824 Protection: readonly Mapped to pid: own pid	success or wait	2038558061
Section loaded	Path: C:\WINDOWS\system32\VBoxDisp.dll Access: query and read Type: commit Baseaddress: AA0000 Size: 77824 Protection: readonly Mapped to pid: own pid	success or wait	2038567009
Section loaded	Path: C:\WINDOWS\system32\VBoxDisp.dll Access: query and read Type: commit Baseaddress: AA0000 Size: 77824 Protection: readonly Mapped to pid: own pid	success or wait	2038569708
Section loaded	Path: C:\Program Files\Java\jre6\bin\client\classes.jsa Access: query and read Type: commit Baseaddress: 2C990000 Size: 5439488 Protection: readonly Mapped to pid: own pid	success or wait	2038657318
Section loaded	Path: C:\Program Files\Java\jre6\bin\client\classes.jsa Access: query and read Type: commit Baseaddress: 2D390000 Size: 6946816 Protection: write copy Mapped to pid: own pid	success or wait	2038658337
Section loaded	Path: C:\Program Files\Java\jre6\bin\client\classes.jsa Access: query and read Type: commit Baseaddress: 2DF90000 Size: 851968 Protection: write copy Mapped to pid: own pid	success or wait	2038659338
Section loaded	Path: C:\WINDOWS\system32\VBoxDisp.dll Access: query and read Type: commit Baseaddress: 2DF0000 Size: 77824 Protection: readonly Mapped to pid: own pid	success or wait	2041580474
Section loaded	Path: C:\WINDOWS\system32\VBoxDisp.dll Access: query and read Type: commit Baseaddress: 2DF0000 Size: 77824 Protection: readonly Mapped to pid: own pid	success or wait	2041616541
Section loaded	Path: C:\WINDOWS\system32\VBoxDisp.dll Access: query and read Type: commit Baseaddress: 2F80000 Size: 77824 Protection: readonly Mapped to pid: own pid	success or wait	2043140827
Section loaded	Path: C:\WINDOWS\system32\VBoxDisp.dll Access: query and read Type: commit Baseaddress: 2F80000 Size: 77824 Protection: readonly Mapped to pid: own pid	success or wait	2043159735
Section loaded	Path: C:\Program Files\Java\jre6\bin\jp2native.dll Access: write and read and execute Type: commit Baseaddress: A80000 Size: 8192 Protection: execute Mapped to pid: own pid	success or wait	2043683957
Section loaded	Path: C:\Program Files\Java\jre6\bin\jp2native.dll Access: query and write and read and execute Type: image Baseaddress: 6D420000 Size: 24576 Protection: read write Mapped to pid: own pid	success or wait	2043687240
Section loaded	Path: C:\Program Files\Java\jre6\bin\deploy.dll Access: write and read and execute Type: commit Baseaddress: 2F80000 Size: 77824 Protection: execute Mapped to pid: own pid	success or wait	2043697867
Section loaded	Path: C:\Program Files\Java\jre6\bin\deploy.dll Access: query and write and read and execute Type: image Baseaddress: 6D1D0000 Size: 77824 Protection: read write Mapped to pid: own pid	success or wait	2043703289
Section loaded	Path: \KnownDlls\CRYPT32.dll Access: write and read and execute Type: unknown Baseaddress: 6D1D0000 Size: 77824 Protection: read write Mapped to pid: own pid	object name not found	2043703921
Section loaded	Path: C:\WINDOWS\system32\crypt32.dll Access: query and write and read and execute Type: image Baseaddress: 77A80000 Size: 610304 Protection: read write Mapped to pid: own pid	success or wait	2043704786
Section loaded	Path: \KnownDlls\MSASN1.dll Access: write and read and execute Type: unknown Baseaddress: 77A80000 Size: 610304 Protection: read write Mapped to pid: own pid	object name not found	2043707424
Section loaded	Path: C:\WINDOWS\system32\msasn1.dll Access: query and write and read and execute Type: image Baseaddress: 77B20000 Size: 73728 Protection: read write Mapped to pid: own pid	success or wait	2043708885
Section loaded	Path: \KnownDlls\OLEAUT32.dll Access: write and read and execute Type: unknown Baseaddress: 77120000 Size: 569344 Protection: read write Mapped to pid: own pid	success or wait	2043718276
Section loaded	Path: \KnownDlls\WININET.dll Access: write and read and execute Type: unknown Baseaddress: 3D930000 Size: 942080 Protection: read write Mapped to pid: own pid	success or wait	2043723969
Section loaded	Path: \KnownDlls\Normaliz.dll Access: write and read and execute Type: unknown Baseaddress: A80000 Size: 36864 Protection: read write Mapped to pid: own pid	conflicting addresses	2043728751
Section loaded	Path: \KnownDlls\urlmon.dll Access: write and read and execute Type: unknown Baseaddress: 78130000 Size: 1257472 Protection: read write Mapped to pid: own pid	success or wait	2043797680
Section loaded	Path: \KnownDlls\iertutil.dll Access: write and read and execute Type: unknown Baseaddress: 3DFD0000 Size: 2002944 Protection: read write Mapped to pid: own pid	success or wait	2043811931
Section loaded	Path: C:\Program Files\Java\jre6\bin\regutils.dll Access: write and read and execute Type: commit Baseaddress: 30F0000 Size: 278528 Protection: execute Mapped to pid: own pid	success or wait	2044337506
Section loaded	Path: C:\Program Files\Java\jre6\bin\regutils.dll Access: query and write and read and execute Type: image Baseaddress: 6D6A0000 Size: 286720 Protection: read write Mapped to pid: own pid	success or wait	2044342347
Section loaded	Path: \KnownDlls\VERSION.dll Access: write and read and execute Type: unknown Baseaddress: 77C00000 Size: 32768 Protection: read write Mapped to pid: own pid	success or wait	2044346824
Section loaded	Path: \KnownDlls\shfolder.dll Access: write and read and execute Type: unknown Baseaddress: 77C00000 Size: 32768 Protection: read write Mapped to pid: own pid	object name not found	2044759805
Section loaded	Path: C:\WINDOWS\system32\shfolder.dll Access: query and write and read and execute Type: image Baseaddress: 76780000 Size: 36864 Protection: read write Mapped to pid: own pid	success or wait	2044776243
Section loaded	Path: C:\Program Files\Java\jre6\bin\net.dll Access: write and read and execute Type: commit Baseaddress: 3150000 Size: 77824 Protection: execute Mapped to pid: own pid	success or wait	2045006698
Section loaded	Path: C:\Program Files\Java\jre6\bin\net.dll Access: query and write and read and execute Type: image Baseaddress: 6D600000 Size: 77824 Protection: read write Mapped to pid: own pid	success or wait	2045010282
Section loaded	Path: \KnownDlls\WS2_32.dll Access: write and read and execute Type: unknown Baseaddress: 6D600000 Size: 77824 Protection: read write Mapped to pid: own pid	object name not found	2045012728
Section loaded	Path: C:\WINDOWS\system32\ws2_32.dll Access: query and write and read and execute Type: image Baseaddress: 71AB0000 Size: 94208 Protection: read write Mapped to pid: own pid	success or wait	2045016384
Section loaded	Path: \KnownDlls\WS2HELP.dll Access: write and read and execute Type: unknown Baseaddress: 71AB0000 Size: 94208 Protection: read write Mapped to pid: own pid	object name not found	2045029326
Section loaded	Path: C:\WINDOWS\system32\ws2help.dll Access: query and write and read and execute Type: image Baseaddress: 71AA0000 Size: 32768 Protection: read write Mapped to pid: own pid	success or wait	2045080939
Section loaded	Path: C:\Program Files\Java\jre6\bin\nio.dll Access: write and read and execute Type: commit Baseaddress: 3150000 Size: 20480 Protection: execute Mapped to pid: own pid	success or wait	2045269060
Section loaded	Path: C:\Program Files\Java\jre6\bin\nio.dll Access: query and write and read and execute Type: image Baseaddress: 6D620000 Size: 36864 Protection: read write Mapped to pid: own pid	success or wait	2045311991
Section loaded	Path: C:\WINDOWS\system32\msctf.dll Access: write and read and execute Type: commit Baseaddress: 34E0000 Size: 299008 Protection: execute Mapped to pid: own pid	success or wait	2061756802
Section loaded	Path: C:\WINDOWS\system32\msctf.dll Access: query and write and read and execute Type: image Baseaddress: 74720000 Size: 311296 Protection: read write Mapped to pid: own pid	success or wait	2061848060
Section loaded	Path: \BaseNamedObjects\CiceroSharedMemDefaultS-1-5-21-507921405-1960408961-839522115-500 Access: query and write and read Type: commit Baseaddress: 74720000 Size: 311296 Protection: read write Mapped to pid: own pid	object name exists	2061934943
Section loaded	Path: \BaseNamedObjects\CTF.TimListCache.FMPDefaultS-1-5-21-507921405-1960408961-839522115-500SFM.DefaultS-1-5-21-507921405-1960408961-839522115-500 Access: query and write and read and execute and extend size Type: unknown Baseaddress: 34F0000 Size: 262144 Protection: read write Mapped to pid: own pid	success or wait	2061964630
Section loaded	Path: C:\WINDOWS\system32\msctfime.ime Access: write and read and execute Type: commit Baseaddress: 3530000 Size: 180224 Protection: execute Mapped to pid: own pid	success or wait	2061976308
Section loaded	Path: C:\WINDOWS\system32\msctfime.ime Access: query and read Type: commit Baseaddress: 3530000 Size: 180224 Protection: readonly Mapped to pid: own pid	success or wait	2061982047
Section loaded	Path: C:\WINDOWS\system32\msctfime.ime Access: write and read and execute Type: commit Baseaddress: 3530000 Size: 180224 Protection: execute Mapped to pid: own pid	success or wait	2061992238
Section loaded	Path: C:\WINDOWS\system32\msctfime.ime Access: query and read Type: commit Baseaddress: 3530000 Size: 180224 Protection: readonly Mapped to pid: own pid	success or wait	2062035967
Section loaded	Path: \KnownDlls\apphelp.dll Access: write and read and execute Type: unknown Baseaddress: 77B40000 Size: 139264 Protection: read write Mapped to pid: own pid	success or wait	2062040535
Section loaded	Path: C:\WINDOWS\AppPatch\sysmain.sdb Access: read Type: commit Baseaddress: 3530000 Size: 1208320 Protection: readonly Mapped to pid: own pid	success or wait	2062180216
Section loaded	Path: \BaseNamedObjects\ShimSharedMemory Access: write Type: unknown Baseaddress: 3530000 Size: 57344 Protection: read write Mapped to pid: own pid	success or wait	2062278821
Section loaded	Path: C:\WINDOWS\system32\msctfime.ime Access: write and read and execute Type: commit Baseaddress: 3540000 Size: 180224 Protection: execute Mapped to pid: own pid	success or wait	2062284201
Section loaded	Path: C:\WINDOWS\system32\msctfime.ime Access: query and write and read and execute Type: image Baseaddress: 755C0000 Size: 188416 Protection: read write Mapped to pid: own pid	success or wait	2062292336
Section loaded	Path: C:\WINDOWS\AppPatch\sysmain.sdb Access: read Type: commit Baseaddress: 3540000 Size: 1208320 Protection: readonly Mapped to pid: own pid	success or wait	2062463213
Section loaded	Path: C:\WINDOWS\system32\rpcss.dll Access: write and read and execute Type: commit Baseaddress: 3540000 Size: 401408 Protection: execute Mapped to pid: own pid	success or wait	2062530148
Section loaded	Path: \BaseNamedObjects\Local\C:_Documents and Settings_Administrator_Local Settings_Temporary Internet Files_Content.IE5_index.dat_98304 Access: write Type: unknown Baseaddress: 3720000 Size: 98304 Protection: read write Mapped to pid: own pid	success or wait	2071639617
Section loaded	Path: \BaseNamedObjects\Local\C:_Documents and Settings_Administrator_Cookies_index.dat_32768 Access: write Type: unknown Baseaddress: 3740000 Size: 32768 Protection: read write Mapped to pid: own pid	success or wait	2071649088
Section loaded	Path: \BaseNamedObjects\Local\C:_Documents and Settings_Administrator_Local Settings_History_History.IE5_index.dat_32768 Access: write Type: unknown Baseaddress: 3750000 Size: 32768 Protection: read write Mapped to pid: own pid	success or wait	2071658380
Section loaded	Path: C:\Program Files\Java\jre6\bin\fontmanager.dll Access: write and read and execute Type: commit Baseaddress: 3540000 Size: 323584 Protection: execute Mapped to pid: own pid	success or wait	2075361428
Section loaded	Path: C:\Program Files\Java\jre6\bin\fontmanager.dll Access: query and write and read and execute Type: image Baseaddress: 6D230000 Size: 323584 Protection: read write Mapped to pid: own pid	success or wait	2075382030

Analysis File: setup_wm.exe PID: 3636 Parent PID: 3432

Sections

General
Start time:	05:52:20
Start date:	08/12/2011
Path:	C:\Program Files\Windows Media Player\setup_wm.exe
Commandline:	C:\Program Files\Windows Media Player\setup_wm.exe /RunOnce: C:\Program Files\Windows Media Player\wmplayer.exe /open http://combijump.com/content/hcp_asx.php?f=41::4
Imagebase:	0x1000000
File size:	774144 bytes
MD5 hash:	60C6E654F7253FC5277AD413B2536380

Section Activities:

Section loaded by Windows
File Path	Access	Type	Base	Size	Mapped to pid	Protection	Completion	Count
\KnownDlls\kernel32.dll	write and read and execute	unknown	7C800000	1007616	own pid	read write	success or wait	1
unknown	query and write and read and execute and extend size	reserve	7C800000	1007616	own pid	read write	success or wait	1
\NLS\NlsSectionUnicode	read	unknown	1C0000	90112	own pid	readonly	success or wait	1
\NLS\NlsSectionLocale	read	unknown	1E0000	266240	own pid	readonly	success or wait	1
\NLS\NlsSectionSortkey	query and read	unknown	230000	266240	own pid	readonly	success or wait	1
\NLS\NlsSectionSortTbls	read	unknown	280000	24576	own pid	readonly	success or wait	1
\NLS\NlsSectionSortkey00000409	read	unknown	280000	24576	own pid	readonly	object name not found	1
\NLS\NlsSectionSortkey00000409	read	unknown	280000	24576	own pid	readonly	object name not found	1
\KnownDlls\msvcrt.dll	write and read and execute	unknown	77C10000	360448	own pid	read write	success or wait	1
\KnownDlls\ADVAPI32.dll	write and read and execute	unknown	77DD0000	634880	own pid	read write	success or wait	1
\KnownDlls\RPCRT4.dll	write and read and execute	unknown	77E70000	602112	own pid	read write	success or wait	1
\KnownDlls\Secur32.dll	write and read and execute	unknown	77FE0000	69632	own pid	read write	success or wait	1
\KnownDlls\GDI32.dll	write and read and execute	unknown	77F10000	299008	own pid	read write	success or wait	1
\KnownDlls\USER32.dll	write and read and execute	unknown	7E410000	593920	own pid	read write	success or wait	1
\KnownDlls\ole32.dll	write and read and execute	unknown	774E0000	1302528	own pid	read write	success or wait	1
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll	query and write and read and execute	image	773D0000	1060864	own pid	read write	success or wait	1
\KnownDlls\SHLWAPI.dll	write and read and execute	unknown	77F60000	483328	own pid	read write	success or wait	1
\KnownDlls\SHELL32.dll	write and read and execute	unknown	7C9C0000	8482816	own pid	read write	success or wait	1
\KnownDlls\WININET.dll	write and read and execute	unknown	3D930000	942080	own pid	read write	success or wait	1
\KnownDlls\Normaliz.dll	write and read and execute	unknown	400000	36864	own pid	read write	success or wait	1
\KnownDlls\urlmon.dll	write and read and execute	unknown	78130000	1257472	own pid	read write	success or wait	1
\KnownDlls\OLEAUT32.dll	write and read and execute	unknown	77120000	569344	own pid	read write	success or wait	1
\KnownDlls\iertutil.dll	write and read and execute	unknown	3DFD0000	2002944	own pid	read write	success or wait	1
\KnownDlls\SETUPAPI.dll	write and read and execute	unknown	3DFD0000	2002944	own pid	read write	object name not found	1
C:\WINDOWS\system32\setupapi.dll	query and write and read and execute	image	77920000	995328	own pid	read write	success or wait	1
\KnownDlls\WINTRUST.dll	write and read and execute	unknown	77920000	995328	own pid	read write	object name not found	1
C:\WINDOWS\system32\wintrust.dll	query and write and read and execute	image	76C30000	188416	own pid	read write	success or wait	1
\KnownDlls\CRYPT32.dll	write and read and execute	unknown	76C30000	188416	own pid	read write	object name not found	1
C:\WINDOWS\system32\crypt32.dll	query and write and read and execute	image	77A80000	610304	own pid	read write	success or wait	1
\KnownDlls\MSASN1.dll	write and read and execute	unknown	77A80000	610304	own pid	read write	object name not found	1
C:\WINDOWS\system32\msasn1.dll	query and write and read and execute	image	77B20000	73728	own pid	read write	success or wait	1
\KnownDlls\IMAGEHLP.dll	write and read and execute	unknown	76C90000	163840	own pid	read write	success or wait	1
\KnownDlls\WSOCK32.dll	write and read and execute	unknown	76C90000	163840	own pid	read write	object name not found	1
C:\WINDOWS\system32\wsock32.dll	query and write and read and execute	image	71AD0000	36864	own pid	read write	success or wait	1
\KnownDlls\WS2_32.dll	write and read and execute	unknown	71AD0000	36864	own pid	read write	object name not found	1
C:\WINDOWS\system32\ws2_32.dll	query and write and read and execute	image	71AB0000	94208	own pid	read write	success or wait	1
\KnownDlls\WS2HELP.dll	write and read and execute	unknown	71AB0000	94208	own pid	read write	object name not found	1
C:\WINDOWS\system32\ws2help.dll	query and write and read and execute	image	71AA0000	32768	own pid	read write	success or wait	1
\KnownDlls\MPR.dll	write and read and execute	unknown	71B20000	73728	own pid	read write	success or wait	1
\KnownDlls\VERSION.dll	write and read and execute	unknown	77C00000	32768	own pid	read write	success or wait	1
\KnownDlls\ShimEng.dll	write and read and execute	unknown	77C00000	32768	own pid	read write	object name not found	1
C:\WINDOWS\system32\shimeng.dll	query and write and read and execute	image	5CB70000	155648	own pid	read write	success or wait	1
C:\WINDOWS\AppPatch\sysmain.sdb	read	commit	290000	1208320	own pid	readonly	success or wait	1
C:\WINDOWS\AppPatch\aclayers.dll	write and read and execute	commit	410000	475136	own pid	execute	success or wait	1
C:\WINDOWS\AppPatch\aclayers.dll	write and read and execute	commit	410000	475136	own pid	execute	success or wait	1
C:\WINDOWS\AppPatch\aclayers.dll	query and write and read and execute	image	71590000	495616	own pid	read write	success or wait	1
\KnownDlls\USERENV.dll	write and read and execute	unknown	769C0000	737280	own pid	read write	success or wait	1
\KnownDlls\WINSPOOL.DRV	write and read and execute	unknown	769C0000	737280	own pid	read write	object name not found	1
C:\WINDOWS\system32\winspool.drv	query and write and read and execute	image	73000000	155648	own pid	read write	success or wait	1
\NLS\NlsSectionCType	read	unknown	3E0000	12288	own pid	readonly	success or wait	1
C:\WINDOWS\system32\imm32.dll	write and read and execute	commit	360000	110592	own pid	execute	success or wait	1
C:\WINDOWS\system32\imm32.dll	write and read and execute	commit	360000	110592	own pid	execute	success or wait	1
C:\WINDOWS\system32\imm32.dll	query and write and read and execute	image	76390000	118784	own pid	read write	success or wait	1
C:\WINDOWS\WindowsShell.Manifest	write and read and execute	commit	380000	4096	own pid	execute	success or wait	1
C:\WINDOWS\WindowsShell.Manifest	query and read	commit	380000	4096	own pid	readonly	success or wait	1
C:\WINDOWS\WindowsShell.Manifest	read	commit	380000	4096	own pid	readonly	success or wait	1
C:\WINDOWS\system32\shell32.dll	read	commit	10C0000	8462336	own pid	readonly	success or wait	1
C:\WINDOWS\system32\rpcss.dll	write and read and execute	commit	AA0000	401408	own pid	execute	success or wait	1
C:\WINDOWS\system32\msctf.dll	write and read and execute	commit	AA0000	299008	own pid	execute	success or wait	1
C:\WINDOWS\system32\msctf.dll	query and write and read and execute	image	74720000	311296	own pid	read write	success or wait	1
\BaseNamedObjects\CiceroSharedMemDefaultS-1-5-21-507921405-1960408961-839522115-500	query and write and read	commit	74720000	311296	own pid	read write	object name exists	1
\BaseNamedObjects\CTF.TimListCache.FMPDefaultS-1-5-21-507921405-1960408961-839522115-500SFM.DefaultS-1-5-21-507921405-1960408961-839522115-500	query and write and read and execute and extend size	unknown	AB0000	262144	own pid	read write	success or wait	1
C:\WINDOWS\system32\msctfime.ime	write and read and execute	commit	AF0000	180224	own pid	execute	success or wait	1
C:\WINDOWS\system32\msctfime.ime	query and read	commit	AF0000	180224	own pid	readonly	success or wait	1
C:\WINDOWS\system32\msctfime.ime	write and read and execute	commit	AF0000	180224	own pid	execute	success or wait	1
C:\WINDOWS\system32\msctfime.ime	query and read	commit	AF0000	180224	own pid	readonly	success or wait	1
\KnownDlls\apphelp.dll	write and read and execute	unknown	77B40000	139264	own pid	read write	success or wait	1
C:\WINDOWS\AppPatch\sysmain.sdb	read	commit	AF0000	1208320	own pid	readonly	success or wait	1
\BaseNamedObjects\ShimSharedMemory	write	unknown	AF0000	57344	own pid	read write	success or wait	1
C:\WINDOWS\system32\msctfime.ime	write and read and execute	commit	B00000	180224	own pid	execute	success or wait	1
C:\WINDOWS\system32\msctfime.ime	query and write and read and execute	image	755C0000	188416	own pid	read write	success or wait	1
C:\WINDOWS\AppPatch\sysmain.sdb	read	commit	B00000	1208320	own pid	readonly	success or wait	1
\KnownDlls\UxTheme.dll	write and read and execute	unknown	B00000	1208320	own pid	readonly	object name not found	1
C:\WINDOWS\system32\uxtheme.dll	query and write and read and execute	image	5AD70000	229376	own pid	read write	success or wait	1
\KnownDlls\netapi32.dll	write and read and execute	unknown	5AD70000	229376	own pid	read write	object name not found	1
C:\WINDOWS\system32\netapi32.dll	query and write and read and execute	image	5B860000	348160	own pid	read write	success or wait	1
C:\PROGRA~1\WINDOW~2\wmplayer.exe	write and read and execute	commit	B00000	73728	own pid	execute	success or wait	1
C:\PROGRA~1\WINDOW~2\wmplayer.exe	query and read	commit	B00000	73728	own pid	readonly	success or wait	1
C:\PROGRA~1\WINDOW~2\wmplayer.exe	write and read and execute	commit	B00000	73728	own pid	execute	success or wait	1
C:\PROGRA~1\WINDOW~2\wmplayer.exe	query and read	commit	B00000	73728	own pid	readonly	success or wait	1
\KnownDlls\CLBCATQ.DLL	write and read and execute	unknown	B00000	73728	own pid	readonly	object name not found	1
C:\WINDOWS\system32\clbcatq.dll	query and write and read and execute	image	76FD0000	520192	own pid	read write	success or wait	1
\KnownDlls\COMRes.dll	write and read and execute	unknown	76FD0000	520192	own pid	read write	object name not found	1
C:\WINDOWS\system32\comres.dll	query and write and read and execute	image	77050000	806912	own pid	read write	success or wait	1
C:\WINDOWS\system32\quartz.dll	write and read and execute	commit	B10000	1294336	own pid	execute	success or wait	1
C:\WINDOWS\system32\quartz.dll	query and write and read and execute	image	74810000	1499136	own pid	read write	success or wait	1
\KnownDlls\WINMM.dll	write and read and execute	unknown	74810000	1499136	own pid	read write	object name not found	1
C:\WINDOWS\system32\winmm.dll	query and write and read and execute	image	76B40000	184320	own pid	read write	success or wait	1
\BaseNamedObjects\VIDEOMEMORY	query and write and read	commit	B90000	4096	own pid	read write	success or wait	1
C:\WINDOWS\system32\devenum.dll	write and read and execute	commit	BA0000	61440	own pid	execute	success or wait	1
C:\WINDOWS\system32\devenum.dll	query and write and read and execute	image	75F40000	69632	own pid	read write	success or wait	1
\KnownDlls\msdmo.dll	write and read and execute	unknown	75F40000	69632	own pid	read write	object name not found	1
C:\WINDOWS\system32\msdmo.dll	query and write and read and execute	image	736B0000	28672	own pid	read write	success or wait	1
C:\WINDOWS\inf\unregmp2.exe	write and read and execute	commit	CA0000	208896	own pid	execute	success or wait	1
C:\WINDOWS\inf\unregmp2.exe	query and read	commit	CA0000	208896	own pid	readonly	success or wait	1
C:\WINDOWS\inf\unregmp2.exe	write and read and execute	commit	CA0000	208896	own pid	execute	success or wait	1
C:\WINDOWS\inf\unregmp2.exe	query and read	commit	CA0000	208896	own pid	readonly	success or wait	1
C:\WINDOWS\inf\unregmp2.exe	write and read and execute	commit	CA0000	208896	own pid	execute	success or wait	1
C:\WINDOWS\inf\unregmp2.exe	query and read	commit	CA0000	208896	own pid	readonly	success or wait	1
C:\WINDOWS\inf\unregmp2.exe	write and read and execute	commit	CA0000	208896	own pid	execute	success or wait	1
C:\WINDOWS\inf\unregmp2.exe	query and read	commit	CA0000	208896	own pid	readonly	success or wait	1
C:\WINDOWS\inf\unregmp2.exe	write and read and execute	commit	CA0000	208896	own pid	execute	success or wait	1
C:\WINDOWS\inf\unregmp2.exe	query and read	commit	CA0000	208896	own pid	readonly	success or wait	1
C:\WINDOWS\inf\unregmp2.exe	write and read and execute	commit	CA0000	208896	own pid	execute	success or wait	1
C:\WINDOWS\inf\unregmp2.exe	query and read	commit	CA0000	208896	own pid	readonly	success or wait	1
C:\WINDOWS\inf\unregmp2.exe	write and read and execute	commit	CA0000	208896	own pid	execute	success or wait	1
C:\WINDOWS\inf\unregmp2.exe	query and read	commit	CA0000	208896	own pid	readonly	success or wait	1
C:\WINDOWS\inf\unregmp2.exe	write and read and execute	commit	CA0000	208896	own pid	execute	success or wait	1
C:\WINDOWS\inf\unregmp2.exe	query and read	commit	CA0000	208896	own pid	readonly	success or wait	1
C:\WINDOWS\inf\unregmp2.exe	write and read and execute	commit	CA0000	208896	own pid	execute	success or wait	1
C:\WINDOWS\inf\unregmp2.exe	query and read	commit	CA0000	208896	own pid	readonly	success or wait	1
C:\WINDOWS\inf\unregmp2.exe	write and read and execute	commit	CA0000	208896	own pid	execute	success or wait	1
C:\WINDOWS\inf\unregmp2.exe	query and read	commit	CA0000	208896	own pid	readonly	success or wait	1
C:\WINDOWS\inf\unregmp2.exe	write and read and execute	commit	CA0000	208896	own pid	execute	success or wait	1
C:\WINDOWS\inf\unregmp2.exe	query and read	commit	CA0000	208896	own pid	readonly	success or wait	1
C:\WINDOWS\inf\unregmp2.exe	write and read and execute	commit	CA0000	208896	own pid	execute	success or wait	1
C:\WINDOWS\inf\unregmp2.exe	query and read	commit	CA0000	208896	own pid	readonly	success or wait	1
\BaseNamedObjects\CTF.AsmListCache.FMPDefaultS-1-5-21-507921405-1960408961-839522115-500	query and write and read and execute and extend size	unknown	CA0000	4096	own pid	read write	success or wait	1
C:\WINDOWS\system32\msimtf.dll	write and read and execute	commit	CA0000	159744	own pid	execute	success or wait	1
C:\WINDOWS\system32\msimtf.dll	write and read and execute	commit	CA0000	159744	own pid	execute	success or wait	1
C:\WINDOWS\system32\msimtf.dll	write and read and execute	commit	CA0000	159744	own pid	execute	success or wait	1
C:\WINDOWS\system32\msimtf.dll	write and read and execute	commit	CA0000	159744	own pid	execute	success or wait	1
\BaseNamedObjects\MSCTF.MarshalInterface.FileMap.IDO..MKFLI	query and write and read	commit	CA0000	4096	own pid	read write	success or wait	1
\BaseNamedObjects\MSCTF.Shared.SFM.ICH	query and write and read and execute and extend size	unknown	CB0000	524288	own pid	read write	success or wait	1
\BaseNamedObjects\MSCTF.MarshalInterface.FileMap.IDO.B.MKFLI	query and write and read	commit	CA0000	4096	own pid	read write	success or wait	1
\BaseNamedObjects\MSCTF.MarshalInterface.FileMap.IDO.C.MKFLI	query and write and read	commit	D30000	4096	own pid	read write	success or wait	1
\BaseNamedObjects\MSCTF.MarshalInterface.FileMap.IDO.D.MKFLI	query and write and read	commit	D40000	4096	own pid	read write	success or wait	1
\BaseNamedObjects\MSCTF.MarshalInterface.FileMap.IDO.E.MLFLI	query and write and read	commit	CA0000	4096	own pid	read write	success or wait	1
\BaseNamedObjects\MSCTF.MarshalInterface.FileMap.IDO.F.MLFLI	query and write and read	commit	CA0000	4096	own pid	read write	success or wait	1
\BaseNamedObjects\MSCTF.MarshalInterface.FileMap.IDO.G.MLFLI	query and write and read	commit	CA0000	4096	own pid	read write	success or wait	1
\BaseNamedObjects\MSCTF.MarshalInterface.FileMap.ICH.ME.MLFLI	query and write and read and execute and extend size	unknown	CA0000	4096	own pid	read write	success or wait	1
\BaseNamedObjects\MSCTF.MarshalInterface.FileMap.ICH.NE.MLFLI	query and write and read and execute and extend size	unknown	CA0000	4096	own pid	read write	success or wait	1
\BaseNamedObjects\MSCTF.MarshalInterface.FileMap.ICH.OE.MLFLI	query and write and read and execute and extend size	unknown	CA0000	4096	own pid	read write	success or wait	1

Section loaded by program
File Path	Access	Type	Base	Size	Mapped to pid	Protection	Completion	Count	Source Address

Chronological sections
Operation	Data	Completion	Time
Section loaded	Path: \KnownDlls\kernel32.dll Access: write and read and execute Type: unknown Baseaddress: 7C800000 Size: 1007616 Protection: read write Mapped to pid: own pid	success or wait	2037813236
Section loaded	Path: unknown Access: query and write and read and execute and extend size Type: reserve Baseaddress: 7C800000 Size: 1007616 Protection: read write Mapped to pid: own pid	success or wait	2037834511
Section loaded	Path: \NLS\NlsSectionUnicode Access: read Type: unknown Baseaddress: 1C0000 Size: 90112 Protection: readonly Mapped to pid: own pid	success or wait	2037843008
Section loaded	Path: \NLS\NlsSectionLocale Access: read Type: unknown Baseaddress: 1E0000 Size: 266240 Protection: readonly Mapped to pid: own pid	success or wait	2037844488
Section loaded	Path: \NLS\NlsSectionSortkey Access: query and read Type: unknown Baseaddress: 230000 Size: 266240 Protection: readonly Mapped to pid: own pid	success or wait	2037867054
Section loaded	Path: \NLS\NlsSectionSortTbls Access: read Type: unknown Baseaddress: 280000 Size: 24576 Protection: readonly Mapped to pid: own pid	success or wait	2037887942
Section loaded	Path: \NLS\NlsSectionSortkey00000409 Access: read Type: unknown Baseaddress: 280000 Size: 24576 Protection: readonly Mapped to pid: own pid	object name not found	2037914920
Section loaded	Path: \NLS\NlsSectionSortkey00000409 Access: read Type: unknown Baseaddress: 280000 Size: 24576 Protection: readonly Mapped to pid: own pid	object name not found	2038122356
Section loaded	Path: \KnownDlls\msvcrt.dll Access: write and read and execute Type: unknown Baseaddress: 77C10000 Size: 360448 Protection: read write Mapped to pid: own pid	success or wait	2038268365
Section loaded	Path: \KnownDlls\ADVAPI32.dll Access: write and read and execute Type: unknown Baseaddress: 77DD0000 Size: 634880 Protection: read write Mapped to pid: own pid	success or wait	2038328139
Section loaded	Path: \KnownDlls\RPCRT4.dll Access: write and read and execute Type: unknown Baseaddress: 77E70000 Size: 602112 Protection: read write Mapped to pid: own pid	success or wait	2038336176
Section loaded	Path: \KnownDlls\Secur32.dll Access: write and read and execute Type: unknown Baseaddress: 77FE0000 Size: 69632 Protection: read write Mapped to pid: own pid	success or wait	2038344736
Section loaded	Path: \KnownDlls\GDI32.dll Access: write and read and execute Type: unknown Baseaddress: 77F10000 Size: 299008 Protection: read write Mapped to pid: own pid	success or wait	2038359114
Section loaded	Path: \KnownDlls\USER32.dll Access: write and read and execute Type: unknown Baseaddress: 7E410000 Size: 593920 Protection: read write Mapped to pid: own pid	success or wait	2038364147
Section loaded	Path: \KnownDlls\ole32.dll Access: write and read and execute Type: unknown Baseaddress: 774E0000 Size: 1302528 Protection: read write Mapped to pid: own pid	success or wait	2038375950
Section loaded	Path: C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll Access: query and write and read and execute Type: image Baseaddress: 773D0000 Size: 1060864 Protection: read write Mapped to pid: own pid	success or wait	2038382488
Section loaded	Path: \KnownDlls\SHLWAPI.dll Access: write and read and execute Type: unknown Baseaddress: 77F60000 Size: 483328 Protection: read write Mapped to pid: own pid	success or wait	2038400625
Section loaded	Path: \KnownDlls\SHELL32.dll Access: write and read and execute Type: unknown Baseaddress: 7C9C0000 Size: 8482816 Protection: read write Mapped to pid: own pid	success or wait	2038420625
Section loaded	Path: \KnownDlls\WININET.dll Access: write and read and execute Type: unknown Baseaddress: 3D930000 Size: 942080 Protection: read write Mapped to pid: own pid	success or wait	2038437881
Section loaded	Path: \KnownDlls\Normaliz.dll Access: write and read and execute Type: unknown Baseaddress: 400000 Size: 36864 Protection: read write Mapped to pid: own pid	success or wait	2038474383
Section loaded	Path: \KnownDlls\urlmon.dll Access: write and read and execute Type: unknown Baseaddress: 78130000 Size: 1257472 Protection: read write Mapped to pid: own pid	success or wait	2038490514
Section loaded	Path: \KnownDlls\OLEAUT32.dll Access: write and read and execute Type: unknown Baseaddress: 77120000 Size: 569344 Protection: read write Mapped to pid: own pid	success or wait	2038535320
Section loaded	Path: \KnownDlls\iertutil.dll Access: write and read and execute Type: unknown Baseaddress: 3DFD0000 Size: 2002944 Protection: read write Mapped to pid: own pid	success or wait	2038559011
Section loaded	Path: \KnownDlls\SETUPAPI.dll Access: write and read and execute Type: unknown Baseaddress: 3DFD0000 Size: 2002944 Protection: read write Mapped to pid: own pid	object name not found	2038580441
Section loaded	Path: C:\WINDOWS\system32\setupapi.dll Access: query and write and read and execute Type: image Baseaddress: 77920000 Size: 995328 Protection: read write Mapped to pid: own pid	success or wait	2038602149
Section loaded	Path: \KnownDlls\WINTRUST.dll Access: write and read and execute Type: unknown Baseaddress: 77920000 Size: 995328 Protection: read write Mapped to pid: own pid	object name not found	2038612529
Section loaded	Path: C:\WINDOWS\system32\wintrust.dll Access: query and write and read and execute Type: image Baseaddress: 76C30000 Size: 188416 Protection: read write Mapped to pid: own pid	success or wait	2038615826
Section loaded	Path: \KnownDlls\CRYPT32.dll Access: write and read and execute Type: unknown Baseaddress: 76C30000 Size: 188416 Protection: read write Mapped to pid: own pid	object name not found	2038690993
Section loaded	Path: C:\WINDOWS\system32\crypt32.dll Access: query and write and read and execute Type: image Baseaddress: 77A80000 Size: 610304 Protection: read write Mapped to pid: own pid	success or wait	2038691844
Section loaded	Path: \KnownDlls\MSASN1.dll Access: write and read and execute Type: unknown Baseaddress: 77A80000 Size: 610304 Protection: read write Mapped to pid: own pid	object name not found	2038728659
Section loaded	Path: C:\WINDOWS\system32\msasn1.dll Access: query and write and read and execute Type: image Baseaddress: 77B20000 Size: 73728 Protection: read write Mapped to pid: own pid	success or wait	2038729390
Section loaded	Path: \KnownDlls\IMAGEHLP.dll Access: write and read and execute Type: unknown Baseaddress: 76C90000 Size: 163840 Protection: read write Mapped to pid: own pid	success or wait	2041350270
Section loaded	Path: \KnownDlls\WSOCK32.dll Access: write and read and execute Type: unknown Baseaddress: 76C90000 Size: 163840 Protection: read write Mapped to pid: own pid	object name not found	2041491206
Section loaded	Path: C:\WINDOWS\system32\wsock32.dll Access: query and write and read and execute Type: image Baseaddress: 71AD0000 Size: 36864 Protection: read write Mapped to pid: own pid	success or wait	2041525906
Section loaded	Path: \KnownDlls\WS2_32.dll Access: write and read and execute Type: unknown Baseaddress: 71AD0000 Size: 36864 Protection: read write Mapped to pid: own pid	object name not found	2041564092
Section loaded	Path: C:\WINDOWS\system32\ws2_32.dll Access: query and write and read and execute Type: image Baseaddress: 71AB0000 Size: 94208 Protection: read write Mapped to pid: own pid	success or wait	2041580835
Section loaded	Path: \KnownDlls\WS2HELP.dll Access: write and read and execute Type: unknown Baseaddress: 71AB0000 Size: 94208 Protection: read write Mapped to pid: own pid	object name not found	2041821154
Section loaded	Path: C:\WINDOWS\system32\ws2help.dll Access: query and write and read and execute Type: image Baseaddress: 71AA0000 Size: 32768 Protection: read write Mapped to pid: own pid	success or wait	2041851483
Section loaded	Path: \KnownDlls\MPR.dll Access: write and read and execute Type: unknown Baseaddress: 71B20000 Size: 73728 Protection: read write Mapped to pid: own pid	success or wait	2041924857
Section loaded	Path: \KnownDlls\VERSION.dll Access: write and read and execute Type: unknown Baseaddress: 77C00000 Size: 32768 Protection: read write Mapped to pid: own pid	success or wait	2041985503
Section loaded	Path: \KnownDlls\ShimEng.dll Access: write and read and execute Type: unknown Baseaddress: 77C00000 Size: 32768 Protection: read write Mapped to pid: own pid	object name not found	2042028954
Section loaded	Path: C:\WINDOWS\system32\shimeng.dll Access: query and write and read and execute Type: image Baseaddress: 5CB70000 Size: 155648 Protection: read write Mapped to pid: own pid	success or wait	2042031441
Section loaded	Path: C:\WINDOWS\AppPatch\sysmain.sdb Access: read Type: commit Baseaddress: 290000 Size: 1208320 Protection: readonly Mapped to pid: own pid	success or wait	2042063821
Section loaded	Path: C:\WINDOWS\AppPatch\aclayers.dll Access: write and read and execute Type: commit Baseaddress: 410000 Size: 475136 Protection: execute Mapped to pid: own pid	success or wait	2042200329
Section loaded	Path: C:\WINDOWS\AppPatch\aclayers.dll Access: write and read and execute Type: commit Baseaddress: 410000 Size: 475136 Protection: execute Mapped to pid: own pid	success or wait	2042264044
Section loaded	Path: C:\WINDOWS\AppPatch\aclayers.dll Access: query and write and read and execute Type: image Baseaddress: 71590000 Size: 495616 Protection: read write Mapped to pid: own pid	success or wait	2042265945
Section loaded	Path: \KnownDlls\USERENV.dll Access: write and read and execute Type: unknown Baseaddress: 769C0000 Size: 737280 Protection: read write Mapped to pid: own pid	success or wait	2042994186
Section loaded	Path: \KnownDlls\WINSPOOL.DRV Access: write and read and execute Type: unknown Baseaddress: 769C0000 Size: 737280 Protection: read write Mapped to pid: own pid	object name not found	2043052908
Section loaded	Path: C:\WINDOWS\system32\winspool.drv Access: query and write and read and execute Type: image Baseaddress: 73000000 Size: 155648 Protection: read write Mapped to pid: own pid	success or wait	2043054433
Section loaded	Path: \NLS\NlsSectionCType Access: read Type: unknown Baseaddress: 3E0000 Size: 12288 Protection: readonly Mapped to pid: own pid	success or wait	2043283448
Section loaded	Path: C:\WINDOWS\system32\imm32.dll Access: write and read and execute Type: commit Baseaddress: 360000 Size: 110592 Protection: execute Mapped to pid: own pid	success or wait	2044187814
Section loaded	Path: C:\WINDOWS\system32\imm32.dll Access: write and read and execute Type: commit Baseaddress: 360000 Size: 110592 Protection: execute Mapped to pid: own pid	success or wait	2044193520
Section loaded	Path: C:\WINDOWS\system32\imm32.dll Access: query and write and read and execute Type: image Baseaddress: 76390000 Size: 118784 Protection: read write Mapped to pid: own pid	success or wait	2044198164
Section loaded	Path: C:\WINDOWS\WindowsShell.Manifest Access: write and read and execute Type: commit Baseaddress: 380000 Size: 4096 Protection: execute Mapped to pid: own pid	success or wait	2044342674
Section loaded	Path: C:\WINDOWS\WindowsShell.Manifest Access: query and read Type: commit Baseaddress: 380000 Size: 4096 Protection: readonly Mapped to pid: own pid	success or wait	2044345059
Section loaded	Path: C:\WINDOWS\WindowsShell.Manifest Access: read Type: commit Baseaddress: 380000 Size: 4096 Protection: readonly Mapped to pid: own pid	success or wait	2044347262
Section loaded	Path: C:\WINDOWS\system32\shell32.dll Access: read Type: commit Baseaddress: 10C0000 Size: 8462336 Protection: readonly Mapped to pid: own pid	success or wait	2044366462
Section loaded	Path: C:\WINDOWS\system32\rpcss.dll Access: write and read and execute Type: commit Baseaddress: AA0000 Size: 401408 Protection: execute Mapped to pid: own pid	success or wait	2044727627
Section loaded	Path: C:\WINDOWS\system32\msctf.dll Access: write and read and execute Type: commit Baseaddress: AA0000 Size: 299008 Protection: execute Mapped to pid: own pid	success or wait	2044891523
Section loaded	Path: C:\WINDOWS\system32\msctf.dll Access: query and write and read and execute Type: image Baseaddress: 74720000 Size: 311296 Protection: read write Mapped to pid: own pid	success or wait	2044893504
Section loaded	Path: \BaseNamedObjects\CiceroSharedMemDefaultS-1-5-21-507921405-1960408961-839522115-500 Access: query and write and read Type: commit Baseaddress: 74720000 Size: 311296 Protection: read write Mapped to pid: own pid	object name exists	2044917690
Section loaded	Path: \BaseNamedObjects\CTF.TimListCache.FMPDefaultS-1-5-21-507921405-1960408961-839522115-500SFM.DefaultS-1-5-21-507921405-1960408961-839522115-500 Access: query and write and read and execute and extend size Type: unknown Baseaddress: AB0000 Size: 262144 Protection: read write Mapped to pid: own pid	success or wait	2044937438
Section loaded	Path: C:\WINDOWS\system32\msctfime.ime Access: write and read and execute Type: commit Baseaddress: AF0000 Size: 180224 Protection: execute Mapped to pid: own pid	success or wait	2044978881
Section loaded	Path: C:\WINDOWS\system32\msctfime.ime Access: query and read Type: commit Baseaddress: AF0000 Size: 180224 Protection: readonly Mapped to pid: own pid	success or wait	2044987925
Section loaded	Path: C:\WINDOWS\system32\msctfime.ime Access: write and read and execute Type: commit Baseaddress: AF0000 Size: 180224 Protection: execute Mapped to pid: own pid	success or wait	2044995589
Section loaded	Path: C:\WINDOWS\system32\msctfime.ime Access: query and read Type: commit Baseaddress: AF0000 Size: 180224 Protection: readonly Mapped to pid: own pid	success or wait	2045000533
Section loaded	Path: \KnownDlls\apphelp.dll Access: write and read and execute Type: unknown Baseaddress: 77B40000 Size: 139264 Protection: read write Mapped to pid: own pid	success or wait	2045001295
Section loaded	Path: C:\WINDOWS\AppPatch\sysmain.sdb Access: read Type: commit Baseaddress: AF0000 Size: 1208320 Protection: readonly Mapped to pid: own pid	success or wait	2045022302
Section loaded	Path: \BaseNamedObjects\ShimSharedMemory Access: write Type: unknown Baseaddress: AF0000 Size: 57344 Protection: read write Mapped to pid: own pid	success or wait	2045090036
Section loaded	Path: C:\WINDOWS\system32\msctfime.ime Access: write and read and execute Type: commit Baseaddress: B00000 Size: 180224 Protection: execute Mapped to pid: own pid	success or wait	2045094175
Section loaded	Path: C:\WINDOWS\system32\msctfime.ime Access: query and write and read and execute Type: image Baseaddress: 755C0000 Size: 188416 Protection: read write Mapped to pid: own pid	success or wait	2045098388
Section loaded	Path: C:\WINDOWS\AppPatch\sysmain.sdb Access: read Type: commit Baseaddress: B00000 Size: 1208320 Protection: readonly Mapped to pid: own pid	success or wait	2045226690
Section loaded	Path: \KnownDlls\UxTheme.dll Access: write and read and execute Type: unknown Baseaddress: B00000 Size: 1208320 Protection: readonly Mapped to pid: own pid	object name not found	2045259537
Section loaded	Path: C:\WINDOWS\system32\uxtheme.dll Access: query and write and read and execute Type: image Baseaddress: 5AD70000 Size: 229376 Protection: read write Mapped to pid: own pid	success or wait	2045261712
Section loaded	Path: \KnownDlls\netapi32.dll Access: write and read and execute Type: unknown Baseaddress: 5AD70000 Size: 229376 Protection: read write Mapped to pid: own pid	object name not found	2045348785
Section loaded	Path: C:\WINDOWS\system32\netapi32.dll Access: query and write and read and execute Type: image Baseaddress: 5B860000 Size: 348160 Protection: read write Mapped to pid: own pid	success or wait	2045396458
Section loaded	Path: C:\PROGRA~1\WINDOW~2\wmplayer.exe Access: write and read and execute Type: commit Baseaddress: B00000 Size: 73728 Protection: execute Mapped to pid: own pid	success or wait	2045912323
Section loaded	Path: C:\PROGRA~1\WINDOW~2\wmplayer.exe Access: query and read Type: commit Baseaddress: B00000 Size: 73728 Protection: readonly Mapped to pid: own pid	success or wait	2046016777
Section loaded	Path: C:\PROGRA~1\WINDOW~2\wmplayer.exe Access: write and read and execute Type: commit Baseaddress: B00000 Size: 73728 Protection: execute Mapped to pid: own pid	success or wait	2046023680
Section loaded	Path: C:\PROGRA~1\WINDOW~2\wmplayer.exe Access: query and read Type: commit Baseaddress: B00000 Size: 73728 Protection: readonly Mapped to pid: own pid	success or wait	2046042197
Section loaded	Path: \KnownDlls\CLBCATQ.DLL Access: write and read and execute Type: unknown Baseaddress: B00000 Size: 73728 Protection: readonly Mapped to pid: own pid	object name not found	2046288034
Section loaded	Path: C:\WINDOWS\system32\clbcatq.dll Access: query and write and read and execute Type: image Baseaddress: 76FD0000 Size: 520192 Protection: read write Mapped to pid: own pid	success or wait	2046307572
Section loaded	Path: \KnownDlls\COMRes.dll Access: write and read and execute Type: unknown Baseaddress: 76FD0000 Size: 520192 Protection: read write Mapped to pid: own pid	object name not found	2046318335
Section loaded	Path: C:\WINDOWS\system32\comres.dll Access: query and write and read and execute Type: image Baseaddress: 77050000 Size: 806912 Protection: read write Mapped to pid: own pid	success or wait	2046359595
Section loaded	Path: C:\WINDOWS\system32\quartz.dll Access: write and read and execute Type: commit Baseaddress: B10000 Size: 1294336 Protection: execute Mapped to pid: own pid	success or wait	2047384441
Section loaded	Path: C:\WINDOWS\system32\quartz.dll Access: query and write and read and execute Type: image Baseaddress: 74810000 Size: 1499136 Protection: read write Mapped to pid: own pid	success or wait	2047469316
Section loaded	Path: \KnownDlls\WINMM.dll Access: write and read and execute Type: unknown Baseaddress: 74810000 Size: 1499136 Protection: read write Mapped to pid: own pid	object name not found	2047553249
Section loaded	Path: C:\WINDOWS\system32\winmm.dll Access: query and write and read and execute Type: image Baseaddress: 76B40000 Size: 184320 Protection: read write Mapped to pid: own pid	success or wait	2047604300
Section loaded	Path: \BaseNamedObjects\VIDEOMEMORY Access: query and write and read Type: commit Baseaddress: B90000 Size: 4096 Protection: read write Mapped to pid: own pid	success or wait	2048101063
Section loaded	Path: C:\WINDOWS\system32\devenum.dll Access: write and read and execute Type: commit Baseaddress: BA0000 Size: 61440 Protection: execute Mapped to pid: own pid	success or wait	2057359858
Section loaded	Path: C:\WINDOWS\system32\devenum.dll Access: query and write and read and execute Type: image Baseaddress: 75F40000 Size: 69632 Protection: read write Mapped to pid: own pid	success or wait	2057481085
Section loaded	Path: \KnownDlls\msdmo.dll Access: write and read and execute Type: unknown Baseaddress: 75F40000 Size: 69632 Protection: read write Mapped to pid: own pid	object name not found	2058971895
Section loaded	Path: C:\WINDOWS\system32\msdmo.dll Access: query and write and read and execute Type: image Baseaddress: 736B0000 Size: 28672 Protection: read write Mapped to pid: own pid	success or wait	2058975121
Section loaded	Path: C:\WINDOWS\inf\unregmp2.exe Access: write and read and execute Type: commit Baseaddress: CA0000 Size: 208896 Protection: execute Mapped to pid: own pid	success or wait	2063675236
Section loaded	Path: C:\WINDOWS\inf\unregmp2.exe Access: query and read Type: commit Baseaddress: CA0000 Size: 208896 Protection: readonly Mapped to pid: own pid	success or wait	2063704193
Section loaded	Path: C:\WINDOWS\inf\unregmp2.exe Access: write and read and execute Type: commit Baseaddress: CA0000 Size: 208896 Protection: execute Mapped to pid: own pid	success or wait	2063721921
Section loaded	Path: C:\WINDOWS\inf\unregmp2.exe Access: query and read Type: commit Baseaddress: CA0000 Size: 208896 Protection: readonly Mapped to pid: own pid	success or wait	2063724984
Section loaded	Path: C:\WINDOWS\inf\unregmp2.exe Access: write and read and execute Type: commit Baseaddress: CA0000 Size: 208896 Protection: execute Mapped to pid: own pid	success or wait	2063769768
Section loaded	Path: C:\WINDOWS\inf\unregmp2.exe Access: query and read Type: commit Baseaddress: CA0000 Size: 208896 Protection: readonly Mapped to pid: own pid	success or wait	2063770811
Section loaded	Path: C:\WINDOWS\inf\unregmp2.exe Access: write and read and execute Type: commit Baseaddress: CA0000 Size: 208896 Protection: execute Mapped to pid: own pid	success or wait	2063794558
Section loaded	Path: C:\WINDOWS\inf\unregmp2.exe Access: query and read Type: commit Baseaddress: CA0000 Size: 208896 Protection: readonly Mapped to pid: own pid	success or wait	2064102125
Section loaded	Path: C:\WINDOWS\inf\unregmp2.exe Access: write and read and execute Type: commit Baseaddress: CA0000 Size: 208896 Protection: execute Mapped to pid: own pid	success or wait	2064193212
Section loaded	Path: C:\WINDOWS\inf\unregmp2.exe Access: query and read Type: commit Baseaddress: CA0000 Size: 208896 Protection: readonly Mapped to pid: own pid	success or wait	2064199651
Section loaded	Path: C:\WINDOWS\inf\unregmp2.exe Access: write and read and execute Type: commit Baseaddress: CA0000 Size: 208896 Protection: execute Mapped to pid: own pid	success or wait	2064205915
Section loaded	Path: C:\WINDOWS\inf\unregmp2.exe Access: query and read Type: commit Baseaddress: CA0000 Size: 208896 Protection: readonly Mapped to pid: own pid	success or wait	2064211747
Section loaded	Path: C:\WINDOWS\inf\unregmp2.exe Access: write and read and execute Type: commit Baseaddress: CA0000 Size: 208896 Protection: execute Mapped to pid: own pid	success or wait	2064291769
Section loaded	Path: C:\WINDOWS\inf\unregmp2.exe Access: query and read Type: commit Baseaddress: CA0000 Size: 208896 Protection: readonly Mapped to pid: own pid	success or wait	2064296483
Section loaded	Path: C:\WINDOWS\inf\unregmp2.exe Access: write and read and execute Type: commit Baseaddress: CA0000 Size: 208896 Protection: execute Mapped to pid: own pid	success or wait	2064411444
Section loaded	Path: C:\WINDOWS\inf\unregmp2.exe Access: query and read Type: commit Baseaddress: CA0000 Size: 208896 Protection: readonly Mapped to pid: own pid	success or wait	2064415968
Section loaded	Path: C:\WINDOWS\inf\unregmp2.exe Access: write and read and execute Type: commit Baseaddress: CA0000 Size: 208896 Protection: execute Mapped to pid: own pid	success or wait	2064418950
Section loaded	Path: C:\WINDOWS\inf\unregmp2.exe Access: query and read Type: commit Baseaddress: CA0000 Size: 208896 Protection: readonly Mapped to pid: own pid	success or wait	2064419748
Section loaded	Path: C:\WINDOWS\inf\unregmp2.exe Access: write and read and execute Type: commit Baseaddress: CA0000 Size: 208896 Protection: execute Mapped to pid: own pid	success or wait	2064421430
Section loaded	Path: C:\WINDOWS\inf\unregmp2.exe Access: query and read Type: commit Baseaddress: CA0000 Size: 208896 Protection: readonly Mapped to pid: own pid	success or wait	2064422227
Section loaded	Path: C:\WINDOWS\inf\unregmp2.exe Access: write and read and execute Type: commit Baseaddress: CA0000 Size: 208896 Protection: execute Mapped to pid: own pid	success or wait	2064424036
Section loaded	Path: C:\WINDOWS\inf\unregmp2.exe Access: query and read Type: commit Baseaddress: CA0000 Size: 208896 Protection: readonly Mapped to pid: own pid	success or wait	2064424835
Section loaded	Path: C:\WINDOWS\inf\unregmp2.exe Access: write and read and execute Type: commit Baseaddress: CA0000 Size: 208896 Protection: execute Mapped to pid: own pid	success or wait	2064426720
Section loaded	Path: C:\WINDOWS\inf\unregmp2.exe Access: query and read Type: commit Baseaddress: CA0000 Size: 208896 Protection: readonly Mapped to pid: own pid	success or wait	2064427522
Section loaded	Path: \BaseNamedObjects\CTF.AsmListCache.FMPDefaultS-1-5-21-507921405-1960408961-839522115-500 Access: query and write and read and execute and extend size Type: unknown Baseaddress: CA0000 Size: 4096 Protection: read write Mapped to pid: own pid	success or wait	2065744658
Section loaded	Path: C:\WINDOWS\system32\msimtf.dll Access: write and read and execute Type: commit Baseaddress: CA0000 Size: 159744 Protection: execute Mapped to pid: own pid	success or wait	2065853023
Section loaded	Path: C:\WINDOWS\system32\msimtf.dll Access: write and read and execute Type: commit Baseaddress: CA0000 Size: 159744 Protection: execute Mapped to pid: own pid	success or wait	2065907863
Section loaded	Path: C:\WINDOWS\system32\msimtf.dll Access: write and read and execute Type: commit Baseaddress: CA0000 Size: 159744 Protection: execute Mapped to pid: own pid	success or wait	2065918134
Section loaded	Path: C:\WINDOWS\system32\msimtf.dll Access: write and read and execute Type: commit Baseaddress: CA0000 Size: 159744 Protection: execute Mapped to pid: own pid	success or wait	2066190540
Section loaded	Path: \BaseNamedObjects\MSCTF.MarshalInterface.FileMap.IDO..MKFLI Access: query and write and read Type: commit Baseaddress: CA0000 Size: 4096 Protection: read write Mapped to pid: own pid	success or wait	2066282949
Section loaded	Path: \BaseNamedObjects\MSCTF.Shared.SFM.ICH Access: query and write and read and execute and extend size Type: unknown Baseaddress: CB0000 Size: 524288 Protection: read write Mapped to pid: own pid	success or wait	2066285414
Section loaded	Path: \BaseNamedObjects\MSCTF.MarshalInterface.FileMap.IDO.B.MKFLI Access: query and write and read Type: commit Baseaddress: CA0000 Size: 4096 Protection: read write Mapped to pid: own pid	success or wait	2066285853
Section loaded	Path: \BaseNamedObjects\MSCTF.MarshalInterface.FileMap.IDO.C.MKFLI Access: query and write and read Type: commit Baseaddress: D30000 Size: 4096 Protection: read write Mapped to pid: own pid	success or wait	2066286227
Section loaded	Path: \BaseNamedObjects\MSCTF.MarshalInterface.FileMap.IDO.D.MKFLI Access: query and write and read Type: commit Baseaddress: D40000 Size: 4096 Protection: read write Mapped to pid: own pid	success or wait	2066286598
Section loaded	Path: \BaseNamedObjects\MSCTF.MarshalInterface.FileMap.IDO.E.MLFLI Access: query and write and read Type: commit Baseaddress: CA0000 Size: 4096 Protection: read write Mapped to pid: own pid	success or wait	2066293410
Section loaded	Path: \BaseNamedObjects\MSCTF.MarshalInterface.FileMap.IDO.F.MLFLI Access: query and write and read Type: commit Baseaddress: CA0000 Size: 4096 Protection: read write Mapped to pid: own pid	success or wait	2066338479
Section loaded	Path: \BaseNamedObjects\MSCTF.MarshalInterface.FileMap.IDO.G.MLFLI Access: query and write and read Type: commit Baseaddress: CA0000 Size: 4096 Protection: read write Mapped to pid: own pid	success or wait	2066339709
Section loaded	Path: \BaseNamedObjects\MSCTF.MarshalInterface.FileMap.ICH.ME.MLFLI Access: query and write and read and execute and extend size Type: unknown Baseaddress: CA0000 Size: 4096 Protection: read write Mapped to pid: own pid	success or wait	2066341208
Section loaded	Path: \BaseNamedObjects\MSCTF.MarshalInterface.FileMap.ICH.NE.MLFLI Access: query and write and read and execute and extend size Type: unknown Baseaddress: CA0000 Size: 4096 Protection: read write Mapped to pid: own pid	success or wait	2066341646
Section loaded	Path: \BaseNamedObjects\MSCTF.MarshalInterface.FileMap.ICH.OE.MLFLI Access: query and write and read and execute and extend size Type: unknown Baseaddress: CA0000 Size: 4096 Protection: read write Mapped to pid: own pid	success or wait	2066341984